Episode 182 | The State of AuditShark

Show Notes

Transcript

[00:00] Mike: This is Startups for the Rest of Us: Episode 182.

[00:04] Music

[00:10] Welcome to Startups for the Rest of Us, the podcast that helps developers, designers and entrepreneurs be awesome at launching software products, whether you’ve built your first product or you’re just thinking about it. I’m Mike.

[00:19] Rob: And I’m Rob.

[00:20] Mike: And we’re here to share our experiences to help you avoid the same mistakes we’ve made. What’s the word this week Rob?

[00:23] Rob: Well, feels good to get back in the swing of things after MicroConf last week. I spent about 8 hours going through email, had several hundred in the inbox but I go to inbox zero again yesterday. It feels good to get back working on Drip and HitTail again. Drip is still 1-2 weeks out from the launch of behavior email or email automation and I thought we were a couple weeks out a couple weeks ago but just due to us leaving for MicroConf and all that stuff things get delayed. Well we talked to the UI I should say with myself and Derek and we’re getting moving on it. I’m not doing a ton of marketing on Drip right now just because all the marketing changes once that’s out because we become a different tool for kind of a different audience to be honest. We still have our old capabilities but it’s just a different thing.

[01:10] Mike: Cool.

[01:11] Rob: How about you?

[01:12] Mike: I think I mentioned in the last podcast that I was taking a vacation out in the desert. The plan was to go out and drink whisky and smoke cigars and I had maybe one glass of whisky and no cigars the whole time. I actually fell asleep on Thursday like right next to the campfire twice in the same day.

[01:26] Rob: It’s exhausting. I felt the same way. I slept a lot. The extrovert hangover I kept saying.

[01:32] Mike: Gotcha. Well I think being in the desert it just dries you out and dehydrates you so even if you don’t drink, you still just wake up with a hangover.

[01:40] Rob: And I guess on the Brightside for me HitTail is looking to have one of its best growth months ever but just in monthly recurring revenue growth and it’s moving back towards in the previous high that I had it at and this is due to getting away from tracking code and using the Google web master tools importer. So it’s good to have a win now and again to keep you motivated. There was like several months there where it just felt like all losses and the winner, it discourages you especially if it comes during that dark and cold time of year, glad to kind of be through that and be able to kind of hang my hat on something for the time being. And it’s not that Drip is not doing well or that MicroConf was a success. Drip is doing well but to really have something going up into the right is always a good motivator.

[02:24] Music

[02:27] Mike: I guess we’re talking today about the state of AuditShark.

[02:30] Rob: There were several comments in I think it was in the 170’s. Folks just asking about AuditShark you hadn’t given a thorough update in a while. I know that there’s been stuff going on behind the scenes. Some of it is sensitive. Right? It’s stuff that you can’t necessarily just come out and say what’s going on because so we wanted to kind of get passed MicroConf and get to a point where we could spend a whole episode digging into a lot of the specific comments, thoughts, questions that folks had. And there were several different commuters on both sides of the table. There was a guy named Mathew, Larry Scott Charles and Josh, thanks for your comments. But I think we’re going to cover four main topics today. These are all brought up by commenters specifically.

[03:09] The first one is slow progress. Like what do you say to the slow progress of AuditShark? Second one is the target market like do you have a target market? And the next one is talking about features and development versus talking about marketing, talking more about writing code than talk about marketing and the last one is about whether you are following your own advice. Someone put it if you wrote in to startups for the rest of us, what would your advice to yourself be?

[03:33] So let’s dive into the first one here. We’re going to talk about slow progress. I have a couple quotes. One quote is what do you say to AuditShark and its very slow progress? The other one is in the episode about 12 ways to know when to bail on your project and that was episode 171 at least 10 ways clearly applied to AuditShark. Now I actually don’t think 10 of those ways. I think maybe half of them applied but what are your thoughts on this? You’ve been working on AuditShark I think or about four years now and you started with a target market of banks that didn’t work out you’ve since been looking for a target market and like web and online folks were the market for a while, it seems like that maybe has or hasn’t worked out and you’re working on new stuff. I guess the first thing that you should probably comment on is what do you say to the fact that AuditShark feels like it has pretty slow progress?

[04:22] Mike: Well I think that most people who listen to the podcast don’t necessarily realize that I own three different companies, one of them is a consulting company and then my software company and then the Micropreneur academy with you. And with the consulting company, really, I spend a huge amount of time there which I’m not particularly happy about but the fact is that I’ve spent years where I’ll spend between 40 and 45 weeks a year on the road. Of that time, I’ll fly out on a Sunday and I fly back on a Friday and between travel and the actual work schedule, I’m probably putting in 60+ hours a week just doing the consulting stuff.

[04:56] So it doesn’t leave a whole heck of a lot of time outside of that in order to work on it and that’s kind of why I really went down the road of hiring people to kind of bring in and help put different pieces of AuditShark together because I was spending so much time on the road and what that allowed me to do is it allowed me to do the consulting which is essentially high pay and then turn around and take that pay and allocate it to different contractors who cost significantly less than me and then I can manage them. But that’s still not easy to do because they’re still a huge latency you’ve got to deal with.

[05:26] But at the end of the day when you’re working 60 hours a week during the week from Monday to Friday and then you go home and you want to spend that time with your family. Realistically it’s hard to allocate a lot of extra time to AuditShark and I’ve been able to do it but it’s still hard.

[05:41] Rob: Right. And you’ve been working on it for four years. The first two years you were trying to code everything yourself and so you would come back from consulting and some weeks you were getting like three hours a week of coding but you were talking about it because there’s a product you’re working on but it wasn’t like you’re making these massive strides towards the goal and it wasn’t until you’re a couple years in that you really started and you were able to let go of some of the code base and kind of outsource it. And then that is when you actually started making more coding progress. Right?

[06:10 ] And you’ll notice a shift at that point. I don’t remember but what episode it was but a lot of feature started getting built at that point and then that wasn’t like another year and you were moving forward but what I think your blind spot during that time is I don’t think you went out and find the market or you thought that you had the market but it just wasn’t there and then that’s been like kind of the last year has been coming to that conclusion of like oh no, I missed the mark on this. The market that I thought wanted it doesn’t want it and then since then you’ve been trying to find what that is.

[06:36] Mike: Right. And that market was banks. I was originally going after small banks because I saw this list of I think it was around 8,000 banks or something like that 8,500 banks. And of those, only 10 took up the top 80 or 90% of the market. So the rest of the market was left of these much smaller banks and I thought oh well they have regulatory compliance. They need to do this stuff. And what I found out after talking to them, I realized that and I’ve already built a bunch of stuff they said yeah, we’re interested in that. And then when I went back to them and said hey, I’m almost ready to show you something, that was when I started getting into more in depth conversations with them they said well, actually we have a third party company come in and do those audits for us. We don’t do it on a regular basis.

[07:18] There were a couple of different things that kind of went through my mind at that point. One is like I could say I could go to the third party people that they have come in that these consultants but at that point it’s not necessarily going to be something that the banks are going to end up using on a regular basis. They basically need it once and then that’s it and they don’t need it again for another year and then I’m like well that’s not really an ideal Saas model for me. That’s not what I want.

[07:43] The other thing is I knew that scaling up and trying to go after a bunch of those companies was going to be somewhat difficult so I kind of backed off of that. I didn’t really want to go the third party auditor route at that time kind of looking back on it, it might have been a better idea but I guess I didn’t think hard enough about it.

[07:57] Rob: I think you were locked in the Saas. You really wanted the subscription revenue and you’re already year two into building this web app, this web version of AuditShark and that didn’t necessarily apply as well to third party auditors.

[08:11] Mike: It did but I missed it. And the reason I missed it and the reason I missed it was I was kind of focused on the idea that the banks would be using the software. So I was like oh, well the banks are only going to use it once a year. They really don’t need this so maybe I should go out and find another market. Completely overlooking the fact that if I went instead to those third party auditors and said hey, would you be willing to use this on each of your customers? And although the products benefits their customer, I would charge them instead I just totally missed that.

[08:38] Mike: Yeah. That makes sense. This actually might be a good transition point into point number 2 which is about target market and we can come back to the 12 ways if we have time. But there are multiple comments in terms of target market. These are all quotes from the comments. One person said maybe if I understood AuditShark’s target market a little more and how Mike is going to attack it, I would have more confidence in his advice. Honestly, I think he’s still searching for a market, one that I’m not sure truly exists other than one of customizations for each prospect or client. That was one comment.

[09:06] The next one was what is AuditShark’s target market? Has that changed since 2011? And then the third one was more of a compliment and it says I disagree with the naysayers. Mike has moved on. He’s bringing his product to different markets. He’s now moving on to security companies and auditors. So talk a little bit about that specifically obviously you said banks didn’t work out, third party auditors didn’t work out at the time but it sounds like that might be a good market. But where do you stand today and why do you stand there? You know? Like what evidence do you have that the market you’re talking about is probably viable?

[09:37] Mike: In terms of the people who are using it, as I said before, I completely missed the fact that I could charge those third companies money instead of the banks because my thought was well banks need this particular function done. They’re the ones who should be paying for it. And that’s not actually the case. The case is that these third party auditors are the ones who use the software on behalf of the bank and then they use it and they mark it up to the banks so they charge the bank however many thousand dollars to do an audit and then they pay me some small specific fees associated with the number of machines that they audit in that environment. And like I said, I missed that upfront. It makes a lot of sense and then people that I’ve talked to, that’s exactly how they operate and they’ve said yeah, so I will pay X dollars a month for this particular piece of software that does XYZ.

[10:24] Rob: So the question on the table then is what is your target market today?

[10:28] Mike: The target market is essentially auditors who have to do that as part of their job. It’s essentially looking at the target market as if when you build a product, who has this particular problem? Who is bleeding from the neck and needs this problem solved? And it’s really the auditors who come in and say okay I’ve got a job to do. I have to go out to 50 machines or I have to go out to 100 machines and I have to gather all of these settings.

[10:49] Well each one of those settings takes you a minute to gather which a lot of times they will because and you might have a list of 150 things that you need to look at. And if each of those takes you one minute to get then that’s 150 minutes which is about 2.5 hours per machine. If you have 100 machines that’s a huge chunk of time, talking 250 hours to pull back that information. You have a piece of software that can pull it back very, very quickly for you, you don’t have to spend 250 hours on it. And what’s that worth? Well if you’re times $50 an hour, times 250 hours, if you’re paying less than $12,500 for that, that’s a no brainer.

[11:23] Rob: Right. So you know that there’s a problem out there that people need to be auditing AuditShark can do that, now how do you know this aside from saying there’s an X billion dollar market and I have to grab 1% of it. I’ll be successful like you’ve told me offline that you’ve been in specific talks with dollar amounts mentioned like there’s stuff going on. So why don’t you talk a little bit about that?

[11:45] Mike: Sure. To give a little bit of background from 2003-2005 I worked for a company called Pedestal Software. And they sold compliance software. From 2005 to about 2008 or 2009 I worked doing consulting on that piece of software because in 2005 the company was sold and then I just kind of struck off on my own and I was brought in to do consulting on that product. And I implemented it, extremely large companies like Johnson and Johnson, Pfizer, NASDAQ, the Department of Defense, united health group, DuPont, all these different companies that are not small companies. And I saw exactly how they did it. I saw exactly how the process that they used and what sorts of things were important to them and what sorts of things weren’t?

[12:25] So when I took that knowledge and went offline and started building AuditShark, I knew what these auditors were looking for. It wasn’t s as if I just plucked this thing out of the sky and said hey I’m going to do some research, maybe do some keyword stuff. The way I looked at it was I had this domain expertise that probably nobody else in the planet really has like 1) I’m a software developer and 2) I’ve done consulting in this very, very specific niche industry for four years. So I know what’s important to them. I know what will work and I know what will not. So to bring them back to specific numbers, since January, I’ve been discussing with a specific customer and it’s an enterprise deal. And enterprise deals take notoriously long to come through.

[13:05] The second thing is that it is an enterprise deal. You’re basically swinging for the fences. It’s not like you can sell them some software and go little ways and then have them buy more later on. When they buy software, they buy lots and lots of licenses all at once. So for them, it’s not going to be a small purchase. They don’t buy 5 or 10 licenses, see how it goes and then by 30 million licenses, that’s just not how it works. Basically they look at all their available options. They evaluate them kind of widdle it down maybe do some demos and trials and then they pick one and then they buy it and they move forward with it.

[13:37] So you’re going to get either lots of revenue or zero. And I didn’t really want to come to the podcast and say oh I’m really working on this enterprise deal and then 3 or 4, 5 months down the road have it come up to zero because that’s really what was going to happen or could happen.

[13:50] Rob: Right. And by working on the enterprise deal, you mean you had multiple calls, you’ve done a demo. You’ve submitted pricing. Right? I mean you’re way well into this discussion.

[13:59] Mike: Exactly. And at this point, as far as I know, my product is the only one being recommended at this point. They’ve looked at other products and the other products simply don’t do what they need. I don’t think that’s any small coincidence based on what I said before about me being an expert in this particular field and as a side note I really hate saying that I’m an expertise in this but the fact is I’m a software developer and have done consulting in this particular space. I know exactly what they want, I know exactly what they need. Combining those two things, it kind of does make me an expert in this very, very specific thing that they need.

[14:30] Rob: Right. We all know that deals fall through all the time. Right? So there’s not a huge amount of certainty but you do know that there’s interest and you do know that the people that you’ve demoed to and talked to the guys that are actually going to be implementing it really, really liked it like it’s a neck bleed situation for them so that implies – right? It could simply that there are other people who also have the neck bleed situation and you’re saying that based on that four years of consulting you did, you know that it’s a neck bleed situation.

[14:55] And then the other thing is the deal, even if it goes through, it could take another – who knows? Six months. It could take another 8 months right? You just don’t know they could budget it for the later half or whatever I mean this stuff takes a long time so it’s not something that’s going to come through next week. it’s not 100 trial users that convert in 21 day trials but if this one hits or one like it, it’s a little bit of a game changer for you.

[15:19] Mike: Yeah, definitely. Starting pricing for that is six figures and that’s starting and they would buy quite literally thousands of licenses and if it goes well, they could roll it out enterprise wide which is a multiple of roughly 25 times that. Obviously I can’t charge them gobs and gobs of money because there’s kind of an upper limit to software when you get into the enterprise space because of volume discounts. You look at any software that’s out there, some vendors who sell MacAfee policy auditor which is a somewhat similar product but if you look at theirs and the pricing for it, their pricing drops down to I think 5 or $6 per machine at some point and that’s after you get passed like 50,000 machines. But their pricing on it I think is 30 or 35 and that’s just to buy one license for it and if you buy one license, it costs you $35. If you buy 50,000 it costs you $5 for each of them instead.

[16:07] Rob: Right. But let’s focus on this target market thing. So that, it’s a sold lead in this niche. It’s a Fortune 500 company that you’re talking to [Cross-talk] I don’t think you’ve said it yet. And I think the thing that you’ve gained out of this is even if the deal doesn’t go through, you have a decent level of confidence that there are other companies like this and if you can get in there and do the high touch sales, and this is enterprise sales. Right? I mean you’ve been spending time talking to these guys that this is a possibility for you and I think another thing that you told me offline that perhaps opens this up to be more possible for you is consulting. How much consulting are you going to be doing moving forward.

[16:42] Mike: Virtually none. I basically put in to have my time cut to pretty much zero starting in mid September and depending on how paperwork and PO’s go it may actually be quite a bit earlier on that. And then my consulting would go to zero and I’m not worried about the money because like I said I’ve got income sources. What I really need is I need those 60 hours a week back so that I can focus on getting AuditShark in front of customers and talking to them. I mean that’s really the big thing is being able to have the time to talk to people because if I’m on the road, it’s hard to step out in the middle of a workweek with a customer and then say oh, I need to take an hour off because I need to go do this software demo or make some phone calls and do some cold calls or follow-up on emails with these other people. You just can’t really do that.

[17:26] Rob: Yeah. And your progress is slow as a result. Right. I think the other thing in terms of the target market, you also mentioned another potential client it seems like in the same market but they’re not in enterprise. They’re more that external auditor. The Fortune 500 you’re talking to the internal auditors. These are people who work for that company who want to do auditing and they buy do a large one time purchase like you said being the six figures probably whereas there’s that external auditor market that you referred to earlier who would perhaps be auditing banks or just be auditing anyone who needs auditing. A there’s a small company that has said that they are very interested in AuditShark. Is that right?

[18:04] Mike: Yup. The major difference there is more or less there’s two things. One is the size of the company and the second one is what machines they’re going to be using the software on. So when you’re talking about the enterprise customers, the internal auditors, they’re auditing their own machines. And they’re auditing tens of thousands of them in some cases. When you’re talking about the external auditors or the third party auditors as I’m calling them, they are much more smaller this particular company has less than 10 employees and all of them go out to customers on a regular basis an audit their machines and their books and everything else.

[18:36] And it kind of ties into financial services but it allows them to act as an up sell because if they’re coming in to audit their books they can say well we can also do a risk assessment or risk audit on your computers to see how much of your financial information is vulnerable to external threats. So they can essentially use that to up sell their own services and this particular company does that on a very regular basis. And some of their customers are Fortune 100 and 500 companies. They do have in roads into some of these larger companies who maybe want a second set of eyes on their machines or kind of look over what their internal auditors have done because there are known and documented cases where they’ve gone out and they said okay we’re going to have the IT director go out and do these audits and everything’s managed internally and then they have third party auditors come in and say what a second, these results don’t match up. Come to find out their IT director falsified results.

[19:30] So as the CIO or CEO of the company you are criminally liable for some of those things in a public company. You do not want to be signing off on stuff that could put you in jail. So that’s the reason why they have these third party auditors come in sometime even though they have their own set of internal auditors. They want this third party checked because it helps keep them out of jail. And they’re spending the company to do it so it’s really no sweater off their back.

[19:54] Rob: Right. So as I said you’ve spoken with one firm who is interested. I imagine you have a list of additional terms or other ways to get in contact and try to explore that market which is heavily overlapping with it’s just internal versus external. Right? And they would use the same piece of software at your desktop edition you spent several years building the web version and it seems like the desktop edition which is kind of been off shoot to that has really gained a lot more steam, a lot faster than that web version did.

[20:22] Mike: Right. And I think there’s a couple different reasons for that. I think the primary reason for that is that it’s so quick and so easy to demo. I mean you literally you open it up, you click file, load and you open up a policy. You can do it against local hosts or another machine but literally you just type in a machine name, you hit audit and boom. It just starts pulling back results from that machine. You don’t need to install software on it. You don’t need a lot of configuration. If you need to put in your credentials you can but if you’re already logged into widows with the credentials that have access to that machine, you’re just going to start pulling back results. And that’s an extremely powerful demo to be able to show to an auditor.

[20:58] Versus the web version where it’s like oh well you have to sign up for an account. Now you have to download this piece of software. And then you have to install it and you need to type in your credentials when you install it and now we have to wait a few minutes for it to sync up and now we can schedule something and then you wait for 3 or 4 minutes and then you can look at results in the web interface. It’s a totally different demo scenario. The desktop edition was essentially built in order to overcome that. At the same time, that desktop edition also serves other purposes.

[21:25] Rob: Right. And it sounds like it’s had faster uptake. And you know the desktop version was a little controversial. I mean I brought it up I think on the podcast and then again off line and several folks in the comments brought it up and this is kind of point three which is you talking more about features and development versus marketing. So here’s a couple quotes. 1) It says Mike you do seem to talk about this feature or code or making it do this and that instead of how many customers you’ve acquired this week. It definitely seems more like the internal side project which clearly you get enjoyment out of and then someone else said 1) stop writing code. 2) Get customers now.

[21:59] And I had kind of said a variation of this to you offline. Right? Of like you talk a lot about the development you’re doing especially when the desktop version came up, I asked you specifically like who requested that? Why are you building another app or another off shoot or another interface? No one has offered you money for this. I guess the first question I have for you is why did you go build this desktop version when you’ve already spent all this time building a web version?

[22:24] Mike: Well I mean the primary reason was because I needed something that I could demo easily. What I wanted to do ultimately was have a video on my website that would kind of walk you through it but I also realized that just looking at the video, reading some stuff on it wasn’t necessarily going to be what would drive traffic or drive people to kind of come in and actually take a look at it. What I was hoping to do was basically take that and use it as sort of a marketing thing where I could put it on the website and say hey you can download this and this is what the web based version of the tool would do.

[22:54] So my initial intention was to take in and say okay well you can use this against just local hosts or you can type in one machine or two machines or something like that but when I started building it and actually saw what was really kind of possible with it, it kind of brought me back to between 2003 and 2005 working on security expressions and how quickly and how powerful that was to show to people. And I think that I’ve kind of forgotten that. When you put that in front of somebody, it’s actually quite amazing. I’ve heard from people who have looked at and said wow this is really awesome. I can’t believe that you’re able to do this.

[23:26] So that kind of turned the conversation a little bit and was probably not until I had really started going down the road of development of the desktop edition and say hey maybe I should take this and make this off shoot of the product that hooks into the web’s system as opposed to just kind of an independent marketing thing. The other thing I wanted to was I want to be able to use it to draw publicity to do AuditShark for some very specific circumstances. So recently for example the heart bleed problem has kind of surfaced on the internet. Well how do you know if your servers are susceptible to heart bleed? Well you kind of probably have to go do quite a bit of research and figure out what heart bleed is and how you know whether you’re susceptible to it or not.

[24:02] If I can take a version of AuditShark and essentially package it with a pre-built policy file that only does one thing which looks to see whether or not you’re vulnerable to heart bleed and package it and allow you to download it from my website, then that would be something that would be probably inherently valuable to a lot of people because they’re not going to want to come to my website type in their credentials to their Linux servers and say hey, go check my servers. That’s just not going to happen. And if it did happen, I’d love to have your credentials but that’s not what I was looking for. What I was looking for was something I could put on my website that would address some very, very specific scenarios. So any specific vulnerabilities or worms or things like that come out and be able to put that out there and use this sort of marketing play.

[24:46] And in the past what I’ve seen other companies do is if there’s major exploit of credentials from different companies, if there’s an exploit where they pull a bunch of passwords, they will setup websites where you can go in and you can type in your username and it will tell you whether or not the password was leaked. And I found that to be extremely useful because it’s interesting to find out whether or not your password was leaked to different sources and that’s really just a marketing driver. And that’s how I view that.

[25:12] Rob: So what do you say to the sentiment of someone saying stop writing code and get customers now? Like have you stopped writing code or have you slowed it down because for a while I mean it was several years. You just talked about new features you were building without customer request. It wasn’t someone saying I’m willing just talked about new features you were building without customer request. It wasn’t someone saying I’m willing to pay you money if you built this next feature like what’s your status?

[25:31] Mike: So right now there code has slowed to a crawl. There’s a few minor things that are going in. I call them minor but they’re actually pretty important. So for example licensing. Licensing was not in there. When I started handing out demons of the AuditShark desktop edition, we hard coded the date. It was like here’s the date and it just simply will not work after this. We could build the licensing mechanism but that’s going to take time. Let’s just get this out the door. So there were shortcuts that we took very, very intentionally because we wanted to get it out the door and get it in people’s hands and they’ve taken a look at it. They said wow this is really awesome. I love what it does.

[26:04] And I’ve gotten a few requests but we really haven’t gone down the road of implementing any of them. really what we’ve been focusing on is some clean up, making sure that the code isn’t going to crash or handles edge cases a little bit better because there are certainly places where it doesn’t handle everything as well as it could. And then the reporting is going to be a focus moving forward but we really haven’t put any effort into that either. So there’s a lot of things that could be done but I’m really not working on them. I do have some contractors who are working on some stuff but I’m just not – that’s not my focus right now my focus is kind of revamping some of the marketing on the website, talking to customers directly and doing whatever I can to kind of extricate myself from the consulting so I have more time to spend on that stuff.

[26:48] Rob: Right. Okay. Now in looking back over the past year where you perhaps haven’t had as much focus on that as maybe you should have, why did you decide to continue building and not getting – making phone calls to customers and that kind of stuff.

[27:04] Mike: Well it’s hard to make phone calls when you’re pegged at 60 hours a week during the work week. So this is a B to B product and it’s hard to get in touch with those people. The demo alone for the enterprise customer took me probably close to 8 weeks to schedule a time to have that demo. It’s just not easy to do partly because of my schedule, partly because of their schedule.

[27:21] Rob: Right. And this is one of the reasons we talked about – maybe it was probably two years ago about the enterprise marketing you had said I don’t really want to go into it because I don’t have time to do all the sales calls and to do stuff during the day and that kind of stuff and so it surely makes sense that at this point if you’re kind of your life situation or your work situation’s changed then perhaps that market’s more open.

[27:43] Mike: Yeah I think it’s a lot more viable now than it was even 4 or 5 months ago. Part of that is because of the desktop edition and the directions that it’s turned.

[27:51] Rob: Well let’s jump to the fourth and kind of final point that I pulled out of the comments and it was about not following your own advice. So here’s one quote from the comments. The commenter said in one episode, Mike even said not to take his own advice with respect to his work with AuditShark. And the next quote is what do you say to people who say you are not following your own advice with regards to timeline, remember, we always say 4-6 months and you’re now 4 years in, having a market before you build which thought you did but maybe you didn’t do as thorough of a job as you should have in identifying that market and talking to them. And then currently although today isn’t applicable but maybe six months ago when this comment was posted, not having a target and continuing to build an app and not putting the brakes on development.

[28:37] Mike: I think a lot of the reason we give people general advice about a timeline is there’s a few different things that factor in. One is the motivation to actually continue and two is how long is it going to take you to figure out whether or not somebody’s actually going to pay you for something. And again this is general advice versus specific situation advice. So the advice I think that we tend to give and the advice I tend to give is general advice. But when you start talking to somebody about a very specific situation, there’s always exceptions and I’ve been accused in the past of treating AuditShark like a special snowflake and in some ways I would say that it is and the specific way that I would say that it is do I know what people really want? Are there specific features that I’m aware of that they need? And there really are.

[29:21] I mean I know what the used cases are. Do I know that people will pay for it? Yes I do know that they’ll pay for it. Do I have everything set in stone as to exactly how I’m going to get in front of five more enterprises, no I don’t. That’s what I would say a shortfall but I don’t think that’s the end of the world either especially if I’m able to kind of cut back on my consulting and right now I’m in the process of talking to enterprises and able to successfully do that and move the process forward while I am still consulting as much as I am. I get the sentiment. I do understand it but I think that in parts of this, some that advice just simply doesn’t apply. I think our general advice is also not to go after enterprise markets.

[29:57] Rob: That’s right. And that’s the difference. When I bought HitTail and you were working no AuditShark, we kind of started averaging from that first step of the stair step where I say get something that’s making 1-1,000 grand a month, WordPress plug-in, a Photoshop add on, an eBook, whatever, some small niche app. But at certain point when you’re going after a mid 6 or a 7 figure business stuff does start to diverge. You have to take different steps to do it. So I’m not necessarily agreeing with you in saying that you should go beyond 4 to 6 months because I know that the fact that you’ve spent as much time as you have, it’s taken its toll right? I mean it’s taken its toll on your motivation. I imagine you’ve questioned whether you should keep going but frankly have been impressed with your willingness to continue because most people I know if they get a couple years into something there, just not ever going to make it to launch and frankly you did. You have a completed product at this point.

[30:53] Mike: That could also be called stubbornness or stupidity. You can always look at those things in retrospect and things are either genius or just stupid and it really depends on what the outcome is you know?

[31:02] Rob: Yeah so it seems like the summary I mean the three points here were you know, not following your own advice on timeline, having a market before building and then having a target market. Timeline yeah, it seems like you’ve kind of agree with that. The shorter the better, should’ve been 4-6 months, probably should’ve chewed off a smaller problem but you’re here now, what can you do looking back? Having a market before building you thought you did, I think that’s a mistake you’ve admitted to in the past on these episodes right? That you wish you’ve done more due diligence with the market you wish you’d nail it down better before you started building.

[31:13] Mike: Yeah I think with that though, there’s two different pieces of that because our general advice is make sure that you have a market for the product before you start building it and I think it’s more to make sure that there’s a problem that is worth solving to people. So I built a piece of compliant software that will go out to machines and pull back information and allow you to validate settings. And that is a problem that definitely needs to be solved. But there’s lot of different ways to solve that problem and a lot of different people to solve that problem for. And I solve the problem but I didn’t necessarily nail the initial market that I was going to go after. Problem definitely needs to be solved. Did I get the right people the first shot? No, I don’t think that I did.

[32:07] Rob: You had problem solution fit. You didn’t product market fit because you didn’t know what market you should go after. And I think to be honest, myself and the listeners doubted that you had problem solution fit and some may sill doubt that you have problem solution fit. I think you had confidence the whole time but maybe haven’t quite been able to convince us that it has and I think the fact that an enterprise has now essentially submitted you in for budget or whatever step you’re at at this point that they’re seriously considering moving forward and you gave them a quote and stuff, I think that led some creating to the fact that you’ve at least solved their problem and with another consulting firm looking at it I mean there’s becoming more evidence of that.

[32:46] Mike: The underlying issue there is that there’s a big difference between developer and cis admins so like I’m very much across the line there. I do a lot of systems administration with my consulting, managing large networks of machines with enterprise software packages so I get how that stuff works. I get how active directory works and how you would use a lot of the different enterprise tools just to manage the machines in an enterprise. So I don’t think that’s common knowledge. I think that most people who do know that who are developers are very much minority. There’s not a lot of people who are developers who also kind of cross over into that systems admin area.

[33:25] So I think that’s probably where a lot of this confusion comes from because as developer you’d have to ask why do I need to know what a registry key is set to and it’s like well you know, because that could indicate whether your firewall is on or off and if you have 10,000 machines, you need to check, how are you going to do that? Oh let me just write some code for it. And my response is exactly. That’s how you do that. But what if you need to check a different registry key or what if you need to check services or what if you need to check file auditing settings, or all these other things? So my code base is essentially an engine that will allow you to do all of those things in a much more simplified mechanism that will remotely go out to all those machines and pull back that information.

[34:07] Rob: You known one other thing we haven’t brought up at all Mike is your health issue that you had for like 2 or 3 years that again you don’t want to blame for lack of progress or lack of motivation on a health issue but certainly played a part in the fact that things have taken you a while to get here.

[34:23] Mike: Yeah. I would say that the health issue has probably been going on for more than two years. There’s probably close to four which I indirectly in some ways blame on the level of consulting that I’ve done over the past several years because it has ramped up a lot and it has gone into travel. So as I started working on AuditShark, I could almost probably guess to say yeah my health issue is kind of arose partially as a result of me doing consulting and AuditShark at the same time. I’m sure that it factors into it, by how much? I don’t know. But yeah I mean the health issue is definitely a big thing. I brought it up at MicroConf and I actually had probably 2-3 dozen people come up to me after my talk and explicitly thank me for talking about the issues and bringing them to people and just kind of bringing them to light.

[35:10] So that it’s not as if everyone’s kind of going through those things alone and I showed graphs and I think that was probably one of the more powerful parts of my talk was showing when I got a diagnosis exactly aligned with when some of my website traffic and Twitter following, all of those things, they started kind of taking off all at the same time. And then a few months later I think it was December that I kind of officially launched AuditShark, that’s not too far after August. Going back to that, I think that I could probably blame some of the lack of progress on AuditShark on some of those health issues but I don’t really want to use it as escape either. And I definitely didn’t want to bring it up last August-September timeframe because I didn’t really know what it meant at that time either. In retrospect I can see there are some pretty clear uptakes in a lot of different things since that time. So I think a lot of things have changed over their past 6-9 months.

[36:05] Rob: I would agree I mean especially in the last six months I think that’s where in seeing your graphs for your Twitter followers and your visitors to the website and just the level – it was right after that you’re like hey I have these landing pages. Hey I have some ads running. Hey I have retargeting. Hey I have – you know what I mean? You were just getting yourself in gear on the marketing side in a way that I had not seen in the previous 3.5 years on AuditShark and that’s when you started making this progress. Right? I don’t think it’s by mistake that suddenly you’re talking to a Fortune 500 company in January. I think that all plays into it. Right? You get your mojo back and then you really start hitting things hard and something comes out of that.

[36:40] I think overall in summary we’ve talked about slow progress. We’ve talked about whether or not you had or have a target market talk about focusing too much no features right? Versus development. And on following or not following your own advice but I think the bottom-line is that you’ve made mistakes going through this. We’ve talked about that before. And you’re going to get more mistakes. We’re all going to make more mistakes moving forward before you get your product to where you want it to be for sure. But it seems that at this point you have a much better grip on these issues that I think you’ve had in the past 3-4 years. There’s more confidence. You certainly have more confidence in what you’re doing. I can just tell when we’ve had conversations about it.

[37:20] You haven’t taken the shortest path. I think that’s the one thing that I would say is like it’s taken you four years to get here. I think you could’ve done it in a year. I mean it is a bigger project. All these things compiled, there were mistakes. There’s health issues, there’s 60 hour workweeks. There’s all that stuff and that kind of all adds up to just leading to a very long path which is often hard to travel.

[37:44] Mike: I think everybody wishes that whatever they’ve done that was difficult took them a lot less time to do it but at the end of the day I can’t say I’m disappointed with where things are at right now because I think that things are in a really good spot right now. It’s not to say that I don’t have a lot of work cut out for me going forward. At the same time I think I’m well positioned to be able to take the work and effort that we’ve put in so far and kind of take that to the next level.

[38:06] But one thing I did talk to a couple people about was how I talk about things on the podcast because I guess it’s not very clear to most people that when I say I’ve done this or I’ve done that, I generally mean we. It’s something that I need to work on. It was the team behind me that basically hired out of the consulting revenue. There’s a lot of things that they’ve done and pulled together at my direction that I probably just didn’t have time to do on my own. So that’s something that I kind of need to correct moving forward I think.

[38:35] Rob: Because it’s implying that you are still writing code?

[38:37] Mike: Yes.

[38:38] Rob: You’ve actually been less focused on the technical stuff over the past 6-12 months than it might appear if you were listening to the podcast because a lot of times you said I did this whereas it was your developer.

[38:48] Mike: Right. A lot of times I’ll scope something out and I’ll say okay here are the screens. This is what it’s got to look like. This is how it’s going to function. And then they’ll go do it. There will be some back and forth between them and it’s not like I’m not involved at all, it’s just that I’m usually double checking work doing testing things like that. I’m still technically working on it but I’m not necessarily writing the code for it. I do still feel like I’m involved in it.

[39:08] Rob: So if you have a question or a thought or a comment on what we’ve talked about in this episode, you can call our voicemail number at 1-888-801-9690 or we’re always available via email at questions@startupsfortherestofus.com. You can subscribe to us in iTunes by searching for startups or via RSS at startupsfortherestofus.com where you’ll also find a full transcript of each episode. Our theme music is an excerpt from “We’re Outta Control” by MoOt used under Creative Commons. Thanks for listening. We’ll see you next time.

 

Twitter Digg Delicious Stumbleupon Technorati Facebook Email

15 Responses to “Episode 182 | The State of AuditShark”

  1. Thank you for this episode and addressing some of my comments and questions!

    I appreciate Mike’s willingness to admit mistakes. We all make them and it’s refreshing to hear people own up to them.

    I’m still not convinced of the market for AuditShark. It seems like there may be one big customer, but not convinced there are others. I definitely could be wrong here, and for Mike’s sake, I hope I am.

    The biggest thing that came out of this episode is AuditShark is truly an enterprise software application, not a SaaS business. I think this is what has led to mixed messages from MIke, since the core audience, as I see it, is not interested in building enterprise software.

    In my opinion, to prevent mixed messages and confusion for listeners, there should be no more talk of AuditShark on a regular basis. Maybe an update once a quarter or even every 6 months.

    Another humble opinion… if this big Fortune 500 company doesn’t come through, I think that’s a true sign to throw in the towel.

    I wish you the best, Mike!

  2. Matthew, disagree about update frequency. This stuff is exactly the type of customer-solution-marketing-fit problem so many of us can learn from. Let’s see what Mike does and go through the journey of solving it with him.

    Mike, I think a few things don’t line up. If you’re targeting auditors, I assume their service is mostly once a year (say). They’d look at X servers in a given period and then move to another company. You’re relating the price to the server count (kinda) and making it paid per month. 20 servers isn’t many so they’d probably hit it in the first customer or two. Would the auditors move their licence between companies and uninstall it each time they’re finished? Do they just build up an insane set of servers that they only audit yearly but pay for monthly?

    So, options:

    1) Help the auditors to create a “year-long security” service that they sell and you help them extend their effectiveness via automation. The problem with that is changing their business model (no?), which might prove hard. But maybe enabling them to earn recurring revenue is awesome.

    2) Change charging model to either once-off pricing for an extensive yearly audit and a low monthly maintenance fee that just reports changes. This is tricky because you’ll have to replace a lot of income with lower pricing. It supports the yearly once-off existing business.

    Either way, change pricing page to something like “small business / big business / security consultant” so it mirrors the new way of thinking. Or even junk the individual businesses and fully target the consultants for now, until you’ve bedded down one customer segment.

    Not sure about the name “-shark”. It means something a bit more bitey and less safe.

    However, I think there’s definitely something in there and you just need to find the key.

    Thank you for an excellent podcast and keeping my spirits up while I finish my current product!

  3. Mike is talking in circles now. I can’t take his comments seriously anymore. I’m with Matt–I’d rather not hear about AuditShark anymore.

    There is a market for this type of product. Server config auditing software is nothing new, and there are successful products that do exactly this (e.g., winsitter.com, tenable.com, etc.).

    I’m sorry to be so harsh, but this is not a market problem. This is a case of poor execution in both product building and marketing.

  4. So I have been following the podcast for years, and in particular with interest in how Mike has been developing AuditShark. Part of the problem with some of these comments is it’s a bit tough to establish bona fides of the commenters, in my case, I do security research for a living, perform 1000+ hours per year in enterprise security consulting, have been published, etc. ad nauseum. I live in this space. That being said:

    Matthew:

    Your saying there is no market for this type of thing is based on what experience? I can agree that it is a market that contains numerous solutions, however, each environment there are certain requirements, flexibility issues, and coverage requirements. To assume that an enterprise locks into a single solution or provider for security auditing would be patently false. In fact, what we are seeing in the market is the fact that products like AuditShark are looked at as a gear in a security machine, not as a silver bullet. This is where an enterprise derives value, because at the end of the day everybody gets hacked or has compliance issues at some point, even with a ton of tools and people trying to deal with it.

    Speak for yourself with regards for SaaS only. I know a number of people who are working on enterprise-grade, bootstrapped products that you can’t just put up a landing page and engage in the typical cycle. Having Mike as a resource to show us what the tougher enterprise process looks like provides value to a lot of people operating much like this. I know this from the feedback I receive back from infosec people who I have referred to this particular podcast and Mike’s story in general.

    Richard:

    In terms of your comments on licensing, etc. I really have no opinion. However, your comment on the name “shark” being “less safe” simply indicates that you don’t get the market. Let’s look at some of the product or company names that are prominent in the infosec space: BoneSaw (End Game Systems), Crowdstrike, Wireshark (common tool), Metasploit, FireEye. I can go on and on. This demonstrates to me that Mike has a name that rings along with the rest of the market, which is what people expect.

    Noah:

    Yes there are numerous products that can audit server configurations (both open and closed source) as well as router configs, firewall configs, and numerous other tools. Each tool performs this function in a slightly different manner. This is like saying that because we have had syslogd for 30 years Splunk should have never started up in the first place, I mean logs are just logs right? If you have ever seen an enterprise network diagram of the logging and auditing infrastructure at a Fortune 500, you see a blend of tools, hardware and software that all work towards the same common goal. Mike is not so inexperienced (as I fear you are) that he doesn’t realize that Auditshark fits in as another node on this network diagram. That’s precisely how you make money in this space.

    If I have spoken out of turn because the three of you are in fact knowledgeable in this space then I welcome your response. However, I want Mike to keep talking about his wins and losses while going through this battle because there are lessons learned from both micropreneurs as well as people working in this space. Information security is by far one of the fastest growing startup sectors, but it has it’s own challenges for folks like Mike.

    My suggestion would be that unless you can speak to this issue with some sort of real experience, keep the uninformed comments to yourself. Some of us thoroughly enjoy watching the progress of AuditShark.

  5. I have no domain knowledge regarding the space Audit Shark is in, but I don’t feel that’s important.

    What IS important here is that most of the listeners are going to be bootstrapping software businesses to niche markets, definitely not enterprise, so anything that Mike could share about Audit Shark is not relevant to the podcast.

    The things that would be relevant (talking to people before coding, finding a real pain point, making a minimum viable product, etc, etc) were definitely an example of what not to do.

    And in some ways I still feel Mike is giving excuses. I would believe that most bootstrappers work on their startup at nights or weekends, so having X amount of consulting hours per week sounds like an excuse. I work at least 40 hours a week (sometimes more) and I’m making time to work on my product. Also bad health should be a motivator (http://unicornfree.com/2013/chronic-illness-the-best-reason-to-bootstrap)

    I’ve been calling this since at least episode 60: http://www.startupsfortherestofus.com/episodes/episode-60-delving-into-the-future-of-auditshark#comments

    In my opinion, Mike should not mention Audit Shark since it’s not relevant to a large percentage of the audience, and start something small that we can all learn from.

  6. Enterprise simply dictates the SIZE of the customer, not whether you are entering a niche market or not. You can have a $250,000.00 / year product (which I have reviewed, interacted or installed numerous of them) that solves a very specific problem (thus a niche product, in a niche market) that ONLY an enterprise can use, implement and afford.

    Again, Mike has previous years of experience in a related product. Thus all of the “talk first, code later” stuff was already done. Secondly, there is a pain point that he acknowledges through his previous contacts, I myself being in the domain also agree with Mike. John Ramli loves to disprove the common notion that your MVP has to be done a certain way every single time, perhaps you should go read some of that.

    A complicated product’s MVP is going to be much different than an email capture form and some AdWords, which is a myth that a lot of startup people love to propagate.

    Just because AuditShark looks like a different beast from your traditional micro-bootstrap-buzzword means that we should all pay particular attention to it and learn from it. Especially since most of you folks seem determined that it is set to fail: why not watch it crash and burn in silence, is that not how we learn the most?

  7. Justin:

    You completely misinterpreted my comment. Please go back and read it again.

    Mike has chosen a good market, as evidenced by existing solutions. There *is* room for AuditShark in the “network diagram” (to use your words); Mike is just not delivering the goods.

    I don’t doubt Mike’s experience or the demand for the product. I severely doubt his ability to ship and market it.

    It doesn’t bother me that Mike is doing more enterprise-y stuff–I think it’s cool to hear about something a little different than SaaS. What does bother me is the hypocrisy.

  8. Justin, thanks for the naming comments – I have zero experience in the security industry so very happy to hear the name suits. It then makes even more sense to target security professionals rather than corporates.

    I’m (still) all for continued Auditshark coverage. My markets are very different but I learn from what is relevant and am entertained by what is not.

    I’m also glad I don’t have similar ongoing commentary about my own ability to deliver!

  9. I’m definitely watching and learning from Mike’s development of AuditShark as both a product in the security space and as a product in the enterprise market. Around 5 years ago I was hired as a software engineer for a major hospital and within weeks of coming on-board my function changed to support of an identity access management solution from a vendor. They had been struggling with the product for years and I inherited that bundle of joy. Over time, I found myself building alternate solutions to fix parts of the product that were not working. Over a year I essentially had my own product performing the same and more capabilities than what the vendor had promised. The hospital noticed we did not have any issues for over a year and that we had new capacities and they decided to drop the vendor in favor of the product I built. I soon learned that all hospitals have the same pain points and I decided to work on a product in the security industry for the enterprise space. So I can relate very much to Mike’s struggles with working a day job, raising family, recognizing the niche market gaps and needs of the enterprise space and developing large scale solutions under constrained resources. It’s a demanding journey, so Mike as a community member busy building stuff I thank you for taking time from this path to share and discuss your experiences and lessons learned.

  10. While I am fairly new to listening to this podcast, for only the past few months, I have listened to about half of them already and have enjoyed them quite a bit.

    While Startups for the Rest Us primary focus tends to be bootstrapping and being a Micropreneur, that should not exclude niche products expanding and growing out if its niche to a different and/or larger market.

    From what I’ve heard, Mike is confident in his product’s capabilities and value as he more clearly mentioned in this podcast based on his experiences in that market as a consultant. His initial intentions for Audit Shark was to be Saas or Saas-like product for a niche target market. The fact that the target market ended up not where he thought it was, does not mean it was a dead product because all other factors appeared solid. It is apparent that finally, after illnesses and tremendous hours working his other business (I feel your pain, been there and done that), he was able to reconsider his options, re-evaluate his target market, and re-tool his product.

    I believe that Mike has been successful with his other businesses and his shared experiences with Audit Shark is great opportunity to explore the learning curves to grow a software product beyond a niche market, to see if it will go enterprise or a different direction altogether.

    At some point he will be successful or not. To borrow a quote from Thomas Edison, “I have not failed. I’ve just found 10,000 ways that won’t work.”

    I am interested in learning what happens to Audit Shark and I hope Mike is successful with it!

  11. I guess I missed when this became SaaSonlyfortherestofus.

    To Mike, if you are putting yourself out there on the internets and not getting haters, you’re not doing it right. Keep on keeping on.

    Rob, thanks for all your candid thoughts. These kinds of conversations are what make this podcast so informative. Not slavish, toe the line, SaaS only behavioral tutorials.

  12. I encourage Mike to keep posting updates regularly.

    IMO Mike is a classic bootstrapping entrepreneur, a developer with a lot of experience, runs his own business, did not take any outside money, does not employ tons of staff (if any at all), etc.

    Everyone should try to leverage their expertly and advantages. If you’re a gamer or are familiar with the gaming market, maybe you should write an iPhone game, if you’ve spent tons of time with enterprises, know how the system works and can offer real value to enterprises that’s great.

    While I really wish Mike a great success with AuditShark and truly believe that he should explore this opportunity and give it a real chance, there’s a lot to learn from Mike’s journey even if it’ll eventually fail or Mike will decide to work on something else. Well, very much like any podcast opening ~”…help you avoid the same mistake we’ve done…” isn’t it?

  13. I’m not a Mike or AuditShark hater. It’s just we have to be realistic. 4 years and still no real business??? FOUR YEARS?? You’ve got to be kidding.

    It doesn’t matter if he has domain experience. If anything, this fact should make it an even worse example. Nothing about AuditShark was done right. Niche, enterprise, Saas, or whatever you want to call it.

    But my main point is, are the listeners learning anything from AuditShark? Are we getting new tips for how to market? Are we learning how to build and measure new ideas from AuditShark? Are we learning how to acquire customers? I must answer NO to all of these.

  14. Well a lot has been said in the comments above….

    Mike… for Audit Shark:

    1) How many paying customers do you have?

    2) What is the lifetime revenue since starting the company?

    3) What is the cost per acquisition of a new customer?

    No, these aren’t rhetorical questions, but simple questions that you should know the answer to, that you should have a handle on into a 4 month mvp startup let alone a 4 Year company.

    Rob, its your responsibility to pose these questions to Mike, no sidestepping is allowed by him. You are well versed in these elements, and indeed know the importance of them, so when you discuss Drip or your other products, and mention these key metrics you have my undivided attention. With mike, its more talk and no substance.

    Susan

  15. This episode didn’t many anybody feel better about Mike Taber, just confirmed that for the past 180 episodes one person was speaking from experience, the other was just parroting.