Hello everyone, welcome to this CUBE Conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE. We're here with Thoropass's CEO and co-founder, Sam Lee. Thanks for coming on. Thanks for joining us for the CUBE Conversation.

Glad to be here.

So Sam, you've started a company. You're in the compliance area. You got all kinds of new regulations out there these days. I mean, I can't remember the days when you had all this, these regulars off. I'm happy. HIPAA for healthcare. You got all kinds of data protection, compliances, data is the hottest topic right now and managing that data, securing that data is the number one problem people are trying to solve and not lose the innovation angle. Take a minute to explain what you guys do at Thoropass. What's your main focus?

Yeah, you're absolutely right. And I'm Sam, started Thoropass about four years ago. It all came from a personal experience. I was running a fintech company in a short tech space before Thoropass. And we're doing great. We're creating a great product. But then as soon as we hit real customer conversations, talking to customers and partners with consequences, they start asking about problem questions about our compliance posture. You have an information security policy? You have a SOC2 audit? And you answer those 400 questions in Excel, right? We were a 12 person company in Soho, like, you know, crunching code every day. We didn't have all those. So, you know, I started out and said, okay, let's bite the bullet. Let's get a SOC2 audit, which is one of the most popular compliance frameworks here in the States. And I thought it would be a six weeks process, tops. Six months later, I still don't have the report. At the same time, like those information security best practices are very important, right? We want the world to be a better place and we want to take our data, our customers' data seriously. So I want to build an informative compliance program.
At the same time, five years ago, there was a drastic lack of tools, software solutions, and good audit solutions for me to do that. So I then spent some time at Bain Capital Ventures as an EIR. I like to joke that, you know, that is a good job for a jobless MBA, I go there, I drink their coffee, their snacks and think about startup ideas. And this compliance pain point really stood up, you know, high on my list. Why is there not a TurboTax-like or Carta-like solution for information security compliance, which every technology company needs? And, you know, because as you said, like more companies are hosting data of their customers, this is just becoming a bigger problem than it was before. So started Thoropass back then, and it was known as Laika. We rebranded it to Thoropass earlier this year to be really the one stop shop for IT compliance and privacy compliance for technology companies. And, you know, we created a TurboTax-like experience for companies to set up their compliance for the first time, accelerate their program build out, automatically collect and verify evidence, as well as demonstrating compliance to enterprise buyers or partners alike.

You know, Sam, I love this story because, you know, the transition to cloud computing has accelerated the entrepreneurial opportunities. You see startups all the time getting funded. Now you got AI, but it's also opened up small, medium sized enterprises to have more capabilities and, you know, I remember, you know, you get all these kind of pen tests, SOC2 reports as you mentioned, you know, it's hard to do that. And the time clock, you mentioned six months and getting the report, but things can change too. Then you got to go back and do it again. So this idea of cloud native and agile development is kind of really where the pain point is too, not just for small companies, but even large companies to kind of have that framework of compliance. And this is a huge challenge. It's a service model.
But it's got to be fast and agile. And matching that agility to compliance is like molasses, slow moving, you know, icebergs versus, you know, rapid fire coding.

Yeah. And I think, you know, really, as you said, the macro has pushed that towards where we are, right? There are more regulations around privacy and cybersecurity being passed in the country and as well as, you know, internationally. And there are more best practices that the industries, which traditionally are only, you know, being enforced upon large companies, are now trickling down to vendors of different sizes, right? That's also because like there are those high profile data breaches happening, which makes the regulator set up more rules, as well as pushing the largest enterprise to push down those requirements to all their vendors, which, you know, is a great trend for the industry. But at the same time, it is very hard to, you know, set up, maintain and demonstrate information security compliance, especially for cloud native internet companies. If you look at how this was traditionally done, there are a lot of manual process involved, right? How do you prove that you have all those security controls set up? It involves a lot of screenshots, a lot of uploading static documents to auditors' SharePoint. And that is not a great process. And they're-

And all the questions too are all old. Do you have a virtual machine on bare metal? Like, what are you talking about? I'm on the cloud, like what are you talking about? All these old IT policies are archaic, right? They're not relevant. But I think the build side is a key value of being agility. But you brought up the idea of working together. We're in an API economy now and AppSec review teams need to be fast. And I think the growth for companies and doing business with other companies require this. Can you talk about how companies can do this the right way? Because I see the growth being stunted.
If you can't be compliant or have a framework, not only does your build team get kind of stunted or held back or dragged down, but your growth, operational growth could be hindered.

Yeah. And I think that is actually one of the most common reasons why companies pick up compliance and purchase Thoropass earlier in their journey is because those requirements have trickled down to the youngest companies, right? And when compliance becomes a growth blocker, that's when the sense of urgency really goes up, right? And also it is much cheaper to set up a robust and effective compliance program early on versus until you have hundreds of employees, then you have more people to train and more culture to change, right? So we like to partner with companies of different sizes and stages, but definitely a lot of our customers are younger companies, FinTech, HealthTech, SaaS companies. They hold really sensitive data and they want to do the right thing. Our job is to make following compliance as simple as possible so that they can focus on what they do best, innovate in their field, without having to waste time on a lot of manual processes and like, you know, busy work, I like to call it with compliance and focus on the really strategic issues that really matter.

Innovation not being dragged down by old school compliance, I love that. Take me through how it works. I love it. How do you inject this guidance, this expert guidance into the customer's journeys? Take us through an example, if you can, through that the component that you've done right for the day.

Yeah, you are a brand new tech company, let's say in the AI space, right? And you're starting to sell to enterprise, whether it's financial institutions, healthcare systems or, you know, big retailers and they will start to ask questions like, can you show me your SOC2 report, right? Can you prove that you are taking our data seriously?
That's usually a very common trigger for people to, you know, purchase an IT compliance solution and start pursuing an information security audit such as SOC2 or, you know, ISO 27001 or HITRUST in the healthcare space. And then you will sign up for Thoropass. It's very simple. It's very much like TurboTax, you know, for us living in the States, you know, you sign up for Thoropass, you go through an onboarding process, you get paired with a team member from us who will help you throughout the process. And then you connect to all the SaaS tools that you're already using. If you think about it, what the auditors need to see eventually is you have encryption turned on, you have multi-factor authentication turned on, right? It's all of those different metadata that we can automatically collect by integrating with the SaaS tools that you're already using. So we have a robust integration portfolio with, you know, the cloud service providers, JIRA, GitHub, like all those tools that matter in a compliance context. We ingest those data into Thoropass and we perform the validation directly on the platform. So that, you know, traditionally an auditor has to, you know, eyeball screenshots or manually review a report in order to test out a control. That process is almost completely automated through the integrations with those systems as well as our auditor platforms so that the customers experience the entire process from setting up the compliance program to proving it to the auditor all the way to proving it to their enterprise buyers directly and completely on the Thoropass platform.

Yeah, I love the TurboTax kind of reference. Obviously, QuickBooks is the other product that they sell the enterprises. I love the Carta example. I mean, the folks watching that might not know what Carta does.
They're a company that does all the manual or the heavy lifting that was a manual process involving stock, who has stock in the company, stock options, cap tables, how companies capitalize, which is a grueling manual industry, right? It's like, and it also impacts a lot of the transactions, whether it's more financing, a venture financing or M&A deal or an acquisition, how they handle stock programs is automated. That's kind of the thing.

We're really inspired by the business model of Carta founder, Harry, as an engineering investor as well. What they do is they turn an otherwise very heavy manual once a year consulting heavy process, the 409A valuation, into a delightful software driven experience. That's what we're doing here for information security audit. That's what we're doing here for SOC2, as well as all the other different frameworks that we support.

The thing too about the Carta that you like, I also will add that it makes you confident because they track everything. And now the worst thing about manual is who didn't file the right thing? Where's that paperwork? Where's that file? This is where it gets harder, right? So that delightful, but confident experience is critical. I get that for the startups. I think you'll run the table on DevOps teams and startups love the product. How about enterprises? Take me through, I'm an enterprise, I got existing stuff. How do you interface with that value proposition?

Yeah, absolutely. I think for the enterprise persona, like they care about efficiency, right? And we have a lot of compliance professionals on staff who came from that world. Nobody is interested in spending all of their day on collecting manual evidences or doing reports or the worst case, chasing different teams in the company to submit their evidence requests just to pass the compliance requirement. We streamline all of that by a lot of the integrations.
We're using the LLM model to streamline a lot of policy review and validation piece, which was very interesting use case. What they also hate doing is because larger companies tend to be compliant with multiple compliance frameworks from different geographical regulations and like different best practices, they often find themselves in the audit for the whole year, right? I just finished my SOC2 audit. I'm going through my ISO certification, then I'm doing HITRUST. Well, we're able to offer because a lot of those requirements are similar and the evidence are shared. We're able to do what we called one audit multiple reports so that you can complete one audit and all your evidence are being automatically mapped and verified to different compliance frameworks and you will get multiple reports or certifications or audit done in one go, drastically saving time on that. Just like startup founders want to focus on innovation and what matters most. Compliance professionals at those large enterprises want to focus on the more strategic and cyber security focused activities versus manually chasing people for evidence. And that's the piece that we streamline and replace.

Yeah, the cloud, the cloud model's shown everyone the undifferentiated, heavy lifting. Love that quote from Andy Jassy. It's so persistent over time. I got to ask you, why do you think companies are hesitant to acknowledge their need to obtain compliance advice and maintenance? Is it they don't, they look at it later or they, what's their, why is their attitude like this? Why are they hesitant to acknowledge that they actually need it? They look in the other way. They just not busy. What's the issue?

Yeah, well, look, I'm a two time startup founder. I totally understand that mentality, right? If it's not broken, why fix it? And, you know, there are always a lot of things going on. So totally understand that.
What we discovered is, if you need your compliance posture, if you need your SOC2 report yesterday, like that's probably too late, right? We can help you accelerate and take a lot of the busy work away, but you need those programs early on because if the company has become in any way successful, you will be asked those tough questions and you want to look prepared and not last minute when being asked. It's five years ago, I think a lot of companies are doing this much later than they do today. Thanks to us and our peer companies, like educating the market a little bit more on the importance of setting up compliance in the first place. But what we're seeing, we're seeing less hesitation on investing in this because people realize like this, these are not optional, these are must haves, and they can actually accelerate your business, right? If you want to build reputation early on with your enterprise buyers, by having those certifications nailed down early on is actually a great strategy.

Let me ask you a question on that point because I think it's clear that compliance was that one department. Ah, the compliance department, they got to check the boxes. Now with cloud, you got APIs, you got interactions, you got business deals. Again, I come back to AppSec reviews. You know, I want to do a deal with someone and sometimes it requires full inspection. Talk about software supply chains, the security issues, shift left. Now data is an innovation strategy, but with legal and compliance issues, you got data protection, compliance, new things coming. Who knows what's next? How do you, how do you see that, Sam? Because I think this is the world that's going to get much more dynamic and robust as they say, you know?

Yeah, I completely agree, right? We're sharing knowingly or unknowingly a lot of data with a lot of vendors out there, right? Both as a consumer and as a startup operator.
So, you know, it's become really important for compliance professionals at the enterprise to get hold of all of their vendors' compliance postures. And, you know, that's where solutions like Thoropass really help them to not only build up a robust compliance program, but also can effectively demonstrate to their partners and buyers because those diligence needs to happen. And, you know, together we want to prove out that our customers are doing a great job. Like, they deserve the credit to prove that out. So we have a solution to help companies answer due diligence questions more efficiently, like with the LLM model and all of the great things that they're already doing on the platform. Pretty much like a lot of questions that the enterprise asks you have great answers for. And you have data to prove that you're doing that. It's the process of getting them out in the format that makes sense that takes a lot of time. So we help them to take away that heavy lifting. And obviously our SOC2 reports and different compliance certifications are accepted by the biggest banks and hospital systems in the world. So that by itself, you know, proves out the compliance posture and can save a lot of time in due diligence process.

I was going to ask you that question. You just beat me to it, but I think we should be a customer as well. We definitely need your service for our CUBE cloud and our generative AI stuff with all our transcripts and media. I have to ask you about-

Absolutely.

Take us through what people are saying about Thoropass. You mentioned some of the big banks, you know, compliance is a huge issue. I mean, data protection, audit, all these things kind of come together in one thing. It's not just compliance audit. It's like data management, data legal, data supply chain. We've taken that term around because you're seeing supply chain questions with data.
You know, AI is saying hallucinations in OpenAI and ChatGPT, you're like, whoa, whoa, where is that data coming from? A lot of things are changing. What are your customers saying about you guys? Were they happy? Where are you winning?

Yeah, well, they wish they had them, they had us sooner, that's for sure, right? It's like, you know, usually companies still delay a little bit on when they invest, but once they are on board, it can go very quickly. They really love the bench of expertise and opinions that we have in this space. Like we have the highest expert to customer ratio that we like to call it, right? Every company is a little bit different. The standards are the same, but there are different interpretations. We want to make sure all of our customers get a really personalized experience to the extent possible, right? To really demonstrate their compliance in the most differentiated way to their customers. So, you know, we are very much invested in our experts that are both on staff as well as we partner with. And lastly is the piece around integrating audit and certification into people's compliance journey, right? When we first started the company, we're like some of our competitors today. We help you set up compliance, all the red, light, and green, but very quickly we realized that if we cannot help the customers go through the audit process smoothly with multiple different compliance framework, that's only battle half won. So we went out of our way to create it. We were calling it the oral way, the integrated audit experience into our system so that the customer can go through the experience completely on our UI, and there are no surprises throughout the process. So that they can go from, you know, drafting their first policy on the platform all the way to having the compliance report in hand directly on the platform. So these are a couple, you know, major differentiators that we have. We love our customers.
We have, you know, have the luxury to found a great vertical to be in. And we really want to, you know, with our effort build a little bit more trust in the marketplace so that the technology companies can have a better name when they are selling to enterprises.

Yeah, love the confidence to give customers. And I love the TurboTax reference because the ties together, they look at TurboTax. I remember when I was doing my startups in the years, I'd used TurboTax. I didn't have any money to hire, you know, expertise. You know, I wanted to have that built into the software. You guys are doing the same thing here. Love that. Quick question while I got you here. You got to love the AI aspect coming in to help you with your experts because if you're going to build that expert ratio out to your customers, I'm sure you're going to get a lot of data and some of the AI trends is a tailwind for you guys, right?

Yeah, 100%, right? I think until this latest wave of LLM models, like we're able to ingest and validate a lot of structured data from different data sources, right? All of your configuration from Amazon Web Services, like all of the pull requests on GitHub. And that allows us to automate a lot of the control testing and create a really efficient audit process. The LLM completes the other part of the puzzle, which is how can we parse large amount of documentation policies, procedures in an effective way so that the validators, the auditors, the enterprise buyers can quickly find and verify what they care about without having to spend a lot of human hours on reviewing those. Because we have the audit integrated in our solutions and are the only company that does that, the LLM wave gave us an incredible amount of new technology opportunities for us to make our process more efficient and more accurate so that our teams can do more work in a shorter period of time without sacrificing quality. And our customers get a somewhat magical experience on, right?
You can submit a SOC2 report and see where the gaps are. And that is all enabled by the LLM models that we're leveraging in our technologies.

I love the focus on ease of use. I love the focus on the integration of DevOps and Cloud, but I think the real value is you really kind of focus on the core fear of a customer, which is the audit, the dreaded audit. I mean, that is the biggest pain point and fear a customer might have. So big, big difference. And I think, yeah.

And, you know, a software audit for Walmart is different from a software audit for a 20 person company, right? So, you know, following kind of the static playbook may not be the best way or the most stage-appropriate way for your company. You know, we try to tailor everything that we give to the customers and with the integrations as well as the policy review process that I talked about. This process can be really, really further streamlined.

For a startup and a growing company, that audit could really take the wheels off the bus, big time, and derail a company's momentum. Great, great solution. Sam, great to have you on. Co-founder and CEO, love your positioning. Love the vertical you're in. Lot of great headroom, bringing SaaS and automation into a market that needs it. It's changing too. It's only going to be more complex. Final comments, give a plug for the company, what you're working on, how much funding have you raised? How many employees do you have? What are you looking to do? You're hiring, obviously. What's the final pitch?

Yeah, thank you, John. Really, really glad to be here. You know, I'm lucky. As I said, you found this great vertical and a great mission to be a part of. You know, we raised our Series C last year. We're about 180, 190 folks headquartered here in New York with large presence across the country and they left Ham. What I want to say is like, information security compliance is no longer optional for any companies that hold data.
And Thoropass is the only compliance and audit solution that truly gives our customers everything they need without surprises and gaps. Partnering with us allows you to reduce costs, build trust with customers and partners, and more importantly, focus on the things that matter most to your businesses and not get bogged down by compliance.

Thoropass, inspired by TurboTax and Carta, two great software packages for startups and growing companies and enterprises, Sam Lee, co-founder and CEO. Thanks for coming on this CUBE Conversation. Thanks for joining me today.

Thank you, John.

All right, I'm John Furrier of theCUBE. Thanks for watching.