 Hey, welcome back to theCUBE's live coverage here at RSA Conference in Moscone in San Francisco. CUBE's four days of live coverage. I've got two great guests here. Casey Ellis is the founder and CTO of Bugcrowd and Dave Gerry, who's the CEO. Guys, Bugcrowd doing great. Thanks for coming on theCUBE. Yeah, thanks so much for having us. Thanks for the year. So this is day two, I guess, or day one. It feels like a day one because it's kind of a big kickoff. Yesterday was the early keynotes, or the evening keynotes. The security industry's changed. You guys are the center of it. You got a deal with OpenAI, we'll get into it. You got some hard news here. But before we get into it, take a minute to explain what the company does, how you guys started, why you exist. Yeah, for sure. So Bugcrowd obviously started in America. It's the accent that you're hearing now. Started from Sydney, Australia. But really the idea behind it was this kind of fundamental idea that security's a human problem, right? The idea of someone leaving the front door open, someone else exploiting that. That predates the internet by thousands of years. We just kind of sped it up. So how do you connect more humans more efficiently to answering security questions that people have? And you know, coming from the White Hat Hacker community, that's kind of where I grew up. I knew that I had a bunch of peers that wanted to help, but hadn't had the invite, hadn't been plugged in. So that's where it started. It was like creating a platform that could harness that potential and hook it up with the market. Yeah, and you guys also rode a great wave, too, of the White Hat Hacking, collective intelligence, community participation. And then the Bug Bounties are high, too. People can make some good bank. So there's a business model behind it. Yeah, they have valuable skills and the information that they're finding is valuable as well, right? It's hard to find unless you have the right skills. 
And if a bad guy finds it first, bad things happen. So yeah, paying for it's a good idea. And so you guys got some good cutting edge stuff with OpenAI. I want to get into the AI side of that. I'm sure that will pay a big scale part of it. But you have some hard news. You guys got some news here at RSA. What's the news? What's the big story? Yeah, we're really excited to be here. So we announced for the first time ever that we're selling pen testing entirely online. So now our customers can actually go to our website and with a few clicks, not only purchase, but actually set up and deploy a pen test, which in our view really starts to democratize the access to pen testing, right? We know customers need it and we're super excited to have that launch last week. Yep. Finally, someone does pen test as a service. The biggest racket in the history of cloud native agile of all time. Hey, let's do a pen test. Pay me 50,000 and then you push some new code and everything's changed. Exactly right. Like this has kind of been the old school reality. It seemed like it was like based on an old model. And then I also heard that when that was a one problem, I've been hearing, I want to get you guys to react to that. Secondly is that people that were doing the pen test were like, I'm way more skilled than this shit. Yeah, that's right. Yeah. So that's what two dynamics. You're spot on on both sides. Like the problem with the pen test industry from my perspective, like the company I was doing before Bugcrowd was literally a pen testing company. That's where I got the idea that like many people could probably do a better job than a single person, because math. But you know, it's one of those things where pen testers aren't the problem. It's the pen testing. It's how it's done. It's so inefficient and there hasn't really been a reason to change it. Now that we've got the ability to plug the right talent into your second point, right? Why not do that? 
Like make the whole thing faster and more effective for both sides. So first of all, congratulations. Check this out. Pen testing as a service. It's already a winner in my mind because I think everyone's been complaining about it. It's one of those little nuances that when you're in a business deal or you're in a partnership with someone else, APIs are talking to someone else. There's always the app sec review kind of thing going on. And with agile, if you're pushing code all the time, shifting left, you're going to be always changing the requirements and you got software supply chain right around the corner. So I mean, this is a nightmare scenario if you don't have this tool. Yeah. It's all about reducing the friction to getting to those answers to your questions. So obviously I'm pretty much biased on this. Interviews over. No. We agree. So whatever. It's really great. Winner, winner, winner out of the gate. Now take me through like how it works in terms of like certification. If someone does the pen test, if someone might say, well, what about on the other side? I'm going to need to have it updated. If more code comes, I need trust when you give the pen test results to a partner. What happens next? Take us through the how it works. Yeah. So I think what's really cool about this is we're leveraging all of this latent creativity that exists in the security expert community, right? That's really what Casey founded the business on was how do we connect the right researcher at the right time with the right problem? Yep. So we talked about pen testers don't want to be bogged down on scoping. They want to ultimately go out and perform a test. Want to hack stuff. And get paid to be able to do that and find critical vulnerabilities. And when customers come on and they join with us, we match them with the right pen tester based on the skill set of the tester and based on the customer's environment. 
We then immediately can deploy a test in a matter of hours versus weeks or months in the previous models. And then from there, results are shared real time back into the platform that both we're reviewing from a QA perspective but then our customers also get in real time versus waiting just for a report to be released at the end of the test. So we're actually helping to speed up not just the access to the testing but the access to the remediation and the mitigation which is the most important. And it's something like a great extension to your existing business. You got a two-sided marketplace of talent and technology and progress and workflows. That's actually one of the things I love about this announcement because I think we're often seen as a bug crowd. We didn't invent bonus closure of bug bounty but the idea of putting a platform in the middle to connect supply and demand, that was, we started that off. And it frustrates me every now and then to hear it referred to as a bug bounty platform vertical because it's not actually a bug bounty problem that we're solving. Like bug bounty is just the most obvious expression of what we do as a platform as an engine. Well, product market fit doesn't define a company. I mean, unless you're Twitter and they can't change the product. It turns out if you're trading a category, people can get confused. So going out and talking about all of the different things like a multi-solution platform, another solution in that so that works well. Let's talk about the progression. Obviously, when you get the beach head with the bug bounty platform, if you want to call it a tool, but you innovated on that, you guys did more. Take us through the progression. Now you have platform of testers. You've got tools and technology you're using that imagine, underlying machine learning. A deal with OpenAI is pretty relevant. Yeah, yeah, for sure. That's not a small feat because I know they're busy too. They are, they are very busy. 
I think that goes back to the speed advantage that Dave was talking about before because that applies across everything that we do. Security moves fast and if a company moves fast, security needs to move faster with it. What is the deal with OpenAI specifically? You guys do a little technology transfer. You guys are doing some service for them. What's that deal? Yeah, so the part that's public that everyone started talking about a couple of weeks ago when it launched is we've basically launched their bug bounty program on our platform. So what they're doing is going out to the open internet and saying, hey, come and look at our stuff for security issues. If you're first to find a unique issue, you get paid, the more severe that issue is, the more we'll pay you. So they're basically going out to the entire audience of potential people that can actually be experts and the actual experts that are already there and saying, help us out. Yeah, I think the talent side of it's pretty huge too because when you start getting into remote work, and again, you must see a lot of going on there, a lot of matchmaking there. Are there other services that are coming around to the table for you guys that are looking good? Yeah, so I think ultimately when you look at the platform and the researchers that we have, we're ultimately there to help pair the researchers to drive an outcome on behalf of our customers. What those outcomes are really are limitless. Ultimately anything our customer wants done from a security researcher standpoint can be done by leveraging this platform. So we're looking at a number of different ways to start to expand the platform even further and continue to drive forward this premise of how do we make sure that our paying customers have access to the right talent when they need it? Because these are folks that you just fundamentally can't hire. 
These are the best in class hackers across the planet and we give them the ability to match this using our platform. Exactly. We were on the, I was on an interview yesterday with Amazon Web Services, Merritt Baer, she's a character, super smart, but of course she's colorful, she's got some of the Marvel characters. You have the bad guys and you got catch the Titans. The world is different, the attack surface area, even we had someone from Sonatype on we talked about Kubernetes, it's unsecure by default. And it constantly changes too. We weren't talking about AI as a security thing in this way six months ago. When we first started the company we weren't talking about automotive security but then we started in 2015, there's been other examples, IOC, whatever else. It's always changing because tech changes and bad guys update what they're doing to attack the tech. So our job is to be in that gap. Ultimately this comes back to how do we help our customers disrupt the adversary? Exactly. That adversary is going to change, it's going to adapt, but how do we fundamentally help them start to so you guys got a lot of funding. What's the platform look like? Can you share a little bit of the secret sauce? Not the secret. Yeah, so a lot of the work. That's your question on the cube. Yeah, we were kind of joking a little bit before we started around kind of the data, right? And the data really is the secret for us. So we have over 10 years of human tag data. So think about this as all the telemetry data of vulnerability information, researcher information, right? All of this amazing intelligence that we've been able to build and we've been doing this for years in ML and AI layer, where we can now match the right researcher with the right program at the right time. And what we're seeing from a result standpoint is fantastic and customers are finding 2x the amount of critical vulnerabilities. Researchers are making more money. 
So as we start to think about the flywheel effect of the platform and how do you keep a marketplace engaged, those are two really big critical pillars. So that's something that from a platform standpoint we're really excited about and now we're looking at how do you continue to leverage that data to make our customers more successful? And the benefit to the customer is that you have historical context to look at patterns or DNA of attacks. I think, yeah, DNA of attacks, but also what's the traits of a researcher that best fit? Got it, thing up. So the way I describe it, it's literally like a dating website for people that break computers, right? And the thing about that is that the ML layer learns historically in terms of what traits actually have the highest probability of romance or finding a vulnerability, right? And that just continues to improve. You guys have a great business model because that's put in the right person, in the right place, the right time. That's the hot pop. It makes the difference between going out of business or solving that problem. Well, most importantly, it drives more value for our customers, right? Helps them find vulnerabilities faster and helps, again, keep these researchers as engaged as possible. What was the motivation behind the pen testing? More of an obvious low-hanging fruit, knock that down, it's easy. People hate them, hate doing them. Was there demand? What was the decision tree on that? Yeah, I'll let you take this first. I certainly am stronger than you as well. Initially, like in starting the company, it was literally to basically, there's so much fat in the pen test industry. It's like, the people that are selling it and benefiting from that fat, they got no reason to change it, but that means the user loses at the end of the day because they can't be getting the most important. It was going to be disrupted. Yeah, it's. And it's in your wheelhouse. 
I was looking at it thinking, like someone's going to call BS on this at some point, because it's so in balance, so I might as well be that person and we've really been building that out. And you had, it was wheelhouse for you with the people, the talent. Yeah, yeah, no, for sure. That's where I came from. That's where I came from. And then Bug Bounty early on is back in 2013. People didn't, 10 years on, the idea that a hacker can be a helpful person, like a locksmith, or not just a burglar. We get that now, that wasn't true in 2013. So the easiest way to explain that was to point at Facebook and Google and say, hey, they're doing this. They're not insane. Like maybe there's more to hackers than you might assume. So, and then Bug Bounty caught on as an independent product. So that's kind of how it all got started. Well, we're going to use your systems so we can get the best CUBE alumni to be on our show at the right time. Yeah. When the topics are, you know, instant chair right there. Yeah. CrowdMatch is a tech concept, you know, just in terms of how do you answer a question? How do you put the question in the best possible place to get an answer? Fascinating. It's very flexible in that sense. Fascinating. Fascinating. To go outside of security, obviously security is where you're at now. Is the strategy adjacent on the beach head and go deeper or go broader? What's the strategy now? Yeah, so we're entirely focused on the security industry, right? We have no intent to go outside of that now. When we think about security is a big market, right? Where else do we start to look at? A lot more fat out there. Pentesting was the first kind of adjacency that we went down and there's a lot more for us to go do. We're excited to do that. We're excited to leverage the capabilities and the underpinnings of the platform to be able to do that. And again, like I said earlier, we have a lot that's going to be coming out shortly that we're really excited about. 
All right, final segment, this is super fun because you mentioned OpenAI. AI is hot, everyone's seeing it. The whole world has exposed the ChatGPT, so magic is there. There's still some issues, but data tries everything. Proprietary data is going to be the values. Note, everyone's weighing in now finally on that. It's only going to get better. It's going to be feed the AI, merge data models together, large language, multi-modal, foundational models. This is perfect for you guys. What's your strategy there? What's your vision? How do you see AI emerging for your business? And then how do you see it just generally categorically in the industry? Yeah, so I think for us AI has always been a core part of who we are and what we do, right? We talk about CrowdMatch being kind of the first output of really leveraging the data that we have in the platform. And for us and in the seat I sit in, I'm looking at it from two angles. The first being, how do we make our internal teams more efficient to get things done faster and have our folks work on higher value problems to go solve? And then the flip side of that is, how do we help surface more valuable intelligence to our customers even faster? And that's really where we believe that tapping into this 10 plus year history of data that's been tagged, that's incredibly easily accessible, that's where we believe the value driver is going to be for one hundred percent. And you have that durable business and you have the data behind it. What about your vision for data? Where do you see data going? And why should people not be afraid of it? Why should people not be afraid of it? That's a fun one. I think- I mean a lot of CEOs are pooh-poohing. I think if you don't- Honestly, I think having a healthy respect for the power that it has is a good thing. But if it converts it to fear, then that's useless because you freeze up. You're not actually, you're only thinking about the potential downside, not the benefit, right? 
So that side of it I think is actually kind of a valid way to think about it. I mean data for us, I think about all of this, the automation side, all that kind of thing. The analogy I love is the Iron Man suit, right? Like the suit, the suit without the human is dumb. It's not as smart as it can be because it doesn't have that creative flair that can adjust what its programs know how to do, right? That's the teaching layer. But the human without the suit is weak. So you put them together, that to me is just the continuous evolution of how this is going to grow. It's actually AI and humans working in partnership to make each other better going forward. If you look at all the killer use cases, the humans are actively involved and or we're involved in getting the data clean data into the system working. That brings up a good point. So prompt engineering is everyone's thrown that around. Prompt operations has been kicked around. Now I'm hearing prompt tune. I just read a paper on prompt tuning, which is more software driven. Once you get down the, it just takes its own healing, self-healing kind of model. That's basically calling. It's almost like calling a procedure. You're sending data into data set. That's a call. That to me, that's coding. So the question is, will developers flip the script and code data? They already are. Like they already are. Like the most interesting thing about ChatGPT coming out and making this whole idea available and easy to access to a large group of people at the same time. The first thing a hacker does is takes that, looks at everything that they're doing, tips it all upside down and tries to figure out how they could break it and make it better. So like what we're seeing is them using ChatGPT to improve their attack workflows. Right? And then they're- Yeah, well it's not so, phishing is a use case, it's not one that we see because phishing is- What are the big hacks right now in chat? What are the bad guys using the AI for right now? 
What are the- And this is not ChatGPT specific. I think this is like machine learning AI and LV. It's been in use for a long time to accelerating that everyone's talking about. I think phishing is probably the main one. So the ability to basically trick a human at scale, it's interesting because there's been studies that show that AI generated phishing emails are less believable but the thing is you can do 10x the number of them and you make it up on the volume side. So that's happening a lot. There's other stuff as well but I think that's the most common one that people are talking about saying. Well I got you here, I love having founders on too because entrepreneurial activity is very high right now. If you were going to start a company right now and you had clean sheet of paper, you sit on the beach somewhere and think about new idea. What would you do? What would your mindset be? What would you be attacking? What would be with AI? Knowing that you could do more now for product market fit. I mean you could get mid-term into your graphics. That's a dangerous question. Yeah, I mean my entrepreneurial recipe in general is how do you connect latent value with unmet demands? And how can you use things that create efficiency in the middle to that's the fundamental of the value of the business but where are the big opportunities to do that? So that would be the recipe that I'd use. I love frankly the financial downturn, COVID all of the negative things that have happened not to say that they're good but chaos is a ladder in a sense. Like I think for security, if it's a depressed environment people are thinking about risk more natively in a bull market like maybe nothing will happen. So it's actually a good time to be in security and be a founder because it's easy to have the conversation. And I think everything's being disrupted and a lot of things are disruptible in a kind of unique way in this period of time. So those would be the things I would think about. 
What would pop out of that? God only knows, I've got a laundry list of things that could work. I'm kind of enjoying working on Bugcrowd right now so I don't think that's too much. The best thing about being the founder is you can do a lot of things. You got a lot of latitude. You start a little sandbox anytime you want. What's the strategy for you guys? What's the next? What's the plug-in for the company? We've got a couple of minutes left. Yeah, so I think what's really cool with Bugcrowd today is what we do really matters, right? Not only are we helping solve a really big security problem for the industry but we're also doing so in a meaningful way for the folks as you talked about earlier in the marketplace, right? This is a way for folks that don't have access to the roles and the opportunities that other people do to earn meaningful income and we're growing really quickly. So that's where we're really excited is this business is hot, the market is growing incredibly fast and we're hiring 30 to 40 people in the next couple months. So it's a lot of work. And what's great about your business model, you don't need to have the customer change much to adopt you. Exactly right. You don't have to have something be ripped out to plug in. 100%. You're instantly adding value out of the gate. Yeah. And that's a big part of how we design products. It's like let's take the way that you're consuming this thing and have that change as little as possible make it a million times better. Well, awesome news on the pen test as a service. That's the big news here. And just in general, a great model for security opens happening better. The more open it is, the better it is. Absolutely. 100%. Casey, thanks for coming on. Appreciate it. Thanks a lot. I'm John Furrier. Be right back.