Okay, we're back in Boston covering AWS re:Invent 2022. This is our second live re:Invent. We've done the other ones in between as digital. My name is Dave Vellante and you're watching theCUBE. Peter McKay is here, he's the CEO of Snyk and Adi Sharabani is the Chief Technical Officer. Guys, great to see you again. Awesome being here in Boston, in Boston in July. It is. Peter, you can't be here. It's good weather, yeah. Red Sox on good, but everything else is okay. Sox are ruining our summer, you know? They're still in the playoff, a daunt. You know, all you got to do is make it in. Yes, right? And then it's a new season. Simple. Kind of like hockey, but you know, I'm worried they're going to be selling at the trading deadline. Yeah, I think they should be. I think it's not looking good. You usually have a good angle on this stuff, but well, hey, we'll see. We'll go, I got a lot of tickets, we'll go and see the Yankees, at least we'll see a winning team. Anyway, we last talked after your fundraising. Yeah. Big round at your event last night, a lot of buzz. It was a lot of fun. The largest event I saw around here. A lot of good customers there. It was a great time. So what's new? Give us the update. You guys have made some acquisitions since then. Integration, we're going to talk a little bit. Yeah, it's been a lot has happened. So the business itself has done extremely well. We've been growing at 170% year over year, 100% growth in our number of customers added. We've done six acquisitions. So now we have five products that we've added to the mix. We've tripled the size of the company. Now we're at 1,300 people in the organization. So quite a bit in a very short period of time. Well, and of course, in my intro, I said re:Invent. I'm getting ahead of myself. We'll be at re:Inforce in November. That's the next one. At re:Inforce. We've done a lot of re:Invents, by the way. There's a lot of reinvention here. So of course, you're reinventing security. 
So I try to think about when I go to these events, like what's the takeaway? What's the epiphany? We're really seeing the developer security momentum. And it's a challenge. They've got to worry about containers. They've got to worry about runtime. They've got to worry about platform. You guys are attacking that problem. Maybe describe that a little bit further. Yeah, I mean, for years, it was always after the fact, production, fixing security in runtime, and billions and billions of dollars spent in fixing after the fact, right? And so the realization early on with Snyk was you've got to fix these issues earlier and earlier. We started with open source, was the first product that waited six years ago. Then we added container security, and we added infrastructure as code. We added code security. We added, most recently, cloud security with the Fugue acquisition. So one platform, one view that a developer can look at to fix all the issues from the beginning, all the way through the software development life cycle. So we call it developer security. So allowing developers to develop fast but stay secure at the same time. So I like the fact that you're using some of your capital to do acquisitions. Now, a lot of M&A is, okay, we're going to buy this company, we're going to leave them alone. You guys chose to integrate them. Maybe describe what that process was like, why you chose that, how hard it was, how long it took, take us through that. Yeah, I'll give two examples, maybe. One on Snyk Code, which was an acquisition of a company that was focused on code analysis, actually not for security. And we have identified the merits of what we need in terms of that first security solution. Not an ability to take a security product and put it in the hands of the developer but rather build something that will build into the dev motion. Which means very fast, very accurate, things that you can rely on source and not just on the build code and so on. 
We have built that into the platform and by that our customers can gain all of their code related issues together with all of their IaC related issues, together with all of the container issues in one platform that they can prioritize accordingly. Okay, so talk more about the cloud. The Fugue cloud, the Snyk Cloud, right? So the Fugue name goes away, I presume, right? Yes it does. So retire that and bring it in. The brand is Snyk, right? So talk about the cloud, what it does, what process it's solving. Awesome, and this goes exactly the same as we mentioned on the code. We have looked at the cloud security solutions for a while now and what we loved about the Fugue team is that they were building their product with their first approach, okay? So the notion is as follows, as you're a CISO, you have your program, you're looking, you have different types of controls and capabilities and your team is constantly looking for threats. When we are monitoring your cloud environment we can detect problems like your S3 bucket is not exposing the right permissions and is exposing the world or things like that. But from a security perspective, it might be okay to stop there. But if you're looking at an operation perspective you need to know who needs to fix, how do they need to fix it, where do they need to fix it? What will be the impact if they would fix it? So what we're actually doing is we are connecting all the dots of the platform. So on one end you know the actual resources that are running and what's the implication in the actual deployed environment. On the other end, we get correlation back to the actual code that generates that. And then I can give that context both to the security person, the context of how it affects the application. But more importantly, the context for the developer is required to fix the problem. What's the context of the cloud? And a lot of things are being exposed this way and we can talk about that. 
So this is really interesting because, and I love AWS to do an amazing job. One of the other things I really like about them is it seems like they're not trying to go hard and monetize their security products. They're leaving that to the ecosystem, which I like. Microsoft taking a little different approach, right? They're making a ton of money on security. But this example you're giving Adi about the S3 bucket. So we heard in the keynotes yesterday about reasoning, AI reasoning. They said, we can say, is this S3 bucket exposed to the public? They could do that with math, right? But what I'm inferring is you don't stop there. There's a lot of other stuff that has to. And sometimes it's not as simple as just as a configuration change. Sometimes the correlation between what your application is doing affects what is the resulted experience of their own user or in this case, the attacker, right? I mean like the application has access. Who has access to the application? Is this the same? Yeah, so this propagates. You have to have a solution that looks both that have a very good understanding of the application context, a very good understanding of what we refer to as the application graph, like understanding how it works, being able to analyze that and apply the same policies both at development time as well as runtime. So there's human to app. There's also machine to machine. Can you guys help with that problem as well? Or is that a sort of a futures thing? Could you, I'm not sure I understand what is. Machines talking to machines, right? I mean, there's data flowing between those machines, right? It's not just the humans interacting with the application. Is that a trend that you see? And is that something that you guys can solve? So at the end of the day, there is a lot of automation that happens both by humans for good reasons as well as by humans for bad reasons, right? 
And the notion is that we are really trying to focus on what matters to the developer as they're trying to improve their business around that. So both improves, making sure they know quality problems or things of this kind. But as part of that, more importantly, when we're looking at security as a quality problem, making sure that we have a flow in the development life cycle that streamline what the developer is expecting to do as they are building the solution. And if every single point, whether it's the IDE, whether it's the change management, whether it's the actual build, whether it's the deployed instance on the cloud, making sure that we identify all that and connect that back to the code. Okay, so if there's machine automation coming in that shouldn't be there, you can sort of identify that and then notify, remediate, or whatever action should be taken. Identify, identify, remediate. Yeah, we really focus on making sure that we help developers build better products. So our core focus is identify areas where the product is not built way, in a good way, and then suggest the corrective action that is required to make that happen. I think part of this is just the speed of software development today. I mean, you look at developers constantly and just look at Snyk. You're trying to get so much more productivity out of the developers that you have. Every company is trying to get more productivity out of developers. Incredible innovation, incredible pace, get those out, get as a competitive advantage. And so what we're trying to do is we make it easier for developers to go fast, innovate, but also do it securely and embed it without slowing them down. Develop fast, stay secure. So again, I love AWS, love what they're doing. We heard yesterday from CJ, I think a lot of talk about threat detection and some talk about DevOps, et cetera, but I didn't hear a lot about how to reduce the complexity for the CISO. 
And the reason I bring this up is, it feels like the cloud is now the first level of defense. And the CISO is becoming the next level, which is on the developer. So the developer is becoming responsible for security. The whole shift left, maybe shield right, but the shift left is becoming critical. Seems like your role, and maybe others in the ecosystem is to address my concern about simplifying the life of the CISO. Is that a reasonable way to think about it? I think it's changing the role of the CISO. How so? Really, I think it's before in the security organization, and Adi, you should chime in here, is it used to be I owned all application security, I owned the whole thing, and they couldn't keep up. Like I think it's just, every security organization is totally overwhelmed. And so they have to share the responsibility. They have to get that, fix the issues earlier and earlier because it's waiting too long, it's after the fact. And then you got to throw this over the fence and developers have to fix it. So they've got to find a new way because they're the bottleneck. They're slowing down the company from innovating and bringing these applications to market. So we're the kind of this bridge between the security teams that want to make sure that we're staying secure and the development organizations and engineering and CEOs go fast. We need you guys to go faster and faster. So we tend to be the bridge between the two. One of the things I really love happening these days is that we change the culture of the organization from a culture where the CISO is trying to push and enforce and dictate the policy which they should, but they really want to see the development teams pick up. Like the whole motion of DevOps is that we are empowering them to make the decisions that are right for the business, right? And then there is a gap because on one end, the CISO is like, you need to do this, you need to do this, you need to do that. 
And the dev teams don't understand how that impacts their business good enough and they don't have the tools and the ability to address those problems. So with a solution like Snyk, we really empower the developers to bake security as part of their cycle, which is what was done in many other fields, quality, other things, IT, everything moves into development already, right? So we're doing that and the entire discussion now changes into an enablement discussion. So, interesting, because you said the role of the CISO is changing, I see that in a way, like pre-Snyk, the CISO with the cloud is becoming a compliance officer. Like you do this, you do this, you do this, you do this. You're- And you don't want to take responsibility to direct it to the cloud? Yeah, right, right. So you're flipping that equation, saying, hey, we're going to actually make this an accelerant to your business. So set the policy, determine compliance, but make sure that the teams, the developers are building applications in compliance with your policy, right? So make sure and don't allow them to do something if they're doing, if they're developing an application with a number of vulnerabilities, you can stop that from happening. So you can oversee it, but you don't have to be the one who owns it all the way through from beginning to end. Or get it before it's deployed, so you don't have to go back after the fact and remediate it with, you know. But think about deploy. They're deploying apps today. I mean, they're updating by the hour, where six years ago, five years ago, two years ago was every six to nine months, right? So the pace of this innovation from developers is so fast that the old way of doing security can't keep up. Like they're built for six month release cycles. This is six hour release cycles. And so we had to, it has to change. Security can't stay the way it is. So what we've been doing for seven years for application security is exactly what we're doing for cloud security. 
Is moving all that earlier. All these products that we've been building over the years is really taking these afterthought security components and bringing them all earlier. You know, bringing everything. Like cloud security is done after the fact. Now we can take those issues and bring them right to the developers who created that and can fix the issues. So it's code to cloud back to code in a very automated fashion so it doesn't slow developers down. Okay, so what's the experience, we all know there's, everybody has more than one cloud. What's the experience across clouds? Can you create a consistent continuous experience? Cloud agnostic. Cloud agnostics, development environment agnostic, you know, language agnostic. So that's kind of the beauty of Snyk where you have maybe other certain tools for certain clouds or certain languages or certain development environments. But you have to learn different tools, you know? And they all roll up to security in a different way. And so what we have done is consolidated all that spend for open source security, container security, infrastructure. Now cloud security, all that spend and all that fragmentation all into one platform. So it's one company that brings all those pieces together. So it's a single continuous experience. The developer experience you're saying is identical. Yes, actually one product. It's entitlement that we are getting. Yes. So you're hiding the underlying complexities of the respective clouds and those primitives. Developer doesn't have to worry about them. I call that a super cloud. Super cloud, here you go. Okay, but essentially that's what you're building. You're building on, as Ed Walsh would say, on the shoulders of giants. Exactly. You know, you don't have to worry about the hyperscale infrastructure, right? You're building a layer of value on top of that. Is that essentially a PaaS layer? Can I think of it that way or is it a platform? 
I would say that at the end of the day, the way developers want to use a security tool is the same. So we expose our functionality to them in those ways. If you're using one Git repository or another, if you're using one cloud, we are agnostic to that. It doesn't really affect us in that matter. I want to add another thing about the experience and associate with the consolidation that Peter referred to earlier. When you have a motion that automatically assess you know, our problems that the developer is putting as part of the change management as example, you do creating pull requests. Now adding more capabilities into that motion is easy. So from enablement of the team, you can add another functionality, add cloud, add IaC, add code and so on, like that. Because you already made the decisions on how you are looking at that and how you integrated that into your developer workflows. Right, so it's already integrated for open source. Adding container and IaC is real easy. It's all, you've already done all the integrations. And so for us going to five products and eventually six, seven, eight, all based on the integrations that you already have in the same workflows that developers have become accustomed to. And that reduces a lot of work from the company perspective, right? I can ask you about another sort of trend we're seeing where you see Goldman Sachs last re:Invent announced a cloud product essentially, bringing their data, their tools, their software. They're going to run it on AWS. At the Snowflake Summit, Capital One announced a service running on Snowflake, Oracle by Cerner, right? You know they're going to be doing something on OCI, Larry's going to of course make them do that. It's a spin on Andreessen's, every company's a software company. It's like every company's now becoming digital, a software company, building their own SaaS and essentially building their own clouds or maybe someday they'll be super clouds. 
Are you seeing industry come to Snyk and say, hey, help us build products that we can monetize? There's companies, so first off, I think that kind of the first iteration is, you know, all these industries are becoming software driven like you said and more software is more software risk. And so that kind of led us down this journey of now financial services, you know, tech, you know, media and entertainment, financial services, healthcare. Now it's this long tail of low tech. Within those companies, they are offering services to the other parts of the organization. We have- So far mostly internal. Mostly internal other than the global SIs and some of the companies who do that for a living. You know, they build the apps for companies and they are offering a Snyk service. So before I give you these, I update these applications, I'm going to make sure I'm running, I'm Snykifying those applications to make sure that they're secure before you get them. And so that, now a company like a Capital One coming to us saying, I want to offer this to others, I think that's a leap because, you know, companies are taking on security of someone else's and I think that's not there yet. Maybe you think it'll happen. We do have the threat intel that we have a very strong security group that constantly monitors and analyzing the threats and we create this vulnerability database. So in open source as an example, we're the de facto standard in the field. So many of our partners are utilizing the threat intel feed of Snyk as part of their offering, okay? If you go to Docker as an example, you can scan with Snyk intelligence immediately out of the gate over there, right? And Tenable, Rapid7, Trend Micro, they all use the vulnerability database as well. 
So a lot of financial institutions use it because they did have seven, 10 people doing security research on their own and now they can say, well, I don't have to have those seven, I've got the industry standard for vulnerability database from Snyk. And they don't have to throw out their existing tool sets where they have skills. Yes, exactly. All right, Peter, bring us home, give us the bumper sticker, summarize, re:Inforce and what we can expect going forward. Yeah, I know. I mean, we're going to continue the pace. We don't see anything slowing us down in terms of just a number of customers that are shifting left. Everybody's talking about, hey, I need to embed this earlier and earlier. And I think what they're finding is this need to reinnovate, like get innovation back into their business. And a lot of it had to slow down because we can't let developers develop an app without it going through security and that takes time, it slows you down and allows you not to slow the pace of innovation. And so for us, it's, it helped developers go fast, innovate incredibly quickly, aggressively, creatively, but do it in a secure way. And I think that balance, making sure that they're doing what they're doing, they're increasing developer productivity, increasing the amount of innovation that developers are trying to do, but you've got to do it securely. And that's where we complement really what every CEO is pushing companies. I need more productivity. I need more aggressive creativity, innovation, but you better be secure at the same time. And that's what we bring together for our customers. And you better do that without slowing us down. Don't slow us down. That's the trade-off that you said it made. Guys, thanks so much for coming to theCUBE. Thanks, David. It's always great to see you again. Thanks, David. I appreciate it. All right, keep it right there. The coverage of re:Inforce 2022 from Boston. We'll be right back right after this short break.