Grey Baker

The Man Behind GitHub's Security Empire

Grey Baker's LinkedIn says "Visiting Partner at Y Combinator." His GitHub profile - username greysteil - contains a repository called where-is-grey, a relic from the year he cycled approximately 30,000 kilometers around the world between his last startup and his next one. Both things are true, and together they explain something important about how he operates.

Baker came up through Cambridge - BA in Mathematics, then a Diploma and MPhil in Economics, finishing ranked first in a cohort of 72 for the MPhil and collecting the Stevenson Prize along the way. He joined McKinsey out of Cambridge, spent two years doing strategy work across retail banking, pharmaceuticals, and consumer goods, then left. Not to start a company. To learn to code.

In six months, he taught himself software engineering from nothing. Then he joined GoCardless as employee number six, eventually becoming VP of Product and Engineering. When he arrived, the company processed £100,000 a month. When he left, it was £100 million. The team went from 6 to 100+ people. That's not a resume line - that's a working definition of what "operator" means in practice.

He left GoCardless in 2016. Rather than launch a startup immediately, he got on a bike. The around-the-world cycling journey was not a gap year - he tracked his location publicly, documented the whole thing, and presumably had plenty of time on mountain passes to think about what he actually wanted to build. When he came back, he knew.

Dependabot was born as a side project - a tool that automatically keeps software dependencies up to date and patches security vulnerabilities before they become incidents. Baker co-founded it with Harry Marr. No venture funding. No accelerator. Just two people building something they wanted to exist. By the time GitHub noticed, Dependabot had passed $14,000 in monthly recurring revenue and was used by over a million developers.

GitHub acquired Dependabot in 2019. Baker joined the company - not to manage a product backlog, but to build a business unit. He launched GitHub Advanced Security, integrated the Semmle acquisition (50 engineers), and created the code scanning and secret scanning products that now protect repositories at enterprise scale. Under his leadership, GitHub Advanced Security reached $140M ARR - 13% of GitHub's entire revenue. That's an unusual number for a security product built inside a platform company.

After GitHub, Baker moved again - this time into the S23 batch at Y Combinator as co-founder of Pincites, an AI tool for contract negotiation built with Sona and Mariam Sulakian. The company was acquired by Filevine in December 2025, making it Baker's third significant exit. He now serves as a Visiting Partner at YC, working with early-stage founders on the problems he spent the last fifteen years solving by hand.

What makes Baker unusual isn't the exits or the revenue numbers - plenty of people have those. It's the pattern. McKinsey to self-taught engineer. GoCardless VP to world cyclist. Bootstrapped founder to GitHub director to YC partner. Each move looks improbable from the previous one, and inevitable in retrospect. He's not optimizing for a category - he's following the problem.

He reads Virginia Woolf to decompress. He credits "The Waves" with influencing his career path at GoCardless. His non-fiction preferences run to "A History of the World in 100 Objects" and Taiichi Ohno's Toyota Production System - the kind of reading list that tells you more about someone's thinking than their title does.

The Dependabot story is particularly instructive. Baker didn't pitch it to investors. He didn't build a team first. He built the thing, put it on GitHub Marketplace, and let it grow. The marketplace listing was the inflection point - the moment a side project became a company. When GitHub acquired it, Dependabot didn't disappear into a product roadmap: it became a native feature that now ships with every repository on the platform, protecting code that millions of developers write every day without thinking about it. That's the best kind of infrastructure - invisible when it's working.

Baker is now on the other side of that table at Y Combinator, which gives him a particular kind of usefulness as a partner. He's built bootstrapped, he's built inside a giant, he's gone through acquisition twice, and he's done it across fintech, developer tools, and AI. The founders he works with don't need another investor who has seen a thousand pitch decks. They need someone who has written the code, fired up the terminal, and figured it out from first principles.

He's that person.