(2025-05-28) Chin Damballa A Startup Horror Story

Cedric Chin: Damballa: A Startup Horror Story. In 2006, Merrick Furst was the undergraduate dean of the College of Computing at Georgia Tech. He’d had a remarkable career

In 2005, eBay’s chief information security officer (CISO) Howard Schmidt visited Georgia Tech for a board meeting. Schmidt wasn’t just a CISO; he had served at the White House as a cybersecurity coordinator

Furst met with Schmidt during his visit; he was excited to talk to Schmidt about some new cybersecurity technology they’d been working on in Georgia Tech.

At the time, computer viruses were mostly viewed as annoyances.

there were early signs that a new threat was materialising, and the team at Georgia Tech had noticed. What Furst wanted to show Schmidt was a solution to this emerging threat.

Schmidt understood the threat immediately. He thought that Georgia Tech’s solution had relevance to eBay’s commercial interests, and asked Furst out to San Jose to present. Years later, Furst and his business partner Matt Chanoff would write:
The meeting seemed like a spectacular success.

Howard and his team already knew that botnets were busy ripping off eBay and its customers.

lodged on 17 percent of all computers worldwide

Howard and his fraud team did some calculations right in front of Merrick and said, “If you can stop this kind of trust fraud, it can save eBay $40 million per year. How much will you sell it for? (emphasis added)” Merrick, who didn’t have an actual product yet, let alone a pricing plan, did what experienced entrepreneurs do—he made up a plausible number and said, “$150,000 per year or so, to start.” Howard jumped on it. His next question was “How soon can you deliver? (emphasis added)”

To Merrick, Chanoff — and eventually their investors — this was clear proof of demand. eBay wasn’t the only team that responded eagerly. The Georgia Tech team heard similar things from dozens of prospective companies. Even before they formed a company to commercialise the tech, they sold a rudimentary data feed to a large security company for $100k a year.

Furst and Chanoff founded Damballa in 2006. They negotiated IP rights from Georgia Tech and got started converting the tech into production-ready software.

Six months later, Damballa was ready with a product for eBay. They turned up at the company asking, in effect, “Who should we talk to, and where do you sign?” But then, strangely, eBay began dragging their feet. Schmidt delegated the project to a subordinate. There were many polite conversations that never led anywhere. The signs of demand — so strong at the beginning, so remarkable and so clear, suddenly seemed illusory. Damballa never sold a trust fraud or click fraud solution to eBay … or to anyone else.

we all had a fixed idea in our heads that we never questioned: companies would not tolerate their machines being compromised.

Even as sales lagged expectations, we always felt that we saw the problem and could move forward by fixing it. Maybe our software increased processing time.

improved the product, raised more money — repeatedly, over many years, eventually deploying $69 million in venture capital

With hindsight we can see that these just aren’t effective ways to understand customer demand. The right question ought to have been, “What ever gave us the impression that eBay would be a customer?” On what basis did we believe that our preferred value proposition would actually drive sales?

In the end, through a ton of hard work and effort, Damballa grew to $12 million in annual sales. Furst and Chanoff write, years later: “In hindsight, it’s arguable that Damballa did uncover an authentic demand, but because we never figured out its precise nature, we never understood the situations where it occurred or their frequency, so we were overoptimistic about the addressable market size. That led to financing the company unsustainably.”

Damballa was eventually sold to a consortium of investors for a mere $9 million dollars, in 2016. This consortium in turn sold the company to Roswell-based Core Security, in what was described as a ‘fire sale’. This occured 10 years later. Furst and Chanoff report that all but the last round of investors lost money. It was a bad outcome for a decade-long journey.