Gone are the days when you needed a developer to build an app for a relatively easy task. No-code and low-code development let you dramatically increase the speed of building and bringing simple (and, sometimes, not-so-simple) apps to market. I swear, half my life is being run by Zapier at the moment: Book a meeting with me, and all sorts of things happen automatically in the background to ensure that our meeting is on the right calendars, is transcribed and the video of the call is stored away and tagged with your company’s name.
The ease of creating apps that low-code and no-code offer has trade-offs, though: In order to work, they need access to some pretty sensitive data. If someone wants access to my data, they could try to hack my email, or they could hack one of the many automations tied to my email accounts. When more and more apps are essentially running on the same underlying architecture and code, they become a very tempting target for hackers and others with nefarious intentions.
Enter Nokod Security, which offers to monitor no-code and low-code apps for security vulnerabilities and mitigate breaches.
The company recently raised $8 million from Acrew Capital, Meron Capital and Flint Capital, and the team was gracious enough to share the (lightly edited) deck they used so we could take a sneaky peek under the hood.
We’re looking for more unique pitch decks to tear down, so if you want to submit your own, here’s how you can do that.
Slides in this deck
The company has left the 21-slide deck intact except for a few parts.
- Cover slide
- Team slide
- Example no-code apps
- “Who uses no-code apps”
- Macro trend: The Low-Code / No Code trend
- Threats and attacks slide
- Problem slide
- Threats and Attacks slide
- Attack vectors slide
- Mission slide
- Solution slide
- Architecture slide
- TAM slide 1
- TAM slide 2
- TAM slide 3
- Go-to-market slide
- Competition slide
- Validation slide
- (Redacted) Validation takeaways slide
- Timeline slide
- Contact slide
Three things to love
Nokod’s deck has a lot of cool things going on, as well as some stuff that had me pretty confused. As always, I’ll get to my misgivings and OldManYellsAtCloud.gif feedback in just a moment. For now, let’s look at the slides that got me excited.
Give me a T! Give me an E!
Okay, I’m not gonna spell out T-E-A-M in the subhead, but this is an example of a company that knows its strengths. In an early-stage company, a founding team that has an unfair advantage is a straight-up superpower. Nokod has all bases covered on that front:
The two co-founders have both started and exited companies in the cybersecurity space before. That’s a hell of a way to catch an investor’s attention. Relevant experience and successful exits screams “unfair advantage.” Even after just reading this one slide, I was pretty unsurprised that this company successfully raised money.
Apart from the obvious, this slide shows that the founding team understands what’s important in a pitch deck: If you’ve got incredible traction, lead with that. If you don’t, highlight your experienced team.
Well-articulated problem
A good fundraising story will have a good explanation of what the problem is and why it might be worth solving. Not everything on this list is well explained. To wit: Do you, without googling, know what PII is, or, indeed, why collection and storage of PII might be a bad thing?
The company could have taken the effort to explain the impact of some of these issues and why low- and no-code apps are particularly vulnerable in these situations, but I get the message in broad strokes: The cost of embracing no-code and low-code is that people might not always know exactly what’s going on, and if something does happen, it can be hard to figure out exactly where the ne’er-do-wells gained entry to a system.
A better go-to-market slide than most
Building a coherent go-to-market strategy can be surprisingly hard. It’s what I end up arguing about with my pitch coaching clients most often. Having some vague, hand-wavy “build it and they will come” theory works when you are focusing on the product, but if you are raising money to acquire customers, you don’t get to shrug and say, “We will figure it out when we get there.” You aren’t getting there. You are raising money to execute, so you are there.
This go-to-market slide has a clear profile of the customer: how they can be reached, what the business model is, where they are geographically and even who the decision-maker is within the business. I’m not sure how many medium-sized companies have a CISO or director of application security. I suspect a lot of the time, these decisions fall to a CTO rather than a dedicated, clearly defined security role.
Still, as an investor, I can look at this and see the outline of a plan. My next question would be: “Okay, talk me through your process. How do you actually land a sale?” The story should be consistent and outline a good sales funnel — something like, “The leads come from X, we reach the decision maker through A, B and C, and then we close the deal 25% of the time. But we suspect we can increase that percentage if we do Y and Z.” An answer like that will pass muster for me, and doubly so if the company already has paying customers and can point to the sales process it used.
In the rest of this teardown, we’ll take a look at three things Nokod could have improved or done differently, along with its full pitch deck!
Three things that could be improved
The overarching challenge with Nokod’s deck is that it seems rather defensive about whether it has a market.
That’s a lot of market sizes, y’all
There are no fewer than three market-sizing slides: two slides with a top-down approach, and a (redacted!) slide with a bottom-up focus. That strikes me as pretty insecure, as if the company doesn’t really know how to think about its own market.
The truth is, there aren’t a lot of players in this subsector of cybersecurity, which might imply one of two things:
- There is no market;
- Somehow, Nokod has stumbled upon a market that is completely untapped.
Both options are suspicious. I would guess the company ended up with three TAM slides because it was getting a lot of pushback on whether this market exists.
I suspect this approach may have backfired: If you need to explain your company’s raison d’etre in so many ways, something could be fundamentally wrong here.
One option would have been to condense the three models into a single slide with a bit of design. Another would have been to do deeper market research. “We’ve found 20 paying customers that fit this profile, and we believe we can find another 20,000” is a totally valid explanation — as long as you can back it up. Then, the other markets would be extensions of the market, which is also a well-accepted way of looking at things.
Don’t defend low-code
The company starts fantastically with its cover slide and a team slide. Then it shifts gears into trying to convince the investors that low- and no-code are real. Slides No. 3 to No. 8 are all variants of: “Really, I swear, this thing is huge! And it would really suck if security was compromised.”
My read is this is because of one of two scenarios: The company was pitching to a lot of unsophisticated investors who weren’t aware that this is a huge trend in business and corporate software. If so, I’d argue they were pitching to the wrong investors, and that makes me worry how good the founders are. Alternatively, the founders were talking to investors who know all of this, and they were massively underestimating their audience.
Either way, it just reads a bit odd. I’d have simplified it to one slide describing the macroeconomic trend of low- and no-code app development, and one slide about security and why such apps are particularly risky.
Then, we have this particularly confusing slide about threats and attacks. It appears that this is a screenshot from an article on SDX central. I haven’t heard of that news source, but it is odd not to refer to the source on this slide. Forrester itself references the article but doesn’t link to the report. Either way, this comes off as a slightly desperate move, and I’m not sure what part of the story Nokod is trying to tell here.
It’s possible that the voice-over for this slide adds additional context, and that slides No. 3 to No. 8 have narrative connective tissue that isn’t present in the deck itself. That’s not best practice, as it’s helpful if the deck can be shared and fully understood even without the benefit of a talk track.
The overall flow…
I think most of the slides in this deck fall solidly in the “good enough” category. What I find confusing, however, is the overall story arc: I can’t find one.
In a good pitch deck, even when you’re just clicking through the slides, there’s usually a logic to why the story flows the way it does. That isn’t to say there is a fixed order that you should stick to — you can get pretty creative with narrative structure.
But Nokod’s deck seems to jump back and forth a lot. It goes from explaining the trend of low-code apps, then talks about threats and attacks, then talks more about the problem, before going back to threats and attacks, then to attack vectors.
I do this sort of storytelling for a living, and most of the time, I can pitch a startup’s deck without the sort of deep knowledge a founder has about their own market. That isn’t the case with this deck. The “mission” slide crops up around halfway through the deck, for example:
And the mission isn’t formulated very well, either. At first, I thought it was about using low- and no-code applications to prevent cyberattacks. But the opposite is the case here: The product is designed to prevent cyberattacks that become possible because of low- and no-code applications.
And again, after the mission, we are taken back to the solution slide, which I can’t fully understand, and an architecture slide that I can’t understand at all.
Going off only this slide deck, I would re-order it to something like the following, along with the main points and narrative flow from slide to slide:
- Cover slide: Hi, my name is X, and we are Nokod, on a mission to secure the huge risks inherent in the current rise of low- and no-code applications. First of all, let me tell you about…
- Team slide: The team. We have more experience than anyone else in the business, and are uniquely positioned to make this company successful. We’ve both built and exited companies in the cybersecurity space before. So, what are we solving?
- The rise of no-code apps: According to Gardner, more than 65% of all applications built in the next few years will fall in the low-code category. That’s hugely beneficial and financially lucrative, because it’s far cheaper and faster to develop this way. Low-code apps are generally pretty good on security, too, so that’s great.
- Who uses no-code apps: Everyone, basically, but there are risks, too: As more and more corporations rely on these frameworks, if one of them gets hacked…
- Problem: … the vulnerability will be known widely, which poses a huge security risk for the entire industry.
- Solution: In the abstract, the way to solve this is X, Y and Z. We have built exactly that solution, so let me tell you a bit more:
- Product: Our product does A, B and C to help customers when D, E and F happens. We offer early detection and mitigation, and solve security threats before they hit. I already mentioned that everyone uses this — the market is huge.
- TAM: For our beachhead audience of the application security market, this is a $10 billion annual market. We believe we are well-positioned to help everyone doing low- and no-code development. The SAM is 65% of that market ($6.5 billion), and we believe we can reasonably serve a third of that market over the next five years. The SOM is $2 billion. Here’s how we are going to do that:
- Go-to market: Selling security software, like all B2B sales, is a slow process, but it ain’t rocket science. We have a tried and tested sales process and a healthy sales funnel. Best of all, there’s limited competition in this space for now. We have an opportunity to make a huge land-grab until the competitors start catching up.
- Competition slide: (This is redacted, so unclear how I would pitch this.)
- Traction slide: (This is not really included, so I’d have to find out how to tell that part of the story.)
- Ask and use of funds slide: I’ve said a lot about this in the past :-)
- Contact slide
- Appendix slide: Case study
- Appendix slide: Our technology advantage
By organizing the slide deck like this, we get a far more logical and smooth narrative. It’s always an option to move some of the parts that are less important for the story to other appendices, too.
The full pitch deck
If you want your own pitch deck teardown featured on TC+, here’s more information. Also, check out all our Pitch Deck Teardowns and other pitching advice, all collected in one handy place for you!
Comment