Okay, welcome back everyone. theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce 22, big show around security. Amazon re:Invent is coming up; that's the big event of all time. re:MARS was another one, re:Inforce, the re-shows they call them, and theCUBE's got you covered. I'm John Furrier, host of theCUBE, with Dave Vellante, who's in an analyst session right now. He'll be back shortly. You've got two great guests from an amazing company, HackerOne. Been on theCUBE many times, CUBE alumni, and Marten Mickos, of course, a big-time CUBE alumnus. Sean Ryan, Senior Principal Product Marketing Manager, and Will Kapcio, Senior Sales Engineer. Gents, welcome to theCUBE. Thanks for having us, John. So Marten's been on many times. He's such a character, he's such a legend. Your company has had great traction, a great community. Just a phenomenal example of community meets technology and problem. He's been part of that organization. Here at re:Inforce, they're just kind of getting wind of it now, right? You hear about open teamwork, breaking down the silos. A big theme is this whole idea of open community, but yet be hardcore with the security. It's been a big part of re:Inforce. What do you guys think of the show so far? Loving it. Partly too, we're both local here in the Boston area, so the commute was pretty nice. And the heatwave broke the other day, so that's wonderful. But yeah, great show. It's good to be back in person doing this kind of stuff, and it's really lively. You get a lot of good energy. We've had a bunch of people stopping by trying to learn what we're all about, and so it's really fun, great show so far. And you guys have a great company. Take a minute to explain for the folks who may not know HackerOne. Tell them what you guys do real quick in one minute. Okay, the quick elevator pitch.
So really, we're making the internet safer using a community of ethical hackers, and our platform enables that, so we can skill-match the best talent that's out there around the world to help find all the vulnerabilities that your company needs to discover, so you can plug those holes and keep yourself safe. So in the era of a talent gap, you know the technology's out there, but sometimes the skills are not there, so you guys can fill the void, kind of a crowdsourced vibe, right? Yeah, exactly. If you're trying to build a security program and apply defense in depth, we offer a terrific way to engage additional security talent, either because you can't hire enough or your team is simply overloaded, too much to do. Hackers, white hat hackers, like to be a little bit independent, might want some flexibility in their schedule, live around the world. Yes, no question. We have hackers that do it full-time, that do it part-time, and everything in between. Well, you guys are in the middle here with some real products. So talk about what's going on here. How vulnerable are the surface areas and organizations that you're seeing? Yeah, probably more so than you would think. So we ran a survey earlier this year, 800 security and IT professionals across North America and Europe. And one of the findings from that survey was that nearly a third, actually over a third, 37% of the attack surface is not secured. Some of them don't even know. They don't know what they don't know. They just have this entire area. And you can imagine, I mean, there's a lot of reasons, real legitimate reasons that this happens. One of those really being that we don't know what we don't know. We haven't scanned our attack surface. And also it's about a decade of no perimeter anymore. Yes. Welcome to the cloud. For sure, absolutely. And people are moving quick, right? You know, the cloud, perfect example.
Cloud people are building new applications on top of these new underlying configurations, happening on a constant basis. Acquisitions, you know, it's just a fast-moving thing. Nobody can keep track of it. There's a lot of different skill sets you need, you know? And yeah, skills shortage out there too. And what's the attacker solution you guys have? You guys have this HackerOne attack resistance component. What's that about? That's right. So that is to solve what we call the attack resistance gap. So that area that's not protected, hasn't been secured. On top of just not knowing what those assets are or how vulnerable they are, the other thing that happens is people are sort of doing status quo testing, or they're not able to keep up with effective testing. So scanners are great. They can catch common vulnerabilities, but they're not going to catch those really hard-to-find vulnerabilities, the things that the really sophisticated attackers are going to go after. So we use this large community that we have of ethical hackers around the world to be able to skill-match them and get them doing bug bounties, doing pen tests, really bulletproofing the organization and helping them risk-rank what they find, triage these, do the retesting, get it very secure. So that's how we do it on a high level. Will, you might have a... Yeah, I mean, there's a tremendous amount of automation out there, right? But you can't quite, at least not yet, replace critical thinking from smart security minds. So HackerOne has a number of solutions where we can apply those minds in different ways, at different parts of the software lifecycle, at different cadences, to fit our customers' needs, to fit their security needs, and make sure that there's more complete human coverage throughout their software lifecycle and not just automation.
Yeah, I think that's a great point, Will and Sean, because you think about it, open source has not only grown significantly, it's like it is the software industry. If you believe that, which I do, open source is there. It's all software, free. The integration is creating a DevOps movement that's going on at a whole lot of levels. So devs are doing great. They're pumping out code. In fact, I heard a quote here on theCUBE earlier this morning from the CTO of Cequence Security that said, shift left to shield right. So shifting left is build your security into the code, but still you've got to have a shield. You guys have this shielding capability with your attack resistance management service. So now you've got the devs thinking, I'd better get security native. But they're pumping out so much code. There's more use cases. So there's going to be code reviews needed for stuff that, as he said, what is this? We've got a code review, new stuff, the developer created something. I mean, that's what happened. That's what's going on everywhere, right? Exactly. We often hear that for every 100 developers, you've got one security professional. Talking about skill shortage, that's just not sustainable. How are you going to keep up with that? Your phone is ringing off the hook. There's no phones anymore, but technically. Yeah, exactly. So yeah, you need to go external, find some experts who can help you figure that out and keep up with that cadence. It keeps going and going. So, HackerOne, I love the ethical thing. I'm a big fan. Everyone who watches theCUBE knows I'm a big fan of Marten and your company. But it's not just bug bounties that you do. That's just what people think of. They see that in the news. Oh, I made a million dollars from saving Microsoft Teams from being exploited, or something like that. Or weird things, big numbers. But you do more than that. There's code reviews, there's assessments. Like a variety of different things, right? Yes, exactly.
I'll let... What are the hottest areas? Yeah, I mean, that's exactly why we coined the term attack resistance management, really, to help describe all those areas that we cover. So you're right, bug bounty is our flagship product. It's what we're best known for. And it's a terrific solution. But on top of that, we're able to layer things like vulnerability disclosure, pen testing and code review. Pen test is actually really important. Attack surface management, a whole suite of complementary offerings to help you engage these hackers in new and interesting ways. The bug bounty is very popular because it's fun. Yeah, that's what we do. It's fun for the hackers, the white hat hackers, but the companies, they can see, where's my bugs? It's a fear of missing out and the fear of getting screwed over. That's the biggest driver, right? Yeah, definitely. And now we have a product called Assets. So this is attack surface management. And what we're able to do with that is bring that in, leverage the ethical hackers to risk-rank. What are your assets out there? How vulnerable are these? What's critical? Feed that in. You know, as Will was saying, we've got all kinds of different testing options. Sometimes bug bounty, continuous, that works. Sometimes you want a pen test, you know, you want it bounded. Well, the thing about the pen test, well, the SOC 2 report, Amazon's got SOC 2 reports, but pen test is a moving train. Yeah. Because if you're pushing new code, you've got to pen test it all the time. It's not a one-and-done. Exactly. You've got to keep it running. Yep. It's one and run, right? You can't do the old-school penetration test once a year, big monolithic thing. You know, this is just a check-the-box for compliance. It's like, no, you need to be focusing this on the assets that you're releasing, which are constantly changing, and do ongoing, smaller cadences of pen tests.
I had someone at a conference, had a few cocktails in them, confess to me that they forged a pen test report. Oh, man. Okay. Because it's like, oh, it was three months ago, I don't worry about it. But a lot can happen in three months. No, this is real. They're like, I can't turn it around fast enough. They had an AppSec review in their company, and I'm not saying everyone's doing bad behavior, but people can look the other way. That creates more vulnerabilities. It can happen. And even just that time space. Let's say you're only doing a pen test once a year, or once every two years. That's a long time. It's a lot of dwell time. You can have an attacker inside, milling around your network. All right, so we've got a big service here. That's about AWS. We're here at re:Inforce. The trend, you see Amazon getting closer to the ecosystem, a lot more integration. How are you guys taking HackerOne's attack surface area products, management software, closer to Amazon? What's going on, what's involved? Because at the end of the day, they're enabling a lot of value, and their partners are growing and becoming platforms within themselves. What is the connection with Amazon? Keep those apps running. How do you guys do that? Yeah, so we've got a specific assessment type for AWS. So on the one hand, we're bringing in the right group of ethical hackers who are AWS certified. They have the right skill set. We're matching them. We've got the right assessment type for them to be able to track against and find the right vulnerabilities, report on those. So this is our pen test offering geared particularly towards the AWS platform. And then we also have an AWS Security Hub integration. So if customers are using AWS Security Hub, we can plug into that, feed that information, and that gets more to the defense in depth for your AWS Security Hub. And you guys verify all the ethical hackers, are things verified? Oh yes, absolutely.
So they're verified for their pen testing experience and skills, and of course their AWS skills in particular, and their work experience, making sure that it's long enough, that it's a good background check, the whole nine. So absolutely. How far has Amazon come from your perspective over the past few years with the security partnerships? I mean, the services have grown every year. I mean, every Amazon re:Invent, thousands of new announcements, new services. I mean, if they update the DNS service, a new thing, right? So like, everything's happening. What's different now? It's great to see. I mean, you look around at how many different types of security solutions there are here, how many different types of partners. And it just shows you that defense in depth, again, is a really critical thing. Been a wonderful partner for us. I mean, they're a big fan of us. They tell us that all the time. Yeah, because their customers use you. Because their customers do, that's exactly, exactly. But no, it's been great. So we're looking at, we've got some things on the roadmap and continued integrations that we look forward to doing with AWS. But you know, again, it's a great, powerful platform. It gives customers a lot of freedom, but with that freedom comes the responsibility that's needed to actually secure it. Will, what's your take? We hear hybrid security keys, management systems announced today, encrypt everything, don't have over-permissive environments. Obviously they're talking about more platform and stuff. Absolutely. My take would be, I think our own partnership with the AWS security team is great evidence that they're thinking about the right things. We worked in conjunction with them to develop our pentest methodology.
So that combined proprietary HackerOne platform data and findings across all of our customers, the common issues found in AWS environments, with their own knowledge and their own experiences from the AWS security team directly. So it's a pretty powerful checklist that we're able to run through on some of these customers and make sure that all of the most common misconfigurations and such are covered. Yeah, they're highly motivated to do that because they get blamed for the S3 buckets being left open. It's not even their fault. Right. Of course not. We get, "Who was in Amazon? Amazon's terrible." Almost. Yeah, one of the things that we like to talk about is the fact that cloud is really about automation, right? But you can't automate that human ingenuity, the skills that come with an actual human who has the experience and the know-how to fix these things. There's a lot going on in Amazon. It's always been kind of like, as described earlier on theCUBE, an Erector set, not Lego blocks yet, but still, kind of, you still got to build it. It's getting better in the Lego model, but there are challenges in protecting cloud, Will. I mean, this is a big part of protecting cloud platforms like AWS. What are some of those challenges? I think some of the challenges are the ephemeral nature of cloud that can really result in developers, and really business units across an organization, spinning up assets that IT or security don't know about. And so that's where things like HackerOne Assets and those attack surface management-style solutions come into play, trying to identify those assets proactively and make sure that they're receiving some sort of attention from the security team, whether it's automated or manual or, ideally, both. You guys got a good solution. Tell us about the partnership. We've got one minute left. Tell us about your partnership with AWS. You guys are certified in their security group with their team and Marketplace, right?
Tell us about some of the things. Yeah, we've been on Marketplace over a year. We've had the specific solution that I mentioned, the application pentest for AWS, in place and integrated with Security Hub for some time now. There's some other stats that we could probably share around the ethical hackers that we have working on that. We have a number of certified AWS hackers who, again, have the right skill set for AWS. And they've been a great partner. We are very focused on continuing to work with them and build out some new offerings going forward. Well, you guys have done a great job. Will, tell your team congratulations on the tech side, on the product side, very strong community. You guys have had a lot of success. Congratulations. And thanks for sharing on the team. Appreciate it. Thanks for having us, John. Thank you for your time. We're here at re:Inforce, where it's all about open, it's team-oriented, got cloud scale, data, encryption on everything. Big news coming out of re:Inforce, and theCUBE's got it covered here. I'm John Furrier, your host. Thanks for watching. We'll be right back with more coverage after this short break.