SMBs Won’t Scale You: The Hard Truth About Expanding Upmarket to Win Enterprise Customers

Every high-growth software company eventually hits the same crossroads: small and medium businesses (SMBs) can get you started, but only enterprises can get you scale. In this article, you’ll learn what it really takes to break through

Breakout Companies Hit Their Stride Only After Navigating The Enterprise Shift

For technology vendors, moving from SMBs to enterprises is the most reliable accelerant of growth. It’s also one of the hardest. Larger customers extend deal cycles and demand higher product maturity. The payoff: bigger contracts, faster revenue expansion, and stronger valuations.

Take Amazon Web Services as an example. AWS launched in 2006 targeting developers and startups, but its growth accelerated as enterprises and regulated businesses started migrating core workloads post-2012. This followed heavy investments in security and compliance certifications (SOC 1/2/3, ISO 27001, PCI DSS, HIPAA eligibility, and FedRAMP authorization), the release of Amazon VPC in 2009, followed by IAM and Direct Connect in 2011, the build out of the Amazon Partner Network starting in 2012, and the expansion of mission-critical cloud services such as databases and data warehouses,  By 2024, AWS had reached $108 billion1 in annual revenue, up 19% year-over-year, serving over 2.3 million business and enterprise customers and leading the global cloud market with 31% share.

Gong shows the same pattern2. In 2021, six years after its 2015 founding, Gong raised $250 million at a $7.2 billion valuation, with a revenue run rate of about $100 million. By early 2025, that number had surged to over $300 million ARR. Today, four Fortune 10 enterprises, including Google, now use Gong. The number of seven-figure customers more than doubled in the past year, as customer spend shifted from tens to hundreds of thousands of dollars annually. Among its key growth initiatives, the company invested heavily to build out a robust compliance and security program3 to meet stringent enterprise requirements.  

Box started as a consumer file-sharing tool in 2005 but pivoted upmarket around 2008. Box had scaled from a $3 million consumer business to a $1 billion+ enterprise solution today4 by focusing on enterprise content management.

HubSpot and Shopify show how even SMB-focused companies eventually rely on enterprise demand. After investing in larger customer segments, HubSpot5 saw deals over 100 seats grow by 55% year-over-year in 2017. Shopify launched Shopify Plus in 2014, and by 2019 the enterprise tier was generating nearly a third of total revenue.

Slack and Zoom highlight how enterprise adoption translates into valuation. Slack, founded in 2013, gained widespread enterprise traction by 2018 after adding enterprise-level capabilities for security, integration, and data protection. These helped propel its $27 billion acquisition by Salesforce in 2021. Zoom, founded in 2011, built for enterprise reliability and security from the start, fueling its 2019 IPO and rapid growth into a global SaaS leader.

AI vendors are now facing the same shift. A 2025 PwC survey6 found 73% of executives plan to use AI to change their business models, with two-thirds already seeing measurable value. AI Vendors that meet enterprise demands for security, governance, and compliance will capture this spend.

The pattern across all of the examples above is consistent. SMBs provide early traction, but enterprises deliver scale. 

Winning Upmarket Means Playing a Different Game

Moving upmarket is simple in theory, hard in practice. Enterprises buy with security reviews, procurement hurdles, and complex IT needs. Vendors win only if they can prove enterprise-grade product, business, and operational strength.

Product Capabilities 

Security is the first and last gate. Enterprises expect SSO with major identity providers, strong encryption, data isolation, and certifications like SOC 2, ISO 27001, and GDPR. Just as critical are fine-grained access controls providing the ability to define roles, permissions, and hierarchies that mirror the customer’s organization. Without this, security teams stop adoption cold.

Enterprises also demand auditability. They need clear answers to “who accessed what, when, and why.” Logging, exportable audit trails, and easy compliance reporting cut review cycles and smooth renewals.

Scalability is another test. SMB-grade systems buckle under enterprise loads. Vendors must prove they can handle thousands of concurrent users, massive datasets, and high transaction volumes with predictable latency. SLAs and performance benchmarks turn claims into credibility.

Finally, enterprises want flexibility. No two are alike. Configurable roles, developer APIs, and customizable workflows let customers adapt the product to their processes instead of bending to a one-size-fits-all model.

Business and Operational Capabilities 

Enterprise growth depends as much on operations as on the product itself. 

Large customers expect enterprise-grade support including SLAs, 24/7 channels, and dedicated success managers to resolve issues fast. They also demand help taking deployments from pilot to production, including migration and change management. Beyond that, procurement teams scrutinize financial stability, security, and compliance, so clear documentation and governance tools are essential. And because enterprises operate at scale with complex contracts and global structures, vendors must have mature processes to manage the load effectively.

Vendors that can demonstrate these capabilities give enterprises confidence they are buying into a reliable, long-term partner.

The Roadblocks on the Path Upmarket

Moving from SMBs to enterprises unlocks larger revenue but exposes vendors to new risks:

  • Longer sales cycles and higher CAC. Enterprise deals stretch 6–18 months. They involve demos, procurement reviews, and executive approvals. The result: higher acquisition costs and tighter cash flow.
  • Security and compliance scrutiny. What SMBs overlook can sink an enterprise deal. Vendors face 300-question security assessments, must show certifications like SOC 2 or ISO 27001, and prove fine-grained permissions with full audit trails. Without this, deals stall.
  • Product gaps and custom demands. Features that win SMBs rarely meet enterprise needs. Buyers expect SSO, audit logging, and integrations. Early enterprise customers also push for custom features, which bloats the roadmap and pulls engineers off core work.
  • Operational strain. Enterprises expect deep support—SLAs, 24/7 coverage, and success managers. Losing a single account can erase millions in ARR, so retention is as critical as acquisition. Companies also need cultural shifts: moving from fast SMB cycles to slower, compliance-heavy motions without overspending on premature sales hires or one-off features.

Enterprises open the door to durable, high-value growth, but only for vendors that meet strict standards in security, compliance, and operations.

Enterprise Buyers Don’t Reward Vendors For Reinventing Infrastructure.

The pattern across successful technology companies is clear: they offload undifferentiated infrastructure to managed services and focus their engineers on features that set them apart.

This is already the norm in other parts of the stack. Few teams build their own databases when PostgreSQL, MongoDB, or Snowflake are available. API gateways like Kong and Apigee, cloud compute and storage from the hyperscalers, and identity services based on SAML and OpenID Connect are all standard to buy. These components are critical, but they’re not where companies want to spend scarce cycles.

Authorization belongs in the same category. It sits on the critical path for any vendor selling to enterprises or regulated industries. Buyers expect fine-grained permissions, delegated administration, regional residency, and audit logs. Without them, deals stall. High-growth companies increasingly recognize authorization as infrastructure, not differentiation, and offloading it accelerates their move upmarket.

That’s where  Oso comes in. Oso provides a unified permissions layer that models any enterprise or LLM access pattern, enforces it consistently across services, and adapts as requirements change. Treating authorization as infrastructure frees engineers to focus on differentiated product features while clearing one of the most persistent blockers to enterprise adoption.

Authorization Unblocks Upmarket Expansion at Webflow, Intercom, and Productboard

From web platforms to customer service to product management, companies across sectors hit the same wall moving upmarket: homegrown authorization couldn’t keep up with enterprise demands. Oso gave each a secure, scalable foundation to clear that barrier and grow.

Webflow needed fine-grained permissions to win larger accounts, but its JSON-based system slowed under load and bogged down developers. By adopting Oso’s centralized policy architecture, Webflow gained scalable RBAC, ReBAC, and ABAC support, sub-10 ms checks, and compliance tooling. The result: enterprise-grade access controls, improved reliability, and a foundation for broader web experiences. You can learn more by reading the Webflow and Oso case study here. 

"Oso brings us peace of mind. Authorization should be a utility, like water or power. It should just work, so we can keep innovating for our users instead of rebuilding the wheel." - Justin Helmer, Senior Staff Engineer, Webflow

Intercom spread custom authorization logic across its Rails app. Changes were slow, bugs were common, and authorization issues topped its bug bounty. In three weeks, two engineers migrated to Oso. Today, Oso authorizes over 250,000 users a day, eliminated authorization bugs, and enabled fine-grained features that cleared the path upmarket. 

"We went all in on Oso and it has been really great for us. As we moved upmarket, being able to consistently and accurately implement authorization features helped us move a lot faster - and resolved a never ending source of bugs and confusion." - Brian Scanlan, Principal Engineer, Intercom

Productboard replaced its limited, hard-coded model with Oso’s flexible permissions layer. It now delivers enterprise-grade controls, from custom roles down to field-level rules, while enabling secure agentic AI workflows. The team estimates Oso accelerated enterprise readiness by 2–3 years. You can read the full Productboard and Oso case study here

"Oso made building Productboard Pulse much faster, since every API can just call Oso to figure out what’s allowed, no matter where the data resides. By building on top of a proven authorization foundation, we’ve avoided the biggest hurdles derailing AI efforts in many companies." - Matúš Koperniech, Staff Engineer, Productboard

Offload Permissions, Focus on Growth

Winning in the enterprise means knowing where to differentiate and where to lean on proven infrastructure. Just as companies rely on managed services for databases, storage, and identity, they’re now doing the same for authorization. 

Oso makes it simple to deliver fine-grained, auditable permissions without derailing your roadmap—freeing your team to focus on what makes your product unique. Talk to us to see how Oso can help you scale upmarket with confidence.

1 https://www.techmonitor.ai/hardware/cloud/cloud-infrastructure-market-330bn-2024-genai-growth

2 https://www.calcalistech.com/ctechnews/article/sybh2ass1g

3 https://www.gong.io/trust-center/compliance/

4 https://www.zuora.com/our-customers/case-studies/box/

5 https://www.saastr.com/hubspot-and-shopify-are-both-going-more-enterprise-but-also-more-smb/

6 https://www.pwc.com/us/en/tech-effect/ai-analytics/ai-predictions.html

Want us to remind you?
We'll email you before the event with a friendly reminder.

Frequently asked questions

About the author

Mat Keep

Product Marketer

Mat Keep is a product strategist with three decades of experience in developer tools and enterprise data infrastructure. He has held senior product roles at leading relational and NoSQL database vendors along with data engineering and AIOps providers. Today, he works as an independent advisor helping technology companies navigate the transformative impact of AI. At Oso, he focuses on how secure, scalable authorization can accelerate AI adoption.

Write your first policy