Welcome back, everyone, to our special presentation here at theCUBE with Horizon3.ai. I'm John Furrier, host of theCUBE here in Palo Alto. Back with us is Snehal Antani, CEO and co-founder of Horizon3, for a deep dive going under the hood around the big news and also the platform, autonomous pentesting, changing the game in security. Great to see you, welcome back.

Thank you, John. I love what you guys have been doing with theCUBE. Huge fan, been here a bunch of times and looking forward to the conversation.

Let's get into it. All right, so what's the market look like and how do you see it evolving? We're in a down market relative to startups. Some say, and our data that we're reporting on SiliconANGLE and theCUBE says, that yeah, there might be a bit of a downturn in the economy with inflation, but the tech market is booming because the hyperscalers are still pumping out massive scale and still innovating. So for the first time in history, this is a recession or a downturn where there are now cloud-scale players that are an economic engine. What's your view on this? Where's the market heading relative to the downturn, and how are you guys navigating that?

So the way I think about it: one, there's a lot of belief out there that we're gonna hit a downturn, and we've started to see that. We started to see deals get longer and longer to close back in May, across the board in the industry, and we continue to see deals get at least back-loaded in the quarter as people understand their procurement, how much money they really have to spend, what their earnings are going to be. So we're seeing this across the board. One is quarters becoming lumpier for tech companies, and we think that that's gonna become kind of the normal over the next year. But what's interesting in our space of security testing is a very basic supply and demand problem. The demand for security testing has skyrocketed. When I was a CIO eight years ago, I only had to worry about my on-prem attack surface, my perimeter and insider threat.
Those were my primary threat vectors. Now if I were a CIO, I'd have to include multiple clouds, all of the data in my SaaS offerings, my Salesforce account and so on, as well as work-from-home threat vectors and other pieces. And I've got regulatory compliance in Europe, in Asia, in the US. Tons of demand for testing, and there's just not enough supply. There are only 5,000 certified pen testers in the United States. So I think for starters, you have a fundamental supply and demand problem that plays to our strength, because we're able to bring a tremendous amount of pen testing supply to the table. But now let's flip to: if you are the CEO of a large security company, whether it's a consulting shop or so on, you've got a whole bunch of deferred revenue in your business model around security testing services. And what we've done in our past, in previous companies I worked at, is if we didn't think we were gonna make the quarter with product revenue, we would start to unlock some of that deferred services revenue to make the number, to hit what Wall Street expected of us. In testing, that's not possible because there's not enough supply, except us. So if I'm the CEO of an MSSP or a large security company and I see a huge backlog of security testing revenue on the table, the easy button to convert that to recognized revenue is Horizon3. And when I think about the next six months and the amount of revenue misses we're gonna see in security shops, especially those that can't fulfill their orders, I think there's a ripe opportunity for us to win.

Yeah, one of the few opportunities where in any market you win, because the forces will drive your flywheel.

That's exactly right. Very basic supply and demand forces that are only increasing with pressure, and there's no way... it takes 10 years just to build a master hacker. It's a very hard, complex space. We become the easy button to address that supply problem.
Yeah, and the autonomous aspect makes AppSec reviews... as new things get pushed with cloud-native developers, they're shifting left, but still the security policies need to keep pace as these new threat vectors appear.

Yeah.

A new thing makes a vector possible.

That's exactly right. I think there are two aspects. One is, as you increase change in your environment, you need to increase testing. They are absolutely correlated. The second thing, though, is for 20 years we focused on remote code execution, or RCEs, as an industry. What was the latest RCE that gave an attacker access to my environment? But if you look over the past few years, that entire mindset has shifted. Credentials are the new code execution. What I mean by that is, if I have a large organization with a hundred, a thousand, 10,000 employees, all it takes is one of them to have a password I can crack in a credential spray and gain access as an attacker. And once I've gained access to a single user, I'm gonna systematically snowball that into something of consequence. And so I think that the attackers have shifted away from looking for code execution and looked more towards harvesting credentials and cascading credentials from a regular domain user into an admin.

This brings up the conversation I would like to do a more deep dive on now: shift into more of the real landscape of the market and your positioning and value proposition in that. And that is, managed services are becoming really popular as we move into this next wave of supercloud and multi-cloud and hybrid cloud. Because, I mean, multi-cloud and hybrid, hybrid then multi-cloud, sounds good on paper, but the security ops become big. And one of the things we're reporting here on theCUBE and SiliconANGLE the past six months is DevOps has made the developer the IT team, because they've essentially run IT now in the CI/CD pipeline, as they say. That means IT is replaced by data ops or AI ops or security ops.
And data and security kind of go hand in hand, so I can see that playing out. Do you believe that to be true, that that's kind of the new operational beachhead that's critical? And if so, if data is part of security, that makes security the new IT.

Yeah, I think that if you think about organizations, hell, even for Horizon3 right now, I don't need to hire a CIO. I'll have a CISO, and that CISO will own IT and governance, risk and compliance and security operations. Because at the end of the day, the most pressing question for me to answer as a CEO is my security posture. IT is a supporting function of that security posture. And we see that at, say, a growth-stage company like Horizon3, but when I think about my time at GE Capital, we really shifted to this mindset of security by design, architecture as code. And it was very much a security-driven conversation. And I think that is the norm going forward.

And how do you view the idea that you have to enable a managed service provider with security, also managing, which then manages the company to enable them to have agile security, security as code? Because what you're getting at is this autonomous layer that's going to be automated away to make the next talented layer, whether it's a coder or architect, scale. So the question is, what is abstracted away at automation seems to be the conversation that's coming out of this big cloud-native or supercloud next wave of cloud scale.

I think there are two dimensions to that. And honestly, I think the more interesting dimension is not the technical side of it, but rather, think of the Equifax hack a bunch of years ago. Had Equifax used a managed security services provider, would the CEO have been fired after the breach? And the answer is probably not. I think the CEO would have transferred enough reputational risk and operational risk to the third-party MSSP to save his job, from him being fired. You can look at that across the board.
I think that if I were a CIO again, I would be hard pressed to build my own internal security function, because I'm accepting that risk as an executive, and we saw what just happened at Uber. There's a ton of risk that comes with accepting that as a security person. So I think in the future, the role of the MSSP becomes more significant as a mechanism for transferring enough reputational and operational and legal risk to a third party so that you, as the core company, are able to protect yourself and your people.

Now, then, what you think is supercloud principles and concepts being applied at MSSP scale. And I think that becomes really interesting. Talk about the talent opportunity, because I think the managed service providers point to markets that are growing and changing. Also, having managed service means that the customers can't always hire talent. Hence, they go to a channel or a partner. This seems to be a key part of the growth in your area. Talk about the talent aspect of it.

Yeah, think back to what we saw in cloud. So as cloud picked up, we saw IBM, HP, other hardware companies sell more servers but to fewer customers: Amazon, Google and others, right? And so I think something similar is going to happen in the security space, where I think you're going to see security tool providers selling more volume but to fewer customers that are just really big MSSPs. So that is the path forward. And I think that the underlying talent issue gives us economies of scale. And that's what we saw with cloud. We're going to see the same thing in the MSSP space. I've got a density of talent, plus a density of automation, plus a density of relationships and ecosystem, that give MSSPs a huge economies-of-scale advantage over everybody else.

I mean, I want to get into the MSSP business. Sounds like I'd make a lot of money.

Definitely, it's profitable.

No doubt about it, I like that.
I've got to ask more on the burden side of it, because if you're a partner, I don't need another training class. I don't need another tool. I don't need someone saying this is the highest-margin product. I need to actually downsize my tools. So right now there are hundreds of tools that MSSPs are dealing with all the time, and so is the customer. So tools, platforms, we've kind of teased this out in previous conversations together, but more relevant to the MSSP is what they do to the customer. So talk about this burden of tools and the SOCs out there in the landscape. How do you view that, and what's the conversation like?

On average, an organization has 130 different cybersecurity tools installed. None of those tools were designed to work together. None of those tools are from the same vendor. And in fact, oftentimes they're from vendors that have competing products. And so what we don't have... and they're still getting breached in the industry. We don't have a tools problem. We have an effectiveness problem. We have to reduce the number of tools we have, get more effectiveness out of the existing infrastructure, build muscle memory to know how to detect and respond to a breach, and continuously verify that posture. I think that's what the most successful security organizations have done: mastered the fundamentals, and they mastered that by making sure they were effective in detection and response, not by buying the next shiny AI tool on the defensive side.

Okay, so you mentioned supply and demand earlier. Since you brought up economics, we'll get into the economic equations here. When you have great profits, that's going to attract more entrants into the marketplace. So as more MSSPs enter the market, you're going to start to see a little bit of competition, maybe some FUD, maybe some price, competitive price penetration, all kinds of different tactics going on there. How does that impact you?
Because now, does that impact your price, or are you now part of them, just competing on their own value? What does that mean for the channel as more entrants come in? Hey, I can compete against that other one. Does that create conflict? Is that an opportunity? Are you neutral on that? What's the position?

It's a great question, actually. I think the way it plays out is, one, we are neutral. Two, the MSSP has to stand on their own with their own unique value proposition. Otherwise they're going to become commoditized. We saw this in the early cloud provider days. The cloud providers that were just basically wrapping existing hardware with a race-to-the-bottom pricing model didn't survive. Those that used the cloud infrastructure as a starting point to build higher-value capabilities, they're the ones that have succeeded to this day. The same MO, I think, will occur in MSSPs, which is there is a base level of capability that they've got to be able to deliver. And it is the burden of the MSSP to innovate effectively to elevate their value proposition.

It's an interesting dynamic. And I brought it up mainly because if you believe that this is going to be a growing new market, price erosion is more in mature markets. So it's interesting to see that dynamic come up, and we'll see how that plays out on the economics and just the macro side of it. Getting more into kind of the next gen: autonomous pen testing is a leading indicator that a new kind of security assessment is here. If I said that to you, how do you respond to that? What does this new security assessment mean? What does that mean for the customer and the partner and that relationship down that whole chain?

Yeah, back to, I'm wearing a CIO hat right now. Don't tell me we're secure in PowerPoint. Show me we're secure today. Show me we're secure tomorrow, and then show me we're secure again next week. Because that's what matters to me.
If you can show me we're secure, I can understand the risk I'm accepting and articulate it up to my board, to my regulators. Up until now, we've had a "PowerPoint tells me we're secure" culture in security. And I just don't think that's going to last all that much longer. So I think the future of security testing and assessments is this shift from a PowerPoint report to truly showing me that I'm secure or not.

And you guys auto-generate those statements. You mentioned that earlier.

That's exactly right. Because the other part is, you know, the classic way to do security reports was garbage in, garbage out. You had a human kind of theoretically fill out a spreadsheet that magically came up with the risk score or security posture. That doesn't work. That's a check-the-box mentality. What you want to have is an accurate, high-fidelity understanding of your blind spots, your threat vectors, what data is at risk, what credentials are at risk. And you want to look at those results over time. How quickly did I find problems? How quickly did I fix them? How often did they reoccur? And that is how you get to a "show me we're secure" culture.

Whether I'm a company or I'm a channel partner working with Horizon3.ai, I have to put my name on the line and say, here's a service level agreement I'm going to stand behind. There are levels of compliance. You mentioned that earlier. How do you guys help in that area? Because that becomes, I call it, you know, below the line: I've got to do it anyway. And usually, you know, they grind out the work. But it has to be fundamental, because if the threat vectors are increasing and you're handling it like you say you are, the way it is, real time, today, tomorrow or the next day, you've got to have that other stuff flow into it. Can you describe how that works under the hood?

Yeah, there are two parts to it. The first part is that attackers don't have to hack in with zero days. They log in with credentials that they found.
But often what attackers are doing is chaining together different types of problems. So if you have 10 different tactics, you can chain those together a number of different ways. It's not just 10 to the 10th. It's exact, because you don't have to use all the tactics at once. So there's a very large number of combinations that an attacker can apply to pwn you, is what it comes down to. And so at the base level, what you want to have is: what are the primary tactics that are being used? And those tactics are always being added to and evolving. What are the primary outcomes that an attacker is trying to achieve? Steal your data, disrupt your systems, become a domain admin and borrow. And now what you have is, it actually looks more like a chess game algorithm than it does any sort of hard-coded automation or anything else, which is, based on the pieces on the board, the IT infrastructure I've discovered, what is the next best action to become a domain admin or steal your data? And that's the underlying innovation and IP we've created, which is next-best-action, knowledge graph analytics and adaptiveness to figure out how to combine different problems together to achieve an objective that an attacker cares about.

So the 3D chess players out there, I'd say that's more like 3D chess, are the practitioners implementing it. But when I think about compliance managers, I don't see 3D chess players. I see back-office accountants in my mind. They're like, okay, do they actually even understand what comes out of that? So how do you handle the compliance side? Do you guys just check the boxes there? Is it not part of it? Because I don't envision the compliance guys on the front lines identifying vectors. Do they even know what it means?

Yeah, it's a great question. When you think about the market segmentation, I think we've seen three basic types of users. You've got the really mature, high-frequency security testing, purple team type folks.
And for them, we are the force multiplier for them to secure their environment. Then you have the middle group, where the IT person and the security person are the same individual. They are barely treading water. They don't know what their attack surface is and they don't know what to focus on. That's actually where we started, with the barely-treading-water persona. And that's why we had a product that helped those network engineers become superheroes. The third segment are those that view security and compliance as synonymous. And they don't really care about continuous. They care about running and checking the box for PCI and for whatever else. And those customers, while they use us, they are better served by our partner ecosystem. And that's really... so the first two categories tend to use us directly. Self-service pen tests as often as they want. The compliance-minded folks end up going through our partners because they're better served there.

Snehal, great to have you on. Thanks for this deep dive on the under-the-hood section of the interview, appreciate it. And I think autonomous is an indicator beyond pen testing. Pen testing has become like, okay, penetration, security, but this is not going away. Where do you see this evolving? What's next? What's next for Horizon3? Take a minute to give a plug for what's going on with the company. How do you see it? I know you've got good margins, you're raising capital, always raising money, you're not yet public. Looking good right now, as they say.

Yeah, yeah. Well, I think the first thing is our company strategy is in three chapters. Chapter one is become the best security testing platform in the industry, period, that's it. And be very good at helping you find and fix your security blind spots. That's chapter one. We've been crushing it there with great customer traction, great partner traction.
Chapter two, which we've started to enter, is look at our results over time to help that GRC officer or auditor accurately assess the security posture of an organization. And we're going to enter that chapter about this time next year. Longer term, though, the big vision I have is, how do I use offense to inform defense? So for me, chapter three is, how do I get away from just security testing towards autonomous security overall? Where you can use our security testing platform to identify ways to attack. That informs defensive tools exactly where to focus, how to adjust and so on. And now you've got an integrated learning loop between attack and defense. That's the future, never been done before. Master the art of attack to become a better defender is the bigger vision of the company.

Love the new paradigm in security. Congratulations, we've been following you guys. We will continue to follow you. Thanks for coming on the special presentation. Congratulations on the new market expansion, international, going indirect in a big way. Congratulations.

Thank you, John, appreciate it.

Okay, this is a special presentation with theCUBE and Horizon3.ai. I'm John Furrier, your host. Thanks for watching.