The SDR Model Is Broken for Early-Stage Cyber Startups | Aterous

Written by Marc Brown | May 3, 2026 3:26:22 AM

Opinion & Maverick  ·  Sales Motions  ·  Leadership

Most early-stage cyber startups hire SDRs the moment they close a Series A. It almost never works, and the reason has nothing to do with the reps. The pipeline infrastructure, messaging clarity, and AE capacity required to make outbound productive simply don't exist yet at that stage.


Part One

The hire that feels right and fails anyway.

Why the first SDR almost always underperforms, and why that's your fault, not theirs.

Here is what happens at almost every early-stage cybersecurity startup between $1M and $5M ARR. The board says pipeline is thin. The VP of Sales (or the founder wearing that hat) agrees. Someone suggests hiring SDRs. Within six weeks, two junior reps are sitting in a Slack channel with a HubSpot sequence, a list of CISOs, and a pitch deck nobody has pressure-tested.

Three months later, the pipeline chart hasn't moved. The SDRs have booked a handful of meetings, most of which went nowhere. The AE is frustrated. The founder is confused. And the SDRs, who were perfectly capable reps, start looking for their next job.

This is not an SDR problem. It is an infrastructure problem. And it repeats because founders confuse "we need more pipeline" with "we need more people generating pipeline."

The SDR model is not broken in general. It is broken at the stage where most cyber startups try to use it. Hiring outbound reps before you have messaging clarity, pipeline architecture, and AE capacity is like hiring a pilot before you've built the runway.

Part Two

Three things that have to exist first.

The prerequisites nobody talks about during the hiring conversation.

SDRs are an amplifier. They take what's already working and scale it. But if nothing is working yet, there is nothing to amplify. The three prerequisites for a functioning SDR motion at a cyber startup are: messaging that has been tested in live sales conversations, a pipeline architecture that can actually track and route what the SDRs create, and at least one AE who has the capacity (and the skill) to convert SDR-sourced meetings into real pipeline.

1. Messaging clarity

Most pre-$5M cyber companies have a pitch that works when the founder delivers it. The founder has context, credibility, and the ability to read a room and adjust on the fly. None of that transfers to an SDR cold email sequence. What transfers is language: a specific, tested articulation of the problem, the buyer's current workaround, and why the timing matters now. If the SDR is working from a generic value proposition ("we reduce your attack surface") instead of a validated problem statement ("your SOC team is spending four hours per shift triaging alerts that turn out to be false positives"), the outbound motion will fail before the first email is sent.

2. Pipeline architecture

This is the boring one that nobody wants to fix. At most early-stage companies, the CRM is a mess. There is no clear definition of what counts as a qualified meeting. There is no handoff process between SDR and AE. There is no way to attribute pipeline to specific sequences, messages, or segments. So when the SDRs start booking meetings, nobody can tell which meetings were good, which segments responded, or what messages worked. You end up with activity without learning. That is the most expensive kind of motion you can run.

3. AE capacity and conversion skill

This is the one that kills most SDR programs quietly. The company hires two SDRs who report to a VP of Sales or a founder. Those SDRs start booking meetings. But the AE (often the founder themselves, or one early sales hire juggling existing accounts) doesn't have the bandwidth to take those meetings within 48 hours. Or the AE takes the meeting but runs a generic demo instead of a discovery conversation tailored to the SDR's notes. The meeting goes nowhere. The SDR gets demoralized. The cycle repeats.

Outbound-sourced meetings have a shorter shelf life than inbound. The prospect didn't raise their hand. The window of engagement is narrow. If your AE can't respond fast and run a sharp first call, the SDR's work is wasted.

Part Three

What the numbers actually show.

The pattern is consistent enough to be predictive.

73% of SDRs hired before $5M ARR at cyber startups turn over within nine months, based on cross-portfolio data from three early-stage VC firms.

2.1 qualified meetings per SDR per month is the typical output in the first two quarters. Most of those stall at the first AE call.

$145K fully loaded cost of a failed SDR hire (salary, tools, ramp time, management overhead, and opportunity cost) over a nine-month cycle.

These numbers are directional, not definitive. But the pattern is consistent across the early-stage cyber companies I've worked with and the portfolio data I've reviewed. The SDRs don't fail because they can't make calls. They fail because the calls have nowhere productive to go.

The most common outcome isn't that the SDRs fail to book meetings. It's that they book meetings that don't convert, and nobody can explain why.

When founders tell me their SDR program "didn't work," I ask three questions: What was the message the SDRs were using, and where did it come from? What happened to the meetings they booked? And who decided whether those meetings were qualified? In almost every case, the answers reveal the same thing. The message was written by marketing or copied from a competitor. The meetings were taken late or by someone unprepared. And "qualified" meant whatever the SDR needed it to mean to hit their activity number.

Part Four

What to do instead (before $5M ARR).

The work that makes SDRs productive later starts now.

The answer is not "don't do outbound." Outbound is essential in cybersecurity, where buyers rarely self-identify through inbound content. The answer is: do the outbound yourself first, as a founder or early sales leader, until you've built the infrastructure that makes delegation possible.

Here is what that looks like in practice:

Run founder-led outbound for at least two quarters.

Not because you're a better salesperson than the SDR you'd hire. Because you can iterate on message, segment, and approach in real time. You can tell the difference between a bad subject line and a bad ICP. You can recognize when a CISO's objection is actually a buying signal. An SDR, especially a junior one with no cybersecurity background, cannot make those distinctions yet. Founder-led outbound generates pipeline and learning simultaneously. Delegated outbound, without the right foundation, generates neither.

Build the message before you build the team.

You need a cold outbound message that works before you hire someone to send it at scale. "Works" means it generates replies from people in your ICP that lead to real conversations, not just polite "send me more info" responses. Test it yourself. Test it in different segments. Test it with different problem framings. When you can hand an SDR a sequence that you know converts at a specific rate to a specific persona, you've given them something they can actually execute against.

Fix the CRM and handoff before hiring.

You need to know what a qualified meeting looks like (written down, not vibes). You need a handoff process: who gets the meeting notes, when is the call scheduled, what does the AE review before the call. You need pipeline stages that actually mean something. If your CRM has a "discovery" stage that contains everything from a first cold call to a verbal commitment, your SDRs will never get useful feedback on what's working.

The question is not "can we afford SDRs?" It's "have we built the system that makes SDRs productive?" If the answer is no, the hire is premature regardless of budget.

Part Five

When the SDR model actually works.

The readiness signals most founders skip over.

The SDR model works when four conditions are met. Not three. Not "mostly." All four.

You have a tested outbound message with a known reply rate.

Not a message you think is good. A message you've sent to at least 200 contacts in your ICP and can point to a reply rate, a meeting conversion rate, and a set of common objections. The SDR inherits a playbook, not a blank page.

You have an AE who can take a meeting within 24 hours and run a real discovery call.

Outbound meetings decay faster than inbound. If the AE waits three days, the prospect has moved on. If the AE runs a product demo instead of a discovery conversation, the meeting is wasted even if it technically happened.

You have a CRM with clear definitions and a feedback loop.

The SDR needs to know within two weeks whether the meetings they booked were good. That requires pipeline stages with real definitions, AE notes after every call, and a weekly review cadence. Without this, the SDR is flying blind and so are you.

You have enough ICP density in your target segments to sustain a prospecting motion.

If your total addressable list is 400 accounts and the SDR burns through them in three months, you don't have enough fuel for the model. This is common in niche cyber categories (OT security, API security, firmware analysis) where the buyer universe is small and specific.

When all four conditions are in place, SDRs can be extraordinary. They become a predictable, scalable source of qualified pipeline. They free up founders and AEs to focus on closing. They generate the market signal you need to refine your ICP and your messaging. But the model only delivers that value when the infrastructure is already there.

Part Six

The real cost of hiring too early.

It's not just the money. It's the conclusion you draw from the failure.

The financial cost of a failed SDR hire is real: two reps at $70K base plus tools plus management time, for nine months of underwhelming results, adds up to roughly $300K in fully loaded spend. But that's not the worst part.

The worst part is the conclusion the founder draws from the failure. They say: "outbound doesn't work for us." Or: "CISOs don't respond to cold outreach." Or: "we need to go all-in on inbound and events." None of these conclusions are correct. What actually happened is that outbound didn't work without the right foundation. But because the company attributed the failure to the channel rather than the infrastructure, they abandon a motion that would have worked six months later with the right setup.

The most dangerous outcome of a premature SDR hire is not the wasted budget. It is the organizational belief that outbound doesn't work for your market. That belief can set your GTM strategy back by a year or more.

I've seen this with at least four companies in the last two years. They tried SDRs at $2M ARR, it didn't work, and by $6M ARR they were still running a founder-led sales motion with no outbound engine because they'd concluded the channel was dead. It wasn't dead. It was never given a fair chance.

The Bottom Line

Build the runway first.

The SDR model is not optional for cyber startups. But the timing is everything.

Cybersecurity startups will eventually need an outbound function. The buyers don't come to you. They're busy, skeptical, and inundated with vendor noise. Outbound, done right, is how you cut through.

But "done right" has requirements. Tested messaging. A CRM that can actually tell you what's working. An AE who treats SDR-sourced meetings as the high-urgency, high-decay opportunities they are. And enough ICP density to sustain a prospecting motion beyond the first quarter.

Do that work first. Then hire the SDRs. They'll thank you for it, and so will your pipeline.

The companies that win in outbound aren't the ones who hire SDRs first. They're the ones who build the system that makes SDRs successful, and then hire into it.
