Hello, and welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series, covering the exciting hot startups from the AWS ecosystem. Here we're talking about cybersecurity. In this episode, I'm your host, John Furrier. We're excited to have a CUBE alumnus who's back, Snehal Antani, who's the CEO and co-founder of horizon3.ai. Talking about exploitable weaknesses and vulnerabilities with autonomous pen testing. Snehal, great to see you. Thanks for coming back. Likewise, John, I think it's been about five years since you and I were on the stage together, and I've missed it, but I'm glad to see you again. Well, before we get into the showcase about your new startup, that's extremely successful, amazing margins, great product. You have a unique journey. We talked about this prior to you doing the journey, but you have a great story. You left the startup world to go into the startup-like world of self-defense, public defense. Yeah, it's- And I say, what group did you go to in the public sector that became my private partner? My background, I'm a software engineer by education and trade. I started my career at IBM. I was a CIO at GE Capital. I think we met once when I was there, and I became the CTO of Splunk, and we spent a lot of time together when I was at Splunk. And at the end of 2017, I decided to take a break from industry and really kind of solve problems that I cared deeply about and solve problems that mattered. So I left industry and joined the US Special Operations Community and spent about four years in US Special Operations where I grew more personally and professionally than in anything I'd ever done in my career. And I exited that time, met my co-founder in Special Ops, and then as he retired from the Air Force, we started Horizon 3. So there's really, I want to bring that up one because it's fascinating that not a lot of people in Silicon Valley and tech do that. 
So thanks for the service, and I know everyone who's out there in the public sector knows that this is a really important time for the tactical edge in our military. A lot of things going on around the world. So thanks for the service and a great journey. But there's a storyline with the company you're running now that you started. I noticed you get the jacket on there. I noticed a little military vibe to it. Cyber security, I mean, every company's on their own now. There's no, they have to build their own militia. There is no government supporting companies anymore. There's no militia. There's no one's on the shores of our country defending the citizens and the companies. They got to fend for themselves. So every company has to have their own military. Yeah, in many ways, you don't see anti-aircraft rocket launchers on top of the JP Morgan building in New York City because they rely on the government for air defense. But in cyber, it's very different. Every company is on their own to defend for themselves. And what's interesting is this blend, if you look at the Ukraine-Russia war as an example, 1,000 companies have decided to withdraw from the Russian economy. And those 1,000 companies we should expect to be in the ire of the Russian government and their proxies at some point. And so it's not just those companies, but their suppliers, their distributors. And it's no longer about cyber attacks for extortion through ransomware, but rather cyber attacks for punishment and retaliation for leaving. Those companies are on their own to defend themselves. There's no government that's going to, that is dedicated to supporting them. So yeah, the reality is that cyber security, it's the burden of the organization. 
And also your attack surface has expanded to not just be your footprint, but if an adversary wants to punish you for leaving their economy, they can get, if you're in agriculture, yeah, they could disrupt your ability to farm, or they could get all your fruit to spoil at the border because they disrupted your distributors and so on. So I think the entire world is gonna change over the next 18 to 24 months. And I think this idea of cyber security is gonna become truly a national problem and a problem that breaks down any corporate barriers that we've seen previously. What are some of the things that inspired you to start this company? Because I loved your approach of thinking about the customer, your customer, as defending themselves in context to threats. Really leaning into it, being ready and able to defend Horizon 3, has a lot of that kind of military thinking for the good of the company. What's the motivation? Why this company? Why now? What's the value proposition? Yeah, so there's two parts to why the company and why now. The first part was what my observation when I left industry remember, my military background is watching Jack Ryan and Tropic Thunder. I didn't come from the military world and so when I entered the Special Operations Community, step one was to keep my mouth shut, learn, listen and really observe and understand what made that community so impressive. And obviously the people, and it's not about them being fast runners or great shooters or awesome swimmers, but rather they are learn-it-alls that can solve any problem as a team under pressure. Which is the exact culture you wanna have in any startup. Early stage companies are learn-it-alls that can solve any problem under pressure as a team. So I had this immediate advantage when we started Horizon 3, where a third of Horizon 3 employees came from that Special Operations Community. So one's this awesome talent. 
But the second part that, I remember this quote from a Special Operations Commander that said, we use live rounds in training because if we used fake rounds or rubber bullets, everyone would act like Medal of Honor winners. And the whole idea there is you train like you fight. You build that muscle memory for crisis and response and so on up front. So when you're in the thick of it, you already know how to react. And this aligns to a pain I had in industry. I had no idea I was secure until the bad guys showed up. I had no idea if I was fixing the right vulnerabilities, logging the right data in Splunk, or if my CrowdStrike EDR platform was configured correctly. I had to wait for the bad guys to show up. I didn't know if my people knew how to respond to an incident. So what I wanted to do was proactively verify my security posture, proactively harden my systems. I needed to do that by continuously pen testing myself or continuously testing my security posture. And there just wasn't any way to do that where an IT admin or a network engineer could in three clicks have the power of a 20 year pen testing expert. And that was really what we set out to do. Not build an autonomous pen testing platform for security people, build it so that anybody can quickly test their security posture and then use the output to fix problems that truly matter. So the value approach if I get this right is there's a lot of companies out there doing pen tests. And I know, I hate pen tests because you do dev ops and changes, you got to do another pen test. So it makes sense to do autonomous pen testing. So congratulations on seeing that. That's obvious to that. But a lot of other companies have consulting tied to it. What seems like you need to train someone and you guys taking a different approach. Yeah, we actually as a company have zero consulting, zero professional services. 
And the whole idea is that build a true software as a service offering where an intern, in fact, we've got a video of a nine year old that in three clicks can run pen tests against themselves. And because of that, you can wire pen tests into your dev ops tool chain. You can run multiple pen tests a day. In fact, I've got customers running 40, 50 pen tests a month against their organization. And that, what that does is completely lowers the barrier of entry for being able to verify your posture. If you have consulting on average when I was a CIO, it was at least a three month lead time to schedule consultants to show up. And then they'd show up, they'd embarrass the security team, they'd make everyone look bad cause they're going to get in, leave behind a report. And that report was almost identical to what they found last year. Because the older that report, the one that the data itself gets stale, the context changes and so on. And then eventually you just don't even bother fixing it. Or if you fix a problem, you don't have the skills to verify that it's been fixed. So I think that consulting led model was acceptable when you viewed security as a compliance checkbox, where once a year was sufficient to meet your like PCI requirements. But if you're really operating with a wartime mindset and you actually need to harden and secure your environment, you've got to be running pen tests regularly against your organization from different perspectives, inside, outside, from the cloud, from work from home environments and everything in between. So for the CSOs out there, for the CSOs and the CXOs, what's the pitch to them? Because I see your jacket that says Horizon3.ai, trust but verify, but the trust is canceled out, it's just as verify. What's the product that you guys are offering, the service, describe what it is and why they should look at it? Yeah, sure. So one, back when I was a CIO, don't tell me we're secure in PowerPoint. Show me we're secure right now. 
Show me we're secure again tomorrow and then show me we're secure again next week. Because my environment is constantly changing and the adversary always has a vote and they're always evolving. And this whole idea of show me we're secure. Don't trust that your security tools are working. Verify that they can detect and respond and stifle an attack. And then verify tomorrow, verify next week. That's the big mind shift. Now what we do is- How do they respond to that by the way? Like, they don't believe you at first or what's the story? I think it's, there's actually a very bifurcated response. There are still a decent chunk of CIOs and CSOs that have a security as a compliance check box mindset. So my attitude with them is, I'm not going to convince you. You believe it's a check box. I'll just wait for you to get breached and sell to your replacement because you'll get fired. And in the meantime, I spend all my energy with those that actually care about proactively securing and hardening their environments. That's true, people do get fired. Can you give an example of what you're saying about this environment? Being ready, proving that you're secure. Today, tomorrow and a few weeks out. Give me an example of- Yeah, I'll give you actually a customer example. There was a healthcare organization and they had about 5,000 hosts in their environment. And they did everything right. They had Fortinet as their EDR platform. They had user behavior analytics in place that they had purchased and tuned. And when they ran a pen test self-service, our product Node Zero immediately started to discover every host on the network. It then fingerprinted all those hosts and found it was able to get code execution on three machines. So it got code execution, dumped credentials, laterally maneuvered and became a domain administrator, which in IT, if an attacker becomes a domain admin, they've got keys to the kingdom. 
So at first the question was, how did the Node Zero pen test become domain admin? How did they get code execution? Fortinet should have detected and stopped it. Well, it turned out Fortinet was misconfigured on three boxes out of 5,000. And these guys had no idea. And it's just automation that went wrong and so on. And now they would have only known they had misconfigured their EDR platform on three hosts if the attacker had showed up. The second question though was, why didn't they catch the lateral movement, which all their marketing brochures say they're supposed to catch? And it turned out that that customer purchased the wrong Fortinet modules. Once again, they had no idea. They thought they were doing the right thing. So don't trust that just installing your tools is good enough. You've got to exercise and verify them. We've got tons of stories from patches that didn't actually apply to being able to find the AWS admin credentials on a local file system and then using that to log in and take over the cloud. And in fact, I gave this talk at Black Hat on war stories from running 10,000 pen tests. And that's just the reality is you don't know that these tools and processes are working for you until the bad guys have shown up. The velocity is there. You can accelerate through logs. You know that from the days you've been there, this is now the threat. Being, I won't say lazy, but just not careful or just not thinking. Well, I'll give you an example. We have a lot of customers that are Horizon 3 customers and Splunk customers. And what you'll see their behavior is, is they'll have Horizon 3 up on one screen and every single attacker command executed with its timestamp is up on that screen. And then look at Splunk and say, hey, we were able to dump vCenter credentials from VMware products at this time on this host. What did Splunk see or what didn't they see? Why were no logs generated? And it turns out that they had some logging blind spots. 
So what they'll actually do is run us to almost like stimulate the defensive tools and then see what tools, what did the tools catch? What did they miss? What are those blind spots and how do they fix it? So your product's called Node Zero. Yep. You mentioned that. Is that specifically a suite, a platform? Yeah. How do people consume and engage with you guys? So the way that we work, the whole product is designed to be self-service. So once again, while we have a sales team, the whole intent is you don't need to have to talk to a sales rep to start using the product. You can log in right now, go to horizon3.ai, you can run a trial, log in with your Google ID, your LinkedIn ID, start running pen tests against your home or against your network, against this organization right now without talking to anybody. The whole idea is self-service, run a pen test in three clicks and give you the power of that 20-year pen testing expert. And then what will happen is Node Zero will execute and then it'll provide to you a full report of, here are all of the different paths or attack paths or sequences where we were able to become an admin in your environment. And then for every attack path, here is the path or the kill chain, the proof of exploitation for every step along the way. Here's exactly what you've got to do to fix it. And then once you've fixed it, here's how you verify that you've truly fixed the problem. And this whole aha moment is run us to find problems, you fix them, re-run us to verify that the problem has been fixed. Talk about the company, how many people do you have and give some stats? Yeah, so we started writing code in January of 2020. Right before the pandemic hit. And then about 10 months later, at the end of 2020, we launched the first version of the product. We've been in the market for now about two and a half years total from start of the company until present. We've got 130 employees. 
We've got more customers than we do employees, which is really cool. And instead, our customers shift from running one pen test a year to 40, 50 pen tests. And it's full SaaS. The whole product is full SaaS. So no consulting, no pro-serve. You run as often as you want. Who's downloading, who's buying the product? You know what's amazing is we have customers in almost every section or sector now. So we're not overly rotated towards like healthcare or financial services. We've got state and local education or K through 12 education, state and local government, number of healthcare companies, financial services, manufacturing. We've got organizations that are large enterprises. Security is diverse. It's very diverse. I mean, ransomware must be a big driver. I mean, is that something that you've seen a lot of? And the thing about ransomware is if you peel back the outcome of ransomware, which is extortion. At the end of the day, what ransomware organizations or criminals or APTs will do is they'll find out who all your employees are online. They will then figure out if you've got 7,000 employees, all it takes is one of them to have a bad password. And then attackers are gonna credential spray to find that one person with a bad password or whose Netflix password that's on the dark web is also their same password to log in here because most people reuse. And then from there, they're gonna, most likely in your organization, the domain user when you log in, like you probably have local admin on your laptop. If you're a Windows machine and I've got local admin on your laptop, I'm gonna be able to dump credentials, get the admin credentials and then start to laterally maneuver. Attackers don't have to hack in using zero days like you see in the movies. Often they're logging in with valid user IDs and passwords that they've found and collected from somewhere else. And then they make that, they maneuver by making a low plus a low equal a high. 
And the other thing in financial services, we spend all of our time fixing critical vulnerabilities. Attackers know that. So they've adapted to finding ways to chain together low priority vulnerabilities and misconfigurations and dangerous defaults to become admin. So while we've over rotated towards just fixing the highs and the criticals, attackers have adapted. And once again, they have a vote, they're always evolving their tactics. And how do you prevent that from happening? So we actually apply those same tactics. Rarely do we actually need a CVE to compromise your environment. We will harvest credentials just like an attacker. We will find misconfigurations and dangerous defaults just like an attacker. We will combine those together, we'll make use of exploitable vulnerabilities as appropriate and use that to compromise your environment. So the tactics that, in many ways, we've built a digital weapon and the tactics we apply are the exact same tactics that are applied by the adversary. So you guys basically simulate hacking. We actually do the hacking. Simulate means that there's a fakeness to it. Okay, so you guys do hack. We actually compromise. Like Sneakers, the movie, the old Sneakers movie for the old folks like me. And in fact, that was my inspiration. I've had this idea for over a decade now, which is I want to be able to look at anything, that laptop, this Wi-Fi network, gear in hospital or a truck driving by and know I can figure out how to gain initial access, rip that environment apart and be able to opponent. Okay, Chuck, he's not allowed in the studio anymore. No, seriously, some people are exposed. I mean, some companies don't have anything, but there's always passwords or, so most people have that argument. Well, there's nothing to protect here. Not a lot of sensitive data. How do you respond to that? Do you see that being kind of putting the head in the sand or? 
Yeah, it's actually, it's less there's not sensitive data, but more we've installed or applied multi-factor authentication. Attackers can't get in now. Well, MFA only applies or does not apply to lower level protocols. So I can find a user ID password, log in through SMB, which isn't protected by multi-factor authentication and still own your environment. So unfortunately, I think as a security industry, we've become very good at giving a false sense of security to organizations. Compliance drives that. Compliance drives that. And what we need, but back to, don't tell me we're secure, show me. We've got to, I think, change that to a trust but verify, but get rid of the trust piece of it. Just a very- Okay, we got a lot of CISOs and CISOs watching this showcase, looking at the hot startups. What's the message to the executives there? Do they want to become more leaning in, more hawkish, if you will, to use the military term on security? I mean, I heard one CISO say, security first, then compliance, because compliance can make you complacent. And then you're insecure at that point. So what's the- I would actually say that, so I agree, one, definitely security is different and more important than being compliant. I think there's another emerging concept, which is I'd rather be defensible than secure. What I mean by that is, security is a point in time state. I am secure right now. I may not be secure tomorrow because something's changed. But if I'm defensible, then what I have is that muscle memory to detect, respond and stifle an attack. And that's what's more important. Can I detect you? How long did it take me to detect you? Can I stifle you from achieving your objective? How long did it take me to stifle you? What did you use to gain access? How long did that sit in my environment? How long did it take me to fix it, you know, so on and so forth? 
But I think it's being defensible and being able to rapidly adapt to changing tactics by the adversary is more important. Yeah, this is the evolution of how the red line never moved. You got the adversaries in our networks, in our banks. Now they hang out and they wait. So everyone thinks they're secure, but when they get, start getting hacked, they're not really in a position to defend. The alarms go off. Where's the playbook? Team springs into action. I mean, you kind of get the visual there, but this is really the issue. Being defensible means having your own, essentially military for your company. Or this, being defensible, I think has two pieces. One is you've got to have this culture and process in place of training like you fight because you want to build that incident response muscle memory ahead of time. You don't want to have to learn how to respond to an incident in the middle of the incident. So that is that proactively verifying your posture and continuous pen testing is critical there. The second part is the actual fundamentals in place so you can detect and stifle as appropriate. And also being able to do that. You know, when you are continuously verifying your posture, you need to verify your entire posture, not just your test systems, which is what most people do, but you have to be able to safely pen test your production systems, your cloud environments, your perimeter. You've got to assume that the bad guys are going to get in. Once they're in, what can they do? So don't just say that my perimeter is secure and I'm good to go. It's the soft, squishy center that attackers are going to get into. And from there, can you detect them and can you stop them? So now take me through the use case. You've got to be sold on this. I love this topic. All right, pen test, what am I buying? Just pen test as a service? You mentioned dark web, are you actually buying credentials online on behalf of the customer? What is the product? 
What am I buying if I'm the CISO from Horizon 3? What's the service? What's the product? Be specific. So very specifically, and one just principles. The first principle is when I was a buyer, I hated being nickel-and-dimed by vendors, which was I had to buy 15 different modules in order to achieve an objective. Just give me one line item, make it super easy to buy and don't nickel-and-dime me. Because I've spent time as a buyer that very much has permeated throughout the company. So there is a single SKU from Horizon 3. It is an annual subscription based on how big your environment is. And it is inclusive of on-prem internal pen tests, external pen tests, cloud attacks, work from home attacks, our ability to harvest credentials from the dark web and from open source sources, being able to crack those credentials, compromise. All of that is included as a single SKU. All you get as a CISO is a single SKU, annual subscription, and you can run as many pen tests as you want. Some customers still stick to maybe one pen test a quarter, but most customers shift and they realize there's no limit. We don't nickel and dime. They can run 10, 20, 30, 40 a month. Well, it's not nickel-and-diming in the sense that it's more like dollars and hundreds because they know what to expect. If it's classic cloud consumption, they kind of know what their environment is. Can people try it? Let's just say I have a huge environment. I have a cloud, I have an on-premise private cloud. Can I dabble and set parameters around pricing? Yes, you can. So one is you can dabble and set parameters around scope, which is like manufacturing does this. Do not touch the production line that's on at the moment. We've got a hospital that says every time they run a pen test, any machine that's actually connected to a patient must be excluded. So you can actually set the parameters for what's in scope and what's out of scope up front. Once again, we're designed to be safe to run against production. 
So you can set the parameters for scope. You can set the parameters for cost if you want, but our recommendation is I'd rather figure out what you can afford and let you test everything in your environment than try to squeeze every penny from you by only making you buy what you're looking for as a smaller. So the variable ratchet, if you will, is how much they spend is the size of their environment and usage. Just size of the environment. Okay, so it could be a big ticket item for a CISO then. It could if you're really large, but for the most. What's large? I mean, if you were Walmart, well, let me back up. What I heard is Global 10 companies spend anywhere from 50 to a hundred million dollars a year on security testing. So they're already spending a ton of money, but they're spending it on consultants that show up maybe a couple of times a year. They don't have, humans can't scale to test a million hosts in your environment. And so you're already spending that money, spend a fraction of that and use us and run as much as you want. And that's really what it comes down to. All right, so what's the response from customers? What's really interesting is there are three use cases. The first is that SOC manager that is using us to verify that their security tools are actually working. So their Splunk environment is logging the right data. It's integrating properly with CrowdStrike. It's integrating properly with their Active Directory services and their password policies. So the SOC manager is using us to verify the effectiveness of their security controls. The second use case is the IT director that is using us to proactively harden their systems. Did they install VMware correctly? Did they install their Cisco gear correctly? Are they patching right? And then the third are for the companies that are lucky to have their own internal pen tests and red teams where they use us like a force multiplier. 
So if you've got 10 people on your red team and you still have a million IPs or hosts in your environment, you still don't have enough people for that coverage. So they'll use us to do recon at scale and attack at scale and let the humans focus on the really juicy hard stuff that humans are successful at. Okay, I love the product. How do, again, I'm trying to think about how I engage on the test. Are there pilots? Is there a demo version? Yeah, there's free trials. We do 30 day free trials. The output can actually be used to meet your SOC 2 requirements. So in many ways, you can just use us to get a free SOC 2 pen test report right now if you want. Go to the website, log in for a free trial. You can log into your Google ID or your LinkedIn ID, run a pen test against your organization and use that to answer your PCI segmentation test requirements, your SOC 2 requirements. But you will be hooked. You will want to run us more often and you will get a Horizon 3 tattoo. The first hit's free as they say in the drug business. Yeah, yeah, I mean, so you're seeing that kind of response then. The trial converts pretty well. It's exactly, in fact, we have a very well-defined aha moment, which is you run us to find, you fix, you run us to verify. We have a 100% technical win rate when our customers hit a find, fix, verify cycle. Then it's about budget and urgency, but a 100% technical win rate because of that aha moment. Because people realize, holy crap, I don't have to wait six months to verify that my problems have actually been fixed. I can just come in, click, verify, rerun. The entire pen test will rerun a very specific part of it on what I just patched to my environment. Congratulations, great stuff. You're here part of the AWS startup showcase, so I have to ask, what's the relationship with AWS? You're on their cloud. What kind of actions going on there? Is there a secret sauce on there? Yeah, so what's going on? 
So one is we are AWS customers ourselves, our brains command and control infrastructure, all of our analytics are all running on AWS. It's amazing when we run a pen test, we're able to use AWS and we'll spin up a virtual private cloud just for that pen test. It's completely ephemeral. It's all Lambda functions and graph analytics and other techniques. When the pen test ends, you can delete, there's a single use Docker container that gets deleted from your environment so you have nothing on-prem to deal with. And the entire virtual private cloud tears itself down. So at any given moment, if we're running 50 pen tests or 100 pen tests self-service, there's a hundred virtual private clouds being managed in AWS that are spinning up, running and tearing down. It's an absolutely amazing underlying platform for us to make use of. Two is that many customers that have hybrid environments, so they've got a cloud infrastructure, an Office 365 infrastructure and an on-prem infrastructure. We're a single attack platform that can test all of that together. No one else can do it. And so the AWS customers that are especially AWS hybrid customers are the ones that we do really well targeting. Got it, and that's awesome. And that's the benefit of the cloud. Absolutely, and the AWS marketplace. What's absolutely amazing is the competitive advantage being part of the marketplace has for us. Because the simple thing is, my customers, if they already have dedicated cloud spend, they can use their approved cloud spend to pay for Horizon 3 through the marketplace. So you don't have to, if you already have that budget dedicated, you can use that through the marketplace. The other is you've already got the vendor processes in place. You can purchase through your existing AWS account. So what I love about the AWS company is, one, the infrastructure we use for our own pen tests. Two, the marketplace. 
And then three, the customers that span that hybrid cloud environment, that's right in our strike zone. Yeah, awesome. Well, congratulations. And thanks for being part of this showcase. And I'm sure your product's going to do very, very well. It's very built for what people want, self-service, get in and get the value quickly. No agents to install, no consultants to hire, safe to run against production. It's what I've wanted. Great to see you, and congratulations. And what a great story, and we're going to keep following you. Thanks for coming on. No, thank you, John. Okay, this is the AWS startup showcase. I'm John Furrier, your host. This is season two, episode four on cybersecurity. Thanks for watching.