Hello, and welcome to theCUBE's live coverage here at RSA Conference. I'm John Furrier, host of theCUBE. Dave Vellante's here with me. We're moving in an hour. This is about four days of wall-to-wall coverage. RSA is really about connecting to the next generation platforms, tools to make everything secure from the network only up to the application. We've got a great guest here, Idan Plotnik, who's the co-founder and CEO of Apiiro. Great company, well-funded. How about making some moves? Welcome, welcome to theCUBE. Thank you, thank you very much for having me. So you guys are a Series B funded startup, so that's not, it really means you're not huge and down the stream, but highly successful, highly funded, huge success in momentum with developers. Application security, we love it. It's got a little bit of open source, SBOM, software supply chain. Cloud-native developers right now are setting the agenda for what is going to be adopted in enterprises, and everyone below them is working to be enabled. We're seeing that even here in the security conference. Palo Alto Networks, so I'm on a platform. It's the first time I've ever heard a security conference talking about a platform. Usually it's just tools. You guys are successful, why? I think, let's talk about the challenge. It's a huge challenge. The complexity of modern cloud applications and software supply chains created a completely new interconnected attack surface. And the siloed tools created significant blind spots. So eventually, the poor AppSec engineer needs to deal with hundreds of thousands of alerts without context, and then he's shifting these alerts to the developers. Friction, everyone takes the tools out, and you have cacophony, and you deliver risks to the cloud. This is why. I know, this is one of the things, so I've got to tell you, Dave Vellante and I have been talking about this for probably two years. Hardcore, two years.
Before that, I've been saying it on theCUBE going back to 2010, that developers are going to be coding infrastructure as code, that happened. Then we were saying data as code, programmable data, because now data's moving into the field of large language models. Prompt engineering is just prompting a call to another language model. That's like a procedure call. That's like coding. That's going to become codable. So the question is, if you could flip the script, who decides where the data's stored? The developers have no decision on it. So I think developers will drive every single infrastructure decision in the future. What do you think about that? So first, I think developers are part of the conversation of the architecture. So you will see where the data flows between components in the application and where it's stored, because it affects the performance of the application. The application security engineer will decide what are the security controls to put on this data. So you need to work in harmony and you need to decide where the data is to be able to control it. And I think this is the hard work of the application security engineer in this. So the core problem that you're solving is what? Take a minute to explain your company's North Star mission, why you exist, what you brought to the market, and why is it working? Why is the product working and who's your target audience? Sure. So our mission is to secure the code you develop and the way you deliver it to the cloud, okay? This is a huge problem for application security. It's not only the code, it's how you build it, how you ship it to the cloud. This is a huge attack vector. And as I said, the current tools create a lot of alerts. So then you have one AppSec engineer to 200 developers, this is the ratio. And he or she is overwhelmed with all the alerts and eventually they need to fix them, and the context is what they are missing. And what we are bringing to the picture is the following.
Our application security platform basically builds a real-time inventory of all the code components, the applications and the software supply chains. So you can ask any question across any code component and get a real-time answer in a second. Then we are orchestrating and correlating all the security signals from your siloed tools and then we connect the dots on our risk graph. This is what gives them the context to be able to save time triaging the alerts, fixing them much faster because we are tying every risk to a code owner with the business impact, and lastly prevent, put guardrails for the developers with the context so they will not deliver the risks to the cloud. So that sounds awesome. Let me just dig into that. By the way, congratulations, great solution. I love it already, but I want to ask you a specific question. So you've got an inventory of all the software bill of materials, of all the components of the software. And the relationship between them. In production. In the code. In the code itself, okay. And you can ask a question. This API that talks to this open source dependency and exposes this API data, is it already being deployed in production? You're a knowledge graph for developers. It's a risk graph for developers and AppSec engineers. So the use case is an alert, a bunch of alerts are going off. So what's the use case? What's the problem right there? Okay, where's the code, where's someone's hacking us? It's like a hospital, all the alarms are going off. What do I pay attention to? So let's take the Log4j example, okay. In the code, you have 5,000 Log4j's. Now you need to cut it down and say, show me only the Log4j's that are in a high business impact application. Show me only the Log4j's that are in the same repo where I have an API that also exposes API data, let's fix this first. Is it already being deployed, already deployed to production? Yes, it's much more risky.
Okay, now show me in a click of a button where in my Kubernetes cluster these Log4j's are running. Great, instead of 5,000, you now narrow down to 10, and now we are opening a remediation action because we know who is the developer that committed the code and when it was deployed. So now you close the loop from the Kubernetes- He or she gets a notification. They take care of it. It's not only notification, it's the action items. What actually you need to do to fix and what the implications of the fix are. Because in some cases, if you fix it, you can break the application. So you need the end to end. It's called a risk graph. Exactly. Risk, like risk management. It's a, we augment risk on top of every code component, on every API and dependency because now, I don't care about a vulnerability with CVSS score eight because it can be low risk to the business. So you need to augment. Operationally, it's an operational dream in the SecOps area. Because you can then prioritize, you go to, okay, critical systems, boom, let's lock those down first. No one cares about checking their email right now. Let's shut that down. Just shut it down. Yeah. You can take actionable. Actionable. Actionable tasks. To fix the risks that matter to the business. That's important. And I want to double click for a second on one of the points here. Everyone has SAST and SCA and DAST and CSPM and whatever tools that they put in their tool chain. Eventually, you need one place to take all these alerts and say, okay, this alert is related. It's a hive mind for the network, for the code. Yes. It's the brain for all the software. It's the brain for the software. This is exactly what we are doing. And I'm going to use it in our collateral. You're going to have to give theCUBE a little thing on that. We'll take advisor shares on that. No, seriously, let's get into the value. This is really cool. So now just play it forward. You almost connect the dots.
Let's get into the ChatGPT euphoria because you've got to love what has happened. The whole world now sees magic. Yes. Inside the industry, we all know where machine learning was used a lot. We love it. But the fact that the whole world now understands these horizontal use cases of things I've never seen before. So if you're a lay person, you say, oh my God, that's magic. Okay, we kind of get it. It's just taking the web and formatting. But it's all cool. Now, but you can almost go and say, hey, I can tune, I can use tuning techniques. Absolutely. Your graph, why call the engineer? Okay, let's double click on that. We are using LLM models, okay? The technology behind ChatGPT, for two years plus. One, we're using it to automate the work of the analyst and give them the accurate points where they need to start thinking. So we saved hours and we saved manpower. Two, we use the ChatGPT technology for the auto-remediation stuff in the code. So we can generate, because we have all the context. ChatGPT needs the context from the code, from the build, from the runtime, and then say, okay, this is the solution. And we are leveraging it to help our customers fix much, much faster. I mean, I've always loved the line from Andy Jassy at Amazon, who said they want to take care of the undifferentiated heavy lifting. But when you've taken the AI approach with what you guys are doing, you can go in and say, okay, we can run this new thing. We can operationalize it. Now we've got the tuning, which is not human related. So humans are involved in step one and two. And then the tuning can be self-correcting and/or guardrails around policy. So you say, hey, if something happens, shut down these systems, let's target everything here. So we notify the engineer, write the code. This is on the security operations side. I agree, this is where it's going to be.
But on our side, which is the left side, we will put the guardrails for the developers so they will not commit the code with the risks to the business. They're in their own tool chain like GitHub, GitLab and other source control managers where you open the pull request, you will get all the remediation actions and the people in the organization that can help you fix them. Great story, congratulations. I want to get the last couple of minutes we have here to ask you about the origination story. How did it all get started? Did you wake up one day and say, you know, I'm going to build the most complexity-reducing system that's going to be intelligent, all-knowing AI, future brain of all software code? So I was a GM for software engineering at Microsoft before that, after the acquisition of my previous startup. So I sold my startup to Microsoft in 2015 and I felt this pain firsthand. I managed a lot of developers in a large business unit in the security division at Microsoft. And then they said, okay, you need these risk management processes like these questionnaires before every release, you need SAST and SCA and DAST and secret scanning and pen testing. Then I'm getting tons of alerts and my developers are complaining, Idan, we had a deadline for 10 of the Fortune 50 customers, why are we late on delivery? And all these hassles, blockage, paperwork, boring stuff. And this is where the epiphany came and we went to customers and we asked them, like huge customers in the financial industry. And they said, this is a huge pain for us because we want to deliver code to the cloud much faster and we need the guardrails and we don't have the context. We bought all these tools, all these AppSec tools, but we need the context and we need the knowledge of augmenting the risk on top of that.
You know, Andy Grove, the famous legendary Intel CEO, once said, let chaos reign and then rein in the chaos, and I think you're starting to see this with your success, it's just cut to the chase. Cut to the chase. Make it simpler. What and why are we doing all these things? Well, who's, what's the purpose? What are we optimizing for? These are just great questions to ask. Yeah, and the thing is to do more with less today. In AppSec, do more with less, and this is why we released yesterday the Risk Graph Explorer, which allows developers and application security engineers to ask any question that they want on their code and software supply chain. With great success. Quick, 30 seconds left in the program. Put a plug in for the company. What are you looking for? Obviously you've got plenty of cash. You're doing well with the customers. What are you looking for? How big is the team? Give some stats. So we are around 130 people at the company. The R&D is in Israel, and the business development and all the go-to-market team is across the US, Canada and London. We're expanding dramatically and we had 531% growth in ARR year over year, and it's insane. Suddenly you see the rocket ship go up and we are hiring and we are extending our capabilities with more and more things that will help the developers deliver secure applications to the cloud. And your priorities, keep the R&D going, go to market, increase the sales and marketing. Now it's go to market. It's like 80% go-to-market focus. Congratulations on your entrepreneurial venture and endeavor. Hold on to that rocket ship. Make sure it doesn't blow up. Thank you. Was it unregulated disassembly that Elon said? Unscheduled disassembly. It will blow up. We just need to maintain. We actually hit the button there. They blew it up because it was going to. No, you guys are on a good track. Congratulations. Looking forward to following the progress, and you're the brain of software. Congratulations.
Thank you. theCUBE coverage here, we're bringing all the action here at RSA 2023. I'm John Furrier with Dave Vellante. We'll be right back after this short break.