Hello, welcome to this CUBE conversation here in Palo Alto, California in the CUBE studios. I'm John Furrier, host of theCUBE. We are here with a hot startup really working on some real, super important security technology for the cloud, great company, Orca Security. Avi Shua, CEO and co-founder. Avi, thank you for coming on theCUBE and sharing your story.

And serving me.

So one of the biggest problems that enterprises in large scale, people who are going to the cloud and are in the cloud and are evolving with cloud native have realized that the pace of change and the scale is a benefit to the organizations but the security teams and getting that security equation right is always challenging and changing. You guys have a solution for that. I really want to hear what you guys are doing. I like what you're talking about. I like what you're thinking about and you have some potentially new technology. Let's get into it. So before we get started, talk about what is Orca Security? What do you guys do? What problem do you solve?

So what we invented in Orca is a unique technology called side scanning that essentially enables us to connect to any cloud environment in a way which is as simple as installing a smartphone application and getting a full stack visibility of your security posture. Meaning seeing all of the risk whether it's vulnerability, misconfiguration, lateral movement risk, work that has already been compromised and more and more, literally in minutes without deploying any agent, without running any network scanners, literally with no change. And while it sounds to many of us like it can't happen, it's snake oil, it's simply because they are so used to on-premise environment where it simply wasn't even possible in physical server but it is possible in the cloud.

Yeah, and we've had many CISOs on theCUBE over the years.
One CISO told us that, and this is a direct quote, I'll find the clip and share it on Twitter, but he said the cloud's more secure than on-premise because there's more changes going on. And I asked him, okay, how did you do it? He says, it's hard, you got to stay on top of it. A lot of people go to the cloud and they see some security benefits with the scale, but there are gaps. You guys are building something that solves those gaps, those blind spots because of things are always changing, you're adding more services, sometimes you're integrating, you now have containers that could have, for instance, malware on it, it gets introduced into a cluster, all kinds of things can go on in a cloud environment that was fine yesterday. You could have a production cluster that's infected. So you have all of these new things. How do you figure out the gaps and the blind spots? That's what you guys do, I believe. What are the gaps in cloud security? Share with us.

So definitely, you're completely correct. I totally agree, the cloud can be dramatically more secure than the on-prem. At the end of the day, unlike an on-prem data center, where someone can come, plug in your firewall, plug in your switch, change things, and if you don't instrument it, you won't see what's inside. This is not possible in the cloud. In the cloud, it's all code, it's all running on one infrastructure that can be used for the instrumentation. On the other hand, the cloud enabled businesses to act dramatically faster. When I say dramatically, we're talking about order of magnitude faster. You can create new networks in a matter of minutes, workloads can come and go within seconds. And this creates a lot of changes that simply haven't happened before. And it involves a lot of challenges, also from security instrumentation point of view. And you cannot use the same methodologies that used for the on-prem. Because if you use them, you're going to lose.
They were a compromise that worked for certain physics, certain set of constraints that no longer apply. And our thesis is that essentially, you need to use the capabilities of the cloud itself for the instrumentation of everything that runs on the cloud. And when you do that by definition, you have full coverage because if it's run on the cloud, it can be instrumented on the cloud. This is essentially what Orca does. And you're able to have this full visibility for all of the risk and the importance because all of them are essentially virtual workload that we're able to analyze.

What are some of the blind spots in the public cloud, for instance, I mean, that you guys are seeing that you guys point out or see with the software and the services that you guys have?

So the most common ones are the things that we have seen in the last decades. I don't think they are materially different, simply on steroids. We see things that people, services that are launched, nobody maintained for years. We see things like improper segmentation that everyone have permission to access everything. And therefore, if one environment is breached, everything is breached. We see organization where something was dramatically hardened. So people find a way to, a very common thing is that now everyone talks about CIM and tightening their permission and making sure that every workload have only the capabilities that they need. But sometimes developers are a bit lazy. So they'll walk by that, but also have keys that are stored, that can bypass the entire mechanism that again, everyone can do everything on any environment. So at the end of the day, I think that the most common thing is the standard hygiene issues. Making sure that your environment is patched, that things are tightened. There is no alternative ways to go through the environment. It's scale. Because at the end of the day, the hardest thing for a security professional, you need to secure everything.
The attacker just need to find one thing that was missed.

And you guys provide that visibility into the clouds to identify those.

Exactly. One of the top reasons that we implemented Orca using the side scanning technology that I've invented is essentially because it guarantees coverage. For the first time, we can guarantee you that if you scan it, that way we'll see every instance, every workload, every container, regardless of if it's running as a native workload, whether it's a Kubernetes, whether it's a serverless function, we see it all because we don't rely on any per asset integration. We don't rely on friction within the organization. So many times in my career, I've been in discussion with customer that has been breached. And when we got to the core of the issue, it was you couldn't, you haven't installed that agent, you haven't configured that firewall, the IPS was not up to date. So the protections weren't applied. So this is technically true, but it doesn't solve the customer problem, which is I need the security to be applied to all of my environment. And I can't rely on people to do manual processes because they will fail.

Yeah. Yeah, I mean, it's, you can't get everything now on the velocity, the volume of activity. So let me just get this right. So you guys are scanning containers. So the risk I hear a lot is, you know, with Kubernetes in containers is a fully secure cluster could have a container come in with malware and penetrate and even if it's air gap, that's still there, still problematic. You would scan that. Is that how it would work?

So yes, but sorry for cutting, but we are not scanning only containers. The essence of Orca is scanning the cloud environment holistically. We scan your cloud configuration, you scan your Kubernetes configuration, we scan your dockers, they are containers that run on top of them. We scan the images that are installed and we scan the permission that these images are running.
And most importantly, we combine these data points. So it's not like you buy one solution that looked at your AWS configuration. It's different solution that look at your virtual machines that run the cluster. Another one that looks at your cluster configuration. Another one that look at the web server and one that look at the identity. And then you have results from five different tools that each one of them claims that this is the most important issue. But in fact, you need to infuse the data and understand yourself what is the most important items or how they are correlated. We do it in a holistic way. And at the end of the day, security is more about thinking as graphs, as vectors rather than lists. So we're able to tell you something like, this is a container, which is vulnerable. It has permission to access your sensitive data. It's running on a pod that is indirectly connected to the internet through this load balancer, which is exposed. So this is the attack vector that can be utilized versus just a tool that you say you have a vulnerable containers, but you might have hundreds where 99% of them are not exposed.

Got it. So it's really more logical, common sense vectoring versus the old way, which was based on perimeter based control points, right? So is that right? Is that, you're looking at it like, okay, whole new view of it, not necessarily old way. Is that right?

Yes, it is right. We are looking at is one problem that is handled in one tool that have one unified data model and on top of that, one scanning technology that can provide all the necessary data. We are not a tool that say install vulnerability scanner, install identity access management tools and infuse all of the data to Orca and we'll make sense. And if you haven't installed the tools to you, it's not our problem. We are scanning off your environment of your containers, virtual machine, serverless function, cloud configuration using our technology.
We understand the risk, we put them in a graph and essentially prioritize the attack vectors that matter to you.

This sounds like a very promising value proposition. If I'm a five workload production workload, certainly in the cloud and someone comes to me and says you could have essentially a holistic view of your security posture at any given point in that state of operations. I'm going to look at it. So I'm compelled by it. Now, tell me how it works. Is there overhead involved? What's the cost to, not suddenly in dollars, but you can, I mean, I want to share the price to be great, but like I'm more thinking of me as a customer, what do I have to do? What are operational things we have to set up? What's my cost operationally? And is there overhead to performance?

You won't believe me, but it's almost zero. The Plank Orca is literally quick clicks. You just log into the application, you give it the permission, the read only permission to the environment and it does the rest. It doesn't run a single upgrade in the environment. It doesn't send a single packet. It doesn't create any overhead within our public customer list companies that are very critical workloads which are time sensitive. I can quote some names, companies like Databricks, Robinhood, Unity, Sisense, Lemonade and many others that have critical workloads that have deployed it for all of the environment in a very quick manner with zero interaction to the business continuity. And then focusing on that because at the end of the day in large organization, friction is the number one thing that kills security. You want to deploy new security tool. You need to talk with the team. The team says, okay, we need to check it doesn't affect the environment. Let's schedule it in six months. In six months is something more urgent, then time flies by, and think of security team in a large enterprise that needs to coordinate with 500 teams and make sure it's deployed. It can't work because we can guarantee.
We do it because we leverage the native cloud capabilities. There will be zero impact. This allows to have the coverage and find these really weak spot that nobody has been looking at.

Having the technology you have is also good but these security teams are burning out. And this brings up the cultural issue. We were talking before we came on camera around the cultural impact of the security assessment kind of roles and responsibilities inside companies. Could you share your thoughts on this? Because this is a real dynamic. The people involved, I'll say people process technology, the classic, things that are impacted with digital transformation but really the cultural impact on how developers push code, the business drivers, how the security teams get involved. And sometimes it's about the security teams are not under the CIO or under the different groups. All kinds of impacts to how the security team behaves in context to how code gets shipped. What's your vision and view on cultural impact of security in the cloud?

So in fact, many times when people say that the cloud is not secure, I say that the culture that came with the cloud sometimes drive us to non-secure processes or less secure processes. If you think about it, only a decade ago, if an organization could deliver a new service in a year, it will be an amazing achievement from design to deliver. Now, if an organization cannot ship it within weeks, it's considered a failure. And this is naturally something that was enabled by the cloud and by the technologies that came with the cloud. But it also created a situation where security teams that used to be some kind of a checkpoint in the way are no longer in that position, they are in one hand responsible to audit and make sure that things are acting as they should. But on the other hand, things happen without the involvement.
And this is a very, very tough place to be and nobody wants to be the one that tells the business you can't move as fast as you want cause the business want to move fast. So this is essentially the friction that exists whether can we move fast and how can we move fast without breaking things and without breaking critical security requirements. So I believe that security is always about a triad of educate, there's nothing better than educate, about putting the guardrails to make sure that people cannot make mistakes but also verify and audit because there will be failures in, even if you educate, even if you put guardrails, things won't work as needed. And essentially our position within this triad is to audit, to verify, to empower the security teams to see exactly what's happening. And this is an enabler for a discussion because if you see what are the risks, the factor that you have, this is an environment that haven't been patched for a decade with the past with one to six. It's a different case than, I need you to look at this environment because I'm concerned that I haven't reviewed it in a year.

That's exactly a great comment. You mentioned friction kills innovation earlier. This is one friction point that mismatch of cadence between ownership of process, business owners goals of shipping fast, security teams wanting to be secure and developers just want to write code faster too. So productivity, burnout, innovation, all are a factor in cloud security. What can a company do to get involved? And you mentioned it's easy to deploy. How do I work with Orca? You guys are just, is it a freemium? What is the business model? How do I get in, how do I engage with you if I'm interested in deploying?

So one thing that I really love about the way that we work is that you don't need to trust a single word I said.
You can get a free trial of Orca at our website, orca.security, one scan on your cloud environment and see for yourself, whether there are critical risks that were overlooked, whether everything is set and there is no need for a tool or whether there is some areas that are neglected and can be acted any given moment already been breached. We are not a freemium, but we offer free trials. And I'm also a big believer in simplicity and pricing. We just price by the average number of focus that you have. You don't need to read the long formula to understand the pricing.

Reducing friction, it's a very ethos. It sounds like you guys have a good vision on making things easy and frictionless. That's what we want. So let me ask you a question. So I want to get your thoughts because there's a lot of conversations in the industry around shifting left, and that certainly makes a lot of sense. Which controls in security do you want to shift left and which ones you want to shift right?

So let me put it that I've been in this industry for more than two decades. And like any industry, every once in a while there is a trend and of something which is super valuable but some people believe that this is the only thing that you need to know to do. And if you know a Gartner hype cycle, at the beginning, every technology is the top of that and we believe that this can do everything. And then it reaches the productivity of the area of the value that it provides. Now, I believe that shifting left is similar to that. Of course, you want to shift left as much as possible. You want things to be secure as they go out of the production line. This doesn't mean that you don't need to audit what's actually running because everything, you know, I can quote Amazon CTO Werner Vogels about everything that can break will break. Everything fails all the time. And you need to assume that everything will fail all the time, including all of the controls that you baked in.
So you need to bake as much as possible early on and audit what actually happening in your environment to find the gaps because this is the responsibility of security teams. Now, just checking everything after the fact, of course it's a bad idea, but only investing in shifting left and education have no controls of what actually happening is a bad idea as well.

A lot of people, first of all, it's a great, great call out there. I totally agree, shift left as much as possible but also get the infrastructure and your foundational data strategies right on what you're watching and auditing. I have to ask you the next question on the context of the data, right? Because you could audit all day long, all night long, but you're going to have a pile of needles looking for a haystack of needles, as they say, and you got to have context and you got to understand when things can be jumped on. You can have alert fatigue, for instance. You don't know what to look at. You can have too much data. So how do you manage the difference between making the developers productive in the shift left more with the shift right auditing? What's the context in cloud? How do you guys talk about that? Because I can imagine, yeah, it makes sense, but I want to get the right alert at the right time when it matters the most.

So we look at risk as a combination of three things. Risk is not only how pickable the lock is. If I'll come to your office and we'll tell you that your security issue is that the cleaning closet lock can be easily picked, you'll laugh at me. Technically, it might be the most pickable lock in your environment, but you don't care because the exposure is limited. You need to get to the office and there's nothing valuable inside. So I believe that we always need to take, to look at risk as the exposure, who can reach that lock? How easily pickable this lock is and what's inside? Is it your critical crown jewels?
Is it keys that can open another lock that includes these crown jewels or just nothing? And when you take this into context and the wonderful thing about the cloud is that for the first time in the history of computing the data that is necessary to understand the exposure and the impact is in the same place where you can understand also the risk of the locks. You can make a very concise decision of is this something that makes sense? That is a critical attack vector. There's a pickable lock, a critical vulnerability that is exposed in, that is an exposed service and the service has keys that can download all of my data or maybe it's an internal service, but the port is blocked and it's just have a default web server behind it. And when you take that, you can literally produce 0.1% of the alert even less than that, that can be actually exploited versus the rest that might have the same severity scores or sound as critical, but don't have a risk in terms of exposure or business impact. So this is why context matters.

I want to just connect what you said earlier and see if I get this right. Well, you just said about the lock being picked, what's behind the door, it could be more keys. I mean, they're all there and the thieves know it too. It's bad guys know exactly what these vectors are and they're attacking them. But the context is critical, but now that's what you were getting at before by saying there's no friction or overhead because the old way was send probes out there, send people out in the network, send packets to go look at things which actually will clutter the traffic up or look for patterns. That's reliant on footsteps or whatever metaphor you want to use. You don't do that because you just wire up the map and then you put context to things that have weights. I'm imagining graph technologies involved or machine learning. Is that right?
Am I getting that kind of conceptually right that you guys are laying it out holistically and saying that's a lock that can be picked but no one really cares. So no one's going to pick it. If they do, there's no consequence. Therefore move on and focus energy. Is that kind of getting it right? Can you correct me where I got that off or wrong?

So you got it completely right. On one end, we do the agentless deep assessment to understand your workloads, your virtual machine or container, your apps and the risks that exist with them. Using the side scanning technology that some people call it like the MRI for the cloud. And we build a map to understand what they're connected to, their security groups, the load balancer, the keys that they hold, what these keys open. And we use this graph to essentially understand the risk. Now we have a graph that includes risk and exposure and trust. And we use this graph to prioritize the attack vectors that matters to you. So you might have thousand upon thousands of vulnerabilities on servers that are simply internal and these cannot be manifested that will be deprioritized. And 0.1% of them that can be exploited indirectly to a load balancer and we'll be able to highlight this one. And this is the way to solve alert fatigue. We've been in large organization that use other tools that had a million critical alerts using the tools before Orca. We ran our scanner, we found 30. You can manage 30 alerts if you're a large organization. No one can manage a million alerts.

Well, I got to say, I love the value proposition. I think you're bringing a smart, a view of this. Obviously you've had the experience there. Avi and team, congratulations. And it makes sense that the cloud is a benefit. It can be leveraged. I think security being rethought this way is smart. And I think it's being validated. Now I did check the news. You guys have raised significant traction as valuation.
Certainly raised that around a funding of 210 million, I believe, a series C funding over a billion dollar valuation, which is a unicorn status. I'm sure that's a reflection of your customer attraction. Could you share customer success that you're having? What's the adoption look like? What are some of the things customers are saying? Why do they like your product? Why is this happening? I mean, I can connect the dots myself but I want to hear what your customers think.

So definitely we're seeing huge traction. We grew by thousands of percent year over year. Literally, we had times during late last year where our sales team, literally you had to wait two or three weeks till you managed to speak to a seller to work with Orca. And we see the reasons is organization have the same problems that we are focusing on. They have cloud environments. They don't know their security posture. They need to own that. And they need to own it now in a way which guarantees coverage, guarantees that they'll see the important items. And there was no other solution that could do that before Orca. And this is the fact. We literally reduce deployment project that takes months to minutes. And this makes it something that can happen rather than being on the roadmap and waiting for the next guy to come and do that. So this is what we're from a customer. The basic value proposition of Orca hasn't changed. We're providing literally cloud security that actually works, that is providing full coverage, comprehensive and contextual in a seamless manner.

So talk about the benefits to customers. I'll give you an example. Let's just say theCUBE. We have our own cloud. It's growing like crazy. And we have a DevOps team, very small team. And we start working with big companies and they all want to know what our security posture is. I have to go hire a bunch of security people. Do I just work with Orca? Because the more the trend is integration.
I just was talking to another CEO of a hot startup and the platform engineering conversations about people are integrating in the cloud and across clouds and on-premises. So integration is all about posture as well too. I want to know, people want to know who they're working with. How does that factor into anything? Because I think that's a table stakes for companies to have almost a posture report. Almost like in the MRI you said, or a clean bill of health.

So definitely we are both providing the prioritized risk assessment. So let's say that your cloud team want to check their security with your cloud security risk. They'll connect Orca, they'll see the top risk that are prioritized in a very, very clear way. What's been compromised or fully zero. What's in the imminent compromise, meaning an attacker can utilize today. And you probably want to fix it as soon as possible. And things that are hazardous in terms that they are very risky, but there is no clear attack vectors that can utilize them today. There might be things that combining other changes will become imminent compromise. But on top of that, when standard people also have compliance requirements, people are subject to a regulation like PCI, CCPA, easy on NIST and others. So we also show the results in the lens of these compliance frameworks. So you can essentially export the report showing, okay, we were scanned by Orca and we comply with all of these requirements of SOC2, et cetera. And this is another value proposition of essentially not only showing it in a risk lens but also from the compliance lens.

You got to be always on with security and cloud. Avi, great conversation. Thank you for sharing nice knowledge and going deep on some of the solution and appreciate your conversation. Thanks for coming on.

Thanks for having me.

Avi Shua, CEO and co-founder of Orca Security, hot startup taking on security in the cloud and getting it right. I'm John Furrier with theCUBE. Thanks for watching.