How OpenHands Got Inside Major Banks Before Their Competitors Finished the Security Review
The Devin demo changed everything.
In early 2024, Cognition released a video showing their AI agent autonomously completing software engineering tasks end-to-end. The developer community watched it go viral with a mixture of excitement and unease — a powerful technology was being built behind closed doors, by a company nobody had heard of, with no avenue for the engineering community to shape how it evolved.
Robert Brennan, Co-Founder and CEO of OpenHands, watched the same video and moved the next day.
"The development community needs a way to contribute to this change," Robert said in a recent episode of BUILDERS. "If our jobs are going to be changing this drastically, we need a say in how that change happens."
He and his co-founders launched an open source alternative called OpenDevin within 24 hours. It was renamed OpenHands once they decided to commercialize — but the sequence matters: community first, company second. That order of operations became the structural foundation for everything that followed, including how they acquire customers today.
The Procurement Wedge Nobody Planned For
OpenHands wasn't designed with regulated industries as the target. Banks, insurance companies, and healthcare organizations showed up on their own — and faster than any outbound motion could have produced.
The reason is structural, not relational. Closed-source AI vendors face a full procurement gauntlet at regulated companies: security reviews, legal sign-offs, vendor onboarding processes that routinely run twelve months or longer. Open source sidesteps most of it. Engineers at major financial institutions carry blanket approval to bring open source software in-house, provided they follow an established internal rulebook. No sales call. No security team sign-off. No waiting.
"We got our foot in the door at a bunch of large banks much faster than any of the vendors could," Robert said, "because they didn't need to talk to a salesperson, they didn't need to talk to their security team."
OpenHands was running active conversations inside major banks before competitors had cleared procurement. That signal — who was adopting fastest and why — defined the ICP. Not from a planning session, but from watching the market reveal a pattern and committing to it hard.
The fit ran deeper than speed. One large US bank stated it plainly: they would not consider a closed-source solution. They needed to look under the hood, understand what the system was doing, and run everything inside their own infrastructure. Data sovereignty, air-gapped deployment, on-premise language models — these weren't preferences. They were the criteria that determined whether a vendor got evaluated at all. OpenHands, as open source, cleared that bar before the first conversation.
A Year-Long POC. Closed in Six Weeks.
Commercial traction exposed the problem most founder-led sales teams eventually hit: motion without structure.
OpenHands had been running a proof of concept with a major US bank for nearly a year. Engineers were using the software. Conversations were ongoing. Nothing was closing. As Robert described it: "We were just kind of giving them the software and saying, do you like it? Do you want to sign? Are you ready yet? Oh, you're not ready yet? Okay, we'll keep giving it to you for free."
When their CRO joined, he applied a different framework to the same account. He defined success criteria before the work continued, structured a path to close, and made the conditions explicit: once they proved X, Y, and Z, the customer would buy. Six weeks later, the deal was signed.
That same discipline restructured how OpenHands handles every enterprise engagement. Their CRO built a four-bucket qualification framework mapping prospects on two axes: company size and AI maturity. Small, low-maturity companies get redirected to the open source project — no sales call scheduled. High-maturity companies, regardless of size, get prioritized and moved fast.
The genuinely difficult bucket is large enterprises with low AI maturity. The contract potential is significant, but without guardrails these accounts absorb unlimited founder time. OpenHands' response: structured POCs with a defined menu of paths, explicit success criteria, and a hard 30-to-60-day cutoff. After that, the prospect takes it or walks away.
Maturity itself gets assessed through specific signals. The clearest one: whether the company has a dedicated developer productivity or AI-for-developers team — and whether that team, not a general engineering manager, is the one on the call. "The most mature companies have an AI team for developers," Robert explained. "If we're working with one of those teams, we know we're in a high maturity organization."
The Pipeline That Runs Without a Sales Team
Most of OpenHands' pipeline intelligence builds itself, through three distinct layers.
GitHub interactions surface which companies have engineers actively engaging with the repo — filing issues, opening pull requests, asking questions. These are the warmest signals possible: people already using the software, already invested enough to interact publicly.
Slack membership maps who has crossed from passive awareness into active community participation. And documentation traffic — tracked by IP address — reveals which organizations have significant engineering attention pointed at the platform before any commercial conversation has started.
"We can see what companies are in our docs based on their IP address," Robert explained. "There's 50 developers at this particular company who are all looking at our docs... we can start to zero in there."
The compounding asset underneath all of it is contributor ownership. When an engineer gets a pull request merged into the project, something shifts. "Once somebody gets their code merged into the project, they're bought into it, they now feel a sense of ownership," Robert said. "They're going to be a champion for you for a very long time."
That dynamic — contribution creating advocacy, advocacy driving the next engineer at the same company into the funnel — is what makes the open source community self-reinforcing as a pipeline source. It also creates the central operational tension Robert is direct about: as paying customers scale up, the gravitational pull is to focus entirely on them. Resisting that pull, keeping the PR queue moving, maintaining response quality on issues — that's what keeps the top of the funnel alive.
The Commercial Line That Makes All of It Work
None of the above functions without one foundational decision made at the start: a hard, public, permanent line between what stays open source and what requires payment.
For OpenHands, everything goes into the open source — including research. The commercial trigger is cloud scale and integrations with work tooling: Slack, Jira, Linear. Individual developers can run the latest agentic technology on their laptops for free, indefinitely. Teams that want to scale into the cloud and connect their existing workflows start paying.
That clarity does two things simultaneously. It gives the community certainty — they know exactly what they can rely on in perpetuity, which is why trust compounds over time rather than eroding. And it creates a natural, structurally obvious upsell: any team that gets value from the open source and wants to scale will eventually cross the commercial line on their own.
The cautionary examples are well-documented. Docker created genuinely world-changing technology and captured only a fraction of the value. Other companies changed their licenses under commercial pressure and burned the communities that built their distribution. Robert's team set the line at founding and has held it. The community, as a result, remains the engine.