Peter McKay, Snyk | CUBEConversation January 2020
>> From the Silicon Angle Media Office in Boston, Massachusetts, it's "The Cube." (groovy techno music) Now, here's your host, Dave Vellante.
>> Hello, everyone. The rise of open source is really powering the digital economy. And in a world where every company is essentially under pressure to become a software firm, open source software really becomes the linchpin of digital services for both incumbents and, of course, digital natives. Here's the challenge, is when developers tap and apply open source, they're often bringing in hundreds, or even thousands of lines of code that reside in open sourced packages and libraries. And these code bases, they have dependencies, and essentially hidden traps. Now typically, security vulnerabilities in code, they're attacked after the software's developed. Or maybe thrown over the fence to the sec-ops team and SNYK is a company that set out to solve this problem within the application development life cycle, not after the fact as a built-on. Now, with us to talk about this mega-trend is Peter McKay, a friend of The Cube and CEO of SNYK. Peter, great to see you again.
>> Good to see you, dude.
>> So I got to start with the name. SNYK, what does it mean?
>> SNYK, So Now You Know. You know, people it's sneakers sneak. And they tend to use the snick. So it's SNYK or snick. But it is SNYK and it stands for So Now You Know. Kind of a security, so now you know a lot more about your applications than you ever did before. So it's kind of a fitting name.
>> So you heard my narrative upfront. Maybe you can add a little color to that and provide some additional background.
>> Yeah, I mean, it's a, you know, when you think of the larger trends that are going on in the market, you know, every company is going through this digital transformation. You know, and every CEO, it's the number one priority.
We've got to change our business from, you know, financial services, healthcare, insurance company, whatever, are all switching to digital, you know, more of a software company. And with that, more software equals more software risk and cybersecurity continues to be, you know, a major. I think 72% of CEOs worry about cybersecurity as a top issue in protecting companies' data. And so for us, we've been in the software in the security space for the four and a half years. I've been in the security space since, you know, Watchfire 20 years ago. And right now, with more and more, as you said, open source and containers, the challenge of being able to address the cybersecurity issues that have never been more challenging. And so especially when you add the gap between the need for security professionals and what they have. I think it's four million open positions for security people. So you know, with all this added risk, more and more open source, more and more digitization, it's created this opportunity in the market where your traditional approaches to addressing security don't work today, you know? Like you said, throwing it over the fence and having someone in security, you know, check and make sure and finding all these vulnerabilities, and throw it back to developers to fix is very slow and something at this point is not driving to success.
>> So talk a little bit more about what attracted you to SNYK early. I mean, you've been with the company, you're at least involved in the company for a couple years now. What were the trends that you saw, and what was it about SNYK that, you know, led you to become an investor and ultimately, CEO?
>> Yeah, so four years involved in the business. So you know, I've always loved the security space. I've been in it for a number, almost 20 years. So I enjoy the space. You know, I've watched it. The founder, Guy Podjarny, one of the founders of SNYK, has been a friend of mine for 16 years from back in the Watchfire days.
So we've always stayed connected. I've always worked well together with him. And so when you started, and I was on the board, the first board member of the company, so I could see what was going on, and it was this, you know, changing, kind of the right place at the right time in terms of developer first security. Really taking all the things that are going on in the security space that impacts a developer or can be addressed by the developer, and embedding it into the software into that developer community, in a way that developers use, the tools that they use. So it's a developer-first mindset with security expertise built-in. And so when you look at the market, the number of open source container evolution, you know, it's a huge market opportunity. Then you look at the business momentum, just took off over the past, you know, four years. That it was something that I was getting more and more involved in. And then when Guy asked me to join as the CEO, it was like, "Sure, what took you so long?" (Dave laughing)
>> We had Guy on at Node JS Summit. I want to say it was a couple years ago now. And what he was describing is when you package, take the example of Node. When you package code in Node, you bring in all these dependencies, kind of what I was talking about there, but the challenge that he sort of described was really making it seamless as part of the development workflow. It seems like that's unique to SNYK. Maybe you could talk about--
>> Yeah, it is. And you know, we've built it from the ground up. You know, it's very difficult. If it was a security tool for security people, and then say, "Oh, let's adapt it for the developer," that is almost impossible. Why I think we've been so successful from the 400,000 developers in the community using Freemium to paid, was we built it from the ground up for developer, embedded into the application-development life cycle.
Into their process, the look and feel, easy for them to use, easy for them to try it, and then we focused on just developer adoption. A great experience, developers will continue to use it and expand with it. And most of our opportunities that we've been successful at, the customers, we have over 400 customers. That had been this try, you know, start it with the community. They used the Freemium, they tried it for their new application, then they tried it for all their new, and then they go back and replace the old. So it was kind of this Freemium, land and expand has been a great way for developers to try it, use it. Does it work, yes, buy more. And that's the way we work.
>> We're really happy, Peter, that you came on because you've got some news today that you're choosing to share with us in our Cube community. So it's around financing, bring us up to date. What's the news?
>> Yeah so you know, I'd say four months ago, five months ago, we raised a $70 million round from great investors. And that was really led by one of our existing investors, who kind of knew us the best and it was you know, Accel Venture, and then Accel Growth came in and led the $70 million round. And part of that was a few new investors that came in and Stripes, which is you know a very large growth equity investor were part of that $70 million round said you know, preempted it and said, "Look it, we know you don't need the money, but we want to," you know, "We want to preempt. We believe your customer momentum," here we did, you know, five or six really large deals. You know, one, 700, seven million, 7.4 million, one's 3.5 million. So we started getting these bigger deals and we doubled since the $70 million round. And so we said, "Okay, we want to make money not the issue." So they led the next round, which is $150 million round, at a valuation of over a billion.
That really allows us now to, with the number of other really top tier, (mumbles) and Tiger and Trend and others, who have been part of watching the space and understand the market. And are really helping us grow this business internationally. So it's an exciting time. So you know, again, we weren't looking to raise. This was something that kind of came to us and you know, when people are that excited about it like we are and they know us the best because they've been part of our board of directors since their round, it allows us to do the things that we want to do faster.
>> So $150 million raise this round, brings you up to the 250, is that correct?
>> Yes, 250.
>> And obviously, an up-round. So congratulations, that's great.
>> Yeah, you know, I think a big part of that is you know, we're not, I mean, we've always been very fiscally responsible. I mean, yes we have the money and most of it's still in the bank. We're growing at the pace that we think is right for us and right for the market. You know, we continue to invest product, product, product, is making sure we continue our product-led organization. You know, from that bottoms up, which is something we continue to do. This allows us to accelerate that more aggressively, but also the community, which is a big part of what makes that, you know, when you have a bottoms up, you need to have that community. And we've grown that and we're going to continue to invest aggressively and build in that community. And lastly, go to market. Not only invest, invest aggressively in the North America, but also Europe and APJ, which, you know, a lot of the things we've learned from my Veeam experience, you know how to grow fast, go big or go home. You know, are things that we're going to do but we're going to do it in the right way.
>> So the Golden Rule is product and sales, right?
>> Yes, you're either building it or selling it.
>> Right, that's kind of where you're going to put your money.
You know, you talk a lot about people, companies will do IPOs to get seen, but companies today, I mean, even software companies, which is a capital-efficient industry, they raise a lot of dough and they put it towards promotion to compete. What are your thoughts on that?
>> You know, we've had, the model is very straightforward. It's bottoms up, you know? Developers, you know, there's 28 million developers in the world, you know? What we want is every one of those 28 million to be using our product. Whether it's free or paid, I want SNYK used in every application-development life cycle. If you're one developer, or you're a Salesforce with standardized on 12,000 developers, we want them using SNYK. So for us, it's get it in the hands. And that, you know, it's not like-- developers aren't going to look at Super Bowl ads, they're not going to be looking. It's you know, it's finding the ways, like the conference. We bought the DevSecCon, you know, the conference for developer security. Another way to promote kind of our, you know, security for developers and grow that developer community. That's not to say that there isn't a security part. Because, you know, what we do is help security organizations with visibility and finding a much more scalable way that gets them out of the, you know, the slows-down, the speed bump to the moving apps more aggressively into production. And so this is very much about helping security people. A lot of times the budgets do come from security or dev-ops. But it's because of our focus on the developer and the success of fixing, finding, fixing, and auto-remediating that developer environment is what makes us special.
>> And it sounds like a key to your success is you're not asking developer to context switch into a new environment, right? It's part of their existing workflow.
>> It has to be, right? Don't change how they do their job, right?
I mean, their job is to develop incredible applications that are better than the competitors, get them to market faster than they can, than they've ever been able to do before and faster than the competitor, but do it securely. Our goal is to do the third, but not sacrifice on one and two, right? Help you drive it, help you get your applications to market, help you beat your competition, but do it in a secure fashion. So don't slow them down.
>> Well, the other thing I like about you guys is the emphasis is on fixing. It's not just alerting people that there's a problem. I mean, for instance, a company like Red Hat, is that they're going to put a lot of fixes in. But you, of course, have to go implement them. What you're doing is saying, "Hey, we're going to do that for you. Push the button and then we'll do it," right? So that, to me, that's important because it enables automation, it enables scale.
>> Exactly, and I think this has been one of the challenges for kind of more of the traditional legacy, is they find a whole bunch of vulnerabilities, right? And we feel as though just that alone, we're the best in the world at. Finding vulnerabilities in applications in open source container. And so the other part of it is, okay, you find all them, but prioritizing what it is that I should fix first? And that's become really big issue because the vulnerabilities, as you can imagine, continue to grow. But focusing on hey, fix this top 10%, then the next, and to the extent you can, auto-fix. Auto-remediate those problems, that's ultimately, we're measured by how many vulnerabilities do we fix, right? I mean, finding them, that's one thing. But fixing them is how we judge a successful customer. And now it's possible. Before, it was like, "Oh, okay, you're just going to show me more things." No, when you talk about Google and Salesforce and Intuit, and all of our customers, they're actually getting far better.
They're seeing what they have in terms of their exposure, and they're fixing the problems. And that's ultimately what we're focused on.
>> So some of those big whales that you just mentioned, it seems to me that the value proposition for those guys, Peter, is the quality of the code that they can develop and obviously, the time that it takes to do that. But if you think about it more of a traditional enterprise, which I'm sure is part of your (mumbles), they'll tell you, the (mumbles) will tell you our biggest problem is we don't have enough people with the skills. Does this help?
>> It absolutely--
>> And how so?
>> Yeah, I mean, there's a massive gap in security expertise. And the current approach, the tools, are, you know, like you said at the very beginning, it's I'm doing too late in the process. I need to do it upstream. So you've got to leverage the 28 million developers that are developing the applications. It's the only way to solve the problem of, you know, this application security challenge. We call it Cloud Native Application Security, which all these applications usually are new apps that they're moving into the Cloud. And so to really fix it, to solve the problem, you got to embed it, make it really easy for developers to leverage SNYK in their whole, we call it, you know, it's that concept of shift left, you know? Our view is that it needs to be embedded within the development process. And that's how you fix the problem.
>> And talk about the business model again. You said it's Freemium model, you just talked about a big seven figure deals that you're doing and that starts with a Freemium, and then what? I upgrade to a subscription and then it's a land and expand? Describe that.
>> Yeah we call it, it's you know, it's the community. Let's get every developer in a community. 28 million, we want to get into our community. From there, you know, leverage our Freemium, use it. You know, we encourage you to use it. Everybody to use our Freemium.
And it's full functionality. It's not restricted in any way. You can use it. And there's a subset of those that are ready to say, "Look it, I want to use the paid version," which allows me to get more visibility across more developers. So as you get larger organization, you want to leverage the power of kind of a bigger, managing multiple developers, like a lot of, in different teams. And so that kind of gets that shift to that paid. Then it goes into that Freemium, land, expand, we call it explode. Sales force, kind of explode. And then renew. That's been our model. Get in the door, get them using Freemium, we have a great experience, go to paid. And that's usually for an application, then it goes to 10 applications, and then 300 developers and then the way we price is by developer. So the more developers who use, the better your developer adoption, the bigger the ultimate opportunity is for us.
>> There's a subscription service right?
>> All subscription.
>> Okay and then you guys have experts that are identifying vulnerabilities, right? You put them into a database, presumably, and then you sort of operationalize that into your software and your service.
>> Yeah, we have 15 people in our security team that do nothing every day but looking for the next vulnerability. That's our vulnerability database, in a large case, is a lot of our big companies start with the database. Because you think of like Netflix and you think of Facebook, all of these companies have large security organizations that are looking for issues, looking for vulnerabilities. And they're saying, "Well okay, if I can get that feed from you, why do I have my own?" And so a lot of companies start just with the database feed and say, "Look, I'll get rid of mine, and use yours." And then eventually, we'll use this scanning and we'll evolve down the process.
But there's no doubt in the market people who use our solution or other solution will say our known the database of known vulnerabilities, is far better than anybody else in the market.
>> And who do you sell to, again? Who are the constituencies? Is it sec-ops, is it, you know, software engineering? Is it developers, dev-ops?
>> Users are always developers. In some cases dev-ops, or dev-sec. Apps-sec, you're starting to see kind of the world, the developer security becoming bigger. You know, as you get larger, you're definitely security becomes a bigger part of the journey and some of the budget comes from the security teams. Or the risk or dev-ops. But I think if we were to, you know, with the user and some of the influencers from developers, dev-ops, and security are kind of the key people in the equation.
>> Is your, you have a lot of experience in the enterprise. How do you see your go to market in this world different, given that it's really a developer constituency that you're targeting? I mean, normally, you'd go out, hire a bunch of expensive sales guys, go to market, is that the model or is it a little different here because of the target?
>> Yeah, you know, to be honest, a lot of the momentum that we've had at this point has been inbound. Like most of the opportunities that come in, come to us from the community, from this ground up. And so we have a very large inside sales team that just kind of follows up on the inbound interest. And that's still, you know, 65, 70% of the opportunities that come to us both here and Europe and APJ, are coming from the community inbound. Okay, I'm using 10 licenses of SNYK, you know, I want to get the enterprise version of it. And so that's been how we've grown. Very much of a very cost-effective inside sales.
Now, when you get to the Googles and Salesforces and Nordstroms of the world, and they have already 500 licenses us, either paid or free, then we usually have more of a, you know, senior sales person that will be involved in those deals.
>> To sort of mine those accounts. But it's really all about driving the efficiency of that inbound, and then at some point driving more inbound and sort of getting that flywheel effect.
>> Developer adoption, developer adoption. That's the number one driver for everybody in our company. We have a customer success team, developer adoption. You know, just make the developer successful and good things happen to all the other parts of the organization.
>> Okay, so that's a key performance indicator. What are the, let's wrap kind of the milestones and the things that you want to accomplish in the next, let's call it 12 months, 18 months? What should we be watching?
>> Yeah, so I mean it continues to be the community, right? The community, recruiting more developers around the globe. We're expanding, you know, APJ's becoming a bigger part. And a lot of it is through just our efforts and just building out this community. We now have 20 people, their sole job is to build out, is to continue to build our developer community. Which is, you know, content, you know, information, how to learn, you know, webinars, all these things that are very separate and apart from the commercial side of the business and the community side of the business. So community adoption is a critical measurement for us, you know, yeah, you look at Freemium adoption. And then, you know, new customers. How are we adding new customers and retaining our existing customers? And you know, we have a 95% retention rate. So it's very sticky because you're getting the data feed, is a daily data feed. So it's like, you know, it's not one that you're going to hook on and then stop at any time soon. So you know, those are the measurements.
You look at your community, you look at your Freemium, you look at your customer growth, your retention rates, those are all the things that we measure our business by.
>> And your big pockets of brain power here, obviously in Boston, kind of CEO's prerogative, you got a big presence in London, right? And also in Israel, is that correct?
>> Yeah, I would say we have four hubs and then we have a lot of remote employees. So, you know, Tel Aviv, where a lot of our security expertise is, in London, a lot of engineering. So between London and Tel Aviv is kind of the security teams, the developers are all in the community is kind of there. You know, Boston, is kind of more go to market side of things, and then we have Ottawa, which is kind of where Watchfire started, so a lot of good security experience there. And then, you know, we've, like a lot of modern companies, we hired the best people wherever we can find them. You know, we have some in Sydney, we've got some all around the world. Especially security, where finding really good security talent is a challenge. And so we're always looking for the best and brightest wherever they are.
>> Well, Peter, congratulations on the raise, the new role, really, thank you for coming in and sharing with The Cube community. Really appreciate it.
>> Well, it's great to be here. Always enjoy the conversations, especially the Patriots, Red Sox, kind of banter back and forth. It's always good.
>> Well, how do you feel about that?
>> Which one?
>> Well, the Patriots, you know, sort of strange that they're not deep into the playoffs, I mean, for us. But how about the Red Sox now? Is it a team of shame? All my friends who were sort of jealous of Boston sports are saying you should be embarrassed, what are your thoughts?
>> It's all about Houston, you know? Alex Cora, was one of the assistant coaches at Houston where all the issues are, I'm not sure those issues apply to Boston, but we'll see, TBD. TBD, I am optimistic as usual.
I'm a Boston fan making sure that there isn't any spillover from the Houston world.
>> Well we just got our Sox tickets, so you know, hopefully, they'll recover quickly, you know, from this.
>> They will, they got to get a coach first.
>> Yeah, they got to get a coach first.
>> We need something to distract us from the Patriots.
>> So you're not ready to attach an asterisk yet to 2018?
>> No, no. No, no, no.
>> All right, I like the optimism. Maybe you made the right call on Tom Brady.
>> Did I?
>> Yeah a couple years ago.
>> Still since we talked what, two in one. And they won one.
>> So they were in two, won one, and he threw for what, 600 yards in the first one so you can't, it wasn't his fault.
>> And they'll sign him again, he'll be back.
>> Is that your prediction? I hope so.
>> I do, I do.
>> All right, Peter. Always a pleasure, man.
>> Great to see you.
>> Thank you so much, and thank you for watching everybody, we'll see you next time. (groovy techno music)