In 2006, Merrick Furst was the undergraduate dean of the College of Computing at Georgia Tech. He’d had a remarkable career: he was one of the co-inventors of probabilistic circuit analysis, was dean of the graduate program in computer science at Carnegie Mellon, and then president at the International Computer Science Institute at UC Berkeley, before moving to Atlanta. Furst had an entrepreneurial bent: in between academic stints, he’d founded several companies. The most notable was Essential Surfing Gear, which was likely the first company to provide apps for web browsing. Essential Surfing Gear was sold in 2000.
In 2005, eBay’s chief information security officer (CISO) Howard Schmidt visited Georgia Tech for a board meeting. Schmidt wasn’t just a CISO; he had served at the White House as a cybersecurity coordinator in the Executive Office of the President, where he was known as one of the foremost experts in cybersecurity. This was early enough in the history of the web that it was possible the term had not yet even been invented. Furst met with Schmidt during his visit; he was excited to talk to Schmidt about some new cybersecurity technology they’d been working on at Georgia Tech.
At the time, computer viruses were mostly viewed as annoyances. Sure, they slowed down computer performance, popped up obscene messages or crashed individual infected systems. But they weren’t regarded as professionalised threats — most viruses of the time were not designed to steal identities, auth credentials or financial information, nor were they built by criminal groups or state actors. Many viruses were the work of hobbyists — ‘script kiddies’ as the term went. But there were early signs that a new threat was materialising, and the team at Georgia Tech had noticed. What Furst wanted to show Schmidt was a solution to this emerging threat. The group had observed that a variety of cybersecurity attacks were increasingly perpetrated through a network of compromised machines. The name they used for the threat was ‘bot armies’. The name that eventually stuck was ‘botnet’. Already, botnets were taking control of vast numbers of computers without their owners’ knowledge, and the malware that made up the botnets was becoming increasingly capable of more and more problematic attacks at the bidding of sophisticated ‘bot-masters’.
The fact that a name did not exist was a demonstration of how early this all was: to most of the folks doing business on the Internet, this seemed like something out of a cyberpunk novel. They barely knew the shape of the threat, or the potential danger.
Schmidt understood the threat immediately. He thought that Georgia Tech’s solution had relevance to eBay’s commercial interests, and asked Furst out to San Jose to present. Years later, Furst and his business partner Matt Chanoff would write:
The meeting seemed like a spectacular success. Howard and his team already knew that botnets were busy ripping off eBay and its customers. Computers around the world were already impersonating humans and, for example, setting up fraudulent sellers and posting fake reviews so that buyers would trust them. Howard described this as “trust fraud.” They were also subverting the advertising revenue model with fake clicks. At least as worrying as all that, bots were appearing on internal eBay computers and doing who-knew-what.
And they were ubiquitous, estimated at the time to be lodged on 17 percent of all computers worldwide (emphasis added). The Georgia Tech team’s technology (…) appeared to be a revolutionary solution for a huge and promising market.
Howard and his fraud team did some calculations right in front of Merrick and said, “If you can stop this kind of trust fraud, it can save eBay $40 million per year. How much will you sell it for? (emphasis added)” Merrick, who didn’t have an actual product yet, let alone a pricing plan, did what experienced entrepreneurs do—he made up a plausible number and said, “$150,000 per year or so, to start.” Howard jumped on it. His next question was “How soon can you deliver? (emphasis added)”
To Merrick, Chanoff — and eventually their investors — this was clear proof of demand. eBay wasn’t the only team that responded eagerly. The Georgia Tech team heard similar things from dozens of prospective companies. Even before they formed a company to commercialise the tech, they sold a rudimentary data feed to a large security company for $100k a year.
Furst and Chanoff founded Damballa in 2006. They negotiated IP rights from Georgia Tech and got started converting the tech into production-ready software. Furst became the company’s initial CEO, with the intention of handing it off to other execs as the company gained momentum. Thanks to anecdotes like eBay’s, and Furst and Chanoff’s illustrious backgrounds, the Damballa team raised money easily and on good terms: their initial raise was $2.5 million on a $5 million valuation — considered remarkable for 2006. The two VC funds they raised from began helping Furst and Chanoff with building out the team.
Six months later, Damballa was ready with a product for eBay. They turned up at the company asking, in effect, “Who should we talk to, and where do you sign?” But then, strangely, eBay began dragging their feet. Schmidt delegated the project to a subordinate. There were many polite conversations that never led anywhere. The signs of demand, so strong at the beginning, so remarkable and so clear, suddenly seemed illusory. Damballa never sold a trust fraud or click fraud solution to eBay … or to anyone else.
More than a decade later, Furst and Chanoff would reflect on what happened next:
Everyone at Damballa believed that all the elements that made up demand were in place. The product would save customers a large amount of money, it worked the way they needed it to, and we had a competent team and sufficient capital to operate. Most important, we all had a fixed idea in our heads that we never questioned: companies would not tolerate their machines being compromised. Bots hiding secretly on the company computers led to all sorts of risks. Click fraud, trust fraud, stealing passwords, eavesdropping on company emails, stealing proprietary data or customer information—we made up examples, and we heard examples from people like Howard. We didn’t feel stuck. Even as sales lagged expectations, we always felt that we saw the problem and could move forward by fixing it. Maybe our software increased processing time. Maybe putting third-party software like ours inside customers’ firewalls was too risky for them. Maybe putting it outside their firewalls made them feel vulnerable. Maybe the particular examples of bad things bots could do weren’t hitting home and we had to change the marketing.
These were all obvious, reasonable actions. The team found a replacement CEO and Furst moved himself to the board. Over the next several years, as sales to other companies fell well short of expectations, internal company and board conversations kept revolving around the same issues. They did everything a company on the cusp of a major breakthrough would do: they replaced key management personnel, improved the product, raised more money — repeatedly, over many years, eventually deploying $69 million in venture capital. The technology was novel, the target market was large and lucrative … what was wrong?!
As management and the board worked to get the company on track, they addressed all the conventional issues. They believed in a very clear idea of why there should be demand, and worked on the basis of that belief. They thought the customers were compromised by bots and that they would buy things to fix that—that they would not not buy because they couldn’t allow themselves to be compromised. That view stayed at the root of all the company’s plans and tactics, and it didn’t budge. Internally, there were variations on that basic belief. Some people thought that money was the issue: customers would buy because being compromised cost them money. Others thought our customers would be afraid that their customers would be scared away or displaced by bots. Still others thought risk was the issue: customers would buy because they were otherwise vulnerable to fraud allegations.
With hindsight we can see that these just aren’t effective ways to understand customer demand. The right question ought to have been, “What ever gave us the impression that eBay would be a customer?” On what basis did we believe that our preferred value proposition would actually drive sales? (emphasis added)
Furst would later describe those years as “living in a waking dream.” In The Heart of Innovation, his 2023 book with the answers to many of these questions, Furst wrote that conversations during this period were extremely painful, because everyone felt like they knew what they were talking about and yet nothing they said had reliable predictive power. Even when they disagreed, their core premises were all the same: “Customers bought due to a value proposition. They bought based on certain properties that they possessed, and that the product possessed.”
But Damballa’s value proposition was perfect. And yet it did not lead to sustained demand. Furst observed that such logic didn’t work — at least not universally. Which meant that it wasn’t very useful.
In the end, through a ton of hard work and effort, Damballa grew to $12 million in annual sales. Furst and Chanoff write, years later: “In hindsight, it’s arguable that Damballa did uncover an authentic demand, but because we never figured out its precise nature, we never understood the situations where it occurred or their frequency, so we were overoptimistic about the addressable market size. That led to financing the company unsustainably.”
Damballa was eventually sold to a consortium of investors for a mere $9 million, in 2016. This consortium in turn sold the company to Roswell-based Core Security, in what was described as a ‘fire sale’. This occurred 10 years later. Furst and Chanoff report that all but the last round of investors lost money. It was a bad outcome for a decade-long journey.
Sources
The Heart of Innovation, by Matt Chanoff, Merrick Furst, Daniel Sabbah and Mark Wegman.
https://www.securityweek.com/damballa-vanishes-fire-sale-core-security/
http://www.bizjournals.com/atlanta/news/2016/07/21/atlantas-damballa-sold-for-nearly-9-million.html