How Casey Ellis Built Bugcrowd to $180M Raised

Episode 82 · October 13, 2025

Bottom Line Up Front

Casey Ellis turned hackers into a trusted marketplace and raised $180M+ building Bugcrowd. This episode covers how he validated a two-sided marketplace with $500 and no code, refined his pitch by testing it on real Uber drivers, cracked category creation when hackers were seen as the enemy, and landed Google as a customer in month four. Essential reading for marketplace founders, category creators, and anyone struggling to simplify their message.

Casey Ellis shut down a profitable services business to bet everything on a crazy idea: what if hackers were the solution, not the threat? He validated the marketplace with MailChimp, a Wufoo form, and $500—then refined his pitch in the back of Ubers until it clicked.

Key Facts

  • Total Raised: $180M+ (Episode metadata)
  • First customer landed: Google, within 4-5 months of launch (Casey Ellis)
  • Supply-side validation: ~5,000 hacker signups in first 1-2 months via MailChimp (Casey Ellis)
  • First-year milestone: $1M in bookings in year one, ~$3M year two (Casey Ellis)
  • Category inflection point: DOD's Hack the Pentagon program in 2015 accelerated mainstream adoption (Casey Ellis)

From White-Label Pen Testing to Marketplace Idea

Casey spotted a structural mismatch: defenders paid one person by the hour while attackers operated as a crowd. When every customer asked why they weren't crowdsourcing security, he realized the same objections kept surfacing—and could be solved with a platform.

Casey ran a white-label pen testing business in Sydney from around 2009, which gave him direct access to security buyers and their frustrations. The business generated decent cash but felt like a dead end. 'Revenue and profit, and all those different things are important. But ultimately what they should be is trailing indicators of actually solving the problem,' he told host Pablo Srugo.

The insight that sparked Bugcrowd came on a flight home from Melbourne. Casey had been pitching the concept of crowdsourced security to customers informally, walking them through a simple ascending close: would fifty people outperform one for the same cost? Every customer said yes. Every customer said they weren't doing it because hackers seemed dangerous, payments to international researchers were logistically hard, and their teams couldn't handle the volume of submissions. Same three objections, every time. He registered the Bugcrowd domain and Twitter handle the same day.

"There's latent potential on this side and unmet demand on this side. What if I plug those things in together and try to change the future of work when it comes to security?" — Casey Ellis

Validating the Marketplace with $500 and No Code

Before writing a line of platform code, Casey collected ~5,000 hacker signups via social media and MailChimp, ran a live program using Wufoo forms, put $500 of bounty on an app he built, and watched it get demolished—proving supply showed up and the model worked.

The first question Casey needed to answer wasn't 'can I build this?' It was 'will anyone show up?' He ran social media campaigns targeting the hacker community and collected signups through MailChimp. Within one to two months, roughly 5,000 researchers had signed up. Supply side: confirmed.

Demand validation came next. He ran a real bug bounty program on an application he'd built himself, posting a $500 bounty through a Wufoo form for vulnerability submissions. 'It got completely destroyed from a security testing standpoint,' Casey said. 'So it's like, okay, this model seems to work.' His technical co-founder didn't build the first real platform version until the flight from Sydney to San Francisco to raise the seed round.

This approach—no-code tools, real transactions, real researchers—gave Casey something more valuable than a prototype: proof that both sides of the marketplace would transact. It also helped him figure out what data to collect from researchers before committing to a database schema.

"The idea of using no-code solutions to do that initially with the view of actually cutting our own platform later—that was a very deliberate design choice early on." — Casey Ellis

  • MailChimp for community management for the first six months
  • Wufoo forms for vulnerability intake—deliberately low-tech to stay flexible
  • $500 bounty on a self-built app to test researcher participation
  • Platform code written only after supply, demand, and transaction model were confirmed

Problem-Solution Fit vs. Product-Market Fit

Casey draws a sharp line between these two concepts. Having a technically sound solution to a real problem means nothing if you haven't connected it to where buyers actually live, how they budget, and what language makes them act. One without the other is a tree falling in an empty forest.

One of Casey's core frameworks is that problem-solution fit in isolation is a trap—especially for technical founders. 'Problem-solution fit in the absence of product-market fit doesn't solve the problem,' he said. 'If you don't plug it into where the problem actually exists, then it's like a tree falling in the forest with no one there.'

For Bugcrowd, this showed up clearly when Casey was pitching US VCs. His Australian pitch—basically 'more testers for less money'—was a solid problem-solution fit. But it failed repeatedly in Silicon Valley because it framed Bugcrowd as a cheaper alternative in an existing market, not as a category-defining platform. The pitch that worked reframed the vision: crowdsourcing is a permanent, structural component of how defenders will outsmart adversaries. That's product-market fit thinking—connecting the solution to a large, durable, and growing market reality.

Casey says he felt true product-market fit arrive in 2016, accelerated by the Department of Defense's Hack the Pentagon program in 2015. When the DOD publicly asked the internet to help secure its systems, the category legitimacy question was answered at scale.

"Problem-solution fit in the absence of product-market fit doesn't solve the problem. That's a great problem-solution fit you've got there—if you don't plug it into where the problem actually exists, then it's like a tree falling in the forest with no one there." — Casey Ellis

The Uber Pitch: Simplifying Your Message Until Anyone Gets It

Casey literally tested his pitch on every Uber driver in San Francisco—not as a metaphor, but as a real refinement process. If a non-technical stranger showed buying intent within 30 seconds, the message was working. This discipline built a foundation simple enough for a CISO to resell internally.

After blowing his first five or six Sand Hill Road pitches, Casey went back to basics. He spent about a month refactoring his message, and his testing ground was the back seat of an Uber. 'Literally every time I got in the car, I'd do this and this is how I refined my pitch,' he told Pablo. The goal: explain Bugcrowd in 30 seconds or less, with no jargon, and get the driver to lean in with curiosity.

The principle he calls 'simple is strong' has been a Bugcrowd operating principle since day one. 'How do you boil something down without burning it?' Casey said. 'Because if you can get it to that point, then you can add complexity on top of it, and you've got a really strong foundation. If you don't do that first, then you've got all this complexity that you're trying to navigate and build on top of.'

This matters beyond the founder's own pitch. In B2B sales, your internal champion has to resell the solution to a CFO, a VP, a board. If your message requires technical fluency to land, you're creating unnecessary friction at every internal step. The Uber pitch test is a proxy for how well your champion can carry the message without you in the room.

"If I can get this out, have them show some sort of buying intent, not confuse them or trip them up in the process—the more consistently I can do that, the more I'm going to be able to create a message that my team is going to pick up and sell." — Casey Ellis

Early Go-To-Market: Network First, Then Scale

Before funnels, PLG, or paid sales hires, Casey tapped out his existing network in Australia through relational outbound. In the US, he hired salespeople specifically for their trusted relationships in cybersecurity—replicating the network advantage he had at home.

Casey's GTM advice for early-stage founders is blunt: don't think about marketing funnels or hiring salespeople until you've exhausted your personal network. 'The bulk of the power that you're going to have pre-Series A is probably going to come from there,' he said. In Australia, that meant calling contacts one degree of separation away and asking them to try a new thing. It worked because he'd already built trust as a practitioner.

When Bugcrowd moved to San Francisco, Casey recognized he didn't have that same network capital. His solution: hire for it. He brought on two salespeople—always two, never one, so they'd compete and push each other—who had existing relationships and trusted voices in US cybersecurity. Technical depth mattered less than relationship depth at that stage.

On brand and community marketing, Bugcrowd became known as 'a swag company that dabbles in cybersecurity.' At one of the largest US security conferences, with only seven employees, Casey printed 500 t-shirts reading 'my other computer is your computer.' By end of week, it looked like a hundred people worked for Bugcrowd. Those shirts are now connected to seven- and eight-figure customer relationships.

"Don't think about marketing funnels or PLG or hiring salespeople, or any of that stuff until you as a founder have figured out how to tap out your existing network." — Casey Ellis

  • Tap your full personal network before hiring any sales function
  • In new markets, hire people who have the network you lack
  • Always hire two salespeople, not one—competition drives performance
  • Brand investment pays long-term even when short-term ROI is invisible

When to Step Back as Founder CEO

Casey brought in a CEO about six years into Bugcrowd, moved to Chairman and CTO, then later to Chief Strategy Officer. His advice: regularly and fearlessly ask yourself whether you're the right person for the role—the moment that question feels threatening, you have a real problem.

After thirteen years building Bugcrowd and open-heart surgery in July 2024 due to a genetic heart valve issue, Casey's relationship to the CEO role has evolved significantly. He stepped back from day-to-day operations to focus on recovery, supported by CEO Dave Gerry, whom he brought in several years prior. 'That was a huge blessing to be in that position as all the stuff went down,' Casey said.

His framework for founder-CEO transition is built around one question: 'Am I the right person to be doing this?' He argues founders should ask it constantly and fearlessly. 'The moment you start to get nervous about asking that question, you've got an actual problem.' If the honest answer surfaces gaps, those gaps become hiring opportunities, coaching priorities, or handoff signals. The company's mission matters more than any founder's title.

"In that seat, you should be completely unafraid to ask yourself the question, am I the right person to be doing this? Because the moment you start to get nervous about asking that question, you've got an actual problem." — Casey Ellis

Australian vs. US Pitch: What Changed

| Pitch Version | Core Framing | VC Response |
|---|---|---|
| Australia pitch | Better pen testing ROI—50 testers for the cost of 1 | Worked locally; seen as credible and practical |
| Early US pitch | Cheaper, more effective pen testing alternative | Fell flat—framed as race-to-zero in existing market |
| Refined US pitch | Crowdsourcing as permanent infrastructure to outsmart adversaries | Oversubscribed $2M seed round |

Frequently Asked Questions

How did Bugcrowd validate its marketplace before building a platform?

Casey used MailChimp to collect ~5,000 hacker signups, ran a real bug bounty program through Wufoo forms with a $500 bounty, and confirmed the model worked before writing platform code. As he put it, the first platform version was built on the flight to San Francisco to raise the seed round.

What is the Uber pitch technique Casey Ellis used?

Casey literally tested his pitch on every Uber driver in San Francisco—explaining Bugcrowd in 30 seconds with no jargon and watching for buying intent. He used this to refine his message until non-technical strangers understood and leaned in, building a foundation his sales team could carry.

When did Bugcrowd hit product-market fit?

Casey says 2016 was when Bugcrowd truly hit its stride—messaging had sharpened, the team had grown, and the Department of Defense's 2015 Hack the Pentagon program had validated the entire market category publicly, accelerating mainstream enterprise adoption.

What is the difference between problem-solution fit and product-market fit?

According to Casey, problem-solution fit means you've built something that technically solves a real problem. Product-market fit means you've connected that solution to where buyers actually exist, how they budget, and what language moves them to act. Without the second, the first creates no business value.

Casey Ellis built Bugcrowd to $180M+ by solving the marketplace problem before the product problem, simplifying his message until strangers understood it, and reframing an entire industry's relationship with hackers. The full conversation—including how he blew every top VC pitch before cracking the right framing—is on The Product Market Fit Show.
