Enterprise software spend is growing faster than any other IT segment. While overall IT spend is expected to grow 8.6% to $5 trillion from 2023 to 2024, enterprise software spend is expected to grow 13.1% to break $1 trillion during the same period, driven to a large degree by cloud deployment. The size of the pie is massive, but building for enterprises can be a decades-long pursuit. Startups looking to capture a portion of this enterprise market must cross the “enterprise chasm,” the largest challenge startups face in moving upmarket.

Historically, building for the enterprise required a massive amount of time, personnel resources, and capital. Sales cycles are long due to complex IT requirements. If startups wait too long to cross this enterprise chasm, they risk having a competitor capture that lucrative enterprise segment first. In addition, implementation can often detract focus from engineering and product teams as onboarding can often take several months, quarters, or even years to complete. In fact, after spending almost $30 million to add enterprise features to their app, a Product Manager at Slack said that the company was only “halfway there.”

This is where WorkOS comes in. WorkOS offers a suite of enterprise-ready solutions for identity and access management (IAM). Its product lineup includes tools and APIs that enable developers to integrate crucial features into their applications, ensuring robust security and access control for enterprise clients. With WorkOS, developers can implement Single Sign-On (SSO), allowing users to access multiple applications with a single set of credentials. WorkOS also provides directory synchronization (SCIM) capabilities for seamless integration with existing user directories. Its product offerings extend to audit logs for user activity tracking, multi-factor authentication, and self-service onboarding for its user’s enterprise customers.

Michael Grinich (CEO) founded WorkOS in 2019, roughly two years after leaving Nylas, an email client and APIs startup that raised over $10 million. Although Nylas built a product that consumers loved, Grinich realized that the company could only achieve true scale by selling to the enterprise market. However, enterprises demand much more than SMBs. Grinich would have to raise more money and redirect the team's focus to features like SSO, audit logs, and access control. Reorienting the business towards enterprises (six- to seven-figure deals) required an entirely new set of features capable of handling the more rigid regulations and taxing resource demands of large corporations. This would require a massive change in fundamental philosophies within both business and product direction. Rather than reset Nylas’ course, Grinich left the company and took a year off to search for his next venture.

As Grinich told Contrary Research in a May 2023 interview, unlike most entrepreneurs who go out looking for “good” ideas, Grinich set out to find an area that looked like a bad idea to everyone else but himself. He viewed the job of an entrepreneur as a creative one akin to that of a musician or an artist; he sought out inspiration at museums, by meeting new people, and even attending rocket launches, and kept a journal of all of his ideas, no matter how bizarre.

After a year, he came to the realization that he was already familiar with a problem space that met his criteria. The difficult task he faced at Nylas of becoming enterprise-ready represented a meaningful market opportunity. Instead of validating his idea with a minimum viable product, Grinich built what he calls a “minimum awesome product.” In an interview with First Round Review, Grinich explains:

Source: First Round

WorkOS’s products are built to be developer-centric. This ethos is reflected in the details of new features all the way down to the company’s website and easy-to-use documentation. Building developer affinity is a core part of Grinich’s personal philosophy. In a May 2023 interview with Contrary Research, Grinich put it this way:

Single Sign-On

Enterprises have many employees using many different software systems. SSO is an authentication scheme that allows an employee to securely authenticate with all of these separate applications using the same set of credentials. This is often the first requirement that an enterprise client checks. By leveraging the WorkOS API, startups can provide comprehensive enterprise SSO functionality that seamlessly integrates with over 20 identity providers. WorkOS empowers customers to customize the user interface and experience of their SSO screens, incorporating convenient features such as support for magic links. Previously time-consuming enterprise requests can now be fulfilled by startups in minutes, significantly reducing the implementation timeline.

Source: WorkOS

Directory Sync

Directory Sync tackles another common requirement within enterprises. When an enterprise adopts a new tool, it needs to transfer the organizational structure, including employee groups and associated permissions. Manually maintaining this information is impractical, so organizations opt to automatically sync their "directory" from HR providers using a standardized protocol called SCIM. However, customizing SCIM to fit specific use cases demands significant effort and engineering resources, making it a challenging task.

WorkOS’s Directory Sync API allows a product to integrate with over 12 directory services, including Workday, BambooHR, Breathe, and Rippling. Any time (1) an employee is added or subtracted from the company’s core directory or (2) their permissions change, WorkOS ensures that the update is automatically reflected in the customer’s product.

Source: WorkOS

Admin Portal

Source: WorkOS

Admin Portal is a feature that startups can add to their product to enable self-serve onboarding for their enterprise customers. It allows startups to get their enterprise customers up and running with SSO and directory sync without needing to trade Slack or email messages about SAML or SCIM configuration, alleviating another burden for WorkOS customers.

Audit Logs

Source: WorkOS

Another feature that enterprises often demand from their software is audit logs, which are chronological records of the activities occurring within the product. They encompass actions such as logging in, password resets, information access, or utilization of specific features. IT administrators rely on audit logs to monitor user behavior and receive notifications in case of any suspicious activity occurs. WorkOS allows startups to easily implement enterprise-grade audit logs that are customizable, strongly typed, and exportable.

Multi-Factor Authentication

Source: WorkOS

Multi-factor Authentication (MFA) is an authentication technique that requires users to present two or more verification factors to access an application. MFA serves as a fundamental element of a robust IAM policy. With a few API calls, WorkOS allows startups to integrate MFA into an existing application, regardless of the authentication layer or session management strategy. It supports Time-Based One-Time Password (TOTP) and SMS passcode authentication methods.

Customer

WorkOS’s customers are companies that are willing to pay to speed up the development of features that will allow them to cater specifically to enterprises. Customer industries span education, fintech, productivity, legal, and finance and sells to virtually any company that has reached product-market fit.

In an interview with Contrary Research, Grinich stated:

Before WorkOS, SaaS startups with bottom-up sales motions would often see growth stifled as they moved up-market. Typically, their applications would gain rapid adoption within a company without the knowledge of the IT department before being promptly blocked due to the absence of crucial features like SSO. Startups would have to decide whether to risk losing its customers or embark on the distracting, time-consuming process of implementing enterprise features (to the dismay of its developers). With WorkOS, startups can get enterprise-ready in just a tenth of the time, freeing up startups to focus their core products.

Market Size

Enterprise software spend is growing faster than any other IT segment. While overall IT spend is expected to grow 8.6% to $5 trillion from 2023 to 2024, enterprise software spend is expected to grow 13.1% to break $1 trillion during the same period, driven to a large degree by cloud deployment.

Within this, the IAM market was valued at $15.9 billion in 2022 and is expected to grow to $41.5 billion by 2030 (12.6% CAGR from 2023 to 2030). Key drivers of growth include (1) rising instances of security breaches, (2) escalating incidents of identity-related fraud, and (3) growing regulatory and organizational pressure to protect corporate assets. Compromised credentials are the most common initial attack vector, compromising roughly 20% of breaches and costing $4.5 million on average per breach.

A majority of SaaS companies are enterprise vendors. Of the 30K SaaS companies in existence, roughly 20K sell to enterprises. As a point of reference, it cost Slack well over $30 million to implement all the features it needed to move up-market.

The market for IT services is highly fragmented. The IAM market alone has dozens of incumbents. This causes a massive headache for developers that want to better integrate across systems. WorkOS’ platform aims to unite these disparate components.

Notable competitors in the market include:

Auth0: Auth0 is a cloud identity management application. Some developers have likened WorkOS to Auth0. However, Grinich posits that WorkOS has even bigger ambitions as an infrastructure company. Auth0 exclusively focuses on authentication, whereas WorkOS is focused on the wider challenge of becoming enterprise ready. WorkOS’ platform-level approach can provide a better developer experience as your second and third feature integrations will take significantly less time to implement than your first. Okta acquired Auth0 in 2021 for $6.5 billion.

OneLogin: OneLogin is a cloud-based solution for managing identity and access. It allows enterprises to secure and authenticate users' access to various applications across multiple devices. Their SSO and MFA solutions compete with WorkOS’s respective offerings. One Identity acquired the company in 2021 at an undisclosed valuation.

Duo Security: Duo Security primarily focuses on MFA to enhance security for organizations. Their platform provides an extra layer of protection by requiring users to verify their identities through multiple authentication factors. They also have an SSO product that competes with that of WorkOS. The company was acquired by Cisco in 2018 for $2.4 billion.

Microsoft: Microsoft’s Azure Active Directory (Azure AD) is a direct competitor to WorkOS in the IAM space. Azure AD is tightly integrated with Microsoft's suite of products and services, catering primarily to enterprise customers with advanced security options, hybrid environment support, and extensive integration capabilities within the Microsoft ecosystem. Azure AD also offers a vast marketplace of pre-integrated applications and services. The choice between Azure AD and WorkOS depends on business needs, with Azure AD providing robust enterprise features and Microsoft integration, while WorkOS offers flexibility and customization for IAM implementations.

Frontegg: Frontegg is an all-in-one user management platform for B2B SaaS companies. It caters to various growth stages and go-to-market strategies, including Product-Led Growth (PLG) and Enterprise Readiness, as well as selling through resellers. They offer integrations for essential authentication flows, features such as managing complex organizational structures (multi-tenancy), fine-grained authorization, API-token management, a self-service admin portal for end-users, subscription enforcement, and SSO. The company raised a $40 million Series B in 2022.

BoxyHQ: A newer entrant, BoxyHQ is an open-source alternative to WorkOS that gives users the flexibility to customize their solutions and self-host for free. It competes directly with WorkOS across a broader offering of enterprise features, including Enterprise SSO, Audit Logs, and Directory Sync. It also has a Data Privacy Vault feature that helps companies centralize, isolate, and govern any sensitive data they collect. The company raised a $2.5 million seed round in 2021.

WorkOS operates a monthly subscription business model. Pricing is based on the number of SSO or Directory Sync connections. A connection represents the relationship between WorkOS and any group of end users. Each enterprise customer that connects to a user's app with SSO or Directory Sync is counted as one connection.

The company offers two plans:

1. Pay-as-you-go: The monthly fee scales linearly from 1 to 19 connections at $125 per connection.

2. Enterprise: The enterprise solution is offered to customers who need a custom solution, including enhanced security, IT, and support features.

Source: WorkOS

As of June 2022, WorkOS had over 200 paying customers across the globe — just 2 years after founding. Grinich describes WorkOS’s growth as “the aggregate sum of all of our customers’ growth,” and the company counts some of the fastest-growing SaaS startups as customers, including Vercel, Webflow, and Loom. Many of these customers have grown to unicorn status in just a few months of using WorkOS.

Source: WorkOS

WorkOS follows a developer-led growth (DLG) approach. In a conversation with Contrary Research, Grinich stated:

This philosophy has proven successful. Grinich says the company has not churned a single customer since its inception. The company prioritizes the quality of the customer base over the speed of growth. As such, WorkOS has no plans to introduce a top-down sales motion in the near-term.

In June 2022, WorkOS acquired Modulz, the company that created the popular open-source UI frameworks Radix Primitives and Stitches, which provide components for building design systems. The Modulz team joined WorkOS to build out UI-related features and to support open source efforts, furthering WorkOS’ philosophy to create a user experience that is as developer-friendly as possible.

In June 2022, WorkOS raised a $80 million Series B round at an undisclosed valuation led by Greenoaks, with participation from Lachy Groom, Lightspeed Ventures and Abstract Ventures. To date, WorkOS has raised $95 million.

A few comparables in the API space may shed light on WorkOS’s trajectory. Plaid raised a $425 million Series D in April 2021 at a $13.4 billion valuation. Scale raised a $325 billion Series E in April 2021 at a $7.3 billion valuation. Stripe raised a $600 million Series H in March 2021 at a $95 billion valuation. Lachy Groom, Stripe’s own former Head of Issuing, described the company as “the next Stripe for enterprise features.”

Product Expansion

In a conversation with Contrary Research, Grinich states that he has ambitions to expand into identity-adjacent categories such as user management, lifecycle session management, role-based access control (RBAC), and fine-grained permission. A former VP of Developer Relations estimated that the company executed on just 1% of what it intended to build. Lightspeed Partner Nakul Mandan believes that RBAC alone could be a multi-billion dollar product line.

The key is coming up with the right sequencing of product launches. A WorkOS customer typically starts with the SSO product and then layers on additional products. It’s critical that WorkOS not only tracks its customers’ needs, but also ensures its product roadmap stays a few months ahead of them. To achieve its full vision for enterprise readiness, WorkOS must continue executing on product expansion.

Source: The Generalist

Vertical Expansion

Most API startups tend to focus on delivering significant value to a select number of customer companies, typically within specific niches. Plaid, for example, specializes in serving fintech companies, Scale caters to AI companies, and Alchemy targets Web3 companies. It is relatively rare for an API startup to break free from these niche constraints and create value across multiple industries. WorkOS is unique in that its APIs are accessible to every software company, unlocking an immense potential for widespread adoption.

On the other hand, starting with a generalist product gives WorkOS the opportunity to expand to industry-specific use cases. In the future, WorkOS could potentially target any vertical that has unique IAM requirements, such as the healthcare, finance, or government sectors.

Commoditization of Integrations

WorkOS’ core value proposition is its ability to plug into disparate identity platforms and centralize them all into a single API. The consolidation of identity providers over time can potentially commoditize WorkOS’s integration layer. By building for just a few large identity platforms like Okta and Azure, an app can now achieve significant coverage, potentially rendering integration platforms less valuable.

In a conversation with Contrary Research, Grinich acknowledged that AI models (e.g. GPT-4) are a major risk to companies that are purely integration platforms. However, WorkOS doesn’t see itself as an integration platform. It’s a higher-level infrastructure play that ties all the components together. After standardizing the data coming in, WorkOS helps customers decide what to do with that data, providing intelligence around how user membership and organization structures drive business outcomes for teams.

Competition

WorkOS has benefited from being a first mover thus far. While competing point solutions exist, there are few competitors in the broader enterprise readiness space. As WorkOS’s competition increases with fast followers, the company may need to invest in a more aggressive go-to-market strategy, pushing past its current philosophy on DLG. The company has likely experienced low customer acquisition costs to date. Building a top-down sales strategy requires a new muscle and may impact the level of capital efficiency the company has been able to sustain. However, investing in this new sales motion could build WorkOS’ own moat as well.

WorkOS is an API company that helps startups implement the features they need to start selling to enterprise customers, which can help them expand their addressable market. Recognizing that point solutions are often insufficient when companies need to meet the broad needs of an enterprise, the company offers a suite of products that includes single-sign-on (SSO), directory sync, multi-factor authentication, and audit logging. While the company has plenty of opportunity to expand its product offering into a diverse market, it will need to prove its defensibility as other competitors come to the table.