Objective - Convert landed accounts that are already using CI/CD to expand from GitLab Premium to GitLab Ultimate.
Who is this sales play for?
Note: This play is FYI only for SDRs because it is upselling tiers, not necessarily expanding seats.
Ideal Customer Profile - Existing GitLab Premium customers already using CI/CD
Target Buyer Personas
Persona role | Possible titles |
---|---|
Economic buyers | CISO or Security Manager, VP of Security, Director of Security, VP of IT or CTO, App/Dev Director |
Technical influencers | Chief Architect, App Dev Manager |
Other Personas to consider | Infrastructure Engineering Director, Release and Change Management Director |
Target Account Lists
Consider the following questions:
GitLab Premium customers may be experiencing one or more of the below challenges:
Challenges ("Before Scenarios") | So What? ("Negative Consequences") |
---|---|
Difficulty writing secure code without becoming security experts | Increased risk |
Vulnerabilities found late in the SDLC | Costly remediation, blocks production at last minute |
Costly triaging and tracking of vulnerabilities | Inefficient use of scarce security resources, lengthy remediation process |
Managing complex tool chains, plugins, and fragile automation scripts | Added cost, maintenance, and admin overhead |
How to ensure scans are executed consistently and policies applied | Teams may skip scans or use exceptions to push ahead; difficult to see across tools when this happens |
Security costs are unpredictable or concerning as DevOps scales | Must find more money as number of apps grows |
An in-depth view of security pain points and probing questions around them can be found on the DevSecOps resource page
By upgrading from GitLab Premium to GitLab Ultimate, customers may experience one or more of the below benefits:
Desired Future State (“After Scenarios”) | So What? (“Positive Business Outcomes”) |
---|---|
Greater efficiencies for both security and dev | less risk and greater velocity of DevOps |
Consistent compliance to policy | less risk of vulnerabilities in production and easier audits |
Reduced security exposure, more scanning finds more vulnerabilities | reduced risk to finance and reputation |
Predictable security costs that scale with DevOps | able to confidently forecast and budget as DevOps and App Sec both scale |
To achieve the positive business outcomes highlighted above, what required capabilities does the customer need to solve for and how will success be measured?
Required capability | Customer Metrics |
---|---|
Comprehensive app sec scanning methods | percent of apps scanned with multiple scan types |
Scan results delivered to the developer in their CI pipeline | vulnerabilities found pre-prod |
Security governance | time spent on audits, fewer compliance issues |
Option to use 3rd party scanners | metric? |
Vulnerability management | mean time to resolution |
Note: maybe we use this link as mvc1 and then change the resource pages to the suggested format?
Questions to Better Understand the Customer’s needs | Discovery questions |
---|---|
Current state | 1. Are you wanting to shift security left? How is that going? 2. What security tools are you using today? 3. Are you confident you can secure containers and Kubernetes? |
Future state | 1. What if you could simplify your shift-left efforts? 2. What challenges do you have with your existing tools and can you predict their cost 2 yrs out? 3. Would you like to better protect containers and K8s? |
Required capabilities | 1. Could security integrated into CI help you get there? 2. What if you had one, known cost that enabled ALL your security scans, with results to the developer in their CI pipeline, along with vulnerability management for the security pro? What if you could either eliminate some existing security tools or reduce their use/cost? 3. What if you could scan containers and monitor their host and their traffic within K8s clusters? |
Note: if they say they do NOT want to shift left and empower developers to find and fix security flaws, you are probably speaking with a security analyst. Talk to his/her boss, DevOps, or application dev/engineering team.
GitLab Ultimate is ideal for projects with executive visibility and strategic organizational usage. Ultimate enables IT transformation by optimizing and accelerating delivery while managing priorities, security, risk, and compliance. It is the single tool DevOps teams need to find and fix vulnerabilities in application code and its environments, and to manage their risk from detection through remediation.
Note: Ultimate includes everything you get in Premium as well as free guest users, 50,000 CI/CD minutes, a named TAM, and more…
How GitLab meets the market requirements for security (link includes benefits, videos, and more.)
With GitLab Ultimate, organizations are able to truly shift security left (and right!) to reduce exposure and align security with dev. Emergent advantages include unparalleled visibility and insights and much easier traceability with consistent compliance to policies or regulatory requirements for cleaner, easier audits.
Key GitLab differentiators include:
See the provided link for additional details, including value and videos.
Most common objections
Objection | Response |
---|---|
How does your scanning capability compare to leading scanners? How accurate are they? | accuracy slide, G2 SAST |
Can you integrate with my incumbent scanner? | We can work with other scanners or replace them |
Ultimate is 5x. | Why Ultimate |
Other objections and responses can be found in the FAQ deck with more detail on Potential objections here.
GitLab (or a GitLab partner) offers the below services to help accelerate time to value and mitigate risk:
Marketing is running a related demand gen campaign to drive leads to you using the account list above and this Message house
Marketing will be sending these emails to generate leads:
Note TBD: When sales gets the lead, will it show from which email it came? If so, sales will want to align the meeting purpose to the CTA from which the lead came. If sales will not see from which email the lead came, they can choose where in this flow is most appropriate to begin.
Milestones: Identify key value driver, champion, and economic buyer, agree to second meeting
Metric: Sales Accepted Opp
Milestones: Identify key value driver, champion, and economic buyer, agree to meeting with economic buyer
Metric: Sales stage x
Milestones: agree to next meeting
Metric: Sales stage x
Will have specific resources under actions above. This is for additional resources.
Milestones (identified by sales stages and/or SDLC fields)
Metrics:
Note: progress of the GTM Motion will be measured at the campaign level with clicks/opens/page visits, SAO (is there a code sales needs to use in SFDC?)