 Welcome back everyone to the LiveCube coverage here in Boston, Massachusetts for AWS Reinforced 22, the great guest, Hades Heyman, CRO, Chief Revenue of Sunray Security. Sunray is a featured partner of season two, episode four of the upcoming AWS startup showcase coming in late August, early September. Security themed startup focused event, check it out. AWSstartups.com is the site. We're on season two, a lot of great startups, go check them out, Sunray's in there now for the second time. Hades, great to see you. Thanks for coming on. Thanks for having me. So you've been around the industry for a while. You've seen the waves of innovation. We heard encrypt everything today on the keynote. We heard a lot of cloud native. They didn't say shift left, but they said, don't bolt on security after the fact. Be in the CICD pipeline for the dev stream. All of that's kind of not top one. Amazon's talking cloud native all the time. This is kind of what you guys are in the middle of. I've covered your company, you've been on theCUBE not you, but your teammates have. You guys have a unique value proposition. Take a minute to explain for the folks that don't know. We'll dig into it. But what you guys are doing, why you're winning, what's the value proposition? Yeah, absolutely. So Sunray is, what we do is we're a total cloud solution. Obviously, this is what everybody says. But what we're dealing with is really our superpower has to do with the data and identity pieces within that framework. And we're tying together all the relationships across the cloud. And this is a unique thing because customers are really talking to us about being able to protect their sensitive data, protect their identities. And not just people identities, but the non-people identity piece is the hardest thing for them to rein in. So that's really what we specialize in. And you guys doing good, some good reports on good sales, good meetings happening here. Here at the show, the big theme to me, and again, listening to the keynotes, you hear, you can see what's, wasn't talked about. Ransom, where I wasn't talked about much. You can talk about air gap. I mentioned Ransom here, I think once. You know, normal stuff, teamwork, encryption everywhere. But identity was sprinkled in everywhere. And I think one of my favorite quotes was, I wrote it down, we've security in the development cycle, CISD, we didn't say shift left, don't bolt on any other. Now that's not new information. We know that don't bolt on, I've been around for a while. He said, lessons learned. This is Stephen Schmidt, who's the CSO, top dog in security. Who has access to what and why? Over permissive environments creates chaos. Absolutely. This is what you guys reign in. It is. Explain that. Yeah, I mean, we just did a survey actually with AWS and Forrester around what are all the issues are in this area that customers are concerned about and clouds in particular. One of the things that came out of it is like 95% of clouds are, what's called overprivileged, which means that there's access running amok, right? I mean, it is a crazy thing. And if you think about the whole value proposition of security, it's to protect sensitive data, right? So if it's permissive out there and then sensitive data isn't being protected, I mean, that's where we really reign it in. You know, it's interesting. I zoom out, I just put my historian hat on, going back to the early days of my career in the late 80s, early 90s. There's always, when you have these inflection points, there's always these problems that are actually opportunities. And DevOps infrastructure as code was all about APS, all about the developer. Now, and now open source is booming. Open source is the software industry. Open source has eaten the world. That's now the software industry. Cloud scale has hit. And now you have the devs completely in charge. Now what suffers now is the ops and the sec, second ops. Now ops, dev ops, now dev sec ops is where all the action is. So the next thing to do is build an abstraction layer. That's what everyone's trying to do. Build tools and platforms. And so that's where the action is here. This is kind of where the innovation's happening because the networks aren't in charge anymore either. So you now have this new migration up to higher level services and opportunities to take the complexity away. Because what's happened is customers are getting complexity. They're getting it shoved in their face because they want to do good with dev ops, scale up. But by default, their success is also their challenge because of complexity. That's exactly right. You agree with that? I do totally agree with that. If you believe that, then what's next? What happens next? You know, what I hear from customers has to do with two specific areas is they're really trying to understand control frameworks and be able to take these scenarios and build them into something where they can understand where the gaps are. And then on top of that, building in automation. So the automation is a theme that we're hearing from everybody. Like how do they take and do things like, you know, it's what we've been hearing for years, right? How do we automatically remediate? How do we automatically prioritize? How do we build that in so that they're not having to hire people alongside that, but can use software for that? The automation has become key. You got to find it first. Yes. You guys are also part of the dev cycle too. Explain that piece. So I'm a developer, I'm an organization. You guys are on the front end. You're not bolt on, right? We can do either. We prefer it when customers are willing to use us right at the very front end, right? Because anything that's built in the beginning doesn't have the extra cycles that you have to go through after the fact, right? So if you can build security right in from the beginning and have the ownership where it needs to be, then you're not having to deal with it afterwards. Okay, so how do you guys put my customer hat on for a second, a little hard question, hard problem? I got Active Directory on Azure. I am over here with AWS. I wanted them to look the same. Now my on-premises is getting booming. Now I got cloud operations. So DevOps has moved to my premise and edge. So what do I do? Do I throw everything out? Do I redo? How do you guys talk about customers that have that? Because a lot of them are old school. Right. ID. And I think there's an important distinction here, which is there's the Active Directory identities that customers are used to, but then there's this whole other area of non-people identities, which is compute power and privileges and everything that gets going when you get machines working together. And we're finding that it's about five to one in terms of how many identities are non-human identities versus human identity. So you actually have to look at- So programmable access, basically. Yes, absolutely, right. And privileges and roles that are accessed via different ways because it's how it's assigned. And people aren't really paying that close attention to it. So from that scenario, like the AD thing, of course that's important, right? To be able to take that and lift it into your cloud. But it's actually even bigger to look at the bigger picture with the non-human identities. Right. What about the CISOs out there that you talked to? You're in the front lines, all the customers, and you see what's coming on the roadmap. So you kind of get the best of both worlds, see what's coming out of engineering. What's the biggest problem CISOs are facing now? Is it the sprawl of the problems, the hackerspace? Is it not enough talent? I mean, I'll see the fear. What are they facing? How do you see that? And then what's your conversations like? Yeah, I mean the answer to that is unfortunately yes, right? They're dealing with all of those things. And here we are at the intersection of this huge, complex thing around cloud that's happening. There's already a gap in terms of resources. Never mind skills that are different skills than they used to have. So I hear that a lot. The bigger thing I think I hear is, they're trying to take the most advantage out of their current team. So they're again worried about how to operationalize things. So if we bring this on, is it going to mean more headcount? Is it going to be things that we have to invest in differently? And I was actually just with a CISO this morning and the whole team was talking about the fact that bringing us on means they can do it with less resource. Like this is a resource help for them in this particular area. So that was their value proposition for us, which I loved. So I went to Adrian Cockroft who retired from AWS. He was at Netflix before. He was a big DevOps guy. He talks about how agility has been great because from a sales perspective, the old model was he called it the big Indian wedding. You have to get everyone together, do a POC, you know, long sales cycles for big tech investment proprietary. Now open sources like speed dating. You can know what's good quickly and try things quicker. How is that impacting your sales motions, your customer engagements? Are they fast? Are they test-tried before they buy? What's the engagement model that you see happening that the customers like the best? Yeah, you know, because of the fact that we're kind of dealing with the serious part of the problem, right? With the identities and dealing with data aspects of it. It's not as fast as I would like it to be, right? Because they still need to get in and understand it. And then it's different if you're AWS environment versus other environments, right? We have to normalize all of that and bring it together. And it's such a new space that they all want to see it first, right? So. And the consequences are pretty big. They're huge, right? So, I mean, the scenario here is we're still doing, in some cases we'll do workshops instead of a POV or a POC. 90% of the time that we're still doing a POV, right? So they can see what it is. They got to get their hands on it. This is one of those things that got to see in action. What is the best of breed? If you had to say best of breed and identity looks like blank. How would you describe that from a customer's perspective? What do they need the most? Is it robustness? What's some of the things that you guys see as differentiators for having best of breed solution like you guys have? Best of breed solution. I mean, for us. Or a relevant solution for that matter. Yeah, I mean, for us, again, this identity issue, it's for us it's depth and it's continuous monitoring, right? Because the issue in the cloud is that there are new privileges that come out every single day like to the tune of like 35,000 a year. So even if at this exact moment, it's fine. It's not going to be in another moment, right? So having that continuous monitoring in there and it solves this issue that we hear from a lot of customers also around lateral movement, right? Because like a piece of compute can be on and off within a few seconds, right? So you can't use any of the old traditional things anymore. So to me, it's the continuous monitoring. I think that's important. I think that and the lateral movement piece that you guys have is what I hear the most of the biggest fears. Someone gets in here and can move around. And that's dangerous. And no traditional tools will see it, right? There's nothing in there unless you're instrumented down to that level, which is what we do. You're not going to see it. I mean, when someone has a firewall or perimeter based system, yeah, I'm in the castle. I'm moving around, but that's not the case here. This is built for full observability, yet there's so many vulnerabilities. Yeah, and our view too is, I mean, you bring up vulnerabilities, right? It is a little bit of a darling, right? People start there and our belief in our view is that, okay, that's nice, but you do have to do that. You have to be able to see everything, right? To be able to operationalize it. But if you're not dealing with the sensitive data pieces, right? And the identities and stuff that's at the core of what you're trying to do, then you're not going to solve the problem. Yeah, Denise, I want to ask you, because you make what was this five to one was the machine to humans? I think that's actually might be low on the low end. If you can imagine, if you believe that's true, I believe that's true by the way. If microservices continues to be the way. Which it will, it's going to be much bigger, turning on and off. So the lateral movement opportunities are going to be greater. That's going to be a bigger factor. Okay, so how do I protect myself? Now, because developer productivity is also important. Because I've heard story horror stories like, yeah, my devs are cranking away. Uh-oh, something's out there. We don't know about it. Everyone has to stop, have a meeting. They get pulled off their task. It's kind of not agile. Right, right. I mean. Yeah, and in that vein, right? We have built the product around what we call swim lanes. So the whole idea is we're prioritizing based on actual impact and context. So if it's a sandbox, probably doesn't matter as much as if it's like operational code that's out there where customers are accessing it, right? Or it's accessing sensitive data. So we look at it from a swim lane perspective when we try to get whoever needs to solve it back to the person that is responsible for it. So we can set it up that way. I think that's key insight into operationalizing this. And remediation is key. Yes. How much, how important is the timing of that? When you talk to your customer, I mean, time is obviously going to be longer, but like seeing it's one thing, knowing what to do is another. Yep. Do you guys provide that? Is that some of the insights you guys provide? We do. It's almost like you know us. And again, there's context that's involved there, right? So some remediation from a priority perspective, doesn't have to be immediate. And some of it is hair on fire, right? So we provide actually a recommendation per each of those situations. And in some cases we can auto-remediate, right? It depends on what the customer's comfortable with, right? But when I talk to customers about what is their favorite part of what we do, it is the auto-remediation. You know, one of the things on the keynote is not to go off tangent with one second here, but Kurt, who runs platforms at AWS, went on his little baby project he really loves, was this automated automatic reasoning feature, which is essentially advanced machine learning that can connect the dots. Not just predict stuff, but like actually say this doesn't belong here. That's advanced computer science. That's heavy-duty coolness. So operationalizing that way, the way you're seeing it, I'm imagining there's some future stuff coming around the corner. Can you share how you guys work with AWS specifically? Is it with Amazon? You guys have your own secret sauce? For the folks watching, because this remediation should, so long as it's harder. You have to be smarter on your end if you're engineers. What's coming next? Oh gosh, I don't know how much of what's coming next I can share with you, but for tighter and tighter integrations with AWS, right? I've been at three meetings already today where we're talking about different AWS services and how we can be more tightly integrated, and what's things we want out of their APIs to be able to further enhance what we can offer to our customers. So there's a lot of those discussions happening right now. What's some of those conversations like? I mean they have to do with privilege information. I don't mean like privileged information, I mean like privileges that are out there. What you can access, what you can't. What you can, yes. And who and what can access it and what can't. And passing that information on to us, right? To be able to further remediate it for an AWS customer, that's one. Things like other AWS services like CloudTrail and some of the other scenarios that they're talking about. We're getting deeper and deeper and deeper with the AWS services. It's almost as if Amazon over the past two years in particular has been really tightly integrating as a strategy to enable their partners like you guys to be successful. Not trying to landcrab. Is that true, do you get that vibe? I definitely get that vibe, right? Yesterday we spent all day in a partnership meeting where they were talking about and rolling out new services. I mean they are in it to win it with their ecosystem, not just themselves. All right, Denise, great to have you on theCUBE here as part of Reinforce. I'll give you the last minute or so to give a plug for the company. You guys hiring, what are you guys looking for? The potential customers that are watching? Why should they buy you? Why are you winning? Give the pitch. Absolutely, so yes, we are hiring. We're always hiring, I think, right in this startup world. We're growing and we're looking for talent probably in every area right now. I know I'm looking for talent on the sales side. And again, I think the important thing about us is the fullness of our solution, but the superpower that we have like I said before around the identity and the data pieces, and this is becoming more and more the reality for customers that they're understanding that that is the most important thing to do. And I mean if they're that, Gardner says it, Forrester says it, like we are one of the best choices for that. Yeah, and you guys have been doing good. We've been following you. Thanks for coming on. And congratulations on your success. And we'll see you at the AWS startup showcase in late August. Check out Sunray Systems at the AWS startup showcase in late August. Here at theCUBE live in Boston, getting all the coverage from the Kinos to the experts to the ecosystem here on theCUBE. I'm John Forre, your host. Thanks for watching.