UpGuard
06 · PLG Strategy

PLG Strategy

  • How to close the middle-funnel gap from the 'Funnel' section.
  • The vendor portfolio snapshot is not a single product but two layers: what we do ourselves + what we enhance with integrations.
  • The goal is to embed UpGuard at the points where decisions about vendors are made.

Layer 1: What We Do Ourselves

Product mechanics without external partners

Website tripwire: 5 vendors free

Vendor portfolio snapshot on /product/vendor-risk

Mechanics

  • Primary CTA on homepage and /product/vendor-risk: 'Assess 5 vendors for free'.
  • Form: 5 vendor domains + email + role (TPRM / SecOps / Procurement).
  • Backend: batch scan on the existing External Security Score engine.
  • Result: score for each vendor + top risks + prioritization of 'who to check first'.

3 Next Steps on the Results Page

  • Self-serve: 'View entire portfolio' → freemium plan.
  • Sales-assisted: 'Discuss with an expert' → 30-min review.
  • Internal sharing: 'Send report to CISO / Procurement' → shareable PDF / link.

The key: this is not a new product, but a lightweight layer on top of what UpGuard already has – scoring, portfolio, reporting.

Link with the free tier as a PLG on-ramp

From outside → inside without a transition

Mechanics

  • Website snapshot → auto-creates self-service account.
  • The same 5 vendors appear in the client's freemium plan.
  • Then it works like a regular freemium: continuous monitoring, questionnaires upon upgrade.

Clear Separation

  • Marketing PLG: landing pages, snapshot, content.
  • Product PLG: freemium with a limit on vendors / features.

PQL Signals for Handoff to Sales

  • Went through the 5-vendor snapshot.
  • Added N more vendors (exceeded the free limit).
  • Started using monitoring / questionnaires.
  • Shared the report with colleagues within the company.

Layer 2: Who to Partner With

Integrations in places where the TPRM champion already works

Go not to the cyber marketplace, but to the systems where the vendor issue is already being addressed. These are integration partnerships, not resale. There are 5 categories, grouped by job-to-be-done.

Job-to-be-done · A new vendor has appeared

Procurement and ITSM

Platforms

  • Procurement / S2P: Coupa, SAP Ariba, Ivalua, Jaggaer, Oracle Procurement, Workday.
  • ITSM / service desk: ServiceNow, Jira Service Management, Zendesk, Freshservice.

What We Do

  • Marketplace applications "Security score by UpGuard" for "New vendor / supplier / SaaS" forms.
  • Joint go-to-market: co-webinars "How to embed third-party risk into vendor onboarding".
  • Listing in their marketplace with an emphasis on automated vendor risk.

Goal: Every 'new vendor request' in these systems pulls UpGuard with a single click, without visiting the website.

Job-to-be-done · Vendor is already in the registry

ERP and vendor master

Platforms

  • SAP, Oracle, NetSuite, Microsoft Dynamics, Workday.

What We Do

  • Lightweight integrations "Vendor Risk status in vendor master".
  • UpGuard provides score / status by domain → ERP displays it in the supplier's card.
  • Co-marketing with those who promote "risk-aware procurement".

Goal: The UpGuard score becomes as standard a field in the vendor master as Tax ID or payment terms.

Job-to-be-done · Risk is managed centrally

GRC / IRM

Platforms

  • ServiceNow GRC, Archer, OneTrust, IBM OpenPages.

What We Do

  • Partner connectors "UpGuard → GRC": GRC provides the process, UpGuard provides the external posture data.
  • Joint whitepapers / webinars "How to plug TPRM external signals into GRC".

Goal: UpGuard establishes itself as a signal provider for third-party risk in existing risk programs.

Job-to-be-done · SaaS appears as Shadow IT

SaaS management and identity

Platforms

  • SaaS Management: Torii, BetterCloud, Productiv.
  • Identity / SSO: Okta, Azure AD, Google Workspace.

What We Do

  • Integrations "discovered SaaS → UpGuard check".
  • When the platform finds a new application → it is automatically fed to UpGuard.
  • The TPRM team receives a list of "new & risky SaaS to review".
  • Joint materials about Shadow IT + TPRM.

Goal: Catch informal vendors before they get into the official registry and contract.

Job-to-be-done · Quick check and sharing

Collaboration / developer platforms

Platforms

  • Slack / Teams (bots, applications).
  • Atlassian Marketplace (Jira add-on).
  • GitHub Marketplace (for OSS / 3rd-party libs).

What We Do

  • Bots like /vendor-score domain.com.
  • Shareable link / report directly in the chat.
  • Add-on for Jira (vendor risk in the ticket).

Goal: Allow the champion and engineers to 'ping UpGuard' where they already live.

Conclusions

Layer 1 (website):

  • Website tripwire: 'Assess 5 vendors for free' as the primary CTA.
  • Link snapshot → free tier → PQL signals → sales.
  • A lightweight layer on top of existing scoring and reporting mechanics.

Layer 2 (integrations):

  • First wave: 1–2 anchor partners in Procurement (Coupa or Ariba) and ITSM (ServiceNow).
  • Second wave: GRC (ServiceNow GRC or Archer) + ERP (SAP).
  • Third wave: SaaS Management (Torii / BetterCloud) + collaboration (Slack bot).

Logic: catch the TPRM task where it actually arises (in a procurement form, in an ITSM ticket, in SaaS discovery), rather than waiting for the champion on the website.