 Welcome back to Moscone West, everybody watching theCUBE's coverage of RSA 2023. RSA is back and it's big, it's back to pre-pandemic levels. Brendan Hannigan is here, he's the CEO and co-founder of Sonrai Security. Good to see you again. Thanks for coming to theCUBE. It's been nice to meet you, Dave. We're delighted to see you. Tell me, I always like to ask, I said good to see you again. You've been on theCUBE before, I've not interviewed you, but I always like to ask founders and co-founders, why did you start the company? Take us back to the beginning. The beginning thought about it is, essentially, the way we build technology has totally changed from the way we've done it in the past. And that's been going on for many years, driven by a lot of the cloud providers. And we realized two things. One, we have to transform how we're securing. It's going to be totally different, it has to be. So that's one reason. And the second reason is, you know, we've worked hard to build security for enterprises through the years. There's many innovations that have happened. And people always ask me, what's the next big innovation in security to really change the game for customers? And I keep telling them, it's the cloud. If you do an amazing job in the cloud, you can deliver a level of security far superior to anything you could do in Enterprise Network and Data Center. And our approach to helping customers is to achieve that objective. You know, it's interesting. So with the very first reinforce that I went to, Stephen Schmidt at the time was the CSO of AWS. He's now, of course, the chief security officer, I guess. He was a CSO of AWS. Now he's the CSO of Amazon. Hey, right. He said at the time, the state of cloud security is actually really good. And this vendor narrative that says, you know, everything is scary and bad is not helpful for the industry. And I said, okay, that's a different perspective. At the end of the day, though, it's still really complex. So what is the state of cloud security? Is it, what's end of the spectrum? Is it on? In the end of the spectrum, the great thing is, the art of the possible is amazing with the cloud. And so Steve is right. And by the way, we build our platform in AWS. We're an amazing partner and AWS is an amazing partner to us. And so we work very closely with AWS. But when you're a company and we actually focus, Dave, on larger enterprises. So there's always a segmentation in the marketplace. And think of my own company. We've got a single team. We're very focused on one app. And so it's very integrated between the development and running cloud. Think now you go to a big enterprise. They have hundreds and hundreds of cloud accounts. Some of our customers have thousands and thousands of cloud accounts. Dave, hundreds of teams using those cloud accounts. The art is, as time goes on, a lot of complexity gets built in as to how companies are using that cloud. The scale of it gets very complicated. And so the scale, the flexibility leads to complexity from a security perspective. So the reality is, for many companies, this gets very complex very quickly. And the other thing is right now, the industry, the whole security industry is orienting towards cloud. And quite honestly, the security industry is confusing the living daylights out of our customers. And that is something we really got to work on to help customers. So I think customers have a scale problem and a complexity problem. And then we, as an industry, are confusing the living daylights out of them. Okay, so cut through that confusion. Where should people be thinking about, how should people be thinking about cloud security and help us take the confusion away? What are those confusion elements and what should we be focused on? So I think about it this way, which is there's this concept within the industry called CNAP, which is a broad-based platform with many different things into it. And of course, that makes sense for a class of customers. So customers have to know where they are in this journey. Some customers are at the early stages. They can use broad-based solutions that do a little bit of everything. But as you grow up in scale, you actually need specialized capabilities in certain areas. So for example, in the cloud, the risks are different than in a traditional environment. And two of the key risks that exist. We say this all the time. Vulnerability management and detection and basic configuration settings is important. It's like keeping your house clean. It's just not enough. The risk is underneath the covers of cloud. And it's all about how the compute and the resources in the cloud can interconnect. So we focus on helping our customers with identity access permissions. Understanding what are the risks in terms of how they've set that up, helping our customers eliminate it and make sure they never come back again. Okay, that's helpful. So the complexity is you've got thousands of cloud accounts, hundreds of teams. They've all, none of them are using the same exact best practice. We know that. They're doing things. I always say a lot of these problems are self-inflicted. They are. But it's because we're moving so fast. But okay, so how do you specifically solve the problem? Well firstly actually, as we talk about the confusion that customers can have and the complexity of it. The industry is speaking about cloud like it's an amorphous blob. There's a cloud and we need to solve cloud security with a single product and it's not right. So we actually segment. We actually focus on large enterprises and we say large enterprises have unique challenges of scale and complexity. And one of the biggest challenges of scale and complexity they have are the rights, permissions, and identities and what they can access in the cloud, who can access critical resources and who can escalate to get privilege and do damage in that cloud. I'll give you an example of scale Dave. It's not unusual for our customers to have hundreds and hundreds and hundreds of thousands of roles in AWS or service accounts. Human beings can't manage that. We know that. The analytics to understand that is enormous in terms of what we have to do. And what do we do for our customers? We graph every way any entity can get access to a resource in their cloud. We graph every way an entity, a piece of computer serverless function can get access to a privilege. And then we run analytics to solve a problem for a customer. How can we eliminate a risk that's just extremely concerning? In other words, a developer getting access into production, an obvious way for an attacker to laterally move through to cloud, helping with an audit. So auditors are getting smarter about cloud. The auditor walks in and says, hey, we're having a look at the cloud. Tell me how you're controlling access to resources. And our current many, many, many companies now because of the scale of what's happened, it's a hard question to answer. We answer the question for every resource. We can tell every single thing that can access anything in all the clouds actually. So for example, an individual might have access to so many more resources than he or she should have access to. It's using. And that's very common. Exactly. And the reason, explain why that's a problem. I mean, it's pretty obvious, but somebody gets in, then they have access to a much wider blast radius than they would normally. So this is actually the risk that we run if we focus on the edge and vulnerabilities and watching external threats. We all know at any point in time, there could be a zero day vulnerability or you don't can't possibly have them all remediated. And so somebody gets in. Now, we think of it as being an attacker, but within the cloud, we all know the infrastructure is created automatically. It's created during build processes. So now the entity that gets into person has the ability to create a piece of compute. Now, what can it do when it's in there? We have to answer that question. And it's a really hard question to answer, but yet it's fundamentally important because we don't have a data center anymore. We can't just surround it with a firewall. The data is entirely separated from the compute and you have to be able to answer the question. When that serverless function is active, what can it access for that 60 seconds? That's a critical question to answer because that's exactly what a hacker will do. They go in, they move around, they grow in terms of their privilege and then they basically get access to something that actually is important. And now they could actually, if they have the right rights, they could create a piece of compute and extract it. All of that is possible, all of it happens. And it's hidden in the complexity of these big, large environments. Okay, so we love the analogies of superheroes on theCUBE when we're talking about security, you know, what is it, the Incredibles, right? Each of them has a superpower. What would you say is sunrise superpower? Our superpower is all around identity access and permissions underneath the cover. And basically saying with a certainty, we can answer the question, what can this entity do? Where can it get privilege? And how can it access for all of the cloud providers? That's a superpower. On top of that, the value we're delivering is amazing audits, incredible way to understand what attackers can do if they're in your cloud and then continuously monitor if any changes. Under the covers, Dave, we have this amazing technology. What it's doing is actually, a lot of people now talk about graphs because graphs are a really important technology. We're actually loading up every possible permission entitlement in AWS. We're graphing every way any entity can get to that entitlement. And we're able to do it at a scale where our customers, we've got customers with 4,000 cloud accounts. We've got customers with hundreds and hundreds and hundreds of thousands of service accounts and roles in their environment. So it's scale. It's immense understanding of access, identity and privilege in these environments. And it's the orchestration to do that for large enterprises. So we're talking about graph. You're talking about graph database? Or is that something that you've built? Or is it visualization capability? Underneath the covers, we've built a way to actually aggregate all the ways in which things can interconnect into cloud and answer, it's kind of a complicated way to answer a simple question. What can that thing do? Who can access my critical data? And is that creating risk for my business? So is it, I think of it as a purpose-built database? It is a purpose-built database. It's a graph database. It's a graph database. Okay, so it's expressive. It's extremely expressive. It's all, actually, our entire platform can, we've a beautiful UI on our platform, but it can be entirely interrogated through GraphQL. So it's truly a... Explain that. Because the knock on graph databases in commercial worlds is you don't have, you have the expressiveness, but you don't have the elegance of a query elegance of relational. Absolutely. So it sounds like you've solved that problem? Super, we have, actually. So we basically, what we do, and this is one of the challenges with sort of an off-the-shelf, oh, we're just going to create things and stick them in a graph, that's, we actually have to build custom stores, customs ways of interconnecting. And then we have custom analytics to answer really hard questions. How, like if we take AWS, how do all the various different permissions models affect how things are interconnected in this graph? So we build these analytics, and now we use GraphQL as an API into it where you can go and execute the analytics against a graph. So what it's doing is it's like, you can go in and get an individual node or an individual vector with an integraph, or you can actually go in and execute one of our analytics and get the answer out. So it's super flexible. And of course, in the world of cloud, in the world of automation, we have some customers who initially want to see, and then customers want to automate. You can't, you've got to be able to bring on thousands of cloud accounts and automate that process, and that's what we do a great job at. Is there reticence initially to automate, and how do they sort of get, how do you get customers through that reticence if it exists? We actually, so it's governance, it's escalation paths, it's certification paths, it's involving humans where they want to be involved. There's some things actually which are easy to automate, and there's other things where absolutely it requires human intervention. And we basically tell customers, here's the flavors of what's possible, and you get to choose based on what you want to do, based on your comfortable now. Many customers, as they should be, initially are reticent, they should only do it on basic things. But after a while, so for example, I'll give you one simple example, we will actually, if we have a finding and we execute a policy and it's extremely concerning, we will escalate it and say, okay, we're escalating it to this team, if they don't resolve it in seven days, we'll escalate it to a bot. That's pretty decent. You got time to fix it, it's a bad situation. After that, we've automated and it's going to remove. It's going to be a cloud janitor basically. That's a good process. You know, I don't know where I saw this, a bit of your website or, I don't know, but it was called Cloud Security Posture Management and that's inadequate, is your philosophy. What is it and why is that inadequate? So this is the acronym soup, which the security industry always does this. And it's basically, for now in cloud, it's getting challenging. Cloud Security Posture Management really is representative of an important function which is are the base settings of how I've set up the cloud platform correctly? For example, have I got MFA enabled? So that's a simple question, we should answer that question and there's lots of ways to do that. We have an amazing way to do it, but it's insufficient, why is it insufficient? Same with just vulnerability scanning, making sure there's no log for JSON, my cloud, it's very important, totally insufficient. When somebody, how do we segment and control access and movement within a cloud? It's using the identity and access management systems of each of the cloud providers. There are 40,000 unique permissions possible across three cloud providers. So, no amount of CSPM, no amount of vulnerability work will guarantee nobody will get into your cloud. And once they get in, if you have not constrained the risk of identity, access, permission, when they get in, you're going to be in big trouble and that's how you've set it up. So it's totally insufficient. We have to do the hard work to say, what are the assets that are important to me? What can access it? Is it appropriate? Now monitor to make sure it stays the way I want it. If something changes, I get an alarm. That's what we talk about. It's security from the inside out. The great thing about it Dave is it's something that customers have, it's work, but they've great control over this. They've no control over all the millions of things trying to attack us all the time. One thing they do have control over, that's my critical data. Who can access it? More importantly in cloud, what can access it? The serverless functions, the containers, the ephemeral compute. Is it appropriate? Am I monitoring for changes? That's our superpower. And we believe that's the magic of cloud. That's what allows us to deliver a level of security in cloud that's much better in the data center. CSPM, vulnerability management, important. But if that's all you do, you're going to be no better than having your existing, challenging cybersecurity situation that we have with existing enterprise networks and data centers. The magic of cloud is we can get granular to team, to workload, to data and put immense control over. And that's the superpower. They don't lift and shift your security posture. Actually go beyond and leverage the cloud is what you're saying. The pillars of security in the past are things like firewalls and security operation centers. The pillars of security in the future have I set up the cloud platform correctly? Identity, data, and then of course the workload. People are underestimating the importance of identity and data. They are the critical pillars for cloud security in this world. And that's what gets you to an amazing place in terms of security. You can do this across any cloud. Is that right? Yes, and this has been a labor of love and it takes a long time because each of the cloud providers have built these amazingly flexible systems to allow DevOps teams to innovate quickly, leverage and build microservices applications. And that power is built into the identity and access management system of each cloud. I'll re-emphasize the statistic. 40,000 permissions across three different cloud providers with 20 being added every day. My company, we understand every one of those permissions. We change our analytics every day to reflect the new permissions and we're running our analytics for our biggest customers all the time to say, oh, something's changed and new path has been opened up that you don't expect into your data. That's our superpower. And the experience of using your solution irrespective of the cloud that I'm on is identical. Is that right? Sort of hiding all that underlying complexity of the cloud? Actually, this is your, you ask really good questions because actually the reality is we have to do both. And I'll tell you why. So when we're working with our customers, right, there's uniquenesses of each platform. And so obviously we have to understand that. But we actually have this orchestration platform where sometimes we're sending the findings and the remediations to teams who may only know AWS, for example. So we have to, when we're speaking to that team, we got to speak AWS. We've learned this actually. If we boil out, I call it boiling out the vitamins. If we boil out the vitamins too much, they go, I am not sure what to do with this. So we got to speak that language and we do for each cloud provider. But then now actually as a company, by the way, this is the big difference between a small SaaS company who's going to buy this Uber single thing versus a big enterprise. When I get to a big enterprise, I can't have my security program baked in three, four different ways. I have to have some way of saying these are the controls that are important to my business. And we let them do that. So we can do things like separation of duties. We can do things like privilege escalation. And it turns into each of the cloud providers, language and rules. And then when we send the notifications to those experts, it actually looks like it's just AWS or it's just some other cloud provider. Okay, so you basically have an abstraction layer that speaks your common language. We do. And then you allow the sort of drill down to speak AWS or Azure or GCP. And when we started out first, we thought we're just going to build this great abstraction layer and then we learned very quickly. And now I need to hear specifics about AWS and what's wrong, which of course is correct. It was the good feedback for our customers. And so we go both ways. I got to ask you, what are you seeing in cloud demand? It's really interesting. We watch very closely the cloud consumption, the demand you're seeing. You saw Azure growth slow down, still really good. I mean, I had it at 30%. I think it came in at 31% constant currency. Google, GCP, a little softer. People saying Amazon might come in. I got them at 15%. Still significantly higher than the on-prem world. I've also heard some people forecast next quarter, AWS maybe as low as 10%, but I've heard that being really proactive about going out to their customers, locking in longer-term deals, playing the long game. What's your outlook for cloud, cloud demand? Is it sort of, you hear repatriation all the time? I've written about the repatriation myth. I just don't see it in the numbers, but what are you seeing in the front lines? Of course, so again, this is like, I haven't seen the, I don't have the intricate data, but I will tell you, here's my viewpoint. Yeah, yeah, just sort of anecdotal, right? Of course there's going to be an impact. If you look at, one of the big impacts that's happened actually is the funding environment for startups has actually changed dramatically in the last two years, right? And so startups themselves are spending less money. And so a lot of SaaS companies are going to be spending less on cloud. That's just normal. I mean that, of course they are, and that has to impact the cloud providers. It's just a blip on a journey, which is 100%. There's nothing going to stop this. And actually Dave, this note that the repatriation notice is just another blip, and I'll tell you why. It's not, and you know this, and you, in the end, we don't go to cloud because I used to have a server here and I'm putting a server there. We go there for innovation. I have built things in my solution and in my, our platform, I shouldn't say mine, our platform, our team built this amazing platform with magical capabilities that are available in cloud. We wouldn't innovate at this rate if I wasn't building it in cloud. It's not about, oh my God, I'm plugging a server in. We all know that. There's nothing can stop that. And if you're a big enterprise in particular and you want innovation in your IT department, it's only happening in cloud. Like nobody's like innovating in, let me build the next version of on-prem software for a data center. So you're never going to get new innovation. So anything that happens this year is a blip. This is unstoppable, and it's great for security. We have a lot of work to do to make it great because if it's done poorly, it is extremely concerning, but when done well, it is amazing. And that's actually, that's what we have to do for our customers. So speaking of venture capital and the like, I mean you guys, I think you're a series C company. Is that correct? Raise a fair amount of money, not quite a hundred million, but is that right? Yeah, no, we have actually raised $88 million. Yeah, okay, 80 something, right? Okay, are you sort of in growth mode? You know, there's a whole narrative about growth capital is now hard to get. Where are you guys? Are you? We are actually super, so we're absolutely in growth mode, but we're actually also in a mode where we grow based on how the business is going. You know what I mean? We're not trying to, the problem we're solving is a problem which is for sophisticated customers at the high end of the marketplace. That's where my company focuses. All of our deals are many hundreds of thousands of dollars. So when we close with a customer, it's typically many hundreds of thousands of dollars. It's some of the biggest companies in the world. So we basically are super happy at our growth. We've got enough capital to grow and we're not trying to be all things to all companies, we're just not. We think it's too hard. We're going to focus on these amazing solutions for amazing brands in the world. Typically ones which have these big complex clouds, many teams using those clouds and they've bought a technology problem and they have an orchestration problem and we help them with that problem. That's it. It's chaotic and I always say chaos is cash for criminals and the technology company that can get it right, Brendan. So thanks very much for coming on theCUBE. I really appreciate it. Thank you so much for having us. All right, thank you for watching. Keep it right there, John Furrier and I will be back with RSA 2023. You're watching theCUBE from Moscone West in San Francisco.