 From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante. Hello everyone, the rise of open source is really powering the digital economy. And in a world where every company is essentially under pressure to become a software firm, open source software really becomes the linchpin of digital services for both incumbents and, of course, digital natives. Here's the challenge, is when developers tap and apply open source, they're often bringing in hundreds or even thousands of lines of code that reside in open source packages and libraries. And these code bases, they have dependencies and essentially hidden traps. Now, typically security vulnerabilities in code, they're attacked after the software's developed, maybe thrown over the fence to the SecOps team. And Sneak is a company that's set out to solve this problem within the application development life cycle, not after the fact as a bolt-on. Now, with us to talk about this mega trend is Peter McKay, friend of theCUBE and CEO of Sneak. Peter, great to see you again. It's good to see you, Dave. So I got to start with the name. Sneak, what does it mean? So now you know, it's been, people, it's sneakers, Sneak. In Europe, they tend to use the Sneak. So it's Sneak or Sneak, Sneak, but it is Sneak and stands for, so now you know. Kind of a security, so now you know a lot more about your applications than you ever did before. So it's kind of fitting me. So you heard my narrative up front. Maybe you could add a little color to that and provide some additional background. Yeah, I mean, it's a, when you think of the larger trends that are going on in the market, every company is going through this digital transformation. And every CEO, it's the number one priority. We've got to change our business from a financial services, healthcare, insurance company, whatever are all switching to digital, more of a software company. And with that, more software equals more software risk and cybersecurity continues to be a major, I think 72% of CEOs worry about cybersecurity as a top issue in protecting companies data. And so for us, we've been in the software, in the security space for the four and a half years. I've been in the security space since, you know, watch for 20 years ago. And right now with more and more, as you said, open source and containers, the challenge of being able to address these cybersecurity issues have never been more challenging. And so, especially when you add the gap between the need for security professionals and what they have, four million open positions for security people. So, you know, with all this added risk, more and more open source, more and more digitization, it's created this opportunity in the market where your traditional approaches to addressing security don't work today. You know, like you said, you know, throwing it over the fence and having someone in security, you know, check and make sure and finding all these vulnerabilities and throw it back to developers to fix is very slow and something that at this point is not driving to success. So talk a little bit more about what attracted you to Sneak early. I mean, you've been with the company, you were at least involved in the companies for a couple of years now. What were the trends that you saw and what was it about Sneak that led you to become an investor and an ultimately CEO? Yeah, so four years involved in the business. So, you know, I've always, I love the security space. I've been in it for almost 20 years. So I enjoyed the space. You know, I've watched it. The founder of Guy Pajani, one of the founders of Sneak has been a friend of mine for 16 years from back in the watch for our day. So we've always stayed connected. I've always worked well together with him. And so when you started and I was on the board, the first board member of the company, so I could see what was going on. And it was this, you know, changing the end of the right place, right time in terms of developer first security, really taking all the things that are going on in the security space that impacts a developer or can be addressed by the developer and embedding it into the software in that developer community in a way that developers use, the tools that they use. So it's a developer first mindset but with security expertise built in. And so when you look at the market, the number of open source container evolution, you know, it's a huge market opportunity and then you look at the business momentum just took off over the past four years that it was something I was getting more and more involved in. And then when Guy asked me to join as the CEO, it was like, sure, it took you so long. We had Guy on it, Node.js Summit, I want to say it was a couple of years ago now. And what he was describing is when you package, take the example of Node, when you package code in Node, you bring in all these dependencies, kind of what I was talking about there. But the challenge that he'd sort of described was really making it seamless as part of the development workflow. It seems like that's unique to sneak and you could talk about it. It is, and we've built it from the ground up. You know, it's very difficult. If it was a security tool for security people and then say, oh, let's adapt it for the developer, that is almost impossible. Why I think we've been so successful from the 400,000 developers in the community using freemium to paid, was we built it from the ground up for developer, embedded into the application development lifecycle, into their process, in a look and feel, easy for them to use, easy for them to try it, and then we focus on just developer adoption. A great experience. Developers will continue to use it and expand with it. And most of our opportunities that we've been successful at, customers, we have over 400 customers that have been this try, started with the community, they used the freemium, they tried it for their new application, then they tried it for all they knew, and then they go back and replace the old. So it's kind of this freemium, land and expand, has been a great way for developers to try it, use it, does it work? Yes, buy more, and that's the way we work. We're really happy, Peter, that you came on because you got some news today that you're choosing to share with us in our CUBE community. So it's around financing, you bring us up to date. What's the news? So I'd say four months ago, five months ago, we raised a $70 million round from great investors. And that was really led by one of our existing investors who kind of knew us the best. And it was Excel Venture, and then Excel Growth came in and led the $70 million round. And part of that was a few new investors that came in Stripes, which is a very large growth equity investor. We're part of our, that $70 million round said, preempted it and say, look it, we know you don't need the money, but we want to preempt. We believe your customer momentum, we did a couple, five or six really large deals, $700 million, $7.4 million, $1.3.5 million. So we started getting these bigger deals and we doubled since the $70 million round. And so he said, look, we want to make money, not the issue. And so they led the next round, which is $150 million round at a valuation over a billion that really allows us now to, with a number of other really top tier Cotu and Tiger and Trend and others who have been part of them, watching the space and understand the market and really helping us grow this business internationally. So it is an exciting time. So, again, we weren't looking to raise. This was something that kind of came to us. And when people are that excited about it, like we are and they know us the best because they've been part of our board of directors since their round, it allows us to do the things that we want to do faster. So $150 million raised this round brings you up to $250, is that correct? Yes, $250. And obviously an up round. So congratulations, that's great. I think a big part of that is we're not, we've been always been very fiscally responsible. I mean, yes, we have the money and most of it's still in the bank. We're growing at the pace that we think is right for us and right for the market. We continue to invest product, product, product is making sure we continue our product led organization from that bottoms up, which is something we continue to do. This allows us to accelerate that more aggressively but also the community, which is a big part of what makes that, when you have a bottoms up, you need to have that community and we've grown that and we're going to continue to invest aggressively and build in that community and last to the go to market, not only invest aggressively in North America, but also Europe and APJ, which a lot of the things we've learned from my Veeam experience, how to grow fast, go big or go home, things that we're going to do but we're going to do it in the right way. So the golden rule is a product and sales. Yes, you're building in or selling it. That's kind of where you're going to put your money. You talk a lot about companies will do IPOs to get seen but companies today, even software companies, which is a capital efficient industry, they raise a lot of dough and they put it toward promotion to compete. What are your thoughts on that? You know, we've had, the model is very straightforward. It's bottoms up, developers. There's 28 million developers in the world. What we want is every one of those 28 million to be used in our product, whether it's free or paid, I want a sneak used in every application development life cycle. If you're one developer or you're a sales force with standardized on 12,000 developers, we want them using sneak. So for us, it's get it in the hands and that, you know, it's not like developers aren't, you're going to look at Super Bowl ads. They're not going to be looking. It's, you know, it's, it's finding the ways like the conference we bought the DevSecCon, you know, the conference for developer security. Another way to promote kind of our, you know, security for developers and grow that developer community. That's not to say that there isn't a security part because, you know, what we do is help security organizations with visibility and finding a much more scalable way that gets them out of the, you know, that slows down the speed bump to the, you know, moving apps more aggressively into production. And so this is very much about helping security people. A lot of times the budgets do come from security or DevOps, but it's because of our focus on the developer and the success of fixing, finding, fixing and auto-remediating that developer environment is what makes us special. And it sounds like a key to your success is you're not asking developers to context switch out into a new environment, right? It's part of their existing workflow. It has to be, right? Don't, don't change how they do their job, right? I mean, their job is to develop incredible applications that are better than the competitors, get them to market faster than they can, than they've ever been able to do before and faster than the competitor, but do it securely. Our goal is to do the third, but not sacrifice on one and two, right? Help you drive it, help you get your applications to market, help you beat your competition, but do it in a secure fashion. So don't slow them down. Well, the other thing I like about you guys is the emphasis is on fixing. It's not just alerting people that there's a problem. I mean, for instance, look, a company like Red Hat is going to put a lot of fixes in, but you of course have to go implement them. What you're doing is saying, hey, we're going to do that for you, push the button and we'll do it, right? So that, to me, that's important because it enables automation and enables scale. It is, exactly. And I think this has been one of the challenges for kind of more of the traditional legacy is they find a whole bunch of vulnerabilities, right? And we feel as though just that alone, we're the best in the world at finding vulnerabilities in applications and open source container. And so the other part of it is, okay, you find all them, but prioritizing what it is that I should fix first. And that's become a really big issue because the vulnerabilities, as you can imagine, continue to grow. But focusing on, hey, fix this top 10%, then the next. And then to the extent you can auto fix, auto-remediate those problems, that's ultimately what we're measured by how many vulnerabilities do we fix, right? I mean, that's finding them, that's one thing. But fixing them is how we judge a successful customer. And now it's possible. It was before it was like, oh, okay, you just kind of show me more things. No, when you talk about Google and Salesforce and into it and all of our customers, they're actually getting far better. They're seeing what they have in terms of their exposure and they're fixing the problems. And that's ultimately what we're focused on. So some of those big whales that you just mentioned, it seems to me the value proposition for those guys, Peter, is the quality of the code that they can develop. And obviously the time that it takes to do that. But if you think about more of a traditional enterprise, which I'm sure is part of your TAM, they'll tell you, CISO will tell you, our biggest problem is we don't have enough people with the skills. Does this help? Yeah, absolutely. And how so? Yeah, I mean, there's a massive gap in security expertise. And the current approach, the tools are, like you said at the very beginning, it's I'm doing it too late in the process. I need to do it upstream. So you've got to leverage the 28 million developers that are developing the applications. It's the only way to solve the problem of this application security challenge. We call it cloud native application security, which all these applications usually are new apps that they're moving to the cloud. And so to really fix it, to solve the problem, you got to embed it, make it really easy for developers to leverage, sneak in their home that we call it, it's that concept of shift left. Our view is it needs to be embedded within the development process. And that's how you fix the problem. And talk about the business model again. You said it's a freemium model. You just talked about a big seven figure deals that you're doing. And that starts with a freemium. And then what? I upgrade to a subscription and then it's a land and expand. Yeah, we call it, so it's the community. Let's get every developer in a community, 28 million, we want to get into our community. From there, leverage our freemium, use it. We encourage you to use it. Everybody to use our freemium. And it's full functionality. It's not like restricted in any way, you can use it. And there's a subset of those that are ready to say, look at, I want to use the paid version, which allows me to get more visibility across more developers. So as you get larger organization, you want to leverage the power of kind of a bigger, managing multiple developers. Like a lot of, in different teams. And so that kind of gets that shift to that paid. And then it goes into that freemium, land, expand. We call it explode, sales force kind of explode and then renew. That's been our model. Get in the door, get them using freemium. We have a great experience, go to paid. And that's usually for an application. Then it goes to 10 applications and then 300 developers. And then the way we price is by developer. So the more developers you use, the better your developer adoption, the bigger the ultimate opportunity is. And it's a subscription service. All subscription. Okay, and then you guys have experts that are identifying vulnerabilities, right? You put them into a database presumably, and then you sort of operationalize that into your software and your service. Yeah, we have 15 people in an application, in our security team, that do nothing but every day but looking for the next vulnerability. That's our vulnerability database. In a large case is a lot of our big companies start with the database. Because you think of Netflix and you think of Facebook. All these companies have large security organizations that are looking for issues, looking for vulnerabilities. And they're saying, well, okay, if I can get that feed from you, why do I have my own? And so a lot of companies start just with the database feed and say, look it, I'll get rid of mine and use yours. And then eventually we'll use this scanning and then we'll evolve down the process. But there's no doubt in the market, people who use our solution or other solution will say our known database of known vulnerability is far better than anybody else in the market. And who do you sell to again? Who are the constituencies? Is it SecOps? Is it, you know, software engineering? Is it developers? DevOps? Users are always developers. In some cases DevOps or DevSec, AppSec, you're starting to see kind of the world, the developer security becoming bigger. You know, as you get larger, definitely security becomes a bigger part of the journey and some of the budget comes from the security teams or the risk or DevOps. But I think if we were to, you know, with the user and some of the influencers from developers, DevOps and security are kind of the key people in the equation. Is your, you know, a lot of experience in enterprise, how would you see your go to market in this world different given that it's really a developer constituency that you're targeting? I mean, normally you'd go hire a lot of expensive sales guys, go to market. Is that the model or is it a little different here because of the target? You know, to be honest, a lot of the momentum that we've had up to this point has been inbound. Like most of the opportunities that come in come to us from the community, from this ground up. And so we have a very large inside sales team that just kind of follows up on the inbound interest. And that's still, you know, 65, 70% of the opportunities that come to us, both here in Europe and APJ, are coming from the community inbound. Hey, I'm using 10 licenses of sync. You know, I want to get the enterprise version of it. And so that's been how we've grown. Very much of a very cost effective inside sales. Now, when you get to, you know, the Googles and sales forces in Nordstroms of the world and they have already 500 licenses, either paid or free, then we usually have a more of a, you know, a senior sales person that will be involved in those deals. To sort of mine those accounts. But it's really all about driving the efficiency of that inbound. And then at some point, driving more inbound and then sort of getting that flywheel effect. Developer adoption, developer adoption. That's the number one driver for everybody in our company. We have a customer success team. Developer adoption, you know, just make the developer successful and all the good things happen to all the other parts of the organization. Okay, so that's a key performance indicator. What are the, what are those wrap kind of the milestones and the things that you want to accomplish the next, let's call it 12 months, 18 months. What should we be watching? Yeah, so, I mean, it continues to be, you know, the community, right? The community, recruiting more developers around the globe. We're expanding, you know, APJ is becoming a bigger part. And a lot of it is through our efforts in just building out this community. We now have 20 people. Their sole job is to build out, is continue to build a developer community, which is, you know, content, you know, information, how to learn, you know, webinars, all these things that are very separate and apart from the, you know, the commercial side of the business and the community side of the business. So, community adoption is a critical measurement for us. You know, yeah, you look at premium adoption and then, you know, new customers. How are we adding new customers and retaining our existing customers? And, you know, we have a 95% retention rate. So it's very sticky because you're getting, you know, the data feed is a daily data feed. So it's like, you know, it's not one that you're going to hook on and then stop at any time soon. So, you know, it's, those are the measurements. You know, you look at your community, you look at your freemium, you look at your customer growth, your retention rates. Those are all the things that we measure our business by. And your big pockets of brain power. You're obviously in Boston. That's kind of CEO's prerogative. You got a big presence in London, right? And also in Israel, is that correct? Yeah, so I would say we have four hubs and then we have a lot of remote employees. So, you know, Tel Aviv, where a lot of our security expertise is in London, a lot of engineering. So between London and Tel Aviv is kind of the security teams, the developers are all in the community is kind of there. You know, Boston is kind of more go to market side of things. And then we have Ottawa, which is kind of where watch fire started. So a lot of good security experience there. And then, you know, we've like a lot of modern companies, we hire the best people wherever we can find them. You know, we have some in Sydney and we get some all around the world, go out, especially security, where finding really good security talent is a challenge. And so we're always looking for the best and brightest wherever they are. Well, Peter, congratulations on the raise. The new role really thank you for coming in and sharing with the Cube community. Really appreciate it. Well, it's great to be here. Always enjoy the conversations, especially the Patriots, Red Sox, kind of banter back and forth. It's always good. Well, how do you feel about that? Which one? Well, the Patriots, you know, it's sort of strange that they're not deep into the playoffs, I mean, for us. But how about the Red Sox now? Is it a team of shame? All my friends who are sort of jealous of Boston sports are saying you should be embarrassed? Yeah. What are your thoughts? Hey, it's all about Houston. You know, Alex Cora was one of the assistant coaches of Houston where all the issues are. I'm not so sure those issues apply to Boston, but we'll see. TBD. TBD, I am optimistic as usual of a Boston fan, making sure that there isn't any spillover from the Houston world. Well, we just got our Sox tickets. So, you know, hopefully they'll recover quickly from this. Well, they got to get a coach first. Yeah, they got to get a coach. We need something to distract us from the Patriots. So, you're not ready to attach an asterisk yet? Nope. Nope. To 2018. No, no. All right, good. I like the optimism. Maybe you made the right call on Tom Brady. Did I? It's still. Yeah, a couple years ago. Since we talked, in one, and they won one. So, they were in two, won one, and he threw for what? 600 yards in the first one, so it wasn't his fault. And they'll sign him again. He'll be back. Is that your prediction? I hope so. I do. All right, Peter. Always a pleasure, man. Great to see you. And thank you for watching, everybody. We'll see you next time.