(Upbeat music) >> Hi everyone and welcome back to the Cube's coverage of Splunk.conf 2021, virtual. We are here, live in the Splunk studios here in Silicon valley. I'm John Furrier, host of the Cube. Spiros Xanthos VP of product management of observability with Splunk is here inside the cube, Spiros, thanks for coming on. Great to see you. [Spiros Xanthos]- John, thanks for having me glad to be here. >> We love observability. Of course we love Kubernetes, but that was before observability became popular. We've been covering cube-con since it was invented even before, during the OpenStack days, a lot of open source momentum with you guys with observability and also in the customer base. So I want to thank you for coming on. Give us the update. What is the observability story its clearly in the headlines of all the stories SiliconANGLE's headline is multi-cloud observability security Splunk doubling down on all three. >> Correct. >> Big part of the story is observability. >> Correct. And you mentioned CubeCon. I was there last week as well. It seems that those observability and security are the two most common buzzwords you hear these days different from how it was when we started it. But yeah, Splank actually has made the huge investment in observability, starting with the acquisition of Victor ops three years ago, and then with Omnition and Signalfx. And last year with Plumbr synthetics company called Rigor and Flowmill and a network monitoring company. And plus a lot of organic investment we've made over the last two years to essentially build an end-to-end observability platform that brings together metrics, traces, and logs, or otherwise infrastructure monitoring, log analytics, application monitoring. Visual experience monitoring all in one platform to monitor let's say traditional legacy and modern cloud native apps. >> For the folks that know SiliconANGLE, the Cube know we've been really following this from the beginning for signal effects, remember when they started they never changed their course. they've had the right They have the right history and from spot by spot, you guys, same way open source and cloud was poo-pooed upon, people went like, oh, it's not secure, they never were. Now it's the center of all the action. [Spiros Xanthos]- Yes >> And so that's really cool. And thanks for doing that. The other thing I want to get your point on is what does end-to-end observability mean? Because there's a lot of observability companies out there right now saying, Hey, we're the solution We're the utility, we're the tool, but I haven't seen a platform. So what's your answer to that? >> Yes. So observability, in my opinion, in the context of what you're describing means two things. One is that when, when we say internal durability, it means that instead of having, let's say multiple monitoring tools that are silent, let's say one for monitoring network, one for monitoring infrastructure, a separate one for monitoring APM that do not work with each other. We bring all of these telemetry in one place we connect it and exactly because actually applications and infrastructure themselves are becoming one. You have a way to monitor all of it from one place. So that's observability. But the other thing that observability also is because these environments tend to be a lot more complex. It's not just about connecting them, right? It's also about having enough data and enough analytics to be able to make sense out of those environments and solve problems faster than you could do in the past with traditional monitoring. >> That's a great definition. I've got to then ask you one of the things coming up that came out of CoopCon was clear, is that the personnel to hire, to run this stuff, it's not everyone can get the skills gap problem. At the same time, automation is at an all time high people are automating and doing AI ops, get outs. What do you want to call this a buzz word for that basically automating the data observability into the CICB pipeline, huge trend right now. And the speed of developers is fast now. They're coding fast. They don't want to wait. >> I agree. So, and that's exactly what's happening, right? We want essentially from traditional IT where developers would develop something a little bit deployed months later by some IT professional, of course, all of this coming together, But we're not stopping that as you say, right, that the shifting left is going earlier into the pipeline. Everyone expect, essentially let's say monitoring to happen at the speed of deployment. And I guess observability again, is this not, as a requirement. Observability is this idea. Let's say that I should be able to monitor my applications in real time and, you know, get information as soon as something happens. >> With the evolution of the shift left trend. I would say for the people don't know what shift left is you put security the beginning, not bolted on at the end and developers can do it with automation, all that good stuff that they have. But how, how real is that right now in terms of it happening? Can you, can you share some vision and ideas and anecdotal data on how, how fast shift left is, or is there still bottlenecks and security groups and IT groups? >> So there are bottlenecks for sure. In my opinion, we are aware with, let's say the shift left or the dev sec ops trend, whether IT and devs maybe a few years ago. And this is both a cultural evolution that has to happen. So security teams and developers have to come closer together, understand like, say the consensus of the requirements of each other so they can work better together the way it happened with DevOps and all sorts of tooling problem, right? Like still observability or monitoring solutions are not working very well with security yet. We at Splunk of course, make this a priority. And we have the platform to integrate all the data in one place. But I don't think is generally something that we'll have achieved as well as an industry yet. And including the cultural aspects of it. >> Is that why you think end to end is important to hit that piece there so that people feel like it's all working together >> I think end to end is important for two reasons. actually one is that essentially, as you say, you hit all the pieces from the point of deployment, let's say all the way to production, but it's also because I think applications and infrastructure, FMLA infrastructure with Kubernetes, microservices are in traditional so much more complexity that you need to step function improvement in the tooling as well. Right? So that you need keep up with the complexity. So bringing everything together and applying analytics on top is the way essentially to have this step function improvement in how your monitoring solution works so that it can keep up with the complexity of the underlying infrastructure and application. >> That is a huge, huge points Spiros. I got to double down on that with you and say, let's expand that because that's the number one problem, taming the complexity without slowing down. Right? So what is the best practice for that? What do people do? Cause, I mean, I know it's evolving, it's going faster than that, but it's still getting better, but not always there, but what can people do to go faster? >> So, and I will add that it's even more complex than just what the cloud, let's say, native applications introduced because especially large enterprises have to maintain their routine, that on-prem footprint legacy applications that are still in production and then still expand. So it's additive to what they have today, right? If somebody was to start from a clean slate, let's say started with Kubernetes today, maybe yes, we have the cloud native tooling to monitor that, but that's not the reality of most, most enterprises out there. Right? So I think our goal at Splunk at least is to be able to essentially work with our customers through their digital, digital transformation and cloud journey. So to be able to support all their existing applications, but also help them bring those to the cloud and develop new applications in a cloud native fashion, let's say, and we have the tooling, I think, to support all of that, right between let's say our original data platform and our metrics and traces platform that we develop further. >> That's awesome. And then one quick question on the customer side, if I'm a customer, I want observability, I want this, I want everything you just said. How do I tell the difference between a pretender and a player, the good solution and a bad solution? What are the signals that this is the real deal, that's a fake product >> Agreed. So, I mean, everyone obviously believes that original (laughing) I'm not sure if I will. >> You don't want to name names? Here's my, my perspective on what truly is a requirement for absorb-ability right? First of all, I think we have moved past the time where let's say proprietary instrumentation and data collection was a differentiator. In fact, it actually is a problem today, if you are deploying that because it creates silos, right? If I have a proprietary instrumentation approach for my application, that data cannot be connected to my infrastructure or my logs, let's say, right. So that's why we believe open telemetry is the future. And we start there in terms of data collection. Once we standardize, let's say data collection, then the problem moves to analytics. And that's, I think where the future is, right? So observability is not just about collecting a bunch of data and that bring it back to the user. It's about making sense out of this data, right? So the name of the game is analytics and machine learning on top of the data. And of course the more data you can collect, the better it is from that perspective. And of course, then when we're talking about enterprises, scale controls, compliance all of these matter. And I think real time matters a lot as well, right? We cannot be alerting people after minutes of a problem that has happened, but within a few seconds, if we wanted to really be pro-active. >> I think one thing I like to throw out there, maybe get your reaction to it, I think maybe one other thing might be enabling the customer to code on top of it, because I think trying to own the vertical stack as well as is also risky as a vendor to sell to a company, having the ability to add programming ability on top of it. >> I completely agree actually, You do? In general giving more control to the users and how, what do they do with their data, let's say, right? And even allowing them to use open source, whatever is appropriate for them, right? In combination, maybe with a vendor solution when they don't want to invest themselves. >> Build their own apps, build your own experience. That's the way the world works. That's software. >> I agree. And again, Splunk from the beginning was about that, right? Like we'll have thousands of apps built ontop of our platform >> Awesome. Well, I want to talk about open source and the work you're doing with open telemetry. I think that's super important. Again, go back even five, 10 years ago. Oh my God. The cloud's not secure. Oh my God, open source has got security holes. It turns out it's actually the opposite now. So, you know finally through the people woke up. No, but it's gotten better. So take us through the open telemetry and what you guys are doing with that. >> Yes. So first of all, my belief, my personal belief is that if there is no future where infrastructure is anything about open source, right? Because people do not trust actually close our solutions in terms of security. They prefer open source at this point. So I think that's the future. And in that sense, a few years ago, I guess our belief was that all data collection instrumentations with standards based first of all, so that the users have control and second should be open source. That's why we, at Omnition the company I co-founded that was acquired by Splunk. We we're one of the main tenders of open sensors and that we brought together open sensors and OpenTracing in creating open telemetry. And now , Open telemetry is pretty much the de facto. Every vendor supports it, its the second most active project in CNCF. And I think it's the future, right? Both because it frees up the data and breaks up the silos, but also because, has support from all the vendors. It's impossible for any single vendor to keep up with all this complexity and compete with the entire industry when we all come together. So I think it's a great success it's I guess, kudos to everybody, kudos to CNCF as well, that was able to actually create and some others. >> And props to CNCF. Yeah. CNC has done an amazing job and been going to all those events all the years and all the innovations has been phenomenal. I got to ask what the silos, since you brought it up, come multiple times. And again, I think this is important just to kind of put an exclamation point on, machine learning is based upon data. Okay. If you have silos, you have the high risk of having bad machine learning. >> Yes. >> Okay. That's you agree with that? >> Completely. >> So customers, they kind of understand this, right. If you have silos that equals bad future >> Correct >> because machine learning is baked into everything now. >> And I will add to that. So silos is the one problem, and then not being able to have all the data is another problem, right? When it comes to being able to make sense out of it. So we're big believers in what we call full fidelity. So being able to connect every byte of data and do it in a way that makes sense, obviously economically for the customer, but also have, let's say high signal to noise ratio, right? By structuring the data at the source. Overt telemetry is another contributor to that. And by collecting all the data and by having an ability, let's say to connect the data together, metrics, traces, logs, events, incidents, then we can actually build a little more effective tooling on top to provide answers back to the user with high confidence. So then users can start trusting the answers as opposed to they themselves, always having to figure out what the problem is. And I think that's the future. And we're just starting. >> Spiros I want to ask you now, my final question is about culture And you know, when you have scale with the cloud and data, goodness, where you have people actually know the value of data and they incorporate into their application, you have advantages. You have competitive advantages in some cases, but developers were just coding love dev ops because it's infrastructure as code. They don't have to get into the weeds and do the under the hood, datas have that same phenomenon right now where people want access to data. But there's certain departments like security departments and IT groups holding back and slowing down the developers who are waiting days and weeks when they want it in minutes and seconds for have these kinds of things. So the trend is, well there's, first of all, there's the culture of people aren't getting along and they're hating each other or they're not liking each other. >> Yes >> There's a little conflict, always kind of been there, but now more than ever, because why wait? >> I agree. >> How can companies shorten that cycle? Make it more cohesive, still decouple the groups because you've got, you got compliance. How do you maximize the best of a good security group, a good IT group and enables as fast as possible developers. >> I agree with you, by the way, this is primarily cultural. And then of course there is a tooling gap as well. Right. But I think we have to understand, let's say as a security group, instead of developers, what are the needs of each other, right. Why we're doing the things we're doing because everybody has the right intentions to some extent, right? But the truth is there is pain. We are me and myself. Like as we develop our own solutions in a cloud native fashion, we see that right. We want to move as fast as possible, but at the same time, want to be compliant and secure, right. And we cannot compromise actually on security or compliance. I mean, that's really the wrong solution here. So I think we need to come together, understand what each other is trying to do and provide. And actually we need to build better tooling that doesn't get into the way. Today, oftentimes it's painful to have, let's say a compliance solution or a secure solution because it slows down development. I think we need to actually, again, maybe a step function improvement in the type of tooling we'll have in this space. So it doesn't get into the way Right? It does the work it provides. Let's say the security, the security team requires, it provides the guarantees there, but doesn't get in the way of developers. And today it doesn't happen like this most of the time. So we have some ways to go. >> And Garth has mentioning how you guys got some machine learning around different products is one policy kind of give some, you know, open, you know, guardrails for the developers to bounce around and do things until they, until they have to put a new policy in place. Is that an answer automated with automation? >> Big time. Automation is a big part of the answer, right? I think we need to have tooling that first of all works quickly and provides the answers we need. And we'll have to have a way to verify that the answer are in place without slowing down developers.Splunk is, I mean, out of a utility of DevSecOps in particular is around that, right? That we need to do it in a way that doesn't get in the way of, of let's say the developer and the velocity at which they're trying to move, but also at the same time, collect all the data and make sure, you know, we know what's going on in the environment. >> Is AI ops and dev sec ops and GET ops all the same thing in your mind, or is it all just labels >> It's not necessarily the same thing because I think AI ops, in my opinion applies, let's say to even more traditional environments, what are you going to automate? Let's say IT workflows in like legacy applications and infrastructure. Getops in my mind is maybe the equivalent when you're talking about like cloud native solutions, but as a concept, potentially they are very close I guess. >> Well, great stuff. Great insight. Thanks for coming on the Cube. Final point is what's your take this year of the live we're in person, but it's virtual, we're streaming out. It's kind of a hybrid media environment. Splunk's now in the media business with the studios, everything great announcements. What's your takeaway from the keynote this week? What's your, you got to share to the audience, this week's summary. >> First of all, I really hope next year, we're all going to be in one place, but still given the limitations we had I think it was a great production and thanks to everybody who was involved. So my key takeaway is that we truly actually have moved to the data age and data is at the heart of everything we do. Right? And I think Splunk has always been that as a company, but I think we ourselves really embraced that and everything we do is everything. Most of the problems we solve are data problems, whether it's security, observability, DevSecOps, et cetera. So. >> Yeah, and I would say, I would add to that by saying that my observations during the pandemic now we're coming, hopefully to the end of it, you guys have been continuing to ship code and with real, not vaporware real product, the demos were real. And then the success on the open source. Congratulations. >> Thank you. >> All right. Thanks for coming on and we appreciate it >> Thanks alot _Cube coverage here at dot com Splunk annual conference. Virtual is the Cube. We're here live at the studios here at Splunk studios for their event. I'm John Farrow with the Cube. Thanks for watching. (joyful tune)

>>from around the globe. It's the Cube presenting Cuban cloud brought to you by silicon angle. Welcome to the cubes event. Virtual event. Cuban Cloud. I'm John for your host. We're here talking to all the thought leaders getting all the stories around Cloud What's going on this year and next today, Tomorrow and the future. We gotta featured startup here. Jonah Clipper, who is the CEO and founder of Stack Hawks. Developing security software for developers to have them put security baked in from the beginning. Johnny, thanks for coming on and being featured. Start up here is part of our Cuban cloud. Thanks for joining. >>Thanks so much for having me, John. >>So one of our themes this year is obviously Cloud natives gone mainstream. The pandemic has shown that. You know, a lot of things have to be modern. Modern applications, the emerald all they talked about modern applications. Infrastructure is code. Reinvent, um is here. They're talking about the next gen enterprise. Their public cloud. Now you've got hybrid cloud. Now you've got multi cloud. But for developers, you just wanna be building security baked in and they don't care where the infrastructure is. So this is the big trend. Like to get your thoughts on that. But before we jump in, tell us about Stack Hawk What you guys do your founded in 2019. Tell us about your company and what Your mission is >>Awesome. Yeah, our mission is to put application security in the hands of software developers so that they can find and fix upset books before they deployed a production. And we do that through a dynamic application scanning capability. Uh, that's deployable via docker, so engineers can run it locally. They can run it in C I C. D. On every single PR or merge and find bugs in the process of delivering software rather than after it's been production. >>So everyone's talking about shift left, shift left for >>security. What does >>that mean? Uh, these days. And what if some of the hurdles that people are struggling with because all I hear is shift left shift left from, like I mean, what does What does that actually mean? Now, Can you take us through your >>view? Yes, and we use the phrase a lot, and I and I know it can feel a little confusing or overused. Probably. Um, When I think of shift left, I think of that Mobius that we all look at all of the time, Um, and how we deliver and, like, plan, write code, deliver software and then manage it. Monitor it right like that entire Dev ops workflow. And today, when we think about where security lives, it either is a blocker to deploying production. Or most commonly, it lives long after code has been deployed to production. And there's a security team constantly playing catch up, trying to ensure that the development team whose job is to deliver value to their customers quickly, right, deploy as fast as we can, as many great customer facing features, um there, then, looking at it months after software has been deployed and then hurrying and trying to assess where the bugs are. And, um, trying to get that information back to software developers so that they can fix those issues. Shifting left to me means software engineers are finding those bugs as their writing code or in the CIA CD pipeline long before code has been deployed to production. >>And so you guys attack that problem right there so they don't have to ship the code and then come back and fix it again. Or where we forgot what the hell is going on. That point in time some Q 18 gets it. Is that the kind of problem that that's out there? Is that the main pain point? >>Yeah, absolutely. I mean a lot of the way software, specifically software like ours and dynamic applications scanning works is a security team or a pen tester. Maybe, is assessing applications for security vulnerability these, um, veteran prod that's normally where these tools are run and they throw them back over the wall, you know, interrupting sprints and interrupting the developer workflow. So there's a ton of context switching, which is super expensive, and it's very disruptive to the business to not know about those issues before they're in prod. And they're also higher risk issues because they're in fraud s. So you have to be able to see a >>wrong flywheel. Basically, it's like you have a penetration test is okay. I want to do ship this app. Pen test comes back, okay? We gotta fix the bug, interrupts the cycle. They're not coding there in fire drill mode. And then it's a chaotic death spiral at that point, >>right? Or nothing gets done. God, how did >>you What was the vision? How did you get here? What? How did you start? The company's woke up one morning. Seven started a security company. And how did what was the journey? What got you here? >>Sure. Thanks. I've been building software for software engineers since 2010. So the first startup I worked for was very much about making it easy for software engineers to deploy and manage applications super efficiently on any cloud provider. And we did programmatic updates to those applications and could even move them from cloud to cloud. And so that was sort of cutting my teeth and technology and really understanding the developer experience. Then I was a VP of product at a company called Victor Ops. We were purchased by spunk in 2018. But that product was really about empowering software engineers to manage their own code in production. So instead of having a network operations center right who sat in front of screens and was waiting for something to go wrong and would then just end up dialing there, you know, just this middle man trying to dial to find the person who wrote the software so that they can fix it. We made that way more efficient and could just route issues to software engineers. And so that was a very dev ops focused company in terms of, um, improving meantime to know and meantime to resolve by putting up time in the hands of software engineers where it didn't used to live there before it lived in a more traditional operations type of role. But we deploy software way too quickly and way too frequently to production to assume that another human can just sit there and know how to fix it, because the problems aren't repeatable, right? So So I've been living in the space for a long time, and I would go to conferences and people would say, Well, I love for, you know, we have these digital transformation initiatives and I'm in the security team and I don't feel like I'm part of this. I don't know. I don't know how to insert myself in this process. And so I started doing a lot of research about, um, how we can shift this left. And I was actually doing some research about penetration testing at the time, Um, and found just a ton of opportunity, a ton of problems, right that exist with security and how we do it today. So I really think of this company as a Dev Ops first Company, and it just so happens to be that we're taking security, and we're making it, um, just part of the the application testing framework, right? We're testing for security bugs, just like we would test for any other kind of bucks. >>That's an awesome vision of other great great history there. And thanks for sharing that. I think one of the things that I think this ties into that we have been reporting aggressively on is the movement to Dev Stack Up, Dev, Ops Dev SEC Ops. And you know, just doing an interview with the guy who stood up space force and big space conversation and were essentially riffing on the idea that they have to get modern. It's government, but they got to do more commercial. They're using open source. But the key thing was everything. Software defined. And so, as you move into suffer defined, then they say we want security baked in from the beginning and This is the big kind of like sea level conversation. Bake it in from the beginning, but it's not that easy. And this is where I think it's interesting where you start to think, uh, Dev ops for security because security is broken. So this is a huge trend. It sounds easy to say it baked security in whether it's an i o T edge or multi cloud. There's >>a lot >>of work there. What should people understand when they hear that kind of platitude of? I just baked security and it's really easy. It's not. It's not trivial. What's your thoughts on >>that? It isn't trivial. And in my opinion, there aren't a lot of tools on the market that actually make that very easy. You know, there are some you've had sneak on this program and they're doing an excellent job, really speaking to the developer and being part of that modern software delivery workflow. Um, but because a lot of tools were built to run in production, it makes it really difficult to bake them in from the beginning. And so, you know, I think there are several goals here. One is you make the tooling work so that it works for the software engineer and their workflow. And and there's some different values that we have to consider when its foreign engineer versus when it's for a security person, right? Limit the noise, make it as easy as possible. Um, make sure that we only show the most critical things that are worth an engineer. Stopping what they're doing in terms of building business value and going back and fixing that bugs and then create a way to discuss in triage other issues later outside of the development. Workflow. So you really have to have a lot of empathy and understanding for how software is built and how software engineers behave, I think, in order to get this right. So it's not easy. Um, but we're here and other tools air here. Thio support companies in doing that. >>What's the competitive strategy for you guys going forward? Because there's a big sea change. Now I see an inflection point. Obviously, Cove it highlights. It's not the main reason, but Cloud native has proven it's now gone mainstream kubernetes. You're seeing the big movement there. You're seeing scale be a huge issue. Software defined operations are now being discussed. So I think it's It's a simple moment for this kind of solution. How are you guys going to compete? What's what's the winning strategy? How are you guys gonna compete to win? >>Yeah, so there's two pieces to that one is getting the technology right and making sure that it is a product that developers love. And we put a ton of effort into that because when a software engineer says, Hey, I'd love to use the security product, right? CSOs around the world are going to be like, Yes, please. Did a software engineer just ask me, You have the security product. Thank you, Right. We're here to make it so easy for them and get the tech right. And then the other piece, in terms of being competitive, is the business model. There were something like, I don't You would know better than me, but I think the data point I last saw was like 1300 venture backed security companies since 2012 focused on selling to see SOS and Fortune 2000 companies. It is a mess. It's so noisy, nobody can figure out what anybody actually does. What we have done is said no, we're going to take a modern business model approach to security. So you know, it's a SAS platform that makes it super easy for a software engineer or anybody on the team to try and buy the software. So 14 day trial. You don't have to talk to anybody if you don't want Thio Awesome support to make sure that people can get on boarded and with our on boarding flow, we've seen that our customers go from signing up to first successful scan of their platform or whatever app they chose to scan in a knave ridge of about 10 minutes. The fastest is eight, right? So it's about delivering value to our customers really quickly. And there aren't many companies insecurity on the market today. That do that? >>You know, you mentioned pen test earlier. I I hear that word. Nice shit. And, like, pen test penetration test, as it's called, um, Sock reports. I mean, these are things that are kind of like I got to do that again. I know these people are doing things that are gonna be automated, but one of the things that cloud native has proven as be killer app is integrations because when you build a modern app, it has to integrate with someone else. So there you need these kind of pen tests. You gotta have this kind of code review. And as code, um, is part of, say, a purpose built device where it's an I o T. Edge updates have toe happen. So you need mawr automation. You need more scale around both updating software to, ah, purpose built device or for integration. What's your thoughts in reaction to that? Because this is a riel software challenge from a customer standpoint, because there are too many tools out there and every see so that I talk to says, I just want to get rid of half the tools consolidate down around my clouds that I'm working through my environment and b'more developer oriented, not just purchasing stuff. So you have all this going on? What's your reaction to that? You got the you know, the integration and you've got the software updates on purpose built devices. >>Yeah, I mean, we I make a joke a little bit. That security land is like, you know, acronyms. Dio there are so many types of security that you could choose to implement. And they all have a home and different use cases that are certainly valuable toe organizations. Um, what we like to focus on and what we think is interesting and dynamic application scanning is because it's been hard toe automate dynamic application for especially for modern applications. I think a lot of companies have ignored theon pertuan ity Thio really invest in this capability and what's cool about dynamic. And you were mentioning pen testing. Is that because it's actively attacking your app? It when you get a successful test, it's like a It's like a successful negative test. It's that the test executed, which means that bug is present in your code. And so there's a lot less false positives than in other types of scanning or assessment technologies. Not to say there isn't a home for them. There's a lot of we could we could spend a whole hour kind of breaking down all the different types of bugs that the different tools confined. Um, but we think that if you want to get started developer first, you know there's a lot of great technologies. Pick a couple or one right pick stack hawk pick, sneak and just get started and put it in your developer workflow. So integrations are super important. Um, we have integrations with every C I C. D provider, making it easy to scan your code on every merge or release. And then we also have workflow integrations for software engineers associated with where they want to be doing work and how they want to be interrupted or told about an issue. So, you know, we're very early to market, but right out of the gate, we made sure that we had a slack integration so that scans are running. Or as we're finding new things, it's populating in a specific slack channel for those engineers who work on that part of the app and you're a integration right. If we find issues, we can quickly make tickets and route them and make sure that the right people are working on those issues. Eso That's how I think about sort of the integration piece and just getting started. It's like you can't tackle the whole like every accurate, um, at once like pick something that helps you get started and then continue to build out your program, as you have success. >>A lot of these tools can they get in the hands of developers, and then you kind of win their trust by having functionality. Uh, certainly a winning strategy we've seen. You know, Splunk, you mentioned where you worked for Data Dog and very other tools out there just get started easily. If it's good, it will be used. So I love that strategy. Question. I wanna ask you mentioned Dr earlier. Um, they got a real popular environment, but that speaks to the open source area. How do you see the role of open source playing with you guys? Is that gonna be part of your community outreach? Does the feed into the product? Could you share your vision on how stack hawks engaging and playing an open source? >>Yeah, absolutely. Um So when we started this company, my co founders and I, we sat down and said here, What are the problems? Okay, the world doesn't need a better scanner, right? If you walk the floor of, ah, security, uh, conference. It's like our tool finds a million things and someone else is. My tool finds a million and five things. Right, And that's how they're competing on value. It's really about making it easy to use and put in the pipeline. So we decided not to roll. Our own scanner were based on an open source capability called Zap the Set Attack Proxy. Uh, it is the most the world's most downloaded application scanner. And, uh, actually we just hired the founder of Zap to join the Stack Hawk team, and we're really excited to continue to invest in the open source community. There is a ton of opportunity to grow and sort of galvanize that community. And then the work that we do with our customers and the feedback that we get about the bugs we find if there, ah, false positive or this one's commonly risk accepted, we can go back to the community, which were already doing and saying, Hey, ditch this rule, Nobody likes it or we need to improve this test. Um, so it's a really nice relationship that we have, and we are looking forward to continuing to grow that >>great stuff. You guys are hot. Start of love. The software on security angle again def sec. Cox is gonna be It's gonna be really popular. Can you talk about some of the customer success is What's the What's the feedback from customers? Can you share some of the use cases that you guys are participating in where you're winning? You mentioned developers love it and try It can just give us a couple of use cases and examples. >>Yeah. Ah, few things. Um ah, lot of our customers are already selling on the notion. Like before we even went to G A right. They told all of their customers that they scan for security bugs with every single release. So in really critical, uh, industry is like fintech, right. It's really important that their customers trust that they're taking security seriously, which everybody says they dio. But they show it to their customers by saying here, every single deploy I can show you if there were any new security bugs released with that deploy. So that's really awesome. Other things We've heard our, uh, people being able to deploy really quickly thio the Salesforce marketplace, right? Like if they have toe have a scan to prove that that they can sell on Salesforce, they do that really rapidly. Eso all of that's going really well with our customers. >>How would I wanna How would I be a customer if I was interested in, um, using Stack Hawks say we have some software we wanna stand up, and, uh, it's super grade. And so Amazon Microsoft Marketplace Stairs Force They'll have requirements or say I want to do a deal with an integration they don't want. They want to make sure there's no nothing wrong with the code. This seems to be a common use case. How doe I if I was a customer, get involved or just download software? Um, what's the What's the procurement? What's the consumption side of it looked like, >>Yeah, you just go to Stockholm dot com and you create an account. If you'd like to get started that way so you can have a 14 day free trial. We have extremely extensive documentation, so it's really easy to get set up that way. You should have some familiarity. Or grab a software engineer who has familiarity with a couple of things. So one is how to use Docker, right? So Docker is, ah, deployment mechanism for the scanner. We do that so you can run it anywhere that you would like to, and we don't have to do things like pierce firewalls or other protective measures that you've instrumented on your production environment. You just run it, um, wherever you like in your system. So locally, C I c d So docker is an important thing to understand the way we configure our scanner is through a, um, a file. So if you are getting a scan today, either your security team is doing it or you have a pen tester doing it. Um, the whole like getting ready for that engagement takes a lot of time because the people who are running the tests don't know how the software was built. So the way we think about this is, just ask them. So you just fill out a Yamil file with parameters that tell the scanner what to dio tell it how to authenticate and not log out. Um, feed us an A p. I speak if you want, so weaken super efficiently, scan your app and you can be up and running really quickly, and then that's it. You can work with our team at any time if you need help, and then we have a really efficient procurement process >>in my experience some of the pen tests of firms out there, is it? It's like the house keeping seal of approval. You get it once and then you gotta go back again. Software change, new things come in. And it's like, Wait a minute, what's the new pen test? And then you to write a check or engaged to have enough meeting? I mean, this is the problem. I mean, too many meetings. Do you >>guys solve that problem? Do >>you solve that problem? >>We solve a piece of that problem. So I think you know, part of how I talk about our company is this idea that we live in a world where we deploy software every single day. Yet it seems reasonable that once a year or twice a year, we go get a pen test where human runs readily available, open source software on our product and gives us a like, quite literal. Pdf of issues on. It's like this is so intellectually dishonest, like we deploy all of the time. So here's the thing. Pen tests are important and everybody should do them. But that should not be the introduction to these issues that are also easy to automate and find in your system. So the way we think about how we work with pen testers is, um, run, stack hawk or zapped right in an automated fashion on your system, and then give that, give the configuration and give the most recent results to your pen tester and say, Go find the hard stuff. You shouldn't be cutting checks for $30,000 to a pen tester or something that you could easily meet in your flare up. Klein. You could write the checks for finding finding the hard stuff that's much more difficult to automate. >>I totally agree. Final question. Business model Once I get in, is it a service software and services? A monthly fee? How do you guys make money? >>Yep, it is software as a service, it is. A monthly fee were early to market. So I'm not going to pretend that we have perfectly cracked the pricing. Um, but the way that we think about this is this is a team product for software engineers and for, you know, informed constituents, right? You want a product person in the product. You want a security person in the product? Um, and we also want to incent you to scan your APS And the most modern fashion, which is scanning the smallest amount of http that lives in your app, like in a micro services architecture because it makes a lot easier, is easy to isolate the problems where they live and to fix those issues really quickly. So we bundle team and for a UPS and then we scale within, uh, companies as they add more team. So pen users. 10 APS is 3 99 a month. And as you add software engineers and more applications, we scale within your company that way. >>Awesome. So if you're successful, you pay more, but doesn't matter. You already succeeded, and that's the benefit of by As you go Great stuff. Final question. One more thing. Your vision of the future. What are the biggest challenges you see in the next 24 months? Plus beyond, um, that you're trying to attack? That's a preferred future that you see evolving. What's the vision? >>Yeah, you've touched on this a couple of times in this interview with uh being remote, and the way that we need to build software already has been modernizing, and I feel like every company has a digital transformation initiative, but it has toe happen faster. And along with that, we have to figure out how Thio protect and secure these Moderna Gail. The most important thing that we do the hearts and minds of our support engineers and make it really easy for them to use security capabilities and then continue to growth in the organization. And that's not an easy thing tied off. It's easy change, a different way of being security. But I think we have to get their, uh, in order to prepare the security, uh, in these rapidly deployed and developed applications that our customers expect. >>Awesome. Jodi Clippers, CEO and founder of Stack Hawk. Thank you for coming on. I really appreciate it. Thanks for spending the time featured Startup is part of our Cuban cloud. I'm Sean for your host with silicon angle to Cube. Thanks for watching

(electronic music) >> Host: Live from Midtown Manhattan it's The Cube! Covering Big Data New York City 2017, brought to you by Silicon Angle Media, and its Ecosystem sponsors. >> Okay, welcome back everyone. We are here live, The Cube in New York City for Big Data NYC, this is our fifth year, doing our own event, not with O'Reilly or Cloud Era at Strata Data, which as Hadoop World, Strata Conference, Strata Hadoop, now called Strata Data, probably called Strata AI next year, we're The Cube every year, bringing you all the great data, and what's going on. Entrepreneurs, VCs, thought leaders, we interview them and bring that to you. I'm John Furrier with our next guest, Greg Sands, who's the managing director and founder of Costa Nova ventures in Palo Alto, started out as an entrepreneur himself, then single shingle out there, now he's a big VC firm on a third fund. >> On the third fund. >> Third fund. How much in that fund? >> 175 million dollar fund. >> So now you're a big firm now, congratulations, and really great to see your success. >> Thanks very much. I mean, we're still very much an early stage boutique focused on companies that change the way the world does business, but it is the case that we have a bigger team and a bigger fund, to go do the same thing. >> Well you've been great to work with, I've been following you, we've known each other for a while, watched you left Sir Hill and start Costanova, but what's interesting is that, I can kind of joke and kid you, the VC inside joke about being a big firm, because I know you want to be small, and like to be small, help entrepreneurs, that's your thing. But it's really not a big firm, it's a few partners, but a lot of people helping companies, that's your ethos, that's what you're all about at your firm. Take a minute to just share with the folks the kinds of things you do and how you get involved in companies, you're hands on, you roll up your sleeves. You get out of the way at the right time, you help when you can, share your ethos. >> Yeah, absolutely so the way we think of it is, combining the craft of old school venture capital, with a modern operating team, and so since most founder these days are product-oriented, our job is to think like product people, not think like investors. So we think like product people, we do product level analysis, we do customer discovery, we do, we go ride along on sales calls when we're making investment decisions. And then we do the things that great venture capitalists have done for years, and so for example, at Alatian, who I know has been on the show today, we were able to incubate them in our office for a year, I had many conversations with Sathien after he'd sold the first two or three customers. Okay, who's the next person we hire? Who isn't a founder? Who's going to go out and sell? What does that person look like? Do you go straight to a VP? Or do you hire an individual contributor? Do you hire someone for domain, or do you hire someone for talent? And that's the thing that we love doing. Now we've actually built out an operating team so marketing partner, Martino Alcenco, and Jim Wilson as a sales partner, to really help turn that into a program, so that they can, we can take these founders who find product market fit, and say, how do we help you build the right sales process and marketing process, sales team and marketing team, for your company, your customer, your product? >> Well it's interesting since you mention old school venture capital, I'll get into some of the dynamics that are going on in Silicon valley, but it's important to bring that forward, because now with cloud you can get to critical mass on the fly wheel, on economics, you can see the visibility faster now. >> Greg: Absolutely. >> So the game of the old school venture capitalist is all the same, how do you get to cruising altitude, whatever metaphor you want to use, the key was getting there, and sometimes it took a couple of rounds, but now you can get these companies with five million, maybe $10 million funding, they can have unit economics visibility, scales insight, then the scale game comes in, so that seems to be the secret trick right now in venture is, don't overspend, keep the valuation in range and allows you to look for multiple exits potentially, or growth. Talk about that dynamic, because this is like, I call it the hour glass. You get through the hour glass, everyone's down here, but if you can sneak through and get the visibility on the economics, then you grow quickly. >> Absolutely. I mean, it's exactly right an I haven't heard the hour glass metaphor before but I like it. You want to basically get through the narrows of product market fit and the beginnings of scalable sales and marketing. You don't need to know all the answers, but you can do that in a capital-efficient way, building really solid foundations for future explosive growth, look, everybody loves fast growth and big markets, and being grown into. But the number of people who basically don't build those foundations and then say, go big or go home! And they take a ton of money, and they go spend all the money, doing things that just fundamentally don't work, and they blow themselves up. >> Well this is the hourglass problem. You have, once you get through that unique economics, then you have true scale, and value will increase. Everybody wins there so it's about getting through that, and you can get through it fast with good mentoring, but here's the challenge that entrepreneurs fall into the trap. I call it the, I think I made it trap. And what happens is they think they're on the other side of the hourglass, but they still haven't even gone through the straight and narrow yet, and they don't know it. And what they do is they over fund and implode. That seems to be a major trap I see a lot of entrepreneurs fall into, while I got a 50 million pre on my B round, or some monster valuation, and they get way too much cash, and they're behaving as if they're scaling, and they haven't even nailed it yet. >> Well, I think that's right. So there's certainly, there are stages of product market fit, and so I think people hit that first stage, and they say, oh I've got it. And they try to explode out of the gates. And we, in fact I know one good example of somebody saying, hey, by the way, we're doing great in field sales, and our investors want us to go really fast, so we are going to go inside and we, my job was to hire 50 inside people, without ever having tried it. And so we always preach crawl, walk, run, right? Hire a couple, see how it works. Right, in a new channel. Or a new category, or an adjacent space, and I think that it's helpful to have an investor who has seen the whole picture to say, yeah, I know it looks like light at the end of the tunnel, but see how it's a relatively small dot? You still got to go a little farther, and then the other thing I say is, look, don't build your company to feed your venture capitalist ego. Right? People do these big rounds of big valuations, and the big dog investors say, go, go, go! But, you're the CEO. Your job is analyze the data. >> John: You can find during the day (laughs). >> And say, you know, given what we know, how fast should we go? Which investments should we make? And you've got to own that. And I think sometimes our job is just to be the pulling guard and clear space for the CEO to make good decisions. >> So you know I'm a big fan, so my bias is pretty much out there, love what you guys are doing. Tim Carr is a Pivot North doing the same thing. Really adding value, getting down and dirty, but the question that entrepreneurs always ask me and talk privately, not about you, but in general, I don't want the VC to get in the way. I want them, I don't want them to preach to me, I don't want too many know-it-alls on my board, I want added value, but again, I don't want the preaching, I don't want them to get in the way, 'cause that's the fear. I'm not saying the same about VCs in general, but that's kind of the mentality of an entrepreneur. I want someone who's going to help me, be in the boat with me, but not be in my way. How do you address that concern to the founders who think, not think like that, but might have a fear. >> Well, by the way, I think it's a legitimate fear, and I think it actually is uncorrelated with added value, right? I think the idea that the board has certain responsibilities, and management has certain responsibilities, is incredibly important. And I think, I can speak for myself in saying, I'm quite conscious of not crossing that line, I think you talk. >> John: You got to build a return, that's the thing. >> But ultimately I would say to an entrepreneur, I'd just say, hey look, call references. And by the way, here are 30 names and phone numbers, and call any one of them, because I think that people who are, so a venture capital know-it-all, in the board room, telling CEOs what to do, destroys value. It's sand in the gears, and it's bad for the company. >> Absolutely, I agree 100% >> And some of my, when I talk about being a pulling guard for the CEO, that's what I'm talking about, which is blocking people who are destructive. >> And rolling the block for a touchdown, kind of use the metaphor. Adding value, that's the key, and that's why I wanted to get that out there because most guys don't get that nuance, and entrepreneurs, especially the younger ones. So it's good and important. Okay, let's talk about culture, obviously in Silicon Valley, I get, reading this morning in the Wymo guy, and they're writing it, that's the Silicon Valley, that's not crazy, there's a lot of great people in Silicon Valley, you're one of them. The culture's certainly an innovative culture, there's been some things in the press, inclusion and diversity, obviously is super important. This whole brogrammer thing that's been kind of kicked around. How are you dealing with all that? Because, you know, this is a cultural shift, but I think it's being made out more than it really is, but there's still our core issues, your thoughts on the whole inclusion and diversity, and this whole brogrammer blowback thing. >> Yeah, well so I think, so first of all, really important issues, glad we're talking about them, and we all need to get better. And to me the question for us has been, what role do we play? And because I would say it is a relatively small subset of the tech industry, and the venture capital industry. At the same time the behavior of that has become public is appalling. It's appalling and totally unacceptable, and so the question is, okay, how can we be a part of the stand-up part of the ecosystem, and some of which is calling things out when we see them. Though frankly we work with and hang out with people and we don't see them that often, and then part of which is, how do we find a couple of ways to contribute meaningfully? So for example this summer we ran what we called the Costanova Access Fellowship, intentionally, trying to provide first opportunity and venture capital for people who traditionally haven't had as much access. We created an event in the spring called, Seat at the Table, really, particularly around women in the tech industry, and it went so well that we're running it in New York on October 19th, so if you're a woman in tech in New York, we'd love to see you then. And we're just trying to figure-- >> You're doing it in an authentic way though, you're not really doing it from a promotional standpoint. It's legit. >> Yeah, we're just trying to do, you know, pick off a couple of things that we can do, so that we can be on the side of the good guys. >> So I guess what you're saying is just have high integrity, and be part of the solution not part of the problem. >> That's right, and by the way, both of these initiatives were ones that were kicked off in late 2016, so it's not a reaction to things like binary capital, and the problems at uper, both of which are appalling. >> Self-awareness is critical. Let's get back to the nuts and bolts of the real reason why I wanted you to come on, one was to find out how much money you have to spend for the entrepreneurs that are watching. Give us the update on the last fund, so you got a new fund that you just closed, the new fund, fund three. You have your other funds that are still out there, and some funds reserved, which, what's the number amount, how much are you writing checks for? Give the whole thesis. >> Absoluteley. So we're an early stage investor, so we lead series A and seed financing companies that change the way the world does business, so up and down the stack, a business-facing software, data-driven applications. Machine-learning and AI driven applications. >> John: But the filter is changing the way the world works? >> The way, yes, but in particularly the way the world does business. You can think of it as a business-facing software stack. We're not social media investors, it's not what we know, it's not what we're good at. And it includes security and management, and the data stack and-- >> Joe: Enterprise and emerging tech. >> That's right. And the-- >> And every crazy idea in between. >> That's right. (laughs) Absolutely, and so we're participate in or leave seed financings as most typically are half a million to maybe one and a quarter, and we'll lead series A financing, small ones might be two or two and a half million dollars at the outer edge is probably a six million dollar check. We were just opening up in the next couple of days, a thousand square feet of incubation space at world headquarters at Palo Alto. >> John: Nice. >> So Alation, Acme Ticketing and Zen IQ are companies that we invested in. >> Joe: What location is this going to be at? >> That's, near the Fills in downtown Palo Alto, 164 staff, and those three companies are ones where we effectively invested at formation and incubated it for a year, we love doing that. >> At the hangout at Philsmore and get the data. And so you got some funds, what else do you have going on? 175 million? >> So one was a $100 million fund, and then fund two was $135 million fund, and the last investment of fund two which we announced about three weeks ago was called Roadster, so it's ecommerce enablement for the modern dealerships. So Omnichannel and Mobile First infrastructure for auto-dealers. We have already closed, and had the first board meeting for the first new investment of fund three, which isn't yet announced, but in the land of computer vision and deep learning, so a couple of the subjects that we care deeply about, and spend a lot of time thinking about. >> And the average check size for the A round again, seed and A, what do you know about the? The lowest and highest? >> The average for the seed is half a million to one and a quarter, and probably average for a series A is four or five. >> And you'll lead As. >> And we will lead As. >> Okay great. What's the coolest thing you're working on right now that gets you excited? It doesn't have to be a portfolio company, but the research you're doing, thing, tires you're kicking, in subjects, or domains? >> You know, so honestly, one of the great benefits of the venture capital business is that I get up and my neurons are firing right away every day. And I do think that for example, one of the things that we love is is all of the adulant infrastructure and so we've got our friends at Victor Ops that are in the middle of that space, and the thinking about how the modern programmer works, how everybody-- >> Joe: Is security on your radar? >> Security is very much on our radar, in fact, someone who you should have on your show is Asheesh Guptar, and Casey Ella, so she's just joined Bug Crowd as the CEO and Casey moves over to CTO, and the word Bug Bounty was just entered into the Oxford Dictionary for the first time last week, so that to me is the ultimate in category creation. So security and dev ops tools are among the things that we really like. >> And bounties will become the norm as more and more decentralized apps hit the scene. Are you doing anything on decentralized applications? I'm not saying Blockchain in particular, but Blockchain like apps, distributing computing you're well versed on. >> That's right, well we-- >> Blockchain will have an impact in your area. >> Blockchain will have an impact, we just spent an hour talking about it in the context our off site in Decosona Lodge in Pascadero, it felt like it was important that we go there. And digging into it. I think actually the edge computing is actually more actionable for us right now, given the things that we're, given the things that we're interested in, and we're doing and they, it is just fascinating how compute centralizes and then decentralizes, centralizes and then decentralizes again, and I do think that there are a set of things that are fascinating about what your process at the edge, and what you send back to the core. >> As Pet Gelson here said in the QU, if you're not out in front of that next wave, you're driftwood, a lot of big waves coming in, you've seen a lot of waves, you were part of one that changed the world, Netscape browser, or the business plan for that first project manager, congratulations. Now you're at a whole nother generation. You ready? (laughs) >> Absolutely, I'm totally ready, I'm ready to go. >> Greg Sands here in The Cube in New York City, part of Big Data NYC, more live coverage with The Cube after this short break, thanks for watching. (electronic jingle) (inspiring electronic music)