DevSecOps Tooling Selling to the Head of Platform Engineering — 60-Min Training

👁 0 views📖 1,111 words⏱ 5 min read5/30/2026

Direct Answer

DevSecOps Tooling Selling to the Head of Platform Engineering is a 60-minute training for AEs, SEs, and channel managers running $150K–$1.2M ACV cycles against incumbents like Snyk, GitHub Advanced Security, GitLab Ultimate, Checkmarx, Veracode, Sonatype Nexus, Mend.io (WhiteSource), Wiz Code, Aikido, JFrog Xray, Endor Labs, and Semgrep.
The session teaches sellers to qualify against the three-buyer reality (Head of Platform Engineering, Head of Application Security, CISO), run a structured discovery on PR-merge-time and false-positive economics, demo against the customer's actual repos, and trap-set the multi-year renewal at month 12.
Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.

Section 1 — Why DevSecOps Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. DevSecOps tooling is bought by the Head of Platform Engineering with a CISO co-signature. The developer experience is the primary metric — a scanner that blocks PR merges with high false-positives drives platform engineering to disable it within 90 days.

Set the frame on the whiteboard.

Three buyers, one user experience. Head of Platform Engineering picks; Head of Application Security operationalizes; CISO funds. Snyk's 2026 customer survey shows 67% of decisions decided by Head of Platform Engineering.
PR-merge time is the make-or-break metric. A scanner that adds 30+ seconds to PR-check time triggers developer revolt. Best-in-class adds under 8 seconds.
False-positive rate determines adoption. Above 15% FPR, developers ignore alerts. Semgrep and Endor Labs lead on low-FPR static analysis.

End the segment with Mark Roberge's rule: *"Sell the PR-merge time saved, not the rule count shipped."*

Section 2 — The 60-Minute Discovery Block (15 min)

Opening (3 min): "Walk me through your CI/CD pipeline — repos, languages, build tools, scanners deployed today."
PR-merge baseline (10 min): "What's your current PR-check time impact from security scanning? Sub-8 seconds added is best-in-class."
False-positive baseline (10 min): "What's your current FPR on security findings? Under 15% is best-in-class; legacy SAST clusters at 40–60%."
Coverage baseline (10 min): "What's covered today — SAST, SCA, secrets, IaC, container, license? Most enterprises need 5+ scan types."
Repo coverage (8 min): "What percentage of repos are scanned in CI today? 95%+ is best-in-class."
Reachability analysis (7 min): "Does your incumbent prioritize vulnerable dependencies by reachability, or alert on all? Endor Labs and Snyk Reachability lead here."
Renewal posture (5 min): "When is your current DevSecOps contract up? What contractual extraction friction would we navigate?"

flowchart TD A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior] B --> C{Platform Eng + AppSec + CISO?} C -->|No| D[Reschedule No Exceptions] C -->|Yes| E[PR Time + FPR 20 min] E --> F[Coverage + Repo Scan 18 min] F --> G[Reachability + Renewal 12 min] G --> H[Confirm POC Scope Workshop] H --> I[POC Connected to 5+ Repos Within 5 Days] I --> J[Joint Platform Eng Review at Day 30] J --> K[Bind Decision at Day 60]

Section 3 — The POC That Wins (15 min)

Failure modes to ban. Sample-repo POCs. No PR-merge-time benchmark. No FPR delta vs. Incumbent.

Wins to coach. Real production repos onboarded. Walk through Snyk's and Semgrep's published POC agendas — both connect to 5+ real production repos in under 5 days. PR-merge time delta delivered. Show PR-check time before/after. FPR delta delivered. Show FPR before/after on the same vulnerability set.

End with Andy Paul's rule: *"Show the customer their PR queue cleared, not your rule count expanded."*

Section 4 — Handling the Incumbent Trap (10 min)

The room will face Snyk, GitHub Advanced Security, and Checkmarx in eight of ten enterprise deals. Coach the room on three counter-moves.

Counter-move 1 — The PR-merge time wedge. Ask the Head of Platform Engineering: *"What's your incumbent's PR-check time impact today? Sub-8 seconds is best-in-class."*

Counter-move 2 — The reachability wedge. Ask the Head of Application Security: *"Does your incumbent prioritize vulnerable dependencies by reachability or alert on all CVEs? Reachability cuts FPR by 60–80%."*

Counter-move 3 — The coverage-breadth wedge. Ask: *"How many scan types does your incumbent cover — SAST, SCA, secrets, IaC, container, license? 5+ is best-in-class."*

Show Force Management's command-of-the-message rule: *"Displace on developer experience, not on rule count."*

Section 5 — Pricing Conversation and Procurement (10 min)

Landmine 1 — Per-developer vs. Per-repo pricing. Per-developer scales with the customer's team; per-repo punishes monorepos.

Landmine 2 — Multi-year discount math. Three-year deals justify 12–18% discount; five-year deals justify 22–28%.

Landmine 3 — The procurement-only meeting. No procurement-only rule — refuse procurement-only meetings.

flowchart TD A[Joint Platform Eng + AppSec + CISO] --> B[Per-Developer Proposal Issued] B --> C{Multi-Year Discount Aligned?} C -->|No| D[Reset to Retention Math] C -->|Yes| E[MSA + SOW Drafted] E --> F{Procurement Solo Meeting?} F -->|Yes| G[Refuse Insist on Platform Eng Joint] F -->|No| H[Joint Negotiation Session] G --> H H --> I[Onboarding Within 7 Days] I --> J[First PR-Time Scorecard Month 1] J --> K[Quarterly Platform Eng Review]

Section 6 — The Trap-Set for Renewal at Month 12 (5 min)

Trap-set 1 — PR-merge time impact under 8 seconds within 90 days. The number is the renewal narrative.

Trap-set 2 — FPR under 15% within 6 months. Below the threshold is renewal-defending.

Trap-set 3 — Repo coverage at 95%+ within 6 months. Lock in full-estate visibility.

Trap-set 4 — Joint Platform Eng dashboard in QBR. Build the developer-experience dashboard into the QBR. By month 12, the dashboard is the renewal narrative.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*

FAQ

Should we lead with SAST or with SCA? Lead with the customer's biggest pain — SAST for greenfield, SCA for legacy with heavy open-source dependency.

How do we handle a customer mid-Snyk or GitHub Advanced Security renewal? Run a complementary deployment in a non-overlapping scan type (e.g., container while incumbent runs SAST). Build proof for the displacement conversation at renewal.

What is the right POC size for a Tier-1 enterprise? 60 days, 5+ production repos, PR-merge time and FPR deltas delivered.

How do we price against GitHub Advanced Security's bundled positioning? GHAS wins on bundled pricing for GitHub-native customers; we win on reachability and FPR depth. Position complementary at the entry tier.

What if the customer asks us to integrate with their existing ticketing and ITSM? Yes — every modern DevSecOps vendor integrates with Jira, ServiceNow, Linear, GitHub Issues. Demo live in the POC.

Sources

Gartner — Magic Quadrant for Application Security Testing (2026)
Forrester — The Forrester Wave: Software Composition Analysis (2026)
Snyk — State of Open Source Security Report (2026)
Semgrep — Developer Security Survey (2026)
Sonatype — State of the Software Supply Chain (2026)
GitHub — State of the Octoverse Security Findings (2026)
Force Management — Command of the Message and MEDDPICC Reference (2026)
Mark Roberge — "The Sales Acceleration Formula" Premium-Pricing Chapter
Andy Paul — "Sell Without Selling Out" Discovery Cadence
Jeb Blount — "Fanatical Prospecting" Renewal-First Doctrine

Keep reading

Download:

### Direct Answer

> **DevSecOps Tooling Selling to the Head of Platform Engineering** is a 60-minute training for AEs, SEs, and channel managers running $150K–$1.2M ACV cycles against incumbents like **Snyk**, **GitHub Advanced Security**, **GitLab Ultimate**, **Checkmarx**, **Veracode**, **Sonatype Nexus**, **Mend.io** (WhiteSource), **Wiz Code**, **Aikido**, **JFrog Xray**, **Endor Labs**, and **Semgrep**. The session teaches sellers to qualify against the **three-buyer reality (Head of Platform Engineering, Head of Application Security, CISO)**, run a structured discovery on **PR-merge-time and false-positive economics**, demo against the customer's actual repos, and trap-set the multi-year renewal at month 12. Built on **MEDDPICC**, **Force Management's Command of the Message**, and **Andy Paul's "Sell Without Selling Out"** discovery cadence.

---

## Section 1 — Why DevSecOps Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. DevSecOps tooling is **bought by the Head of Platform Engineering with a CISO co-signature**. The developer experience is the primary metric — a scanner that blocks PR merges with high false-positives drives platform engineering to disable it within 90 days.

Set the frame on the whiteboard.

- **Three buyers, one user experience.** Head of Platform Engineering picks; Head of Application Security operationalizes; CISO funds. **Snyk's 2026 customer survey** shows 67% of decisions decided by Head of Platform Engineering.
- **PR-merge time is the make-or-break metric.** A scanner that adds **30+ seconds** to PR-check time triggers developer revolt. Best-in-class adds **under 8 seconds**.
- **False-positive rate determines adoption.** Above **15% FPR**, developers ignore alerts. **Semgrep** and **Endor Labs** lead on low-FPR static analysis.

End the segment with **Mark Roberge's** rule: *"Sell the PR-merge time saved, not the rule count shipped."*

---

## Section 2 — The 60-Minute Discovery Block (15 min)

> 1. **Opening (3 min):** "Walk me through your CI/CD pipeline — repos, languages, build tools, scanners deployed today."
> 2. **PR-merge baseline (10 min):** "What's your current PR-check time impact from security scanning? **Sub-8 seconds added** is best-in-class."
> 3. **False-positive baseline (10 min):** "What's your current FPR on security findings? **Under 15%** is best-in-class; legacy SAST clusters at 40–60%."
> 4. **Coverage baseline (10 min):** "What's covered today — SAST, SCA, secrets, IaC, container, license? Most enterprises need **5+ scan types**."
> 5. **Repo coverage (8 min):** "What percentage of repos are scanned in CI today? **95%+** is best-in-class."
> 6. **Reachability analysis (7 min):** "Does your incumbent prioritize vulnerable dependencies by reachability, or alert on all? **Endor Labs** and **Snyk Reachability** lead here."
> 7. **Renewal posture (5 min):** "When is your current DevSecOps contract up? What contractual extraction friction would we navigate?"

```mermaid
flowchart TD
    A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior]
    B --> C{Platform Eng + AppSec + CISO?}
    C -->|No| D[Reschedule No Exceptions]
    C -->|Yes| E[PR Time + FPR 20 min]
    E --> F[Coverage + Repo Scan 18 min]
    F --> G[Reachability + Renewal 12 min]
    G --> H[Confirm POC Scope Workshop]
    H --> I[POC Connected to 5+ Repos Within 5 Days]
    I --> J[Joint Platform Eng Review at Day 30]
    J --> K[Bind Decision at Day 60]
```

---

## Section 3 — The POC That Wins (15 min)

**Failure modes to ban.** **Sample-repo POCs.** **No PR-merge-time benchmark.** **No FPR delta vs. Incumbent.**

**Wins to coach.** **Real production repos onboarded.** Walk through **Snyk's and Semgrep's published POC agendas** — both connect to 5+ real production repos in under 5 days. **PR-merge time delta delivered.** Show **PR-check time before/after**. **FPR delta delivered.** Show **FPR before/after** on the same vulnerability set.

End with **Andy Paul's** rule: *"Show the customer their PR queue cleared, not your rule count expanded."*

---

## Section 4 — Handling the Incumbent Trap (10 min)

The room will face **Snyk**, **GitHub Advanced Security**, and **Checkmarx** in eight of ten enterprise deals. Coach the room on three counter-moves.

**Counter-move 1 — The PR-merge time wedge.** Ask the Head of Platform Engineering: *"What's your incumbent's PR-check time impact today? **Sub-8 seconds** is best-in-class."*

**Counter-move 2 — The reachability wedge.** Ask the Head of Application Security: *"Does your incumbent prioritize vulnerable dependencies by reachability or alert on all CVEs? **Reachability cuts FPR by 60–80%**."*

**Counter-move 3 — The coverage-breadth wedge.** Ask: *"How many scan types does your incumbent cover — SAST, SCA, secrets, IaC, container, license? **5+** is best-in-class."*

Show **Force Management's command-of-the-message** rule: *"Displace on developer experience, not on rule count."*

---

## Section 5 — Pricing Conversation and Procurement (10 min)

**Landmine 1 — Per-developer vs. Per-repo pricing.** Per-developer scales with the customer's team; per-repo punishes monorepos.

**Landmine 2 — Multi-year discount math.** Three-year deals justify **12–18% discount**; five-year deals justify **22–28%**.

**Landmine 3 — The procurement-only meeting.** **No procurement-only rule** — refuse procurement-only meetings.

```mermaid
flowchart TD
    A[Joint Platform Eng + AppSec + CISO] --> B[Per-Developer Proposal Issued]
    B --> C{Multi-Year Discount Aligned?}
    C -->|No| D[Reset to Retention Math]
    C -->|Yes| E[MSA + SOW Drafted]
    E --> F{Procurement Solo Meeting?}
    F -->|Yes| G[Refuse Insist on Platform Eng Joint]
    F -->|No| H[Joint Negotiation Session]
    G --> H
    H --> I[Onboarding Within 7 Days]
    I --> J[First PR-Time Scorecard Month 1]
    J --> K[Quarterly Platform Eng Review]
```

---

## Section 6 — The Trap-Set for Renewal at Month 12 (5 min)

**Trap-set 1 — PR-merge time impact under 8 seconds within 90 days.** The number is the renewal narrative.

**Trap-set 2 — FPR under 15% within 6 months.** Below the threshold is renewal-defending.

**Trap-set 3 — Repo coverage at 95%+ within 6 months.** Lock in full-estate visibility.

**Trap-set 4 — Joint Platform Eng dashboard in QBR.** Build the developer-experience dashboard into the QBR. By month 12, the dashboard is the renewal narrative.

Close the session by reading **Jeb Blount's** rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*

---

## FAQ

**Should we lead with SAST or with SCA?** Lead with the customer's biggest pain — SAST for greenfield, SCA for legacy with heavy open-source dependency.

**How do we handle a customer mid-Snyk or GitHub Advanced Security renewal?** Run a **complementary deployment** in a non-overlapping scan type (e.g., container while incumbent runs SAST). Build proof for the displacement conversation at renewal.

**What is the right POC size for a Tier-1 enterprise?** **60 days, 5+ production repos, PR-merge time and FPR deltas delivered.**

**How do we price against GitHub Advanced Security's bundled positioning?** GHAS wins on bundled pricing for GitHub-native customers; we win on **reachability and FPR depth**. Position complementary at the entry tier.

**What if the customer asks us to integrate with their existing ticketing and ITSM?** Yes — every modern DevSecOps vendor integrates with Jira, ServiceNow, Linear, GitHub Issues. Demo live in the POC.

## Sources

- Gartner — Magic Quadrant for Application Security Testing (2026)
- Forrester — The Forrester Wave: Software Composition Analysis (2026)
- Snyk — State of Open Source Security Report (2026)
- Semgrep — Developer Security Survey (2026)
- Sonatype — State of the Software Supply Chain (2026)
- GitHub — State of the Octoverse Security Findings (2026)
- Force Management — Command of the Message and MEDDPICC Reference (2026)
- Mark Roberge — "The Sales Acceleration Formula" Premium-Pricing Chapter
- Andy Paul — "Sell Without Selling Out" Discovery Cadence
- Jeb Blount — "Fanatical Prospecting" Renewal-First Doctrine

Was this helpful?

Related in the library