The tale of two towers
There are two schools in Open source.
The first one considers that pure open source should be free with no exception and that developers shouldn’t live from it but rather willingly spend their time on their art. Even though this might sound like a monk-oriented career, a lot was done through this model.
The second one allows money to be a part of the process, which can be used to enhance the product and bring it to its community.
Our opinion is that reliable software and support, along with consistent upgrades, can only be built by fully-committed people developing it around the clock in exchange for a salary. Money can also attract best-in-class talent to always take it to the next level. Not even mentioning that, in our line of work, DevSecOps are a bit like neurosurgeons, not really legions, nor looking for work.
The open source business model: striking a balance
This model has a bad drawback though, it requires money, meaning that you are able to generate revenue based on FOSS. Quite a challenge if you want to keep it free, *really* open source license-wise, accept contribution and foster a great community.
CrowdSec is a dual security solution. The behavior engine parses logs to find & block aggressions. Based on those local findings, the reputation engine deduces a reputation for IPs and shares the bad ones with our user’s community.
We spent countless hours on finding a business model that would fit everyone’s needs. It needed to meet some golden criteria:
- Keep it under an MIT license or 2 clause BSD, as open source as it can be
- Pay the collaborators
- Keep it fully free for the users
- Avoid the “if it’s free you’re the product” pitfall
- Avoid to have a freemium model asking you to pay to get more
Keeping it fair for users and contributors
Since our mission is to help everyone, individuals, institutions, companies, big and small, to secure themselves, we should by all means cover the budget-constrained users’ needs for free. Large businesses though can pay to get extra features, that would only be useful in their context.
The limit here is that the community can potentially decide to also cover those needs or a business can make a plugin on its own. Meaning it’s up to us to quickly develop efficient and well-priced enterprise features. We can live with this compromise.
In the end, our real value lies in our data. The IP reputation database and the system generating and curating those signals is our core business. But people that are partaking in the effort of curating the Internet from those rogue IPs shouldn’t be the ones paying, should they? But if you are not sharing the IPs you block, it could be either because you don’t want to or because you can’t, due to a regulatory constraint.
In the first case, well it’s your choice, but the ones “playing along” shouldn’t pay for the others. If you don’t share, you don’t get the IP reputation blocklist for free either. You get a great behavior engine, able to cover your security needs. If you don’t share for regulatory reasons, you’re probably a business big enough to undergo those constraints, hence you can pay to access the IP reputation system.
So it narrowed down to the fact that we would provide our users with:
- The behavior engine, for free, for everyone, forever
- The reputation engine for free, for the ones sharing and reinforcing everyone
- Some enterprise grade features if you’re a business
- A subscription access to IP blocklists for people not sharing
- API access to businesses making vast amounts of query per day
That’s it, we had a model both respectful of the community, free for users reinforcing the reputation and paying for others.
Then was the license
There are so many open source licenses, it’s like a Zoo. Some sites (Wikipedia and Choose a license) are doing a pretty good job at narrowing it down to the essential points. Bottom line, since we wanted to put absolutely no constraints on the use you can make of the software, BSD two or three clauses or MIT were the most suitable ones.
Some points that played also a major role, hyper scalers like Google, Azure or AWS and probably countless others, are very careful about the licensing model you use and have requirements. So remember, should you want to ever work with them, to adopt a license compatible with their requirements. CrowdSec’s agent is released under MIT License. The premium offers are SaaS-based and do not interfere with the Agent as such, so no complications here.
Are investment funds open-source friendly?
In 2021? Absolutely.
For our Seed round, we raised $6M, $5M in venture capital and $1M through a non dilutive grant. We were pre-revenue and none of the 40 VC firms we talked to were either shocked or even disturbed by our open source model. Beyond open source, what matters most is the business model around it. Here is our own narrative:
- We create a network effect
- To avoid the chicken & egg problem (why would I join a nascent network), we immediately provide value through the behavior engine
- Overtime, while the network grows , the reputation engine becomes a tremendously powerful edge, a self-fulfilling prophecy
- To remove any friction, the product needs to be free
- We build a premium service around the data gathered, but not on the back of the people reinforcing you
- The value comes from MRR made through services and the network value
If you are able to explain it properly, this is a very obvious demonstration.
A non zero-sum game
As to why Open source, if anyone is still wondering about it, well it is packed with virtues we embrace. It is not a matter of “if” but “when” legacy companies, with heavy licensing, vendor locking and proprietary models, will be hit by the open source tsunami.
But beyond just opening the code, opening the network is also a great benefit. Yes, it implies a very complex curation of incoming signals, but on the other hand, the precision and sensitivity of such a network is of a way greater magnitude than traditional CTI.
CTI traditionally deployed honeypot systems like Cowry (or others) on a couple of hundred machines, over one or two Clouds. Here we have a network running real services (not honeypots), over thousands (and tomorrow hundreds of thousands) of machines, not just over a couple of clouds but in all environments. It means that it’s impossible for a hacker to dodge a range of IP, or fingerprint a honeypot.
Every member joining and sharing partakes into curing the Internet. This is a non-zero sum game because in the end, we don’t need to be so numerous to see most of the Internet illegal activity, the size mainly makes the network more sensitive, allowing faster detections.
What was CrowdSec’s open source fundraiser like?
We started on our own funds, being either not paid or on unemployment money for around 6 months. The founders extended these “draught times” for a full year. While the product was in an Alpha state, being tested by a few users, , we created a fully-thought business model, imagined the best way to present it and backed it up with some market studies. Then, we started our Business angel round.
The best way to achieve this is to create a holding, here usually named a SPV (Special Purpose Vehicle), which allows you to receive both big & small tickets, coming from friends, family or professional Business Angels. In our specific case, we have 17 BA, gathered in a SPV, represented by just one head, which is very convenient. The SPV holds shares directly in the company and each BA owns shares of the SPV, according to its investment level.
Then when our first Beta version came out, we started to beef up our KPIs to follow our adoption. This is not easy with an open source model since the “phone home” isn’t something we would consider. Once you can show adoption, growth, with real metrics and forecast your acceleration, things become easier.
Add in a proper communication campaign and some landmark for adoption (like having a Debian and Redhat package, etc.) you can start planning where you will land in terms of number of adopters every quarter. Hence, you can tell your Seed fund what their money will change.
Basically, the Seeder is here to amplify your early successes and help you find the proper business model, in order to generate your early MRR (aim ~50K/month before the A-Series). This money will mainly be used to staff, enhance product features, create premium ones and communicate on a large scale to boost the Monthly Recurring Revenue.
Count 6 to 7 weeks for the roadshow, the moment where you present your slide deck to the VCs. It’s a *very* *VERY* intense moment, be ready. It’s time consuming, exhausting, you’ll parrot your speech ad nauseam and face some disappointments. It’s always hard to get a no when you’re 100% convinced you’re on the right track.
There is a great momentum in the investment game worldwide, specifically in Cybersecurity. After 3.5 months, we are now proud to announce the beginning of our partnership with Breega.
Let’s not play security alone, let’s play it as a team!