Overview
You're selling Security Journey's developer security training platform into enterprise companies. You run full-cycle deals - prospecting into security and engineering orgs, running discovery, coordinating POCs with the SE, and navigating procurement to close. You're convincing CISOs and engineering leaders that investing in proactive secure coding education will reduce their AppSec risk more effectively than relying on scanning tools alone.
Role Snapshot
| Aspect | Details |
|---|---|
| Role Type | Full-cycle Enterprise AE |
| Sales Motion | Balanced - some inbound leads, heavy outbound prospecting required |
| Deal Complexity | Consultative to Enterprise |
| Sales Cycle | 3-6 months average |
| Deal Size | $50K-$250K+ ACV (estimated for enterprise AppSec training seats) |
| Quota (est.) | $600K-$1M annual quota (likely 2-4 deals per quarter) |
Company Context
Stage: Private, likely Series A/B stage (55 employees, established product)
Size: 55 employees total
Growth: Actively hiring multiple sales roles (SE and AE), suggesting expansion or GTM scaling
Market Position: Challenger in crowded AppSec training market - competing against Secure Code Warrior, Kontra, Checkmarx, Veracode, and generic compliance training vendors
GTM Reality
Pipeline Sources:
- 40% Inbound - companies searching for developer security training (compliance-driven, post-breach panic, or proactive AppSec program buildout)
- 60% Outbound - you're prospecting into target accounts, likely enterprise software companies and regulated industries (finance, healthcare, e-commerce)
SDR/AE Structure: Unknown at 55 people - likely a small team, possibly with no dedicated SDRs, so you're self-sourcing a chunk of pipeline
SE Support: Limited - probably 1-2 SEs supporting the sales team, so you'll need to triage which deals get SE time
Competitive Landscape
Main Competitors: Secure Code Warrior (market leader), Kontra, Checkmarx Codebashing, Veracode Security Labs, SANS/traditional security training
How They Differentiate: Developer-first UX, hands-on labs vs passive video watching, Aspen AI for personalized paths, role-based learning, better engagement metrics
Common Objections: "We already do annual security awareness training," "Developers are too busy to do more training," "How do you prove this actually reduces vulnerabilities?", "That's expensive per seat"
Win Themes: Developer adoption/completion rates, measurable behavior change, integration with existing dev tools, hands-on practice in real code scenarios
What You'll Actually Do
Time Breakdown
Prospecting (35%) | Active Deals (40%) | POC/SE Coordination (15%) | Internal (10%)
Key Activities
- Outbound Prospecting: You're researching target companies (who just got breached, who's hiring AppSec engineers, who's in regulated industries), building lists of CISOs and VPs of Engineering, and doing cold outreach. Expect 20-30 touches per day via email, LinkedIn, and occasional calls.
- Discovery Calls: First meetings with AppSec managers or security directors to understand their current secure coding practices, developer training gaps, compliance requirements (SOC 2, PCI DSS, etc.), and how they're currently addressing vulnerabilities. You're qualifying whether they have budget, timeline, and a real problem.
- Multi-Threading: Enterprise deals need 3-5 stakeholders aligned - CISO (budget), AppSec Manager (champion), VP Engineering (buy-in that devs will use it), Procurement (contract negotiation), sometimes L&D (LMS integration). You're coordinating meetings across all of them.
- SE Coordination: Getting SE support for demos and POCs. You're prepping them on the account context, joining technical calls, then following up to keep the POC on track. You'll chase POC participants who aren't logging in.
- ROI Building: Creating business cases showing how Security Journey reduces risk - fewer vulnerabilities in production, faster remediation, cheaper than hiring more AppSec engineers. You're mapping their current cost of security bugs to the investment in training.
- Procurement Navigation: Once they say yes, you're in 4-8 weeks of legal redlines, security questionnaires, MSA negotiations, and budget approval workflows. Deals slip quarters regularly because "finance needs to approve" or "waiting on Q4 budget release."
- Pipeline Management: Updating Salesforce, doing forecast calls with your VP of Sales, and explaining why that $200K deal from last quarter still hasn't closed.
The Honest Reality
What's Hard
- Long, Unpredictable Cycles: You'll have deals that look ready to close, then stall for 2 months because the CISO got pulled into a breach response or budget got frozen. You need 3X pipeline because half your deals will slip.
- Multi-Stakeholder Alignment: Getting AppSec excited is easy. Getting Engineering to agree devs will actually use it, L&D to handle LMS integration, and Procurement to approve the budget is much harder. One skeptical VP can kill a deal.
- "Nice to Have" Category Risk: Security training is important but rarely urgent. You're competing with priorities like hiring engineers, buying scanning tools, or incident response investments. When budgets tighten, training gets cut.
- POC Dependency: Most enterprise deals require a 30-60 day POC. You're dependent on their internal champion to get devs to participate, which they often don't prioritize. Low POC engagement kills deals.
- Competitive Market: You're explaining why Security Journey is better than Secure Code Warrior (the 800-lb gorilla) or why they should pay for specialized training vs generic platforms. Price objections are common.
- Self-Sourcing Pipeline: If there's no SDR team, you're doing all your own prospecting on top of managing active deals. That means less time on high-value deal work.
What Success Looks Like
- 2-4 deals closed per quarter at $50K-$150K ACV each
- 3-5 active POCs running at any given time
- 80%+ POC-to-close rate - if you get a good POC, you should close it
- Building Champions: Your AppSec or L&D contact is selling internally for you, not waiting for you to push
Who You're Selling To
Primary Buyers:
- CISO or VP of Security (budget owner, cares about reducing AppSec risk)
- AppSec Manager / Secure Development Lead (day-to-day champion, cares about developer adoption and program metrics)
- VP Engineering or Director of Engineering (gatekeeper - needs to believe devs will use it and it won't slow them down)
- Procurement / IT Buyer (contract negotiation, vendor management, security reviews)
- L&D / Training Manager (sometimes - cares about LMS integration and tracking)
What They Care About:
- Risk Reduction: Will this actually reduce vulnerabilities in our code, or is it just check-the-box training?
- Developer Adoption: How do we get developers to actually engage with this vs ignore it like the last training mandate?
- ROI / Metrics: Can you prove behavior change, not just completion rates? Can we tie this to fewer security bugs?
- Integration Effort: How hard is it to integrate with our SSO, LMS, Slack, dev tools? We don't want another tool no one uses.
- Budget Justification: Why spend $100K+ on training when we could hire another AppSec engineer or buy another scanning tool?
Requirements
- 3-5 years selling B2B SaaS, preferably in security, DevOps, developer tools, or enterprise training
- Experience running full-cycle enterprise deals with 3-6 month sales cycles
- Comfortable navigating multi-stakeholder buying committees (security, engineering, procurement, L&D)
- Ability to have credible conversations about secure coding, AppSec programs, and developer workflows (you don't need to be technical, but you can't sound clueless)
- Self-sufficient prospector - can build your own pipeline via outbound if inbound is slow
- Resilience with long sales cycles and deal slippage - you need to stay motivated when deals push quarters
- Experience managing POCs and keeping them on track (getting stakeholders engaged, measuring success)
- Willingness to work at a 55-person company - you'll have less brand recognition and fewer resources than selling for a market leader