Upsell Premium to Ultimate sales play planner

description to add

Sales play planner and strategy page

content subject to change as we iterate and source feedback! All feedback is welcome- everyone can contribute.

Sales play name

Premium => Ultimate CI/CD: find and use the sales playbook here.

Description

Convert accounts from premium to ultimate that are using GitLab CI

Type

Upsell and expand

Supporting marketing campaign

See the epic in GitLab

Geos/countries

NA, EMEA, what else? APAC is in consideration, looking for feedback on if other team members agree or have past data to validate successful results with CI/CD campaigns

Target accounts

Full list of Premium accounts (added March 22nd 2021): here

Target segments and key messages for each

Emphasis on large due to the relation to verticals + regulated industries, but all should be included

ENT: Do more with less when you expand your benefits from using GitLab by adding Security capabilities of GitLab Ultimate all within the DevOps platform your teams already know and love. Bring security scanning to the developer’s existing workflows to empower them to find and fix vulnerabilities, while at the same time simplifying your tool set and eliminating integration efforts. Unify teams to work more efficiently and collaboratively through a shared platform so you can deliver business value faster while staying secure and compliant.

MM: Don’t let security slow you down. Improve efficiencies, collaboration, and eliminate bottlenecks by enabling security capabilities on your existing GitLab Platform. Spend time on planned work instead of maintaining and integrating tools. Get expertise and support that assures you can meet your strategic goals along the way.

SMB: Go fast, go safely, and do it easily by using even more of the GitLab platform. Take your continuous integration up a notch by seamlessly adding security scanning and collecting the vulnerabilities all in one easy-to-use place. You don’t have to be a security expert to see your risks and where to resolve them. Start right before inefficiencies get in the way of scaling out successfully.

PubSec: Reap the full rewards of the platform you are already using. Upgrade to Ultimate to manage risk from security and regulatory compliance by identifying vulnerabilities and compliance issues before the code ever leaves the developer’s hands. Stop worrying about audits!

Sales teams

SAEs, Account managers, and CSMs

Pipeline goal

See this section in the working doc

Target personas

Budget and influence are key for this play, so our basic assumption is that upleveling to someone’s boss isn’t going to be enough - people need to reach out to additional business units, namely security, and bring in “fresh” teams and opportunities within existing accounts. Additionally, we need to enable and equip current premium customers and their teams to be more “active champions” and essentially show them the light that is the value of Ultimate. (Think risk! and protecting the business)

  • Economic buyers:
    • CISO or Security Manager, VP of Security, Director of Security, VP of IT or CTO, App/Dev Director
  • Technical influencers:
    • Chief Architect, App Dev Manager, DevOps lead

Target verticals

With the heavy tie to security for value with Ultimate, all regulated industries should be a focal point

  • Healthcare, government, finance, telecom

Partner routes to market

  • Reseller?
  • MSP?
  • GSI?
  • Disti?

Elevator pitch

Get maximum benefits from using GitLab by adding Security capabilities of Ultimate all within the DevOps platform your teams already know and love. Bring security scanning to the developer’s existing workflows to empower them to find and fix vulnerabilities, while at the same time simplifying your tool set and eliminating integration efforts. Unify teams to work more efficiently and collaboratively through a shared platform so you can deliver business value faster while staying secure and compliant.

Value proposition

  1. Stop choosing between velocity and risk — test all of your code, on every commit, automatically, i.e. not just critical apps or periodic scans - without costly tool chain integrations.

  2. Better leverage your scarce security resources by putting app sec tools, that are meant for the developer, into the hands of the developer, so they remediate more and earlier.

  3. Improve visibility while at the same time reducing friction between processes and tools used by dev and app sec teams.

Other thoughts/notes:

  • Everything you get in Premium as well as free guest users, 50,000 compute minutes, and more…
  • GitLab Ultimate provides the single tool DevOps teams need to find and fix vulnerabilities in application code and its environments and to manage their risk from detection through remediation.
  • GitLab empowers and unites developers and security pros alike using repeatable, defensible processes that automate security and compliance policies from development through production.

Partner value proposition

Partners will appreciate the size of the Ultimate deals as well as the stickiness that use of its capabilities provides. Security is an ideal candidate for professional services assistance as well. Become an expert in end-to-end DevSecOps through a platform already used and loved by many.

Which GitLab stages/feature make up this sales play:

  • Create, Verify, Release, Secure, Software Supply Chain Security

Key capabilities in Ultimate center around security, compliance, insights/analytics, and releasing better + faster

  • Compliance dashboard - high level view of project compliance status and merge request approvers
  • Release analytics- An aggregated view of all release metrics for each of the projects associated to a group.
  • Auto rollback- Automatic rollback to the last successful deployment.
  • DORA 4 metrics (Deployment frequency available now, lead time scheduled to ship in 13.11), the remaining two are on the roadmap later this year)
  • Static Application Security Testing - check for potential security issues by evaluating static code but with Ultimate, see the results of the scans directly in the MR pipeline and also in the Security Dashboard, alongside all of the additional scans below that come with Ultimate:
    • Dynamic Application Security Testing - analyze review applications to identify potential security issues on running web applications before deployment
    • Secrets Detection - avoid exposing secrets and credentials for potential exploit.
    • Dependency Scanning - evaluate third-party dependencies to identify potential security issues.
    • Container Scanning - analyze Docker images and check for potential security issues.
    • License Compliance - identify the presence of new software licenses included in your project and track project dependencies. Approve or deny the inclusion of a specific license.
    • Coverage-guided Fuzz testing API Fuzz testing - surface security and logic flaws not identified as known vulnerabilities.
  • Security Dashboard - visualize security status for projects.
  • Vulnerability Management
  • Security Approvals in Merge Requests

Ultimate also includes priority support (4 business hour support), upgrade assistance, and a Customer Success Manager who will work with you to achieve your strategic objectives and gain maximum value from your investment in GitLab.

Which combination delivers the overall outcome to a customer

Identifying customers who are already using GitLab Premium and leveraging us for SCM and CI capabilities, as well as have a need for reporting, insights, analytics, and security. We want to understand their challenges and primary objectives. Often they have started shifting security left but struggling to scale across all projects. Bonus points if they’re trying to extend their automation or start automating their deployments and have a need for modern CD with compliance. We want to understand what they need first, and then plug in what value we can provide in Ultimate among the major themes: Security, compliance, releasing safely and efficiently (not trading velocity for risk or quality and having control over deployments/environments), end-to-end visibility and insights, and collaboration that unifies teams.

  • A good example to portray the power of CD/Security in Ultimate: combining Review Apps and DAST. Only GitLab can deliver DAST results to the developer within their pipeline before the code is merged. We do so by running the dynamic scan against the review app. Ensuring your apps are secure and compliant doesn’t stop once the code has been shipped. GitLab Ultimate also provides container security for runtime monitoring and protection.

Where should you land vs expand?

Land SCM/CI and Expand CD/Security

  • CD: Ultimate is ideal for projects with executive visibility while managing priorities, security, risk, and compliance.
  • Security: With Ultimate you can achieve advanced DevOps maturity with enterprise-level application security capabilities, out of the box, without custom integrations.

Differentiators

How does GitLab uniquely deliver this business outcome vs. competitors?

  1. Single application with end-to-end visibility and insights
    • From developers to managers to execs. Lovable developer UX with executive visibility. No one asks “what changed?”
    • Reduces exposure and unifies teams- with emergent advantages including unparalleled visibility and insights and much easier traceability.
  2. Embedded security that’s contextual and congruent to DevOps processes
    • Built in security and compliance shifted all the way left (and all the way right) - reduces risk and scales
    • Consistent compliance to policy, for cleaner and easier audits
  3. Leading SCM, CI, and code review in one platform
    • Completely integrated from idea to production
    • No plugins, etc. to maintain
  4. Transparent and collaborative
    • Single source of truth with built-in collaboration to focus on remediation, less friction
    • Auditable - see who changed what where, when including policy exceptions.

In addition to product advantages,

  • GitLab is open-core, source available, and home to a vibrant community and DevOps subject matter experts with world-class support.
  • Popular among developers making shift left easier to adopt.
  • Scalable with proven benefits in some of the largest Enterprises.

Differentiator notes and brainstorming

  • Reporting/analytics/insights in one place
  • The only DevOps vendor included in last year’s Gartner AST MQ
  • Leading CI/CD capabilities (Forrester Wave), SCM, code review
  • Unified deployment and monitoring
  • Automated and integrated CD, flexibility and control over how and when you deploy your apps without forced tradeoffs
  • Automated and integrated security. No need to integrate security scans into your CI Pipeline - we’ve done it for you!
  • Compliance dashboard to surface non-compliance and policy-driven automation to simplify audits.
  • Simplify your tool chain! A single platform for end-to-end DevOps can reduce your security and risk by eliminating plugins and improving access control and transparency.

Validation/customer stories

wip, for now: Glympse, BI Worldwide, Jasper, Wag!, HERE Tech

Offer and CTA

  • Landing page with a valuable asset (tbd) and offer with Ultimate free trial for 30 days.
  • “Try Ultimate today” or something in that realm?
  • placeholder

Potential tagline: Status quo doesn’t get it done. “Deliver faster. Deliver secure. With GitLab”

  • Other ideas are themes around “time waits for no one, plan for the future today and be ready to grow, etc.”

Buyer’s journey

tbd

Objection handling: WIP

See Security FAQ slides and Objections on DevSecOps use case page

  • Why is the price 5x?
    • What features or value justify the price jump?
      • Answer:
  • What’s been added over the last 12 months? I didn’t see a lot of value the last time I looked at Ultimate
    • Answer:
  • Lots of value maps to project management, what’s the CI/CD value for adopting Ultimate? What about security?
    • Answer:
  • I’ve already got security scanners that I can use
    • Answer:
  • I’ve already spent so much on AppSec tooling, not to mention DevOps
    • Answer:
  • We don’t even use a lot of what we spend money on today
    • Answer:
  • How do I justify this to my boss?
    • Answer:
  • We’re way too immature and early on in our journey to think about something like Ultimate
    • Answer:
  • I’ve never heard of ya’ll. I’ve known of our current vendor for 20 years or more. “If it ain’t broke, don’t fix it”
    • Answer:
  • “Just not good timing right now”
    • Answer:
  • “There’s a plugin for that” or “there’s an action for that” and they’re FREE
    • Answer:
  • Specific competitor objections….?
    • Jenkins
    • GH
    • Checkmarx
    • Veracode

Other resources