My journey into entrepreneurship wasn’t exactly conventional. For one thing, I didn’t actually intend to found a business. In my first job, I was working as a web security tester (AKA computer hacker), and I made some software to help me do my job better.
On a whim, I called it Burp Suite and put it online for sale. Somewhat surprisingly, this hobby project sparked the birth of what would become a thriving business.
As PortSwigger attracted paying customers, I soon had the funds to build a team. It wasn’t a conscious decision to “bootstrap” the business without any investor funding. I didn’t know any different – I assumed this was what every business did.
With a proper team, PortSwigger had the resources to create lots of other output, which we gave away to the community: free software, cutting-edge research, and the Web Security Academy, a free educational platform for learning about web security vulnerabilities. I had come from the world of our users and it was a natural instinct to give back to them.
After establishing Burp Suite as the leading software for web security testers, we broadened our focus into the enterprise market. We repurposed our core technology to enable large organisations to scan their websites at scale, and allow software engineering teams to perform security testing inside their development pipelines, catching vulnerabilities before they go live. Today, Burp Suite technology is trusted by over 16,000 organisations in 160 countries, including Microsoft, Amazon, and NASA.
The journey so far has involved a variety of transformations, for both me and PortSwigger. Computer hacking is largely a solo sport – just the tester and a laptop. I’ve slowly transitioned from working on my own into supporting a large team, obsessed with maintaining our healthy culture and exceptional performance.
In our early years of selling software to security testers, we enjoyed highly efficient product-led growth: no sales or marketing team, just self-service purchasing and organic brand amplification through viral network effects. As a tech founder, I had shied away from “go to market” strategies, assuming they were a black box of dark arts that I didn’t understand.
However, when we began making software for enterprises, we found that we needed a more sales-driven approach. Customers don’t buy powerful enterprise software on a credit card. I’ve learned to embrace this side of the business and everything that it entails.
It’s the clear route to delivering on our mission of enabling the world to secure the web. And better understanding of our customers and why they buy helps us to refine our products.
Looking ahead, there is still much left to do. Today, cybersecurity is a board-level concern. Enterprise security teams tell us they are struggling to keep up with the sheer scale of the challenge. As software development accelerates, there are just too many applications, with faster release cycles, and too few hours in the week.
Web infrastructure is becoming more complex and abstracted, bringing vulnerabilities that aren’t visible in the code, but which only arise in deployment. We are committed to solving this problem by providing enterprise security teams with the tools they need to stay on top of their attack surface without requiring additional scarce talent.
We’re also deeply committed to the web security ecosystem and the millions of individuals who have used and shaped our products. We have exciting plans for better supporting our users, with more research, free-to-use tooling, and community events.
I’m thrilled to see PortSwigger feature in the E2E Tech 100. This recognition is a testament to our incredible team and all they have achieved. We’re proud to be a British success story, helping to solve one of the world’s most critical challenges. As we continue to grow, we are always on the lookout for exceptional and innovative individuals who are passionate about making a difference. If you’re eager to join a dynamic team at the forefront of cybersecurity, we’d love to hear from you.
