(gentle upbeat music) >> Okay, welcome back everyone to theCUBE's live coverage here in Boston, Massachusetts for AWS RE:INFORCE 22. I'm John Furrier, your host with Dave Vellante co-host of theCUBE, and Shreyans Metah, CTO and founder of Cequence Security. CUBE alumni, great to see you. Thanks for coming on theCUBE. >> Yeah. Thanks for having me here. >> So when we chatted you were part of the startup showcase. You guys are doing great. Congratulations on your business success. I mean, you guys got a good product in hot market. >> Yeah. >> You're here before we get into it. I want to get your perspective on the keynote and the talk tracks here and the show. But for the folks that don't know you guys, explain what you guys, take a minute to explain what you guys do and, and key product. >> Yeah, so we are the unified API protection place, but I mean a lot of people don't know what unified API protection is but before I get into that, just just talking about Cequence, we've been around since 2014. But we are protecting close to 6 billion API transactions every day. We are protecting close to 2 billion customer accounts, more than 2 trillion dollars in customer assets and a hundred million plus sort of, data points that we look at across customer base. That's that's who we are. >> I mean, of course we all know APIs is, is the basis of cloud computing and you got successful companies like Stripe, for instance, you know, you put API and you got a financial gateway, billions of transactions. What's the learnings. And now we're in a mode now where single point of failure is a problem. You got more automation you got more reasoning coming a lot more computer science next gen ML, AI there too. More connections, no perimeter. Right? More and more use cases, more in the cloud. >> Yeah. So what, what we are seeing today is, I mean from six years ago to now, when we started, right? Like the monolith apps are breaking down into microservices, right? What effectively, what that means is like every of the every such microservices talking APIs, right? So what used to be a few million web applications have now become billions of APIs that are communicating with each other. I mean, if you look at the, I mean, you spoke about IOT earlier, I call, I call like a Tesla is an application on four wheels that is communicating to its cloud over APIs. So everything is API yesterday. 80% traffic on internet is APIs. >> Now that's dated transit right there. (laughing) Couldn't resist. >> Yeah. >> Fully encrypted too. >> Yeah. >> Yeah, well hopefully. >> Maybe, maybe, maybe. (laughing) We dunno yet, but seriously everything is talking to an API. >> Yeah. >> Every application. >> Yeah. And, and there is no single choke point, right? Like you spoke about it. Like everybody is hosting their application in the cloud environments of their choice, AWS being one of them. But it's not the only one. Right? The, the, your APIs are hosted behind a CDN. Your APIs are hosted on behind an API gateway behind a load balancer in guest controllers. There is no single. >> So what's the problem? What's the problem now that you're solving? Because one was probably I can imagine connecting people, connecting the APIs. Now you've got more operational data. >> Yeah. >> Potential security hacks? More surface area? What's the what's what are you facing? >> Well, I can speak about some of the, our, some of the well known sort of exploits that have been well published, right. Everybody gets exploited, but I mean some of the well knowns. Now, if you, if you heard about Expedian last year there was a third party API that was exposing your your credit scores without proper authentication. Like Facebook had Ebola vulnerability sometime ago, where people could actually edit somebody else's videos online. Peloton again, a well known one. So like everybody is exposed, right. But that is the, the end results. All right? But it all starts with people don't even know where their APIs are and then you have to secure it all the way. So, I mean, ultimately APIs are prone to business logic attacks, fraud, and that's what, what you need to go ahead and protect. >> So is that the first question is, okay, what APIs do I need to protect? I got to take a API portfolio inventory. Is that? >> Yeah, so I think starting point is where. Where are my APIs? Right, so we spoke about there's no single choke point. Right, so APIs could be in, in your cloud environment APIs could be behind your cloud front, like we have here at RE:INFORCE today. So APIs could be behind your AKS, Ingrid controllers API gateways. And it's not limited to AWS alone, right. So, so knowing the unknown is, is the number one problem. >> So how do I find him? I asked Fred, Hey, where are our API? No, you must have some automated tooling to help me. >> Yeah, so, I, Cequence provides an option without any integration, what we call it, the API spider. Whereas like we give you visibility into your entire API attack surface without any integration into any of these services. Where are your APIs? What's your API attack surface about? And then sort of more details around that as well. But that is the number one. Is that agent list or is that an agent? >> There's no agent. So that means you can just sign up on our portal and then, then, then fire it away. And within a few minutes to an hour, we'll give you complete visibility into where your API is. >> So is it a full audit or is it more of a discovery? >> Or both? >> So, so number one, it's it's discovery, but we are also uncovering some of the potential vulnerabilities through zero knowledge. Right? So. (laughing) So, we've seen a ton of lock for J exposed server still. Like recently, there was an article that lock four J is going to be endemic. That is going to be here. >> Long time. >> (laughs) For, for a very long time. >> Where's your mask on that one? That's the Covid of security. >> Yeah. Absolutely absolutely. So, you need to know where your assets are what are they exposing? So, so that is the first step effectively discovering your attack surface. Yeah. >> I'm sure it's a efficiency issue too, with developers. The, having the spider allows you to at least see what's connecting out there versus having a meeting and going through code reviews. >> Yeah. Right? Is that's another big part of it? >> So, it is actually the last step, but you have, you actually go through a journey. So, so effectively, once you're discovering your assets you actually need to catalog it. Right. So, so I know where they're hosted but what are developers actually rolling out? Right. So they are updating your, the API endpoints on a daily basis, if not hourly basis. They have the CACD pipelines. >> It's DevOps. (laughing) >> Welcome to DevOps. It's actually why we'll do it. >> Yeah, and people have actually in the past created manual ways to catalog their APIs. And that doesn't really work in this new world. >> Humans are terrible at manual catalogization. >> Exactly. So, cataloging is really the next step for them. >> So you have tools for that that automate that using math, presumably. >> Exactly. And then we can, we can integrate with all these different choke points that we spoke about. There's no single choke points. So in any cloud or any on-prem environment where we actually integrate and give you that catalog of your APIs, that becomes your second step really. >> Yeah. >> Okay, so. >> What's the third step? There's the third step and then compliance. >> Compliance is the next one. So basically catalog >> There's four steps. >> Actually, six. So I'll go. >> Discovery, catalog, then compliance. >> Yeah. Compliance is the next one. So compliance is all about, okay, I've cataloged them but what are they really exposing? Right. So there could be PII information. There could be credit card, information, health information. So, I will treat every API differently based on the information that they're actually exposing. >> So that gives you a risk assessment essentially. >> Exactly. So you can, you can then start looking into, okay. I might have a few thousand API endpoints, like, where do I prioritize? So based on the risk exposure associated with it then I can start my journey of protecting so. >> That that's the remediation that's fixing it. >> Okay. Keep going. So that's, what's four. >> Four. That was that one, fixing. >> Yeah. >> Four is the risk assessment? >> So number four is detecting abuse. >> Okay. >> So now that I know my APIs and each API is exposing different business logic. So based on the business you are in, you might have login endpoints, you might have new account creation endpoint. You might have things around shopping, right? So pricing information, all exposed through APIs. So every business has a business logic that they end up exposing. And then the bad guys are abusing them. In terms of scraping pricing information it could be competitors scraping pricing. They will, we are doing account take. So detecting abuse is the first step, right? The fifth one is about preventing that because just getting visibility into abuse is not enough. I should be able to, to detect and prevent, natively on the platform. Because if you send signals to third party platforms like your labs, it's already too late and it's too course grain to be able to act on it. And the last step is around what you actually spoke about developers, right? Like, can I shift security towards the left, but it's not about shifting left. Just about shifting left. You obviously you want to bring in security to your CICD pipelines, to your developers, so that you have a full spectrum of API securities. >> Sure enough. Dave and I were talking earlier about like how cloud operations needs to look the same. >> Yeah. >> On cloud premise and edge. >> Yes. Absolutely. >> Edge is a wild card. Cause it's growing really fast. It's changing. How do you do that? Cuz this APIs will be everywhere. >> Yeah. >> How are you guys going to reign that in? What's the customers journey with you as they need to architect, not just deploy but how do you engage with the customer who says, "I have my environment. I'm not going to be to have somebody on premise and edge. I'll use some other clouds too. But I got to have an operating environment." >> Yeah. "That's pure cloud." >> So, we need, like you said, right, we live in a heterogeneous environment, right? Like effectively you have different, you have your edge in your CDN, your API gateways. So you need a unified view because every gateway will have a different protection place and you can't deal with 5 or 15 different tools across your various different environments. So you, what we provide is a unified view, number one and the unified way to protect those applications. So think of it like you have a data plane that is sprinkled around wherever your edges and gateways and risk controllers are and you have a central brains to actually manage it, in one place in a unified way. >> I have a computer science or computer architecture question for you guys. So Steven Schmidt again said single controls or binary states will fail. Obviously he's talking from a security standpoint but I remember the days where you wanted a single point of control for recovery, you talked about microservices. So what's the philosophy today from a recovery standpoint not necessarily security, but recovery like something goes wrong? >> Yeah. >> If I don't have a single point of control, how do I ensure consistency? So do I, do I recover at the microservice level? What's the philosophy today? >> Yeah. So the philosophy really is, and it's very much driven by your developers and how you want to roll out applications. So number one is applications will be more rapidly developed and rolled out than in the past. What that means is you have to empower your developers to use any cloud and serverless environments of their choice and it will be distributed. So there's not going to be a single choke point. What you want is an ability to integrate into that life cycle and centrally manage that. So there's not going to be a single choke point but there is going to be a single control plane to manage them off, right. >> Okay. >> So you want that unified, unified visibility and protection in place to be able to protect these. >> So there's your single point of control? What about the company? You're in series C you've raised, I think, over a hundred million dollars, right? So are you, where are you at? Are you scaling now? Are you hiring sales people or you still trying to sort of be careful about that? Can you help us understand where you're at? >> Yeah. So we are absolutely scaling. So, we've built a product that is getting, that is deployed already in all these different verticals like ranging from finance, to detail, to social, to telecom. Anybody who has exposure to the outside world, right. So product that can scale up to those demands, right? I mean, it's not easy to scale up to 6 billion requests a day. So we've built a solid platform. We've rolled out new products to complete the vision. In terms of the API spider, I spoke about earlier. >> The unified, >> The unified API protection covers three aspects or all aspects of API life cycle. We are scaling our teams from go to market motion. We brought in recently our chief marketing officer our chief revenue officer as well. >> So putting all the new, the new pieces in place. >> Yeah. >> So you guys are like API observability on steroids. In a way, right? >> Yeah, absolutely. >> Cause you're doing the observability. >> Yes. >> You're getting the data analysis for risk. You're having opportunities and recommendations around how to manage the stealthy attacks. >> From a full protection perspective. >> You're the API store. >> Yeah. >> So you guys are what we call best of breed. This is a trend we're seeing, pick something that you're best in breed in. >> Absolutely. >> And nail it. So you're not like an observability platform for everything. >> No. >> You guys pick the focus. >> Specifically, APS. And, so basically your, you can have your existing tools in place. You will have your CDN, you will have your graphs in place. So, but for API protection, you need something specialized and that stuff. >> Explain why I can't just rely on CDN infrastructure, for this. >> So, CDNs are, are good for content delivery. They do your basic TLS, and things like that. But APIs are all about your applications and business that you're exposing. >> Okay, so you, >> You have no context around that. >> So, yeah, cause this is, this is a super cloud vision that we're seeing of structural change in the industry, a new thing that's happening in real time. Companies like yours are be keeping a focus and nailing it. And now the customer's can assemble these services and company. >> Yeah. - Capabilities, that's happening. And it's happening like right now, structural change has happened. That's called the cloud. >> Yes. >> Cloud scale. Now this new change, best of brief, what are the gaps? Because I'm a customer. I got you for APIs, done. You take the complexity away at scale. I trust you. Where are the other gaps in my architecture? What's new? Cause I want to run cloud operations across all environments and across clouds when appropriate. >> Yeah. >> So I need to have a full op where are the other gaps? Where are the other best of breed components that need to be developed? >> So it's about layered, the layers that you built. Right? So, what's the thing is you're bringing in different cloud environments. That is your infrastructure, right? You, you, you either rely on the cloud provider for your security around that for roll outs and operations. Right? So then is going to be the next layer, which is about, is it serverless? Is it Kubernetes? What about it? So you'll think about like a service mesh type environment. Ultimately it's all about applications, right? That's, then you're going to roll out those applications. And that's where we actually come in. Wherever you're rolling out your applications. We come in baked into that environment, and for giving you that visibility and control, protection around that. >> Wow, great. First of all, APIs is the, is what cloud is based on. So can't go wrong there. It's not a, not a headwind for you guys. >> Absolutely. >> Great. What's a give a quick plug for the company. What are you guys looking to do hire? Get customers who's uh, when, what, what's the pitch? >> So like I started earlier, Cequence is around unified API protection, protecting around the full life cycle of your APIs, ranging from discovery all the way to, to testing. So, helping you throughout the, the life cycle of APIs, wherever those APIs are in any cloud environment. On-prem or in the cloud in your serverless environments. That's what Cequence is about. >> And you're doing billions of transactions. >> We're doing 6 billion requests every day. (laughing) >> Which is uh, which is, >> A lot. >> Unheard for a lot of companies here on the floor today. >> Sure is. Thanks for coming on theCUBE, sure appreciate it. >> Yeah. >> Good, congratulations to your success. >> Thank you. >> Cequence Security here on theCUBE at RE:INFORCE. I'm chatting with Dave Vellante, more coverage after this short break. (upbeat, gentle music)

>>Mhm Yes. Welcome to this cube conversation. I'm john Kerry host of the cube here in Palo alto California. We've got two great guests all the way from Ohio and here in the bay area with sequence securities is our focus on cloud growth companies. Sri and met a co founder and CTO of sequence security and Jason Kent hacker in residence at sequence security. We're gonna find out what that actually means in the second but this is a really important company in the sense of A P. I. S. As they are starting to be the connective tissue between systems and and data. Um you're starting to see more vulnerabilities, more risk but also more upside. So risk, reward is high. And anyone who's doing things in the cloud obviously deals with the A. P. I. So Trey and Jason. Thanks for let's keep conversation. >>Happy to be here >>guys. Let's let's talk about A P. I. Security. And but first before we get there trans what does sequence security do? What do you guys specifically build? And what do you sell >>sequences in the business protecting your web and um A P. I. S from various kinds of attacks? Uh We protect from business logic attacks, A P. I. Uh do your api inventory, uh also the detect and defend against things like a town taker. Where's fake account creation, scraping pretty much anything and everything. An application on a PDA is exposed to from from the Attackers. >>Jason. What do you what do you do there as hacker and residents? I also want to get your perspective on api security from the point of view of, you know, uh attack standpoint from a vector. How are people doing it? So first explain what you do and uh love the title hacker and residents. But also what does that actually mean from a security standpoint? >>Yeah. So we can't be in the business that we're in without having an adversarial approach to where our customers are deployed and how we look at them. So a lot of times I spend my time trying to be on the client's backdoors and and try to hit their A. P. I. S. With as many kinds of attacks that I can. It helps us understand how an attacker is going to approach a specific client as well as helps us tune for our machine learning models to make sure that we can defend against those kinds of things. Um as a hacker and residents, my mostly my position is client facing. But I do spend an awful lot of time being research and looking for the next api threat that's out there. >>You gotta stay ahead of the bad guys. But let's bring up some kind of cutting edge relevant topics. One is all over the news cycle. You heard peloton, very highly visible company, It represents that new breed of digital companies that have a new approach and it's absolutely doing very, very well. The new consumers like this product and you're seeing a lot more peloton, like companies out there that are leveraging technology, so they're fully integrated, they had an A. P. I. Issue recently. Um what does it mean? Is that, is that something we're gonna see more of these kind of leaks in these kind of vulnerabilities? What do you guys think about this political thing, >>You know, from an attacker's perspective as a really boring attack? Um, but it led to a huge amount of data leaking out. Same with, you know, the news has been been right with this lately, right, john Deere got hit. Um We've seen yet another credit bureau got hit right. Um and these attacks are coming off as fairly simple attacks that are dumping huge amounts of data, just proving that the FBI attack surface is really a great place to get a rich amount of data, but you have to have a good understanding of how the application works so you can spend a little bit of time on it. But once you've taken a look at how the data flows, you end up with, you know, pretty rich data set as an attacker. I go after them just by simply utilizing their products, utilizing the programs and understanding how they work. And then I drag out all the pieces that I think are going to be interesting and start plucking away at it. If I see a like a profile, for instance, that I can edit, I wonder can I edit someone else's profile. And this is how the peloton attack work. I'm logged in, I'm allowed to see my things, what other things can I see? And it turns out they can see everything. >>So we also saw a hack with clubhouse, which is the hot app now I think just opened up to android users, but they were simply calling it back and Agora, which is, you know, I've seen china, but once you've understood that the tokens work, once you understood what they were doing, you could essentially go in and figure things out. There seems to be like pretty like trivial stuff, but it gets exposed. No one kind of thinks it through. How does someone protect themselves against these things? Because that's the real issue, like just make it less secure. Our Api is gonna be more secure in the future. What can customers do about what do you guys to think about this? >>Yeah, but the reality is, I mean that's just uh too many babies out there. I mean if you see the transition that is happening and that is the transformation where it used to be like a one app or two apps before and now there are like hundreds and thousands of applications driven by the devops world, a child development and and what matters is, I mean the starting point really is you cannot protect what, you cannot see what used to be. Uh an up hosted in your data center is now being hosted in the cloud environments, in the virtual environments, in several less environments and coordinators, you name it, they're out there. So the key is really to understand your attack surface, that's your starting point. So you're you're tooling your applications need to uh I need to be able to provide that visibility that that that is needed to protect these applications and you can't rely just on your developers to do this for you. So you need a right tool that can secure these applications, >>Jason what's the steps that an attacker takes to uncover vulnerabilities? What goes through the mind of the attacker? Um I mean the old days you used to just do port scans and try to penetrate you get through the perimeter. Now with this no perimeter mindset, the surface area Schramm was talking about is huge. What what's going on the mind of the attacker here and the A P I S and vulnerabilities. >>So the very first thing that we do is we sign up for an account, we use the thing, right? We look at all the different endpoints. Um I've got scripts running in my attack tools that do things like show me comments uh in case the developer left some comments in there to tell me where things are. Um I basically I'm just going to poke around using it like a regular user, but in that I'm going to look for places. That makes sense to try to do an attack. So the login screen is a really easy thing. Everybody understands that you put in a user name, you put in a password, you can't go. What I'm gonna do is put in a bad username and a bad password. I'm gonna put in a good user name and a bad password and I'm gonna see what changes, what are the different things that your application is telling me. And so when we look at an application for flaws and ways to get to the data on the back end, all we're doing is seeing what data do you present me on standard use. And then I'm going to look at, well, how can I change these parameters or what are the things that I can change in my requests to get a different response? So in the early phases of an attack, Attackers are very difficult to a seat. Right. They just look like a regular user just doing regular things. It's when we decide. All right. I've found something that starts to get actually interesting and we start to try to pull data out. >>What are some of the common vulnerabilities and risks that you guys see in the A. P. I is when you look when you poke at them that people are are doing is that they're not really doing their homework. Doing good. Security designers are just more of tech risk. What's the most common vulnerabilities and risks? >>Well, so for me, I I've noticed a lot of the OAS KPI top 10, the first couple of things you see them on almost all applications, so broken object level authorization is the first one. It's mouthful. Um but basically all it is is I log onto the platform, I'm authorized to be there, but I can see someone else's stuff and that's exactly what happened in peloton. Um that and what we call insecure direct object reference where I don't have to be logged in, I can just make the request without any authentication and get information back. So those are pretty common areas um that you know people need to focus on, but there's a few others that are outside the top 10 that really make a lot more sense as a defender strains probably has a little better answer to me. >>Yeah. So um I'm like like we said um creating that inventories is key, but where are they being hostess? Another another aspect of things. So so when when Jason spoke about um like hackers are actually probing, trying to figure out what are the different entry points? It could be your production environment, it could be your QA environment staging environment and you're not even aware of, but once you've actually figured out those entry points, the next step of attack was like at peloton and and other places is really eggs filtering. Exfiltrate ng that that information. Right. Is it, is it the O P II information, ph I information um and and you don't want to exfiltrate as a hacker, just one person's information. You you're automating that business logic that is behind it ability to protect and defend against those kinds of attacks, giving that visibility, even though you might not have instrumented that application for for that kind of visibility is key. Once you are bubbling up those behaviors, then you can go ahead and and and protect from these kinds of attacks. And it could be about just simply enumerating through I. D. S. Uh that paladin might have or uh experience might have and just enumerate through that and exfiltrate the information behind it. So the tools need to be able to protect from those kinds of attacks out there. >>Yeah, I think I was actually on clubhouse when um that went down that hole enumerating through the I. D. S. Room I. D. S. And then the people just querying once they got an I. D. They essentially just sucked all the content out because they were just calling the back end. It was just like the most dumbest thing I've ever seen, but they didn't think about, I mean, you know, they were just rushing really fast. So So the question I have for transit and on a defense basis, people are going first party um with a P. I. S. A. P. I. First strategies because it's just some benefits there as we were talking about what do I need to do to protect myself? So I don't have that clubhouse problem or the pelton problem. Is there a Is there a playbook or is their software tools that I could use? How do I build? My apologies from day one and my principles around it to be good hygiene or good design? What's the what's the >>yeah. So aPI security is sort of a looking uh less known given that it's constantly evolving and changing. And the adoption of A P. S. Have gone up significantly. So what you need to start with effectively is the runtime security aspect of things. When a an aPI is live, how do I actually protected? And it ranges from simple syntactic protection things around people. Can can go ahead and break these ap is by providing sort of uh going after endpoints that you don't think exist anymore or going after certain functions by giving large values that they're not sort of coded to accept and so on so forth. Once you've done that runtime protection from a syntactic aspect, you also need to protect from a business logic aspect. I mean, mps will will expose uh information, interact with the customers and partners, what what business logic are they actually exposing and how can it be abused? Understanding that is another big aspects and then you can go ahead and protect from a runtime uh from a long time security perspective, once you've done that and understood that, well then you can start shifting lap things, invest in your uh sort of uh Dass tools or static analysis tools which can catch these things early so that they don't bubble up all the way, but none of them are actually silver bullets, right? So that you have a good uh time security tools, so I don't need to invest in dust or assessed whatever I have invested in my shift left aspect of things and uh and nothing will flow through. So you you need to start shifting left uh but covered all your bases properly, >>you can't shift left, there's nothing to shift from. I mean if you don't have that baseline foundation, what does that even mean to shift left and get that built into the Ci cd pipeline? So that's a great point. How does how does someone and some companies and teams set that foundation with the run time? Do you think it's a critical problem right now or most people are do a good job or they just get get lazy or just lose track of it or you know what, what's what's the common um, use case? Do you see behavior behaviorally inside these enterprises? >>Yeah. So what, what we're seeing is adoption of new technologies and environments um, and they're not um, well suited for the traditional way of doing that time. Security. Like if if you have an app running in your kubernetes environment, if you have an app running in in in a serval less environment, how do you actually protected with the traditional appliance based approach? So I think being able to get that visibility into these environments, understanding the the user behavior, how these applications are interacted with being able to differentiate from that uh, normal human behavior or even sometimes legitimate automation uh from from the malicious intents or or the the probing and the business logic attacks is key to understanding and defending these applications. >>Before we wrap up, I want to just get your expert opinion since you guys are both here around, you know, the next level of of innovation. Also you got cloud public cloud showed us a P. I. S are great. Now you're starting to see cloud operations, they call day two operations or whatever you call it A IOP. There's all kinds of buzz words are for it, but hybrid cloud and multi cloud, Edge five G. These are all basically pointing to distributed computing systems, basically distributed cloud. So that means more A P. I. Is gonna be out there. Um So in a way the surface area of a piece is increasing. What's your what's your view on this as a market? I mean, early days developing fast and what's, what's the, what's the landscape look like? What do you guys see from a attack and defense standpoint? >>Well, just from the attacker's perspective, you know, I see a lot more traffic going, what we call east west traffic, where it's traveling inside the application, it's a P is feeding a ps more data. Um, but what is really happening is we're trying to figure out how to hook third parties into our api is more and more. The john Deere attack was just simply their development api platform that they open up for other organizations to integrate with them. Um, you know, it's, it's very beneficial for John Deere to be able to say I planted this seed at an inch and a half of depth and later, uh, I harvested 280 bushels of corn off that acres. So I know that's perfect. I can feed that back to my seed guy. Well that kind of data flow that's going around from AP to AP means that there's far more attack surface and we're going to see it more and more. I I don't think that we're going to have less Ap is communicating in the near future. I think this is the foundation that we're building for what it's gonna look like for almost every business in the near term. >>I mean this is the plumbing of integration. I mean as people work with each other data transfer, data knowledge format, you mentioned syntax and all these basic things in computer science are coming to A PS which was supposed to be just a dumb pipe or just, you know, rest api those glory days now it's not there. They're basically, it's basically connections. >>Yeah. You're absolutely right. John, I mean like what Jason mentioned earlier, uh, in terms of the way the A. P. I. S are going to grow and the bad guys are going to go after it. You need to think like a bad guy, what are they going to go after? Uh, these assets that are going to be in the cloud, in your hybrid environment, in in your own prem environment. And, and it's, it's a flip of a switch where an internal API can be externally exposed or, or just a new api getting rolled out. So all those things you need to be able to protect, um, and get that visibility first and then being then protect these environments. >>That's awesome. You guys represent the new kind of company that's going to take advantage of the cloud scale and as people shift to the new structural change and people are re factoring security, This is an area that's going to be explosive in development. Obviously the upside is huge. Um Quickly before to end, you guys take a minute to give a plug for the company. Um This is pretty cool. I love love what you guys do. I think it's very relevant and cool at the same time. So sequence security. What are you guys doing funding hiring? What's the plug? Tell folks about it. >>Yeah. So uh we we we started about six years ago but we like starting in the the body defense space by focusing on obscenity ice. And from then we we've grown and we've grown significantly in terms of our customer base, the verticals that we're going after in financial retail social media, you name it, we are there because pretty much all these these uh articles depends on A. P. I. S. To interact with their customers. Uh We've we've raised our cities we last year we've we've grown our customer base. Uh Just in the last year when there was a lockdown people were all these retailers were transforming from brick and mortar to online. Social media also also grew and we grew with them. So >>Jason your thoughts. >>I think that sequence is his ability to scale out to any size environment. We've got a customer that does a billion and a half transactions a month. Um That are ap is from 1000 other clients of theirs. Being able to protect environments that are confusing and cloudy like that. Um Is really it makes what we do shine. We use a lot of machine learning models and ai in order to surface real problems. And we have a lot of great humans behind all of that, making sure that the bad guy maybe they're right now, but they're going away and we're going to keep them away. >>It's super, super awesome. I think it's a combination of more connections, distributed computing at large scale with a data problem. That's, that's playing out. You guys are solving great stuff and hey, you know when the cube studio ap I gets built, we're gonna need to call you guys up to to help us secure the cube data. >>Absolutely right. Absolutely. >>Hey, thanks for coming on the q Great uh, great insight and thanks for sharing about sequence. Appreciate you coming on, >>appreciate the time. >>Okay. It's a cube conversation here in Palo alto with remote guests. I'm john for your host. Thanks for watching. Yeah.