 I think that using the rationalization and excuse that security is complex is a broken argument. And the reason is, is that everything in life is complex. And this is the first time you and I are talking, so I would love to know a bit about Traceable. Talk a bit about what is company all about, what do you folks do, especially when we look at the whole security or AI space? Well, Traceable AI is an API security platform company. And we can't really talk about Traceable without talking about our roots, which includes our founder Jyoti Bonsal and Sanjay Nagaraj. And Jyoti had success with AppDynamics, an application performance metrics platform, where the founders learned how to operate at massive enterprise scale, which is incredibly important in the API security space. There's a lot of APIs and they're being used all the time. And our customers are transacting in the hundreds of billions of API calls per month. And what we do is not just catalog discovery and visibility of APIs, but we're able to do normative baseline analytics against the risk and threat of APIs. And we are able to do it at massive scale. So we can catch things that are being abused by the bad guys before companies ever get notices about them from a vulnerability or a published threat standpoint, how we're able to discover those unknown, unknown threats within their environments. There's a way that we've built our platform different at the architectural core. So we've been in business now coming out of stealth about two years ago. And the company has had explosive growth and it's fun to be a part of another one of Jyoti Bonsal's enterprises. When you look at the whole evolution of security landscape, especially with the emergence of cloud, cloud native, how different is API security from traditional security? In my case, I have an unfair advantage in this particular question because I don't come from the solution side historically. Personally, I've been in solutions for about five years, but before that I was 20 plus years in the corporate world. And I was in enterprise roles, including CIO and Chief Information Security Officer, worked in banking for about 17 of those years. So I've been able to see the evolutions of the security and technology stacks over the last almost 35 years. And as we've gone from mainframe isolated systems to client server to data centers and now to cloud, what we see is that there is a virtualization that's been happening where we continuously virtualize upward. First we virtualized compute and processing and storage. And now we're virtualizing everything in layer seven. So all of the ways that applications interact with each other is now using APIs. You don't have to do point-to-point integrations. You don't have to do point-to-point data connectors. And today all of this cool stuff and massive business value is being delivered with APIs except there's been very little on the way of security over the last decade in the API space. So developers have been developing. Cool things have been happening. And now bad things are really beginning to rack up in the API space because bad actors are realizing that they could just attack those APIs and get the same outcomes that they used to have when they had to learn all of the other layers of technology and other layers of security. Now they can just do those with APIs and bot armies and a number of other techniques that are easier in order for them to exploit your systems. And we kind of live in an API-centric or API-driven world as you just pointed out to it. So let's also talk about how serious or how severe when it comes to API securities because when we look at APIs, you can talk about zombie APIs. It's a very big, very complicated space. So now let's look at this report that you folks did. First of all, let's talk about what was the goal of this state of API security report. And then we'll talk about what are some of the key findings that gives us a very good visibility into the state of API security. When we looked at the landscape of analyses and studies that have been done previously about API security, we saw a gap that we addressed with our approach to the issue. We coordinated with Larry Poneman and Sue Poneman, which is a great experience. You're dealing with one of the most well-known people in security studies on the planet. And as we approached Larry for a discussion about this, we said, look, what we don't want to do is what we've seen in the past, which is API security studies that focus on prior breaches or exploits. There's only so much that we can learn from history. What we really need to understand is what are the reasons and the mechanisms that are causing people not to make a decision to secure their API claim today. Why aren't people moving quickly? And when we look at the results and the findings that came out of this study, there are very few things that shocked me anymore in technology after three decades of being in it. But I was completely shocked to see what was mathematically a representation of the cognitive dissonance, this huge gap between people universally stating API security is an issue, a problem, a concern, a threat. It's a growing threat. And even more importantly, 74% of the companies that responded, more than 1,700 companies, 77% of them stated that they've experienced more than three API-related exploits or breaches in the last 24 months. And yet when we look at the study itself as it relates to, and what are you doing about it, the answer is 50%, 60%, 70% of companies are doing nothing. And I don't know that there's much of a, you know, an example in technology history that we can look at that there's ever been a time in this history that we see everybody universally agreeing that APIs are a risk and a threat, and that almost everybody is also saying, I'm not doing anything about it. This gap really, really represents the most important findings out of this study, that we're seeing people sitting and admiring the problem of API security while not necessarily changing their architectural focus, their budgetary focus, their resource focus on addressing the risks and threats that APIs represent today. What is the reason for this gap? Is it, I mean, the tools are there, completely attraceable, you folks are there. Is it once again, as you're saying, you know, initially we started talking about the whole shift left movement and everything else, but that sounds more like on paper, but those things are not taking place in real life in practice. So is it cultural, which is needed? Or it's like once again, CISOs, budgetary, did you also try to find, you know, what is the cause of this gap? Well, I think there's a couple of causes that are really well articulated in the report findings or they're implied and inferred. So a great example of one that's implied and inferred is, is it is very difficult for companies on a percentage basis in response to this study to find resources and money to address this problem, which suggests that we've spent 20 or 30 years building our current state security stack, and it's extremely difficult for us to change course. And why this is a problem is because for the bad actors, they are not burdened with those problems, right? They're not burdened with things that slow them down. Organizational structures, budgetary decisions, they're opportunistic, and our security organizations today are not agile in the face of that opportunistic behavior on behalf of the bad guys. So that's problem number one that clearly is shown in the results that we see. The other is, is that it requires us to rethink how technology is actually working today. When we think about virtualization and we think about APIs being the neural network that connects all of this data and all of these applications today, that's completely different than what monolithic applications look like. It's completely different than what the data centers look like. And we're not really addressing that change. And you mentioned shift left, and I think this is really interesting. An example of why people are not registering the need of implementing API security within their organizations comes with the very simple test that I frequently ask CISOs, which is if API security is supposed to be specific to AppSec, and you are attacked by a bad actor who uses APIs in a bot army to attack your application front end and shut down your digital channels, what vulnerability is that? And there's usually a pause and people go, well, that's not really an application vulnerability. And then my response is, then why are you putting all of your attention for API security in AppSec exclusively? Because APIs now represent a universal attack layer. I can use them to dust your applications. I can use them to exfiltrate data. I can use them to create fraudulent accounts as well as takeover existing accounts. And I can use them like network type packets to do attacks against your applications as well as all of your landed digital assets. And so I think that there's a lack of understanding in the marketplace of the diversity of ways that APIs can be used to attack and exploit. And I think that's really where the gap is today. People really don't understand how this universal attack layer of APIs works. And it makes it difficult for them to make the next step, to think about it architecturally and from a security standpoint. What kind of changes you think organizations need to have so that, once again, going back to the problem that you're talking about, so they're not looking at the wrong things. They are looking when they look at the security, they should have a holistic approach towards security. Yeah. Look, there's patterns that repeat themselves. And I think this gets lost in many of our technology conversations today. There was a time when you could walk into a data center and say, how many firewall rules do I have? And your security analysts would look at you and go, I don't know. Right? That's an unacceptable answer today. There's times when you could say, how many virtual machines do I have? And your engineers would look at you and say, I don't know how many virtual machines we have. They're kind of like popcorn. I can make as many as I want. And yet today, there's no place for a conversation to start with. I don't know how many virtual machines I have or how many web applications my employees are using. Or we see these patterns historically where developers are typically five to eight years ahead of security. That's an understandable pattern because developers' jobs are to deliver business value using technology. Security always follows behind because we don't really understand the dimensions of the risk and threat until things get into production. So I think that when we look at this need for change, we need to be respectful of history and go, how did we solve these problems previously? A solution is a part of that. But one of the things that really is clear is there is no governance. There is no policy framework. There are no security guidelines writ large that are being applied to the API space. And so we're all collectively learning on the job. Not just the solution providers like Traceable but the bad actors are learning on the job and our enterprise organizations and government agencies are learning on the job. It's clear that solution providers and bad actors are learning faster than the enterprise space is. And that's where we need to see those gear shifts change. We need to see intellectual curiosity within enterprises to say, how are all the different ways that I can be exploited, breached or attacked? And am I reducing or expanding my threat and risk surface or attack surface every day? And if I'm not reducing it, what do I need to do to change that? And I think that there's just a lot of questions that are coming to the fore. But back to the most important point that you made Swapnil, the reality is that it is gaining attention today because more and more bad things are happening in the API space. And the breaches that are happening in the API space are extremely troubling. Because it's not just in the case of a major mobile carrier, they didn't just lose your personal data again, which is a very common outcome of most breaches and exploits. They lost your entire bill payment history. They lost what plan you were subscribing to. They lost a tremendous amount of contextual information that is extremely important to the bad actors when they engage in social engineering and other types of hacks and breaches. And this is the kind of data that's being exposed in these API hacks. And I think that sadly, there's a certain cynical part of me as a former CISO that says, all we need is another news story and people will get much more motivated about API security. But frankly, after 30 or 40 years of security, we should be well beyond needing bad news, driving business decisions. We should be making decisions based upon what's important for the reduction of risk and threat within our environments. Very well said. And also when you're talking about that organizations need to be more kind of creative or curious about it, but whose responsibility is it? Who owns API security? Because when it becomes everybody's problem, actually it is nobody's problem. That is very, very true. And I'm gonna point to the study results on this particular question, because I think it's really telling about how fragmented the decision making and the responsibility assignment is right now in the enterprise. We see obviously a large percent of respondents, almost 20% that say it's the CISO's remit, right? But then we see an almost equal number, 17% or so, saying it belongs to CIOs and CTOs. And I think that's really interesting because we have a very specific security problem here, very specific risk and threat problem here. And yet there's one out of five respondents that are saying this is actually a technology problem bigger than just the CISO. We're also seeing assignment, it should belong to the line of business, which is also an interesting development because it's suggesting that developers that are associated with those particular business units should have the obligation for API security. So I think that this kind of fragmentation today of who should be assigned the responsibility for API security is also a representation of what problems that we have. Because we're still arguing who should be owning API security and the bad actors once again are not burdened with that problem. In fact, they like the idea that nobody knows who API security should be assigned to. Because if there's one thing that bad actors love is they love gaps and blind spots and processes and organizations and in structures and in frameworks. So I think current state today suggests nobody's sure. I will say definitively, and this is Richard's observation and opinion, I will say definitively that I believe that API security squarely belongs in the chief information security officers remit, but that does mean we need to change a lot of current state structures around application development and design, security architectures, frameworks and all of those types of other components of securing our enterprises. I don't think in a way that when we do see all those news to relate to security, mostly we hear about big companies also because they also generated a lot of page views. Nobody cares about a tiny company got compromised. I don't think that we might assume that the larger organization you are, the secure discussions move to the board rooms at that level, board level. Do you also see based on this report that it also depends on the size and nature of organizations, how they deal with security? Because as I said, most of the time when we look at these breaches, they are compromising some very, very critical information and there are some very, very large organizations there. Certainly the headline breaches with tens of millions of accounts or tens of millions of users or fraudulent account creation, those grab all of the headlines. There's an interesting component to this study as well that is showing that when we get into small and medium-sized enterprises, there's a repeat of the same argument that we've heard forever, which is, well, I'm a medium-sized enterprise and I don't have a large security organization and I don't have the same kind of money as the big guys to spend. And the reason why this is a flawed argument is those same companies never have the same defense when it comes to app dev. It's funny that you're not, it's funny that you're not poor enough to be stopping any API development. And you want the benefits that you get from API development but you don't want the realities of the economic investments necessary to secure that plane, which is what I think nets to a flawed argument all the way around, right? You don't get to say, look, I wanna go out and buy a Ferrari and be a race car driver and then not to suffer the consequences of having a cool car that goes really, really fast but you don't know how to drive it. And that's what we're kind of seeing in the API space. Oh, look, this is very easy to create an API call. And really when we look in the small and medium sized enterprise space, the security consequences are actually accruing to the larger enterprises. So APIs today are the primary pathway for third party access for any number of organizations. So now you start to see the API threat and risk of a small company that is in the supply chain of a larger company now creating significant problems for that larger company. So like I said, these are patterns that we've seen before. We've seen third party risk issues, manifest in monolithic applications and data centers but it seems like we're also not applying our learned lessons from those times in these cases. So a lot of young and smaller companies using APIs as their primary method for integration or providing services commercialization to large enterprises. And now we have an even further expanded attack surface because these small companies say, I don't have the resources to be able to do security against these APIs. So again, tons of conflicts. Look, I think it's not an all bad news conversation. We're obviously seeing decisions and strategy and conceptualization going in the correct direction. The reality is in the API space, whether you're a large company or medium sized company, you need to be moving faster because the bad guys are moving at light speed. And if we're sitting around continuing to admire the problem and trying to figure out what strategies we're going to adopt to fix it, that's just more time that the bad guys have to do bad things. The worst thing with the bad guys versus good guys is that as a good guy, you have to be right 101% time. Bad guys have to be right only once and that's what the big difference is. Can you tell me that, when we look at the whole API security, it is complicated, depending on the perspective that you look at as you gave the analogy of Ferrari, I'm into steam racing, so I do know what you mean. You cannot just get into Ferrari and put on any other sports car and put your foot on the gas. It will be out of control, but most people don't even know that and they think that's how it works, which is that your security is complicated depending on how you look at it. It is overwhelming also, your teams are already doing so many things. A lot of things are moving into developers' pop line thanks to the shift left movement. Talk a bit about how it's traceable making it easier for these organizations so that irrespective of how they have seen so, not what a strategy they have, at least some of the critical workloads are kind of safe so that they can, their developer teams continue to focus on adding business value without getting overwhelmed or scared because security sometimes slow you down, it can stop you as well. So talk about the role you folks play in helping these organizations that you surveyed. Well, I'm going to start my response with something that I think might be a contentious statement, but I'm known for that in the industry, so I'll just say it. I think that using the rationalization and excuse that security is complex is a broken argument. And the reason is, is that everything in life is complex. Things in the analog are complex. If you don't believe so, take apart a Swiss watch that winds and try and put it back together again, right? Our relationships in our family are complicated. Having a family member in the hospital, there's complications. We can't use complicated as an excuse anymore. However, when we look at the solution side and to your point about what Traceable's doing about that, the truth is that we in the solutions industry for security have spent too much time building solutions that require expertise on the part of the security staff and professionals that are operating it. And what this causes is fatigue, right? So I produce tons of information and now you've got to sort through it as a security analyst to try and find, the single risk that is a needle within a needle within the needle of an eye of a needle in a haystack. And it becomes very, very difficult. So Traceable is leveraging things like AI, which have been around for years. I don't like to talk about AI nowadays because it seems like it's a new thing and it's not. But we use AI to grind enormous amounts of data about these APIs and try and pinpoint the actual moment of threat or exploit or risk in a way that we can manifest it in with context to the security analyst. So they go, I know exactly what to do. Now I've got the warning, I've got the alert and I know what action I need to take. And the next step from that, which we also do at Traceable is to automate that, right? Now automation has been an interesting challenge because a lot of people say, I want something like runtime protect, but their internal processes are not yet to a point to be able to ingest an order or a command that says, this application is being attacked, shut it down right now. People are extremely worried in the business side of production impacts and customer impacts. And we haven't conditioned our systems to actually be able to capitalize on these automated capabilities, but we can see a world and you probably are having tons of conversations with other security providers where we can see a world where automation orchestration and the actions taken based upon the decisions generated from these new generation security solutions are going to be able to operate at the speed of the bad actors, which is our biggest issue today. The bad actors are faster, but being able to leverage technologies like AI and threat analytics and normative baseline analytics and runtime protect, all within the traceable suite are going to be the way to be able to get ahead of the bad actors with every single discovery of a potential exploit that we make in your environment. I want to talk about AI. Now let's look at AI from two different perspectives. I've been asking this question to all the security folks also. That one is AI for security and second is security for AI. A lot of companies which are running all these AI workloads, what does API security mean for them at the same time? What does these new generative AI technologies mean for API security? Let me start with AI protection first because it's actually a very common use case that we're asked about at traceable. And when we talk to large enterprise companies, the very first request that they're making of us is, is can you buy me enough time for me as an enterprise organization to figure out how I want to operationalize AI in my organization? And really what they're saying is, is help protect my corporate data from being exposed to public or open AI engines. Because there is no delete my data button, there is no regulation, there are no protections once your corporate data is exposed. And we saw this specifically in the Samsung hack that has drawn so much attention, which is an analyst decided that they wanted to, grind a faster spreadsheet and they exposed something like 5% of Samsung's corporate financial data to AI engines. So the great thing for us is all prompts, ingestion, outcomes, outputs in the AI space all right on APIs. And because of that reality, we have an unfair advantage in being able to help companies protect their data from being exposed externally. So that's job number one for us in the AI space. Now, when we look at it from a product standpoint, you know, again, you know, the froth and the excitement about AI has been heavily oriented towards large language models in the media of the last six, you know, to nine months. I again, contentious statement, large language models are actually the least interesting component of the AI space. You know, computational AI and, you know, things that are really advanced like planar geometry and, you know, all the different things that take a tremendous amount of work and effort for human beings to calculate are where AI is getting super interesting. And LLM AI is interesting, but only for specific use cases. So I would say that, you know, for the solution space, our orientation towards computational AI and how we leverage AI to continuously narrow the window of, you know, variables and information associated with one specific threat. And now take that one specific threat and multiply across billions and billions of calls, being able to have that type of laser point accuracy is only able to be achieved using AI. And that's what we're continuously building and expanding within our security solution, you know, and the traceable platform. And we're not unique in that. I think that if companies are not aggressively figuring out how to leverage AI to improve analytic results, risk reductions and automation, they're going to be left behind in the overall scheme of things. And, you know, our commitment to AI includes bringing, you know, folks like, you know, the founder of AI for Yuaiba, Zhixiang Wang, you know, having Dr. Wang on staff is just another part of our commitment because we've seen the benefits the AI can yield and we've seen it over the course of years, not over the course of the last nine months. Richard, thank you so much for taking time out today and walk us through this, you know, whole report. And also, I mean, there are a lot of worrying some trend but you also said, you know, that a lot of positive things are also happening. So we hope that, you know, security and you're right about that. It is everything in life is complicated. And that's what I said, depending on who you talk to for a lot of folks driving a Ferrari and Lamborghinis or Bugatti is as easy as driving your Kia. But, you know, that's, you know, for you it's easy because you used to be a CISO as well. But, you know, it's good to see a company that is actually helping organizations in securing their workloads, their applications. And I would love to chat with you again, not only whenever you come up with new reports but also just to keep helping folks in securing their workloads. I really appreciate your time today and I would love to talk to you again soon. Thank you. I thoroughly enjoyed myself and thank you so much Papno. And anytime, you know, my job is, you know, not just traceable but to be a resource when it comes to security in the marketplace. And I'm happy to have any conversations you'd like to have in the future.