SMBs won’t scale you: The hard truth about expanding upmarket to win enterprise customers

3rdtimeluckystudio // Shutterstock

SMBs won’t scale you: The hard truth about expanding upmarket to win enterprise customers

Every high-growth software company eventually hits the same crossroads: Small and medium businesses (SMBs) can get you started, but only enterprises can get you scale. In this article, Oso, a unified permissions layer for apps and AI, explains what it really takes to break through.

Breakout Companies Hit Their Stride Only After Navigating The Enterprise Shift

For technology vendors, moving from SMBs to enterprises is the most reliable accelerant of growth. It’s also one of the hardest. Larger customers extend deal cycles and demand higher product maturity. The payoff: bigger contracts, faster revenue expansion, and stronger valuations.

Take Amazon Web Services as an example. AWS launched in 2006, targeting developers and startups, but its growth accelerated as enterprises and regulated businesses started migrating core workloads post-2012. This followed heavy investments in security and compliance certifications (SOC 1/2/3, ISO 27001, PCI DSS, HIPAA eligibility, and FedRAMP authorization), the release of Amazon VPC in 2009, followed by IAM and Direct Connect in 2011, the build out of the Amazon Partner Network starting in 2012, and the expansion of mission-critical cloud services such as databases and data warehouses, By 2024, AWS had reached $108 billion in annual revenue, up 19% year-over-year, serving over 2.3 million business and enterprise customers and leading the global cloud market with 31% share.

Gong shows the same pattern. In 2021, six years after its 2015 founding, Gong raised $250 million at a $7.2 billion valuation, with a revenue run rate of about $100 million. By early 2025, that number had surged to over $300 million ARR. Today, four Fortune 10 enterprises, including Google, now use Gong. The number of seven-figure customers more than doubled in the past year, as customer spend shifted from tens to hundreds of thousands of dollars annually. Among its key growth initiatives, the company invested heavily to build out a robust compliance and security program to meet stringent enterprise requirements.

Box started as a consumer file-sharing tool in 2005 but pivoted upmarket around 2008. Box had scaled from a $3 million consumer business to a $1 billion+ enterprise solution today by focusing on enterprise content management.

HubSpot and Shopify show how even SMB-focused companies eventually rely on enterprise demand. After investing in larger customer segments, HubSpot saw deals over 100 seats grow by 55% year-over-year in 2017. Shopify launched Shopify Plus in 2014, and by 2019 the enterprise tier was generating nearly a third of total revenue.

Slack and Zoom highlight how enterprise adoption translates into valuation. Slack, founded in 2013, gained widespread enterprise traction by 2018 after adding enterprise-level capabilities for security, integration, and data protection. These helped propel its $27 billion acquisition by Salesforce in 2021. Zoom, founded in 2011, built for enterprise reliability and security from the start, fueling its 2019 IPO and rapid growth into a global SaaS leader.

AI vendors are now facing the same shift. A 2025 PwC survey found 73% of executives plan to use AI to change their business models, with two-thirds already seeing measurable value. AI Vendors that meet enterprise demands for security, governance, and compliance will capture this spend.

The pattern across all of the examples above is consistent. SMBs provide early traction, but enterprises deliver scale.

Winning Upmarket Means Playing a Different Game

Moving upmarket is simple in theory, hard in practice. Enterprises buy with security reviews, procurement hurdles, and complex IT needs. Vendors win only if they can prove enterprise-grade product, business, and operational strength.

Product Capabilities

Security is the first and last gate. Enterprises expect SSO with major identity providers, strong encryption, data isolation, and certifications like SOC 2, ISO 27001, and GDPR compliance. Just as critical are fine-grained access controls providing the ability to define roles, permissions, and hierarchies that mirror the customer’s organization. Without this, security teams stop adoption cold.

Enterprises also demand auditability. They need clear answers to “who accessed what, when, and why.” Logging, exportable audit trails, and easy compliance reporting cut review cycles and smooth renewals.

Scalability is another test. SMB-grade systems buckle under enterprise loads. Vendors must prove they can handle thousands of concurrent users, massive datasets, and high transaction volumes with predictable latency. SLAs and performance benchmarks turn claims into credibility.

Finally, enterprises want flexibility. No two are alike. Configurable roles, developer APIs, and customizable workflows let customers adapt the product to their processes instead of bending to a one-size-fits-all model.

Business and Operational Capabilities

Enterprise growth depends as much on operations as on the product itself.

Large customers expect enterprise-grade support, including SLAs, 24/7 channels, and dedicated success managers to resolve issues fast. They also demand help taking deployments from pilot to production, including migration and change management. Beyond that, procurement teams scrutinize financial stability, security, and compliance, so clear documentation and governance tools are essential. And because enterprises operate at scale with complex contracts and global structures, vendors must have mature processes to manage the load effectively.

Vendors that can demonstrate these capabilities give enterprises confidence that they are buying into a reliable, long-term partner.

The Roadblocks on the Path Upmarket

Moving from SMBs to enterprises unlocks larger revenue but exposes vendors to new risks:

• Longer sales cycles and higher CAC. Enterprise deals stretch 6–18 months. They involve demos, procurement reviews, and executive approvals. The result: higher acquisition costs and tighter cash flow.
• Security and compliance scrutiny. What SMBs overlook can sink an enterprise deal. Vendors face 300-question security assessments, must show certifications like SOC 2 or ISO 27001, and prove fine-grained permissions with full audit trails. Without this, deals stall.
• Product gaps and custom demands. Features that win SMBs rarely meet enterprise needs. Buyers expect SSO, audit logging, and integrations. Early enterprise customers also push for custom features, which bloats the roadmap and pulls engineers off core work.
• Operational strain. Enterprises expect deep support—SLAs, 24/7 coverage, and success managers. Losing a single account can erase millions in ARR, so retention is as critical as acquisition. Companies also need cultural shifts: moving from fast SMB cycles to slower, compliance-heavy motions without overspending on premature sales hires or one-off features.

Enterprises open the door to durable, high-value growth, but only for vendors that meet strict standards in security, compliance, and operations.

Enterprise Buyers Don’t Reward Vendors For Reinventing Infrastructure.

The pattern across successful technology companies is clear: they offload undifferentiated infrastructure to managed services and focus their engineers on features that set them apart.

This is already the norm in many parts of the stack. Few teams build their own databases when PostgreSQL, MongoDB, or Snowflake are available. API gateways like Kong and Apigee, cloud compute and storage from the hyperscalers, and identity services based on SAML and OpenID Connect are all standard to buy. These components are critical, but they’re not where companies want to spend scarce cycles.

Authorization belongs in the same category. It sits on the critical path for any vendor selling to enterprises or regulated industries. Buyers expect fine-grained permissions, delegated administration, regional residency, and audit logs. Without them, deals stall. High-growth companies increasingly recognize authorization as infrastructure, not differentiation, and are offloading it to an authorization as a service provider accelerates their move upmarket.

Take the popular website experience platform Webflow as an example. Authorization became a critical milestone on their path to acquiring larger enterprise customers. As demand grew from agencies, Fortune 500s, and global brands, Webflow’s original permission system couldn’t keep up, and left gaps for enterprise buyers who expected fine-grained access controls.

Webflow’s recent announcement of CMS Collection Access Control extends enterprise-ready permissions into the core content layer. What once required custom workarounds is now built into Webflow’s experience, enabling customers to define exactly who can create, edit, and publish across sites and teams.

Offload Permissions, Focus on Growth

Winning in the enterprise means knowing where to differentiate and where to lean on proven infrastructure. Just as companies rely on managed services for databases, storage, and identity, they’re now doing the same for authorization.

This story was produced by Oso and reviewed and distributed by Stacker.