The 8-Figure Email Newsletter — Morning Brew

First few hundred / thousand subscribers were a grind, just continually putting out content.

They have a referral scheme where you get things like:

  • Access to the Sunday episode
  • Access to the FB group where there’s high quality business discussions
  • A t-shirt
  • A mug

Out of the million subscribers

  • 25% referrals
  • 15% organic - people just type in “morning brew” into their browser
  • 60% paid acquisition
  • Word of mouth

They’ve only started doing paid acquisition in the past 2 years but has been very effective on FB and Instagram.

  • They determine how “high quality” a subscriber is by if they opoen 5 out of the first 10 emails.
  • Because paid acquisition was giving them high quality subscribers they really ramped it up.

If you don’t open 4 weeks straight they send them an automated email that says if you don’t click this button we’re going to remove you from the list.

They’ve had a few Macbook give-away days, where they’ll give a Macbook to the person who referred and the person who was referred - they grow mid 5 figures of subscribers on those days.

  • You only get credit when people double opt in - can’t just create throw away burner emails

Asset inventory

  • All your applications in a table
  • is sqreen enabled
  • what environment - development
  • tech stack (languages), what version of the language
  • what ORM it uses?
  • a bunch of prebuilt searches you can use, custom query language
  • which have out of date deps
  • next quarter - plug all of this into their automated system
    • every time someone pushes new code with a vulnerable dep, send webook to notify security team


  • New relic
  • datadog
  • appdynamics
  • Help devs understand apps

security signals (vladimir de turckheim)

  • How can we use in-app signals to inform security team?
  • a PoC in NodeJS
  • Shows that when you log in =/api/login= some CC info is loaded
  • third parties - shows you all communication out with 3rd parties
  • when people are trying to hack you, many of them result in exceptions
  • Can create playbooks - if an action (e.g. this type of error is triggered) more than N times per (user/IP/etc** then send me a slack message / email / etc
  • Will help you build your own custom anomaly changes - no LOC changed in your code

Make all the data they have available to security teams so they can automate as muchh of their workflow as possible.

Customer interview

Stories from the field - Poorna Udupi, CTO at GoodMoney, previously LyraHealth and Health, security engr at Netflix

  • Helps security engineers inform devs of things they need to fix
  • When he was at Netflix - security team spent a lot of time meeting with various devs teams - what creds do apps have, internal/external, what tech stack (polyglot**, they can run scans for you, etc.
    • What should we do to reduce risk? Based on TM, these are the apps we’ll focus on
  • As soon as they made the list of app inventory, immediately changed - devs build new things constantly
  • Running incident response / response playbook automatically is so valuable
    • e.g. shellshock

Reveal: product demo by Cedric Tessier

  • Why wait for an attacker to trigger bad events on your backend to find issues?
  • What if you could find issues ahead of time, automatically?
  • Reveal tab in UI -> “Start a new session”
    • Knows all of the endpoints, meta data, args, etc. from instrumenting the app and traffic observed in production
  • Dynamically loading inside the app all the endpoints - reveal is dynamically injecting requests inside the app. For each one of them, slightly modifies the input, mutates them, to find all the corner cases that could lead to bugs
    • Red - number of exceptions
  • Also learns from its own activity - so next time you do a new session it gets better
  • Then you can go to Events Explorer tab, see exception triggered, etc.
  • Incidents tab - SQL injection detected - shows which DB is used, which DB query was run, URL path + arg that was sent, shows backtrace of program state at the time.
    • Found this vuln in staging, but prod env is protected too
  • Reveal is an IAST
  • Traffic goes to prod - build a mapping (signals, I/Os, exceptions, etc.), structure (routes, params, etc), payloads
  • In staging - smart scanner / fuzzer
  • Generates exceptions/bugs -> tell security team

  • App inventory and in-app WAF are available now
  • Reven and security siganls coming up soon (starting next week**


Can you use WAF and in-app inventory separately?

  • Everything today has been modularized, can use pieces of it without everything.

Pricing of features - still being worked on, will define in next few days.

How does the app inventory work and what data does it discover today and in the coming months?

  • Today: focusing on the meta data - the stack of the app, the ORMs, templating engines, library it uses
  • Security signals augments this with dynamic info of hwo it behaves

There’s lot of interest on product reveal - when will it be available for customers? What does reveal use for scnaning engine? How configurable for customers?

  • We want to build reveal with you, not ready for prime time, but want to partner with you
  • Reveal is loaded in-app, scanner itself is in the app.
  • Agent has been modified to be able to do things like inject requests
  • The business logic behidn the fuzzer is totally generic

They’ve had good success reaching out to people for sponsorship deals by looking for: who is already spending money in this space? And on newsletters?

They charge by number of opens, which they think is better than cost per million CPM impressions or a flat fee, because at least this way you know people may have actually looked at your ad.

They have 3 sales people, many inbound, but mostly trashy. They do mostly outbound.

What is the best medium to give subscribers your content?

What content would be most helpful to them? Things that actually make a difference?

How does this add value for our users?

For any new product they’re thinking about pursuing, he always thinks, “How can I make this a habit for our users?”

It all comes back to expectation.

Yo uhave to love what you’re doing so much and believe in the value you’re providing, bc if you’re expecting something to happen overnight or over a year, you’re setting your expectations theh wrong way.

He’s done the Morning Brew every day for the past 4 years. He’s thought about it every single day.