
A Conversation with Abhishek Agrawal from Material Security

Jun 07, 2024, 54 min

Episode description

In this conversation, I speak with Abhishek Agrawal, co-founder and CEO of Material Security.

We talk about:

- Material Security's innovative approach to email security: not just preventing unauthorized access, but also containing the damage from a breach that does happen.

- Abhishek's background in data infrastructure at Dropbox and how product managers can become successful CEOs due to their cross-functional expertise.

- The need for customized security measures for different organizations, the role of AI in detecting email threats, the importance of single-tenant environments for sensitive customers, and the potential risk of default settings in productivity suites like Google Workspace.

Among other topics. 

Abhishek's Background and Material Security (00:00:00)
Email Security and Productivity Suite (00:01:01)
Geographical Connection and Coffee Meetup (00:02:06)
Product Managers as CEOs and Co-founders (00:02:59)
Empowering Product Managers (00:05:01)
Product Management and Marketing Importance (00:08:04)
Email as a Content Repository (00:09:39)
Securing Email Content (00:11:03)
Data Protection for Email (00:12:10)
Redacting and Canaries (00:12:57)
Email Security vs. Data Security (00:14:53)
Abuse Cases and Control Layers (00:17:32)
Mailbox Compromise and Lateral Movement (00:17:39)
Threat Scenario Analysis (00:20:15)
Language Models for Detection (00:22:19)
Optimism in AI Tools for Defense (00:24:34)
Customized Detection Categories (00:25:52)
Security Controls Trend (00:26:20)
Security Concerns for Law Firms (00:27:07)
Email Copy Distribution (00:27:24)
API-Based Integration (00:29:08)
Monitoring LLM Functionality (00:30:42)
Threat Intelligence and Detection (00:32:54)
Product Design Philosophy (00:35:56)
Data Protection (00:38:01)
Flexibility in Deployment (00:39:26)
Main Products (00:40:33)
Posture Management (00:44:01)
Broadening Product Coverage (00:48:49)
Google Workspace Threat Detection (00:50:05)
Challenges with CSP (00:51:13)
Contextual Intelligence (00:52:02)
Balancing Depth and Breadth (00:53:15)
Learning about Material (00:53:40)

Become a Member: https://danielmiessler.com/upgrade


Transcript

S1

All right, Abhishek, welcome to Unsupervised Learning.

S2

Yeah, thanks for having me. Excited to be here.

S1

Yeah. Awesome. So, uh, you are Abhishek Agrawal, co-founder and CEO at Material Security. Is that correct?

S2

That's right.

S1

Awesome. Well, tell me about your background and, uh, the product and just, uh, get us started here.

S2

Yeah, sure. Happy to. Um, yeah. So I'm Abhishek, um, one of the co-founders of Material. Um, before this company, I was an early PM at Dropbox, uh, where I spent time on the data infrastructure side and the cert side, um, when the company was fairly early. So around 250 people. I was, uh, an early PM there, like I said. And then before that, uh, got my start at Microsoft, at Microsoft Research on the engineering side. So my background before this company was actually more in like the productivity and sort of large data sets side and data infrastructure. Um, with this company obviously kind of first foray into security, although at Dropbox, the security team would use our data infrastructure quite a bit. So I had

some interaction with them. Um, and yeah, Material. You know, we started a while ago, we're kind of in the email security space, uh, where we're now broadening a little bit more to the productivity suite more broadly, more generally. But, uh, the kind of key insight that led to the company, which actually got started after the 2016 election cycle, where there were a couple high profile email attacks. Uh, the key insight was everybody's really obsessed with trying to stop

someone from getting into email. But but we had this idea which was like, if someone does get into an email account, there's all these downstream things that they can do. What if we could contain that blast radius? Uh, so that was the original insight that led to the company and a lot of what we still do today. And then we also do a kind of more of the traditional email security of trying to, you know, stop attacks that that are still bypassing, um, uh, sort of gateways and, and the like.

S1

Yeah. Interesting. The front page says, uh, secure email from every angle, which is pretty interesting. I thought that was a good tagline.

S3

Thank you.

S1

Yeah. So I looked at your background as well. So I'm surprised we haven't run into each other more. Uh, you're also in the Bay area as well?

S2

I am, yeah. So I moved out here for Dropbox and then, uh, has been kind of bouncing around the Bay area, uh, for the last decade now, so. Yeah.

S1

Nice. Yeah. We should get coffee at some point. Let's do it for sure. I'm just in Newark, so.

S2

Oh. No way. Okay, I'm really close to you. I'm in Walnut Creek, so, uh. Oh. Nice. Not not not just in the Bay area, but nearby. Yeah.

S1

Awesome. Yeah. So, uh, why do product managers make such good CEOs and co-founders? Because I know you started in engineering, but you did a decent amount of time as a product manager. Yeah. What do you think they're so good at? Like, starting and building and pushing products.

S2

Yeah. It's a great question. Um. First of all. I mean, I think that like, you know, I'm a big believer there's like multiple paths to God. So like, you know, there is no kind of one template, like a lot of different profiles, uh, folks, uh, can start companies and make great, uh, founders or CEOs. I think the reason you see product managers kind of maybe overrepresented there is that by definition, product management is kind of a, um,

generalist function. You know, like you're at this intersection of engineering, uh, design business. Uh, that's kind of your job as a product manager. And so if you take that kind of elevate that, like, that's kind of what you're doing as a founder, you know, you're like thinking about what to build. You're thinking about how you're going to sell it, take it to market. You're thinking about, um, how it's going to work, but also how you're going to message it.

And so a lot of these kind of activities are what PMs are doing inside companies for their products. You're kind of doing that for your whole company as a founder when you're, uh, CEO or founder. So I think that's maybe why PMs are attracted to it. Um, in my case personally, you know, I just kind of when I was an engineer, I would really be kind of missing having an input into what the product should be and how it should work and who the customer

should be. Then when I became a PM, I was really missing, like writing code. So I was kind of like, never really happy in one role or the other. Uh, and that also makes for a great trait for founders that are just kind of not satisfied with being in any one specific role. They just kind of want to like, uh, be a little bit of jack of all trades. Uh, so yeah, I think that's why. But I'm not sure.

S1

Yeah, I think that sounds right. I mean, I actually think with all this AI stuff happening, a lot of product managers are going to be like, you know what, screw this. And they're just going to break off and like build their own companies. Yeah. And have a little bit of dev support. But even be able to do like MVP's themselves if they're technical. Yeah. And then be able to do a lot of the marketing themselves, a lot of the user stories and like. It's like a one person company, essentially.

S2

Yeah, I think that's actually one of the most exciting things about all of this stuff. And I know several folks have kind of written about this, but the whole like, when will we see the first, like, you know, billion dollar company that's just got one employee? That's a very,

very intriguing idea. And I think that is you're totally right. Um, that and again, I don't think it has to be just product managers like anyone that can kind of like complement whatever skill set they have with, with a lot of that other stuff is going to be in a position to really get pretty far with, without, maybe not with literally just one person, but with a pretty small team. Um.

S1

Yeah. And I think it goes back to what you said, which is, uh, being able to link these different things. It's like it's almost like the opposite of Google. And I know some people at Google, so I don't want to be too mean here. But like Google in general is almost like engineering focused. Where as opposed to product or problem focused. Hmm. Yeah. And so they they have all this tech that they build, they come out with the attention is all you need paper. Yeah, yeah. And

people just throw random things at the wall. And there's not a product management led thing of like, problem solution, really good marketing that makes it clear and then make and then also product management making it easy to use.

S2

Totally.

S1

It's like so hard to use like Google stuff like, um, Google AI Studio compared to Claude or one of these other products. It's like impenetrable.

S2

Yeah. Um, no, I agree, I, you know, my favorite kind of recent example of this is that they, they launched a thing recently for Google Drive in the workspace setting, where they will use an LLM to auto classify sensitive content in your drive, which is pretty cool. Uh, to like auto label it. Um, but but the way you have to set it up is like, you literally have to go as a workspace admin and like basically train

a model yourself. And I was like, oh my God. Like, you know, like most of these security folks or IT admins we talk to, like, they're not going to have time to go do that and like back test it and make sure the precision and stuff is good. Like, you know, you would expect that to be more kind of one, one, one click. But yeah, I think um, I think the other thing is that we talk a

lot about product management in the Valley. But for me personally, and I've talked about this before, uh, on another podcast, like, especially as a founder early on, I think learning about product marketing is very, very important because, yes, because half of what you were just saying is, um, it is part of a product managers kind of responsibility, but it's honestly it's product marketing. It's like, well, like, what is this going to thing going to be like, what features

is it going to have? Uh, how are they going to compare to alternatives, like how are we even going to describe them? Like, you know, are they going to be bundled this way or that way? These are critical decisions you're making at the beginning of a company, or even inside a large org, that have such a big impact. And I think people often are thinking about them as an afterthought. I know I certainly was guilty of this, like when I was at Dropbox. Like product marketing would often be like, you've built the whole product, and now someone needs to write the launch blog post, and that's where product marketing comes in. But honestly, like, I think the right way to do it is invest in product marketing way earlier. Like make your website landing page first and figure out, force yourself to understand how you're going to describe it, you know, before writing a line of code.

S1

I think you're exactly right. I think this is the whole thing is like. Have the story, the problem be like in the very front. The problem is everything. Yeah. Then you have the story and the wrapper around it. Then you have your landing page, and then it's kind of like the Amazon flow, which I used a lot at Apple as well. You you ship the PR, you release the PR and it's like, here's what the website looks like. Here's what the marketing looks like. How excited

are we about this? Yes. And if you pass this around the table for this senior meeting and people aren't excited. Yeah. What are you doing?

S2

What is it all for? Yeah. What's the point?

S1

Yeah, yeah, yeah. And if you are no.

S2

Worse feeling than being in like, a company where you've built the product, you've invested all this time engineering, and then you're realizing that there's no worse feeling than that because you're just like, oh God, what have we just do, you know? So yeah, the more you can do it up front, the better.

S1

Yeah, definitely. So. So what do you, uh, there, yourself or the company in general, believe about email security that other people don't?

S2

Yeah. Um, this is something that, you know, we have been kind of saying from the hilltops for a while, but. The fundamental idea that led to this company was email is seen in the security context as a really, really good way to deliver an attack to you, right? Like, you know, we are all familiar with sort of malware and, uh, phishing and like BEC and that's true. Like it is an open protocol. Anybody on the internet can send anybody else an email. That's part of what makes it great.

But in a security context, that's what makes it really terrible. And there's been just years and years and years of focus on email as a way to deliver an attack. What's happened, though, at the same time, especially over the last decade, is we all got like cloud email. And that meant that we basically got infinite storage and we started hoarding all of our email. And that means that

it becomes this, like representation of your entire life. Uh, on the personal front, it's like literally like everything in your life, like whether it's like your finances, taxes, your kids stuff, your house mortgage, it ends up in your email, in the corporate setting, obviously, it's like all of the company's IP, like the system of record. Right. And so what that does is it makes it a really big target as well. So it's not just the delivery method

of a bad attack. It's actually the thing that someone wants to steal now because it has all this content inside it. Interesting. The thing that we believe about email security that no one else does is that blocking phishing and stuff is important. Uh, it really is, because it's still a really great entry point. But you also have to think about email as a content repository that needs to be secured, the same way that security has been

securing other content repositories for a long time. Uh, so a lot of what we do at Material tries to block inbound emails that are bad, but it also tries to go, you know, have a plan. If someone does get into a mail account and, you know, today, like they would be able to steal all the content inside it or they would be able to go like reset my Dropbox password and take over Dropbox. We try to mitigate those things and limit the blast radius of a

bad of a, of a of a breach. Basically, if someone does get into an account, how can we stop them from not doing as much harm as they would normally have done? That's a thing where complementing traditional email security with.

S1

No, that's interesting. And what are the detection mechanisms for that? So let's say someone has a credential. Yeah. Um like what? How are you detecting if you move around, you do something dangerous inside the account.

S2

Yeah. So the first thing I'd say is, like, it actually doesn't have to be about detection at all. So let me give you an example. So let's say like we take a, the uh, the analogy of a car. So a seatbelt is something you just put on when you drive a car. It doesn't like detect the accident and like go into like motion right before the accident is going to happen. Like it's just there. It does

its job. Yeah. Um, so similarly, you know, we're not necessarily detecting the presence of an attacker and then trying to respond. We're just saying there are certain controls you should just have all the time. So for example, um, if you, uh, one of our products is called, uh, data protection for email. And what it does is it goes through your archive and via APIs, it looks for anything that it thinks is really sensitive, like really juicy

stuff that's in your archives. And if it's like older than some specified period of time, let's say a year or six months, it can actually redact it inside your mailbox and make you do a side channel challenge, like an MFA or a, you know, Touch ID or an Okta push or whatever before you can get it back in your mailbox. And, um, that's like a simple control that is not, it's not going into place when we

detect an attacker. It's just there all the time. Because, you know, in the same way that, uh, for other content repos, you wouldn't want it to be the case that if I get in once, I just get everything. You would want to have additional checks. We're just trying to do that for email as well. Now, what's cool about that, though, is that it opens up detection capabilities, because now let's say someone was in my account and they're going to try to like retrieve these messages that

have been redacted. Well, yeah. If they like try and they keep failing requests. Now it acts as a canary and it tells us, okay, there might be someone in this mailbox, um, which is actually, you know, funny story. Like, recently there was this big attack, uh, by the Chinese called Storm. Uh, uh, it was a Storm eight breach. It's a group that attacked the Department of Justice and the State Department and a couple other, uh, federal agencies,

and they basically were after email correspondence. That's why they did it. They went after the content of these mailboxes. And one of the agencies that actually discovered this attack the way they did that is because they were looking at a log of every time an email message inside a mailbox is accessed. It's a very verbose log. Um, most people don't use it or don't, uh, operationalize it, but they were. And it's how they figured out, oh, man.

Like someone is reading all these emails from like, three years ago, and they're doing it at a very high volume versus what the normal usage of the mailbox is. So you do want canaries that can tell you about. The attacker. But more importantly, you want to just like limit what the attacker can do in the first place because it's not just all about detection.

S1

Yeah, I love that because that that kind of takes the realm away from like an email security. Yeah. Vibe, which is very, I don't know, 20 years ago or whatever and moves it into more of like a data security or like an app security.

S2

That's right. That's exactly right. And, and, um, this is one of those situations where like, like the terminology is actually hurting us as an industry because it's like, okay, so email security means what you just said, right? For 20 years it's blocked bad emails.

S1

Yeah. SMTP related settings, whatever. Yeah.

S2

Or like I'm going to send you like the, you know, like, uh, Sasser worm over email like 20 years ago, but like, uh, or more than 20 years ago. Man, it's been a while. Um, yeah. But, uh, but I think then what do you call the thing that tries to go protect the sensitive content in your email? I mean, technically, it's security for your email messages. So is it email security? I mean, maybe, but like, yeah, to your point, it's more like data security or app security. Um,

you know, it gets even more like, uh, tricky, like. So, for example, I mentioned that I was at Dropbox before

this company. One of the biggest ways we would see Dropbox accounts get hacked is an email account would get hacked, and then the adversary would just reset a password to Dropbox because, um, back then and I think this is still the case, like, even if you had MFA on your Dropbox account, if you requested a password reset email, Dropbox would let you reset the password without triggering MFA because it assumed that if you had lost your first factor,

you would have also lost your second factor. Um, but that means, like if I get access to an email account now, all of a sudden every service that is connected to that email account, I can just move it to, um, this happened, you know, with like, uh, McDonald's. They had their Twitter account taken over because someone broke into, like a marketing person's email account and then reset the Twitter password and they could just post anything they wanted as McDonald's.

So you kind of see this thing where, like, email is really more than just a bad way to deliver something, uh, or, sorry, a way to deliver something bad. It is like all of these other things open up from an email account if you, if you, um, if you get it access once.

S1

Yeah. I love this idea. It's it's almost like you can make a total list of all the bad things that can happen around email. Yeah. And then not even think about email security. Not even think about any type of security. Just make a list of, like, abuse cases. Yeah, yeah. And then be like, okay, so where are the different layers of control that we could put on this. Is this a. And then you could assign the labels afterwards and be like this is kind of a data security thing.

We kind of think of this as appsec or whatever. Yeah. And then just be like, look there's like 13 of these and they're really important. I mean, what are some of the other ones that are kind of like a more traditional appsec type control that, that you.

S2

Um, I think there's so, you know, there's going after data, uh, then there's using lateral movement, uh, like I said, with the password reset type of stuff. So trying to figure out where else I can get from this. So is a vector for further attack. Um, the other kind of thing that is very common is if I'm in control of a mailbox now, I can send email from it, obviously, and like impersonate the person who I've just taken over.

So this is one of the most common ways that like, uh, business email compromise happens where, uh, let's say you're a big company, you have a vendor that sends you invoices every month. Someone takes over the vendor's account, uh, sends an email from the vendor that's like, hey, we need to change the payment terms of our invoice. And you're like, okay, cool. It's coming from the valid email. And now all of a sudden, you've wired money to the wrong place, right? So, uh,

that's another abuse case of taking over a mailbox. Um, and but but honestly, there aren't that many. And this is kind of like, I, I like your point of, like, making that list. Uh, when we started this company, me and my, one of my co-founders. Big. We're big into analogies. So I'll give you another analogy, right? Like, okay, if you're thinking about, like, protecting your house and you have to make a list of every single way I could break into your house, like, how do I get in? Yep.

And so that's one list. And now you make another list of, like, every single thing. I would actually want a value in your house that you really care about. Yes. Like which list is shorter? I would argue that second list is way shorter, right? It's like okay, like there's a few things that like are your crown jewels, uh,

and you want to protect. So if you take that same idea to email security, if you think about every single way an email account can be compromised, it is like a long list, like I can I can do a malicious OAuth application, I can bypass MFA. Maybe I get a malicious browser extension, I might steal a personal device like client side malware list goes on. And I mean, in the case of like some of these state actor attacks, it's like literally zero days or, you know, a forged

token at the Microsoft level. There's like just a long, long list. But then what do I actually want? Once I get into an email account, it's like 2 or 3 things like, you know, I want the data that's inside the. Mailbox already. I want to move laterally to some other services. I want to send outbound email to a specific people. So it's just a much, much shorter list.

And to your point, you can kind of iterate through each of those abuse cases and say, what controls can I put into place and actually really take a solid dent on, like the harm that you can do from a compromised mailbox? Um, so I like that way of thinking a lot.

S1

Yeah. Yeah, I think it's really interesting. I love that you're thinking in less the same way. I, I very much think that way. I think of a risk register that way. I think of threat scenarios, uh, attack scenarios like defenses. And you kind of just match them up. Yeah. Um, I hate to say the a word, but, um, one one thing, uh, that I think about a lot is, is like, okay, if one of those things is convincing somebody to do something. Yes. Like, hey, it's time to go, uh,

go send this money. I need it urgently. Yeah. You can ask, uh, an LLM or AI or whatever. Like is is someone applying pressure of urgency here? Yes. Yes. Um, and is that sense of urgency tied to a thing that matters a lot, like sending money? Yes.

S3

Right. Yeah.

S1

So you could just build this, you know, very large list of like, all the different bad things. And like you said, it's, um, there could be API keys, there could be, um, uh, one of the big things a lot of foreign actors do, as you know, more than me, is like, go after sources and look for, like, with

reporters and stuff like that. Yes. So if you just had this giant grid of like all these different situations and be like, oh, this one, we could do LLM to detect that this one is just a setting inside the platform to do that one. Yes. I love that comprehensive approach.

S2

100% agree with you. Um, and in fact, the thing that you just pointed out, we literally use LLMs for on the detection side because.

S3

Sometimes.

S2

Because sometimes, um, you know, to be honest, like a lot of the kind of NLU stuff of like detecting things like urgency and stuff like that, that's been around for a while, but then like there's and it didn't require LLMs, you know, you can train like a traditional machine learning model. But what is cool about LLMs is that the speed of iteration is very fast. So like you can very quickly put things in. You don't have to worry about things like, you know, multi-language support because that's handled by the LLM. And then also where it really becomes handy is for things that are even more complicated. So, you know, I'll give you an example, like if I'm a company and I'm trying to protect sensitive email, some of it is going to be kind of like the classic like Social Security numbers, credit card numbers, whatever. But some of it is going to be like, is there a negotiation happening in this email thread?

S3

Yes.

S2

It's like, how the hell do you, how do you like write a detection for that? You know, like you write, it's really hard. Uh, or like, oh, it's like is an executive abusing power in this email thread, uh, where like if it leaked like it would like, have a reputational damage. Um, that's the kind of stuff that is very difficult or like, you know, you see, kind of like examples of, like extortion or like blackmail. Um, so for those types of things, LLMs are fantastic detection

tools because, I mean, their job is to understand language literally. Right? So like, they're very, very good at that. Um, I think a lot of the email security discussion with LLMs has actually been pretty like pessimistic because people's heads immediately go to, oh my God, like, this thing can generate text, which means it can generate phishing emails. And so like now all of a sudden any bad guy can write emails and like send them. And, you know, there

is an element of truth to that for sure. Because like, you can kind of scale up any kind of like phishing, um, uh, campaign just by like, you know, doing research via the LLMs and having it customized. So 100% it's a valid fear. But my kind of answer to that has always been like, well, shouldn't your good security controls be sort of, um, agnostic to how an attack is generated? Like, who cares if it's like a person writing the email themselves after hours of research, or they

just automated it with like an LLM? At the end of the day, if you have a good control in place, like it shouldn't matter. And so, and by the way, like a lot of these AI tools like LLMs are fantastic on the defensive side too. So I would personally like to see a little bit more optimism there. Uh, because like so far, a lot of the fear mongering around LLMs has been, oh God, they're going to write ten more phishing emails. And it's like, yes, but like

your control should work anyway. Good ones at least. And secondly, you can also use them on the defensive side. So there's there's a lot to be optimistic about.

S1

Yeah I love that. The way I've been framing that is um. Uh, Red is going to have like this massive advantage in the beginning because they could just like they don't have to experiment and be careful. Yeah. They could just like so the spear phishing like, starts the day after an LLM comes out. Yes.

S2

Yeah. Exactly.

S3

Yeah.

S1

But um, blue should actually get better with those same AI tools.

S3

Yeah.

S1

So ideally it would be something like oh we have a, we have a C-team member who is like just so ego driven. And if you compliment them in any way and like say, hey, I want you to lead this new foundation or something like they're going to click that email.

S3

Yeah.

S1

So you flagged that or something.

S3

Yeah.

S1

This goes back to what I think so cool about.

S3

That would be funny.

S2

It's like this email is complimenting you. You don't ever get compliments. This especially.

S3

Right.

S1

That's right. And you click on 94 of them 94% of them when you do get to compliment. So this is dangerous. Um, yeah. Yeah. So it's like. The other thing that's really powerful about this is, um, you can have additional context customized for your particular company. Yeah. So it's like, um, we're doing this thing with France or something. It's really sensitive. Yes. And, uh, so anything around that is, you know, notch that up two levels.

S3

Totally.

S2

Totally. Yeah, yeah. And so, yeah, we've been talking about kind of like suspicious or malicious emails, but LLMs, like I think you just alluded to, are also very helpful for the sensitive emails because like yes. Yeah. To your point, like maybe today you want to say something like anything about this project or we're about to, we're prepping to go to IPO. Uh, not Material, but as a hypothetical.

S3

Right. Exactly.

S2

Like it's like, uh. How any conversation around like IPO prep is pretty sensitive. Like, but how do you how do you declare that as a general sensitive content category, it's pretty hard without something like an LLM. So leveraging them for those custom detection categories or context specific detection categories is very exciting. Um, and I and I think that that is the way the, the sort of like, uh, security controls are headed.

S1

Yeah, absolutely. The other use case I thought about for a long time about that is like, um, legal companies were being attacked.

S3

Um, law.

S1

Firms. Yeah. And they have very little IT staff, very little security knowledge. Yes. And what they have is this list of connections, people interacting with different people. Yeah. Uh, suing different people. And it's like, that's the mapping that that attacker might want to use.

S3

Yes. Yeah.

S2

Totally. Well, and that's another I mean, that brings up one other point about email that is hard, is that the way email works is when when a message is sent to multiple people, uh, everyone gets a copy, obviously. Right. So there's no like pointer relationship with email. Like you each get a copy, which means that one of the downsides is that is like you could be doing a great job with your own email security and like, you could have minimized the impact of a compromised account or whatever.

But then like the person who was CC'd, like, you know, they might have terrible, you know, when we started the company, like I mentioned, it was after the 2016 election cycle, and one of the attacks that happened then was John Podesta, who was Hillary's campaign chairman. He had his personal Gmail account compromised, and all of his emails were put on WikiLeaks, like literally like years and years of his personal Gmail. And there were things in

there that he was just seized on. He had literally no reason to even be on the message. He was just CC. And because of that, all this communication that was about like the election or about like prepping for something that like, frankly, he just was being an FYI on. Yeah. You know, um, so I think the, the fact that

everybody gets a copy is hard. And what that means is you kind of have to think about who you're like trusted parties are that are outside of your control and make sure they have good practices, you know, which which becomes a it's kind of like, uh, similar to

a supply chain security problem, right? Where you're like on the software side, you're thinking about all the dependencies your software has on the kind of email side, you might have to think about all the different, um, associates of your company that have, you know, your email as well.

S1

Yeah. Or like, uh, PCI, where the scope is contagious. Yeah. It slightly brushes up against it, and now that's in scope. It's like, yeah, yeah, yeah. Interesting. Um, so what does it look like to basically onboard the tech? Like, what does the integration look like? What's the experience like? How fast can somebody get up and running?

S2

Yeah. So it's incredibly fast. And the reason for that is everything we do works with cloud mailboxes, which have APIs. So our whole integration point is API based. It's just an OAuth grant where we are getting access to email via API. Uh, which is a big difference from, you know, legacy email security products that some folks might...

S3

Be away or something. Yeah.

S2

Where you're changing your DNS and routing email through the appliance. You're not doing any of that. Um, as a result, the integration is very quick. But it also means that you don't take some dependency on this API-based thing going down and, you know, shutting off your email. Like, for example, if Material were to go down, it's not like email stops flowing. You're still doing email as usual. Of course, some of the detections Material does or some of the mitigations it does would not be active. But we're not in your email flow. Um, so it's pretty quick. The other benefit of APIs is you can be very selective in how you deploy the protection inside your company. So for example, with gateways, it's kind of an all-or-nothing. You do a cutover. Um, but with API-based email security products, you can say, hey, for my executives do X, but for my other team Y. You know, you can have different settings, different configurations or policies. So that is something that a lot of our customers also take advantage of.

S1

Yeah, that's really cool. And what does it look like to know that it's working? Like, what does the interface look like? Um, if there's nothing wrong, do you just not see it? And then does it sort of move up the level in priority if it sees something?

S3

Yeah.

S2

Well, we have a few different products. So depending on the product we're talking about, what you would see is slightly different. So one of our products that we've been talking about a little bit so far is, uh, we go and redact sensitive messages that are older than some specified time frame. And then an end user has to pass an Okta challenge or some sort of secondary challenge. Uh, it can be really any IdP or so. If they pass that, then we restore the message right back into the mailbox. It's really seamless. And then after some amount of time, once the user is kind of done with it, we will redact it again. So for that product, what you see as an IT or security admin is really not much on a day-to-day basis, because it's just in the background doing its thing. Uh, you do get an access request log. So every time someone is accessing one of these sensitive messages and having to do the retrieval, now there's a paper trail of that. Obviously you could pipe that into a SIEM or something and say, okay, if I'm seeing a lot of these from someone at the same time, that's indicative of something bad. Or if I'm getting a lot of denials in a row, obviously that ends up being something bad. But really there's nothing to detect or show on a daily basis, because people are just doing a self-serve, secure workflow for accessing sensitive content.

Um, on the other hand, we do have a product that is much more in the traditional vein, where we look for sophisticated attacks that bypass Google or Microsoft or Proofpoint or whatever. Um, and there you have, you know, an incidents or cases list where you're seeing what Material actually detected. Some companies set us up where we're just auto-remediating those. And again, you don't really have to log into the console. There's nothing to see. We're just handling them. Other teams are much more hands-on, where they might auto-remediate, but then they still want to triage the things that we actually caught, make sure they're not false positives, um, communicate to end users about it, have their SOC watch it. That really depends on how hands-on a company wants to be. But that's what they would see in the console.

S1

Okay, cool. And then what does, um, the threat intelligence story look like, in terms of, hey, there's this new campaign happening, this new vulnerability or whatever? Yeah. And it's being blasted all over the internet. Yeah. Like, what does that turnaround gap look like for you, in terms of, uh, finding out about it and getting it into the product and rolling it out?

S2

Yeah, it's a great question. Um, yeah. So email is super dynamic. There are always new kinds of campaigns, and people are, uh, you know, trying out new tactics to bypass a lot of the traditional defenses. So one of the more recent things is QR codes, right? For a while, a lot of detection engines weren't exploding QR codes or following the links. So that meant that QR codes were a really great way to deliver attacks. Um, we have a couple of different mechanisms. So first of all, one of the things our product does is it also ingests any user reporting that is happening inside a company. So one of the best practices that every security team tries to implement is they say, hey, uh, if you see something, say something, right? And with email security, what that normally looks like in most companies is, hey, we have this phishing mailing list, or we have a report-phishing button or something, so please report it to us if you see something. So we have a product that automates the response to those user reports. It ingests them, it auto-classifies and triages them, uh, looks for similar messages that the user may not have reported, and then even responds back to the user saying, hey, thanks for this report. Uh, it was fine. Or actually, that was a true positive, that was bad. Anyway, that ends up being a great signal, because across all customers, if there are users that are reporting things that we then know are actually malicious, we think of that as, oh, well, why didn't Material just flag that in the first place? And so it becomes this feedback loop. Um, so the more customers we have, the more signal we have from users reporting things, and we can quickly build it back into the product.

The other thing is we do have an in-house threat research team. You know, their whole job is focused on looking for these active campaigns that are happening, looking for what some of our more sophisticated customers are telling us that they're seeing, and then quickly iterating on our detection engine to handle them. And then the sort of last piece of this is, um, just investing in a system that has a lot of flexibility. So in email security there's kind of this interesting, not really a debate, but this interesting trend emerging where there are a couple of different approaches to the email security problem. On the one hand, there's the black box approach, which is like, hey, AI, machine learning, we're going to try to detect what we can, and there aren't really knobs and tuning and all that, but this model is going to be way better than trying to handwrite a lot of rules. Which makes sense, because a lot of times you have never-before-seen attacks, or you have things where there's no signature that you can rely on. And also, no one wants to maintain this big list of rules and things like that. So that's kind of one extreme. The other extreme is, uh, you know, you're seeing the detection-as-code philosophy coming to email security as well. And people are like, hey, we have this list of detections we maintain, we're going to back-test them, we're going to make sure they have a good precision rate. Um, and it gives a lot of control, but it means you're doing a lot yourself. You're hand-tuning a lot of things. And there are products that help you and make that easier, products that help you maintain that. You know, we have customers that maintain GitHub repositories of detections they've written, but it is very manual.

And then there's kind of somewhere in the middle, where you're like, hey, I don't want to be full black box, because there are going to be things that you miss. And in those moments you don't want to be like, oh, I guess I'll just wait for the black box to update and catch this. But on the other hand, you really don't want to live in a world where most of your time as a security team is spent on tuning or creating these detections. Um, and so what we're trying to do is, out of the box, it's going to be perfectly fine, have a lot of coverage, pretty high precision, but then still give you tools in the product where, if you notice something, if you're aware of an active campaign that we're not, you can quickly express a detection in our product, or express a rule or a search query that will say, hey, please treat this as malicious. Like, I know your whole product hasn't updated yet, but I know this is bad, I just want to express it in your platform. I should be able to. Um, so it's kind of a product design philosophy, right? Which is, have the kind of flexibility so that when you need it, it's available. But treat that as almost an anti-metric. Like, if people are having to leverage that flexibility a lot, it means you're kind of doing something wrong, right? Like you really should have done it out of the box.

S3

I absolutely.

S1

Love that. I don't know if, um, you ever watched Star Trek: The Next Generation, but I was obsessed with the fact that the first time they hit a Borg with a phaser, it would fall over dead. And by the third time, the entire Borg across the entire universe was updated, and that frequency would not work anymore. And I was just like, yeah, that is, you know, I mean, security, maybe.

S3

Yeah.

S2

I've never thought about it that way, but so true.

S3

Yeah, yeah.

S1

So that signal that they create would obviously apply to their local environment. But is that also a signal to the, uh, the T team to be like, hey, maybe we should put this in?

S2

Yes, absolutely. And, um, one thing that we are very conscious of is, obviously, we're getting access to a company's email. It's very, very sensitive. So the whole Material deployment and architecture model is that every single customer has a single-tenant environment that is actually in their control. So they don't just get access to our admin console like other SaaS; they actually can log in to the underlying infrastructure that is hosting our application, because it's all single tenant. And so we get to make some pretty cool guarantees, like of isolation, and making sure that there's no data sharing happening and that data isn't leaving that instance unless it's permitted by a customer. Having said that, though, a lot of our customers are okay with a threat research team extracting the signal of, okay, what custom detections did you make, or what did your users report? So where we have permission, which tends to be in most cases, we are able to look for those signals. But I do want to point out that there are some customers who are like, nope, sorry. This is too sensitive. We don't want your team or anyone at Material to have any access to what we're doing. You can configure and deploy us that way as well. And, you know, you can probably guess the types of organizations that want to deploy us in that model.

S1

No, that's a great point. And it goes to your earlier point about flexibility. It's like, you could be that three-letter-agency type group that's all closed doors. Or it could be like, yeah, sharing with the Borg or whatever.

S3

Yeah.

S2

Yeah. Exactly. And, you know, the nice thing here is, obviously, for these attacks and stuff, for the most part, even just getting anonymized data, in terms of, like, it doesn't really matter which tenant or which customer it's targeting. It's just the fact that it got missed. It's something you can tweak, so you kind of don't have to reveal anything to other customers by participating in this. But having said that, yeah, some companies are just a lot more closed and a lot more strict, and that's okay. Uh, we also have the other extreme, where there are companies that are like, dude, I just want to use this as SaaS. I don't care about the infrastructure. I don't have teams that want to log into that, and I'm busy. Just give me an admin console. That's fine too, you know. So we support all of those models.

S1

Okay. And what are the main products? I think we've talked about two or three already, but what are the main core products?

S2

Yeah. So we have four main products. So the first, that we've been talking about, is Data Protection. And that's really focused on giving you visibility, and then the redaction of sensitive messages that are in email. And again, not outbound emails, not things I'm sending now, but really focused on what's sitting in your archives that's going to get you in trouble if a mailbox was compromised, or if an insider was trying to walk with a lot of email on their last day or something. So that's one. The second product is, uh, Phishing Protection. So that is the traditional email security, where we're looking for inbound attacks that may have been missed by Google or Microsoft or whatever other traditional defenses you have in place. The third is a product we call Identity Protection, where it's really focused on that Dropbox example of, hey, if you get into my email account, can you now go reset Dropbox, because you just request a password reset? Or can you go to Slack and say, hey, can you send me one of those magic sign-in links? And then I can just get into a Slack workspace, even if Slack is behind SSO or MFA or whatever. Yeah. You literally click these magic sign-in links and bypass it.

S3

Yeah.

S2

Um, so what we do there is something, again, very simple. It's another seat belt, where we intercept those kinds of messages and we make the end user prove that they were the ones who actually requested them before delivering them. So it's very simple. Like, you go request a Dropbox password reset. Now you first get an email from Material that says, hey, are you trying to reset your Dropbox password? If you say yes, the Dropbox password reset email comes in as usual. You go about your merry way. If you say no, though, it means I can't be in your mailbox and then go get access to these lateral things. And in a typical enterprise organization, which is what we normally sell to, um, you will see hundreds of apps that are still doing password resets or sign-up verifications over email, even though they're supposed to be under SSO. So a common culprit is Salesforce, uh, or, you know, Workday, where you think they're behind SSO, or ADP is another one, where you think you've handled them, but there's some backdoor happening over email that you forgot about or you misconfigured. And then there are all these consumer apps that are never going to support SSO but are still valid in corporate settings. Like Twitter, which I gave as an example, right? Obviously your marketing team has a Twitter account, but Twitter is not going to support any type of identity thing.

Um, and then our fourth product is basically what we call Posture Management. And it really is about helping you understand what's even going on with your email environment, uh, and broadly your Google Workspace or M365 environment. So for example, um, when I was at Dropbox, if I walked into our company and created an auto-forward of all of my corporate mail to my personal Gmail, literally no one would know, and no one would come and do anything about it. And the reason is because, um, just getting that kind of information out of some of these productivity suites can be very hard. And a lot of times people haven't really built detection or response playbooks around them, and they can't outright block this kind of behavior from happening, because sometimes there are legitimate use cases for auto-forwards, for example. So you can't just block it at the tenant level. So we look for all sorts of behavior or settings or misconfigurations in M365 or Google Workspace, and we just surface them with recommendations of how to reduce that kind of risk. And that's part of the Posture Management product. So yeah, those are the four.

S1

Yeah. Those are great. They all definitely complement each other. I really like the last one especially, because I feel like that is so much of the game, just not knowing. It's like leaving open S3 buckets. You're spending all this money on security and then you've got this thing dangling. Yeah. And, uh, there are so many settings as well. So it's hard for me.

S2

I actually think that, you know, it's a funny story about that. When we first started the company, it was just the Data Protection, uh, feature, the redaction one. That's really what led us to start this company in the first place. When we went and talked to CISOs or security teams about that, the first question we would obviously get is, hey, cool, you have this awesome control for sensitive content in the mailbox. What sensitive content do I even have in mailboxes? Right? Like, do I even need this? I have no idea. I suspect that I probably need this, but I have no idea. And so we were like, oh shit, obviously step one is to give you visibility and help you understand what even is there. And so, selfishly, for us, it kind of helped us tell the story of why you need some of the controls that we're talking about, but also for security teams it's often step one anyway, which is just, okay, now I have a lay of the land.

The other thing is, you mentioned the S3 bucket, and that I think is a really great point. It is very well understood in cloud security that, you know, CSPM, CNAPP, all this stuff, are very well understood categories. People understand why they need them, because there's all this stuff happening in your cloud environment. There are different teams, uh, creating software, all these settings to think about. And so you need a platform that's looking at behavior, looking at vulnerabilities, and showcasing the top, riskiest ones and helping you address them. Literally, word for word, everything I just said applies to the productivity suite, right? M365 and Google Workspace. And yet there isn't really a CSPM equivalent for just those products. There are SSPM tools where they're like, oh, well, we cover 50 apps and M365 is one of them. And because they cover 50 apps, it's hard for them to go deep on the productivity suite. Um, and so they'll give some surface-level detections, but the sort of depth of a CSPM that is entirely focused on cloud security does not exist for the productivity suite. And it's an area that we at Material are very excited about pursuing, because I don't really see a good reason that there isn't an equivalent.

S1

Yeah, especially when the implications of a setting being one way versus another are so huge. Yeah, right. And there's also a lot of opportunity there to be like, look, you are this type of risk posture of a company, you really care about these relationships or whatever. So out of the 312 settings available in this platform, we recommend the following three settings.

S2

Yeah, totally. Um, and it's kind of similar to what you were saying earlier, right? If you make a register of the most common attacks anyway and you just start with that, like, here are the 10 or 15 things that are almost always the culprits. And again, CSPM learned that a while ago, and I think they're like, okay, yeah, we keep leaving buckets open, let's stop doing this. You know, I think that there are equivalents. Uh, for example, we have a fifth product that I actually forgot to mention, that is very new, and it focuses on Google Drive. So a lot of the same stuff that we had heard over the years with sensitive content in email, our customers were like, hey, I have a lot of these problems with Google Drive, just the files. And, um, that product is all about detecting oversharing, because a lot of times what happens is literally equivalent to the S3 bucket. You might have some file that was shared at one point with anyone-with-the-link permissions, uh, even though it didn't need to be, and it's got sensitive content. And now it's been two years since anyone has looked at it. But, you know, it's mentioned in some email that might be part of a breach, and now all of a sudden it's accessible. So how do you go clean that up? You're not going to have a security team that's sitting around auditing their Google Drive, which has millions of files. So you can automate that. You can do things like, hey, if it has sensitive content and it also has these permissions, revoke them in this way and notify the owner. So you can build workflows and get the end users involved, because that's the only way to have a tenable solution there. Otherwise you're just going to have a security team that is trying to go through a giant backlog of these and will never prioritize it. And it's just one of those active risks just sitting there.

S3

Um, yeah, absolutely.

S1

Any new research or new exciting stuff coming out soon?

S2

Yeah. The thing that I'm very excited about is kind of what I was alluding to. So maybe I'll describe it in a little bit more detail. But basically we think that, um, there is an opportunity to do more than just email. Email is just one part of this suite of products, obviously, uh, which includes files and chat and all the posture and settings that come with the productivity suites. And we want to broaden and cover more and more of that. Uh, and so the really new thing for us is broadening beyond email. We did that with Google Drive. Um, we plan to do something similar on the Microsoft side in the future. Um, and then, uh, where it gets really interesting is you now unlock new types of correlations you can do. If you have access to content, uh, settings and logs, you can really correlate these things together.

So let me give you a simple example. Um, let's say that I have a Google Group that allows external people to post to it. That is a very common thing that exists in basically every company, because you have support@ or help@ or whatever. But now let's say that that Google Group also has weak spam moderation settings, which, by the way, is the default for Google Groups. Don't ask me why, but that's the default. Okay, so that's a little worse, because now I can use this Google Group to send you, uh, malicious emails that may bypass your existing controls, because the spam moderation settings are lower. So those two things together are a little bit worse. And now let's say that that same Google Group is actually the one that your CEO is a member of, or your finance guy is a member of. Now it's even worse, because if I want to do a high-profile attack, I now have a path into a VIP. So in Google Workspace today, getting each of these three signals is a different API call. Um, and you have to correlate them together and write your own detection.

In the future, what we want to do with Material is basically have our threat research team come up with a lot of these common scenarios that we see, express them as detections that just come out of the box, and help you really attack these, and leverage the fact that we have the content access, but we also have the, uh, settings and log data access. Because when you can put those three things together, that's where you can build some really high-signal detections. One big problem with CSPM, since we were talking about them, is that a long time, uh, ago, people kind of almost gave up on them, because they used to have so much noise. Right? It was untenable. You go in, it's like, a million issues detected, and you're like, great, I'm never going to do anything about this. What I think the modern CSPMs did a really good job with, you know, I'm thinking of the Wizes or Orcas of the world, is they said, well, actually, we are going to have a million issues, but out of those million there are probably 40 that you really, really, really need to address. And those are the attack paths, the ones that correlate three or four different things together, and they raise the severity of that detection. Um, I think it's a really smart model. And I think it's kind of what we want to do on the, uh, Workspace side.

S1

Yeah, I love that. I feel like everything is going eventually towards this, uh, inevitable place, which is gather all the context and point intelligence at it.

S3

Yeah. Right.

S1

And so I love the fact that you're bringing together all that different context, the state of the configuration of the platform.

S3

Yes.

S1

The things you're concerned about, actual logs plus threat intelligence. Now you've got a real picture.

S2

Exactly. And this was kind of the promise of XDR or whatever. But I think the challenge is that if you try to do it for all security across all platforms, it really does feel like a gnarly, untenable problem. So where I think people have done a good job is where they've carved a boundary so that they can focus and go deep. Uh, the thing that I think hasn't worked is when you create very horizontal products that are a mile wide and an inch deep, because they just can't really get to the true insights, and they end up just spamming you with something that's like, yes, it's a risk, but is it really your top priority? And, you know, I've talked to some CISOs who talk about those products, uh, as kind of report-card products, where it's like, let's just make you feel bad, you know, and it's like, yeah, yeah, like, much to do. I think what we are interested in is trying to find the balance between, yeah, broadening beyond email, but still focusing really on this productivity suite so that you can still go deep and not get overextended. Um, and it's a tricky balance, but I think going into the full XDR thing is probably a little too broad. Yeah.

S3

Well, cool.

S1

Where can people learn more about material?

S2

Yeah. Head over to material.security. We try to, you know, explain what we do in really simple terms. There are videos and stuff that show how the product works. So that's the best way to learn about Material, and reach out if you'd like to learn more.

S1

Awesome. Well, I love the approach. I love the way you're thinking about this. It's exactly the way that I would approach this. Awesome. So it's really, really great to hear it. And, uh, I enjoyed the conversation.

S2

Yeah. Me too. Thank you so much.

S1

All right. Take care. See you.
