Genealogy of Cybersecurity - Startup Podcast

Ep 16. Varun Badhwar on Pioneering Security Posture Management, and the Story of RedLock

October 23, 2023 Paul Shomo

Founder spotlight interview with Varun Badhwar. Varun is the current CEO of EndorLabs, a three-time Innovation Sandbox finalist, and known for founding cloud security posture management startup RedLock, which became Palo Alto Networks PRISMA Cloud.

Varun tells stories about evangelizing the new ways of cloud posture management with RedLock's Cloud Security Intelligence (CSI) unit, which quietly presented vulnerabilities to potential customers. He contrasts running a startup like EndorLabs, which is in an established Software Composition Analysis (SCA) category with existing customer budgets, with establishing new ground at RedLock and CipherCloud.

Throughout the interview Varun weaves in his philosophy of discipline, team building, culture, sticking to the basics, and, well, getting shit done.

You can find Varun Badhwar on Twitter @varun__badhwar or at LinkedIn.com/in/vbadhwar.

Visit EndorLabs, or find them on Twitter @EndorLabs, or at LinkedIn.com/company/endorlabs.

Send feedback to host Paul Shomo on Twitter @ShomoBits or connect on LinkedIn.com/in/paulshomo.

You know, it's funny you say that because I think what people don't realize, especially a lot of the marketeers in security, like they want to pick up the fanciest buzzwords and the EDR and AI and this and that. It's the basics that gets people. At the end of the day, if you look at where a lot of the research has shown, it's the basics that you got to focus on first and get right. But right around the time when we were building RedLock, you started hearing every week about an S3 bucket being misconfigured, data being exposed.

And you know we said, look, the only way to really educate the market is to quantify the risk. And so we had a research team. We called it a CSI team, a cloud security intelligence team. And we produced some incredible research, you know. We found exposed cloud environments for Tesla. We found lots of large enterprises where our researchers would privately disclose issues to them, you know. We were not trying to make money or a business out of just going public and creating a wall of shame for companies. So we did a lot of stuff in private. And that gained a lot of trust and credibility.

Intro: The Genealogy of Cybersecurity is a new kind of podcast. Here we'll interview notable entrepreneurs, startup-advising CISOs, venture capitalists, and more. Our topic: the problems of cybersecurity, new attack surfaces, and innovation across the startup world. Welcome. I'm your cybersecurity analyst, Paul Shomo.

Varun: So I am Varun Badhwar, founder and CEO of Endor Labs. Prior to this, I built two other companies, CipherCloud and RedLock, and I'm sure we're going to talk a lot more about that background. Yep.

Paul: And you're also, and I think this is the record, you brought three startups to Innovation Sandbox as finalists, correct?

Varun: Yes. We've been fortunate to bring all three startups to the RSA Innovation Sandbox. And although I haven't won a single time, I guess it's the thought that counts.

Paul: I always say all the finalists are winners because you never know which one's going to end up being Palo Alto Prisma Cloud. So there you go. So we already recorded an episode about Endor Labs that's going to come out in probably three weeks, a month, something like that. But I wanted you to come back, and actually it'll come out before this episode. I forget that we're going to be in the future. But I want you to come back on and talk about this influential startup you did called RedLock, which, of course, is now the Palo Alto Prisma Cloud.
And over the years, as I've mentioned, so many founders and leaders in the startup world that I bumped into came out of RedLock, which always kind of gave me this fascination with RedLock.

Paul: You want to start out by giving an overview of what RedLock is for those who are unfamiliar?

Varun: Yeah, RedLock was founded in 2015 with the premise that nobody wanted to build data centers anymore, but as you started moving into the cloud and your developers were going off with credit cards back in the day, kind of deploying services in the cloud, you as an enterprise had very little idea of what was going on within those cloud environments, what kind of services and applications were being deployed, how they were being configured, what kind of data was in there, who was managing and administering that.

And so the whole idea of RedLock is, today, a well understood market and problem of cloud security posture management. Back then, the idea was really, how do we give you visibility and comfort and the guardrails such that you can confidently let your developers use cloud infrastructure platforms like AWS, Azure and Google without the concern that would slow them down from kind of driving the innovation that they wanted to?

Paul: So you basically built cloud security posture management, which obviously is broad now and has splintered off into a number of categories. But you basically built that a few years in front of the broader cloud transformation, and a lot of companies out there, they're copying competitors, their Gartner analysts are telling them what to do. But clearly, you were way out in front. Like what was your formula to be the first through the wall and build it right and align with the customer needs?

Varun: Yeah, Paul, I don't think there's a specific formula, but I'll share a few things that have worked out for me in kind of building three companies over the last 13 years. First and foremost, listen to your customers.

Contrary to popular belief that when you're building a startup you should just kind of go into a cave, don't tell anybody anything you do, have people sign heavy NDAs to share your ideas, we were kind of of the opinion that we have hundreds of conversations. We need to tell more and more people what we do. And I never bothered asking people to sign NDAs to hear what I'm working on with the company, because my mantra there is if somebody can hear your idea in 30 minutes and then copy it and build a company around it, well, hallelujah, like kudos to them, they out-executed you.
And so I think a lot of this was conversations, conversations, conversations. And initially, in 2015, we were already starting to think about containers, and the original genesis of RedLock was, how do you secure these distributed cloud environments where you're interacting with APIs and containers? And people had us kind of back out. They said, you're going too far. Our basic problem today is just understanding what our developers are doing in the cloud, and are the basic policies and configurations appropriately set up.

You have to remember, in an enterprise IT environment that we were accustomed to back then, there was a different team putting in firewall rules, different teams standing up servers and a different team managing the vulnerabilities. In cloud it kind of all consolidates, right? The same developer is setting up firewall rules through security groups, is setting up the databases, is setting up the connectivity to a virtual VM. And so, you know, one mistake and you're now exposing your crown jewels to the Internet.
And so we heard this feedback saying, I'm not comfortable, or I'm not sure I'm going to meet my compliance objectives as my teams start moving into the cloud. And so we kind of backtracked to say, got to start at visibility, right? You can't secure what you can't see. And really, that's where the genesis of this came from, is purely talking to a lot of people.

Paul: So back then, to start on preventative visibility was so different, because I mean, I was interviewing founders and evaluating the products coming through Innovation Sandbox. So I began my cloud transition in my thinking in that 2017 to 2019 period, with you obviously at the beginning and then a few other products in that general space. But at that time, the cool kids on the RSA expo floor, they were all talking about EDR and how machine learning created next gen antivirus, and IoT. And I guess, you know, that all revolved around malware; like the unit of focus of their attention was files and running processes to catch malware, right?

And so I remember in that period, you know, 2017 to 2019, I would see products like yours, and it was a real shock, because where were the files and processes and malware? There's nothing about that. It's all identity, configurations, access levels, vulnerability, stuff like that. And what was that like? I mean, because I had a heck of a time trying to get that through editors to explain. What was it like to have to turn the world upside down, educate people just so you could market and generate leads?

Varun: You know, it's funny you say that because I think what people don't realize, especially a lot of the marketeers in security, like they want to pick up the fanciest buzzwords and EDR and AI and this and that. It's the basics that gets people. At the end of the day, if you look at where a lot of the research has shown, it's the basics that you got to focus on first and get right. And, you know, the way we actually helped, you know, part of it was our researchers, but part of it was also what was happening.
But right around the time when we were building RedLock, you started hearing every week about an S3 bucket being misconfigured, data being exposed. And you know we said, look, the only way to really educate the market is to quantify the risk. And so we had a research team. We called it a CSI team, a cloud security intelligence team. And we produced some incredible research. We found exposed cloud environments for Tesla. We found lots of large enterprises where our researchers would privately disclose issues to them, you know.

We were not trying to make money or a business out of just going public and kind of creating a wall of shame for companies. So we did a lot of stuff in private. And that gained a lot of trust and credibility to say, hey, A, this team knows what they're doing in the cloud, and B, it's actually geared to help. And I'd say, Paul, that's how we did it. Just getting to the basics, showing people examples of how things are going wrong in the cloud every single day. And how easy it is, like you don't have to be an advanced attacker to get this; a script kiddie in high school can find misconfigured environments in the cloud.

Paul: It sounds like customer references and getting those initial logos was a big part of it.

Varun: Yeah. Yeah. A lot of our business came through word of mouth. A lot of it came through partners, you know, who were having lunches and dinners with their trusted customers and the network and saying, you know, we're hearing a lot about this company, these other vendors are showing them. But frankly, I'd say the biggest impact for us was how easy it was to demonstrate value to customers. So typically it was all connected with an API key into your AWS environment.

We would go into a meeting and say, you know, look, instead of talking about this, why don't we just show you the situation in your cloud environment? And we had sales conversations lead to war rooms within the customer environment because the stuff we highlighted was just bad news. And, you know, in other cases, it was almost like, oh my God, you've shined the light on stuff. I don't want you to turn this thing off now. And so I think that was the biggest thing, is that our focus on quick time to value, and demonstrating to people, in their environment, kind of what the current state of the security they had was.

Paul: It's interesting you mentioned that because I've heard that story from some successful startups. And another entrepreneur once told me that, in their opinion, to get a Fortune 500 company to buy immature software, you'd better have an Einstein problem that they have to handle, that you show them, like, you have this and I can handle it for you. Do you feel that that's like a bar you're going to have to reach, or is there anything you agree with about that?

Varun: So there's two things, right? Most security teams are overwhelmed, even with the number of tools that they want to try out.

There's a whole backlog, usually a 6 to 12 month backlog. So the first question is how do you get to the front of the line? Well, you can make it dead simple where somebody can set it up in ten minutes, and not have to bring in somebody from the proxy team and somebody for the endpoints. And so kind of how do you get the teams who want to test you, or your champions in the enterprise, how do you get them to win the political battles to deploy your product? And the second thing is, once you deploy, how do you make them look good, that they brought something into the organization that was high value?

So that was kind of our focus in the kind of sales process, yeah.

Paul: And as far as direction of product and technology, you talked about listening to customers. Could you describe your level of collaboration in the venture capital world, where the analysts or part of their CISO advisory boards were part of guiding the product, or was it really more focused on the customers that actually were paying for software?

Varun: It was customers paying for software. It was prospects. It was people we would talk to and meet at conferences, hear from them.

They may not buy our software today or they may never buy our software, but their insights are still valuable. So I would say that's where we focused, I mean, the most. Then the other piece that we focused on is a lot of the security consulting companies that were being brought in to help customers, because customers were like, I don't know what's going on with the cloud, help me. And so we would try to understand what are the practices they're building. What are the kind of tooling they're using to perform their assessments, you know? Where are customers most concerned? Where do they want to go?

And then how can we build technologies to accelerate that journey? 

Paul: I want to dig into the culture over at RedLock a little bit. So a lot of CEOs put plaques on the wall and they promote this list of corporate values, which employees kind of look at and think, okay, wishful thinking. But there was clearly something to RedLock. What would you say is like the raw, unfiltered description? What was the culture at RedLock?

Varun: Yeah, it's a great question. Look, first and foremost, and I know, you know, the whole conversation started with, how come there are so many leaders in the industry and CEOs that have emerged from RedLock?

I think, you know, our hiring process really focused on two things. One is certainly we want to know what have you done in the past? And how good were you at what you did? But we were looking for people with a personality trait of being very hungry to have the opportunity to prove themselves in the next role. And, you know, in a lot of situations, maybe they weren't before a VP of worldwide sales or a CMO for a company, or a head of solutions engineering before.

Maybe they've done it in a smaller capacity, but they've done it very well. And we gave them the stage to go prove that they can do it at that next level at a global scale. And so I think people were appreciative to have that opportunity and also were really wanting to prove themselves to be successful. So I think versus, you know, I've done this role ten times over, I'm coming for the love and time, I can do it in my sleep. Not to say there's anything wrong with that. But, you know, we just had a different focus. So that was one, you know.

Our culture stemmed from just uber transparency, and, you know, what we basically said is everybody working here is an adult. They can hear the good news. They can also know how to process the bad news. And so always my job is filtering the bad news, giving them just the good news? Then people aren't feeling the reality of a startup; a startup is never hunky dory all the time. And so we kind of coach people to understand and kind of process the good, the bad, the ugly, because that's what startup building is all about.
The third thing is the customer focus. I've talked about it a fair bit. And I'd say the fourth thing was really, you know, I had this belief, which is I have to work myself out of a job. I've always had this belief as I'm hiring. And so when I'm hiring people, that's not just about what we hire for, but it's like when they're here, they have extreme autonomy, you know. We hold them accountable for the higher level objectives, but I tell people that are coming in, especially leaders and executives:

You're not coming here to do everything I tell you to do. You're coming here to tell me what we should do as an organization. And, you know, a lot of startup CEOs are like, I know what needs to be done. I'm going to tell you what to do, and your job is to go do it. And I just think then there is no diversity of ideas and experiences and thinking in the mix. So I would say those were probably the key traits and kind of company values that we focused on a lot.

Last one, we would always say is get shit done. Stop talking, just get shit done. You know, it was really around velocity and willingness to take risk, knowing very well that 100% of what you do won't always be right. And that's okay, right? We give you safe space to make mistakes and pivot.

Paul: Now, you mentioned always trying to replace yourself when you're recruiting leaders, and you said that to me before too. That's something that maybe people talk about, but that requires a degree of kind of selflessness and really kind of courage to do that's probably underrated.

Varun: I think the most important thing is security. If you're insecure about certain things, if you're unwilling to be vulnerable or recognize that you are not, as a CEO, an expert at every function, you just never will be. I can't be an expert in product and engineering and sales and marketing and business development.

I can't. So if you can recognize that, if you can vocalize that to people and say, you know, I'm completely comfortable knowing that I'm very visionary, maybe I'm a great product leader, I've never done sales before. And so when I hire you, I expect you to come in and run that function for us, just share your ideas on how you want to execute there. Sure, I might have ideas. We will disagree at some point. We'll disagree and commit and move forward.

And so yes, I think the number one thing is just being secure as a leader yourself. Recognizing your strengths and weaknesses, and then hiring around yourself a team that is better than you, because if you're not secure, you'd be very worried to hire somebody better than you, for that very reason.

Paul: And then I wanted to ask you a little bit about Palo Alto, because it seems like sometimes when startups are acquired by large companies, the founders can't wait to get out.

But it kind of appeared you actually stayed there for a little while. You want to tell me about the acquisition?

Varun: Yeah. I stayed there, and a lot of companies acquired after me, you know, the founders are still there and thriving. So look, the number one reason acquisitions fail is the first thing the acquiring company does is say you're small, I'm big, I tell you how to do things because I paid for you. And okay, you have 20 engineers, go to our engineering team.

You have 5 salespeople, go into our sales team, and everybody gets lost. The culture gets compromised. And essentially, when a hundred people are going into a company with 100,000 people, guess what? Everybody just disappears. And it's buried into the organizational bureaucracy. The big thing that Palo Alto Networks did right, and kind of kudos to Nikesh [Arora], the CEO who came in, because RedLock was the first acquisition he made. And by the way, congratulations to him.

He just completed 5 years of being there, and it's been incredible to watch his journey. What happened is that we had a conversation. We said cloud is different. You can't sell, can't build, can't service, can't market cloud products like network security products, and he fully recognized it. And we said, we're going to build a separate organization, basically. We call it a speedboat. We said Palo Alto Networks is a yacht, a yacht sailing in the middle of the ocean. Cloud is just taking off.

You're at the harbor in the marina. You got to catch up to the yacht. That's going to take a different speed, velocity to get there. So we called it literally a speedboat. And we created a cloud speedboat. And we said a few things. One, we will not tear this organization apart. We will keep it together and add more fuel, and actually add more salespeople and more marketing people, so I as a general manager of that business had our own dedicated sales team, dedicated marketing team, dedicated customer success team.

And we grew that business 100X within the first two years because we had a working product. We had a working sales motion, and now we just expanded that, right? So that was hugely successful. The other thing we said is, because we have this machinery that's working now, and now we have the capital to invest in it, and cloud is still in its first innings, let's avoid the sins of the past. And what are those sins of the past in security?

It's that eventually customers have to end up buying a hundred products because they don't want to compromise on best of breed. Yet you don't find best of breed in a single platform. So you buy some network security from somewhere, endpoint security from someone, great. We said we're at an opportunistic place where cloud is early. We have best of breed on CSPM already. Let's go figure out what are the three or four other areas in cloud that are super critical and either build it, or let's be honest with ourselves: if there's somebody better who's already three years ahead of us, acquire it, integrate it.
So customers don't have to choose best of breed or integrated; we give them both. And that's where we then made the acquisitions of Twistlock in the container security space and then things like Bridgecrew in the infrastructure as code space. And today what you have now from Prisma Cloud is a code to cloud platform that has several best of breed capabilities. And by the way, along the way, if there was something we thought was important, like identity and CIEM, and we didn't think there was, you know, we thought we could do it better ourselves than acquire after looking at the market,
we built it ourselves. And so it was being completely honest and analyzing with a data-based approach of what do we acquire? What do we build? How do we integrate it into a single suite to make customers' lives easier, both from a purchase, licensing perspective, but also from a deployment and operationalization perspective?

Paul: Very interesting. Yeah, you definitely don't hear that story from a lot of founders after they're acquired by other companies. So that's very, very fascinating.

So before RedLock, you actually started back in cloud security in 2010. I think it was at CipherCloud. Tell us a little about CipherCloud.

Varun: So I was working at Salesforce.com for the past four years, and obviously I had a front row seat to how enterprises were thinking about enterprise SaaS, putting customer data in there, thinking about all the compliance and regulatory implications.

Back then, data sovereignty was a huge topic, because it's like, oh my God, you're trying to tell me I'm going to put my customer data outside of my four walls and trust you to do it. Why should I trust you? You know, that was before this term CASB came out, but effectively we said, can we bridge the gap? Can we give customers the best of enterprise SaaS apps that they want to use, but give them full control of data that's moving to the cloud? And that was the genesis of CipherCloud.

It was back in 2010; the term CASB was coined in late 2012, if I remember correctly. But we basically created this idea of you as a customer can control the data movement to the cloud, decide how you want to encrypt, tokenize data, monitor what your users are doing, and that was the genesis of CipherCloud. Very different back then.

Paul: So in RedLock, you're at the beginning of brand new categories, like really before they're founded. And then now with Endor Labs, it's a different kind of deal where you jumped into an existing category with some people in there. Like, what's it like, what's the contrast, to do that?

Varun: Well, let's talk about what's the common thread across all three. We typically are building software and security companies that will address the tectonic shift in technology trends. So first was the move from enterprise apps to enterprise SaaS apps.

The second was moving from data center to the cloud. The third company is, you now write less software of your own and you borrow more software from strangers on the Internet. Previously, 5 years ago, over 60 to 70% of the code in an application was written by you. Today, 80 to 90% of the code is written by somebody else with whom you have no contracts or SLAs.
But so I'd say the common theme is that. I'd say in Endor's case, there is an existing category that has serviced parts of the issues that come with this, but even those categories of products have got completely overwhelmed with the just sheer acceleration of adoption, that you need to kind of take a fresh look at this problem.
For today's risks, for today's level of adoption, scale, advances in AI. But the thing that's different is, with CipherCloud and RedLock, there were new budget line items, whereas here it's an existing budget, right? AppSec teams have some code security scanning tools that they have budget for. Look, it has its pros and cons. The pro in the current situation is that in tough economic situations, creating new budget line items for new products is always harder.

Replacement, more optimization, better productivity with the same spend is a much better value conversation. So that's the nice pro. The con is if somebody has something and they're like, oh, you know, you want to take the lazy approach of, yeah, I know you're better, but I don't want to kind of shake up the boat. Maybe come back, talk to me at the next renewal cycle. That's the downside of these conversations.

But we believe strongly that the value proposition of how much engineering productivity boost Endor Labs can give you is such a no brainer that it's a very tough conversation for somebody to look the other way and say, you know what? I'm just going to stick with what I have.

Paul: A lot of people don't think about that, but those category names, like the ones Gartner gives, are essentially a line item in a budget. And once that hits there and they say spend, all the money floods in. So you were obviously part of building new categories.
So you had to wait till that happens, and now that's a different scenario to jump in.

Varun: Yeah. I think those take longer. There's more evangelical sales processes. You're trying to create budgets and create the urgency. Here you have an established market. I mean, for example, you know, I was reading a Forrester report the other day from last quarter which says application security is growing nearly as fast as cloud security now, which is great because for many years it was underserved. And the biggest spend area in application security is going to be software composition analysis (SCA).

It's great for the business we're in, and we're starting out now. We think SCA as it was needs to be redefined. So here we're not really necessarily going after new category creation, but a redefinition and reorientation, and by the way, every analyst, Gartner, Forrester, talks about this, where SCA needs to shift. There needs to be a different approach to SCA. So that's great.

We are all aligned that we think SCA, the name and acronym, might stay, but what it is needs to completely be redefined.

Paul: So the rise, everyone's becoming a software company, everyone's writing software, hiring DevOps people, that's obviously been a huge attack surface. But within that, the reuse of code, as you pointed out, 80 to 90%, that's like a big new attack surface or a rapidly growing one, it sounds like, you know. It does seem like there's a pattern of startups.

A new attack surface causes startups to form more so than let's just replace you do the next gen of something that's already there. 

Varun: Yeah, look, I think there's the good and the bad, right? I think with cybersecurity getting so much attention, lots of people want to innovate in this space. The good of it is you get more innovation; the bad is you also get a lot of noise, because now you have people from non-cyber backgrounds coming in and thinking, because cyber is a well-spent market, let's go build a company there.

I'd say that the typical problem we have as an industry is most startups really are very focused on very small slivers of functionality, and you have to ask the question, is this a company? Is this a feature? Yeah. And eventually, I think customers are also getting tired of buying hundreds of security products and they want to see consolidation. So now, you know, the question, the challenge for a startup entrepreneur like myself is, yes, you need to start somewhere, but have a very clear vision of the problems you're going to solve in the long term.

And kind of how do you drive the path to get there very, very quickly. So customers can do more things with more consolidated tools in a better, more efficient and more productive way. 

Paul: Well, great. Thanks for coming on. A lot of wonderful pieces of wisdom here from you, and telling the RedLock story that I've always been fascinated by. Thanks so much. And, you know, hopefully I'll see you back in, what, 6 years in Innovation Sandbox.

Varun: Thanks so much, great to chat with you all.