Risky Business - Soap Box: Using threat hunting to drive detection
Episode Date: July 8, 2026In this wholly sponsored Soap Box edition of the podcast Patrick Gray chats with Damien Lewke, the CEO and founder of Nebulock, about the future of threat hunting and de...tection. Damien spent a decade in the EDR and MDR space before founding Nebulock in 2024. It started off as an AI-powered threat hunt platform but has evolved into a broader security data platform that can answer questions, drive hunts and drive detections. This product is engineered around the idea that a lot of security is a data problem. So, if we accept this premise, how do we solve security? And how much of that solution is about agents, vs building a good graph? And if you’re going to build a good graph, do you want to build it for a person to use, or an agent to use? This is truly a conversation for the security nerd’s nerd. Enjoy! This episode is also available on YouTube Show notes
Transcript
Discussion (0)
Hey everyone and welcome to this soapbox edition of the Risky Business Podcast.
My name's Patrick Gray.
For those of you who don't know, each edition of the Soapbox podcast here at Risky Business Media, it's sponsored.
It's always sponsored and that means everyone you hear in a Soapbox edition of the show paid to be here.
And as a further disclosure, today we're chatting with Damien Lucie, who is the chief executive and founder of Nebulok,
which is a company that I also serve as an advisor to, which means that I do have a teeny teeny share option.
package in the company. So yes, Damien, smart dude. He has worked at CrowdStrike. He's
worked at Palo Alto Networks. He worked at Arctic Wolf. So he's worked in the EDR and MDR space
for quite a long time. He even worked in the defense industrial base like straight out of
college. And yeah, so he's had a front row seat to all sorts of carnage over the last
decade plus and that means he's had a bunch of opinions and ideas on what sort of
security technology we all should be building. So the original pitch for Nebulauch was AI threat
hunting, right? Which is you can leverage agentic AI, you know, collect a bunch of data and then
send these agents out doing hunts. And, you know, Nebulauch still does that. But I guess the
pitch has broadened now at customer request. You still start with these sort of hypothesized
threat hunts, but then you can do stuff like build detections based on what you've
find. You know, Nebula lock has sort of become a tool that's very handy for detection teams,
and it's also just a great platform for asking questions of. And a big part of the reason
that it's useful for doing that, as you'll hear, is because Damien and his team have really
done a lot of work building a really cool graph out of the data that Nebulauk collects.
So, I mean, that's really what this interview is about. Like, to what degree is security a data
problem and if it is a data problem how do you solve that and if you're going to use something
like a graph do you want to build that graph to be optimized for human consumption where we've got you know
seams these days where we try to flatten everything for human consumption but now we're sort of
throwing agents at a problem where we flattened it for human consumption so that doesn't seem
quite right so do we now start have to you know should we now not be flattening things so that
agents can use them a little bit better it's that sort of conversation right it's it's one for the
the security nerds nerd. So I'll drop you in here where Damien is giving a one-minute pitch
just on what Nebulaq is to help frame the conversation. So here is Damien. Lukie from Nebioch.
Enjoy. We're a hunt for security operations platform, right? Like everything is still hunt first.
We still start with the like unknown unknowns hypothesis based hunting, right? We use intelligence,
we infer based on what we know in your environment and we drive the hunt. But the idea is
like hunts should have outputs and those outputs become detection.
So ultimately, like, the pitch really is, look, you've got a brilliant group of folks.
You've made a ton of investment in security.
Breaches happen because of low and no signal events.
We're going to find those, but we're not just going to find those.
We're going to translate those ideas, even if you don't find something, into detections.
And you can run them in Nebulauch.
You can run them in your SIM.
Like, wherever you run detections is fine by us, right?
But the whole idea is that you should have this continuous analytical layer that's being
built over time. Everybody's curious about what's running in their environment. Everybody knows
that there are always things that we might, you know, that would be good to know and good to find.
And then the real value is, okay, great. And now instead of, you know, GRI tickets and two-week
sprints, I can write detections, test, and validate them in, you know, three minutes. And
they capture intent and behavior instead of, we need to make sure that we wrote the SIM correlation
rule the right way. So that's really been the pitch.
Look, that's a really succinct pitch. And I thank you for that. And the listeners thank you for
that for keeping that down to like a minute. But one thing I wanted to ask you about is like,
you know, very early on in Nebulauk, it was all about finger guns, AI threat hunting, right?
Like that was the whole thing. It's a threat hunting, agentic platform, puo, pule. But nowhere in the
pitch just then, you know, did you mention AI, despite the fact, and I know this, you're still
very much an AI forward company. So I'm just saying, it's interesting. It's not the
primary message anymore. It's the primary hook in the message. So,
like, maybe you could tell us why that is.
One of the key lessons that we learned was, again, understanding what an agent is and is not good at.
So a lot's been learned since the seed round.
The real unlock for us was making the shift from agentic threat hunting, which was great.
It was all about like behavioral hypotheses, understanding behavior, using that to surface what might have been missed by your existing systems.
and then translating that more to the problem of,
and this is something our customers really helped us with,
is the age-old question of, okay, great,
so like I've run a threat hunt and maybe I found something or I didn't,
how do I keep that information?
How do I take those lessons learned?
The more we thought about it, the more we dug into it,
we were like, well, you know, we're writing detections within our platform.
What if we expose that to customers?
So you had this hunt piece and detection piece.
And really like the underlying mechanism that united it, it's kind of funny, we'd had it all along, was a graph.
So that was going to be my next question, which is like what?
So you get one more like Splunk extension or Splunk plugin or, you know, how does this work?
And it sounds like, no, you're actually building your own sort of data structure here and turning it into a graph.
And like that's kind of the approach you've gone with.
No, 100%.
Right.
I think the term now
would be like
context engine
or context graph
if you want to go big,
but context engine is the
truer technical term.
But yeah,
we built a graph
and then that graph
is something that the agents
can access and reference
so they can walk the graph
and look at different identities
tied to different hosts
and different service accounts
tied to an identity
and ultimately be like,
hey, wait a minute,
is Damien in accounting
actually who he says he is
or is it his open-claw agent
that's access in critical infrastructure
when it shouldn't.
that was a really key unlock for us,
was just uniting those together
and having data structure,
owning that, building the graph,
was just really helpful.
And that was a big shift for us, right?
Evolving beyond the initial hypothesis
and really realizing that we could scale beyond that.
And when I say like hunt for security operations,
really what it is is like,
if you think of threat hunting,
you know, that is a traditionally ad hoc workflow.
We want to make it continuous.
but ultimately good hunting should inform good detections and good incident response.
And that's really what we're driving towards as a company.
So, I mean, is the idea here, right, that you think you can be the detection stack,
or are you trying to complement the detection stack?
I think to start, really, we want to complement the existing investments people have made.
But eventually, yes, I would love to own the detection stack.
But that is a journey.
and I think it's disingenuous of a company
to come out, raise a series A and say,
yep, you don't need all the things that you had before.
Rather, like, there's a world
where you can start to build better,
more accurate, more performant detections in Nebula
and provided we continue to grow,
earn the trust of our customers,
and do our jobs.
Eventually, yes, that's what we'd like to do.
But that takes time and that takes trust.
Well, yeah, yeah.
I mean, it's funny, right,
because your background is in EDR,
and then MDR and building a sort of platform where you're like, okay, well, we started off doing AI threat hunt.
Now we're just going to build a graph and let agents crawl all over it and do everything with it.
And eventually own the detection stack is exactly what happens when you give someone who worked in MDR a bunch of money and say go do.
Right.
Like, I mean, this is like, I'm guessing a lot of what you're doing now is informed by that sort of experience.
And I think, you know, everyone I know who worked in MDR has been proud of what they've been able to.
to achieve, but also frustrated with what they can't achieve, given the gaps in tooling that we all
suffer from, right?
I mean, you said it well, Patrick.
I think the one piece in my background that's not covered is like, I began as an operator
in the dib.
So, like, when you deal with nation state cyber defense is your first job out of uni, that changes
you.
And then you join an EDR company and then you go to an MDR.
I think a lot of folks end up being inspired by that first order problem.
And that's really what we're trying to solve, which is how do you solve for the breach?
Because in an MDR, when you integrate with the smorgasbord of solutions that are out there,
you actually see, like, some are very good, but they're really good in their specific niche.
And when you try to take a more holistic approach to, like, how do you look at risk management and resilience for an enterprise?
Like, that's a much bigger problem.
And, like, no one solution, no one EDR or I am or C.
ESPN solves for that.
And I think we live in a world where it's really easy to believe that if I buy the right tool, I am resilient.
When in fact, no tool, and this is why we all do telemetry logging, so you can search it, is perfect.
So I think that's why a lot of us MDR folks get inspired by that is because we've seen the systems problem of breach prevention at scale.
Yeah, and I mean, this isn't a prevention product, but if you wanted to build, you know, so much of security these days, right, detection, hunting and whatever, it is just a data problem.
Yes.
Right.
And so the solution to that is going to be something along the, I mean, you know, you've been a listener to the show for a long time, and you've heard me say this for a long time that, like, detection and response and, you know, threat hunt and all of that sort of stuff.
Eventually, it's got to collapse into one thing.
because all of it, I mean, I guess response is a bit different, but, you know, detection and, you know, threat hunt is,
and we've talked about this, you and I, right?
Yeah.
It's kind of the same thing, just at different speeds.
So eventually you would think all of this is going to collapse into one thing, like, for example, a giant graph database.
And I'm not, you know, I'm not sitting here with my hand of my heart saying, yes, Nebulauk has solved the detection problem by building a giant graph that could,
You know, like, obviously I'm not saying that, but like, you know, that I guess I agree with you that the solution long term, that's what it's going to look like. It's going to look more like that and less like Splunk and less like, you know, Google Cloud Cloud Splunk and Microsoft Cloud Splunk, right?
Which is everybody's thing. And it's going to be more like a graph with agents crawling all over it and answering questions. I mean, you know, this is where we got to go, right?
Yeah. I couldn't agree with you more on the security being a data problem. And that also goes back to the whole, like, I have these 18 widgets and they all tell me they solve this very specific problem in my organization. And the great thing is, is they all have different schemas. And then I try and put it into a SIM. And that, you know, has six different case types for event ID. You know, like, it just is such a challenge. And I completely agree. That was actually the core realization and, like, first real play that we figured out. Again, like, pre-
And really after the seed with the investment was like, oh, we have to build like the underlying
schema and do normalization because I can only like, you cannot build a good graph
if you don't have consistent data structures.
You cannot do streaming detections.
If you don't normalize the data.
And there are really efficient ways to do it.
But if you don't solve the data problem, what use are your analytics?
Your queries will break.
Like nothing will work.
So I completely agree with you, Patrick.
I completely agree.
Now look, I think one thing that's, you know, we've sort of talked a little bit about AI,
and then we've sort of talked about the data problem and building a graph, right, and trying to,
you know, normalize data to an extent to get it in there.
But I also think that like once you've built this graph, right, where you've got all of this
information about devices and identities and events and traffic and things that have happened
and you put that all in one place, I mean, that's more useful in the AI age, right?
So that's the thing, right?
Like what you build now is,
different because of what you can do agentically.
Yes. Like do you agree with that that like this graph is probably more viable,
you know, as a product because of what you can do with once you get agents crawling all over it?
And indeed, building it is easier now because you were just talking about how you got to normalize
data going in there and like figure it all out properly. I mean, AI is pretty good at like building you a script to do that, for example.
So like, you know, as much as we're talking about,
how the exciting thing here is to do something not really AI-related in terms of building this
graph, it still kind of is AI-related, because the graph is more useful now and easier to
build, thanks to AI. Well, I would posit the graph is different because of AI. The nice thing
is really, what's fundamentally changed, in my opinion, is like, back in the day, well, you had
tables and a SQL database. Then you have...
had graphs, but ultimately like the human still had to walk the graph.
And these graphs can get really...
Well, that's what I mean.
They're going to get really complicated and a human's going to look at it and just go, man,
I don't know what to do with this.
I can't even understand this, whereas an agent doesn't have these concerns.
It'll just randomly stumble around until it finds something interesting.
Correct.
Now I honestly, and this is the nuance, right?
It's like you now have this agentic layer on top of it that you can build.
Ideally, you want to have the agent manage enough context and understand the graph
well enough to not go on a wild goose chase and burn a million tokens to try and figure out,
hey, did Damien Loogie log in at 9 a.m. Eastern? So that's also part of the learnings when
you have agents working with the graph. I think the real unlock, because it's funny,
going back to graphs five, 10 years ago, that's not true, 10, 15 years ago. Let's think about
like OG Crowdstrike, Carbon Black, Silance, folks that were building graphs. The graph,
the graph was the first step.
The real unlock was, and I'm biased,
because I saw what we did at CrowdStrike with the threat graph,
the real unlock was not, hey, can I use the technology,
but rather like, what do I enrich the graph with?
You know, when you have a Falcon Overwatch
or Nation State threat intelligence
and you use that to enrich the graph,
that's what really builds compounding value.
So one of the things that...
Well, yeah, I mean, you take your crowd strike,
and then you throw some coalite data at it,
and all of a sudden, you know, it's more than the sum of its parts, right?
It's like 10 times more useful.
Well, and that I think, you know, just in general for folks who are looking at messing around with graphs,
I think the big question you have to ask yourself is like, okay, great, I can use a graph and that's really efficient,
but like what other enrichment sources can I use?
And am I thinking about what those enrichment sources would look like to an agent?
So when the agent engages with the graph and the different nodes on it and the edges it's got to traverse,
can it make sense of that so it can go back to Patrick or Damien and go...
It's funny, man.
It's like designing to make something user-friendly whether a user is not human.
Yeah.
It's, I don't know.
I heard someone say this and I think it's true to an extent, right?
Like, we have a new hybrid workforce and it's not hybrid like sometimes in the office and I'm at home.
It's like I have humans and I have agents.
We now have to figure out a way to get the agents to understand things so that we can use them more effectively and vice versa.
Which is interesting, right?
If you told me 10 years ago that we'd be trying to figure out this problem, I'd be surprised.
But here we are.
So look, look, look.
So here we are, right?
So we've got to the part of the discussion where we're like, okay, let's stop and see where we are, right?
And you've come along, you know, AI threat hunting, original proposition.
And now you're like, well, we're just going to build a giant graph and, like, do a lot more with it.
And let agents do stuff with that and let humans do stuff with, you know, with that.
So all of a sudden we've gone from something very niche to, okay, well, we're going to build a graph for everything and solve a whole bunch of different problems.
I mean, this is a pretty drastic expansion in scope. Don't you think, Damien?
It is. I think one of the key things was figuring out how to build the right graph. So, you know, the way that we build our graphs is we build context graphs per enterprise that we work with.
Really, the problem that the graph is trying to solve is can I build a behavioral system of record for the enterprise that I work with?
And then the agents know how to work with that graph.
Whereas the temptation originally was Patrick, and when you're like, oh, yeah, like this big graph.
The temptation originally was, can I just like build the world's greatest graph database and take billions of events and put it all in?
That was another thing when trying to figure out what AI is and isn't good at, like trying to have it run on a hypergraph or like a really, really big graph database was not efficient.
The real value is building graphs per customer.
And those graphs are plenty big.
They break down, don't they?
They just, like, when things get to a certain size, they just like, eh.
You know, they do.
And it's not the fault of the agent.
Really, I think a lot of the times you run into agenic problems, it's, you know, a layer
eight error.
It's because we try to give it a problem that was too big for it to solve.
You know, the context window is only so big.
You keep asking your questions, and it's traversing something huge.
It just becomes unmanageable.
I mean, it either falls over or just starts spouting absolute nonsense, right?
It's kind of funny what happens to them when you push them too far.
They just get real stupid.
To be fair, I think we humans can also, if you give us too much all at once, we don't sound the best either.
But it's, no, it's been interesting, right?
Like one of the core things, though, when it goes back to why you build a graph is fundamentally
what's the problem you're trying to solve.
For us, with AI threat hunting, the idea was always behavior.
and behavior was all about relationships.
So the best way to model relationships with behavior was a graph.
So it worked for the problem that we solve.
And then, yes, you're right.
Like, as we expand with this context graph, as we expand into detection,
like it's opened up a whole bunch of new use cases with the same core technology,
which is really exciting because we're doing more all on the same platform.
This was always the thing with the threat hunting stuff, right,
like that you initially pitched the company with.
Then I'm thinking, look, AI threat hunting, that's really cool.
You know, you can go and ask a bunch of questions and whatever.
But it's like, you know, I'm a car person, right?
I'm a car person.
And if you're going to pull the engine out of a car just to replace, like, one part,
while you're in there, you may as well do a bunch of other stuff.
Replace a bunch of seals.
Replace a bunch of parts that commonly fail once you've done all of that work to get the engine out of the car.
And I think when you're building a software,
platform that can do AI threat hunting. Once you've brought all of that data into one place,
like while you're there, you know, I think it's like having the engine out of the car. Like,
while you're there, there's probably a lot more that you can do there. So I've always seen that
opportunity to do more. And indeed, you know, you've been steered by some of your customers in
terms of what they want while that data is there. And it's like not even necessarily security
use cases. Like, a lot of what they're looking for is maybe like weird software in their
environment that shouldn't be there or people accessing AI services that they shouldn't
access and just that sort of governance piece has actually been surprisingly in demand for you,
right? Oh, yeah. I mean, we've seen a tremendous amount of demand around shadow AI. We,
because again, we focus on behavior, have gotten really good at insider risk.
detection. Now, there's a fun philosophical discussion that I always like to have, which is
technically a successful threat actor who gets creds and logs in, and Damien in accounting,
who's, you know, trying to download corporate secrets to his desktop to, you know, X-Vil.
They're both insiders. But yes, we've definitely played into that. And I think it's really
indicative of two core problems. One is, like, security is being asked to do a lot more than
they were traditionally because the world is changing so fast. And people say,
suddenly go like, oh, that looks like a, it's a governance problem, but it's a data problem.
Therefore, it's now the CSO's problem. And for us, what, you know, we figured out pretty early on was actually, you know, you have a strong EDR.
And especially if you get any sort of network telemetry, you see a whole lot of stuff. And then it's just a question of like classification.
And then once you have strong classifiers, handing that off to an agent to say, yep, this is indeed.
you know, a shadow AI use case because of reasons X, Y, Z.
So, yeah, it's been interesting to see that shift.
You know, soapbox moment, though, AI versus traditional signal extraction.
I think a core piece, though, was not to just say, like,
here are a bunch of command line arguments.
Search the table.
But rather, like, we realized, you know, if you want to define what shadow versus
legitimate AI was,
needed to build like decent heuristics and eventually models that would tell you what like a person
versus an AI would do and then if that AI were writing commands like when was it going too far versus
doing something that seems weird but totally cool and that my friend was honestly a there was a
learning curve with that you can't solve it right the first time but I think it's I think it's
interesting because there's so many ways to like the shadow AI thing right when people are using it via a
browser like one of the wonderful ways to solve for that is to use like some of these browser
plugin based products yep you know push security comes to mind they're another
decibel you know portfolio company like you guys are and you know but the point I
think that's the point right when you've got all of that EDR data you've got data from
everywhere right and you're throwing it into that graph and that's my point about
hey threat hunting's great but like while you got the engine out of the car you know
maybe we want to replace this part that fails at you know a hundred thousand miles
You know, the car's got 80,000 miles on it.
We've got the engine out of the car.
Let's, you know, let's replace that part.
But then I'm, I guess, you know, you've obviously got a lot more ambitious with this thing.
And you're saying, well, you know, eventually we want to turn it into a, you know,
detection and threat response unigraph that can do everything.
I guess I'm wondering, like, take me on that journey to how you get to that endpoint, you know,
from where you are now.
Like, what's next?
you know, because you've got the threat hunt piece,
you've got the informing detection piece,
but you're not quite the detection stack.
How do you go from here?
Like, what are you replacing?
What are you displacing?
How does that work?
Yeah, so, I mean, fundamentally,
going back to first principles,
so if you do behavioral threat hunting,
you find either an instant
or you build a detection.
Now, hunting is typically defined by analytical,
that you write. I ascribe to the school of continuous hunting, right? There are different
triggers, different kinds of behaviors that I should always be monitoring. Not all of them are bad,
but it's useful to know when who am I runs on a Windows system. Or it's useful to know when
someone's doing SSH port forwarding or port 3389 is open. You know, the real drive, if you
think about what behavioral detections, both event-based, so if I do like a behavioral detections,
for a MacOS device or a Linux box versus a correlation rule,
which is like I look for multi-events on one system
or different events across identity, cloud, endpoint, network, you name it.
Ultimately, build analytics, right?
Like, that's really what you start to build
is like an analytical layer on top of that.
So, you know, I describe what we do as like hunt for security operations.
If I already use the term that's on our website,
it's a contextual security analytics platform.
Really, the idea is you build these analytics.
Like, if you hunt, if you're constantly looking for abnormal behavior and convicting that and attributing it, you build these really strong analytics.
These analytics end up being really robust detections.
Can you give us an example there, though, like a concrete example of what sort of detection you wind up with?
So one is a really interesting password manager analytic that we wrote.
It was driven off of a hunt.
So basically we,
the hypothesis was we were looking for
password manager compromise
and there were different kinds of behaviors
that you would look for if a password manager was
compromised.
You know, you'd see vault files on
an endpoint accessed,
but you
would miss credentials being used in identity.
So you'd need that. And then
if you wanted to see
from the cloud side,
the identity and different service accounts
that it might be using once it had compromised the password manager, like those all in isolation,
A, like live in their respective data silos, and B, you can build each of these detections,
but like, okay, is it useful if I see a vault file?
So the analytic that we wrote was we were able to go, okay, we see like multiple credentials
being used across different service accounts after vault files are accessed on an endpoint.
So that's like one example.
That's really cool.
And it's, okay, so we're all able to sit down, right?
As people who know a bit about security and think of these sort of sequenced stateful patterns
that turn into really actually quite high quality detections.
The problem is always where to put them.
Like, you know, how do you actually get that detection to run in a typical detection stack?
Where does it, is that in the seam?
Can you even instrument that easily in the seam?
Or are these detections that you actually now run?
in your platform.
So you run them in our platform.
So you'd run them, I mean, that's a correlation rule.
You need many events to happen, but we have like a streaming detections pipeline.
So as the events come through, we'd see it.
Because I think all of the seam people are like, oh yeah, you can correlate so much.
You can you can correlate so many things in this bad boy, you know?
It seems to be the thing.
But I mean, it gets, it kind of falls over after a bit, right?
Like it gets, it, oh, it's just too hard.
And you need to be pulling in too much and then these seam bills going to the moon.
and like it just gets hot.
Yeah, and you know, like,
the pipe character was wrong,
so you actually are searching for the wrong thing the whole time.
No, the other piece, and it's interesting,
this is like a whole other topic,
but detection drift monitoring is another core piece that we look at, right?
Like, analytics are good, but like environments evolve.
So you also want to be continuously monitoring these analytics
being like, hey, are they performing?
Like, are they working as they should?
Which is why, like, whenever you create detections in Nebulon,
like we require test against production data.
So you don't just like throw something at data being like this should be good
because there's a big difference between like a query that you run on a back end
and a correlation rule that's battle tested.
And that was really key piece.
You asked about what we replaced though, Patrick, and I just want to make sure we touch on that.
Well, because by the sounds of things these detections that you're doing, the logical place,
like if one of these correlation based detections fires, the obvious thing you would
do is like kick that out, I guess either into Slack or into a seam or whatever.
But I'm guessing like what are most people doing?
Into the seam? Into the seam and into Slack. We've also exposed APIs so you can like
hunt and do a bunch of stuff just via API in Nebulauch, which is great. But we are this very
organic layer that kind of sits atop or alongside the seam. Now we get to the question about
what do you replace? Yeah. So I mean like...
Seeing as we're on the topic of seams.
Seeing as we're on the topic of seams, you know, for folks that want like a really direct
analytics platform that, like, is able to log key telemetry pieces that matter when it comes
to security were perfect.
On a replacement piece, we're really good at the like insider risk, insider threat.
I don't want to say UEBA, but, you know, those analytic platforms that were false positive
holes and have large costs in terms of rent space for security operations teams but are required
at times, that's been a very organic replacement motion for us. The thing that, you know, is missing
from all of those is like a Z score on top of an analytic telling you that something is a critical,
in my opinion, is not going to cut it in this dynamic threat environment. You need something that's
pragmatic, that reasons on top of it, that understands context, and that's what we do. So that's really
what we're replacing right now.
But then there's a whole component around like efficacy, right?
We've been able to help teams, you know, security teams of four people do things that they
never could before because now they have this like hunting and detections, Iron Man suit
that they can run alongside and like plays nicely with the other tools that they have.
So right now, I mean, you know, that that's the efficiency use case, right?
getting that team of four people to be able to do more.
Yes.
You know, I mean, it sounds like you're not gunning for the seam world, right?
Like you want to be the seam, which makes sense.
But you do sort of wonder, and I'd love to hear your thoughts on this,
you know, even if this is not the market that you want to eat, someone's going to eat it, right?
Like, surely, I just feel like seams at this point are just outdated tech.
You know, like we've got these things trying to do what they can.
can to produce a human readable result.
Mm-hmm.
And even that is breaking down because there's too many alerts,
there's too much to process.
So now we've got this situation where we're getting
agentic platforms to consume the output of something that already simplified things for humans.
And then we're, you know, getting an agentic analysis of that to do sock triage.
It just seems like the whole thing is ridiculous.
And eventually what's going to make more sense is to have something,
a bit more three-dimensional being analyzed by, you know, AI developed rules, if not directly by
LLMs. And, you know, that's just going to give us just better results. Fewer false positives,
better results. I mean, is that where you see this going, right? Because you are playing in this
space. You've come from the EDR world. You've come from the MDR world. And now you're doing some
applied technology here. You're building a graph. You're seeing what's possible.
Is that where we're heading? Because it's where I think.
we're heading. And look, it's long term. I'm not saying like Splunk is still going to be around in
15 years, right? Like we can't escape that. But I think the Greenfield's businesses in five,
10 years from now, you know, their detection stack is going to look radically different to
what's in place now. No, no, Patrick, I completely agree. I think the sim as we understand it will
just not be able to deal with the load. Like, before we think about threat actors that move at
machine speed. Like, let's think about the amount of it. We're already there. Yeah, we're already there.
Yeah, we're already there. Well, and, and you're also dealing with, like, exponential amounts of
exhaust from agents that you have to log. Like, where is this all going to go? How is this going to work
with a system that's already broken? So, you see what I mean? Like, we're flattening all of this data
into, like, human readable. Yes. But there's too much of it, so the humans can't read it? So then we're,
you know, we're saying, hey, agents, can you go grab this stuff that we've flattened into human? Like,
it just doesn't make sense. It just seems, if you would design,
finding detection from scratch, it wouldn't look like what it looks like now.
No.
And I think, you know, you, because different players, like, we're in this, I think we're
in this very interesting transition moment where I agree with everything you say, Patrick, but also,
like, detection doesn't really have a single home.
Like, I talk to most customers and they say, we run detections in our SIM.
And then I'm like, do you do, okay, like, but where do you run, like, these endpoint detections?
like, oh, and our EDR. Great. Two homes. Right. But I think more and more it doesn't matter
because of agents, because an agent is going to be really good at saying, well, I need a bit of context
from this system over here. I'm just going to go grab it. And an agent's going to say, you know what?
I'm regularly grabbing context from over here. Maybe we should pull that into the graph that
the make life easier graph. You know, I think at that point, the graph is the make life easier tool
for the people, for the agents. And it can be informed, like what goes into the graph can be
informed by the people and the agents, you know. But you're right. Like it doesn't, it doesn't need to be
in one place anymore. No, I think like this concept of data gravity like is not what it needs,
what it used to be before. You do need like a centralized operating core, right, this graph,
this idea of a place where agents can go, that does exist. So it's this interesting combination of
like a centralized place of intelligence, but also we don't need to backhaul our sales force logs
and store them for two years, right?
Like, that world is gone, should be gone.
We don't need to do that anymore.
I completely agree.
So it's like centralized intelligence with data
where it's supposed to be,
which builds a really interesting,
flexible way that ultimately allows
this human plusogenic, this hybrid future to happen.
The real trick is figuring out
how to make the right graph,
how to make a good data normalization.
And, you know, I'm biased,
but I think that's something
that we've done an excellent job at because I've hired people smarter than me, Patrick.
They've really helped along this path.
It's always a good idea.
Yeah.
If I was the smartest person in the room, we'd be in trouble.
I know that feeling well running this company.
But Damian Lukie, you are building a monster.
It is awesome.
Thank you so much for joining us to talk through all of that.
In light of your wonderful Series A announcement, I can't wait to see what this thing
turns into over the next couple of years. It was great to see you, my friend.
Right back got you, my friend. Appreciate it. We're just getting started. Thank you.
