64. Building a Billion-Dollar Security Company: Lessons from Drata’s Co-Founder and CTO

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of the hosts, John McLaughlin. I'm joined today by Sasha Sienkiewicz, our other host. And we have an amazing guest to share with everyone, Daniel Marashlian, the co-founder and CTO of Drata, an amazing security company here in the Valley.

Welcome to the show. Thank you. Welcome, Daniel. It's great to have you.

Congratulations on all of the success with Drata. I felt like it just sort of showed up out of nowhere, was a really nice, viable alternative to that other platform. Yeah, it does kind of seem like we came out of nowhere. And we're approaching our four-year mark in market, like three and a half, three and three quarters, somewhere in between there.

If you're, you know, little, little, I mean, we're still like little toddler size, right? So you can say three and a half, I think still. But we're getting there. That's fun.

Do you think of yourself as a security person? Are you a security person? I would say, so I'm a serial entrepreneur. I'm on the tech side of life.

I've been, you know, trained programmer, been programming for 20 plus years, expert developer myself. But as that first engineer in all these companies I've started, I think I've lost count. This is my eighth from my last count that I did. Some, you know, we started and shut down in three, six months and some we went on to exit and beyond.

But you always had, as the first engineer, I had to be the security engineer. Not only from the engineering app sec side, but, you know, IT, you know, networking, firewalls, all that fun goody stuff, offense, defense. But it's always had to be that. But I wouldn't say that's where my career was.

And then as we grew and whatever, you know, company we did, you know, eventually you would offshore that and hire a security engineer or whatever it may be. But it's fun. It's fun being involved with that team. That's one of my favorite teams at Drata to work with.

They're awesome. And so obviously always pass it down to the experts. But yeah, in terms of a career in cyber, the answer is no. Right.

Like you go look at the cyber security community of companies for the past 40 years. And that wasn't my forte in my career of the past almost 20. Now it was in B2B, social networking, education. And all of a sudden, you know, this go around, we started a cyber security company.

And some may ask why. Yeah. Why? Well, you got to be a little crazy to get into this security space.

Right. Yeah. You know, relatively short. We started a company about a decade ago, my co-founder and I, Adam.

And it was an ed tech is called Portfolium. Think of LinkedIn for college kids is the easiest way to think about it. And it worked, but it was a grind. Right.

It was your classic start. It was seven years. I think we raised I should I'm embarrassed. I should know how much we raised.

I think it was like eight million, somewhere around there. And we did end up selling it seven years later to Instructure, the makers of Canvas. But in that journey, it was a grind. Right.

From starting it from the bottom up approach, more like a social network to realizing where the revenue and sustainability of the business would be is more top down to the universities. And the more and more we got to selling to universities, like almost every time the CIO or someone like that would come in and it'd be like, this looks great. Love what you guys are doing. How are you going to protect our student data?

And, you know, it kept coming back to the extremely long security questionnaires or let me see your SOC 2 report. And even a decade ago, it was like SOC 2 what? Like we're on AWS. Don't worry about it.

Let's go. But, you know, then you like, OK, this is serious. Like we're starting to block deal flow. And obviously the security aspect is super important.

And so it was let's look into this. Let's dive in. And then once I did, it's like you don't know what you don't know. Hire a consultant.

Rip engineers off the roadmap. Go through the whole gamut. And for a small startup, I think we had six engineers at that startup. Ripping three engineers off to help go get a SOC 2 report is no joke.

It's a big decision. You know, we did it. All good. But then in that journey of being acquired and working with Instructure's security team, it was awesome.

Like it was weird in a way. I was extremely excited about compliance. And I think the reason was is I saw the pain that sales teams, my sales teams particularly, went through of like trying to help to go through procurement and increase deal velocity. So it was like, all right, well, how's this big multinational, multibillion dollar company doing it?

And they had a big size security compliance group. And so I wanted to learn from them. Canvas is one of the largest brands and probably has the world's largest set of data around students. It was like same way that I was doing it.

Spreadsheets, screenshots, Jira tickets, meetings, but not of like a 40 person company, like a 1400 person company. It just opened my eyes to, whoa, I really think this is how the industry is doing it. And while Canvas is a decent sized business, it's not 14,000 or 140,000. So you could think about those very large entities and they're just doing it by hand with just humans.

And it was like, you know what? I think we need to automate this for the industry. You felt that pain. Yeah.

And you're like, let's do something about this. Yeah. When we start talking about automation, where do you begin automating? Because there's so many different things that you automate.

Yeah. How did you lend your top three automatable spaces or subset of the problem itself? It really, when we say automation, not that it's limited to this, but there's a big emphasis, which is continuous evidence collection for security controls. I don't think anyone's excited about having meetings, collecting screenshots and like getting evidence of how I effectively operate a security control in my business.

That's not the fun part. The cool part is setting up structure for your business to run secure, you know, a well-oiled machine. And the output is call it this artifact that you can use and to build trust as you continue to grow your brand into different. Those are great.

That messy middle is kind of boring and gross and mundane. And that's what we're trying to automate is that continuous collection of data. How do you guys take advantage of the AI or Gen AI technology as a whole? And what are the specific new developments that you're personally excited about?

Really trying to understand the models, pick the right partner. We stayed with our AWS partner and using Bedrock and that technology downstream, which powered by Anthropic and like isolating and indexing and sharding the data appropriately. So we took a lot of time in the data pipelining and just the hard engineering part. Once that was done, we said, hey, application teams and product teams, what do you want to do with this?

And so now we're starting to sprinkle all that in across the app and all these workflows that we see a human might take, you know, whatever from an hour to 10 hours to do. It's like, how do we use generative AI to reduce that by 90%? So that's where we're starting. And that's been kind of, you know, the first six, nine months was the infrastructure.

Now it's been roughly nine or like three quarters or so of sprinkling AI and workflows in. And as we look forward, you know, into next year and beyond, it's continually, you know, finding advancements, automations, reduction of time tasks. That's great. And I think we're going to be like, I think the thing I'm most excited about that we've been talking about is like, if we don't continue to innovate, someone else will, and we don't want that to happen to us.

So we even have like a little team inside Drata of like, go, go disrupt ourselves, right? Using AI and make sure that we're on the cutting edge of that. So that's, that's kind of what I'm super excited about. Yeah.

And this is quite common topic of how do we ensure that we don't slow down as a company? So inside Drata, what does a typical day look like for you? It definitely varies day to day, but from doing podcasts to, you know, CISO dinners and fun marketing field stuff. But on a more technical day, call it, sometimes it's, you know, what I always say, a hundred five-minute problems every day.

A lot of times that is one of my days. It's, and that's fine. It's not really, it's not a complaint. It's about a realization of the role of, we have about, I haven't seen about 550, about 250 ish, somewhere in there on, on technology.

And that's a lot of people, a lot of concerns, a lot of help. And if I can go help each one of them move even, you know, 20 minutes faster, that's awesome. Like I'm doing my role as a leader across everyone. So a lot of times I'm very involved across code reviews, architecture reviews, any IT blocking stuff and collaborating with those respective groups to just move everyone as fast as possible.

But, but then sometimes last week, actually we grabbed all the technology leaders. So any director plus that reports up to me or Brian, my head of product. And we grabbed that whole group for three days and did a, you know, 2025 look ahead and planning session. So those are fun days too.

I always call it like changing elevation. Like you need to be able to fly at 30,000 feet, operate and lead the business and think forward. But if there's an incident, which, you know, hopefully we have none, but you know, they'll always happen from an incident to a code review to whatever that literally next moment, be able to drop down to the ground floor with the troops and being able to do a code review, architecture review, help through an incident, whatever. I love that.

I love also that you, you still get your hands dirty here and there and pay attention to where the rubber hits the road. Absolutely. Yeah. I, I, that's a, been a philosophy of day one that I've always been a leader.

So when I went on my entrepreneurial journey, it was like, as I hire people, as I bring people on, especially leaders and managers, like you have to be technical. So everyone from me to directors, the managers that I see is like everyone is super technical. Obviously we have our respective roles and, you know, pie charts of duties, but when it comes time, we all can jump into the code. What's the, what's the most important quality of a leader?

Do you think? That's a good call. Um, I think just have respect for the people you're leading and know their craft. And a, if you can earn their trust by relating to their pains and their, uh, wins and their craft, you can build trust with them for them to follow you forever.

So like, as example, I've, uh, I've been working with my head architect, John, for almost 20 years now. And, uh, we built four plus companies together and it's like that guy's an unbelievable resource, but, uh, it's his trust that no matter what I, I got his back of, of, uh, what we're going to build. He trusts me on the business side to like, make sure we're, you know, getting paychecks and all that fun stuff. So, uh, yeah, there are many more like that at Drata that I've worked with time and time again.

It sounds like a, a really good, solid, positive collaboration. Yeah. When you look into the future, what does that next like huge milestone for success look like for Drata? What do you, what do you see in its future?

I think the answer long-term is the other side of the business, which is upmarket and enterprise. And how do you disrupt that legacy thinking of GRC and needing to hire a 70 person security compliance team to maintain all these certs? 'Cause I'm a public company and I have to do SOX and I have to do SOC 2 and I have to do GDPR and all this other fun stuff. Uh, and therefore I need to hire humans to do it all.

How do we use a tool like Drata and reduce the human, you know, uh, kind of human capital impact that are still are humans that are involved, but instead of having a 70 person team, maybe have a 20 person team, I don't know, uh, whatever it may be. So, uh, I think like helping larger enterprises, uh, really adopt this new way of thinking of, of automating this program and kind of being there to like guide the machine versus, uh, having the program and the process guide you. Right. Become the standard.

Yeah. I see. I know. I love that.

I love that you're falling in love with the problem instead of like the, the answer to the question, how. So there's a, also very interesting question of how do you disrupt the existing patterns? Yeah. As we know, especially in larger organizations, it's pretty hard to come in with a new process.

It needs to be obvious to people who follow the process, why they should follow something new. Yeah. You know, we've been moving up more and more up market in the past couple of years. It's been great to see our ASPs increase and all that fun, fun stuff, but, uh, absolutely what you just said, right.

You'll find the innovative CISOs and GRC leaders, uh, and, and, you know, CXO leaders that are like, this is great. Let's automate this. Let's let's, even if it's not about reducing staff, but it's about, uh, automating this process to allow these very highly skilled security engineers, et cetera, focus on different problems and securing the business versus, um, that again, like I said, that messy middle of compliance. So they want to do it.

And then you go talk to the practitioners on the floor, that group of 70, I talked to, and there's a resistance, like they think we're going to displace them or they think, uh, it's not trustworthy or they think it's, you know, just a different way. So I think it's brand, it's communication, it's collaboration and partnership versus just here's a tool, go use it. I think, you know, I, I'm the biggest fan of GitHub, uh, and I love it as a developer and I'm sure the very, very large companies have like, you know, dedicated partnerships with them, but like, I just signed up for Drata.

I mean, now we have like, you know, probably 200 ish plus people that contribute to code on GitHub, but like, I just signed up for it. And when we started the company and I go, I never talked to anyone on GitHub. And I think maybe eventually as we grew to the enterprise plan, I'm sure we have a CSM that it manages, but like, we just use it and it's great. And that is a really great place to be, but you weren't like disrupting how I did code rolled back.

If you guys all remember, maybe, I don't know, 15, maybe more like 20 years ago. So like subversion was more of the popular, but then even before that, right. It was like this concept. Yeah.

Yeah. Yeah. And then the CSV or whatever. Oh yeah, totally.

And so it was just like, how do developers collaborate? And then, you know, GitHub and more importantly, Git came out and it just made the world of difference. So I'm sure in that phase, I never was really in that phase too. I use subversion, but it was like, I was the one fighting the team to go to Git very early on.

And we did that. But I think it's like, no matter what disruption of technology, the cloud, you know, the cloud computing wave is probably the best example, maybe the most modern examples, AI, but like, yeah, I don't think it's just like, here's the technology. Use it. I think you have to really build partnership strategies and just that customer obsession and care and that post sales world, like implementation and customer support and the customer success management cycles.

We just attach ourselves to our customers and we just customers are the center of the business. Therefore, like the rest of the business is surrounding our customer support group. Everyone is there to support them internally. And so with that effort, that's how I would say we win at the end of the day.

It's like the relationships and partnership that we give to our customers. I mean, you see it time and time again with AWS and others. It's like, I can talk to so many people at AWS for free to help me like figure something out. They don't charge for it because they know the more you're successful in AWS, the more you'll spend on the services.

So yeah. Customer experience is critical and UI, UX, all of this are trivial to the success of the organization. And I know some organizations shy away from creating a dedicated UI, UX team, or I should say customer success teams, because the idea is that everyone who is building the product should be that team member of the customer experience. You have to understand what are the pain points.

So what's the best day that you've had at Drata? That's a good one. I think launch day was pretty fun just because of this immense hard work. And we also launched in the middle of COVID and we started the business in very early July, like July.

I think we incorporate on July 6th or something of 2020. There's three co-founders and then a group of founding engineers, a couple founding sales individuals and our CS lead. So it was like from day one, it was this, you know, 10 or whatever person team that we had this like seven-year-old startup on day one. It was a cheat code that we had.

So all that work in development, R&D mode, stealth mode, and those, you know, just grueling, like literally 16, 18 hours a day of coding. That's it. Yeah. Just that culmination of this product where we were our first customer.

We used our own tool to get our own SOC 2 report. And the day I remember when we got it, we got our own SOC 2 report type one, because it was like the first one on January 14th of 2021. We launched on January 15th. The next day we wanted to have it and prove to the world that you can use Drata for what we're selling.

And so that was a really proud moment. That was fun. I would say just a couple more days come to mind was, I mean, the funding rounds are amazing, but the one that really stands out was our B round, the $100 million round to raise at a billion dollar valuation. And that was 10 months into the business of launching the company.

And from everything I've found online, I think we were the 10th fastest in the world to ever do that. And that was just a very proud moment of all my work and my career that obviously not just me, the entire team and what we did. And it was just, you know, I think the sense of team and it was smaller than I think we had like 40 or so people. It was just unbelievable, even in the remote culture that we had to just be there all together.

And yeah, that was super fun. And then I would say the third one was we won an award that got put like the S&B Tech 50. And we, you know, got on that list in their inaugural year. And it was at the NASDAQ floor and tower.

And so there was, you know, a whole day we're at the closing ceremony and up on the big thing in Times Square and stuff. And so I've just never had something like that in my career. So it was just like, again, a big surreal moment where me and Adam, my CEO, where our faces are in the middle of Times Square. So that was pretty fun.

Pretty cool stuff. On top of the world. Yeah. I can really feel the pride that you have in the team.

That's special. Yeah. Okay. So what about the most challenging day that you've ever had?

Fair enough. Sometimes one of the most challenging days was actually signing the term sheet of those big rounds. As a serial entrepreneur, not to say an exit is my strategy, but there's an amazing value to the individual person of myself or my family or, you know, my coworkers, families on an exit. And the more and more money you take, the more valuation goes up.

The pool of acquiring companies, not to say that that's the target, but there's always an option there. It just gets smaller and smaller. It goes down. So it's like, okay, we're going to go take this billion dollar round.

All of those three, four, $500 million acquisitions are out of the door. And holy cow, imagine launching a company in a year to two and getting acquired for four or $500 million. You'd be on top of the world. Like, that's an amazing story.

All those are gone and off our plate, right? I love where we're at and where we're going and like that we're marching towards an IPO, but like those options were gone. So those were challenging decisions that we did as a founding team. I would say on the technical side, probably, you know, there's incidents that happen just like at any shop and you get through those.

It's almost a mark of success, you know? Yeah. Something happened. Yeah.

You have to get through that just to get on to the next like big. Yeah. And actually, it's a really weird thing to say. Obviously, I never want an incident for sure, but they will happen.

And you see the people that step up and you see the people that truly are experts at their craft, but also have care for their customers and their business. And so that's really cool to see. If you could go back in time and meet the younger Daniel, would you? And if you would, what would you say?

Yeah, I would probably say get more. I got into tennis. I'm a big tennis player, but I got into it later in life at like 16 or so. But I remember my mom putting me in lessons when I was young, like six or something.

And I would have probably said like stick with that and stick with team sport. And I think there's a lot of life lessons in being in sports and playing as a team and winning together that you learn even now in business. And again, like I've said, it's all about the team and the people that build the product. So where did you grow up?

In Sedona, Arizona, a little tourist town. When MP3s first came out, the world's largest MP3 player was called Winamp. And I think worldwide, right? It was AOL eventually.

Oh, I used Winamp. Yeah. So Winamp was out of Sedona, the team that built Winamp. And it was cool to see that as like, you know, even younger kid, like, you know, geeky kind of into computers, like, whoa, this is cool.

It was built where like, you know, they were like a generation above me. But so I didn't really know them personally, but you knew them around. And it was cool to see that that something like that could be built from that small town. I mean, I think there was like 8000 people from that live in Sedona or something.

So now I feel like with Drata, I think we beat that number to have the biggest tech success out of Sedona. So being a founder can be super stressful. Sometimes there's just like super high highs and super low lows. And there's never the same day twice to balance that stuff out.

Do you use tennis now as part of your. Yeah. Repertoire of tools to like unwind a little bit. Yeah.

When I do, I when I do play tennis, it's that like the rest of the world melts away because you're only thinking about that, which is fun. But, you know, I think spending time with friends and my family, my wife and, you know, we live in San Diego. And so going to the beach in the summer and. Yeah.

Well, we have a lot of entrepreneurs that actually tune into this podcast. And this is maybe a little bit of a leading question, but. You just wish that there was one tool or a product or something or a problem that someone would just fall in love with and go build the right thing already. So you don't have the pain point anymore or anything like that.

Cross your mind. Yeah. I mean, the answer is yes. But then which one?

Yes. It's funny. At the end of the day, while I'm a, you know, hardened technologist from development to hosting and the entire gamut, sometimes it's like I hate technology. Not, not the out product, but being in the weeds, like hosting stuff and scaling it and databases and networking.

And it's just like, blah, I just want, like, I'm a software developer by trade. Like I just want to write code and create and the art, the artisan of it. I don't want to know how the canvas is made. Just let me go buy a canvas and I'll use it.

Right. Again. I love that stuff too. On the other side of my brain.

Cause that's why I do it lead. But sometimes like, I just want to use stuff. If you had to lay down a specific example, I would say two problems that I've faced lately. We use, uh, uh, AWS ECS, the elastic container service.

Oh yeah. Yeah. And so, you know, I'm like, if there's, if there's a fire, there's a one line bug change code, line code chain. Okay.

That sucks as an incident, but I fixed it. I want it out as fast as possible. But in like the way that you push it up in a get, it builds the container. It releases out to ECS.

It, it like swaps out, you know, the containers. It's like 20, 30 minutes based on however long things take. And it's like, I need that down to like one minute or three minutes. So that boot time that just fighting fires in this containerized world is a little slower than our older days where it's like, you know, like PHP just pushed the file server.

It's up because it's interpreted, uh, uh, old school style. So that's one. Uh, the other one I would say is honestly, I think this would be a trillion dollar idea. And I think AI is really going to help eventually solve it for people.

But, uh, if I'm, we're building, we're all building software and, and it gets more and more complex in the neural network of the complexity of changes are, you know, become more and more dependent on each other. So there's a new requirement that comes in or a bug, whatever. I'm going to go fix it. I'm going to go fix this, or I'm going to add this.

What does it impact? Like as a quality person, even, even if you don't have manual QA people and you want to rely on software engineers and tests, or even the developers to write the tests, where do I know to go add more logic and more tests and what to look at to make sure it didn't break. And as your app is small, not that hard. Like we're, we're into almost four years of writing software.

Crazy. Imagine getting into like 10 years, 20 years of a like set split Salesforce, right now it works where people split it out and you have microservices and they're, they're independent, but it still is a mesh of everything. So a tool to say, Hey, you're changing this one line of code or this function. You need to go check these six spots.

And it just that time to make sure everything works. That's a, that'd be a really amazing tool. I would love that. It sounds magical.

Yeah. Would you like to leave our listeners with any words of wisdom? I would say for those young entrepreneurs or individuals thinking of starting companies, my advice is it's going to be the hardest thing that you've ever done, but at the same time, extremely rewarding. Just dive in with both feet and, and go all in, you're right.

It's tempting to sit down and turn your brain off and watch the reruns of Friends or something at night. But instead of that, learn about a new, you know, design paradigm, learn, you know, go watch the F8 conference or whatever it may be. Just learn, keep learning. For all of you that are just getting started in your world of compliance or even broader GRC governance, risk and compliance.

We really help make it easy. On average, it takes roughly 500 hours to maintain your SOC 2 report. We get that down to about 50 hours, right? Roughly an hour a week.

And we can just kind of tap you on your shoulder when something's going on. So it just makes it easier. Amazing. Well, thank you so much again for joining us on another episode of the Security Podcast of Silicon Valley.

That was Daniel, everyone, the CTO and co-founder of Drata. I'm John McLaughlin. One of the hosts was joined by Sasha Sinkovich. Thank you, guys.

Thank you.