
Sales Play: Upsell Premium to Ultimate



Objective - Convert landed accounts that are already using CI/CD to expand from GitLab Premium to GitLab Ultimate.

Who is this sales play for?

Note: This play is FYI only for SDRs because it is upselling tiers, not necessarily expanding seats.

Who to meet

Ideal Customer Profile - Existing GitLab Premium customers already using CI/CD

Target Buyer Personas

| Persona role | Possible titles |
|---|---|
| Economic buyers | CISO or Security Manager, VP of Security, Director of Security, VP of IT or CTO, App/Dev Director |
| Technical influencers | Chief Architect, App Dev Manager |
| Other personas to consider | Infrastructure Engineering Director, Release and Change Management Director |

Target Account Lists

Getting Started

Consider the following questions:

Value Discovery

Common Pains

GitLab Premium customers may be experiencing one or more of the below challenges:

| Challenges ("Before Scenarios") | So What? ("Negative Consequences") |
|---|---|
| Difficulty writing secure code without becoming security experts | Increased risk |
| Vulnerabilities found late in the SDLC | Costly remediation, blocks production at last minute |
| Costly triaging and tracking of vulnerabilities | Inefficient use of scarce security resources, lengthy remediation process |
| Managing complex tool chains, plugins, and fragile automation scripts | Added cost, maintenance, and admin overhead |
| How to ensure scans are executed consistently and policies applied | Teams may skip scans or use exceptions to push ahead, difficult to see across tools when this happens |
| Security costs are unpredictable or concerning as DevOps scales | Must find more money as number of apps grows |

An in-depth view of security pain points and probing questions around them can be found on the DevSecOps resource page

Common Benefits

By upgrading from GitLab Premium to GitLab Ultimate, customers may experience one or more of the below benefits:

| Desired Future State ("After Scenarios") | So What? ("Positive Business Outcomes") |
|---|---|
| Greater efficiencies for both security and dev | Less risk and greater velocity of DevOps |
| Consistent compliance to policy | Less risk of vulnerabilities in production and easier audits |
| Reduced security exposure, more scanning finds more vulnerabilities | Reduced risk to finance and reputation |
| Predictable security costs that scale with DevOps | Able to confidently forecast and budget as DevOps and App Sec both scale |

Required Capabilities

To achieve the positive business outcomes highlighted above, what required capabilities does the customer need to solve for and how will success be measured?

| Required capability | Customer metrics |
|---|---|
| Comprehensive app sec scanning methods | Percent of apps scanned with multiple scan types |
| Scan results delivered to the developer in their CI pipeline | Vulnerabilities found pre-prod |
| Security governance | Time spent on audits, fewer compliance issues |
| Option to use 3rd party scanners | Metric? |
| Vulnerability management | Mean time to resolution |

Engaging the Customer

Note: maybe we use this link as mvc1 and then change the resource pages to the suggested format?

| Questions to Better Understand the Customer’s needs | Discovery questions |
|---|---|
| Current state | 1. Are you wanting to shift security left? How is that going? |
| | 2. What security tools are you using today? |
| | 3. Are you confident you can secure containers and Kubernetes? |
| Future state | 1. What if you could simplify your shift-left efforts? |
| | 2. What challenges do you have with your existing tools and can you predict their cost 2 yrs out? |
| | 3. Would you like to better protect containers and K8s? |
| Required capabilities | 1. Could security integrated into CI help you get there? |
| | 2. What if you had one, known cost that enabled ALL your security scans, with results to the developer in their CI pipeline, along with vulnerability management for the security pro? What if you could either eliminate some existing security tools or reduce their use/cost? |
| | 3. What if you could scan containers and monitor their host and their traffic within K8s clusters? |

Note: if they say they do NOT want to shift left and empower developers to find and fix security flaws, you are probably speaking with a security analyst. Talk to his/her boss, DevOps, or application dev/engineering team.

Positioning Value

Elevator pitch

GitLab Ultimate is ideal for projects with executive visibility and strategic organizational usage. Ultimate enables IT transformation by optimizing and accelerating delivery while managing priorities, security, risk, and compliance. It is the single tool DevOps teams need to find and fix vulnerabilities in application code and its environments, and to manage their risk from detection through remediation.

Note: Everything you get in Premium as well as free guest users, 50,000 CI/CD minutes, a named TAM, and more…

How GitLab Does It

How GitLab meets the market requirements for security (link includes benefits, videos, and more.)

How GitLab Does It Better

With GitLab Ultimate, organizations are able to truly shift security left (and right!) to reduce exposure and align security with dev. Emergent advantages include unparalleled visibility and insights and much easier traceability with consistent compliance to policies or regulatory requirements for cleaner, easier audits.

Key GitLab differentiators include:

  1. Detailed and Actionable Scan Results Displayed in MRs created from Feature Branch
  2. Block MRs based on Security Policy
  3. Compliance Management
  4. Fuzz testing, including API testing
  5. Offline environments
  6. Vulnerability management (vs point solutions)

See provided link for additional details, including value and videos.

Proof points

Objection handling

Most common objections

| Objection | Response |
|---|---|
| How does your scanning capability compare to leading scanners? How accurate are they? | Accuracy slide, G2 SAST |
| Can you integrate with my incumbent scanner? | We can work with other scanners or replace them |
| Ultimate is 5x. | Why Ultimate |

Other objections and responses can be found in the FAQ deck with more detail on Potential objections here.


GitLab (or a GitLab partner) offers the below services to help accelerate time to value and mitigate risk:

Additional Resources

Sales Play Tactics

Marketing is running a related demand gen campaign to drive leads to you using the account list above and this Message house

Marketing will be sending these emails to generate leads:

  1. Email #1 (link): "Are you getting the most out of GitLab?" CTA: Talk to your rep about what you’d like to achieve.
  2. Email #2 (link): "GitLab Ultimate can take your app sec to a new level." CTA: Ask your rep for a deep dive on any of these topics.
  3. Email #3 (link): "GitLab for Security and Compliance - Let’s do the math together." CTA: Use this template (link) and talk to your rep about how GL can help you with more predictable costs.

Actions for sales to take

Note TBD: When sales gets the lead, will it show from which email it came? If so, sales will want to align the meeting purpose to the CTA from which the lead came. If sales will not see from which email the lead came, they can choose where in this flow is most appropriate to begin.

  1. Initial qualification meeting 1 - use the value discovery section above to assess business objectives. Use these recommended assets based upon areas of most interest:
    • Cost and/or complexity ⇒ use ROI template (link) discussion
    • Vulnerabilities/risk ⇒ security deck (link) as preface to next mtg
    • Compliance/software supply chain security ⇒ compliance deep dive deck (TBD) as preface to next mtg (will have a new webinar May 24)

Milestones: Identify key value driver, champion, and economic buyer, agree to second meeting

Metric: Sales Accepted Opp

  2. Meeting 2 - purpose is to understand customer’s interest in one or more of the topics of interest and provide a deep dive on:
    • Vulnerability mgmt (deck and PM/PMM to engage)
    • Container security (deck and PM/PMM to engage)
    • Policy management (deck and PM/PMM to engage)
    • Auditing and Compliance reporting (deck and PM/PMM to engage)
    • Security of software supply chain (deck and PM/PMM to engage)

Milestones: Identify key value driver, champion, and economic buyer, agree to meeting with economic buyer

Metric: Sales stage x

  3. Meeting 3 - purpose is to use the provided template and assess opportunity and show how GL Secure compares for more predictable costs.
    • Share CISO deck and review more detailed ROI (if needed)
    • Identify key value driver, champion, and economic buyer
    • Ask for POV to prove value unique to this customer

Milestones: agree to next meeting

Metric: Sales stage x

Resources to use

Will have specific resources under actions above. This is for additional resources.

How to measure progress

Milestones (identified by sales stages and/or SDLC fields)


Note: progress of the GTM Motion will be measured at the campaign level with clicks/opens/page visits, SAO (is there a code sales needs to use in SFDC?)
