It’s the stuff of startup dreams: A $1 billion valuation that unlocks a status few ventures ever achieve—unicorn. To outsiders, it can seem like the result of simply finding a winning idea and pursuing it single-mindedly until it reaches that coveted hockey stick growth. What gets lost in the headlines are the nitty-gritty details that reveal a long, winding road to success marked with trial-and-error and uncertainty about what problem you’re actually trying to solve. And Material Security’s story is no exception.

In 2017, former Dropbox engineers Ryan Noon, Abhishek Agrawal and Chris Park quietly launched an enterprise software company that takes a counterintuitive approach to email security. Instead of focusing on preventing attacks (which are bound to happen), why not go straight to the source and protect the precious information hackers go after once they’re inside those inboxes? The startup remained in stealth mode under the code name Stellarite until June 2020, and less than two years later, rose to unicorn status after receiving a $1.1 billion valuation during its Series C fundraising.

“Official legend has us as a security company the entire time,” says Noon. “But what people don't realize is exactly how many options were on the table when we started the company.”

The reality is, when angel investors cut their first check to the trio in July 2017, the three founders were still out pitching four different ideas and hadn’t yet built an MVP for any of their proposed solutions.

And believe it or not, that was part of their well-structured plan, one that started to take shape three years earlier.

In 2014, Noon’s startup, Parastructure, was acquired by Dropbox, where he and Agrawal met and became instant friends. On work breaks, they’d stroll along San Francisco’s waterfront, talking shop and dreaming of future ventures before looping back to Dropbox HQ.

“People told us it was inevitable that we’d start a company together someday,” Noon says.

But after the whirlwind of starting, scaling and selling his first startup—Noon needed a break. In 2016, he left Dropbox and moved to Berlin, telling Agrawal he wasn’t sure if or when he’d start another company. “Someday” was the only vague timeline he could give.

That fall, however, Noon contacted Agrawal with a renewed sense of entrepreneurial ambition and a strong conviction to get started as soon as possible.

Agrawal recalls that conversation with a laugh. “I was like, ‘What the hell happened to you? It's only been a couple months!’”

All of this was playing out against the backdrop of the 2016 U.S. presidential election, during which the public became acutely aware of how easy it is for emails to be hacked. Sitting in Berlin catching up on American news articles, Noon was astonished that he (and anyone else) could read the personal emails of a former White House official. Wasn’t there a better way to prevent things like this from happening?

The first inklings of the idea that would become Material Security began to take shape, but Noon kept it in his back pocket. To him, much more important than finding an idea to pursue was finding the team he wanted to pursue it with. “If you have the right people working together the right way, and you're disciplined in discovery, you can go far,” says Noon.

Product-market fit was far from my mind at the beginning. I wanted to get the team right first.

To do this, he flew back to California, where he and Agrawal brought in Chris Park (who had been Parastructure’s first engineer). With the three of them assembled, they had their founding team. What they didn’t have, though, was an idea of what they’d build—but still, they weren’t worried about that just yet.

“We knew we wanted to start a company together, but we needed to ensure we were aligned on important things like roles, responsibilities, revenue models and spaces we liked or didn’t like,” explains Agrawal. “So, basically, everything except the actual product idea.”

True to their developer roots, the three structured their entrepreneurial endeavor much like the software testing lifecycle, with specific timeframes and clearly defined exit criteria. As they began to explore different startup ideas, the founders named this the “discussion phase.”

Goals. Outline what each stage should accomplish. For their discussion phase, the first goal was to make sure all three founders were aligned on the type of company they wanted to start; they determined the equity split and roles and did premortem exercises, such as assuming the company had failed and then working backward to figure out how they could’ve prevented it. The second goal of their discussion phase was to come up with product ideas to pursue.

Duration. Estimate how long it will take to complete the phase. Noon, Agrawal and Park allotted six months to the discussion phase, but in reality, they took only one-third of that time.

Exit criteria. Define criteria to clarify when a phase has ended so you know to move on to the next. The founders decided beforehand that the exit criteria for their discussion phase (to then move into the validation phase for their chosen idea) was that Agrawal and Park would quit their jobs.

Another way they systematized their process was by creating a spreadsheet called the “spaces and opportunities tracker.” They met once a week and assigned homework tasks, including populating rows in the S&O tracker with ideas they gleaned from a variety of sources.

Eventually, they accumulated 25 opportunities. The next step was to whittle down the list to a more manageable size. To do this, they eliminated any ideas that:

Weren’t interesting to all three of them

Upon further research, didn’t seem viable from a business perspective

Weren’t conducive to the B2B business model they had previously agreed upon

In the end, Noon, Agrawal and Park settled on four software ideas, including two in security and one in people analytics, and drafted “flight plans” that detailed the steps to validate each opportunity. But even at this stage, they weren’t overly attached to any specific idea.

One of the best pieces of advice I ever got was that when you're starting a company, you often think you're picking an idea, but you're really picking a customer. It's actually pretty easy to change your idea, but it’s way harder to change the customer you're serving.

“Every time you change customers, you leave all this learning on the table and start from scratch,” explains Agrawal. “Whereas if you're iterating on a value proposition with the same customer, you've at least got all this learning about the customer that you can continue to leverage for future validation.”

With a handful of solid ideas to pursue, there was only one thing left to do to meet the exit criteria of the discussion phase: In April 2017, Agrawal and Park quit their jobs and joined Noon to pursue their new startup full-time.

When faced with the prospect of picking an idea to pursue, founders can do any number of things: They can conduct customer interviews, for instance, or build an MVP. Noon, Agrawal and Park took an entirely different approach: They started selling.

Material Security co-founders Abhishek Agrawal, Ryan Noon and Chris Park

“We knew all four ideas were good,” says Noon. “They were all good markets, and we all felt like we could start a company around any of them. But we knew one idea would be way easier to sell than the others, and the only way to find out was to try.”

They called this the “hot knife through butter test.” By attempting to sell each of their four software ideas, it would quickly become apparent which solution was worth pursuing before they spent any time building it. And so, it was time to enact the flight plans. Which idea would take off?

“All of the flight plans boiled down to the same thing. It was essentially find as many people as possible in your network that have anything to do with that idea, and try to sell it to them,” says Noon.

Don't ask for feedback. Don't do user research—just try to sell your idea.

And in the earliest days, selling was a team sport. ​​"A lot of founding teams delineate roles pretty early: 'One of us will be the sales one, the other will be the engineering one and the other will be the product one.' And then the salesperson is selling stuff that didn't get built, the engineer is just building fun stuff and the product person is doing something that makes no sense,” says Noon. “The plan early on is to find an opportunity together, so we would consciously take off hats and put other hats on."

Pre-selling to validate an idea before building is a common risk-reduction strategy in the early startup days, but Noon, Agrawal and Park took “lean” to another level. Not only had the team not yet built a demo, but they also didn’t even have a landing page or full mockups for any of their ideas because they didn’t want to waste time on something they hadn’t yet validated. In fact, in one of their earliest presentations, they pitched the Netflix security team on becoming a design partner with nothing but a notes doc and 10 bullet points outlining a customer, problem and solution.

“It was mostly us asserting each bullet point and seeing if there was pushback, which got us honest feedback very quickly,” says Agrawal.

People will debate you if you're asserting something, whereas if you're asking for feedback, they won’t be as honest because they don’t want to hurt your feelings.

Shortly after, the founders decided to start selling an early access program for each idea, but they knew bullet points and slides wouldn’t be enough to engage prospective buyers in the validation stage. Their solution? Something they called “marketing vignettes.” These were pitch decks built to look like pared-down sales landing pages, with descriptions of different features.

Here are some examples:

These vignettes were highly effective for two reasons:

They gauged interest without overwhelming. “There was just enough UI to convey a concept without letting you get bogged down in it with a customer,” Agrawal says.

They allowed the founders to experiment with messaging. “A big part of finding product-market fit early on is testing messaging,” he says. “When you make slides, it lets you skip product marketing because you're just thinking about bullet points that list features. But when you make marketing vignettes, you have to name your features and also convey in a couple sentences what the benefits are. It forces you to exercise muscles around positioning and marketing.”

Marketing vignettes in hand, the founders spent every day pitching their ideas to different prospects. “It was exhausting to have all these conversations,” recalls Agrawal. “It was like a 9-to-5 job where we were trying to sell multiple different products at once.”

Here’s what a typical day in the validation phase looked like: It started with meeting an HR leader to pitch a people analytics product. The next hour, they’d go to a security person and pitch a security analytics product. And then, later in the day, they’d pitch another security product that was slightly different.

“It was strange,” admits Agrawal, “but it was also very telling because you were quickly finding out not just which ideas the customers cared about but also which ideas you were excited to pitch. If you were struggling to pitch them, or if you were having to pump yourself up, it would become clear they weren’t winning ideas. But if you were energized by your own pitch, you knew you were onto something.”

The earliest stages of a startup might seem a bit early to use a dedicated CRM tool, but during the validation phase, the founders started using Streak to manage customer relationships. The very act of learning to use the features of the CRM (with its pipelines, deals and stages) taught them a lot about how selling works and helped them gauge interest as deals started moving forward in the tool.

“It's all about next steps,” says Noon. “A lot of founders who do enterprise don't learn sales, and sales is really all about going through a progression of steps. Talking about the problem, showing the solutions and then walking prospects through what to do next if they’re interested—like signing paperwork or joining an early access program. Using CRM software actually teaches a lot about that progression.”

After two months of pitching their four different startup ideas, one was clearly emerging as a winner: the email security product. They knew they were approaching product-market fit when the following started happening:

It was easy to identify “champions” within organizations. In sales, a “champion” is a person who promotes your product within their own company, helping lead to a sale. For the founders’ security software idea, a champion was typically someone like a CSO or CISO whose job involves identifying and adopting the latest defensive technology to protect their company. For their people analytics idea, however, they had a hard time identifying who to pitch to because it wasn’t HR’s job to push software through their org. “Just the act of having to go through LinkedIn and identify people to try to sell our product to was a huge qualifier because it was like, ‘We got 20 meetings on this one. And only two on the other.’ That tells you something,” says Agrawal.

After the pitch, prospects started asking buying questions. The founders really knew they were onto something when prospects were energized by the pitch rather than an apathetic reaction — making feature requests and saying things like: “This is cool. I want to show this to the rest of my team.” “When will this be ready?” “How much does it cost?” “How long does it take to integrate?”

Angel investors wanted in. While buyer interest is certainly a strong sign of PMF, investor interest is too. Pitching their email security software solution to companies ended up being a pathway to their seed funding. As Noon shares: “We'd pitch it to some CISO, and they'd be like, ‘This is the coolest thing I ever saw. When's it available? Can I buy it?’ And we’d be like, ‘Well, early access starts in two months. And by the way, will you angel invest?’” (The team ended up with 20+ industry operators on their early cap table.)

Customers opted into the early access program. This was the team’s clearest measure of success because it meant prospects weren’t just using words to show interest—they were willing to use their dollars.

“There's such a cult around product-market fit,” says Noon, “and everyone has their own definition of what it is.”

The founding team developed a four-part checklist for when you’ve found PMF:

You sold your product to at least five customers. The first one or two sales could just be pure luck, and while it’s certainly not a hard-and-fast rule, Noon believes five customers is the threshold for knowing your product’s got pull.

You sold it for a price that’s sustainable. Price point matters. If you sold your product to five people for dirt cheap, that doesn’t count for PMF because you can’t keep a company running with that kind of pricing. Noon says, “I sometimes see people celebrating like, ‘Yeah, I sold it to five different public companies!’ But then I find out it’s for only $15K each, and I'm like, ‘If that's your price point, you're doomed.’”

Those customers all bought it for the same reason. This one’s a little murky, as some companies (such as Retool) have customers that use their product for vastly different reasons. But when people are buying your product largely for the same purpose, it’s a strong signal that you know your market and are serving it well.

They’re willing to tell someone else about it. Having customers willing to vouch for your product is a good sign you’ve found PMF—not to mention, it’s essential if you want to raise money. VCs who are serious about investing in your company will want to talk to your customers as part of the due diligence process.

Defining PMF is one thing; finding it is another. Based on their own criteria, Noon, Agrawal and Park didn’t achieve product-market fit until a year and a half after they decided to start a company together.

By 2018, the founders had enough interest (and, most importantly, six early access opt-ins) to finally start building. That’s when they went heads-down for a couple of months to code the first version of what was then called Stellarite. Having a working demo increased their hit rate and accelerated their growth, and in August 2018, the company announced a $20 million Series A led by Andreessen Horowitz.

On June 30, 2020, the startup came out of stealth mode in a company blog post that unveiled the name it’s known as today: Material Security. Shortly after, the company raised a $40 million Series B round in May 2021 and a $100 million Series C one year later, bringing its total funding to $166 million.

Today, Material Security’s technology protects the Microsoft and Google accounts of major companies such as Mars, Lyft, Gusto and DoorDash. But even with the many achievements of their unicorn startup, the founders stay grounded with a healthy dose of humility and humor.

“We always say that if this company works out, we'll write a book someday—and if it doesn't, we'll write a blog post,” jokes Noon. “We're hoping it’s not the second kind.”