
How GitGuardian Leverages Data and GitHub to Fuel Its Growth

This post by François Dufour is part of our series on Product-Led Growth and Marketing Playbooks. There, we share insights and advice from leaders who have built successful PLG businesses marketing and selling technical products to technical audiences.

“Orian and his GitGuardian Growth team drive a ton of developer signups with a unique GitHub hack. You should talk to him, François”. After hearing this from Jeremy Goillot, founder of a large Growth community in France, I immediately asked for an intro to Orian. I was not disappointed. Orian Roturier, Head of Growth and Demand Generation at GitGuardian, a fast-growing French cybersecurity startup, kindly agreed to unpack their growth playbook and learnings.

A data engineer by training and with deep expertise in analytics and performance marketing, Orian has led the company's Growth playbooks since 2020. During his 3+ years at GitGuardian, he has scaled and optimized their growth and demand gen.

He revealed the details of GitGuardian's unique GitHub "hack", how they use data and industry-based content to connect their PLG and Sales-led motions, and how they "newsjack" some security breaches while providing value. He also explained how they structured their growth teams.

Key takeaways:

  • Growth hack - GitGuardian scans and detects leaked secrets in public GitHub repos, then emails developers with a courtesy notification. This drives 90% of their developer sign-ups and fuels their PLG motion and brand awareness.
  • Newsjacking when breaches happen - They set up a process and a team to rapidly analyze and report on high-profile breaches. It establishes their brand as an authoritative voice on emerging security threats.
  • Connecting PLG and Sales-Led motions - They acquire developers via their email hack and, from there, identify and engage security engineers at these accounts with a mix of BDR outbounding and Industry-Based Marketing (IBM).
  • Growth fueled by data - A central data team supports marketing, sales and CSM, with Snowflake as the single source of truth for targeting, account scoring and more. Their researchers leverage it too and create industry trend reports.
  • One common metric - Every person in marketing drives toward the same metric: new pipeline value created, ensuring strong alignment.

Let's explore GitGuardian's growth playbook:

What does GitGuardian do? Who do you target?

We offer a SaaS platform for secrets management and code security. As the leader in secrets detection, we serve mid-market to large enterprises with engineering teams above 200 developers. Our products monitor public and private source code repositories, detecting exposed API keys, tokens, certificates, and other secrets. With over 350 different secret detectors, they scan code commits across all major code hosting platforms.

The main users of our platform are application security engineers. But we believe in putting the developer "in the loop" to reduce the remediation workload. Since developers are at the source of security incidents with leaked secrets, they can often resolve them the fastest.

While the CISO makes the final purchasing decision, there are, on average, 10-15 people involved in an enterprise deal's buying committee. We target everyone from hands-on appsec practitioners up to CISOs, including engineering managers, DevOps/DevSecOps, red teams, and even SOC team members. Navigating this complex web of stakeholders is key to selling our enterprise product.

80% of our customers are based in the United States.

How do you acquire customers?

We acquire users through bottom-up product-led growth (PLG) and customers through top-down sales-led motions, fed by our PLG, Demand Gen programs, and an Industry-Based Marketing (IBM) approach.

PLG

Our GitHub "Good Samaritan" growth hack (which we'll unpack next) is the best example of our developer-led PLG approach. We provide value and utility first before any hard selling occurs. In addition to that hack, we also offer developers lots of free tools (“lead magnets”) to complete our bottom-up go-to-market motion. Some may not necessarily rival our GitHub hack in reach, but are great for surfacing the right intent.

For instance, we just launched Has my secret leaked?, so one can check whether a secret was leaked on GitHub. This is a pure brand awareness play; we don’t even ask for an email. We also do Programmatic SEO and generate pages using the same template to handle low-volume but specific questions. We do that with our docs and go in-depth on how to remediate secrets.

All in, we have acquired 400k+ users since January 2020, when we started running these playbooks.

Sales-Led

For larger enterprises, we use a more traditional sales-led approach, leveraging third-party data, security events, and an IBM playbook. SDRs/BDRs and Account executives target security professionals and technology leaders as the primary buyers.

Here are our key lead sources:

For inquiries and demo requests:

  • Historically our top channel was Google - we're the enterprise-grade solution for "secrets detection" queries
  • Now it's mostly events like RSA
  • Also product users clicking on “request demo” from onboarding emails or our app
  • Finally, LinkedIn and email nurturing

For leads:

  • Events and media sponsorships are big sources
  • LinkedIn is always important

Can you describe your award-winning "Good Samaritan" GitHub growth hack?

This program proactively detects and notifies developers when their secrets get exposed publicly on GitHub. Here is how it works:

Our platform continuously scrapes public GitHub repositories looking for exposed API keys, access tokens, certificates, and other secrets that were committed accidentally.

When leaked secrets are found that pose a security risk, we immediately email the developer who owns that repository - typically within 5 minutes of detection.

These "Good Samaritan" emails notify developers of the potential credential leak, but contain no sales pitch or call to action. They simply alert developers to the risk, so they can promptly revoke or rotate those secrets. To avoid being spammy, we give the full context, and the click takes developers to a “sign-up with GitHub” page - optimized for that flow - to go and remediate this specific problem.

Email that GitGuardian sends to developers whose secrets leaked on GitHub

We detect around 500,000 compromised API keys every month, translating to >10 million keys annually. Each month we notify over 120,000 developers about leaks specific to their projects.

And all that only costs us $90 per year to send these emails with a Mailgun account.

10% of developers receiving these notifications resolve their issue and sign up for GitGuardian.

For developers, having exposed secrets can be embarrassing and even detrimental to their careers. By handling notifications with care and empathy, we turn an unpleasant situation into a positive brand experience. Instead of a vendor selling services, we establish trust and credibility as a partner who has the developer's back. Initially, we turned that into social proof on Twitter, but now we have also fed a full-blown review program on G2, Peerspot, etc.

This is a good reminder that, with developer-focused products, growth and revenue may follow value, but should not precede it.

How do you connect your PLG and Sales-led funnels?

90%+ of our bottom-up acquisition necessitates a Sales touchpoint, i.e. we rarely see full self-serve deals because the platform is a significant investment.

To scale beyond developers to large enterprises, we enrich signals from product usage to identify promising sales targets (using enrichment cascades via Clay for instance).

Our data team maintains a unified customer data platform (CDP) on Snowflake, joining behavioral usage data with our target account list and buyer profiles. The strongest usage signals are things like high-risk secret scans, frequent logins, and regular activity; we track those and pipe them into Snowflake. There, our data team joins activity records to the accounts list and calculates “fit scores and likelihood to buy scores” to quantify sales-readiness.

Some examples of strong signals include:

  • The company hiring an AppSec engineer with secrets detection experience, a strong hint that they have a homegrown solution or want to build one
  • Whitepaper downloads
  • Event or webinar participation
  • Proprietary signals based on GitHub activity and our product

These enriched account records then flow into our CRM and various go-to-market systems - including customer.io - to empower sales and marketing.

When high-value usage signals indicate interest from a target account, we employ orchestrated multi-channel campaigns to connect with the right stakeholders.

Instead of cold outreach, we leverage the product usage as a warmer intro to security champions. Contextual messaging based on the prospect's activity demonstrates our understanding of their needs.

IBM and Industry-specific content and messaging further accelerate these sales conversations by addressing the buyer's unique pain points. For example, metrics on IoT vulnerabilities resonate strongly with manufacturing accounts.

To scale this process, we recently established a business development team under marketing. This outbound team focuses on re-engaging marketing qualified leads (MQLs) that previously went cold. The BDRs prioritize event attendees, content downloaders, and product trialists who meet target account criteria.

How critical is PLG to acquire new mid-market and enterprise logos and revenue?

Our product-led and sales-led motions are complementary. There are always some offline interactions and signals that are challenging to track.

From our data, only about 10% of closed deals had active product usage before sales discussions. However, I'm convinced our free trial and transparent pricing work tremendously in our favor, even if not tracked. People try our product with personal emails or developers hear from peers who've used it.

Selling to technical users, making sure we are transparent (we publish our pricing), and giving open access to information and our product - without requiring signed NDAs or a talk with sales first - are essential for building trust.

You have mastered newsjacking and content with your data and research. How?

When major security incidents occur, the companies impacted need to disclose them. If the source code was made public, we immediately use our product to scan and see if secrets were exposed. Then we bring a lot of value to the reporter. We work with a PR agency in the US & EMEA.

Our security researchers quickly publish detailed breach analyses, establishing us as an authority on emerging threats.

For example, when the Toyota breach became public in October 2022, we rapidly compiled an in-depth incident report including:

  • The type of data exposed, such as API keys, account credentials, and internal source code.
  • A review of affected cloud services and which specific assets were compromised.
  • An analysis of how hackers could potentially exploit the leaked secrets.
  • Recommended remediation steps for companies to protect themselves.

These newsjacking campaigns generate significant website traffic, backlinks, and brand lift - converting media attention into growth.

But we avoid sensationalizing issues, aiming to provide genuine value through thoughtful analysis.

The keys to success with this technique are having:

  • A rapid response process and team in place to investigate the breach and run our scanner on the leaked source code.
  • Timely, relevant, and in-depth analysis that stands out from generic reporting.
  • Multi-channel distribution of content across social media, forums (including HackerNews, Reddit, etc.), and press.
  • A focus on educating rather than promoting our products overtly.

We also create an annual State of Secrets Sprawl report. It highlights the growing problem of secrets sprawl and how organizations can address it.

We produce this in a three-month collaboration between our content, R&D, and data science teams. Our data engineers analyze usage statistics from our product for proprietary insights, and from public GitHub leaks. We also commission a third-party polling service to incorporate survey-based perspectives from security practitioners.

The final report synthesizes trends on the expanding scale of secrets management issues, top challenges teams face, and emerging best practices for detection and remediation. This campaign has become a keystone of our thought leadership.

What is your playbook with events?

Sponsoring industry events remains a pillar of our strategy, but we try to have a smart and low-cost approach to them with careful tracking and targeting.

Here are some keys to our event formula:

  • Pre-event targeting: We process registration lists to tag and prioritize employees at our target accounts when meeting scheduling opens.
  • Creative booth experiences: We design interactive onsite experiences with compelling swag to attract and engage prospects.
  • Right events for our audience: We focus on conferences where we can cost-effectively connect with our core personas, based on attendee profiles.
  • Rigorous post-event tracking: Our team tracks all marketing qualified leads back to sponsorships for detailed ROI analysis, optimizing future events spending.

For us, RSA provides better results than Black Hat based on attendee profiles: we find more application security engineers there.

How is the GitGuardian marketing team structured?

Our marketing team has around 20 people structured into four teams:

Content Marketing

This team includes technical writers, usually former developers, who create educational articles, guides, and documentation, and developer advocates who turn them into social media posts, conference tech talks, webinars and more. Their content powers marketing campaigns across the funnel.

Product Marketing

They enable sales and drive product launches. They craft positioning and messaging, and also started a tech partnership program.

Shared Services

With one in-house website integrator (a Webflow expert) and a designer.

Growth Marketing - Orian’s team

The GitGuardian Growth and Demand Generation Team - 2023

With about 10 people, it includes:

Demand Generation

They are responsible for:

  • paid ads (LI, Google, FB), sponsoring podcasts and newsletters, and content syndication
  • SEO
  • Email nurturing and our newsletters
  • Our reviews program: we use our broad user base to leverage some reviews
  • Product-Led growth and lead magnets

Field Marketing

They manage our local events, our presence at large security trade shows such as RSA or Black Hat, and events from associations such as OWASP. They also support customer marketing with the CSM team and Channel marketing with the Channel Sales rep.

Sales/Business Development

Our inbound-focused BDRs nurture and convert marketing-qualified leads through multi-touch outbound campaigns.

Everybody in marketing has the same true north target: the dollar amount of new opportunities created. This shared goal is great for tight collaboration.

What are your favorite growth and marketing resources?

For growth-focused marketers looking to step up their game, I recommend these resources:

  • Newsletter from Emily Kramer, ex-Asana CMO: on Growth, content and PMM
  • Dave Kellogg's KellBlog. I genuinely don't know how so many marketers get by with only a surface-level understanding of funnel dynamics. Trust me, you need this.
  • Growth.Design - an interactive way to learn good UX design from everyday apps. You'll learn marketing psychology and get better at designing a PLG experience.
  • Pemavor's Newsletter: Lesser known, it's one of the only places that documented the N-gram analysis for Google Ads' search terms - a tool I used to beat the best agencies in the world in a head-to-head performance contest for Fortune 500 companies.
  • SparkToro's blog. Interesting take on organic content and audience tactics.
  • Hacking Growth by Morgan Brown & Sean Ellis. It's like reading Dune if you like Sci-Fi: an oldie but goodie, you sort of have to read it if you like the genre. Still, you may find more modern and practical resources elsewhere.
  • Simo Ahava's content & Analytics Mania - if you understand what they are talking about, you'll be in the 1% of the best technical marketers for tracking.
  • The Clearbit Manager Handbook. The first section is a must-read for everyone who wants to succeed in their role as IC or Manager.

Orian accepts a Growth award in 2022 on behalf of the GitGuardian team

The GitGuardian Growth and Demand Gen Team