[00:00:00] Jack: Welcome back to security voices.
[00:00:04] Dave: Hey, thanks for joining us
[00:00:05] Al: out. Yeah, thanks for having me. It's a first time. I think I've done a podcast that isn't directly related to my job or being told to do one. So this is like my freewill podcast.
[00:00:15] Dave: Outstanding. Yeah, we, we waited for this for a long time. We talked to a while ago and realistically there is just no way of getting you on with the Cisco PR hounds there, at least in the way that we wanted you on raw uncut unscripted, all that happy stuff.
[00:00:31] Al: Yeah. Yeah. Well, it's, it's nice to be able to have, uh, an opportunity to discuss things without minders, of course, but I still do need to remain employable afterwards, so I'll see how much or how many guardrails I can throw around it.
[00:00:44] Dave: Cool. And you're still out
[00:00:46] Al: of Calgary. Yeah. I mean, I've been here since COVID.
I used to split my time before the pandemic between the valley and here like a particularly San Jose, which is like the biggest fucking strip mall on the planet. Um, but it was nice to go between California and here, but since the pandemic I've just been here.
[00:01:06] Dave: So from, from the depths of a Calgarian winter, we find you.
[00:01:10] Al: Yeah. It's I wish I could share this with you when I was coming up, coming home this morning for dropping my daughter off at school, it's minus three Celsius. I don't know what that is in Fahrenheit, but that's, you know, it's, it's chili, I'll text you a photo. There was a dude running, uh, without a shirt on, uh, and in short shorts out there and join it out for a good jog.
I thought, man, only here, only here can that happen, but yeah, it's cold. It's always cold here. I mean, until June ish.
[00:01:41] Dave: So we, we find you. Not quite in between gigs, but on, on the start of another journey, I was thinking back to the first, some of the first times that I, that I met you in how I, how it kind of originally had an interaction with you without having them, which is I used to use cyber cop when I was at ISS.
I remember using cyber cop, which was, I think that was your first product you did way back in like early to mid nineties.
[00:02:09] Al: Yeah. Yeah, it was, uh, I think we started in, in 1996 and then, uh, it started being called network auditing software, and then we sold it to McAfee who at the time was called network associates.
And then it was renamed cyber cop.
[00:02:24] Dave: Yeah. So cyber cop was the big competition to internet scanner and really one of the first scanners that was out there. I mean, it was sort of a fast follow race, right up against internet scanner. There was another product by accent, um, that didn't work terribly well, but cyber cop worked and it was credible competition to internet.
[00:02:46] Al: Yeah, it was, it was a really good product, especially considering that it was the team that built it. I mean, we were also young. We were in our very early twenties. It was our first professional, anything really, for me, it was my first job outside of government. Um, and it was, uh, we built an amazing product.
It was a small team, like 13 of us ultimately, and then all of us sort of spread out and went. And I think still all of us still work in the industry at some, in some capacity or another. Uh,
[00:03:13] Dave: who are some of the folks that were on that team? I know it was all of her Friedrichs.
[00:03:19] Al: Uh, Tom Ptacek, Tim Newsham.
I've an RSA, um, oh gosh, there was, uh, this is going back a very, very long time. Um, but there were, there were a bunch of us, I mean, all over, went on to do a number of startups, Phantom, cyber Splunk, actually, uh, I've an RSA, I think works, uh, for a French cyber security company, but he did core security, which sort of in color impact your impact.
Uh, Tim newsroom is, uh, working on their startup right now, uh, in this space and, and, uh, Oliver Friedrichs as well, I think is back in startup land. Um, yeah, so it was.
[00:03:58] Dave: Yeah. And the product had some really fun quirks to it. The ballistic itself rotated in the logo and it actually was one of the first products way back in the, before times to have a 3d walkthrough of the network.
And it worked, it worked just enough to be tantalizing is
[00:04:16] Al: yeah. You know, the history behind that is that, um, when I raised money for, uh, Secure networks, which is the name of the company. I worked at a video game company, a subsidiary of Nintendo, um, and, uh, as a part-time contractor doing network admin stuff, and all my buddies were video game programmers.
So they actually helped us with writing all the graphics for that. Um, because we were steeped in it and it was actually, it was really cool. We could have taken it a lot further, but, um, it was also, they also had stuff like they wrote MIPS, shell code for us in the nineties, um, like video game programmers that came off of environments that were super constrained.
And it's not like today, right. Where you have all this processing power and memory, everything was done in, in pick your assembly, language of choice. So you had people who knew risk and MIPS and x86, like inside now, uh, including for graphics generation. Um, and they, they built some amazing stuff and they had a super good history with contributing to security products as well.
Like, I mean, Publicly released buffer overflow was split VT for Linux x86 shell code. Um, and the Gentoo wrote it wasn't in the security industry. He was actually a video game guy. Um, the shell code itself that became standard that people referenced for years to come, because there were so few people that actually understood x86 that.
Well then, unless you worked in a daily, you know, people who are cracking games or writing them, uh we're, we're usually like the choice to go to if you want it, that level of expertise.
[00:05:46] Dave: And you're you just got done with your fundraising, but go in the way back machine, what was it like raising money in the nineties for a cybersecurity.
[00:05:56] Al: It was just, it was hard there wasn't, uh, there were very few precedents to refer to in the VC community, um, is formulaic and a lot of ways they want to understand the risks they're taking and you couldn't point to a lot of successful security companies. And it wasn't a space that was considered hot.
That was difficult to raise. I was lucky enough to take money from the founders of the video game company. Um, they were, they were all, they were, all entrepreneurs are willing to take a bat and they gave us a really small amount of money at the time. It would have been $50,000, um, which is what we started the company with.
I mean, dude, I felt like I had 400 bucks in the bank. So to me that felt, um, but that's how we grubstake it originally to be chanted at that time. I didn't know that there was a valley, uh, and I didn't really understand venture either. The people who had the video game company had raised venture, but I'd never been experienced or whether they've been exposed to that kind of stuff before.
Um, but I did raise a few years after that and it was still. Very difficult to explain to people why they want to do invest in security because should quite frankly, it wasn't top of mind. It was, it was still similar in a lot of ways. They have what I see in cloud environments, you know, where, um, you all understand that malware and ransomware and all these things are an extraordinary problem.
Um, but we're building out cloud environments and we're not reading about breaches that take place there. And we all know that it's just fertile ground. People are crawling around inside those infrastructures, like mad. Um, but it isn't necessarily yet getting the press. Um, so I think it's harder to convince people that they need to buy or build software.
And then there's are some startups that are doing extraordinarily well, so they can learn some lessons. Um, but, uh, unless the VC community has seen a lot of tangible success in a space. It's always tough to get them to invest. I mean, but you know, It's a different animal altogether, uh, guys, as you and I both know, like VCs have a lot of accents under their belt that have come from security companies.
Uh it's top of mind in every boardroom discussion. So raising for it is less painful than it used to be. Certainly I think raising right now, period is less painful
[00:07:52] Dave: than it used to be. Yeah. It, at least for the current time, the last meeting we had with our most recent investors started with, so congratulations for raising at the top of the market.
And I'm not sure that he was right, but I don't think anybody at this point would tell him he's wrong. It's uh, yeah. We'll, we'll see what we'll see what happens. It's amazing to think that was, you know, we're talking about, uh, about a quarter of a century of history here, you know, since your first kind of fundraise it's
Jack, where were you at that time? Had you had you crossed over into secure.
[00:08:34] Jack: Um, I was mostly just trying to keep networks running and keep the bad people out or throw them back out. So I had, I hadn't landed in vendor land yet. I was still trying to defend small business networks.
[00:08:51] Dave: Now, from, from there, you spent time at McAfee. I think you did a pretty short stint at
[00:08:56] Al: McAfee. I want to say it was there a couple of years. Maybe not terribly long could have been shorter than that.
[00:09:03] Dave: Yeah, I know it was, um, it was one of your shorter stints. And we'll talk about this. I want to talk about it a couple of times, because it's, it's typical for a founder to vest in peace, but as soon as they, you know, their, their primary financial goals, they bail, you're actually the rare breed that sticks around.
But McAfee, those were like, those were wild heady days of the nineties when things were crazy. And I know there's a finish some fun stories about how you left and how you quit McAfee. I, I'm not sure. I'm not sure you want to go into the sandwich story, but a sandwich was thrown and shortly thereafter Al was gone.
[00:09:45] Al: It's fair. I do want to point out that I wasn't fired for it. I did go back to work the next day and quit. Um, but yeah, I had a, I had a, um, I had a disagreement over, uh, over product direction and it ended up with me launching a sandwich across. Now I want to put it, like, you gotta keep in mind. This was 23 years ago.
So a majority between here and there for sure. But I was pretty passionate about it at the time.
[00:10:10] Dave: But if, honestly, if that's the most salacious thing you did at that part of the nineties.
[00:10:17] Al: Yeah. Especially at, at McAfee, uh, I wasn't snorting Coke in the server room or any of the other things that might've possibly taken place that company.
Um, now it was pretty pedestrian. It was a short-term stay, but at the time, um, it's interesting. I think I was mature enough then in some ways to do things that later in my career that I didn't, which was understand that I was in the wrong place for, for what they needed me to do. They mean they were paying me more than I'd ever made in my life at the time.
And, um, I was the wrong guy for that job. They wanted me to run a. Product portfolios and focus on running a business. And I wanted to build security software and that's what I was good at. Um, and I knew at the time that staying there would, would steal all the passion. I had the job I did. Like I loved, I still love security extraordinarily actually.
But, but then it was, it was like central to who I was. I didn't have a family. I didn't have a life behind me of any real merit. Right. So, um, I left knowing that it was the wrong place for me to be. And I think later in my career, I ended up staying longer at places than maybe I should have. Um, because I did do end to end up doing things that while I was capable at them, they weren't my passion, which is building things.
[00:11:31] Dave: No. Where did you, after SNL, you ended up, so you had been, had a formative hand, really embolus assessment. And funnily enough, like, I don't think you've ever really gone back into volunteer management. I ended up I'm the fool who ended up going back into volt, going back into vulner assessment, full management, not once, but twice
[00:11:51] Al: going, I'd say more than one kick at the can.
Yeah, I didn't ever, I didn't ever revisit it, although I've always found it super fascinating, but there's, there's so much great work in that space that I didn't know that I could add a whole lot of value there after I'd left, particularly with Foundstone when you started it with, with the guys that you did.
Extraordinary product that filled a gap and the technical gap around assessing networks was, I won't say it was solved, but it was pretty well understood, um, with, with that with Nassis as well. Uh, but the reporting part of it, the ability to do it at scale to do it as a SAS offering, um, those are things that you guys conquered in that space.
So like revisiting it didn't feel like it was going to be a good use of anyone's time. It
[00:12:31] Dave: was really, I mean, the analogy we used at the time was assessing people had kind of got the fact that they had to assess. And we said, that's like going to the dentist. Now this is like brushing and flossing your teeth.
This is the bull management. You do yourself as opposed to it. And it's inherently not as exciting. It's no less valuable, but it's inherently not as exciting as kind of the groundbreaking work. And you went on to do security focus after that.
[00:12:58] Al: Yeah, I did, um, security focus with Elias levy, uh, who was the, uh, one of the moderators of bug track, um, and a number of other folks all over Friedrich's as well.
And some number of folks from secure networks Inc, came with us. And the goal was to ultimately build early warning systems from our outbreaks and for breaches. Um, but we wanted to build a huge community as well, along the way. So we had a, we had a we're sort of a central clearing house for mailing lists like BioTrack and full disclosure.
I should not full disclosure bug track that was focused on full disclosure and then a number of other things. And I ended up being a really substantially sized community of users, um, focused around security, hence security focus. And then the early warning system, we built deep site. It was a pretty good product as well for its time.
It was a SAS based in the early two thousands, which was, which was a unique, in some ways, dealing with massive amounts of inbound IPS IDs data, which was so we had a data scale problem, which was something that we first cut our teeth on there as well. Um, so it was a lot of fun. Um, but then we ended up selling it to Symantec, which is where I met you.
[00:14:04] Dave: Yeah. And what was, I mean, you were, you could already see things shifting at that point. What was different about security focus than S and I, what did you, what did you learn from the SMA experience that you applied to security focus and what was changing in the industry at the same time? And I realize I'm, I'm forcing you into the way back
[00:14:23] Al: machine here, but, well, I think I learned more at security focus than I did that.
S and I, I think your secure networks S and I was, uh, was, uh, uh, it's like we won the lottery, you know, we built a team where everybody got on extremely well. We had the craziest free decor. We were all super passionate and we built good software, never having built software before commercially. So there were, we did hit many challenges along the way.
Um, I, I remember coming back from a LA. One day. And there was a $50,000 PO on the fax machine and I picked it up and it said it had PO on it. And I looked over to one of the, like, to all of our favorites and I'm like, dude, what the fuck? Um, and they say, this is a purchase order. And I said, oh my God, someone just paid $50,000 for our product.
And this was in 1998. So we, there wasn't a lot of opportunity to learn there. I, in fact, I probably learned some, I thought it was a lot easier than it was security focus was, was an awakening for me and that it was a real startup with real challenges. We raised substantial amounts of financing for the time.
Um, we had a large customer base. Uh, we had all the drama that's associated with a startup. Um, you know, and so that was when I actually really learned what it was like to run a company, to build a business, to attract customers and maintain them. Um, all of those lessons that, uh, to secure networks. Well, I didn't learn because we sort of just, we hit everything out of the park by accident.
Um, and, and security focus was much more difficult than that. It was building a more, a brick and mortar ground up business. We, we raised money, um, at a very challenging time as well. Um, and, uh, we had a lot of
[00:16:00] Dave: 2002 and kind of the bust cycle of 2002.
[00:16:04] Al: Well, so we, yeah, we actually, we started it in, in 99, roughly just two.
Um, and, uh, we lived, um, you know, what I was, we've actually raised money for a different company during the.com crash. But, um, during that one, there again, the VC community was relatively skeptical about what we were trying to do. Something nobody had. Which was built early warning systems for malware. Um, and first off, they weren't completely convinced that malware wasn't a problem that was just being solved by any virus, vendors, period.
So why invest money? Um, and they, there still, wasn't a super strong track record in investing in security companies at the time. And you had exits, uh, along the way in that period of time, but there were many of them, you know, their Symantec was certainly pretty acquisitive, but that came later, we were part of their great rush towards acquiring network.
Associates had bought companies previously, but most of them really didn't work that well once they brought in and network associates at the time, I think the majority of the executive team was in court or in jail. So it wasn't, uh, it wasn't exactly fertile ground for investment. So raising money was difficult.
Uh, and we learned a lot. I learned a lot about that process. Plus the team was bigger. Like we had, we had a real company, secure networks was 13 people. Um, and, uh, security focus ended up being closer to 70 or a hundred by the time we sold as well.
[00:17:25] Dave: And how, how long was the journey? How long was security folks?
[00:17:28] Al: the short three years before we, before we ended up being acquired by Symantec. Yeah. So it was, it was, it wasn't the five-year or eight year or 20 year journey that a lot of companies that have been on along the way. Um, but we still continued it while we were at Symantec together. But you and I, in fact, other people team, and that was, that was seven years there.
So the w it didn't stop when we got acquired. It kept on moving.
[00:17:55] Dave: Yup. Yeah. I, I came to it pretty late and it was still chugging along, still valuable, which is super satisfying for people who love to build things. I mean, to see something going on after its acquisition even found still, when I run into people who are happy, Foundstone users, you know, first off, I'm kind of surprised because all I can remember is all the mistakes we made with the product.
Um, but having said that, yeah, it's, it's always a point of pride when someone carried on using the product and the team carried on building the product after we're done with it. I mean, it was, um, it's,
[00:18:28] Al: it's cool to see. Well, it also, it also opened up a hole. It changed the way that the industry did vulnerability assessment as well.
Right. I would argue that they call us rapid seven and others who came along afterwards adopted many of the same approaches that you sort of broke ground on milestone. And it had a big, it had a big impact on the industry.
[00:18:48] Dave: And we were, uh, I mean, and this was kind of an interesting lesson for us, but the tech was okay.
We had better ideas than we had execution and call us, call us, came around, who had both very good ideas and great execution and also Reno. And, uh, and Ron and those guys came along about midway through the journey as well and had, um, I'd say like better ideas than execution, uh, Felipe and Gearhard were kind of old hats at that point, but, uh, Fe they figured it out as they went along as, as the Jevity company and an IPO as a test.
[00:19:25] Al: Sure. I mean, it'd be tough to argue that the tenable didn't turn out extremely well, but I do think that teams make a huge impact on the quality of what you put out. You take a look at the light, Felipe quarto, or Gerhard, Asheville, Becca, and those guys do their business. Like you're very, very good. And you put them in the driver's seat at a funded company.
Um, and you can expect that the output's going to be pretty extraordinary and they did, they did great stuff. So, uh, not to take away from anybody else, but I do think a founding team, people who know what they're doing.
[00:19:55] Dave: For sure. Yeah. And I think if there's any lesson and hopefully people are pulling some things out of this, I think it's, it's fun to revisit this.
And I think there's some lessons in here, but I think there's so much power in having done something the second time. And Felipe had done CC mail and have done other things before that Gearhard had been at McAfee. And I think one other place before that was a seasoned engineering leader made the mistakes and there's just no substitute for having made the mistakes done it before.
[00:20:26] Al: yeah, it, it, you, it, what you learned from failure is extraordinarily valuable because I guess depending on whether you actually use what you learned or not, but there's, there's no question about that. Um, we had to get hard, ran firewalls, IPS, IDs, bone scanners, hosting churn detection system. So he had a bit of a litany of production experience before he rolled over to.
[00:20:49] Dave: Yep. So moving on, you went from Symantec to immune net, which was really, I think part of the beginning of people getting re interested in endpoint. And it was one of those cycles where people weren't quite, they weren't quite convinced yet that Avi needed to be reinvented. Even when I went to CrowdStrike in 20 God, when was it?
2013. I remember people saying like, oh, who needs a new endpoint? Like in Symantec was convinced, you know, they were just going to milk their end point technology at that time. Yeah. Oops. Yeah. They, they paid dearly for it. Still have paid dearly for it as has McAfee, but you know, you, you, it was there. Like you could see this beginning and you, and, and all of our work early in this and did some hard yards at Immunex.
What were the lessons of, what were the lessons of it?
[00:21:44] Al: There were a lot, but I, I would even take it a step back and say, why did we do it? Um, and th the vendors themselves had, had become, um, completely calcified. Uh, they, there was a, there was an extraordinary tunnel vision that took place amongst the vendors themselves saying that the way that they were approaching AAV, um, was making money.
Not that it was right, because they knew it didn't work. As they were, if there was no way you were involved in that, unless you were extraordinarily naive to believe that that technology was, was doing what your marketing said it was doing. Um, but it didn't matter. They still pursued a singular focus on detecting and removing files off of that point.
And the reality was that their customers were being bled out is that technology is not, it's not a solvable problem in computer science, at least not by today's standards. Um, and then of course, so we, we thought, look, there's gotta be a better way to do this. And, and we went and did immunity and the thesis there was first off, you should be cloud managing it.
That's very clear. It's too difficult to manage detection, content and, and capabilities, uh, in static files that are shipped to an end point. I mean, yeah, there's a place for that, certainly, but things are too dynamic. You need to be able to move quickly and you need to be able to harness the information that multiple customers are getting to you.
So you can be more fleet of foot and respond to things. Um, but I think more importantly, we realized that AB. So, whatever you build, you just have to go and address that head on because it's a problem that needs to be solved. And that's sort of where we ended up with at Immunex, um, raising money at the, at the height of the financial crash in 2008 was a grueling painful, demeaning, difficult.
I would say it taught me a lot about fundraising. Um, I don't think we raised enough to be honest. And it, it, it forced some decisions that we had to make a little bit later because we, we had an amazing idea. Um, but I don't know that we had the financial wherewithal to execute on it, to the degree that we needed to.
And then we ended up with some early well-funded competitors who are really good, like CrowdStrike, for example, carbon block others. And these were companies that were not run by sophomore security people. They were like apex predators who knew their business and were really well-funded at it. Um, so there was, there was a number of takeaways from that company for me.
Uh, first was if you're going to raise financing, raising. Ensure that like assume you're going into a bleak, difficult, cold winter. Um, don't allow anybody to tell you to just raise enough to get to MVP, um, or, or anything of that nature, because quite frankly, uh, when you get there, if you're not doing what you need to be doing, raising your next traunch of financing can look pretty ugly.
So the takeaway there was, was, uh, raised the financing that you need, um, that you, that you think you would need in the best, most wildest outcome that you could imagine, um, versus trying to keep it as lean as you can. I think that in that time period, things were changing where you, people were raising larger sums of money to get the job done.
We didn't recognize that, or I didn't recognize that at the time, which was a, which was a mistake ultimately. Um, but it ended really well. Uh, surprisingly, you know, we ended up, uh, being acquired by Sourcefire, which was fantastic. And, um, that was, uh, to this day, the best company I've ever worked for. So it was, it was transformative on a number of levels because it was such a pleasure to be part of that company.
Um, and it, whenever I think about building a company with a really killer culture, um, and a place that I want to go work it's I think I would model an opera star as far.
[00:25:21] Dave: What did Sourcefire do? Right? What distinguished it?
[00:25:24] Al: I think it hired extremely well. Um, it hired people who were all willing to pull in the same direction.
There was very little ego in play. I mean, that I ever saw. Uh, certainly. And, uh, it started at the top, like I'm already rash the founder. Um, if you spent any time around him, he doesn't like he doesn't ride people down or gossip. Um, he doesn't, he wasn't engaged in internet warfare with his peers. So the things that he didn't do, didn't show up inside Sourcefire things that I saw in other companies that were hugely unattractive.
Um, and we had a singular purpose. Like we were making the best products in the world that was our job period. And everybody was pulling behind that. I mean, it helped that we had snort, um, and had built the world's best intrusion prevention system. Uh, and that was, um, that wasn't, uh, a truism. That was a fact that system was extraordinary.
Like it was, it was what it said it was. And you got what you bought, uh, which was really gratifying. So the field was in good shape. The sellers were, were generally very happy because they were selling product that customers love. Renewals were high. Our customers loved us, and then it gave us some space to build EDR.
For example, we didn't have long enough to pursue it because we ended up ultimately getting bought by. So. Um, but it was always a pleasure to show up show up to work there. I loved visiting headquarters, uh, in, in Virginia or other outside of Baltimore, um, in Columbia, Maryland, because it was just awesome.
Like it was invigorating. I never left the meeting there feeling drawn down. I never felt like, uh, anybody in the room wasn't fully on board with what we needed to get done. So it was, uh, it was a pretty extraordinary culture. Definitely one I'd like to emulate myself.
[00:27:03] Dave: I think one of the fascinating things about source fraud and correct me if I'm wrong, but as far as like an enduring and successful open source security product, I mean, one that spans the decade, plus I'm not sure there's another
[00:27:17] Al: example.
I don't think there is necessarily, might be the closest corollary to it. Um,
[00:27:25] Dave: Yes. This was closed in 2002.
[00:27:28] Al: Yeah. So
[00:27:32] Dave: no,
[00:27:32] Jack: that's about right. Yeah.
[00:27:33] Al: Yeah. I think that's, um, that's the, I mean, I'm trying to give a corridor. That's close, uh, Metis boy, maybe, but that, I mean, like at the end of the day, everybody, anybody who needed IDs ran smart for free at home and we're generally are at work.
I'm relatively happy with it. And, uh, it was the first open source security product for sure that that ended up and maybe the only one ever to end up with a multi-billion dollar exit as well. So I think, I want to say that it sold to Cisco for 2.4, $2.7 billion. Um, which is, uh, which is even by today's standards, an awful lot of money.
Um, and, uh, yeah, it was, it was everywhere and it was everywhere because. Like, you know, it was, you download, make all at your config running and that thing was capturing traffic and identifying threats in the free version. Um, so, so taking that to a commercialized version where you had all the support you needed and a user interface that didn't look like it was built in curses and all those things like that was not a heavy lift.
Uh, I don't mean to diminish the work they did because there was a truckload of work. Right. But it all starts with a product that works. It all starts with software. That is exactly what it says. It's supposed to be, um, where there's no bait and switch the marketing. Doesn't lean over the skis to create something that your customer isn't getting when they buy it, all of those things.
So they had that down, pat.
[00:28:52] Jack: Yeah. I, one of the things from my background, um, with, with snort was that it played nice with others, too. It was integrated in other products. And if I'm gonna throw stones at any companies, but like at a Starro we used snort, we also bought and licensed, uh, the VRT rules and we had a healthy relationship.
And we were far from the only company that said, Hey, these snort folks, the Sourcefire people are doing good stuff. Can we partner with them? And both of us win and, uh, I think Marty saw the value of that early on.
[00:29:27] Al: Yeah. Yeah, definitely. We encourage that ecosystem. Marty was a big proponent of it. Um, and, uh, and that worked really well.
I mean, snort was for many years embedded in pretty much any offering you were looking at that that had an, an IDs like kind of functions in it, for sure.
[00:29:43] Dave: Yeah. I think the closest we see, well, I don't know. There's, there's a few things that kind of the, the, the closest analogy today that comes to mind is, um, what started out as bro and is now Zeke championed by core life.
Yeah, I think that's probably the closest thing we have to, to a snort today.
[00:30:04] Al: And bro is really good as well. I mean, so there's some, there's some commonality there it's a circuit as well. Like there's some, this is some of those systems are actually fantastic. So it doesn't surprise me that building something on top of them is helpful.
[00:30:17] Dave: Yeah. I mean the, um, open source security tools. I mean, you see this, like if you, um, uh, give a plug to clink gamblers newsletter, but our Marco's newsletter, um, I think CloudStack list and so forth, but you go through those newsletters, which are all spectacular, really well done. It, especially like Clint sense of humor.
And you see all of these open source security projects now, and it's really cool to see. And I think it's a blending of the heritage that was started with things like Nessus and snore and other tools blending with the heritage of cloud infrastructure, which is also very open source. And we're at a point today where.
You know, it's fairly common for a company like open Raven to have something like mag or Mockingbird, which are both are open source projects and so on. It's just, um, it's cool. But we, we owe in some ways a debt to folks like Renault, Marty and so forth, who proved it work because when we go and pitch for funding and explain it, there's a pattern there that people instantly recognize you don't have to argue it.
[00:31:27] Al: Yeah. Yeah. And I would probably throw HD more in that bucket as well. A hundred percent. Yep. No, I agree. I think the other thing that those highlight is what hasn't changed is the successful open source projects almost always highlight the hole in the. Um, it provided that they're not started by a commercial vendor or any of those things that start natively and get growth they're there because they can't buy it often.
They're there because it isn't, it's a problem. That's not being solved by somebody on the outside. And they, so they represent, I think would ultimately end up as products in market to some degree or another. I mean, there's a proliferation of products right now for cloud or open-source projects for cloud doing a litany of things that are not being well addressed by most vendors.
And there's some definitely, I think like Wiz and Orca and those guys are, are starting to move into that space pretty aggressively. And it looks like people I speak to the use, them love them as well, but, um, there's a huge. Right now for cloud period, which to me sometimes sounds like saying unique security all over again, because that's what a lot of it is, uh, whether you're talking about Kubernetes or otherwise, but, um, that's, uh, these projects themselves are servicing a whole and there's so many of them right now.
[00:32:37] Dave: Yeah. It's, it's crazy. There's a fresh list. Every time you'd come through. And it's, it's kind of Darwinism in its truest sense, the ones that get picked up and people use eventually blossom into commercial products like truffle off. Being an example, you know, that was just, you know, small project for finding developers secrets.
Just got a nice round of funding from Andreessen Horowitz. Yeah, yeah. Yeah. I mean, there's, there's so much activity it's, it's easy to miss things. Super easy to miss things, especially actually when your head's down starting a new company.
[00:33:13] Al: Yeah. But it is nice to see companies that have awesome software get funding because unfortunately that isn't always the way that over.
[00:33:20] Dave: so before we switch into, I want to really focus on the new company and kind of lessons learned as you embark on a new journey. But before we do that, you stayed at Cisco for eight years. I think you said before, which is really, really unusual. Um, let's, let's dig into that now. Why didn't you stay, you could have jumped at any point started another company got out, you had a really long stay there.
I don't know of any other founder that sticks with the acquiring company for as long as you have. And you've stayed at Symantec for a very long time, too. I mean, you and I were there together for at least, you know, five, six years or something like that. What, what motivates you to stay on post, you know, post the OB once the obvious financial incentives, dissipate, what keeps you.
[00:34:13] Al: Uh, I think at different stages in my life, the answer has been different, but I mean, relative to Cisco, um, that was always a tough one to be totally candid with you. Cause it was a bit of an ego Buster whenever I went to a conference and someone said, you're still at Cisco. Like why, why haven't you gone back and done a startup?
Right. That's what all smart people do, they do startups. Um, and you felt like you were, um, uh, you were driving the short bus to school, but, uh, I stayed because I loved it. I mean, that's the short answer. Ultimately I really, really loved the people that I worked with in many cases have built like lifelong friendships with some of them.
Uh, we were building at scale and that was something that I hadn't experienced before even, um, Any company, the size of Cisco has some benefits and it has drawbacks as well. But one of the benefits was I could build a product that was moderately successful and still put it in the hands of 20,000 customers.
And that wasn't an experience that I'd had in the past. And I learned a tremendous amount from you learn how to build software at scale. And, um, it's gratifying as well to see it use to the degree that it is. Now, there are other challenges that come with that size, but I couldn't get that experience anywhere else.
Um, and I worked with a lot of really, really intelligent people. When I, when I first ended up there, I got turned down my first two or three offers to go work there. We got acquired and I was not going with them. Like I was like, uh, zero desire to go work at this paleolithic router vendor, um, who knows exactly zero about software.
And in my mind, I thought this is where you went to retire, not where you went to go with. Awesome software products. And that was a really shortsighted sort of myopic perspective because when I ended up there, I was like, wow, there are a lot of people here who make me feel completely juvenile in almost every aspect of my ability to build software or sell it.
And so I learned while I was there. Um, but it never had the cache of being at the sort of startups that you went to Dave or Jack that you were at. Um, and that was always kind of bothered me a little bit because I still wanted to be participating, you know, like we all came up in the security space and I wanted to be at a vendor.
People saw as a security vendor and it's just go, they saw us and still largely see that vendor as a, you buy world-class routes, which software from them. Um, and that's there that's top of mind when you work there, uh, or whether when you're buying from there or both, but, uh, yeah, I did stay a long time and I was in love with, uh, with the time I was there.
And then when I fell out of love with it, it was time to run away. So, um, but eight years is a long time. And when I look back, it didn't feel like it years ago. Two, maybe three, uh, all in
[00:36:50] Dave: there is I remember when I interviewed for, with Cisco, um, before I joined tenable, it was really impressive. Like the people I interviewed with were, um, I had the same kind of eyeopening experience.
They were incredibly impressive. Like not, not what I expected at all. Um, the office building was, I remember like driving around this corporate parking lot. That was just absolutely confusing. And May's like ending up in this empty office building in this conference room tucked over in a corner, there was nobody in it, even pre COVID.
It was like absolutely desolate. The only thing I remember is there was this giant box of sunshine. I remember looking around. It's like, if I work here, it'll be me. And like three boxes of Costco size SunChips every day. Like God helped me brilliant people who live in offices way away from here and probably just drove in to come visit
[00:37:50] Al: me.
The buildings were soul sucking to be totally candid. They were not, uh, the campus in San Jose was not my favorite place to be because of the buildings. The people were awesome, but the buildings were, um, yeah, I mean, San Jose in general is not a place that I really ever gravitated to. I've lived there because I had to for work, I lived actually close so I could walk to work.
Um, and, uh, yeah, no, not my favorite place in the world. And the campus itself was not awesome for sure. Full of awesome people. Not an awesome building.
[00:38:18] Dave: Yeah. So let's um, and Jack, anything from your side before we dive into, uh, before we dive into the next phase,
[00:38:29] Jack: No, nothing, nothing. Uh, you guys, you guys know each other and you're doing this well.
[00:38:35] Dave: All right. So let's, let's do a, um, let's do a, a full like 25 year you're you're starting a new company. Can we say the name of the company command zero. Cool. And what do you, what are you comfortable saying about what the company does
[00:38:55] Al: level, where we're looking at? Um, automating breach management and response.
So not, not like, uh, when we'd say breach, this is not, my EDR has found on an infected computer and I'm going to RMA at, or do host isolation and call it a day. This is you pull on a thread and it's a holy shit. My next conversation might be with the board sort of probably. Yeah, we're focusing on trying to help people do that better than we do today.
It's still largely a services led business.
[00:39:24] Dave: And you guys just raise around to funding a sizeable round of funding. The closing it, by the time this episode comes out, you know, it'll be, it'll be known, um, presumably or we'll hold it until it is. Um, what, what are your reflections on raising money now versus when you did it for net versus when you did it for security focus versus God help us way back in the day?
[00:39:53] Al: It's um, well, I mean, it's different, um, on almost every dimension, how we went about it was different than how I'd done it previously, which was really helpful. Uh, so when we raised this time, we spent our time raising from people who are in cyber. Whether, whether they were angels or whether they were institutions.
We went to people who really truly understood the space and had been in it for some period of time. We, we have, uh, we have a pretty reasonably large number of angels in the company, and they're all people who have either built. Companies in cyber or hold executive positions and have been in this space for a long time.
This isn't somewhere they've transited through. And then we didn't speak to many, um, venture firms and the ones we did were people who really truly understood it. The advantage of using that approach is that you're not trying to convince somebody security's important. They know, and they can tell you pretty quickly whether they think your idea has any merit or not.
And so it makes the conversations more concise. Timelines are theoretically shorter. Um, and there's less, there's less, um, less education around. Tell me more about security space, et cetera. And you'd think that there wouldn't be as much, um, as there was the previous times I've fundraised, but there's still, you deal with a firm or a person who doesn't know the space you get to spend time, um, laying the foundations for why, what you're doing is important.
We, we sort of sidestep that. Um, it helps that the other co-founders have sold companies before. So between the three of us, we've had six exits. So it gives us, um, some level of, of cache. When we talk to investors, they understand that it's not, it's not our first rodeo. Um, so some of that risk is diminished a little, um, in that conversation, which I think is helpful as well.
It's not everything because the world's not short on people who have sold startups, but it's helpful. Um, The other big difference of course, is that, uh, you know, there's money out there right now in cyber. There's a, there's an extraordinary amount of it as it turns out. So when we met with, with either individual investors or institutions, um, it was less, there was less skepticism and there was more, it almost felt like they wanted to believe we just needed to get them there.
Um, and th there was Corteal in most cases, we, uh, you know, actually in almost every case except for one, um, I left those meetings feeling pretty good about them, independent of whether the person invested or not. We had a really good open dialogue. We, we had intellectual debate that was useful. That great feedback.
Um, we had one, one group who was, was, um, um, reminded me a lot of raising money in 2008. And I walked out of that meeting, um, feeling about like six inches tall. Uh, and then, and then I remembered, man, uh, this was what it was like every time we tried to raise money last time. And that just isn't the case.
This time educated, dealing with educated investors is helpful. The fact that there's money in the system that needs somewhere to go is helpful. And the fact that we have a background, uh, is helpful. So we're not going through the junior associate to the associate, to the person who might make coffee for the partner.
I mean, this, we actually got to meet generally speaking with the partners when we, when we pitched institutions. So that was, that was good. Um, and they have a ton of corollary data to work with. I mean, there's a truckload of exits in the space, so the VCs are a lot less skeptical generally about it. And then they, they understand that.
[00:43:08] Dave: Yeah. Yeah. So to recap, one market conditions are still pretty good. I mean, you're in a vastly different position because you're so experienced. And thirdly, and this is, this is really important. I don't think you can kind of understate the importance of this. Is there so much data out there about the exits and businesses that have gone before who have proven it out to where you can quickly, even if you haven't been in this space for a long time, you can pattern match, but there's a bunch of investors.
You know, people like Ted Schlein who have been doing this for a very, very long time, you know, as long as we've been building products who have kind of grown up the next series of investors and provided an example, too. So all of those things, you know, mean the space is just dramatically different. It's kind of funny.
I think you guys took money at Immunex from tech operators.
[00:43:59] Al: We did. Yeah. From Tom Noonan and company. Yeah.
[00:44:02] Dave: Right. And Tom was the person behind internet security systems. So you look at even a decade, you know, decade to decade, you have the money from those early security companies fueling the next wave of VCs, you know, and not just like, Hey VCs, that made money off it.
But people who made money off their own companies who became VCs and started to put money back into,
[00:44:24] Al: you know, into security
[00:44:27] Dave: and, and in Tolman and Glen McGonigal and their instance taking it and putting it in Georgia of all places in Jack's backyard, you know, based upon the, the success of what they did.
[00:44:40] Al: Yeah. And you've got Dan and golden there as well, who did a very successful end point company. Um, uh, it, uh, they're definitely paying it forward. You see people like that involved in the investment community, and there's a lot of, um, you're telling me it has an extraordinary heritage in the business, but there are a lot of people who have exited startups that actively invest in other startups in cyber.
Um, so it's, it's nice to see and pleasure to work with you.
[00:45:05] Jack: Another one, another one in Atlanta, as Paul judge who has an amazing track record and is now investing. Um, Atlanta tends to get overshadowed shadowed I'm on the other end of the state, but, um, you know, Georgia tech gets all the love, but like Kennesaw state is cranking out, uh, engineers, who, for people that can't get into Georgia tech, uh, Kennesaw there's, uh, is, um, and it's completely overshadowed, but it's, uh, it's a wild tech area, but, um, it also has traffic to a rival LA.
So. I am happy being five hours away from that
[00:45:38] Al: mess. Traffic in at rush hour is like Sao Paolo, dude. It is hideous.
[00:45:46] Dave: The hours I spent on Peachtree working in at ISS. Like
[00:45:53] Jack: I have to transit it next week, uh, in a motor home towing, a 20 foot trailer, uh, to get one of my toys up to, uh, somebody. And it's just like, it's just, I cut way back on the coffee and, and play cool jazz or something to try to calm down survive.
We are going to get out of the helicopter. Wait, wait, wait. I, I refer to that. Uh, it's always construction, but no one's ever actually seen anybody do anything. It's all about the orange barrels, subsidy subsidy, but it's just, I refer to that as waiting for G dot Georgia department of transportation. I see the G dots waiting for G dot.
[00:46:31] Dave: It is interesting though to see. Uh, people who had success started their own funds, maybe did a little bit of angel and you're able to take money from them and kind of this middle phase and the two thousands to really the emergence of rounds now that are done predominantly by angels. You know, like the one you just did and we didn't, we were led by, by up front and then Kleiner, but we've had angels and incredibly easy, like people warned us like, oh, it can get out of hand.
It's difficult. It was incredibly easy. Like people get it. I mean, it's, it's not, it's not hard.
[00:47:07] Al: It's a phrase. There's a lot of sophisticated investors out there who are angels. Um, there's certainly manageable. I mean, whether you want them directly on the cap table or you want to roll them up inside of an SPV, I guess as just a discussion you need to have as a company.
But, um, yeah, there's no shortage of people who understand the risks they're taking, um, and what the returns could be. And, you know, they're effectively as sophisticated as a VC. Um, and if not, if not smarter money, because people who have been in the industry and know it extraordinarily well might be better positioned to make better bets.
[00:47:39] Dave: And they can be just as helpful in some instances,
[00:47:43] Al: if I'm more, if not more. Yeah. I mean, we haven't, we have, uh, we have a great number of angels, but we do have two tier one VCs as well that we're working with. Um, but it's funny you bring up helpful because that's why we decided to go with, uh, institutional VCs period.
We, we did, we did debate a lot internally. What's the value. Um, we have a lot of experience in the industry. We know a reasonable number of people and, um, we have a good angel community to leverage, but at the end of the day, there are some VC firms that do have. Uh, with access and will, are genuinely pardon the pun, but invested in their investment and want to be part of that team to help you out.
I think that's more, in many cases it's more, more, more noise than action in reality. But I think some firms have gained that reputation, meeting that and deserve it. So,
[00:48:31] Dave: so I think I know the answer to this and we can make this short, but it bears asking why not bootstrap? I mean, you've, you've done well.
And so have your co-founders. Why not just take your own money and get it to, you know, get it to the two, three year mark retain more of the company and so forth. Is there, what, what was your
[00:48:50] Al: reaction. Well, we did put our own money in, so we do have money in the business. Um, but, uh, I think that you just need, you need capitalization right now.
That's fairly extraordinary to, to succeed. Um, there's there's I mean, the last time you and I saw each other at RSA, like in 19, before the end of the world, if you go down on that show floor at the time it was claustrophobic, dude, there was like, I think there were over 4,000 vendors or something of seen like that in attendance.
And how do you get, share of mind in an industry with that many voices clamoring, um, and how you get customer access is expensive. Um, and building a real viable company in a marketplace where salaries are stratospheric right now is not cheap. So we chose to raise. So we had a fighting chance to do what we wanted to do in the period of time that we needed, uh, and not have to worry, particularly if there's a market rate.
Um, around financing that we would be unable to finish the journey I've gone up against well-capitalized competitors before I have no desire to get caught in that fight again, without having some money in the back. So it's difficult,
[00:49:57] Dave: mostly just about the size of the raise required to get above the frackers today.
[00:50:03] Al: and it's just so much more expensive. I mean, just engineering talent alone, um, is, is, uh, gee, I'm gonna say two to three times more expensive than it would have been seven or eight years ago. And, uh, and you know, we're hiring senior people as we go out the door, uh, rather than juniors, because we want to defray some risks, which means if you're bringing in people who are like us and have families and mortgages and, and lives, uh, they're not cheap, you pay to play.
[00:50:32] Dave: So you talk about, um, getting above the noise level. What's what's the marketing playbook. Like what do you think it takes to get above the noise level from a messaging marketing perspective?
[00:50:47] Al: I mean, it's going to sound trite, but I think first your product has to do exactly what you say it's going to do.
Um, you, I find that because there's so much. White noise out there that people try to amp up the volume, making claims that are not necessarily congruent with their product can actually deliver. And that's a really awful way to approach getting your product in the marketplace. Like for a whole litany of reasons.
One is, you know, your customers are going to be let down when they use it. Um, which is what you should be most concerned about because everything goes south after that particular event, um, your Salesforce is de-motivated, your renewals are nonexistent, et cetera. Um, but everything's so much easier if you've, if what you have meets the promise of what you say it will, it's so much easier to build up from there.
Um, as long as you're not overselling your value, I think that you still have to have something that's unique enough for people to want to take a second look, because there's just too much out there right now. It's extraordinary. Um, and I think that their first time they use it, it's got to work. Time to value has gotta be short and it's gotta be well thought through, um, people's patients to, to go on a journey with you is a lot thinner than it is.
Uh, unless, unless I think you're solving a problem for them, it's just so catastrophic, the shitty that they're willing to take lumps along the way to grow with you. They want your stuff to work now as a rule or, or at least, you know, work well enough that they feel like what they've engaged in is exactly what they thought they were getting.
Um, and with some room for improvement. Um, and I think that's a problem that startups have occasionally as they go out the door too early for them, it doesn't do that. Uh, and that's, that's difficult. Um, I also think that, you know, I love the idea of when product led growth is an overused term in our, in our space and well in any software space.
But my favorite kind of product to buy is when I've already. Um, because I know what I'm getting and I want to buy it. I don't need to have somebody show up at my door and get an hour long zoom with me to convince me to buy an enterprise piece of software if I've used it. And I can really truly appreciate it.
I'm much more likely to buy it. So I'd, I'd like to see us be able to build something that we can have in the hands of others. Exactly. Like what you've done in open Raven that make software available to people to see, Hey, look, is this, is this solving a problem I actually have? And do I like it? And then have the conversation from there versus, Hey, let's have a POV conversation.
Let me get deployed on a trial. It takes six months to get into your data center and have a six month trial with you. And then hope to God that nothing goes wrong along the way. That's a tough business model, the prosecutor, uh, at scale anyways, unless you're building a cottage business, which I have really no desire to do.
[00:53:18] Dave: Jack here, your scar tissue on that one was visible.
[00:53:23] Jack: No comment.
[00:53:26] Al: I mean, we've all done this, right? So this is, you talked earlier about like the lessons that you hopefully learn along the way from failure, everything I'm bringing up, I've done wrong in the past. So at some, at some juncture somewhere
[00:53:38] Dave: Al it's, um, you know, we've both done plenty of early category work.
I mean, S and I was early category security focus was immune. That was, you know, within the endpoint category, but early next gen. And what, um, what's your playbook for, for something along those lines? Like what's what have you, what have you learned on the product side that helps you navigate the early days?
[00:54:04] Al: Oh, wow. I mean, I guess where, where to start with that? Like what. A moment that's identifying the problem space that you think is unique and is under-serviced at the time. Um, I'm in a position with this startup where my co-founder, uh, gene to beer is the person who really sort of uncovered the area that we want to work in.
And I actually spent. I dunno well, over a reasonable amount of time, agonizing over whether whether he was right, because you have to do that. You have to be intellectually honest with yourself about what the problem you're trying to solve is legit. And I was spending a lot of time with potential, um, customers who would just work in a space rather.
Um, and it's all been refreshing that like, not only is it validated, the problem might be bigger than we thought in the past. Um, but it's always looking for a space that, that people are, are suffering. In the industry right now, um, the customer problems they can't solve, it's just, they can't scratch things that they're, that they, that they need software to fix.
I mean, if you take a look at the number of vulnerability assessments, space is very similar to the one I'm in now. And then this is a services led gig. Yeah. People did pen testing and bone assessment. They did it manually. They did it with scripts and they did it by hand. Um, and it was, uh, it was tribal knowledge.
The customer really had no idea how to do this. Um, so they brought in people who had had all of his heart bit and hard won experience, building, you know, doing vulnerability assessment stuff. Um, and whenever you see that, I think there's a place for technology to play a role. Uh, if it services Latin, there's a massive tan that it's growing still, you have to believe you can scale up better with software, um, is, is, is my belief.
Um, and it's, so it's things that scale and things that speed, I think, uh, and that that's like, that's a very broad, right. Cause I'm not sure that actually applied to what we did at security focus there. We saw a problem. We thought was. We were pretty sure that malware would become endemic and that outbreaks would be a serious problem.
And then networks would be riddled with it. And, um, people needed a way to know what was coming and we were right for a period of time. Um, and then, and then the outbreaks, the worms of the world actually sort of started to diminish because they were so loud that the, the people who were deploying and working in the benefit they needed.
So we had to pivot a little bit.
[00:56:18] Dave: If you see a lot of services, interesting place to focus, air of skepticism, even if it sounds good, go out and do the work. Lots of interviews, lots of note, taking, talk to the people, doing the work, where do they have pain, you know, probe for the unsolved problems and, you know, to a certain degree like with security focus, look ahead, you know, have some, take a few chances.
[00:56:43] Al: So if you can look around corners, and I think when you're, when you're, when you're vetting your idea, like be intellectually honest with yourself continuously, don't drink your own Kool-Aid because any of us who do startups, like we love to get excited. I mean, and we're optimists because you would not do this unless you were capable of glass half full, because like, this is not an industry with a high success rate startups in general.
So you have to believe you're capable. Um, but the idea, like you have to beat it up. It doesn't mean don't do it. If, if there's, um, if there's pushback or it's difficult, I mean, shit, it should be difficult. You're solving a problem that someone hasn't solved yet, hopefully, um, or you're doing it better than someone else has.
And there's always going to be pushback against that, but you do have to believe in it and you have to set some high water mark for figuring out whether this is enough to do an endeavor. And, um, because I think that the road to startups is littered with failures of people who did not prove out their.
Um, to, to a reasonable degree. I mean, there's no certainty in startups and certainly if we had crystal balls, we wouldn't be doing them. Right. Um, but it, uh, you, you have to put your work in upfront at least. And that's, as I get older, that's more important to me because I'm less sure of myself than I was when I was 22.
[00:57:51] Dave: You're less sure of yourself now.
[00:57:53] Al: Yeah, I think so, because I know there's a lot that I don't know at 22, I was really convinced. I knew absolutely everything. Yeah, yeah, yeah. That's not my jam now. And I
[00:58:03] Dave: share that. Yeah. What, um, to what extent is your researching this, to what extent do you put value in things like analyst reviews, that sort of thing.
And I realize I'm just throwing a piece of red meat to a carnivorous animal here, but what's your, what, what kind of credibility do you give that? How much, how much do you pay
[00:58:29] Al: 10. I mean, there's a lot to unpack there. I would say if you're doing a startup and you're relying on analysts, you should go back to the job that you have before you did the startup, because they are, they are not a leading indicator.
They are at best a trailing indicator. And usually whatever space they're covering is so volumetrically massive that you would literally need to be blind to miss it. Someone's already been there. They took the risk before. I think that there's sort of two types of analysts that I break out in our space market analysts.
And these are the people that define the marketplace itself and give high level assessments of where the products meet needs, et cetera. They're extremely powerful. Um, for buyers that are in the enterprise specifically that want to use reference guides and need assistance and figuring out what their strategy might be for buying products.
And then there's testing houses. And I think both are important. Um, I'm not sure how important they are for startups. I think you need to be extremely careful about engaging either, um, early, um, on the analyst side of the house. Um, that's a tough one because if you're selling into enterprise at some point, if your space is large and if you're going to get covered by them, um, I think that the danger there is, is, um, It used to be generally speaking than if you were in the space and you've declined an invitation to participate in a review from a market analyst, then they left you B and you are off in your own little corner of building what it is you needed to do.
Um, that's starting to change. And so you're starting to see some market analysts include you in reviews, independent of whether you choose to be part of them or not. And that starts to look an awful lot like extortion at some point, um, because engaging an analyst isn't as easy as you throw a product over the transom and a couple of paragraphs on what you're doing the best.
It is. You have a team of people who work with that analyst full time to make sure that what you're building shows up in the best light and in the way that you intend it to, uh, so good. Did they actually cover, um, reality because a single given analyst is not going to be as expert in your space as you are, or at least most likely are not.
And they're human beings. They're fallible, they've got opinions. They, they many times come from industry. So may have entrenched opinions on the way in. So you work with them, right? You, you, you have to put real time in to get an. I wouldn't say, I want us to get a thorough review, thorough a treatment of your product.
Should you choose not to take parts? The chances of you getting a meaningful review as positive are diminishing. Um, and there's just no other way to look at that and look, the, the analyst houses, they know this, they can't not know it. Um, so they know it and you know, it, you both know it. So if they invite you to participate, you have a choice don't participate and likely get a shitty review from the analyst.
And, uh, and that will affect your bottom line at some point, um, or try to navigate it. It's difficult. It's a really unpalatable, uh, uh, business model, in my opinion, not all market analysts do it thankfully. And some of the very large ones do not cause they don't need to. Um, I hope that's something that changes because it can be the death of a certain.
Um, and then the other, and also the technical ones. And th this is, um, these are like measure the efficacy of my product, you know, AB comparatives or AB tests, for example, in the HIV world. And I think like they have the best of intentions. Um, but the behavior they've driven has been catastrophic for customers at the end of the day.
And I'll use the AB test vendors because they're, I think it's most prescient there, or most rather most important to this conversation is the AAV vendors themselves, at least to a reasonable degree are in the, the, the hot mess that they're in now, I'm watching their fortunes massively diminished and sort of end of empire because they became so heavily focused on the reviews from these reviewers that they stopped innovating outside of the one problem they had to solve, which was find a piece of malware on a disc and convicted.
Um, and they did that in large part because when they took part in these reviews, whether that's AB test or AB comparatives. And this isn't on the testing vendors. This is on the companies themselves. They, when they did it and they did well, they got financial renumeration. That was measurable. If you were at a calmer consumer based Davey company and you crushed an AB test that could mean 25, 30, $40 million extra in that quarter for you that's real money.
Um, so what happens is you start to study for the. And that's all you do. And that's what happened at these AAV companies. They became, they're like, I'm going to kick ass on this review. And that's pretty much all they were doing. In many cases, they had some things that were tangental and I speak from experience.
Having been both McAfee and Symantec at the ha as, as were you at the heyday of this. Um, and so that tunnel vision then led them to building teams that became completely exclusively focused on winning the review. And these became highly influential in the companies that they were situated in and, uh, at the expense of all other vantage points.
And then these other people were looking at it and were like, dude, dude, first off the idea that a 99% rate catch rate on any of these tests, the idea. W real is farcical because you can ask any customer what they're experiencing and it's not that. And even if it was it's the 1% that they give a shit about not the 99 you caught, uh, because that 1% is what leads you to the front page of the New York times, not the 99 other percent.
And so, hence EDR had an opportunity to blossom inside of the end point industry and have ultimately play a pretty big role in crushing these vendors themselves. And, um, so what happens is, is that because there's financial renumeration. You get stuck in it. Now, there are also testing houses for a while.
And actually even quite recently, there were like participate or I'll just review you without my, your, uh, your participation, both you and I have dealt with that directly. Again, that's an awful business model. That's pretty extortion. Like, although I think it's less common right now at this very moment in time, it does tend to pop up.
But if vendors become fixated on studying for the test, the person who hurts is the, is the consumer of the product they're buying because they're not focused on building an actual security product. They're focused on winning a review. Um, and that has to be something people are really conscious about when they look at review material.
I do think those shiny. Um, path out for us though, here is MITRE. I think that's extraordinary. I think that is changing technical reviews in a way that's nothing but positive. Um, because it is, you know, testing methodology is totally public. Uh, tools are public. The schedules is nothing and there's no money changing hands.
This is not a financial transaction as where other testing houses are to some degree. Um, and, uh, I think that they're looking at the entire attack chain as, uh, they're not focusing on one particular part of you getting your environment compromised. They're trying to look as broadly as they can, which forces your product, not to just try to do one thing.
Um, it, which is very helpful. Uh, and so I like, I really like MITRE attack framework, MITRE attack framework. Yeah. Yeah, I think that's been really valuable. Um, and I hope that's the way the industry continues to go. I, I think that the, the, uh, the market analyst houses though, I mean, you know, they need to be mindful that there's another, an extraordinary position of power, uh, and reviewing people without that, uh, without their ability or their desire to take part in it is ultimately, I don't think it does anyone any good.
I think there's a whole lot of Stanford prisoner experiment going on there, um, that probably needs to be examined. Um, and it's an unhealthy dynamic, but as the weather startups spend time there or not, I would say no, no. If the space you're in is being covered at length, you're probably not early. Right.
[01:05:51] Jack: Yeah. I, uh, MITRE what's happened with MITRE in the past several years has been, uh, has been great to see, even though it ruined one of the jokes, I used to tell my friends at MITRE, which was I'm so old. I remember when MITRE was relevant, which was, which really stung for many years. Uh, but now in, in the past several years, that's not true anymore.
They've they've like, oh, they're still MITRE. Aren't they, they can, they can still wake up and it should not be dismissed. And, and between the attack framework and, um, the cybersecurity framework that, that came out of NIST, one of our foundational problems, we maybe have a chance of fixing outside of marketing, which is a common vernacular, common set of words.
Uh, lexicon that at least those of us who actually care can agree on what some of these words mean, which has been a problem that, you know, Bob Abbott and Willis swear, and Jim Anderson said we had to solve before we could move forward. And you know, that's been a problem for 50 plus years. I totally agree.
[01:06:59] Dave: There was one thing you and I talked about before, if we could spend just a minute or two on it, but having done this been acquired three times now, when you go to get acquired, what's exactly going through your head. What's what are the emotions and the things that you go through
[01:07:19] Al: around it? I think, um, so the first time I got acquired was very different than every other time I was acquired, um, which, uh, was, does there's.
Um, Summarize though. I think first there's a, there's always an extraordinary amount of excitement. Let's assume for a minute that you're not selling for scrap metal. And this is an axis that looks good for the, your fear for your employees and for your co-founders and for your investors. That's extremely gratifying.
It's exciting. Um, and, uh, you know, it's a culmination of, of most likely an extraordinary amount of work that was very hard and very ugly along the way to get there. So this feels good and it should feel good. Um, having been acquired a few times, uh, though I will say that the second time and the third time I was acquired and actually the fourth account, um, Sourcefire because I was, I was on the team there that went over as, as, as, um, you know, key men on the deal.
Um, you, uh, there's trepidation involved as well. It's this is, uh, this is about financial renumeration at the end of the day. It's not just about building extraordinary products. Like we, none of us work for a charity. So there has, this has to be an exit for people that are working for you and taking risks.
And it has to make sense for them. They've got to make good money on it. You owe it to them quite literally, but you, when you get acquired things change and they're usually a dramatic change to the world that you're used to living in. Um, you were not the machine anymore. You are not the singular purpose that drove you to the success that you're at.
You're now most likely, uh, shiny cog in a very, very big machine. Um, and, um, you do not get to be at the table to the degree that you used to be. If at all, in some cases you're now an employee again. And so the ability to drive the culture that you loved and build the product further, and you continue to push it down the line.
That's what. Um, to do inside of a publicly held company or a large acquire. And I like your mileage is going to various, some acquirers are much better than others. Just sort of like two ways. They look at it. One is like basic this voter, the conquered, you were too fucking slow and I ate you. Um, that's not an environment that you want to end up in.
If you get acquired, I promise you this. Um, and the other is like, oh my God, you, people are so smart. I want to work with you. That's where you want to be. But remember, you're coming to that party as one of many, not one. Um, so your product, you know, it takes a, hit your vision takes a hit there's people who, who see their product get acquired.
That thing, they love it almost always been, it's like, oh my God, they got bought by ABC. And that company is going to kill my product. That's true. They most likely are going to change that thing. Maybe not kill it, but they're going to change it, things about it that you loved are likely to change and working there.
That's a, that can be a huge disappointment. So you have to factor that in as a founder is specially. Um, the financial renumerations, um, that's one consideration and, you know, to be totally honest, it's almost always the primary consideration. Um, if you're lucky enough to have competing bids during an acquisition process, uh, I would say that, you know, all things being equal, go with the one that you think will continue the vision of your product, and there'll be a good place to work and do not believe what you're told during diligence by the acquire.
None of them are going to present who they are. Uh, during that process, talk to people who have been bought by them before, take a look and see how many founders are still left in the business, see what roles those founders have in the business and whether they're driving or whether they're taking instruction.
Um, and that, that's a, that's a good way to figure out, um, you know, what kind of home you're you're headed into. And I would say the other thing, and this is important is look to see if that company innovates or whether it be. Because there is a difference and it's not necessarily a bad thing to go to a company who's inquisitive by nature.
Um, rather than building their own IP, then they can do beautiful things with the things they buy. But if they, I guess the distinction is, are they a distribution company or are they a software company? Because a distribution company buys products that have a groundswell of support already and some level of momentum and they put them in their distribution network and they can sell the shit out of them, which is great.
That could be good outcomes. Um, but at some point you become, uh, you become, uh, you become really, you end up in a place where you're like, okay, well, can I build something new? And if that's not their DNA, because they acquire by nature, you're going to be really stymieing and difficult to be unhappy, um, as work for people that are companies that innovate, they buy sparingly, um, or they buy to augment things.
They build. That was a huge difference, a huge difference in the funding envelope once you arrive inside and then you and I have both been through this adventure, right? So be thoughtful if you're lucky enough to have competing bids. And in many cases, that's not the way it works. You end up with one acquire, who's got a great deal on the table.
There's, doesn't have to be two great deals for you to review. Um, and at some point you have to also, you know, you sign a no shop. Uh, you get stuck in it at a stage during your acquisition where you're not able to get more traction at the table. So I think if you're in the place where you're selling, try to generate as much interest from other parties as you can.
Um, so you end up with the best deal right now, financially and the best home to land in, uh, and stay in, uh, because it can be grinding as a founder, which is one of the reasons so many founders quit. I don't think it's always about the pursuit of money. Um, it is the dentist's realized that they're in a home where they can't do what they're best at, which is building new.
[01:12:42] Dave: You know, there's we normally do a speed round. We don't have time for it. And I think that's a brilliant place to end anyways. Yeah, this has been awesome. Thanks so much out. It was, it was worth
[01:12:54] Al: the wait. Yeah. Well, thanks for being so patient man. And thanks for your time today, guys. I hope. Hope everything's going well outside of the podcast.
[01:13:02] Jack: Yeah. Well, thank you so much. This was great. This was another one of those, uh, that we've done several of, which has great insights into building companies and financing companies and, and, uh, really appreciate your insights and taking the time out. Thanks
[01:13:16] Al: you. I have an awesome week, Mr. Cole. I'll talk to you soon.
Thanks again for the time.