Hi everybody, we're back, day two of Fal.Con 2022. We're live from the Aria in Las Vegas. SiliconANGLE's theCUBE, my name is Dave Vellante and Rob Picard is here. He's the security lead for Vanta, a company that CrowdStrike just made an investment in. Rob, thanks for coming to theCUBE. Thank you very much, happy to be here. So that's big news, you got a big name like CrowdStrike, strategic investment. Tell us about that. Yeah, it's very exciting because CrowdStrike obviously is a major name in the security space and Vanta is really leading the way in a lot of the compliance automation, but being able to sort of dip into that security space more and more, having CrowdStrike behind us is huge. What is compliance automation? Tell us more about what Vanta does. Yeah, so Vanta ultimately is a tool that gives you an automatic way to prepare for your SOC 2 audit or your ISO 27001 audit or insert long list of dozens of standards we're working on here. But in the olden days, you would provide a thousand screenshots to an auditor that proves that for the past year, past six months, you've been doing what you say you're doing. Vanta just plugs directly into your systems and proves that evidence to them without the need for all of that. Okay, so software as a service? Yep, software as a service. Charge monthly or, okay. Yeah, something like that. Educate me. If I'm cloud first or cloud only, can I just pull a SOC report off of AWS and send that to the auditors and say, here you go? That'll help, right? If you do that, if you're in AWS and you pull their Security Hub, you can pull some of these controls in, right? But the question is, what do you do then about your endpoints, right? What do you do about, hey, did we off-board everybody from all of the systems we have enabled, right? All of the SaaS systems we use?
And so what Vanta does is we integrate with AWS, but we also integrate with every other system you're using, including your HR system and your identity provider to make sure that, hey, you know, all of these things are working in sync to ensure your compliance. So you're a relatively new parent, but you ever, you know the book, If You Give a Mouse a Cookie, you will, you will. The whole thing is you give a mouse a cookie and then eight million things happen, all these other dependencies, and it goes around and around and around. He's going to want some milk. Okay, I feel like it's the same thing in your world, right? I mean, is there an end? When do you know you're done? Yeah, I mean, ultimately you know you're done when the auditor hands you your SOC 2 report, you know? You have your attestation and you say, hey, I'm SOC 2 compliant, or you know, you're ISO certified, but even then it's going to keep going, right? I think the tricky part is there are some key systems that you want to have your eyes on and you want to be monitoring and making sure that, hey, in a year from now when that audit happens, I'm not going to be surprised at what they find, right? And those are going to be your cloud provider, right? Those are going to be your HR system, telling you when people joined and when people left, and those are going to be your identity provider and your endpoints, right? You guys are obviously compliance experts. Is it really a matter of sort of codifying that expertise or is there a machine intelligence component involved? Discovery, how does it work? That's a great question actually, and I think part of it is encoding that expertise in the product and making sure that, there's not necessarily, if you ask any given SOC 2 auditor for like, hey, what controls should I be using that you're going to audit me against? And it's your job to come up with the controls, so they'll provide you some, their set, but it's going to be different between them, right?
The standard itself is not a list of controls, but what we can do is we can provide you that list of controls and say like, hey, we've actually worked with a ton of auditors and they've worked with us, and we can say, this is what you need to do to get started here, and then if you have custom controls to add later, you can do that. So part of that's encoding the expertise, but then part of it is just understanding the world of the auditors enough that we can help guide you through it because, like you said, you can go to AWS, you can download a report, right? That says, look, I have these SOC 2 controls passed right now, but the question is, you still have to then go hand that to an auditor, have conversations with them, get through all of their questions back to you, and that can get really, really in the weeds. So we have like teams of experts who sit on calls with auditors and customers and help them through this stuff when needed, right? And hopefully it's not needed as much when you're automating most of it. So that's a component of your offering, a services capability? Is that part of the offering? Is that a for-pay service? Yeah, so you have to talk to the sales team to understand how they fund it all, but essentially we have these professional services teams and these partners that jump in. I think a lot of times it really is just, hey, the auditor asks this question, we don't know how to answer it, we'll send somebody to jump on a call. Let's jump on a call. Exactly, yeah. But if you need more intense work. Get services, then maybe that's available, yeah. Okay, and is there a privacy aspect of your software? Yeah, so Vanta software does actually also support GDPR and CCPA to kind of help you. It's hard to get your head around that stuff.
You want to talk about like encoding expertise, having people inside Vanta who can talk through the product and say like, hey, this is what we need to test for in a customer's environment and this is what we need to point to that maybe you can't automatically test for, but we can give them some template policies or procedures for them to have in their company and we can provide all of that to try to help you feel good about, hey, we're compliant with GDPR, we're compliant with CCPA and we're not going to have problems here. And data sovereignty, I presume, is part of that? You know, data sovereignty, man, I'm not the expert on data sovereignty, I'll tell you that, but I know that is definitely a part of that. I don't know how deep it goes when it comes to the requirements of any given company. Well, it's tricky because a lot of it hasn't been tested in the courts of law, there's just guidelines there. And then a lot of times you don't, how do you really know where the data is, right? I mean you kind of can infer it. And you can get real clever, you can start encrypting data that sits somewhere here, but you have the keys over here, it's like, no, no, no, the keys are in the right country, you know, that counts. Right, and I can say that's not really been tested, the logic of that. What are the hard parts of what you guys do and what makes you different from everybody else out there? Yeah, I mean I think, I'd say a couple things are really hard about what we do, right? One is maintaining good reputations with auditors, because the goal is ultimately that an auditor sees Vanta and they say, okay, Vanta says that checkbox is checked, I don't have to worry about it. And that's where we are with so many auditors today, right? But it wasn't like that in the beginning. In the beginning it was, hey, we're showing you the code that actually looks and checks that box, right?
But the other hard part is just integrating with the long tail of systems that every customer needs, right? Like if you use a certain HR system and we don't support it, then that's going to really dampen the value that you get out of the product. So the engineering challenge is maintaining a reliable set of both high-quality tests and high-quality integrations with these services. What are the synergies with CrowdStrike? Kind of, you know, maybe it seems obvious, but explain where you pick up and where they leave off. Yeah, I think that's a great point. So, you know, we have a very simple agent that will run, if you need something on your laptop that says, hey, look, this laptop, the disk is encrypted, right? The screen lock is set appropriately for my controls, right? So we have some basic capabilities. It's based on osquery for those interested. But it's not a full-fledged endpoint protection platform, right? And that's where something like CrowdStrike can come in, where we can integrate with them and say, okay, hey, if you're ready to move on to something that's a little bit more full-fledged and a little bit more of a, you know, going to protect you against malware and that sort of thing, then you can move on to CrowdStrike and we can integrate directly with them and we can pull all the information we need and we can check all those boxes for you that say, hey, you have appropriate malware protection, you have disks encrypted, you have whatever it may be, right? We can pull that information from them and we can also help you make sure that the people who have access to CrowdStrike itself in your company are the right set of people. Who do you sell to? Do you sell to the audit function within a company or do you sell directly to big auditors, both? So it's, we're mainly selling to the, whoever's responsible for getting that SOC 2, getting that ISO, getting GDPR, you know, all these sorts of things at a company, right? So for a small business, right?
A startup that's like two people. Could be a developer team. Exactly, we're selling either to the founders or developers or something like that and we're saying, hey, you don't want to think about this at all. We can get you like 80% of the way there without having to send a single screenshot and then there's like 20% of like, all right, we'll help you, you know, partner you with the right auditor that's good for your company and get you over the line. But then as we go and we sell to a mid-market company or, you know, even potentially an enterprise, we're talking to people who have very specific expertise in either security or compliance who also don't want to have to do all this manual work. And it's a pure SaaS model. It runs in the cloud. How does it work? I just point it at whatever software I want to get certified? That's exactly right. It's pure SaaS. You go to, you know, app.vanta.com, you log in and then you go to the integrations page, right? You're starting fresh and you say, okay, well AWS, here's how you integrate AWS, right? We use their AssumeRole functionality and stuff like that to pull in, you know, read-only data from AWS. And then you can also go to your Okta and you can say, okay, well, I can connect here through Okta, through an Okta app, or I can connect to my Google through an OAuth that has the right permissions. So we try to just limit the amount of permissions we have or the scope of our roles. But really it's just, you know, it's all API-based integrations that we then just pull the data we need to prove that you're doing what you say you're doing. Well, Rob, congratulations on the funding and the activity here at CrowdStrike. Good show. So, you know, good luck to you in the future. Thank you very much. All right, you're very welcome. All right, keep it right there. Dave Vellante for theCUBE will be right back right after this short break from Fal.Con 22, live from the Aria in Las Vegas.