Costanoa

StackHawk Blueprints: Your APIs Are Under Attack. This CEO Designed the Solution Engineers Actually Want to Use.

Nov 13, 2025

Taylor Bernal, Director of Marketing & Platform

Costanoa’s BuilderOps Blueprints help early-stage start-ups build successful foundations. Through this series, Costanoa's BuilderOps team interviews founders and start-up leaders, sharing their learnings to help others build their companies faster and better. Costanoa is an early-stage VC firm backing company builders across data, dev, and fintech. 

For our latest BuilderOps Blueprint, we sat down with Joni Klippert, CEO and Co-founder of StackHawk, a developer-first application security testing platform that helps modern teams using AI-driven development to scale safely, especially in industries – like fintech and healthcare – where data protection is paramount. StackHawk enables engineering teams to find and fix security vulnerabilities in their APIs and web applications before they reach production.

Let’s kick things off. Why do companies today need StackHawk?

Companies need StackHawk because they're building code twice as fast now, with 83% of internet traffic being API-driven, and they're accelerating release volume dramatically. 

Statistically, there are more vulnerabilities in AI-generated code than human-written code, and the influx of AI-generated code has caused companies’ familiarity with their own codebases to decline. That's an obvious and enormous risk for the average enterprise web application.

Cybersecurity teams are finally understanding that they have a blind spot when it comes to their API Attack Surface. Companies can't afford to wait until software is in production to test for vulnerabilities anymore. They need to find and fix security bugs before they deploy to production.

That’s where we come in.

You started StackHawk with a product-led growth (PLG) approach targeting software engineers. How did you end up expanding to enterprise?

I often say that we were pulled into the enterprise, and I was more than a little skeptical in the beginning. That’s how we launched StackHawk: as very much a PLG company with open documentation, free trials, and showing value to software engineers as quickly as possible without gating everything behind "speak to a salesperson."

That's how I'd built my career, in PLG-type companies building software for software engineers.

But as we started to grow and go up market, we realized that mid-market and enterprise customers were actually more ready to buy the type of product that StackHawk offers than smaller companies. In essence, the market was demanding a more enterprise sales motion from us. So we had to retool both our team and our go-to-market motion ourselves.

What stood out to you about making the pivot?

Previously, when we had conversations with security teams at our target customers, the prevailing sentiment was, “Oh, engineers don’t care about cybersecurity.” What felt gratifying was proving that, when given a cybersecurity product like ours that’s highly technical and runs in CI/CD pipelines, engineers are all in. 

It turns out that engineers actually care deeply about software quality, of which cybersecurity is a part, but were stymied by their previous options, most of which were built with less technical expertise, resulting in features engineers couldn’t use and user experiences that fell short. 

In our experience, when given what they need, engineers are highly energized and activated around cybersecurity. 

What’s unique about StackHawk’s buyer journey?

With enterprise customers, you’re never selling to just one person. You're dealing with multi-persona buyer journeys. In our case, the budget often lives with cybersecurity teams, so it was on us to both prove to this buyer that their needs would be met while also building a product their engineering teams would embrace.

We had to help enterprises scale across different teams, so we needed solutions architects who work well with both technical and non-technical stakeholders. We also had their developers join proof of value calls because, ultimately, the dev sells the product to the cyber person. They understand exactly what we're offering. It’s very cool to see how their technical expertise and enthusiasm – as they ask questions and learn more – naturally fill in the blanks for their security counterparts.

If you had a crystal ball into the future of enterprise security, what big changes do you foresee over the next 2-5 years?

First, current fastest-growing companies like Lovable, Bolt, and Replit are building software that helps average, non-technical humans build software themselves, often with fully-baked APIs in the background and no clear understanding of cybersecurity.

Second, AI will cause whole cybersecurity product categories to disappear. Certain types of security testing – like SAST, which looks at patterns in how code is written – will become like Clippy in the corner, saying, "This appears to be an insecure pattern in your code" or just won’t write those errors in the first place. In other words: obsolete and even quaint.

The convergence of these two trends represents an opportunity for us. At StackHawk, we're moving toward being able to agentically test: spin up applications, automatically create configurations, test for vulnerabilities, have AI generate fixes, test them, and then tell these customers when a fix is ready to deploy. 

You've had a lot of success raising capital in various environments. Any advice for other founders regarding fundraising? 

The last time StackHawk raised was in 2022, an extremely frothy environment with high valuations. This time, it’s much more about providing concrete proof to prospective investors.

We focused on demonstrating that (1) we could successfully execute the enterprise motion, and (2) that we used our capital intelligently to achieve some outstanding metrics, which gave us useful proof points. My first lesson is really dialing in on those metrics that will move the needle. 

Second, I think it’s increasingly critical to make smart bets with your technology and understand how your product fits into an AI-forward landscape. Investors are clear: with the efficiency AI tooling can provide, your ARR per employee should be higher than it’s ever been before. That’s a new hurdle to jump – and they’re watching.

What brings you professional joy?

The more I'm plugged into the customer experience, the happier our team is. We've sold into some of the largest organizations in the world – international airlines, casinos, food and beverage companies. There's pride in knowing you've built something they really use and in getting their feedback.

We have a customer pulse channel, and it's such a pleasure when customers talk about working with the StackHawk team – not just our technology, but also how we're truly making a difference. Too many software vendors are transactional, but we haven't had anyone go above and beyond their expectations in a relational way.

I think about an early job I had working at Nordstrom, which is famous for its “delight the customer culture,” and that vibe really did instill a foundational cultural principle around making a customer’s day. I carry the value of really caring about the person, their pain, and the outcomes we can help produce – and we’ve tied that into how we’ve built the product and the culture here at StackHawk.

What's your best lifestyle hack for staying grounded?

For those who have done it or been a part of it, startups are a real grind. It's easy to wake up years into a company and realize you've hardly been outside! Lately I've been prioritizing simple things that get me out of the house, get a little sun on my skin and enjoy our surroundings.

That relaxing has become just as important to me as the more high-energy experiences.