>>Okay. We're back in Boston covering AWS reinvent 2022. This is our second live reinvent. We've done the other ones, uh, in between as digital. Uh, my name is Dave Lanta and you're watching the cube. Peter McKay is here. He's the CEO of sneaking ad Shani is the chief technical officer guys. Great to see you again. Awesome. Being here in Boston >>In July. It is Peter. You can't be weather's good weather. Yeah, red SOS. Aren't good. But everything else >>Is SOS are ruin in our sub, you know, >>Hey, they're still in the playoff, the hunt, you >>Know, all you gotta do is make it in. Yes. >>Right. And there's a new season. Simple >>Kinda like hockey, but you know, I'm worried they're gonna be selling at the trading >>Deadline. Yeah. I think they should be. I think it's you think so it's not looking good. Oh, >>You usually have a good angle on this stuff, but uh, well, Hey, we'll see. We'll go. I got a lot of tickets. We'll go and see the Yankees at least we'll see a winning team. Anyway, we last talked, uh, after your fundraising. Yeah. You know, big, big round at your event last night, a lot of buzz, one of the largest, I think the largest event I saw around here, a lot of good customers there. >>It's great. Great time. >>So what's new. Give us the update. You guys have made some, an acquisition since then. Integration. We're gonna talk >>About that. Yeah. It's been, uh, a lot has happened. So, uh, the business itself has done extremely well. We've been growing at 170% year, over year, a hundred percent growth in our number of customers added. We've done six acquisitions. So now we have, uh, five products that we've added to the mix. We've tripled the size of the company. Now we're 1300 people, uh, in the organization. So quite a bit in a very short period of time. >>Well, and of course my, in my intro, I, I said, reinvent, I'm getting ahead of myself. Right. >>Of course we'll >>Reinforced. We'll be at reinve >>In November. Are that's the next one at >>Reinforced. We've done a lot of reinvents by the way, you know? >>So there's a lot, lot of reinvention >>Here. So of course, well, you're reinventing security, right? Yes. So, you know, I try to, I think about when I go to these events, like, what's the takeaway, what's the epiphany. And we're really seeing the, the developer security momentum, and it's a challenge. They gotta worry about containers. They gotta worry about run time. They gotta worry about platform. Yeah. You guys are attacking that problem. Maybe describe that a >>Little bit for us. Yeah. I mean, for years it was always, um, you know, after the fact production fixing security in run time and billions and billions of dollars spent in fixing after the fact. Right. And so the realization early on with the was, you know, you gotta fix these issues earlier and earlier, we started with open source was the first product at wait. Then six, six years ago, then we added container security and we added infrastructure's code. We added code security. We added, um, most recently cloud security with the F acquisition. So one platform, one view that a developer can look at to fix all the issues through the, be from the beginning, all the way through the software development life cycle. So we call it developer security. So allowing developers to develop fast, but stay secure at the same time. >>So I like the fact that you're using some of your capital to do acquisitions. Yeah. Now a lot of M and a is, okay, we're gonna buy this company. We're gonna leave them alone. You guys chose to integrate them. Maybe describe what that process was like. Yeah. Why you chose that. Yeah. How hard it was, how long it took. Take us through that. >>Yeah. Yeah. I'll give, uh, two examples, maybe one on sneak, which was an acquisition of, of the company that was focused on, uh, code analysis, actually not for security. And we have identified the merit of what we need in terms of the first security solution, not an ability to take a security product and put it in the end of developer, but rather build something that will build into the dev motion, which means very fast, very accurate things that it can rely on source and not just on the build code and so on. And we have built that into the platform and by that our customers can gain all of their code related issues together with all of their ISE related issues together with all of the container issues in one platform that they can prioritize accordingly. >>Yeah. Okay. So, so talk more about the, the, the call, the few, the sneak cloud, right? Yeah. So the few name goes away. I presume, right. Or yes, it does. Okay. So you retire that and bring it in the brand is sneak. Yeah. Right. So talk about the cloud, what it does, what problems >>It's solving. Yeah. Awesome. And, and this goes exactly the same. As we mentioned on, on the code, we have looked at the, the, the cloud security solutions for a while now. And what we loved about the few team is that they were building their product with their first approach. Okay. So the notion is as followed as you are, you know, you're a CSO, you have your pro you have your program, you're looking, you have different types of controls and capabilities. And your team is constantly looking for threats. When we are monitoring your cloud environment, we can detect problems like, you know, your FL bucket is not exposing the right permissions and is exposed to the world or things like that. But from a security perspective, it might be okay to stop there. But if you're looking at an operation perspective, you need to know who needs to fix, how do they need to fix it? >>Where do they need to fix it? What will the be the impact if they would fix it? So what do we actually doing is we are connecting all the dots of the platform. So on one end, you know, the actual resources that are running and what's the implication in the actual deployed environment. On the other end, we get correlation back to the actual code that generates that. And then I can give that context both to the security person, the context of how it affects the application. But more importantly, the context for the developer is required to fix the problem. What's the context of the cloud. Yeah. And a lot of things are being exposed this way. And we can talk about that. Uh, >>So this is really interesting because, and look, I love AWS to do an amazing job. One of the other things I really like about 'em is it seems like they're not trying to go hard and monetize their security products. Mm-hmm, they're leaving that to the ecosystem, which I like. Yeah. Microsoft taken a little different approach, right? Yeah, yeah, yeah. Ton a lot. But this, this, this example you're giving ad about the S3 bucket. So we heard in the keynotes yesterday about, you know, reasoning, AI reasoning, they said, we can say, is this S3 bucket exposed to the public? We can do that with math. Right. Yeah. But you're what I'm inferring is you don't stop there. Yeah. Yeah. There's a lot of other stuff that has to, >>And sometimes have to, not as simple, just as a configuration change, sometimes the correlation between what your application is doing affects what is the resulted experience of, you know, the remote user or in this case, the attacker, right. I mean, >>The application has access, who has access to the application, is this, this the chain. >>So propagates, you have to, you have to have a, a solution that looks both at have very good understanding of the application context. A very good understanding of what we refer to as the application graph, like understanding how it works, being able to analyze that and apply the same policies, both at development time, as well as run time. >>So there's, there's human to app. There's also a machine to machine. Can you guys help with that problem as well? Or is that sort of a futures thing or >>Could you, I'm not sure. I understand what >>Referring, so machines talking to machines, right. I mean, there's data flowing. Yep. You know, between those machines, right. It's not just the humans interacting with the application. Is that a trend that you see and is that something that you guys can solve? >>So at, at the end of the day, there is a lot of automation that happens both for, by humans for good reasons, as well as by humans for bads. Right. <laugh> and, and the notion is that we are really trying to focus on what matters to the developer as they're trying to improve their business around that. So both improves making sure they know, you know, quality problems or things of this kind. But as part of that, more importantly, when we're looking at security as a quality problem, making sure that we have a flow in the development life cycle that streamline what the developer is expecting to do as they're building the solution. And if every single point, whether it's the ID, whether it's the change management, whether it's the actual build, whether it's the deployed instance on the cloud, making sure that we identify with that and connect that back to the code. >>Okay. So if there's machine automation coming in, that shouldn't be there, you can sort of identify that and then notify remediate or whatever action should be >>Taken. Yeah. Identify, identify remediate. Yep. >>Yeah. We, we really focus on making sure that we help developers build better products. So our core focus is identify areas where the product is not built way in a good way, and then suggest the corrective action that is required to make that happen. >>And I think part of this is the, you know, just, uh, the speed of the software development today. I mean, you look at developers are constantly and not just look at sneak you're, you're trying to get so much more productivity outta the developers that you have. Every company is trying to get more productivity out of developers, incredible innovation, incredible pace, get those is a competitive advantage. And so what we're trying to do is we make it easier for developers to go fast innovate, but also do it securely and embed it without slowing them down, develop fast and secure. >>So again, I love, I love AWS love what they're doing. We heard, uh, yesterday from, from CJ, you know, a lot of talk about, you know, threat detection and, you know, some talk about DevOps, et cetera. But yeah, I, I, I didn't hear a lot about how to reduce the complexity for the CSO. And the reason I bring this up is it feels like the cloud is now the first level of defense and the CISO is, is becoming the next level, which is on the developer. So the developer is becoming responsible for security at a whole shift left, maybe shield. Right. But, but shift left is becoming critical. Seems like your role and maybe others in the ecosystem is to address my concern about simplifying the life of the CISO. Is that a reasonable way to think about it? I >>Think it's changing the role of the CISO. How so? You know, really it's, I, I think it's before it, in this, in the security organization and D you should chime in here is, you know, it used to be, I did, I owned all application security, I owned the whole thing and they couldn't keep up. Like, I think it's just every security organization is totally overwhelmed. And so they have to share the responsibility. They have to get that fix the issues earlier and earlier, because it's waiting too long. It's after the fact. And then you gotta throw this over the fence and developers have to fix it. So they've gotta find a new way because they're the bottleneck they're slowing down the company from, in innovating and bringing these applications to market. So we are the kind of this bridge between the security teams that wanna make sure the, that we're staying secure and the development organizations and engineering and CEOs go fast. We need you guys to go faster and faster. So we, we tend to be the bridge between the two of them. >>One of the things I really love happening these days is that we change the culture of the organization from a culture where the CSO is trying to, you know, push and enforce and dictate the policy, which, which they should, but they really wanna see the development team speak up like that. The whole motion of DevOps is that we are empowering them to make the decisions that are right for the business, right? And then there is a gap because on one hand, this is always like, you need to do this, you need to do this. You need to do that. And the dev teams don't understand how that impacts their business. Good enough. And they don't have the tools and, you know, the ability to add a source problem. So with the solution liken, we really empower the developers to bake security as part of their cycle, which is what was done in many other fields, quality, other things, everything, it, everything moves into development already, right? So we're doing that. And the entire discussion now changes into an enablement discussion. >>So interesting. Cause you saw, this is the role of the CSOs changing. How so? I see that in a way like frees, sneak the CSO with the cloud is becoming a compliance officer. Like you do this, you do this, you do this, you do this, you third >>One would take a responsibility >>Trying. Yeah. Right, right. And so you're flipping that equation saying, Hey, we're gonna actually make this an accelerant to your business. >>So, so set the policy, determine compliance, but make sure that the teams, the developers are building applications in compliance with your policy. Right. So make sure and, and don't allow them to do something. If they're doing, if they're developing an application with a number of vulnerabilities, you can stop that from happening so you can oversee it, but you don't have to be the one who owns it all the way through from beginning to, >>Or, or get it before it's deployed. So you don't have to go back after the fact and, and remediate it with, you know, but, >>But think about deploy, they're deploying apps today. I mean, they're updating by the hour, right? Where, you know, six years ago, five years ago, two years ago was every six to nine months. Right? So the pace of this innovation from developers is so fast that the old way of doing security can't keep up. Like they're built for six month release cycles. This is six hour release cycles. And so we had to, it has to change security. Can't stay the way it is. So what we've been doing for se seven years for application security is exactly what we're doing for cloud security is moving all that earlier. All these products that we've been building over the years is really taking these afterthought security components and bringing 'em all earlier, you know, bringing everything like cloud security is done after the fact. Now we can take those issues and bring 'em right to the developers who created that and can fix the issues. So it's code to cloud back to code in a very automated fashion. So doesn't slow developers down. >>Okay. So what's the experience. We all know there's, everybody has more than one cloud. What's the experience across clouds. Can you create a consistent, continuous experience, cloud agnostic, >>Agnostic, cloud agnostic, uh, development environment, agnostic, you know, language agnostic. So that's kind of the beauty oft where you have maybe other certain tools for certain clouds, uh, or certain languages or certain development environments, but you have to learn different tools, you know, and, and they all roll up to security in a different way. And so what we have done is consolidated all that spend for open source security, container security infrastructure, now, cloud security, all that spend and all that fragmentation all under one platform. So it's one company that brings all those pieces >>Together. So it's a single continuous experience. Yeah. The developer experience you're saying is identical. Yes. >>Actually one product >>It's entitlement that we're getting. Yes. So you're hiding the underlying complexities of the respective clouds and those primitives developer doesn't have to worry about them. No, I call that a super cloud super >>Cloud. >>Okay. But no, but essentially that's what you're, you're building, building on the, on this ed Walsh would say on the shoulders of giants. Yeah, exactly. You know, you don't have to worry about the hyperscale infrastructure. Yep. Right. That you're building a layer of value on top of that. Yes. Is, is that essentially a PAs layer or is it, is it, can I think of it that way or is it not? Hmm. Is it platform? I >>Mean, yeah. I, I, I would say that at the end of the day, the, the way developers want to use a security tool is the same. Right. So we expose our functionality to them in those ways, if you're using, you know, uh, uh, one GI repository or another, if you're using one cloud or we, we are agnostic to data, don't, it's not, it doesn't really affect us in that manner. Um, I want to add another thing about the, the experience and associated with the consolidation that Peter referred to, uh, earlier, when you have a motion that automatically assess, you know, uh, problems that the developer is putting as part of the change management, as example, you do creating pool request. Now adding more capabilities into that motion is easy. So from enablement of the team, you can add another functionality, add cloud at ISC, add code and so on like that, because you already, you already made the decisions on how you are looking at that. And now you're integrated at, into your developer workflows, >>Right? So it's, it's already, it's already integrated for open source, adding container and ISD is real easy. It's all, you've already done all the integrations. And so for us going to five products and eventually 6, 7, 8, all, all based on the integrations that you already have in the same workflows that developers have become a use accustomed >>To. And that's what we, a lot of work from the company perspective. Right. >>I can ask you about another sort of trend we're seeing where you see Goldman Sachs last reinvent announced a cloud product, essentially bringing their data, their tools, their software. They're gonna run it on AWS at the snowflake summit, uh, capital one announced the service running on snowflake, Oracle by Cerner, right? Yeah. You know, they're gonna be, do something on OCI. Of course, make 'em do that. But it's, it's a spin on Andreessens every company's a software company. It's like every company's now becoming digital, a software company building their own SAS, essentially building their own clouds, or maybe, maybe something they'll be super clouds. Are you seeing industry come to sneak and say, Hey, help us build products that we can monetize >>There companies. So, first off, I think kind of the first iteration is, you know, all these industries of becoming software driven, like you said, and more software is more software risk. And so that kind of led us down this journey of now financial services, you know, tech, you know, media and entertainment, financial services, healthcare. Now it's this long tail of, of low tech. Yeah. Within those companies, they are offering services to the other parts of the organization. We have >>So far, mostly >>Internal, mostly internal, other than the global SI. And some of the companies who do that for a living, you know, they build the apps for companies and they are offering a sneak service. So before I give you these, I update these applications. I'm gonna make sure I'm running. I'm, I'm, I'm signifying those applications to make sure that they're secure before you get them. And so that now a company like a capital one coming to us saying, I wanna offer this to others. I think that's a, that's a leap because you know, companies are taking on security of someone else's and I think that's a, that's not there yet. It may be, >>Do you think it'll happen? >>We do have the, uh, uh, threat Intel that we, we have a very, a very strong security group that constantly monitors and analyzing the threat. And we create this vulnerability database. So in open sources, an example, we're the fact of standard, uh, in the field. So many of our partners are utilizing the threat Intel feed of snake as part of their offering. Okay. If you go to dock as an example, you can scan with, with snake intelligence immediately out of the gate over there, right? Yeah. >>And tenable, rapid seven trend micro. They all use the vulnerability database as well. Okay. So a lot of financial institutions use it because they had, they'd have seven, 10 people doing re security research on their own. And now they can say, well, I don't have to have those seven. I've got the industry standard for vulnerability database from Steve. >>And they don't have to throw out their existing tool sets where they have skills. >>Yes, exactly. >>Peter bring us homes, give us the bumper sticker, summarize, you know, reinforce and kind what we can expect going forward. >>Yeah, no, I mean, we're gonna continue the pace. We don't see anything slowing, slowing us down in terms of, um, just the number of customers that are, that are shifting left. Everybody's talking about, Hey, I need to embed this earlier and earlier. And I think what they're finding is this, this need to rein reinnovate like get innovation back into their business. And a lot of it had to slow down because, well, you know, you, we can't let developers develop an app without it going through security. And that takes time. It slows you down and allows you not to like slow the pace of innovation. And so for us, it's it help developers go fast, incredibly, you know, quickly, aggressively, creatively, but do it in a secure way. And I think that balance, you know, making sure that they're doing what they're doing, they're increasing developer productivity, increasing the amount of innovation that developers are trying to do, but you gotta do it securely. And that's where we compliment really what every CEO is pushing companies. I need more productivity. I need more aggressive creativity, innovation, but you better be secure at the same time. And that's what we bring together for our customers. >>And you better do that without slowing us down. That's >>Don't trade off, slow >>Us down. Always had to make. Yes, guys. Thanks so much for coming to the cube. Thanks, David. Always great to see you guys see ID. Appreciate it. All right. Keep it right there. This is the Cube's coverage of reinforced 2022 from Boston. We'll be right back right after the short break.