CyberWire Daily - Microsoft for Startups: The benefits of the cyber startup ecosystem. [Special Edition]
Episode Date: April 27, 2025
Welcome to the Microsoft for Startups Spotlight, brought to you by N2K CyberWire and Microsoft. In this episode, we are shining a light on innovation, ambition, and the tech trailblazers building the future right from the startup trenches. This episode is part of our exclusive RSAC series where we dive into the real world impact of the Microsoft for Startups Founders Hub. Along with Microsoft’s Kevin Magee, Dave Bittner talks with an entrepreneur and startup veteran, and founders from three incredible startups who are part of the Founders Hub, each tackling big problems with even bigger ideas. Dave and Kevin set the stage speaking with startup veteran and Cygenta co-founder FC about making the leap from hacker to entrepreneur. Dave and Kevin then speak with three founders: Matthew Chiodi of Cerby, Travis Howerton of RegScale, and Karl Mattson of Endor Labs. So whether you are building your own startup or just love a good innovation story, listen in. For more information, visit the Microsoft for Startups website.
Transcript
You're listening to the CyberWire Network, powered by N2K CyberWire special edition, the Microsoft Startup Spotlight, brought to
you by N2K and Microsoft for Startups.
I'm Dave Bittner and today we're shining a light on innovation, ambition, and the tech
trailblazers building the future right from the startup trenches.
This episode is part of our exclusive RSAC series
where we're diving into the real world impact
of the Microsoft for Startups Founders Hub,
a no cost, no funding required platform
built to empower startups with everything they need
to grow fast and build smart.
We're talking free access to cutting edge AI tools
like GPT-4, up to $150,000 in Azure credits,
and one-on-one expert guidance to turn bold ideas into resilient, scalable solutions.
We'll be talking with founders from three incredible startups who are part of the Founders Hub,
each tackling big problems with even bigger ideas.
So whether you're building your own startup or just love a good innovation story, stay tuned.
This is Microsoft Startup Spotlight,
and the future starts here.
Well, welcome everyone,
and this is the kickoff of our CyberWire N2K special edition
showcasing Microsoft for Startups-supported companies.
We're talking about Cerby, RegScale, and Endor Labs.
Before we get to that, I want to welcome to the show
Kevin Magee from Microsoft and FC,
a very well-known and renowned hacker
and also an entrepreneur in his own right.
Let me start with you, Kevin.
Welcome to the show.
Thanks, Dave.
Thanks for hosting us.
And FC, always great to catch up with you, my friend.
It's been a little while,
but I'm happy that we get this opportunity to chat.
Yeah, thank you.
Thank you for having me on, Dave.
I'm really, really looking forward to this one.
It's going to be an interesting conversation, I think.
Well, Kevin, can you set the table for us here
when we're talking about Microsoft for Startups, which is something that you run at
Microsoft? What do you want folks to know about that endeavor?
Yeah, I think what we're
really focused on is looking at using the ecosystem that Microsoft's creating,
not just a technology, but the access to enterprise customers, the trust we built
up in the brand over many years,
and then just our marketing machine.
The big microphone, I like to call it, of Microsoft.
How do we hand that to founders and start-ups and innovators
so that they can get the attention that they deserve,
so we can drive innovation, so we can get innovation
into the hands of the folks that most need it now,
because it's harder more than ever to get that attention.
I founded my three companies in the 90s, two successful, one
I don't like to talk about, using BizSpark,
which was the predecessor to the Microsoft for Startups program.
So it's so cool to be involved after all these years,
and I have that connection,
and I remember what having sort of that big ecosystem to plug into,
to be part of something
to help accelerate my business did for me.
And that's what I want to bring to our startup founders as well.
Well, FC, you have personally made the leap from hacker to entrepreneur.
Can we talk about that journey a little bit?
What's your origin story and what led you to where you are today?
So my origin story was I was weirdly bitten by a radioactive spider.
No, no, not really.
You too?
Yeah, yeah, it happens.
Didn't do any superpowers.
No, so I was working as a defense contractor.
I was the head of offensive cybersecurity for Raytheon for many years and I was getting
a little bit frustrated with all the red tape. And there's a fantastic adage that says
you'll never get rich working for someone else. And so it was like, hang on, I need
to get rid of the red tape. I also need to go and make some decent money for
myself. So my wife and I started a company, Cygenta. We started that many years ago. And we took the hard route.
We went with self-funding. I think we put about $250 into it. I donated some computer
systems and that was it. That was the start of it. And it's been a fantastic journey.
It's been hard, but incredibly rewarding.
What are some of the specific challenges you remember
of building a company?
The biggest issues that we had, obviously being self-funded,
was money.
We struggled with money at the beginning.
We had to make sure that we had enough payroll and mortgage
and all of this stuff.
No one was going to come and save us. So that was a challenge.
That was a bit of stress. And then from there on, it's learning how to run a business. And that
is really hard. People just think, oh, I can just be an entrepreneur. I'll just start a company. I'll
start making money and then we'll get clients. There's lots of administrative stuff that you have to learn that you didn't realize
when you were just an employee.
Kevin, I think that is a message that echoes with probably anybody who's been an entrepreneur
who's listening that I think for most people they get into running their own company because
they want to do the work, not because they want to tackle
the day-to-day tasks of running a company, which is its own thing.
I think that's the problem when you make your passion your job.
It can become a challenge.
And really, I think we look at sort of the exits or the big IPOs or the big success stories,
but we really forget the amount of work and challenge
it takes to find a unique solution, bring it to market,
get the attention, get the funding you need,
all while figuring out how to make payroll.
I remember in the dot-com boom, running my first company,
I was interviewed for a magazine article.
I said, you're the president of a dot-com startup.
What's the first thing you do when you come into the office?
And I said it was take out the garbage.
Like it's these mundane things that really can
distract from building your business.
But ultimately, I think what gets us through,
and this is why I'm so excited about what we're building
at Microsoft for Startups, and I think FC personifies this,
is this hacker mindset is very much in tune
with the entrepreneur mindset.
It's experimental, it's adaptable, but it's also mission focused. And I think that's one
thing our industry is so different than any other industry. We're all defenders. We're
all trying to solve a problem. We're all trying to help people and organizations. So I think
that unites us in a way and lets us work together more collaboratively than potentially any
other industry as well too.
Yeah, I'd like to echo that actually. I think that the hacker mindset is actually really quite helpful in a situation of starting your own company because you don't know all the solutions
that you need when you start, right? So when we started, we didn't have a CRM. We didn't know
which CRM to use. We've changed CRM now three times. Having
the team around you that understand that you're going to make mistakes and that you're going
to change things and the way things work and the way that policies and procedures are done,
they're fluid. You don't go in with this just set of things that you've got and you go,
right, that's it. My business is now sorted out. You have to
understand what you need to change and change it quickly. And I think that was one of the frustrating things when I was working for other people is you could see what needed to change,
but they were so gigantic, you could never change them. Whereas being a small, independent,
entrepreneurial company, we're able to just make a decision. Like the other day, we're just like,
okay, we're not using Adobe anymore.
That's it, we just killed it.
And we're gonna find solutions as we need them
for other work that we need.
You know, FC, I think you have the experience
of being on both sides of things,
having worked for a big organization
and then taking that entrepreneurial journey yourself.
I think one of the challenges that a lot of entrepreneurs have is getting the attention of those big companies
and getting them to take you seriously.
Was that something that you found yourself up against when you're just starting out and knocking on doors?
Or did your experience from the other side serve you well?
I have to say we are incredibly fortunate, right?
So I founded the company with my wife,
who is incredibly good at her job,
and she is very well known.
So we came into the industry
already very well known as individuals.
And because of that,
a lot of people wanted to work with us straight away.
So we made profit in like
the first month, which is very unheard of for a lot of small startups. Because companies
want to work with us, we don't spend a lot of time doing the general marketing stuff
that a lot of people have to do. We have a backlog of people that want to work with us.
We are very fortunate that we have enough clout,
if that's the right word, to say no to certain people.
Like, I won't work with people that don't want
to actually improve their cybersecurity
because it's a waste of their time, it's a waste of my time.
So having that freedom is massive
and is very unlikely to happen
for a lot of people straight away.
Kevin, can you touch on some of the advantages when an organization that's coming up when
they partner with Microsoft for Startups?
I imagine having that subtitle, being a partner with Microsoft, helps open some doors.
I think that's the key.
Having that sort of brand recognition can really make a difference.
But if you're two researchers that have spent time in the lab,
building your solution or whatnot,
you maybe don't have those public profiles.
So that's something that we bring to the table.
But also just bridging that gap that FC talks about is,
enterprise leaders have all this challenge.
Big enterprises are risk-averse.
There is a lot of bureaucracy and whatnot.
But ultimately, what they need to do is translate innovation into an outcome,
and they need the understanding of what that looks like and build the narrative
for that business case to unlock that budget or whatever it takes
in terms of cultural change to adopt a new innovation strategy.
So one of the things I do in my day-to-day role, which is what I really enjoy, and I did the reverse, I went from entrepreneurship to the large company, is
bridge that gap and be that translator. Innovators want to move fast. They don't
want to have things get in the way. Enterprise leaders have the exact
opposite problem. How do you find common ground and how do you translate that
innovation into outcomes that can really, you know, build that story? And I think
you'll hear some stories from some of our
startups as part of the series that have really focused on
understanding that enterprise challenge, taking an
innovative approach to solving it, but then being able to
explain and articulate that solution well that allows that
CISO, that enterprise security leader, to build the business
case or change the culture to adopt it.
And that's really our mission is how do we get those best ideas
into market and how do we help them scale securely, responsibly,
and just sell more faster for revenue for startups,
but also making our enterprise customers more secure faster as well too.
Getting sometimes these two cultural groups to come together and speak
the same language
is a bit of a challenge, but when it does happen, amazing things can occur in terms
of an innovation learning loop and whatnot with our startups.
Well, FC, we're going to hear from some startup founders here, some really interesting companies.
What is your advice to folks who are in that situation, that person who is hungry to start
their own business, they feel like they have something that's going to solve some problems that aren't
being solved out there, and they're ready to go. Any words of wisdom?
Yeah, I'd say go for it. Just do it. I'm sorry if I'm going to get sued by Nike for that,
but just actually go away and actually start it, right? So I've had many,
many people come up to me and be like, hey, thinking of doing this, thinking of doing that,
like, when do I do it? How much, how much savings do I need? It's like, don't put your family
at risk. I don't like mortgage the house in order to do it. But make sure you've got a little bit
of money saved up as a slush fund,
and then just go for it because there'll be unexpected costs along the way.
And you don't want to be out on the street with nothing and saying,
Hey, I've got a company now. So yeah, plan it,
but then just go and do it.
Don't stop because you think you can't do it or that you have to have this
perfect plan. Just start it.
Just go and register the company. That bit alone doesn't take any effort.
It's very cheap to start a company. You don't have to trade with that company for ages.
You can just get it started, buy the domains, build small, and then it will go.
That would be my advice, just go off and do it.
All right, well I'm looking forward to hearing the stories that our entrepreneurs have to tell.
Kevin Magee and FC, thanks so much for joining us.
Thank you.
Thanks Dave, thanks FC.
Joining us is someone who's been at the forefront of cloud security long before it became buzzworthy.
We're thrilled to welcome Matt Chiodi, Chief Trust Officer at Cerby, a Microsoft startup
standout.
Matt brings over two decades of deep security leadership experience, including his time
as Chief Security Officer of Cloud at Palo Alto Networks.
He's not just a security strategist,
he's a voice in the industry.
You've likely read his blogs, caught his podcasts,
or seen him take the stage at major conferences like RSAC.
And if you're an IANS research follower,
you might also know him as a member of the faculty,
helping shape the next generation of cyber leaders.
Today, Matt's here to talk about trust, innovation,
and how Cerby is rewriting the rules on securing what he calls
the unmanageable applications in the enterprise.
So let's start off with just some high-level stuff here.
I mean, for folks who aren't familiar with Cerby and the value proposition here, can
you give us a little bit of the origin story and the problems that you all are looking
to address?
100%.
Yeah.
So, the origin story of Cerby, which I think is probably one of the most interesting, is that
our founders had started some previous companies.
After they left those companies, they were doing some work.
They noticed that they started using these various different SaaS tools.
They would start to use them.
Then eventually, the IT teams would come around and either shut them down or say to them,
hey, these tools don't support these standards.
You can't use them.
So they would get blocked by IT.
And it kept happening over and over again.
Go to provision a tool, a SaaS tool,
and then lose access to it.
And so that got them thinking, why are so many of these,
quote unquote, modern SaaS tools,
why don't they support these standards?
And they started to research it.
And what they found was that at the time it was easier
for these tools to launch without support for standards
like SAML, SCIM for provisioning and deprovisioning
than it was for these teams to build them out of the box.
And what that created was is that from a product perspective, when they actually spoke with
these companies, they asked them like, hey, why aren't you building this?
They said it's because our users aren't asking for these standards to be supported.
They don't care about them.
And so that got them thinking.
And the name of the company, Cerby, it comes from Greek mythology.
So Cerberus, the dog.
And that dog, that three headed dog, if you look at our logo, that three headed dog in
Greek mythology is what guards the gates of hell from breaking loose.
And that's what we do for companies when it comes to all those applications that fall
outside of the scope of their current identity stack.
Well, Kevin Magee, does this story resonate with you?
I mean, I'm thinking back to any experiences in your professional career of facing similar
frustrations.
Well, first off, Dave, you know, I'm a recovering historian, so I love the tie into the Greek
mythology.
I think it was the 12 labors of Heracles, he had to steal
Cerberus. But it certainly really speaks to sort of this challenge because the
most innovative and smallest organizations are probably those early
warning systems of because they're quick to adopt tools, start to see identity
sprawl in these early companies and now as big companies are starting to act
more innovative and more like startups,
we're seeing these challenges as well too.
But we've got CISOs that have to figure it out and figure
how to protect these large organizations.
I think there's real consequences to
the large organizations when we don't
have compliance across and hygiene across identities.
It's a great opportunity to look at new investment,
new innovation from both Microsoft's perspective
and our customers.
Well, Matt, help me understand here.
How widespread is this problem
when we're looking across the enterprise landscape?
You know, a lot of us who are in tech,
a lot of times we assume that every company is using something like a 365
or a very modern SaaS app.
And while they might use some of those,
that's not the only type of apps they're using.
We have found that even in some of the most progressive tech
companies, they have these what we would call disconnected
apps that they can't manage with their Entra
or whatever they're using for their IDP.
This creates all kinds of different challenges with these different apps.
There could be no multi-factor authentication, no centralized logs, broken off-boarding,
weak audit trails.
In terms of how widespread it is, we did research with the Ponemon Institute, and we found that the median number of these applications
that exist in an organization, it's 176.
That's the median.
It's not the average.
So 176, that means you've got organizations,
if you've got a multinational corporation
or a large financial services company,
you could be talking about having thousands
of these applications that exist, again,
due to the diversity of the applications that
exist in their businesses.
So the problem is it's very widespread.
Is this more of a legacy problem?
Or are we finding that the new tools that are coming along,
the new SaaS tools, do they have these capabilities out
of the box,
or is this an ongoing situation?
Certainly, some of them do support it out of the box.
But we did other research.
We looked at the top 10,000 SaaS applications.
And what we found was surprising.
We found that 47% don't support two-factor authentication,
54% don't support SAML,
and 93% don't support the SCIM standard.
And for those that are familiar with SCIM,
the system for cross identity management,
that is the standard that was created years ago
that was supposed to be available in every app
that would allow you to do automated onboarding,
offboarding, you know, someone moves roles,
things like that, to automatically update it
in those downstream apps.
So no, this is not a legacy problem.
I mean, this is why companies like Auth0 were created
on the market for the CIAM side of the house
and even other companies like Descope followed on
because the problem is so massive.
Well, I know you and your colleagues there at Cerby
are making good use of AI for identity security.
Can you share with us, how are you applying it?
Yeah, most of what people know about AI
is typically generative AI.
We specifically are leveraging agentic AI
and the best way to think about agentic AI
is that it is a model that is trained
on a very narrow problem set.
And then it can take actions autonomously
based on that training.
So if you call a help desk number,
you get an agent on the phone.
We're talking about humans here, at least for now.
They are very good, or they should be very good, at one thing. If you call, you know, help desk support and
ask them how to change the oil in your car, they're probably not going to be able to help you
with that. But they're good at one thing. So the way that we leverage that is we train
based upon the applications that we need to support. And these are, you know, typical
integrations with, you know, thousands of different applications. So we make use of things like computer vision,
graph neural networks, reinforcement learning.
And the best way I would contrast this
is when most people think about automation,
they're typically thinking of like script-based or RPA,
robotic process automation, and RPA is extremely brittle.
It breaks anytime something changes.
And in the case of most of these, again,
these disconnected apps that we deal with,
there is usually little offered in terms of things
in the way of standards.
And so it's super important that anything like this
be multimodal.
So we look at the app, and we look at, hey,
is there any APIs available?
Is there partial protocol support? And then based upon what's available in that app, we
can leverage it with our agentic AI.
So how do you make sure that the decisions that the agentic AI is making are both safe
and auditable?
That's one of the toughest challenges
to solve with AI right now.
We've got a number of patents that are pending,
and we certainly have not figured this out 100% yet.
It's something that we are actively developing
and working on, but there are a couple different things
that we are working on
and even working with some of our partners.
So people might be familiar with RAG, which is Retrieval Augmented Generation.
That is something that we are leveraging with our agents and it grounds them in their responses
so they're verifiable based upon our internal knowledge.
But safety and auditability comes from how we wrap that AI with structured decision logging
and policy enforcement.
So when we look at where we're going with the platform,
every AI, every agent that's taking
an action on behalf of a user or a system
needs to be logged who, what, when, where, and why,
not just what the model said.
You have to remember, AI is non-deterministic. When you're doing security things with AI,
it's got to be deterministic. And so, there will, at least for now, there's always going
to be a human in the loop. So, for example, if confidence is low or risk is high, we escalate
that to a human by design.
Kevin, what's your response to what Matt's describing
here?
I think what CISOs are telling me they want is really just consistency.
That's where the value is and allowing AI to ensure the policies are applied to
its applications that humans would forget or ignore or not even know about.
I think that's where the value that CISO really brings to the conversation and
CISOs are actively looking now looking to solve these challenges and for solutions that can do that.
You know, Matt, I know that Cerby integrates with Microsoft Entra.
Can you describe that combination and why that makes sense for customers?
Well, what we overwhelmingly see across customers and prospects is that they do use Entra for
their identity and access management.
It's already integrated as part of 365, and for us, it was a no-brainer to have an integration
there.
In terms of what we do, so Cerby integrates with Entra to apply governance policies, again,
out to those disconnected apps.
Now, normally, those apps would be outside the reach of
Entra. And so we help customers take their existing investment
in Entra, and then be able to extend those native capabilities
of Entra to those disconnected apps. So it could be
enforcement of zero trust principles across all their apps,
not just the ones that are integrated.
There's use cases that are just as diverse
as the applications are.
It could be protecting social media platforms.
It could be design tools.
It could be a legacy application.
And really with a combination of Entra and Cerby,
it allows us to combine Microsoft's platform
with Cerby's precision for
edge cases and those disconnected applications.
Well, Kevin, what is
Microsoft's view of this integration?
Ultimately, we believe in building
an open identity ecosystem and
Cerby's innovations really strengthening that approach.
It allows customers to look at the secure edge of
their identity attack surface and solve for that.
Ultimately, we're looking to build
that ecosystem platform for innovation and
allow startups to build on that and find new ways to solve problems.
Cerby is a great example of that.
That really leads to not lock in but fill in to our capabilities, but also just expand and empower organizations
with choice. What do they really need to solve their challenges and how do we provide sort
of all of those opportunities to bring on innovation to address the modern challenges
that the CISO has.
Now, Matt, I'm curious, in your day to day,
I suppose you probably come across CISOs who,
in talking to you about the products you offer,
they say, well, our identity program is already complete.
We're good here.
To what degree is that the actual case
with the folks that you interact with?
I would say that, you know,
it depends on the size of the company, but if I'm talking to, you know,
a Fortune 100 CISO, that might be the case.
And then I usually say, ask that same question
to your head of identity and access management.
And then they will always come back and say, ah, yeah.
And so it really depends on who you're speaking with.
You know, did they come up, you know,
with an identity background?
Did they come from an audit background?
But I have not spoken to a single organization in the last four years that have been at Cerby
that did not have this challenge of disconnected applications.
And so I just tell CISOs to ask the question in their identity program.
Just ask the question, does our existing identity investments extend
to all of our applications? All of our applications. That's a great place to start.
Kevin, what's your take on that?
Well, I think the hardest place to really be successful in an identity project is layer
eight. It's really going around to each of the stakeholders and having that discussion of federated identity
or cross-functional discussions of how tools are working.
I think the smart CISOs are starting to think in terms of ecosystem resilience, not just
tool coverage to address this challenge.
What do you hope that the takeaway for CISOs is here, Matt?
As they're looking at their existing situation, what do you hope that when they're considering
their identity technology, any words of wisdom
or tips for them?
I would say that they need to, again, think in terms of
how far can they extend their existing investments
across their identity stack?
Is it really all of their apps?
That's where I would challenge them.
So I would think about, talk about your identity coverage,
audit that, what apps sit outside our identity framework.
And then think about it in terms of prioritizing coverage
based upon risk, shared access, and things like that.
And then it's also thinking about,
a lot of times CISOs think, well, oh,
does this mean I'm going to have to go out
and replace my identity stack?
That's not that's not the case.
That shouldn't be the case unless you're talking about a tool that's been sitting in your organization
for 20 plus years.
But look at think about tools in terms that can really help you extend your existing investments,
not replace them.
And certainly this is a place where we believe AI can play a big place, a big part of it as well.
We'll be right back.
Next up, we're joined by a founder who's taking on one of the most complex challenges
in enterprise security, governance, risk, and compliance, and making it actually usable.
Say hello to Travis Howerton, co-founder and CEO of RegScale, another standout from the
Microsoft for Startups Founders Hub.
Under Travis's leadership,
RegScale has built a powerful continuous controls monitoring platform
that bridges the gap between security, risk and compliance,
turning what used to be a static, slow-moving GRC process
into something real-time, scalable and cloud-native.
Before launching RegScale, Travis had a remarkable run in public and
private sectors alike. He served as global director for strategic programs at Bechtel,
CTO of the National Nuclear Security Administration, and held leadership roles at Oak Ridge National
Lab and the Department of Energy. When it comes to high stakes, high security environments,
Travis knows the terrain.
One of the things that we want to key off of today is this report that you all recently
put out.
This is your inaugural State of Continuous Controls Monitoring report.
Can we start off with some high-level stuff here?
What prompted the creation of the report?
Yeah. So we kind of view ourselves as a next generation GRC tool.
What's it called?
A continuous controls monitoring platform or CCM.
We've been a leader in this space recognized by Gartner, but what we're
really looking for is sort of the pulse of the community on what are their
expectations around CCM?
What's the state of the market?
And we were blessed to have, I think, over 100 CISOs that were participants in this and
gave us a lot of great feedback.
But key things, you know, over 90% believe that CCM can improve both their compliance
and their security program. Only 6% say
they're secure from code to cloud, meaning their CI/CD pipeline takes
compliance and risk into account as it builds. And very few have that embedded.
So it seems like we're very early days in the art of the possible for what the
industry is looking for here, but that there is a lot of hope and need expressed in this market by the CISO community.
Well, let me ask you this.
I mean, was it surprising how few organizations are actually embedding compliance into their
CI/CD pipeline?
It wasn't surprising to me in that, you know, compliance has always been an after the fact
check the box sort of activity.
You know, when I talk to
CISOs, I always say there's no faster way to shut down a conversation in the bar than to bring up a
compliance chat. Compliance doesn't equal security. It's where this checklist thing you've got to do.
But it can be a roadmap to good security
and sort of secure by design principles and embedding those and having sort of self updating paperwork
is a win for everybody.
Not just the audit and compliance people,
but also the risk folks.
Cause my perspective on it is,
as people move more and more to the cloud,
they take advantage of technologies,
Azure offers and Microsoft offers
where things spin up, down dynamically.
Risk can't be this after the fact manual checklist process.
It's our view, it's an operational imperative for CISOs
to have real time visibility
into risk and compliance posture
as they accelerate adoption of cloud native technologies,
AI technologies and other sort of forward-leaning technologies
in their organizations.
Well, Kevin Magee from Microsoft is with us.
Kevin, I would love to get your take on this.
I know you have read the report here.
What are your thoughts?
It was a great connection to the early cloud journeys,
I think, where there's a cultural shift
happening within organizations.
We've always done it this way, so it's hard to change.
Then I get what you mean by compliance can sometimes shut
down conversations as a recovering CSO,
compliance wasn't always my favorite topic.
I'll be completely honest with you at that point.
But I started thinking when I saw some of
the demos early on RegScale about what we
could look at compliance in a different way,
how could we reframe it, and how could it be a competitive advantage?
If we could continuously understand what our compliance posture was,
what could that do to the business?
What could that become as a competitive advantage overall?
This is where the space is really interesting for me from a startup perspective.
Well, Travis, what is the advantage
of continuous controls monitoring here?
What's the game changer?
Yeah, the way I've always viewed this
is this is an industry that's run by consultants,
advisory firms, internal staff who manually do this stuff
to make sure all the paperwork's in place
for audits and governance processes
and regulatory reporting.
And it's both expensive, manual, and after the fact.
So what's in it for businesses is leveraging the telemetry you already have in cloud native
systems in the modern API economy, then combining that with the things that AI does well, ingesting
large amounts of data, summarizing it, synthesizing
it for you to have a more real-time view of what's happening. We think that's the art of the possible.
And the cool part about it is I think it's one of the last great computer science problems to solve
in a highly regulated industry, in that everything else is fast. DevOps is fast, CI/CD is fast, AI is fast, cloud is fast.
Risk and compliance moves at snail speed, right?
And so it's how do you get that to be at the same cadence?
I think is the interesting intellectual challenge
and business challenge that we've been trying
to wrap our arms around here at RegScale.
That's a really interesting perspective and insight.
I mean, I think when I talk to people about
compliance, I think there's a lot of what I would label aspirational talk. You know, people want to do more than comply,
but then that aspiration kind of meets the real world.
So I'm intrigued by this notion of it being the slow thing.
I mean, is it an anchor that organizations
are sometimes dragging behind them?
Oh, a hundred percent.
If you look at the organizations that lag behind
sort of the cutting edge commercial industry best practice,
for example, government will always be,
it seems like years, if not a decade or more behind.
Part of the reason is they have to go through these sort of complex risk and
compliance, what they call authority to operate or ATO processes. In many cases,
banks and other large entities that are multinational have some of the same
struggles. It's sort of a function of scale and size. You get so big and
your operations are so dynamic
that you've got to assure yourself you're not adding risk
and those risk processes take so long to execute
that they just really hold back
digital transformation goals for the company.
So it's sort of an interesting problem
that by avoiding risk in many ways in cyber,
you're adding business risk of getting left behind
and disrupted
because of how far you end up behind others
who are able to more rapidly adopt these technologies.
And we think CCM is the best of both worlds
where you don't have to reduce your posture.
In fact, you're going to improve your posture
if you're gonna move at the same speed
as a commercial entity.
And we think that's where the win is.
Well, help me understand what this looks like day to day for an organization that's decided
they want to jump in and do this. What does that shift look like for them?
Yeah, so there's a it doesn't really matter which framework you're in. NIST puts out a lot
of different ones that are popular. ISO 27000, there's CMMC now, there's PCI,
there's the Cyber Risk Institute, CRI, Financial Services,
NERC CIP and Critical Infrastructure, HIPAA, HITRUST,
all these different frameworks that evolve by industry.
You need certain reps and certs
to do business in markets.
And whether it's helping you attest to controls,
using our AI to author things in minutes
that would have taken months to do by hand,
automatic evidence collection,
representing everything, compliance as code.
So you can do machine level assessments
as well as AI based assessments,
do smart intelligent routing of things
for your issues management workflows,
and then monitoring and accepting risks
all throughout the process.
That whole life cycle is managed by the CCM platform.
And so what it looks like for a customer
is sort of onboarding into the platform,
getting their attestations done, connecting their tooling,
wiring up the AI, and then moving to a real-time posture versus
a reactive after-the-fact posture.
Kevin, what are your insights here?
I mean, what are the advantages that you see when a company adopts real-time compliance?
Yeah.
Again, I switched to my sort of board of directors hat, and I've sat on a number of audit committees
over my tenure as a board member.
And I think there's real strategic value in knowing what your control posture is today.
Not last quarter, not last year, but what it is today.
And it's also going to allow CISOs to have a different conversation with boards, fewer
surprises, more clarity, more understanding of what the role of the board is in mitigating
risk, accepting risk and whatnot.
Again, to be able to come to the board and say,
here's where we are today,
and here are some of the challenges we're seeing
and take action in real time as markets change
or as geopolitical aspects change,
this is a real competitive advantage.
I think this is what compliance was always supposed to be,
but never has really gotten to.
And we're finally reaching into the technology
to solve for that and make it that strategic enabler
that it was always meant to be.
Travis, is there a place for generative AI in all of this?
I mean, it's certainly the topic we're all
obligated to discuss these days.
Yeah, 100%.
And so if you look at this market I mentioned,
it's historically dominated by consultants.
So if you look at, I think Gartner says,
GRC is a $50 billion a year market.
But if you add up all the major GRC vendors,
you're probably lucky to get to $5 billion, much less $50,
which tells you 90% of this market is really
driven by services, which makes sense to me.
In my past lives, running large cyber teams is a very heavy manual labor,
and there was only so much you could automate. You could automate technical controls,
but there's a whole bunch of controls that were very difficult historically to automate.
And so because of that, because there were huge unstructured data problems,
there was just no other way other than sampling and throwing humans at it,
issuing periodic audit reports. But today's nature of cloud,
it's not acceptable to have, you know,
some sort of object store with all your company's PII and it's public.
And maybe I'll find it if it's in the sample once a year,
once every three years, when you look at it.
This stuff has to be more real time.
It's an operational risk imperative to make it real time.
The cool part is that all those services things, our thesis is AI is largely going
to eat it over the next three to five years.
And so if you look at what AI does well, synthesizing large amounts of data, writing about it, I think
many of these things we're doing by humans on a sampling basis
can be done by AI on a real time basis at higher quality, lower
cost. And it should lower risk in the environments that adopt
CCM platforms.
Can we talk about ROI? I mean
what are organizations experiencing from that direction?
So if you look at jobs
that you can do with generative AI using let's say Microsoft OpenAI behind
RegScale, we have things that would literally take teams of people three to
six months in a conference room to build out all the attestations.
We can do in under an hour in AI.
And so you're talking about hundreds of thousands of dollars
potentially saved on these.
And for companies that have many, many of them to do
and maintain, you can be talking significant ROI.
And a core part of our CCM platform is that average
you're leveraging AI in the background
or automation to do tasks, you get a running ROI calculator on the back end that tells
you all the manual savings avoidance that you have.
And so now CISOs can take those dollars and put them towards operational excellence and
hardening their environment and less towards the paperwork, check the box stuff, which
largely can become set and forget.
You know, Kevin, one of your responsibilities there at Microsoft is
looking for these innovative cybersecurity startups.
I'm curious, what about RegScale really caught your eye?
Oh, I always kind of thought the GRC space was one of those
kind of parts of the industry that really wouldn't benefit from innovation and I've completely flipped my thinking on this.
It is probably one of the areas that are most ripe for innovation and where I'm sort of looking for investment strategies as well too.
Because we can sort of approach it from exactly the perspective that Travis was talking about.
It's very manual. It's not only very manual, it's very inefficient.
And it's also just so cumbersome and so difficult
for the employees.
I can't imagine what it's like to get another spreadsheet
to fill out or another form to fill out
or whatnot constantly.
So maintaining staff morale, making sure
that we're using resources wisely or whatnot.
This is one of those areas that it's really,
I think, ripe for innovation and has been largely ignored
because it's sort of the boring end of the business.
In fact, I would say the GRC space
is probably where most of the innovation,
some of the coolest stuff is happening right now.
And it's not an exact analogy,
but I remember looking at the RegScale demo
for the first time thinking,
wow, this is SOAR, but for compliance,
this is something that you don't see very often,
sort of a real innovation that has a true ROI story.
And I think it's going to be coming full circle
that CISO telling that ROI story to the board,
to executive management, to the users,
that's going to change the culture.
But once they really start to see the tools in action,
the automation and the benefits from that automation
I think that will shift the culture quickly and they'll see the benefits and just immediate results
Which will change the market and change the advantage for the company
Well, Travis, wrapping it up by getting back to the report here.
I mean, what are the take homes for you? What do you hope folks come away from having read the report?
Well, I always say I had a boss who was my mentor, always told me the best plans start
with the truth.
The truth is that this area in the cyber domain is going to be eaten by automation and AI
over the next five years.
We have really strong conviction around that. We all stand
on the shoulders of giants. We're innovating on top of some world-class tooling provided
by Microsoft and Azure and OpenAI that allows us for the first time to have hope. Because
the first couple of decades of my career, there was no hope. This was boring. It was
painful. It was terrible, everyone hated
doing it, but it was the price of admission to certain markets that were very lucrative.
So you had to do it. Today, I think that's changed. Now, this is stuff that should become
commoditized over the next five years as AI sort of gives set and forget options of how you do
these things. And now it's less about manually doing all this work
and spending all this money on expensive consultants.
It's how do I buy down risk in my organization
and repurpose all those savings I generated,
the things that help protect my organization
that I can talk to our board about risk reduction
and how we can get them into more markets.
So we think it's a really exciting time to be in the most boring field on earth.
You know it strikes me too that there must be a satisfaction component to this
for the employees where you're helping to remove some of these tasks that as
you say are the boring ones, the drudgery ones, these are through automation,
they're able to spend their time on the things
that are a lot more gratifying and fulfilling.
100%.
And the things that add more value to the business.
You hire some of the smartest people in the world
to make risk-based cyber decisions for your organization,
and then you waste 80% of their time chasing down evidence,
doing data calls, waiting outside people's office
to get something who's been ignoring them for two weeks.
Like it's just an insanity problem
that we've had as an industry.
Now, instead you've got a heads up display,
you know where things are at.
And now it's sort of where can we buy down
the next level of risk?
What decisions do we need
to make. So you're getting more ROI out of those people so we don't talk about it as replacing
people so much as it is how do we supercharge human beings to get more out of your risk professionals
because as much as I love AI, I don't know anyone who wants AI making risk-based decisions for the
strategy of their organization. Almost everybody I've talked to is willing to make the drudgery and the sort of mind-numbing
paperwork go away.
So Travis, when we're talking about things like FedRAMP and OSCAL and these
programs evolving, what are your insights there?
I think compliance as code as the foundation for this work is the future.
Because at some level of scale,
you can't handle these processes manually.
At the same time, what you need is
a high amount of precision in what you're trying to execute.
The best way to do that that I know of is to structure these things.
We've been building our platform on top of something called NIST
OSCAL, the Open Security Controls Assessment Language, run by Dr.
Iorga's team. David Waltermire, now at FedRAMP, have been major innovators
there, but they take all these huge thousand page document spreadsheets we used to generate by hand. And now there are sort of tightly formatted
XML, JSON, YAML representations of it
that are machine readable.
And so what that allows you to do
is do automated assessments of these artifacts
you used to have to do by hand.
And so I think of it like a compiler.
And so since we're with some Microsoft folks,
they're one of the biggest software enablers in the ecosystem. When I write code, I'm in a
development environment and I compile it at the end. And at the end, it may tell me an error,
I screwed something up, I can't proceed. Right? That's kind of what OSCAL does. You can set your
risk thresholds, what I'm expecting in my inside or outside of that. Maybe it's not an error.
It's a warning.
I'll let you proceed, but you're still sort of out of the norm of what I expected.
And so now you can dial in your risk tolerance as code, apply it to the things
you're building and have sort of a risk and compliance compiler that tells you,
am I still in the safety zone of where I expected to be?
Because the hard part of this industry for me for decades
is getting invited to those meetings
where you're asked to explain to them
why you're not stupid,
because something stupid happened.
And at one point it was in a good state,
it changed and went to a bad state and I didn't know it.
And so this allows you to sort of compile that
as often as you want based off real time speeds and feeds
and make sure you're always inside this boundary
that you want.
So we see it as this basis
for dynamic operational control assurance.
Being able to know that the controls I have are in place,
they're effective,
they're operating the way I thought they were
and no more surprises for CISOs and ODIs.
Our next guest is a name that resonates across the cybersecurity world.
With more than 25 years of frontline experience, Karl Mattson has helped shape security strategy for some of the most complex sectors out there.
Finance, retail, and tech.
Today he's the CISO at Endor Labs, a startup laser-focused on securing the software supply
chain and a rising star in the Microsoft for Startups ecosystem.
Before joining Endor Labs, Karl was CISO at Noname Security, where he tackled API and
application security head on.
His resume reads like a roadmap through high-stakes cybersecurity leadership.
He's held CISO roles at City National Bank and PennyMac Financial, served on the
FS-ISAC Mortgage Risk Council, led the LA Cyber Lab, and even graduated from the FBI CISO
Academy.
When he's not leading security teams,
he's been shaping minds as an adjunct faculty
at the University of Minnesota for over a decade.
Well, let's start out with a little bit
of the origin story here.
I mean, I have to say I'm enamored with the company name,
but tell us about how the company started
and what your mission is.
Sure, the company started just over three years ago.
Varun Badhwar at the time was leading
the Palo Alto Prisma business unit.
He had previously founded the company RedLock
that was acquired by Palo Alto.
And while he was there at Palo Alto,
there was a major open source vulnerability event,
and it was at the scanning of that environment where Varun sort of had the seed of an idea
that scanning software is extremely noisy and error-prone.
And so he started Endor Labs with Dimitri Stiliadis, who was a counterpart at Palo Alto.
So Dimitri and Varun about three years ago started the company with the mission,
essentially of reinventing software vulnerability analysis.
We commonly have in the software industry noisy, antiquated open source scanners, and
so we've eventually reinvented the scanner and reinvented the way that we look at software
vulnerabilities, starting with SCA, starting with open source, and now with a much broader
set of capabilities.
Well, I think we have to talk about AI, which I know is a big part of your technology and your product here.
How do you apply AI to this task?
Yeah, great question. So there's really a couple of ways to look at it. The first is, as a company, we have a whole range of proprietary open source research
that we've performed. I would call it an enrichment layer on top of the national vulnerability
database and other vulnerability databases. That enrichment layer is really our data moat.
And so when we roll out capability that sort of,
with the concept of a RAG,
a retrieval augmented generation,
that is essentially a local data set
that can be utilized by our customers
in an agentic AI sort of efficient operating model
that really accelerates an AppSec team's capabilities,
but kind of leverages that data set
in our new
agentic AI offering. And then the second area of that is then MCP, which is an
Anthropic protocol, a Model Context Protocol that came out about six weeks
or six months ago. That protocol really is for LLMs to talk with each other.
And so we have also released an MCP server that allows organizations that use Cursor or Copilot,
this sort of code generation revolution.
It's an integration pathway for those platforms that's really remarkably fast and efficient.
When we're talking about boards of directors and organizations, some of the places that
you serve, are their expectations realistic when it comes to AI?
Are they prepared for the types of things
that are the reality of this technology?
Oh, of course not.
I think we learned that in each technology revolution
is that there is a trough of disillusionment.
So if you think back to like the mid 1990s
and the sort of the dot com sort of explosion,
it was many years later before turning that into revenue became a realistic possibility.
E-commerce didn't blow up the moment the internet occurred. It took a decade. So I think that
what we're going to certainly see is board level expectations to push the needle and
capitalize on AI. However, there are not yet a lot of examples of business models that have
thrived with that kind of direction.
I think it's a matter of time,
but right now I think we're still in the very earliest stages of value capture in AI.
Kevin, is that aligned with what you're seeing?
I spent a lot of time speaking to boards of directors,
senior execs, and it is exactly aligned.
I mean, we've really shifted from this "are we secure"
discussion, this sort of negative security discussion
to, hey, let's do everything with AI.
Just the optimism is really refreshing,
but it's challenging, because how do we safely do things
with AI really needs to be the conversation.
So I think, you know, startups like Endor Labs that are empowering this vision of AI
and building in safety and security as part of the workflow are really something I'm interested in
from an investment perspective, but also just a capabilities perspective.
How do we make these innovative leaps, but do it safely and not go back to
and repeat history where we've launched new technologies, run out with them to improve
efficiencies to build value, to create opportunities which organizations should be doing and then
figure out how to bolt on security afterwards.
So I think there's a unique opportunity right now.
Well, Karl, let's talk about the security workforce themselves, you
know, when it comes to hiring and training and even retaining these
people. With AI, is this requiring a new skill set? Are folks having to come into
the job with new skills or are organizations finding themselves having
to train people up?
Both are true. I think that anybody who's a job seeker right now would best be served focusing on upskilling
themselves in terms of basic generative AI, agentic AI technologies, but also internally
for teams.
For organizations to look at AI as a, and not just a short-term fad, but a long-term capability that employees and the organization need to have really across the board,
and supporting those trainees with, those employees with the training required to upskill them to a baseline level of knowledge.
I think we all need to look at this as an opportunity to upskill ourselves.
And that is actually very good news in terms of like the equalizing the cybersecurity workforce.
I think that the individuals who really wrap their arms around AI capabilities and begin
to master them soon will become very, very valuable to their organizations quickly.
Well, let's flip the question around.
I mean, in terms of the people who are looking
to take these jobs, what are they looking for
in terms of security culture within an organization?
What are the things that they value?
One of the interesting things that we see
continuing to happen finally,
let's go back to a couple of years
to the origin of the concept of shift left.
And there was a moment in time where shift left looked kind of like tossing things over
the fence back to the developers or back to the DevOps teams.
And that was oftentimes a recipe for failure.
And so there are certain successes.
But for the most part, it was not a wild success.
But here we are today in a really interesting place because now we can actually, with for example,
MCP integrations, we can put our security capabilities
inside the developer's context
or inside the DevOps team's context window.
So really quickly, we now have security technologies
that I would, let's call them headless.
The UX isn't all that important
because the technology is running under the hood
of the developer's tools or under the hood
of a DevOps team's tools and pipelines.
That's a great move.
That is an incredible upward trajectory of possibility
for remediating vulnerabilities
or getting attention on security
is to have those security technologies
inside of the developer's tools.
So I think culturally, what that gives a security team the opportunity to be a welcome asset
at the table, not just the team that tosses vulnerabilities over the fence to you.
Kevin, I'm curious, you know, the startups that you work with, the ones who are having
success both attracting talent and retaining them, what sort of commonalities are you seeing there?
I think startups are really becoming talent incubators.
What they really can offer are hands-on AI security experience
and capabilities development to employees.
That's the real value.
It comes from working from a startup.
Not only is it fun,
it's really a chance to explore and learn very quickly how
to implement
some of these workflows or whatnot as well. But then startups also create value at scale
for customers, and I think that's the key. So it's not just learning those skills or
whatnot. It's really often encapsulizing some of this innovation into a product that
customers can purchase to benefit from that rather than having to source
and find all those employees and develop them on their own.
I think it's a much more efficient way of using talent more effectively.
So that's one of the things that has me most optimistic about startups and their role in
moving just workflows and cultures to this AI experience.
So, Karl, you know, digging into open source software itself and how organizations calibrate
their risk when it comes to OSS, in your estimation, are organizations properly calibrated?
Are they overconfident or are they underconfident?
Where do most organizations stand?
That's a great question.
I think that organizations are almost exhausted, perhaps is the word I'd use, for, let's say,
open source scanning that's historically produced a lot of false positives or poor quality results
and incidents still occurring.
And so that endless cycle of chasing this
enormous quantity of vulnerabilities and particularly finding out that they're
not true positives. That's an exercise in frustration and it's
exhausting and that's really where we come in and where we come in
and clean that noise up so that it does not become exhaustive. And so I
think that what that does is it frees up an enormous amount of capacity and there's a sense of relief
when we can get the noise out of the open source scanner world.
You know, not all risks are created equal
and they have different degrees of seriousness
relative to any organization's risk posture.
Is that a big part of what you're helping folks with here
as well of prioritizing the things that are actually dangerous to
the company itself?
Yeah, absolutely because think of the OWASP top 10
and there's a lot of risks that are not software vulnerabilities. So in our
sort of open source model there's eight risk areas, legal risk, intellectual property risk,
operational risk. For example, there are certain organizations whose ability to be precise in their
use of open source or third party licensing makes a dramatic difference in the value of the company.
That's a very important feature of what we do is to focus on all of these
different aspects of risk because it isn't just the software vulnerabilities, it's all
these other operational viability issues to solve for. And that's really important for
us to look at the whole context of risk of software and be able to provide different
organizations of different shapes and sizes the insight that they need for their risk
profile.
Kevin, I'm curious for your insights here.
Well, the CISOs really described the problem articulately.
I think that makes the most sense to me.
Wouldn't it be great if we made sure there were no sharp edges
on our products before we shipped it kind of thing?
And they were in the manufacturing industry.
And this makes sense to us in IT because we want to make sure that we're pushing
production code that has no errors, that it is error-free.
But it's not really embedded in a lot of organizational cultural approach to
innovation, you know, build the application.
And they don't really know what's involved in it.
It makes sense to leverage open source.
It makes sense to leverage what's already been created and build on what others have already built to empower
and move faster. But in moving fast, you know, we have to make sure we look at all the associated
risks. And I think some of the ones we've discussed now are good or articulate. It's
not just a matter of is it code going to break or is it insecure? You know, what are the
copyrights? What are some of the other challenges?
What are the dependencies?
And thinking through those challenges allows us to make better decisions.
The farther left we can shift that,
the more secure we're going to be and the less challenges we're going to have in
responding to some of these either complaints legally or
actual loop software failures when code reaches production.
So this is an area that's really interesting to us.
And especially with our investment in GitHub
and our capabilities in GitHub, how
do we extend those capabilities?
How do we provide more value to our customers in this space?
And those are a lot of the conversations
we have with Endor jointly with our customers.
Well, Karl, how do you support that desire for velocity to make sure that security isn't
the thing that's throwing sand in the gears or the famous saying about being the department
of no?
I think it comes down to two touch points that we focus on that when you get them right,
they become accelerators.
The first is the quality of the information
about vulnerabilities.
Reducing false positives may sound like a punchline,
but it really is a very specific thing for us,
which is to understand application context
and its nuance.
Because when we call it program analysis,
but performing that analysis gives exceptionally detailed
insight into vulnerabilities. Less noise, more actionable, specific information. And then the
second thing is giving the opportunity to embed that scanning activity, that program analysis,
inside developer workflows so that developers don't have to context switch, whether that's in their Git repo,
whether that's in their CI/CD pipeline.
We need to give that high quality information,
now put it in the place and time
where it can be actionable,
and with the sort of amplifying supporting information
that allows the developer, the DevOps engineer,
to make a great choice in terms of how to remediate quickly.
So both of those touch points give us opportunities to
really move the needle and allow those teams to move forward,
move faster, just ship better software faster.
Kevin, when you look at a startup like Endor Labs,
what stands out to you?
Why is a company like this of interest to Microsoft?
It's velocity with visibility.
I really think that's sort of the sweet spot.
How do we make security a multiplier,
a value creator rather than a bottleneck?
And how do we remove the challenges to a great experience
for the developers or whatnot?
So they'll choose the right tools.
They'll make security the easy thing to do.
Because we know when security is the easy thing to do,
people will do the right thing.
The more difficult we make it to do security,
the harder it is to get them to comply.
So how do we really build it into
the workflows right from the beginning of software creation?
I think that's what really interested me when I saw
the first demos of Endor Labs is that,
again, the philosophy with visibility was the key thing that stood out to me.
Karl, what's your message to the CISOs in our audience here?
Words of wisdom based on your own experience?
Well, I think that we have to prepare everything in our organizations for the long haul right now.
And I know that the world changes very quickly with AI, but by the long haul, I mean upscaling
teams, rethinking our telemetry, rethinking that visibility, rethinking that technology
touch point.
Because what's going to continue to happen is that there's this logarithmic increase
in expectations and quantity of software and noise in the environment. And if we don't start preparing for
that long haul right now, but with a sense of urgency, we're gonna get behind
very quickly. If we're not already behind, we're about to fall behind. And I think
that's where we need to be looking at that future state right now and be implementing that action
plan without meeting the expectation of the board to be clear.
We need to internalize that and know that it's coming sooner or later.
And that's a wrap on this special edition, the Microsoft Startup Spotlight.
A huge thanks to all of our guests, Kevin Magee, FC, Matt Chiodi, Travis Howerton, and
Karl Mattson for sharing their insights, experiences, and the incredible work they're doing to
shape the future of cybersecurity.
From tackling software supply chain risks and redefining GRC,
to hacking for good and building global startup ecosystems.
These founders and leaders are proof that innovation thrives
when community, trust, and cutting edge tech come together.
We'd also like to thank Microsoft for Startups Founders Hub
for making this episode possible.
If you're a startup founder looking to level up your business
with access to AI tools,
Azure credits and expert guidance, this is your moment.
And of course, thank you for tuning in.
We'll be back with more stories, more innovators
and more reasons to believe in the power
of the cyber startup community.
Until next time, stay safe, stay curious and keep building.
I'm Dave Bittner.
We'll see you next time.