Turning Cyber Risk into Revenue (EP 870)

Hello friends, Uncle Marv here with a special edition of the IT Business Podcast. This is a vendor profile recording for the IT Nation PitchIT competition for 2025. And today's guest, his company was already on PitchIT.

They were on last year, and if you go back to episode 653 of the IT Business Podcast, you will hear them, but we're probably going to talk about a lot of the same stuff here. Threat Captain's core mission is to bring or bridge the gap between executive leadership and security teams. Their SaaS platform enables MSPs to graphically demonstrate the likelihood and potential of financial impact of cyber breaches based on a client-specific security controls.

I'm sure there's a lot more to it than that, so let me introduce Adam Anderson here for Threat Captain. Adam, welcome to the show. Yeah.

Hey, thanks for having me again. I guess I did well enough that there was no restraining order and you weren't trying to keep me away. So yeah, I really appreciate you having us back on.

This is a lot of fun. All right. Well, let me go ahead and ask an easy question first.

How have things been this past year since you were on last time? Oh, it has been a roller coaster. So it's one of the most fun parts about starting a company is learning all the things that you were wrong about with your assumptions. So yeah, no, it's one of the things that we've been able to just have a lot of fun with is improving the product and increasing the value back to MSPs by actually watching them use our tools.

So the last time we talked, we were just coming to market, but now we've done tens of thousands of simulations. We've had MSPs generate hundreds of thousands of dollars with the tool, and it's just been a whirlwind of learning. So we've hired more people, customer success has staffed up, and I think we have our team.

So that's pretty exciting to be able to build the thing and to have that clear path forward. Okay. Well, let me ask this question that I would normally save for later, but I'll ask it early on.

What is the feedback that you've gotten from MSPs? Because last year you were, like you said, just coming to market, you were getting most of your feedback from Sean Lardo and the judges and stuff. But what's the actual feedback from MSPs? So in all honesty, when we first started, MSPs were really kind of confused about what we were doing because they didn't know if we were a risk assessment tool, if we were a sales enablement tool. And so we came to market with a really cool piece of tech, but it really wasn't intuitive what to do with it.

And so what we learned is that we had to be a lot more intentional with our messaging. We had to be a lot more intentional with our sales. So when we're talking to MSPs, being clear what we're there for and what we're not there for.

And also, we learned that we had to have a more robust customer success team to help enable folks. So in short, their feedback was, wow, what a cool tool. I wonder what I should do with it.

So yeah, that's been the journey is seeing eyes light up as you realize that by speaking financial risk rather than just cyber risk, you actually unlock new revenue opportunities and you increase your MRR, your NRR. Yeah, it's been a lot of fun. All right. 

Was there like an aha moment of when that happened? Was it during the competition? Was it after the competition? When did it actually hit you guys that you need to make that pivot? It really happened a little bit after the competition where we had an MSP out of Connecticut use the tool in a way we'd never seen them do it before. You know how it happens when you give a certain quality of nerd a tool and then they're going to do what they want with it. Right. 

And so what so this gentleman, Greg, he used it to explore doing a gap analysis of a municipality out of Florida and was able to highlight, hey, these are the controls that you have in place. This is how it's reducing risk. You're trying to be compliant.

We need to do a little bit more. And just having that narrative lined up conversations for him around how to actually turn those gaps into mitigated risk. So that was a lot of words to say.

He was only speaking to the CFO, the CISO of that municipality was never in the room. And they only talked about financial impact. So by the time the CISO was brought in, the CFO was saying, “I have budget for you and I want you to spend it most effectively rather than the other way around, where the CISO and the MSP walk into the room to try to actually win budget.

So that's when we had that aha moment. It's like we need to make sure our messaging really resonates with salespeople and not necessarily just the technical people inside of MSPs. Well, that certainly helps with the revenue side of it when you can, you know, get the money part taken care of first and the implementation is just a matter of how much of this can we implement with the amount of money given.

So that sounds fantastic. Let me ask now about integrations and stuff, because, you know, a lot of people already have platforms that they're doing cybersecurity with. They're already, you know, have an attached surface, you know, dashboard where they can see a store.

They have their red, yellow, and green stuff there. Have you guys done anything more with integrating with some of the other products in the space? Yeah, we've met a lot of friends that we would like to integrate with. And, you know, there's only so many dev cycles in a day.

And so what we did is we did a full integration with ConnectWise and we're looking at expanding that into Security 360 so that our numbers actually show up in there. That still hasn't been discovered how we're going to do that. We're still talking, but it's a lot of fun.

Anytime you get to riff with John Helms, you're already winning the day. Other MSP vendors that we really are looking at integrating with are kind of waiting on us to get our API kind of set together. So we've had a lot of great conversations, but it's not simply enough to be able to pass information back and forth.

We want it to be valuable. And so we've been building that API that lets other vendors pull our information from us. But our real wins are totally about integrating with other sales and enablement platforms such as other CRMs, you know, different kind of document creations, software. 

So, yeah, my first priority is how do I get an API that people can make calls to? And my second priority is how do I make it easier to do to work with the different users through, you know, sales enablement type tools such as what ConnectWise does. All right. So we talked about how you play nicely with others.

Let's talk about what truly sets ThreatCaptain apart. I think it's my beard, honestly, it's a fantastic beard. No, so here's the thing that I've figured out.

This is my fourth cybersecurity company and I never had a hard time delivering a superior product. My techs were amazing. I always struggled with customer acquisition.

So what sets ThreatCaptain apart is that we are laser focused on trying to make cybersecurity sales easier for managed service providers. The fact that we do financial impact analysis and we do the translation of cyber risk into technical, I'm sorry, cyber risk into financial risk. That's incredibly important, but that's not enough.

What sets us apart is guiding the sales enablement and the sales process all the way from discovery to closing of the deal where we show how talking business over tech results in you getting that check. Oh, I didn't even mean to say that. And that just rolled out. 

Very nice. Very nice. So now let me ask you, going back to your aha moment in terms of people using the product in ways you didn't think about, is there anything new this year that wasn't a part of what you guys brought us last year? Yeah, the probably the best thing that we've been able to add is our product called AnchorPoint. 

And so we have the financial impact analysis and we've got our simulations and that's all very, very good. But reports by themselves are pretty useless if your salespeople don't know how to talk about that. So we've created an entire workflow and automation that will help your salespeople as an MSP actually be able to tell effective stories around the data that's being produced. 

So to say it a little differently, we were creating amazing reports that were telling accurate things. But if the salesperson or the person doing your QBRs can't bring that into your stack or bring that data into your messaging, it was almost a hindrance. So we really found a lot of value over the last, gosh, I think it's about four months now that we've released this AnchorPoint add-on.

And it's been a game changer for a lot of our adopters, early adopters. OK, another question I just thought of is how quickly can somebody on board with you guys and start to show value to clients? You can do it in one day. So this is very streamlined.

I love creating complicated products. My designer says, no, no, no, you should not make complicated products. So it really is value in one day because a lot of the work is done for you behind the scenes. 

So if you choose to log in, create your first client and run a simulation, that takes less than 10 minutes from being able to log in to being able to actually show a client what their potential cyber breach might cost them. OK, and then talking about those clients and a lot of us have different clients with different compliances and frameworks that we use. Are you guys tied to all their frameworks or which one specifically? So we so the NIST CSF 2.0 framework with their new govern pillar has said in multiple places, thou shalt do financial analysis.

Traditionally, you'll see it as part of building a cybersecurity strategy. You'll see it in governance and you'll see it in the strategic planning. Now, that translates over into a lot of the different compliance, particularly around HIPAA and various financial compliance.

Gosh, you cannot remember the one that's a mess out of New York, right? There you go. See, that's it. So, yes, it is part of compliance.

I will. I don't want to lie to people. There's nothing in there that says thou shalt do financial analysis or you will fail your audit. 

What it is, is to say in order to do this in the right way, we highly recommend you do financial analysis. So what I'm seeing is that this is the direction that compliance is moving and that it is effective to have these conversations with your clients saying these are best practices. And if you want me to do a good job, we absolutely should do that.

So that is one way to go about it. We've actually had a few clients who simply say, hey, because of the governance pillar, I'm going to start providing governance services and I'm going to use ThreatCaptain as the center of that. And they just added another two hundred and ninety bucks a month per customer. 

So, you know, it costs, you know, gosh, I think this gentleman added in what was one email blast to his customers and having an opt in, opt out process. He had an additional seven thousand dollars MRR within two months after going live with ThreatCaptain. It turns out sometimes the hardest parts about generating revenue from cybersecurity is the messaging around that.

And so, you know, that I don't always say you should do that. It all depends on your MSP. If you're not offering governance, then maybe this isn't the right play.

But if you are, if you have a VSO or if you have, you know, these kind of compliances, something that you're interested in, then, yeah, there's definitely revenue opportunities out there being able to run simulations and the simulations then uncover additional revenue opportunities from professional services and managed services. So it's pretty much a win, win, win all the way around. The customer is thinking about security from a business point of view.

The MSP is able to generate short term wins while they're building up their revenue from professional and managed services. And ThreatCaptain gets to sit in the middle of there and take credit for saving the world. So I love that.

There you go. I want to go back to the beginning where you talked about people being confused about how to use ThreatCaptain itself. Was there a myth or a misuse that you had to take care of and get rid of? Yeah, it turns out literally everybody who we talked to wanted to use it inside of a risk assessment. 

And I'm not saying that it's a bad idea, but what we had to actually educate is what is a risk assessment. So I'll kind of break this down a little bit. You have actually three pillars to an assessment.

The first is assessing risk. The second is business impact. And the third is financial impact.

And so what people were doing is they were doing RBF, or as I say, it's resting bitch face. So that's completely wrong. No one wants to buy anything from that.

So I'm like, you have to flip that around, guys. Don't lead with the risk assessment. It's part of the process.

It's not the process. And so it should be financial, then business, then risk or fun boat ride. So one of the ways we tried to unpack this whole thing is, look, don't show up to your customers with the resting bitch face and try to sell them cybersecurity.

Take them on a fun boat ride and let the CFO tell you what to spend. Very nice. Very nice.

By the way, that joke does not always kill. But I like it so much, I keep using it. And my wife's like, is it working? I was like, no, you're a revenue so far.

But I love saying fun boat ride. So what am I going to do? Oh, I thought you were going to say you love saying, you know, resting bitch face. Well, you know, that too, that too.

All right. Well, Adam, let me let you do this, because I know that, you know, part of the PitchIT, you know, thing that you're going to go through with orientation and boot camp and stuff is they're going to ask you to be able to, you know, drive that pitch home. And of course, you've got five minutes, I think, in part of your, you know, your video stuff here.

So let me give you a couple of minutes to kind of practice that. What would be your pitch right now that you would like for listeners to hear? Great. So, hey, I'm Adam Anderson.

I'm CEO of ThreatCaptain. This is my fourth cybersecurity company. I exited my first, which was a VAR.

I'm still chair of the board for my third, and I'm CEO of ThreatCaptain. And what I've learned after all of these companies is that the number one thing I needed to do to help my clients was to be able to communicate risk more effectively. And I love all of the data and all the jargon.

But when I use that to try to talk to the businesspeople, all the risk got lost in translation. What we've learned is that by actually speaking their language, which is the language of finances, you're going to have parallel and parity when you speak about risk. That's going to unlock opportunities.

To be clear, more revenue, shorter sales cycle, lower churn. By doing this the ThreatCaptain way, you're going to be able to have stickier clients who are loyal and get more referrals. At the end of all this, you're going to be able to have that narrative and be able to track exactly what kind of risk reduction you're doing.

And you're going to be able to quantify the value that you're producing inside of your QBRs, inside of your marketing materials, and just in general. So our hope is that MSPs come over to our side. We flip the script.

We don't lead with technical jargon. We lead with financial risk. And we really help reduce the overall impact of cybercrime in the world by actually selling cybersecurity products and services our customers will buy.

And there you have it, folks. Adam Anderson, ThreatCaptain, with his probably the first official pitch, right? That's pretty it. Yeah.

No, no, no judgment, guys. We're working on it. So I think I feel like I nailed it.

Yeah, you got a boot camp to finish. So I'm going to wish you good luck, Adam, and hope to see you on stage at IT Nation Connect in November. And I'm sure I'll see you out and about.

Thanks. All right, folks. That's going to do it for this vendor profile for PitchIT 2025.

We'll be back with more. And until next time, holla.