Ed Casmer, Cloud Storage Security & James Johnson, iPipeline | AWS Startup Showcase S2 E4
(upbeat music) >> Hello, everyone. Welcome back to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series covering the exciting startups from the AWS ecosystem. And talking about cybersecurity. I'm your host, John Furrier. Excited to have two great guests. Ed Casmer, founder and CEO of Cloud Storage Security, back CUBE alumni, and also James Johnson, AVP of Research and Development at iPipeline. Here to talk about cloud storage security antivirus on S3. James, thanks for joining us today. >> Thank you, John. >> Thank you. >> So the topic here is cloud security, storage security. Ed, we had a great CUBE conversation previously, earlier in the month. Companies are modernizing their apps and migrating the cloud. That's fact. Everyone kind of knows that. >> Yeah. >> Been there, done that. Clouds have the infrastructure, they got the OS, they got protection, but the end of the day, the companies are responsible and they're on the hook for their own security of their data. And this is becoming more permanent now that you have hybrid cloud, cloud operations, cloud native applications. This is the core focus right now in the next five years. This is what everyone's talking about. Architecture, how to build apps, workflows, team formation. Everything's being refactored around this. Can you talk about how organizations are adjusting and how they view their data security in light of how applications are being built and specifically around the goodness of say S3? >> Yep, absolutely. Thank you for that. So we've seen S3 grow 20,000% over the last 10 years. And that's primarily because companies like James with iPipeline are delivering solutions that are leveraging this object storage more and above the others. When we look at protection, we typically fall into a couple of categories. The first one is, we have folks that are worried about the access of the data. How are they dealing with it? 
And so they're looking at configuration aspects. But the big thing that we're seeing is that customers are blind to the fact that the data itself must also be protected and looked at. And so we find these customers who do come to the realization that it needs to happen, finding out, asking themselves, how do I solve for this? And so they need lightweight, cloud native built solutions to deliver that. >> So what's the blind spot? You mentioned there's a blind spot. They're kind of blind to that. What specifically are you seeing? >> Well so, when we get into these conversations, the first thing that we see with customers is I need to predict how I access it. This is everyone's conversation. Who are my users? How do they get into my data? How am I controlling that policy? Am I making sure there's no east-west traffic there, once I've blocked the north-south? But what we really find is that the data is the key packet of this whole process. It's what gets consumed by the downstream users. Whether that's an employee, a customer, a partner. And so it's really, the blind spot is the fact that we find most customers not looking at whether that data is safe to use. >> It's interesting. When you talk about that, I think about all the recent breaches and incidents. "Incidents," they call them. >> Yeah. >> They've really been around user configurations. S3 buckets not configured properly. >> Absolutely. >> And this brings up what you're saying, is that the users and the customers have to be responsible for the configurations, the encryption, the malware aspect of it. Don't just hope that AWS has the magic to do it. Is that kind of what you're getting at here? Is that the similar, am I correlating that properly? >> Absolutely. That's perfect. And we've seen it. We've had our own customers, luckily iPipeline's not one of them, that have actually infected their end users because they weren't looking at the data. >> And that's a huge issue. 
So James, let's get in, you're a customer partner. Talk about your relationship with these guys and what's it all about? >> Yeah, well, iPipeline is building a digital ecosystem for life insurance and wealth management industries to enable the sale of life insurance to under-insured and uninsured Americans, to make sure that they have the coverage that they need, should something happen. And our solutions have been around for many years. In a traditional data center type of an implementation. And we're in process now of migrating that to the cloud, moving it to AWS, in order to give our customers a better experience, a better resiliency, better reliability. And with that, we have to change the way that we approach file storage and how we approach scanning for vulnerabilities in those files that might come to us via feeds from third parties or that are uploaded directly by end users that come to us from a source that we don't control. So it was really necessary for us to identify a solution that both solved for these vulnerability scanning needs, as well as enabling us to leverage the capabilities that we get with other aspects of our move to the cloud and being able to automatically scale based on load, based on need, to ensure that we get the performance that our customers are looking for. >> So tell me about your journey to the cloud, migrating to the cloud and how you're using S3 specifically. What led you to determine the need for the cloud based AV solution? >> So when we looked to begin moving our applications to the cloud, one of the realizations that we had is that our approach to storing certain types of data was a bit archaic. We were storing binary files in a database, which is not the most efficient way to do things. And we were scanning them with the traditional antivirus engines that would've been scaled in traditional ways. So as our need grew, we would need to spin up additional instances of those engines to keep up with load. 
And we wanted a solution that was cloud native and would allow us to scan more dynamically without having to manage the underlying details of how many engines do I need to have running for a particular load at a particular time and being able to scan dynamically. And also being able to move that out of the application layer, being able to scan those files behind the scenes. So scanning in, when the file's been saved in S3, it allows us to scan and release the file once it's been deemed safe rather than blocking the user while they wait for that scan to take place. >> Awesome. Well, thanks for sharing that. I got to ask Ed, and James, same question next. It's, how does all this factor in to audits and self compliance? Because when you start getting into this level of sophistication, I'm sure it probably impacts reporting workflows. Can you guys share the impact on that piece of it? The reporting? >> Yeah. I'll start with a comment and James will have more applicable things to say. But we're seeing two things. One is, you don't want to be the vendor whose name is in the news for infecting your customer base. So that's number one. So you have to put something like this in place and figure that out. The second part is, we do hear that under SOC 2, under PCI, different aspects of it, there are scanning requirements on your data. Traditionally, we've looked at that as endpoint data and the data that you see in your on-prem world. It doesn't translate as directly to cloud data, but it's certainly applicable. And if you want to achieve SOC 2 or you want to achieve some of these other pieces, you have to be scanning your data as well. >> Furrier: James, what's your take? As practitioner, you're living it. >> Yeah, that's exactly right. 
There are a number of audits that we go through where this is a question that comes up both from a SOC perspective, as well as our individual customers who reach out and they want to know where we stand from a security perspective and a compliance perspective. And very often this is a question of how are you ensuring that data that is uploaded into the application is safe and doesn't contain any vulnerabilities. >> James, if you don't mind me asking, I have to kind of inquire because I can imagine that you have users on your system but also you have third parties, relationships. How does that impact this? What's the connection? >> That's a good question. We receive data from a number of different locations from our customers directly, from their users and from partners that we have as well as partners that our customers have. And as we ingest that data, from an implementation perspective, the way we've approached this, there's a minimal impact there in each one of those integrations. Because everything comes into the S3 bucket and is scanned before it is available for consumption or distribution. But this allows us to ensure that no matter where that data is coming from, that we are able to verify that it is safe before we allow it into our systems or allow it to continue on to another third party whether that's our customer or somebody else. >> Yeah, I don't mean to get in the weeds there, but it's one of those things where, this is what people are experiencing right now. Ed, we talked about this before. It's not just siloed data anymore. It's interactive data. It's third party data from multiple sources. This is a scanning requirement. >> Agreed. I find it interesting too. I think James brings it up. We've had it in previous conversations that not all data's created equal. Data that comes from third parties that you're not in control of, you feel like you have to scan. And other data you may generate internally. 
You don't have to be as compelled to scan that although it's a good idea, but you can, as long as you can sift through and determine which data is which and process it appropriately, then you're in good shape. >> Well, James, you're living the cloud security, storage security situation here. I got to ask you, if you zoom out and not get in the weeds and look at the board room or the management conversation. Tell me about how you guys view the data security problem. I mean, obviously it's important. So can you give us a level of how important it is for iPipeline and with your customers and where does this S3 piece fit in? I mean, when you guys look at this holistically, for data security, what's the view, what's the conversation like? >> Yeah. Well, data security is critical. As Ed mentioned a few minutes ago, you don't want to be the company that's in the news because some data was exposed. That's something that nobody has the appetite for. And so data security is first and foremost in everything that we do. And that's really where this solution came into play, in making sure that we had not only a solution but we had a solution that was the right fit for the technology that we're using. There are a number of options. Some of them have been around for a while. But this was focused on S3, which we were using to store these documents that are coming from many different sources. And we have to take all the precautions we can to ensure that something that is malicious doesn't make its way into our ecosystem or into our customers' ecosystems through us. >> What's the primary use case that you see the value here with these guys? What's the aha moment that you had? >> With the cloud storage security specifically, it goes beyond the security aspects of being able to scan for vulnerable files, which is, there are a number of options and they're one of those. 
But for us, the key was being able to scale dynamically without committing to a particular load whether that's under committing or overcommitting. As we move our applications from a traditional data center type of installation to AWS, we anticipated a lot of growth over time and being able to scale up very dynamically, literally moving a slider within the admin console, was key to us to be able to meet our customer's needs without overspending, by building up something that was dramatically larger than we needed in our initial rollout. >> Not a bad testimonial there, Ed. >> I mean, I agree. >> This really highlights the applications using S3 more in the file workflow for the application in real time. This is where you start to see the rise of ransomware other issues. And scale matters. Can you share your thoughts and reaction to what James just said? >> Yeah. I think it's critical. As the popularity of S3 has increased, so has the fact that it's an attack vector now. And people are going after it whether that's to plant bad malicious files, whether it's to replace code segments that are downloaded and used in other applications, it is a very critical piece. And when you look at scale and you look at the cloud native capability, there are lots of ways to solve it. You can dig a hole with a spoon, but a shovel works a lot better. And in this case, we take a simple example like James. They did a weekend migration, so they've got new data coming in all the time, but we did a massive migration 5,000 files a minute being ingested. And like he said, with a couple of clicks, scale up, process that over sustained period of time and then scale back down. So I've said it before, I said it on the previous one. We don't want to get in the way of someone's workflow. We want to help them secure their data and do it in a timely fashion that they can continue with their proper processing and their normal customer responses. >> Frictionless has to be key. 
I know you're in the marketplace with your antivirus for S3 on the AWS. People can just download it. So people are interested, go check it out. James, I got to ask you and maybe Ed can chime in over the top, but it seems so obvious. Data. Secure the data. Why is it so hard? Why isn't this so obvious? What's the problem? Why is it so difficult? Why are there so many different solutions? It just seems so obvious. You know, you got ransomware, you got injection of different malicious payloads. There's a ton of things going on around the data. Why is this so obvious? Why isn't it solved? >> Well, I think there have been solutions available for a long time. But the challenge, the difficulty that I see, is that it is a moving target. As bad actors learn new vulnerabilities, new approaches and as new technology becomes available, that opens additional attack vectors. >> Yeah. >> That's the challenge, is keeping up on the changing world including keeping up on the new ways that people are finding to exploit vulnerabilities. >> And you got sensitive data at iPipeline. You do a lot of insurance, wealth management, all kinds of sensitive data, super valuable. This brings me up, reminds me of the Sony hack Ed, years ago. Companies are responsible for their own militia. I mean, cybersecurity is no government help for sure. I mean, companies are on the hook. As we mentioned earlier at the top of this interview, this really is highlighted that IT departments have to evolve to large scale cloud, cloud native applications, automation, AI machine learning all built in, to keep up at the scale. But also from a defense standpoint. I mean, James you're out there, you're in the front lines, you got to defend yourself basically, and you got to engineer it. >> A hundred percent. And just to go on top of what James was saying is, I think there, one of the big factors and we've seen this. There's skill shortages out there. There's also just a pure lack of understanding. 
When we look at Amazon S3 or object storage in general, it's not an executable file system. So people sort of assume that, oh, I'm safe. It's not executable. So I'm not worried about it traversing my storage network. And they also probably have the assumption that the cloud providers, Amazon is taking care of this for them. And so it's this aha moment. Like you mentioned earlier, that you start to think, oh it's not about where the data is sitting per se. It's about scanning it as close to the storage spot. So when it gets to the end user, it's safe and secure. And you can't rely on the end user's environment and system to be in place and up to date to handle it. So it's that really, that lack of understanding that drives some of these folks into this. But for a while, we'll walk into customers and they'll say the same thing you said, John. Why haven't I been doing this for so long? And it's because they didn't understand that it was such a risk. That's where that blind spot comes in. >> James, it's just a final note on your environment. What's your goals for the next year? How's things going over there on your side? How you look at the security posture? What's on your agenda for the next year? How are you guys looking at the next level? >> Yeah. Well, our goal as it relates to this is to continue to move our existing applications over to AWS to run natively there. Which includes moving more data into S3 and leveraging the cloud storage security solution to scan that and ensure that there are no vulnerabilities that are getting in. >> And the ingestion, is there like a bottlenecks log jams? How do you guys see that scaling up? I mean, what's the strategy there? Just add more S3? >> Well, S3 itself scales automatically for us and the cloud storage solution gives us leverage to pull to do that. As Ed mentioned, we ingested a large amount of data during our initial migration which created a bottleneck for us. 
As we were preparing to move our users over, we were able to make an adjustment in the admin console and spin up additional processes entirely behind the scenes and broke the log jam. So I don't see any immediate concerns there, being able to handle the load. >> The term cloud native and hyperscale native, cloud native, one cloud's hybrid. All these things are native. We have antivirus native coming soon. And I mean, this is what we're basically doing is making it native into the workflows. Security native. And soon there's going to be security clouds out there. We're starting to see the rise of these new solutions. Can you guys share any thoughts or vision around how you see the industry evolving and what's needed? What's working and what's needed? Ed, we'll start with you. What's your vision? >> So I think the notion of being able to look at and view the management plane and control that has been where we're at right now. That's what everyone seems to be doing and going after. I think there are niche plays coming up. Storage is one of them, but we're going to get to a point where storage is just a blanket term for where you put your stuff. I mean, it kind of already is that. But in AWS, it's going to be less about S3. Less about WorkDocs, less about EBS. It's going to be just storage and you're going to need a solution that can span all of that to go along with where we're already at the management plane. We're going to keep growing the data plane. >> James, what's your vision for what's needed in the industry? What's the gaps, what's working, and where do you see things going? >> Yeah, well, I think on the security front specifically, Ed's probably a little bit better equipped to speak to them than I am since that's his primary focus. But I see the need for just expanded solutions that are cloud native that fit and fit nicely with the Amazon technologies. Whether that comes from Amazon or other partners like Cloud Storage Security to fill those gaps. 
We are focused on the financial services and insurance industries. That's our niche. And we look to other partners like Ed to help be the experts in these areas. And so that's really what I'm looking for, is the experts that we can partner with that are going to help fill those gaps as they come up and as they change in the future. >> Well, James, I really appreciate you coming on, sharing your story and I'll give you the final word. Put a quick, spend a minute to talk about the company. I know Cloud Storage Security is an AWS partner with the security software competency and is one of I think 16 partners listed in the competency and the data category. So take a minute to explain what's going on with the company, where people can find more information, how they buy and consume the products. >> Okay. >> Put the plug in. >> Yeah, thank you for that. So we are a fast growing startup. We've been in business for two and a half years now. We have achieved our security competency as John indicated. We're one of 16 data protection security competent ISV vendors globally. And our goal is to expand and grow a platform that spans all storage types that you're going to be dealing with and answer basic questions. What do I have and where is it? Is it safe to use? And am I in proper control of it? Am I being alerted appropriately? So we're building this storage security platform, very laser focused on the storage aspect of it. And if people want to find out more information, you're more than welcome to go and try the software out on Amazon marketplace. That's basically where we do most of our transacting. So find it there. Start a free trial. Reach out to us directly from our website. We are happy to help you in any way that you need it. Whether that's storage assessments, figuring out what data is important to you and how to protect it. >> All right, Ed. Thank you so much. Ed Casmer, founder and CEO of Cloud Storage Security. 
And of course James Johnson, AVP of Research and Development, iPipeline customer. Gentlemen, thank you for sharing your story and featuring the company and the value proposition, certainly needed. This is season two, episode four. Thanks for joining us. Appreciate it. >> Casmer: Thanks John. >> Okay. I'm John Furrier. That is a wrap for this segment of the cybersecurity season two, episode four. The ongoing series covering the exciting startups from Amazon's ecosystem. Thanks for watching. (upbeat music)
Webb Brown & Alex Thilen, Kubecost | AWS Startup Showcase S2 E1 | Open Cloud Innovations
>> Hi, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase: Open Cloud Innovations. This is season two, episode one of the ongoing series covering the exciting startups from the AWS ecosystem. Today, uh, episode one, theme is the open source community and open cloud innovations. I'm John Furrier, your host. Got two great guests, Webb Brown, CEO of Kubecost, and Alex Thilen, head of business development, Kubecost. Gentlemen, thanks for coming on theCUBE for the showcase of AWS startups. >> Thanks for having us, John. Great to be back, uh, really excited for the discussion we have here. >> CUBE alumni from many, many KubeCons ago. You guys are in a hot area right now, monitoring and reducing the Kubernetes spend. Okay. So first of all, we know one thing for sure. Kubernetes is the hottest thing going on because of all the benefits. So take us through, you guys, macro view of this market. Kubernetes is growing, what's going on with the company. What is your company's role? >> Yeah, so we've definitely seen this growth firsthand with our customers in addition to the broader market. Um, you know, and I think we believe that that's really indicative of the value that Kubernetes provides, right? And a lot of that is just faster time to market, more scalability, improved agility for developer teams and, you know, there's even more there, but it's a really exciting time for our company and also for the broader cloud native community. Um, so what that means for our company is, you know, we're, we're scaling up quickly to meet our users and support our users, every, you know, metric that our company's grown about four X over the last year, including our team. 
Um, and the reason that one's the most important is just because, you know, the, the more folks and the larger that our company is, the better that we can support our users and help them monitor and reduce those costs, which ultimately makes Kubernetes easier to use for customers and users out there on the market. >> Okay. So I want to get into why Kubernetes is costing so much. Obviously the growth is there, but before we get there, what is the background? What's the origination story? Where did Kubecost come from? Obviously you guys have a great name, Kubecost. You guys probably reduce costs in Kubernetes, great name, but what's the origination story. How'd you guys get here? What itch are you scratching? What problem are you solving? >> So yeah, John, you, you guessed it, uh, you know, oftentimes the, the name is a dead giveaway there where we're cost monitoring cost management solutions for Kubernetes and cloud native. Um, and backstory here is our founding team was at Google before starting the company. Um, we were working on infrastructure monitoring, um, both on internal infrastructure, as well as Google Cloud. Um, we had a handful of our teammates join the Kubernetes effort, you know, early days. And, uh, we saw a lot of teams, you know, struggling with the problems we're solving. We were solving internally at Google and we're, we're solving today. Um, and to speak to those problems a little bit, uh, you know, you, you, you touched on how just scale alone is making this come to the forefront, right. You know, there's now many billions of dollars being spent on CU, um, that is bringing this issue, uh, to make it a business critical questions that is being asked in lots of organizations. Um, you know, that combined with, you know, the dynamic nature and complexity of Kubernetes, um, makes it really hard to manage, um, you know, costs, uh, when you scale across a very large organization. 
Um, so teams turn to Kubecost today, you know, thousands of them do, uh, to get monitoring in place, you know, including alerts, recurring reports and like dynamic management insights or automation. >> Yeah. I know we talked at KubeCon before, Webb, and I want to come back to the problem statement because when you have these emerging growth areas that are really relevant and enabling technologies, um, you move to the next point of failure. And so, so you scaling these abstraction layers. Now services are being turned on more and more Kubernetes clusters are out there. So I have to ask you, what is the main cost driver problem that's happening in the Kube space that you guys are addressing? Is it just sheer volume? Is it different classes of services? Is it like different things are kind of working together, different monitoring tools? Is it not a platform and take us through the, the problem area? What do you guys see this? >> Yeah, the number one problem area is still actually what, uh, the CNCF FinOps survey highlighted earlier this year, um, which is that approximately two thirds of companies still don't have kind of baseline visibility into spend when they moved to Kubernetes. Um, so, you know, even if you had a really complex, you know, chargeback program in place, when you're building all your applications on VMs, you move to Kubernetes and most teams again, can't answer these really simple questions. Um, so we're able to give them that visibility in real time, so they can start breaking these problems down. Right. They can start to see that, okay, it's these, you know, the deployments or StatefulSets that are driving our costs or no, it's actually, you know, these workloads that are talking to, you know, S3 buckets and, you know, really driving, you know, egress costs. Um, so it's really about first and foremost, just getting the visibility, getting the eyes and ears. 
We're able to give that to teams in real time at the largest scale Kubernetes clusters in the world. Um, and again, most teams, when they first start working with us, don't have that visibility, not having that visibility can have a whole bunch of downstream impacts, um, including kind of not getting, you know, costs right. You know, performance, right. Et cetera. >> Well, let's get into that downstream benefit, uh, um, problems and or situations. But the first question I have just throw naysayer comment at you would be like, oh, wait, I have all this cost monitoring stuff already. What's different about Kubernetes. Why what's what's the problem I can are my other tool is going to work for me. How do you answer that one? >> Yeah. So, you know, I think first and foremost containers are very dynamic right there. They're often complex, often transient and consume variable cluster resources. And so as much as this enables teams to contract construct powerful solutions, um, the associated costs and actually tracking those, those different variables can be really difficult. And so that's why we see why a solution like Kubecost, that's purpose built for developers using Kubernetes, is really necessary because some of those older, you know, traditional cloud cost optimization tools are just not as fit for, for this space specifically. >> Yeah. I think that's exactly right, Alex. And I would add to that just the way that software is being architected, deployed and managed is fundamentally changing with Kubernetes, right? It is deeply impacting every part of scifi software delivery process. And through that, you know, decisions are getting made and, you know, engineers are ultimately being empowered, um, to make more, you know, costs impacting decisions. 
Um, and so we've seen, you know, organizations that get real time kind of built for Kubernetes are built for cloud native, um, benefit from that massively throughout their, their culture, um, you know, cost performance, et cetera. >> Uh, well, can you just give a quick example because I think that's a great point. The architectures are shifting, they're changing, there's new things coming in, so it's not like you can use an old tool and just retrofit it. That's sometimes that's awkward. What specific things you see changing with Kubernetes that's that environments are leveraging that's good. >> Yeah. Yeah. Um, one would be all these Kubernetes primitives are concepts that didn't exist before. Right. So, um, you know, I'm not, you know, managing just a generic workload, I'm managing a StatefulSet and, or, you know, three ReplicaSets. Right. And so having a language that is very much tailored towards all of these Kubernetes concepts and abstractions, et cetera. Um, but then secondly, it was like, you know, we're seeing this very obvious, you know, push towards microservices where, you know, typically again, you're shipping faster, um, you know, teams are making more distributed or decentralized decisions, uh, where there's not one single point where you can kind of gate check everything. Um, and that's a great thing for innovation, right? We can move much faster. Um, but for some teams, um, you know, not using a tool like Kubecost, that means sacrificing having a safety net in place, right. >> Or guard rails in place to really help manage and monitor this. And I would just say, lastly, you know, uh, a solution like Kubecost, because it's built for Kubernetes, sits in your infrastructure, um, it can be deployed with a single helm install. You don't have to share any data remotely. Um, but because it's listening to your infrastructure, it can give you data in real time. Right. 
And so we're moving from this world where you can make real time automated decisions or manual decisions as opposed to waiting for a bill, you know, a day, two days or a week later, um, when it may be already too late, you know, to avoid, >>Or he got the extra costs and you know what, he wants that. And he got to fight for a refund. Oh yeah. I threw a switch or wasn't paying attention or human error or code because a lot of automation is going on. So I could see that as a benefit. I gotta, I gotta ask the question on, um, developer uptake, because develop, you mentioned a good point. There that's another key modern dynamic developers are in, in the moment making decisions on security, on policy, um, things to do in the CI/CD pipeline. So if I'm a developer, how do I engage with Kubecost? Do I have to, can I just download something? Is it easy? How's the onboarding process for your customers? >>Yeah. Great, great question. Um, so, you know, first and foremost, I think this gets to the roots of our company and the roots of Kubecost, which is, you know, born in open source, everything we do is built on top of open source. Uh, so the answer is, you know, you can go out and install it in minutes. Like, you know, thousands of other teams have, um, it is, you know, the, the recommended route or preferred route on our side is, you know, a helm install. Um, again, you don't have to share any data remotely. You can truly not lock down, you know, namespace egress, for example, on the Kubecost namespace. Um, and yeah, and in minutes you'll have this visibility and can start to see, you know, really interesting metrics that, again, most teams, when we started working with them, either didn't have them in place at all, or they had a really rough estimate based on maybe even a Kubecost Grafana dashboard that they installed. >>How does Kubecost provide the visibility across the environment? How do you guys actually make it work? 
>>Yeah, so we, you know, sit in your infrastructure. Um, we have integrations with, um, for on-prem like custom pricing sheets, uh, with cloud providers will integrate with your actual billing data, um, so that we can, uh, listen for events in your infrastructure, say like a new node coming up, or a new pod being scheduled, et cetera. Um, we take that information, join with your billing data, whether it's on-prem or in one of the big three cloud providers. And then again, we can, in real time tell you the cost of, you know, any dimension of your infrastructure, whether it's one of the backing, you know, virtual assets you're using, or one of the application dimensions like a label or annotation, namespace, you know, pod, container, you name it. >>Awesome. Alex, what's your take on the landscape with, with the customers as they look the cost reductions. I mean, everyone loves cost reductions as a, certainly I love the safety net comment that Webb made, but at the end of the day, Kubernetes is not so much a cost driver. It's more of a, I want the modern apps faster. Right? So, so, so people who are buying Kubernetes usually aren't price sensitive, but they also don't want to get gouged either on mistakes. Where is the customer path here around Kubernetes cost management and reduction and a scale? >>Yeah. So I think one thing that we're looking forward to hearing this upcoming year, just like we did last year is continuing to work with the various tools that customers are already using and, you know, meeting those customers where they are. So some examples of that are, you know, working with like CI/CD tools out there. Like we have a great integration with armoring Spinnaker to help customers actually take the insights from Kubecost and deploy those, um, in a more efficient manner. 
Um, we're also working with a lot of partners, like, you know, Grafana to help customers visualize our data and, you know, integrate with or Rancher, which are management platforms for Kubernetes. And all of that I think is just to make cost come more to the forefront of the conversation when folks are using Kubernetes and provide that, that data to customers and all the various tools that they're using across the ecosystem. Um, so I think we really want to surface this and make costs more of a first-class citizen across, you know, the, the ecosystem and then the community partners. >>What's your strategy of the biz dev side. As you guys look at a growing ecosystem with KubeCon, CNCF, you mentioned that earlier, um, the community is growing. It's always been growing fast. You know, the number of people entering in are amazing, but now that we start going, you know, the S curves kicking in, um, integration and interoperability and openness is always a key part of company success. What's Kubecost's vision on how you're going to do biz dev going forward. >>Absolutely. So, you know, our product's open source, that is deeply important to our company, we're always going to continue to drive innovation on our open source product. Um, as Webb mentioned, you know, we have thousands of teams that are, that are using our product. And most of that is actually on the free, but something that we want to make sure continues to be available for the community and continue to bring that development for the community. And so I think a part of that is making sure that we're working with folks not just on the commercial side, but also those open source, um, types of products, right? So, you know, Grafana is open source, Spinnaker's open source. 
I think a lot of the biz dev strategy is just sticking to our roots and make sure that we continue to drive a strong open source presence and product for, for our community of users, keep that >>And a, an open source and commercial and keep it stable. Well, I got to ask you, obviously, the wave is here. I always joke, uh, going back. I remember when the word Kubernetes was just kicked around pre uh, the OpenStack days many, many years ago. It's the luxury of being a old cube guy that I am 11 years doing the cube, um, all fun. But if we remember talking to him in the early days, is that with Kubernetes was, if, if it worked, the, the phrase was rising tide floats all boats, I would say right now, the tide's rising pretty well right now, you guys are in a good spot with Kubecost. Are there areas that you see coming where cost monitoring, um, is going to expand more? Where do you see the Kubernetes? Um, what's the aperture, if you will, of the, of the cost monitoring space at your end that you think you can address. >>Yeah, John, I think you're exactly right. This, uh, tide has risen and it just keeps rising, right? Like, um, you know, the, the sheer number of organizations we see using Kubernetes at massive scale is just mind blowing at this point. Um, you know, what we see is this really natural pattern for teams to start using a solution like Kubecost, uh, start with, again, either limited or no visibility, get that visibility in place, and then really develop an action plan from there. And that could again be, you know, different governance solutions like alerts or, you know, management reports or, you know, engineering team reports, et cetera. Um, but it's really about, you know, phase two of taking that information and really starting to do something with it. Right. Um, we, we are seeing and expect to see more teams turn to an increasing amount of, of automation to do that. 
Um, but ultimately that is, uh, very much after you get this baseline highly accurate, uh, visibility that you feel very comfortable making, potentially critical, very critical related to reliability, performance decisions within your infrastructure. >>Yeah. I think getting it right is key, you mentioned baseline. Let me ask you a quick follow-up on that. How fast can companies get there when you say baseline, there's probably levels of baseline. Obviously all environments are different now. Not all one's the same, but what's just anecdotally you see, as that baseline, how fast we will get there, is there a certain minimum viable configuration or architecture? Just take us through your thoughts on that. >>Yeah. Great question. It definitely depends on organizational complexity and, you know, can depend on application complexity as well. But I would say most importantly is, um, you know, the, the array of cost centers, departments, you know, complexity across the org as opposed to, you know, technological. Um, so I would say for, you know, less complex organizations, we've seen it happen in, you know, hours or, you know, a day less, et cetera. Um, because that's, you know, one or two or a smaller engineering teams, they can share that visibility really quickly. And, um, you know, they may be familiar with Kubernetes and they just get it right away. Um, for larger organizations, we've seen it take kind of up to 90 days where it's really about infusing this kind of into their DNA. When again, there may not have been a visibility or transparency here before. Um, again, I think the, the, the bulk of the time there is really about kind of the cultural element, um, and kind of awareness building, um, and just buy in throughout the organization. >>Awesome. Well, guys got a great product. Congratulations, final question for both of you, it's early days in Kubernetes, even though the tide is rising, keeps rising, more boats are coming in. 
Harbor is getting bigger, whatever, whatever metaphor you want to use, it's really going great. You guys are seeing customer adoption. We're seeing cloud native. I was told that my friends at Docker, the container side is going crazy as well. Everything's going great in cloud native. What's the vision on the innovation? How do you guys continue to push the envelope on value in open source and in the commercial area? What's the vision? >>Yeah, I think there's, there's many areas here and I know Alex will have more to add here. Um, but you know, one area that I know is relevant to his world is just more, really interesting integrations, right? So he mentioned Kubecost insights powering decisions in, say, Spinnaker, right? I think more and more of this tool chain really coming together and really seeing the benefits of all this interoperability. Right. Um, so that I think combined with, uh, just more and more intelligence and automation being deployed again, that's only after the fact that teams are really comfortable with his decisions and the information and the decisions that are being made. Um, but I think that increasingly we see the community again, being ready to leverage this information in really powerful ways. Um, just because, you know, as teams scale, there's just a lot to manage. And so a team, you know, leveraging automation can, you know, supercharge them and in really impactful ways. >>Awesome, great integration integrations, Alex, expand on that. A whole different kind of set of business development integrations. When you have lots of tool chains, lots of platforms and tools kind of coming together, sharing data, working together, automating together. >>Well. Yeah, we, so I think it's going to be super important to keep a pulse on the new tools. Right. Make sure that we're on the forefront of what customers are using and just continuing to meet them where they are. And a lot of that honestly, is working with AWS too, right? 
Like they have great services and EKS and managed Prometheus. Um, so we want to make sure that we continue to work with that team and support their services as that launched as well. >>Great stuff. I got a couple of minutes left. I felt I'll throw one more question in there since I got two great experts here. Um, just, you know, a little bit change of pace, more of an industry question. That's really no wrong answer, but I'd love to get your reaction to, um, the SaaS conversation. Cloud has changed what used to be SaaS. SaaS was, oh yeah. Software as a service. Now that you have all these kinds of new kinds of you have automation, horizontally, scalable cloud and edge, you now have vertical machine learning. Data-driven insights. A lot of things in the stack are changing. So the question is what's the new SaaS look like, is it the same as the old SaaS? Or is it a new kind of refactoring of what SaaS is? What's your take on this? >>Yeah. Um, Webb, please jump in here wherever. But in, in my view, um, it's a spectrum, right? There's there's customers that are on both ends of this. Some customers just want a fully hosted, fully managed product that wouldn't benefit from the luxury of not having to do any, any sort of infrastructure management or patching or anything like that. And they just want to consume a great product. Um, on the other hand, there's other customers that have more highly regulated industries or security requirements, and they're going to need things to deploy in their environment. Um, right now Kubecost is, is self hosted. But I think in the future, we want to make sure that, you know, we, we have versions of our product available for customers across that entire spectrum. Um, so that, you know, if somebody wants the benefit of just not having to manage anything, they can use a fully self hosted SaaS or a fully multitenant managed SaaS, or, you know, other customers can use a self hosted product. 
And then there's going to be customers that are in the middle, right, where there's certain components that are okay to be a SaaS or hosted elsewhere. But then there's going to be components that are really important to keep in their own environment. So I think, uh, it's really across the board and it's going to depend on customer and customer, but it's important to make sure we have options for all of them. >>Great guys, we have SaaS, same as the old SaaS. What's the SaaS playbook now? >>I think it is such a deep and interesting question and one that, um, it's going to touch so many aspects of software and on our lives, I predict that we'll continue to see this, um, you know, tension or real trade-off across on the one hand convenience. And now on the other hand, security, privacy and control. Um, and I think, you know, like Alex mentioned, you know, different organizations are going to make different decisions here based on kind of their relative trade-offs. Um, I think it's going to be of epic proportions. I think, you know, we'll look back on this period and just say that, you know, this was one of the foundational questions of how to get this right. We ultimately view it as like, again, we want to offer choice, um, and make, uh, make every choice be great, but let our users, uh, pick the right one, given their profile on those, on those streets. >>I think, I think it's a great comment choice. And also you got now dimensions of implementations, right? Multitenant, custom regulated, secure. I want have all these controls. Um, it's great. No one, no one SaaS rules the world, so to speak. So it's again, great, great dynamic. But ultimately, if you want to leverage the data, is it horizontally addressable? MultiTech and again, this is a whole nother ball game we're watching this closely and you guys are in the middle of it with Kubecost, as you guys are creating that baseline for customers. Uh, congratulations. Uh, great to see you where thanks for coming on. 
Appreciate it. >>Thank you so much for having us again. >>Okay. Great conversation. AWS Startup Showcase, open cloud innovators here. Open source is driving a lot of value as it goes commercial, going to the next generation. This is season two, episode one of the AWS startup series with the cube. Thanks for watching.
Raziel Tabib & Dan Garfield, Codefresh | AWS Startup Showcase S2 E1 | Open Cloud Innovations
(bright music) >> Hi, everyone. Welcome to the CUBE's presentation of the AWS Startup Showcase around open cloud innovations. It's the season two episode one of the ongoing series covering exciting startups from the AWS ecosystem and talking about open source and innovation. I'm John Furrier, your host. Today, we're joined by two great guests. Dan Garfield, chief open source officer and co-founder of Codefresh IO, and Raziel Tabib, CEO and co-founder. Two co-founders in the middle of all the innovation. Gentlemen thanks for coming on. >> Thank you. >> So you guys have a great platform and as cloud native goes mainstream in the enterprise and for developers, the big topic is unification, end-to-end, horizontally scalable, leveraging data. All these things around agile that I call agile cloud next level. This is kind of what we're seeing. The CNCF is growing. You've seen KubeCon every year is more about these kinds of things. Words like orchestration, Kubernetes, container, security. All of those complexities are now at the center of making things easier for developers. This is a key value proposition and you guys at Codefresh are offering really the first enterprise delivery solution powered by Argo, which is an open source project. Again, open source driving really big changes. So let's get into it. And first of all, congratulations, and thanks for working on this project. What's so special about- >> Thank you for that. >> Argo the project, and why have you guys decided to build a platform on it, and where is this coming together? Take us through why this is so important. >> I think Argo has been a very fast growing open source project for multiple reasons. A, it has been built for the new way of building and deploying an application. It's cloud native. You mentioned Kubernetes becoming kind of the de facto way of running application. It's the de facto way to run automation and pipeline. 
But also Argo has been built from the ground up to the latest practices of how we deploy software. We deploy software now differently. We deploy it using a GitOps practice. We're deploying it using canary blue-green progressive deployment. And Argo has been built around these practices, around these technologies, and has been very much widely adopted by the community. In the past, the KubeCon you've mentioned, Argo was all over the place. And we were very glad to be working with the community to talk about what the next steps with Argo. >> Yeah, it's a really good point. I would like to just follow up on that because you see this being talked about. It always comes up, where is open source really outside of a pure contributors matter? And when you have corporations contributing, you seeing this has been the trend. You saw it with Lyft, with Envoy, companies doing more and more open source. This is part of a big collaboration. And again, this comes back down to this whole why it's relevant and why it's so special with Argo. Continue to talk about relationship because it's not just you guys, it's now community. >> Yeah, I can speak to that. The Argo project is something that we maintain in partnership with several other companies and really our relationship with it is that this is something that we're actively contributing to. This is something that we're helping build the roadmap on and planning the events around and all those kinds of things. And we're doing that because we really believe in this technology and we've built our platform on it. So when you deploy Codefresh, you're deploying technology that's built directly on Argo and is designed specifically to solve that problem that you spoke to at the top of the hour. We all want to deliver software faster. We all want to have fewer regressions. We want to have fewer breaking changes. We want software to be super reliable. We want to be comfortable with what we're doing. 
That's really why we picked Argo because that technology that we have it is to Raziel's point delivered in this new way. It's delivered using GitOps. And that's a whole revolution and change in the way that people build and deploy software. And bringing cohesion into that experience is so critical to building the confidence that lets you actually deploy often and frequently and more. >> Dan, if you don't mind just expanding on that one point about the problem you solve, because to me, this has been kind of that evolution. It's almost like, yeah, there's been problems, plural, and opportunities that you saw with those in growing markets like this with DevOps and DevSecOps and now cloud native. What is the catalyst behind all of this? What was the epiphany behind it? How did it get so much momentum? What was it really doing under the covers? >> Well, it's a very simple and easy to use set of tools. And that's one of the big things is that if you look at the ideas of GitOps and there's actually a foundation around this that were part of called open GitOps to GitOps working group under the CNCF. And those principles of, I want to, yes, do my software defined as code. I want to do my infrastructure defined as code and I need something monitoring by production run times and making sure that the declared desired state is always matching the actual state. Those principles have actually been around for a number of years. And with Kubernetes, we really unlocked an API that allowed us to start doing GitOps and this is why we bring in Argo and you see the rise of Argo CD and other workflows and what we've been doing is really because that technology has been unlocked now. So the ability to define how your software is supposed to run and now your entire software delivery stack should run, all defined and then monitored and then kept in check using the GitOps operator. That critical unlock is what's really driving the massive adoption. 
And like Raziel said, Argo is the fastest growing and most popular open source project for delivering software. And it's not even close. >> Yeah, this is really great point. And I want to get into that 'cause I want to know why, what you guys do on your platform versus the open source and get that relationship settled? Before we get there, though, I want to get your reaction to some of the commentary in the industry 'cause GitOps trend has been exploding into new directions. I mean, it used to be a term about 10 years ago called big data. And at the beginning where data was all big data. Now it was DevOps revolution around data as well. But now you're hearing people talk about big code. Like, I mean, the code bases are becoming so huge. So as a developer, you're leveraging large open source code. This idea of the software delivery with existing code and new code just adds to more code. There's more code being developed every day. >> There is more code delivered every day. And I think that organization realize today, almost in every industry that they have to pace up how fast and how frequent they update their software delivery. We're living in a world in which every aspect of our life has been disrupted by software and organization realize that they have to keep up and figure out how to deploy software more frequent and more lively. And I think, you mentioned that really Kubernetes, the cloud native became the de facto way of running application. I think most of organization has made that decision to move into cloud native. The second question is after, is okay, now we have all applications running, how fast and how more frequent we can deploy applications to the cloud native? And that's the stage in which we're super excited about Argo and our up platform because that's basically streamline the building application for these cloud native, deploying applications for the cloud native, and so on. >> Yeah, and I think that highlights the business value. 
You getting a lot of the conversations with businesses that say they want the modern application on the cloud scale. And at the end of the day, it comes down to speed and security. So how fast can I get the app out? How well does it work? Does it run performance? And does it have security? And I don't want a slow. >> Exactly. Exactly. It kind of oversimplifies it, but that's kind of the net net. So when you look at Argo open source, what's that's done and kind of where you guys are taking it. Can you talk about the differences between your enterprise version and the open source version and the interplay there, the relationship, the business model health customers can play on both sides or understand the difference? >> Sure. >> Go ahead. >> Go ahead, Raziel. Okay, so I think Argo, as you mentioned, is probably the most advanced technology today to both run pipelines. They're like events to trigger pipelines and Argo work for the one that pipelines, the Argo CD for GitOps and Rollout, for Canary blue-green strategies. And the adoption is really exploding. Just as an Advocate that we had in December, we have worked with the community and organized ArgoCon events in which we had initially kind of thought about 500 attendees. And so we have more than 4,000 registrants and majority of them are coming from enterprise. Now as we have talked to the community during this conference and figure out, okay, so what are the things that you're still missing? And that will help you take the benefit that you get from Argo to the next level. The few things that came up. One is Argo is a great technology. However, Argo now is fragmented into four projects. There is an advance. There is workflow. There is Argo CD. And there is Argo Rollout. And there is a need to bring them all together into a solid platform, solid one run time that can be easily installed, monitor all of these in a single UI, in a single control plane. That's one aspect. The second is the scalability. 
Really being able to manage it centrally across multiple clusters, not in one cluster. And what we bring in with the new one, we're so excited about this platform, is we're bringing that big. The first to get all of these four projects in one runtime, and one control plane, but also allow the community to run it across multiple cluster from one place getting into the solution, not just as a technology. >> If I may add to that, the value of bringing these projects together, it provides so many insights. So when you're trying to figure out, there's some breaking change that has been made, but you don't necessarily know where it is because you have a lot of microservices that are out there. You have a lot of teams working on it. By bringing all of these things together, we're able to look at all of the commits, all of the deployments, all of the Jira issues. All of these components combined together, so you really get a single view where you can see everything that's going on. And this is another element where when you're trying to deploy software at scale, you're trying to deliver it faster. People are getting a little bit overwhelmed because there are so many updates and so many different services and so many teams working that they're starting to miss that visibility. So this is what we want to bring into the ecosystem is we really want them that visibility to be super clear. And by bringing all of the Argo components, the Argo tools together, we're able to do that in a single dashboard. >> Yeah, so if I get this right, let me just double click on that because it sounds like, yeah, Argo's great. It's been organically growing, a lot of different components to it, but when you start getting into pushing code in an organization, you have, I call the old-school version control kind of vibe going on where it's like you don't know what's out there and how that affects the system as it's a distributed system, which cloud is. There are consequences when stuff breaks. 
So we all know that. Is that kind of where you guys are getting at? The challenge is actually the opportunity at the same time where it's all goodness, but then when you start looking at scale and the system impact, is that kind of where the open source and you guys pick up, is that right? >> This is one aspect. I think the second one is that again, when you look at each individual component of Argo, each provide a lot of value by itself. But when you sum it, the value of the sum is greater than the value of the individual. So when you're taking, really the events and workflow, Argo CD and Argo Rollout, and you bring them all together into single runtime. The value of its time is really automation all the way from code to cloud. It's not breaking into, there is like an automation for CI, there's an automation for CD, there's information for progressive delivery. It's actually automated all the way from the Git commit through the GitOps through the deployment strategy, and so on. And being able to monitor it and scale it in the enterprise scale. So, of course, it's helping enterprise and make Argo to some level more crucial for enterprise, if I may say, but second is really bringing all of these components together and get the outcome be greater than the individual parts. >> Yeah, that's a good point. Yeah, make it make a commercial grade, if you will, for enterprise who wants to have support and consistency and whatnot. What other problems are you solving? Dan, can you chime in on the whole, how you guys resolve some of these challenges for the enterprise? Because, again, some stability is key as well, but also the business benefit has got to be there for the development teams. >> Yeah. So there's several. One aspect is that the way that most people operate today is they essentially do a bunch of commands and engage with systems. And then hopefully at the end, they write those things to Git. 
And this is a little bit backwards if you think about it because there's a situation where you can end up with things in production that were never checked in, or maybe somebody is operating and they're making a change. If we look at most of the downtime that's occurred over the last two years, it's because people have flubbed a key when they were typing in a command or something like that. The way that this system works is that we provide an interface, both the CLI and the GUI, where those operations interactions actually end with a Git commit. So rather than doing an operation and then hopefully committing to Git, most of the operations are actually done first in Git, or if there is something that can't be done first in Git, it's maybe bootstrapped and then committed to Git as part of a single command. So this means you have end-to-end traceability. It also means your auditability is way better. And then the second, the other component that we're adding is that security and scale layer. So we are securing these things, we're building in single sign-on, and all those robust security things you would expect to have across all these instances. So many organizations, when they're building their software delivery tools, they have to deploy instances in many locations. And so this is how you end up with companies that have 5,000 instances that are all out of date and insecure. Well with Codefresh, if you need to deploy a component onto this end cluster or something like that, you may have thousands of them. All of those are monitored and taken care of in a centralized way, so I can do all of my updates at once. I can make sure they're all up to date. I'm not running with a bunch of known CVEs or something like that and it's clear. The components are also designed in an architectural way. So that only the information that is needed is ever passed out. So I can have a cluster that is remotely managed, that checks out code, that the control plane never has access to. 
So this hybrid model has been really popular with our customers. We have customers in healthcare, we have customers in defense and in financial services, all these regulated industries. The flow of information is really critical. So this hybrid model allows you to deploy something that has the ease of a SaaS solution, but has the security of an on-prem solution while being centrally managed and easy to take care of. >> Yeah, it's a platform. It's what it is. It's not a tool. It's not a tool anymore. It's a platform. >> Exactly. >> I think the foundational aspect of this is critical. And you mentioned automation before. If you're going to go end-to-end automation, you have some stuff in the system that whether it hasn't been checked in yet. I mean, we know what this leads to. Disaster or a lot of troubleshooting and disruption. That's what it seems to solve. Am I getting that right? Is that right? >> Yeah. >> Go ahead. >> Yeah, it helps automate the whole process. But as you say, it's really like identify what needs not to be going all the way to production and really kind of avoid vulnerabilities or any flaws in the software. So it automates everything, but in a way that the automation can identify issues and avoid them from coming into the production. >> Well, great stuff here. I've got to ask you guys now that you've got that settled. It's really, I see the value there, how you guys are letting it grow organically and with Argo and then building that platform for businesses and developers. It's really cool. And I see the foundational value there. It just only gets better. How are you guys contributing back to open source and helping the wider GitOps and Argo communities? Because this is, again, the rising tide that's bringing all the boats into the harbor, so to speak. So this is a good trend and people will acknowledge that. So how's this going to work as you guys work back into the open source community? 
>> So we work closely, both myself and the other maintainers work closely with the community on the roadmap and making sure that we're addressing issues. I think if you look in the last quarter, we probably have upwards of 40 or 50 different issues that we've solved in terms of fixing a bug or adding features or things like that. So making sure that these tools, which are really the undergirding components of our platform, they have to be really robust. They have to be really strong. And so we're contributing those things back. And then when it comes to the scalability side, these are things that we can build into the platform. So the value should be really clear. I can deploy this, I can manage it myself, I can build tools on top of it. And if I want to start doing it at scale, maybe I want support. That's when I really am going to go to Codefresh and start saying, let's get the enterprise-level platform. >> Awesome. GitOps, a lot of people like some naysayers may say, Hey, it's the latest fad. Is it here to stay? We were talking about big code earlier. GitOps, obviously seeing open source. Just every year, just get better and better and growth. I mean, I remember when I was breaking into the business, you have to sell under the table. Now it's all free and open and getting better every year. Just the growth of code. Is GitOps a fad? How do you talk to people who say that? I mean, besides slapping around saying wake up. I mean, how do you guys address that when people say it's just the latest fad? >> So if I may comment here and Dan feel free to chime in, I think that the GitOps is a continuation of a trend that everything is a source code. As a developer, many years ago myself and still writing code, always both code and code was the source of tool that's where we write the code. But now code actually is also describing how our application is running in production. And we've already seen kind of where it's get next. 
We also hear about infrastructure as a code. So now actually we're storing the code the way the infrastructure should be. And I think that the benefit of storing all this configuration in a source code, which has been built to track changes, to be enabled to roll back, that is just going to be here to stay. And I think that's the new way of doing things. >> All right, gentlemen, great. Closing statements. Please share an update on the company. What it's all about? What event you got coming? I know you got a big launch. Can you take us through? Take us home. >> Join on February 1st, we're going to be launching the Codefresh software delivery platform. Raziel and I will be hosting the event. We've got a number of customers, a number of members of the community who are going to be joining us to show off that platform. So you're going to be able to see it in action, see how the features work, and understand the value of it. And you'll see how it works with GitOps. You'll see how it helps you deliver software at scale. That's February 1st. You can get information at codefresh.io. >> Raziel, Dan, thanks for coming on. >> Thank you. >> Pretty good showcase. Thanks for sharing. Congratulations. Great venture. Loved the approach. Love the growth in cloud native and you guys are sure on the cutting edge. Fresh code, people love fresh code, codefresh.io. Thanks for coming on. >> Thank you. Thank you. >> Okay, this is the AWS Startup Showcase Open Cloud Innovations. Cloud scale, software, data. That's the future of modern applications being developed, changing the game to the next level. This is theCUBE's coverage, season two, episode one of the ongoing AWS Startup series here in theCUBE.
Ravi Maira, Snyk | AWS Startup Showcase S2 E1 | Open Cloud Innovations
>> Hello everyone. And welcome to theCUBE's presentation of the AWS Startup Showcase: Open Cloud Innovations. This is season two, episode one of our showcase ongoing series. We're covering very exciting startups from the AWS ecosystem. And we're going to be talking about the open source community. I'm your host, Lisa Martin. And today I'm excited to be joined by Ravi Maira, the head of product and partner marketing at Snyk. Ravi's here to talk with me about developer security for your digital transformation. Ravi, it's great to have you on theCUBE. >> Thanks Lisa. Nice to be here. >> So talk to me about what's going on in developer land. They're under a lot of pressure. A lot of them are building apps with open source, but what is Snyk seeing from the developer's lens? >> From the developer's lens? There's a lot of pressure to build fast and that's probably the biggest challenge, right? We're in a world of digital transformation where everybody's trying to compete no matter what industry you're in, right on the technology and on the quality of your software or the capabilities of your software, which puts a lot of pressure on developers to build fast. That causes them to do a few things. One, it causes them to build, to develop in a way where they're doing constant iteration and so models that would have enabled a security check to come in at the end aren't working anymore because they don't have time for those security checks. And it also causes them to do a good thing, which is to leverage other people's code when they can, like open source. So they can just focus on their own functionality. And that's true, whether they're building new functionality or modernizing legacy applications by moving them to the cloud. >> So it's a high percentage of app code, 80 to 90% is open source. Then that opens up. Talk to me about where the vulnerabilities are and how you guys help customers and developers address that. 
>> Yeah, the vulnerabilities can be anywhere, but the key is that point, right? If you're using open source in a typical application, 80 to 90 plus percent of the lines of code in that application are going to be open source code, their code. Somebody else wrote that you don't have a direct relationship with, and yet you own the risk that whatever they may have, whatever vulnerabilities may be in their code, you now own that risk. So what we're trying to do, what Snyk is trying to do, is enable developers to leverage open source, but do that securely. And then we also help them with the 10% that they write as well, and do that all in one really easy environment for a developer that fits into their workflow and into their daily life. >> So security should shift left. I've had the chance to talk with a couple of, do you call them Snykers? Snykers? Oh, you do. A couple of Snykers recently. We've talked about security shifting left. That's not a new concept, but I'd love to dig in more to how Snyk and AWS do that. And I'm also curious if what you're doing helps. We've talked about the cybersecurity skills gap for a long time. Now, does what you guys do help address that? >> It does because it's really leveraging a resource that is there, right? The number of developers worldwide is growing from, depending on who you believe for these numbers and their estimated numbers, right? But 25 million to 50 million over roughly a five-year period that's already started. So we're somewhere in the 30 now, right? Meanwhile, the security jobs, there's something like 9 million cyber security people in the world, and that's all cyber security roles. It's a much shorter, a smaller chunk that are application security folks. And there's three and a half million unfilled cybersecurity roles. So you can't get cyber security people and keep using the current model you're using. But just scale it linearly, you have to change things. 
And Snyk's belief is the way you change things is you have the developers be part of your security solution, which means they need to have the ability to not only develop, but to develop securely. And that's our concept of developer security. We build tools and a platform that enables developers to be the first part of the security solution and enable security teams rather than individually auditing and fixing things to develop a process, govern the process, guide the development teams, but let the developers own that first step of security. And that's really how you solve that scale problem. >> When you're talking with customers, is this kind of a better together scenario, developers and security folks? Are you helping them align culturally because this is a change? >> Absolutely. I think one of the biggest misconceptions out there is that there's a tension between security and development. And I think that's because organizationally there might be, right. Security is responsible for risk and developers responsible for speed of innovation and the faster you innovate, potentially there's more risk. So there might be some organizational tension, but at the human level, people understand each other, they understand the pressures that the other one's going through. They just don't have an easy way to work together. And if you can help them get that, then it really takes off. The relationships form, they'll build human to human programs like security champion programs and things to integrate the teams because they're both going after the same goal, both sides want to build awesome technology and grow in whatever market they're in. >> Right. And of course, with the need to do that at today's market speed and scale is a great thing that you guys are doing to facilitate that collaboration. And of course the security, let's kind of take a double-click now into the different integrations that Snyk has with AWS services. 
I know there's quite a few. >> There's quite a few. The biggest one, probably the easiest one for the integrations is the native integration that we have with CodePipeline. So it makes it easy for developers as they're finishing their builds and deploying to have an automatic security check that comes in, understands if there's things that need to be fixed before this really should be released, and then they can fix it and go forward. But we integrate across with our API across a lot of other services, ECR, EKS, CodeBuild, so that wherever the developer is working, there's a way for us to integrate with them as they're building across their AWS development process. >> Okay. So giving them plenty of opportunity, let's dig into the platform. Talk to me about the platform, how it's really aimed at developers. You alluded to this a little bit, but I'd like to kind of take a double-click into the technology. >> Sure. The platform, part of it is that idea of it, we've wrapped it all as a developer tool. But the thing that makes Snyk unique in this is not only we have the idea that we wanted to shift left in time, but we wanted to shift left in ownership. So the developers are the primary user and we built a tool that is a developer tool that happens to do security. And we've extended that tool into a platform by enabling it to connect into the developer's tools, sharing information across different elements of what it's securing. So for example, the open source that we're scanning for you and testing to find vulnerabilities, we're also looking at the vulnerabilities in your code and where they may overlap or intersect. We can adjust priorities so that you might not need to fix something. Let's say you're using an open source package, a package that has a vulnerability, but your code is never going to access that, you don't need to fix it. >> So you can prioritize that one lower, right? Same thing with Kubernetes and containers. 
You may have a container vulnerability, but the way you're going to leverage the container, that won't be used, so we can adjust the priority to make it easy for the developer. And that's the other big thing that's different about a developer security platform than a typical security tool. A typical security tool is an audit tool; it's designed to output, here are all the things you have a problem with. A developer security tool is a fixing tool. It's just defined as a, here are the problems you have developed with, here's how you fix it, and go back to building on that. That prioritization is a big part of that, because you can say, here's what you don't need to worry about. And then you can focus the rest of your energy on helping developers fix the problem either by giving them really good advice or automating it for them and saying, Hey, here's a button click that will generate a pull request. And your problem is fixed. >> It must go a long way to improving developer productivity, one facilitating that speed and the agility with which they need to work, but also from a developer kind of crowd sourcing, crowd swell perspective. I imagine, talk to me about what some of the voices are, the developers that are in your community. What are some of the things that they're saying in terms of how much faster they're able to work, they're able to get those priorities established with automation so much faster? >> Well, that's the biggest thing. The productivity gain happens because of the benefit of shift left, right? You're testing earlier. You're finding it at an earlier time when it's easier to fix, but that's because they're the ones doing it, right. If they're waiting to hand off to an audit report and then it comes back, even if somebody is giving them the audit faster, it's still after they've moved on. And the other way people try to solve it as well. They'll say, well, I'll take a security tool then to hand it to the developer and they can run it. 
But so developers are not security experts. So the tool needs to understand what they know and what they don't know, and working in an upload. And that's what developers generally say to us because Snyk makes it easy to work, but also focuses on the fix and helps them, guides them to that answer. Then they're able to go much faster. When we're evaluated by companies who are looking for a security solution, if the developers get involved in that evaluation, they'll choose Snyk. >> So I'm curious a little bit about, as the head of product marketing, I'm thinking customer advisory boards, things like that. What's the collaboration like between Snyk and the developers to really tune and push the technology forward? I imagine it's quite collaborative. >> Quite collaborative and it's across a lot of spectrum. So we do have a customer advisory board and that's generally leaders, right? That's either security leaders or development leaders or operations leaders who are in that advisory board. And they're giving us input on things they need for program-wide governance or program-wide adoption. We also have a developer community where we're talking directly to developers and that's where we get a lot of, Hey, here's how I could use this better as a developer. And that guides where we focus features that help developers work better, whether it's integrations with our IDEs or whether it's the way we present information, help them prioritize. And then the third part is we have a lot of people using the tool because it has a free model, right? As a developer tool, we have a freemium model. There's a level of Snyk that developers can use that they don't need to pay for. That's not a temporary trial, it's forever. If you want to use it at that level and we can observe what they're doing. So that observability gives us another insight into where folks get challenged, run into struggles. And then we can look to address those in our roadmap as well. 
So all of that together really helps us drive the product forward. >> What is the perspective from the analyst view? You talked a little bit about the perspective from the customer. We'll get into a customer story in a bit, but I'd love to know what are the Gartners saying? >> Well, Gartner especially put us, we debuted in their Magic Quadrant for application security last year. And we debuted as a visionary and sort of the highest part of the visionary quadrant you could get in before you crossed over into leader, which is kind of unheard of for a first time into the quadrant. And the main reason for that is that the way those Magic Quadrants are built is they have key capabilities and then they score companies against key capabilities and they weight those capabilities, you know, by order of importance. And Gartner has started to put some of this notion of developer security and cross cloud native application security into those key capabilities. And those tend to align really well with what Snyk is. So they have, for example, a software composition, which is sort of open source security analysis, where we're the top ranking in that, we're the top ranking in container security, we're the top ranking in developer enablement. So that's pulling us, so Gartner and the analyst community is seeing this same demand coming from their customers. And that's really aligning to where our vision is. >> And in terms of kind of propelling that vision forward, the voice of the customer, the voice of the analyst, aligning with what you guys are doing to kind of lead the vision going forward. I want to get into some of the intelligence before we kind of break into a customer example. Talk to me a little bit about Snyk's security intelligence, what the key capabilities are, and some customers that are leveraging it. >> Sure. 
>> The biggest thing is with all the developer tool wrapping that needs to be in this product, and it is a developer tool. It's got a developer's heart, but it has to have a security brain because it still is a security tool. There are some developer tools. We try to have little check the box capabilities of security and they'll crowdsource for vulnerabilities potentially. But if you're doing this, you need to make sure that all the vulnerabilities that could be found are in the database to be able to be found, that the database is comprehensive, that it's timely. They get in very quickly, that it's accurate. You don't waste time on false positives because that will turn developers off faster than anything. And that it's actionable. So when it does find something, it helps you go forward with it. And that's where Snyk's really focused on. So we collect data from multiple public sources. >> We also have a fairly large proprietary research team that curates that information, determines what needs to go in. Sometimes we'll adjust priorities. And we also get a lot of contributions from other sources like community contributions. Again, that big free user base of ours is giving us input. Academia, open source groups are also in there. Social media trends. So if we see something trending on Twitter, then that'll not only get it into the database, but it'll drive prioritization. And that's a big part of what's in Snyk Intel, which is the name we use for our vulnerability database. We also have a machine learning algorithm that's constantly looking at all the code in public applications and repositories. And we use that to train for our own proprietary code testing tool, but it also finds things there as well. So it brings a really good source of information that helps people make sure you're finding the vulnerabilities, you're prioritizing them correctly and fixing them. 
And so Amazon's one who is the, you know, one of the folks that's using that tool, where we're one of the primary sources of Amazon Inspector for open source vulnerabilities, as well as a bunch of other security companies like Rapid7, Tenable and others. >> One of the things I was reading from, I'm always kind of looking at the differentiators and I'm sure you are as the head of product marketing and partner marketing, but it sounds like the database is a key differentiator, finding vulnerabilities up to what is it? 46 days faster than competitors. >> Yeah. I mean, faster than especially public sources, which are the easier ones to know how you're doing against, but that's a big part of us. So when I talked about those categories, that's really what we measure ourselves against. How are we doing in terms of comprehensive? Do we have the vulnerabilities that we should have? So we have over four times the number of vulnerabilities as the next largest publicly available database, we find them faster, so timely. So that's at 46 days getting it in faster than other public sources, they get into our solution and then accuracy. Again, it's not a stat we can test because you can't test it just from the database. You have to run the tools of others in this space. And we don't have those, but making sure that you're not hitting a lot of false positives is a big part of it as well. >> Got it. Okay. And we only have a couple minutes left, but there's two more areas that I want to dig into with you, just scratch the surface. One is Log4Shell. I was reading, Snyk says this: "We were the perfect solution at the perfect time." Unpack that for me in the next minute or so. >> Yeah. And that's a bit, and it kind of wraps back to what we were talking about earlier. Everybody's using open source. 
If you're in the Java world, a lot of folks had Log4Shell and were using Log4Shell for logging as a part of their applications. And so a lot of our customers, I think it was over 30%, 36% of our paying customers had the vulnerability. And you would only have the vulnerability if you're Java. So a very large percentage of our Java-using customers had the vulnerability, but because they were using Snyk, they were able, once we put it in the database, which we did the day it was disclosed, they were able to find it and fix it very quickly. So 91% of our customers fixed that vulnerability in just two days, 98%, because this was a rolling thunder event, right. There was a vulnerability. And then there was a second vulnerability in the fix. And then there was a vulnerability, even in the fix of that. So the second vulnerability that came out, because everybody had been ready for it from the first time, 98% fixed within two days. Whereas the median number of days to generally fix a vulnerability is over two months. So really fast addressing the solution. >> So those are really impressive. And speaking of stats, I wanted to get into just really quickly a case study that really shows that lasting is one of your customers. One of your many customers, big developer community there, about 3,500 developers. Give me some kind of the high level of business outcomes that at Lasagne is achieving thanks to Snyk. >> Yeah. I mean the biggest one is that almost 99% of their applications are deployed in containers. So being able to have the containers tested for vulnerabilities as they're being deployed, before they're being deployed, is huge for them to reduce the risk of a vulnerability. They had a 65% reduction in high severity container vulns a few months after using Snyk across all those developers, which really reduces your risk profile of your cloud native applications. 
They're obviously a big AWS user as well. So for them, that was the big thing. And again, it goes to that scale, right? They've got 3,500 developers, more than 3,500 developers. If you try to go through the security team and have the security team fixing all those things, you'll just never catch up. >> Got it. Last question. Where can I get this? Available through the AWS Marketplace? You mentioned the freemium model, give folks kind of a direction on where to go. >> Yeah. So I would say if you're someone in the security team, if you're a buyer, the AWS Marketplace is a great place to go because you can probably leverage your existing spend commits with AWS. It's easy to purchase, easy billing, et cetera. If you're a developer, then there is this free version where you might go and just start using it and get comfort for it. And if you are a buyer, talk to your developers because there's a pretty good chance someone in your company that's a developer is already using Snyk, will be comfortable with it. These solutions are only successful if the developers actually use it, you can't shift left unless the developers pick it up and use it. So using the one that developers are already using is probably a good idea. >> Awesome. Ravi, this has been a great conversation, so much momentum at Snyk. You're the third Snyker I've gotten to speak to in the last month and it's pretty exciting, but thanks for walking us through the technology, the capabilities, the differentiators, the voice of the customer, the voice of the analyst, we appreciate your insights and your time. And we look forward to next time we talk to you. >> Terrific. Lisa, I look forward to it as well, but there's a lot more Snykers to go through before you get back to me again. I guess. >> I look forward to adding to my repertoire of Snyker interviews, Ravi. Thanks so much. Thank you. For Ravi Maira, I'm Lisa Martin. 
You're watching this CUBE interview as part of the AWS Startup Showcase. Stick around, more great content coming up next.
Loris Degioanni | AWS Startup Showcase S2 Ep 1 | Open Cloud Innovations
>>Welcome to theCUBE's presentation of the AWS Startup Showcase: Open Cloud Innovations. This is season two, episode one of the ongoing series covering exciting hot startups from the AWS ecosystem. Today's episode one of season two theme is open source community and the open cloud innovations. I'm your host, John Furrier of theCUBE. And today we're excited to be joined by Loris Degioanni, who is the CTO, chief technology officer, and founder of Sysdig, founded in his backyard with some wine and beer. Great to see you. We're here to talk about Falco, finding cloud threats in real time. Thank you for joining us, Loris. >>Thanks. Good to see you. >>Love that your company was founded in your backyard. Classic startup story. You have been growing very, very fast. And the key point of the showcase is to talk about the startups that are making a difference and that are winning and doing well. You guys have done extremely well with your business. Congratulations, but thank you. The big theme is security and as organizations have moved their business critical applications to the cloud, the attackers have followed. This is really important in the industry. You guys are in the middle of this. What's your view on this? What's your take? What's your reaction? >>Yeah. As we, as an ecosystem, are moving to the cloud, as more and more we are developing cloud native applications, we are relying on CI/CD, we are relying on orchestration and containers, security is becoming more and more important. And I would say more and more complex. I mean, we're reading every day in the news about attacks, about data leaks and so on. There's rarely a day when there's nothing major happening that we can see in the press from this point of view. And definitely things are evolving. Things are changing in the cloud. For example, Sysdig just released a cloud native security and usage report a few days ago.
And the mundane things that we found among our user base, for example, 60, 66% of containers are running as root. So still many organizations are adopting a relatively relaxed way to deploy their applications. Not because they like doing it, but because it tends to be, you know, easier and with a little bit less friction. >>We also found that 27% of users have unnecessary root access, and that 73% of the cloud accounts have public S3 buckets. This is all stuff that is all good, but can generate consequences when you make a mistake. Like typically, you know, your data leaks not because of super sophisticated attacks, but because somebody in your organization forgets maybe some data on a public S3 bucket, or because some credentials that are not restrictive enough maybe are leaked to another team member or a Git, you know, repository or something like that. So as infrastructures and the software become, let's say, more sophisticated and more automated, there's also at the same time more risks and opportunities for misconfigurations that then tend to be, you know, very often the source of issues in the cloud. >>Yeah, those self-inflicted wounds definitely come up. We've seen people leaving S3 buckets open, you know, it's user error, but, you know, those are small little things that get taken care of pretty quickly. That's just hygiene. It's just discipline. You know, most of the sophisticated enterprises are moving way past that, but now they're adopting more cloud native, right. And as they get into the critical apps, securing them has been challenging. We've talked to many CEOs and CSOs, and they say that to us. Yeah. It's very challenging, but we're on it. I have to ask you, what should people worry about when securing the cloud, because they know it's challenging, then they'll have the opportunity on the other side, what are they worried about?
What do you see people scared of or addressing, or what should I be worried about when securing the cloud? >>Yeah, definitely. Sometimes when I'm talking about security, I like to compare, you know, the old data center and the old monolithic applications to a castle, you know, a middle-age castle. So what did you do to protect your castle? You used to build very thick walls around it, and then a small entrance and be very careful about the entrance, you know, protect the entrance very well. So what we used to do in that data center was protect everything, you know, the whole perimeter in a very aggressive way with firewalls and making sure that there was only a very narrow entrance to our data center. And, you know, as much as possible, like active security there, like firewalls or this kind of stuff. Now we're in the cloud. Now, everything is much more diffused, right? Our users, our customers are coming from all over the planet, every country, every geography, every time, but also our internal team is coming from everywhere because they're all accessing a cloud environment. >>You know, they're often from home, from different offices, again, from every different geography, every different country. So in this configuration, the metaphor that I like to use is an amusement park, right? You have a big area with many important things inside, and the users and operators are coming from different entrances that you cannot really block. You know, you need to let everything come in and operate together. In these kinds of environments, the traditional protection is not really effective. It's overwhelming. And it doesn't really serve the purpose that we need. We cannot build a giant wall around our amusement park. We need people to come in. So what we're finding is that understanding, getting visibility and doing, if you Rheodyne is much more important.
So it's more like we need to replace the big walls with a granular network of security cameras that allow us to see what's happening in the different areas of our amusement park. And we need to be able to do that in a way that is real time and allows us to react in a smart way as things happen, because in the modern world of cloud, five minutes of delay in understanding that something is wrong means that you're already being, you know, attacked and your data's already being... >>Well, I also love the analogy of the amusement park. And of course, certain rides, you need to be a certain height to ride the rollercoaster. I guess that's IT credentials or security credentials, as we say, but in all seriousness, the perimeter is dead. We all know that. Also moats were relied upon as well in the old days, you know, you secure the firewall, nothing comes in, goes out, and then once you're in, you don't know what's going on. Now that's flipped. There's no walls, there's no moats, everyone's in. And so you're saying this kind of security camera kind of model is key. So again, this topic here is securing real time. Yeah. How do you do that? Because it's happening so fast. It's moving. There's a lot of movement. It's not at rest, there's data moving around fast. What's the secret sauce to making real identifying real-time threats in an enterprise? >>Yeah. And in our opinion, there are some key ingredients. One is granularity, right? You cannot really understand the threats in your amusement park if you're just watching these from a satellite picture. So you need to be there. You need to be granular. You need to be located in the areas where stuff happens. This means, for example, in security for the cloud, in runtime security, it's important to have your sensors that are distributed, that are able to observe every single endpoint. Not only that, but you also need to look at the infrastructure, right?
From this point of view, cloud providers like Amazon, for example, offer nice facilities. Like for example, there's CloudTrail in AWS that collects in a nice, opinionated, consistent way the data that is coming from multiple cloud services. So it's important from one point of view to go deep into the endpoint, into the processes, into what's executing, but also collect this information like the CloudTrail information and being able to correlate it. There's no full security without covering all of the basics. >>So security is a matter of both granularity and being able to go deep and understanding what every single item does, but also being able to go broad and collect the right data, the right data sources, and correlate it. And then the real time is really critical. So decisions need to be taken as the data comes in. So the streaming nature of security engines is becoming more and more important. So the step one of course, security, especially cloud security posture management, was very much let's poll once in a while, let's invoke the API and see what's happening. This is still important. Of course, you know, you need to have the basics covered, but more and more, the paradigm needs to change to, okay, the data is coming in second by second, instead of asking for the data manually once in a while. Second by second, the moment it arrives, you need to be able to detect, correlate, take decisions. And so, you know, machine learning is very important. Automation is very important. The rules that are coming from the community on a daily basis are very important. >>Let me ask you a question, 'cause I love this topic because it's a data problem at the same time. There's some network action going on. I love this idea of no perimeter.
You're going to be monitoring anything, but there's been trade-offs in the past, overhead involved, whether you're monitoring or putting probes in the network or the different, there's all kinds of different approaches. How does the new technology with cloud and machine learning change the dynamics of the kinds of approaches? Because it's kind of not old tech, but the same similar concepts to network management, other things. What's going on now that's different and what makes this possible today? >>Yeah, I think from the friction point of view, which is one very important topic here. So this needs to be deployed efficiently and easily and as transparent as possible, everywhere, everywhere to avoid blind spots and making sure that everything is scheduled in. From this point of view, it's very important to integrate with the orchestration, it's very important to make use of all of the facilities that Amazon provides, and it's very important to have a system that is deployed automatically and not manually. That is, in particular, the only way to avoid blind spots, because if manual deployment is employed, somebody would forget, you know, to deploy somewhere where it's important. And then from the performance point of view, very much, for example, with Falco, you know, our open source runtime security engine, we really took key design decisions at the beginning to make sure that the engine would be able to support in Paris, millions of events per second, with minimal overhead. >>You know, barely measurable overhead. When you want to design something like that, you know that you need to accept some kind of trade-offs. You need to know that you need to maybe limit a little bit this expressiveness, you know, or what can be done, but ease of deployment and performance were more important goals here.
And you know, it's not uncommon for us these days to have users of Falco or commercial customers that have tens of thousands, hundreds of thousands of machines. You know, EC2 machines, and sometimes millions of containers. And in these environments, lightweight is key. You want depth, but you want overhead to be really minimal and... >>Okay, so an amusement park, a lot of diverse applications. So integration, I get that. Orchestration brings back the Kubernetes angle a little bit and Falco and per overhead and performance, cloud scale. So all these things are working in favor. If I get that right, is that, am I getting that right? You get the cloud scale, you get the integration and open. >>Yeah, exactly. And like ingredients of a recipe, you know, and with these ingredients, it's possible to bake a recipe to have a plate that can be more usable, more effective and more efficient than maybe the plates that we were doing in the previous direction. >>Oh, so I've got to ask you about Falco because it's come up a lot. We talked about it on our CUBE conversations already on the internet. Check that out. And a great conversation there. You guys have close to 40 million plus million downloads of this. You have also AWS Fargate integration, so some significant traction. What does this mean? I mean, what is it telling us? Why is this successful? What are people doing with Falco? I see this as a leading indicator, and I know you guys were sponsoring the project, so congratulations, and it propelled your business, but there's something going on here. What is this a leading indicator of? >>Yeah. And for the audience, Falco is the runtime security tool of the cloud native generation. And so when we, the Falco, we were inspired by previous generation, for example, network intrusion detection system tools, and a post protection tools and so on.
But we created essentially a unique tool that would really be designed for the modern paradigm of containers, cloud, CI/CD, and so on. And Falco essentially is able to collect a bunch of granular information from your applications that are running in the cloud and is a rules engine that is based on policies that are driven by the community, essentially, that allow you to detect misconfigurations, attacks and anomalous conditions in your cloud, in your cloud applications. Recently, we announced the extension of Falco to support cloud infrastructure runtime security by parsing cloud logs, like CloudTrail and so on. So now Falco can be used at the same time to protect the workloads that are running in virtual machines or containers. >>And also the cloud infrastructure. To give the audience a couple of examples, Falco is able to detect if somebody is running a shell in a Redis container, or if somebody is downloading a sensitive file from an S3 bucket, all of these in real time. With Falco, we decided to go really with CR study. This is Degas was one of the team members that started it, but we decided to go to the community right away, because this is one other ingredient. We were talking about the ingredients before, and there's not a successful modern security tool without being able to leverage the community and empower the community to contribute to it, to use it, to validate and so on. And that's also why we contributed Falco to the Cloud Native Computing Foundation. So that Falco is a CNCF tool and is blessed by many organizations. We are also partnering with many companies, including Amazon. Last year, we released that Fargate support for Falco. And that is a project that was done in cooperation with Amazon, so that we could have strong runtime security for the containers that are running in. >>Well, I've got to say, first of all, congratulations.
And I think that's a bold move to donate, or not donate, contribute to the open source community, because you're enabling a lot of people to do great things. And some people might be scared. They think they might be foreclosing and beneficial in the future, but in reality, that is the new business model, open source. So I think that's worth calling out and congratulations. This is the new commercial open source paradigm. And it kind of leads into my last question, which is why is security well-positioned to benefit from open source, besides the fact that the new model of getting people enabled and getting scale and getting standards like you're doing makes everybody win. And again, that's a community model. That's not a proprietary approach. So again, source again, big part of this. Why would security benefit from open source? >>I am a strong believer. I mean, we are in a battle, we could say we are in a war, right? The good guys versus the bad guys. The internet is full of bad guys. And these bad guys are coordinated, are motivated, are sometimes well funded and well equipped. We win only if we fight this war as a community. So the old paradigm of vendors building their own ivory towers, you know, their own self-contained ecosystems, and that us as users, as customers, every many different, you know, environments that don't communicate with each other, just doesn't take advantage of our capabilities. Our strength is as a community. So we are much stronger against the big guys and we have a much better chance of winning this war if we adopt a paradigm that allows us to work together. Think only about, for example, I don't know, companies need to train, you know, the workforce on the security best practices, on the security tools.
>>It's much better to standardize on something, build the stack that is accepted by everybody, and talent can focus on learning the stack and becoming a master of the stack, rather than every single organization naming the different tool. And then it's very hard to attract talent and to have the right, you know, people that can help you with your issues, with your goals. So the future of security is going to be open source. I'm a strong believer in that, and we'll see more and more examples like Falco of initiatives that really start with the community and for the community. >>Like we always say, open wins, always turn the lights on, put the code out there. And I think the community model is winning. Congratulations, Loris Degioanni, CTO and founder of Sysdig, congratulations on your success. And thank you for coming on theCUBE for the AWS Startup Showcase: Open Cloud Innovations. Thanks for coming on. Okay. This is theCUBE, stay with us all day long, every day with theCUBE, check us out at thecube.net. I'm John Furrier. Thanks for watching.
Andrew Backes, Armory & Ian Delahorne, Patreon | AWS Startup Showcase S2 E1 | Open Cloud Innovations
(upbeat music) >> Welcome to the AWS Startup Showcase, theCUBE's premiere platform and show. This is our second season, episode one of this program. I'm Lisa Martin, your host here with two guests here to talk about open source. Please welcome Andrew Backes, the VP of engineering at Armory, and one of our alumni, Ian Delahorne, the staff site reliability engineer at Patreon. Guys, it's great to have you on the program. >> Thank you. >> Good to be back. >> We're going to dig into a whole bunch of stuff here in the next fast paced, 15 minutes. But Andrew, let's go ahead and start with you. Give the audience an overview of Armory, who you guys are, what you do. >> I'd love to. So Armory was founded in 2016 with the vision to help companies unlock innovation through software. And what we're focusing on right now is helping those companies make software delivery continuous, collaborative, scalable, and safe. >> Got it, those are all very important things. Ian, help the audience, if anyone isn't familiar with Patreon, it's a very cool platform. Talk to us a little bit about that, Ian. >> Absolutely, Patreon is a membership platform for creators to be able to connect with their fans and for fans to be able to subscribe to their favorite creators and help creators get paid and have them earn a living with, just by being connected straight to their audience. >> Very cool, creators like podcasters, even journalists, video content writers. >> Absolutely. There's so many, there's everything from, like you said, journalists, YouTubers, photographers, 3D modelers. We have a nightclub that's on there, there's several theater groups on there. There's a lot of different creators. I keep discovering new ones every day. >> I like that, I got to check that out, very cool. So Andrew, let's go to your, we talk about enterprise scale and I'm using air quotes here. 'Cause it's a phrase that we use in every conversation in the tech industry, right? Scalability is key.
Talk to us about what enterprise scale actually means from Armory's perspective. Why is it so critical? And how do you help enterprises to actually achieve it? >> Yeah, so the, I think a lot of the times when companies think about enterprise scale, they think about the volume of infrastructure, or volume of software that's running at any given time. There's also a few more things that go into that just beyond how many EC2 instances you're running or containers you're running. Also velocity, count how much time does it take you to get features out to your customers, and then stability and reliability. Then of course, in enterprises, it isn't as simple as everyone deploying to the same targets. It isn't always just EC2, a lot of the time it's going to be multiple targets, EC2, it's going to be ECS, Lambda. All of these workloads are out there running. And how does a central platform team or a tooling team at a site enable that for users, enable deployment capabilities to those targets? Then of course, on top of that, there's going to be site specific technologies. And how does your deployment tooling integrate with those site specific technologies? >> Andrew, is enterprise scale now even more important given the very transformative events we've seen the last two years? We've seen such acceleration, cloud adoption, digital transformation, really becoming a necessity for businesses to stay alive. Do you think that, that scale now is even more important? >> Definitely, definitely. The, what we see, we've gone through a wave of the, the first set of digital transformations, where companies are moving to the cloud and we know that's accelerating quite a bit. So that scale is all moving to the cloud and the amount of multiple targets that are being deployed to at any given moment, they just keep increasing. So that is a concern that companies need to address. >> Let's talk about the value, but we're going to just Spinnaker here in the deployment.
But also let's start, Andrew, with the value that Armory delivers on top of Spinnaker. What makes this a best of breed solution? >> Yeah, so on top of open-source Spinnaker, there are a lot of other building blocks that you're going to need to deploy at scale. So you're going to need to be able to provide modules or some way of giving your users a reusable building block that is catered to your site. So that is one of the big areas that Armory focuses on, is how can we provide building blocks on top of open source Spinnaker that sites can use to tailor the solution to their needs. >> Got it, tailor it to their needs. Ian, let's bring you back into the conversation. Now, talk to us about the business needs, the compelling event that led Patreon to choose Spinnaker on top of Armory. >> Absolutely. Almost three years ago, we had an outage which resulted in our payment processing slowed down. And that's something we definitely don't want to have happen because this would hinder creators' ability to get paid on time for them to be able to pay their employees, pay their rent, hold that hole, like everything that, everyone that depends on them. And there were many factors that went into this outage and one of them we identified is that it was very hard for us to, with our custom-built deploy tooling, to be able to easily deploy fast and to roll back if things went wrong. So I had used Spinnaker before at a previous employer early on, and I knew that, that would be a tool that we could use to solve our problem. The problem was that the SRE team at Patreon at that time was only two people. So Spinnaker is a very complex product. I didn't have the engineering bandwidth to be able to set up, deploy, manage it on my own. And I had happened to hear of Armory just that week before and was like, "This is the company that could probably help me solve my problems." So I engaged early on with Andrew and the team.
And we migrated our custom deploy to, into Spinnaker and helped stabilize our deploys and speed them up. >> So you were saying that the deployments were taking way too long before. And of course, as you mentioned from a payment processing perspective, that's people's livelihoods. So that's a pretty serious issue there. You found Armory a week into searching, this seems like stuff went pretty quickly. >> And the week before the incident, they had randomly, the, one of the co-founders randomly reached out to me and was like, "We're doing this thing with Armory. You might be interested in this, we're doing this thing with Spinnaker, it's called Armory." And I kind of filed it away. And then it became fortuitous that we were able to use them, like just reach out to them like a week later. >> That is fortuitous, my goodness, what a good outreach and good timing there on Armory's part. And sticking with you a little bit, talk to us about what it is that the business challenges that Armory helps you to resolve? What is it about it that, that just makes you know this is the exact right solution for us? Obviously you talked about not going direct with Spinnaker as a very lean IT team. But what are some of the key business needs that it's solving? >> Yeah, there's several business things that we've been able to leverage Armory for. One of them, as I mentioned, they, having a deployment platform that we know will give us stable deploys has been very important. There's been, they have a policy engine module that we use for making sure that certain environments can only be deployed to by certain individuals for compliance issues. We definitely, we use their pipelines as code module for being able to use, build, to build reusable deploy pipelines so that software engineers can easily integrate Spinnaker into their builds. Without having to know a lot about Spinnaker.
There's like here, take these, take this pipeline module and add your variables into it, and you'll be off to the races deploying. So those are some of the value adds that Armory has been able to add on top of Spinnaker. On top of that, we use their managed products. So they have a team that's managing our Spinnaker installation, helping us with upgrades, helping up the issues, all that stuff that unlocks us to be able to focus on building our creators. Instead of focusing on operating Spinnaker. >> Andrew, back to you. Talk to me a little bit about as the VP of engineering, the partnership, the relationship that Armory has with Patreon and how symbiotic is it? How much are they helping you to develop the product that Armory is delivering to its customers? >> Yeah, one of the main things we want to make sure we do is help Patreon be successful. So that's, there are going to be some site specific needs there that we want to make sure that we are in tune with and that we're helping with, but really we view it as a partnership. So, Patreon has worked with us. Well, I can't believe it's been three years or kind of a little bit more now. But it's, it, we have had a lot of inner, a lot of feedback sessions, a lot of going back and forth on how we can improve our product to meet the needs of Patreon better. And then of course the wider market. So one thing that is neat about seeing a smaller team, SRE team that Ian is on, is they can depend on us more. They have less bandwidth with themselves to invest into their tooling. So that's the opportunity for us to provide those more mature building blocks to them. So that they can combine those in a way that makes them, that meets their needs and their business needs. >> And Ian, back to you, talk to me about how has the partnership with Armory? You said it's been almost three years now. How has that helped you do your job better as an SRE? What are some of the advantages of that, to that role? >> Yeah, absolutely. 
Armory has been a great partner to work with. We've used their expertise in helping to bring new features into the open-source Spinnaker. Especially when we decided that we wanted to not only deploy to EC2 instances, but we wanted to deploy to Elastic Container Service and Lambdas to shift from our normal instance-based deploys into the containerization. There were several warrants around the existing Elastic Container Service deploy, and Lambda deploys that we were able to work with Armory and have them champion some changes inside open-source as well as their custom modules to help us be able to shift our deploys to those targets. >> Got it. Andrew, back over to you, talk to me, I want to walk through, you talked about from an enterprise scale perspective, some of the absolute critical components there. But I want to talk about what Armory has done to help customers like Patreon to address things like speed to market, customer satisfaction as Ian was talking about, the compelling event was payment processing. A lot of content creators could have been in trouble there. Talk to, walk me through how you're actually solving those key challenges that not just Patreon is facing, but enterprises across industries. >> Yeah, of course, so the, talking to specifically to what brought Ian in was, a problem that they needed to fix inside of their system. So when you are rolling out a change like that, you want it to be fast. You want to get that change out very quickly, but you also want to make sure that the deployment system itself is stable and reliable. So the last thing you're going to want is any sort of hiccup with the tool that you're using to fix your product, to roll out changes to your customers. So that is a key focus area for us in everything that we do is we make sure that whenever we're building features that are going to expand capabilities, deployment capabilities. 
That we're, we are focusing firstly on stability and reliability of the deployment system itself. So those are a few features, a few focus areas that we continually build into the product. And you can, I mean, I'm sure a lot of enterprises know that as soon as you start doing things at massive scale, sometimes the stability and reliability, can, you'll be jeopardized a little bit. Or you start hitting against those limits or what are the, what walls do you encounter? So one of the key things we're doing is building ahead of that, making sure that our features are enabling users to hit deployment scales they've never seen or imagined before. So that's a big part of what Armory is. >> Ian, can you add a number to that in terms of the before Armory and the after in terms of that velocity? >> Absolutely, before Armory our deploys would take sometimes somewhere around 45 minutes. And we cut that in half, if not more to down to like the like 16 to 20 minute ranges where we are currently deploying to a few hundred hosts. So, and that is the previous deployment strategy would take longer. If we scaled up the number of instances for big events, like our payment processing we do the first of the month currently. So being able to have that and know that our deploys will take about the same amount of time each time, it will be faster. That helps us bring features to creators and fans a lot faster. And the stability aspect has also been very important, knowing that we have a secure way to roll back if needed, which you didn't have previously in case something goes wrong, that's been extremely useful. >> And I can imagine, Ian, that velocity is critical because I mean more and more and more these days, there are content creators everywhere in so many different categories that we've talked about. Even nightclubs, that to be able to deliver that velocity through a part, a technology like Armory is table-stakes for against business. >> Absolutely, yeah. >> Andrew, back over to you. 
I want to kind of finish out here with, in the last couple of years where things have been dynamic. Have you seen any leading indices? I know you guys work with enterprises across organizations and Fortune 500s. But have you seen any industries in particular that are really leaning on Armory to help them achieve that velocity that we've been talking about? >> We have a pretty good spread across the market, but since we are focused on cloud, to deploy to cloud technologies, that's one of the main value props for Armory. So that's going to be enabling deployments to AWS and similar clouds. So the companies that we work with are really ones that have either already gone through that transformation or are on their journey. Then of course, now Kubernetes is a force, it's kind of taken over. So we're getting pulled into even more companies that are embracing Kubernetes. So I wouldn't say that there's an overall trend, but we have customers all across the Fortune 500, all across mid-market to Fortune 500. So there's depending on the complexity of the corporation itself or the enterprise itself we're able to do. I think Ian mentioned our policy engine and a few other features that are really tailored to companies that have restricted environments and moving into the cloud. >> Got it, and that's absolutely critical these days to help organizations pivot multiple times and to get that speed to market. 'Cause that's, of course as consumers, whether we're on the business side or the commercial side, we have an expectation that we're going to be able to get whatever we want A-S-A-P. And especially if that's payments processing, that's pretty critical. Guys, thank you for joining me today, talking about Armory, built on Spinnaker, what it's doing for customers like Patreon. We appreciate your time and your insights. >> Thank you so much. >> Thank you. Thank you so much. >> For my guests, I'm Lisa Martin. You're watching theCUBE's AWS Startup Showcase, season two, episode one. 
(upbeat music)
Steve Francis, Instaclustr | AWS Startup Showcase S2 E1 | Open Cloud Innovations
>>Welcome everyone. I'm Dave Nicholson with theCUBE. This is a special CUBE Conversation that is part of the AWS Startup Showcase, season two. Got a very interesting conversation on deck with Steve Francis who joins us from Instaclustr. Steve is the chief revenue officer and executive vice president for go-to-market operations for Instaclustr. Steve, welcome to theCUBE. >>Thank you, Dave. Good to be here. >>It looks like you're on a, uh, you're you're you're coming to us from an exotic locale. Or do you just like to have a nautical theme in your office? >>No, I'm actually on my boat. I have lots of kids at home and, uh, it can be very noisy. So, uh, we call this our apartment in the city and sometimes when we need a quiet place, this, this does nicely >>Well, fantastic. Well, let's, let's talk about Instaclustr. Um, first give us, give us a primer on Instaclustr and, uh, and what you guys do. And then let's double click on that and go into some of the details. >>Sure. So at Instaclustr, we offer a SaaS platform for data layer, open source technologies. And what those technologies have in common is they scale massively. We curate technologies that are capable of massive scale. So people use them to solve big problems typically. And so in addition to SaaS offerings for those open source projects where people can provision themselves clusters in minutes, um, we also offer support for all of the technologies that we offer on our SaaS platform. We offer our customer support contracts as well. And then we have a consulting team, a global consulting team who are expert in all of those open source projects that can help with implementations that can help with design health checks, uh, you name it. So most of what they do is kind of short term expert engagements, but we've also done longer-term projects with them as well. 
>>So your business model is to be a SaaS provider as opposed to an alternative, which would be to, uh, provide what's referred to as, uh, open core software. Is that, is that right? >>Yeah, that's exactly right. So you, so when, when our customers have an interest in using community open source, we're the right partner for them. And so, you know, really what that means is if they, whether it's our SaaS platform, if, if they want the flexibility to say, we want to take that workload off of your SaaS platform, maybe at some point operate it ourselves because we're not throwing a bunch of proprietary stuff in there. They have the flexibility to do that. So they always have an exit ramp without being locked in and with our support customers, of course, it's very easy. What we support is both the open source project. And if there's a gap in that open source project, what we'll do is rather than create a proprietary piece of software to close the gap, we'll source something from the community and we'll support that. Or if it, or if something does not exist in the community, in many cases, we'll write it ourselves and open source it and then, and then support it. >>Yeah, it's interesting. Uh, supposedly Henry Ford made a comment once that if you ask customers what they want, they'll tell you they want a faster horse, uh, but he was inventing the automobile and some people have, have likened open core to sort of the faster mechanical horse version of open source where you're essentially substituting an old school legacy vendor for a new school vendor. That's wrapping their own proprietary stuff around a delicious core of open source, but it sort of diminishes the value proposition of open source. It sounds like that's, that's the philosophy that you have adopted at this point. That's >>I love that story. I haven't heard that before. One that I like, uh, you know, matching metaphor for metaphor, uh, is, uh, the, um, is the Luddites, right? 
You know, the Luddites didn't want to lose their weaving jobs. And so they would smash weaving looms and, um, you know, to, to protect their weaving jobs. And I think it's the same thing with the open core model they're protecting, uh, you know, they're creating fear, uncertainty and doubt about open, open sourcing. Oh, it isn't secure. And, you know, the, those, those arguments have been used for 15 years or 20 years. And, you know, maybe 15 years ago there was some truth to it. But when you look at who is using open source community open source now for huge projects, you know, if you just do a search for Apache Kafka users and go to the Apache website, you know, it's kind of the who's who in big business, and these are people using community open source. And so, um, a lot of the fear and uncertainty and doubt is still used, and it's just, you know, it's just kind of hanging on to a business model that isn't really it's for the benefit of the, of the vendor and not the benefit of the customer. >>Well, so I can imagine being a customer and realizing several years into an open core journey that I basically painted myself into a similar corner that I was in before. Um, and so I can see where that, you know, that can be something that is a realization that, that creeps up over time from a customer perspective, but from your business model perspective, um, if I'm understanding correctly, you're, when you scale, you're scaling the ability to, um, take over operations for our customer, uh, at, at some level, I'm sure you've got automation involved in this. Uh, but at some level you've got to scale in terms of really smart people, um, has that limited your ability to scale. So first talk about what have the results been. You guys we've been covering you since 2018. What have your results been over time and has that sort of limited that that limit to your scalability, uh, been an issue at all. 
>>It's hard to find people, uh, it's hard, it's hard for our customers to find people and it's hard for us to find people. So we have an advantage for two reasons. Number one, we have a really good process for hiring people, hiring graduates, recent computer science graduates typically, and then getting them trained up and productive on our platform and within a pretty short timeframe of three or four months. And, um, you know, so we we've, we've, uh, we have a really well-proven process to do that. And then the other thing that you've already alluded to is automation, right? There's a ton of automation built into our platform. So we have a big cost advantage over our customers. So, you know, our, our customers, you know, if they want to go hire a seasoned, you know, Kafka person or Postgres personal work, a person, these people are incredibly expensive in the market, but for us, we can get those people for relatively less expensive. And then with the automation that we have built into our platform to do all the operational tasks and handle all the operational burdens on those different open source projects, it's a lot of it's automated. And so, uh, you know, where one of our experts can use, you know, the number of workloads that they can operate is usually, you know, many times more than what someone could do without all of the operational capability or all the automated capabilities that we have. >>So what has your, what is your plan for scaling the business look like into the future? Is it a additional investment in those core operators? Uh, are you looking at, uh, uh, expansion, geographically acquisition? What, what can you share with us? >>We've done some acquisition. We added a Postgres capability. We recently added an Elasticsearch capability and really buttressed our capabilities there. I think we'll do more of that. 
And, um, we, we will continue to add technologies that we find interesting and, and federal model, usually what we look for technologies that are pretty popular. They're used to solve big problems and they're complicated to manage, right? If something's easy to manage, people are less likely to perceive our value to be that great. So we look for things that, um, you know, are we kind of take the biggest, hairiest, gnarliest, um, open-source projects for people to manage, and we handle the heavy lifting. >>Well, can you give me an example of something like that? You don't have to, you don't have to share a customer name if you don't, if it's not appropriate, but give us a, give us an example of, of Instaclustr in action, pretend I'm the customer. And, uh, and, uh, you know, you mentioned Elasticsearch. Let's say that, let's say that that is absolutely something that's involved. And I have a choice between some open, open core solution and throwing my people at it to manage it, uh, and, and, and operate at the data layer, uh, versus what you would do. What does that interaction look like? How do, how does the process, >>Um, so one thing that we hear from Elasticsearch customers a lot is, uh, their customers, some of them are unhappy. And what they'll tell us is look, when we get an operational problem with Elasticsearch, we go to Elasticsearch. And the answer we get from them is we gotta buy, you know, you gotta buy more stuff, you got to add more nodes, and they're in the business of, uh, you know, that's, that's our business. And, uh, you know, they do have a SaaS offering, but, um, you know, they're, they're also in the business of selling software. And so when those customers, those same customers come to us, our answer is often, well, Hey, we can help you optimize your environment. And, you know, a lot of times when we onboard people into our platform, they'll achieve cost savings because maybe they weren't on the cloud. Maybe they weren't completely optimized there. 
And, um, you know, we want to make sure that they get a good operational experience and that's how we felt lock customers in, right. We don't lock them in with code. We make sure that they have a positive experience that we take a lot of that operational stuff off their hands. And so there's just a good natural alignment between what we want to provide that customer and what they ultimately want to consume. Uh, you know, that, that alignment I think is, is uniquely high within our business. >>Well, so how, how have things changed just in the last several years? Obviously, I mean, you know, the, the pandemic has, has affected everything in, in one way or another, but, but in terms of things that live at the data layer being important, um, I mean, just in the last three or four years, the talk of various messaging interfaces and databases has shifted to a degree. Um, what do you see on the horizon? What's, what's, what's, what's getting buzz that maybe didn't get buzz a year ago. What, what, what are you looking for as well? If you're out looking for people with skill sets right now, what are those skill sets you're hiring to? >>I don't hire engineers, right. I run the go to market organization. I hire marketers, salespeople, consultants, but, uh, so it's probably different. I'm maybe not the best person to ask from an engineering standpoint, but, uh, your question about the data layer, um, and how, you know, that's evolving trends that we see it's becoming increasingly strategic. You know, every, there's a couple of buzzwords out there that, you know, for years now, people have been talking about, um, modernization, digital transformation, stuff like that, but, you know, there's, there's a lot to it like digital, you know, every business kind of needs to become a digital business. And as that happens, the amount of data that's produced is, is just as mushrooming, right. You know, the amount of data on the planet doubles about every two years. 
And so for a lot of applications for a lot of enterprise mission-critical applications, data is the most expensive layer of the application. >>You know, much more expensive than delivering a front end, much more expensive than delivering a middle tier when you just, when you factor in storage, um, uh, just the kind of moving data in and out, you know, data transfer fees, the cost of engineering resources that it's, it's incredibly expensive. So data layers are becoming strategic because organizations are looking at it and realizing, you know, the amount that they're spending on this is eye-popping. And so that's why it's becoming strategic. It's on the radar, just due to the, uh, the size of bills that organizations are looking at. Um, and we could drive those bills down. You know, our value proposition is really simpler. It's a better, faster, cheaper, and we eliminate the license fees. We can, you know, we are operational experts, so we can get people architected in the cloud more efficiently, and probably about a third of the time we save our customers cloud fees. Um, so it's, you know, it's a pretty simple model that some of those things that are strategically more, or are there, sorry, traditionally more tactical are becoming strategic, just because of the scope and scale of them. >>We, uh, we're having this conversation as part of the AWS Startup Showcase, which basically means that AWS said, Hey, SiliconANGLE, have your CUBE guys go talk to these people because we think they're cool. So, um, so why, why, why do they think you're cool? Are you a wholly owned subsidiary of AWS? Did you, did you and your family, uh, uh, exceed the 300 order, uh, Amazon threshold last year? Why, what's your relationship with Amazon? >>I bought an elf on the shelf from, I don't know, I don't know why. Um, you know, we're, we're growing fast and we're, we're growing north of 50% last year in 21 and closer to 60%. 
Um, you know, we certainly, I think, uh, when our customers sign up for our services, you know, Amazon gets more workloads. That's, that's probably a positive thing for Amazon. Um, we're certainly not, you know, there's much, much, much bigger vendors and partners than us that they have, but, uh, but you know, they're, I think they're aware that there's, there's some, some of the smaller vendors like us will grow up to be, you know, the, you know, the bigger vendors of tomorrow. Um, but they've kind of, they've been a great partner. You know, we, we support multiple, we do support multiple clouds, and Amazon's cool with that. You know, we support GCP, we support Azure and kind of give our customers the choice of what clouds they want to run on. Uh, most of our customers do run on Amazon that seems to be sort of a de facto standard, but, um, they haven't been a great partner, >>But, but AWS, it's not a dependency. Uh, if you're, if you're working with Instaclustr, it doesn't mean that you must be in AWS. >>Nope. We can support customers. Uh, that's a great question. So we can support customers and multiple clouds, and we even support them on prem, right? If they, if organizations that have their own data center, we actually have an on-premise managed service offering. And if that's not a fit, we even have, um, we can offer support contracts, like if they want to do it themselves and do a lot of the heavy lifting and just need sort of a red phone for emergency situations. Uh, we offer 24 by 7, 365 support with 20 minutes service levels for urgent issues. >>So you're chief revenue officer, that means that you write the code that runs operations in your system. I'm not smiling, but I'm at, but I'm, but I am actually joking. So that's what the dry sense of humor. Uh, but, but, but seriously, let's talk about the business end of this, right? 
We have, uh, we have a lot of folks who, uh, who tuned into theCUBE because of the technology aspect of it, but let's talk about your, your growth trajectory over time. Um, uh, this isn't a drill down. I'm not asking for your, your pipeline, Steve, but, uh, but, but, you know, give us an idea of what that trajectory has looked like. Um, what's going on. >>Yeah. I mean the most recent year, you know, we're, we're getting, uh, to be, um, I, I don't know what I'm permitted to share expect, but I, you know, we've, we've had a lot of growth, you know, if we've won a couple, a couple of hundred percent, our revenue has in the amount of time that I've been here, which is three years, and we're the point now, or pretty good size. Uh, and that gives us, uh, it's cool. It's exciting. You know, we're, we're noticing in the market is people who traded two years ago. People, no one knew who we were. And now we're beginning to talk to some partners, some resellers, some customers, and they will say things like, oh yeah, we've heard of you. We didn't know what you did, but we've heard of you. And, you know, that's, that's fun. That's a great place to be. Uh, you know, it becomes a little bit self-sustaining at that point. And, um, we, you know, we are about to launch, I, it's not a secret because this is in public preview. So I think >>Was there, I noticed the pause where you're like, can I say this or not? Go ahead and say, go ahead and say, >>Really we, uh, I was trying to think, wait, am I revealing anything here? I shouldn't. But, uh, we did just go public preview, uh, probably a month ago with a project called Cadence, uh, Cadence Workflow. Uh, you can actually, um, go to the Instaclustr website and look up Cadence. Um, it's on their homepage, or you can, if you want to go to the open source project itself, you can go to cadenceworkflow.io. Uh, this is a project that's trending pretty highly on Google. 
It's got a lot of important movers in the technology business that are using it and having a lot of success with it. Uh, and we're going to be first to market globally with a SaaS offering for Cadence Workflow. And, um, it's an incredibly exciting project. And it's exciting for us to specifically, because it's a little different, right? It's not, it's a middle tier project that is targeted at developers to increase developer productivity and developer velocity. >>Um, you joked about my being a CRO writing code, but I actually used to be a coder long time ago. I was not very good at it, but what I did enough of it to remember that a lot of what I did as a coder was write plumbing code, you know, rather than writing that code that makes the business application function a huge amount of my time as a developer was spent writing, you know, just the plumbing code to make things work and to make it secure and to make it transactional and just all that, you know, kind of nitty gritty code that you gotta do in a nutshell, Cadence makes writing that code way easier. So especially for distributed applications that have workflow like capabilities requirements, uh, it's a massive productivity and PR increaser. So it's cool. Exciting for us is now we can, rather than just target data operators, we can actually target developers and engage, not just at the data layer, but kind of at that middle tier as well, and begin to, uh, identify and, um, uh, synergies between the different services that we have and, and our customers will obviously benefit from that. >>So that's a big part of our growth strategy. >>Yeah. So more, more on from a business perspective and a go to market perspective. Um, what is your, what is your go to market strategy or, uh, do you have, do you have a channel strategy? Are you working with partners? >>He is pretty nascent. 
You know, our go to market strategy for the most part has been, you know, we, uh, pay the Google gods and, and lots of people come to our website and say, they want to talk to us. You know, we talked to them and we get them signed up with, uh, uh, on our, our, our SaaS platform or with a support contract or with our consulting team. Um, we also do outbound, you know, we do, we have an inside sales team that does outbound prospecting and we have, um, and we also have some self-service. We have some, some self service customers as well that just, you know, anyone can go to our website, swipe a credit card, sign up for one of our SaaS offering and begin, literally get fired up in minutes and PR and using the platform. Uh, so, you know, it's a bit of a mix of high touch, low touch, I think are, you know, we have tons of big logos. >>We know lots and lots of our customers are household name, really big organizations solving big problems. And, um, that's kind of where the bulk of our businesses. And so I think we've been a little more focused there and go to market than we have sort of a know startup selling to startups and the people that just from super developer focused, wanting low touch. So, but I think we need to do better at that part of the market. And we are investing some resources there so that, you know, we're not so lopsided at the high end of the market. We want kind of a, more of a balanced approach because, you know, some of those, some of those, um, younger companies are going to grow up to be big massively successful companies. We've had that, you know, DoorDash is a tough class, has been a customer of ours for years, and they were not nearly, you know, we, there were a prepayment, there were custom bars, pre pandemic, and we all know what happened to them, uh, during the pandemic. And so, you know, we know there's other DoorDashes out there. >>Yeah. Yeah. Uh, uh, final question, geography, uh, you guys global. 
I, uh, I know you're in North America, but, um, what, what, what does that look like for you? Where are you at? >>We're super global. So, you know, in my go-to-market organization, we have sellers in, um, uh, AsiaPac and Europe, you know, multiple in Asia, multiple in Europe, uh, you know, lots of lots in the, in the states, uh, same with marketing, uh, same with engineering, same with our tech ops delivery team. We have most of them, uh, in Australia, which is where we were founded. Uh, but we also have a pretty good sized team, uh, out of Boston and, um, kind of a nascent team, uh, in India as well, to help to tell it, to help them out. So yeah, very much global and, um, you know, getting close to 300 employees, um, you know, when I started, I think we're about 85 to 90, >>That's it, that's an exciting growth trajectory. And, uh, I'm just going to assume, because it just feels awesome to assume it that since you're on a boat and since you were founded in Australia, that that's how you go back and forth to, uh, to visit the most. >>Yeah. Yeah. It takes a while. It takes a while. >>So with that, Steve, I want to say a smooth sailing and, uh, and, uh, thanks for joining us here on theCUBE. I'm Dave Nicholson. Uh, this has been part of the AWS Startup Showcase, my conversation with Steve Francis of Instaclustr again. Thanks Steve. Stay tuned. >>Thanks very much to you, >>Your source for hybrid tech coverage.
Donald Fischer, Tidelift | AWS Startup Showcase S2 E1 | Open Cloud Innovations
>> Welcome everyone to theCUBE's presentation of the AWS Startup Showcase: Open Cloud Innovations. This is season two, episode one of the ongoing series, and we're covering exciting and innovative startups from the AWS ecosystem. Today we're going to focus on the open source community. I'm your host, Dave Vellante. And right now we're going to talk about open source security and mitigating risk in light of a recent discovery of a zero-day flaw in Log4j, a Java logging utility, and a related White House executive order that points to the FTC pursuing companies that don't properly secure consumer data as a result of this vulnerability. And with me to discuss this critical issue and how to more broadly address software supply chain risk is Don Fischer, who's the CEO of Tidelift. Thank you for coming on the program, Donald. >> Thanks for having me. Excited to be here. Yeah, pleasure. >> So look, there's a lot of buzz. You open the news, you go to your favorite news site and you see this, you know, Log4j, this is an, a project otherwise known as Log4Shell. It's this logging tool. My understanding is it's, it's both ubiquitous and very easy to exploit. Maybe you could explain that in a little bit more detail. And how do you think this vulnerability is going to affect things this year? >> Yeah, happy to, happy to dig in a little bit and orient around this. So, you know, just a little definitions to start with. So Log4j is a very widely used course component that's been around for quite a while. It's actually an amazing piece of technology. Log4j is used in practically every serious enterprise Java application over the last 10 going on 20 years. So it's, you know, Log4j itself is fantastic. The challenge that organizations have been facing relates to a specific security vulnerability that was discovered in Log4j and that has been given this sort of brand name, as it happens these days.
Folks may remember Heartbleed around the OpenSSL vulnerability some years back. This one has been dubbed Log4Shell. And the reason why it was given that name is that this is a form of security vulnerability that actually allows attackers. >> You know, if a system is found that hasn't been patched to remediate it, it allows hackers to get full control of a, of a system, of a server that has the software running on it, or includes this Log4j component. And that means that they can do anything. They can access, you know, private customer data on that system, or really do anything, and so-called shell-level access. So, you know, that's the sort of definitions of what it is, but the reason why it's important is in the, in the small, you know, this is an open door, right? It's a, if, if organizations haven't patched this, they need to respond to it. But one of the things that's kind of, you know, I think important to recognize here is that this Log4j is just one of literally thousands of independently created open source components that flow into the applications that almost every organization builds, and all of them, all software, is going to have security vulnerabilities. And so I think that Log4j is, has been a catalyst for organizations to say, okay, we've got to solve this specific problem, but we all also have to think ahead about how is this all gonna work. If our software supply chain originates with independent creators across thousands of projects across the internet, how are we going to put a better plan in place to think ahead to the next Log4j, Log4Shell-style incident? And for sure there will be more. >> Okay. So you see this incident as a catalyst to maybe more broadly thinking about how to secure the, the digital supply chain. >> Absolutely. Yeah, it's a, this is proving a point that, you know, a variety of folks have been making for a number of years.
Hey, we depend, I mean, honestly these days more than 70% of most applications, most custom applications are comprised of this third-party open source code. Projects very similar in origin and governance to Log4j. That's just reality. It's actually great. That's an amazing thing that the humans collaborating on the internet have caused to be possible, that we have this rich commons of open source software to build with, but we also have to be practical about it and say, hey, how are we going to work together to make sure that that software as much as possible is vetted to ensure that it meets commercial standards, enterprise standards ahead of time. And then when the inevitable issues arise like this incident around the Log4j library, that we have a great plan in place to respond to it and to, you know, close the close the door on vulnerabilities when they, when they show up. >> I mean, you know, when you listen to the high level narrative, it's easy to point fingers at organizations, hey, you're not doing enough. Now, of course the U.S. government has definitely made attempts to emphasize this and, and shore up in, in, in, in, in push people to shore up the software supply chain. They've released an executive order last May, but, but specifically, I mean, it's just a complicated situation. So what steps should organizations really take to make sure that they don't fall prey to these future supply chain attacks, which, you know, are, as you pointed out, are inevitable. >> Yeah. I mean, it's, it's a great point that you make that the U.S. federal government has taken proactive steps starting last year, 2021, in the fallout of the SolarWinds breach, you know, about 12 months ago from the time that we're talking, talking here. The U.S. government actually was a bit ahead of the game, both in flagging the severity of this, you know, area of concern and also directing organizations on how to respond to it.
So the, in May 2021, the White House issued an executive order on cybersecurity and it directed federal agencies to undertake a whole bunch of new measures to ensure the security of different aspects of their technology and software supply chain, specifically called out open source software as an area where they put, you know, hard requirements around federal agencies when they're acquiring technology. And one of the things that the federal government, that the White House cybersecurity executive order directed was that organizations need to start with creating a list of the third-party open source. >> That's flowing into their applications, just to even have a table of contents or an index to start working with. And that's, that's called a, a software bill of materials, or SBOM is how some people pronounce that acronym. So th the federal government basically requires federal agencies to now create an SBOM for their applications, to demand a software bill of materials from vendors that are doing business with the government, and the strategy there has been to expressly use the purchasing power of the U.S. government to level up industry as a whole, and create the necessary incentives for organizations to, to take this seriously. >> You know, I, I feel like the SolarWinds hack that you mentioned, of course it was widely affected the government. So we kind of woke them up, but I feel like it was almost like a Stuxnet moment. Donald, were very sophisticated. I mean, for the first time patches that were supposed to be helping us protect, now we have to be careful with them. And you mentioned the, the bill of its software, bill of materials. We have to really inspect that. And so let's get to what you guys do. How do you help organizations deal with this problem and secure their open source software supply chain? >> Yeah, absolutely happy to tell you about, about Tidelift and, and how we're looking to help.
So, you know, the company, I co-founded the company with a couple of colleagues, all of whom are long-term open source folks. You know, I've been working in and around commercializing open source for the last 20 years at companies like Red Hat and, and a number of others, as have my co-founders. The opportunity that we saw is that, you know, while there have been vendors for some of the traditional systems-level open source components and stacks like Linux, you know, of course there's Red Hat and other vendors for Linux, or for Kubernetes, or for some of the databases, you know, there's standalone companies, for these Log4Shell-style projects, there just hasn't been a vendor for them. And part of it is there's a challenge to cover a really vast territory. A typical enterprise that we inspect has, you know, upwards of 10,000 Log4Shell, Log4j-like components flowing into their application. >> So how do they get a hand around their hands around that challenge of managing that and ensuring it meets, you know, reasonable commercial standards. That's what Tidelift sets out to do. And we do it through a combination of two elements, both of which are fairly unique in the market. The first of those is a purpose-built software solution that we've created that keeps track of the third-party open source flowing into your applications, inserts itself into your DevSecOps tool chain, your developer tooling, your application development process. And you can kind of think of it as next to the point in your release process where you run your unit test to ensure the business logic in the code that your team is writing is accurate and sort of passes tests. We do an inspection to look at the state of the third-party open source packages like Apache Log4j that are flowing into your, into your application. >> So there's a software element to it. That's a multi-tenant SaaS service. We're excited to be partnered with, with AWS.
And one of the reasons why we're here in this venue, talking about how we are making that available jointly with AWS to, to joint customers deploying on AWS platforms. Now, the other piece of the, of our solution is really, really unique. And that's the set of relationships that Tidelift has built directly with these independent open source maintainers, the folks behind these open source packages that organizations rely on. And, you know, this is where we sort of have this idea. Somebody is making that software in the first place, right? And so would those folks be interested? Could we create a set of aligned incentives to encourage them to make sure that that software meets a bunch of enterprise standards and areas around security, like, you know, relating to the Log4j vulnerability, but also other complicated parts of open source consumption like licensing and open source license accuracy and compatibility, and also maintenance. >> Like, is somebody looking after the software going forward. So just trying to basically invite open source creators to partner with us, to level up their packages. Through those relationships, we get really, really clean, clear first-party data from the folks who create, maintain the software. And we can flow that through the tools that I described so that end organizations can know that they're building with open source components that have been vetted to meet these standards. By the way, there's a really cool side effect of this business model, which is that we pay these open source maintainers to do this work with us. And so now we're creating a new income stream around what previously had been primarily a volunteer activity done for impact in this universe of open source software. We're helping these open source maintainers kind of go pro on an aspect of what they do around open source. And that means they can spend more time applying more process and tools and methodology to making that open source software even better.
And that's good for our customers. And it's good for everyone who relies on open source software, which is really everyone in society these days. That's interesting. I >> Was going to ask you what's their incentive other than doing the right thing. Can you give us an example of, of maybe a example of an open source maintainer that you're working with? >> Yeah. I mean, we're working with hundreds of open source maintainers and a few of the key open source foundations in different areas across JavaScript, Java, PHP, Ruby, Python, .NET, and, you know, like examples of categories of projects that we're working with, just to be clear, are things like, you know, web frameworks or parser libraries or logging libraries, like a, you know, Log4j and all the other languages, right? Or, you know, time and date manipulation libraries. I mean, they, these are sort of the, you know, kind of core building blocks of applications and individually, they, you know, they may seem like, you know, maybe a minor, a minor thing, but when you multiply them across how many applications these get used in, and Log4j is a really, really clarifying case for folks to understand this, you know, what can seemingly a small part of your overall application estate can have disproportionate impact on, on your operations. As we saw with many organizations that spent, you know, a weekend or a week, or a large part of the holidays, scrambling to patch and remediate this, a single vulnerability in one of those thousands of packages in that case log. >> Okay, got it. So you have this two, two-headed, two vectors that I'm going to call it, your ecosystem, your relationship with these open source maintainers is kind of a, that just didn't happen overnight, and it develop those relationships. And now you get first-party data. You monetize that with a software service that is purpose built as the monitor of the probe that actually tracks that third, third-party activity. So >> Exactly right. Got it. >> Okay.
So a lot of companies, Donald, I mean, this is, like I said before, it's a complicated situation. You know, a lot of people don't have the skillsets to deal with this. And so many companies just kind of stick their head in the sand and, you know, hope for the best, but that's not a great strategy. What are the implications for organizations if they don't really put the tools and processes into place to manage their open source digital supply chain? >> Yeah. Ignoring the problem is not a viable strategy anymore, you know, and it's just become increasingly clear as these big headline incidents that happened like Heartbleed and SolarWinds. And now this Log4Shell vulnerability. So you can, you can bet on that continuing into the future, and organizations I think are, are realizing, the ones that haven't gotten ahead of this problem are realizing this is a critical issue that they need to address, but they have help, right. You know, the federal government, another action beyond that cybersecurity executive order that was directed at federal agencies early last year, just in the last week or so, the FTC, the U.S. Federal Trade Commission, has made a much more direct warning to private companies and industry saying that, you know, issues like this Log4j vulnerability risk exposing private, you know, consumer data. That is one of the express mandates of the FTC, is to avoid that. The FTC has said that this is, you know, bears on both the Federal Trade Commission Act, as well as the Gramm-Leach-Bliley Act, which relates to consumer data privacy. >> And the FTC just came right out and said it, they said, they cited the $700 million settlements that Equifax was subject to for their data breach that also related to an open source component, by the way, that, that had not been patched by, by Equifax.
And they said the FTC intends to use its full legal authority to pursue companies that failed to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future. So the FTC is saying, you know, this is a critical issue for consumer privacy and consumer data. We are going to enforce against companies that do not take reasonable precautions. What are reasonable precautions? I think it's kind of a mosaic of solutions, but I'm glad to say Tidelift is contributing a really different and novel solution to the mix that we hope will help organizations contend with this and avoid that kind of enforcement action from FTC or other regulators. >> Well, and the good news is that you can tap a tooling like Tidelift in the cloud as a service and, you know, much easier today than it was 10 or 15 years ago to, to resolve, or at least begin to demonstrate that you're taking action against this problem. >> Absolutely. There's new challenges. Now I'm moving into a world where we build on a foundation of independently created open source. We need new solutions and new ideas, and that's a, you know, that's part of what we're, we're, we're showing up with from the Tidelift angle, but there's many other elements that are going to be necessary to provide the full solution around securing the open source supply chain going forward. >> Well, Donald Fischer of Tidelift, thanks so much for coming to theCUBE and best of luck to your organization. Thanks for the good work that you guys do. >> Thanks, Dave. Really appreciate your partnership on this, getting the word out and yeah, thanks so much for today. >> Very welcome. And you are watching the AWS Startup Showcase: Open Cloud Innovations. Keep it right there for more action on theCUBE, your leader in enterprise tech coverage.
Justin Antonipillai, WireWheel | AWS Startup Showcase: Innovations with CloudData & CloudOps
(upbeat music) >> We're here with theCUBE on Cloud Startup Showcase brought to you by AWS. And right now we're going to explore the next frontier for privacy. You know, security, privacy, and compliance, they're often lumped together and they're often lumped on as an afterthought, bolted on to infrastructure, data and applications. But, you know, while they're certainly related, they're different disciplines and they require a specific domain knowledge and expertise to really solve the challenges of today. One thing they all share is successful implementations must be comprehensive and designed in at the start. And with me to discuss going beyond compliance and designing privacy protections into products and services, Justin Antonipillai, who is the founder and CEO of WireWheel. Justin, awesome having you on the AWS Startup Showcase. Thanks for being here. >> Dave, thanks so much for having me. It's a real honor, and I appreciate it. Look forward to the discussion. >> So I always love to ask founders, like, take us back. Why did you start this company? Where did your inspiration come from? >> So Dave, I was very lucky. I had the honor of serving in President Obama's second term as an Acting Under Secretary for Economic Affairs. So I ran the part of the government that includes the U.S. Census Bureau and the Bureau of Economic Analysis. So core economic statistical bureaus. But I helped lead a lot of the Obama administration's outreach and negotiations on data privacy around the world. Including on something called the EU-U.S. Privacy Shield. So at the time the two jobs I had really aligned with what our discussion is here today. The first part of it was, I could see that all around the world, in the U.S. and around the world, data privacy and protecting privacy had become a human rights issue. It was a trade issue.
You could see it as a national security issue and companies all around the world were just struggling with how to get legal, how to make sure that I do it right, and how I make sure that I'm treating my customer's data in the right way. But when I was also leading the agency, a lot of what we were trying to do was to help our U.S. citizens, our folks here around the country solve big public problems by ethically and responsibly using government data to do it. And I can talk about what that meant in a little while. So the inspiration behind why WireWheel was, we need better, more technically driven ways to help companies get compliance, to show their customers that they're protecting privacy and to put customers, our customers onto a path where they can start using the customer data better, faster and stronger, but most importantly, ethically. And that's really what we try to tackle at WireWheel. >> Right, excellent. Thank you for that. I mean, yeah you know, in the early days of social media, people kind of fluffed it off and oh there is no privacy in the internet, blah, blah, blah. And then wow, it became a huge social issue and public policy really needed to step in but also technology needs this to help solve this problem. So let's try to paint a picture for people as to really dig into the problem that you solve and why it's so complicated. We actually have a graphic. It's a map of the U.S. that we want to pull up here. Explain this. >> Yeah, I mean, what you're saying here is that every one of your, our viewers today is going to be looking at privacy laws moving across the country, Dave, but there's a lot of different ones. You know, if you're a company that's launching and building your product, that you might be helping your customers, you're consumer-facing. The law, and you're even, let's assume you want to do the right thing. You want to treat that customer data responsibly and protect it.
When you look at a map like this and you can see three states have already passed different privacy laws, but look at the number of different states all across the country that are considering their own privacy laws. It really could be overwhelming. And Virginia, as you can see, is just about to pass its next privacy law, but there's something like 23, 24 states that are moving them through. The other thing, Dave, that's really important about this is, these are not just breach laws. You know, I think years ago we were all looking at these kinds of laws spreading across the country and you would be saying, okay, that's just a breach law. These laws are very comprehensive. They have a lot to them. So what we have been really helping companies with is to enable you to get compliant with a lot of these very quickly. And that's really what we've tried to take on. Because if you're trying to do the right thing there should be a way to do it. >> Got it. Yeah, I can't even imagine what the it had been so many permutations and complexities but imagine this, if this were a globe we were looking at it says it gets out of control. Okay, now you guys, well you use a term called phrase beyond compliance? What do we mean by that? >> There are a couple of things. So I'd say almost every company taking a product to market right now, whether you're B2C or B2B, you want to make sure you can answer the customer question and say, yes, I'm compliant. And usually that means if you're a B2C company it means that your customers can come to your site. Your site is compliant with all of the laws out there. You can take consents and preferences. You can get their data back to them. All of these are legal requirements. If you're a B2B company, you're also looking at making sure you can create some critical compliance records, that's it, right? But when we think beyond compliance, we think of a couple of basic things.
Number one, do you tell the story about all the trust and protection you put around your data in a way that your customers want to do business with you? I mean Dave, if you went to CES the last couple of years and you were walking into the center or looking at a virtual version of it, on every billboard, the top five, top 10 global companies advertise that they take care of your data and they're onto something, they're onto something. You can actually build a winning strategy by solving a customer's problem and also showing them that you care, and that they're trustworthy. Because there are too many products out there, that aren't. The second thing, I'm sorry, go ahead. >> No, please carry on. >> No, I mean the second thing, and then I think I'd say is going beyond compliance also means that you're thinking about how you can use that data for your customer, to solve all of their problems. And Dave, what I'd say here is imagine a world right now, in which, you know you trusted that the data that you gave to companies or to the government, was protected and that if you changed your mind and you wanted it back that they would delete it or give it back to you. Can you imagine how much more quickly we would have solved getting a COVID vaccine? Can you imagine how much data would have been available to pharmaceutical companies to actually develop a vaccine? Can you imagine how much more quickly we would have opened the economy? The thing is companies can't solve every problem that they could for a customer because customers don't trust that the data is going to be used correctly and companies don't know how to use it in that way and ethically. And that's what we're talking about when we say getting beyond compliance which is we want to enable our customers to use the data in the best way and most ethical way to solve all of their customer's problems. >> Okay, so I ask the elephant in the room question. 
If you asked most businesses about personal information, where it's stored, you know who has access to it, the fact is that most people can't answer it. And so when they're confronted with these uncomfortable questions. The other documents and policies that maybe check some boxes, why is that not a good idea? I mean, there's an expense to going beyond that but so why is that not just a good idea to check it off? >> Well look, a lot of companies do need to just check it off and what I mean, get it right, make sure you label and the way we've thought about this is that when you're building on a backbone like AWS, it does give you the ability to buy a lot of services quickly and scale with your company. But it also gives us an ability to comply faster by leveraging that infrastructure to get compliant faster. So if you think about it, 20 years ago whenever I wanted to buy storage or if I wanted to buy servers and look we're a company that built in the cloud, Dave it would have been very difficult for us to buy the right storage and the processing we needed, given that we were starting. But I was able to buy very small amounts of it until our customer profile grew. But that also means my data moved out of a single hard drive and out of a single set of servers, into other places that are hosted in the cloud. So the entire tech stack that all of our customers are building on means they're distributing personal data into the cloud, into SaaS platforms. And there's been a really big move through integration platforms as a service to allow you to spread the personal data quickly. But that same infrastructure can be used to also get you compliant faster, and that's the differentiation. So we built a platform that enables a company to inventory their systems, to track what they're doing in those systems and to both create a compliance record faster by tracking what they're doing inside the cloud and in SaaS systems. 
And that's the different way we've been thinking about it as we've been going to market. >> So, okay. So what actually do you sell, you sell a service? Is it a subscription? >> Yeah. >> And AWS is underneath that, maybe you could put down a picture for us. >> Sure, we're a cloud hosted software as a service. We have two core offerings. One is the WireWheel Trust Access Consent Solution. So if you go to a number of major brands, and you go to their website, when they tell you here's the data we're collecting about you, when they collect your consents and preferences, when they collect a request for data correction or deletion of the data, all the way from the request to delivery back to the consumer, we have an end to end system that our customers use with their customers, a completely cloud hostable in a subscription. So enables even very small startups, to build that experience into their website and into their products, from the very beginning, at a cost efficient point. So if you want to stand up a compliant website or you want to build into your product that Trust Access Consent Solution, we have a SaaS platform, and we have developer tools and our developer portal to let you do it quickly. The second thing we do is we have a privacy operations manager. So this is the most security center but for privacy operations. It helps you inventory your systems, actually create data flow maps and most critically create compliance records that you need to comply with, you know the European law, the Brazilian law, and that whole spectrum of U.S. privacy laws that you showed a few minutes ago. And those are the two core offerings we have. >> I love it. I mean, it's the cloud story, right? One is you don't have to spend millions of dollars on hardware and software. And the second is, when you launch you enable small companies, not just the biggest companies you give them the same, essentially the same services. And that's a great story. Who do you sell to, Justin? 
What does a typical customer engagement look like? >> Yeah, we, in many of our customers and in the AWS say startup environment, you often don't have companies that have like a privacy officer. They often don't even have a general counsel. So we sell a package that will often go to whoever is responsible at the company for privacy compliance. And, you know, interestingly Dave in some startups that might be a marketing officer, it might be a CLO, it might be the CTO. So in startups and sort of growing companies, we've put out a lot of guidance, and our core WireWheel developer portal is meant to give even a startup all they need to stand up that experience and get it going, so that when you get that procurement imagine you're about to go sell your product, and they ask you, are you compliant, then you have that document ready to provide. We also do provide this core infrastructure for enormous enterprises. So think telecoms, think top three global technology companies. So Dave, we get excited about is we've built a core software platform privacy infrastructure that is permanently being used by some of the largest companies in the world. And our goal is to get that infrastructure at the right price point into every company in the world, right? We want to enable any company to spend and stand up the right system, that's leveraging that same privacy infrastructure that the big folks have, so that as they scale, they can continue to do the right thing. >> That's awesome. I mean, you mentioned a number of roles of marketing folks. I can even see a sales, let's say sales lead saying, okay we got this deal on the table. How do we get through the procurement because we didn't check the box, all right. So, let me ask you this. We talked a little bit about designing privacy in a and it's clear you help do that. How do you make it, you know fundamental to customer's workloads? Do they have to be like an AWS customer to take advantage of that concept? 
Or how did they make it part of their workflow? >> Yeah, so there's a couple of critical things. How do you make it part of the workflow? The first thing is, you go to any company's website right now, they have to be compliant with the California law. So a very straightforward thing we do is we can for both B2B and B2C companies stand up an entire customer experience that matches the scale of the company that enables it to be compliant. That means you have a trust center that shows the right information to your customers, it collects the consents, preferences, and it stands up with a portal to request data. These are basics. And for a company that's standing up the internal operations, we can get them app collecting that core record and create a compliance record very fast. With larger companies, Dave you're right. I mean, when you're talking about understanding your entire infrastructure and understanding where you're storing and processing data it could seem overwhelming, but the truth is, the way we onboard our customers is we get you compliance on your product and website first, right? We focus on your product to get that compliance record done. We focus on your website so that you can sell your product. And then we go through the rest of the major systems where you're handling personal information, your sales, your marketing, you know, it's like a natural process. So larger enterprises we have a pretty straightforward way that we get them up and running, but even small startups we can get them to a point of getting them compliant and starting to think about other things very, very quickly. >> And so Justin, you're a government so you understand big, but how I talk about the secret ingredient that allows you to do this at scale and still handle all that diversity, like what we showed in that graphic, the different locations, different local laws, data sovereignty, et cetera. >> Yeah, there's a couple things on the secret sauce. 
One is, we have to think about our customers every day. And we had to understand that companies will use whatever their infrastructure is to build. Like you've seen, even on AWS there are so many different services you can use. So number one, we always think with an engineering point of view in mind. Understand the tools, understand the infrastructure in a way that brings that kind of basic visibility to whoever it is that's handling privacy, that basic understanding. The second is, we focused on core user experience for the non-technical user. It's really easy to get started. It's really easy to stand up your privacy page and your privacy policy. It's really easy to collect that and make that first record. The third is, and you know, this is one of those key things. When I was in the government, I met with folks in the intelligence community at one point, Dave, and this always stuck with me. They were telling me that 20 years ago, you know to do the kind of innovation that you have going on now, you would have had to have had a defense contract. You would have had to have invested an enormous amount of money to buy the processing and the services and the team. But the ability for me as a startup founder, to understand the big picture and understand that companies need to be compliant fast, get their website compliant fast, get their product compliant fast, but build on a cloud infrastructure that allowed me to scale was incredible. Because it allows us to do a lot with our customers that a company like ours would have been really challenged to do without that cloud backbone. >> Love this, the agility and the innovation. Last question, give us the company update Justin, you know where are you? What can you share with us, fundraising, head count, are you generating revenue? Where you are? >> Oh yeah, we're excited as I mentioned, we are already the privacy platform of choice of some of the larger brands in the world, which we're very excited about. 
And we help them solve both the trust, access consent problem for their customers, and we help with the privacy operations management. We recently announced a new $20 million infusion of capital, led by a terrific venture capital fund, ForgePoint Capital. We've been lucky to have been supported by NEA, Sands Capital, Revolution Capital, Pritzker Capital, PSP. And so we have a terrific group of investors behind us. We are scaling, we've grown the company a lot in the last year. Obviously it's been an interesting and challenging year with COVID, but we are really focused on growing our sales team, our marketing team, and we're going to be offering some pretty exciting solutions here for the rest of the year. >> The timing was unbelievable, you had the cloud at your beck and call, you had the experience in government. You've got your background as a lawyer. And it all came in, and the legal come into the forefront of public policy, just a congratulations on all your progress today. We're really looking forward to seeing you guys rocket in the future. I really appreciate you coming on. >> Dave, thanks so much for having me, really enjoyed it. And I look forward to seeing you soon. >> Great, and thank you for watching everyone, this is Dave Vellante for theCUBE on cloud startups. Keep it right there. (upbeat music)
ENTITIES
Entity | Category | Confidence |
---|---|---|
Dave | PERSON | 0.99+ |
Justin | PERSON | 0.99+ |
Dave Vellante | PERSON | 0.99+ |
NEA | ORGANIZATION | 0.99+ |
Bureau of Economic Analysis | ORGANIZATION | 0.99+ |
Justin Antonipillai | PERSON | 0.99+ |
Sands Capital | ORGANIZATION | 0.99+ |
Pritzker Capital | ORGANIZATION | 0.99+ |
AWS | ORGANIZATION | 0.99+ |
Revolution Capital | ORGANIZATION | 0.99+ |
ForgePoint Capital | ORGANIZATION | 0.99+ |
U.S. Census Bureau | ORGANIZATION | 0.99+ |
two jobs | QUANTITY | 0.99+ |
PSP | ORGANIZATION | 0.99+ |
$20 million | QUANTITY | 0.99+ |
COVI | ORGANIZATION | 0.99+ |
second thing | QUANTITY | 0.99+ |
third | QUANTITY | 0.99+ |
second term | QUANTITY | 0.99+ |
One | QUANTITY | 0.99+ |
Virginia | LOCATION | 0.99+ |
U.S. | LOCATION | 0.99+ |
WireWheel | ORGANIZATION | 0.99+ |
both | QUANTITY | 0.99+ |
second | QUANTITY | 0.99+ |
California | LOCATION | 0.99+ |
COVID | OTHER | 0.98+ |
last year | DATE | 0.98+ |
one | QUANTITY | 0.98+ |
first part | QUANTITY | 0.98+ |
23,24 States | QUANTITY | 0.98+ |
president | PERSON | 0.98+ |
today | DATE | 0.98+ |
CES | EVENT | 0.98+ |
three States | QUANTITY | 0.97+ |
first thing | QUANTITY | 0.96+ |
two core offerings | QUANTITY | 0.96+ |
20 years ago | DATE | 0.96+ |
Cloud Startup Showcase | EVENT | 0.95+ |
single set | QUANTITY | 0.95+ |
Obama | PERSON | 0.94+ |
single hard | QUANTITY | 0.92+ |
Brazilian | OTHER | 0.9+ |
one point day | QUANTITY | 0.88+ |
EU | ORGANIZATION | 0.87+ |
millions of dollars | QUANTITY | 0.87+ |
few minutes ago | DATE | 0.86+ |
first record | QUANTITY | 0.86+ |
years ago | DATE | 0.85+ |
last couple of years | DATE | 0.84+ |
first | QUANTITY | 0.83+ |
two core offerings | QUANTITY | 0.82+ |
One thing | QUANTITY | 0.79+ |
Startup Showcase | EVENT | 0.77+ |
three global technology companies | QUANTITY | 0.76+ |
couple | QUANTITY | 0.74+ |
10 global companies | QUANTITY | 0.73+ |
CloudOps | TITLE | 0.72+ |
SAS | ORGANIZATION | 0.71+ |
European | OTHER | 0.65+ |
Justin Antonipillai, Founder & CEO, WireWheel
(upbeat music) >> We're here theCUBE on Cloud Startup Showcase brought to you by AWS. And right now we're going to explore the next frontier for privacy, you know, security, privacy, and compliance, they're often lumped together and they're often lumped on as an afterthought bolted on to infrastructure, data and applications. But, you know, while they're certainly related they're different disciplines and they require a specific domain knowledge and expertise to really solve the challenges of today. One thing they all share is successful implementations, must be comprehensive and designed in at the start and with me to discuss going beyond compliance and designing privacy protections into products and services. Justin Antonipillai, who is the founder and CEO of WireWheel, Justin awesome having you on the AWS Startup Showcase. Thanks for being here >> Dave, thanks so much for having me. It's a real honor, and I appreciate it. Look forward to the discussion. >> So I always love to ask founders, like, take us back. Why did you start this company? Where did your inspiration come from? >> So Dave, I was very lucky. I had the honor of serving in president Obama's second term as an Acting Under Secretary for Economic Affairs. So I ran the part of the government that includes the U.S. Census Bureau and the Bureau of Economic Analysis. So core economic statistical bureaus. But I helped lead a lot of the Obama administration's, outreach and negotiations on data privacy around the world. Including on something called the EU-U.S. Privacy Shield. So at the time the two jobs I had really aligned with what our discussion is here today. The first part of it was, I could see that all around the world in the U.S. and around the world, data privacy and protecting privacy, had become a human rights issue. It was a trade issue. 
You could see it as a national security issue and companies all around the world were just struggling with how to get legal, how to make sure that I do it right, and how I make sure that I'm treating my customer's data, in the right way. But when I was also leading the agency, a lot of what we were trying to do was to help our U.S. citizens, our folks here around the country solve big public problems by ethically and responsibly using government data to do it. And I can talk about what that meant in a little while. So the inspiration behind why WireWheel was, we need better more technically driven ways to help companies get compliance, to show their customers that they're protecting privacy and to put customers, our customers onto a path where they can start using the customer data better, faster and stronger, but most importantly, ethically. And that's really what we try to tackle at WireWheel. >> Right, excellent. Thank you for that. I mean, yeah you know, in the early days of social media, people kind of fluffed it off and oh there is no privacy in the internet, blah, blah, blah. And then wow, it became a huge social issue and public policy really needed to step in but also technology needs this to help solve this problem. So let's try to paint a picture for people as to really dig into the problem that you solve and why it's so complicated. We actually have a graphic. It's a map of the U S that we want to pull up here. Explain this. >> Yeah, I mean, what you're saying here is that every one of your, our viewers today is going to be looking at privacy laws moving across the country Dave but there's a lot of different ones. You know, if you're a company that's launching and building your product, that you might be helping your customers your consumer facing. The law, and you're even let's assume you want to do the right thing. You want to treat that customer data responsibly and protect it. 
When you look at a map like this and you can see three States have already passed different privacy laws, but look at the number of different States all across the country that are considering their own privacy laws. It really could be overwhelming. And Virginia, as you can see is just about to pass it's next privacy law but there's something like 23,24 States that are moving them through. The other thing Dave, that's really important about this is, these are not just breach laws. You know, I think years ago we were all looking at these kinds of laws spreading across the country and you would be saying, okay, that's just a breach law. These laws are very comprehensive. They have a lot to them. So what we have been really helping companies with is to enable you to get compliant with a lot of these very quickly. And that's really what we've tried to take on. Because if you're trying to do the right thing there should be a way to do it. >> Got it. Yeah, I can't even imagine what the it had been so many permutations and complexities but imagine this, if this were a globe we were looking at it says it gets out of control. Okay, now you guys well you use a term called phrase beyond compliance? What do we mean by that? >> There are a couple of things. So I'd say almost every company taking a product to market right now, whether you're B2C or B2B you want to make sure you can answer the customer question and say, yes, I'm compliant. And usually that means if you're a B2C company it means that your customers can come to your site. Your site is compliant with all of the laws out there. You can take consents and preferences. You can get their data back to them. All of these are legal requirements. If you're a B2B company, you're also looking at making sure you can create some critical compliance records that's it, right? But when we think beyond compliance, we think of a couple of basic things. 
Number one, do you tell the story about all the trust and protection you put around your data in a way that your customers want to do business with you? I mean Dave, if you went to CES the last couple of years and you were walking into the center or looking at a virtual version of it, on every billboard, the top five, top 10 global companies advertise that they take care of your data and they're onto something, they're onto something. You can actually build a winning strategy by solving a customer's problem and also showing them that you care, and that they're trustworthy. Because there are too many products out there, that aren't. The second thing, I'm sorry, go ahead. >> No, please carry on. >> No, I mean the second thing, and then I think I'd say is going beyond compliance also means that you're thinking about how you can use that data for your customer, to solve all of their problems. And Dave, what I'd say here is imagine a world right now, in which, you know you trusted that the data that you gave to companies or to the government, was protected and that if you changed your mind and you wanted it back that they would delete it or give it back to you. Can you imagine how much more quickly we would have solved getting a COVID vaccine? Can you imagine how much data would have been available to pharmaceutical companies to actually develop a vaccine? Can you imagine how much more quickly we would have opened the economy? The thing is companies can't solve every problem that they could for a customer because customers don't trust that the data is going to be used correctly and companies don't know how to use it in that way and ethically. And that's what we're talking about when we say getting beyond compliance which is we want to enable our customers to use the data in the best way and most ethical way to solve all of their customer's problems. >> Okay, so I ask the elephant in the room question. 
If you asked most businesses about personal information, where it's stored, you know who has access to it, the fact is that most people can't answer it. And so when they're confronted with these uncomfortable questions. The other documents and policies that maybe check some boxes, why is that not a good idea? I mean, there's an expense to going beyond that but so why is that not just a good idea to check it off? >> Well look, a lot of companies do need to just check it off and what I mean, get it right, make sure you label and the way we've thought about this is that when you're building on a backbone like AWS, it does give you the ability to buy a lot of services quickly and scale with your company. But it also gives us an ability to comply faster by leveraging that infrastructure to get compliant faster. So if you think about it, 20 years ago whenever I wanted to buy storage or if I wanted to buy servers and look we're a company that built in the cloud, Dave it would have been very difficult for us to buy the right storage and the processing we needed, given that we were starting. But I was able to buy very small amounts of it until our customer profile grew. But that also means my data moved out of a single hard drive and out of a single set of servers, into other places that are hosted in the cloud. So the entire tech stack that all of our customers are building on means they're distributing personal data into the cloud, into SAS platforms. And there's been a really big move through integration platforms as a service to allow you to spread the personal data quickly. But that same infrastructure can be used to also get you compliant faster, and that's the differentiation. So we built a platform that enables a company to inventory their systems, to track what they're doing in those systems and to both create a compliance record faster by tracking what they're doing inside the cloud and in SAS systems. 
And that's the different way we've been thinking about it as we've been going to market. >> So, okay. So what actually do you sell, you sell a service? Is it a subscription? >> Yeah. >> And AWS is underneath that, maybe you could put down a picture for us. >> Sure, we're a cloud hosted software as a service. We have two core offerings. One is the WireWheel Trust Access Consent Solution. So if you go to a number of major brands, and you go to their website, when they tell you here's the data we're collecting about you, when they collect your consents and preferences, when they collect a request for data correction or deletion of the data, all the way from the request to delivery back to the consumer, we have an end to end system that our customers use with their customers, a completely cloud hostable in a subscription. So enables even very small startups, to build that experience into their website and into their products, from the very beginning, at a cost efficient point. So if you want to stand up a compliant website or you want to build into your product that Trust Access Consent Solution, we have a SAS platform, and we have developer tools and our developer portal to let you do it quickly. The second thing we do is we have a privacy operations manager. So this is the most security center but for privacy operations. It helps you inventory your systems, actually create data flow maps and most critically create compliance records that you need to comply with, you know the European law, the Brazilian law, and that whole spectrum of U.S. privacy laws that you showed a few minutes ago. And those are the two core offerings we have. >> I love it. I mean, it's the cloud story, right? One is you don't have to spend a millions of dollars on hardware and software. And the second is, when you launch you enable small companies, not just the biggest companies you give them the same, essentially the same services. And that's a great story. Who do you sell to Justin? 
What does a typical customer engagement look? >> Yeah, we, in many of our customers and in the AWS say startup environment, you often don't have companies that have like a privacy officer. They often don't even have a general counsel. So we sell a package that will often go to whoever is responsible at the company for privacy compliance. And, you know, interestingly Dave in some startups that might be a marketing officer, it might be a CLO, it might be the CTO. So in startups and sort of growing companies, we've put out a lot of guidance, and our core WireWheel developer portal is meant to give even a startup all they need to stand up that experience and get it going, so that when you get that procurement imagine you're about to go sell your product, and they ask you, are you compliant, then you have that document ready to provide. We also do provide this core infrastructure for enormous enterprises. So think telecoms, think top three global technology companies. So Dave, we get excited about is we've built a core software platform privacy infrastructure that is permanently being used by some of the largest companies in the world. And our goal is to get that infrastructure at the right price point into every company in the world, right? We want to enable any company to spend and stand up the right system, that's leveraging that same privacy infrastructure that the big folks have, so that as they scale, they can continue to do the right thing. >> That's awesome. I mean, you mentioned a number of roles of marketing folks. I can even see a sales, let's say sales lead saying, okay we got this deal on the table. How do we get through the procurement because we didn't check the box, all right. So, let me ask you this. We talked a little bit about designing privacy in a and it's clear you help do that. How do you make it, you know fundamental to customer's workloads? Do they have to be like an AWS customer to take advantage of that concept? 
Or how did they make it part of their workflow? >> Yeah, so there's a couple of critical things. How do you make it part of the workflow? The first thing is, you go to any company's website right now, they have to be compliant with the California law. So a very straightforward thing we do is we can for both B2B and B2C companies stand up an entire customer experience that matches the scale of the company that enables it to be compliant. That means you have a trust center that shows the right information to your customers, it collects the consents, preferences, and it stands up with a portal to request data. These are basics. And for a company that's standing up the internal operations, we can get them app collecting that core record and create a compliance record very fast. With larger companies, Dave you're right. I mean, when you're talking about understanding your entire infrastructure and understanding where you're storing and processing data it could seem overwhelming, but the truth is, the way we onboard our customers is we get you compliance on your product and website first, right? We focus on your product to get that compliance record done. We focus on your website so that you can sell your product. And then we go through the rest of the major systems where you're handling personal information, your sales, your marketing, you know, it's like a natural process. So larger enterprises we have a pretty straightforward way that we get them up and running, but even small startups we can get them to a point of getting them compliant and starting to think about other things very, very quickly. >> And so Justin, you're a government so you understand big, but how I talk about the secret ingredient that allows you to do this at scale and still handle all that diversity, like what we showed in that graphic, the different locations, different local laws, data sovereignty, et cetera. >> Yeah, there's a couple things on the secret source. 
One is, we have to think about our customers every day. And we had to understand that companies will use whatever their infrastructure is to build. Like you've seen, even on AWS there are so many different services you can use. So number one, we always think with an engineering point of view in mind. Understand the tools, understand the infrastructure in a way that brings that kind of basic visibility to whoever it is that's handling privacy, that basic understanding. The second is, we focused on core user experience for the non-technical user. It's really easy to get started. It's really easy to stand up your privacy page and your privacy policy. It's really easy to collect that and make that first record. The third is, and you know, this is one of those key things. When I was in the government, I met with folks in the intelligence community at one point day, and this always stuck with me. They were telling me that 20 years ago, you know to do the kind of innovation that you have going on now, you would have had to have had a defense contract. You would have had to have invested an enormous amount of money to buy the processing and the services and the team. But the ability for me as a startup founder, to understand the big picture and understand that companies need to be compliant fast, get their website compliant fast, get their product compliant fast, but build on a cloud infrastructure that allowed me to scale was incredible. Because it allows us to do a lot with our customers that a company like ours would have been really challenged to do without that cloud backbone. >> Love this, the agility and the innovation. Last question, give us the company update Justin, you know where are you? What can you share with us, fundraising, head count, are you generating revenue? Where you are? >> Oh yeah, we're excited as I mentioned, we are already the privacy platform of choice of some of the larger brands in the world, which we're very excited about. 
And we help them solve both the trust, access consent problem for their customers, and we help with the privacy operations management. We recently announced a new $20 million infusion of capital, led by a terrific venture capital fund, ForgePoint Capital. We've been lucky to have been supported by NEA, Sands Capital, Revolution Capital, Pritzker Capital, PSP. And so we have a terrific group of investors behind us. We are scaling, we've grown the company a lot in the last year. Obviously it's been an interesting and challenging year with COVID, but we are really focused on growing our sales team, our marketing team, and we're going to be offering some pretty exciting solutions here for the rest of the year. >> The timing was unbelievable, you had the cloud at your beck and call, you had the experience in government. You've got your background as a lawyer. And it all came in, and the legal come into the forefront of public policy, just a congratulations on all your progress today. We're really looking forward to seeing you guys rocket in the future. I really appreciate you coming on. >> Dave, thanks so much for having me, really enjoyed it. And I look forward to seeing you soon. >> Great, and thank you for watching everyone is Dave Vellante for theCUBE on cloud startups. Keep it right there. (upbeat music)