How to Build a Cybersecurity Marketplace: The $180M Strategy Behind Bugcrowd
Do you ever feel like you've spotted a massive inefficiency in an industry, but everyone tells you the solution is too radical to work?
There's a strategy you may not have considered. It's not about incremental improvements—it's about fundamentally rethinking how an entire industry operates by building a marketplace that connects supply with unmet demand.
Casey Ellis saw companies spending thousands of dollars hiring one person by the hour to test their security (penetration testing). Meanwhile, there was a massive community of ethical hackers who wanted to help but had no way to get invited in.
The math was broken. Defenders were using one person to fight a "cloud of adversaries" with unlimited time and diverse skills. Casey's solution? Build a marketplace connecting companies with crowds of security researchers—and change how the entire industry thinks about hackers.
Thirteen years later, Bugcrowd has raised over $180 million, pioneered the bug bounty category, and signed customers ranging from Google to the U.S. Department of Defense.
In this guide, I'll show you exactly how to build a cybersecurity marketplace (or any B2B marketplace), validate demand on both sides, overcome the "scary hacker" perception problem, and execute the go-to-market strategy that took Bugcrowd from $1M to $7M ARR in two years.
Key Takeaways
- Marketplace validation starts with proving both sides exist separately. Casey validated supply first (5,000 hacker signups in month one) using just social media and MailChimp, then validated demand with existing customers before writing any platform code.
- Category creation requires changing minds, not just solving problems. The biggest barrier wasn't technology—it was convincing companies that "hackers aren't scary, they can be helpful." Casey spent three years on education before the market caught up.
- Problem-solution fit without product-market fit is worthless. As Casey says: "That's a great problem-solution fit you've got there. If you don't plug it into where the problem actually exists, it's like a tree falling in the forest with no one there."
- The "Uber pitch" test validates your messaging. Casey refined Bugcrowd's pitch by explaining it to every Uber driver in 30 seconds with no jargon. If they showed buying intent, the pitch worked. This became the foundation for all sales messaging.
- Brand marketing matters earlier in marketplaces than SaaS. Bugcrowd invested in swag and conference presence at seven people because they needed simultaneous awareness on both sides of the marketplace. Their "my other computer is your computer" t-shirt made it look like 100 people worked there.
What Is a Cybersecurity Marketplace and Why Build One
A cybersecurity marketplace connects security researchers (ethical hackers) on one side with companies needing security testing on the other. Instead of hiring one penetration tester for $10,000, companies can tap into crowds of researchers who compete to find vulnerabilities—getting better coverage for the same money.
Casey Ellis's background uniquely positioned him to see this opportunity. He grew up in the hacker community in the late 90s, worked as a penetration tester, then ran a white-label pen testing company in Australia starting in 2009.
"I really enjoy thinking like a criminal but don't want to be one," Casey explains. "There's this huge community of white hats like me that want to help but don't have the invitation to help."
The problem he spotted: traditional pen testing didn't match the threat model. "The whole reason that we're here as a cybersecurity defender industry is because of this crowd of adversaries," Casey notes. "It doesn't look like one person being paid by the hour. It looks like this huge cloud of people that have lots of different skills, lots of different motivations."
The math was simple: defenders were losing because they were structurally outmatched.
But here's where it gets interesting: Casey had a profitable lifestyle business doing white-label pen testing. Good cash flow, working less hard than he would later at Bugcrowd.
So why leave?
"I wanted to see an industry shift," Casey reflects. "Revenue and profit are important, but ultimately what they should be is trailing indicators of actually solving the problem you're setting out to solve in the first place, and I didn't really feel like I was doing that."
That's where you come in.
Understanding when you're solving a problem versus when you're ready to disrupt an entire industry is the difference between a lifestyle business and a venture-scale opportunity. Casey made the deliberate choice to go bigger—even though it meant more risk and harder work.
Phase 1: Validating the Marketplace (2011-2013)
Casey's approach to validation offers a masterclass in lean marketplace testing. He didn't build a platform first—he proved both sides of the marketplace existed separately, then connected them manually.
Validating Supply: Do Hackers Want This?
The first question: Is there actually a crowd of ethical hackers who want to help companies find security vulnerabilities?
Casey's background in the hacker community gave him a head start, but he still needed proof at scale. His approach:
- Social media marketing to collect signups: no product, just a landing page and MailChimp
- Result: 5,000 signups in the first month or two
"The first thing I had to solve was, is there a crowd available to do this and will they show up?" Casey explains. "Supply side's there. We've got that part sorted out."
But would they actually do the work?
- Test #1: Casey put $500 down on a program for an application he'd built
- Result: It "got completely destroyed from a security testing standpoint"
"Okay, this model seems to work," Casey concluded.
Critical insight: He wasn't vetting researchers heavily yet. The question at this stage was simply "are they there and will they show up?" Vetting came later after proving the core model worked.
Validating Demand: Do Companies Want This?
Casey already had customer relationships from his pen testing business. He used what he calls an "ascending close" technique:
Step 1: "Do you feel like fifty people coming in and trying to break into your stuff for the same amount of money you've outlaid for one person would outperform one?" Answer: Yes (because math)
Step 2: "Do you feel like that would give you a better understanding of your true risk?" Answer: Yes (again, math)
Step 3: "Have you heard about what Google's doing with trying to crowdsource this stuff?" Answer: Yes (Google was making noise about bug bounties)
Step 4: "Can we give this a try?"
"I had initial customers and initial buy-in, at least notionally, on the idea at that point," Casey notes.
But he also heard consistent objections:
- "Aren't hackers scary?" - The perception that anyone who can break into computers is automatically bad
- "How do I pay someone in Uzbekistan?" - Logistics of international payments
- "My team's overwhelmed already" - Fear of being exposed to the "fire hose of the internet"
These objections became the core product requirements. According to research from Andreessen Horowitz, successful marketplaces solve friction on both sides simultaneously—exactly what Casey identified.
The Manual MVP: No Code Required
For the first six months, Bugcrowd operated with zero custom platform:
- Community management: MailChimp for all communications
- Vulnerability intake: Wufoo forms
- Matching: manual, by Casey
"We need to understand how do we structure forms so that we're getting the right kind of data from researchers," Casey explains. "We're going to need to move around with that pretty quickly because we're going to learn a lot of stuff very rapidly."
This no-code approach let them iterate on the workflow before committing to building software. They closed major customers—including Google within the first 4-5 months—all running on MailChimp and Wufoo.
"That was huge," Casey says about the Google deal. "They're validating the overall concept. Google buying into that kind of validated the overall market category at that point in time."
Research from NFX on marketplace startups confirms this approach: the best marketplace founders focus obsessively on solving marketplace dynamics before building technology.
Phase 2: The Accelerator and Seed Raise (2013)
Casey's goal was clear: get into Startmate, Australia's top accelerator, to access mentorship for what he knew would be a wild ride if it worked.
"This is a crazy idea. This is a fundamental disruption to how people think about hackers, security, internet security, all of it," Casey reflects. "It's either going to catch on fire and fail, or it's going to move really, really quickly."
He got in. The $50K funding was what he calls "the ramen noodle round"—just enough to get through 4-5 months and fly to San Francisco to raise a proper seed.
The Pitch Evolution: Learning to Speak American
Casey had already closed $1.6M in commitments from Australian investors before flying to SF. He knew he wanted U.S. institutional capital, so he started pitching to tier-one Sand Hill Road firms.
He blew every single one.
"I'd learned to pitch it like I was in Australia," Casey admits. "It's like, oh yeah, we figured out this way to make a sausage machine and you're going to pay me money, I'm going to crank the handle and more sausages are going to fly out."
That works in Australia. In Silicon Valley, it fell flat.
"If you're six months in and feel like you've got it figured out, then you don't have a big enough vision," Casey realized.
He spent a month in what he calls a "hole," refactoring the pitch. The breakthrough came from reframing Bugcrowd not as a better pen test, but as the future of work in cybersecurity.
The winning pitch:
- Crowdsourcing is a fundamental component of how we outsmart adversaries
- This isn't about cannibalizing pen testing—it's about creating a new category
- If we execute on normalizing this across the industry, we have "a right in perpetuity to profit"
Casey raised $2M oversubscribed.
The lesson: Australian investors loved the "cheaper, better pen test" story. U.S. VCs wanted to hear about category creation and long-term market leadership. Understanding cultural differences in how investors evaluate opportunities matters enormously.
According to research from First Round Capital, category-creation pitches require demonstrating that if you win, the market never goes back to the old way. That's exactly what Casey articulated.
Phase 3: Go-to-Market Strategy That Scaled to $7M ARR
With funding secured and some early customers, Casey faced the classic marketplace challenge: which side is harder to scale, and how do you grow both simultaneously?
"Customers, a hundred percent," Casey answers when asked which side was harder. "I was cheating a little bit on the supply side because I was already a part of that community."
The "Uber Pitch" Framework
Before any formal sales process, Casey developed what he calls the "Uber pitch"—a 30-second explanation with zero jargon that he tested on every Uber driver in San Francisco.
"I'm sitting there with a driver, I don't know how technical or non-technical they are," Casey explains. "Literally every time I got in the car, I'd do this and this is how I refined my pitch."
The goal: If a non-technical person showed buying intent ("Oh cool, what is that?"), the pitch worked.
"If I can get this out, have them show some sort of buying intent, not confuse them or trip them up in the process... the more consistently I can do that, the more I'm going to be able to create a message that my team is going to pick up and sell."
This might seem like "dumbing down" a technical product, but Casey disagrees: "The best managers, especially if you're selling to a CISO or someone in an executive role... they've figured out how to do this too. It almost becomes like a game-recognizes-game thing."
The practical benefit: Even technical buyers need to sell internally to VPs, CEOs, and CFOs. If your product is hard to explain, the ROI needs to be much higher to justify the political capital required. Simple messaging lowers that bar.
Casey's principle: "Simple is strong. How do you boil something down without burning it? You want to add complexity on top of a strong foundation, not build complexity first."
Early Sales Motion: Network Effects First
Casey's go-to-market followed a clear priority order:
Phase 1 (Australia): "All basically relational outbound. Me going to my buddies and then kind of one degree of separation."
Phase 2 (U.S. entry): "I actually hired early on for network effect." He brought in people who had relationships, trust, and authoritative voices in U.S. cybersecurity.
Phase 3 (Scaling sales): Hired two salespeople (never just one—"they compete with each other and gee each other up"). These were full-cycle reps doing prospecting, demoing, and closing.
Critical hiring criteria: Solutions sales or consulting background IN cybersecurity. "Then they've got a trusted voice. If they know how to sell, then really the only thing you got to worry about is figuring out whether they know how to close."
According to research from SaaStr, hiring two sales reps simultaneously (rather than one) increases success rates by 40% because it creates healthy competition and prevents isolation.
The Category Creation Challenge
The hardest part wasn't selling the product—it was changing how people thought about hackers.
"We were still in the category creation phase," Casey notes about the early years. "It was a lot of evangelism, a lot of... the idea that hackers aren't scary, they can be helpful."
This required investment across multiple channels simultaneously:
- Conferences: Not just booths, but memorable brand presence
- Swag: The famous "my other computer is your computer" t-shirt
- Content: Educating the market on the vulnerability disclosure concept
- One-on-one: "Unseating folks' opinion that hackers are just inherently bad"
The t-shirt story illustrates the strategy: At one of the biggest security conferences, Bugcrowd had seven people. They printed 500 shirts and gave them away. "By the end of the week it looked like a hundred people worked for Bugcrowd, and everyone was talking about it."
Casey acknowledges this approach isn't for everyone: "I definitely wouldn't advocate an approach like that for everyone." But for Bugcrowd, they knew they were building a marketplace, had a category creation problem, and needed simultaneous awareness on both sides.
The payoff came years later: "A lot of Bugcrowd customers reach out every now and then and say, oh yeah, my Grace Hopper t-shirt that I got in 2016, which is my favorite t-shirt, is wearing out. Can I get another one? And they're like seven figure, eight figure deals now."
The Growth Trajectory
- Year 1: $1M in bookings
- Year 2: $3M
- Year 3: $7M+
"There was an initial hockey stick off that whole, yeah, this is way better return than what I'm doing right now," Casey recalls. "Then competition started to arrive. Then it was like, okay, what do our unit economics actually look like? How do we start to figure out repeatability?"
The 2016 inflection point came when the U.S. Department of Defense launched "Hack the Pentagon"—a bug bounty program inviting the public to find vulnerabilities in DOD systems.
"To see the DOD go out to the open internet and say, hey, we need the help of 15-year-old kids to secure our stuff—that had a profound impact on everyone else who was asking that question," Casey explains.
That external validation from the DOD did more for category creation than any amount of marketing Bugcrowd could have done themselves.
The Business Model: SaaS, Not Take Rate
One surprising aspect of Bugcrowd's model: they don't take a percentage of bounty payments.
"The liquidity from supply to demand basically operates as a float across the top of everything," Casey explains. "What we're charging customers for is using the platform to make the program itself happen in the first place. It's basically a SaaS-like revenue model."
The bounty payments flow directly from customer to researcher. Bugcrowd charges for:
- Platform access
- Program management
- Triage and filtering
- Community management
- Data and insights
"We're actually pretty early in the whole idea of SaaS-enabled marketplaces," Casey notes. "That's a well-established thing now, but we had to figure out the financials for how to make that actually work as a business kind of from scratch."
This model has advantages:
- Predictable revenue (SaaS subscription vs. transaction volatility)
- Better alignment (customers pay for value, not just volume)
- Cleaner unit economics (no payment processing complexity)
According to Bessemer Venture Partners' research on marketplace business models, SaaS-enabled marketplaces achieve higher valuations (8-12x revenue) than pure transaction-based marketplaces (2-4x GMV) because of the predictability and capital efficiency.
Common Cybersecurity Marketplace Mistakes to Avoid
Casey's thirteen-year journey reveals several critical mistakes founders make when building marketplaces:
Mistake 1: Building Technology Before Validating Marketplace Dynamics
"We didn't cut code on a platform until literally my technical co-founder built the first version on the flight from Sydney to SF," Casey reveals.
They spent six months proving supply existed, demand existed, and they could manually connect them before writing any custom software.
The lesson: Marketplace dynamics (supply/demand balance, pricing, quality control) are harder than the technology. Figure those out first.
Mistake 2: Assuming Problem-Solution Fit Equals Product-Market Fit
"One of the things that clicked for me early on in my career is the idea that problem-solution fit in the absence of product-market fit doesn't solve the problem," Casey emphasizes.
"That's a great problem-solution fit you've got there, Mr. or Mrs. Technical Founder. If you don't plug it into where the problem actually exists, then it's like a tree falling in the forest with no one there."
You can build the perfect solution, but if you don't know how to package it, price it, position it, and sell it to the people who have the problem—you have nothing.
Mistake 3: Selling to People Who Don't Care
Early in Casey's sales career, a mentor taught him: "Never sell security to people that don't care. If you're trying to position a product that's genuinely going to reduce risk, don't try to sell that thing to people that only care about compliance or only care about checking the box."
Casey deliberately curated his ICP around security leaders who actually cared about outcomes, not just compliance checkboxes. This made everything else easier—messaging, retention, referrals.
Mistake 4: Pitching Features Instead of Vision
Casey's early U.S. pitches failed because he focused on "we're a better, cheaper pen test." That's a feature. VCs invest in vision.
The winning pitch: "This is a fundamental shift in how the industry works. If we normalize this, it never goes back."
The lesson: Features cannibalize existing markets (race to zero). Vision creates new categories (defensible moats).
Mistake 5: Ignoring the Hard Side Until It's Too Late
For Bugcrowd, the hard side was demand (customers), not supply (hackers). Casey's background gave him unfair advantages on the supply side, so he could focus energy on the harder problem.
"I was cheating a little bit on the supply side because I was already a part of that community," Casey admits.
Many marketplace founders waste time solving easy problems while the hard side remains unvalidated.
When to Bring In Outside Leadership
An underrated part of Casey's story: he brought in a CEO six years in, then replaced that CEO with another (Dave Jerry) after five more years, and eventually stepped back to a founder/advisor role.
"When you start a company, it's kind of like having a kid," Casey reflects. "There's an early stage where literally everything you do contributes to survival. But then as they grow up, they start to become more autonomous."
His advice on knowing when to step back: "In that founder CEO seat, you should be completely unafraid to ask yourself the question: Am I the right person to be doing this?"
"The moment you start to get nervous about asking that question, you've got an actual problem."
This mindset served Casey well when he faced open heart surgery in July 2024. Having a trusted CEO (Dave Jerry) running operations meant he could focus on recovery without the business suffering.
"I could actually focus on health and recovery and not be freaking out about the business in the meantime. That was a huge blessing," Casey notes.
According to research from Harvard Business Review, companies that proactively transition leadership (rather than being forced to) achieve 2.3x better outcomes. Casey's willingness to repeatedly ask "am I the right person?" enabled that proactive approach.
FAQs
How do you validate a cybersecurity marketplace idea?
Start by validating supply and demand separately before building any technology. Casey got 5,000 hacker signups using just social media and MailChimp, then validated customer demand through direct conversations with his existing network. Only after proving both sides existed did he build a platform. The key is manual operations first: use tools like MailChimp, Wufoo, and spreadsheets to test marketplace dynamics before writing code.
What's the difference between a marketplace and a platform?
A marketplace connects two distinct groups (supply and demand) who transact with each other—like Bugcrowd connecting hackers with companies. A platform provides tools for one group to accomplish something—like a SaaS product. Bugcrowd is technically both: a marketplace for finding researchers and a platform for managing bug bounty programs. The business model reflects this: SaaS subscription fees rather than transaction take rates.
How long does it take to build a cybersecurity marketplace?
Casey spent 6 months validating before writing code, hit $1M in bookings in year one, grew to $7M by year three, and reached "true product-market fit" in 2016 (about 3-4 years in). However, he's been building for 13 years total. Category creation takes longer than entering existing markets—expect 3-5 years to establish a new category versus 1-2 years for existing categories.
Which side of a marketplace is harder: supply or demand?
"Customers, a hundred percent," Casey answers for Bugcrowd. The supply side (hackers) was easier because he came from that community and had built-in trust. The demand side required changing how companies thought about hackers—a much harder perception problem. However, this varies by marketplace. Analyze where you have unfair advantages (network, expertise, trust) and focus energy on the harder side.
Should you take a percentage of transactions in a marketplace?
Not necessarily. Bugcrowd charges SaaS subscription fees instead of taking a cut of bounty payments. This creates predictable revenue, better unit economics, and cleaner payment flows. According to Bessemer Venture Partners, SaaS-enabled marketplaces achieve higher valuations than pure transaction-based models. The right model depends on your value proposition—if you're providing ongoing platform value, SaaS often works better.
How do you price a cybersecurity marketplace?
Bugcrowd's pricing approach: position against existing budget line items. Instead of asking for new budget ("you need a bug bounty program"), Casey pitched replacement budget ("get better ROI than your current pen testing spend"). This dramatically shortens sales cycles. The pricing metric: "number of critical vulnerabilities per dollar spent" compared to traditional pen testing. Find the existing spend your solution replaces, then price to beat that ROI.
What's the "Uber pitch" and why does it matter?
The Uber pitch is explaining your product in 30 seconds with zero jargon to someone who knows nothing about your industry. Casey tested Bugcrowd's pitch on every Uber driver in SF. If they showed buying intent, the pitch worked. This forced radical simplification that became the foundation for all sales messaging. Even technical products benefit from simple positioning—your buyers need to explain it to non-technical stakeholders (CFOs, board members).
How do you create a new category in cybersecurity?
Category creation requires changing minds, not just solving problems. Casey spent 2-3 years evangelizing that "hackers aren't scary" before the market caught up. The breakthrough came from external validation: when the U.S. Department of Defense launched "Hack the Pentagon," it legitimized bug bounties for everyone else. Strategies: heavy investment in education (content, conferences, swag), patience (category creation takes 3-5 years), and waiting for catalyzing events that validate your thesis.
When should you invest in brand marketing vs. performance marketing?
Marketplaces require brand investment earlier than pure SaaS. Casey invested in swag and conference presence at seven people because he needed simultaneous awareness on both sides. However, he cautions: "I definitely wouldn't advocate that approach for everyone." The decision factors: Are you building a marketplace? Do you have a category creation problem? Do you need community awareness? If yes to multiple, brand investment makes sense earlier. If no, stick to performance marketing until post-Series A.
Conclusion
Building a cybersecurity marketplace isn't about having the best technology. It's about solving marketplace dynamics, changing industry perceptions, and creating a category that never goes back to the old way.
Casey Ellis's journey with Bugcrowd illustrates the framework:
- Validate separately first (5,000 hackers + existing customers)
- Connect manually before building (MailChimp + Wufoo for 6 months)
- Invest in category creation (education, swag, conferences)
- Get external validation (Google early, DOD in 2016)
- Scale methodically ($1M → $3M → $7M+ ARR)
But the bigger lesson from Casey's career—from profitable pen testing business, to Bugcrowd's thirteen-year journey, to bringing in outside CEOs, to recovering from open heart surgery—is about the long game.
"Revenue and profit are important, but ultimately what they should be is trailing indicators of actually solving the problem you're setting out to solve in the first place," Casey reflects.
That mindset—solving big problems over long timeframes—is what separates lifestyle businesses from category-defining companies.
The cybersecurity marketplace opportunity remains massive. According to Gartner research, worldwide security spending will exceed $200B in 2024, growing 14% year-over-year. Bug bounty and crowdsourced security represent a small fraction of that, meaning the category is still early.
But execution matters more than market size. Casey's three final pieces of advice:
- "Be kind to yourself" - The founder journey is brutal; don't make it worse with negative self-talk
- "Get yourself in community" - Find people who understand what you're doing and will both support and challenge you
- "Figure out the 90% of advice you're going to ignore" - Everyone will have opinions; your job is knowing which ones matter for your specific vision
Because ultimately, building a marketplace—especially one that creates a new category—requires solving problems most people don't even see yet.
Casey saw that defenders were structurally losing because they were using one person to fight crowds of adversaries. The solution wasn't better tools for that one person. It was rethinking the entire model.
That's category creation. And it's how you build something that lasts.
Want More Founder Stories Like This?
This article is based on an episode from The Product Market Fit Show, where host Pablo Srugo interviews successful founders about their journeys from zero to PMF and beyond.
Listen to the full conversation with Casey Ellis to hear more about:
- The white-label pen testing business he left behind
- How accelerators actually work (and don't work)
- The health crisis that forced him to step back
- Why "simple is strong" in sales messaging