Six GTM Lessons from Auth0, and the Ones My Startup Got Wrong
2025-10-25
I recently attended a workshop by Gonto, hosted by Craft Ventures (s/o Aaron Cort for organizing), on how Auth0 scaled from an early developer tool into a multi-billion-dollar company. A lot of the playbook he laid out maps cleanly onto what we tried to do at AutoCloud — sometimes as confirmation, sometimes as a clear mirror of where we got things wrong.
Different category, different era, same underlying lessons.
Here's where the Auth0 playbook and AutoCloud's GTM align, where they diverge, and the mistakes the comparison makes hard to ignore.
Start with user pain, not category messaging
Gonto's best point: developers don't care about "authentication" as a category. They care when they're blocked trying to ship something.
This is where AutoCloud's early playbook diverged from the lesson — and it's the most clear-cut mistake we made. We led with category language: "multi-cloud governance," "cloud posture management," Gartner-style framing. Engineers didn't care. They were searching for why a Terraform deployment was failing, why an AWS account drifted weekly, why security flagged an IAM policy, why nobody owned a $4k/month resource.
The shift came when we stopped marketing the category and started writing into operational pain — misconfiguration examples, IAM edge cases, Terraform and Pulumi patterns, real remediation walkthroughs. Engagement followed almost immediately.
The uncomfortable part in retrospect: we knew this was the right move and still defaulted to category messaging because it was how the buyer's analysts framed the space. That's a trap a lot of infra startups fall into.
Join communities, don't try to build one
Auth0 embedded into the AngularJS ecosystem early — conferences, maintainer relationships, association with the framework as it exploded.
This is where the parallel held strongest for AutoCloud. We didn't try to manufacture a community. We showed up in the ones that already existed: AWS user groups, DevOps Slacks, platform engineering conversations, Kubernetes and IaC ecosystems, cloud security meetups.
What worked best was open source. CloudGraph — a graph-based cloud visibility project — gained traction faster than the core commercial product, and it changed the tone of every interaction. We weren't a vendor pitching governance software. We were people contributing useful tooling. In technical markets, that distinction is everything.
The Auth0 lesson and the AutoCloud experience point at the same thing: in developer markets, credibility doesn't get manufactured, it gets earned in someone else's living room.
Content products beat content marketing
Auth0's biggest wins included jwt.io — a free JWT debugger that eventually drove millions of users.
This is where AutoCloud half-aligned. The instinct was right: lightweight utilities around cloud visibility and IaC analysis consistently outperformed polished enterprise messaging. But we never built a flagship content product on the scale of jwt.io. CloudGraph came closest, and even that was scoped more as an OSS project than a daily-use utility.
The mistake was treating "content products" as a box we'd already checked once CloudGraph was live, instead of as a discipline that demanded its own roadmap. Whitepapers get read once. Useful tools become part of a workflow. The opportunity is still wide open — narrow utilities around Kubernetes troubleshooting, Terraform drift, IAM analysis, cost visibility, AI infra observability, MCP and server orchestration. Engineers are drowning in fragmented tooling.
If I were starting over, I'd staff a small team specifically against shipping content products on a regular cadence, the way most companies staff content marketing.
Timing matters more than messaging
Probably Gonto's most important outbound lesson: companies only change authentication systems during larger initiatives — cloud migrations, modernization, compliance, architecture shifts. Without those triggers, outbound failed.
This held one-for-one at AutoCloud. Nobody woke up wanting to buy cloud governance software. What triggered deals was SOC 2 or FedRAMP prep, on-prem-to-AWS migrations, post-acquisition account consolidation, leadership changes, cost explosions, security incidents, Kubernetes rollouts, new platform engineering initiatives.
The shift in framing was the unlock. Instead of asking "who fits our ICP?", we started asking "who's going through a transition event that makes this problem urgent right now?" The mistake here was how long it took to internalize that — we ran trigger-agnostic outbound for too long before the timing-based motion took hold.
Experimentation has to be cultural
Auth0 reserved meaningful budget for experiments they expected to fail. Most companies claim to value experimentation but actually value predictability.
This held for us. The motions that ended up working best initially looked low-probability: open source as a GTM wedge, highly technical outbound, engineering-first content, cloud provider co-selling, targeting platform teams before security teams. Some worked. Plenty didn't.
The thing that mattered was making failure acceptable as long as something was learned. In developer infrastructure that mindset is non-negotiable — the landscape moves constantly. New frameworks emerge, cloud vendor positioning shifts, AI rewrites workflows, buyer personas evolve. What worked 18 months ago tends to stop working quietly before anyone notices.
Bottoms-up and top-down aren't opposites
The best infrastructure companies eventually combine PLG-style bottoms-up adoption with enterprise top-down sales.
This is where Auth0 and AutoCloud most cleanly aligned. Engineers found us through OSS, content, demos, and technical conversations. Large contracts closed through CTOs, platform leaders, security teams, and cloud transformation initiatives.
The mistake to avoid is treating these as a choice. Bottoms-up creates credibility and internal pull. Top-down creates budget and organizational commitment. The strongest GTM motions connect the two, and companies that pick a side too early either build pipeline they can't close or close deals that never get rolled out.
The principles don't change
The biggest takeaway from Gonto's talk is that great GTM is less about clever growth hacks and more about deep understanding — of how people behave, when they change, where they already gather, and what pain actually motivates action.
Looking at the AutoCloud playbook through that lens, the places we aligned with the principles were the places that compounded. The places we diverged were almost always the places we eventually had to course-correct. And the mistakes — leading with category language, under-investing in content products, running outbound without trigger events — were all violations of principles we knew, and didn't act on fast enough.
The tactics evolve. The principles don't. The hard part is acting on them when the org is pulling toward the comfortable option.