Hold The Churn

Hold The Churn with Mike Kim, Co-founder & CEO at Mycroft

Mycroft CEO Mike Kim on scaling agentic security to 100+ customers — sell before you build, virtual CISO retention, and why silence signals churn.

Chandrika Maheshwari


In this episode of Hold The Churn, we sat down with Mike Kim, co-founder and CEO of Mycroft — an agentic AI platform that acts as a virtual security and compliance officer for B2B SaaS companies.

Mike spent over a decade in security and compliance at KPMG, EY, FreshBooks, and PartnerStack before starting Mycroft in 2024. In under two years, he scaled the company to more than 100 customers — doing it, as he puts it, without a playbook.

What We Covered

Why security is a retention problem, not just a product problem

When security is working, nothing happens — and that's the point. Mike talks about the tension of proving value in a domain where silence means success, and how Mycroft has shifted toward a trusted-advisor model as cybersecurity has become a board-level issue.

The virtual CISO motion

Mycroft isn't just a tool — it's an extension of the customer's team. Mike shares how that changes what customers expect from onboarding through post-sales, and why the stickiest accounts are the ones where sales, engineering, CX, and ops all interface with Mycroft — not just the security team.

Scaling without a playbook

With 100+ customers on a lean team, Mycroft crossed the early-stage chasm by treating agents and systems as force multipliers. Mike walks through how Quivly became their system of record for post-sales — and why good foundations (the "plumbing") are what actually let you move fast with AI.

Sell before you build

Mike's sharpest founder advice: commit to an outcome, get someone to buy it, then figure out how to deliver. Building has become commoditized — the hard part is knowing what to build in the first place.

Boiling the frog: change management in compliance

Security improvements add friction on purpose. Mike explains how Mycroft ramps customers slowly and deliberately — celebrating small wins instead of trying to fix everything overnight — and why that "boil the ocean" trap leads to fake compliance.

Learning to say no

The hardest transition from early stage: moving from "yes to everything" to knowing which customers and requests deserve focus. Mike shares how that shift changed Mycroft's retention and profitability.

Predictive product bets

Coming from Fortune 500 advisory work gave Mike a lens on where customers will need to be protected next. He talks about the retention payoff when you ship a feature before the customer asks for it — and when a news headline validates a bet you made months earlier.

Certification churn vs. real relationships

Some customers only want the SOC 2 badge. Mike explains how Mycroft phases delivery, builds relationships beyond the audit, and why the ones who churn after certification probably weren't the right fit to begin with.

Silence is the killer

The loudest customers — the ones complaining the most — tend to be the stickiest. Mike's early churn signal: when customers go quiet and stop responding.

Key Takeaways

On selling first: "Sell something before you build anything. You should be scared of how to deliver something — I sold something, I promised something to a customer, and I need to build it. That should be the question you're asking, not the other way around."

On proving value in security: "When cyber security is performing at its highest, nothing should be happening. It means we're doing our jobs. The challenge is relaying that value when the customer feels like they're paying for nothing — but that means you're doing your job."

On the trusted advisor model: "The biggest indicator of success for us isn't how often a customer logs in. It's how much of the organization — sales, CX, engineering, ops — is actually interfacing with our team. That's one of the biggest indicators for stickiness."

On systems and AI: "SaaS is transforming into a system of record and outcome-driven services. The faster you have the proper plumbing, the faster you can enable your team to utilize AI. Things slow down a little bit to really go faster."

On founder myopia: "Every founder has an obsession with the problem — that's great. But a lot of founders get too myopic. I wanted to build a product I could self-onboard on. Of course I could — I'm a practitioner by trade. Customers wanted a support network they could really work with."

On building in public: "You're always going to get the filtered output of what people share. I wish founders shared their battle scars more — every screw-up, every mess-up. It discourages people from building, and we need more builders out there."

About Mike

Mike Kim is co-founder and CEO of Mycroft, where he is building agentic AI for security and compliance. Before Mycroft, he spent over a decade in advisory and in-house security roles at KPMG, EY, FreshBooks, and PartnerStack. Mycroft's post-sales team runs on Quivly — a full-circle story of building agentic security on one side of the house while scaling customer relationships with AI on the other.

Listen to the Episode

Full episode available on Spotify, Apple Podcasts, and YouTube.

Watch on YouTube: https://www.youtube.com/watch?v=LbJHjEIsusQ
