When Tanuj Gulati reflects on his 25-year journey through the cybersecurity industry, he sees a progression through three distinct chapters, each marked by a major acquisition that shaped his approach to building companies. From co-founding Vaau in his early twenties through its acquisition by Sun Microsystems and Sun’s acquisition by Oracle, to scaling Securonix to more than 1,200 employees before a private equity exit, Tanuj has experienced the full spectrum of startup growth.

His evolution from implementing identity management solutions to pioneering behavioral analytics reveals a consistent philosophy: Stay close to customers, focus before expanding and build measurable value from day one. Today, as artificial intelligence (AI) transforms cybersecurity with new attack surfaces and sophisticated threats, Tanuj’s insights on scaling engineering teams globally, navigating complex acquisitions and building products that solve real problems offer a roadmap for founders navigating an increasingly complex landscape.

Listen first, build second

In 2004, tech giants like CA Technologies, IBM, Sun Microsystems and Oracle dominated the identity and access management (IAM) market. Rather than compete head-on with incumbents, Tanuj and his team at Vaau began as a consulting and services company, implementing existing IAM solutions for enterprise customers. This approach gave them something invaluable: Direct visibility into where the market leaders were falling short.

“We were working very closely with customers,” Tanuj said. “Our entire focus was on the identity and access management space, working with the incumbent solutions and helping companies deploy those solutions.” By staying close to customers throughout deployments, they discovered a critical gap in identity and access governance: Specifically, the ability to certify users’ existing access and provide observability into what permissions different employees and contractors held within organizations.

The timing aligned with an emerging trend with the rise of role-based access control (RBAC). Vaau applied data science and early machine learning algorithms to define access rights for different roles, allowing them to innovate without directly challenging the incumbents’ core platforms.

“For any company that’s starting up, it’s important to understand where you can fit into the existing ecosystem,” Tanuj said. This philosophy of finding a specific niche and executing deeply would become a recurring theme throughout his entrepreneurial journey.

Beyond the exit: Why transparency beats strategy

Vaau’s acquisition by Sun Microsystems in February 2008 marked Tanuj’s first experience navigating a major corporate transition. Within just a couple of years, he would face another when Oracle acquired Sun, giving him a rare perspective on how different acquiring companies approach integration.

“Sun was one of the best organizations that I’ve seen: Fantastic engineering mindset, very focused on customers,” Tanuj said. “Our product, when we went into the Sun ecosystem, was adopted globally by the entire sales team, and we focused a lot of attention on scaling the go-to-market and the sales teams.”

The key to making acquisitions work lies in transparency and mindset. “If you and your team are not ready for that cultural shift, then it won’t be successful,” Tanuj said. “But if you can prepare your company for a cultural shift by being extremely transparent on what may transpire during that acquisition, it can be a fantastic journey.”

His advice for founders contradicts conventional wisdom about exit planning. “Never go into starting a company with the mindset of how you’re going to exit,” Tanuj said. “The exit can happen in different ways and really depends on how you’re growing, how your team is adapting and the macroeconomic situation.”

Instead, he recommends evaluating exit opportunities every 3 years based on company stage, internal culture and process maturity. These factors determine whether a strategic acquisition or an initial public offering (IPO) makes more sense for all stakeholders.

Bootstrap vs. billions

When Tanuj founded Securonix in 2009, the security information and event management (SIEM) landscape was fundamentally broken. Despite massive credential theft and data breaches, SIEM vendors remained focused on scale and technology rather than outcomes.

“Most of the SIEM products were signature-based,” Tanuj said. “And because they were signature-based, somebody was out there writing what to look for. If you are a hacker or, for that matter, a normal person today, if you enter your password wrong two or three times, you don’t enter it the fourth or fifth time. You click on ‘forgot your password.’”

This observation led to Securonix’s core innovation: Using behavioral analytics to detect cyber attacks. “There has to be a smarter way to do detections,” Tanuj said. “And that smarter way has to be something that the threat actors will not find an easy way to get around.”

While Securonix pioneered the user and entity behavior analytics (UEBA) space, 14 other companies quickly entered with massive funding rounds. “As a vendor that was bootstrapping and trying to grow the business, when we saw a lot of these companies come in, it was obviously a wake-up moment for us on what we needed to dominate this market,” Tanuj said.

The company expanded beyond UEBA into adjacent product categories, building rather than buying to maintain control over the user experience. This approach helped Securonix grow to become one of the top players in the SIEM market. Even so, Tanuj sees a missed opportunity.

“If we had built the company through acquisitions early on, or had expanded into parallel markets that we were not going to build products in, if we had built that culture and that muscle early on, it would have been a lot easier for us to go into parallel markets,” he said. “That’s one thing that I think through and say, well, this is what I should have done maybe in year 3 or year 4.”

Leadership lessons from 50 to 1,200 employees

Tanuj’s experience scaling teams across vastly different company sizes – from around 50 employees at Vaau to Sun and Oracle’s massive organizations to Securonix’s peak of 1,200. This provided a unique laboratory for understanding how leadership evolves with scale.

“Certain traits in a leader work well irrespective of the size of the organization,” Tanuj said. “Your integrity, the transparency that you have, do you lead by example or not? What kind of culture are you able to establish?”

The differences emerge in how work gets done. “You have a small company where you have to wear multiple hats,” Tanuj said. “You have a medium-sized company where there’s a level of delegation required with the right controls. And in a larger organization, it’s important that everybody stays in their lane and there’s a process where everybody communicates and coordinates with each other.”

Securonix’s distributed DNA started from day one. With engineering teams split between the United States and India, the company built a culture designed for asynchronous collaboration. This foundation proved crucial as the company expanded to 40 U.S. states and multiple international offices.

“We were good at operating with each other and having that kind of culture where it doesn’t need to be live communication for everything,” Tanuj said. The nature of SIEM operations drove geographic distribution decisions, too. “A SIEM is a 24/7 business,” Tanuj said. “If a SIEM goes down, the security operations are impacted for customers. We needed to be able to support our customers through a 24/7 operation.”

At his core, Tanuj believes success hinges on early organizational culture. “You can always change or introduce change within that culture,” Tanuj said. “But it is important to have the capacity from day one to quickly pivot, for people to be accepting of each other, for people to respect each other and have decision-making that is global.”

Why measurable value beats feature lists

Securonix’s early foray into the Middle East taught Tanuj a painful lesson about premature expansion. While the company secured sales opportunities, it lacked basic infrastructure to support them.

“We had some sales opportunities in the Middle East that we were very quick to grab onto,” Tanuj said. “Not having the ability to accept money in that currency or to support that customer once it went live was a fantastic failure.”

The experience crystallized a fundamental principle: Never expand before the entire company is ready. This philosophy shaped Securonix’s deliberate approach to opening offices in eight countries — only after establishing local workforces, customers and channel partners.

For early-stage founders, Tanuj’s advice about maintaining direct customer relationships never wavers. “The voice of the customer is best heard when you hear it yourself,” he said. “If you’re a technical founder and you’re not talking to that customer, or the customer who may likely use your product, you’re not going to survive.”

This applies regardless of product type. “It could be that you’re building a middleware product,” Tanuj said. “That means that there are developers or end users that you need to be close to. Irrespective of the customer, having a direct interaction with them is super important.”

Product architecture should align with GTM strategy from the outset. Channel-friendly products that don’t require deep integration can scale through partners, while technical products requiring extensive customization need direct sales motions with strong pre-sales support.

The modern cybersecurity buyer adds another layer of complexity. With risk-conscious chief information security officers (CISOs) and cost-conscious chief financial officers (CFOs) scrutinizing every purchase, founders must build measurable value into their products.

“If they’ve put that lens on, is there a metric? Is there something that I can bring to the CISOs that will help them justify the cost?” Tanuj said. “It could be soft value adds. But if you don’t have that lens, and it’s not something measurable, it becomes very difficult for the CISOs to justify internally to the business.”

His bottom line for founders: “Don’t expect the CISOs to build a business case for your product if you can’t do it yourself.”

Preparing for AI’s next cybersecurity revolution

Securonix’s early bet on AI for behavioral analytics positioned the company at the forefront of a transformation reshaping the cybersecurity landscape. But today’s AI-powered threats represent a quantum leap from the signature-based attacks Tanuj first sought to defeat.

“I’m proud of the fact that we were the pioneers in introducing AI into behavioral analytics,” Tanuj said. “The whole idea was to go after the unknown and have continuous adaptability and a feedback loop that could be used in detecting threats.”

Today’s threat actors have weaponized AI in sophisticated ways. “You have hackers using AI to perform research,” Tanuj said. “And then you have their use of AI to mimic voice or how you look or speak in conducting successful phishing campaigns.”

The attack surface has fundamentally expanded beyond traditional endpoints. “Now it’s agents and robotics and humanoids coming into the picture,” Tanuj said.

Most companies applying AI to cybersecurity remain narrowly focused on detection, investigation and response. Tanuj sees this as short-sighted. “I don’t think that they’re focused on how you can do a lot of massive learning from both data that is coming in as well as data generated by AI tools within companies,” he said.

His vision for the future involves AI agents specializing in different aspects of security operations, eventually converging into next-generation platforms. “All these AI agents will interconnect to become the next SIEM,” Tanuj said.

For founders building in this space, Tanuj emphasizes one critical technical decision: Measurement infrastructure. “If from the get-go, a company has strong technical fundamentals on measuring their product, both in terms of the adoptability and the quality, these frameworks that help you measure will always stick around as you go through different company pivots,” he said.

This focus on measurement becomes even more critical in the AI era, where understanding not just whether or not something worked, but why it worked, determines future success.