How his AI-enabled Services startup hit $1M ARR in just 3 months. | Shahar Peled, Founder of Terra Security

Shahar Peled (00:00:00) :
I think asking these people, would you buy this or would you use this, is too easy of a question. Yeah, if they have a problem around it and if you can solve it, they'll buy it. My question was, how much would you pay for it? I think my question about product market fit is, when you turn the solution off, how long it's going to take people to call you.

Pablo Srugo (00:00:16) :
How fast did you hit that million dollar mark?

Shahar Peled (00:00:19) :
It was a few months. It was very, very, very quick. Once we moved to selling a continuous Agent TKI Pentest product, annual subscriptions, in pretty much a quarter, we hit a million.

Previous Guests (00:00:31) :
That's Product Market Fit. Product Market Fit. Product Market Fit. I called it the Product Market Fit question. Product Market Fit. Product Market Fit. Product Market Fit. Product Market Fit. I mean, the name of the show is Product Market Fit.

Pablo Srugo (00:00:43) :
Do you think the Product Market Fit Show has product market fit? Because if you do, then there's something you just have to do. You have to take out your phone. You have to leave the show five stars. It lets us reach more founders, and it lets us get better guests. Thank you. Shahar, welcome to the show, man. It's great to have you here.

Shahar Peled (00:01:00) :
Thank you, Pablo. Great to be here.

Pablo Srugo (00:01:02) :
Cool, man. So you just raised a $30 million Series A from Felicis. Funny enough, we had Aydin, the founder of Felicis, on the show a while ago, actually, and he was telling us about, you know, they did the Series A of Shopify. They did, I think, the Series A of Canva. They did the first round of Notion. So a very good firm has chosen to partner with you. Curious to get into all that. I mean, when did you start this business? 2024, is that correct?

Shahar Peled (00:01:24) :
Yeah, the end of 2024 is where Terra was born. It's just fine because it's been less than a year, and it was just me and my co-founder, Gal, and now there are thirty something of us, almost forty, $38 million in funding. And it wasn't just Felicis. Felicis led the round, but we had, you know, Dell Capital with us, SPCI, of course, our existing investors from the Same Ventures and Law Partners and Underscore. So yeah, less than a year.

Pablo Srugo (00:01:50) :
It's crazy how things can move when you unlock crazy value and just find product market fit. Maybe to start, tell us a little bit about your background, especially since this story is only going to be a timeline of a year. Tell us a little bit about your background, just to set the context.

Shahar Peled (00:02:05) :
Yeah, so my background is in management and cybersecurity. I majored in data science at Business and moved during school. I had an opportunity to be a CEO of a startup. Wasn't the founder, but the CEO. I met this entrepreneur who had multiple businesses. I really wanted to work with him. He had a good idea. I was looking for someone to build it. So I pretty much built the business from the ground up. We raised $5 million. It was sold really nicely. Then I had to leave because my now wife, who is a doctor, was assigned to a hospital in the northeast part of Israel. And I couldn't really come to the office every day in Tel Aviv and moved to JIT quickly after they raised almost $40 million seed round.

Pablo Srugo (00:02:44) :
What was JIT? What do they do?

Shahar Peled (00:02:45) :
JIT is an application security company, ASPM. Now they're in the agentic app space, or agentic security. Really promising company, raised a lot of money from top-tier VCs, third-time founders. They had no one on the business end of the company. They were looking for someone to lead the business, to go to market. So I joined as the VP of go-to-market, led everything from sales, marketing, customer success, operations, business development, and partnerships.

Pablo Srugo (00:03:10) :
Kind of a CRO, sort of like a Chief Revenue Officer type of role.

Shahar Peled (00:03:13) :
Yeah, I wasn't a C level, I was the VP, but basically I was in charge of everything: revenue, go to market, marketing, operations as well. From zero, everything was very early to about sixty paying customers when I left, and then the idea of Terra came from my experience and my co-founder, who came from Big Idea. We knew that things were broken. I know you didn't ask about the background yet, only mine, but it was so clear to us this was going to happen. So I've been at JIT more than two years. Once Gen AI became a thing, I knew we were going to build this. We were just looking for the right time. So after that, Terra came to life.

Pablo Srugo (00:03:51) :
Tell me more about, you said that it was obvious that something was broken, especially for people that are, which is most people, not in cybersecurity. Give us enough so we can kind of get a sense of what it was that you saw, what it was that you knew was broken and had to be fixed post Gen AI.

Shahar Peled (00:04:06) :
Yeah, so Terra Security is an agentic AI powered continuous pen test solution. Pen test, or penetration test, is basically a cybersecurity process to try to mimic adversaries in the way to hack a system, an application, or a network. It is such a complicated process, so it's manual. Not many people have figured out a way to do it automatically. So basically what happened is that there are service companies who do this. Almost every company in the world has to do it at least once, sometimes even thousands of times a year, not just for security purposes, but also for insurance purposes and compliance purposes.

Pablo Srugo (00:04:42) :
So to be clear. I mean, the simple way of putting it is you pay people to try and hack into your app or website or whatever it is, and then you find vulnerabilities that way.

Shahar Peled (00:04:49) :
Exactly, exactly. Because there are lots of scanners in cybersecurity that find vulnerabilities. Some of them are, you know, on paper. What adversaries can do is real. That's the difference between being exploitable and being vulnerable. So what these pen testers, or penetration testers, are trying to do, they are really skilled humans, ethical hackers, as we call them. They're trying to hack your company, show you what adversaries could have done, then give you a report. But because they're manual, they can't really scale. And they do it on a very narrow scope of what we call an attack surface. Attack surface is basically where adversaries can reach from. And it's been a very inefficient process. And it's been that way for twenty five years. Sometimes some would say even more. And when Gen AI came to life, let's say two years ago, it became worse because the gap between what you could have tested with manual processes to what you needed to test with client test processes before Gen AI was still large. You still usually would have done it as an annual process on a narrow, usually seven to ten percent of what we call the attack surface. And then when Gen AI came to play, the first people who became more efficient are engineers, right? They got AI powered tools. They write more code. Some do it with less visibility than ever. With one line of human language, you can get one hundred lines of code. You don't always understand everything that's written. So you write more code. You create more software. A lot of these AI powered coding tools are based on open source. Open source can be very often vulnerable, which means you introduce more vulnerabilities. And the second thing is that adversaries, the bad guys, the hackers, it's much easier for them to adopt AI native tools or adopt new technologies that have no compliance or regulations or, you know, companies or bosses behind them.

Pablo Srugo (00:06:38) :
And the incentives are bigger too, I would think. If you can hack, you know, for them it's like it's money in the bank sort of thing if they can penetrate.

Shahar Peled (00:06:45) :
Exactly, but now it can mean multiple places at once. They can be more efficient, they can be more creative, and they leverage these AI tools. I think when we started, a few days ago, in the Anthropic report it talks about the first AI powered breach. It was massive. We've been talking about it since we founded the company, so we knew it was possible, but now everyone sees it. So, you know, two things happened that made it worse. But the one thing that brought Terra to life is that, at least we believe, this was the first time in history that humans have the technology to mimic how we humans think and operate in real time at scale, which we believe is the basis for real innovation in the form of pen testing, which is the domain we're building in. And there are lots of mechanisms, pen testing, some would say red teaming, which is another form of offensive security, trying to breach to tell you where you're vulnerable. This is how Terra came to life because the problem became more severe. People are going to spend more money on it. It's already a large market, but it's going to get much larger. But now there's actually a potential solution to scale this, and this technology is called agentic AI. It's taking the deterministic aspects of code, which is scripted basically, you tell it to do X, it's going to do X and then Y and then Z, with the degrees of freedom, or let's say the reasoning or creative of AI that can make decisions in real time. When you bring these two together, you can actually create magic.

Pablo Srugo (00:08:12) :
So I got a couple questions. The first one is, is pen testing not a bit of a checkbox exercise? The worry would be that a lot of companies, they pay pen testers to go in and try and find vulnerabilities, partially because they want to find them, partially because there's compliance or other things that just say they have to undergo these things. And so for them, if that's true, then the incentive of the pen testing being much better is not as high. How does that actually work in practice?

Shahar Peled (00:08:38) :
Yeah. So for many people in cybersecurity, pen test is a checkbox exercise because it's a must-have criteria for compliance purposes. But for most organizations, the larger enterprise, there is one person in the organization, someone who is in charge of compliance, that for them, it's a checkbox exercise, but for the security people, cybersecurity people, it's security validation. It's one of the most powerful and effective capabilities because you can actually tell very unique individuals, ethical hackers, to tell you how good you are, what you can achieve, what you can accomplish, and how much it's going to cost me, can we quantify the potential harm to the business if you manage to do X, Y, and Z. So yeah, there is this paradigm that pen test is a checkbox exercise. I think it became a checkbox exercise because people couldn't find a way to scale it and have it become a part of their development life cycle or cybersecurity operations because, again, it's a manual, point-in-time process. But think about it, if you could run it all the time across every change to what we call the attack surface, as we explained before, and in a way that is aligned with your business context and development lifecycle, it becomes the single point of truth. It becomes the ultimate security validation. It kind of reduces the need for some other cybersecurity capabilities that are looking for vulnerabilities that might not be exploitable in reality, but it hasn't been a possibility so far. So for so many people, it became a checkbox exercise, but in our belief, and we see it already with our early customers and we see how we grow lately, this is becoming the most efficient and effective security capability as the premise has been for twenty five years, but the reality wasn't.

Pablo Srugo (00:10:21) :
Because in a way, the problem you're solving for that Chief Security Officer is that they invest in security all the time. And they're obviously just trying to push that up as much as possible. And I can assume often the pushback is from engineering, you're slowing us down, right? From the CFO, you're spending a lot of money and what's the upside? And they can come in and say, well, we used to have a million vulnerabilities, now we have a thousand or whatever the number is, but it's hard to quantify what's the business impact of that. When you can go and say, well, we're running pen testing every week, and, you know, last quarter these are the things that they could hack, and this is the actual potential business impact of getting that information. And sometimes it's just immediately obvious, like, they stole passwords or whatever credentials, whatever it might be, and now these are the incidents, or there are no more incidents. And then for them, that becomes something that everybody can, I would think, really align around and say, okay, you know what, then it is worth all these investments we're making actually are producing what I would think of as business impact if I'm the CFO, or engineering, or other leaders in the organization.

Shahar Peled (00:11:20) :
Yeah, you said it very well. Basically, one of the biggest problems in cybersecurity, I would say the holy grail, is that you have a lot of security tools, processes, and capabilities in your organization. Some are from different vendors or in-house teams. Eventually, the result of many of these tools is visibility of existing vulnerabilities you have in your environment. For enterprises, it will come down to hundreds of thousands, sometimes millions of vulnerabilities.

Pablo Srugo (00:11:47) :
What is, by the way, an example of a vulnerability? What might that be? Like, as simple as what?

Shahar Peled (00:11:52) :
A vulnerability, not in technical terms, would be maybe a hacker can come in and steal credentials of customers and log in as them and steal money from them. Or maybe I can crash your website, the e commerce website, shopping during Black Friday. Or maybe it, I don't know, it's a self driving car, I can hack the system and steal the car.

Pablo Srugo (00:12:14) :
Those are obviously the must solve, but what are some that would be, you know, on the list and you'd just be like, well, these don't matter. Like, what could a trivial one be? Are there trivial vulnerabilities?

Shahar Peled (00:12:23) :
I think vulnerabilities are a technical term to harm you can do. We need to talk about the harm we can do. How we get there? Maybe it's one vulnerability that has names. For example, XSS or SQL injection. I think these aren't really interesting for most of our listeners. I think the result of these vulnerabilities is what's interesting. For example, I can use some vulnerabilities and techniques to change a link on your website. And what happens when you click the link? I hack your session and take all of your information. That's going to cause you harm, right? I think the paths together are very technical and there are many ways together. That's the nice or very scary thing about cybersecurity. There are very often many paths to causing harm, and the harm is different between each company, right? Maybe something we would call a critical vulnerability for one business can be meaningless for another, and vice versa, because their business context is different. Which brings us to pen testing where we talked about the Holy Grail. You have millions of vulnerabilities, ranked in different severity from critical severity to high, medium, low, or informative. It takes time to remediate or fix weaknesses and vulnerabilities. Eventually your weaknesses or bugs, we like to call them bugs. How do you know which one you need to fix first if you have millions, and within those maybe have a hundred criticals, but each critical vulnerability can take weeks to fix and it's going to involve a lot of people and dependencies? What if you could basically say, I don't care about the million, I care about the small percentage, some would say one percent, that are exploitable, which means they're not on paper, they're in reality. A hacker could actually get them done. And what is going to be the business impact if this happened? Then you can actually focus on the small percentage that can cause you the most harm. And you can even try to quantify the potential business impact. And we gave this example, it's Black Friday. On Black Friday, if I'm, for example, a shopping website and someone drops my website on Black Friday, think about the potential business impact this can have. If I'm an airline and someone drops the application that I use to book teams of flight attendants and they can't log in and see where they're flying or they can't check in from the application, think about the amount of business impact this is going to do. We see it every year. We in cybersecurity know that there are thousands, sometimes much more than that, breaches. You mostly don't hear, not you, but most of our listeners won't hear of ninety nine point nine percent of these. But some you will hear. A year ago, more or less, we saw that almost the entire world had these blue screens, right? It came from a bug that caused a very large cybersecurity company to pretty much fall for a few hours. And that has a lot of dependencies. It's an awesome cybersecurity company. They grew massively from there. The amount of business impact it had was billions, I don't know how many billions of dollars of damage in the world.

Pablo Srugo (00:15:23) :
Tell me a little bit more about how this idea comes to you. You kind of mentioned you knew that pen testing was broken. You knew that AI could add a lot of value there, but maybe just tell me more specifically. Is it because of the customers you're selling? Were they telling you something about pen testing, or did this really come kind of top down to you? How does the idea really come into your head?

Shahar Peled (00:15:42) :
So in my last company, one of the offerings we had, it was basically a solution that can dynamically test web applications, all the websites and web applications you use on a daily basis. Dynamically test means we're going to try and use some technologies to try and hack it, look for known vulnerabilities. We packaged it nicely with a nice user experience and user interface. We called it continuous web application pen testing. And because I led both marketing and sales, I saw what we call the top of the funnel, how people enter and hear about the company and get to talk to you, and the bottom of the funnel, those who actually choose to buy. It was by far the best campaign that I've seen in cybersecurity to get people interested. And I spoke to a lot of those, and I pretty much heard the same thing from all of them. We run a pen test periodically, once a year, once in six months, once a quarter, on a scoped part of the attack surface. We're looking for a way to run it continuously. So I always had it in my mind, I wish there was the technology that could actually make it happen without losing the two, some would say most important things, when you run cybersecurity operations or pen testing. One is the safety. You don't want to break an application. When you run pen testing, penetration testing, you by default try to cause harm, right? You're trying to see what harm you can cause. You don't do it, of course, because it's manual. You're a responsible human, so you have what we call guardrails. You don't want to cause harm. AI is less responsible than humans, at least now. And the second thing is accuracy. If you can't find what adversaries or hackers would be able to do, then what's the point? And no one has been able to build a software that can actually do it at scale without losing these two very important things. So it was always deep in my mind, and then we actually tried it and it worked, at least in some use cases. And now we see the scale that we see at Terra that was born out of this aha moment that I had, and also my co founder in his last position from a technical role and not from a market role.

Pablo Srugo (00:17:39) :
But to be clear, at the last company, JIT. They didn't have pen testing at scale but it was something kind of similar, like that campaign that you ran.

Shahar Peled (00:17:45) :
Yeah, so it's called DAST, dynamic application security testing. That's pretty much one of the tools that a lot of companies leverage. And the idea of DAST is can we run dynamically, which means on the website itself, security testing that could somewhat, let's say it this way, mimic what pen testers would have done, but it doesn't do it in a way that is close enough or anywhere close to a skilled human pen tester.

Pablo Srugo (00:18:12) :
When do you decide to leave JIT to start Terra? It was last summer, more or less, probably before that, maybe last spring. So summer 2024, and where's the idea at, or what's the catalyst for you to say okay I'm doing this?

Shahar Peled (00:18:24) :
It was something very personal, to be honest. A very sad thing happened. I lost a family member, and it was probably, you know, what happened in Israel. And it was kind of an aha moment that life is too short. My dream was always to become a founder. I love cybersecurity. I love data. I knew this is what I want to do. I really enjoyed my time at JIT, and I wanted to start and plan to do it. But this, what we call a compelling event, was too strong for me to look away from. It was the perfect timing with technology, the perfect timing with an awesome co-founder, and this personal compelling event, that I said, this is the right time. It was pretty much mid 2024. We finished our dating period, this is what we call it here, dating as founders. We went to do, we still wanted to do some ideation to make sure we're onto the right thing. And it took us a few months to make sure we're all good. Went to raise some funding, and the rest is history.

Pablo Srugo (00:19:21) :
So when you left, I was going to ask, what was your first step? Your first step was to raise a seed round?

Shahar Peled (00:19:26) :
The first step was to do ideation. We had this idea, it was always on the board, but we wanted to make sure we did thorough ideation, make sure we go to every category within cybersecurity, and actually adjacent to cybersecurity as well, that could be a good fit for us. Both in our interest, in our experience, found our market fit. We talked to a lot of security leaders, CISOs, Chief Information Security Officers. We went to a conference to see what's out there. We talked to a lot of ex founders or existing founders, and, you know, advisors and people we look up to. And after we got to conviction that this is what we want to build, there is a huge market here, a huge opportunity. We're trailblazers in this category. This is what we love and we know we have a competitive advantage. This is when we went to raise a seed round. It was quick and successful, and we have really, really strong investors from there.

Pablo Srugo (00:20:19) :
When did you raise the seed round?

Shahar Peled (00:20:21) :
November 2024.

Pablo Srugo (00:20:22) :
And how much was it?

Shahar Peled (00:20:23) :
$8 million.

Pablo Srugo (00:20:25) :
Okay. Tell me a little bit more about the ideation phase, you know, high level. You talked to a lot of people in cybersecurity, founders, etc. How many conversations did you have? How did you structure it? What were you trying to get out of it? You know, the details there, I think, are critical.

Shahar Peled (00:20:40) :
Yeah, I think we had around a hundred conversations with security leaders. We had, obviously, a very good board that we managed everything and, you know, had tracking and analytics. We started early on by asking them not about this problem, but their most acute problems. These people who listen to early stage founders, to have so many of these conversations, I think they have the answers. Some said things about identity, endpoint security, or network.

Pablo Srugo (00:21:08) :
And did you go that high level, like, hey, you know, what's your biggest problem? Or did you always go in with some sort of thesis area you wanted to explore, like, hey, let's talk about identity, what's your biggest problem there? How broad did you go?

Shahar Peled (00:21:17) :
We had phases. In phase one, we went very, very broad. Didn't come with any thesis. We just asked them, what's your top five, you know, pain problems today? Once we pretty much saw that what we were talking about was either in the top five or sometimes top one, top two, and compared it with our thesis and experience from before, we knew we're done. We know that this is what we want to build. And then we came with a thesis and came with a potential solution and told them how acute this problem is, got some numbers, how much money do you spend on this problem a year, how much would you spend if. What's your driver? Is it compliance? Is it assurance? Is it insurance? Or is it real security? What vector of pen testing are you mostly concerned about? Because you can try to breach from the web application. You can try to get access to credentials of employees, for example, or of customers. You can get to the network, to the Wi-Fi, to the physical office. There are lots of different vectors of attack. We asked them, what's the most acute one? How do you solve it today? And then we came with the thesis and a potential solution, show it to them. Now, there wasn't a product, right? It was just, you know, maybe even Figma screens. And once we pretty much got the yes from everyone, we tried to see, okay.

Pablo Srugo (00:22:29) :
So that's important. When you showed it to them, what was the question? Would you buy this? Do you like this? Is this useful? How high of a kind of bar were you setting for that yes?

Shahar Peled (00:22:38) :
I think asking these people, would you buy this or would you use this, is too easy of a question. Yeah, if they have a problem around it and if you can solve it, they'll buy it. My question was how much would you pay for it. Are you willing to sign something, and if we have these X features, you're going to pay a Y amount of money. Are you willing to be a design partner for this? Are you willing to actually put your money where your mouth is, and design partner is also, you don't have to pay for it always, but it's costing you time because it's cycles, it's manpower that you have to give us to give us feedback, and, you know, go on calls with us and implement a solution. So we try to go as deep as possible and see how many of those people we talk to will actually stand behind what they say and use it early on. Put their names behind it. Talk to investors on our behalf. So I think asking them would they use it is too easy of a question. It's very easy for them to say yes. My question behind this is, what is it going to cost these security leaders to say yes to us? Pretty much nothing. What is it going to cost them to sign a document or speak to an investor or connect us to their team, or have their team spend time with us, or connected to the environment, which comes with some legal implications, etc. The answer is, it's going to cost, so if it's going to cost them. Cybersecurity people are very, always understaffed, overworked, spread too thin, always there. So little cybersecurity, you know, people in the world compared to developers, for example, there's so much more to secure. How many people can actually do it? So if these busy people are willing to really stand behind the work and spend time with you and connect to their systems, it means you're on to something.

Pablo Srugo (00:24:17) :
By the way, design partner is becoming like the default way, especially if you're selling to enterprise. I think everybody's kind of, that's the motion they go to. Let me ask this question. Why does anybody become a design partner? What is the psychology, in your opinion, of a good design partner? Because from their vantage point, you know, if you're a late majority, early majority, you might say, this is awesome, just call me when it's done. I'm not going to waste my time. Do you know what I mean? So why do some people become design partners? What motivates them, do you think?

Shahar Peled (00:24:44) :
Yeah, actually my partner was a design partner of many, many startups. He has this thesis. Basically, in my opinion, from listening to him and to our design partners, you get three things. First, usually these are people who are early adopters, innovators, who love to see technology early on and love to get their voices heard. We took the feedback from our design partners so seriously, we built features from them, we built designs for them. We took them as those that speak on behalf of ten thousand other security buyers. They need to represent the majority, otherwise they're not the right fit as design partners. The second thing is, of course, I think people love being a part of something they believe in. Yeah, you can still be a CISO, a security leader, or practitioner in your company, but if you are a design partner, let's say Wiz, who is one of the most successful cybersecurity companies in history, or Palo Alto or CrowdStrike, or Okta, you're a part of something big. I was a part of the design partnerships, you know, design partners to build this and design this. And thirdly, I think for many companies, I heard it from a lot of CISOs, it gets them almost free access to real great innovation, paints them as innovators, and they will get very good prices when this is out. We gave discounts to all of our design partners, and all of them became paying customers. We gave them design partner discounts. They believed in us. They had a pain problem in what we're solving. They knew we're going to solve it. Then they get free access at the beginning and then very cheap access compared to the rest of the market. So I think these are the main reasons to become design partners. But again, I wasn't a design partner, so maybe I'm not the right person to ask.

Pablo Srugo (00:26:18) :
I'm going to ask you for a small favor, a tiny little favor. In fact, it's not even, now that I think about it, it's not even really a favor for me. I'm actually trying to help you do a favor for you. Just hit the follow button. You won't miss out on the next episode. You'll see everything that we release. If you don't want to listen to an episode, you just skip it. But at least you don't miss out.

Shahar Peled (00:26:49) :
Yeah, we had six design partners. It was around six months to work with them, sometimes even less. I know for some of my friends and other entrepreneurs, it can be a year, sometimes even more. For us, it was pretty short because I think that Gal, the co-founder and CTO, and the team that we've hired are so strong, and we're an AI native company, which means we do things so fast and efficiently. We very quickly had a product that provides real value. So we started selling quickly.

Pablo Srugo (00:27:18) :
What's quickly? How many months? When did you start selling?

Shahar Peled (00:27:21) :
It took us around six months to start selling something.

Pablo Srugo (00:27:26) :
So that would be what? May of '25? May of this year?

Shahar Peled (00:27:28) :
Around Q2 of 2025. That was just the first kind of trying to sell. Then later on, I would say towards Q3 or around that, this is when something clicked. We released our, you know, the first ever AgentiKai continuous pen testing solution. Provide real value. We work with incredible customers. Our design partners became paying customers. We started, we have, we didn't just spend a dollar on marketing, and the amount of inbounds we got from the most amazing companies in the world was overwhelming. And very often we started tracking conversion rates. So the conversion rate from a first call to a sell cycle was well over ninety percent at this phase.

Pablo Srugo (00:28:09) :
And what about from a demo to a close, for example? What is the conversion rate there?

Shahar Peled (00:28:13) :
So I don't remember the numbers back then, but currently, from demo to close, from let's say at POV, which means they liked the demo or implemented it to a close, it is currently over seventy-five percent.

Pablo Srugo (00:28:26) :
So this is: they've seen the demo, they've done a proof of value, they have done something, and then they are going to close seventy-five percent. Do you know from SQL to close by chance?

Shahar Peled (00:28:35) :
SQL to close, I do. It is currently over forty percent. I need to look at the exact number.

Pablo Srugo (00:28:38) :
Wow, nice.

Shahar Peled (00:28:40) :
Yeah, it's very, very, very high. I hope we can keep it this way. Because again, once you qualify the potential buyers, and once you see that they have this pain and they believe in the approach that you are going to use to solve this pain for them, I think it is a matter of just the right implementation. And I believe this number could be higher, by the way, for us.

Pablo Srugo (00:29:00) :
I ask because I find these sorts of ratios, there are so many other things that matter, but these ratios are great leading indicators of product market fit and of the potential for fast growth. Because if you have a twenty percent SQL to close versus a forty percent SQL to close, why would you have that? And a huge reason is product market fit, and a huge outcome will be rate of growth because it is just so much easier for any given demo to see how many more you close. Demo to close is a great one because at that point you have done all the stuff. Somebody has seen the demo. They have seen the value. If they are only closing at thirty percent, why are seventy percent still saying no? How much true hair on fire could there be? When you have like fifty-five, sixty percent saying yes, okay, now you are in a great territory where it is like, if you show someone the thing, they buy the thing. And that is an incredible place to be.

Shahar Peled (00:29:52) :
Yeah. I would say, you know, the others that haven't yet bought, these are not closed lost. We have a very small amount of closed lost, which means deals that we had in our pipeline and we didn't close. Sometimes it is just going to take a bit more time, or they don't have the right budget item right now, but they wanted to see the technology, or it takes them more time to approve legal, for example, or to start a proof of value or proof of concept, POV, POC.

Pablo Srugo (00:30:14) :
Back to my point, if you had a twenty percent SQL to close and said, yeah, but so many of them are not closed lost, I say, okay, maybe you are too early. Do you know what I mean? Like there is meaning behind that. If everybody is going to wait that long, or maybe your ACVs are a million dollars, then it is like, okay, fine. Right. But otherwise, anyways, the point being that these are, you know, because the long-term stuff is: what is your rate of growth? It is, you know, what is your retention? What is your net revenue retention? What is word of mouth? Like, these are the signs of product market fit after you have it, but you are a founder trying to get there and trying to think to yourself, do I really have it? And some of these ratios can be very helpful in that regard.

Shahar Peled (00:30:47) :
Yeah, a hundred percent and we definitely started to feel it. I think my question about product market fit is: when you turn the solution off, how long is it going to take people to call you? And we start to feel it. We start to feel people who actually need what we have, or a place, you know, a vendor that they have been with for a while, or just a budget item they have had forever. Sometimes even multiple budget items, which is what we love. We have a very high conversion rate in every phase of the pipeline. And from this point on, generating pipeline becomes easier because then it is word of mouth. And then people start talking about you, and then we got invited to speak at almost every Cyber Studio conference in 2025. And I just hired the first marketing leader in the company. We didn't have a marketing person at Terra until now, basically. And not because we didn't have enough pipeline, but because we had to do other marketing activities, and people are going to come with it. I think that is also a pretty good sign that people need what you are selling. And finally, they see a solution that can actually fit their needs.

Pablo Srugo (00:31:45) :
How many people are you now on the team?

Shahar Peled (00:31:48) :
Thirty-five.

Pablo Srugo (00:31:48) :
How many were you during those six months, where you're doing mainly with design partners?

Shahar Peled (00:31:53) :
I think around ten, maybe even eight or nine. We really grew since the Series A to thirty-five, will be forty soon, because we see this product market fit and we feel it, and we need to build faster and work with more customers and very large customers, you know, Fortune 500, 200, 100, 10. This requires more people, and we see that the scale is coming. So we have to live up to the demand.

Pablo Srugo (00:32:15) :
I've seen a few companies now. There is a company actually in cybersecurity called 10X, 10X AI. I don't know if you know them, but I've seen a few companies now where what they are replacing isn't another software. In many cases, it is actually a services firm, right? Which seems to be your case. And in this case, the upside is that from the buyer's perspective, you are paying an outsourced firm to do something for you. It is not an employee that you have that's much harder to get rid of. It is not even a system of record that you are using that's also very hard to get rid of. It is somebody specifically outsourced services. Now you can come up and say, I can do what they are doing two times better, ten times better, often cheaper. And it kind of becomes a bit of a, frankly, a no-brainer. My question to you, though, is: is your product fully just AI, or is there a human in the loop? Is there a bit of a services element that you have to add in order to get it to the full job to be done instead of like seventy percent of the way there?

Shahar Peled (00:33:14) :
Yeah, that's a great question. We don't believe currently in fully autonomous offensive security, pen testing, red teaming, ethical hacking, for two main reasons. One, as I said, I have not met many security leaders who will be okay with AI creatures running around their environment autonomously and attacking them, especially not in production environments, but mostly not even in non-production environments. And the second one, AI agents aren't yet at the level of the best ethical hackers, which means if you are using just AI agents, you are by default not getting the accuracy or the depth that you would have gotten from the best security ethical hackers. Sam would also talk about compliance. Most compliance auditors will not accept a fully autonomous pandas report as if it was done by a human. So yeah, we are part of this new business model, not business metrics, business model, that was pretty much invented with Gen AI called service as software or AI-enabled service. We believe that taking a fully services, basically fully manual or some automation, to a fully autonomous process is going to take time. Especially when you talk about offensive security, right? Let's talk about self-driving cars. Is it really a hundred percent autonomous? What happens when there is a police officer and there is a crash? There is someone behind the scenes that is going to take the wheel. It is customer service. Is it fully autonomous? How often would you click “talk to a representative”? So let's talk about cybersecurity. I have not seen a cybersecurity category that was manual—not talking about automated with SaaS solutions from the past twenty years—but manual, like SOC or Pentest or Red Team, that is now fully autonomous. And if we narrow it down to offensive security, Pentest, Red Team, it is by default offensive, so it can cause harm. It is one of the most complex and creative operations or processes in cybersecurity. So I think it is going to take a long time until it is fully autonomous. Some of it is fully autonomous. A lot of what we do is fully autonomous, but when you look at it as a whole, it is currently not fully autonomous. And we replace service providers and SaaS companies together, and it is a really, really great business model to be on because you can take it from SaaS metrics, you know, churn or stickiness and human involvement and margins, all the way to SaaS margins and human involvement. Obviously, it doesn't get there on day one, but you keep a much larger, you know, TAM.

Pablo Srugo (00:35:31) :
That's the thing. Yeah. The thing is, the TAM is massive. The demand is existing demand. This is one of the key things. You are going after an existing budget line item, a service that's already being rendered today, and you are just showing up and saying better, faster, cheaper, and some variation of those things. It tends to be a much higher-velocity sale than when you are just trying to either replace employees, which a lot of AI is like, we are going to put this in and now your team of ten can go to five. That's just hard to do for a business because it's employees. There is just a different relationship there. And they typically do other things outside of just pen testing, right? One thing and it is also easier than trying to sell them a new software that's a new line item of something new. Those things can work. It is just the velocity tends to be slower than doing what you are doing.

Shahar Peled (00:36:20) :
I agree about the better and faster. I wouldn't say necessarily cheaper, but at least in our business, when you talk to most security leaders, they are not looking to, obviously, they always look to save money, but in this space, they are looking to do much more because they know they do, just don't do enough. They do it periodically, maybe once a quarter, maybe once a year, maybe once in three years, depending on the software they are testing. And they know that they are really scoped. Before a pen test engagement, you will hop on a scoping call and tell the tester what you want them to test because you have an X amount of hours they are going to do that. And within these X amount of hours, they want to spend a lot of time on non-testing activities. They have to understand the environment, they have to write a report, et cetera, et cetera. So I'm saying you have this budget item, let me help you do much more. Or if you just want to sell the software, you have existing pen testers or red teamers within your organization, that's for larger companies, let me help them do much more. And then I can also be the third party vendor and also give you software. So it gives us so many opportunities for growth, because as you say, it's an existing line item. Everyone has to do it. It is just going to grow. And now we can actually be a core pillar of the cybersecurity program. And I've heard it from so many of our customers.

Pablo Srugo (00:37:29) :
Yeah, to be clear. The better, faster, cheaper really depends on what it is you are replacing. But it is maybe a high-level playbook for AI enabled services. You can look at the thing, and if the service today is good enough, well, then maybe better is not the biggest thing, but faster and cheaper might be. So it depends. In your case, it is less about the cheap and more about the other two.

Shahar Peled (00:37:45) :
It could be cheaper for the same thing, but I can also give you much more for the same cost.

Pablo Srugo (00:37:49) :
One thing, though, that I want to touch on is I think this is the right business model for what you are doing. But did you also think about, ultimately your point is you can't do it fully autonomous, you need humans. So either you hire the humans, you add the AI, you sell it directly to the end customer. In theory, you could have said, no, I just want to build the AI and I'll sell it to existing past ten organizations. Like, did you seriously consider that? Did you think about it? Why did you end up with what you ended up with?

Shahar Peled (00:38:13) :
Yeah, we're still thinking about it. But we wanted to start selling direct because this is the best way to get the right friction with the buyers and build the best products. You can also increase your revenue and ARR much faster and get into these organizations, show them the value, take everything, take the margin and take the value, and increase to other line items. We have one customer today that we replaced four different budget line items for them. We have a few customers that we replaced three line items.

Pablo Srugo (00:38:41) :
What's the ACV like, for example?

Shahar Peled (00:38:43) :
It's six figures and hopefully we're going to go higher in the next year than what we are today. But six figures to start with is very, very good for a less than one year old company. I would say beyond that, once you have, you know, your inside organizations, it shows the market or the world that this is actually a possibility. If we have to sell this to other service providers, maybe it's going to take more time to educate the market on what pen tests should look like. We're not in the business to make pen tests to do it the same but more efficient or make it better. We're in the business to really change the way pen testing is done, make it a core pillar, a part of a very strong cybersecurity program, and not just another engagement, do it, you know, more scoped and faster. We really want to change it, and it requires education. If we're not going to sell to service providers, I can tell you that we might, because these are high revenue, low margin businesses that run pen testing at scale. Think of what that can do for their business. But we can also sell the software to internal offensive security teams. We have another company, not in our category but adjacent, that they do something they call fully autonomous, but then someone is going to have to triage the results. It's the in house team, right? We want to provide our customers the triaged results, which means I'm not going to give you the large amount of vulnerabilities that are theoretical. I'm going to get you the small X amount of vulnerabilities that are proven to be exploitable. I'm going to tell you what I can do, what's going to be the business impact, I'm going to prove it to you, which means you don't have to triage, you just have to go and fix it, and I can also help you with that.

Pablo Srugo (00:40:21) :
This is, you know, you mentioned something that I think is really important to pull on in terms of if you are an early-stage founder building an AI and you have the opportunity to either be AI-enabled service or just pure AI. And if you think about it, there are two lenses that you mentioned I want to highlight. One is, think about the value prop. When you go to your customers today, you tell them, you are already paying for this. I will do it faster and better. That is the value prop. When you go to a pen test services business and you were to sell them the AI, if you were to do that, you are not saying that. You are saying something else. You are saying, you have got a bunch of people there, you are doing a bunch of things. With my AI, you could do more. You could reduce your costs. It is a fundamentally different value prop, and I think it is pretty clear the former is just much stronger. The second thing is, if you think about it in terms of game theory, if you do what you didn't do, right, and you go with selling to the services, you are going to get the classic customer lifecycle. You are going to have the early adopters that are like, oh, wow, yes, I can really leverage this. And if I make these changes and I fire these people, I am going to have better margins, or I am going to sell to more customers. And you have the early majority, the late majority that are like, yeah, maybe, I don't know if this thing will really work, et cetera, et cetera. Whereas if you can just go really fast, selling directly to customers, you are effectively stealing business. And later on, if you decide to move to selling to services and pen testers, they have less of an option because they are like, yeah, okay. I have got to reinvent myself, otherwise I am just going to be left behind. And so you might trade, and I am curious about this, do you find you trade gross margins as a result? Like if you sell pure SaaS, you are eighty, ninety percent gross margins. What do your gross margins look like given the human element?

Shahar Peled (00:41:57) :
So our margins aren't as high as a pure software company yet. We're getting there, but we're getting there faster than expected, and we are going to get there. Yeah, we could sell just the software to these service companies or to in house red teams. I think we're going to do both, by the way, because we're going to do what's best for Terra to grow rapidly, not just sell direct. We're going to start selling with partners and channel partners and resellers and VARs, because we can, that's the best path to growth because these people work with all the customers and everyone needs this. But you have to think of one thing when you come to this business model, which is that eventually, if you're asking me in a year or two, this is what the customers are going to ask from their vendors very, very soon. It's not going to remain manual, point in time, highly scoped for compliance, whatever, the result is a PDF report of thirty, forty pages. I think the baseline is going to be, I'm connected to your environment, I'm running this all the time, I'm doing the entire web attack surface or the attack surface. And the report for compliance is a derivative of a great security program and not vice versa. This is where it's going to go because it's now possible, and I don't see any reason for anyone in the world not to do it if you could. You're already paying for this. Why not get something much better, quicker, aligned with your business context and your development lifecycle, that gives you much better security while not compromising safety or compliance in this case.

Pablo Srugo (00:43:22) :
Let's spend some time on go-to-market. You said that in May of this year, May 2025, you started selling. It kind of went okay, and then things really clicked later. Maybe walk me through, what the go-to-market motion was at the beginning and then you can kind of weave in, what it was that changed and really clicked.

Shahar Peled (00:43:37) :
Yeah, we started around Q2, as I said, and we didn't really have the continuous agentic AI product. We had the point in time product with AI agents. This is how we trained it and then became continuous. It was founder led selling. Started with me selling, generating pipeline, whether from the design partners or, you know, later on from other, you know, paths of pipeline creation. The story became clearer and clearer. You start by what's the best story to tell here. Am I educating the market? Am I replacing pen test providers or am I replacing SaaS providers? Am I a net new? There are a lot of learning curves to do here that you couldn't really do until you see what you can do, you know, technically with your product and your solution. And I think at the end of Q2 of 2025 is where you really start to click things together. And I felt, okay, I reached a very nice number of, you know, ARR myself, seven figures, maybe it's time to get a team that can help me and scale and work with the demand. So I can focus, of course, on selling, but also on growing the team and strategy. So I hired our first go to market person in California. He was an awesome hire. He already sold to many businesses, helped us grow, and then it worked so quickly. So we hired another one, and then a VP of sales, and a BDR, and a sales engineer, and now a VP of marketing, and growing the team from there, because you just see that you have something that works. Constantly we get proof of values, POVs, we get connected, and we win businesses. And when we have bake offs against our competitors, we constantly win. What's your win rate? Against our existing competitors, the AI native ones, currently one hundred percent. I know it doesn't sound real, but there aren't many competitors out there in the market right now. There are a few others that are in stealth, but currently the real bake offs we had against AI native companies in our playbook, we haven't yet lost. Realistically, sometimes we will in the future. You can't win everything. And I know there are strong players coming. It's going to be a much better category because they are going to help us educate the market. I don't yet see them as competitors. I see them as, you know, having a joint marketing budget. Let's educate the market together and make the best one win. It's much easier than competing against, you know, the manual services that they are used to working with because we are educating the market together and I believe in our approach and our products as well. So we haven't yet lost in an AI native bake off, let's call it this way. And that's when it comes to qualifying the Cod Stars. So yeah, from this point on, I don't see a reason not to double down, which is why we raised the Series A and are growing from there.

Pablo Srugo (00:46:10) :
So you're now on the path to $10 million in ARR, but how fast did you hit that $1 million mark?

Shahar Peled (00:46:16) :
It was a few months. It was very, very, very quick. Once we moved from point in time, design partners, not really a product behind the scenes, to selling a continuous agent TKI pentest product, subscriptions, annual subscriptions, in pretty much a quarter, we hit $1 million.

Pablo Srugo (00:46:32) :
What worked best for you in terms of, you know, once you get them into demo, then it's just, you know, demoing, closing, etc. But in terms of qualified lead generation, what do you find has worked best for you at the beginning and maybe now if it has changed at all?

Shahar Peled (00:46:45) :
Yeah, that's something we're still developing. Remember, you're talking to a company less than a year old. A year ago, it was just me and my co-founder, you know, building, raising seed funding. It's trial and error. And I think we still see that it's different for every company because it depends on who the champion is that you're talking to. We usually start from the CEO, who then connects us to their team. But very often the reason they reach out to you is because they're looking for something specific. Very often it's not what you're selling.

Pablo Srugo (00:47:10) :
Is it inbound, or is it outbound? What is the motion?

Shahar Peled (00:47:13) :
Currently, over sixty percent of our pipeline is inbound or intros. Which means we didn't do any activities to get it. And most of these intros, people ask other people to connect them to us. It wasn't us asking for an intro. We do have some outbound, let's say we meet people at conferences, we have a booth, that's a lot. And on top of this, we do have a BDR that can make some calls, but the vast majority of our pipeline is inbound, whether it's through the website, LinkedIn, or CISO group channels that they recommend to each other. Intros over sixty percent. And I would say if you include conferences, and you know, I was speaking at many conferences, my partner as well, those inboxes from these conferences, it's over eighty percent altogether.

Pablo Srugo (00:47:57) :
Do you find the conferences and events have, I mean, you've been in BD for a long time, kind of risen to the top lately in terms of meeting customers and getting customers?

Shahar Peled (00:48:06) :
I don't think "rising to the top" is the right term here. I think it changes between each company, and very often it would be events during those conferences and not necessarily having a booth. But let's say you have a large dinner. This can help a lot. Let's say you have, I don't know, a line of dinners every month or every week. Sometimes it works better for many companies. I know LinkedIn is a great platform for them to get inbound. Very often they pay people to get them intros, like pay to play or BDRs. I think it changes for us specifically. Currently, as I said, inbound is the largest one. I do believe in face to face. I do believe field marketing is going to be a much growing channel for us going forward.

Pablo Srugo (00:48:47) :
Tell me a little bit about raising the Series A. What was that process like?

Shahar Peled (00:48:50) :
It was inbound, basically. Jake from Felicis and Nancy from Felicis reached out to us. We met face to face at one of the conferences in the States, and quickly after that we met one more time. They started a demo, and we basically got a term sheet. We weren't trying to raise funding. We were trying to make it close to using the entire seed funding. We didn't think it was the perfect time. We had a lot more to prove. But they, and also other VCs who wanted to invest in us in the Series A, saw the same. They saw we were on the path to making it to a very good Series A. Let's just do it right now and double down earlier. And it worked. We tripled the ARR since the Series A in one quarter.

Pablo Srugo (00:49:33) :
That's crazy.

Shahar Peled (00:49:35) :
I can't tell you a story of the process we used to raise the Series A because it wasn't a very strong process. I think what Jake and Nancy saw is a very strong team that executes and delivers with real customers and a real product that is going to move very fast. And it's proven to be true. So it wasn't a process that I can tell about.

Pablo Srugo (00:49:55) :
Perfect. Well, let me stop there and just ask the last three questions you always end on. When did you feel like you found true product market fit?

Shahar Peled (00:50:01) :
I think it’s happening today or these days. The first POV is always challenging. I was like, am I going to win the first POV? It was a few months ago. And you win the first POV. And then, okay, I have now two at a time. Can I win both? And then you win both. Now I have three at a time. And then you win all three. And then you see that it clicks and it provides real value. I think it’s happening today or these days. The first POV is always challenging. I was like, am I going to win the first POV? It was a few months ago. And you win the first POV. And then, okay, I have now two at a time. Can I win both? And then you win both. Now I have three at a time, and then you win all three. And then you see that it clicks and it provides real value. And we see that these conversion rates, from a first call to a demo, to legal, to POV, to a close, are really, really high. Again, we still need to do a much better job in analytics and collecting all the data with such a small team for that. It feels like product market fit, because if I’m going to turn Tara off right now, I’m going to get phone calls. And if I have to go into a POV, I feel very good on the win rate we’re going to have if we’ve qualified the lead well. And I don’t think the numbers that I shared are not feasible. I think they are feasible. And I think we can keep those up. And this is why I feel very comfortable on the path to $10 million. And I think we’re going to reach it very quickly. And if you’re asking me, it feels like product market fit. But I think also product market fit is not always binary. I don’t know if you agree with me. Some people say it’s binary.

Pablo Srugo (00:51:09) :
No, I would. I would. I would say it's a spectrum. There is a point where it kind of clicks, you know, and then you can have more of it. But it is a bit of both. It's like a wave. It's like a scale.

Shahar Peled (00:51:20) :
It's a spectrum. I think we've entered the spectrum. But there's so much more to grow within product market fit. There's so much more to do. It's such a new world, a new category, a new offering, requires market education, new technology. I don't know many people who built deterministic solutions with non-deterministic technologies. The AI changes all the time. There's so many known unknowns and so many unknown unknowns that are still going to come. So I feel like we've started this spectrum of product market fit. We feel it. We feel very good with it, which is why we're scaling the team and ourselves and our offerings. By the way, we're going to release a very, very promising new product in Q1 that we're super excited about, and we keep innovating. And I'm sure this feeling of product market fit is just going to grow within that spectrum, but it's already there.

Pablo Srugo (00:52:05) :
Are there ever times where you, you know, because things have been going really fast, but are there ever times where you feel like things might not work out?

Shahar Peled (00:52:12) :
I think as a founder and as a CEO, you always have to worry about what is going to go wrong. And I feel like a part of my position is to foresee what's going to go wrong and make sure it doesn't. You always have worries. So yeah, I have some. I had a lot of situations where I saw that something was going to go wrong. Most of the time I wasn't wrong, but we did what we needed to make sure it wasn't going to go wrong. So if you ask me what's going to go wrong next, I have a few things in my mind that I have to make sure will not go wrong, but I think they're in our hands. And as long as things are in our hands, I trust myself, the team, the investors, and everyone around the Terra ecosystem to make sure it doesn't go wrong. But things will go wrong. You know, it's a crazy rollercoaster. You go up and down. As long as the trend is going up, then I think not having anything go wrong is just not realistic. And if someone tells you nothing goes wrong, they are lying. So I'm not lying. We have struggles, obviously, just like every other startup, but I think overall it's trending up, and that's exactly what needs to be happening in this phase of a startup.

Pablo Srugo (00:53:14) :
What would be your number one piece of advice for an early stage founder?

Shahar Peled (00:53:18) :
Wow, that's a tough question. Number one, get the right co-founder. I think that's the most important thing. It's all about the team. You can pivot, you can raise more funding if needed. Replacing a co-founder is very, very hard. We have a very strong team and a very strong relationship that I think helps us overcome every challenge that we had and every challenge we're going to have. I think this is the most important business decision you're going to make in the startup. And if you're building on your own, then good luck. I think it's very hard, especially in cybersecurity. I've never built on my own as a single co-founder, so I can't give the advice there, but I would say, I guess it's going to be the same for the team. But all in all, get the right co-founder or co-founders. And if you nail that right, if you have belief in the team, if you have the right founder-to-founder relationship and the Venn diagram of your skills, then you can overcome everything: timing, recessions, the markets, technologies, funding. That's the number one advice.

Pablo Srugo (00:54:19) :
Shahar, great having you on the show, man. Thanks so much for sharing your story.

Shahar Peled (00:54:23) :
Thank you, Pablo. It's been a pleasure, Pablo. So hopefully we can do it again. And if anyone has any questions, feel free to reach out to me over LinkedIn. I'm available. I would love to help. A few months ago, I would have loved to share some advice.

Pablo Srugo (00:54:37) :
Wow, what an episode. You're probably in awe. You're in absolute shock. You're like, that helped me so much. So guess what? Now it's your turn to help someone else. Share the episode in the WhatsApp group you have with founders. Share it on that Slack channel. Send it to your founder friends and help them out. Trust me, they will love you for it.