Note: Think of a sales play as a recipe. If you follow the recipe, we can achieve more predictable, consistent results. And if we find an asset or approach that works best (or flops), then we can tweak the recipe to continuously improve. **If you have improvements to suggest, please contribute comments to this MR to suggest your edits and upvote on others.
Objective - Convert landed accounts that are already using CI/CD to expand from GitLab Premium to GitLab Ultimate.
Who is this sales play for?
Note: This play is FYI only for SDRs because it is upselling tiers, not necessarily expanding seats.
Ideal Customer Profile - Existing GitLab Premium customers already using CI/CD
Target Buyer Personas
|Persona role||Possible titles|
|Economic buyers||CISO or Security Manager, VP of Security, Director of Security, VP of IT or CTO, App/Dev Director|
|Technical influencers||Chief Architect, App Dev Manager|
|Other Personas to consider||Infrastructure Engineering Director, Release and Change Management Director|
Target Account Lists
Consider the following questions:
GitLab Premium customers may be experiencing one or more of the below challenges:
|Challenges ("Before Scenarios")||So What? ("Negative Consequences")|
|Difficulty writing secure code without becoming security experts||Increased risk|
|Vulnerabilities found late in the SDLC||Costly remediation, blocks production at last minute|
|Costly triaging and tracking of vulnerabilities||Inefficient use of scarce security resources, lengthy remediation process|
|Managing complex tool chains, plugins, and fragile automation scripts||Added cost, maintenance, and admin overhead|
|How to ensure scans are executed consistently and policies applied||teams may skip scans or use exceptions to push ahead, difficult to see across tools when this happens|
|Security costs are unpredictable or concerning as DevOps scales||must find more money as number of apps grows|
An in-depth view of security pain points and probing questions around them can be found on the DevSecOps resource page
By upgrading from GitLab Premium to GitLab Ultimate, customers may experience one or more of the below benefits:
|Desired Future State (“After Scenarios”)||So What? (“Positive Business Outcomes”)|
|Greater efficiencies for both security and dev||less risk and greater velocity of DevOps|
|Consistent compliance to policy||less risk of vulnerabilities in production and easier audits|
|Reduced security exposure, more scanning finds more vulnerabilities||reduced risk to finance and reputation|
|Predictable security costs that scale with DevOps||able to confidently forecast and budget as DevOps and App Sec both scale|
To achieve the positive business outcomes highlighted above, what required capabilities does the customer need to solve for and how will success be measured?
|Required capability||Customer Metrics|
|Comprehensive app sec scanning methods||percent of apps scanned with multiple scan types|
|Scan results delivered to the developer in their CI pipeline||vulnerabilities found pre-prod|
|Security governance||time spent on audits, fewer compliance issues|
|Option to use 3rd party scanners||metric?|
|Vulnerability management||mean time to resolution|
Note: maybe we use this link as mvc1 and then change the resource pages to the suggested format?
|Questions to Better Understand the Customer’s needs||Discovery questions|
|current state||1. Are you wanting to shift security left? How is that going?
2. What security tools are you using today?
3. How are you currently securing containers and Kubernetes?
|future state||1. What if you could simplify your shift-left efforts?
2. What challenges do you have with your existing tools and can you predict their cost 2 yrs out?
3. Would you like to better protect containers and K8s?
|Required capabilities||1. Could security integrated into CI help you get there?
2. What if you had one, known cost that enabled ALL your security scans, with results to the developer in their CI pipeline, along with vulnerability management for the security pro? What if you could either eliminate some existing security tools or reduce their use/cost?
3. What if you could scan containers and monitor their host and their traffic within K8s clusters?
Note: if they say they do NOT want to shift left and empower developers to find and fix security flaws, you are probably speaking with a security analyst. Talk to his/her boss, DevOps, or application dev/engineering team.
With GitLab Ultimate, organizations are able to truly shift security left (and right!) while keeping up with DevOps velocity. Empower developers to find and fix vulnerabilities earlier and security teams to manage risk from detection through remediation. With GitLab, the integration is done for them. No need to fit your security tools into the CI pipeline - it's already built-in! And for ONE predictable cost, even as you scale!
GitLab Ultimate enables IT transformation by optimizing and accelerating delivery while managing priorities, security, risk, and compliance.
Note: Everything you get in Premium plus all security scanners, vulnerability management, security and compliance dashboards, free guest users, 50,000 compute minutes, a named CSM, and more…
How GitLab meets the market requirements for security (link includes benefits, videos, and more.)
With GitLab Ultimate, organizations are able to truly shift security left (and right!) to find and fix vulnerabilities earlier while keeping up with DevOps velocity and new attack surfaces of cloud native apps. With GitLab, the integration is done for them. No need to fit your security tools into the CI pipeline - it's done! And for ONE predictable cost, even as you scale!
For one cost, you can:
Advantages of a single application for DevOps and Security together include unparalleled visibility and insights/traceability with consistent compliance to policies and regulatory requirements for cleaner, easier audits.
Key GitLab differentiators include:
see provided link for additional details including value and videos
Most common objections
|How does your scanning capability compare to leading scanners? How accurate are they?||accuracy slide, G2 SAST|
|Can you integrate with my incumbent scanner?||We can work with other scanners or replace them|
|Ultimate is 5x.||Why Ultimate|
GitLab (or a GitLab partner) offers the below services to help accelerate time to value and mitigate risk:
These are Sales prescriptive actions to initiate engagement with target audience for Premium to Ultimate upgrade of existing GitLab CI users. Strategy and actions differ by market segment with SMB relying on marketing to drive inbound contacts initiated by the customer and ENT/MM primarily using the play to guide conversations initiated by sales.
Enterprise and Mid-market Accounts
For Enterprise and MM, sales will do active outreach to customers to engage them in conversation using the recommended email templates and conversation flow below, modifying as needed. These accounts will not be included in the automated email campaign. This allows the SAEs greater control over who is contacted in their accounts, and the contacts can be more personal.
ENT and MM Sales Actions
Small Business Accounts
For SMB customers, we will rely on inbound responses to the marketing-generated 'contact sales' emails in the recommended email sequence. Marketing is the key driver for this segment to get to an initial meeting, then sales will use actions below for follow up with interested prospect.
SMB Sales Actions
This sequence of recommended emails is intended to move the prospect from interest to POV. Note:
Subject: Interested in speed and security?
Subject: Learn how to deploy to production 6x faster
Subject: No more afterthought security
If your customer engages with emails (sent either from marketing or from yourself), the lead will come to you via email and will it show what asset they clicked on and if they clicked the 'contact us' button. Based upon this insight, and any conversations you may have had, you will want to choose where in this progression is most appropriate to begin.
The following sequence is recommended to progress the customer from awareness and interest in GitLab security capabilities to consideration, agreement of solutions alignment to expected value, and ultimate purchase (pun intended)
Meeting 1 - assess business objectives
Use Value Discovery above along with these recommended assets to determine their business priorities, existing security tools, chief pain points:
Ask 4 questions:
Milestones: Identify key value driver, champion, and economic buyer, agree to second meeting
Metric: Opportunity stage 0 - pending acceptance or stage 1 - Sales Accepted Opp or no opportunity
Meeting 2 - assess security priorities
Based on their business objectives, assess interest in learning more on theses topics then schedule deep dive with your SA. (@cblake and the #s_secure slack channel can help with any questions you may have.) Identify key value driver, champion, and economic buyer.
Milestones: Identify key value driver, champion, and economic buyer, agree to meeting with economic buyer
Metric: Opportunity Stage 1 - Discovery
Meeting 3 - help them see the value
Use the provided ROI framework slide to help the customer identify all of his obvious costs, now and most importantly, into the future. Show how GitLab can provide predictable costs as they scale. Make sure it's clear that our greatest value is our all-in-one approach that provides all types of security scans integrated into a united UI for both dev and sec. Be sure to include the value of this benefit along with tool costs.
Milestones: agree to next meeting
Metric: Opporunity Stage 2 - Scoping or Stage 3 - Technical Evaluation
Will have specific resources under actions above. This is for additional resources.
Consider these milestones and adjust stages in SDLC as you progress.
Note: progress of the GTM Motion will be measured at the campaign level with clicks/opens/page visits, SAO.
Marketing is running a related demand gen campaign.