Discovery, value mapping & the 90-day pilot
Diagnose before demonstrating; turn a useful tool into a controlled rollout.
Diagnose before you demonstrate
After this you can open a discovery call by mapping the buyer's real bottleneck before showing a single completion.
The fastest way to lose an enterprise deal is to open your laptop and start a demo. Your job isn't to show what Cursor does. It's to find out what is actually broken in how this org ships software, then prove Cursor moves that needle. Diagnose first, prescribe second.
A demo that lands on the wrong pain is worse than no demo. You've spent your one moment of attention proving you didn't listen. The Field Engineer who wins can sit with a VP of Eng and reconstruct, in their language, exactly where their delivery pipeline stalls before showing a single completion.
"I don't want to demo yet. Walk me through the last meaningful change you shipped, from request to production and tell me where it sat waiting. Then I'll show you the two places we'd attack first."
That reframe earns you three things:
- It signals you're an engineer, not a vendor.
- It pushes them to expose the real bottleneck instead of a sanitized one.
- It buys you the right to be selective about what you demo.
Selectivity is credibility.
Discovery is the deliverable, not the warm-up. Value mapping, the maturity ladder, the 90-day pilot, the scorecard: each one is only as good as the facts you gather here. Garbage discovery produces a pilot that proves nothing.
Takeaway. Diagnose before you demonstrate. A demo aimed at the wrong pain spends your one window proving you didn't listen.
Self-check
The 7-dimension discovery framework
After this you can run a discovery conversation across seven dimensions and tag every answer fact, hypothesis or unknown.
Structured discovery beats charisma. You map seven dimensions and every answer gets one of three tags:
- A fact (they told you, you verified).
- A hypothesis (your inference, still needs confirming).
- An unknown (you don't know and it matters).
That tagging discipline is what separates a real account plan from a wishlist.
- Dimension
- Org shape
- What you're really after
- Team count, reporting lines, who owns dev tooling, champion vs. economic buyer
- Killer question
- Who decides what every engineer's editor is - and who pays for it?
- Dimension
- SDLC
- What you're really after
- How work flows: request → design → code → review → merge → release
- Killer question
- Where does a change wait the longest between idea and prod?
- Dimension
- CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often.
- What you're really after
- Pipeline maturity, gates, test coverage, deploy frequency
- Killer question
- How long is your PR-to-merge and merge-to-deploy cycle today?
- Dimension
- Security posture
- What you're really after
- Data residency, model approvals, ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. needs, compliance regime
- Killer question
- What's your bar for a tool that sees source code - and who signs off?
- Dimension
- Current AI usage
- What you're really after
- What's already in use, sanctioned or not - incl. shadow AI
- Killer question
- What AI tools are engineers using today that procurement doesn't know about?
- Dimension
- Pain
- What you're really after
- The concrete, measurable bottleneck worth money
- Killer question
- If you could delete one recurring delay, which one?
- Dimension
- Buying process
- What you're really after
- Budget, cycle, paper, security review, who can say no
- Killer question
- What did your last six-figure tooling purchase actually require to close?
| Dimension | What you're really after | Killer question |
|---|---|---|
| Org shape | Team count, reporting lines, who owns dev tooling, champion vs. economic buyer | Who decides what every engineer's editor is - and who pays for it? |
| SDLC | How work flows: request → design → code → review → merge → release | Where does a change wait the longest between idea and prod? |
| CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often. | Pipeline maturity, gates, test coverage, deploy frequency | How long is your PR-to-merge and merge-to-deploy cycle today? |
| Security posture | Data residency, model approvals, ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. needs, compliance regime | What's your bar for a tool that sees source code - and who signs off? |
| Current AI usage | What's already in use, sanctioned or not - incl. shadow AI | What AI tools are engineers using today that procurement doesn't know about? |
| Pain | The concrete, measurable bottleneck worth money | If you could delete one recurring delay, which one? |
| Buying process | Budget, cycle, paper, security review, who can say no | What did your last six-figure tooling purchase actually require to close? |
Seven dimensions. Tag every answer fact / hypothesis / unknown. The unknowns are your next-meeting agenda.
The most dangerous tag is a hypothesis you've recorded as a fact. 'They have mature CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often.' because the champion said so stays a hypothesis until you've seen the pipeline. Pilots die when an assumed fact turns out false in week three.
- Fact
- Stated by the org AND corroborated by a number, a screenshot or a doc. Safe to build a pilot on.
- Hypothesis
- Your inference or their unverified claim. Confirm it before it shapes scope.
- Unknown
- A gap that materially affects the deal. It becomes an explicit agenda item, never silently ignored.
Instrumenting the 'current AI usage' dimensionread adoption, don't guess it
'Current AI usage' is the dimension reps fudge the most. They log 'they use some AI' and move on. There's a concrete instrument for reading it. Once a customer is in (or in a pilot), the admin analytics give you two signals you read together: a team's or person's request volume and their acceptance rate of committed AI code. Plot them as a quadrant and each cell prescribes a different action.
- Signal pattern
- High volume + high acceptance
- What it means
- Power users. They've found the workflows that work.
- Your move
- Learn how they prompt (shared knowledge / shared transcripts), then distribute those learnings across teams.
- Signal pattern
- High volume + low acceptance
- What it means
- Trying hard, getting poor output.
- Your move
- An enablement and training opportunity, not a churn risk. Coach the prompting.
- Signal pattern
- Low volume
- What it means
- Not really adopting yet.
- Your move
- Drive awareness and adoption; find the one workflow that hooks them.
| Signal pattern | What it means | Your move |
|---|---|---|
| High volume + high acceptance | Power users. They've found the workflows that work. | Learn how they prompt (shared knowledge / shared transcripts), then distribute those learnings across teams. |
| High volume + low acceptance | Trying hard, getting poor output. | An enablement and training opportunity, not a churn risk. Coach the prompting. |
| Low volume | Not really adopting yet. | Drive awareness and adoption; find the one workflow that hooks them. |
Request volume × acceptance rate. Admins can enable shared knowledge / shared transcripts at team level to study exactly how a power user works.
People are blind to what's automatable in their own workflow. The canonical story: a Cursor engineer hand-posted a daily usage update to Slack for weeks before a teammate said 'why don't you just automate this?' (now an automation queries the data via MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. and posts it). Probe in discovery for the repetitive thing a champion does by hand every day. That's the most fertile ground for a quick, sticky early win.
Takeaway. The deadliest error in discovery is logging a hypothesis as a fact: that's the assumption that blows the pilot up in week three.
Self-check
QWhich is the correct characterization of how to record a champion's claim that 'our security team will approve anything SOC 2 Type II'?
QReading the admin analytics, a team shows HIGH request volume but a LOW acceptance rate of committed AI code. What does that pattern mean and what do you do?
Shadow AI is a sale, not a scandal
After this you can turn a shadow-AI finding into a governance pitch instead of weaponizing it against your champion.
In nearly every enterprise you walk into, engineers are already pasting code into consumer chatbots and leaning on unsanctioned assistants. Procurement doesn't know. Security definitely doesn't. A bad rep's instinct is to weaponize this: 'your developers are leaking IP!' Don't. Fear sells one meeting and poisons the relationship.
Shadow AI is demand that already exists. Your job is to convert ungoverned usage into governed usage, not to expose it as a scandal. The engineers have already proven the appetite and the productivity case for you. You're replacing a risk with a control.
This is where Cursor's enterprise control plane becomes the pitch, not the features. Ungoverned chatbot usage means no audit trail, no data-handling guarantees, no model allowlist and source code leaving the building. Governed Cursor usage gives the org Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it., model/MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs./repo allowlists, SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool./SAMLAn enterprise standard that powers single sign-on./OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. with SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave., RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually., audit logs and AI-code tracking. Same productivity, now with a paper trail security can defend.
Source pasted into consumer tools
No audit log, no data residency control
No model or repo allowlist
Security finds out via incident, not dashboard
Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it.; AES-256 at rest, TLS 1.2+
Audit logs + AI-code tracking
Model / MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. / repo allowlists, terminal sandboxing
SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool./SAMLAn enterprise standard that powers single sign-on./OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth., SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave., RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. under one admin plane
Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. and ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. are real Cursor controls. Note one boundary: ZDR does NOT apply when teams bring their own API keys. Know it cold, because a security reviewer will test it.
Takeaway. Shadow AI is proven demand. Convert ungoverned usage into governed usage and you're replacing a risk with a control, not running a sting on your champion.
Self-check
Value mapping: pain → capability → metric → money
After this you can carry a persona's pain through capability and metric to a dollar unit the economic buyer already budgets against.
Discovery surfaces pain. Value mapping converts it into a number the economic buyer cares about. The chain is always the same:
- 1A persona's pain.
- 2The Cursor capability that addresses it.
- 3The metric that proves it.
- 4The economic translation into engineer-hours, cycle time or time-to-first-commit.
- Persona
- Staff/Senior Eng
- Pain
- Context-switching across repos to make one change
- Capability
- Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop.: guided environments, snapshots, /in-cloud subagents and local/cloud handoff
- Metric
- Cycle time per cross-repo change
- Economic translation
- Engineer-hours reclaimed per sprint
- Persona
- Reviewer / Tech Lead
- Pain
- Review queue backs up; bugs slip through
- Capability
- BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. (~90-second average review, ~10% more bugs found, ~22% lower run cost)
- Metric
- PR-to-merge time; escaped-defect rate
- Economic translation
- Faster merge cadence; fewer prod incidents
- Persona
- New hire
- Pain
- Weeks to first meaningful commit in an unfamiliar codebase
- Capability
- Codebase-aware chat + governed workflows
- Metric
- Time-to-first-commit
- Economic translation
- Onboarding cost per new engineer
- Persona
- Eng Director
- Pain
- Can't see or govern AI usage across teams
- Capability
- Organizations admin plane, Teams, Groups, usage analytics and audit logs
- Metric
- % governed AI usage; policy coverage
- Economic translation
- Risk reduction + spend visibility
| Persona | Pain | Capability | Metric | Economic translation |
|---|---|---|---|---|
| Staff/Senior Eng | Context-switching across repos to make one change | Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop.: guided environments, snapshots, /in-cloud subagents and local/cloud handoff | Cycle time per cross-repo change | Engineer-hours reclaimed per sprint |
| Reviewer / Tech Lead | Review queue backs up; bugs slip through | BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. (~90-second average review, ~10% more bugs found, ~22% lower run cost) | PR-to-merge time; escaped-defect rate | Faster merge cadence; fewer prod incidents |
| New hire | Weeks to first meaningful commit in an unfamiliar codebase | Codebase-aware chat + governed workflows | Time-to-first-commit | Onboarding cost per new engineer |
| Eng Director | Can't see or govern AI usage across teams | Organizations admin plane, Teams, Groups, usage analytics and audit logs | % governed AI usage; policy coverage | Risk reduction + spend visibility |
Every row ends in a unit the economic buyer already budgets against.
"Your champions will tell you it 'feels faster.' The CFO doesn't buy feelings. I'll translate every win into engineer-hours per sprint, days off your cycle time and weeks off new-hire time-to-first-commit - the three lines your finance team already tracks."
The translation step is non-negotiable. A capability with a metric but no economic unit dies in the procurement review. 'BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. finds 10% more bugs' is a feature. 'Bugbot cuts escaped defects and at your incident rate that's N fewer Sev-2s a quarter at $X each' is a business case.
ROI is a journey: qualitative → quantitative → dollarsmeet the buyer where their proof is
Proving ROIReturn on Investment. The value gained versus what it cost, the language an economic buyer funds deals in. isn't one number, it's a staged climb and where the customer sits on it tells you what evidence they'll accept. Start with qualitative signal (are engineers excited, do they feel more productive), move to quantitative productivity (PR velocityHow quickly pull requests are merged; the easiest delivery metric to measure, though it sits furthest from the customer outcome., code quality, bug counts, % of code turned over), then land on real dollars.
- Velocity
- Cursor reports velocity increases upward of 30% and rising.
- Automations
- Save ~30-60 min/day per person; an automation costs a tiny fraction of an engineer's salary but can make them 10-20% more effective.
- Dollars framing
- 'Pull-forward revenue': when AI collapses deployment from weeks/months to days, teams pull roadmap items (and their revenue) forward.
- Dogfooding proof
- ~30-40% of Cursor's own merged PRs are created end-to-end by cloud agents; a power-user engineer estimates ~70% of theirs. (Verify before quoting.)
Use the highest-credibility evidence the customer is ready for, and reach for the dollar framing the moment a CFO is in the room. The 'pull-forward revenue' line is the one that lands with finance, because it reframes the spend as revenue acceleration rather than a cost. (Treat the specific percentages as perishable and verify before quoting them.)
Don't map every capability to every persona. That's a feature dump in a table costume. Map the two or three pains worth real money to this org and translate those hard. Depth over coverage.
Takeaway. A metric with no economic unit dies in procurement. Always land the chain on a dollar line finance already tracks.
Self-check
The maturity ladder: stage capabilities, not users
After this you can place an org on the autonomy ladder and pick the one rung above where they sit today.
The most common adoption failure treats rollout as a headcount ramp: 'get 200 seats live.' Wrong axis. You stage capabilities by trust, not users by quantity. Each rung is a more autonomous way of working and you only climb when the org has earned the trust to hold the rung below.
Interactive diagram. Step through it with the Next and Previous controls below, or Tab to a region to read its detail.
Climb by trust, not by seat count. Lead with the top rung in a low-trust org and you lose the room: it reads as reckless, not impressive.
- 1Assistive - completions and in-editor chat. The human writes every line, AI accelerates. The trust floor.
- 2Governed workflow - sanctioned rules (.cursor/BUGBOT.md), model/repo allowlists, Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. on. AI inside guardrails.
- 3Repository workflow - BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. on PRs, codebase-aware agents operating across a repo with review gates.
- 4Pipeline / SDK - agents wired into CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often. and programmatic flows; bounded fixes prepared by isolated cloud agents and reviewed by humans.
- 5Higher autonomy - Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. with reusable environments, /in-cloud subagents, local/cloud handoff, terminal + browser, minimal supervision.
Never lead with the highest-autonomy rung in a low-trust org. Autonomous cloud agents shipping multi-repo changes is the right destination. Pitch it on day one to a risk-averse security culture and it reads as reckless, ending the conversation. Meet them one rung above where they are.
Locate the org with the 'three eras' vocabularyattention, not features
The ladder maps onto Cursor's own framing of where the industry is, defined by where a developer's attention goes. Use it to place an org out loud:
- Era 1 - Tab
- Autocomplete. Attention is on keystrokes. Maps to the assistive rung.
- Era 2 - synchronous agents
- Agent rides shotgun, you steer every step. Attention is on steering. This era lasted under a year. Maps to governed/repository workflow.
- Era 3 - async agents
- Cloud agents on their own VMs return artifacts; attention shifts to reviewing and managing outcomes. Maps to the higher-autonomy rung.
Each era is defined by where attention goes. The fuller maturity curve runs: manual → Tab → AI as junior teammate (delegate detailed tickets) → AI as a whole engineering team / multi-agent orchestration → AI as co-founder working backward from an end state.
The gate between rungs: artifact-verifiabilityforeground vs background
What actually lets an org climb a rung is whether the work can be verified through an artifact. That's the foreground-vs-background decision rule and it's the most useful heuristic you can give a customer. Foreground agents are for interactive, ambiguous, security-sensitive or steered work where you make decisions and watch every step. Background / cloud agents are for execution against clear goals and acceptance criteria. The test: if the output is reviewable through an artifact (an image, a recording, logs, a diff), push it async; if it's fuzzier, stay foreground.
Exploring an unfamiliar API; spikes
Security-sensitive or ambiguous changes
UI tweaks you want to watch happen
Refactors with clear acceptance criteria
Migrating a whole branch or a database
Anything whose result is checkable from a diff/recording
Don't spin up a background agent with a one-sentence prompt to 'refactor the whole codebase.' Background work needs heavy upfront structuring (clear goal, acceptance criteria, often a specific ticket pulled in via MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs.). A fuzzy task handed to an unsupervised agent is exactly the reckless move that costs you the room. Verifiability is the gate: no artifact to check against means it isn't ready to go async.
Expect: 'A bank with a strict change-management culture wants to start with autonomous agents in CI. What do you do?' Strong answer: redirect down the ladder. Start with assistive plus governed workflow, prove quality and safety, then earn the pipeline rung. Call out that leading with the top rung in low trust is the classic mistake.
Takeaway. Stage capabilities by trust, not seats by count. The corollary: never lead with the top rung in a low-trust org.
Self-check
QWhat axis does the maturity ladder stage on and why is that better than staging on seat count?
The 90-day pilot and the four-lens scorecard
After this you can structure a 100–500 engineer pilot in three acts and defend the four-lens scorecard against a vanity metric.
For 100–500 engineers, the pilot runs in three 30-day acts and the sequencing is the strategy: guardrails first, enablement second, expansion third. Flip that order and you get a viral tool with no governance and a security team that kills it in month two.
- Prove (0–30)
- Guardrails first. Baseline the four lenses, stand up SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool./SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave./allowlists/Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code., land a focused cohort, prove the top one or two pains.
- Expand (31–60)
- Enablement second. Mentorship and champions widen usage. Box lifted usage +75% in 6 weeks via mentorship. Climb one ladder rung.
- Decide (61–90)
- Expansion third. Scorecard vs. baseline, build the economic case, define the rollout, negotiate the Enterprise agreement.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Prove (0–30) → Expand (31–60) → Decide (61–90), with the four-lens baseline pinned at day zero and the guardrails-first, enablement-second, expansion-third order carried through each act.
Start narrow, then earn the expansionthe rollout pattern
Don't roll out to everyone at once. The pattern Cursor recommends: pick a repo, a few tasks and a few engineers; prove measurable impact; expand to a couple more teams; share results up; and only scale org-wide once you've seen strong ROIReturn on Investment. The value gained versus what it cost, the language an economic buyer funds deals in. on specific tasks. The narrow start is what gives the four-lens scorecard a clean signal and what keeps the security team comfortable while trust is still being built.
The recommended first automationlow risk, high stickiness
When a pilot team asks 'what's the first automation we should set up?', there's a data-backed answer: 'Summarize Changes Daily.' It posts a Slack engineering digest of notable repo changes every day at 10am PST. Cursor's data science found it the stickiest automation at 89% retention last month. It's the ideal opener because it's low blast radiusHow much breaks if a change goes wrong; the scope of potential damage. (it reads and reports, it doesn't touch code), it's visible to the whole team and it builds the daily habit that makes everything above it on the ladder feel normal.
To use cloud agents, a repo is onboarded at cursor.com/onboard: select/add repos, install to GitHub, optionally add env vars and secrets, and Cursor auto-sets-up the dev environment. Setting up an environment from scratch takes roughly 5-30 minutes (often quoted ~20), so don't let a slow first run spook the champion.
Two mitigations to name up front: launch many agents at once rather than serially, and save the built environment as a team snapshot so new agents start from the snapshot instead of rebuilding (this is critical for slow-to-build repos). After that, engineers move freely between local and cloud from the client.
You measure against a four-lens scorecard and you set the baseline before you start. A pilot with no day-zero baseline proves nothing, because every result answers 'compared to what?'
- Lens
- Adoption & capability
- What it captures
- Are people using it and at what rung?
- Example signals
- WAU/DAU, ladder rung reached, % on governed workflows
- Lens
- Flow
- What it captures
- Is delivery actually moving faster?
- Example signals
- Cycle time, PR-to-merge, deploy frequency
- Lens
- Quality & safety
- What it captures
- Are we shipping safer, not just faster?
- Example signals
- Escaped-defect rate, BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. catches, policy coverage
- Lens
- Experience & trust
- What it captures
- Do engineers and security trust it?
- Example signals
- Developer sentiment, security sign-off, retention of usage
| Lens | What it captures | Example signals |
|---|---|---|
| Adoption & capability | Are people using it and at what rung? | WAU/DAU, ladder rung reached, % on governed workflows |
| Flow | Is delivery actually moving faster? | Cycle time, PR-to-merge, deploy frequency |
| Quality & safety | Are we shipping safer, not just faster? | Escaped-defect rate, BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. catches, policy coverage |
| Experience & trust | Do engineers and security trust it? | Developer sentiment, security sign-off, retention of usage |
Four lenses, baselined day zero. 'Lines of AI code' is NOT a lens; it's the wrong headline.
'Lines of AI code' as your headline metric is a trap. It rewards volume over value, it's trivially gamed and it tells the economic buyer nothing about flow, quality or trust. If an exec asks for it, redirect to cycle time and escaped defects.
"I'm going to deliberately defer one use case (autonomous CI agents) until phase two. Not because it won't work, but because earning it on the back of a clean phase-one record is how it survives your change board. Saying 'not yet' is how I keep your trust."
Deliberately deferring a use case ('not yet') is a credibility move, not a weakness. A rep who scopes out the riskiest item to protect the pilot's record signals discipline. Cite Box as proof enablement works: 85%+ daily usage, 30–50% throughput gains, 80–90% less migration effort, +75% usage in 6 weeks via mentorship.
Takeaway. Sequencing is the strategy: guardrails first, enablement second, expansion third, baselined day zero, scored on flow and quality rather than lines of AI code.