Marcin Kleczynski, founder of Malwarebytes
Message boards to Malwarebytes: Founder Marcin Kleczynski talks origins, industry and the evolution of cyber threats
On this episode of SPx, Marcin Kleczynski, founder of Malwarebytes, breaks down the origin story of the company he started at just 15 years old, living with his parents in the suburbs of Chicago. Kleczynski shares how pirated video games led him to found a company with more than 800 employees and four offices across the world. Kleczynski talks misconceptions around malware, company culture, how the big traditional companies are failing and how Malwarebytes has stepped in to take on a greater share of the antivirus market.
- Today's guest: Marcin Kleczynski, founder of Malwarebytes.
- Malwarebytes' origins, like those of many startups, lie in the humblest of places: Kleczynski's parents' house in Bensenville, Illinois.
- At just 15 years old, Kleczynski's interest in pirated video games led to what became his passion and purpose, fighting viruses and malware.
- After accidentally infecting his family computer with malware, Kleczynski was bound and determined to fix the mess he'd made. That's how he found the security message board that changed his life.
- After three days of assistance and a 30-page manual, Kleczynski's problems were solved. But he'd also come to believe that the message board people were real-life superheroes.
- In fact, some of the original members of Malwarebytes came from these message boards. The woman who gave him the 30-page manual still works for the company today as Director of Threat Research.
- That started Kleczynski's spark for fighting cyber crime. He picked up some programming books, including Visual Basic 6 For Dummies, and worked on automating the 30-page manual into a program people could run automatically.
- One of the so-called superheroes gave Kleczynski the domain name Malwarebytes.biz, and that name has followed the company (however reluctantly) ever since.
- Kleczynski explains how needs for fighting malware have evolved over the years: "Traditional anti-virus has been around since the '80s, right? And the way to catch viruses since the '80s is to first see them, fingerprint them, identify them, ship those fingerprints to all of your customers, and react."
- Today's malware is polymorphic: "Now you're trying to fingerprint something that is constantly changing and morphing like a real human virus. So, these criminals, these malware writers, have built-in automation, AI, into the morphing of this malware so how can you possibly ship billions of signatures, fingerprints? You can't."
- Malwarebytes began as a complement to traditional antivirus software, but Kleczynski explains how the business model has changed and begun to replace the big traditional companies like Norton and McAfee.
- Kleczynski shares how the formation of the actual Malwarebytes company came together, the founders, and what it was like to build a business while a full-time student at the University of Illinois.
- Misconceptions around malware: "It's really important to level set and understand that while there are nation state players out there and there are people that are incredibly sophisticated in trying to break into the tightest of organizations, a lot of the stuff out there is common malware that you go visit a URL or you click on a link, or it comes in an email to you, and the criminals are just trying to throw a fishnet out there and see what they catch."
- Of Malwarebytes' 800 employees, nearly 50 work in threat research and intelligence. They work in the deepest, darkest parts of the web, and help Malwarebytes as well as agencies like the FBI fight cybercrime.
- "Everybody has an antivirus installed and yet we still ran on a quarter of a billion computers last year and disinfected them. So, if I look at the results, not much has changed. The marketing has been beefed up a little bit, but the amount of money that these companies spend on research and development is nothing."
- Kleczynski talks about the process of raising capital at Malwarebytes and why they chose to grant their employees equity.
"If you draw two circles there's core and there's context. And great companies are made when they focus on their core, primarily, and not necessarily the context."
Table of Contents
(00:00 to 01:05) Introduction
(01:05 to 08:34) Malwarebytes Origin Story
(08:34 to 10:12) Meeting Bruce
(10:12 to 11:40) Building the Company
(11:40 to 14:08) Meeting Bruce In-Person
(14:08 to 16:05) Growing the Company
(16:05 to 18:24) Attributes
(18:24 to 22:09) Profiling Malware Producers
(22:09 to 22:35) Addressing Possible Trust Issues
(22:35 to 24:15) Pups
(24:14 to 25:45) Changing the Industry
(25:45 to 26:45) The Competitive Landscape
(26:45 to 29:01) New Players In The Industry
(29:01 to 30:08) Marcin’s Personal Journey
(30:08 to 32:30) Getting Serious With The Company and Future Investing
(32:30 to 33:45) What the Founders Are Up To Now
(33:45 to 36:35) Malwarebytes End-Point Use
(36:35 to 37:16) Marcin’s Celebrity Experience
(37:16 to 38:24) Conclusion
Joe: Joining me in the Catalyst studio today is the founder of Malwarebytes Marcin Kleczynski.
Marcin: Yeah, you got it right.
Joe: Did I do it?
Marcin: [Chuckle] You did.
Joe: Sweet, all right, we’re off to a strong start.
Joe: Welcome, it’s good to catch up.
Marcin: Yep, likewise, thank you.
Joe: So, we’re going to do an origin story today which I’m pretty excited about because there’s a lot of cool factor in how you started. Can you give us a quick overview of where Malwarebytes stands today as far as its place in the antivirus universe?
Marcin: Yeah. So, I started the company actually quite young, I think I was maybe 15 years old at the time. And I had one of those white bells that everybody had on their desk at my parents’ house. And loved to pirate video games, really my only hobby at the time, and all of a sudden viruses are coming up onto the computer. So, downloaded a pirated video game, here we are, and didn’t know what to do. And this is when malware and ransomware was pretty boring. I mean, we’re talking about a purple gorilla jumping around on your screen trying to sell you stuff, right? Today we’re talking about far more sophisticated actors. But didn’t know what to do and I looked up my symptoms like WebMD online and I found a security message board. And to me these were really superheroes out there in the world trying to help me fix my computer. I mean, I just post my question and they said, “Hey, let us help you.” And really that’s how Malwarebytes got started, that’s how we just got on the scene.
Joe: At this point then you were living in Chicago?
Marcin: Yeah, so I’m in Bensenville which-
Joe: Bensenville, okay.
Marcin: The airport pretty much took that whole city out, but yeah, I’m living with my parents in Bensenville.
Joe: And if I read correctly it was a shared computer, so you were not only kind of hosing your own computer, that you were hosing your parents’ computer if you had the virus on there. So, you were pretty determined to fix it.
Marcin: Oh, well my mother was pretty determined to make me fix it, so…
Joe: [Chuckle] Do you remember the name of the board that you found?
Marcin: Yeah, it was a little message board called SpywareInfo.com.
Joe: Spyware Info? And there was just a group of people on there? And this was back in the days when it was- was it web-based at that point and sort of somewhere where you’re just leaving messages? Was there chat built into it or anything like that?
Marcin: Yeah, it was web based, 2004. So, just simple message board at the time.
Joe: My first chat rooms were [TelNet?] back in the day where you have to [Unix command] everything.
Marcin: No, it was a little further along. [Chuckle]
Joe: All right. So, they were able to get you out of trouble there and it took a couple of days, but you solved the virus. At some point there you started to make the transition into thinking that this is something that you wanted to get further into. Do you remember when you, okay, you now established these relationships in the forum, you cleaned the virus off your computer, what happens then as far as why did you keep going down that road at that point?
Marcin: Yeah, well to your point it took three days. And we had one of the traditional antivirus products out on the computer we were paying for it and yet still got infected. So, what’s that all about?
Marcin: So, after three days of getting help, and really, I truly believed these people were superheroes. In fact, many of the original kind of members of the company came from these message boards. The person who first helped me remove the malware manually, handed me a 30-page pamphlet that took me three days to follow, she actually works for us today. I have not met her, so Mika is still in Belgium.
Marcin: And we have not met. So, she’s our Director of Threat Research working for- Our VP of Threat Research, but I’ve never met her.
Joe: I mean, it’s very unusual that you’ve never met her now and I don’t think you ever can at this point, you just pretty much dial in and say-
Marcin: Yeah, keep it going, right?
Joe: [Chuckle] Yeah, keep it going. Okay, so out of that then you solved it, you got the pamphlet, what then led you into wanting to build a business around or even explore this world more?
Marcin: Well, first of all, the welcoming community that the people that were on these message boards were welcoming. And I too wanted to be that superhero, right? And so, some of that passion of just fighting cybercrime really started to spark. And I saw how helpful these people were and I wanted to be that person. So, I picked up a few programming books at the time, Visual Basic 6 For Dummies, great read, I would highly recommend, and started to program a bit and said listen, let me try and automate some of these 30 pages of instruction. There’s a huge opportunity here, traditional anti-virus is failing, I’m evidence of that, other people on this message board are evidence of that, and the problem was huge. So, actually, from the same message board as I’m building these little freeware applications, one of these superheroes said, “Hey, I’ve got a great idea. Why don’t I give you a domain name, Malwarebytes.biz?” And I went, that’s a terrible name. [Chuckle] Here we are.
Joe: Can you explain before we go down that road Norton and McAfee why were they failing? And what were they missing that you ended up picking up?
Marcin: Yeah, it’s a very complicated question and answer I suppose. Traditional anti-virus has been around since the ’80s, right? And the way to catch viruses since the ’80s is to first see them, fingerprint them, identify them, ship those fingerprints to all of your customers, and react. Today the world we live in and it really started in the 2000’s malware and viruses, and really it’s synonymous at this point – have become polymorphic meaning you and I go to the same website, we’re infected with the same type of malware, but it’s a very, very polymorphic, it’s changing. It’s very different between you and I even though it does the same thing. So, to fingerprint that malware first of all you’re already behind, and now you’re trying to fingerprint something that is constantly changing and morphing like a real human virus. So, these criminals, these malware writers, have built-in automation, AI, into the morphing of this malware so how can you possibly ship billions of signatures, fingerprints, you can’t.
Joe: So, then you were the first really to look at predictive and looking at the patterns and not relying on the fingerprint model?
Marcin: I think patterns is a really good word to describe that. That was really the genesis of how we were better. We were able to ship, you know, one such fingerprint that would identify the whole strain of malware no matter how much it has changed. Today, that’s even evolved further. We’re doing a lot of our artificial intelligence and machine learning on good ware and bad ware, so good files and bad files and trying to detect malware. And there’s some predictive things you can think of. For example, a lot of malware on your computers are small files, not big files, and these are the types of things that we’re really trying to understand, like a real human virus too.
Joe: So, how much malware gets by? I mean, how much exist on computers today that nobody knows about would you guess?
Marcin: So, actually you bring up a really good transition into what Malwarebytes started with. No anti-virus, even Malwarebytes- And I don’t know if we call ourselves antivirus as much as end point security or cyber security, but no antivirus can catch everything. Even if you get to the 99.9% range, you’re still talking about millions of files out there that are malicious. You’re talking about things that don’t even have files anymore that it infects you directly from the browser. The world is dangerous, it’s getting harder, and harder to catch these criminals. So, nothing is ever going to detect everything, right? No vaccine is permanent, no antibiotic is permanent. So, we started in the game of remediation, which means when I was infected, I went to this message board, you know, Norton or McAfee let the threat onto my computer, and I had to follow all these manual instructions and run 50 tools to disinfect that computer. And so, the first thing Malwarebytes as I saw we would do is we would infect automatically, remediate, so we’re going to go fix your problem first. And by fixing your problem first we can then plant a seed that your AV sucks, your antivirus sucks, and Malwarebytes can do it better or can augment your antivirus. So, we really became that wingman, the one that comes and saves the day and then bolts on to your traditional antivirus. Now a lot of that has changed today, but that’s really the genesis of the company.
Joe: And I remember that was very clever because you weren’t then trying to compete directly with them, you were a natural companion to them, and before you knew it, you’re doing better than they were and then why need them?
Marcin: Absolutely, it was a Trojan Horse. And in fact, a lot of these traditional antivirus companies in their customer chat would recommend our product.
Marcin: And that got very interesting, right? Because when we struck, we struck hard.
Joe: So, in that group, you know, you made acquaintances, friends, and I mean now even co-founders and employees. And a lot of them, you know, pretty far into the company you didn’t meet them. So, you just had this distributed sort of a company. So, you were given the domain name, at this point had you formed the company structure? Did you have an LLC? And if not then when did that happen? And then whose name was kind of on that and how did the actual first sort of founders and employees come to be?
Marcin: Yeah, no way, I didn’t even know what an LLC was. [Chuckle] So, here’s this 17-year-old kid living in Bensenville, Illinois, and you know, he’s going to college in a year and has this Malwarebytes.biz domain name, hates the name, but it was free, and is building some free tools as well. And I meet a guy named Bruce on this message board. And Bruce is really just helping out just like everybody else, but in particular is sending me malware samples that look interesting and saying- And again, this is nerding out right now…
Joe: Please do, yeah.
Marcin: You know, he’s sending me malware samples going, “Hey, you’re not detecting this.” And I ask him a lot of questions like who are you? Where are you from? So, I found out that he’s just this guy in Boston working at a tech repair shop. So, all day long computers are coming in and they’re infected with something, and they all have traditional antivirus. And he’s sending me the samples of all of these computers that traditional antivirus missed. So, I said, “Wow, this is really cool, you’re really smart, why don’t we build an anti-malware product together that really tackles this problem?” The high prevalence malware out there that’s really hurting the users and is getting by traditional anti-virus. And he just said yes. So, for the next year, you know, we’re building this Malwarebytes company. And imagine telling your mom, you know, you’re 17 at the time, you’re just working with some 30-year-old guy on the web, and imagine him telling his wife, like “I’m working with this 17-year-old kid.” So, needless to say we hadn’t met until a couple years later.
Marcin: But 2008 rolls around we build the product, we launch the product, and shove it to these message boards and they’re all automating this 30-page pamphlet from before.
Joe: All coming off that one pamphlet really.
Marcin: Yeah, I call it a pamphlet, you know, list of instructions, whatever you want to call it. But why give somebody that’s in need of help that when you could just say go run Malwarebytes and do a couple of other things?
Joe: Right. When did the actual company form? Was at that point it was formed?
Marcin: Yeah. So, January 21st, 2008 we launched Malwarebytes what we call Anti-Malware. And it was just Bruce and I and we don’t know what to do with the money. You know, so-
Joe: And it was a decent amount of money right off the bat?
Marcin: Yeah, it was. So, by August we had made maybe $250,000 which is no joke, right, in six months’ time all from this “buy now” button and help support Malwarebytes because we helped you. $25 perpetual licence, and even to this day the people that bought that still have the product for $25 so what a bargain.
Joe: I’m one of them.
Marcin: Awesome. So, in June we created the LLC, got a real lawyer involved and I guess that’s the formal introduction of the company. But what’s even more interesting is in August I’m due at the University of Illinois. And this is some serious cash coming in, of course we’re investing it in the company, but I see a future here. Anyway, I told my mom that maybe I’m not going to go, and it was computer science, due down there in August and 45 seconds later I’m heading down and she’s packing my stuff. So, I attended the university for four and a half years.
Joe: Oh okay, well go mom, I guess.
Marcin: Yeah, go mom. I don’t regret it. I think, you know, just meeting friends and all of that.
Joe: So, when did you actually meet Bruce in person for the first time?
Marcin: So, I met Bruce in person probably late 2008. So, probably two years after we started working together, three years after we started working together. One year after we launched the product and at that point probably a million dollars in.
Joe: Wow. Had you, I mean, like seen a picture of him on the website? What was that first meeting like?
Marcin: I don’t remember that, but the first meeting was so anticlimactic it was like, “Hey Bruce.” It was like shake hands and so how’s it going, you know? It was a very- Because we knew each other, right? It felt like that.
Joe: There’s always the internet, you know, weirdness to when you talk to someone so much on the internet and you meet them for the first time in life, but I guess, you know, it’s a business relationship and you guys are rolling and probably had a lot to celebrate.
Marcin: Yeah, no totally.
Joe: That’s cool. So, how much were you able to grow the company while you were also in school? And did Bruce sort of step-in and do more while you were in school, or what was sort of the growth trajectory then with you being in school after that initial launch?
Marcin: Yeah, so I spent a lot of time building this company out of the University of Illinois. At the same time, I had Bruce as a co-founder, obviously. He was working 15, 16-hour days. You know, I was trying to put in as much as I could. He was our Head of Threat Research, you know, I was doing a lot of engineering work and the product was practically selling itself at the time. We also had another co-founder, Doug Swanson, who himself has an interesting story, was a PhD student at Princeton and Masters at Yale, and so on, in physics, right? So, super smart guy. And again, the way we met was he built something really cool for the message board, I really wanted that part of our product, we agreed on he would get 30% of the profits. And after, you know, a couple of weeks he’s like, “This looks like drug money, just make me a partner.” [Chuckle] So, he looked at it futuristically like hey let’s go build a great company, I’m not in this for the money, we’re here to help the world. And really, the three founders were pretty altruistic then and still are. So, you know, I was really involved in building the company, living in a dorm room at the time, and my fourth co-founder was a guy out in California, and that’s why the company is based out of California. He was introduced to me as somebody that can help with operations while I’m obviously at the university. So, he was really customer facing, he was helping us build out a sales team because we started getting dragged into corporates trying to buy our product. So, the four of us really in that first year and a half, two years, were really the core team and I was at the university obviously.
Joe: Well, so they staggered a little bit as they came in but you still all consider them co-founders?
Marcin: Yeah, they were staggered, but really that is the founding team, right? And each were very unique. I mean, each all had superpowers, right? That helped build the business.
Joe: Right. So, back to the forum, I’d really love to dig into the world of the people who are creating this and the people who are fighting, you know, you just feel like there’s this giant Avenger-style battle going on in cyberspace between the people who are trying to do bad things and the people trying to do good things. And a lot of people to the point of your crew and the people who are on this forum with you really just are driven to do it as people without any other reason than it’s the just thing to do. So, you know, as you exist, are you able to identify specific bad players? Are you able to identify specific countries or motivations? You know, and just talk about how you see the whole landscape of- And obviously some people have political motivations, some people have financial motivations, some people are just anarchist, so how do you sort of divide up the landscape of the people who are doing the bad stuff?
Marcin: This is an interesting topic because, you know, and especially true back in the day a lot of the malware that we saw was commodity malware meaning this was not a targeted nation state attack. And in fact, many companies today, you know, get hit with kind of a fishnet of ransomware or something else. And you know, people react as if it’s a nation state attack. No, somebody just clicked an email, you know, opened the link, got infected and it spread through the organization and now somebody on the other end went wow, we got a good target.
Marcin: So, you know, it’s really important to level set and understand that while there are nation state players out there and there are people that are incredibly sophisticated in trying to break into the tightest of organizations, a lot of the stuff out there is common malware that you go visit a URL or you click on a link, or it comes in an email to you, and the criminals are just trying to throw a fishnet out there and see what they catch. And attribution is always hard because these people are behind, you know, firewalls and VPNs and Tor browser, they’re really trying to hide obviously because they’re criminals. So, attribution is always hard, but I do claim that a lot of this is just common malware that even people that don’t necessarily have the experience can hand roll, make a couple thousand dollars a year, and that’s a lot of money where they are.
Joe: So, you have a front row seat at the vastness of the damage, especially financially, but to people’s data that these attacks can do. But you’re also at the frontlines of even having a hope of attribution. And so, that has to be a driving force because you spend your whole life trying to beat it down and on the other end of that process is maybe one guy who is with impunity putting out malware over, and over, and over again. And every time he comes up with something new you have to sort of, you know, combat that. There’s got to be a drive to just go find that guy and shut him down, so who better to do that than the people who are on the frontlines? So, how do you feel about attribution? Do you just try as hard as you can? Or you just say it’s impossible? Or?
Marcin: It’s both. So, if you look at our company today, we’re about 800 people. And 50 or so are threat researchers and intelligence as we call it. And there are a handful of those people who are very, very closely tied to the dark, dark, deepest part of the web that you can imagine. And they interact with these people, right? They try to understand them, they try to find who they are. And at the same time, we’re working with intelligence agencies, i.e. the FBI. One other example was tech support scammers, not necessarily related to what Malwarebytes does, which is protects your computer, but you might have gotten some of these calls, you get a random call from a random number that you pick up and it says, “Hi, we’re calling from Microsoft Tech Support.” First of all, Microsoft will never call you. Or we’re calling from the IRS, the IRS will never call you. But you know, the scam here is we found some malicious activity on your computer and so let us log in, let us help you, and charge you $400. So, in that specific instance attribution was a lot easier in this specific instance, we worked with the FCC to bring a civil case against these people and they were actually based out of Florida.
Marcin: Yeah, so they were making millions of dollars just randomly dialing elders, right? Scamming them into charging $400 for the product, and many times it was for Malwarebytes, or for Symantec’s, or for Microsoft. So, you know, we were even on the receiving end which is why we took such a stance because a customer would call us and say, “Well, I paid $400 for Malwarebytes.” And I went, “We don’t charge $400.”
Marcin: That’s when the ah-ha moment happened. But that’s an example of where attribution was a lot easier, we worked with the appropriate agencies many times we’re looking at code and it’s like how do you identify somebody through code?
Joe: Unless they choose to.
Marcin: Unless they choose to, there are shout outs in code. Hey Marcin, in malware.
Joe: As you start to profile and you have all these folks that are digging in and trying to understand the way the malware producers think, well you know, what’s the profile? If you sort of had to say this is what they typically are, and typically where they come from, and why they do it. What’s going on in their brains as best as you can tell?
Marcin: Yeah, I mean a lot of them are coming from poverty, right? And have a computer, you know, are really self-educated in this and there’s not a PhD for malware writing, so many have not even gone through high school. We see a lot of Eastern Europe, we see a lot of South America, we see a lot of U.S., they’re out for money, obviously, many of them are out there for fame, the ability to infect a million people is pretty interesting.
Joe: A badge of honor.
Marcin: Yeah, it’s a badge of honor, right? So, at the same time there are nation state attackers out there, in fact even legal ones if that makes sense. So, the idea of a white hat versus a black hat. I mean, a white hat is looking to infiltrate and test, penetrate test that network to then let the company know that they’ve done so they can go fix it. So, I’ll give you an example, there was a company called The Hacking Team in Italy. And their entire business model was to find vulnerabilities in commonly used software, hardware, so the iPhone for example where you can jailbreak the iPhone without the user knowing and turn the microphone on for eternity and record it. So, pretty useful, right? If you were somebody that was trying to spy on the user. Well, their revenue stream was to sell that to governments.
Joe: Sell the recordings?
Marcin: To sell the bug.
Joe: The bug, got it, okay.
Marcin: Because now the government gets it and let’s say they want to infiltrate a person of interest; they go jailbreak their phone with this specific vulnerability and there you go. So, what does that make them? That makes them an arms dealer in some ways. Is that a black hat? Is that a white hat? Is that a grey hat? It’s a very blurry line. Funny enough, they themselves got hacked and all of the intellectual property, if that’s what you want to call it, the findings that they were selling for millions of dollars was leaked into the open. So, what did all the companies that were affected like Apple do? They fix those issues immediately into all of the iPhones into all of the Macs, into all of the Windows devices. And that became a zero-dollar revenue stream because it’s no longer valuable, right? So, this is the world that’s out there.
Marcin: And maybe that’s the extreme. You know, a lot of the stuff we talked about is common malware, basic ransomware that any good anti-virus could block.
Joe: And you mentioned that people put in your name in these because of who you are and what you do. And obviously there’s going to be criminal organizations behind this because it’s a great revenue generator. So, how much does your actual own personal, I don’t want to say safety, but your actions could be costing a criminal organization or even a government, a lot of their intelligence, a lot of their money. And so, does that ever enter into your sort of sphere?
Marcin: Yeah, I think once a year, or once every six months I have this deep dark thought, you know? And especially around some of the more reputable vendors, and I’ll get to that in a minute, but there’s not been a case where somebody’s necessarily been harmed, or kidnapped, or anything like that. I think a lot of people see this as a battle and we’re just a nuisance in the way even though we think we’re doing a good job fighting the bad guys. And Malwarebytes is not the biggest out there either, right? So, Symantec, McAfee owned a tremendous market share. So, we’re not necessarily the biggest player. And I think there is some cat and mouse game here, right? And there’s some interest from the bad guys to even try to elude us and escape us. So, it’s more of a game than really-
Joe: Right. There has to be cross-pollination too because obviously a lot of people that are serving as security contractors, whatever, were hackers previously. So, you have all the time, they got arrested, or at least in shows, or whatever. And so, is there always an element of on the forum, even back in the early days, did you ever suspect that some of the people that were making the malware were also on the forums? And you know, were there always trust issues? And are they coming to try and get on the threat research team, or assessment team for Malwarebytes to bring that intel back to what they’re doing? How does that all play out?
Marcin: Well, absolutely that’s something that always comes to mind as we interview, right? And especially if you haven’t met the person, right? You’ve got to do extensive background checking, and extensive interviewing, and we go into the bad guys message boards and deep dark web, why wouldn’t they come to the light side or whatever you want to call it? It’s a lot easier to do, right? Very Star Wars. So, while we try to inflate and understand what the criminals are doing and get as early into the process as possible, they’re doing the same. So, yeah, it’s been a lot of extensive interviewing, you know, and making sure because a lot of people have reputations online beyond what they think. One thing that we were talking about a minute ago is, you know, the safety of me and the team, and so on. The one that actually concerns me even more is, we detect a lot of reputable, known vendors that are making a lot of money on – not necessarily – I guess suspicious activity. So, let me explain. We detect something called potentially unwanted programs, pups as we call it. These are applications that you can download off the internet right now legally if you want to put air quotes around that and pay $50 legally, I put air quotes around that. We feel they’re dubious to the users. For example, you buy a brand-new computer off the shelf at Best Buy. You run one of these applications on your computer and it finds 2,000 things wrong with it. You click the “fix it now” button and it charges you $50 without letting you fix any of it. So, brand new computer, there’s no issues with it, it’s detecting stuff. Or for example, toolbars that get pre-installed when you’re installing something else because they use dark patterns in the applications and very ominous language or ambiguous language, you have no idea what you’re doing and it’s a privacy concern because they’re taking all of your browsing data and history. 
So, we detect these guys and they’ve sued us multiple times in the state of- Well, in other states, but now in the state of California and we’ve won multiple lawsuits. We’re hurting them pretty strongly, but we feel very strongly that our users deserve a choice.
Marcin: And so, that’s why we detect that.
Joe: Yeah, way back when you install anything you click advanced options and to unclick the toolbar, and I always have to remember to do that. Whenever I don’t next thing, I know I have a toolbar and my default web browser has changed, and it’s annoying, and it’s wrong, and yeah.
Marcin: So, the product you’re installing gets a dollar for every time they trick you into installing that toolbar.
Marcin: Millions of users, there’s millions of dollars.
Joe: We kind of jumped out as you were going through school and growing the company, what was the trajectory? Obviously, at some point you had to get approached because you were even in their mind, they saw you as a complement and as you started stealing market share the big guys had to want you. And so, when and how often did you get approached to be purchased? And then sort of piggybacking off that when obviously you didn’t let that happen when did you start to see those guys changing how they operated to match what you were doing?
Marcin: Well, we got approached quite a bit, especially early on. They really liked the brand, the story, you know, we were still a very small team. We had taken a lot of market share, so we were approached quite a bit, we turned it down for various reasons, you know, some of it monetary, some of it just altruistic and you know we wanted to build something better. And we know brands can die very quickly when absorbed by large companies. So, that was really the primary driver and the founders felt strongly about that.
Joe: Did you ever get close?
Marcin: Pretty close, yeah, I’d say we got pretty close and that company is not doing well today. So [Chuckle] and it was the board that just didn’t feel like it was a good fit for them.
Joe: Right, and is this the person, the founders having some optics issues?
Marcin: Ah, no not that one.
Marcin: This is a company out of Europe.
Joe: Got it, all right.
Marcin: Again, we had a great vision match, they were a pretty strong company, it was one of their acquires that we felt would build a brand together instead of steamroll across it, but we thought it was better for the employees, the founders, to just keep going and I think it was the right decision. I mean, you know, today we help 250,000,000 people a year for free, right? And to me that’s something I go up every year to a company and say that’s how many people we helped last year; can we double it this year?
Joe: So, by saying no to them at some point they’re going to adjust so what they’re doing to mimic what you’re doing. So then, how did you see the competitive landscape change as you kind of matured?
Marcin: It’s funny, none of these companies care.
Marcin: And that’s maybe overstating some of it, but even today the failure rates are increasing. We disinfect customers all day long and every time they have an antivirus installed. It’s not like we come in, fix the computer, and it’s like oh, why didn’t you have an antivirus installed? Everybody has an antivirus installed and yet we still ran on a quarter of a billion computers last year and disinfected them. So, if I look at the results, not much has changed. The marketing has been beefed up a little bit, but the amount of money that these companies spend on research and development is nothing. I mean, they’re trying to be profitable, they have shareholders out there that need to generate cash for- We still have a mission, they’ve kind of lost their way. And the technology has not changed dramatically.
Joe: They have a lot of legacy corporate partners so they’re just riding those relationships.
Marcin: That’s right.
Joe: As long as possible.
Marcin: There’s a lot of pre-installed partners. You know, you buy a computer off the shelf at Best Buy it’s pre-installed with one of these big AVs.
Joe: Well, there have been some new guys, Avast I think got some traction. So, what about some of the new players that have come in? Are there hybrids that are trying to be both and are going after the Nortons successfully?
Marcin: So, we’re one of the only companies that go after consumers and enterprises and that’s by design. We started as a consumer only company, but those consumers, those home users went to work, had similar challenges, similar issues, and had to install Malwarebytes. And that’s kind of how our Trojan Horse in- A lot of the new players, so I think the last five years, have been focused primarily on the enterprise. So, companies like Cylance which just got bought by BlackBerry for 1.4 billion, companies like CrowdStrike which are going public very shortly here, great company. You know, if you remember the DNC hack two or three years ago, they were kind of the ones that detected a lot of that.
Joe: Yeah, I heard about that.
Marcin: So, very interesting new players. I think the market is getting incredibly crowded. And so, it’s because these traditional anti-virus companies are failing. So, it’s very easy, right? Where you have these chief information security officers that are in charge of these large companies and they see every other company around them getting breached, what do they do? Well, I think we need to re-evaluate whether Symantec or McAfee is right for us. So, it’s a very easy point of entry for a new enterprise endpoint player. Consumer is a little different. Where we differ is, we’re already being used by the organization. So, it’s a pretty easy call saying, “Hey, listen, you know your traditional AV is failing, I know you’re looking at maybe other vendors in this space, but Malwarebytes has always been there for you let’s have a conversation.”
Marcin: The others I think are doing well also, but it’s a crowded market and it’s hard to differentiate.
Joe: So, ironically, you’re going to be eventually the one that the young kids are saying, you know, that Malwarebytes, you know, just kind of like right now that you are in that position with the McAfees of the world.
Marcin: We are. And actually, funny you bring that up, we struggle with what the world looks like in 10 years. So, if you think about it, you know, people are using mobile devices more often and while we have some mobile protection our core product is for your laptop/desktop. So, some of the stuff that we’ve been doing is how do we go infect, pun intended, the college kids today. So, give Malwarebytes out for a very cheap cost, because these are decision makers 10 years from now, right? They’re going to be the ones protecting these organizations in the workforce. So, that’s our strategy and I think it’s going to be effective, but if you look at the traditional AV buyer, the people that buy Symantec, McAfee, they’re in their 60’s.
Marcin: Like that customer base has 20 years left, right? And so… [Chuckle]
Joe: Yeah, I mean, that’s the modern credo or whatever it is, is you’ve got to innovate yourself or somebody else will, yeah. So, one thing that we didn’t get to dig into is you personally. So, you started a company that did very well at a very young age and are now the CEO of the company. Was that a struggle? What was the journey like to grow and have all these people working for you? And to have this money flowing and have a board to deal with and co-founders? What was your personal journey in becoming a businessperson?
Marcin: It’s an interesting one for sure. There’s been a lot of tough times, a lot of great times. Big highs, big lows, but primarily I think the one thing that I’ve done really well is just stay grounded, right? And stay humble. And I think A, my family was a big part of that. You know, my mom saying that’s cool kiddo, but you’re going to college is a big one for me. I think never being in the workforce truly, I can go in there starry-eyed, right? This is how I would treat other people. And then going to the University of Illinois I met some friends who didn’t care what I was doing and why which in its own way is, you know, is great. I’d say, “Hey, I’ve got some customer calls.” They’d say, “We don’t really care, go and get a beer with us.” Right? It’s a very humbling experience. So, I think that’s been really important for me. I see the value of surrounding myself with great people and they will help build the company with you not for you if that makes sense.
Joe: Yeah, and in there you did a couple of large raises, right? And so, what was the raise process like? Obviously, if you had suitors to buy you, it probably wasn’t difficult to get suitors, or at least people at the table to talk about the investments. What was your first raise like? Why did you choose who you chose to go with? And talk us through that.
Marcin: Yeah, this was an interesting time in the company’s history. I had just ended the University of Illinois, so this is 2013 and it’s time to make a decision on how serious this is going to get. We’ve got a hundred some people at the time, I’m leaving the university, I’m back in Chicago, and I’m commuting back and forth between the Bay area. Pretty tedious, not really the most fun. And we’ve had a lot of interest, you know, obviously, to buy the company to raise some money. At the same time, we were not a traditional Bay area company. For example, we didn’t have equity for our employees which was just unheard of in the Bay area. And so, we needed to address that. I decided, you know, I’m in, not that I wasn’t at the University of Illinois, but now things got serious. We have a lot of people, we’re feeding a lot of people, it’s time to do something. And it was really the inflection point for the company. So, I remember the guys at Highland had actually reached out. Like on the perfect day I finally responded after many, you know, times of them trying and said, “Okay, let’s have a conversation.” And the people I met were, you know, one was from Chicago, so even though living in the Bay area I was just a down to Earth guy. The other is still a close friend of mine today, they offered just great terms and in fact we didn’t need the money so that was a good opportunity. So, what we did is we took it as secondary which meant it went out to employees and out to some of the founders. And because we didn’t have an option pool or employee equity pool, we said let’s pretend like you did and let’s treat this like a mini IPO, we’re going public, kind of.
Marcin: So, here’s a lot of cash and now we’re going to grant you equity, but we’re going to start at zero meaning we’re going to vest you over the next four years. And we did that the second time too. We did that when Fidelity invested a couple years back. We really just wanted to make sure our employees didn’t have to worry about the cash, right? And get rewarded for the hard work they put in. And again, it wasn’t a tremendous amount of money for each, right? But some people made $25,000 cash right there and then or some people even made $50,000, right? You’d think they’d go and say, “Wow, this is great. I’m going to go buy a house and move on with life.” But no, retention was the highest it’s ever been. And I think people saw that we cared, you know, we could have been greedy and said, “Well, sorry, you signed up for what you signed up.”
Joe: Yeah, well, I don’t think that’s who you guys are.
Marcin: No. And to this day, you know, we treat our employees with kind of that approach.
Joe: So then looking at today, you know, what’s your day to day? You’re a very active CEO, what are the other founders doing now? What’s happening over the last year or so with the leadership team and the founder team?
Marcin: So, the guy out in the Bay area moved on maybe four or five years ago. He started kind of his own company which is cool. Bruce, my co-founder who did threat research retired maybe two or three years ago. So, he’s living with his wife out in Boston, still pretty active in terms of just helping us out but doesn’t want a formal role. Doug who has the PhD in physics is out in London now and he’s still full-time with us and also on the board, so he’s my co-founder on the board. A lot of the original employees still kicking, right? Mika from Belgium is still kicking.
Joe: Theoretically. Probably some kid named Steve or something who just has a fake persona.
Marcin: So yeah, the original team is still kind of at it and nobody is exhausted. We still have a mission ahead of us. We’re about 800 people, about 400 in the Bay area, about a hundred here in Clearwater Tampa Bay area. A lot of engineering and customer support. We have about 100 people in Cork, Ireland and about 100 people in Estonia. And the rest are kind of sprinkled all over the globe working from home. And we spend a lot of money on R&D, you know, talked about our research team as 50 people, our engineering team on top of that is another 250. So, almost half the company is engineering, research, and really building cool stuff.
Joe: What are then the temptations to go wide versus deep in your product offerings?
Marcin: That’s a great question. It’s a mistake that I think a lot of security companies do which is while we are running out of runway with endpoint, meaning the device protection, let’s go work on network, let’s go build something that makes no sense whatsoever. And I get it, right? Because your investors are pushing you to drive growth.
Joe: And you have a brand that you can leverage.
Marcin: And you have a brand that you can leverage. You can sell more stuff under that brand, right? I just think it needs to be done strategically. And to me, if you draw two circles there’s core and there’s context. And great companies are made when they focus on their core, primarily, and not necessarily the context. So, I can go build a product that takes notes for you on your desktop, does that make sense though, right? I can probably go make a million dollars just selling it to our user base, but the distraction that causes and especially when security is so important that you need to specialize, that’s why we go deep in that. Endpoint, really, it’s the device that you carry around it’s the device that’s sitting on your desk, it’s what you use to log into all of these other services. Like that is the primary point of what gets infected, where your data is, and that’s what I want to do really, really well.
Joe: Well, and I still feel there’s a lot of passion there from the way you talk about it. You know, now that you’ve had a couple of chances with the investments to take some money, the company is healthy and it’s running, how much of your time, what is your sort of in an average month are you still doing heavy days on the actual ops of the company or do you have things that you’re doing outside of the company? What do you spend your time on?
Marcin: I have found that I’m very interested in operations, the nitty-gritty, in-the-weeds kind of stuff. I definitely focus on strategy and I’ve got great people that, you know, help me with that. But I really love just execution pieces, and the metrics, and testing things quickly and rapidly. And you know, I’m definitely a personality that knows how to start something not necessarily finish it. And everybody knows that, it’s okay. So, my time is spent obviously with people like you quite a bit and getting the brand name out there and socializing it. But also, with the teams and in the weeds, you know, I sit with the sales organization. Now I’m sitting with engineering organization. One thing that I promised my team I would do was also go to a staff meeting monthly. And that’s not that crazy, but I do it in all of the various offices. So, actually right after this I’m doing the Clearwater staff meeting, next month I’m doing the staff meeting in Estonia. So, trying to be at every office, be present, be a leader, be in the weeds, understand that I’m here to understand what you do for us and how I can help. Versus just take a step back and just watch from afar, I don’t believe in that.
Joe: And given that these folks are putting your name in their malware and given that you are CEO of a very successful company, you know, there are a lot of conferences where you show up. I mean, tomorrow will be at PoweredUp where you show up sort of as a rock star. And so-
Marcin: You see my face, right? [Laugh]
Joe: I mean, there are people who- You know, there are conferences that will sell tickets so that tech folks and people in that world just to come hear you talk or part of a program. What is that sort of like industry celebrity experience been like for you?
Marcin: Well, I’m incredibly humbled by that comment and just that in general. But my goal with that is to get the brand name out there, not my brand, but the company’s brand because I want users to be protected and know where to go when they need it, but I also want our employees to have a sense of pride of who they work for. When people look at LinkedIn resumes, I want them to say, “Wow, you worked at Malwarebytes for five years, that’s awesome.” And so, that’s my mission personally. And frankly sharing my story and telling people, you know, it’s okay to fail and to be humble and to build great teams around you and here’s how I did it and how can I help, it’s just fun for me, it really is.
Joe: That’s wonderful. Well, you have a great brand, a great company, I appreciated you sharing your story, it was really cool. And I wish you the best of luck going forward, and we’ll keep watching.
Marcin: Well, thank you for that, I appreciate it.
About the host
Joe Hamilton is publisher of the St. Pete Catalyst, co-founder of The St. Petersburg Group, a partner at SeedFunders, fund director at the Catalyst Fund and host of St. Pete X.