Okay, we're back at the Aria in Las Vegas, Falcon 22. You're watching theCUBE. My name is Dave Vellante. Michael Sentonas is here. He's the Chief Technology Officer at CrowdStrike. Michael, good to see you. Thanks for coming. Thanks for having me. Yeah, so this is your first time, I think, on theCUBE. It is. And it's really a pleasure.

I've been following you, watching you very closely. You're quite prominent and very articulate. I loved your keynote. Talking about what is XDR, I think you guys are going to do really well in that space because you've got clarity, vision and execution. Talk about some of the announcements that you made this week, particularly interested in Insight XDR. What's that all about?

Yes, I've been talking about XDR for a while and trying to help push the right narrative. There's a lot of marketing in the industry with XDR. So we've been talking a lot about what it means, the benefit that it provides from a technology perspective, what you need in the architecture. So we firmly believe it's a philosophy and we build all of our technology to work together, but it's bringing in third parties. And that was really a lot of the announcements. My keynote was to show everybody the work that we've been doing to bring in data from Zscaler and Proofpoint. And we talked about bringing in data from a whole range of different vendors, firewall vendors. And we've been doing XDR use cases for a long time. So a big part of our strategy is to make security easy. And we've been doing a lot of XDR use cases with our Falcon Insight module. So the announcement that I made was to relaunch Falcon Insight as Insight XDR. And it means all of our close to 20,000 customers have access to the product.

So that gets bundled right in, it's like SaaS automatically part of the portfolio. Log off on Friday, come back on Monday and you're good to go. And then you just called out Zscaler and Proofpoint. I think you also mentioned Palo Alto Networks, Cisco, Fortinet as well.
You're pulling in telemetry from-

Yeah, we've got a long roadmap of people that we're integrating with. We talked about Cisco. We talked about ForgeRock and Fortinet. We announced that we're going to be pulling in telemetry from Palo and a range of other vendors, Microsoft and others. And that's what XDR is about. It's about first party and third party integration and making all of the telemetry work together.

I was talking to George about this yesterday is, I think there's a lot of confusion sometimes when you have the dogma of cloud native. Snowflake, same thing. No, we're not doing on-prem. People think that you're excluding on-prem data, but you're not. You can ingest on-prem data.

We absolutely are not excluding on-prem. We will support and secure every workload, whether it's on-prem or in the cloud, whether it's connected to the internet or offline. A lot of the indicators of attack and the detection techniques that we have are on the sensor itself. So you don't have to be connected anywhere for that capability to work. You get the benefit when you connect to the cloud of the additional visibility, the additional protection, but the core capabilities on the sensor that we have.

Given that you guys started 11 years ago, plus two days now, and you had that dogma, cloud-first, cloud-only, native, cloud-native, was there ever a point where you're like, boy, we might be missing some of the market, and you held true to your principles? Two-part question. Did you ever question that? And by focusing all your resources on cloud, what has that given you?

There's been a laser focus on having a native cloud platform. It's easy to say cloud-native, and if you look at a lot of the vendors in the industry today, if you're a customer and you ask them, hey, can you give me an on-premise product? I'm not going to buy your product. They've got an on-premise product. The problem is when you have two different versions, you end up having compromise.
You have to manage two code bases, impact the engineering team. Their features are different. Customers ultimately are the ones that miss out, because if I have the on-prem version or I have the cloud version, I may not get the same capability. For us, it's been very clear. It's been a laser focus to be a cloud and cloud-only from day one.

You've renamed Humio. I got to stop using Humio, I guess. It's now called LogScale, Falcon Complete LogScale. You're bringing together security and observability. Although you're not doing the full spectrum of observability, you're just sort of focusing on part of it. Can you explain that?

Yeah, so first of all, we did rebrand and bring the Humio brand closer to CrowdStrike by renaming it Falcon LogScale. And just to be clear, it's not just a rebranding of the name. We've been spending a lot of time. We made that acquisition in March of last year. We've been doing a lot of work on the technology. We've built out the Falcon long-term retention. We built a whole bunch of capability into the product. So now is the right time to rebrand it as Falcon LogScale. And at the same time, we also announced Falcon Complete LogScale. And it's part of the complete franchise. And that's where customers can get the value and the benefit of LogScale, but they don't have to set it up. They don't have to manage it. They leave that to us.

So you get pretty much involved in the M&A activity. You talked to the stage yesterday about Reposify and what's going on there. You guys obviously got to still do the deal. You made investments this week. You announced investments in Salt Security, the API specialist, and also Vanta, compliance automation. What's the thinking behind that? Explain actually the fund that you guys are sprinkling around as a strategic investor and why those companies.

Yeah, so there's two parts that I'm involved in and they're part of my team. One is the M&A team and one is the Falcon Fund side of the business.
Obviously two very different things. The M&A part of CrowdStrike, we're always looking to see for every technology space that we want to get into, what is the best option, build, buy, partner. Sometimes it's build, sometimes it's a hybrid approach of build and partner. Other times we go down the path of M&A and I was super excited about Reposify, great company, great technology. And as you said, we made announcements that we're investing as part of the fund into Vanta and Salt. We're very blessed. We're very fortunate to have achieved a lot of success in a short period of time. And we think we've got an opportunity to help fledgling companies, to help them guide through the process of setting up the company, helping them with engineering principles and guidelines, helping them with the go to market perspective. So the fund is really about that. It's finding the next cyber security company, working closely together. And it's been a huge success. You had Vanta and Salt on earlier and there's so much excitement about what they do.

Yeah, Evan, it's a clear complement to what you guys are doing. I want to ask you about your lightweight agent. There are other firms that say they have a lightweight agent too. You know, what makes your lightweight agent so different, so special?

Yeah, I've never seen a PowerPoint presentation that's wrong. It's very easy to say your lightweight agent is super lightweight and many times when you look at them, they're not lightweight. They take a lot of effort to install. They need reboots. If you've got security that's part of the operating system, if you've got security that requires to reboot, you can't go to a bank and say, hey, you've got 100,000 machines. We're going to install all of this technology, but you've got to reboot it once, twice, three times. So what ends up happening is you see deployment cycles that go on for 12 months.
I've spoken to organizations here this week that said we had budgeted to roll out your product in 18 months because of what we experienced in the past and we did it in seven weeks. That's a lightweight agent with no reboot. And then you look at the updates. You look at the CPU resource utilization. So again, very easy to say lightweight. I haven't seen anything like what we've built at CrowdStrike.

How do you keep an agent lightweight when you're both acquiring in companies and adding modules? I think you're over 20 modules now. How is it that the agent can remain so lightweight?

So we spent a lot of time building out the agent cloud architecture that we have. The concept of our agent is very different. It's not collecting data, storing it, trying to send it up. We have a smart agent with smart filtering built in. So we're very careful in terms of the data that we collect. But think of the aperture on a camera. If you want to let more light in, you widen the aperture. It's the same as our agent. If we want to bring in more telemetry, we widen that aperture. So we're very efficient on the network. And we collect data when a machine process runs, we collect that telemetry. We use it in different ways, but we collect once and reuse it many times. So it's the same agent for Next Gen AV, for EDR, for our Spotlight Vulnerability Management module. And when we're looking at M&A, so coming back to your question, we will look at technology. And if we can't bring that technology and incorporate it into the agent that we already have, we won't acquire it. Worst thing in security is complexity. When you give an organization one, two, three, five plus agents, and then they have three, four, five plus management consoles, it's too hard when they're under attack.

Well, it's like my business partner and co-host John Furrier says is that as an industry, we tend to solve complexity with more complexity. And it's problematic. Can you talk about your threat graph? Like what is that?
Is it a graph database? Is it purpose built? Is it a time series database? A combination? What is that?

Yeah, it is a graph database. When the company was started, obviously the vision was to crowdsource telemetry from so many machines, from millions of devices around the world. And the thesis at the time was, as that capability scales out, there's nothing commercially available that will be able to ingest all of that data. And today we're processing over seven trillion events every single week. We can't go and get something off the shelf. So we've had to build the technology from the ground up. That's the first part. Secondly, there is a temporal element to this. There's a time element. And we have an ontology built where we track the relationship between all the telemetry that we get. The reason why I believe we stand alone in EDR is because of that time element, the relationship that we have. And we just have so much context that makes it easy for the threat hunter. Speed and ease of use is critical in cyber.

So you're seeing in the database world, everything's kind of converging with all this function. 11 years ago, these were pretty rudimentary. I shouldn't say rudimentary, but immature markets, they've come a long way. If you had to start, if those capabilities that are there today with graph databases and time series databases were available in 2010, would you have used off the shelf technology or would you have still developed your own?

We would have done the same thing that we've done today.

And why? Can you explain what that guy, is it a performance thing? Is it just control?

Yeah, look, it's everything that I talked about before, the benefit that you get from the approach that we've taken and the scalability that the requirements that we need.
We still today, there's nothing that we can go and get off the shelf that can scale and give us the performance that we need, that can give us the ability to have that relationship data, the ontology of what we have in the platform and the way that we interoperate with all of the different modules, that just wouldn't exist. We wouldn't have that capability. And what you'd find is would be pretty much the same as every other vendor, where they have on-premise solutions, they have hybrid hosted solutions. And when you have those trade-offs, you see it in the product.

Yeah, so the point is you're very focused on the purpose of your proprietary technology. You're not trying to serve the all things to all people. You used a term yesterday in your keynote, which caught my attention. You used the term ground truth. And that has a very specific meaning. Can you explain what you meant, like what is ground truth in the world and what does it mean to CrowdStrike?

Yeah, I was talking about ground truth as it relates to the acquisition of Reposify. And the big thing for us, we wanted to bring additional capability to the platform to give our customers external and internal visibility of all their assets and all of their vulnerabilities. What's important with us, with our agent, is today we give you a single source of truth. When we put that agent onto a device, we tell you everything about the hardware. We tell you everything about who's logged in. We tell you everything about the applications that are running, the relationships between the user, the device, and the application. We're not a CMDB, we feed CMDBs with information that is instant, that is live. And when we look at Reposify, it broadens, again, I'll use the same word, it broadens the aperture. It gives us more visibility around what's going on.
So we're super excited about that because having information about all of your assets, all of your users, the applications they use, whether they're vulnerable, how you need to protect them, having it at your fingertips, it's a game changer.

Can CrowdStrike be a generational company and what do you have to do to ensure that that outcome occurs?

I think we absolutely are and we're paving a path to really continuing to build out that platform. I said in my keynote that I think we're at an early innings. If you buy, for example, as a customer, our Insight module, because you want to start with EDR, you've got 21 modules to go yesterday. Today we talked about Discover 2.0. We talked about Discover for IoT. I talked about the Reposify acquisition, a whole range of technology built on that single cloud agent architecture. And we've heard the success stories here this week from customers that have just gotten so much benefit. They've rolled out one agent and they've turned off eight or nine from other security vendors. So absolutely we can be a generational company with what we're doing.

What are the blockers to customers turning on those additional modules? Because not all customers are using all modules. Is it that they've made an investment in an alternative technology and they're sort of hugging onto it or are there other technical blockers?

Many times it's the investment, right? So if you've made an investment in a company, you've got a year to go, you might want to sweat that asset. But typically what we find is the benefit that we have, it's a very simple conversation. If we can give people a cost and a technology benefit, they're going to make the transition to move. There's so many technical benefits. We talked about the single agent, but the actual features of the modules themselves. But the big thing for us is we've done over 4,700 business value assessments where we sit down with an organization and we look at what they have. We look at what their spend is.
We look at their FTEs. We look at the security outcomes that they get. And then we come out with a model that shows them technology and business value and that's what really drives them to make the switch.

So the business value in that BVA is not just a reduction in expected loss, that's part of it. Better security, you're going to lower your risk. But you're saying it's also the labor associated with that?

Yeah, absolutely. It's how do you operationalize the solution? How many people do you need? How long does it take you to respond? How do you interact with third parties, with your suppliers? It's taking in all of that data. We've spent a long time building out that model and it's proving to be very successful. Customers love it.

Is that sort of novel ROI thinking in the security business? Or I'm trying to think of, I know for years I would watch Art Coviello stand up at RSA and tell us how, this year's worse than last year. But I never really heard a strong business case that would resonate with the P&L manager other than we got to do this or we're going to get hacked and you're going to be screwed. Is that new thinking or did I just miss it?

I don't know if I want to say it's new thinking. I think what happened, what changed was 10, 15 years ago at a conference you'd stand up and everybody would tell you, ransomware is up and phishing is up and at the end of it, people are trying to work out. Is that good or is that bad? It went up 20% based off what? That doesn't work anymore. Everyone got tired of that. And a few of us have been doing it for a while. I'm sort of two and a half decades into this. And if you try to use that model of scaring people, they switch off. They want to understand the benefit. The brake in the car is so you can go and stop safely when you need it. And I look at security the same way. We want to accelerate the company. We want to help companies do their job. But security is there to make sure they don't get into trouble.
Yeah, it's like having two security guards by your side, right? I mean, they're going to help you get through the crowd and move forward. So Michael, thanks so much for coming to theCUBE.

Thanks for having me.

You're very welcome. All right, keep it right there after this short break. Dave Vellante will be back with theCUBE live coverage from Falcon 22 at the Aria in Las Vegas.