Designing Category Smashing Businesses with Oliver Friedrichs (Phantom, Pangea)

For the second episode in a row, we’ve caught a seasoned entrepreneur at that perfect moment when they’ve started a new company but still have time for a conversation before their new adventure kicks into high gear. Oliver Friedrichs, founder of several security companies including Immunet and Phantom, joins us to talk product strategy as he embarks on a new journey to disrupt the security industry once again with his new venture Pangea.

The most critical, first question for any young company is “what are we making”? And equally important is the follow-on question of what category does the offering fit into or how should people think about it? Is it a better version of something that exists? A new type of something that’s meaningfully different? Or is it an entirely new category of product they’ve never seen before? 

Oliver and Dave discuss examples of each type of strategy from their own experience and the industry in general. The “better mousetrap” approach is covered with examples from antivirus and more recently cloud security posture management. We discuss when it is a good time to “next gen” a category to revitalize it and return it to growth. Examples here include Palo Alto Networks firewall and Vulnerability Management (from its early days as vulnerability assessment). Oliver and Dave call out the fatal mistake so many market incumbents make that results in them missing out on a refresh cycle.

Creating new categories dominates our conversation and we explore Oliver’s case study of Phantom in depth. We start by explaining the core principles of a new category and lay bare some indicators that a product group hasn’t yet made the leap to a full-blown category. Oliver then shares the spark of an idea that led him to found Phantom as the first SOAR, followed by how he built the boundaries for their product and ultimately the companies that followed their lead as the first mover. While most of our time is spent discussing what worked and didn’t from a product perspective, Oliver also shares his go-to-market playbook, including what he will avoid this time around and what he intends to do again with Pangea.

We wrap up with a quick look at the future of SOAR and Oliver shares an early peek at what he’s building now at his new company. This episode is perfect for early cybersecurity companies looking for product advice, product professionals wrestling with category questions, or anyone who wants to listen in on a dialogue between 2 industry veterans geeking out on product.

Meet our guest

Oliver Friedrichs

Founder and CEO, Pangea

Friedrichs serves as Founder and CEO of Pangea. Prior to Pangea, Friedrichs served as Vice President, Security Products at Splunk, driving the vision and direction of Splunk’s security portfolio. With a record in building four successful enterprise security companies over the past two decades, Friedrichs founded and served as CEO of Phantom (creators of the SOAR category, acquired by Splunk), founder and CEO of Immunet (early innovators in the cloud EDR category, acquired by Sourcefire/Cisco), co-founder of SecurityFocus (creators of Bugtraq and DeepSight, the world's first Internet early warning system, acquired by Symantec), and Secure Networks (one of the industry's first vulnerability management solutions, acquired by McAfee). Friedrichs also architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and a recipient of 33 patents.


[00:00:00] Dave: Oliver, welcome to Security Voices.

[00:00:03] Oliver: Thanks, Dave. Thanks for having me.

[00:00:04] Dave: You're phoning in from Tahoe, like so many San Franciscans who have not abandoned the city, but taking a break from the city as it goes through its zombie phase. As the people in our company have been calling it, the zombies that walk the streets of San Fran, it's a strange new world.

That's for sure. You know, like a lot of folks I, uh, happened to evacuate to Tahoe back actually in early 2020, right. Just before COVID in fact and have, uh, been stationed out here ever since.

The city is looking better. I go out there probably once a month or so. And there's people back in the streets, the zombie thing is in jest.

There's some areas that are still a little rough, but it does feel like it's recovered. 

[00:00:48] Oliver: Yeah. Yeah. That's what I hear. It's great. Great to hear. Maybe not as quickly as New York, but San Francisco is its own animal, a great, great city. And really like to see it come back.

[00:00:58] Dave: It was somewhat funny to hear all the people who were decrying the demise of San Francisco and saying that well, Silicon Valley is not what it used to be.

It's not the throbbing heart of tech and so forth. And I just think it's nonsense. The ecosystem is so strong and so powerful there, it's just a thing. It's a phase. The heart of the tech industry is, and will be San Francisco in the Silicon Valley, such things like that. Just don't change that fast.

[00:01:27] Oliver: Yeah, I agree.

And in fact, you know, as we talk a little bit more about what I'm doing next, we've seen a lot of folks move out of the area, whether it's to Austin, to Colorado, Washington, other states, or even Nevada for tax purposes. The other reason was largely for compensation was at one point an advantage in a lot of those states and a lot of those cities, but we've seen that level off, especially with the remote work from home movement. Compensation really isn't the motivator anymore to leave the Bay Area.

And so we see that as it's just a key stable proving ground. That's not going to change, you know, you still have all of the FAANG companies located there with their primary headquarters and that's, that's simply not going to change anytime soon.

[00:02:17] Dave: All right. So last week you had the team over in Palo Alto.

If I remember correctly, not in the city, but away from the zombies in the peninsula and. How is it being back in person with a team again? Now this isn't the first time he had done it. You guys have been quietly kind of starting Pangea use or have been a few others. Was this onsite number one, number two, number three.

How long have you guys been doing this? 

[00:02:45] Oliver: Yeah, that's a good question. I thought I'd say this as, this was our third onsite with folks flying in from around the country to meet in person, but a lot of folks are working from the office in Palo Alto, you know, with the mask mandate, dropping with the ability to work from an office.

A lot of our team is happy to go back to a place where they can focus, collaborate and engage with the rest of the team. You know, this remote work has its advantages, certainly in some situations, but work when you're in an early stage company and you're trying to innovate and you're making decisions and even design and architectural decisions on product super fast, nothing can really compare with the speed that you can execute when you're face-to-face in a conference room, able to whiteboard and really hash through these things.

[00:03:33] Dave: Yeah, we're we're remote first as well. And our team onsite is this week here in LA. So it's absolutely essential. We used to do every month in the early days before the pandemic hit and you're right. I mean, there's good white boarding solutions for remote white boarding, but there's no substitute for getting together in person for building trust for doing real deal, whiteboarding planning, you know, building those team dynamics, the softer team dynamics and so forth.

There's there's zero substitute. I think there's a lot of people who had this mistaken impression that, oh, remote means we don't get together in person. It's like, no, no, no, no, no, no. Remote means it's actually more important than ever to get together in person. Just not all the time.

[00:04:18] Oliver: Yeah, absolutely. I don't think there's a replacement for in-person collaboration.

And I think, you know, some companies are starting to see that. Goldman Sachs is demanding everyone return to work five days a week, starting, I think it's in April, right? So I think different companies have different beliefs and it's going to be interesting to see how this really pans out. I mean, we're still probably half remote and half in person in Palo Alto.

You know, we're, we're not simply trying to hire as fast as we can. We want to hire the best people for the right role in the right place. And sometimes that means they're not in the Bay Area and they're not in Palo Alto, but they still need to visit. And we still need to meet once in a while to be able to get things done.


[00:05:00] Dave: You set your boundaries. Do you set your boundaries inside the continental United States or is it actually broader than that?

[00:05:08] Oliver: Yeah, so we're actually looking at other countries as well. Argentina, Spain for engineering. Those are both proven to be great international locations, both from an economical standpoint, but also just from a talent standpoint of the caliber of engineers that you can find in those countries with relevant experience in our case, in cybersecurity. So we're not opposed to looking at those at those areas, but certainly given some of the work that we do is, is sensitive and should be government related as well at some point.

So our core engineering team is still very US-centric. Canada is another location that has always been where we've worked in the past. We've had offices there in the past. I know your last guest Alfred and I have worked together extensively and in the past had engineers in Calgary and in up in Canada and other locations.

Um, again, great, great resource and a great place to have either a primary or secondary engineering office. 

[00:06:07] Dave: It's interesting as well. Running a company got a lot easier when you could lean on a PEO like Justworks or a Sequoia or so forth. These companies that basically serve as your HR and that made running a company a lot easier inside the US. You didn't have to work through benefits brokers and deal with all of this stuff.

They take it off your plate and hiring internationally now has gone through a wave of becoming easier too with companies like Deel and Oyster and so forth who will handle a lot of the nuances of employing people internationally. It wasn't something I was aware of even a year or two ago, but my, my mind it's gotten so much easier to hire people abroad now.

[00:06:52] Oliver:

Yeah, it really, it really has. I think for Canada specifically, there are PEOs like TriNet and others that will allow simple, quick onboarding of folks in Canada for something that other countries we're still looking at, contract work for the most part, right? As, as a small startup, you know, we're typically not forming entities in those countries since that's obviously beyond the scope of what we're able to do or interested in doing at this point.

But, but definitely having, you know, great contract workers with teams you may have worked with in the past, right? That you trust and know that we'll we'll ramp as you grow and as you need to grow and also can get the quality of work done again, in our case, in cyberspace.

[00:07:34] Dave: Let's switch gears a little bit.

And for those of you listening, are you thinking, oh, damn, this is going to be another podcast about starting a company and all the mechanics and the product side of it. You are absolutely right. So if you're not game for a product geek conversations, startup conversation, this would be a brilliant time to step out of the podcast.

And we're bummed Jack can't join us today. He's got last minute prep and mayhem for ShmooCon. So tip of the hat to Jack, wish you could be here, but other obligations to the community. And I'm sure he's, he's pulling ShmooCon together with force of will right now and helping other folks so bummed that he can't be here.

It does mean that we will descend to the very depths of product dorkery here in ways that only Oliver and I typically do over a bottle of wine. So here we go today. It's it's water and kombucha. Um, I'm not sure if that'll make it better or worse, but it'll happen either way. All right. To start out.

Let's talk about categories now. You're about to embark. You've done a little bit of everything. You've done category creation before. I think I'd say like SecurityFocus was partly category creation and what you guys did with DeepSight way back in the day that Alfred talked about, you've done Immunet, you did Phantom, quite famously a new category.

That was one of the first entrants into SOAR. Let's talk a little bit about the different types of product strategy, which seems incredibly germane as you get ready to start a new company as you've started a new company with Pangea. So let's talk for a moment about the first type and there's three. The first one is when you play into an existing category with a better mouse trap, what comes to mind?

When we talk about the better mouse trap type stuff, 

[00:09:24] Oliver: everything is always cyclical, right? Like every few years there's a new. Set of technologies. And as a result, the attack surface changes, right? So as compute evolves and compute changes like the most recent major evolution, obviously being the cloud, the attack surface changes, right?

So at that point we usually see the re-emergence of traditional technologies in like a new form factor or with some new feature set that caters to these new, to these new technologies. Right? So with cloud, we've seen the movement of network-based detection technologies evolve. We've seen malware-based detection technologies evolve, basically every fundamental security technology that we used to run on Windows and other server based platforms had to change to adapt to this cloud movement where we no longer own the data center.

We no longer own the infrastructure. That's one change that I see where there's always opportunity in it. And it's always like, there will always be opportunity as the core compute platform changes. Right? And then you have new companies that evolve every five to 10 years because of that. And they become very successful.

And typically the companies that were part of the last evolution of compute have matured, they become big and slow. And so they're ripe for disruption, right? So I'd say that's the cycle that keeps happening in the industry. The second one is where you have new technology that allows you to deliver existing products in a better way.

Right? So, you know, as we heard from, with, with Alfred, at Immunet, what we saw as the opportunity to build a cloud based anti-malware company, leveraging real-time cloud lookups, whereas in the past, when you and I were at Symantec, we were pushing antivirus definitions to the end point every hour, right?

And that thing got unpalatable, like you cannot continue doing it faster and the amount of data we're pushing wasn't tenable anymore. Right? So the cloud allows us to change that and flip the model and make it much more efficient.

[00:11:21] Dave: What's interesting to me is just to give a super concrete example, even within cloud, we're talking about.

The first real public cloud service, Amazon S3 going back to 2006 cloud has been around long enough now public cloud services, infrastructure as a platform platform or infrastructure as a service platform, as a service. Now we've seen iterations and kind of the categories kind of iterate and people come out with better mouse traps inside cloud, right?

Take CSPM, cloud security posture management. You had the early companies in, CloudPassage, you had RedLock who now are the has-beens right? It had been two of those have been subsumed into the monster that is Palo Alto Prisma, but you see companies like Wiz and Orca and others come out that are super capitalized in order to bring in this new round of, of innovation into an existing category.

You know, they kind of thank you Palo Alto for your investment and creating this category. We'll take it from here. And of course, Alto's putting up a hell of a fight, has competitive products there. But I think this is also why these existing, these better mousetraps, which are attractive businesses, lots of times, these are super well capitalized companies in Wiz and Orca and some of their other brethren, Lacework.

And JupiterOne, I think go into that too. And part of the reason they're well capitalized is they have to be because they have to compete, they have to displace and compete and get their voice heard above the clamor when you compete the likes of Palo Alto Networks and so forth. So it's an interesting strategy where there's, there's plenty of innovation.

It has serious constraints on it. Like you can't bring the proverbial knife to the gunfight if you're competing against incumbents and trying to get people to switch.

[00:13:18] Oliver: Yeah, totally agree. And I think, you know, there's always the notion of first mover advantage, right? Where if you can get to the market first with a new idea in, let's say a new category.

Then it's yours to lose, but if you get acquired and you get sucked into a much larger company and you don't have the ability to keep innovating at the same pace that you were before, right. Someone can come along and disrupt you. And that's, I think what's happening here is that, you know, a lot of the first early movers have been taken out and now there's like second and third level entrants that are disrupting the incumbents much sooner than you would typically see in a market like this.

[00:13:54] Dave: Yeah. The cycles are definitely going faster. So when people say that, oh, well, it's a better mouse trap. It's just like a better version of the old thing. That's not a bad thing. It's a very viable strategy. It's much lower risk than a lot of, than a lot of the other strategies that are there.

But it does, I think have stricter capital requirements. And, you know, it has implications for not only how you build the product, but I think heavily on go to market. I think there's very little forgiveness on the go-to-market side. If you're going into an existing category, you've got to get it right.


[00:14:28] Oliver: Definitely. And, and you know that the addressable market, fortunately at that point has been proven, right? Someone else has paved the way for you to demonstrate there's a need, there's at least some basic requirements on what a product or an MVP in that category needs to do. Analysts may be tracking it and they have their own ideas, whether right or wrong on what these products should do.

Um, so it's really up to you at that point to come up with a better way to do it, whether it's more efficient capital wise and cost wise for the customer, it delivers better security, or it just uses a different model or different approach than the traditional guys are using. Right? There's yeah. There's lots of examples of that happening.

[00:15:06] Dave: Yep. So the next category is strategy. Let's call it number two would be to refresh a category. And this is the, the infamous next gen. It's just like this other thing, but it's the next generation. And a couple of things come to mind with this. Like the obvious one is what Palo Alto did to use them. As an example, this time on the positive side, you had this dead category of firewalls. Check Point, you know, they were, they were sort of the scion of the first generation of firewalls.

They were the big success and there was a bunch of others, NetScreen came in, SonicWall at the lower end and so on. And then it became conventional wisdom that it was just. Like there's nothing happening in this firewall space and comes Palo Alto next gen firewall, all few go. And to a certain degree, we saw this with endpoint.

We've seen it with web application firewalls. I'll never forget a conversation with Andrew Peterson where I asked him what the turning point was with their product. And when they started to really get traction, it had nothing to do with the technology. It was when they stopped fighting calling themselves the next gen WAF and just accepted the fact that it was the next gen WAF.

And everyone looked at it and said, oh, well of course it is. Like the temptation was to call it real-time application self-protection or RASP. But at the end of the day, the way that people thought of it, it's really just this next gen of this other thing. It's a refresh or revitalization strategy. And it's a very viable strategy when you get some of the goodness of a new category, but you also get some of the familiarity and budget stealing from the existing category.

How do you think about a category refresh?

[00:16:48] Oliver: Yeah, no, I think you, you know, Palo Alto is a great example as, as CrowdStrike and a number of other companies, right. That have come into spaces that were well and long established. You know, sometimes it takes some of the older players getting long in the tooth and you're not innovating as quickly.

Right. Because the ideas that the newer players come up with really aren't rocket science, right. It's not like nobody's thought of this before, which is the case for most companies. Right. It really takes someone to execute and to do it. But look, it requires additional level of, I think, a layer of computer science, right.

That didn't exist before, like looking in, in Palo Alto's case, looking at the application layer versus just the TCP/IP, was something that wasn't really being done. And as obvious as that is right, we all know the OSI multi-layer model. There are layers above TCP and IP, and, you know, if we can filter out the application layer, that becomes a super valuable feature.

And if we can do that efficiently at line rate at high speed, you know, multi-gigabit, uh, rate which Palo Alto proved they could do, then that's something that people would really want, especially as the internet has largely become layered on HTTP now, right. Or HTTPS. Right. So looking at that, the packets and the protocols below that and the application layer becomes absolutely necessary.

Like I can't even think of firewalling anymore without looking at the layer above HTTP, slowing, you know, are you blocking Facebook? Are you blocking Twitter? Are you blocking other sites, uh, from your enterprise, for example. And so that typically comes with the evolution of the internet and the technologies that we use on the internet as well.

So that's kind of a good example of where the target moved and the, the attack surface moved. So we had to dig deeper and go further. And Palo Alto was the first to see that movement, I think, and definitely caught Check Point off guard.

[00:18:43] Dave: A lot of times, I think that changes required by a category refresh to the incumbents.

It just looks like a feature. It's like, ah, you know, they're not asleep at the wheel. They see it. And they're like, there's a new feature here. We should probably add at some point. And then the feature gets bigger and bigger. The gap gets wider and wider until you realize like, no, this is a full re architecture and a substantially different product than what we have right now.

And we saw this with endpoint, definitely. I mean, I'll never forget that the tail end of my time at Symantec, I had a few awful months where I was responsible for the enterprise products, having, having done consumer for five years. And I wondered what the problem was and realized that a lot of the innovation on the consumer side never made it to the enterprise product.

They were never forced to take the engines. And as a result, they weren't getting the latest updates and so forth, but also, there was this meaningful difference, which I don't think looked that important to Symantec at the time. And it was a switch from importance of malware to APTs, to human based attackers and all of these attacks that were non-deterministic where you couldn't just say, eh, it's a Trojan.

It's like, no, no, no, no. There's this pattern of behavior that looks like an adversary inside your environment. And it was the combination of just all this stuff. Accumulating, lacking efficacy on the AV side, in the real world, even though the test looked fine. And then also the failure of this human context.

So process execution, metadata, and the rest of it. And it just built up until there is this palpable throw out the bums movement where customers were just fed up and said, you know what? There are so many alternative things out there. There's so many new players. I'm going to take a look. I don't care if they have all these, if they did great AV-Comparatives, I don't care if they'd had great AV tests.

I just know I don't want this anymore because it's not keeping up. 

[00:20:44] Oliver: Yeah, that's a great point. And I think the interesting thing there that dynamic too was the consumer business was so different from the enterprise business, right? I think the enterprise business, there were really only a couple of options.

The other being McAfee, so to win a deal in enterprise was a battle. But once you won it, that customer was largely locked up for years, if not decades on your stack. Whereas the consumer business is hyper competitive with literally when we did Immunet back in 2008, there were, there were 50 plus antivirus vendors in the market in the consumer space.

How do you differentiate yourself? You had to be hyper competitive and move fast and be super aggressive with new technologies. And, you know, we don't see that as much in the enterprise. Consumer moved so much faster. And I think that's another reason why you didn't see that kind of movement from the consumer tech stack to the enterprise tech stack in that.

[00:21:41] Dave: All good points. So that brings us to our last strategy and one, you and I have done a few times. And what someone says is the hardest, which is creating a new category. So the never seen before thing that doesn't quite fit here, it doesn't fit there, which has all of the challenges that go with that, figuring out what are the boundaries for the product, like, you know, narrow in on that need.

What's the customer pain point. Now, like, what are the boundaries for it? Like where do you stop and where do you finish? How do you market this? Like how many, which pain points do we absolutely. There's probably like 10 pain points we can hit. Which ones are the real pain points, the pain killers, the things people have to have versus the nice to have kind of vitamin where I'll get to it when I get to it, which probably means never.

How do you market it? How do you market to something that someone doesn't have a budget for and hasn't bought before and so forth. And I think the example that we'll dig into here and use as a case study, one of the big ones is, is Phantom with what you guys did with SOAR. But what are some other new category examples that you had used?

What are some of your examples? Either recent or historical?

[00:22:54] Oliver: I would say I've been involved in just the one from the start, which is the SOAR category, you know, it's. Well, I'd say some of the past companies we've done new and interesting things. I don't think they've created categories that Gartner and others would define as an actual unique, unique category.

And it's, it's unique to be able to do that. I think, you know, you might be able to do that once in your career to actually create a category. Like if you could go back in time and say, you know, a gentleman named Marcus Ranum gets a lot of credit for creating the firewall back in the early nineties, late eighties, perhaps even, you know, that's, that's a unique opportunity to say that you did that.

And then the rest of the industry has built on your initial work and design work and invention. It's really rare, I think, to be able to do that. And it happened for a lot of folks that never happens, you know, it's, it's like it took us three other companies to get to one that actually, I would say was a new category in the SOAR space.

And then finally for Gartner after years of us building on that space, finally recognizing it, and they came up with the word SOAR, we didn't call it SOAR, security orchestration, automation, and response, but they finally saw it as important enough to label it and start tracking it.

[00:24:08] Dave: Yeah, it's interesting.

I mean, just because it's new doesn't mean it's a new category. If we go back, Foundstone, our insight there was that vulnerability assessment needed to turn into vulnerability management. People were treating Internet Scanner at ISS, CyberCop at McAfee as these point and shoot scanners. There were things that a consultant did for you.

And that maybe if you had a big team, you ran every now and again. But there was no systematized process. It wasn't an operational thing. You did all the time. Look across your environment for vulnerabilities and kind of manage your security posture proactively. It just didn't happen. I would say like at Foundstone with vuln management later with Qualys and other states that was the category refresh.

There was budget already there, somewhat for vulnerability assessment. There is regulatory drivers that came in or compliance drivers with PCI. I don't think what we did there really was new category creation. It was really a refresh of a category. They'd gotten a little long in the tooth, a little tired and we significantly iterated it towards an operational discipline.

What else would you say? Like was a close, not quite like, how do you look at what you guys did with SecurityFocus and DeepSight?

[00:25:25] Oliver: Yeah, that one, we could potentially call it a category creation. Although, you know, you could say that that was the, a really early example of threat intelligence. Right. We were collecting global telemetry from around the world from sensors, firewall sensors, correlating that, running analytics on it and detecting global worm spread super early on.

And that didn't exist. But I would also say it hasn't become even to this day an official category, right? Like I don't think the analysts see it as such, you know, they haven't really labeled it. I would say it falls under threat intel perhaps. And we were definitely at the, at the forefront of threat intel, right.

Bugtraq was the preeminent place that you would go to find out about zero-day vulnerabilities and about new bug disclosures. And it was very controversial. Like this was long before responsible, full disclosure. It was super controversial. So was that a new category? Well, people were already disclosing vulnerabilities before that, but we kind of packaged it in a way that allowed enterprises and others to access the data.

Very easily. So it's, it gets a little blurry, right? I think, yeah. What I would say one distinction is when you have a fundamental new engine technology that didn't exist before at all, that's clearly a new category. Like whoever invented the first antivirus scanner, the first firewall, the first web gateway and so on, right?

Those are foundational core security technologies that didn't exist that have since become categories for which people allocate budget specifically for that product. Right. And it's, and it's a new product. 

[00:27:07] Dave: I think there's products that are trying to create a new category that don't necessarily fit the bill.

But then there's legit new categories, which implies that people create budget for it. There are people who have a discrete and clear responsibility for this thing. Like the product is a foundational tool in their tool belt, and they have a clear responsibility for it. Analysts start to cover it.

There's plenty of VC funding flowing into the space there's products that are long lived and getting better. I think those are some of the criteria here. So while there's a lot of things that emerged that train. Uh, category, there's a requirement for a ground swell of these other things for it to actually be successful.

And I do think it's interesting. I've been watching the deception category and I saw Attivo recently get acquired. And of course we've had Haroon of Thinkst on. And I've talked to some of the other players in that space. And one of the, one of the conversations I had with, um, with one of the companies, is they're saying, oh, this is deception 2.0, this is the next iteration of the category.

And the whole time I was thinking. Nah, actually, it isn't like, this was never a category before. There's a few products, but they all sucked. And we had, at Internet Security Systems back in the day, we had a deception product. We had a honeypot, just never took off. It wasn't that useful. Wasn't that interesting.

And it, the whole category, which wasn't even really a category, it was just a set of products that nobody really used bumped around for a long time, until really Haroon with Canary gave people a great product, low price point, free entry point and kind of built some real support. And then he saw money flooded in with companies like Attivo, Acalvio, TrapX and a few others who tried it out.

And I still think today, like, is it a category? I don't know. I mean, it's, does it, does it meet the requirement of having a groundswell where it's legitimately different and interesting, and it's kind of broken out by analysts and there's people who use it as their foundational tech as part of their tool belt.

What do you think?

[00:29:21] Oliver: That space, like you said, has been around for a long time, like yourself. When we were at McAfee in 98, we built something called CyberCop Sting, which was fundamentally based on honeyd, which was built by Niels Provos a long time ago in the mid nineties. Right. As open source. And so that's, I would say the first example.

Of honeypot technology. And then at Symantec, we acquired a company called Recourse, which, which also had a company, a product called ManTrap, which was just starting to see a little bit of adoption, but their main product was an intrusion prevention system or IDS or IPS, with ManTrap not, again, seeing the majority of, of revenue in that case.

So there's been many, many years of innovation. And what I think it really took is for things to get bad enough and just for shit to hit the fan where like you have no choice, but to start using some of these approaches that traditionally were largely discounted or, you know, people weren't willing to allocate budget.

Right. It was like, okay, how bad do things have to get for me to now start distributing honey tokens around my network. So I can see if someone got in versus using traditional detection technology. Right. And I think it's a symptom of like how bad things are today. But also these technologies, look, they've advanced dramatically from the late nineties, right?

When, when you and I were working on them and they've become full-scale enterprise products. So I think today they're distinct enough where I probably would consider deception being a category that's different, you know, whether or not it provides the same value as other categories, I'd probably say probably not.

Right. That's why it's taken so long for it to get to where it is. 

[00:31:06] Dave: We'll get into a full-blown new category case study in a moment, but just to close out on deception, I think one of the things that happened is security has become so less deterministic than what it was before. We have security operations centers now in almost all the big companies that are more mature and they don't expect to just like monitor for AV alerts and firewall logs. They're hunting. You know, sometimes with help from others, but there's actual teams that are hunting and looking for signs of human attackers. And in those instances, hunting pots, let's call them that are deception tech can be incredibly useful if someone's going after one of those targets, you know that they're not going after the legit resource. That's pretty cool. You can understand the appeal now that people aren't expecting, you know, to see honeypot alerts right next to like firewall and IDS. It's like, no, no, no.

I'm seeing that as part of like a series of moments that I'm tracking for my EDR, my NDR and everything else. And now they hit this as part of like a sort of a kill chain of events. It makes sense. We have the people who are looking for it now, and there's been this movement towards actually hunting and chaining things together, which just didn't exist before.

I think also cloud makes this super interesting. See an attacker, move them into the cloud. Why not move one, one area kind of seamlessly into another area and kind of quarantine the actions there, like stuff like that's possible that just wasn't before. And I think, um, you know, kind of going back to it, these changes sometimes are small and sometimes are just huge in terms of the implication and can give birth and, or at least a groundswell of support to something like this that it just didn't enjoy before.

[00:32:51] Oliver: The false positive rate is low. The false negative rate is, is high. So the ability to detect an actual intruder using that approach right, is, is very valuable. Especially with SIEM itself has flaws right in the number of alerts and that we're collecting today from all of our devices, make it nearly impossible to see everything.

So as you mentioned, right, it's deception is very deterministic. If someone hits a device they shouldn't know about, that doesn't have any critical data on it, and they get in, right, that's a warning sign, you know.

[00:33:24] Dave: When you ask yourself, okay, so how has Thinkst gotten the bulk of the share in the deception space?

And I think the innovation there was consumer like usability. They made it super easy just to try and, you know, and the argument was kind of what you said. There is like, Hey, this is crazy deterministic. You're monitoring for people-based attackers. Now you can put this in at a super low cost, with very little energy, with great customer support behind it.

They're just a lovely group of people who care deeply about their product. Why wouldn't you try it? Why wouldn't you at least give it a shot for a small amount? And they do the classic land and expand. And I think all of that is kind of what it's taken for us to get to this point to where we're even able to have a conversation about the possibility of a deception category.

Some of it was obvious. Some of it wasn't obvious at all. Yeah. 

[00:34:16] Oliver: Oh, good points. 

[00:34:17] Dave: Yeah. All right. So one of the biggest categories to emerge and be recognized by the analysts and to be widely deployed and used and to not just result in one really big acquisition, but several is SOAR. And let's see if we can, if we can define this properly, I'm going to hurt myself.

It's security orchestration, oh God, this acronym for me. What's, what's SOAR stand for, Oli?

[00:34:43] Oliver: Yeah. Telling me about it. I didn't invent the acronym. So a security orchestration, automation and response is the official name. 

[00:34:51] Dave: There you go. It's about 30 syllables. So you started Phantom. What year did you start Phantom?

[00:34:57] Oliver: Mid 2014 is when we first.

[00:35:02] Dave: And when were you guys acquired by Splunk?

[00:35:05] Oliver: Early 2018. So about four years, four years after starting.

[00:35:12] Dave: Got it. And one of just an amazing acquisition, you guys built something really special with Phantom and we want to do is on the cusp of you going into arguably another category creation company with Pangea.

We want to break apart the Phantom case study. And first off, let's start with, where did the idea come from? So given that there isn't budget for this, there wasn't something else that you could kind of play off of. Where did the concept of Phantom come in and you had been inside Sourcefire at the time, right?

[00:35:45] Oliver: That's right. I, well, I was, I was part of Sourcefire. We had just gotten acquired by Cisco and, uh, I had about a six month transition period. So I was just at, I was at the very end of that on my way out of Cisco with no future.

[00:36:02] Dave: Basically none whatsoever. They didn't offer you anything. 

[00:36:07] Oliver: Interesting. Okay. No, look, I, uh, Cisco's a great company and you know, it would have been a great place to stay, but yeah, I was fortunate, maybe fortunate or unfortunate, right.

To transition and to, to move on after, after Sourcefire, you know, both great companies and a lot of great friends are still there, the plan was to move on. They didn't necessarily need me at that point in time and I was happy to, to figure out what was next.

[00:36:34] Dave: So where did the idea for Phantom come from?

You'd been inside Sourcefire. Presumably you've been talking to customers. You were inside Cisco for a hot minute. I'm going to go out on a limb and say that your idea for Phantom didn't come from here, your time at Cisco, where did the concept come from? Like where did you get the seed of the idea and what did you do to water it?

[00:36:54] Oliver: And this is really interesting. Literally the day after I departed Cisco, I went to a conference in Silicon Valley called SINET, the Security Innovation Network, run by a gentleman named Robert Rodriguez, who I know you're familiar with as well. And I had an opportunity to meet with the NSA and it was a really short meeting about 15 minutes, and it didn't have an agenda other than, Hey, what, you know, what's important to you now, what's important to national security.

If I wanted to build something, how could I help the country and help defend our freedom? And the interesting thing is they started walking down. This idea of they called it integrated adaptive cyber defense, and it was more of an idea than it was a product that existed at the time. And it was about the fact that we have so many different security technologies that we've created now that don't talk to each other.

They don't inter-operate, they don't work as a consistent holistic platform to defend the organization. You know, whether it's a government agency or an enterprise. You know, how can we glue them together in a way that would make them more effective in defending ourselves? So in what was literally a 15 minute meeting, you know, I walked out of there thinking, wow, this is, this is big, you know, while they may not be able to visualize exactly what this should look like, given my product experience, I was able to walk away and start thinking, how, jeez, how would I build this?

Like, what would this actually look like? Like how could I tie together the firewall with the end point product, with threat intelligence and numerous other technologies to actually build what's essentially automation to automate a lot of these products to be able to defend yourself more effectively.

So again, SOAR didn't exist. That name didn't exist. We were calling it security automation at the time and really started thinking about, okay, what would a platform like this need to do. Well, first of all, I would need to integrate with other security products and do products have APIs? At the time some products had APIs, others didn't, right.

Like at the, at that point in time, APIs weren't a requirement from the buyer in a lot of cases, until years later, when the big banks said, we're not going to buy your product, unless you have an API that we can integrate with. Right? So the APIs were a huge requirement to do this. And we really started formulating, you know, how would we build an engine that tied together multiple products?

It probably needs some scripting or programmatic ability or a visual ability to create workflows like a BPMN editor that would allow you to stitch together inputs from one product to the output of another product, to be able to do activities sequentially. Right. So we kind of conceived the idea of this automation engine.

That would take, let's say a threat intel indicator, query your SIEM to see, have you seen this event anywhere in your network and then talk to if, and if you have seen it, figure out which end points have actually seen it, then talk to the end point product to see, does this file actually exist or is there a process communicating over this, to this IP address or this port or this protocol, and then talk to the firewall to block it and then talk to a forensic tool to snapshot the end point or a NAC tool to take it off of the network.

Right? So, so these are things that security analysts have been doing manually for decades, right? It's not like this is new, the actual re you know, the actual response is new, but the idea of like stitching these actions together, wasn't really something that had been done before. We did find interestingly enough companies that were at the forefront of security that were writing Python scripts to do some of them.

Right because there wasn't a product that they could buy that allowed them to do it. So they would build entire products that did this. You know, Netflix was one of them that had some internal technology to execute these types of responses really, really fast, but they didn't have, you know, there wasn't, again, a commercial product or even a category.

This was really, really kind of cutting edge stuff at the time. 

[00:41:18] Dave: And it's a little bit of a non-sequitur, but we noticed this as well at Open Raven where we found out early that Airbnb had a project called inspect and it was pretty similar in a lot of ways to what we're doing at Open Raven. And there was a similar one at JPMC where they call it security rules or like data rules, I think is what they called it.

And to me, from a category standpoint, you look at that and if these brilliant. Companies are building something substantial to solve the problem. I think as a, as a young company or entrepreneur, that should get you really excited like that shouldn't concern you in many instances, especially if you're able to talk to the folks.

When we spoke to the folks at Airbnb, it was a great conversation. We walked away with a tremendous amount of respect for what they built. And also we realized they have zero interest in commercializing it or even the ability to do so it was built so specifically for their business. So to me, it's like, it's, it's interesting.

A great tell for this sort of thing is if you see the beginnings of innovation inside mature organizations with big security engineering teams and so forth, like I think to me, that's a sign that you're onto something more so than a sign that you should step away from it.

[00:42:36] Oliver: Common, big engineering, security engineering teams, right?

How do you take a problem that requires a lot of people today? And productize that, right? Those are always massive opportunities to do that. And what we saw is that, look, there are thousands of people, triaging security alerts, the term alert, fatigue, and all of the data we see around alert volume and velocity today is pretty cliche, right?

The whole industry has been talking about that, but when we started, it was still, the FireEye breach had just happened. And the Target breach, right. It was Mo that was monitoring. The devices really couldn't keep up. Right. And that was an indicator that there's just too much volume of alerts. So how do we automate that?

And the NSA's number was what we're seeing a billion alerts a day, right? How can we possibly react to that without automation? And so how do you take that problem and reduce it down to a product. Yeah, I think the math was that they would need hundreds of thousands of people just to deal with those alerts.

Right? So, so like if you take a services business today and productize it, that's always a big opportunity. And this was a massive one. Not only did we have the people problem, not able to keep up with the volume and velocity of alerts. We had this army of point products that have been created over decades, which you and I have been partly responsible for, right.

That are all disconnected and not talking to each other. So the typical enterprise had 50 to 60 products. How do you get those working together effectively? Then there was a massive shortage in security people, like three to 4 million now. Back then it was one or 2 million, you know, again, all of these things converge to, you know, we have to have automation and we saw automation in marketing in other parallel categories, but nobody had done it in security.

So we kind of sat there and thought, this is crazy. Like how, how like are we just like on the wrong track? Like how come nobody has done this? This seems so obvious. And that's really where Phantom came from. And we had the first mover advantage. We tried to capitalize on that. I would say, knowing what we know today, we should have raised more money and gone way faster.

And we'd probably still be around as a really substantial player. But at the time we didn't really know, we saw this as, Hey, let's go small for a little bit because we don't know how big this is going to be. And if anything, we're going to build something valuable that someone may take us out for 50 million or a hundred million.

But then we saw more and more, I think, affirmation and confirmation that this is real. So when we raised more money, our competitors had already seen us succeed. Right. So they started with deeper pockets right out of the gate and were able to build faster and catch up as well to their credit. They were great competitors.

We competed very well with companies like Demisto and Swimlane, right, who also were second movers, probably starting a year after us. Look, this market's never winner take all, right? It's big enough. Everyone does well. And as the other companies have.

[00:45:42] Dave: How did you settle on the product features? How did you draw the boundaries when there wasn't any sort of category definition to go for?

Like, you guys created a cookbook for the Demistos, the Swimlanes and the others to follow, but when you were creating the MVP, the baseline features for Phantom, how did you decide on what was in, what was out? What were the things that were big question marks for you?

[00:46:09] Oliver: Yeah. So this is where some experience in building software comes in handy because the customer doesn't know what the heck they want.

Great. At this point, we talked to probably a hundred CSOs over the first year about automation with a PowerPoint deck with no product, but essentially getting validation that, yeah, if you had something like this, I probably wouldn't turn on full automation, but I would at least use it to augment my human team.

To do things more effectively and keep them in their swim lanes and make sure that they're doing things in an orderly, orderly way. I would say the first set of features always comes from the founding team in a situation like this. Like you have to have some notion of what I as a customer would want.

Right? So in our case, we built a layer of APIs that would connect to third-party products with an app layer that sat in between, and then an automation engine that was based on Python that would actually run these playbooks to be able to run the automation. Right. And, and that's largely, you know, pretty geeky computer science stuff.

Right? You hide it eventually under a very pretty visual editor that lets you drag and drop boxes to create playbooks. But some of this, you can't get from your customers. Right. You got to kind of come up with it yourself. Right. But then when you have something, whether it's right or wrong, you can iterate super fast when you start getting customer feedback.

Right. And you're not always right. Like you, you may have some gut instinct on, okay, this is what it should look like. And hopefully you're right. More than 50% of the time. Right. So you're at least, at least getting in the door and then you're moving super fast to continue evolving that idea. Like for example, the first time we started our visual editor was something called Blockly, which was some open source block-based editor, you know, there's something called I think MIT, stitch or switch.

I can't remember the name, but you know, it's for children to create programs where they would drop blocks within each very much. Yeah. It kind of worked, it created Python code that our playbooks ran in, but then we had one customer who said, whoa, like this is not going to work. I need a full visual BPMN editor.

So I can drag and drop blocks and create a complex workflow. Version one, which was essentially a prototype, was thrown away. Right. We had to reinvent it and create a visual editor that the customers wanted.

[00:48:43] Dave: After that, for me, the feedback gets consistent enough to where if you hear it two, three, four, five times from customers who are in your ideal customer profile, inside your ICP, you start hearing it enough.

Or if you start getting hints and sales calls, especially the ones that don't move forward. That's when you really, you kind of know, it's like, okay, This is something that I have to pay attention to. I think at CrowdStrike, David, clearly an example, one of the things that was holding us up was people kept asking for prevention.

We kept thinking it like, so you just want us to block some things. And it turned out that, yes, that was the answer. So what we did is initially we took features from Microsoft EMET, E-M-E-T, that forced ASLR and forced DEP. And we basically, like, Alex Ionescu brought them in, in a way that made sense. They weren't magical, but when we had it in there, all of a sudden product started selling.

It was the signal to customers that the product at that point fit the pattern in their head of what they wanted from an EDR and from a next gen endpoint product. And it was just this trigger. And I think of it as a maturity signal for a lot of folks, it's like, I may not even want to use it. And we know it because we watch the telemetry and no one turned it on and used it, but we'd heard it enough.

Especially from folks who decided to pass on us. We said, okay, put it in. Even if you won't use it. And sure enough, like it worked, it was a lever, but it was listening to those cues. And I think that's often one of the most painful things about a new category is you just, you think you might have it. And then all of a sudden you realize, Nope, I'm actually off by like two or three things.

And they're just like explorers in the jungle. You just keep hacking away at the vines to keep going. And you see a glimpse of the temple, you know, off in the distance and you realize, oh hell, there's a little bit more to get through here. And it's hard. So people will tell you, oh, you're doing it wrong. If it's hard, it's like, no, no, no.

It's the hard thing about hard things, kind of Ben Horowitz jam. It's like, no, it really is that hard. You're bushwhacking. And I'm not sure there's any way to do it other than just fight your way through it. Keep getting feedback, keep iterating and knocking those down. And before you know it, you're in the temple clutching the sapphire or whatever it is you're there to claim, grabbing a hold of the market early, if you will.

[00:51:12] Oliver: We are in the jungle without a map, right. In your, your goal is to get out and figure out like, what the heck is this thing going to be? We were fortunate that Uber signed on as our first design partner. They had just an, a phenomenal security engineering team that originally came from Facebook before they went to Uber and they had built something more of a SIEM-like monitoring system that had some automation at Facebook and they didn't want to build it again, but they had really good ideas on exactly what they wanted to see if we built it, you know, that was so valuable to have a customer like that.

And they were still, you know, this was 2014, right? So they were still in the early days as well, but had a very mature security engineering team. And so that's these design partners getting the best ones that you can, people who have really strong product ideas, they've seen products before is invaluable.

These folks are going to help you build the right thing and avoid you from making mistakes. Cause again, like you'll have, you'll have great ideas as the founder entrepreneur. But that doesn't mean you're right. Hopefully you've got enough instinct around on that. You're on the right track. But then when it comes down to actually zeroing in on what this feature needs to do, then they're going to help you.

Like, for example, they were down to, there are too many clicks to get from this one page to what I want to do on the second page, it took three clicks. We want you to reduce it down to one click, right? That's the type of feedback that you'll get, which is valuable because they want to do their job faster.

They don't want to click three times. They want to get an ad, run, run an action immediately from the main page. Right? So that's where that feedback comes in really handy.

[00:52:54] Dave: Let's stop talking about product for just a minute and talk about what you did from a go-to-market perspective, knowing full well that you're creating the category here.

What did you do that worked from a category creation perspective and you can pepper that in with some things that didn't work too, but what did your playbook, what did your strategy.

[00:53:15] Oliver: Yeah. So it's, you know, I'd say we followed a pretty typical enterprise go to market strategy, right? Where, you know, we had an initial set of, of sales folks that got on board, you know, they had existing relationships.

So they were able to get us into key accounts effectively. But I'd say the unique thing was finding customers that were the right. They're the right qualified customers for our stage of company and our product, right? So there's groups of enterprises that are mature, big and they won't invest in early stage technology.

Right. They're not willing to take a risk. Then there are customers who are looking for early stage technology, they're on the leading edge. They want to protect the enterprise. And that's where you see more of like an innovative thinking CSO, CIO. So for example, you know, who's willing to take that risk.

He's looking for those products that are new because he knows that what he has, isn't going to cut it. Right. So how do you find those customers? And that's really, really the challenge, right? So it's a combination of, uh, you know, personal relationships that we have that investors have that invested in us as well as early sales team.

And then this is long before any type of formal marketing or lead generation approach. Because again, this category doesn't exist, right? They don't even know they want it. And so you have to sell based on the merit of the promise of what this will deliver eventually, and the vision that you have. Right.

And there are companies that will buy on that. And usually it's driven by an individual at that company at the customer, right. Who's willing to make that bet who also sees the same problem and has the same beliefs that you do about how to solve it. Right. So how do you find those people? And it's, it's a shotgun approach.

You have to talk to everyone, as many people as you can, all the time, because again, like you can't, this isn't about search engine optimization or search engine marketing, or even going to conferences with existing categories initially, right? Like you just need to go, this is, this is one-on-one combat, hand to hand, to find the buyer.

And then it builds, people start talking about it, thinking, look, this is really cool. This is really new. It's really innovative. And it builds and builds. And then eventually it took years. But after three years, the analysts took attention, took note, and Gartner, Forrester, some of the early ones like ESG, Jon Oltsik, right.

Were, were big advocates and working with those analysts early on. So Jon is someone that we've worked with in the past multiple times. At ESG and doing early research that can demonstrate the cost savings of your product. For example, we know you can't hire the five to 10 head count that you need to operate the SOC today.

What if I can give you a product for the cost of two head count that can give you five head count back in terms of return of efficiency, right? Wouldn't that be great. So doing that kind of work that actually proves the economics become super important for the CSO and for the CFO and for procurement, right?

To warrant the purchase, because they're going to have to redirect head count dollars to your product. In this case, like we talked about before, because that was their current direction is I'm going to take people and solve the problem, but Hey, you have this new product. Wow. This looks really interesting.

I don't have to hire 10 more people. I can use your product to do this. 

[00:56:46] Dave: So, let's talk about what you got right with your playbook and what you didn't. So knowing that you may be going back into category creation, what about your strategy with Phantom are you absolutely going to duplicate?

[00:57:04] Oliver: Well, that's a good question.

I mean, I think we missed, I would say on the product side, some, some big evidence in retrospect, obvious indicators that not everyone was ready for full automation, right. The notion of I'm going to replace my people with a black box or even a white box where I'm writing playbooks and I know what they do, and I'm just going to let it run on its own.

That's not the reality that we saw. Right. So we built the best automation engine that we could build. And I would say today, it's still, from a scale standpoint, fault tolerance standpoint, the strongest engine out there. What we missed was that people still wanted their teams engaged in the product and overseeing it, chatting, communicating, managing an incident manually, and then using automation where appropriate.

So what we missed is what, you know, our competitor Demisto, to their credit, really, I think, saw. They started with this notion of ChatOps, which is a Slack-like interface where my team can join and start communicating. And then we'll let them run automation from there. Right. And they'll gradually ease into automation, get more comfortable with it over time.

And then maybe, eventually they'll be fully automating some things, but they still have this world to live in as a team, where they can work together. And so we missed that and we had to go back and build it. You know, it was easier to build than the automation engine because that was much harder computer science, but we still, I think, were overly optimistic that people really wanted to automate as much as they did and were comfortable with it

at that point in time.

[00:58:54] Dave: We had this conversation just the other day, where we have a brilliant engineer who is questioning some of the things in the user experience. And I went into a whole conversation of, you have to meet the customer where they are. Sometimes they don't want to jump in the pool.

Sometimes they want to feel the water first. You have to meet them where they are and pull them into a more sophisticated, complete experience over time. That feels like a great learning, a great lesson. And that's somewhat like, going back to what we talked about with deception, that's somewhat like what Haroon did too with Thinkst Canaries, from open source, from a pricing perspective, usability perspective. He made it super easy just to put your foot into the water.

So that feels like a really important learning. Yeah, 

[00:59:40] Oliver: Definitely. You really need to gauge where the customer is and try to get there instead of bringing them with you to the future. They'll get there eventually, but they have to go at their own pace.

[00:59:50] Dave: They want a really fast car. They don't want the time traveling DeLorean, as it turns out.

What did you try last time that you'll avoid this time? Like, what do you see as you look back, you think, oh man, that was wasted, time wasted money. You won't bother with that. 

[01:00:05] Oliver: It's been a while now. And I know the industry has changed since even the early days of, of Phantom. You know, there was some of the marketing that we did.

And I think we had to do it, but we'd go to these conferences where we would pay to attend. And they would guarantee some 10, 20 meetings with decision makers at companies. And these individuals were invited to attend the conference for free to learn from their peers. Right. And that's where they were coming.

But they had to commit to meeting with companies that were paying to, to meet with them. And most of the people did not want to meet with new companies. Right. They were kind of doing it because they had to, and the whole model is just not, I don't want someone who doesn't want to meet with me. Why would I want to do that?

Like, I want to meet with someone who actually wants to hear about the product and find value in it. And so it was uncomfortable and made you feel kind of bad because look, I don't want to inconvenience, you know, this person doesn't seem to be happy to be meeting, but they feel like they need to. And it was just a kind of ugly model.

And there was a couple of companies doing this and we would pay to do it a couple of times and it never worked out. I don't think we had one customer, ultimately, from that model. You know, you kind of want to give back as much, if not more, than you're taking in communications and always offer like valuable information, something educational, something that the customer can learn, versus

the traditional approach of email marketing, you know, I think has largely proven not to work anymore. So I think, again, even since I've been doing it, the world's changed, right? You're probably even more on top of it than I am right now.

[01:01:52] Dave: I get invitations to events like the one you described probably two times a day, and some of their pitches have gotten pretty good, to where it's kind of thinly disguised as a real conference and a real opportunity.

And for all the same reasons you just mentioned, it just feels gross to me. And like something I never, ever want to do. Yeah. I see the attraction of it, but it's not cheap for one, especially for a young company. And secondly, it just doesn't feel good, like going to a meeting that, you know, somebody has to take for all those reasons.

Great example. Let's wrap up with just a looking ahead. We'll finish up with a few words on Pangea, but before we leave SOAR, what's the future of SOAR? Where is it headed, now that you're long gone from Splunk and you can speak openly about it? What's the future of SOAR?

[01:02:43] Oliver: I think there's two areas.

One is, you know, like every other technology, right, SOAR has moved to the cloud. So having a cloud-delivered SOAR has become an expectation. People don't want to set up their own instance in their enterprise. Now this introduces real security questions. Right? I now have a cloud SOAR product talking to my security products, which may or may not be on prem.

And what does that look like? Right. So those are all good questions that vendors need to solve. The second one, though, is really about usability and, I'd say, the time to getting to success. With the first set of SOAR products, you still had to write code and you had to know Python. And that really limited the audience, right?

That could actually get to success with these products. Like you had to either get a contractor or consultant, or your SOC engineers had to know Python, which they increasingly do, but it really limits the mid market, where people may not be programmers. And, you know, getting to a no-code experience, not just low code, but no code, to write

these playbooks, I think is really key. And there's a couple of companies out there trying to go down that path. I don't know how successful they are at this point. I mean, I can tell you it's not easy, right? There's a reason why products are still written with code in general, because the visual programming is not where it needs to be, but this isn't necessarily writing applications, right?

This is writing automation playbooks that stitch together a set of sequential actions with decision-making built in at different points. And there's ways to do that with no code that are emerging. And some of the products may already do that. So I think that's going to be key to get more and more people to be using these products.

[01:04:36] Dave: SOAR has to change shape in order to kind of meet mass market expectations and current staffing requirements and limitations and so on. It has to evolve and, yeah. All right. We're not going to have time for our normal speed round here, but that's okay. Tell us a little bit about Pangea, whatever you're comfortable saying about the company, and knowing you it'll be very little, but having said that, Oliver is notoriously tight-lipped about such things.

What would be helpful for you to say about Pangea? Because I know you're hiring now, so hopefully there's some possibly clever people looking to join a company like Pangea. What would you say to them? What's your pitch that you're willing to share at the moment for potential hires and future potential design partners, which seemingly around the corner.

[01:05:23] Oliver: Thanks for the opportunity. So I think, look, in the past, you know, you have a similar background that I do. And we've been building products that sell to the enterprise, that sell to the security buyer, the CISO typically, or someone under his organization. Right. And quite honestly, I'm sick of that.

Like it is, it is a tough battle, no idle. I know you're in the middle of it, Dave. It is a tough battle. There are thousands of companies out there that are selling to that buyer. And even with Phantom, it was hard to differentiate yourself from the noise and to, to get to success there. Right. It comes down to how much capital you have in your effectiveness of your sales team and your relationships.

And, you know, I know you're on the path to success, but it's a tough one. With this company, we're going after the developer, and we call them the builder, right? These are people building applications, and they're not necessarily security applications. These are websites, web applications, SaaS applications, mobile applications.

Today, one of the things that's become evident is that if you're not building your own applications, if you're a global Fortune 500 or Global 2000, you're largely becoming irrelevant, right. Applications and apps, whether they're mobile or online SaaS apps, they're how you directly communicate with your customers, irrespective of who you are.

Right. So what that means is that every one of these companies has become a software company. Now they have engineering teams, they have product teams that are designing products and delivering products to enhance their interaction with their consumers directly. Um, again, whether you're Coca-Cola or anyone else, you're building products and software.

So how do we cater to that audience? And that's really what Pangea is about. And at a really basic level, every time someone builds a new product, they have to add security features and they have to keep adding and rolling their own security functions and becoming security experts. Our goal is to give you those features out of the box to let you add those so that you don't have to become a security expert.

When you think about it today, you go to AWS for all of your compute, storage, analytics, database, AI/ML technologies. Where do you go for security? Right, there isn't a single well-known name that you can think of where I go to get my security features. And that's really what Pangea is about. The name is not a coincidence, right?

We see ourselves as becoming the supercar for those security features that app builders need.

[01:08:05] Dave: Is that sort of a rationale of the name revealed there? Pangea, the supercontinent?

[01:08:12] Oliver: Maybe that's a bit optimistic, but it was a great name. And I like names that start with a P like Phantom, so got to stay consistent.

[01:08:22] Dave: Got it. Cool. Well, thanks so much for coming on, Oliver. This has been great. I know that not everyone's going to love a deep product category conversation, but there's probably a few people in young companies out there thinking it started in a company where this is catnip. So for those of you who stayed with us as we dorked out on category creation and product, thanks for listening, and Oliver, thanks for coming on.