Risky Business - Soap Box: Using threat hunting to drive detection

Episode Date: July 8, 2026

In this wholly sponsored Soap Box edition of the podcast Patrick Gray chats with Damien Lewke, the CEO and founder of Nebulock, about the future of threat hunting and de...tection. Damien spent a decade in the EDR and MDR space before founding Nebulock in 2024. It started off as an AI-powered threat hunt platform but has evolved into a broader security data platform that can answer questions, drive hunts and drive detections. This product is engineered around the idea that a lot of security is a data problem. So, if we accept this premise, how do we solve security? And how much of that solution is about agents, vs building a good graph? And if you’re going to build a good graph, do you want to build it for a person to use, or an agent to use? This is truly a conversation for the security nerd’s nerd. Enjoy! This episode is also available on YouTube Show notes

Transcript
Discussion (0)
Starting point is 00:00:03 Hey everyone and welcome to this soapbox edition of the Risky Business Podcast. My name's Patrick Gray. For those of you who don't know, each edition of the Soapbox podcast here at Risky Business Media, it's sponsored. It's always sponsored and that means everyone you hear in a Soapbox edition of the show paid to be here. And as a further disclosure, today we're chatting with Damien Lucie, who is the chief executive and founder of Nebulok, which is a company that I also serve as an advisor to, which means that I do have a teeny teeny share option. package in the company. So yes, Damien, smart dude. He has worked at CrowdStrike. He's worked at Palo Alto Networks. He worked at Arctic Wolf. So he's worked in the EDR and MDR space
Starting point is 00:00:45 for quite a long time. He even worked in the defense industrial base like straight out of college. And yeah, so he's had a front row seat to all sorts of carnage over the last decade plus and that means he's had a bunch of opinions and ideas on what sort of security technology we all should be building. So the original pitch for Nebulauch was AI threat hunting, right? Which is you can leverage agentic AI, you know, collect a bunch of data and then send these agents out doing hunts. And, you know, Nebulauch still does that. But I guess the pitch has broadened now at customer request. You still start with these sort of hypothesized threat hunts, but then you can do stuff like build detections based on what you've
Starting point is 00:01:30 find. You know, Nebula lock has sort of become a tool that's very handy for detection teams, and it's also just a great platform for asking questions of. And a big part of the reason that it's useful for doing that, as you'll hear, is because Damien and his team have really done a lot of work building a really cool graph out of the data that Nebulauk collects. So, I mean, that's really what this interview is about. Like, to what degree is security a data problem and if it is a data problem how do you solve that and if you're going to use something like a graph do you want to build that graph to be optimized for human consumption where we've got you know seams these days where we try to flatten everything for human consumption but now we're sort of
Starting point is 00:02:12 throwing agents at a problem where we flattened it for human consumption so that doesn't seem quite right so do we now start have to you know should we now not be flattening things so that agents can use them a little bit better it's that sort of conversation right it's it's one for the the security nerds nerd. So I'll drop you in here where Damien is giving a one-minute pitch just on what Nebulaq is to help frame the conversation. So here is Damien. Lukie from Nebioch. Enjoy. We're a hunt for security operations platform, right? Like everything is still hunt first. We still start with the like unknown unknowns hypothesis based hunting, right? We use intelligence, we infer based on what we know in your environment and we drive the hunt. But the idea is
Starting point is 00:02:57 like hunts should have outputs and those outputs become detection. So ultimately, like, the pitch really is, look, you've got a brilliant group of folks. You've made a ton of investment in security. Breaches happen because of low and no signal events. We're going to find those, but we're not just going to find those. We're going to translate those ideas, even if you don't find something, into detections. And you can run them in Nebulauch. You can run them in your SIM.
Starting point is 00:03:19 Like, wherever you run detections is fine by us, right? But the whole idea is that you should have this continuous analytical layer that's being built over time. Everybody's curious about what's running in their environment. Everybody knows that there are always things that we might, you know, that would be good to know and good to find. And then the real value is, okay, great. And now instead of, you know, GRI tickets and two-week sprints, I can write detections, test, and validate them in, you know, three minutes. And they capture intent and behavior instead of, we need to make sure that we wrote the SIM correlation rule the right way. So that's really been the pitch.
Starting point is 00:03:53 Look, that's a really succinct pitch. And I thank you for that. And the listeners thank you for that for keeping that down to like a minute. But one thing I wanted to ask you about is like, you know, very early on in Nebulauk, it was all about finger guns, AI threat hunting, right? Like that was the whole thing. It's a threat hunting, agentic platform, puo, pule. But nowhere in the pitch just then, you know, did you mention AI, despite the fact, and I know this, you're still very much an AI forward company. So I'm just saying, it's interesting. It's not the primary message anymore. It's the primary hook in the message. So, like, maybe you could tell us why that is.
Starting point is 00:04:29 One of the key lessons that we learned was, again, understanding what an agent is and is not good at. So a lot's been learned since the seed round. The real unlock for us was making the shift from agentic threat hunting, which was great. It was all about like behavioral hypotheses, understanding behavior, using that to surface what might have been missed by your existing systems. and then translating that more to the problem of, and this is something our customers really helped us with, is the age-old question of, okay, great, so like I've run a threat hunt and maybe I found something or I didn't,
Starting point is 00:05:11 how do I keep that information? How do I take those lessons learned? The more we thought about it, the more we dug into it, we were like, well, you know, we're writing detections within our platform. What if we expose that to customers? So you had this hunt piece and detection piece. And really like the underlying mechanism that united it, it's kind of funny, we'd had it all along, was a graph. So that was going to be my next question, which is like what?
Starting point is 00:05:39 So you get one more like Splunk extension or Splunk plugin or, you know, how does this work? And it sounds like, no, you're actually building your own sort of data structure here and turning it into a graph. And like that's kind of the approach you've gone with. No, 100%. Right. I think the term now would be like context engine
Starting point is 00:05:58 or context graph if you want to go big, but context engine is the truer technical term. But yeah, we built a graph and then that graph is something that the agents
Starting point is 00:06:06 can access and reference so they can walk the graph and look at different identities tied to different hosts and different service accounts tied to an identity and ultimately be like, hey, wait a minute,
Starting point is 00:06:16 is Damien in accounting actually who he says he is or is it his open-claw agent that's access in critical infrastructure when it shouldn't. that was a really key unlock for us, was just uniting those together and having data structure,
Starting point is 00:06:28 owning that, building the graph, was just really helpful. And that was a big shift for us, right? Evolving beyond the initial hypothesis and really realizing that we could scale beyond that. And when I say like hunt for security operations, really what it is is like, if you think of threat hunting,
Starting point is 00:06:47 you know, that is a traditionally ad hoc workflow. We want to make it continuous. but ultimately good hunting should inform good detections and good incident response. And that's really what we're driving towards as a company. So, I mean, is the idea here, right, that you think you can be the detection stack, or are you trying to complement the detection stack? I think to start, really, we want to complement the existing investments people have made. But eventually, yes, I would love to own the detection stack.
Starting point is 00:07:17 But that is a journey. and I think it's disingenuous of a company to come out, raise a series A and say, yep, you don't need all the things that you had before. Rather, like, there's a world where you can start to build better, more accurate, more performant detections in Nebula and provided we continue to grow,
Starting point is 00:07:34 earn the trust of our customers, and do our jobs. Eventually, yes, that's what we'd like to do. But that takes time and that takes trust. Well, yeah, yeah. I mean, it's funny, right, because your background is in EDR, and then MDR and building a sort of platform where you're like, okay, well, we started off doing AI threat hunt.
Starting point is 00:07:55 Now we're just going to build a graph and let agents crawl all over it and do everything with it. And eventually own the detection stack is exactly what happens when you give someone who worked in MDR a bunch of money and say go do. Right. Like, I mean, this is like, I'm guessing a lot of what you're doing now is informed by that sort of experience. And I think, you know, everyone I know who worked in MDR has been proud of what they've been able to. to achieve, but also frustrated with what they can't achieve, given the gaps in tooling that we all suffer from, right? I mean, you said it well, Patrick.
Starting point is 00:08:30 I think the one piece in my background that's not covered is like, I began as an operator in the dib. So, like, when you deal with nation state cyber defense is your first job out of uni, that changes you. And then you join an EDR company and then you go to an MDR. I think a lot of folks end up being inspired by that first order problem. And that's really what we're trying to solve, which is how do you solve for the breach? Because in an MDR, when you integrate with the smorgasbord of solutions that are out there,
Starting point is 00:08:58 you actually see, like, some are very good, but they're really good in their specific niche. And when you try to take a more holistic approach to, like, how do you look at risk management and resilience for an enterprise? Like, that's a much bigger problem. And, like, no one solution, no one EDR or I am or C. ESPN solves for that. And I think we live in a world where it's really easy to believe that if I buy the right tool, I am resilient. When in fact, no tool, and this is why we all do telemetry logging, so you can search it, is perfect. So I think that's why a lot of us MDR folks get inspired by that is because we've seen the systems problem of breach prevention at scale.
Starting point is 00:09:46 Yeah, and I mean, this isn't a prevention product, but if you wanted to build, you know, so much of security these days, right, detection, hunting and whatever, it is just a data problem. Yes. Right. And so the solution to that is going to be something along the, I mean, you know, you've been a listener to the show for a long time, and you've heard me say this for a long time that, like, detection and response and, you know, threat hunt and all of that sort of stuff. Eventually, it's got to collapse into one thing. because all of it, I mean, I guess response is a bit different, but, you know, detection and, you know, threat hunt is, and we've talked about this, you and I, right? Yeah.
Starting point is 00:10:27 It's kind of the same thing, just at different speeds. So eventually you would think all of this is going to collapse into one thing, like, for example, a giant graph database. And I'm not, you know, I'm not sitting here with my hand of my heart saying, yes, Nebulauk has solved the detection problem by building a giant graph that could, You know, like, obviously I'm not saying that, but like, you know, that I guess I agree with you that the solution long term, that's what it's going to look like. It's going to look more like that and less like Splunk and less like, you know, Google Cloud Cloud Splunk and Microsoft Cloud Splunk, right? Which is everybody's thing. And it's going to be more like a graph with agents crawling all over it and answering questions. I mean, you know, this is where we got to go, right? Yeah. I couldn't agree with you more on the security being a data problem. And that also goes back to the whole, like, I have these 18 widgets and they all tell me they solve this very specific problem in my organization. And the great thing is, is they all have different schemas. And then I try and put it into a SIM. And that, you know, has six different case types for event ID. You know, like, it just is such a challenge. And I completely agree. That was actually the core realization and, like, first real play that we figured out. Again, like, pre- And really after the seed with the investment was like, oh, we have to build like the underlying schema and do normalization because I can only like, you cannot build a good graph
Starting point is 00:11:49 if you don't have consistent data structures. You cannot do streaming detections. If you don't normalize the data. And there are really efficient ways to do it. But if you don't solve the data problem, what use are your analytics? Your queries will break. Like nothing will work. So I completely agree with you, Patrick.
Starting point is 00:12:08 I completely agree. Now look, I think one thing that's, you know, we've sort of talked a little bit about AI, and then we've sort of talked about the data problem and building a graph, right, and trying to, you know, normalize data to an extent to get it in there. But I also think that like once you've built this graph, right, where you've got all of this information about devices and identities and events and traffic and things that have happened and you put that all in one place, I mean, that's more useful in the AI age, right? So that's the thing, right?
Starting point is 00:12:35 Like what you build now is, different because of what you can do agentically. Yes. Like do you agree with that that like this graph is probably more viable, you know, as a product because of what you can do with once you get agents crawling all over it? And indeed, building it is easier now because you were just talking about how you got to normalize data going in there and like figure it all out properly. I mean, AI is pretty good at like building you a script to do that, for example. So like, you know, as much as we're talking about, how the exciting thing here is to do something not really AI-related in terms of building this
Starting point is 00:13:14 graph, it still kind of is AI-related, because the graph is more useful now and easier to build, thanks to AI. Well, I would posit the graph is different because of AI. The nice thing is really, what's fundamentally changed, in my opinion, is like, back in the day, well, you had tables and a SQL database. Then you have... had graphs, but ultimately like the human still had to walk the graph. And these graphs can get really... Well, that's what I mean. They're going to get really complicated and a human's going to look at it and just go, man,
Starting point is 00:13:49 I don't know what to do with this. I can't even understand this, whereas an agent doesn't have these concerns. It'll just randomly stumble around until it finds something interesting. Correct. Now I honestly, and this is the nuance, right? It's like you now have this agentic layer on top of it that you can build. Ideally, you want to have the agent manage enough context and understand the graph well enough to not go on a wild goose chase and burn a million tokens to try and figure out,
Starting point is 00:14:13 hey, did Damien Loogie log in at 9 a.m. Eastern? So that's also part of the learnings when you have agents working with the graph. I think the real unlock, because it's funny, going back to graphs five, 10 years ago, that's not true, 10, 15 years ago. Let's think about like OG Crowdstrike, Carbon Black, Silance, folks that were building graphs. The graph, the graph was the first step. The real unlock was, and I'm biased, because I saw what we did at CrowdStrike with the threat graph, the real unlock was not, hey, can I use the technology,
Starting point is 00:14:50 but rather like, what do I enrich the graph with? You know, when you have a Falcon Overwatch or Nation State threat intelligence and you use that to enrich the graph, that's what really builds compounding value. So one of the things that... Well, yeah, I mean, you take your crowd strike, and then you throw some coalite data at it,
Starting point is 00:15:08 and all of a sudden, you know, it's more than the sum of its parts, right? It's like 10 times more useful. Well, and that I think, you know, just in general for folks who are looking at messing around with graphs, I think the big question you have to ask yourself is like, okay, great, I can use a graph and that's really efficient, but like what other enrichment sources can I use? And am I thinking about what those enrichment sources would look like to an agent? So when the agent engages with the graph and the different nodes on it and the edges it's got to traverse, can it make sense of that so it can go back to Patrick or Damien and go...
Starting point is 00:15:37 It's funny, man. It's like designing to make something user-friendly whether a user is not human. Yeah. It's, I don't know. I heard someone say this and I think it's true to an extent, right? Like, we have a new hybrid workforce and it's not hybrid like sometimes in the office and I'm at home. It's like I have humans and I have agents. We now have to figure out a way to get the agents to understand things so that we can use them more effectively and vice versa.
Starting point is 00:16:01 Which is interesting, right? If you told me 10 years ago that we'd be trying to figure out this problem, I'd be surprised. But here we are. So look, look, look. So here we are, right? So we've got to the part of the discussion where we're like, okay, let's stop and see where we are, right? And you've come along, you know, AI threat hunting, original proposition. And now you're like, well, we're just going to build a giant graph and, like, do a lot more with it.
Starting point is 00:16:27 And let agents do stuff with that and let humans do stuff with, you know, with that. So all of a sudden we've gone from something very niche to, okay, well, we're going to build a graph for everything and solve a whole bunch of different problems. I mean, this is a pretty drastic expansion in scope. Don't you think, Damien? It is. I think one of the key things was figuring out how to build the right graph. So, you know, the way that we build our graphs is we build context graphs per enterprise that we work with. Really, the problem that the graph is trying to solve is can I build a behavioral system of record for the enterprise that I work with? And then the agents know how to work with that graph. Whereas the temptation originally was Patrick, and when you're like, oh, yeah, like this big graph. The temptation originally was, can I just like build the world's greatest graph database and take billions of events and put it all in?
Starting point is 00:17:17 That was another thing when trying to figure out what AI is and isn't good at, like trying to have it run on a hypergraph or like a really, really big graph database was not efficient. The real value is building graphs per customer. And those graphs are plenty big. They break down, don't they? They just, like, when things get to a certain size, they just like, eh. You know, they do. And it's not the fault of the agent. Really, I think a lot of the times you run into agenic problems, it's, you know, a layer
Starting point is 00:17:43 eight error. It's because we try to give it a problem that was too big for it to solve. You know, the context window is only so big. You keep asking your questions, and it's traversing something huge. It just becomes unmanageable. I mean, it either falls over or just starts spouting absolute nonsense, right? It's kind of funny what happens to them when you push them too far. They just get real stupid.
Starting point is 00:18:04 To be fair, I think we humans can also, if you give us too much all at once, we don't sound the best either. But it's, no, it's been interesting, right? Like one of the core things, though, when it goes back to why you build a graph is fundamentally what's the problem you're trying to solve. For us, with AI threat hunting, the idea was always behavior. and behavior was all about relationships. So the best way to model relationships with behavior was a graph. So it worked for the problem that we solve.
Starting point is 00:18:32 And then, yes, you're right. Like, as we expand with this context graph, as we expand into detection, like it's opened up a whole bunch of new use cases with the same core technology, which is really exciting because we're doing more all on the same platform. This was always the thing with the threat hunting stuff, right, like that you initially pitched the company with. Then I'm thinking, look, AI threat hunting, that's really cool. You know, you can go and ask a bunch of questions and whatever.
Starting point is 00:18:57 But it's like, you know, I'm a car person, right? I'm a car person. And if you're going to pull the engine out of a car just to replace, like, one part, while you're in there, you may as well do a bunch of other stuff. Replace a bunch of seals. Replace a bunch of parts that commonly fail once you've done all of that work to get the engine out of the car. And I think when you're building a software, platform that can do AI threat hunting. Once you've brought all of that data into one place,
Starting point is 00:19:28 like while you're there, you know, I think it's like having the engine out of the car. Like, while you're there, there's probably a lot more that you can do there. So I've always seen that opportunity to do more. And indeed, you know, you've been steered by some of your customers in terms of what they want while that data is there. And it's like not even necessarily security use cases. Like, a lot of what they're looking for is maybe like weird software in their environment that shouldn't be there or people accessing AI services that they shouldn't access and just that sort of governance piece has actually been surprisingly in demand for you, right? Oh, yeah. I mean, we've seen a tremendous amount of demand around shadow AI. We,
Starting point is 00:20:13 because again, we focus on behavior, have gotten really good at insider risk. detection. Now, there's a fun philosophical discussion that I always like to have, which is technically a successful threat actor who gets creds and logs in, and Damien in accounting, who's, you know, trying to download corporate secrets to his desktop to, you know, X-Vil. They're both insiders. But yes, we've definitely played into that. And I think it's really indicative of two core problems. One is, like, security is being asked to do a lot more than they were traditionally because the world is changing so fast. And people say, suddenly go like, oh, that looks like a, it's a governance problem, but it's a data problem.
Starting point is 00:20:53 Therefore, it's now the CSO's problem. And for us, what, you know, we figured out pretty early on was actually, you know, you have a strong EDR. And especially if you get any sort of network telemetry, you see a whole lot of stuff. And then it's just a question of like classification. And then once you have strong classifiers, handing that off to an agent to say, yep, this is indeed. you know, a shadow AI use case because of reasons X, Y, Z. So, yeah, it's been interesting to see that shift. You know, soapbox moment, though, AI versus traditional signal extraction. I think a core piece, though, was not to just say, like, here are a bunch of command line arguments.
Starting point is 00:21:38 Search the table. But rather, like, we realized, you know, if you want to define what shadow versus legitimate AI was, needed to build like decent heuristics and eventually models that would tell you what like a person versus an AI would do and then if that AI were writing commands like when was it going too far versus doing something that seems weird but totally cool and that my friend was honestly a there was a learning curve with that you can't solve it right the first time but I think it's I think it's interesting because there's so many ways to like the shadow AI thing right when people are using it via a
Starting point is 00:22:15 browser like one of the wonderful ways to solve for that is to use like some of these browser plugin based products yep you know push security comes to mind they're another decibel you know portfolio company like you guys are and you know but the point I think that's the point right when you've got all of that EDR data you've got data from everywhere right and you're throwing it into that graph and that's my point about hey threat hunting's great but like while you got the engine out of the car you know maybe we want to replace this part that fails at you know a hundred thousand miles You know, the car's got 80,000 miles on it.
Starting point is 00:22:47 We've got the engine out of the car. Let's, you know, let's replace that part. But then I'm, I guess, you know, you've obviously got a lot more ambitious with this thing. And you're saying, well, you know, eventually we want to turn it into a, you know, detection and threat response unigraph that can do everything. I guess I'm wondering, like, take me on that journey to how you get to that endpoint, you know, from where you are now. Like, what's next?
Starting point is 00:23:13 you know, because you've got the threat hunt piece, you've got the informing detection piece, but you're not quite the detection stack. How do you go from here? Like, what are you replacing? What are you displacing? How does that work? Yeah, so, I mean, fundamentally,
Starting point is 00:23:29 going back to first principles, so if you do behavioral threat hunting, you find either an instant or you build a detection. Now, hunting is typically defined by analytical, that you write. I ascribe to the school of continuous hunting, right? There are different triggers, different kinds of behaviors that I should always be monitoring. Not all of them are bad, but it's useful to know when who am I runs on a Windows system. Or it's useful to know when
Starting point is 00:24:01 someone's doing SSH port forwarding or port 3389 is open. You know, the real drive, if you think about what behavioral detections, both event-based, so if I do like a behavioral detections, for a MacOS device or a Linux box versus a correlation rule, which is like I look for multi-events on one system or different events across identity, cloud, endpoint, network, you name it. Ultimately, build analytics, right? Like, that's really what you start to build is like an analytical layer on top of that.
Starting point is 00:24:35 So, you know, I describe what we do as like hunt for security operations. If I already use the term that's on our website, it's a contextual security analytics platform. Really, the idea is you build these analytics. Like, if you hunt, if you're constantly looking for abnormal behavior and convicting that and attributing it, you build these really strong analytics. These analytics end up being really robust detections. Can you give us an example there, though, like a concrete example of what sort of detection you wind up with? So one is a really interesting password manager analytic that we wrote.
Starting point is 00:25:10 It was driven off of a hunt. So basically we, the hypothesis was we were looking for password manager compromise and there were different kinds of behaviors that you would look for if a password manager was compromised. You know, you'd see vault files on
Starting point is 00:25:26 an endpoint accessed, but you would miss credentials being used in identity. So you'd need that. And then if you wanted to see from the cloud side, the identity and different service accounts that it might be using once it had compromised the password manager, like those all in isolation,
Starting point is 00:25:46 A, like live in their respective data silos, and B, you can build each of these detections, but like, okay, is it useful if I see a vault file? So the analytic that we wrote was we were able to go, okay, we see like multiple credentials being used across different service accounts after vault files are accessed on an endpoint. So that's like one example. That's really cool. And it's, okay, so we're all able to sit down, right? As people who know a bit about security and think of these sort of sequenced stateful patterns
Starting point is 00:26:20 that turn into really actually quite high quality detections. The problem is always where to put them. Like, you know, how do you actually get that detection to run in a typical detection stack? Where does it, is that in the seam? Can you even instrument that easily in the seam? Or are these detections that you actually now run? in your platform. So you run them in our platform.
Starting point is 00:26:42 So you'd run them, I mean, that's a correlation rule. You need many events to happen, but we have like a streaming detections pipeline. So as the events come through, we'd see it. Because I think all of the seam people are like, oh yeah, you can correlate so much. You can you can correlate so many things in this bad boy, you know? It seems to be the thing. But I mean, it gets, it kind of falls over after a bit, right? Like it gets, it, oh, it's just too hard.
Starting point is 00:27:04 And you need to be pulling in too much and then these seam bills going to the moon. and like it just gets hot. Yeah, and you know, like, the pipe character was wrong, so you actually are searching for the wrong thing the whole time. No, the other piece, and it's interesting, this is like a whole other topic, but detection drift monitoring is another core piece that we look at, right?
Starting point is 00:27:25 Like, analytics are good, but like environments evolve. So you also want to be continuously monitoring these analytics being like, hey, are they performing? Like, are they working as they should? Which is why, like, whenever you create detections in Nebulon, like we require test against production data. So you don't just like throw something at data being like this should be good because there's a big difference between like a query that you run on a back end
Starting point is 00:27:49 and a correlation rule that's battle tested. And that was really key piece. You asked about what we replaced though, Patrick, and I just want to make sure we touch on that. Well, because by the sounds of things these detections that you're doing, the logical place, like if one of these correlation based detections fires, the obvious thing you would do is like kick that out, I guess either into Slack or into a seam or whatever. But I'm guessing like what are most people doing? Into the seam? Into the seam and into Slack. We've also exposed APIs so you can like
Starting point is 00:28:21 hunt and do a bunch of stuff just via API in Nebulauch, which is great. But we are this very organic layer that kind of sits atop or alongside the seam. Now we get to the question about what do you replace? Yeah. So I mean like... Seeing as we're on the topic of seams. Seeing as we're on the topic of seams, you know, for folks that want like a really direct analytics platform that, like, is able to log key telemetry pieces that matter when it comes to security were perfect. On a replacement piece, we're really good at the like insider risk, insider threat.
Starting point is 00:28:54 I don't want to say UEBA, but, you know, those analytic platforms that were false positive holes and have large costs in terms of rent space for security operations teams but are required at times, that's been a very organic replacement motion for us. The thing that, you know, is missing from all of those is like a Z score on top of an analytic telling you that something is a critical, in my opinion, is not going to cut it in this dynamic threat environment. You need something that's pragmatic, that reasons on top of it, that understands context, and that's what we do. So that's really what we're replacing right now. But then there's a whole component around like efficacy, right?
Starting point is 00:29:35 We've been able to help teams, you know, security teams of four people do things that they never could before because now they have this like hunting and detections, Iron Man suit that they can run alongside and like plays nicely with the other tools that they have. So right now, I mean, you know, that that's the efficiency use case, right? getting that team of four people to be able to do more. Yes. You know, I mean, it sounds like you're not gunning for the seam world, right? Like you want to be the seam, which makes sense.
Starting point is 00:30:09 But you do sort of wonder, and I'd love to hear your thoughts on this, you know, even if this is not the market that you want to eat, someone's going to eat it, right? Like, surely, I just feel like seams at this point are just outdated tech. You know, like we've got these things trying to do what they can. can to produce a human readable result. Mm-hmm. And even that is breaking down because there's too many alerts, there's too much to process.
Starting point is 00:30:35 So now we've got this situation where we're getting agentic platforms to consume the output of something that already simplified things for humans. And then we're, you know, getting an agentic analysis of that to do sock triage. It just seems like the whole thing is ridiculous. And eventually what's going to make more sense is to have something, a bit more three-dimensional being analyzed by, you know, AI developed rules, if not directly by LLMs. And, you know, that's just going to give us just better results. Fewer false positives, better results. I mean, is that where you see this going, right? Because you are playing in this
Starting point is 00:31:16 space. You've come from the EDR world. You've come from the MDR world. And now you're doing some applied technology here. You're building a graph. You're seeing what's possible. Is that where we're heading? Because it's where I think. we're heading. And look, it's long term. I'm not saying like Splunk is still going to be around in 15 years, right? Like we can't escape that. But I think the Greenfield's businesses in five, 10 years from now, you know, their detection stack is going to look radically different to what's in place now. No, no, Patrick, I completely agree. I think the sim as we understand it will just not be able to deal with the load. Like, before we think about threat actors that move at
Starting point is 00:31:55 machine speed. Like, let's think about the amount of it. We're already there. Yeah, we're already there. Yeah, we're already there. Well, and, and you're also dealing with, like, exponential amounts of exhaust from agents that you have to log. Like, where is this all going to go? How is this going to work with a system that's already broken? So, you see what I mean? Like, we're flattening all of this data into, like, human readable. Yes. But there's too much of it, so the humans can't read it? So then we're, you know, we're saying, hey, agents, can you go grab this stuff that we've flattened into human? Like, it just doesn't make sense. It just seems, if you would design, finding detection from scratch, it wouldn't look like what it looks like now.
Starting point is 00:32:30 No. And I think, you know, you, because different players, like, we're in this, I think we're in this very interesting transition moment where I agree with everything you say, Patrick, but also, like, detection doesn't really have a single home. Like, I talk to most customers and they say, we run detections in our SIM. And then I'm like, do you do, okay, like, but where do you run, like, these endpoint detections? like, oh, and our EDR. Great. Two homes. Right. But I think more and more it doesn't matter because of agents, because an agent is going to be really good at saying, well, I need a bit of context
Starting point is 00:33:08 from this system over here. I'm just going to go grab it. And an agent's going to say, you know what? I'm regularly grabbing context from over here. Maybe we should pull that into the graph that the make life easier graph. You know, I think at that point, the graph is the make life easier tool for the people, for the agents. And it can be informed, like what goes into the graph can be informed by the people and the agents, you know. But you're right. Like it doesn't, it doesn't need to be in one place anymore. No, I think like this concept of data gravity like is not what it needs, what it used to be before. You do need like a centralized operating core, right, this graph, this idea of a place where agents can go, that does exist. So it's this interesting combination of
Starting point is 00:33:47 like a centralized place of intelligence, but also we don't need to backhaul our sales force logs and store them for two years, right? Like, that world is gone, should be gone. We don't need to do that anymore. I completely agree. So it's like centralized intelligence with data where it's supposed to be, which builds a really interesting,
Starting point is 00:34:08 flexible way that ultimately allows this human plusogenic, this hybrid future to happen. The real trick is figuring out how to make the right graph, how to make a good data normalization. And, you know, I'm biased, but I think that's something that we've done an excellent job at because I've hired people smarter than me, Patrick.
Starting point is 00:34:30 They've really helped along this path. It's always a good idea. Yeah. If I was the smartest person in the room, we'd be in trouble. I know that feeling well running this company. But Damian Lukie, you are building a monster. It is awesome. Thank you so much for joining us to talk through all of that.
Starting point is 00:34:47 In light of your wonderful Series A announcement, I can't wait to see what this thing turns into over the next couple of years. It was great to see you, my friend. Right back got you, my friend. Appreciate it. We're just getting started. Thank you.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.