the cube presents ignite 22. brought to you by Palo Alto Networks hey guys and girls welcome back to Las Vegas it's thecube we are live at Palo Alto networks ignite 22. this is day one of two days of cube coverage Lisa Martin here with Dave vellante Dave we've had great conversations today talking with Executives the partner ecosystem is evolving it's growing at Palo Alto networks going to be digging into that next well we heard a lot of talk about you know Palo Alto you know the goal 100 billion dollar you know market cap company and to me a way and I think a critical way in which you get there is partner with the ecosystem because you can't do it alone the power of many versus the resources of one agree completely agree we've got Carl Sutherland with us SVP of North America ecosystem sales at Palo Alto networks welcome to the cube thanks so much for having me it's great being here so here we are the first full day of the conference actually started yesterday with the partner Summit give the audience a flavor of the partner Summit who was there what was talked about what's the current voice of the partner these days yeah great questions so we had a 150 Partners from around the globe representing all of our different routes to Market and for us our partner Community is expanding we work with system integrators we work with gsis we work with service providers Distributors traditional value-added resellers so it was a whole host of partners that were there it was a c-level audience and we really talked about the direction of where we're going as a company how they can continue to invest with us and have greater success long term and so from a voice of the partner standpoint what they're here to do is share with us where they want to engage more how we can enable them to be successful you talked about the Power of One Versus a community we're really looking at a segment of the marketplace right now for us to scale and hit our aspirational goals we can't do it with Palo Alto Network employees we have an employee base of 12 000 people if you take our ecosystem it's over a hundred thousand employees so if we can get them aligned and selling and motivated it's going to be a good day for all of us what so what are they telling you where do they want to spend their time where do they want to add value where are they winning yeah that's a great question so there's a transformation that's going on right now in the partner Community what's happening is a lot of Partners going that are transitioning from what would be traditional transactional Partners or resale Partners to being services-led and the Market's driving them there and what I mean by that is that customers are in a desperate dire State needing assistance figuring out and solving these very complex security problems so if there is a subset of Partners out there that have the skill set and capabilities that can come in from a consultative standpoint help them to develop the structure through deployment a full-blown management and do life cycle management that's a tremendous value I mean the numbers you hear thrown around in the industry right now is up to seven million uh security I.T jobs right now that are out there the open head count is tremendous people can't hire people fast enough all of us in the industry are going through and trying to find early in career or college graduates so we can train quickly or cross-train from other segments to get them into cyber security so if our part of the community can continue to get skilled and expand it's only going to help and the cloud is obviously where does the cloud fit in Carl because you know a lot of the partners when the clouds really start on the Steep part of the s-curve are like we have an opportunity here and by the way if we don't transition our business we could get commoditized yes so that you know that but you were talking about the transactional we can help people move to the cloud and a big part of that has got to be we can secure them in the cloud because it's a more in a lot of ways you know Cloud security is great but in a lot of ways it adds complexity what are you hearing from the party yeah so we are fortunate at Palo Alto networks when you look across the three loud largest cloud service provider from a Google AWS and Microsoft Azure we're either their number one isv or absolutely their number one security ISP so we've got a great uh relationships with them now our partners are coming along and saying how do we transact how do we add value a lot of times that value to your question is wrapping services around it to make sure it's a successful deployment because exactly what you stated the complexity is an all-time high so how do we make sure that we can solve a complex problem in a short term while increasing their security posture and that's really the goal and so where there there's sometimes complexity and mystery there's opportunity and partners can be profitable in doing that I wrote a piece once chaos is cash I have a security you know the criminals and vendors as well yes yes where there is is challenge and complexity there is great opportunity yeah talk about some of the partner program Evolution and some of the things that were announced with respect to the next wave program just yesterday yeah so at next wave um the program's been around for 12 years we constantly are looking to make enhancements and how we make those enhancements are by going out and speaking with these partners and listening to what they need so I have the honor to get to represent what their needs are and how we bring it to market for them so a couple interesting announcements that we made yesterday first of all we announced a new structural format for the program which is really going to allow our different route to markets to have a program that's fit for them because in the past when we were just traditionally a firewall company when the ecosystem just meant resale it was an easy model to have it's complex right now sometimes it's resale sometimes it's influence sometimes its services only we really need to be flexible and credible so we announced a Services only path so if you are a consulting company if you are a insurance company and you want to bring opportunities and leads to Palo Alto Network and you want to provide the services if you're not interested in the transaction you don't want to get involved in that we now have a pathway for you to support you to enable you and Kennedy to give you recognition within Palo Alto networks from an alignment standpoint so we're super excited about that uh as I know you guys speak quite a bit about the managed Services industry so it's a red hot area within Palo Alto networks one of the needs out there was that all not all managed Service Partners are created equally and so some have fantastic capabilities some have gaps we were calling it a P2P part of the partner program within managed services so our two managed Services Partners can actually work together to solve the problem that the end user has and give them a better outcome and fill each other's gaps so candidly it's been going on for a while the partnering but we've never really recognized it so we really built a program around it and now are sponsoring and supporting it versus people doing it on a sidebar so those guys were here in force yesterday yes sir right and and so obviously a lot of energy I'm sure do you see a day where they're here in force on the show floor yeah and and how do you see that evolving so they are here enforcement just right here you see a few of them I'm looking at AWS who's our you know we are their largest isv I'm looking at CDW we had them on the floor is our if not largest second largest partner globally right now and continuing to grow at a rate well they will probably be our first billion dollar partner to think about the size and scale of that relationship and where we've come from um their name CDW don't they never really thought of CDW right as a as a security firm wow what a transformation but please carry on and think about that let's talk about CDW saying think about reach that CDW has it's a 23 billion dollar organization and in a way an inside out sales model meaning there's a tremendous reach they have from their inside sales team and the relationships that they have traditionally historically they were procurement relationships in a way and I said this to the CDW team they were the easy button in the past now what they're doing is they made Seven Acquisitions over the last two years all of them Services oriented so now they're coming in as a consultative Viewpoint and solving a lot of complex problems and I see Google Cloud right here another great partner for us that we continue to invest in we have a great amount of integration and Technology integration with them and so and those are the three that I'm seeing just looking over my left shoulder right if I turn around I'll probably name five more so the majority of this room are the partners that fall within our ecosystem today fantastic so okay so what's your vision for where you want to take this ecosystem because as I said at the top I mean ecosystems are sort of the Hallmark of a I guess you're not a cloud company see I think you of you as a cloud company and so okay good so and I know you don't own your own public cloud and you know your history is you had your own data centers but yeah but you're the security Cloud yeah and so a security Cloud any Cloud needs a great ecosystem so what's your vision for the ecosystem let's go you know five plus years out sure you we start with the end in mind and what I mean by that is we always start with the end user what's the end user's needs the end user today needs flexibility with how they consume the technology they need help in how they support and deploy the technology they need guidance in how they plan out for their future and what their growth is so what we're doing is building a very diverse set of Partners in our ecosystem that all have special skills that they bring to the table so when nikesh sits up here and talks about being a 10 billion or a 20 billion or a 50 billion dollar company we absolutely cannot do it without our ecosystem and without having a very diverse ecosystem that all has different skills that can help us scale because again Palo Alto does not want to be a services company right let's work with the people who are the best at that when we think about the deloittees and accentures and the value they have within the end user base and our joint customer base what a fantastic time to to partner together and solve those boardroom challenges and that's where I really see the vision is that at the boardroom we're building out a plan that's three to five years that's going to continue to increase their security posture because we're not thinking if we're not forward thinking like that will be left behind because the Bad actors are thinking about how they find the different areas to penetrate they're getting so sophisticated the badocracy adversaries they are well funded they're motivated Grant the ransomware attack numbers in terms of the Velocity the complexity yes no longer are we going to get if it's when yeah uh big challenge for organizations Acro across I mean really across an organization regardless of Industry are you guys having any conversations with boards in the partner organization to help align the board with the executive level and really not just have security as a board level initiative but actually being able to execute a strategy yeah and you you nailed it it's not an initiative the initiative to me means there's a beginning and an end right a strategy means there's going to be a comprehensive approach how you continue to improve and we are very fortunate that a lot of our largest Partners around the globe have that position within the boards where they are the trusted advisor so what we're doing now is enabling them and giving them the skills so they can have a more comprehensive conversation around our platform approach around the challenges you know BJ I knew who was with you earlier today likes to say that the average customer he goes and sees has 50 to 70 disparate Technologies within their environment how do you manage that how do you maintain it how do you do renewals oh and by the way most likely the people who actually initially procured that aren't with you anymore they're in a different company so the need for a platform approach is there more so than ever but the decision for the platform quite often has to come from the most senior levels within the organization because again I'm going to go back to your what was your chaos line that you said chaos is Cash chaos is Cash well also chaos is job security so if you're at at the lower level within an organization that chaos and that magic gives you a little job security but that's a short term long term you really need to think about how you're protecting the environment holistically so it is a boardroom decision down that we need to have and you know that chaos the the motivation for that piece that I wrote was from the criminals standpoint right and then I was like okay but there's great opportunities for the technology industry but but I think that you know where we're headed I wonder if I get your thoughts on thoughts on this Carlos we always talk about the Board Room I think we're going now Beyond it here I am you know I'm hypersensitive about my security I got password managers two-factor authentication I don't want SMS based two-factor authentication I want my own authenticator and that's still not enough yeah I got air gaps yeah you know for my crypto you know and I'm super paranoid my point is I think the the individuals are getting much more Savvy about security why because we've all been hacked you know it's like when you lost your data in the because you weren't backed up you know that never happens anymore it's in the cloud or you know some people have multiple backups so it's it's becoming a cultural Trend beyond the board and it's because of the board lord said hey this is really important and so I think it's not only top down I think you're going to see bottom up and middle out and the exciting part for Palo Alto networks is and maybe for you as well is there any more exciting environment to talk about that's rapidly changing and constantly changing you could come back next week and our conversation is going to change as far as what we're doing we constantly need to be thinking three steps ahead of where we're going to move and be flexible and dynamic enough to change and that's what's going to keep us ahead of the economy yeah there's no segment as Dynamic I mean data is dynamic but not as fast changing as cyber I mean because of the adversary as you mentioned I mean so smart so now now they have open adversary ecosystems I mean the adversaries are building ecosystems right absolutely insane I've got peers that are bad guys yeah right right chaos is Cash what's your favorite partner story that you think really demonstrates the value of the ecosystem that Palo Alto networks has built yeah so without sharing names I'll talk about a large U.S national partner that was very uh that was founded on a networking business and partnered with a very large networking company and built that business and was successful doing that they wanted to Pivot into the security space and very early on they made a commitment to Paulo and Ulta networks to say we're going to learn we're going to invest we're going to align with your sales force and we're going to work together and right now they are our largest partner globally and they grew 70 year over year wow so think about that this is not on a small base we're talking about a half a billion dollars in Revenue growing at 70 year over year because to your point earlier it wasn't an initiative it was a strategy and they're executing on the strategy so I tell a lot of we call War Stories like that to other partners that are looking to invest from different markets it could be a large service provider that's you know trying to transform themselves into a security player and talk about the potential of what it could be in for their Marketplace and by the way I say publicly quite often Palo Alto networks will be your most profitable relationship that you have because of the total addressable Market that we're going after because of the solutions that we bring to Market and because of the opportunity within the end users right now and we're excited I want to come back to the mssp in that in its context so we've seen the rise of the mssp and particularly you know we were talking earlier I think it was with Wendy that uh no it was with CDW like 50 of the organizations in North America don't even have a sock yeah right so they need a service provider to come out so you said we you don't want to be in the services business right you're a product company right and that's from a financial standpoint that's phenomenal you're roughly 50 billion dollar market cap company let's let's call it six billion in Revenue so that's a nice Revenue multiple 8X you know and and and the Market's down so you're a 10x Revenue multiple company typically services companies are a 1x or a 2X are you seeing a change there where technology is giving these service providers operating leverage where they're able to scale whether it's because of the cloud because of the Partnerships the Eco would you call it before the the peer-to-peer ecosystem yes like the Gap fillers yes are you do you see the economics of services changing yeah from a baseline economic standpoint not looking at the valuations but let's look at it from a an opportunity to be profitable with Palo Alto networks we know if you are just doing the transaction you have a certain range of margin that you're going to make in the opportunity we know if you wrap services around it you're going to get 3x to 4X that margin we know that if it's managed services and there's life cycle management you're talking 5x to 8X that initial transaction and by the way it's recurring revenue for them so when you think about it if you just do a transaction you're only recurring revenue is a renewal that's predictable but it's not extremely profitable now we're saying the operating leverage you get is if you wrap that services and you're going to have an increased opportunity for a greater margin and it's sticky it's hard to replace a partner who's adding value to your team and A lot of times you walk in the end user you can't tell who the partner is and who the end user is because they are one team that's value yes and that's going to drive ebit yep for your partners and that's going to drive valuation you know you know I want to come back to valuation not that I'm not you can do that okay but because I was I predicted I do my prediction post every year and I predicted last year that we're going to see you know a Spate of MSS mssps I predicted you're going to see someone go public nobody's going public these days but I still think it's a great business yeah that's an untapped opportunity it's not an 8X or it's not a software marginal economics or but it's really sticky super high value yeah and I think it has you know long-term potential yeah to your point if you want to talk valuations for a second let's look at what's happened to the marketplace over the last 12 to 18 months the large majority of the non-public partners that we work with have taken on Capital from private Equity the private Equity that has come in has challenged them to go through a transformation that transformation is you we need you to be Services LED and that service is value because they believe there's going to is going to be a great greater evaluation from that end and they'll be able to scale and grow and stay ahead of the market doing that so when we have conversations when I have conversations yes I'm talking about the technology and the direction of the company but I'm also in there as a consultant saying where's the direction of your company and how do we have this great platform and how do we build it into your business and you wrap services around it and those are the conversations that CEOs want to have when I'm sitting down with our partner CEOs I bet they don't want to talk about our product being better than someone else's product they want to talk about the direction and health of their business yeah it's their business that's a business discussion business decision and they're thinking about okay what's my five-year strategic plan because they got to make bets yeah they're going to bet on a platform that they can add value to that creates that flywheel effect and they get a bet on your ecosystem as well correct oh correct absolutely good to be the leader it's good to be a leader and you know I'm sure as you've heard a few times we believe that economic headwinds are going to favor the market leaders and economic headwinds are going to favor the platform approach so we're going in more aggressive with our partner Community than ever before and there's just so much energy and excitement I feel like I keep on using that term over and over again but that's really what we walk away with last question for you is we have about 30 seconds left a lot of momentum in the partner ecosystem as you've described eloquently what's next what's next what's next yeah so when I I rolled out the strategy for what's next and what it is is a foundational platform that is going to allow flexibility for the partners and for them to decide where they want to invest and it can be in new areas it can be I went online closer with the cloud service providers it could be I want to build a managed Services business can you help us do this it could be I want to go through and I want to drive greater penetration into geographical areas we haven't been before so again we're almost acting as a consultant looking at what they're going from the direction and building a program and a platform where we can grow and work with them it's exciting it's fun it's great highly collaborative highly collaborative highly collaborative thank you for joining us on the program on the partner program the ecosystem Better Together what you guys are doing and ultimately how it benefits the end user customer we really appreciate your insights excellent thank you thank you so much appreciate it all right our pleasure for our guests and Dave vellante I'm Lisa Martin you're watching the cube the leader in live Enterprise and emerging Tech coverage [Music]

(upbeat music) >> Hello, and welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE here in Palo Alto, California for a great remote interview with Ameya Talwalkar, CEO of Cequence Security. Protecting APIs is the name of the game. Ameya thanks for coming on this CUBE Conversation. >> Thank you, John. Thanks for having us. >> So, I mean, obviously APIs, cloud, it runs everything. It's only going to get better, faster, more containers, more Kubernetes, more cloud-native action, APIs are at the center of it. Quick history, Cequence, how you guys saw the problem and where is it today? >> Yeah, so we started building the company or the product, the first product of the company focused on abuse or business logic abuse on APIs. We had design partners in large finance FinTech companies that are now customers of Cequence that were sort of API first, if you will. There were products in the market that were, you know, solving this problem for them on the web and in some cases mobile applications, but since these were API first very modern FinTech and finance companies that deal with lot of large enterprises, merchants, you have it, you name it. They were struggling to protect their APIs while they had protection on web and mobile applications. So that's the genesis. The problem has evolved exponentially in terms of volume size, pain, the ultimate financial losses from those problems. So it has, it's been a interesting journey and I think we timed it perfectly in terms of when we got started with the problem we started with. >> Yeah, I'm sure if you look at the growth of APIs, they're just exponentially growing because of the development, cloud-native development wave plus open source driving a lot of action. I was talking to a developer the other day and he's like, "Just give me a bag of Lego blocks and I'll build whatever application." I mean, this essentially- >> Yeah. >> API first is, has got us here, and that's standard. >> Yeah. >> Everyone's building on top of APIs, but the infrastructure going cloud-native is growing as well. So how do you secure APIs without slowing down the application velocity? Which everyone's trying to make go faster. So you got faster velocity on the developer side and (chuckles) more APIs coming. How do you secure the API infrastructure without slowing down the apps? >> Yeah, I'll come to the how part of it but I'll give you a little bit of commentary on what the problem really is. It's what has happened in the last few years is as you mentioned, the sort of journey to the cloud whether it's a public cloud or a private cloud, some enterprises have gone to a multi-cloud strategy. What really has happened is two things. One is because of that multi-environment deployment there is no defined parameter anymore to your applications or APIs. And so the parameter where people typically used to have maybe a CDN or WAF or other security controls at the parameter and then you have your infrastructure hosting these apps and APIs is completely gone away, that just doesn't exist anymore. And even more so for APIs which really doesn't have a whole lot of content to be cashed. They don't use CDN. So they are behind whatever API gateways whether they're in the cloud or whatever, they're hosting their APIs. And that has become your micro parameter, if you will, as these APIs are getting spread. And so the security teams are struggling with, how do I protect such a diverse set of environments that I am supposed to manage and protect where I don't have a unified view. I don't have even, like a complete view, if you will, of these APIs. And back in the days when phones or the modern iPhones and Android phones became popular, there used to be a sort of ad campaign I remember that said, "There is an app for that." >> Yeah. >> So the fast forward today, it's like, "There's an API for that." So everything you wanted to do today as a consumer or a business- >> John: Yeah. >> You can call an API and get your business done. And that's the challenge that's the explosion in APIs. >> Yeah. >> (laughs) Go ahead. >> It's interesting you have the API life cycle concept developing. Now you got, everyone knows- >> Right. >> The application life cycle, you know CI/CD pipelining, shifting left, but the surface area, you got web app firewalls which everyone knows is kind of like outdated, but you got API gateways. >> Yep. >> The surface area- >> Yeah. >> Is only increasing. So I have to ask you, do the existing API security tools out there bring that full application- >> Yeah. >> And API life cycle together? 'Cause you got to discover- >> Yep. >> The environment, you got to know what to protect and then also net new functionality. Can you comment? >> Right. Yeah. So that actually goes to your how question from, you know, previous section which is really what Cequence has defined is a API protection life cycle. And it's this concrete six-step process in which you protect your APIs. And the reason why we say it's a life cycle is it's not something that you do once and forget about it. It's a continuous process that you have to keep doing because your DevOps teams are publishing new APIs almost every day, every other day, if you will. So the start of that journey of that life cycle is really about discovering your external facing API attack surface which is where we highlight new hosting environments. We highlight accidental exposures. People are exposing their staging APIs. They might have access to production data. They are exposing Prometheus or performance monitoring servers. We find PKCS 7 files. We find Log4j vulnerabilities. These are things that you can just get a view of from outside looking in and then go about prioritizing which API environments you want to protect. So that's step number one. Step number two, really quick is do an inventory of all your APIs once you figure out which environments you want to protect or prioritize. And so that inventory includes a runtime inventory. Also creating specifications for these APIs. In lot of places, we find unmanaged APIs, shadow APIs and we create the API inventory and also push them towards sort of a central API management program. The third step is really looking at the risk of these APIs. Make sure they are using appropriate security controls. They're not leaking any sensitive information, PCI, PHI, PII, or other sort of industry-specific sensitive information. They are conforming to their schema. So sometimes the APIs dba.runtime from their schema and then that can cause a risk. So that's the first, sort of first half of this life cycle, if you will, which is really making sure your APIs are secure, they're using proper hygiene. The second half is about attack detection and prevention. So the fourth step is attack detection. And here again, we don't stop just at the OWASP Top 10 category of threats, a lot of other vendors do. They just do the OWASP API Top 10, but we think it's more than that. And we go deeper into business logic abuse, bots, and all the way to fraud. And that's sort of the attack detection piece of this journey. Once you detect these attacks, you start about, think about prevention of these attacks, also natively with Cequence. And the last step is about testing and making sure your APIs are secure even before they go live. >> What's- >> So that's a journey. Yeah. >> What's the secret sauce? What makes you different? 'Cause you got two sides to that coin. You got the auditing, kind of figure things out, and then you got the in-built attacks. >> Yeah. >> What makes you guys different? >> Yeah. So the way we are different is, first of all, Cequence is the only vendor that can, that has all these six steps in a single platform. We talked about security teams just lacking that complete view or consistent and uniform view of all your, you know, parameter, all your API infrastructure. We are combining that into a single platform with all the six steps that you can do in just one platform. >> John: Yeah. >> Number two is the outside looking in view which is the external discovery. It's something Cequence is unique in this space, uniquely doing this in this space. The third piece is the depth of our detection which is we don't just stop at the OWASP API Top 10, we go to fraud, business logic abuse, and bot attacks. And the mitigation, this will be interesting to you, which is a lot of the API security vendors say you come into existence because your WAF is not protecting your APIs, but they turn around when they detect the attacks to rely on a WAF to mitigate this or prevent these threats. And how can you sort of comprehend all that, right? >> Yeah. >> So we are unique in the sense we can prevent the attacks that we detect in the same platform without reliance on any other third-party solution. >> Yeah, I mean we- >> The last part is, sorry, just one last. >> Go ahead. Go ahead. >> Which is the scale. So we are serving largest of the large Fortune 100, Fortune 50 enterprises. We are processing 6 billion API calls per day. And one of the large customers of ours is processing 1 billion API calls per day with Cequence. So scale of APIs that we can process and how we can scale is also unique to Cequence. >> Yeah, I think the scale thing's a huge message. There, just, I put a little accent on that. I got to comment because we had an event last week called Supercloud which we were trying to talking about, you know, as clouds become more multicloud, you get more super capabilities. But automation, with super cloud comes super hackers. So as things advance, you're seeing the step function, the bad guys are getting better too. You mentioned bots. So I have to ask you what are some of the sophisticated attacks that you see that look like legitimate traffic or transactions? Can you comment on what your scale and your patterns are showing? Because the attacks are coming in fast and furious >> Correct. So APIs make the attack easier because APIs are well documented. So you want your partners and, you know, programmers to use your API ecosystem, but at the same time the attackers are getting the same information and they can program against those APIs very easily which means what? They are going to write a bunch of bots and automation to cause a lot of pain. The kind of sophistication we have seen is I'll just give a few examples. Ulta Beauty is one of our customers, very popular retailer in the US. And we recently found an interesting attack. They were selling some high-end hair curling high ends which are very high-end demand, very expensive, very hard to find. And so this links sort of physical path to API security, think about it, which is the bad guys were using a bot to scrape a third-party service which was giving local inventory information available to people who wanted to search for these items which are high in demand, low in supply. And they wrote a bot to find where, which locations have these items in supply, and they went and sort of broke into these showrooms and stole those items. So not only we say are saving them from physical theft and all the other problems that they have- >> Yeah. >> But also, they were paying about $25,000 per month extra- >> Yeah. >> For this geo-location service that was looking at their inventory. So that's the kind of abuse that can go on with APIs. Even when the APIs are perfectly secure, they're using appropriate security controls, these can go on. >> You know, that's a really great example. I'm glad you brought that up because I observed at AWS re:Inforce in Boston that Steven Schmidt has changed his title from chief information security officer to just chief security officer, to the point when asked he said, "Physical security is now tied together with the online." So to your point- >> Yeah. >> About the surveillance and attack setup- >> Yeah. >> For the physical, you got warehouses- >> Yep. >> You've got brick and mortar. This is the convergence of security. >> Correct. Absolutely. I mean, we do deal with many other, sort of a governance case. We help a Fortune 50 finance company which operates worldwide. And their gets concern is if an API is hosted in a certain country in Europe which has the most sort of aggressive data privacy and data regulations that they have to deal with, they want to make sure the consumer of that API is within a certain geo location whereby they're not subject to liabilities from GDPR and other data residency regulation. And we are the ones that are giving them that view. And we can have even restrict and make sure they're compliant with that regulation that they have to sort of comply with. >> I could only imagine that that geo-regional view and the intelligence and the scale gives you insights- >> Yeah. >> Into attacks that aren't really kind of, aren't supposed to be there. In other words, if you can keep the data in the geo, then you could look- >> Yep. >> At anything else as that, you know, you don't belong here kind of track. >> You don't belong here. Exactly. Yeah, yeah. >> All right. So let's get to the API. >> Yeah, I mean- >> So the API visibility is an issue, right? So I can see that, check, sold me on that, protection is key, but if, what's the current security team makeup? Are they buying into this or are they just kind of the hair on fire? What are security development teams doing? 'Cause they're under a lot of pressure to do the hardcore security work. And APIs, again, surface area's wide open, they're part of everyone's access. >> Yeah. So I mentioned about the six-step journey of the life cycle. Right? We see customers come to us with very acute pain point and they say, "Our hair is on, our hair on fire. (John laughing) Solve this problem for us." Like one large US telco company came to us to, just a simple problem, do the inventory and risk assessment of all our APIs. That's our number one pain point. Ended up starting with them on those two pain points or those two stops on their life cycle. And then we ended up solving all the six steps with them because once we started creating an inventory and looking at the risk profile, we also observed that these same APIs were target by bots and fraudsters doing all kinds of bad things. So once we discovered those problems we expanded the scope to sort of have the whole life cycle covered with the Cequence platform. And that's the typical experience which is, it's typically the security team. There are developer communities that are coming to us with sort of the testing aspect of it which integrated into DevOps toolchains and CI/CD pipelines. But otherwise, it's all about security challenges, acute pain points, and then expanding into the whole journey. >> All right. So you got the detection, you got the alerting, you got the protection, you got the mitigation. What's the advice- >> Yeah. >> To the customer or the right approach to set up with Cequence so that they can have the best protection. What the motion? What's the initial engagement look like? How do they engage? How do they operationalize? >> Yeah. >> You guys take me through that. >> Yeah. The simple way of engaging with Cequence is get that external assessment which will map your APIs for you, it'll create a assessment for you. We'll present that assessment, you know, to your security team. And like 90% of the times customers have an aha moment, (John chuckles) that they didn't know something that we are showing them. They find APIs that were not supposed to be public. They will find hosting environments that they didn't know about. They will find API gateways that were, like not commissioned, but being used. And so start there, start their journey with an assessment with Cequence, and then work with us to prioritize what problems you want to solve next once you have that assessment. >> So really making sure that their inventory of API is legit. >> Yep. Yep, absolutely. >> It's basically- >> Yep. >> I mean, you're starting to see more of this in the cloud-native, you know, Sbot, they call 'em, you know, (indistinct) materials. >> (Ameya faintly speaking). What do you got out there, kind of full understanding of what's being instrumented out there, big time. >> Yeah. The thing is a lot of analysts say that APIs is the number one attack vector this year and going forward, but you'll be surprised to see that it's not the APIs that get targeted that are poorly secured. Actually, the APIs that are completely not secured are the ones that are attacked the most because there are plenty of them. So start with the assessment, figure out the APIs that are out there and then start your journey. That's sort of my recommendation. >> So based on your advice what you're saying is there's a, most people make the mistake of having a lot of undocumented or unauthorized APIs out there that are unsecured. >> Yeah. And security teams are unaware of those APIs. So how do you protect something that you don't know even exists? >> Yeah. >> Right? So that's the challenge. >> Okay. You know, the APIs have to be secure. And as applications connect too, there's the other side of the APIs, whether that's credential passing, so much is at stake here relative to the security. It's not just access it's what's behind it. There's a lot of trust coming in. So, you know, I got to ask you a final question. You got zero trust and you got trust kind of coming together. What's (laughs), how do you respond to that? >> Yeah. Zero trust is part of it in the sense that you have to not trust sort of any API consumer as a completely trusted entity. Just like I gave you the Ultra Beauty example. They had trusted this third party to be absolutely safe and secure, you know, no controls necessary to sort of monitor their traffic, whereas they can be abused by their end consumers and cause you a lot of pain. So there is a sort of a linkage between zero trust. Never trusts anybody until you verify, that's the sort of angle, that's sort of the connection between APIs security and zero trust. >> Ameya, thank you for coming on theCUBE. Really appreciate the conversation. I'll give you the final word. What should people know about Cequence Security? How would you give the pitch? You go, you know, quick summary, what's going on? >> Yeah. So very excited to be in this space. We sort of are the largest security of API security vendor in the space in terms of revenue, the largest volume of API traffic that we process. And we are just getting started. This is a exciting journey we are on, we are very happy to serve the, you know, Fortune 50, you know, global 200 customers that we have, and we are expanding into many geographies and locations. And so look for some exciting updates from us in the coming days. >> Well, congratulations on your success. Love the approach, love the scale. I think scale's a new competitive advantage. I think that's the new lock-in if you're good, and your scaling providing a lot of benefits. So Ameya, thank you for coming, sharing the story. Looking forward to chatting again soon. >> Thank you very much. Thanks for having us. >> Okay. This is a CUBE Conversation. I'm John Furrier, here at Palo Alto, California. Thanks for watching. (cheerful music)

>> ANNOUNCER: Live from Las Vegas, it's theCUBE. Covering VM World 2017. Brought to you by Vmware and its ecosystem partner. >> Hi, I'm Stu Miniman here with John Troyer and excited to welcome back to the program Chris Wahl, who's the Chief Technologist at Rubrik. Chris, thanks for joining us. >> Oh, my pleasure. It's my first VMworld CUBE appearance so I'm super stoked. >> Yeah, we're pretty excited that you hang out with, you know, just a couple of geeks as opposed to, what's it Kevin Durant and Ice Cube. Is this a technology conference or Did you and Bipple work for some Hollywood big time company? >> It's funny you say that, they'll be more tomorrow. So I'll allude to that. But ideally, why not hang out with some cool folks. I mean I live in Oakland. Hip Hop needs to be represented and the Golden State Warriors. >> It's pretty cool. I'm looking forward to the party. I know there will be huge lines. When Katie comes to throw down with a bunch of people. So looking forward to those videos. So we've been looking at Rubrik since, you know, came out of stealth. I got to interview Bipple, you know, really early on, so we've been watching. What you're on like the 4.0 release now right? How long has that taken and you know why don't you bring us up to speed with what's going on with Rubrik. >> Yeah, it's our ninth, our ninth major release over basically eight quarters. And along with that, we've announced we've hit like a 150 million dollar run rate that we've included when we started it was all about VMWare, doing back-ups providing those back-ups a place to land, meaning object store or AWS S3. And now it's, we protect Hyper-V, Acropolis from Nutanix, obviously the VMWare Suite, we can do archive to Azure, we can do, there's like 30 some-odd integration points. With various storage vendors, archive vendors, public cloud, etcetera. And the ulta release which is 4.0, just really extends that because now, not only can we provide backups and recovery and archive, which is kind of our bread and butter. But you can archive that to public cloud and now you can start running those workloads. Right, so what we call a cloud on, I can take either on demand or archive data that's been sent to S3, and I can start building virtual machines, like I said on demand. I can take the AMI, put it in EC2 and start running it right now. And I start taking advantage of the services and it's a backup product. Like, that's what always kind of blows my mind. This isn't, that's not the use case, it's one thing that we unlock from backup to archive data >> One of the challenges I usually see out there, is that people are like, oh Rubrik, you know they do backups for VMWare, how do you, you know, you're very much involved in educating and getting out there and telling people about it, how do you get over the, oh wait you heard what we were doing six months ago or six weeks ago, and now we're doing so much more. So how do you stay up with that? >> It's tough to keep up obviously, because every quarter we basically have either some kind of major or a dot release that comes out. I mean realistically, I set the table a little bit differently, I say, what are you looking to do? What are the outcomes that you're trying to drive? Simplicity's a huge one because everyone's dealing with I have a backup storage vendor and I have a storage vendor, and I have tape vendor, and all this other hodge podge things that they're dealing with. They're looking to save money, but ultimately they're trying to automate, start leveraging the cloud. Start really like, taking the headache out of providing something that's very necessary. And when I start talking about the services they can add, beyond that, because it's not just about taking a backup, leaving it in some rotting archive for 10 years, or whatever, it's really what can I do with the data once I have this duplicated and compressed, kind of pool, that I can start drawing from. And that's where people start to, their mind gets blown a little bit. Now that the individual features and check boxes sets, it is what it is, you know, like if you happen to need Hyper-V or Acropolis or whatever, it's really just where you are on that journey to start taking advantage of this data. And I think that's where people start to get really excited and we start white boarding and nerding out a little bit. >> Well Chris, so don't keep us in suspense, what kinds of things can you do once you have a copy of this data? It's still, it's all live, it's either on solid state or spinning disk or in the cloud somewhere. That's very different than just putting it on tape, so what do I do now, that I have all this data pool? >> So probably the most common use case is, I have VBC and a security group in Amazon. That exists today. I'm archiving to S3 in some way, shape, or form. Either IA or whatever flavor vessel you want. And then you're thinking, well I have these applications, what else can I do with them? What if I put it to a query service or a relational data base service, or what if I sped up 10 different copies because I need to for lode testing or some type of testing. I mean it all falls under the funnel of dev test, but I hate just capping it that way, because I think it's unimaginative. Realistically, we're saying here you have this giant pile of compute, that you're already leveraging the storage part of it, you the object store that is S3. What if you could unlock all the other services with no heavy lift? And the workload is actually built as an AMI. Right, so an ami, it's actually running an EC2, so there's no, you don't necessarily have to extend the Hyper Visor layer or anything like that. And it's essentially S3 questions, from the product perspective. It's you know, what security group, BCP, and shape of the format you want it to be. Like large, small, Xlarge, et cetera. That's it. So think about unlocking cloud potentials for less technical people or people that are dipping their toe in a public cloud. It really unlocks that ability and we control the data plane across it. >> Just one thing on that, because it's interesting, dev tests a lot of times, used to get shoved to the back. And it was like, oh you can run on that old gear, you know you don't have any money for it. We've actually found that it can increase, kind of the companies agility and development is a big part of creating big cool things out of a company, so you don't under sell what improving dev tests can do. So did you have some customer stories or great things that customers have done with what this capability has. >> Yeah, but to be fair, at first when I saw that we were going to start, basically taking VMWare backups and pushing that in archive and then turning those into EC2 instances of any shape or quantity. I was like, that's kind of crazy, who has really wanted that Then I started talking to customers and it was a huge request. And a lot of times, my architectural background would think, lift and shift, oh no, don't necessarily do that. I'm not a huge fan of that process. But while that is certainly something you can do, what they're really looking to do is, well, I have this binary package or application suite that's running on Elk Stack or some Linux distro, or whatever, and I can't do anything with that because it's in production and it's making me money, but I'd really like to see what could be done with that? Or potentially can I just eliminate it completely and turn it into a service. And so I've got some customers that completely what they're doing, they're archiving already and what they have the product doing is every time a new snapshot is taken and is sent to the cloud, it builds automatically that EC2 instance, and it starts running it. So they have a collection of various state points that they can start playing with. The actual backup is immutable, but then they're saying, alright, what if exactly what I kind of alluded to a little, what if I start using a native service in the cloud. Or potentially just discard that workload completely. And start turning it into a service, or refactor it, re platform it et cetera. And they're not having to provision, usually you have to buy infrastructure to do that. Like you're talking about the waterfall of Chinese stuff, that turns into dev stuff three years later. They don't have to do that, they can literally start taking advantage of this cloud resource. Run it for an hour or so, because devs are great at CDIC pipelines, let's just automate the whole stack, let's answer our question by running queries through jenkins or something like that. And then throw it away and it cost a couple of bucks. I think that's pretty huge. >> Well Chris, can you also use this capability for DR, for disaster recovery? Can you re hydrate your AMI's up there if everything goes South in your data center? >> Absolutely. I mean it's a journey and this is for dot zero. So I'm not going to wave my hands and say that it's an amazing DR solution. But the third kind of use case that we highlight with our product is that absolutely. You can take the work loads either as a planned event, and say I'm actually putting it here and this is a permanent thing. Or an unplanned event, which is what we all are trying to avoid. Where you're running the work loads in the cloud, for some deterministic period of time, and either the application layer or the file system layer, or even, like a data base layer, you're then protecting it, using our cloud cluster technology, which is Rubrik running in the cloud. Right there, it has access to S3 and EC2, you know, adjacently, there is not net fee and then you start protecting that and sending the data the other way. Because Rubriks software can talk to any other Rubrik's software. We don't care what format or package it's in. In the future we'd like to add more to that. I don't want to over sell it, but certainly that's the journey. >> Chris tell us about how your customers are feeling about the cloud in general. You know you've lived with the VM community for a lot of years, like many of us, and that journey to cloud and you know, what is Hybrid and multi-cloud mean to them, and you know, what you've been seeing at Rubrik over the last year. >> Yeah it's ahh, everybody has a different definition between hybrid, public, private-- >> Stu: Every customer I ever talked to will have a different answer to that. >> I just say multi cloud, because it feels the most safe And the technically correct version of that definition. It's certainly something that, everyone's looking to do. I think kind of the I want to build a private cloud phase of the journey is somewhat expired in some cases. >> Stu: Did you see Pat's keynote this morning? >> Yeah, the I want to build a private cloud using open stack and you know, build all my widgets. I feel that era of marketing or whatnot, that was kind of like 2008 or 2010. So that kind of era of marketing message has died a little bit. It's really just more I have on prem stuff, I'm trying to modernize it, using hyper-converge, or using software to find X, you know, networking et cetera But ultimately I have to start leveraging the places where my paths, my iya's and my sas are going to start running. How do I then cobble all that together. I mean at the sea level, I need visibility, I need control, I need to make executable decisions. That are financially impactful. And so having something they can look across to those different ecosystems, and give you actionable data, like here's where it's running, here's where it could run, you know, it's all still just a business decision, based on SLA. It's powerful. But then as you go kind of down message for maybe a director or someone's who's managing IT, that's really, someone's breathing down their neck, saying, we've got to have a strategy. But they're technically savvy, they don't want to just put stuff in the cloud and get that huge bill. Then they have to like explain that as well. So it kind of sits in a nice place where we can protect the modern apps, or kind of, I guess you can call them, modern slash legacy in the data center. But also start providing protection at a landing pad for the cloud native to use as an over watch term The stuff that's built for cloud that runs there, that's distributed and very sensitive to the fact that it charges per iota of use at the same time. >> Well Chris, originally Rubrik was deploying to customers as an appliance, right? So can you talk a little bit about that, right, you have many different options now, the customer, right? You can get open source, you can get commercial software, or you can get appliances, you can get SAS, and now it sounds like you're, there's also a piece that can run in the cloud, right? That it's not just a box that sits in a did center somewhere So can you talk about, again, what do customers want? What's the advantage of some of those different deployment mechanisms, what do you see? >> I'm not saying this as a stalling tactic, but I love that question. Because yes, when we started it made sense, build a turnkey appliance, make sure that it's simple. Like in deployment, we used to say it can deploy in an hour and that includes the time to take it out of the box and that only goes so far because that's one use case. So certainly, for the first year or so, the product that was where we were driving it, as a scale out node based solution then we added Rubrik edge as a virtual appliance. And really it was meant to, I have a data center and I'm covering those remote offices, type use cases. And we required that folks kind of tether the two, because it's a single node that's really just a suggesting data and bringing it back using policy. Then we introduced cloud cluster in 3.2 which is a couple of releases ago. And that allows you to literally build a four plus node cluster as your AWS, basically you give us your account info and we share the EMI with you or the VM in case of Azure and then you can just build it, right? And that's totally independent, like you can just be a customer. We have a couple of customers that are public, that's all they do, they deploy cloud cluster they backup things in that environment. And then they replicate or archive to various clouds or various regions within clouds. And there's no requirement to buy the appliance because that would be kind of no bueno to do that. >> Sure. >> So right, there's various packages or we have the idea now where you can bring your own hardware to the table. And we'll sell you the software, so like Lenovo and Cisco and things like that. It can be your choice based on the relationships you have. >> Wow Chris your teams are gone a lot, not just your personal team but the Rubrik team I walked by the booth and wait, I saw five more people that I know from various companies. Talk about the growth of like, you know Rubrik. You joined a year ago and it felt like a small company then. Now you guys are there, I get the report from this financial analyst firms and like, have you seen the latest unicorn, Rubrik and I'm like, Rubrik, I know those guys. And gals. So yeah absolutely, talk about the growth of the company. What's the company hiring for? Tell us a little bit about the culture inside. >> Sure, I mean, it's actually been a little over two years now that I've been there, it's kind of flying. I was in the first 50 hires for the company. So at the time I felt like the FNG, but I guess now, I'm kind like the old, old man. I think we're approaching or have crossed the 500 employee threshold and we're talking eight quarters essentially. A lot of investment, across the world, right, so we decided very early on to invest in Europe as a market. We had offices in Utruck in the Netherlands. And in London, the UK, we've got a bunch of engineering folks in India. So we've got two different engineering teams. As well as, we have an excellent, center of excellence, I think in Kansas City. So there's a whole bunch of different roots that we're planting as a company. As well as a global kind of effort to make sales, support, product, engineering, marketing obviously, something that scales everywhere. It's not like all the engineers are in Palo Alto and Silicone Valley and everyone else is just in sales. But we're kind of driving across everywhere. My team went from one to six. Over the last eight or nine months. So everything is growing. Which I guess is good. >> As part of that you also moved to Silicone Valley and so how does it compare to the TV show. >> Chris: It's in Oakland. >> Well it's close enough to Silicone Valley. >> It's Silicone Valley adjacent. I will say I used to visit all the time, you know. For various events and things like that. Or for VM World or whatnot. I always got the impression that I liked being there for about a week and then I wanted to leave before I really started drinking the kool aid a little heavily so it's nice being just slightly on the east bay area. At the same time, I go to events and things now. More as a local and it's kind of awesome to hear oh I invented whatever technology, I invented bootstrap or MPM or something like that. And they're just available to chat with. I tried it at that the, the sunscreen song, where he says, you know, move to california, but leave before you turn soft. So at some point I might have to go back to Texas or something to just to keep the scaley rigidity to my persona intact. >> Yeah, so you missed the barbecue? >> Well I don't know if you saw Franklin's barbecue actually burned down during the hurricane, so. >> No >> Yeah, if you're a, a huge barbecue fan in Austin, weep a tear, it might be a bad mojo for a little bit. >> Wow. Alright, we were alluding at the very beginning of the interview, you've got some VIP guests, we don't talk too much about, like, oh we're doing this tomorrow and everything, but you got some cool activities, the all stars, you know some of the things. Give us a little viewpoint, what's the goal coming into VM World this year and what are some of the cool things that you're team and the extended team are doing. >> Yeah, so kind of more on the nerdy fun side, we've actually built up, one of my team, Rebecca Fitzhughes build out this V all stars card deck so we picked a bunch of infuencers, and people that, you know friends and family kind of thing built them some trading cards and based on what you turn in you can win prizes and things like that. It was just a lot of other vendors have done things that I really respect. Like Solid Fire has the socks and the cards against humanity as an example. I wanted to do something similar and Rebecca had a great idea. She executed on that. Beyond that though, we obviously have Ice Cube coming in. He's going to be partying at the Marquis on Tuesday evening so he'll be, he'll be hanging around, you know the king of hip hop there. And on a more like fun, charitable note, we actually have Kevin Durant coming in tomorrow. We are shooting hoops for his charity fund. So everybody that sinks a goal, or ahh, I'm obviously not a basket ball person, but whoever sinks the ball into the hoop gets two dollars donated to his charity fund and you build it to win a jersey and things like that. So kind of spreading it across sports, music, and various digital transformation type things. To make sure that everyone who comes in, has a good time. VMWare's our roots, right? 1.0, the product was focused on that environment. It's been my roots for a long time. And we want to pay that back to the community. You can't forget where you came from, right? >> Alright, Chris Wahl, great to catch up with you. Thanks for joining us sporting your Alta t-shirt your Rubrik... >> I'm very branded. >> John Troyer and I will be back with lots more coverage here at VM World 2017, you're watching theCUBE.