In 2020, Rob left his job at Robinhood to start an intrusion detection tool. One year later, he shut it down. Here’s what happened.
Hi Rob! Who are you, and what are you currently working on?
Hey there! I’m Rob Picard, 28 years old, and I’m based in Castle Rock, Colorado.
I’m the Security Lead at Vanta, a company that provides security and compliance automation. Prior to this, I was the founder of a security company called Observa.
Observa went through a few iterations but was eventually a self-service SaaS tool to detect accidental database exposure in AWS.
What’s your background, and how did you come up with Observa’s idea?
I’ve been in the security industry for a little over eight years. I started off as a penetration tester at Matasano Security and eventually worked on application security, intrusion detection, and incident response at companies like Addepar and Robinhood.
I’ve been reading Hacker News since I was 14, and I always knew I’d eventually want to start a software company. In late 2020, I read The Launchpad for the first time, and I decided to apply to Y Combinator with an idea I had been considering. I was accepted, and I left Robinhood to start building.
The original idea for Observa was to build a lightweight intrusion detection system targeting earlier-stage companies. We spent a lot of time and effort building this at Robinhood, and I figured there was some 80/20 rule where the low-hanging fruit could be detected by a simpler, less expensive system. This system could provide value to startups that weren’t ready to invest in the more complicated setup.
How did you go from idea to product?
I quickly realized that there were a few obstacles to building something like this that would provide value to smaller startups. Some of the most important log sources that I wanted to monitor were difficult to access or required enterprise-tier subscriptions to the products. In addition, some delayed the data by several days.
I also talked to potential customers and learned that this just wasn’t a priority for them; it wouldn’t be something they’d pay for. This is a classic example of a solution in search of a problem.
I decided to solve a real problem I had experienced. Large consumer companies are constantly fighting account takeover attempts by credential-stuffing botnets. These attackers take advantage of the fact that users often use the same password across many services. They take a list of credentials breached from some database in the past, and they have their botnet try to log in to a list of other services using those same usernames and passwords.
My idea was to work with these service providers and have them share the IP addresses that were performing these attacks in real time. As soon as one company detected the attack, it would trigger a reaction across the industry, and the botnet would be useless against other services.
Long story short, everyone thought this was cool, but after months of trying, I couldn’t get any of these major consumer companies to try a pilot and share some of the IPs they detected. It also turned out that many of them didn’t have sophisticated enough detection capabilities to produce a list of IP addresses in real-time, nor did they have the tooling to block new IPs that I might provide in real-time.
I changed direction again and decided to “do one thing well” with a product that would detect public database exposure in AWS accounts. It’s not difficult for a developer to accidentally make a database publicly accessible on the internet. Even if it has no interesting data, and is only used for testing or development, it can be used by an attacker to pivot into the network.
Many tools will provide you with a list of thousands of potential issues with your cloud posture, so I wanted to focus on the highest signal, and lowest noise signs which indicated an imminent security issue.
I built this tool, launched it on Product Hunt, and a handful of people signed up to use it.
What strategies did you use to grow your business?
Observa never grew beyond that initial group of users. I tried paid ads but didn’t find any real traction. I was looking to use the product-led growth strategy, but I didn’t really understand the amount of effort that goes into making that strategy work.
I did later put out an offer to all YC startups that I would join their Slack workspace with a shared channel and provide security advice, etc. I got a great response from that, but most of the questions ended up being about issues blocking sales (compliance, questionnaires) as opposed to security issues.
When did things start to go in the wrong direction?
With the final iteration of Observa, I found that startups who were interested enough to sign up for a free trial and hook up the tool to their AWS account weren’t really interested in the findings that came out of it. It wasn’t solving a burning issue for them, and they weren’t going to pay for it.
Every time I switched directions, I found a new sense of enthusiasm and excitement for the potential of Observa. I really believed in each of the ideas and thought they could grow into something huge. With that said, I think I started off on the wrong foot entirely.
In retrospect, none of the products I was building came from a burning need that potential customers had. It’s easy to see that from the outside, but each of the products felt like they were solving a major problem. The reality was that they were describing a real problem, but didn’t provide the right solution.
What were the causes of Observa’s failure?
I’m always hesitant to answer this. The reality is that for everything that I did incorrectly with Observa, there is a billion-dollar company that made the same mistake early on.
I’ve been told that Observa failed because I was a solo founder. They couldn’t point to anything a co-founder would have changed, just that I would have “kept going.” I don’t really believe this.
After a year of changing direction without any good ideas for the next thing, I just realized that I didn’t want to do it anymore. Everybody wants to be an author, but nobody wants to write. I wanted to be a successful entrepreneur, but I didn’t want to spend years searching for the right idea.
I love building things, and really love building things people want, but without an idea for what to build, I ran out of enthusiasm and decided I’d have a lot more fun joining a company that had figured this part out.
I emailed my investors to tell them I was going to stop taking any payment from the company and spend an indefinite amount of time figuring out the next idea. After a month or two, I let them know I was going to return the rest of the money and shut down.
I felt a sense of responsibility to the friends and new acquaintances who had invested in Observa. In the end, though, I was just excited to have something more promising I could look forward to. It felt like I was leaving a dead-end job and had new adventures on the horizon. Ultimately, shutting down was a great feeling.
What were your expenses? Did you achieve any revenue? In the end, how much money did you lose?
I raised a total of $462,000 and was able to return $370,545.77 back to investors. I worked on Observa for 10 months, from November 2020 to September 2021.
My largest expense was my own salary and healthcare.
I didn’t generate any revenue.
If you had to start over, what would you do differently?
If I was going to start over, I’d wait until I had an MVP and early signs of traction before I took any investment. Venture capital is an amazing way to accelerate a business, and I wouldn’t avoid it in general, but I wouldn’t want to take investment before having real revenue on the books again. The exception would be a research-heavy business that requires a lot of upfront investment before any revenue can be expected.
I would spend way more time on getting people to pay for something as opposed to finding the “right idea” in theory.
In the end, the only thing that matters is that people are paying for something you’ve built.
What did you do after Observa shut down?
When I decided to shut down Observa, I cold-emailed Christina Cacioppo, the founder of Vanta. During all of my time talking to startups about security, I continuously heard about how Vanta is the gold standard for a startup security product.
They found a fantastic product-market fit by providing a security tool that unblocks sales by getting you ready for compliance standards required by mature buyers.
It turns out that Vanta had started thinking about hiring its first internally-focused security engineer, and I really hit it off with the team. I interviewed at a couple of other places, but Vanta seemed like the perfect fit for me at that point in my career.
Now I’m leading the security team, and I find a lot of joy in building a modern security program while also contributing ideas and thoughts on how we can continue to embed security best practices into the product.
Through all of this, I also discovered that I love venture capital. I’ve been an active angel investor since early 2021. I’ve also been involved as a Senior Venture Partner with Pioneer Fund—a VC fund composed of Y Combinator alumni investing in the top YC companies from each batch. More recently, I joined the scout program at CRV, and I try to keep up with as many interesting startups as I can.