What is the Trojan Horse strategy?

The Trojan Horse strategy is the market-entry pattern where a startup enters a regulated, network-effect-protected, or entrenched market by first offering a non-threatening “Trojan” product that gets the company in, then expanding the offering toward the real strategic target once inside. The metaphor — from Greek mythology — emphasises that the entry product is not the destination; it is the vehicle that bypasses defensive systems.

Classic examples

Stripe’s entry into payments via developer-friendly APIs (Trojan) before expanding to banking-as-a-service, treasury, and full financial infrastructure (real target). Twilio’s entry via an SMS-API utility (Trojan) before expanding to a customer-engagement platform. AWS’s entry via S3 storage (Trojan) before expanding to compute, ML, databases, and full cloud-platform dominance. In each case, the simple initial product earned trust, customer data, and developer relationships that the strategic-target product could not have won directly.

Why Trojans work

Three structural reasons. (1) Lower defensive trigger — incumbents don’t recognise the Trojan as a threat because it appears to address a small niche. (2) Customer onboarding — the Trojan creates the integration relationship that makes expansion easy later. (3) Capability build-up — operating the Trojan teaches the team the operational complexity of the broader market.

How to choose a Trojan product

Three filters. (1) Real customer pain — the Trojan must be a painkiller in its own right, not just a strategic wrapper. (2) Adjacency to strategic target — the Trojan must share customers, infrastructure, or data with the real target. (3) Non-threatening to incumbents — incumbents must see the Trojan as a niche tool, not a competitor. If incumbents recognise the threat, the Trojan loses its bypass advantage.

Trojan strategy in regulated markets

Regulated markets — banking, healthcare, education, defence — particularly reward Trojan strategies. Direct competition with incumbents triggers regulatory protection and incumbent legal defence. Trojan entry via adjacent services (developer tooling, compliance helpers, data integration) allows the startup to build capabilities and customer relationships before tackling the regulated core. Plaid in banking, Veeva in pharma life sciences, and Auth0 in identity all followed Trojan patterns.

Türkiye context

Turkish regulated markets (BDDK banking, SPK securities, Sağlık Bakanlığı healthcare, MEB education) particularly reward Trojan strategies because direct license-based competition is slow and capital-intensive. Successful Turkish startups in these spaces often enter via SaaS tools or compliance helpers, build customer relationships, then expand into the licensed-and-protected core when regulatory permission and customer trust both arrive.

Related: Wedge / Beachhead, Aggregation Theory, Cold Start Problem.