Speaker 1: 0:22

Welcome to this new episode of Techzine Talks. On Tour Today we have Vivek Ramachandran. He's the founder and CEO of Squarex. Welcome to the show.

Speaker 2: 0:35

Thank you so much for having me on the show. Really excited. Well, you never know.

Speaker 1: 0:39

You don't know yet what I'm going to ask of you. Maybe I'm gonna say I don't believe in anything you do. You wouldn't be that excited, would you.

Speaker 2: 0:46

That'll definitely be exciting for your viewers and readers. Not so much for my PR team.

Speaker 1: 0:53

No but otherwise, obviously I wouldn't have taken this meeting if I wasn't intrigued at least by what you do. But just briefly, where do you come from in terms of previous background and all that stuff? And why did you start Squarex? And then we can get into the BDRs, or browser detection and response. That's actually what you're doing so.

Speaker 2: 1:16

I've been in cybersecurity now 24 years, started off on the offensive side, found a bunch of zero-day vulnerabilities back in the day in wireless systems and other technologies, spoken at DEF CON and Black Hat main stage 20, 25 times over the last 17 years and that's when I realized that I was pretty good at offensive security. And then that kind of went into me starting two companies. The first one was a wireless monitoring device company and, at that point in time, one of the defense agencies. They were looking at a way to monitor 802.11ac. It had just come out and there weren't any devices to do that. So that was 2012,. Around that time, yes, 2012, 2013. And I had a very good understanding of wireless security because back in the day I'd been finding a lot of wireless exploits and whatnot. So I took off the shelf Ubiquiti devices, created custom firmware with OpenWrt and created those devices and started selling them.

Speaker 2: 2:10

Post that I started to realize that people didn't understand offensive security well, because those were back in the days when practitioners were more of like a checkpoint certified administrator rather than really knowing what attacks were happening. So then I started this other company called Pentester Academy and it did red-blue teaming exercises in the cloud where large organizations could come in, pick and drop whatever they had and we would create these environments where they could do these exercises. Ran that for seven to eight years. All the big banks, finance institutions they were all customers. Eventually, that company got acquired as well, and that was 2022. So what had happened at that time is I was spending so much time with red teams and I was starting to see a common theme emerge when it came to attackers breaking into enterprise devices, and that was really the web browser, and so I looked at all incumbent security solutions. I figured what was happening is we were moving towards a browser-native, cloud-native world, native world. Well, yeah, yeah, to a certain extent, yes, or an excellent.

Speaker 2: 3:10

We know, we don't know, we're not all using Chromebooks, but yes, but I get what you mean and and this is really where I think for a long time, the whole industry had dependent on sassy SEC secure web gateways to clean up things in the cloud so that you could send all your browser traffic and and whatnot. Yeah, now what's been happening in the last few years is browsers have become application platforms in their own right. Originally, when these technologies are invented, they supported just a handful of HTTP protocols, but now most protocols are binary and real-time WebSockets, webrtc, grpc, whatnot and this is really where many of these solutions build during a time where you could look at network traffic and reconstruct what is happening at the application layer. They're miserably failing, and this was the tailwind which kind of made me feel like look, if the browser is a complex beast, applications are all running in there. You want something browser native.

Speaker 1: 4:05

But the obvious question here is why can't EDR? Because that's endpoint right? Why can't they do it Absolutely? Or why didn't they integrate it yet? Because they could potentially do that right Absolutely. You're probably going to sell your company to one of those.

Speaker 2: 4:22

So great point. So I'll answer that in two parts. Right, edrs currently, as they stand, have zero visibility into the browser. They primarily look at file and process, and you know what is really going on there. By looking at a browser's memory, it is almost impossible to reconstruct what is happening at the application layer what is the user clicking, what is the identity you know being exchanged and whatnot.

Speaker 2: 4:43

Now I would hazard a guess the reason why these guys haven't moved into browser native is the same reason why you would see a lot of network security background companies which is sassy, as you see not moving in at all, which is this is my thesis is network security has evolved over 30 years endpoint security over the last 15 to 17 years, cloud security 8 to 9 years. Most of these companies come from that background and that is really where client-side web attacks, javascript, webassembly. This is not something which comes as second nature to them, which would literally mean they would have to go ahead, create an entire new team with a client-side web attack DNA and go ahead and build all of that. Now, what's been?

Speaker 1: 5:24

happening is Even 10 years ago. This must have been an obvious, because let's just look at a company like Google, which actually had a vision of we're gonna do Chromebooks do everything in the browser. There must be some browser security in those things, right? Yes, great question.

Speaker 2: 5:45

So I'll break it up. Edrs have nothing in there, so like a crowd strike or a Sentinel one, you know, the most they have is a lightweight extension which can just block sites based on threat feeds. Yeah, we've had that for about 15 years.

Speaker 2: 5:57

But when you come to Google Chrome as an example, they started off with Chrome Enterprise and the whole idea of Chrome Enterprise is that you can manage your browser. But at this point in time, most of the policies are really hardening policies, which is an allow or a block, you know, block all extensions or allow only whitelisted extensions and things like that. There's some rudimentary DLP capability, but what a browser vendor wouldn't really want to promise is application layer security to you. And the big reason for that is imagine if Google Chrome went in and said well, we are going to ensure that identity attacks or Oauth SAML hijacks won't happen on. Google Chrome Can't guarantee that.

Speaker 1: 6:35

So you're looking at it. So, if you're looking at it from a traditional OSI model, right.

Speaker 2: 6:40

So you're looking at layer seven, and that's very rare to have that kind of unless it's inside a SaaS solution from a vendor themselves, but it's extremely rare to have it inside a browser Exactly, and the big reason why today, even Microsoft, as the operating system vendor, can't guarantee that there can never be ransomware or malware and that's why EDR exists, so similar to that browser platform in its own right. The vendor can't guarantee that no kind of attack is going to happen over here which is going to compromise your enterprise. They will, of course, try to solve as much as they can, but they are also very obsessed around software vulnerabilities and that's the primary thing, if you look at it, what the Chromium security team is trying to solve.

Speaker 1: 7:24

So how are you greeted by CISOs and people that have to decide on security inside an organization? Because I could imagine I speak to lots of customers as well that they don't want another layer of security. Right, they know they have to do layer security, but probably their reaction is the same as mine.

Speaker 2: 7:43

I already have EDR, so why the hell do I have to invest in something else? Yeah, so most of the time, what they end up comparing us first with is SASE SSC, and the big reason for that is they've been told by the SASE SSC vendors that we are going to go ahead clean up not just your browser.

Speaker 1: 7:57

You send everything through our thing in the cloud or whatever, and then we will make sure of it Exactly.

Speaker 2: 8:02

But what's been happening is, if you talk to any CISO, most of the time SASE-SSE increases latency, and the big reason for that is it breaks what I call the laws of routing physics, which is ideally, when you send out a packet, you need to be able to go through the shortest path and get to the destination.

Speaker 1: 8:18

That's one of the reasons why some SASE providers claim that they are the only SASE, because they have the private backbone and they can actually guarantee Any of those pops is also an issue.

Speaker 2: 8:28

But beyond a point, right like you, can't be as ubiquitous as the internet. No, and that is really where almost every single SASE vendor the biggest complaint is user experience, the fact that you slow things down Now even worse, sase requires that you're already connected to the internet. So now you're at the airport, you're trying to connect via a captive portal. Immediately your connectivity goes down because the sassy client can't connect. Till the time you can't go through the captive portal and there's a little bit of round robin. So the user experience latency is one big problem.

Speaker 2: 8:58

Now the second piece attackers, and my favorite quote is attackers are the only innovators, because if an attacker innovates, every security company has to drop everything they do and go behind that. Attackers have been innovating where what they've realized is they can completely subvert network traffic inspection and go ahead, smuggle in malware, ransomware, all of that during download. So we, based upon research that we'd seen, put out something called last mile reassembly, and the whole idea really is look, on the client-side browser javascript is powerful enough that you could literally go ahead and create a malicious excel entirely on the client side, put a macro in it, drop that as a download sassy. Ssc doesn't even see it.

Speaker 1: 9:39

yeah, so you have started seeing attackers evolve if you download that, drop it as a download, then your edr should see it right. Great point and this is really where what's been happening is if you download that, drop it as a download, then your EDR should see it right.

Speaker 2: 9:47

Great point and this is really where what's been happening is, if you look at the latest attack, midnight Blizzard, they ended up using an RDP configuration file to map local drives to remote drives. That's a classic example, because EDRs are very good with binary files, but anything non-binary, even office documents with a malicious macro, they aren't good at all. When it comes to looking at config files like RDP, they don't do it at all. So today, if you went into an EDR vendor, you can't create a policy which says block RDP files which may contain a redirect directive but does not include one of your whitelisted RDP servers.

Speaker 1: 10:22

Yeah, leaving aside the fact that, if you still use RDP, maybe you should think about something else. Anyway, yeah, so to your point. What's happening? Yeah, leaving aside the fact that, if you still use RDP, maybe you should think about something else anyway, yeah, yeah, so to your point.

Speaker 2: 10:29

what's happening is the complexity of file types has exploded. Edrs came at a time when, most of the time, all you cared about was installing a binary file and now, because of that explosion, there are so many things they can't. Now here's the other interesting thing People are downloading fewer and fewer files because everything sits in the cloud. All your apps are in the cloud and you don't see it at all right. And this is really where, if you look at it, people in their 20s. They don't even use Outlook Express. It's all webmail. So if fewer and fewer things get downloaded, what's actually happening is attackers are starting to realize all you need to get is the user's identity, because then you can access the cloud app, saas app storage as the user and exfiltrate data from there, where EDR is useless.

Speaker 1: 11:10

But coming back to the initial question about how you're greeted by the company, that you visited right. So, let's try and because I can imagine they say look, I don't, I'm sort of completely, it's death by security solutions right, absolutely so.

Speaker 2: 11:26

Here's the good news Market education is the most painful task. You want to leave it to the big boys most of the time. So what really happened is when I was starting to think about this company, a category called enterprise browsers were already existing right, and you know Island Talon. All of these guys were in there. Talon got acquired by Palo Alto, which now became Prisma Access Browser, and they are pushing that narrative saying look, browser security is important, you need to have all of this. Ireland's probably raised close to a billion dollars. They are pushing the same.

Speaker 2: 11:54

But here's the incredible piece the early GTM data. What it's kind of showing is, if you talk to most CISOs, they get excited. They've been educated. Now they start to deploy this dedicated enterprise browser and remove all of the browsers. They immediately realize this is massive user friction, why A security team has never owned infrastructure. They've always secured infrastructure. And if browser is the new infrastructure through which everything is happening, anytime now with a dedicated enterprise browser that you actually see there is a latency issue or a site doesn't load, that's a security team and the CISOs problem.

Speaker 1: 12:27

And they don't want to be there, right.

Speaker 2: 12:29

They don't want to be there, because the moment you come in front of productivity, you know you're going to lose. So there have been cases where all of them, all of these solutions, have been pulled off the shelf. Now the way we attack the market was very different. We said these enterprise browsers barely do any attack detection. They're primarily focused on unmanaged devices.

Speaker 1: 12:47

VDI and all of that, and that's also a browser that sits next to another browser, right.

Speaker 2: 12:52

Exactly, and I've always been.

Speaker 1: 12:54

I mean, I understood why they did it, but I've always been very I mean not negative, but I didn't like the side-by-side of it. Oh, this is my private area, this is my work area MDM all that, all that, it's just a lot of friction.

Speaker 2: 13:09

Exactly and to your point. No new independent browser has ever worked in the history of browsers right, Brave, for all the great stuff that they do, still only has probably 50 million installs. I have it on my phone, I use it, there you go, but 8 billion people online, Just 50 million installs. So exactly to your point. What started happening is we came in with a very strong attack detection and I know we'll get into that browser detection response but by then these users were all educated that browser is the new endpoint, that's the weakest link. You need to go secure it. So when we walked in and we said we work with all browsers because we deploy as a browser extension and we solve attack detection in a very fine-grained way but can also do some of the other use cases, you're probably looking at enterprise browsers, for that was a big win where we didn't have to actually go ahead and convince much.

Speaker 1: 14:01

Do you feel that this is enough to actually create a standalone business in the sense of yes, great question. Actually create a standalone business in the sense of Great question, because I see some parallels with API security, for example, which is very big for a couple of years, and then the no name got acquired by Akamai and Everybody else is just wandering around. And one of the biggest complaints I've heard from customers but also from those companies we companies it's just a too niche or dedicated thing to sell separately.

Speaker 1: 14:36

But if you do it like this if you say this is going to be the new endpoint, then that also sort of implies that you see a good, viable business opportunity there as well. Exactly.

Speaker 2: 14:53

So, if you take a step back, right and just all history of computing, mobile devices weren't very functional. We came up with smartphones with supported applications. That became its own ecosystem and that's now a multi-trillion dollar enterprise. Similarly, what my strong belief is is if browser is the only application you're using on an endpoint today, all your apps are running within it, or you can only access cloud apps via it, then this becomes not just an application but really corporate IT, which is important for you to own, govern, govern properly, make sure you secure it. So our core thesis is maybe seven, ten years from now, if we are in a completely cloud native world which will probably end up happening some day or the other then and browser is your gateway device, or rather your gateway application platform, then by being there super early, we make sure that we can evolve with the platform.

Speaker 2: 15:51

Similar to you know, if you look at it, the AV guys came in. You know, eventually that move to EDRs, xdrs and whatnot, and I'm hoping, if that happens, if that thesis works. You know, rising tide lifts all boats. Is anything sitting in the browser has the ability to stop things upstream. So I give you an example the whole security industry says shift left. We say shift up, because if I have the capability to look at ransomware in the browser before it even drops on the endpoint, I'm starting to make your EDR obsolete at some point.

Speaker 1: 16:20

Yeah, if Well, edr has been sort of suppressed by XDR anyway, right, yes, and I think I've never found carried that much much shift left anyway. So yeah, I don't, it's just I think it's not not realistic, yeah the shifting left, I mean maybe exactly, we'll see.

Speaker 2: 16:39

We'll see if that happens or not?

Speaker 1: 16:40

yeah, that's realistic, but I think every, everything, everything you try to force yes, that usually is either takes a long time absolutely or fails.

Speaker 2: 16:50

So great point that you made and I'd like to counter it with the following right, the whole shiftless thing. The biggest issue was we were forcing it and telling people go back review code, better have an ssdlc and whatnot. But shift up, something beautiful happens. I'm not telling anything to any user, I'm basically just stopping attacks upstream in the browser itself. So we aren't forcing people to replace their EDR immediately. We aren't telling them that, oh, stop using this at all the moment they start seeing that a lot more attacks can be blocked automatically in the browser. You know, the thesis gets proved.

Speaker 1: 17:24

But on the other hand, they probably want something to replace it, because they don't want to have double the cost. Right, yes, absolutely, but it's a temporary thing.

Speaker 2: 17:33

Yeah, but that is a real thing right For companies.

Speaker 1: 17:38

They say look, I love the concept of a layered security approach, but that also means that if I have seven layers, I have seven times the cost, 100%. Yeah, times the cost, absolutely 100 yeah, so, and how do you?

Speaker 2: 17:48

but how do you see?

Speaker 1: 17:48

so how do you see bdr or? Or it's a browser-based uh detection and response. How do you see um? How do you see that integrating with existing? Because there must be a reason why edr and and sort of by extension, xdr can't really. Yeah, they don't know how to handle this. Correct, but is it possible to actually integrate all the what you're? Offering them into the existing stack.

Speaker 2: 18:13

Yes, yes, something you're already doing. But I'll give you a very simple example. Today, let's say, tom Dick and Harry in your organization get you know sent a link on LinkedIn. They click a couple of links, fill in a form and a malicious document ends up downloading. Let's say your EDR picks it up. All your EDR says today is Tom Dick and Harry downloaded a malicious file via the Chrome browser. Now the security team has no idea how the attack came to be. So this is the first place where we integrate. What we do is sitting in the browser. Given we have the same file hash, we send it to the same data lake, to your SIM, wherever you want us to, and now you can completely demystify the attack graph and actually figure out. The entire attack chain is like Tom Dick and Harry, LinkedIn, da da da, eventually downloaded. So what we are doing is automatically adding value by first telling you the lineage of the attack, as it happened in the browser.

Speaker 2: 19:03

Almost all end-user attacks begin there. Yeah, that is phase one. Step two, when it comes to identity big, big topic of discussion at this point in time so many organizations have IDPs but haven't really, you know, completely jailed it down. Not possible because you want to have people the flexibility to use things. Yeah, we can close that gap and basically say look, by being a custom IDP factor, we can ensure that a users can log in only through certain approved browsers, and that can be any browser on their device right now. Based upon that, we can tell you what is the shadow SAS and shadow IT leakage, because we see how your users are signing in using your enterprise identity in any other site. So we are beginning by tackling these two big things demystifying attack chains for attacks happening on the endpoint, and then IDPPs, which is identity attacks, and then you can also actually educate companies on what they should think about supporting and not supporting right.

Speaker 1: 20:00

Because I think shadow IT. I always call that shadow innovation because I think as a company, you always need to look for what everybody's using, because if a lot of people are using something you're officially against, you really should think about making it possible to use it securely, right, 100%?

Speaker 1: 20:18

I think that's 100% and something that also sort of. I was at a demo once and we got to demo it ourselves at a company and we had to download ourselves at a company and we had to download, I think, a data set to actually input into an AI model and we could do something interesting. And on a Safari browser on a Mac that went down easily. But I've tried to do it in Chrome on my Windows PC and it's malicious.

Speaker 2: 20:51

So if you I'm thinking out loud here if you have a BDR approach, you will never have that problem again because you have the same Exactly, so you don't have to rely on the iffy Absolutely, and I think what's happening is browsers, fundamentally, are heterogeneous platforms and Chrome and Edge, of course, is all Chromium, and then you have Firefox and Safari, which are totally different engines in the way things are built and, to your point, at this point in time, there's no unified parity solution. The same problem we face for a very long time on mobile devices, with mobile MDMs right, just wouldn't work across so many different devices. So I think market consolidation in the browser space is primarily around chromium browsers and non-chromium, and that's where we are hoping that, by the way that we've built the product is. We have a browser agnostic piece which is really 85% of all the code and then 15% is really us just proxying that and translating it to individual browser nuances so that we can have parity of detection and mitigation.

Speaker 1: 21:55

So just let's drill down a little bit into the BDR itself, right? So what does it consist of? Just give me sort of an impression of what it does and how it works.

Speaker 2: 22:07

So when we looked at this problem right, there's two ways to do everything. First is what everybody calls like send it to the cloud, we'll figure it out there. But when we looked at it we said this won't scale. We have to go ahead and build more and more things entirely on the client side so that it is genuinely browser first class citizen. So the way we did this is we have a browser extension which works across all browsers and in that browser extension what happens is there's a core service worker thread and then we inject what are called content scripts into every single page. These scripts start to monitor what is happening in the DOM, look at events like DOM mutations, what the user interaction is looking like, network requests and whatnot, and pick up telemetry, which has security significance. And how do you?

Speaker 1: 22:52

how does that determine? Where does it get the knowledge about analyzing that telemetry? Yeah, so where is it analyzed? Is it trained beforehand? Is it a pre-trained model that you get on your thing, or does it connect to anything, something outside and try to?

Speaker 2: 23:11

So three parts to it. I actually feel like, if you look at attack classes itself, there are primarily three classes and that's how the direction algorithms are also plugged in. One is at known attacks which can directly algorithmically be solved. As a simple example, anything which is trying to read the cookie and send it to a third-party website Very predictable. Monitor certain APIs see what's happening Makes sense. So that is really where those are baked in directly.

Speaker 2: 23:37

The second piece is really what is around slightly more fuzzy policy based kind of detections, and there you have traditional statistical detection methods and all of that. So what we've done is we leverage the same technology that Adobe, figma and all of these guys use, which is WebAssembly, and WebAssembly is this cool new technology has been around for a while, but more mature today, where you can actually have native code running in the context of the browser, extremely, you know, high speed, almost at native speeds, also also easy to assemble. That's also exactly, yeah, and which means we can already leverage a lot of the older C libraries you know, which are all pretty fast. So our detection algorithms are primarily running as WebAssembly modules, and what we've also been able to do is we have a lightweight interpreter as part of WebAssembly, so that not you don't have to just build things as parameters based policies. Instead you can have full-blown rule scripts. So now the last piece, the whole AI piece. Right.

Speaker 1: 24:36

Yeah, because now it's relatively old-fashioned stuff, right?

Speaker 2: 24:38

Yeah. So there's two pieces to that. I would say modern AI, let me kind of say, because the statistical algorithms have been around for a while Modern AI, llm where is it really interesting and how do we really use it? The piece that we've been innovating there is DLP. For a long time, the whole industry has wasted time with regular expressions right, go all out, crazy, writing those like X's, and it's so easy to beat with just very simple visual tampering.

Speaker 2: 25:03

This is really where we've been able to do two things. One is create a very lightweight quantized model which can run in the context of the browser and do certain things like data, rather page classification, some amount of DLP. Now, of course, we depend on the larger ecosystem of AI to evolve for us to do it, because we aren't doing fundamental innovations in any way. We're trying to just reuse it for our problem. The second piece, what we've kind of been able to do is, for a very long time, things like policy writing for a new security product has been very painful. So we've trained an LLM in our entire policy scripting language and all of that. So now you could literally go in and say isolate all files, files, all office files, with macros in them and it can automatically go generate a policy for you. Yeah, that has been amazingly fast from a product adoption perspective yeah, just to, just to get it clear where does this an LLM run and how do you?

Speaker 1: 25:54

how does it? I assume it protects real-time, right, it's in.

Speaker 2: 25:57

Yes, that must run on the device somewhere so the lightweight, you know kind of like LLM, which is doing the whole site classification on a couple of things that runs as a WebAssembly module, a very lightweight one In the browser, in the browser, and the second piece, which is really all the policy engines and all of that stuff, pure LLM, one that still runs in the cloud and I think, as LLMs themselves progress, we'll start migrating more and more from the vantage point of the browser.

Speaker 1: 26:24

And maybe a bit of an oblique kind of tangent, but how do you look at the development of the AI, pc? Because, I can see maybe I'm completely wrong, but I can see that they've been selling it like oh, you can run AI on your device, which is the NPUs and all that stuff. I can see some interaction between what you're trying to do and what they're offering, right.

Speaker 2: 26:52

So the best example I can give you is WebGPU, right? So Chrome and all the big browsers eventually came out with these WebGPU APIs where, via JavaScript, you could access GPUs on the endpoint. So there are two big things which are happening. One is most browser vendors are also building AI into the browser which you can then call into via their management APIs. And the second piece, of course, is you're going to have AI almost. I think at some point every PC would probably have an AI code chip or something like that. It's going to be pretty fast. So I'm assuming what's going to happen is just like web GPU. You're probably going to have like web AI APIs and, to your point, as the broader ecosystem starts to mature, we get the benefit because we are already fairly early and starting to leverage all of this to be able to grow with that. But yeah, for the AI piece piece, of course, we are foundationally dependent on the technology.

Speaker 2: 27:48

You can't do everything yourself.

Speaker 1: 27:50

Alright, that sounds interesting. So what's your? Do you have any goals towards the future? What do you see happening between now and a couple of years? Do you really think I'm paid to be skeptic, right yeah?

Speaker 2: 28:05

of course.

Speaker 1: 28:05

Do you really think that this will blow up and really become very big? Or is it just waiting for? So what Palo Alto did with the old enterprise browser and stuff? Is it waiting for a big guy? It's like we're actually, we believe this. Maybe microsoft says, well, I'm going to do this. What? What? What google did, did with wiz for cloud security? Maybe some, some of the big players oh, let's just buy you or whatever 100.

Speaker 2: 28:35

So I think here's here's my thesis on. It is here's what's going to happen in the next two, two and a half years either browser security will show up as a line item in a CISO budget or it will get subsumed as part of EDR, as a module in EDR, which is browser EDR or SASE. Sse might decide to go ahead and rope that perimeter right through the browser and say you know what, like, we also need to sit in the browser to get this right.

Speaker 1: 29:00

Yeah, because many of those SSE companies like C-Scaler and all those guys. They've also introduced on-prem sort of versions of their internet access kind of thing, so they could potentially quite easily integrate that into something on-prem right.

Speaker 2: 29:21

Yeah, but just just to kind of double-click on that. Right, if you pick the EDR vendors, 100% that's a possibility, and we'll know whether EDR wants to subsume browser security, because browsers sit on the endpoint. Sase is a bit more interesting, though, and here is why, for almost the last 10 years, the thesis that they've sold to the industry is you don't need anything on the endpoint. Now you'll have to come back, cannibalize your thesis and basically say you know what, you need something on the endpoint.

Speaker 1: 29:48

And that's probably in the browser. They've been retracing their steps already right Slowly. If you look at, for example, zscaler that I also mentioned earlier when I talked to them about 10 years ago or 8 years ago, whatever they said, look, the internet is a new network, so you don't need anything else.

Speaker 1: 30:04

I said well, I don't believe that because there are still lots of on-prem no, no, no, no. And then they and I think it was four years ago when they came out with sort of an on-prem extension of their cloud. So they are slowly but surely already retracing their steps right.

Speaker 2: 30:17

And this is one of the things which is if any one of companies in the browser security space ends up going and listing publicly, I think the whole space is validated. It won't get subsumed. That's just the reality of it. Any space that you see today, you can map it to at least one or more publicly listed companies. If that doesn't happen and the category starts to get subsumed in either way, then you know what you can be a great acquisition. I think two, two and a half years is really when you'll start to start seeing where that is going. But we need at least one or two public market companies in the browser security space for this to become an independent space. And that's the final market validation right, because at least one or two companies are so big purely by selling browser security. That hasn't happened yet?

Speaker 1: 31:03

No, and sometimes at first it can look very promising.

Speaker 2: 31:06

Yes, you become a unicorn very quickly and then, just 100%, being a unicorn is not akin to publicly killing people 100%. So there are so many companies with massive valuations and most of the time, we all know that you have to catch up to that and whatnot.

Speaker 1: 31:17

Well, we've all seen what happened with Lacework, for example, they were worth 8 billion a couple of years ago.

Speaker 2: 31:22

And they were sold for 200, 300 million or 400.

Speaker 1: 31:25

It was very, very, very, very little at least.

Speaker 2: 31:29

So my personal view is I'm very pragmatic at some point in time to say look, this is the market's decision and you have to finally honor and respect it. If we get the right to be a separate category amazing once in a lifetime opportunity, if not build fantastically well be one of the top two or three products. So you're a very attractive acquisition and you can get good returns to your investors.

Speaker 1: 31:51

Yeah, at the end of the day, it's all about helping the customers be more secure, right? Exactly. It doesn't really matter which way it pans out. I do think for customers it makes more sense to have it as part of a bigger platform, because then the initial, so the inherent integration is there no fancy stuff, no double billing or you know all that stuff.

Speaker 2: 32:13

And if you look at it right, almost every industry started with that as an aspirational model. And to your point, at one point people used to even say why doesn't Windows have its own antivirus? Why do we need a separate AV right? This should be part of the Windows licensing. Windows Defender came in to solve that but never really solved that. So to your point, it may happen Everything where it resides aspirationally. We want it all chunked into the same platform.

Speaker 1: 32:40

It's one of the nice at least in my opinion, one of the nice things about the security industry is there's never a dull moment right. So as soon as something comes up, there's always a security company coming up.

Speaker 2: 32:49

That also does it 100%? Yeah, Security is one of those evergreen fields because we are second order.

Speaker 1: 32:54

Any new technology comes in, there's going to be a security aspect see, and we've seen a lot of it, when all the tales of AI, right even yeah, like so many companies, simple prompt injection detectors just got acquired within like a year, year and a half, because people just want to consolidate all those features.

Speaker 1: 33:14

Yeah, it makes sense. All right, I think I have a good impression of what you do and what you're trying to solve, and where you're going, at least, or where you want to go or may go or may not go, I don't know.

Speaker 2: 33:23

We should meet again in a year and you'll see.

Speaker 1: 33:25

Yeah well, I may be back here next year. I'm not a big fan of big shows, but this one is quite important, so I look forward to catching up whenever we get a chance. I'll sure be following the space. Yeah, awesome, thank you so much. Thank you.