>> Narrator: From theCUBE Studios in Palo Alto in Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hi, I'm Stuart Miniman and welcome to this CUBE Conversation. I'm in our Boston area studio and one of the things we always love to do is talk to startups and really find out they're usually on the leading edge of helping customers, new technologies, conquering challenges. And to that point, we have the co-founder and CEO of env0, that is, Ohad Maislish and we brought along with him he's got two of his investors, one of his advisors. So sitting next to Maish, we have Ed Sim, who's the founder and managing partner of Boldstart Ventures and sitting next to him is Guy Podjarny, who is the founder of Snyk. So now, you know is the acronym for Snyk and if you didn't know that, I know I'd heard about the company a couple years before that and my understanding is, Guy your the ones that connected Ohad with Ed who was the first investor. So Guy let's talk to Ohad in a second, but how the conversation started? And what what piqued your interest about what is now env0? >> Yeah, I think it started with people. I mean, I think fundamentally when you think about technology and think about startups, it needs to be an interesting market, it needs to be a good idea, but it really, first and foremost is about the people. So I've I've known Ohad from actually some work that he's done at Snyk earlier on, and was really impressed with his sharpness, his technical chops, and a lot of times the bias for feedback. And then when he presented the idea to me around kind of making Infrastructure as Code easy, and I don't want to sort of steal his thunder, talking about it and about kind of engaging with developers for it, a thought that literally resonated with me, I think, we'll probably dig into it some more. But in we live in a world in which more and more activities, more and more decisions, and really more effort is rolled on to developers. So, there's a constant need for great solutions that make on one hand make it easy for developers to embrace these solutions, on the other hand, still kind of allow the right kind of governance and controls. And I felt like Infrastructure as Code was like a great space for that, where we asked developers to do more, there's a ton of value in developers doing more around controlling these Infrastructure decisions, but it's just too hard today. So, anyways, I kind of liked the skills, I liked the idea. And I pulled in Ed, who I felt was kind of natural to kind of help introduce these experiences with other startups that share a similar philosophy to kind of help make this happen. >> Awesome, thank you Guys. So Ohad, let's let's throw it to you. Give us a little bit about your background, your team, Infrastructure as Code is not a new term. So I guess would love you to kind of weave into it. You know why now? Is it becoming more real in why your solution is positioned to help the enterprise? >> Awesome, first of all, thank you for having me. It's really exciting and again thank you for the opportunity. Regarding your question, so my background is technical. I was maybe still am a geek started University at a young age at the age of 14 in Palo Alto High School. And started my career in non technical roles very early. I have now like 21 years of experience, this is my second startup and third company, as I mentioned, my previous company is services company, provided services for Snyk and we became friends and later on partners, investors, and so on. And, we we've seen huge shift, we call the Infrastructure as Code the third data center revolution. We look at the first one being virtualization about 20 years ago led by VMware and then ZenSourcer. The second obviously, is the public cloud when companies started clicking buttons in order to get those compute resources but now nobody is clicking those buttons anymore. And instead writing, maintaining and executing that code, that Infrastructure as Code and as the Guy mentioned, it made it much more relevant for developers to influence the Infrastructure decisions and not just the app decisions. With that many challenges and opportunities around Infrastructure as Code management and automation, and that's where we focus. >> All right, so Ed I'm sure like me, you've seen a number of companies, try to climb this mountain and fall down and crash so I feel like five years ago, I would talk to a company and they say, oh, we're going to help, really help the enterprise enable developers for networking for storage, for security or anything like that. And it was like, oh, okay, good luck with that. And they just kind of crashed and burned or got acquired or did something like that. So, I feel like from our viewpoint we've seen for a long time that growth of developers and how important that is, but that gap between the enterprise and the developers feels like we're getting there. So, it gets similar what I asked Ohad why now, why this group, why the investment from you? >> Yeah, so I'll echo Guy's comment about the people. So, first and foremost, I was fortunate enough to invest in Guy back in his prior company before he started Snyk and then invested in Snyk. And there are lots of elements of env0 that remind me of Snyk the idea, for example, that developers are doing more, and that security is no longer a separate piece of developing, it's now embedded kind of in what developers and teams are doing. And I felt like the opportunity was still there for Infrastructure as Code. How do you make developers more productive, but provide that control plan or governance that's centralized so that environments can easily be reproduced. And the thing that got me so excited, was the idea that Ohad was going to tie kind of cloud costs from a proactive basis versus a reactive basis. Meaning that once we know that your environments are up and running, you could actually automatically tag it and tie the environment to the actual application. And to me, tying the business piece to the development piece was a huge, huge opportunity that hasn't been tapped yet. And so there are lots of elements of both Snyk and env0 and we're super excited to be invested in both. >> Alright, so Ohad maybe just step back for a second, give us some of the speeds and feeds we read your blog post 3.3 million dollars of the early investment, how many people you have, what is the stage of the product customer acquisition and the like? >> Sure, so we just launched our public beta and announced the funding couple of months ago led by Boldstart and another VC in Israel named Grove, and then angel investors Guy is the greatest investor among those and so we have some others as well. And now we have like 10 employees nine in Israel, one in New York City, I'm relocating after this all pandemic thing will get better. I'm moving to the Bay Area as soon as possible. That's more or less the status. And as I've mentioned, we just launched our public beta. So we have our first few design partners and early like private beta customers now starting to grow more. >> Yeah, and how would you characterize, what is the relationship between what you're doing in the public clouds. We understand, in the early days, it was like, Oh, well, cloud is going to be easy, it's going to just be enable it, it has been a wonderful tool set for developers. But simple is definitely not, I think anyone would describe the current state of environments. So, help it help us give it a little bit of what you're seeing there. And how you deal with like some very large players in ecosystem. >> Our customers are the same as the cloud vendors customers. The cloud vendors provide great value with the technical aspect with Infrastructure. But once you want to manage your organization, you want to empower your developers, you want to shift left some decisions, APM, did shift left for a performance, Snyk is doing great shift left for security. I believe that we are doing similar things to the cost. And you in the cloud vendors are in charge of you being able to do some technical orchestration. But when do you need to tear down those resources? When do you understand that there is a problematic resource or environment and what exactly made it? What is the association, how you can prevent from (mumbles) deployments from even happening at first. So all of those management information and insight ties back to your business logic and processes that's where we fit. >> I think there's actually a lot of analogy if I can chime in, on maybe an ownership aspect that happens in cloud. So we talk about the cloud and oftentimes cloud is interpreted as the technical aspect of it. So the fact that it allows you to do a bunch of things in the clouds and sort of renting someone else's hardware, and then automating a lot of it. But what cloud also does and that definitely represents what we're doing security and I think applies here, is that it moves a lot of things that used to be IT responsibility being a part of the application. So a lot of decisions, including ones really security, and including ones related cost around anywhere from provisioning of servers to, network access, to when you burst out, and to the balancing of business value to the cost involved or the risk involved. Those are no longer done by a central IT organizations, but rather, they're being done by developers day in and day out. And so I think that's really where the analogy really works with cloud is, it's not so much, like clearly there's an aspect of that that is the the technical piece of tracking how much does it cost in the on demand surrounding of cloud, but there's a lot of the ownership change, or the fact that the decisions that impact that are done by developers, and they're not yet well equipped to have the insights, to have the tools, to make the right decisions with a press of button. >> Thank you Guy and absolutely, 'cause cloud is just one of the platforms you're living on, you know well from Snyk that integration between what's happening in the platform, where open source fits into it, the various parts of the organization that are there. So, you've got some good background, I'm sure, helps you're an advisor to Ohad there to helps pull through a little bit of some of those challenges. Yeah, I mean, Ed I'd love to hear just in general your viewpoint on how startups are doing at monetizing things in the era of... You've got the massive players like Amazon and Microsoft out there. >> Look, the enterprise pain is higher than ever right now, every fortune 500 is a tech company right now and they need engineers, and they're hiring engineers. In fact, many of the largest fortune 500 have more engineers than some of the tech companies. And developer productivity is number one, front and center. And if you talk to CIOs, we just hosted a panel with the CIO of Guardian Life and the CTO of Priceline. They're all looking at how do I kind of automate my tool chain? How do I get things done faster? How do I do things more scalable? And then how do I coordinate processes amongst teams. As Guy hit upon and Ohad as well, not just security, there's product design being embedded with developers as product management being embedded with developers. There's finance now, FinOps. If you're going to spend more and more in the cloud, how do you actually control that proactively before things happen versus after or months after that happens? So I think this is going to be a huge, huge opportunity on the FinOps side. And, the final thing I would say is that winning the hearts and minds of developers to win the enterprise is a tried and trued model, and I think it's going to be even more important as we move forward in the next few years, to be honest with you. >> All right, so Ohad you know I think Ed talked about those hearts and minds of developers absolutely critical. When you look at the tooling landscape out there, the challenge of course, is there's so many tools out there, that there's platform battles, there's developers that find certain things that they love, and then there's, oh, wait, can I have a general purpose solution that can help. You talk about this being the third wave, how does this kind of tie into or potentially replace some of the last generation of automation tools. How do you see yourself getting into the accounts and growing your developer base? >> I think, I have a very simple answer, because, now enterprises have two options. Either they go with productivity self-service, or they go with governance, but they cannot have both. So if it's the smaller or they have less risks, so they go with the productivity and they take those risks, take the extra costs, take that potential damage that can happen. But more we see the case of I cannot allow myself this mess, so I have to block this velocity. I have to block those developers, they cannot just orchestrate cloud resources as they wish they have to open tickets, they have to go through some manual process of approval or we see more and more developers that understand there is a challenge they built in-house env0 of self-service combined with governance solution, and they always struggle doing it well, because it's not their core business. So once you see the opportunity of a more and more customers doing a lot of investment in in-house solution that do the same thing, probably a good idea to do it, as a separate product. And also the fact that we have the visibility of different customers, we can be very early but for later on adds pattern recognition, and notice what makes sense, what is problematic and give those insights and more business logic back to the customers which is impossible for them to do if they're only isolated on their cases. So as providing the same great solution to different companies, allowing them self-service combined with governance, and then additionally, add those and Smart Insights later on. >> Yeah, I think what I love about what he said is that I don't think he even sort of said finance or cost at any time of those. So really, like you said, governance and I think you can swap governance or you can swap the kind of the entity that's doing the governance for security for all of those. And that sounds awfully familiar for Snyk, which really kind of begs the answer to be the same, it's the reason that env0 approach is promising and that it would win against competition is that it tends to be that the competition or the people that are around are focused on the governance piece, they're they're focused on just sort of the entity that is the controlling entity. I like to say that it's actually not about shift left, it's about if you want to choose a direction, it's going to be the sort of the top to bottom. So it's more about, like this governance entities, whether security or finance, they need to shift from a controlling mindset that is top down that is like this dictatorship of sort of telling you what you should and shouldn't do to more of a bottom up element and allowing the teams the people in the trenches people actually make decisions to make correct decisions, and in this case, correct decisions from a financial perspective. And then alongside that, the governing entity, they need to switch to being a supportive entity an enabling entity and I think that transition will happen across many aspects of sort of software development and definitely anything that requires that type of governance from from outside of the development process today that is to change. >> Yeah, to chime in and add to Guys point, development is so important, it touches every aspect of an organization. So I always think about it as almost a collaborative workflow layer versus being reliant on kind of one control entity. Great developers always want to move fast. But, how do you kind of build that collaborative workflow and I think that Ohad in env0 is providing that for the environment and finance. Guys doing it for security. And there's lots of other opportunities out there, like privacy as well. And I wouldn't be surprised if finance folks start getting embedded with development at some point just like security is, or design is, product management is as well, because that is probably one of the highest costs around right now for many companies, and they're all trying to figure out how to stop the bleeding much earlier. >> Yeah, it's been lots of discussion, of course, we kind of go beyond DevOps, I think FinOps is in there. Ohad you have a favorite term that you've had from your advisors yet, how you categorize what you're doing. Any final words on kind of that organizational dynamic which we know so often it's the technology can be the easy part, it's getting everybody in the org, pulling in the same direction. >> Yeah, I think I'm looking at maybe a physical metaphor, or just an example, if you just enter a developer's room, you might see a screen TV there with some APM Datadog, New Relic Metrics, developers care about performance. They know very early if they did something wrong. And now they see more and more in those dashboards, in the developers rooms, things like Snyk to make sure you're not putting any bad open source package, which has security or ability. What we believe is that now they don't have the right tools, the right product that they can be part of the responsibility, of course, and that's like somebody else's problem. In other rooms, you have those TVs, those screens that show what is the cost, and maybe only later on in the waterfall kind of way you try to isolate and root cause analysis on what went wrong, but there is no good reason why those graphs of the past should be in the same rooms next to the APM and the Snyks and to prevent those as early as possible, maybe to change the discussion and build more trust between the developers that now seem not to care about the cost because they used not to care like 10 years ago when we used to have is called Apex-Cloud. The VMware or even EC2 Instances with the predicted pricing, that's all school. Now you have auto scaling Kubernetes, you have Lambda those kind of things you pay per usage. So the possibility for engineers to know how much their code is about to cost to the organization is very challenging now. If we tie from the developer up to, the financial operations, we will provide better service, and just better business value for our customer. >> Awesome, so final question I have for you, and Ohad I'm going to have you go last on this one is you kind of painted the picture of where things are going to go. So give us what success look like, Ed, start with you, give us out 12 to 24 months as to env0 in this wave as what should we be looking for? >> Success to me would be that every large enterprise has this on their budget line item as a must have. And the market is still early and evolving right now, but I have no doubt in my mind, it's going to happen. And as you hear about many large enterprises saying that we were in the second inning of cloud migration now we're in the fourth. That is what success will be and I know it's going to happen faster than we all thought. >> I'll take the developer angle to it, I think success is really when developers are delighted, or sort of they feel they're building better software by using env0 and by factoring this aspect of quality into their daily activities. And I think a lot of that comes down to ease of use. Like, I kind of encourage folks to sort of try out the env0 and see the cost calculation, it's all about making it easy. So what excites me is really around that type of success where it's so easy that it's embedded into their sort of daily activities, and that they're happy it's not a forced thing. It's something they've accepted and like having as part of their software development process. >> I fully agree with both Ed in Guy, but I want to add on on a personal note, that one of the reasons we started env0 is because we saw developers quitting jobs at some places. And the reason for that was that they didn't give them self-service, they didn't empower those developers, they were blocked by DevOps, they needed to open tickets, to do trivial things. And this frustration is just a bigger motivation for us to solve. So we want to reduce this frustration. We want developers to be happy and productive, and do what they need to do, and not getting blocked by others. So that's, I think, another way to look at it, to make sure that those developers are really making good use out of their time and going back home at the end of the day, and feeling that they did what they were paid for, not for waiting for others to locate some cloud resources for them. >> All right, well, Ohad want to wish you the best, absolutely. Some of the early things that we've seen sometimes they're the tools that help, we've been talking gosh I remember 15, 20 years about breaking down the silos between various parts of the organization, some of the tools give you different viewpoints into what you're doing, help have some of the connection and hopefully some empathy as to what the various pieces are there. You really highlighted there's nothing worse than I'm not being appreciated for the work I'm doing, or they don't understand the challenges that I'm going through. So, congratulations on env0. We look forward to following going forward and definitely hope being part your customers in the future. Thanks so much. >> Thank you, thank you very much. >> All right, and Guy really appreciate your perspectives on this thank you for joining us. >> Thanks for having them. >> All right, be sure to check out theCUBE.net where you can find all of the events we're doing online these days, of course, where there's a huge back catalog of what we have in the thousands of interviews that we've done. I'm Stuart Miniman, and thank you for watching theCUBE. (upbeat music)

>> Hey welcome back everybody Jeff Frick here with theCUBE. We're at Node Summit 2015 in Downtown San Francisco Mission Bay Conference Center. About 800 people talking about nodes, Node JS. The crazy growth in this application development platform and we're excited to have our next guest to talk about security. Which I don't think we've talked about yet. He's Guy Podjarny, I'm sorry. >> Podjarny Correct. >> Welcome, he's a CEO of Snyk, not spelled like Snyk. (laughing) You'll see it on the lower third. >> It's amazing how often we that question. How do you pronounce Snyk? >> Well I know, obviously people that have never had this start up and tried to go through a URL search. >> Indeed. >> Just don't know what's it's all about. >> It's sort of Google dominance. It's short for so now you know. So now you know. >> Oh, so now you know. Okay perfect, super. First off welcome, great to see you. >> Thank you. Thanks for having me. >> You said this is your second year at the conference. Just kind of share your general impressions of what's going on here. >> Sure, well I think Node Summit is an awesome conference. I think this year's event is bigger, better organized. I don't know if it's bigger people wise but definitely feels that way. It sort of feels more structured. It's nice to see in the audience as well. Just an increased amount of larger organizations that are around and talking about their challenges and a little bit a lot earlier in the conference but a little bit of more experienced conversations. So conversations about hey, we've used node and we've encountered these issues versus we're about to use it. We're thinking of using it so definitely can see the enterprise adoption kind of growing up. That's my primary impression so far. >> Yeah and it's it in 'cause you're a start up but Microsoft is here, Google's here, Intel is here, IBM is here so a lot of the big players. Who've demonstrated in other open source communities that they have completely embraced open source as a method and way to get actually more than the software is getting closer to development community. >> Yeah, agreed and I think another adjacent trend that's happening is ServerList and ServerList has grown ridiculously, by massive amounts in these last while. And Node JS is sort of the de facto default language for ServerList. LAM just started with it and AWS and many of the other platforms only support it. I think that contribution also brings the giants a little bit more in here. The Cloud giants but also I think again just sort of boost the Node JS. As though the Node JS echo system needed a boost. They get another amplifier. Just raise enterprise awareness and general usage. >> Okay, so what's the Snyk all about? Gives us, some people aren't familiar with the company. >> Cool, so Snyk deals with open source security and specifically in Node JS, the world of MPMs. MPM is amazing and it allows us to build on the shoulders of giants and all the others in the community. But there are some inherent security risks with just pulling code off the internet and running it in your application. >> Jeff: Right, right. >> What we do at Snyk is we help you find known security flaws, known vulnerabilities in MPM packages, and do that in a natural fashion as part of your continuous development process, and then fix those efficiently and monitor for them over time. That's basically. >> That's your focus is really keeping track of all these other packages that people are using to their development. Precisely and we're helping you just use open source code and stay secure. The word node is our flag ship and it's where we started and build and now we support a bunch of other systems as well. >> It's interesting, Monica from Intel said that in some of their work they found that some of these applications. The actual developers only contributing 2% of the code 'cause they're pulling in all this other stuff. >> Precisely, I have this example I use in a bunch of my talks that shows ServerList example that has 19 lines of codes. Copies some file from URL and puts it on S3. That's 19 lines of codes which is awesome. Uses two packages which in turn use 19 packages which bring in 190,000 lines of code. >> Wow. >> That's a massive-- >> So what is that step function again? Start from the beginning. >> 19 to 190,000. >> It starts at two? >> 19 lines of code use two MPM packages. They use 19 packages because every package uses other packages as well, and combined those 19 packages bring in 190,000 lines of code. >> Wow, that's amazing. That's an extreme example but you see that pattern. You see this again and again that the majority of your code in your applications especially node is not first party it's third party code. >> Jeff: Right. >> And that means most of your security risks. Most of your vulnerabilities, they come from there so there is a lot of challenges around managing dependencies. I know it's called dependency help for a reason but specifically security is still not sufficiently taken care of. It's still overlooked and we need to make sure that it's not just addressed by security people. But it's addressed a part of the development process by developers. >> How do you keep up? Both with the number as the proliferation grows as well as the revisions and versions inside of any particular package? You kind of chasing a multi headed beast there. >> It's definitely tough. First of all the short answer is automation. Any scale solution has to start with automation. I've got a security research team in Israel that has a vulnerability pipeline that feeds in from activity in the open source world. Some developer opens an issue and gets helps that say SQL injection in some package and that disappears into the ether. So we try to surface those, get it to our security analysts, determine if it's a real vulnerability curated in our database, and then just build that database with your own research but a lot of it is around tapping into community. And then subsequently when you consume this if you want to be able to apply security correctly as you develop your applications Node JS or otherwise. It has to come to you. The security tool has to be a seamless integration with how you currently work. If you impose another step, another two steps, another three steps on the developers. They're just not going to use it. That's a lot of our emphasis is scale on the consumption and the tracking of the database and simplicity and ease of use on the developer on the user side. >> And do you help with just like flagging. Flagging is a problem or is there an alternative. I mean I would imagine with all these interdependencies, you find one rotten apple kind of have a huge impact. It's a huge scale of impact right. >> Absolutely so we do really what our moniker is that we don't find vulnerabilities, we fix them and our goal is to fix vulnerabilities. So we actually, first of all in the flow we have single click, open a fixed PR. We figure out what changes we need to do. What upgrades you need to make the vulnerability go away. Literally click a button to fix it. Put on one bat for everything and then what we also do. We build patches, sort of a little known fact is in the world of operation systems RedHat and Canonical. They build a lot of fixes or they back port a lot open source fixes, and they put them into their repository. You can just say on updates or upgrade and just get those fixes. You don't even know which vulnerabilities you're fixing. You're just getting the fixes so we build patches for our MPM packages as well to allow you to patch vulnerabilities you can not upgrade away. A lot of it is around fix. Make fix easy. >> Right and then the other part as you said is baking security in the development all the way through which we hear over and over and over. >> Build it in and bolt it in. >> The cast in method doesn't work anymore. You've got to have it throughout the application so you said you're speaking on a panel tomorrow. And I wondered if you can just highlight some of the topics for tomorrow for the folks that aren't going to be here and see the panel. When you look at ServerList security. Say that three times fast. What are some of the real special challenges that people need to be thinking about? >> Sure, so you know I actually have two talks tomorrow. One is a panel on Node JS security as a whole and that's sort of a broader panel. We have a few other colleagues in there and we talk about the evolution of Node JS security that includes the platform itself which is increasingly well handled by the foundation. Definitely some improvements there over the years and some of it is around best practices like the ones that was just discussed which is understanding known pitfalls and Node JS sort of security mistakes that you might do as well as handling the MPM echo system. The other talk that I have later in the day is around ServerList security. ServerList security is interesting because a lot of the promise of ServerList is function as a service is that a lot of the concerns. A lot of the earlier or lower levels get abstracted away from you. You don't need to manage servers. You don't need to manage operation systems and with those auto security concerns go away. Which in turns focuses the attackers and should focus you on the application. As attackers are not just going to give up because they can't hack the operating system that the pros are managing. They would look at the next low hanging fruit and that would be the application. Platform as a service and function as a service really increase the importance of dealing with application security as a whole. So my talk is a lot about that but also deals with other security concerns that you might of course any new methodology introduces its own concerns so talk a little bit about how to address those. ServerList like Node JS is an opportunity to build security into the culture and into our methodologies from the early day so trying to help us get that right. >> Alright, as you look forward, the next 12 months. I won't say more than 12 months, 6 months, 9 months, 12 months. What are some of your priorities at Snyk? What are you working on if we get together a year from now, what will we be talking about? I think, so two primary ones. One is continuing the emphasis on fix. Making fixing trivial in the Node JS environments as well as others. I think we've done well there but there is more work to be done. It needs to be as seamless as possible. The other aspect is indeed in this sort of past and fast world and platform and function as a service. Where increasingly there is this awareness as we work with different platforms to the blind spot that they have to open source libraries. They fix your NGX vulnerabilities but not your express vulnerabilities. I sometimes refer to MPM packages or open source packages as sprinkles of infrastructure that are just scattered through your application. And today, all of these Cloud platforms are blind to it so I expect us at Snyk to be helping past and fast users dealing with that security concerns efficiently. >> Alright, well I look forwards to the conversation. >> Thanks. >> Thanks for stopping by. >> Thank you. >> He's Guy Podjarny. He is from Snyk. The CEO of Snyk. I'm Jeff Frick, you're watching theCUBE. (uptempo techno music)

>> From the Silicon Angle Media Office in Boston Massachusetts, it's "The Cube." (groovy techno music) Now, here's your host, Dave Vellante. >> Hello, everyone. The rise of open source is really powering the digital economy. And in a world where every company is essentially under pressure to become a software firm, open source software really becomes the linchpin of digital services for both incumbents and, of course, digital natives. Here's the challenge, is when developers tap and apply open source, they're often bringing in hundreds, or even thousands of lines of code that reside in open sourced packages and libraries. And these code bases, they have dependencies, and essentially hidden traps. Now typically, security vulnerabilities in code, they're attacked after the software's developed. Or maybe thrown over the fence to the sec-ops team and SNYK is a company that set out to solve this problem within the application development life cycle, not after the fact as a built-on. Now, with us to talk about this mega-trend is Peter McKay, a friend of The Cube and CEO of SNYK. Peter, great to see you again. >> Good to see you, dude. >> So I got to start with the name. SNYK, what does it mean? >> SNYK, So Now You Know. You know, people it's sneakers sneak. And they tend to use the snick. So it's SNYK or snick. But it is SNYK and it stands for So Now You Know. Kind of a security, so now you know a lot more about your applications than you ever did before. So it's kind of a fitting name. >> So you heard my narrative upfront. Maybe you can add a little color to that and provide some additional background. >> Yeah, I mean, it's a, you know, when you think of the larger trends that are going on in the market, you know, every company is going through this digital transformation. You know, and every CEO, it's the number one priority. We've got to change our business from, you know, financial services, healthcare, insurance company, whatever, are all switching to digital, you know, more of a software company. And with that, more software equals more software risk and cybersecurity continues to be, you know, a major. I think 72% of CEOs worry about cybersecurity as a top issue in protecting companies' data. And so for us, we've been in the software in the security space for the four and a half years. I've been in the security space since, you know, Watchfire 20 years ago. And right now, with more and more, as you said, open source and containers, the challenge of being able to address the cybersecurity issues that have never been more challenging. And so especially when you add the gap between the need for security professionals and what they have. I think it's four million open positions for security people. So you know, with all this added risk, more and more open source, more and more digitization, it's created this opportunity in the market where you're traditional approaches to addressing security don't work today, you know? Like you said, throwing it over the fence and having someone in security, you know, check and make sure and finding all these vulnerabilities, and throw it back to developers to fix is very slow and something at this point is not driving to success. >> So talk a little bit more about what attracted you to SNYK early. I mean, you've been with the company, you're at least involved in the company for a couple years now. What were the trends that you saw, and what was it about SNYK that, you know, led you to become an investor and ultimately, CEO? >> Yeah, so four years involved in the business. So you know, I've always loved the security space. I've been in it for a number, almost 20 years. So I enjoy the space. You know, I've watched it. The founder, Guy Podjarny, one of the founders of SNYK, has been a friend of mine for 16 years from back in the Watchfire days. So we've always stayed connected. I've always worked well together with him. And so when you started, and I was on the board, the first board member of the company, so I could see what was going on, and it was this, you know, changing, kind of the right place at the right time in terms of developer first security. Really taking all the things that are going on in the security space that impacts a developer or can be addressed by the developer, and embedding it into the software into that developer community, in a way that developers use, the tools that they use. So it's a developer-first mindset with security expertise built-in. And so when you look at the market, the number of open source container evolution, you know, it's a huge market opportunity. Then you look at the business momentum, just took off over the past, you know, four years. That it was something that I was getting more and more involved in. And then when Guy asked me to join as the CEO, it was like, "Sure, what took you so long?" (Dave laughing) >> We had Guy on at Node JS Summit. I want to say it was a couple years ago now. And what he was describing is when you package, take the example of Node. When you package code in Node, you bring in all these dependencies, kind of what I was talking about there, but the challenge that he sort of described was really making it seamless as part of the development workflow. It seems like that's unique to SNYK. Maybe you could talk about-- >> Yeah, it is. And you know, we've built it from the ground up. You know, it's very difficult. If it was a security tool for security people, and then say, "Oh, let's adapt it for the developer," that is almost impossible. Why I think we've been so successful from the 400,000 developers in the community using Freemium to paid, was we built it from the ground up for developer, embedded into the application-development life cycle. Into their process, the look and feel, easy for them to use, easy for them to try it, and then we focused on just developer adoption. A great experience, developers will continue to use it and expand with it. And most of our opportunities that we've been successful at, the customers, we have over 400 customers. That had been this try, you know, start it with the community. They used the Freemium, they tried it for their new application, then they tried it for all their new, and then they go back and replace the old. So it was kind of this Freemium, land and expand has been a great way for developers to try it, use it. Does it work, yes, buy more. And that's the way we work. >> We're really happy, Peter, that you came on because you've got some news today that you're choosing to share with us in our Cube community. So it's around financing, bring us up to date. What's the news? >> Yeah so you know, I'd say four months ago, five months ago, we raised a $70 million round from great investors. And that was really led by one of our existing investors, who kind of knew us the best and it was you know, Excel Venture, and then Excel Growth came in and led the $70 million round. And part of that was a few new investors that came in and Stripes, which is you know a very large growth equity investor were part of that $70 million round said you know, preempted it and said, "Look it, we know you don't need the money, but we want to," you know, "We want to preempt. We believe your customer momentum," here we did, you know, five or six really large deals. You know, one, 700, seven million, 7.4 million, one's 3.5 million. So we started getting these bigger deals and we doubled since the $70 million round. And so we said, "Okay, we want to make money not the issue." So they led the next round, which is $150 million round, at a valuation of over a billion. That really allows us now to, with the number of other really top tier, (mumbles) and Tiger and Trend and others, who have been part of watching the space and understand the market. And are really helping us grow this business internationally. So it's an exciting time. So you know, again, we weren't looking to raise. This was something that kind of came to us and you know, when people are that excited about it like we are and they know us the best because they've been part of our board of directors since their round, it allows us to do the things that we want to do faster. >> So $150 million raise this round, brings you up to the 250, is that correct? >> Yes, 250. >> And obviously, an up-round. So congratulations, that's great. >> Yeah, you know, I think a big part of that is you know, we're not, I mean, we've always been very fiscally responsible. I mean, yes we have the money and most of it's still in the bank. We're growing at the pace that we think is right for us and right for the market. You know, we continue to invest product, product, product, is making sure we continue our product-led organization. You know, from that bottoms up, which is something we continue to do. This allows us to accelerate that more aggressively, but also the community, which is a big part of what makes that, you know, when you have a bottoms up, you need to have that community. And we've grown that and we're going to continue to invest aggressively and build in that community. And lastly, go to market. Not only invest, invest aggressively in the North America, but also Europe and APJ, which, you know, a lot of the things we've learned from my Veeam experience, you know how to grow fast, go big or go home. You know, are things that we're going to do but we're going to do it in the right way. >> So the Golden Rule is product and sales, right? >> Yes, you're either building it or selling it. >> Right, that's kind of where you're going to put your money. You know, you talk a lot about people, companies will do IPOs to get seen, but companies today, I mean, even software companies, which is a capital-efficient industry, they raise a lot of dough and they put it towards promotion to compete. What are your thoughts on that? >> You know, we've had, the model is very straightforward. It's bottoms up, you know? Developers, you know, there's 28 million developers in the world, you know? What we want is every one of those 28 million to be using our product. Whether it's free or paid, I want SNYK used in every application-development life cycle. If you're one developer, or you're a sales force with standardized on 12,000 developers, we want them using SNYK. So for us, it's get it in the hands. And that, you know, it's not like-- developers aren't going to look at Super Bowl ads, they're not going to be looking. It's you know, it's finding the ways, like the conference. We bought the DevSecCon, you know, the conference for developer security. Another way to promote kind of our, you know, security for developers and grow that developer community. That's not to say that there isn't a security part. Because, you know, what we do is help security organizations with visibility and finding a much more scalable way that gets them out of the, you know, the slows-down, the speed bump to the moving apps more aggressively into production. And so this is very much about helping security people. A lot of times the budgets do come from security or dev-ops. But it's because of our focus on the developer and the success of fixing, finding, fixing, and auto-remediating that developer environment is what makes us special. >> And it's sounds like a key to your success is you're not asking developer to context switch into a new environment, right? It's part of their existing workflow. >> It has to be, right? Don't change how they do their job, right? I mean, their job is to develop incredible applications that are better than the competitors, get them to market faster than they can, than they've ever been able to do before and faster than the competitor, but do it securely. Our goal is to do the third, but not sacrifice on one and two, right? Help you drive it, help you get your applications to market, help you beat your competition, but do it in a secure fashion. So don't slow them down. >> Well, the other thing I like about you guys is the emphasis is on fixing. It's not just alerting people that there's a problem. I mean, for instance, a company like Red Hat, is that they're going to put a lot of fixes in. But you, of course, have to go implement them. What you're doing is saying, "Hey, we're going to do that for you. Push the button and then we'll do it," right? So that, to me, that's important because it enables automation, it enables scale. >> Exactly, and I think this has been one of the challenges for kind of more of the traditional legacy, is they find a whole bunch of vulnerabilities, right? And we feel as though just that alone, we're the best in the world at. Finding vulnerabilities in applications in open source container. And so the other part of it is, okay, you find all them, but prioritizing what it is that I should fix first? And that's become really big issue because the vulnerabilities, as you can imagine, continue to grow. But focusing on hey, fix this top 10%, then the next, and to the extent you can, auto-fix. Auto-remediate those problems, that's ultimately, we're measured by how many vulnerabilities do we fix, right? I mean, finding them, that's one thing. But fixing them is how we judge a successful customer. And now it's possible. Before, it was like, "Oh, okay, you're just going to show me more things." No, when you talk about Google and Salesforce and Intuit, and all of our customers, they're actually getting far better. They're seeing what they have in terms of their exposure, and they're fixing the problems. And that's ultimately what we're focused on. >> So some of those big whales that you just mentioned, it seems to me that the value proposition for those guys, Peter, is the quality of the code that they can develop and obviously, the time that it takes to do that. But if you think about it more of a traditional enterprise, which I'm sure is part of your (mumbles), they'll tell you, the (mumbles) will tell you our biggest problem is we don't have enough people with the skills. Does this help? >> It absolutely-- >> And how so? >> Yeah, I mean, there's a massive gap in security expertise. And the current approach, the tools, are, you know, like you said at the very beginning, it's I'm doing too late in the process. I need to do it upstream. So you've got to leverage the 28 million developers that are developing the applications. It's the only way to solve the problem of, you know, this application security challenge. We call it Cloud Dative Application Security, which all these applications usually are new apps that they're moving into the Cloud. And so to really fix it, to solve the problem, you got to embed it, make it really easy for developers to leverage SNYK in their whole, we call it, you know, it's that concept of shift left, you know? Our view is that it needs to be embedded within the development process. And that's how you fix the problem. >> And talk about the business model again. You said it's Freemium model, you just talked about a big seven figure deals that you're doing and that starts with a Freemium, and then what? I upgrade to a subscription and then it's a land and expand? Describe that. >> Yeah we call it, it's you know, it's the community. Let's get every developer in a community. 28 million, we want to get into our community. From there, you know, leverage our Freemium, use it. You know, we encourage you to use it. Everybody to use our Freemium. And it's full functionality. It's not restricted in anyway. You can use it. And there's a subset of those that are ready to say, "Look it, I want to use the paid version," which allows me to get more visibility across more developers. So as you get larger organization, you want to leverage the power of kind of a bigger, managing multiple developers, like a lot of, in different teams. And so that kind of gets that shift to that paid. Then it goes into that Freemium, land, expand, we call it explode. Sales force, kind of explode. And then renew. That's been our model. Get in the door, get them using Freemium, we have a great experience, go to paid. And that's usually for an application, then it goes to 10 applications, and then 300 developers and then the way we price is by developer. So the more developers who use, the better your developer adoption, the bigger the ultimate opportunity is for us. >> There's a subscription service right? >> All subscription. >> Okay and then you guys have experts that are identifying vulnerabilities, right? You put them into a database, presumably, and then you sort of operationalize that into your software and your service. >> Yeah, we have 15 people in our security team that do nothing everyday but looking for the next vulnerability. That's our vulnerability database, in a large case, is a lot of our big companies start with the database. Because you think of like Netflix and you think of Facebook, all of these companies have large security organizations that are looking for issues, looking for vulnerabilities. And they're saying, "Well okay, if I can get that feed from you, why do I have my own?" And so a lot of companies start just with the database feed and say, "Look, I'll get rid of mine, and use yours." And then eventually, we'll use this scanning and we'll evolve down the process. But there's no doubt in the market people who use our solution or other solution will say our known the database of known vulnerabilities, is far better than anybody else in the market. >> And who do you sell to, again? Who are the constituencies? Is it sec-ops, is it, you know, software engineering? Is it developers, dev-ops? >> Users are always developers. In some cases dev-ops, or dev-sec. Apps-sec, you're starting to see kind of the world, the developer security becoming bigger. You know, as you get larger, you're definitely security becomes a bigger part of the journey and some of the budget comes from the security teams. Or the risk or dev-ops. But I think if we were to, you know, with the user and some of the influencers from developers, dev-ops, and security are kind of the key people in the equation. >> Is your, you have a lot of experience in the enterprise. How do you see your go to market in this world different, given that it's really a developer constituency that you're targeting? I mean, normally, you'd go out, hire a bunch of expensive sales guys, go to market, is that the model or is it a little different here because of the target? >> Yeah, you know, to be honest, a lot of the momentum that we've had at this point has been inbound. Like most of the opportunities that come in, come to us from the community, from this ground up. And so we have a very large inside sales team that just kind of follows up on the inbound interest. And that's still, you know, 65, 70% of the opportunities that come to us both here and Europe and APJ, are coming from the community inbound. Okay, I'm using 10 licenses of SNYK, you know, I want to get the enterprise version of it. And so that's been how we've grown. Very much of a very cost-effective inside sales. Now, when you get to the Googles and Salesforces and Nordstroms of the world, and they have already 500 licenses us, either paid or free, then we usually have more of a, you know, senior sales person that will be involved in those deals. >> To sort of mine those accounts. But it's really all about driving the efficiency of that inbound, and then at some point driving more inbound and sort of getting that flywheel effect. >> Developer adoption, developer adoption. That's the number one driver for everybody in our company. We have a customer success team, developer adoption. You know, just make the developer successful and good things happen to all the other parts of the organization. >> Okay, so that's a key performance indicator. What are the, let's wrap kind of the milestones and the things that you want to accomplish in the next, let's call it 12 months, 18 months? What should we be watching? >> Yeah, so I mean it continues to be the community, right? The community, recruiting more developers around the globe. We're expanding, you know, APJ's becoming a bigger part. And a lot of it is through just our efforts and just building out this community. We now have 20 people, their sole job is to build out, is to continue to build our developer community. Which is, you know, content, you know, information, how to learn, you know, webinars, all these things that are very separate and apart from the commercial side of the business and the community side of the business. So community adoption is a critical measurement for us, you know, yeah, you look at Freemium adoption. And then, you know, new customers. How are we adding new customers and retaining our existing customers? And you know, we have a 95% retention rate. So it's very sticky because you're getting the data feed, is a daily data feed. So it's like, you know, it's not one that you're going to hook on and then stop at any time soon. So you know, those are the measurements. You look at your community, you look at your Freemium, you look at your customer growth, your retention rates, those are all the things that we measure our business by. >> And your big pockets of brain power here, obviously in Boston, kind of CEO's prerogative, you got a big presence in London, right? And also in Israel, is that correct? >> Yeah, I would say we have four hubs and then we have a lot of remote employees. So, you know, Tel Aviv, where a lot of our security expertise is, in London, a lot of engineering. So between London and Tel Aviv is kind of the security teams, the developers are all in the community is kind of there. You know, Boston, is kind of more go to market side of things, and then we have Ottawa, which is kind of where Watchfire started, so a lot of good security experience there. And then, you know, we've, like a lot of modern companies, we hired the best people wherever we can find them. You know, we have some in Sydney, we've got some all around the world. Especially security, where finding really good security talent is a challenge. And so we're always looking for the best and brightest wherever they are. >> Well, Peter, congratulations on the raise, the new role, really, thank you for coming in and sharing with The Cube community. Really appreciate it. >> Well, it's great to be here. Always enjoy the conversations, especially the Patriots, Red Sox, kind of banter back and forth. It's always good. >> Well, how do you feel about that? >> Which one? >> Well, the Patriots, you know, sort of strange that they're not deep into the playoffs, I mean, for us. But how about the Red Sox now? Is it a team of shame? All my friends who were sort of jealous of Boston sports are saying you should be embarrassed, what are your thoughts? >> It's all about Houston, you know? Alex Cora, was one of the assistant coaches at Houston where all the issues are, I'm not sure those issues apply to Boston, but we'll see, TBD. TBD, I am optimistic as usual. I'm a Boston fan making sure that there isn't any spillover from the Houston world. >> Well we just got our Sox tickets, so you know, hopefully, they'll recover quickly, you know, from this. >> They will, they got to get a coach first. >> Yeah, they got to get a coach first. >> We need something to distract us from the Patriots. >> So you're not ready to attach an asterisk yet to 2018? >> No, no. No, no, no. >> All right, I like the optimism. Maybe you made the right call on Tom Brady. >> Did I? >> Yeah a couple years ago. >> Still since we talked what, two in one. And they won one. >> So they were in two, won one, and he threw for what, 600 yards in the first one so you can't, it wasn't his fault. >> And they'll sign him again, he'll be back. >> Is that your prediction? I hope so. >> I do, I do. >> All right, Peter. Always a pleasure, man. >> Great to see you. >> Thank you so much, and thank you for watching everybody, we'll see you next time. (groovy techno music)