John: Hello, and welcome to this theCUBE special presentation of the AWS Startup Showcase on cybersecurity. This is theCUBE season three, episode three of the ongoing series covering the exciting startups from the AWS ecosystem. I'm your host, John Furrier. Today we're joined by a great guest, Ruti, VP of product at Secureframe, a hot startup. The VP of product has got the keys to the kingdom. We're going to talk about how AI can simplify InfoSec compliance. Thanks for joining us today. Thanks for coming on.

Ruti: Yeah, thanks for having me, John. Great to be here.

John: Ruti, the compliance automation space is really young. We were talking before you came on camera, but we're in a world where security risks are everywhere. You've got shared models out there, which create opportunities for exploitation. You always have to watch that interoperability. There are so many people trying to win the compliance game and trying to get there, mend the vulnerabilities in their cloud configuration. This issue isn't just about fixing the present. It's about paving a safer future. I mean, this is kind of setting a foundation for this next wave. You get a lot more data, budgets aren't doubling, data is doubling or tripling, AI's here, but yet a lot of the blocking and tackling is still the same. So you've got the present and you've got the future. You guys are in the middle of this with Secureframe. Give us a taste of how you see this market of compliance and what you're doing. Take it away and introduce the company.

Ruti: Yeah, sure. So at the end of the day, the core mission and vision of Secureframe is to actually simplify compliance for businesses of all sizes, right? And we believe that a lot of that simplification happens through automating the work that needs to be done. At the end of the day, most of our customers tend to be very tech-forward, tech-enabled companies. So their entire infrastructure stack tends to be in public cloud. They use a lot of SaaS tools for endpoint management, single sign-on, HR. Their apps are typically in AWS, Azure, GCP. And so it actually is very easy to get a very good idea of the posture, the security posture and the compliance posture, of these organizations, because so much of their technology infrastructure is actually cloud-native and API-first, right? And so the mission and the goal of Secureframe, and the value that we provide, is really to plug into all of the different infrastructure assets that you have and simplify the compliance workload that you typically have to go through to get a SOC 2, to get ISO 27001, to get FedRAMP authorized. There's a lot of manual people work that is involved in that process, as I'm sure you're aware. Large security teams, as you mentioned before, budgets are not getting bigger. We have a cybersecurity shortage from a skills and labor gap perspective. And we think that things like automation and AI can actually go a long way in addressing some of the skills shortage, as well as the lack of budget that a lot of customers are seeing today to invest in security and IT.

John: So you're mainly targeting the market of cloud-native people, in the cloud or with cloud operations, is that right?

Ruti: Yeah, the company certainly started that way. As we've grown, and we're about three years old and we've grown pretty significantly, we're over 2,000 customers at this point, from nothing in 2020. And as we've grown, we've naturally seen a pull upmarket, right? So we started off really with the 50-person, 100-person tech startups, largely based in Silicon Valley and New York, all the tech hubs. And now we're really starting to see 500-person, 1,000-person, 2,000-person organizations coming in. And as those larger and older organizations come to us, the tech stack looks a little bit different, right? All of a sudden you start to see customers that are not entirely in AWS. They might have some servers on-prem. They might have some applications in a colo somewhere. And so the infrastructure mix is a little bit different now than what we have seen before, but we're still very much focused on the tech-enabled and tech-forward companies.

John: You know, Ruti, a few years ago, maybe five years ago, I remember Dave Vellante and I were doing a deal with our CUBE software, our platform for hosting videos, a simple thing. We had to do a compliance checklist, and it looked like a 1995 list: who's in your data center, what software are you running on the server, all these old-school checkboxes that don't apply to us, we're born in the cloud. So I see this clearly. That was years ago; now more than ever, there's a migration to cloud operations. The key is you've got the connection. So you mentioned earlier the visibility into posture. And I bring up the checklist because that was a nightmare. I had to go in and think everything out. And that's the nightmare of the existing enterprise, the legacy, right? So as you get more connected in the cloud, how does that enable you guys to be successful, and what's the benefit to the customer, and how fast does that happen? Is it easy, is it hard? Take us through that use case, because this is a dream scenario from a telemetry or connected-oriented dataset.

Ruti: Yeah, yeah. I mean, look, for the customers that are entirely born in the cloud, this is actually a very easy problem to solve, right? Because most of these cloud workloads have a public-facing API, so it's very easy for us to grab that data. You probably went through that process yourself if you had to go through that compliance checklist. A lot of that is around evidence collection. It's like, yeah, I adhere to this control, now I need to go and find the evidence that shows and proves that I adhere to this control. And oftentimes that evidence is a screenshot, or it's a PDF doc that some poor person somewhere has to go and take a screenshot of a lot of different console screens, or export a whole bunch of PDFs and figure out which controls need which uploads, and so on and so forth. The reality is all of that stuff can actually be blown away by automation if that information, that metadata around the configuration of those workloads and the configuration of those applications, is made publicly available, right? And so we plug into AWS, we plug into Azure, we plug into GCP, we plug into your endpoint management tool, your single sign-on service, your HR tools, your code repos and version history and version change tools, your ticketing tool, all of these different tools. And the purpose of it is to basically automate the evidence collection and the workload testing that needs to be done to prove that you are compliant with the thing that you say you're compliant with. And so for organizations that are cloud-native and API-first, that is actually really, really easy. You don't have to do it manually anymore. There are compliance automation technologies out there, like Secureframe, that make that job super easy for you. For organizations that have a hybrid setup, and we have a lot of companies that have some stuff, like I mentioned, on-prem, it's a little bit trickier. But even a lot of the on-prem services now actually have an external-facing API, right? They have an internet-connecting or internet-facing connection that we can pull into. And so we recently just launched our API so that customers can use our API to build that kind of custom middleware with their on-prem services, so that they can build that same level of automation that we offer out of the box for a lot of the cloud-native stuff.
And obviously, as we grow and as we see more and more larger customers in mid-market and enterprise, we expect that we'll have to build a lot of that stuff out of the box ourselves as well. But that's really where the company, and where I believe the market, is headed.

John: That's huge, by the way, too. I love the cloud-native piece. And for the hybrids, if you have the cloud ops, that's key. You guys are also notable for having some of these GovCloud integration announcements and capabilities. We want to get to that in a second. But before we get to GovCloud, which is a whole other animal, the Amazon cloud: talk about the capabilities there. You just have a lot going on there. The benefits on Amazon, the integration testing and what you guys solve for. I mean, obviously misconfigurations are huge. I mean, everyone knows the S3 bucket not secure example, but that's trivial. There are other misconfigurations. A lot going on. What are your capabilities in AWS, for example?

Ruti: Yeah, it's pretty deep. The company, the product, really started with cloud infrastructure testing, specifically for AWS. So we've got well over 300 different individual tests that are running against different AWS services. And so in a lot of ways, you can actually think of this kind of technology as a CSPM, right? Not sure how familiar you are with cloud security posture management, but tools like Wiz and Orca and Lacework: this is a similar kind of technology with a different application, right? If you look at the CSPM space, it's really around detecting cloud application security vulnerabilities and then remediating them. What vendors like Secureframe do is we actually identify those misconfigurations. We help you remediate them, but the angle is really from a compliance perspective. And so when we talk about AWS, we've got over 330 native tests that are offered out of the box, specifically for AWS. You mentioned S3 bucket encryption as a good example. That's kind of the classic one we like to talk about, in terms of making sure that it's very easy for you to prove that you have encryption at rest turned on for AWS. But there are plenty of other ones, right? Like, do you have multi-factor authentication turned on for your AWS console logins? Do you have CloudTrail turned on for logging? Do you have a WAF enabled for your AWS services? And so on and so forth. And all of these tests tend to map to a certain control requirement that is necessary for you to be able to check the box for SOC 2 or ISO and so on and so forth. And that's really where the evidence collection and the posture checking comes in, right? If you have those things, we automatically pull that information and we keep it in our system. And that becomes your evidence, that becomes your proof that you adhere to that particular control. So instead of having to take screenshots of every single S3 bucket that you have encrypted to prove that they're encrypted, really what it is is we are automatically pulling the metadata and we're appending it to that control to say, yeah, all your S3 buckets are encrypted, because that metadata field is showing that they're all encrypted.

John: I mean, yeah, having an actionable place is key. I want to ask you about the difference between, like, a mechanism or a process versus, say, a workload. The S3 bucket was a great example. That happens a lot. But now I've got the process, I've got mechanisms. Now I've got, like, context, my workload end to end. How do you guys view that piece of it, automating that workload versus, say, the mere process?

Ruti: Yeah, I mean, I think it's important to have visibility into the configuration layer. That is, I think, more so what you're talking about when you think about the process piece. And then it's also important to actually have visibility into the data layer, right? And that's really around the workload itself. It's one thing to know whether or not an AWS S3 bucket is encrypted. It's another sort of thing to know, like, what's the severity if it's not encrypted? And that's kind of dependent on the context of what is the data that is actually stored in that S3 bucket. And so right now we have a lot of conversations going with different providers, vulnerability scanning tools, vulnerability management tools, CSPMs, to have better context into that information. And that's going to ultimately enrich our platform to help our customers be able to make better decisions, to be able to stitch together both the workload context of the data itself that exists in those services, as well as the configuration context of whether or not those services are configured or misconfigured in the first place.

John: Nice, great, great solution. You guys are well positioned, I think, for this whole next wave of app development. Obviously AI is huge. I've got to ask you to lay out the products for me, for the folks watching. What do you guys offer for services? What's the difference between the offerings now, and also what AI do you have? Because, I mean, you have some AI going on, which is great automation; it makes perfect sense. Lay out the products and let's get into the AI aspect.

Ruti: Yeah, yeah. So at the end of the day, we've got two products, fairly simple. Secureframe Comply, which is our core compliance automation product. So everything that you need to pass a SOC 2, pass ISO, pass FedRAMP, GDPR, whatever the framework is, we offer as much automation as we can out of the box. Obviously there are some things around process that simply can't be automated. And for that, we offer pretty flexible workflow tools to allow you to do that. So Comply is kind of our core product. We have another product called Secureframe Trust that we launched earlier this year, and it is actually doing quite well. And the idea behind Secureframe Trust is basically that a lot of customers, once they actually go through the compliance regime and they go through the compliance journey, want to be able to publicly demonstrate that they are compliant. They want to show off their security posture as a differentiator, right? Because it actually helps them close more deals and accelerate their pipeline. And there are two main things in that vendor procurement cycle that they're looking for. One is an easier way to be able to answer vendor questionnaires and security questionnaires that they are receiving. And so we have some AI that actually automates the filling out and the populating of those questionnaires, based on an internal knowledge base that you would have that we would plug into. And another is around a public-facing trust center, right? And I think the world and the industry is moving more towards a model around profile-based trust. Nobody really wants to fill out 200-page questionnaires anymore. People don't want to send them, people don't want to receive them, right? And so I think the future really is around profile-based trust and sending people to a trust center where you show all of your accreditations. You have a lengthy FAQ place where people can get that information and self-serve, and you can tightly control who gets access and who sees it. But your security team and your AppSec team and your development team are not having to spend hours and hours answering every single security questionnaire, and they can actually get back to their core jobs, which is development, or which is actually securing the organization. On the topic of AI, it actually extends across both of those products. If you think about what compliance is at the end of the day, the content of compliance is a lot of text. It's a lot of unstructured text, right? You have policies. What's in a policy? It's text. You have control language. What's in the controls?
It's text, right? You have framework requirements. What's in that? It's text. So large language models are actually really, really good, and compliance is a perfect application for how we think about using LLMs to actually automate a lot of the manual work that our customers are having to do. So we recently launched Comply AI for Remediation, and what that basically does is, with the click of a button, if we detect that you have a control that is failing because there's a cloud resource that is misconfigured, we can automatically generate the infrastructure-as-code instructions for you to copy and paste to fix that misconfiguration, right? So historically, you would have to go into the AWS console, you'd have to look for the thing that is failing, find the setting, check it, turn it on, and so on and so forth. It's a lot faster if you can actually do a lot of these things as IaC. And so we launched Comply AI for Remediation for AWS first, for all the AWS commands, and then we shortly followed that with Comply AI for Remediation for Azure and GCP customers as well. So that's just one example. Questionnaire automation, which I mentioned, was another one, where we are using large language models to automatically populate answers to questions that people are receiving for their security questionnaires. We're able to get to 90% accuracy even on the first try. And so instead of your team spending a lot of time filling it out from zero to one, a lot of that legwork is done for you. Now your team just has to do the editorial work of making sure that the answers are right before you send it off. And we're starting to see dramatic time savings from customers by using some of these tools.

John: Well, I mean, there are so many benefits. You get the time savings. You reduce the steps it takes to do things that were manual tasks. But also, I think the enablement piece, in the first part of that talk you just gave, a masterclass I would say, the first part is this underestimated revenue side of the equation there, the review side: enabling more business through advertising your posture is really critical for how deals get done. Integration.

Ruti: Absolutely.

John: What not. This is an untold story. It's really relevant. And the engineers are being pulled into essentially biz dev deals to drive integration. That's the way it works. That's the way software works now.

Ruti: Absolutely.

John: That's a huge upside. That's a revenue generator. And then the other side is the savings of time with the policy. So, I mean, hey, the tasks are infrastructure as code. It's the same code every time, almost. It's not rocket science.

Ruti: Right, right.

John: Yeah, I mean, how do you look at the language models? What are you guys doing? Are you leveraging the LLMs or foundation models to come in with your data? Is that just unstructured data? You're creating NLP. Are you doing vector databases and embeddings? What's going on?

Ruti: Yeah, so our pipeline is a mixture of all of those things. So we do use open-source LLMs to power a big part of it. But then we actually enrich that pipeline to get better data accuracy. So we do a lot of prompt engineering on our own side. We apply our own weights and biases towards certain answers. And we are constantly fine-tuning the system to basically get better answers, right? At the end of the day, a lot of this stuff is generative. And so you have the opportunity to fine-tune it through things like prompt engineering and adjusting weights and biases and so on and so forth, to get to the ideal answer that the customers are looking for.

John: Awesome. What's next on the GenAI front for you guys? Obviously the low-hanging fruit is those infrastructure-as-code manual things. Is there a future where you see it going completely autonomous? Because you want to have everything connected, because I can imagine more telemetry is going to come in as more configurations happen, and you want to manage the IaC. Do you see an admin role being automated soon? Or do you see that as maybe too far down the road?

Ruti: I think that there's still a lot of room for human judgment in a lot of these things. When you think about the GRC space, right? Governance, risk and compliance. I think that it is fairly easy to automate a lot of the manual tasks around compliance, but how people interpret risk tends to be very personal and tends to be very subjective, right? And you can certainly use AI to give you a readout or an interpretation of the risk that an organization has. From the customer conversations we've seen, I don't have the confidence yet that AI will get to a point where our customers feel comfortable just entirely relying on GPT, or relying on Hugging Face, or any of these LLMs to actually determine their risk posture for them, right? There still has to be that human judgment that is there. So one of the things that we're actually embedding AI in is allowing people to do risk assessment and risk discovery much more easily using artificial intelligence, but ultimately you still want that control to be in the hands of a person. People don't like black-box models. I think we learned that in security a long time ago. There's always been the promise of black-box ML. It's nothing new, right? LLMs are really just the latest craze, but we've had these black-box ML-powered models when you think about the layers on top of SIEMs, what we used to do with UEBA and XDR and MDR, and all the smart scoring that we used to do around risk scoring and threat scoring. But at the end of the day, people want to tinker. So people want a customized risk score, right? Not everybody operates on the same risk spectrum. Not everybody operates on the same risk score. And so you have to build a lot of customization in to give people the degree of freedom to assess and to manage their risk landscape the way that they want to. I think LLMs help automate some of the more menial tasks around that, but you still have to leave room for the human judgment.

John: Ruti, thanks for that extra commentary. That's great advice on the LLMs. We agree: huge upside potential with AI, and the more pragmatic, operational things automate what you know. You need a script, you need some code, infrastructure as code to fix a known thing. That's pretty straightforward. Until explainability comes out, I think it's going to be a while before we can make sure that just having a good report that says you're secure doesn't mean it, may not mean it. You've really got to ensure that. Great stuff there. I've got to ask you about the GovCloud piece. I saw that you guys had some new features for Amazon GovCloud. I bring that up because what's great about cloud-native and the things that you guys are doing is that you can be agile with your technology, right? In the old days, government-related stuff was a whole other animal. They do things differently. Talk about how you guys sequenced to GovCloud from the Amazon cloud, how that integration went for you guys, and what it means for the customers, now that you see more private-public interconnection points in apps, right? GovCloud is a customer with private companies, and there's a lot more integration going on between the private and public sector.

Ruti: Yeah, yeah, look, I mean, the GovCloud thing for us, we got pulled into that naturally through a lot of customer momentum. A lot of our customers, naturally, being in the compliance space, have to actually adhere to FedRAMP, CMMC, NIST 800-53, NIST 800-171. The acronyms keep coming, right?
And I think there's the commercial side of the business, where a lot of startups are obviously targeting and selling to each other, and you need things like SOC 2 and ISO 27001 for that. But at the end of the day, the biggest cybersecurity buyer in the world is the United States government, right? And so it's a meaningful portion of a lot of our customers' businesses. And so it was a no-brainer for us to extend our capabilities and our service from AWS commercial cloud to GovCloud, because our customers are doing business with the US government and a lot of their infrastructure is actually on GovCloud. So they wanted us to be able to extend the same kind of evidence collection and automation capabilities, the same kind of real-time continuous monitoring capabilities, the compliance data management capabilities. They wanted us to extend that from what we offered on AWS commercial cloud to GovCloud. And so it was a natural pull motion for us to go in that direction. But as a result, we are also now seeing significant opportunities, obviously, in the government space.

John: Well, so, Ruti, you've got a good, growing market that's changing, and fast too, with AI; a business model that's clean, growing with the cloud-native; you've got the secret sauce with the technology and AI. Let's talk about the customers. Again, the topic of this talk is how AI can simplify InfoSec compliance. What's in it for them? What are you seeing? Can you share the reaction they're having? Obviously, where it's changing for them, where you're winning, why they're working with you guys? Take some time to talk about the customer and how AI can simplify their InfoSec compliance.

Ruti: Yeah, absolutely. I'll give you a couple of customer stories off the top of my head to illustrate the power that AI and automation really have in making this space much more productive and efficient. On questionnaire automation, for example: if you were to boil down the average security engineer salary or application developer salary in Silicon Valley and in New York, you're probably talking about 150K, 200K, maybe 250K a year. Hourly, that breaks down to about $150 an hour. The average security questionnaire takes anywhere between eight to 10 hours to complete. Most of that is actually on the security team or on the application and infrastructure team, like your DevOps or your platform and infrastructure teams. So on average, each questionnaire is about $1,000, anywhere between $1,000 to $1,500, for one questionnaire. And when you tell a customer, hey, our packaging is an annual subscription fee (we won't share the pricing; typically we work with the customer very closely to make sure that pricing is appropriate for them), it's kind of a no-brainer. If you're doing 15, 20 questionnaires a year, it's a no-brainer for you to actually use AI to automate the questionnaire answering, as opposed to taking time away from your developers to do it. One side of that equation is the money that is spent in terms of salary. The other side of that equation is the opportunity cost. You just took away 10 hours from your developers to answer a security RFP. They could have spent those 10 hours actually building better products, actually making sure that your environment was more secure, and so on and so forth. So the opportunity cost makes that trade-off even more apparent and even more of a no-brainer. So those are some hard numbers that we typically have seen from customers when they think about leveraging our Trust AI capabilities to automate security questionnaires. On the Comply AI for Remediation front, again, another good example: I was talking with a customer who, when we walked him through the reasons why one of his cloud configurations was misconfigured and why that test was failing, told us it took them two hours to scour through all of the documentation to find the right setting that was causing that test to fail, that was causing that control to fail. And when we launched Comply AI for Remediation and we just generated that as infrastructure as code, he fixed that problem in five minutes. And that was one test in one control. We run over 300 tests for AWS alone. So the time savings compound very quickly when you start to think about some of these use cases and applying them at scale.

John: I mean, it's really a quality of life thing too for the staff as well. It's more the burden of the hassle, right? It's the custodial work, the labor, the rock fetches, grunt work, whatever you want to call it. It's just a pain, and no one wants that, right? And that's a retention issue as well. And then productivity is huge. I mean, no-brainer. Talk about the next step for you guys. What's on the roadmap? I've got a couple of minutes left. I wanted to get your thoughts as a VP of product. What are the top features people are asking for that you're going to build? Or what do you see coming that you've got your eye on? You put a little market requirements around it. What are some of the product things that you see coming?

Ruti: Yeah, I think it stems back to what we started off this interview with. We are naturally getting pulled upmarket with larger and larger customers. And what a 50-person startup or 100-person startup looks like is very different from a 1,000-, 2,000-person company that's been around for five, six, seven, eight years, right? Their infrastructure is different. Their business processes are different. They have more business units. They have more product lines that have different compliance requirements. And so a lot of what's on the product roadmap going forward is really going to be making sure that we can support and cater to larger organizations while not losing the simplicity and the usability that has made us so popular and so well adopted in the SMB space, right? People come to us because it was very quick to get set up on Secureframe. Most of our customers configure all of their integrations in a couple of hours. We don't want to lose that kind of usability as you go upmarket, but at the same time we want to introduce flexibility into the system so that, hey, if you are using an app that we don't support out of the box, you can use our APIs or you can use an integration builder to custom build that integration yourself. Or if you are bringing your own control set into Secureframe, and you don't want to use our control set because you've had a compliance program for years and years, we want to enable you to bring your custom control set and your custom frameworks into the system and easily map your things to our tests, so that you can take advantage of our automation without forcing you to rebuild your entire compliance regime just to be able to use a tool. So that kind of compatibility with enterprise organizations is really key on our near-term roadmap.

John: Operationalizing it easily is a great growth strategy. I think that's going to work well for you guys, so congratulations on the success, Ruti. Thanks for coming on theCUBE here as part of the AWS Startup Showcase, and again, I'm looking forward to chatting more, and again, congratulations to Secureframe and what you guys are doing. Thanks for coming on.

Ruti: Yeah, thanks for having me, John. Really enjoyed it.

John: Okay, how AI can simplify InfoSec compliance, here on theCUBE's presentation of the AWS Startup Showcase on cybersecurity, season three, episode three. It's great. Check out these companies; they're doing great, and the hot startups are there with the new solutions: cloud-native, connect your network, get that compliance automated, and AI is right there. All the benefits coming on here on theCUBE. Thanks for watching.