Snyk Shifted Sales to CISOs

When Snyk struggled to get those developers—who generally weren’t directly responsible for security—to pay for higher usage limits, they refocused to selling into chief information security officers (CISOs).

The shift to CISOs was the moment Snyk stopped trying to charge the user and started charging the budget owner. Individual developers loved free scanning because it caught vulnerable packages in GitHub with little setup, but they rarely controlled security spend. Selling to CISOs let Snyk bundle reporting, user admin, and policy controls that security teams actually needed to govern hundreds of developers, helping ARR climb from $4M in 2018 to $19M in 2019 and setting up the later move into a broader enterprise platform.

  • This is a common monetization problem in bottom-up tools. Docker learned the mirror-image lesson: monetization works best when the team getting value also has the budget. Snyk found that developer usage created the wedge, but security leaders were the natural buyer once the product needed governance and compliance features.
  • The product changed with the buyer. A solo developer mainly wants a scan result and a fix suggestion. A CISO wants dashboards, user controls, and proof that teams are following policy across repos, containers, and cloud projects. That buyer shift is what turned Snyk from a point tool into a multi-product application security company.
  • That enterprise turn also changed the competitive set. Once Snyk sold to CISOs, it moved closer to vendors like Palo Alto, CrowdStrike, and especially Wiz, which are building broad security suites for senior security buyers. By late 2024, enterprise ARR was driving 70% of Snyk's net new ARR, while Wiz was pushing directly into app security with Wiz Code.

From here, application security keeps moving toward larger security platforms bought by one senior budget holder and rolled out across the engineering org. Snyk's advantage is that it still starts in the developer workflow, but its growth now depends on turning that developer foothold into a standard control layer for the CISO across code, containers, APIs, and cloud.