49. Vivek Ramachandran, Founder and CEO of SquareX, Pioneering Browser-Based Security Solutions

Hello, everyone, and welcome to another episode of the Security Podcast in Silicon Valley. I'm your host, your co-host, John McLaughlin, and I'm joined with co-host Sasha Singovich. Today, we have an amazing guest, Vivek Ramachandran, the founder and CEO of SquareX. Thanks, John.
Thanks, Sasha. Thanks so much for having me on the show. Super excited. Welcome, Vivek.
It's a great honor to have you, and I'm sure all of our listeners are very excited to hear your story as well. I guess our first question is pretty simple, pretty straightforward. You brand yourself as a security person, yeah? Yes.
How did you get into security? What does that story sound like for you? Yeah, I mean, I think this started almost 25 years back. So I've been in this space 20 years and four years before when I was at the university.
So I started security, getting into security, literally the time when I was preparing for my engineering exams. And at that point, these were these very big attacks which happened against Yahoo, AltaVista. I mean, people don't even remember that name anymore, I'm guessing. These massive DDoS attacks.
And at that time, I heard about this hacker called Mixter who had written this tool called Tribe Flood Network, which is what attackers were using to bring down these very big websites. Now, I was barely 18 or 19. And what really intrigued me was, hey, how does one person have so much power that he's actually bringing in all these massive websites down to his knees? And that was when I started researching, downloaded the source code of Trinoo, understood nothing about it.
And then slowly decided like, hey, there's so much for me to learn. Slowly started uncovering, kind of peeling through the layers of the onion and started getting more and more hooked to it. Was very lucky to get a few internships in cybersecurity. And I guess this was almost like a lifelong obsession for me since then.
But that's how I got started. That's an amazing story. It reminds me a little bit of a conversation that I had with a professor when I was back in school at University of Minnesota. And I was trying to explain to him life, what I found interesting about security.
And I was talking to him about RSA and ElGamal and, oh, it's so interesting, all the problems. And he kind of looked at me and he said, oh, so you're into security because it changes your relationship with power. Yeah. And I was like, well, I'm not even, maybe a little bit.
But these things tend to obsess you a lot more because, hey, you want to go out there, rule the world, look different, feel different. So, yeah. Yeah. You just want to find your place.
You know what? I've never actually heard Sasha. What's your story of how did you get into security? I've always been asking about data.
I guess I'm very into the privacy in general and just data attempts to reveal a lot of important details about one's life. And I just grown to be very passionate about protecting the essentials of the privacy. Everyone has the right for privacy. And I believe everyone, they have the right for privacy.
We as security professionals have the opportunity to uphold that statement. Absolutely. You mentioned that you got into security through passion that you acquired with one of the examples. This one person is capable of taking down this huge corporation.
How do you see security change then versus now? What do you see as your big field in the security? Yeah. I mean, that's a great question.
I think 25 years back, I feel like you still had a lot of lone warriors building out tools, putting it out there. And I mean, I still remember the very first DEF CON where I spoke at in 2007. You would primarily find like security researchers and people who are just genuinely curious, wanted to exchange notes, wanted to share experiences and all of that. But from there till now, I think security has become very mainstream.
And this is really where at this point in time, hey, getting into security is a process. Back in those days, pick up a research topic, just dive deep, learn more, publish it, and people would know about you, contact you and whatnot. But now I see that it is more structured where go get these exams, do your security plus, do this, do that, eventually get in. So that's more about how people get in.
The industry at large, I would say back in those days, people were more obsessed with security tools, where what you would end up finding is in products. So if you ask somebody, what is security, they would say, hey, I, to me, security is learning how to configure a checkpoint firewall or a Cisco PIX. So the approach was more from a defensive angle. And most administrators were really your security administrators.
There weren't any pure security administrators, teams and all of that, at least back in the day, 25 years back. Now what I feel is attacks have gotten sophisticated, attackers have banded together, whether it is nation states or organized crime, sponsoring hackers out of some attic somewhere in a country nobody can touch. And that has actually made security more of a team sport and not just like a solo lone wolf game. I mean, at least from me as a hacker's perspective, that's how things have changed in a very big way.
We are speaking at DEF CON this year, and you would find that most talks are also companies and researchers banding together. Yeah. Yeah. And it's not an accident that we see there is a blue team and there is a red team, right?
There is a reason for the war team to be part of that conversation. As a founder at SquareX, what does your day-to-day function look like? And how did you come to the conclusion that you would like to start SquareX and what problem are you solving? Yeah.
When I was doing my last company, Pentester Academy, we were talking to red-blue teams around the world. So we had Fortune 500 customers, government agencies, enterprises and whatnot, right? And at that point in time, mostly red teams would come to us and say, hey, we want to show that our enterprise defenses can still be bypassed. Could you probably figure out what is it that we can show?
And that was the time I figured, even though the web browser is the most used enterprise application, if you think about it, people spend 95% of their time on the browser, maybe 5% in applications like Outlook. There was very little happening on the browser itself to secure it. So most of web security, when it comes to securing your employees online, was actually web proxies. And this is SASE, SSE, secure web gateways and all of that, where you were primarily looking at network traffic to secure application layer attacks.
So when I was doing my research to help the red teams out, I figured that it was very easy to bypass these proxies because they didn't have application context. They didn't have user interactivity understanding. Attackers could reassemble, do attacks on the browser. So I figured if you had to protect your employees from web attacks while they're online, you need something sitting in the browser itself.
Now, as simple as that statement sounds, the non-trivial part for us was, hey, the browser is not like a development platform. It's not a software platform to distribute new products. It has one function and to show you web pages. So we spent a lot of time researching, figuring out a lot of tribal knowledge.
And that is really when SquareX was born, where I felt like if you could build a browser native security product, then this could fundamentally protect your enterprise employees almost 10x better than cloud proxies. Yeah. And just to share a little bit of your success with all of our listeners, you have over 100,000 IT and cybersecurity users within the first five months of your launch. You raised $6 million from Sequoia Capital C in May of 2023.
And it looks like you had a major release for enterprises in May 2024. So to be an entrepreneur and to be a founder, especially in the security space, it does take a little bit of really have to jump in and believe in the product and believe and see the problem out there and understand not just the problem, but how you can really be a positive influence in the world and be the change that you would like to see. And things don't change unless people take risks. Right.
Yes. We have a lot of entrepreneurs who listen to this show and all the respect in the world. Great. But when a potential prospect and a future customer reaches out, what is the biggest pain point that they would like to solve with SquareX?
Yeah, that's a great question. And I'll give you some examples. Till now, most enterprises, when it comes to filtering their web traffic, have been dependent on proxies. Now, these proxies were invented a decade back.
And the primary construct that they use for any form of filtering is a URL. Now, unfortunately, in today's world, the URL is too broad a security construct for you to just say this is whitelisted or this is blacklisted. I'll give you a very simple example. Lately, attackers have been zipping ransomware, encrypting it, which is password protecting the zip file, and uploading it to GitHub.com.
So now your enterprise web proxy policy says GitHub.com is whitelisted because you want your developers. Yeah.
Exactly. Exactly. When we speak to customers, I think the key pain point is to find URL as a top-level security abstraction to be too broad. And attackers are actually squeezing in a lot of attacks via components loading up on pages.
And that is really where SquareX, because we sit in the browser, we look at everything loading on the page from the lens of zero trust, from the lens of validating it from a security perspective, where the URL is just one other component. And I'll give you some simple examples. One prospective customer came to us and they basically said, hey, at this point in time, we find that people tend to upload files, but they have their personal Gmail and the Office Google Workspace both open and logged into, right? Everybody has their personal Gmail open.
So a lot of times when you try to upload a file, you might inadvertently end up uploading it to your personal Google Drive. Because the URL is the same, drive.google.com.
Visually, unless you click on the right-hand side and grab the identity you're using, it's very easy to make that mistake. So here is a simple example where web proxies can't help because they apply at a URL level. While something's sitting in the browser, we can immediately understand, hey, you know what? This page is Sasha's work identity logged into the company drive.google.com.
Versus in this tab, this is Sasha's personal identity logged into his personal Gmail. So based upon that, we are able to slice dice and apply policies to enterprise identity workflows versus your personal identity workflows.
So you apply additional layers of security based on the context that you get from a unique web page. Exactly. So because we sit in the...
Yeah, sorry, go ahead. How does the product work? Is it an extension or is it a standalone browser?
I imagine that one of the friction points to make the deployment of where actually as similar as possible is how easy it is to deploy into the organization. Correct. Correct. Absolutely.
And you brought up a great point, right? I think dedicated browser is a bad idea. If you look at the whole history of new dedicated browsers and forget even what we are doing, Brave tried to create an alternate. I mean, you would appreciate that a privacy first browser.
And even that today, the last time I checked has only 40 to 50 million users. So we immediately figured that trying to chase that possibility is a bad idea. So what we did instead, Sasha, is we have a browser extension which can be deployed on any browser. Chrome, Edge.
Now we also are about to support Safari, Firefox, Opera. So the best part really is all you have to do is deploy a browser extension. Browser extensions have superpowers. Superpowers in the sense that they can monitor browser events, page events, intercept, proxy, do a bunch of stuff which allows us to monitor every web workflow that is going through the user's browser, inspect critical elements, allow enterprises to tap into those elements and apply granular policies.
And based upon that, either block or isolate those workflows. We are in a world of AI. AI is everywhere. All of the keywords, LLM, SLR, AI, Gen AI.
The SquareX, are you guys using AI in any capability or in any capacity to accelerate the identification of the patterns that may be anti-patterns in the user's flow? Yes, yes. I think great question. And we do it in three ways.
The reason I never lead with the word AI is, I mean, to your point, that word is so keyword stuffed at this point is. It's almost like Web3. It's almost like crypto. The moment you use that as a prepend to any introduction, people's bullshit filters kind of get tuned to an all-time high.
How do we use AI? Well, three different ways. One is, of course, because we run in the browser. At that point, we are looking at hundreds of thousands of events which are happening in the DOM, in the browser.
And we have our own lightweight ML models which are running in WebAssembly, which our browser extension ends up loading within the browser itself. So that a lot of attack detection is happening right there at the place where you have the richest metrics rather than having to ship all of those back to the cloud, which is not even practical. Because imagine the sheer number of changes happening on a page at any given time. And then you have to worry about the data privacy of that set of data that you have shipped back to the server.
And then you would have to answer more questions from your customers. Well, what type of data do you protect? Which is an overhead where you as an ordinary day find a reverse plate. Absolutely.
And to your point, we are firm believers that if something can be done in a privacy safe way, that should probably be the de facto way to do it because it safeguards people's data. And at the very same time, to your point, puts very little onus on us to have to worry about what's really happening on our server. So that is the first place. The second place what we've done is with LLMs.
I think the greatest beauty of LLMs in my humble view is that now you have a language interface to interact with anything which is ultra complex below it. So our rule policy language has hundreds of parameters, has a policy engine capable of creating arbitrary scripts. And of course, today, if you were in Palo Alto, there would be courses for administrators who would have to go through this and certify before they're allowed to test the product. But SquareX is a startup.
We expect people to go through all of those tons of documentation before they can be product. I think no one's ever going to use us. So what we did is we created a LLM language interface where you could pretty much just go in and say, hey, block all websites which are downloading encrypted zip files and which may be less than 90 days old. And this is as high level as our policy languages.
And we then work on it and distill it down to smaller parameters and create all of these rules. And this is the second way that we apply AI. The third and final way is security is a needle in a haystack problem. Hundreds of thousands of events.
There is so much chaos. So we have an AI co-pilot which can look at all of these events and summarize them in a very simple way for admins so that they understand what is really going on on their network. We just face a very broad field. It's very complex.
I think we as professionals have done an amazing job with very complex solutions in a very complex space. So props to you for trying to elevate or rather hide the complexity associated with some of the problem that functions in the space. Correct. Correct.
Absolutely. And look, having been in this space, I mean, I said 20 years professionally, 12 years as an entrepreneur. I've realized that most of the time when you talk to administrators, they are unable to even fully uncover what a product is capable of. So product feature discovery and feature use is a real problem.
Unfortunately, most people don't want to acknowledge. And that was one of the biggest reasons we did this. Usually, well, usually it requires a lot of great films, a lot of dashboard setups, and you have to essentially take a core record in a product in order to understand it before you can properly set it up and take full advantage of it. Yes.
And you can imagine as a startup, if that's the barrier you're creating, I think your product is never going to see the light of day, right? No one cares. Make it easy. Make it fast.
And probably you have an opportunity to do something here. I love making it easy. Make it fast. Hide the complexity of a lot of these really intricate data overflow problems and just cut right to the semantic meaning of what's going on inside the system and do it in a private, preserving way right there in a browser.
To ask a question that's a little bit on the entrepreneurial side of the house, what sort of go-to-market strategy do you find is most effective? Because it is a problem of getting the word out, inducing great work, all of the blood, sweat, and tears have been poured into simplifying hard problems. How do you think about that? Yeah.
No, that's a great question, John. And what I did is, of course, I derived a lot of inspiration from what we had done in Pentester Academy before. Pentester at the time of sale had over 150,000 people on LinkedIn following us, 200,000 people on Twitter, I think 250,000 people on Facebook. So I think I've always valued the power of the community going behind you.
And to do that, of course, you have to begin with contributing to the community. It is about giving first rather than taking. I love that. And that's really where what we did very early on is very consciously, we said, look, we need to create and put out a very early version, which cybersecurity IT people can use and try.
And of course, this does not need to be the fully featured enterprise one, but something they could end up using in their day-to-day environment. So one absolutely common case everybody faces in every enterprise is you receive suspicious links and files. And at this point in time, for you to open it up, detonate, try to see what there is. People tend to create VMs or they might have to buy extremely expensive products or rely on browser isolation from one of their larger vendors.
But that doesn't really allow them to inspect into what is happening. So what we did is our isolation features, we put it out as a free extension. And we told folks, you know what, if you want to detonate website files, do some analysis, go use more power to you. That allowed us to test the stability of the extension.
But interestingly, what happened, and this is exactly what I was hoping for, is, I mean, you said 100,000. Now you're very close to 200,000, by the way, people using it. Wow, congratulations. Yeah.
And that led to a bottoms-up adoption. So we had security teams writing in and saying, hey, do you have an enterprise version? We would love to go ahead and try it, try it. Many of us are already using the free version individually.
Now, so in the GTM, I primarily looked at it from a three-pronged approach. The first is bottoms-up. Practitioners who are finally going to be implementing, the sooner you can get something in their hands, the faster adoption can happen when even top-down somebody reaches out and says, hey, this is SquareX, have you heard of them, do you want to go use it? Now, top-down is very important in security, right?
For inline security products, the CISO has to write the final check. Underwrite the risk if this is an early-stage startup. So there, I figured going to RSA, going to the large conferences, trying to get a very good advisory board. So we have the who's who.
Jeff Moss, the founder of Defcon and Black Hat, is an investor advisor in the company. The head of Black Hat is an advisor to the company. A lot of founders in Silicon Valley who sold their company are all investors' advisors into SquareX. So that allowed us to go ahead and get those warm introductions so that we can talk to CISOs, understand their problems, and see if there was something in here.
The third part, which I absolutely enjoy doing, is thought leadership, but doing bleeding-edge research in your field. Not just writing white papers, which are a summary of what you want the world to believe, but rather pushing the boundary and edges of how attackers are breaking products, what next generation should look like. Speaking at Defcon, speaking at other hacker conferences. So this year, literally, we are doing a main stage talk at Defcon on how attackers could trivially bypass secure web gateways and sneak through even well-known malware and malicious websites.
So this way, we hope when we talk to any potential customer, we can give them the CISO view, we can give them testimonials from practitioners who are already trying it out, and also show that SquareX is trying to move the needle when it comes to what bleeding-edge in this space looks like. Oh, no, that sounds perfect. You command the expertise with thought leadership. You have bottom-up adoption of users, but you have top-down monetization for your company.
Because, of course, to build a company and to build it responsibly, there has to be some sort of monetization strategy. And I think you hinted to it just there with the top-down piece. That's perfect. If you were to, let's say we fast-forward into the future, and I'll let you decide exactly how far into the future you'd like to fast-forward, but we're fast-forwarding into the future.
Would you be willing to share with us, what does success really look like for you and your team there at SquareX? Yeah. So, I think, John, having built companies before, I always measure success of a company based upon the impact that it can have. And impact primarily is, hey, are you changing the space for good in some fundamental way?
I wouldn't go all the way out and steal a quote from Steve Jobs and says, make a dent in the universe and all of that. I mean, those are very strong, too wide statements for us. We can read those. So, I would instead say for us, what is going to be important is, we have a very unique point of view on the problem of web security when it comes to enterprise employees being online.
And we have a very contrarian view to the rest of the industry, because the rest of the industry is still looking at solving this in the cloud, while we are saying, solve this in the browser, run something browser-native entirely in the browser. So, I feel success for us is going to be that this point of view starting to get adopted by the rest of the industry. And when people look at this and say, hey, you know what? These guys are right.
If you had to detect attacks reliably, you have to do it the place where it happens, which is in the browser. So, at the very same time, I think we have an amazing opportunity here, right? Everyone in the world uses a browser. Every enterprise employee has a browser.
So, I wouldn't go in and jump and say, that's our TAM, SAM, and all of that. But I would basically say the opportunity here is literally us, or eventually other players who might also believe in the same thesis, have an opportunity to literally reside on every browser on planet Earth. And that was one of the big reasons we gave out a free version as well. And we planned to put out a free WebAV or Web Antivirus version for anyone in the community to use, which can protect against attacks.
So, that is our vision. That is our dream. The impact is, could we be on every browser in the world? And could our nuanced point of view, could our contrarian view, be something which the industry ends up adopting at large?
Amazing. Modern systems are being built with a lot more security standard, current security baselines in mind. And one of the biggest threats to the entire system is through access control. How do people communicate with systems?
You are 100% correct. Most of the traffic is through web. It's through your web browser. And it just makes total time to have that oversight over what is going on within your DOM, what is going on within your object in the browser.
To give it that extra layer of assurance that whatever you do is properly protected, whether you accidentally clicked on the link without the NGR, NIF credentials, or took BEST and tokens away and sent it out tomorrow. Correct. Absolutely. And Sasha, if we kind of rewind, right?
Almost 15, 20 years back, I think all work was happening on the desktop. And that is where we were downloading different applications to do different work. And that is when endpoint security came in, EDR, eventually XDR and all of that. And exactly to your point, now all work happens within the browser.
And what you do when you want to do different kinds of work is you go to different kinds of websites. And that is really where we hope that similar to the whole antivirus to EDR to XDR kind of evolution and revolution, the same thing will happen in the browser where you will have browser detection and response systems, something I like to call BDR, a stealing from EDR. And hopefully that has its own little evolution as well. Yeah.
That's nice. That's nice. So if you're having a conversation with a CISO like you've had many times before, and you're explaining your vision and you couch it in, what's the pitch? What's the hook for them to really pull the trigger?
Is it help them with certifications with ISO 27001 or maybe like a SOC 2, type 2? Or this is, we're getting, we're cutting through all of the certifications and we're having a real conversation about real security. Yeah. I mean, John, that's a great question.
So what I generally try to do is either before the call or in the very first few minutes of the call, I try to understand what kind of CISO is this gentleman or lady. And I kind of put them in three buckets. One is CISOs who are hyper-technical. And what I mean is they've kind of gone ahead and done security research.
They've or been engineers or built products. And these CISOs jump right in, right? The moment I say browser, hey, hold on, do you do this? How do you solve this?
There, I'm a quiet listener and I get bombarded with super technical questions. And the moment we are able to answer this, people are impressed. And they're like, okay, now show me how you do this. So the second category is where CISOs who primarily moved in via more of risk compliance and management tracks.
So generally what tends to happen is they go by Gartner and Forrester reports. They go by vendor comparison charts and all of that. And most of the time in that case, what tends to happen is I jump in and I say, hey, what are the use cases none of your vendors have solved, especially the web proxies that you use and where you feel this is important enough. So that gets them talking because anytime to your point, you position a disruptive product, people don't know about the category much.
People don't even know how to visualize. Yeah. When I say...
If you create something new, there's no conceptual model of it before, right? Exactly. So the way to attack...
Yeah, exactly. So the way to attack it in that point, I felt it's just pure use cases.
Go in and say, hey, give me use cases which are unsolved. Give me use cases of where you feel your employees on their browser you would like to know more. And the third bucket is unfortunately people who've already been burnt by attacks. So they just walk in and basically say, hey, we had this single sign-on identity hijacking attack.
Nothing solves it right now. Do you do it? And I think they want literally a pointed response is yes or no. And if you say no, they're like, hey, you know what?
I'm out of this call. There's nothing else I want to talk about. Maybe this would be a great...
Maybe this is a great opportunity to remind of a recent attack. And I'm not asking about a privately disclosed availability or successful attack, but rather something that is an attack that could have been prevented by SquareX. So I'll give you an example where I'm trying to...
Yeah. So unbelievably, even today, the most common attack which organizations worry about is spear phishing attacks.
And now what's been happening is with LLMs, the mails sound better. They're more contextual. The websites look better, right? Nothing looks broken and run down.
The grammar is all good and all of that. So I think what a lot of...
So this specific attack, what tends to happen is employees get links in SharePoint. And these are private SharePoint tenants that attackers create. And literally what tends to happen is the link goes where it says, hey, can you please go ahead, fill up this form or download this document? Now, SharePoint, literally every web proxy is going to whitelist by default, right?
Or else your entire Office 365 infrastructure might end up going round. And it's very difficult to even figure out this is a new versus an old tenant because, hey, those subdomains are all created in very crazy different ways. So what we found was what was happening is attackers would send this SharePoint link. And once you click on that, it would open up a third-party website where there would be a form which would probably end up mimicking your Microsoft login because, hey, this is all SharePoint.
And because the starting point was a clean, good URL, which is actual Microsoft SharePoint, most users don't really worry much about it and think, oh, you know what? Like I'm on SharePoint. I want to access this document. Okay, I need to re-login once again.
And that's really where the keys to the kingdom are lost. Now, the tricky part really is a web proxy, unfortunately, cannot correlate where you were before and how you clicked and went because web proxies are only looking at individual URL requests in a stateless way. So they can't reconstruct that this was one tab on the user's browser where a page opened, a link was presented, you click on it, then another tab ended up opening and all of these correlations. So when the company presented this to us, they said, hey, I don't even know this can be solved.
And incredibly, because we sit in the browser, we can actually create a hierarchical tree where we basically say, hey, this was SharePoint. Then this next website was opened via it, but it is not belonging to one of your known domains. And now it is actually presenting your form. So the simplest solution we gave to the enterprise and they happily agreed is for all non-whitelisted SharePoint subdomains, if any link is clicked, then all web pages opening via that, you should not allow the user to enter any form of input, including a password field.
Yeah. And you are essentially a pre-hook into that logic. You block the actual report that you did it. Exactly.
Because what we do is the moment we see that an unknown SharePoint was open and a link was clicked, the policy activates. And even though we allow the user to visit the next page, the moment he tries to enter something into an input field, like a password field, we end up blocking and saying, this is read-only request for an exception. And unbelievably, that was such a big aha, eureka moment for that entire team. Because there was no way for them to correlate this web workflow and figure out how you could use previous past context to apply a future policy.
Beautiful and elegant. That's like, Dale, Pete. Thank you so much. Yes.
Yes. Absolutely. All right. This is spectacular.
I like all of the new things that we can solve by just going into the browser and being creative and getting those creative juices flowing. What's been the best day that you've had so far in your entrepreneurial journey at Square? You've only been doing this a little bit over a year. So yeah.
Yeah. You have lots to consider. Yeah. I think the best day really was that when we were at RSA and we had so many people walk in and say, hey, I've actually used the free extension you put out.
I love it. And I'm really, I was waiting for you guys to put out something for enterprises. And this is something we are so happy about that you guys are here. And you wouldn't believe, I mean, all under NDAs right now.
So one of Fortune 50 companies, their main head of cybersecurity came in and said, I personally use your disposable browsers and file viewers to detonate suspicious documents and links. And Vivek, this is amazing. I think it's so seamless, so helpful that now I'm also teaching our IT folks to use it, not just security folks. I think in any journey, right, like people might come, people might come in and say, hey, the funding, I personally don't think funding is a milestone to be super happy about.
It's nothing more than more responsibility. You've taken people's money and hope you're going to give them the return that they're hoping for, right? Hiring or trade, right? You're selling a piece of the company for a fair value and they're giving up a little bit of capital for a little bit of capital.
Exactly. So hiring and growing the team, even that I don't feel is a great event because again, more responsibility, more management. People are coming and joining because they believe in your mission, vision. I think in my view and the company view, all I tell everybody is measure an impact.
That's it. Has your work made impact? And so to your point, that was fantastic because first time, face to face and not online, people came and said, I've used this. I like it.
Where is this going? I imagine that's just an amazing feeling to see the impact and to hear it firsthand from your users, from your go-to-market strategy, from the product, from blazing new trails in the security space, just by going into the browser. Yeah. Absolutely.
Sounds like very soon the SquareX word will become the verb. Today, if we want to search for something, we say Google it. And I truly hope that in a near future, we'll be saying if you want to protect your privacy in a browser, we're at a club.
Absolutely. I mean, I'm hoping for that day. And yeah, thank you so much. I'm sure it's not far off at your current growth rate.
Okay. But being an entrepreneur is always a roller coaster. And for all of the ups, there's also downs. And maybe you'd be willing to share a more vulnerable moment and share with everyone, perhaps the most challenging day that you had at SquareX on your journey so far and how you overcame it.
Yeah. Yeah. Yeah. So I'll share a moment, unfortunately, from where we couldn't overcome it, but taught us an important lesson.
So we were pitching to one of the largest, I think, consumer electronics companies in the world. And I went, met the CISO through a very warm introduction, which means again, massive burden on my shoulders because, hey, this was an introduction by somebody important. And I showed him the whole product and was pretty blown away. And I'd love to use this right now.
Could we set up a quick POC where I could try it myself? And what had happened was that because we are creating these new tenants, by mistake, it ended up shipping with a couple of policies, which we were still internally testing. I mean, as a startup, you have dev environment, you have preview environment, you have production environment. And...
It would be great if those are actually separate environments, Tim. Those are separate environments, but sometimes, you know, you're kind of steering between what you're deploying in each one of those.
And what happened was that we ended up deploying a few experimental policies, which weren't supposed to be deployed in that tenant, but mistakes happen. And the CISO tried the product. And within the first seven or 10 minutes, some of those experimental policies ended up hitting and there were some false positives and he uninstalled it. And after that, when I spoke to him and then we immediately realized the issue, we rolled back on that.
I wrote to him. I didn't get a response. I eventually bumped into him at a mixer. And then he said, look, I tried to use it and it did work.
And I explained to him and he told me something which I agreed. He was like, hey, Vivek, you are a startup. You need to make sure that you understand that someone like myself, if I give you time and if I give you opportunity, that is a privilege. So if you and your team didn't do the homework, that's on you.
And I apologized. And he finally said, look, the next time that I will take a look at what you have, it's probably a year later. So come back to me exactly in a year. And at that point, hopefully these screw ups don't happen.
So I went back and what we really did was create a very simple process onboarding people where there are multiple folks checking everything, including me as the final check, where I go in and emulate a potential customer, check all the knobs and turn things and make sure everything is okay. So I feel, John, to your point, I think startup journey, ups and downs. I think a lot of times you get hit in the face. The important thing is just to learn.
Sometimes there is no comeback and there's no sweet story at the very end. But I think that's the thing that you have to get used to. There's a very important saying, if you're not making mistakes, you're not growing enough. And to be an entrepreneur and be the founder of a company, it's important that we get out of there every day and do things to as much as we can.
Mistakes will be made. There's just no way around it. It's about how we react to them. Absolutely.
Absolutely. Yeah. Sorry, John. No.
I mean, just in addition to that, not a failure unless you give up. Absolutely. Absolutely. And one of the things I've seen is when things go wrong, it's important to understand that don't go into a blame game.
You have to understand that your team feels just as bad. Right. So it's very important as a leader to be supportive through mistakes rather than purely point out mistakes. So one of the things we do internally in the company is when something like this happens, I quickly talk about how to remediate this in the future.
And then I tell people, you know what, it's all good, all fine. And I generally take everybody out for a team lunch. If something bad has really happened, because that's the best way to cheer everybody up with a little bit of sugar rush. So place with a lot of good desserts.
And hey, then move on and live another day to fight the good fight. Exactly. It's just software, right? Life goes on.
No one died. No one died. I really appreciate you sharing the vulnerable moment too. Yeah.
That means a lot. Absolutely. Yeah. We traveled into the future with a previous question.
Maybe let's have an opportunity, Vivek, for you to potentially travel into the past. And if you could travel into the past and meet your younger self, two questions for you. The first one is, would you? And would you have any advice for your younger self?
I think, yeah, looking back, I would probably have told myself, start even earlier. And I'll tell you why, right? I was born and brought up in India. And India, I mean, especially middle-class family with parents working super hard, getting me the best education that they could.
So what tends to happen is there's always this concern of an existential crisis. And when that is ingrained early on when you're growing up, then generally you start to become very risk-averse. So I had this itch of trying to go do something for whatever I wanted to do for a long time. But my younger self was always scared, right?
My parents were big believers, big supporters, but they were always like, don't you think you should work a few more years and maybe? And that was always because if you didn't have a job, hey, you're on the streets and you're probably dead, right? So younger self is start early. The second thing I would say is be patient.
I have now become the firmest believer in the power of slow compounding. And unfortunately, the law of slow compounding, the greatest sacrifice it will extract from you is having massive amounts of patience where you just need to tell yourself, look, this is the goal I've set. And maybe that is a couple of years away. This is the path I've chosen.
Let's keep grinding. Let's keep going. I think my younger self, even when I was doing my previous companies, had a lot less patience. Anytime that things were going slow, slowly, I used to get a lot more frustrated, a lot more perturbed.
And I was like, ah, this isn't working. You know what? Something's going wrong and all of that. And I think now I tell myself when something is slow and a POC takes four months to kick off with 10 meetings with different people, I just tell myself, hey, this is the process.
So enjoy the process. So once you enjoy the process, I think you aren't going to be getting frustrated with the wait and patience is almost given because you're enjoying the process. So now I just go into a call and I say, I just want to enjoy talking to you as a potential customer, regardless of it never works out or this is going to work out after a year. That's beautiful.
You focus. It sounds like you do an excellent job staying present and just enjoy the journey, enjoy the present moment. Yeah, that's very important. That's very celebrate, celebrate small wins.
I know there's a lot of antithesis around this, which basically says, oh, you know what? I should only stop till you haven't reached like a billion dollars. And that's when you say you made something. I absolutely have a very different thesis.
My perspective is celebrate every small win. Make sure your team feels that they are winning as well. And I don't feel that doing that brings your hunger down in any way, makes you complacent in any way. On the contrary, I feel like having those small wins and celebrating them just compounds on the energy because you feel like you're making progress versus you drawing a goalpost a hundred miles away and saying, look, guys, we still need to get there, right?
It's nothing. It's still day zero. And I understand the whole day zero, day one analogy is, hey, stay hungry, stay full, let's keep doing. But sometimes taken out of context, it makes it look like you've never made any progress.
Well, we have a lot of entrepreneurs that listen to this show. And so this next question is a little bit of a leading question, maybe for some of them, but is there anything, is there a tool or a service or anything that comes to mind that you just wish someone would step up to the plate, build a nice solution and solve this pain point that you see and that you feel? So that. Yeah, there are so many of them.
I mean, I mean, being so what I'm going to what I'm going to say is said entrepreneurs. So I would say for most technical entrepreneurs, what tends to happen is GTM always is a blind side, right? Because we love so much building products that given a choice, we just want to keep building the product and saying, you know what? People will come because I'm building something so great.
So I think on the GTM side, what I would get is one of the things that now with LLMs and all of this is how can you take a core piece of original content and then create different versions of it, which can be disseminated in an automated way across multiple platforms. So as a simple example, if we did a video demo, could somebody build a tool which could take that video demo, convert that into a PDF report, convert that into a podcast with a narration around what is being seen on the screen, convert it into many other forms of collateral, and then just disseminate it automatically. I'm sure it's going to happen, LLMs, but it isn't there today.
I feel that would be amazing because just like in technology, we are looking for force multipliers. I think in GTM, something like that, well done and could be a massive force multiplier. Normally, we try to do it ourselves, but we still haven't succeeded. Great suggestion.
Yeah. Well, this has been absolutely amazing. Vivek, thank you so much for the time. I would also like to thank all of our listeners for tuning in to another episode of the Security Podcast of Silicon Valley.
I'm your co-host, John McLaughlin. I was joined today with co-host, Sasha Sinkovich. This has been a YSecurity production and thank you so much, everybody. Thanks, John.
Thank you so much. I really appreciate it. And thank you for all of our listeners. And your insights.
This was a very good show. Yeah. Thank you. Yeah.
This has been amazing.