Jyoti Bansal, Harness | CUBE Conversation
>>Mhm.

>>Welcome to this CUBE Conversation here in Palo Alto, California. I'm John Kerry, host of the CUBE. We've got a great, awesome conversation with the CEO and co-founder of Harness, a hot startup, Jyoti Bansal, who is the co-founder and CEO but also the co-founder of Unusual Ventures, which is a really awesome venture capital firm, doing some great work investment, but also they have great content over there for entrepreneurs and for people in the community. And of course he's also the founder of Big Labs, his playground if you're building out new applications, also well known for being the founder of AppDynamics, a super successful billion dollar exit as a startup, sold to Cisco, now doing a lot of things and driving Harness, solving big problems. So Jyoti, mouthful intro there, you've done a lot. Congratulations on your amazing entrepreneur career, and now your next, uh, next opportunity is Harness, among other things. So congratulations. Thank you for coming.

>>Thank you, John, and glad to be here.

>>You guys are solving a big problem in software delivery. Obviously software is changing the world. You're seeing open source projects increasing in order of magnitude, enterprises jumping on open source in general adoption, large scale with cloud. Software is being delivered faster than ever before, and with cloud scale and now edge, there's huge challenges around how software is deployed, managed, maintained. You got, we're talking about space too, how do you do break-fix in space, all these things are happening at a massive scale across the world. You are solving a big problem. So take a minute to explain what Harness is doing, why you guys exist, why you're jumping into this venture.

>>Sure. Yeah. You know, Harness's mission is to simplify software delivery and make it, uh, top notch for everyone.
Like if you look at, like, you know, the likes of Google and Facebook and Netflix and Amazon, these companies have mastered the process of software delivery, like, their engineers write code and the code is shipped to the end users, and they can do it like multiple times a day at their scale and, you know, at the complexity that they have. But most other businesses in the world, they all want to be software companies, but it's extremely, extremely hard for them to get there. And I saw this firsthand when I was at AppDynamics, as you know, as CEO. Last there, we were about 12, 1300 employees in the company and we had about 350 or so engineers in the company. For every 10 or 12 engineers, we had one person whose job was to write automation and scripting and tooling for trying to ship stuff, you know, uh, you know, all kind of scripting kind of stuff. We'd write scripts in Chef and Puppet and Ansible to deploy in AWS and whatnot. And, you know, one day we were doing the math, we were like, you know, we have, you know, overall about 30 people whose job was to do DevOps engineering by writing automation etc. to deploy somewhere. And I would do the math, like, you know, one engineer's cost is 200 k loaded cost, at six million a year, that you're spending six million a year just writing deployment scripting, you know, and even with that we were nowhere close to world class. Like, world class is in, like, what you would think, you could ship every day, ship on demand, you could, you know, you could deploy software, ship software, all of that, right? And that was the, you know, I looked at that as a problem inside of AppDynamics, and all they have done with customers, I would talk to, like, large banks, insurance companies and retailers and telcos, and I would hear the same challenge, like, you know, we hear about DevOps, we go to all these DevOps conferences and events and we see the same 10 companies, you know, presenting how they homegrew some kind of a DevOps system for software delivery etc.
And you know, I mean, that was like, you know, we just, we cannot survive with this, like, and as the world we need to have, uh, the right kind of platforms for software delivery and simplify this so that everyone could become as good as a Google, Netflix, Amazon etcetera. That's kind of our mission at Harness, that can we take every business in the world, you know, and in a few weeks or a few months, can we get them as sophisticated and good in terms of their tooling for software delivery as a Google, Facebook, Amazon, those kind of companies would be. And that's, that's what we're doing. So

>>It's a great ambition, and by the way it's a bold move and it's needed. I'll tell you, it's interesting. You mentioned some of those commentary about shipping code at that speed, Facebook, Google. They had that, they had, they were forced to do that, and again they have all that benefit the mainstream enterprise doesn't. But if you even go back 20 years ago, 15 years ago, that's when Amazon was born. EC2 and S3 are celebrating their 15th birthday. Software. Yeah, hyperscale has had some good moves there. But the average business went from craft, you know, waterfall, QA department, go back, a little bit slower. I won't say slow motion but manageable. Now with the speed of shipping and the speed of the scale, that's a huge issue. What kind of pressure do you see that putting on the developer, the individual, not just the system, because you got the system of development and the devil and the developers themselves.

>>I think the developers have done quite well to this. I feel like, you know, if you look at the software development part of itself, you know, the agile development has been happening for quite some time. So developers have learned how to ship things fast and, like, in a week sprint or a two week sprint or in kind of faster cycles. They have moved off from the waterfall kind of models like many years ago now.
So that's the software development side of things. Then you have the infrastructure side of things, which is the, like, can you provision infrastructure fast? Can you get hardware fast? That's the, you know, the cloud has done that well. Where the challenge is the process. The developers are writing code fast enough these days and you have the, you know, the infrastructure itself could be provisioned and maintained and changed fast enough, but how do you bring it all together, and there is the entire process around it. That's not moving fast enough. So that's where the bottleneck is. So I feel the, you know, and the process is not good. The developer experience becomes really bad because developers are waiting for the process to go and, you know, they write some code and the code is sitting on the shelf and they are waiting for things.

>>Uh, they get all pissed off and mad. What's the holdup? Why, what's the process? And then security shifting left, wait a minute, to go back and rewrite code. This is huge. I want to just get back and just nail it quickly, if you don't mind, honing in on the value proposition. What is the Harness value proposition? What is the pitch, what are you, what are you offering? What are you solving? Can you nail in on that real quick?

>>Sure. So what Harness is solving is simplifying that software delivery pipeline. So developer writes code and that code goes through a bunch of steps, so a bunch of steps which is, uh, you know, you build the code, then you, you know, test the code, you know, then you do integration tests, then you, you know, go through your security checks, then you go through compliance checks, then you go through more testing, then you're deploying in a staging environment, then you go on to do a bunch of things on it.
Then you start deploying in production environment, but in production you will deploy on, like, a small part of production, verify everything is working well, it's not working well, you'll roll it back, it's working well, then you deploy to more things. This entire process could take like weeks for people to do, and this is mostly automated, you know, in kind of, uh, you know, this kind of random scripts here and there etcetera. So we simplify the entire process, that you could describe your process in the language I just described, like, you know, in a very descriptive, declarative kind of way, like, this is the process I want to achieve, and Harness will automatically create your pipelines for this kind of process. And most of these pipelines have a lot of heavy use of intelligence and ML too, it could go from one step to another, like, so many times, like when you say, you know, deploy the code in 1% of my production environment and see everything is working well, and if everything is working well, go to the next 10%. But how do you figure out if everything is working well? And that's where the intelligence and ML comes in, like, you know, we learn what is a normal behavior of your application, how does a normal part of the code work, like, you know, what's the performance behavior, what is the functional behavior, what errors it is. And if everything is good then you go to the next step. So that entire cycle Harness automatically, uh, you know, manages and it's automated, you know, you get governance, you get, like, you know, high degree of automation, you get a high degree of, you know, security, you get high degree of, like, you know, uh, you know, quality around it. And so it's, think of like the CI/CD, as a lot of developers know this process, it's CI/CD on steroids available to you, right?
So you

>>sound like you're making it easier on the CI/CD pipeline process, standing it up, detecting it, prototyping it, if you will, for lack of a better description, get used to the pipeline and then move it out, roll it out and build your own in a way

>>that, is that what you're doing? It's like, you know, a lot of these complex CI/CD pipelines, what people need, you know, it can take them like three months, six months to put it, uh, you know, put it together. With Harness, it's like an hour, an hour, you could put it together, you know, very, very sophisticated, uh, CI/CD pipeline, and the pipeline is, you know, automated, is, you know, it's intelligent around, like, you know, what is the normal behavior of your applications. Uh, it's just so phenomenally different than how people have done CI/CD before, that we simplify the process, automate the process, you know, and make it manageable and very ready to get involved.

>>It's funny you mentioned the three weeks, weeks it could take to do the CI/CD pipeline. Of course, that doesn't factor in what happens when you roll it out, people start complaining, playing with it, breaking it, then you gotta go back and do it again. I mean, that's real and that's a real problem. I mean, can you just give a taste of the scar tissue that goes on there? What are some of the pain points that you solve?

>>Yeah. So, I think that really becomes the core of the pain point, like, you know, people need, like, high amount of dependability, easy to change things, you know, it's, we call it like the lack of intelligent automation, you know, and this heavy amount of developer toil, that the developers have to do so much work around making all of this work, like, you know, it has to be simplified.
So that's where our value prop comes in, like, you know, it's, you know, uh, you can get like a visual builder and in, like, minutes you can build out the entire process which is your job stability at city pipeline, or you could also do like a declarative YAML interface and just, like, you know, in a few lines just write up whatever process you would want, and we would review should be shipped with all kind of integrations with every cloud environment, every monitoring system, every system, every kind of testing process, every kind of security scanning, so you can just drag and drop and in minutes you're up and running. It just creates so much velocity in this entire process. And also this manageability that people have struggled with

>>Morale too. I mean, you can imagine the morale of developers goes up significantly when you start seeing that. The developer productivity has always been a big thing, but this intelligent automation conversation is huge. Some people have it, some people don't, people say they have it. How can the company figure out, uh, if someone's really got the real deal when it comes to intelligent automation, because again, automation is key in DevOps.

>>Yeah, I think I almost started, like, you know, like if you look at the generational evolution of things, like the first generation was, uh, you know, developer writes code and then they will give it to some IT admin who will go and deploy the code, run some commands and do things. Like generation two was writing scripts, that you write a lot of scripts. That was automation, but it was kind of dumb automation, and that's how we have, you know, that's where the industry is actually right now, even most of it. The third generation is when the automation is, you don't write scripts to, you know, uh, to automate things, you tell our system what you want to achieve and it generates automation for you, right? And that's what we call intelligent automation.
Where it's all declarative and you don't have to maintain a lot of, you know, scripts etcetera, because they are, you know, they can't keep up with it. You know, you have to change the process all the time and if you change the process, it doesn't work, it becomes completely, you know, uh, you know, it becomes very fragile to manage it. So that's really where intelligent automation comes in. You know, I look at, like, you know, if you can have like, uh, like you look at like a Tesla, you know, making cars, the entire assembly line is automated, but if you want to change something in the assembly line, even that process is automated and it's very simple. Right? So that's what gives them so much, uh, you know, let's say control and manageability around the manufacturing process. So the software delivery, uh, you know, assembly line, which is the software CI/CD pipeline, really should be more sophisticated and more intelligent as well now. And that's, that's an exhibition,

>>Jyoti. You're also pointing out something that we cover a lot on the CUBE and we've been writing about, is how modern software practices are changing, where this team makeup or whatever, its speed is key, but also getting data. Everyone who's successful with cloud and cloud scale, and now you got the edge opening up, and like I said, even space is going to be programmable. Everything's programmable. And the key is to get the data from the use cases, right, get something deployed, look at it, get some data and then double down and make it better. That's a modern approach, not build it and then rebuild it and tear it down and rebuild it, which you're kind of leaning into this idea of let's get some delivery going, let's structure it and then feed it more so that the developers can iterate with the pipeline, and this again can scale. Can you talk about that? Can you comment on your reaction to that?

>>Yeah, definitely.
That's exactly how we look at it. Like, you know, you, uh, you want developers to kind of, like, say they want to do a, you know, automated process to deploy in their Kubernetes infrastructure, in a matter of minutes you should be able to get started. But now it's like, you know, there's so much data that comes into it. Like, you know, you have monitoring systems like AppDynamics and you're like and Datadog, and your logging systems, your Splunk and Elastic and, you know, Sumo Logic, you have your, you know, different kind of testing systems here, your security scanning, so there's so much data in it. They're like, you know, terabytes and terabytes of data from it. So when you start doing your deployments, we could also consume all of the data and see, like, what was the impact of those deployments or code changes in each of these monitoring, testing, logging kind of systems and, you know, how the data changes, and then based on that we can learn, like, you know, what should be your ideal process and what will break in your process, and that's how the Harness platform works. That's the core of how intelligent automation works. We're expanding it now to bring a few more of the DevOps use cases into it also. Like the one is cloud cost management, because, you know, uh, you know, when we started shipping, a lot of people would tell us, like, you know, you're doing a great job helping us managing the quality, which we always were concerned about, like when we're deploying things, so, you know, security, you know, functionality etcetera. But cloud cost is a big challenge as well. You're paying like tens and tens of millions of dollars to the cloud providers. And when developers do things in an automated way, it could increase the cloud cost suddenly and we don't know what to do, how to manage that.
So that's the, you know, we introduced a new model called cloud cost management as part of the DevOps software delivery process, that every time you're shipping code we also figure out, like, you know, what's the impact on your cloud cost, you know, can we automate the, you know, uh, if there is too much impact, can we automate the, you know, the rollback around it, you know, can we stop the delivery process at that point, can we help you troubleshoot and, you know, reduce the cost down? So that's, you know, cost becomes another dimension to it. Uh, you know, then we recently just added, uh, you know, the next level, that's managing feature flags. And a lot of the time software developers are adding feature flags to, like, this feature would be given to this consumer and, like, you know, and this feature will be given to this consumer until you test it out through, uh, test kind of thing, and like, you know, what is the impact of, you know, uh, turning a feature on versus off, you know, we're bringing that into the same CI/CD pipeline. So it's kind of an integrated approach to this, uh, you know, our intelligently automated pipeline instead of these, uh, small point approaches that are just very hard to manage.

>>I mean, the level of data involved, the feature flag for instance, the great is an amazing thing because that allows you to do things that used to be extremely difficult to provision. I mean, just picking the color of an icon, for instance, this kind of blue, I mean, I was just, you hear about this, these kinds of things happening at scale and the data is pretty accurate when it comes in.
So I think that's an example of the kind of speed and agility that developers want. And the question I want to ask you though on that point, because this opens up the whole next conversation, you guys have a modern approach and so much traction and you've recently raised big rounds of funding as you go to the marketplace. You're an experienced entrepreneur and, uh, and CEO, you've seen the waves before. What's the big wave that you're on now? What's the big momentum tailwind for Harness? Is it the fact that you're creating value for developers, or is it the system that you're integrating into with the intelligence to make things smarter and more scalable? Or is it all the above? Can you just share what that story is?

>>Yeah, I think it's, it's really, really both of them. But, you know, our business case, when we go to people, we tell them, like, say, if you're, you know, 200 developers, uh, you know, we can give you the world's best software delivery tooling at the cost of half to one developer. Right? So like, you know, so which is like 44, 200 person organization at like 200 to 200 to $300,000 a year. They will get the best software delivery tooling, better than a Google, Facebook, Amazon kind of companies, very, very quickly. So our entire value prop is built on that, like, a developer experience gets much better. The productivity gets much better. Developers on an average are spending like 20-30% of the time on deployment, delivery-related toil, like unnecessary stuff that we deal with. So it's only 30% more efficiency gain for the developers. Their quality of life gets better, that they don't need to worry about, like, weekends and nights to babysit your deployments and, you know, things breaking and troubleshooting things all the time. Right? So that's a big, big value. But as a business you get much more velocity, your innovation velocity is much higher.
You know, your risk on your, you know, your consumers is much lower because your quality of, you know, how you ship becomes better. So our business case of, like, you know, at the cost of like 1-2 DevOps engineers we'll get you the best DevOps, uh, you know, tooling in the world possible. You know, it's not a hard business case for us to make, right? That's what we look at, it becomes pretty obvious for, you know, as people try our product, you know, the business case

>>you don't have to really pass the IQ test to figure this one out. Okay, everyone's happier and you have more options to scale and make more money in new opportunities, not just existing business. I mean, the feature flagging, these new features, you can build a new value and take more territory if you're a business, or whatever your objective is, so clear value. Can you give an example of some recent successes you've had or traction points that you think are notable, that people can get their arms around?

>>Yeah, definitely. Like, you know, we're helping a lot of, uh, you know, a lot of customers, you know, doing, uh, like completely changing their process of software delivery, you know, 11 recent example, uh, Nationwide Insurance, you know, Nationwide Insurance, you know, moving from their data center kind of approach to public cloud and to Kubernetes and to microservices, like a major cloud native re-architecture, and a very ambitious, aggressive project to do it, you know, in a short period of time. And Harness becomes a platform for them to kind of, you know, uh, to remove all the bottleneck around the process, the software delivery process. You know, obviously they still have to do the developer side of things and they have to do the cloud infrastructure side of things, which they're doing. But the entire process of how you bring it together, you know, Harness becomes accelerated around it.
So a lot of these kind of stories, when we kind of create this fundamental transformation for our customers, you know, uh, you know, moving to a public cloud, you know, moving to microservices, moving to Kubernetes, you know, re-architect things, but they become much faster. Cloud native higher, you know, a true software company, and, you know, I would say that's something we take a lot of pride in. I think always our biggest challenge is to evangelize and convince the market that this is possible to do with the product, because historically people have got told, like, you know, the only way you can do this kind of software delivery processes and tooling is by engineering it on your own. So everyone wants us on the path of writing their own, you know, and it's very hard for every company in the world to become very good in writing your own software delivery tooling and processes and systems, etcetera. Right? So it's, uh, and that's it. So, you know, there is still that education and evangelism that needs to be done, that, you know, there is no point in trying to do it on your own, you can get a platform that can do it all for you and you can focus on your core business of, you know, what you want to innovate on.

>>And I think the DevOps movement hasn't been pioneered and you have to hand roll everything, and that's the way it was. But now, as the mainstream market picks this up, you're standing on the shoulders of those pioneers, you are one of them. It's awesome to see this modern approach because it's really playing out in real time. Again, you've done that before, Jyoti, so it's impressive and, you know, you've seen the movie and developed and the earlier versions pre-DevOps. So, as cloud native comes and starts scaling, it's going to be for the rest of us. So, great, great that you're providing the platform and the tools and software.
I got to ask you, if you don't mind, because a lot of people are looking at ways for modern approaches to organizing their teams, how would you define the modern DevOps movement? You look at DevOps 1.0, we got here. Okay, cloud, cloud native, cloud scale, modern applications, pipelining. Now we're looking at a whole another level of confluence of, uh, of integration and speed. How would you define the modern DevOps movement?

>>Yeah, I think that's a very good question. I think that the core of modern DevOps, what I would call DevOps 2.0, to me is developer self-service. It was like the first generation of DevOps was they create this kind of a DevOps team and then the developers will give all the, you know, delivery related stuff to that DevOps team, and the DevOps team starts to become a bottleneck everywhere now. Like, the DevOps team's job is to build a CI pipeline and the CD pipeline and the deployment scripts and, you know, do like, you know, you want to do a canary deployment, they have to figure it out how to do it, they have to do, like, you know, uh, you know, all sort of things that need to be done. You create a central DevOps team and you give it to them and they become, like, you know, uh, become a big bottleneck. We look at the modern DevOps, or the next generation of DevOps, has to be done around focusing on the developer experience and making it all self-service for the developers. So you have, let's say you are definitely in for a microservice and it's like, you know, 57 engineers, you know, modeling a microservice, you want like that they can go and say this is for our microservice, you know, in a matter of minutes or hours they can engineer the process without having to lean on a central DevOps team to do all the work for them, and that's, you know, by maybe a modeler or in some kind of YAML interface or something.
That's very easy for them, their experience is so easy that they can manage it themselves without the central DevOps team having to write it all or code it all and manage it all. But at the same time the central DevOps team's job becomes a bar and governance, that can they define the guardrails, that they can define the guardrails on, like, you know, you have to have this level of security before something goes into production, you have to have this level of quality before something goes into production, you have to have, like, you know, uh, your cost could not be more than this, right? So in this instance, instead of the central DevOps team doing all the work themselves on writing all the stuff, they define the guardrails and it becomes a very easy self-service experience, the developers should do things within those guardrails. This is what the modern never actually,

>>that's awesome, and also accelerate more business value. And you're nailing it, Jyoti, thank you for coming on, and great. Uh, the CEO on the CUBE, CEO and co-founder, Harness, harness dot IO. You guys got free trials, free downloads. You got a great, uh, buy as you go model also. Um, you're an entrepreneur at heart. Uh, co-founder of Unusual Ventures, Big Labs, AppDynamics. Now Harness. Congratulations. Thanks for coming on.

>>Hey, thank you, John.

>>Okay, this is a CUBE Conversation. I'm John for here in Palo Alto, California with the CUBE. Thanks for watching.
LIVE Panel: FutureOps: End-to-end GitOps
>>And hello, we're back. I've got my panel and we are doing things real time here. So sorry for the delay, a few minutes late. So the way let's talk about things, the reason we're here and we're going around the room and introduce everybody. Got three special guests here. I got my Ive or, my John and the Nirmal. And we're going to talk about GitOps. I called it FutureOps just because I want to think about what's the next thing for that. At the end, we're gonna talk about what our ideas for what's next for GitOps, right? Um, because we're all starting to just get into GitOps now. But of course a lot of us are always thinking about what's next? What's better? How can we make this thing better? So we're going to take your questions. That's the reason we're here, is to take your questions and answer them. Or at least the best we can for the next hour. And all right, so let's go around the room and introduce yourself. My name is Brett. I am streaming from Brett from that. From Brett. From Virginia Beach in Virginia Beach, Virginia, United States. Um, and I talk about things on the internet, I sell courses on Udemy that talk about Docker and Kubernetes. Ive or, introduce yourself. >>How's it going, everyone? I'm a software engineer at Axel Springer, currently based in Berlin, and I happen to be Brett Brett's teaching assistant. >>All right, that's right. We're in, we're in our courses together almost every day. Mm, John. >>Hey everyone, my name is John Harris, I used to work at Docker, um, I now work at VMware as a staff field engineer. Um, so yeah. >>And Nirmal. >>Awesome, by the way, you are streaming from Brett Brett, >>I answered from breath to breath. >>Um, I'm Nirmal Mehta. I'm a distinguished engineer with Booz Allen and I'm also a Docker Captain, and it's good to see either in person and it's good to see you again, John, it's been a little while. >>It has. The pre-COVID times, right? You're up here in Seattle. >>Yeah. It feels, it feels like an eternity ago.
>>Yeah, John's shirt looks red and reminds me of the Austin T-shirt. So I was like, yeah, so we all, we all have like this old limited edition Docker on E. >>T. That's a, that's a classic. >>Yeah, I scored that one last year. Sometimes with these old conference shirts, you have to like go into people's closets. I'm not saying I did that. Um, but you know, you have to go steal stuff, you have to find ways to get the swag. >>Post, post-COVID, if you ever come to my place, I'm going to have to lock the closets. That >>that's right, that's right. >>So the second, I think it was the second floor of the Docker HQ in San Francisco was where they kept all the T-shirts, just boxes and boxes and boxes, floor to ceiling. So every time I went to HQ you just, you just as many as you can fit in your luggage. I think I have about 10 of these. You >>bring an extra piece of luggage just for your, your shirt, shirt grab. Um, all right, so I'm going to start scanning questions, uh, so that you don't have to, you can, you help, you all are welcome to do that. And I'm going to start us off with the topic. Um, so let's just define the parameters. Like we can talk about anything DevOps and here we can go down plenty of rabbit holes. But the kind of, the goal here is to talk about GitOps, and GitOps, if you haven't heard about it, is essentially, uh, using versioning systems like Git, like we've all been getting used to as developers, to track your infrastructure changes, not just your code changes, and then automate that with a bunch of tooling so that the robots take over. And essentially you have Git as a central source of truth and then git log as a central source of history, and then there's a bunch of magic little bits in the middle and then supposedly everything is wonderful. It's all automatic. The reality is, it's often quite messy, quite tricky to get everything working. And, uh, the edges of this are not perfect. Um, so it is a relatively new thing.
It's probably three, maybe four years old as an official thing from Weave. Uh, so we're gonna get into it and I'll, let's go around the room in the same order we did before and, um, not to push on that, put you on the spot or anything. But what is, what is one of the things you either like or either hate about GitOps, um, that you've enjoyed either using it or, you know, whatever. For me, I really, I really love that I can point people to a repo that basically is, hopefully if they look at the log, a tracking, simplistic tracking of what might have changed in that part of the world or the environment. I remember many years past where, you know, I've had executive or some mid-level manager wants to see what the changes were, or someone outside my team went to see what we just changed. It was, okay, they need access to this system and to that dashboard and that spreadsheet and then this thing, and it was always so complicated, and now in a world where if we're using GitHub or Bitbucket or whatever, where you can just say, hey, go look at that repo, if there was three commits today, probably three changes happened. That's, I love that particular part about it. Of course it's always more complicated than that. But, um, Ive or, I know you've been getting into this stuff recently. So, um, any thoughts? Yeah, I think >>my favorite part about GitOps is >>reproducibility. Um >>you know, the ability to just test something and get it up and running >>and then just tear it down. >>Uh, not >>being worried that, how did I configure it the first time? I think that's my favorite part about >>it. I'm changing your background as we do this. >>I was going to say, did you just do a GitOps push to, like, change his >>background, just a dialogue that different for that green screen equals false? Uh, change the background. Yeah, I mean, um, and I mean I think last year was really my first year of actually using it on anything significant, like a real project.
Um, so I'm still, I still feel like I'm very new to. John, you, anything? >>Yeah, it's weird, GitOps is that thing which kind of crystallizes maybe better than anything else the grizzled veteran life cycle of emotions with the technology, because I think it's easy to get super excited about something new. And when I first looked into GitOps, so I think this is even before it was probably called GitOps, we were looking at like how to use Git as source of truth, like everything sounds great, right? You're like, wait, Git, everyone knows Git, Git's the source of truth, there's a load of robust tooling. This just makes sense. If everything dies, we can just apply the Git again, that would be great. Um, and then you go through like the trough of despair, right? We're like, oh no, none of this works. The application is super stateless if this doesn't work and what do we do with secrets and how do we do this? Like how do we get people access in the right place, and then you realize everything is terrible again, and then everything, it equalizes and you're kind of, I think, you know, it sounds great on paper and there were absolutely fantastic things about it, but I think just having that measured approach to it, like it's, you know, I think when you put it best in the beginning where you do A and then there's a magic and then you get C. Right, like it's the magic, which is >>the magic is the mystery, >>right? >>Magic can be good and bad and in tech, so >>very much so. Yeah, so, um, concurrence with, with John and ever, uh, in terms of what I like about it is the potential to apply it to moving security to the left and getting closer to a more stable infrastructure as code with respect to the whole entire environment. Um, and, uh, and that reconciliation loop, it reminds me of what, what is old is new again? Right?
Well, quote unquote old, um, in terms of like Chef and Puppet and that, the reconciliation loop applied in a, in a more, uh, in a cleaner interface and, and into the infrastructure that we're kind of used to already, once you start really digging into Kubernetes. What I don't like, and just this is in concurrence with the other panelist, is it's relatively new. It has, um, so it has a learning curve and it's still being, you know, it's a very active, um, environment and community, and that means that things are changing and constantly and there's like new ways and new patterns as people are exploring how to use it. And I think that trough of despair is typically figuring out incrementally what it actually is doing for you and what it's not going to solve for you, right, John, so like that's that trough of despair for a bit, and then you realize, okay, this is where it fits potentially in my architecture, and like anything, you have to make that trade-off and you have to make that decision and accept the trade-offs for that. But I think it has a lot of promise for, for compliance and security and all that good stuff. >>Yeah. It's like, it's like the potentials, there's still a lot more potential than there is, uh, reality right now. I think it's like, I feel like we're very early days and the idea of, especially when you start getting into tooling that doesn't appreciate GitOps, like you're using a GitOps tool and use something else and that tool has no awareness of the concept, so it doesn't flow well with all of the things you're trying to do in Git, um, uh, things that aren't state based and all that. So this is going to lead me to our first question from Camden, asking dumb questions by the way. No dumb questions here. Um, how is GitOps not just another name for CD? Anybody want to take that as an answer, as a question. How is GitOps not just another name for CD? I have things but we can talk about it. I >>feel like we need Viktor Farcic here. Yeah, sure he would have opinions.
Yeah, >>I think it's a very, yeah. One person replied, said it's a very specific, it's an opinionated version of CD. That's a great, that's a great answer like that. Yeah. >>It's like an implement, it's, it's an implementation of deployment if you want it, if you want to use it for that. All right. I realize now it's kind of hard in terms of a physical panel and a virtual panel to figure out who on the panel is gonna, you know, ready to jump in to answer a question. But I'll take it. So, um, I'll, um, I'll do my best inner Viktor and say, you know, it's, it's an implementation of CD. And it's, it's a choice, right? It's, one can just still do docker build and docker pushes and docker pulls and that's fine. Or use other technologies to deploy containers and pods and change your, your Kubernetes infrastructure. But GitOps is a different implementation, a different method of doing that same thing at the end of the day. Yeah, >>I like it. I like >>it, and I think that goes back to your point about, you know, it's kind of early days still. I think to me what I like about GitOps in that respect is it's nice to see Kubernetes become a platform where people are experimenting with different ways of doing things, right? And so I think that encourages like lots of different patterns, and overall that's going to be a good thing for the community because then more, you know, and not everything needs to settle in terms of only one way of doing things, but a lot of different ways of doing things helps people fit, you know, the tooling to their needs, or helps fit Kubernetes to their needs, etcetera.
Yeah, >>um, I agree with that, the, so I'm gonna, since we're getting a load of good questions, so, um, one of the, one of the, one of the, I want to add to that real quick that one of the, uh, from the Weave people themselves, because I've had some on the show, and one of things that I look at it is distinguishing is with continuous deployment tools, I sort of think that it's almost like previous generation and, uh, continuous deployment tools can be anything, like we would consider Jenkins CD, right, if you, if you had an association to a server and do a docker pull and, you know, docker up or docker compose up rather, or if it did a kubectl apply, uh, from, you know, inside an SSH tunnel or something like that, was considered, considered CD. Well, GitOps is much more rigid, I think, in terms of, um, you, you need to apply, you have a specific repo that's all about your deployments, and because of what tool you're using, and that one, your commit to a specific repo or in a specific branch of that repo, depends on how you're setting it up. That is what kicks off a workflow. And then secondly, there's an understanding of state. So a lot of these tools now have, uh, reconciliation where they, they look at the cluster and if things are changing they will actually go back into Git and the robots will take over and will commit that. Hey, this thing has changed, um, and you, maybe you, human, didn't change it, something else might have changed it. So I think that's where GitOps is approaching it, is that, ah, we, we need to, we need to consider more than just a couple of commands that'd be running in a script. Like there needs to be more than that for a GitOps repo to happen. Anyway, that's just kind of the, the take back, the takeaway I took from a previous conversation with some people, um >>we've I don't think that lost, its the last piece is really important, right? I think like for me, CD, like CI/CD, they're more philosophical ideas, right, a set of principles, right?
Like getting an idea or a code change to environments, promoting it. It's very kind of pipeline driven, um, and it's very imperative driven, right? Like our existing CD tools, or a lot of the ways that people think about CD, it would be triggered by an event, maybe a code push, and then these other things are happening in sequence until they either fail or pass, right? And then we're done. GitOps is very much sitting on the, you know, the reconciliation side, it's changing to a pull-based model of reconciliation, right? Like it's very declarative, it's just looking at the state and it's automatically pulling changes when they happen, rather than this imperative trigger-driven model. That's not to say that there aren't CD tools which are doing pull based, or you can do pull based, or GitOps is doing anything creatively revolutionary here, but I think that's one of the main things that the ideas that are being introduced into those, like existing C kind of tools and pipelines, um, certainly the pull-based model and the reconciliation model, which, you know, has a lot in common with Kubernetes and how those kind of controllers work, but I think that's the key idea. Yeah. >>Um, this is a pretty specific one. Tory asks, does anyone have opinions about GitOps in a monorepo? This is like, this is getting into religion a little bit. How many repos are too many repos? How, um, any thoughts on that? Anyone, before I rant, >>go >>for it, go for it? >>Yeah. How I'm using it right now in a monorepo, uh, so I'm using GitHub. Right, so you have, what, the workflow, and then inside a workflow YAML file, I'll >>track the >>actual changes to the workflow itself, as well as a folder, which is basically some sort of service in a monorepo, so if any of those things changes, it'll trigger the actual pipeline to run. So that's like the simplest thing that I could figure out how to, you know, get it set up using, um, GitHub's, uh, workflow path feature. Yeah.
And it's worked for me for writing, you know? That's, yeah. >>Yeah, the, a lot of these things too, like the monorepo discussion will, it's very tool specific. Each tool has various levels of support for branch, branching and different repos and subdirectories, are looking at the diffs to see if there's changes in that specific directory. Yeah. Sorry, um, John, you're going to say something, >>I was just going to say, I've never really done it, but I imagine the same kind of downsides of monorepo to multiple repos would exist there. I mean, you've got the blast radius issues, you've got, you know, how big is the monorepo? Do we have to pull, does the tool have to pull that or cache it every time it needs to determine diff, so what is the support for being able to just look at directories versus, you know, I think we can get way down into a deeper conversation. Maybe we'll save it for later on in the conversation about what we're doing GitOps, how do we structure our Git repos? We have super granular repo per environment, per-app repo, per cluster, repo per whatever, or do we have directories per environment or branches per environment? How, how is everything organized? I think it's, you know, it's going to be one of those, there's never one size fits all. I'll give the classic consultant, like, "it depends" answer. Right? >>Yeah, for sure. It's very similar to the code struggle because it depends. >>Right? >>Uh, yeah, it's similar to the, to the code problem of teams trying to figure out how many repos for their code. Should they micro service, should they? Semi micro service, macro service. Like, I mean, you know, because too many repos means you're doing a bunch of repo management, a bunch of changes on your local system, you're constantly git pulling all these different things and, uh, but if you have one big repo then it's, it's a, it's a huge monolithic thing that you usually have to deal with.
Path-based issues of tools that only need to look at a specific directory and, um, yeah, it's a, it's a culture, I feel like, yeah, like I keep going back to this, it's a culture thing. Does your, what is your team prefer? What do you like? What, um, what's painful for everyone and who's, what's the loudest pain that you need to deal with? Is it, is it repo management? That's the pain, um, or is it, uh, you know, is that, that everyone's in one place and it's really hard to keep too many cooks out of the kitchen, which is a monorepo problem, you know? Um, how do we handle security? So this is a great one from Tory again. Another great question back to back. And that's the first time we've done that. Um, security as it pertains to GitOps. Anyone who can commit can change the infrastructure. Yes. >>Yes. So the tooling that you have for your Git repo and the authentication, authorization and permissions that you apply to the Git repo using a Git server like GitHub or GitLab or whatever your flavor of the day is, is going to be how security is handled with respect to changes in your GitOps configuration repository. So, um, that is completely specific to your implementation of that, or one's implementation of, of how they're handling that, the Git repositories that the GitOps tooling is looking at to reconcile changes. With respect to the permissions of the, for lack of better term, robot itself, right, the GitOps tooling like Flux or Argo CD, um, one would, would create a user or a service account or, uh, other kind of authentication measures to limit the permissions for that service account that the GitOps tooling needs to be able to read the repos and, and send commits, etcetera. So that is well within the realm of what you have already for your, for your Git, your Git, um, repo. Yeah. >>Yeah.
A related question is from a g, what they like about GitOps, if done nicely, for a newbie, it's you can get stuff done easily, if you, what they dislike about it is when you have too many Git repos it becomes just too complicated, and I agree. Um, was making a joke with a team the other week that, you know, the developer used to just make one commit and they would pass, pass it on to a QA team that would then eventually merging into master. But they made the commits to these feature branches or whatever. But now they make a commit, they make a PR there for their code, then they go make a PR in the Helm chart to update the thing to do that, and then they go make a PR in the GitOps repo for Argo. And so we talked about that, they're probably like four or five PRs just to get their code in the production. But we were talking about the negative of that, but the reality was, it's just five or four or five PRs, like it wasn't five different systems that had five different methodologies and tooling and that. So I looked at it, I was like, well yeah, that's kind of a pain in the Git sense but you're also dealing with one type. It's a repetitive action but it's, it's the one thing, I don't have to go to five different systems with five different ways of doing it. And one's in the web and one's on the client, one's a command line that I don't remember. Um, yeah, so it's got pros and cons. I think when you >>I think when you get to the scale where those kind of issues are a problem then you're probably at the scale where you can afford to invest some time into automation into that. Right? Like what I've, when I've seen this in larger customers or larger organizations, if they're ever at that stage where, okay, apps are coming up all the time. You know, there's a 10x, 100x developer to operations folks who may be creating Git repos, setting up permissions, then that stuff gets automated, right? Like, you know, maybe ticket-based systems or whatever. Developers say I need a new app.
It templates things, or more often using the same model, right, of reconciliation and operators and the horrific abuse of CRDs that we're seeing in the Kubernetes community right now. Um, you know, developers can create a CRD which just says, hey, I'm creating a new app, it's called app A, and then a controller will pick up that app A definition. It will go create a Git repo programmatically, it will add the right definitely will look up and held up the developers and the permissions that need to be able to get to that repo, it will create and template automatically some namespace in the clusters that it needs, in the environments that it needs, depending on, you know, some metadata it might read. So I think, you know, those are definite problems and they're definitely like a teething, growing pain thing. But once you get to that scale, you kind of need to step back and say, well look, we just need to invest in time into the operational aspect of this and automating this pain away, I think. Yeah, >>yeah. And that ultimately ends in, yeah, custom tooling, which it's hard to avoid it at scale. I mean, there's, there's two, there's almost two conversations here, right. There is what I call the Solo admin, Solo DevOps, I bought that domain Solo devops dot com because, you know, whenever I'm talking at DockerCon in the real world, it's like I asked people to raise hands, I don't know how we can raise hands here, but I would ask people to raise hands and see how many of you here are the sole person responsible for deploying the app that your team makes, and like a quarter of the room would raise their hand. So I call that solo DevOps, like those, that person can't make all the custom tooling in the world. So they really need Docker-like solutions where it's opinionated, the workflow is sort of built in and they don't have to wrangle things together with a bunch of glue, you know, in other words bash.
Um, and so this kind of comes to a conversation, uh, starting this question from Lee, he's asking how do you combine GitOps with CI/CD, especially the continuous bit. How do you avoid having a human, uh, sort of the complaint the team I was working with has, how do you avoid a human editing and git committing for every single deploy? They've settled on customized templates and a script for routine updates. So as a seed for this conference, this question, I'm gonna ask you all, uh, instead of that specific question, cause it's a little open ended. Um, tell me whether you agree with this. I, I kind of look at the image, the image artifact, because the Docker image or container image in general is an artifact, that I, I view it that way, and that thing going into the registry with the right label or right part of the label. Um, that tag rather, not the label but the tag, that to me is like one of the great demarcation points of, we're kind of done with CI and we're now into the deployment phase, and it doesn't necessarily mean the tooling is a clear cut there, but that artifact being shipped in a specific way or promoted as we sometimes say. Um, what do you think? Does anyone have opinions on that? I don't even know if that's the right opinion to have, so, mhm. >>So, um, I think what you're, what you're getting at is that GitOps models can trigger off of different events, um, to trigger the reconciliation loop. And one way to do that is if the image, if it notices an image change in the registry, the other is if there's a commit event on a specific repo and branch, and it's up to you, or up to the person that's implementing their GitOps model, what event to trigger there, that reconciliation loop off of. You can do both, you can do one or the other. It also depends on the templating engine that you're using on top of, um, on top of Kubernetes, such as Helm or, um, you know, the other ones that are out there, or if you're not even doing that, then, you know, straight
YAML. Um, so it kind of just depends, but those are the typically the two options one has and a combination of, of those to trigger that event. You can also just trigger it manually, right? You can go into the command line and force a, a, you know, a really like a scan or a new reconciliation loop to occur. So it kind of just, I don't want to say this, but it depends on what you're trying to do and what makes sense in your pipeline. Right? So if you're, if you're set up where you are tag, if you're doing it based off of image tags, then you probably want to use GitOps in a way that you're using the image tags. Right. And the pattern that you've established there, if you're not really doing that and you're more around, like, different branches are mapped to different environments, then trigger it off of the correct branch. And that's where the permissions also come into play. Where if you don't want someone to touch production and you've got your GitOps for your production cluster based off of like, uh, you know, a main branch, then whoever can push a change to that main branch has the authority to push that change to production. Right? So that's your authentication and permissions, um, system, same for the registry itself. Right. So >>Yeah. Yeah. Sorry, anyone else have any thoughts on that? I was about to go to the next topic, >>I was going to say, I think certain tools dictate the approach, like, if you're using Argo CD it's, I think, I'm, correct me if I'm wrong, but I think the only way to use it right now is just through image modification. Like, the manifest changes, it looks at a specific directory and anything changes then it will do its thing. And, uh, synchronize the cluster with whatever's in Git. >>Yeah, Flux has both. Yeah, and Flux has both. So it, it kind of depends. I think you can make Argo do that too, but, uh, this is back to what we were saying in the beginning, uh, you know, these things are changing, right?
So that might be what it is right now in terms of triggering the reconciliation loops and GitOps tooling, but there might be other events in the future that might trigger it, and it's not completely stand-alone because you still need your tooling to do any kind of testing or whatever you have in terms of like the specific pipeline. So oftentimes you're bolting in GitOps into some other part of broader CI/CD solution. That makes sense. Yeah, >>we've got a lot of questions about secrets or people that are asking about secrets. >>So my, my tongue-in-cheek answer to the secrets question was, what's the best practices for Kubernetes secrets? That's the same thing for secrets with GitOps. Uh, GitOps is not, last time I checked and last time I was running this stuff, GitOps is not, has nothing to do with secrets in that sense. It's just there to get your stuff running on Kubernetes. So, um, there's probably a really good session on secrets at DockerCon. I >>would agree with you, I agree with you. Yeah, I mean, GitOps tools, I mean every, every project of mine handles secrets differently. Uh huh. And I think, I'm not sure if it was even when I was talking to, but talking to someone recently that I'm very bullish on GitHub Actions, I love GitHub Actions, it's not great for deployments yet, but we do have this new thing in GitHub, environments, I think it's called. So it allows me at least to store secrets per environment, which it didn't have the concept of that before, which, you know, if you, if any of you running Kubernetes out there, you typically end up, when you start running Kubernetes, you end up with more than one Kubernetes, like you're going to end up with a lot of clusters at some point, at least many, multiple, more than two.
Um, and so if you're trying to store secrets somewhere, you do have, and there's a discussion happening in chat right now where people are talking about, um, Sealed Secrets, which if you haven't heard of that, go look that up and just be versed on what Sealed Secrets is because it's a, it's a fantastic concept for how to store secrets in the public. Um, I love it because I'm a big PKI nerd but, um, it's not the only way and it doesn't fit all models. So I have clients that use AWS secrets because they're in AWS, and then they just have to use the Kubernetes external secret. But again, like, like, like Nirmal said, you know, it's, that doesn't really affect GitOps, GitOps is just applying whatever Helm charts or YAML or images that you're, you're, you're deploying. GitOps was more about the approach of when the changes happen and whether it's a push or pull model like we're talking about and, you know, >>I would say there's a bunch of prerequisites to GitOps, secrets being one of them, because the risk of you putting a secret into your Git repo if you haven't figured out your Kubernetes secrets architecture and start diving into GitOps is high, and removing secrets from Git repos is, you know, could be its own industry, right. It's >>a thing, >>how do >>I hide this? How do I obscure this commit that's already now on a dozen machines. >>So there are some prerequisites in terms of when you're ready to adopt GitOps, I think, is the right way of saying the answer to that, secrets being one of them. >>I think the secrets was the thing that made me, you know, like two or three years ago made me kind of see the aha moment when it came to GitOps, which, which was that the premier thing that everyone used to say about GitOps, about why it was great, was it's the single source of truth. There's no state anywhere else. You just need to look at Git. Um, and then secrets made me realize, along with a bunch of other things down the line, that is not true and will never be true.
So as soon as you can lose the dogmatism about everything is going to be in Git, it's fantastic. As long as you've understood everything is not going in Git. There are things which will absolutely never be in Git, some tools just don't deal with that. They need to own their own state, especially in Kubernetes, some controllers own their own state. You know, cuz Sealed Secrets and, and other projects like SOPS, and I think there are two or three others. That's a great way of dealing with secrets if you want to keep them in Git. But you know, projects like Vault, more kind of like what I would say, production-grade secret strategies. Right? And if you're in AWS or a cloud, you're more likely to be using their secrets. Your secret policy is maybe not dictated by you, in large organizations might be dictated by CSO or security or Great. Like I think once, if you, if you're trying to adopt GitOps or you're thinking about it, get the dogmatism of Git as a single point of truth out of your mind and think about GitOps more as a philosophy and a set of best practice principles, then you will be in much better stead, >>right? Yeah. >>People are asking more questions in chat, like infrastructure as code plus CD, essentially GitOps, or CI rather, um, these are all great questions and a part of the debate, I'm actually just going to throw up on screen. I'm gonna put this in chat, but this is, this is to me the source, right? So Weaveworks, when they coined the term. We, a lot of us have been trying to get, if we talk about the history for a minute and then tell me if I'm getting this right. Um, a lot of us were trying to automate all these different parts of the puzzle, but a lot of them, they, some things might have been infrastructure as code.
Some things weren't, some things were sort of like settings is coded, like you're going to Jenkins and type in secrets and settings or type in a certain thing in the settings of Jenkins, and then that, it wasn't really in Git. And so what Weave was trying to go for was a way to have almost like eventually a two-way state understanding where Git might change your infrastructure, but then your infrastructure might also change and needs to be reflected in Git if Git is trying to be the single source of truth. Um, and like you're saying, the reality is that you're never gonna have one repo that has all of your infrastructure in it, like you would have to have, you have to have all your Terraform, anything else you're spinning up. Right. Um, but anyway, I'm gonna put this link in chat. So this guide actually, uh, one of the things they talk about is what it's not, so it's, it's kind of great to read through the different requirements, and like what I was saying a while ago, um, mhm. Having, having CI, having infrastructure as code and then trying a little bit of continuous deployment out, it's probably a prerequisite for GitOps. So it's hard to just jump into that when you don't already have infrastructure as code, because a machine doing stuff on your behalf, it means that you have to have things documented and somewhere in a Git repo. But let me put this in the, in the >>chitty chat. I would like to know if the other panelists agree, but I think GitOps is, okay, I would say it's a moderate level, it's not a beginner level Kubernetes thing, it's like a moderate level, advanced, a little bit more advanced level. Um, one can start off using it, but you definitely have to have some prereqs in place or some understanding of like a pattern in place. Um, so what do the other folks think about that opinion? >>I think if you're, if you're trying to use GitOps before you know what problem you have, you're probably gonna be in trouble. Right.
It's like having a solution to a problem you don't have yet. Mhm. Right. I mean, if, if you're just Iver and you're just typing kubectl apply, you're one person, right, GitOps doesn't seem like a big, a big jump, like, I mean, it doesn't, like, why would I do that? I'm just, I'm just gonna, instead of typing git commit, right, I'm typing kubectl apply. But I think one of the rules from Weave is none of your developers and none of your admins can have kubectl access to the cluster, because if you can't, if you do have access and you can just apply something, then that's just infrastructure as code. That's just continuous deployment, that's, that's not really GitOps. Um, GitOps implies that the only way things get into the cluster is through the GitOps, Git automation that you're using with, you know, Flux, Argo, we haven't talked about, what's the other one that Viktor Farcic talks about. By the way, people are asking about Viktor, because Viktor would love to talk about this stuff, but he's in my next live, so come back in an hour and a half or whatever and Viktor is going to be talking about sysadminless with me. Um >>you gotta ask him nothing but GitOps questions in the next, >>confuse them, confuse them. But anyway, that, that, that's, um, it's hard, it's hard to understand, and without having tried it, I think conceptually it's a little challenging. >>One thing with GitOps, especially based off the Weaveworks blog post that you just put up on there: it's an opinionated way of doing something. Uh, you know, it's an opinionated way of, of delivering changes to an environment, to your Kubernetes environment. So it's opinionated. We're often not used to seeing things that are very opinionated in this sense, in the, in the ecosystem, but GitOps is an opinionated thing. It's, it's one way of doing it.
Um, there are ways to change it and, like, there are options, um, like what we were talking about in terms of the events that trigger, but the way that it's structured is an opinion, opinionated way, both from like a tooling perspective, like using Git etcetera, but also from a DevOps cultural perspective, right? Like you were talking about not having anyone access kubectl and changing the cluster directly. That's a philosophical opinion that GitOps forces you to adopt, otherwise it kind of breaks the model. And, um, I just, I want everyone to just understand that. That is very opinionated in that sense. Yeah, >>Pulumi is another thing. Infrastructure as code. Um, someone's mentioning Pulumi in chat. I just had actually, my live show, self plug, bret.live, go there. I'm on YouTube every week. I did the same thing. These, these are my friends, um, and had Pulumi on two weeks ago, uh, last week, remember, uh, and it was in the last couple of weeks, and we talked about their infrastructure as code solution. We're actually writing code instead of, um, oh, that's an interesting take on, uh, developer team sort of owning, coding the infrastructure through code rather than YAML as a data language. I don't really have an opinion on it yet because I haven't used it in production or anything in the real, real world, but, um, I'm not sure how much they are applying, trying to go towards the GitOps stuff. I will do a plug for Solomon Hykes, who has a, the beginning of the day, it's already happened so you can go back and watch it. It's a, it's a, what's it called? CUE. Rethinking application delivery with CUE and BuildKit. So go look this up. This is the, the co-founder of Docker and former CTO, Solomon Hykes, at the beginning of the day. He has a tool called Dagger. I'm not sure why the title of the talk is delivering with CUE and BuildKit, but the tool he's showing off in there for an hour is called Dagger.
And it's, it's an interesting idea on how to apply a lot of this opinionated automated stuff to, uh, to deployment, and it's GitOps-based and you use CUE language. It's a graph language. I watched most of it and it was a really interesting take. I'm excited to see if that takes off and if they try that, because it's another way that you can get a little bit more advanced with your, your Git deployments and without having to just stick everything in YAML, which is kind of what we're in today with Helm charts and whatnot. All right. More questions about secrets, I think. I think we're not going to have a whole lot of more, a lot more about secrets. Basically, uh, put secrets in your cluster to start with, in Kubernetes, in encrypted, you know, thing. And then, you know, as it gets harder, then you have to find another solution. When you have five clusters, you don't wanna have to do it five times. That's when you have to go for Vault and AWS secrets and all >>that. Right? I'm gonna post it note. Yeah. Crm into the cluster. Just kidding. >>Yes, there are recordings of this. Yes, they will be later. Uh, because we're, that, these are all gonna be on YouTube later. Um, yeah, detect-secrets, cushion saying detect-secrets or GitGuardian are absolute requirements. I think it's in reference to your secrets comment earlier. Um, Camel's asking about Kubernetes dropping support for Docker. This is not the place to ask for that, but it, it is, uh, basically it's a non-event. Mirantis has actually just created that same plugin, available in a different repo. So if you want to keep using Docker and Kubernetes, you know, you can do it, like it's no big deal. Most of us aren't using Docker in our Kubernetes anyway, so we're using like containerd or whatever is provided to us by our provider. Um, yeah, thank you so much for all these comments. These are great, people helping each other in chat. I feel like we're just here to make sure the chat's available so people can help each other.
>>I feel like I want to pick up on something when you mentioned Pulumi. I think there's a, um, we're talking about GitOps, but I think in the original, like the origination of that, I guess, was deploying applications to clusters, right, picking up deployment manifests. But I think with Pulumi and, obviously, Terraform and things have been around a long time, folks are starting to apply this. I think I found one earlier which was like, um, Kubestack, the Terraform GitOps framework. Um, but also with the advent of things like Cluster API, um, in the Kubernetes space, where you can declaratively build the infrastructure for your clusters and build the cluster, right? We're not just talking about deploying applications. The Cluster API will talk to AWS, spin up VPCs, spin up machines, you know, will do the same kind of things that Terraform does and, and those other tools do. I think applying GitOps principles to the infrastructure spin-up, right, the proper infrastructure as code stuff, constantly applying Terraform, um, you know, plans and whatever, constantly applying Cluster API resources, spinning up stuff in those clouds, that's a super interesting, um, you know, extension of this area. I'd be curious to see what the folks think about that. >>Yeah, that's why I picked this topic as one of my three. Uh, I got, I got to pick the topics. I was like, the three things that are like the most bleeding edge, exciting. Most people haven't, we haven't, basically we haven't figured all this out yet, we as an industry, so, um, it's, I think we're gonna see more ideas on it. Um, what's the one with the popsicle as the, as the icon, Viktor talks about all the time? It's not, it's another GitOps-like tool, but it's, um, it's GitOps for, you use this Kubernetes limit and then, we have to look it up, >>You're talking about Crossplane. >>So >>my >>wife is over here with the sound effects and the first sound effect of the day that she chooses to use is one.
>>All right, can we pick it? Let's, let's find another question, Brett. >>I'm searching >>so many of them. All right, so, uh, I think one really quick one is, is GitOps only for Kubernetes? I think the main two, tooling, two tools that we're talking about are Argo CD and Flux, and they're mostly geared toward Kubernetes deployments, but there's a, it seems like they're organized in a way that there's a clean abstraction with respect to the agent that's doing the deployment and the tooling that, that it can interact with. So I would imagine that in the future, and this might be true already right now, that GitOps could be applied to other types of deployments at some point in the future. But right now it's mostly focused and treats Kubernetes as a first class citizen, or the tooling on top of Kubernetes, let's say something like Helm, as a first class citizen. Yeah, to Brett, >>to me the field, back to you Brett. The thing I was looking for is Crossplane. So that's another tool. Um, Viktor has been, uh, sharing a lot about it on YouTube. Crossplane, and that is basically, runs inside Kubernetes, but it handles your other infrastructure besides your app. It allows you to, like, GitOps your AWS stuff by using the Kubernetes state engine as a, as a way to manage that. And I have not used it yet, but he does some really great demos on YouTube. So people are liking this idea of GitOps, so they're trying to figure out how do we, how do we manage state? How do we, uh, because the problem with Terraform is that, well, there's many problems, but it's always a lot of problems, but in the GitOps world it's not quite the right fit yet. It might be, but you still, it's still largely as expected for people to, you know, like type the command, um, and it keeps state locally the ss, clouds and all that. And, but the other thing is, I'm, I'm now realizing that when I saw the demo from Solomon, I'm going back to the Solomon Hykes thing.
He was using the demo and he was showing it apply, deploying something on S3 buckets, employing internet wifi and deploying it on Google, other things beyond Kubernetes, and saying that it's all GitOps approach. So I think we're just at the very beginning of seeing, because it all started with Kubernetes and now there's a Swarm one, you can look up Swarm GitOps, and there's a Swarm, I can't think of the name of it. swarm-sync I think is what it's called, swarm-sync on GitHub, which allows you to do Swarm-based GitOps-like things. And now we're seeing these other tools coming out. They're saying we're going to try to do the GitOps concepts, but not for Kubernetes specifically, and that's, I think, you know, infrastructure as code started with certain areas of the world and then now, then now we all just assume that you're going to have an infrastructure as code way of doing whatever that is, and I think GitOps is going to have that same approach where pretty soon, you know, we'll have GitOps for all the cloud stuff and it won't just be Flux or Argo. And then that's the weird thing, is will Flux and Argo support all those things or will it just be focused on Kubernetes apps? You know, Kubernetes stuff? >>There's also, I think this is what you're alluding to, there is a trend of using, um, Kubernetes and CRDs to provision and control things that are outside of Kubernetes, like the cloud service providers' services, as if they were first class entities within Kubernetes, so that you can use the Kubernetes, um, focused tooling for things that are not Kubernetes through the Kubernetes interface. Kubernetes. Yeah, >>yeah, even criticism. >>Yeah, yeah, I'm just going to say that sounds like Crossplane. >>Yeah, yeah, I mean, I think that's, that's, uh, there were, you know, for the last couple of years, it's been Flux and Argo going back and forth.
Um, they're like frenemies, you know, and they've been going back and forth with iterating on these ideas of how do we manage this complicated thing that is many Kubernetes clusters? Um, because like Argo, I don't know if Flux v2 can do this, but Argo can manage multiple clusters now from one cluster, so you're, you can manage other clusters, technically external things, from a single entity. Um, originally Flux couldn't do that, but I'm going to say that v2 can, I don't actually >>know. Um, I think all that is gonna, I think that's going to consolidate in the future. All right. In terms of like the common feature set, what, Iver and John, what do you think? >>I mean, I think it's already begun, right, I think, haven't, didn't they collaborate on a common engine? I don't know whether it's finished yet, but I think they're working towards a common GitOps engine and then they're just going to layer on features on top. But I think, I mean, I think that's interesting, right, because where it runs and where it interacts with, if we're talking about a pull-based model, it shouldn't, it's decentralized to a certain extent, right? We need Git and we need the agent which is pulling. If we're saying there's something else which is orchestrating something, then we start to, like, fuzzy the model even, right. Like, is this state living somewhere else, then I think that's just interesting as well. I thought Flux was completely decentralized, but I know you install Argo somewhere, like Argo has a server as well, but it's been a while since I've looked in depth at them. But I think the, you know, does that muddy the agent-only pull model? >>I'm reading a >>Yeah, I would say that there's like a process of natural selection going on as, as the CNCF landscape evolves and grows bigger, and a lot of divide and conquer right now.
But I think as certain things kind of get more prominent >>and popular, I think >>it starts to trend and it inspires other things and then it starts to aggregate and, you know, kind of get back into like a unified kind of like core. Maybe, like for instance, Crossplane, I feel like it shouldn't even really exist. It should be, it, like, it's a Kubernetes add-on, but it should be built in, it should be built into Kubernetes, like why doesn't this exist already >>for like controlling a cloud? >>Yeah, like just, you know, having this interface with the cloud provider and be able to. Yeah, >>exactly. Yeah, and it kinda, you're right. That kinda happens because you do, I mean, when you start talking about storage providers and networking providers, there's very specific implementations of operators or just individual controllers that do operate and control other resources in the cloud, but certainly not universally, right. Not every feature of AWS is available to Kubernetes out of the box. Um, and you know, it, one of the challenges of Crossplane is you gotta have Kubernetes before you can deploy Kubernetes. Like, there's a chicken and egg issue there where if you're going to use, if you're going to use our Crossplane for your other infrastructure, but it's gotta, but it has to run on Kubernetes, who creates that first Kubernetes in order for you to put that on there? And Viktor talks about, in one of his videos, the same problem with Flux and Argo where, like Argo, you can't deploy Argo itself with GitOps. There has to be that initial, I did a thing with, I'm a human and I typed in some commands on a server and things happened, but they don't really have an easy deployment method for getting Argo up and running using simply nothing but a git push to an existing system. There's something like that.
So it's a, it's an interesting problem of day one infrastructure, which is again only day one, I think day two is way more interesting and hard, but, um, how can we spin these things up if they're all depending on each other and who is the first one to get started? >>I mean, it's true of everything though, I mean, at the end of that you need some kind of big bang kind of function to, you know, I started running start everything I >>think without going over that, sorry, without going off on a tangent. I was, I was gonna say there's a, if folks have heard of kind, which is Kubernetes in Docker, which is a mini Kubernetes cluster you can run in a Docker container, or each container will run as a, as a node. Um, you know, that's been a really good way to spin up things like Cluster API, because they bootstrap a local kind, install the manifests, it will go and spin up a fully sized cluster, it will transfer its resources over there and then it will die itself. Right? So that, that's kind of bootstrapping itself. And I think a couple of folks in the community, Jason DeTiberus, I think he works for Equinix Metal, um, has, has experimented with like an even more minimal, just API server, so we're really just leveraging the Kubernetes ideas of like a reconciliation loop and a controller. We just need something to bootstrap with those CRDs and get something going and then go away again. So I think that's gonna be a pattern that comes up kind of more and more. >>Yeah, for sure. Um, and, uh, the next, next quick answer to the question, Angel asked what your thoughts on GitOps being a niche to Git versus other VCS tools? Well, if I knew anyone who is using anything other than Git, I would say no, you know, GitOps is a horrible name. It should just be CVS ops, but that doesn't, or VCS ops or whatever like that, but that doesn't roll off the tongue. So someone had to come up with the GitOps phrase.
Um, but absolutely, it's all about version control solutions used for infrastructure, not code. Um, might get doctor asks a great question, we're not gonna have time for it, but maybe people can reply in chat with what they think, but about infrastructure and code, the lines being blurred, and that do develop, how much of infrastructure does developer, do developers need to know? Essentially, they're having to know all the things. Um, so unfortunately we've had way more questions, like every panel here today with all the great community, we've got way more questions than we can handle in this time. So we're gonna have to wrap it up and say goodbye. Go to the next live panel. I believe the next one is, um, on developer, developer-specific setups, that's gonna be Peter running that panel. Something about development in containers, and I'm sure it's gonna be great, just like this one. So let's go around the room, where can people find you on the internet? I'm at Brett Fisher on Twitter. That's where you can usually find me most days. You are? >>Yeah, I'm on Twitter too, um, I'll put it in the chat. It's kind of confusing because the TSR seven. >>Okay. Yeah, that's right. You can't just say it. You can also look below the video and, like, our faces are there and if you click on them, it tells you our Twitter and LinkedIn and stuff. John? >>John Harris 85, pretty much everywhere. GitHub, Twitter, Slack, etc. >>Yeah >>and normal, normal faults or just, you know, living on YouTube live with Brett. >>Yeah, we're all on the Twitter, so go check us out there, and thank you so much for joining. Uh, thank you so much to you all for being here. I really appreciate you taking time in your busy schedule to join me for a little chit chat. Um, yes, all the, all the cheers, yes. >>And I think this GitOps loop has been declaratively reconciled. >>Yeah, there we go. And with that, ladies and gentlemen, uh, bid you adieu, we will see you in the next, next round coming up next with Peter. >>Bye.
Joni Klippert, StackHawk | theCUBE on Cloud 2021
>>From around the globe, it's theCUBE, presenting CUBE on Cloud, brought to you by SiliconANGLE. Welcome to theCUBE's event, virtual event, CUBE on Cloud. I'm John Furrier, your host. We're here talking to all the thought leaders, getting all the stories around cloud, what's going on this year and next, today, tomorrow and the future. We've got a featured startup here, Joni Klippert, who is the CEO and founder of StackHawk, developing security software for developers to have them put security baked in from the beginning. Joni, thanks for coming on and being a featured startup here as part of our CUBE on Cloud. Thanks for joining. >>Thanks so much for having me, John. >>So one of our themes this year is obviously cloud native's gone mainstream. The pandemic has shown that. You know, a lot of things have to be modern. Modern applications, the emerald all they talked about modern applications. Infrastructure as code. Reinvent, um, is here. They're talking about the next gen enterprise. There's public cloud. Now you've got hybrid cloud. Now you've got multi cloud. But for developers, you just wanna be building security baked in and they don't care where the infrastructure is. So this is the big trend. Like to get your thoughts on that. But before we jump in, tell us about StackHawk, what you guys do. You were founded in 2019. Tell us about your company and what your mission is. >>Awesome. Yeah, our mission is to put application security in the hands of software developers so that they can find and fix AppSec bugs before they deploy to production. And we do that through a dynamic application scanning capability, uh, that's deployable via Docker, so engineers can run it locally. They can run it in CI/CD on every single PR or merge and find bugs in the process of delivering software rather than after it's been in production. >>So everyone's talking about shift left, shift left for >>security. What does >>that mean, uh, these days?
And what are some of the hurdles that people are struggling with, because all I hear is shift left, shift left from, like, I mean, what does, what does that actually mean now? Can you take us through your >>view? Yes, and we use the phrase a lot, and I, and I know it can feel a little confusing or overused, probably. Um, when I think of shift left, I think of that Mobius that we all look at all of the time, um, and how we deliver and, like, plan, write code, deliver software and then manage it, monitor it, right, like that entire DevOps workflow. And today, when we think about where security lives, it either is a blocker to deploying to production, or most commonly, it lives long after code has been deployed to production. And there's a security team constantly playing catch up, trying to ensure that the development team, whose job is to deliver value to their customers quickly, right, deploy as fast as we can, as many great customer facing features, um, they're then looking at it months after software has been deployed and then hurrying and trying to assess where the bugs are. And, um, trying to get that information back to software developers so that they can fix those issues. Shifting left to me means software engineers are finding those bugs as they're writing code or in the CI/CD pipeline, long before code has been deployed to production. >>And so you guys attack that problem right there so they don't have to ship the code and then come back and fix it again. Or where we forgot what the hell is going on. At that point in time some QA team gets it. Is that the kind of problem that, that's out there? Is that the main pain point? >>Yeah, absolutely. I mean, a lot of the way software, specifically software like ours and dynamic application scanning works, is a security team or a pen tester,
maybe, is assessing applications for security vulnerabilities, um, that are in prod. That's normally where these tools are run, and they throw them back over the wall, you know, interrupting sprints and interrupting the developer workflow. So there's a ton of context switching, which is super expensive, and it's very disruptive to the business to not know about those issues before they're in prod. And they're also higher risk issues because they're in prod. So you have to be able to see a >>wrong flywheel. Basically, it's like you have a penetration test, it's okay, I want to ship this app. Pen test comes back, okay, we gotta fix the bug, interrupts the cycle. They're not coding, they're in fire drill mode. And then it's a chaotic death spiral at that point, >>right? Or nothing gets done. God, how did >>you, what was the vision? How did you get here? What? How did you start? The company's, woke up one morning, said, I started a security company. And how did, what was the journey? What got you here? >>Sure. Thanks. I've been building software for software engineers since 2010. So the first startup I worked for was very much about making it easy for software engineers to deploy and manage applications super efficiently on any cloud provider. And we did programmatic updates to those applications and could even move them from cloud to cloud. And so that was sort of cutting my teeth in technology and really understanding the developer experience. Then I was a VP of product at a company called VictorOps. We were purchased by Splunk in 2018. But that product was really about empowering software engineers to manage their own code in production. So instead of having a network operations center, right, who sat in front of screens and was waiting for something to go wrong and would then just end up dialing there, you know, just this middle man trying to dial to find the person who wrote the software so that they can fix it.
We made that way more efficient and could just route issues to software engineers. And so that was a very DevOps-focused company in terms of, um, improving mean time to know and mean time to resolve by putting uptime in the hands of software engineers where it didn't used to live there before, it lived in a more traditional operations type of role. But we deploy software way too quickly and way too frequently to production to assume that another human can just sit there and know how to fix it, because the problems aren't repeatable, right? So I've been living in the space for a long time, and I would go to conferences and people would say, Well, I love for, you know, we have these digital transformation initiatives and I'm in the security team and I don't feel like I'm part of this. I don't know how to insert myself in this process. And so I started doing a lot of research about, um, how we can shift this left. And I was actually doing some research about penetration testing at the time, um, and found just a ton of opportunity, a ton of problems, right, that exist with security and how we do it today. So I really think of this company as a DevOps-first company, and it just so happens to be that we're taking security, and we're making it, um, just part of the application testing framework, right? We're testing for security bugs, just like we would test for any other kind of bugs. >>That's an awesome vision of other great great history there. And thanks for sharing that. I think one of the things that I think this ties into that we have been reporting aggressively on is the movement to DevSecOps, DevOps, DevSecOps. And you know, just doing an interview with the guy who stood up Space Force and big space conversation and were essentially riffing on the idea that they have to get modern. It's government, but they got to do more commercial. They're using open source. But the key thing was everything. Software defined.
And so, as you move into software defined, then they say we want security baked in from the beginning, and this is the big kind of like C-level conversation. Bake it in from the beginning, but it's not that easy. And this is where I think it's interesting where you start to think, uh, DevOps for security because security is broken. So this is a huge trend. It sounds easy to say it, bake security in, whether it's an IoT edge or multi cloud. There's a lot of work there. What should people understand when they hear that kind of platitude of, I just baked security in, it's really easy? It's not. It's not trivial. What's your thoughts on that? >>It isn't trivial. And in my opinion, there aren't a lot of tools on the market that actually make that very easy. You know, there are some, you've had Snyk on this program and they're doing an excellent job, really speaking to the developer and being part of that modern software delivery workflow. Um, but because a lot of tools were built to run in production, it makes it really difficult to bake them in from the beginning. And so, you know, I think there are several goals here. One is you make the tooling work so that it works for the software engineer and their workflow. And there's some different values that we have to consider when it's for an engineer versus when it's for a security person, right? Limit the noise, make it as easy as possible. Um, make sure that we only show the most critical things that are worth an engineer stopping what they're doing in terms of building business value and going back and fixing that bug, and then create a way to discuss and triage other issues later, outside of the development workflow. So you really have to have a lot of empathy and understanding for how software is built and how software engineers behave, I think, in order to get this right. So it's not easy. Um, but we're here and other tools are here to support companies in doing that.
>>What's the competitive strategy for you guys going forward? Because there's a big sea change. Now I see an inflection point. Obviously, COVID highlights it. It's not the main reason, but cloud native has proven it's now gone mainstream. Kubernetes. You're seeing the big movement there. You're seeing scale be a huge issue. Software defined operations are now being discussed. So I think it's a simple moment for this kind of solution. How are you guys going to compete? What's the winning strategy? How are you guys gonna compete to win? >>Yeah, so there's two pieces to that. One is getting the technology right and making sure that it is a product that developers love. And we put a ton of effort into that because when a software engineer says, Hey, I'd love to use the security product, right? CSOs around the world are going to be like, Yes, please. Did a software engineer just ask me, You have the security product. Thank you, right. We're here to make it so easy for them and get the tech right. And then the other piece, in terms of being competitive, is the business model. There were something like, I don't... You would know better than me, but I think the data point I last saw was like 1300 venture backed security companies since 2012 focused on selling to CISOs and Fortune 2000 companies. It is a mess. It's so noisy, nobody can figure out what anybody actually does. What we have done is said no, we're going to take a modern business model approach to security. So you know, it's a SaaS platform that makes it super easy for a software engineer or anybody on the team to try and buy the software. So 14-day trial. You don't have to talk to anybody if you don't want to. Awesome support to make sure that people can get onboarded, and with our onboarding flow, we've seen that our customers go from signing up to first successful scan of their platform or whatever app they chose to scan in an average of about 10 minutes. The fastest is eight, right?
So it's about delivering value to our customers really quickly. And there aren't many companies in security on the market today that do that. >>You know, you mentioned pen test earlier. I hear that word. Nice shit. And, like, pen test, penetration test, as it's called, um, SOC reports. I mean, these are things that are kind of like I got to do that again. I know these people are doing things that are gonna be automated, but one of the things that cloud native has proven as a killer app is integrations, because when you build a modern app, it has to integrate with someone else. So there you need these kind of pen tests. You gotta have this kind of code review. And as code, um, is part of, say, a purpose-built device where it's an IoT edge, updates have to happen. So you need more automation. You need more scale around both updating software to, ah, a purpose-built device or for integration. What's your thoughts in reaction to that? Because this is a real software challenge from a customer standpoint, because there are too many tools out there and every CISO that I talk to says, I just want to get rid of half the tools, consolidate down around my clouds that I'm working through my environment and be more developer oriented, not just purchasing stuff. So you have all this going on. What's your reaction to that? You got the, you know, the integration and you've got the software updates on purpose-built devices. >>Yeah, I mean, I make a joke a little bit. That security land is like, you know, acronyms. Dio there are so many types of security that you could choose to implement. And they all have a home and different use cases that are certainly valuable to organizations. Um, what we like to focus on and what we think is interesting in dynamic application scanning is because it's been hard to automate dynamic application for, especially for modern applications.
I think a lot of companies have ignored the opportunity to really invest in this capability, and what's cool about dynamic, and you were mentioning pen testing, is that because it's actively attacking your app, when you get a successful test, it's like a, it's like a successful negative test. It's that the test executed, which means that bug is present in your code. And so there's a lot less false positives than in other types of scanning or assessment technologies. Not to say there isn't a home for them. We could spend a whole hour kind of breaking down all the different types of bugs that the different tools can find. Um, but we think that if you want to get started developer first, you know, there's a lot of great technologies. Pick a couple or one, right, pick StackHawk, pick Snyk and just get started and put it in your developer workflow. So integrations are super important. Um, we have integrations with every CI/CD provider, making it easy to scan your code on every merge or release. And then we also have workflow integrations for software engineers associated with where they want to be doing work and how they want to be interrupted or told about an issue. So, you know, we're very early to market, but right out of the gate, we made sure that we had a Slack integration so that scans are running, or as we're finding new things, it's populating in a specific Slack channel for those engineers who work on that part of the app, and Jira integration, right? If we find issues, we can quickly make tickets and route them and make sure that the right people are working on those issues. So that's how I think about sort of the integration piece and just getting started. It's like you can't tackle the whole, like, every acronym at once, like pick something that helps you get started and then continue to build out your program, as you have success.
>>A lot of these tools can they get in the hands of developers, and then you kind of win their trust by having functionality. Uh, certainly a winning strategy we've seen. You know, Splunk, you mentioned where you worked for, Datadog and various other tools out there just get started easily. If it's good, it will be used. So I love that strategy. Question I wanna ask, you mentioned Docker earlier. Um, they got a real popular environment, but that speaks to the open source area. How do you see the role of open source playing with you guys? Is that gonna be part of your community outreach? Does it feed into the product? Could you share your vision on how StackHawk's engaging and playing in open source? >>Yeah, absolutely. Um, so when we started this company, my co-founders and I, we sat down and said, here, what are the problems? Okay, the world doesn't need a better scanner, right? If you walk the floor of, ah, security, uh, conference, it's like, our tool finds a million things, and someone else's is, my tool finds a million and five things. Right, and that's how they're competing on value. It's really about making it easy to use and put in the pipeline. So we decided not to roll our own scanner. We're based on an open source capability called ZAP, the Zed Attack Proxy. Uh, it is the most, the world's most downloaded application scanner. And, uh, actually we just hired the founder of ZAP to join the StackHawk team, and we're really excited to continue to invest in the open source community. There is a ton of opportunity to grow and sort of galvanize that community. And then the work that we do with our customers and the feedback that we get about the bugs we find, if they're, ah, false positive or this one's commonly risk accepted, we can go back to the community, which we're already doing, and saying, Hey, ditch this rule, nobody likes it, or we need to improve this test.
Um, so it's a really nice relationship that we have, and we are looking forward to continuing to grow that. >>Great stuff. You guys are a hot startup. Love the software on security angle. Again, DevSecOps is gonna be, it's gonna be really popular. Can you talk about some of the customer successes? What's the feedback from customers? Can you share some of the use cases that you guys are participating in where you're winning? You mentioned developers love it and try it. Can you just give us a couple of use cases and examples? >>Yeah. A few things. Um, a lot of our customers are already selling on the notion. Like before we even went to GA, right, they told all of their customers that they scan for security bugs with every single release. So in really critical, uh, industries like fintech, right, it's really important that their customers trust that they're taking security seriously, which everybody says they do. But they show it to their customers by saying, here, every single deploy I can show you if there were any new security bugs released with that deploy. So that's really awesome. Other things we've heard are, uh, people being able to deploy really quickly to the Salesforce marketplace, right? Like if they have to have a scan to prove that they can sell on Salesforce, they do that really rapidly. So all of that's going really well with our customers. >>How would I wanna... How would I be a customer if I was interested in, um, using StackHawk? Say we have some software we wanna stand up, and, uh, it's super great. And so Amazon, Microsoft marketplace, Salesforce, they'll have requirements or say I want to do a deal with an integration they don't want. They want to make sure there's no nothing wrong with the code. This seems to be a common use case. How do I, if I was a customer, get involved or just download software? Um, what's the procurement?
What's the consumption side of it look like? >>Yeah, you just go to stackhawk.com and you create an account, if you'd like to get started that way, so you can have a 14-day free trial. We have extremely extensive documentation, so it's really easy to get set up that way. You should have some familiarity, or grab a software engineer who has familiarity, with a couple of things. So one is how to use Docker, right? So Docker is, ah, the deployment mechanism for the scanner. We do that so you can run it anywhere that you would like to, and we don't have to do things like pierce firewalls or other protective measures that you've instrumented on your production environment. You just run it, um, wherever you like in your system. So locally, CI/CD. So Docker is an important thing to understand. The way we configure our scanner is through a, um, a file. So if you are getting a scan today, either your security team is doing it or you have a pen tester doing it. Um, the whole, like, getting ready for that engagement takes a lot of time because the people who are running the tests don't know how the software was built. So the way we think about this is, just ask them. So you just fill out a YAML file with parameters that tell the scanner what to do, tell it how to authenticate and not log out. Um, feed us an API spec if you want, so we can super efficiently scan your app and you can be up and running really quickly, and then that's it. You can work with our team at any time if you need help, and then we have a really efficient procurement process. >>In my experience, some of the pen test firms out there, it's like the housekeeping seal of approval. You get it once and then you gotta go back again. Software changes, new things come in. And it's like, Wait a minute, what's the new pen test? And then you have to write a check or engage to have another meeting. I mean, this is the problem. I mean, too many meetings. Do you guys solve that problem?
Do you solve that problem? >>We solve a piece of that problem. So I think, you know, part of how I talk about our company is this idea that we live in a world where we deploy software every single day. Yet it seems reasonable that once a year or twice a year, we go get a pen test where a human runs readily available, open source software on our product and gives us a, like, quite literal PDF of issues. And it's like, this is so intellectually dishonest, like we deploy all of the time. So here's the thing. Pen tests are important and everybody should do them. But that should not be the introduction to these issues that are also easy to automate and find in your system. So the way we think about how we work with pen testers is, um, run StackHawk or ZAP, right, in an automated fashion on your system, and then give the configuration and give the most recent results to your pen tester and say, Go find the hard stuff. You shouldn't be cutting checks for $30,000 to a pen tester for something that you could easily automate in your pipeline. You could write the checks for finding the hard stuff that's much more difficult to automate. >>I totally agree. Final question. Business model. Once I get in, is it a service software and services? A monthly fee? How do you guys make money? >>Yep, it is software as a service, it is a monthly fee. We're early to market. So I'm not going to pretend that we have perfectly cracked the pricing. Um, but the way that we think about this is this is a team product for software engineers and for, you know, informed constituents, right? You want a product person in the product. You want a security person in the product. Um, and we also want to incent you to scan your apps in the most modern fashion, which is scanning the smallest amount of HTTP that lives in your app, like in a microservices architecture, because it makes it a lot easier to isolate the problems where they live and to fix those issues really quickly.
So we bundle team and apps and then we scale within, uh, companies as they add more team. So pen users. 10 apps is 3 99 a month. And as you add software engineers and more applications, we scale within your company that way. >>Awesome. So if you're successful, you pay more, but doesn't matter. You already succeeded, and that's the benefit of buy as you go. Great stuff. Final question. One more thing. Your vision of the future. What are the biggest challenges you see in the next 24 months? Plus beyond, um, that you're trying to attack? That's a preferred future that you see evolving. What's the vision? >>Yeah, you've touched on this a couple of times in this interview with, uh, being remote, and the way that we need to build software already has been modernizing, and I feel like every company has a digital transformation initiative, but it has to happen faster. And along with that, we have to figure out how to protect and secure these Moderna Gail. The most important thing that we do the hearts and minds of our support engineers and make it really easy for them to use security capabilities and then continue to growth in the organization. And that's not an easy thing tied off. It's easy change, a different way of being security. But I think we have to get there, uh, in order to prepare the security, uh, in these rapidly deployed and developed applications that our customers expect. >>Awesome. Joni Klippert, CEO and founder of StackHawk. Thank you for coming on. I really appreciate it. Thanks for spending the time. Featured startup as part of our CUBE on Cloud. I'm John Furrier, your host with SiliconANGLE theCUBE. Thanks for watching.