In this conversation, we discuss:
- The unique approach VulnCheck takes to solve cybersecurity issues using less manpower.
- The role of machine consumable data in accelerating threat response times.
- How VulnCheck's innovation has made them a finalist at the RSA Conference Innovation Sandbox.
About our guest:
Jay Wallace, the VP of Global Sales at VulnCheck, brings a rich history of experience in cybersecurity. Jay's expertise is in leading teams that innovate at the forefront of the cybersecurity industry.
Connect with our guest:
- Jay Wallace on LinkedIn
- www.vulncheck.com
Follow me on LinkedIn for regular posts about growing your cybersecurity startup
Want to grow your revenue faster? Check out my consulting and training
Need ideas about how to grow your pipeline? Sign up for my newsletter.
[00:00:00] Hey, it's Andrew. And just quickly before we start this episode, I want to tell you about one of my favorite podcasts, the Bare Knuckles and Brass Tacks podcast.
[00:00:09] Not only does it have a great name, it also has a really good format that's interesting. The two hosts are both named George. That's not what's interesting about it.
[00:00:18] It's that George K is on the vendor side and George A is a CISO on the customer side. And they have real conversations, sometimes with guests, about the world of vendor-customer interactions.
[00:00:30] They're not afraid to call out bad behavior on both sides and talk about the weird and wonderful nature of this world of ours in cybersecurity.
[00:00:39] Recent favorites of mine are the one about building trust called "Taking a Flamethrower to FUD and Buzzword Mumbo Jumbo," and also the one with someone who's a field CISO and advisor to startups called "How Security Buyers Think and Go-to-Market Strategies for Young Companies."
[00:00:56] I'm not getting paid for this promo. I just really enjoy the show that the two Georges put on. Check it out. It's the Bare Knuckles and Brass Tacks podcast. Now on with this episode.
[00:01:15] Welcome to the Cybersecurity Go-To-Market Podcast for a special showcase episode where we are talking to leaders of the companies selected for the 2024 RSA Conference Innovation Sandbox.
[00:01:28] And these are just 10 companies that the judges have selected from many, many hundreds of entries as the most innovative startups in cybersecurity today.
[00:01:37] I am your host, Andrew Monaghan, and today we're talking with Jay Wallace, the VP of global sales at VulnCheck. Jay, welcome to the podcast.
[00:01:45] Thanks for having me Andrew.
[00:01:47] And Jay, I say welcome to the podcast; it's the second time, I believe. Maybe someone will correct me if I'm wrong, but I think you might be the first time we've had a return guest on, so welcome back to the podcast.
[00:01:58] Well, I'm certainly honored. I really appreciate you having me back.
[00:02:01] Well, the crowd and the audience were clamoring for more Jay Wallace, so here we go, right? The Innovation Sandbox has been the impetus for us to get you back on and have another chat.
[00:02:11] So this is a special showcase episode.
[00:02:13] So we're going to run through these questions and we're looking for the best and most interesting answers to the questions that we have.
[00:02:19] So here's the first one for you Jay.
[00:02:21] Where in the world did you have your first sandbox as a kid?
[00:02:25] I would say it was at the dreaded daycare was my first sandbox. As a child of the 80s, that meant, like, the little turtle sandbox that you shared with other kids. In retrospect, probably a very disgusting place to play, but of course as a kid, who cares, you're just having fun and
[00:02:44] I just was trying to avoid the gross snacks they served at daycare so the sandbox was the right place to be.
[00:02:50] And where in the world was this daycare?
[00:02:52] This was in a small town called Hico, Texas.
[00:02:55] There are not many people that know where Hico is, but I like to call it the Bermuda Triangle of Texas.
[00:03:01] If you were to draw a triangle from Abilene to Dallas to Austin, it's just square in the middle.
[00:03:06] I had a group, like, graduating class is 43 people, three exchange students, and I always wondered to myself, how in the world did you travel across the world as an exchange student and land in Hico, Texas? Still not sure the answer to that, but it was certainly entertaining.
[00:03:21] It's funny the places people end up sometimes right?
[00:03:23] Alright, so what is the story of the founding of VulnCheck?
[00:03:28] Yeah, so Anthony Bettini is the founder of VulnCheck, and I was introduced to him by way of a VC that we shared with my former company and this company.
[00:03:38] He's a third-time founder, all the way back to Foundstone, Head of Security Research at Foundstone.
[00:03:45] Went through the McAfee acquisition, stayed on with security research, leading that team for about 10 years until he went to start his own company.
[00:03:53] The first company was called Appthority. It was a mobile application security company in the early days of mobile application security.
[00:04:00] Sold that company to Symantec, decided to found another company after that called FlawCheck.
[00:04:07] But it was a container security company that was sold to Tenable, and he stayed on with Tenable for about three years and decided he wanted to go found his own thing again but wasn't quite sure which, so he took a bridge job as the CTO at WhiteHat Security.
[00:04:25] Running all things research and technical related, and once he had enough shape of VulnCheck, he went on to found VulnCheck.
[00:04:34] And it's still a very young company but a really exciting space in the vulnerability management space obviously not without its challenges and issues but it's a great place to be.
[00:04:43] He's got a huge history in, you know, exploitation and weaponization of exploits and vulnerability management, so he's bringing all that to the table with VulnCheck.
[00:04:52] I also hired a stellar team both on the executive side and at the individual contributor level, so really fortunate to be working here with such good talent.
[00:04:59] And Anthony is a sole founder, which I guess if you get all the experience that he has of doing it before is you know I have okay is the right word but, you know, normal.
[00:05:09] Not for people that are doing it for the first time, though; they probably have the benefit of wanting to have a founding team.
[00:05:14] Yeah, absolutely. I think experience shows he's made a lot of really good decisions, even the way that he structured the team, the talent that he's brought on early.
[00:05:22] We like to consider ourselves very small but mighty so even though today we're a team of 21 we still have a ton of output we're outpacing some of the competitors we have in the space by a lot of key metrics not just in growth metrics and ARR but in actual product velocity so I think I would say a little bit strange for me.
[00:05:43] I've pretty much always worked with there was a group of co-founders but certainly seems to be working out.
[00:05:48] So what's the problem that VulnCheck solves and for whom?
[00:05:52] Yeah, I think that we are solving a huge problem for cybersecurity companies, large enterprises that are dealing with a ton of vulnerabilities that they have to manage every day. Everybody's trying to solve the vulnerability prioritization problem, and for a large government as well.
[00:06:08] And the reason I say we're solving a problem for these folks is the standard today is that everybody starts to solve this problem with people.
[00:06:16] Well, more vulns means more people, more CVEs means more people. Even most recently NIST has had their issues because they experienced a budget cut after requesting a budget increase, because they are trying to solve the problem with more vulns, more people.
[00:06:30] The problem that we're solving is the people, we think, is the real issue. It's too slow to go through multiple channels before you can get to patch remediation. Even when a vendor does come out with a 0-day and issues remediation advice immediately, it still takes a long time for that to make its trek across
[00:06:47] MITRE for enrichment, make it into NVD or possibly the CISA KEV, and then eventually make it to a vulnerability scanner where they write a plugin, create a signature, and you can start testing against your environment.
[00:07:00] During that time attackers have a chance to move laterally within your environment.
[00:07:05] There is, in certain cases, when you have massive exploitation events such as, like, Cisco IOS XE, Ivanti or Confluence, there's just not enough time to wait for you to get a signature or plugin written at one of the management solutions.
[00:07:18] And so this is where VulnCheck really lives. We provide real-time exploit and vulnerability intelligence; everything we build is meant to be machine-to-machine.
[00:07:27] So what we're effectively saying is skip the analysts get it into the tools that the analysts use and move at a much faster pace than your adversaries.
[00:07:35] So what is the transformation then? Is it many days and weeks down to, you said, real time? Is that the difference, or what do you say to the process when you're talking to them?
[00:07:45] Yeah, I'll give you an example. This one I will to be fair is a little bit of an easy example because we could find everything we needed for the detections on the internet.
[00:07:53] But Cisco IOS XE, this was a vulnerability that didn't make it through MITRE and onto the NVD for five days.
[00:08:00] And around the same time it landed on NVD, it landed on the CISA KEV list.
[00:08:04] Well, that's all fine and good. But again, it took five days, where VulnCheck, we had a version scanner written for this and found 8000 compromised routers on the internet three hours after the disclosure was made by Cisco.
[00:08:15] And this is because we have such a wide abundance of intelligence that we can look at our own intelligence and sort of predict if something's going to land on a known exploited vulnerabilities list.
[00:08:24] And if that's the case and we understand that it's remotely executable, we make that a priority to build detection artifacts for and deliver that to our customers.
[00:08:31] And who was it inside the enterprise that buys this that cares most about it?
[00:08:35] I would say there's two groups of people that care the most about it. It's the vulnerability management team and it's the cyber threat intelligence teams.
[00:08:42] Sometimes those folks can live in the SOC or they can live independent of the SOC, but we're finding that most of the folks that find value out of this is we give them speed.
[00:08:50] They already have tools. It's not a tooling problem. It's a people problem.
[00:08:54] And so they see the value immediately because they've likely been struggling with this for some time now.
[00:08:58] Now when you say people problem, is it because there's a bloat in the number of people in the team required to keep up, or they just can't get the headcount?
[00:09:04] So therefore they can't even get to some of the work they need to do anyway.
[00:09:08] I think it's a combination of both, quite honestly. Whenever we talk to customers, it's, for example, I was talking to a large pharmaceutical company the other day and their workflow involved is very analyst heavy.
[00:09:22] They're managing what you can imagine is hundreds of thousands of vulnerabilities that they need to remediate between their software and hardware inventory.
[00:09:29] They have a team of three people. And so when they're thinking about how do I solve this problem without people?
[00:09:34] Well, I don't have headcount to hire or double or triple my staff.
[00:09:38] Not to mention that the pace of vulnerabilities new vulnerabilities that are coming out today is much higher than it was just a few years ago.
[00:09:44] I think one of the stats that I saw was back in 2018 it took almost a year for a vulnerability to be exploited in the wild; in 2022 it was down to eight days.
[00:09:53] My suspicion would be in 2024 it's even less than that.
[00:09:56] And so we're talking hours not days and you're talking less people less headcount more tools to manage.
[00:10:03] That's why I mentioned it's not a tools problem. It's a people problem.
[00:10:07] I'd say in the most cases, a lot of large enterprises already have the tools that they need in place.
[00:10:12] They simply don't have the bodies or the headcount to address the vulnerabilities that are coming yet.
[00:10:16] So what is the big innovation that the judges would have seen in what you're doing to say there's a company we need to showcase?
[00:10:22] Yeah, I think there's a few different reasons why.
[00:10:25] I think everything that we deliver being machine consumable really struck a chord.
[00:10:30] In the age of AI and the age of machine learning, there's got to be a way that you can get data to people who run those machines faster.
[00:10:38] And so we monitor around 270 million data points every hour on the hour that's getting refreshed.
[00:10:46] It also includes data such as Chinese exploit data and Russian exploit data.
[00:10:51] Very hard to get data from across the internet.
[00:10:54] We're monitoring everything from Git repositories at the firehose.
[00:10:58] So as soon as something's committed, we pick that up.
[00:11:00] But before it ever hits a customer, before a customer ever plugs this into their SIEM or their SOAR or their threat intelligence platform,
[00:11:07] it's completely normalized and we put it in an easy to consume JSON image.
[00:11:12] So whether you'd like to take a full offline backup of all of the data that we produce
[00:11:16] or you'd just like to plug in certain indexes that we cover into your system, so you can do that.
[00:11:22] And the people part is the smallest part of the problem we're solving.
[00:11:26] So I think that's the thing that really stuck out to my knowledge and what I've seen across the landscape.
[00:11:31] We're the only company that's taking this approach to vulnerability management to help end users
[00:11:36] in the Vuln Management Program and CTI program get data faster.
[00:11:39] And is the secret sauce therefore in the normalization and how you work with the data
[00:11:44] or is it how you do it, how you do it at such scale?
[00:11:47] I think it's the scale at which we do it.
[00:11:50] You know, there's a lot of companies out there that'll take data in and normalize it.
[00:11:53] I was on a call with one of our partners just earlier today.
[00:11:57] He said the biggest struggle his customers have is that they bought all of these different tools.
[00:12:02] They've gone to posture management.
[00:12:04] They brought in the SIEM, the SOAR, the hyperautomation.
[00:12:07] They brought in all of these tools, but all they're doing is correlating bad data.
[00:12:11] So when you look at public sources, many times they don't have citations.
[00:12:15] They're not doing things what we're doing, which is like tying things back to MITRE ATT&CK techniques.
[00:12:19] So not only do you know what a CVE is, how it's being exploited,
[00:12:22] but you also know the techniques that your attackers are using to attack you.
[00:12:26] And then we provide you with all of the detection artifacts to defend against those things.
[00:12:30] So we're really providing this fully well-rounded approach to
[00:12:35] we'll give you all of the information at large scale.
[00:12:38] There's nobody out there that's collecting and updating 270 million unique data points every hour.
[00:12:44] It just doesn't exist.
[00:12:45] So I think it's scale normalization and just making it very simple for users to consume.
[00:12:50] And Jay, what are your big goals for the Go-To-Market team for 2024?
[00:12:55] I think I'll probably say something that a lot of sales leaders feel and Go-To-Market leaders feel.
[00:13:00] We want to grow, but not grow at all costs.
[00:13:03] We're doing pretty well in terms of our revenue goals for the year.
[00:13:07] We had just finished up a 200% revenue goal quarter.
[00:13:10] We're looking pretty good to do something very similar,
[00:13:13] and we're doing it with a 21 person team.
[00:13:15] My idea would be that if I could do this with the minimum amount of salespeople,
[00:13:19] I think everybody's happy.
[00:13:21] That means we've got happy customers.
[00:13:23] Most people are making money, but we can stay very efficient while we grow.
[00:13:26] That would be the goal.
[00:13:28] And then what every go-to-market leader wants, well, we're on a podcast for a reason.
[00:13:32] I'd love to win the Innovation Sandbox.
[00:13:34] I think that would be a banner accomplishment for us and the team.
[00:13:38] Some of us have participated in Innovation Sandbox challenges before,
[00:13:42] been down selected into the top 10.
[00:13:44] Others have not.
[00:13:45] This is my first time at a company that's been selected and is running in the top 10.
[00:13:49] So really excited about that.
[00:13:51] I think that paired with revenue goals for the year,
[00:13:54] it was a pretty successful year for us here at VulnCheck.
[00:13:57] And then let's talk about the week of the RSA conference,
[00:14:00] except for wild overexuberant celebration for winning the Sandbox.
[00:14:04] What else do you have planned for that week?
[00:14:07] Well, a few things.
[00:14:09] We have some new partnerships that we're announcing coming up in the RSA.
[00:14:12] We're going to be doing some co-sponsored happy hours with those folks
[00:14:15] while we make the announcement.
[00:14:17] More on that to come with the press release.
[00:14:19] We also are opening up some new markets.
[00:14:22] We're doing some business in the UK and Europe.
[00:14:25] Our next frontier is Australia.
[00:14:27] So we'll be with some folks that we can help open the market with in Australia
[00:14:30] while we're out, as well as some of our partners that we have in the UK now.
[00:14:34] As a small team, we want to make sure that we make bets that we know we can win.
[00:14:38] And so we've got some really exciting partnerships that I think we're going to be able to take advantage of that week.
[00:14:42] In addition to that, RSA for me and most of the folks that I know
[00:14:46] always feels like a family reunion.
[00:14:48] You're getting back together with people that you haven't seen maybe since the last RSA
[00:14:51] or since Black Hat.
[00:14:53] You get to catch up with people that have left old companies and joined new ones.
[00:14:56] You get to hear about all the new exciting startups that are taking place.
[00:14:59] Maybe it's their first RSA or maybe it's their fifth RSA
[00:15:02] and they finally caught lightning in a bottle or having a banner year.
[00:15:05] So to me, that's the best part about RSA.
[00:15:08] You get to go see folks that you haven't seen in a while learn about new innovative technology.
[00:15:11] And this year, it's just the cherry on top that we get to participate in all the fun with RSA Sandbox.
[00:15:16] That's fantastic.
[00:15:17] And Jay, I'll put your LinkedIn profile link in the show notes.
[00:15:21] Is that the best way to get ahold of you or do you want to give some other way?
[00:15:25] Yeah, best way to get ahold of me is probably on LinkedIn.
[00:15:28] You can also always reach out to me by email.
[00:15:31] It's Jay, the letter J, Wallace at vulncheck.com.
[00:15:35] I'll stop short of giving out my cell phone number for all you BDRs out there listening to this podcast.
[00:15:40] But you know, reach me through the other channels if you can.
[00:15:43] That's awesome.
[00:15:44] Jay, listen, all the best for RSA.
[00:15:46] Good luck in the final round of selection for the Sandbox.
[00:15:50] I wish you and the team a lot of success for that and for 2024 and beyond.
[00:15:53] Thanks.
[00:15:54] It's on Andrew.
[00:15:55] Really appreciate it.
[00:15:56] Thanks for having me back on and I hope to see you at the conference.
[00:15:58] Will do.
[00:15:59] I'll see you there.
[00:16:21] Thank you.
[00:16:51] It will last in 30 seconds to do and it will mean the world to me.
[00:16:54] So thank you.

