
How we plan

Our broad approach to planning is that we only plan as far ahead as is necessary, and we keep our plans flexible as late as is possible.

PortSwigger planning

Suppose you are planning a road trip from New York to San Francisco. If you wished, you could plan every detail of the trip: your vehicle, passengers, route, where you will stay, meals you will eat, how much you will spend, and your exact day and time of arrival. With competent execution, you could precisely deliver on your plan.

Our journey is nothing like this. It is much more akin to the hobbits' mission to Mordor. We know the purpose of the trip, and where we want to end up. But we don't know what route we will take, or even which route might be possible. We don't know who exactly will join us on the journey, what pitfalls we will encounter, what resources we will need, or when we will arrive.

We can certainly make plans for a journey like this. But those plans are essentially a series of guesses. We can decide in some detail the earliest actions we will take. We can form vaguer conjectures about things we might do later and capabilities we might need. We can identify contingencies: things we intend to do if and when certain events occur. And we can make some preparations for the unexpected. But all of these plans are really hypotheses which we need to test against real-world events and update accordingly.

What this analogy means for us in practice is:

  • Beyond the next few months, our roadmap contains large, vaguely-defined initiatives and approximate timeframes.

  • More details are filled in on planned initiatives when they are a few months away.

  • Close to starting work on a large initiative, it is broken down into numerous small tasks, and full details are filled in.

  • We continuously monitor our roadmap to identify dependencies of our plans, and the timeframes involved.

  • Our financial "budgets" are predictions of how our cost base will evolve as we execute our plans. We update these predictions continuously as our plans evolve and real-world events occur. There is no annual budgetary "planning cycle".

  • Spending decisions are made as part of general decisions about what initiatives we pursue. Each spending decision is made on its own merits. We don't allocate budgets and then decide how to spend them.

  • Our biggest expense is our people. Decisions about which teams to grow and which roles to create are made near-continuously, based on a rolling sense of where our capability bottlenecks are. We add a few more people targeting those bottlenecks, and then monitor our progress to decide where to take action next. Our primary constraints on headcount growth are the supply of exceptional people, the pace at which we can assimilate new joiners into our culture, and free cashflow to fund new salaries. None of these factors is fully under our control.