Overview
You sell Terra's continuous pentesting platform to CISOs, security engineers, and compliance teams. The product uses AI to automate penetration testing that normally requires expensive consultants, so you're displacing both manual pentest services and point-in-time assessment tools. You'll spend most of your time explaining how AI-driven pentesting works, running technical pilots, and navigating procurement.
Role Snapshot
| Aspect | Details |
|---|---|
| Role Type | Full-cycle AE (likely self-sourcing) |
| Sales Motion | Outbound-heavy with some inbound from security communities |
| Deal Complexity | Enterprise/Consultative |
| Sales Cycle | 3-6 months |
| Deal Size | $50K-200K ACV (estimated) |
| Quota (est.) | $600K-1M/year |
Company Context
Stage: Early-stage startup (funding unknown, 55 employees suggests Seed/Series A)
Size: 55 employees
Growth: Actively hiring for sales, which suggests some product-market fit but still building out GTM
Market Position: Challenger in crowded pentesting/security assessment space competing against manual pentest firms, automated scanners, and established platforms
GTM Reality
Pipeline Sources:
- 20% Inbound - Security practitioners who find them through content, conferences, or peer referrals. These are higher quality but still need extensive education.
- 70% Outbound - Cold prospecting to CISOs, VPs of Security, and security engineering managers at mid-market to enterprise companies. LinkedIn, email sequences, and security community engagement.
- 10% Partners/Referrals - Some from security consultants or compliance auditors who see the tool in action.
SDR/AE Structure: At 55 people, likely no dedicated SDR support yet. You're doing your own prospecting and qualification.
SE Support: Probably shared or minimal SE support. You'll need to be technical enough to run early demos yourself.
Competitive Landscape
Main Competitors: Manual pentest firms (Big 4, boutique security consultancies), automated vulnerability scanners (Qualys, Tenable), attack surface management tools (Randori, CyCognito), and established PTaaS platforms (Cobalt, Synack).
How They Differentiate: AI-driven automation that claims to deliver consultant-quality depth at scanner speed. The pitch is continuous testing on every code change vs. annual/quarterly manual pentests.
Common Objections:
- "We already have a pentest vendor we trust"
- "How do we know AI can catch what human pentesters find?"
- "This is just another vulnerability scanner"
- "Our compliance auditors require manual pentests"
- "We need to see proof this works in our environment"
Win Themes: Speed of continuous testing, cost savings vs. manual pentests, depth beyond basic scanners, compliance-ready reporting.
What You'll Actually Do
Time Breakdown
Prospecting (35%) | Active Deals/Pilots (40%) | Internal (25%)
Key Activities
- Outbound prospecting: You're building lists of companies with security teams and sending cold emails and LinkedIn messages to CISOs and security leads. Most ignore you. You're trying to find the ones who just had a security incident, are preparing for a compliance audit, or are frustrated with their current pentest process.
- Technical discovery calls: When you get a meeting, you're digging into their current security testing process, what tools they use, what gaps they have, and whether they have budget allocated for pentesting. These buyers are technical and will ask specific questions about methodology.
- Running POCs: Most deals require a proof-of-concept where Terra tests part of their environment. You're coordinating with their security team, managing expectations, and hoping the AI finds something impressive enough to justify the spend.
- Multi-threading and deal management: Security purchases involve InfoSec, AppSec, compliance, procurement, and often IT leadership. You're scheduling demos, sending follow-ups, getting ghosted, and chasing people who went dark after your last meeting.
The Honest Reality
What's Hard
- Security teams are skeptical of "AI-powered" claims after years of overhyped security tools. You'll spend a lot of time proving this isn't vaporware.
- Deals slip constantly. Even when security teams love the product, procurement delays, budget freezes, and competing priorities push closes out 1-2 quarters.
- POCs are time-intensive and sometimes fail to find impressive findings, making it hard to build urgency.
- You're competing against the status quo (manual pentests once a year), which is deeply entrenched in compliance frameworks.
- At a 55-person company, you lack brand recognition. You're cold calling into enterprises that have never heard of Terra.
What Success Looks Like
- Closing 1-2 deals per quarter in the $50K-150K range
- Building a pipeline of 10-15 active POCs and evaluations
- Getting champions within security teams who advocate internally
- Navigating procurement and legal without deals falling apart
Who You're Selling To
Primary Buyers:
- CISOs and VPs of Security (budget holders, care about risk reduction and board reporting)
- Security Engineering Managers (day-to-day users, care about finding real vulnerabilities fast)
- Compliance/GRC teams (care about audit requirements and reporting)
What They Care About:
- Does this find vulnerabilities that matter, or is it just noise?
- Can we trust AI to do what manual pentesters do?
- Will this satisfy our compliance auditors (SOC 2, ISO 27001, PCI-DSS)?
- What's the ROI vs. paying $50K for a manual pentest 2x per year?
- How much effort is required from our team to implement and maintain this?
Requirements
- Experience selling technical security or DevOps tools (they need someone who won't sound lost talking to security engineers)
- Comfort with long, complex sales cycles and technical evaluations
- Ability to self-source pipeline without SDR support
- Track record of closing $50K+ ACV deals in B2B SaaS
- Familiarity with security/compliance concepts (pentesting, vulnerability management, SOC 2, etc.)
- Willingness to grind through outbound prospecting and manage your own pipeline