Joshua Zweig
CEO and Co-Founder, Zip Security (New York, New York, United States)

Solving hard security problems so you don't have to.

Why Most Companies Are One Vendor Breach Away From a Crisis They Can't Explain

When Joshua Zweig talks about cybersecurity, he doesn't start with threat actors or zero-day exploits. He starts with a stock exchange.

"We were talking to the head of information security at an important stock exchange the other day," Josh told us on a recent episode of BUILDERS. "And he's like, 'Oh Josh, you'll never believe how small our security team is.' I was like, 'Oh, how small?' And he's like, 'Oh, 500 people.'"

That conversation captures the exact problem Zip Security was built to solve. Not the 500-person teams. The ones that have nobody.

Josh and co-founder Gabbi Merz — both former Palantir engineers — started Zip in 2022 with a mission they could state in a few words: make cybersecurity accessible. They've since raised $21 million to execute on it. But the insight that shaped their go-to-market wasn't about product. It was about understanding why the market had failed the people they were trying to serve.

The $7 Problem

The tools exist. That's what makes the situation so frustrating.

CrowdStrike, Okta, Jamf — the security stack a mid-market company needs is well-defined. The problem is deployment. "CrowdStrike published this great study," Josh explained. "For every dollar people are spending on CrowdStrike licenses, they're spending $7 on services for people to go and deploy and set the thing up. But CrowdStrike's not enough. It's like you need that, and then you need maybe eight or ten things — device security tools, identity security tools, an email security tool."

Multiply that 7:1 ratio across an eight-tool stack and you've made enterprise-grade security economically inaccessible to the majority of companies that need it. Those companies don't lack the will. They lack a reasonable option. Zip's goal is to make it, in Josh's words, "five orders of magnitude easier to do security" — using AI and automation to collapse the services overhead that currently puts a real security posture out of reach.

Who They're Actually Selling To

Zip's ICP isn't defined by revenue or headcount. It's defined by security team capacity, and Josh segments the market into three buckets: zero-person IT and security teams where the ops lead or head of engineering is the de facto CISO; what he calls "two guys and a dog" — a help desk tech and an IT director who have the tools but can't operationalize them; and well-resourced teams. Zip focuses entirely on the first two.

The implication is counterintuitive. An 800-person construction company and a 50-person regulated healthcare firm can be the same customer. Firmographic proxies miss this entirely.

The Channel Decision That Defined Their GTM

The default playbook for SMB security companies is MSPs. Zip walked away from it.

"We almost exclusively aren't going to market through the MSPs," Josh said. "The primary reason for us is they end up being very cost sensitive in general." The conversation starts at price before value is established — "is this 80 cents a seat?" — and MSPs are oriented around a bundled model that doesn't fit Zip's focused offering.

Instead, Zip built a channel around independent security consultants and vCISOs — people companies find through their network when they need security help, not through Google. The structural insight that makes this work: consultants deliver recommendations but don't implement them. "You get to this place in the conversation where you're like, 'Here's all these recommendations on what we think you should do.' And then it's kind of like the Spider-Man meme where you're looking across at each other." Zip fills that implementation gap, making the consultant more valuable to their own client. Josh's operating rule for the channel: think of these partners "as much as our customer, if not more than the end user."

Where the Urgency Is Coming From

Zip didn't have to manufacture demand. Two structural forces are doing it for them.

The first: Fortune 50 security leaders consistently report that 80% of their incidents originate outside their four walls — in vendor supply chains. Those enterprises are now auditing and enforcing security standards on every second, third, and fourth-party partner they work with. That enforcement is moving capital off the sidelines at the SME level without any Zip-originated outreach.

The second is contractual. Enterprise agreements increasingly require breach notification disclosures — if you get hacked, you have to call your customers and tell them. "You really don't want to make that call," Josh said. For startup founders who've spent years building customer relationships, the liability is visceral.

Both forces are visible in real incidents. Josh pointed to Mercor and Vercel as recent examples: "You have a third party that got named jointly as a defendant on a lawsuit and became part of the reason that it seems Meta ended their contract with Mercor — and then the same thing with Vercel. It's sort of all about third parties and creates these major incidents." These aren't abstract scenarios. They're the exact situations Zip's target customers are now being audited against.

The Myth Josh Hears Most Often

Before founders dismiss this as someone else's problem, there's one misconception worth addressing directly. Josh hears it constantly: "We're worried about our salespeople, but our engineers can protect themselves."

His response: "I really don't know what that means." Engineers are often a harder and more critical attack surface to cover. He described a real incident where a new employee Googled a major productivity application to download it as part of their onboarding workflow. The software company's Google Ads had been compromised. The employee downloaded it — with Russian malware embedded inside — and was running it on their machine before Zip caught it. "We were able to stop it before it did any damage or even ran, which was cool. But it's like, what are your engineers doing differently to protect themselves?"
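The incident above is the classic poisoned-download pattern: the user searched for a legitimate product, landed on a download link they had no reason to distrust, and ran a build that was not the vendor's. The following is an added example, not Zip Security's code and not from the episode, showing the two checks an endpoint or onboarding tool can apply before an installer is allowed to execute: the download must come from a domain pinned for that vendor, and the file's SHA-256 must match a release hash obtained out-of-band. The application name, domains, file contents and hashes are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample inputs (not real software): a "good" release build and
# the same build with an attacker's payload appended, as a user would get
# from a poisoned download link.
GOOD_BUILD = b"MZ\x90\x00 example-vendor productivity-app 4.2.1 setup"
TROJANIZED_BUILD = GOOD_BUILD + b"\x00 payload appended by attacker"

# Hypothetical per-application policy: the vendor domains a download may come
# from and the SHA-256 of every release the organisation has approved. The
# hashes must come from the vendor's own published checksums (or an internal
# software catalog), never from the landing page the user clicked through.
PINNED = {
    "productivity-app": {
        "domains": {"download.example-vendor.com", "cdn.example-vendor.com"},
        "sha256": {hashlib.sha256(GOOD_BUILD).hexdigest()},
    },
}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def origin_allowed(app: str, url: str) -> bool:
    """True only for https URLs whose host is a pinned vendor domain or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    # Suffix check with a leading dot so that look-alikes such as
    # download.example-vendor.com.evil.net or evil-download.example-vendor.com
    # do not pass.
    return any(host == d or host.endswith("." + d) for d in PINNED[app]["domains"])


def verify_download(app: str, url: str, data: bytes) -> Verdict:
    """Gate an installer on download origin and on a pinned SHA-256; deny by default."""
    if app not in PINNED:
        return Verdict(False, f"{app}: no pinned policy, blocked by default")
    if not origin_allowed(app, url):
        return Verdict(False, f"origin {urlsplit(url).hostname!r} is not a pinned vendor domain")
    digest = hashlib.sha256(data).hexdigest()
    if digest not in PINNED[app]["sha256"]:
        # Right domain, wrong bytes: catches a compromised CDN or a swapped build.
        return Verdict(False, f"sha256 {digest[:16]}... matches no approved release")
    return Verdict(True, "origin and sha256 match pinned policy")


if __name__ == "__main__":
    cases = [
        ("https://download.example-vendor.com/setup.exe", GOOD_BUILD),
        ("https://productivity-app-download.example-ads-landing.net/setup.exe", TROJANIZED_BUILD),
        ("https://cdn.example-vendor.com/setup.exe", TROJANIZED_BUILD),
    ]
    for url, blob in cases:
        v = verify_download("productivity-app", url, blob)
        print("ALLOW" if v.allowed else "BLOCK", url, "-", v.reason)
```

The second case is the one from the anecdote: a plausible-looking host that is not the vendor's, so it is refused before the bytes are even hashed. The third case is the harder one, a correct vendor domain serving a wrong build, which only the hash check catches. Hash pinning is only as strong as the channel the hashes came from; where the vendor signs releases (Authenticode, notarization), verifying that signature is the stronger complement to this check and is not shown here.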

Building the Team Behind It

Inside the company, Josh adapted a Palantir practice and made it more useful. Palantir writes a hiring thesis before an offer — an internal document capturing why they want to hire someone — but never shares it with the candidate. Zip shares it every time.

"Here's where we think you're exceptional. Here's where we think there's some room for improvement. Here's a detailed success story of what we think it could look like over the next two years here working together. And here's like the real risks and mitigations we see." The goal is mutual clarity before day one — removing the ambiguity that costs companies their best early hires.

For a company whose entire market thesis depends on making the complex simple, running the same standard internally as they sell externally isn't incidental. It's the point.

Six takeaways from this conversation.

Actionable for founders

  1. Avoid the channel that compresses your price before you've proven your value.
    Josh made an active choice to skip MSPs despite that being the default playbook for SMB cybersecurity distribution. The reason is structural: MSPs lead with cost sensitivity — the conversation becomes "is this 80 cents a seat?" before you can establish what you're actually delivering. They also serve a bundled model (help desk, device provisioning, security) where Zip's focused security-in-a-box offering doesn't fit cleanly. The channel shapes the conversation, and the wrong channel shapes it badly from the start.
  2. Treat channel partners as the primary customer, not the path to the customer.
    Zip's most productive GTM motion has been building relationships with independent security consultants and vCISOs. Josh's framing was precise: "The right way for us to approach this market is really being laser focused on these folks and thinking about them as much as our customer, if not more than the end user." The structural reason this works: consultants deliver recommendations but don't implement. They hand off a security plan and point at the client. Zip closes that gap — which makes the consultant look better to their client, not just more efficient. Founders building indirect channels should ask whether they're making the partner more valuable to their customer, not just making the sale easier for themselves.
  3. Segment by operational security capacity, not company size.
    Josh's market framework has three buckets: zero-person IT/security teams (where the ops lead or head of engineering is also the de facto CISO), lightly staffed teams of two to five people who have the tools but can't weave them together effectively, and well-resourced teams like Palantir's. His ICP is the first two. A construction company with 800 employees can sit in the same bucket as a 50-person regulated healthcare company — what they share is the absence of the internal capacity to operationalize security. Firmographic proxies like headcount or revenue miss this entirely.
  4. Use enterprise supply chain pressure as demand generation infrastructure.
    Josh's timing thesis for starting Zip was specific: Fortune 50 security leaders consistently report that 80% of their incidents originate in their supply chain — from second, third, fourth, and fifth-party vendors. Those enterprises are now actively auditing and enforcing security standards on every vendor they touch. That enforcement is pushing capital off the sidelines at the SME level without Zip having to create the urgency themselves. The GTM question becomes: how do you get into those enterprise partner networks so you're the recommended solution when vendors get the compliance call? That's where Zip is focusing.
  5. Breach notification disclosure clauses are a forcing function — build around them.
    One of the sharper demand drivers Josh flagged: enterprise contracts increasingly require vendors to proactively notify customers if they've had a security incident. That means a hacked vendor now has to call their biggest customers and explain what happened. Josh's read was direct — startup founders viscerally understand how bad that call is to make. The clause converts what was previously an abstract risk into a concrete, relationship-threatening liability. Founders in security-adjacent markets should map where these contractual forcing functions exist in their buyer's world — they create urgency that no amount of sales motion can manufacture.
  6. Share the hiring thesis with the candidate.
    Palantir's original version of the hiring thesis was internal — write down why you're hiring someone, then pocket it. Zip inverted it. In the final stage of every interview, the hiring manager writes a document covering where the candidate is exceptional, where there's room to improve, what success looks like over the next two years, and what the real risks and mitigations are. Then they share it. Josh's reasoning: "There's no perfect candidates. It's more important to make sure that we have the muscle to talk to each other about what the risks are and be intentional about setting people up for success." The candidate walks in on day one knowing exactly how they were evaluated and what the bar is. That's harder to build than a standard offer letter, but it front-loads the alignment work that most teams do badly or never.