👓 A look inside Snyk's biggest growth loop

For those that don’t know, Snyk is the developer security company, most recently valued at nearly 8 billion dollars.

Snyk was founded on the premise that the only feasible path to secure software applications is a developer-first path, which really means empowering developers to secure their apps as they’re coding, building and deploying them.

So Snyk basically makes it super easy for developers to stay secure while still moving fast.

It’s a platform with several closely integrated products, each helping secure a different aspect of the development lifecycle. So Snyk can find and automatically fix vulnerabilities in source code, open source dependencies, containers, infrastructure and cloud configurations.

The thing that has really made Snyk so successful is the maniacal focus on developer experience, which isn’t just about the product itself, but also extends to the go-to-market model, where much of Snyks success has been fueled by product-led growth, acknowledging the reality that most developers just don’t want to talk to salespeople.

Before becoming a full-time advisor with PLGeek, I was VP of Product at Snyk for two years, where I led PLG, developer experience and developer education.

Snyk’s growth model

Snyk had a whole bunch of acquisition growth loops of different types.

• Company-generated company-distributed content loops (e.g. Snyk vulnerability database)

• Collaborative personal viral loops (e.g. team invites)

• Incentivised personal viral loops (e.g. referrals)

• Branded viral loops (e.g. Snyk auto-generated Pull Requests)

• Sales loops

These loops (along with several engagement/habit loops) worked together in a macro system to reinforce growth with compounding effects. The qualitative model looked roughly like this (details blurred):

Sidecar products

The idea of sidecar products is to attract visitors, some of whom interact with a CTA (Call To Action) you’ve placed for them to do something (e.g. sign up for your core product).

Snyk leverages sidecar products very effectively, with a number of them successfully contributing to platform growth:

• The Snyk Vulnerability Database (market-leading security intelligence)

• Snyk Learn (democratised developer security education)

• Code Checker (check source code for known vulnerabilities)

• SBOM Checker (check software bill-of-materials for known vulnerabilities)

• Website Scanner (score a website on its security posture)

• Code Snippets (library of vetted secure code from public repositories)

And last but not least, the focus of this post:

• Snyk Advisor (holistic health assessment of open source packages)

Snyk Advisor

Snyk Advisor is a sidecar product that allows developers to find and evaluate the best open-source package for their projects. It has a database of over 1 million open-source packages that devs can query and compare across aspects of:

• Popularity (are there lots of developers regularly using this package?)

• Maintenance (is this package well maintained such that if security or functional defects are found or introduced, we can be confident they’ll be fixed in a reasonable timeframe?)

• Community (is there an active community around this package where we could get help if needed?)

• Security (is this package secure - Snyk’s core competency and the bridge into the core product)

Advisor provides scores across each of these areas (utilising the Snyk core product for the security assessment and scoring) and an overall health score.

As of the time of writing, Snyk Advisor supports packages from the following ecosystems:

• npm

• PyPI

• Go

• Docker

It’s incredibly powerful for Snyk from an acquisition perspective because it serves a general-purpose development use case that is high frequency - developers searching for, comparing, and deciding which open-source packages, libraries and images to include in the apps they are building. Millions of developers do this daily, and Snyk Advisor elegantly solves that problem for them.

Snyk Advisor is a type of Company Generated, Company Distributed (CGCD) content loop.

Company Generated Company Distributed content loops

A bit of background…..CGCD loops typically (though not always) utilise search engines for distribution.

Companies create SEO-optimised pages for the content, and people find those pages when searching.

Some of those people will visit those pages, and the pages contain CTAs (e.g. to sign up) that some visitors will click and become new users.

Those users are monetised in some way. For some products, that might be via ads, or as is typical in B2B SaaS, via some of them purchasing paid plans. And some of that revenue generated is reinvested into creating and publishing more content.

Editorial vs Programmatic content

Content can be written manually, or programmatically generated. Both can be leveraged to great effect as part of a broader SEO strategy, but programmatic SEO offers the potential to generate indexable content in the range of millions of pages. This allows you to capture the long tail of search queries, but to do so effectively means you need reliable differentiated data and templates to create high-quality resources that genuinely solve a user problem.

Snyk Advisor is a programmatic SEO asset. Each of its million-plus package pages is automatically generated; the package managers/repositories, source code repositories and Snyks own vulnerability database are indexed to harvest key data, scoring is applied, and an SEO-optimised page is automatically generated.

The Snyk Advisor CGCD loop

The four steps of the Advisor CGCD loop are:

1. Snyk publishes new indexable advisor package pages

Snyk Advisor publishes new package pages (including data on newly found security vulnerabilities) into indexable pages.

WHAT: Indexes package data, scores packages, generates and publishes new package pages.

WHO: Snyk (Programmatic, Automated).

WHY: To maintain thought leadership, market presence, and to attract new developer users who care about choosing the best packages for their projects & products.

2. Developers search for packages or vulnerabilities

Developers search for packages and/or specific vulnerabilities and find links to Advisor.

WHAT: Use a search engine to research packages or vulnerabilities.

WHO: Developers.

WHY: To learn more about packages before use.

3. View package information in Advisor

Developers learn about and compare characteristics of packages they are considering using and become aware of Snyk.

WHAT: Views package information in the Snyk Advisor.

WHO: Developers.

WHY: To learn more about relevant packages and/or to educate themselves.

4. New or returning users

Viewing Advisor pages drives developers to sign up or return to Snyk.WHAT: Signs up or returns.

WHO: New or returning developer user.

WHY: Proactively understand and fix vulnerabilities in their projects.

Some of those new or returning users and their teams eventually go on to purchase paid plans.

Extending the Advisor loop horizon

While growth loops are compounding, the reinvested input is not always the only input. Those other inputs can decelerate, making the loop spin slower and causing the rate of growth to approach a plateau.

When you see (or better predict) this happening, it’s time to look for ways to extend the loop to create further headroom for growth.

For Advisor, I’ll highlight two paths used to extend the loop horizon; one that’s fairly obvious and another that’s less so.

The obvious extension - adding ecosystems.

There’s a certain TAM associated with every developer ecosystem. Extending support to other ecosystems and generating package/image pages for those ecosystems widens the net.

Advisor started with just Javascript packages from the npm ecosystem, and later extended to Python (PyPI), Docker, and finally, Golang. Other ecosystems would further extend the loop horizons, but investment needs to be weighed against the size of the ecosystem (number of developers and number of unique developers not also in other supported ecosystems) and corresponding search volume.

The non-obvious extension - adding code examples

Outside of adding support for additional ecosystems, the Advisor loop was extended with an additional use case: developers searching for reusable snippets of code that demonstrate how to use the packages they’re including in their projects.

To date, code examples pages have been implemented for many popular Javascript and Python packages.

Note the CTAs to pull visitors into Snyk.

The results - Advisor loop performance

The growth came from a variety of

• Indexing more package pages to capture the long tail of search volume - more packages within an ecosystem, and adding more ecosystems

• Technical SEO changes - also aligned with Google algorithm changes

• Adding additional use cases - code examples

Summary

Snyk has many performant and creative growth loops that work together in a macro system. Snyk Advisor is an amazing asset that has been responsible for significant growth in visitor traffic to Snyk, and subsequent new user and team (Org) account creations.

It has effectively leveraged SEO as part of a Company Generated Company Distributed content loop via programmatically generated pages solving a real high-frequency problem for developers - choosing and using packages for their projects.

I want to call out some people instrumental in Snyk Advisor; first, Oren Hacohen, where the idea originated and was incubated, and Anna Uss, Snyk’s SEO team lead, who helped scale the loop dramatically. Consider following them on LinkedIn - they’re super smart people.

If you have a really interesting example of a successful and non-obvious growth loop you’ve worked on or been involved with. I’d love to hear from you and potentially feature you in a future Product-Led Geek newsletter post. Just drop me a line at [email protected].

Sharing is caring! If you enjoyed this post, please consider sharing it with a few folks who might find it useful. Thanks!