Hey everyone, welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of our ongoing series that's featuring exciting startups within the AWS ecosystem. This theme: cybersecurity, protect and detect against threats. I'm your host, Lisa Martin. I've got two guests here with me. Please welcome back to the program Sam Kassoumeh, COO and co-founder of Security Scorecard, and Bharath Chary, team lead, solutions marketing at Confluent. Guys, it's great to have you on the program talking about cybersecurity.
Thanks for having us, Lisa.
Sam, let's go ahead and kick off with you. You've been on theCUBE before, but give the audience just a little bit of context about Security Scorecard, or SSC as they're going to hear it referred to.
Yeah, absolutely. Thank you for that. Well, the easiest way to put it is when people want to know about their credit risk, they consult one of the major credit scoring companies, and when companies want to know about their cybersecurity risk, they turn to Security Scorecard to get that holistic view of the security posture. And the way it works is SSC is continuously, 24/7, collecting signals from across the entire internet, the entire IPv4 space. And they're doing it to identify vulnerable and misconfigured digital assets. And we were just looking back over like a three-year period. We looked from 2019 to 2022. We assessed through our techniques over a million and a half organizations and found that over half of them had at least one open critical vulnerability exposed to the internet. What was even more shocking was 20% of those organizations had amassed over 1,000 vulnerabilities each. So SSC, we're in the business of really building solutions for customers. We mine the data from dozens of digital sources and help discover the risks and the flaws that are inherent to their business.
And that becomes increasingly important as companies grow and find new sources of risk and new threat vectors that emerge on the internet for themselves and for their vendor and business partner ecosystem. The last thing I'll mention is the platform that we provide, it relies on data collection and processing to be done in an extremely accurate and real-time way. That's a key for, that's allowed us to scale. And in order for us to accomplish this, Security Scorecard engineering teams, they use the really novel combination of Confluent Cloud and Confluent Platform to build a really robust data for streaming pipelines. And the data streaming pipelines enabled by Confluent allow us at Security Scorecard to collect the data from a lot of various sources for risk analysis. Then they get further analyzed and provided to customers as an easy-to-understand summary of analytics.
Bharath, let's bring you into the conversation. Talk about Confluent, give the audience that overview and then talk about what you're doing together with SSC.
Yeah, and I wanted to say, Sam did a great job of setting up the context about what Confluent is. So appreciate that. But a really simple way to think about it, Lisa, is Confluent is a data streaming platform that is pioneering a fundamentally new category of data infrastructure that is at the core of what SSC does. Like Sam said, the key is to really collect data accurately, at scale and in real time. And that's where our cloud-native offering really empowers organizations like SSC to build great customer experiences for their customers. And the other thing we do is we also help organizations build sophisticated real-time backend operations. And so at a high level, that's the best way to think about Confluent.
Got it. Bharath, talk about data streaming, how it's being used in cybersecurity and what the data streaming pipelines enabled by Confluent allow SSC to do for its customers.
Yeah, I think Sam can definitely share his thoughts on this, but one of the things I know we're all sort of experiencing is the rise of cyber threats, whether it's online from a business B2B perspective or as consumers, just our data and then the data that we're generating and the companies that have access to it. So as the need to protect the data really grows, companies and organizations really need to effectively detect, respond and protect their environments. And the best way to do this is through three ways: scale, speed and cost. And so going back to the points I brought up earlier, with Confluent, you can really gain real-time data ingestion and enable those analytics that Sam talked about previously while optimizing for cost and scale. So doing all of this at the same time, as you can imagine, is not easy, and that's where we excel. And so the entire premise of data streaming is built on the concept that data is not static, but constantly moving across your organization, and that's why we call it data streams. And so at its core, we have sort of built on or leveraged that open source foundation of Apache Kafka, but we have re-architected it for the cloud with a totally new cloud-native experience, and ultimately for customers like SSC, you've taken away the need to manage a lot of those operational tasks when it comes to Apache Kafka. The other thing we've done is we've added a ton of proprietary IP, including security features like role-based access control, I mean, Sam probably knows what I'm talking about. And that really allows you to securely connect to any data no matter where it resides, at scale, at speed and in real time.
Can you talk about, Bharath, speaking with you, but some of the improvements, and maybe this is a question for Sam, some of the improvements that have been achieved on the SSC side as a result of the Confluent partnership, things are much faster and you're able to do much more and understand.
Sam, take it away.
I can maybe kick us off and then Bharath, feel free to chime in. Lisa, the problem that we're talking about has been, for us, it was a long-standing challenge. We're about a nine-year-old company. We're a high-growth startup and data collection has always been in our DNA. It's at the core of what we do. And getting the insights and analytics that we synthesize from that data into customers' hands as quickly as possible is the name of the game, because they're trying to make decisions and we're empowering them to make those decisions faster. We always had challenges in the arena because we, well, partners like Confluent didn't exist when we started Scorecard. When we were a customer, but we think of it as a partnership. When we found Confluent technology, and you can hear it from Bharath's description, like we shared a common vision and they understood some of the pain points that we were experiencing on a very visceral and intimate level, and for us, that was really exciting, right? Just to have partners that are there saying, we understand your problem. This is exactly the problem that we're solving. We're here to help. What the technology has done for us since then is it's not only allowed us to process the data faster and get the analytics to the customer, but it's also allowed us to create more value for customers, which I'll talk about in a bit, including new products and new modules that we didn't have the capabilities to deliver before.
And we'll talk about those new products in a second, exciting stuff coming out there from SSC. Bharath, talk about the partnership from Confluent's perspective. How has it enabled Confluent to actually probably enhance its technology as a result of seeing and learning what SSC is able to do with the technology?
Yeah, first of all, I completely agree with Sam.
It's more of a partnership, because like Sam said, we sort of shared the same vision, and that is to really make sure that organizations have access to the data, like I said earlier, no matter where it resides, so that you can scan and identify the potential security threats. I think from our perspective, what's really helped us from the perspective of partnering with SSC is just looking at the data volumes that they're working with. So I know a stat that we talked about recently was around scanning billions of records, thousands of ports on a daily basis. And so that's where, like I mentioned earlier, our technology really excels, because you can really ingest and amplify the volumes of data that you're processing so that you can scan and detect those threats in real time. Because I mean, especially with the amount of volume, the data volume that's increasing on a year by year basis, that aspect in order to be able to respond quickly, that is paramount. And so what's really helped us is just seeing what SSC is doing in terms of scanning the web ports or the data systems that are at potential risk, being able to support their use cases, whether it's data sharing between their different teams internally, or being able to empower customers to be able to detect and scan their data systems. And so the learning for us is really seeing how those millions and billions of records get processed.
Got it. Sounds like a really synergistic partnership that you guys have had for the last year or so. Sam, let's go back over to you. You mentioned some new products. I see SSC just released an Attack Surface Intelligence product that's detecting thousands of vulnerabilities per minute. Talk to us about that, the importance of that, and another release that you're making.
There are some really exciting products that we have released recently and are releasing at Security Scorecard.
When we think about ratings and risk, we think about it not just for our companies or our third parties, but we think about it in a broader sense of an ecosystem, because it's important to have data on third parties, but we also want to have the data on their third parties as well. Nobody's operating in a vacuum. Everybody's operating in this hyper-connected ecosystem and the risk can live not just in the third parties, but they might be storing and processing data in a myriad of other technological solutions which we want to understand. But it's really hard to get that visibility because today the way it's done is companies ask their third parties, hey, send me a list of your third parties where my data is stored. It's very manual. It's very labor-intensive and it's a trust-based exercise that makes it really difficult to validate. What we've done is we've developed a technology called AVD, Automatic Vendor Detection. And what AVD does is it goes out and for any company, your own company or another business partner that you work with, it will go detect all of the third party connections that we see that have a live network connection or data connection to an organization. So that's like an awareness and discovery tool, because now we can see and pull the veil back and see what the bigger ecosystem and connectivity looks like, thus allowing the customers to go hold accountable not just the third parties, but their fourth parties, fifth parties, really nth parties, and they can only do that by using Scorecard. The Attack Surface Intelligence tool is really exciting for us because, well, before Security Scorecard, people thought what we were doing was fairly impossible. It was really hard to get instant visibility on any company and any business partner. And at the same time, it was of critical importance to have that instant visibility into the risk because companies are trying to make faster decisions and they need the risk data to steer those decisions.
So when I think about that problem in managing sort of this evolving landscape, what it requires is it requires insightful and actionable real-time security data, and that relies on a couple of things: talent and tech. On the talent side, it starts with people. We have an amazing R&D team. We invest heavily. It's the heartbeat of what we do. That team really excels in areas of data collection, analysis and scaling large data sets. And then we know on the tech side, well, we figured out some breakthrough techniques and it also requires partners like Confluent to help with the real-time streaming. What we realized was those capabilities are very desired in the market and we created a new product from it called the Attack Surface Intelligence. The Attack Surface Intelligence focuses less on the rating. There's a persona and users that really value the rating. It's easy to understand. It's a bridge language between technical and non-technical stakeholders. That's on one end of the spectrum. On the other end of the spectrum, there's customers and users, very technical customers and users, that may not have as much interest in a layman's rating, but really wanna deep dive into the strong threat intel, data and capabilities and insights that we're producing. So we produced ASI, which stands for Attack Surface Intelligence. That allows customers to look at the surface area of attack, all of the digital assets for any organization, and see all of the threats, vulnerabilities, bad actors, including sometimes discoveries of zero-day vulnerabilities that are out in the wild and being exploited by bad guys. So we have a really strong pulse on what's happening on the internet, good and bad, and we created that product to help service a market that was interested in going deep into the data.
So it's so critical. Oh, go ahead.
I wanted to jump in there real quick because I think the points that Sam brought up, we had a great discussion recently while we were building on the case today that I think brings this to life, going back to the AVD product that Sam talked about. And Sam can probably do a better job of walking through the story, but the way I understand it, one of Security Scorecard's customers approached them and told them that they had an issue to resolve and what they ended up, so this customer was using an AVD product at the time. And so they said that, hey, they called SSC, they said, hey, your product shows that you were using HubSpot, but we stopped using that ages ago. And so I think when SSC investigated, they did find a very recent HubSpot ping being used by the marketing team in this instance. And as someone who comes from that marketing background, I can raise my hand and say, I've been there, done that. So yeah, I mean, Sam can probably share his thoughts on this, but that's I think a great story that sort of brings this all to life in terms of how actually customers go about using SSC products.
And Sam, go ahead on that, sounds like one of the things I'm hearing that is a benefit is reduction in shadow IT. I'm sure that happens so frequently with your customers, like a great example that you gave of the IT focusing, we don't use HubSpot, haven't in years, marketing initiates an instance. Talk about that as some of the benefits in it for customers, reducing shadow IT. There's gotta be many more benefits from a security perspective.
Yeah, there's a big challenge today because the market moved to the cloud and that makes it really easy for anybody in an organization to go sign up, put in a credit card or get a free trial to any product. And that product can very easily connect into the corporate system and access the data.
And because of the nature of how cloud products work and how easy they are to sign up, a byproduct of that is they sort of circumvent a traditional risk assessment process that organizations go through, and organizations invest a lot of money, right? So there's a lot of time and money and energy that are invested in having good procurement risk management life cycles and making sure that contracts are buttoned up. So on one side, you have companies investing loads of energy, and then on the other side, any employee can circumvent that process by just going in with a few clicks, signing up and purchasing a product. And then that causes a disparity and a delta between what the technology and security teams' understanding is of the landscape and what reality is. And we're trying to close that gap, right? We wanna close and reduce any windows of time or opportunity where a hacker can go discover some misconfigured cloud asset that somebody signed up for and maybe forgot to turn off. I mean, a lot of it is just human error and it happens. The example that Bharath gave, and this is why understanding the third parties is so important, a customer contacted us and said, hey, your AVD detection product has an error. It's showing we're using a product, I think it was HubSpot, but we stopped using that, right? And we don't understand why you're still showing it. It has to be a false positive. So we investigated and found that there was a very recent live HubSpot connection ping being made. Sure enough, when we went back to the customer, I said, we're very confident the data is accurate. They looked into it. They found that the marketing team had started experimenting with another instance of HubSpot on the side. They were putting in real customer data in that instance and it triggered a security assessment. So we see all sorts of permutations of it: large multinational companies spin up a satellite office and the contractor setting up the network equipment.
They misconfigure it and inadvertently leave an administrator portal to the Cisco router exposed on the public internet, and they forget to turn off the administrative default credentials. So if a hacker stumbles on that, they have direct access to the network. We're trying to catch those things and surface them to the client before the hackers find it. So we're giving them this hacker's-eye view, and without the continuous data analysis, without the stream processing, the customer wouldn't have known about those risks. But if you can automatically know about the risks as they happen, what that does is that prevents a million shoulder taps, because the customer doesn't have to go tap on the marketing team's shoulder and go tap on employees and manually interview them, they have the data already. And that can be for their company, that can be for any company they're doing business with where they're storing and processing data. That's a huge time savings and a huge risk reduction.
Huge risk reductions, like you're taking blinders off that they didn't even know were there. And I can imagine, Sam, too, in the last couple of years as SaaS skyrocketed, the use of collaboration tools just to keep the lights on for organizations to be able to communicate. There's probably a lot of opportunity in your customer base and prospective customer base to engage with you and get that really full 360-degree view of their entire organization, third parties, fourth parties, et cetera.
Absolutely, absolutely. Customers are more engaged than they've ever been because that challenge of the market moving to the cloud, it hasn't stopped. We've been talking about it for a long time, but there's still a lot of big organizations that are starting to dip their toe in the pool and starting to cut over from what was traditionally an in-house data center in the basement of the headquarters, they're moving over to the cloud.
And then on top of that, cloud providers like Azure, AWS especially, make it so easy for any company to go sign up, get access, build a product and launch that product to the market. We see more and more organizations sitting on AWS launching products and software. The barrier to entry is very, very low and the value in those products is very, very high. So that's drawing the attention of organizations to go sign up and engage. The challenge then becomes, we don't know who has control over this data, right? We don't know who has control and visibility of our data. We're bringing that to surface. And for vendors themselves, like especially companies that sit in AWS, what we see them doing, and I think, Lisa, this is what you're alluding to, when companies engage in their own scorecard, there's a bit of a social aspect to it. When they look good in our platform, other companies are following them, right? So now all of a sudden, they can make one motion to go look good, make their scorecard buttoned up, and everybody who's looking at them now sees that they're doing the right things. We actually have a lot of vendors who are customers. They're winning more competitive bake-offs and deals because they're proving to their clients faster that they can trust them to store the data. So it's a bit of, we're in a two-sided kind of market. You have folks that are assessing other folks. That's fun to look at others and see how they're doing and hold them accountable. But if you're on the receiving end, that can be stressful. So what we've done is we've taken that situation and we've turned it into a really positive and productive environment where companies, whether they're looking at someone else or they're looking at themselves to prove to their clients, to prove to the board, it turns into a very productive experience for them.
What now? Oh yeah, that validation. Go ahead, Bharath.
I was gonna ask Sam his thoughts on one particular aspect.
So in terms of the industry, Sam, that you're seeing sort of really move into the cloud and like this need for secure data, making sure that the data can be trusted, are there specific like verticals that are doing that better than the others or do you see that across the board?
I think some industries have it easier and some industries have it harder. Definitely, industries that are, I think healthcare, financial services, absolutely we see heavier activity there on both sides, they're certainly becoming more and more proactive in their investments, but the attacks are not stopping against those, especially healthcare, because the data is so valuable and historically healthcare was an under-invested space. Hospitals and we're always strapped for IT folks. Now they're starting to wake up and pay very close attention and make heavier investments.
That's pretty good.
Tremendous opportunity there. Guys, I'm sorry we are out of time, but this is such an interesting conversation, you see we could keep going. Wanna ask you both, where can prospective interested customers go to learn more on the SSC side, on the Confluent side, for the AWS Marketplace?
I'll let Sam go first.
Sure, thank you, Bharath. On the Security Scorecard side, look, Security Scorecard, with the help of Confluent, has made it possible to instantly rate the security posture of any company in the world. We have 12 million organizations rated today and that's going up every day. We invite any company in the world to try Security Scorecard for free and experience how easy it is to get your rating and see the security rating of any company. And any company can claim their score. There's no charge.
They can go to securityscorecard.com and we have a special, actually a special URL, securityscorecard.com slash free dash account slash AWS dash marketplace, and even better, if someone's already on AWS, you can view our security posture with the AWS Marketplace Vendor Insights plug-in to quickly and securely procure your products.
Awesome guys, this has been fantastic information. Sorry, Bharath, did you want to add one more thing?
Yeah, I just wanted to give a quick call out, Lisa. So anyone who wants to learn more about data streaming can go to www.confluent.io. There's also an upcoming event which has a separate URL that's coming up in October where you can learn all about data streaming and that URL is current event.io. So those are the two URLs I just wanted to quickly call out.
Awesome guys, thanks again so much for partnering with theCUBE on season two, episode four of our AWS Startup Showcase. We appreciate your insights and your time. And for those of you watching, thank you so much. Keep it right here for more action on theCUBE. For my guests, I am Lisa Martin. We'll see you next time.