Joni Klippert

👤 Person
207 total appearances

Podcast Appearances

Code Story: Insights from Startup Tech Leaders
S10 E17: Joni Klippert, Stackhawk

And before that, he ran functional security teams throughout GoDaddy for 10 years. And so he also had a very interesting disdain for products that were available because it was his job to try to make cybersecurity tooling accessible and approachable to software engineers in 10, 15 years of operating security teams. And he knew how deficient they were.

Code Story: Insights from Startup Tech Leaders
S10 E17: Joni Klippert, Stackhawk

And so we totally bonded over how do we support the software engineer and the software engineering lifecycle and also build and maintain secure software. So I met him, let's see, two or three times and said, hey, do you want to do this thing? He fortunately said yes. And that's how the company was started.

Code Story: Insights from Startup Tech Leaders
S10 E17: Joni Klippert, Stackhawk

The thing that bothered me about this space is there were a couple of open source products available. And anytime there's open source products in the space, people aren't building what's possible. Like, it's interesting. It's like, how come nobody has modified any of these products to... actually make them usable earlier in software delivery lifecycle.

Code Story: Insights from Startup Tech Leaders
S10 E17: Joni Klippert, Stackhawk

So we chose an open source scanner that did DAST that had some support for APIs. We got it to run. We looked at the output. And what we realized is part of the problem is DAST was just so hard to use. It's like being in a Michelin star kitchen, right? There are a million tools, but the average human being, they just want to make a sandwich.

Code Story: Insights from Startup Tech Leaders
S10 E17: Joni Klippert, Stackhawk

You're like, I don't even know just how to find like a knife and something simple and be able to actually use this capability. It's highly capable in terms of the different tools that are involved, but getting an average person to use it was nearly impossible. So what we decided is, okay, the world doesn't need a better scanner.

Code Story: Insights from Startup Tech Leaders
S10 E17: Joni Klippert, Stackhawk

Oh, I found another six vulnerabilities out of 3000 possible vulnerabilities. What it actually needs is something that people can use. And so we took this open source capability and made it very highly opinionated about how it should run and what the output should be such that it was accessible to software engineers.

Code Story: Insights from Startup Tech Leaders
S10 E17: Joni Klippert, Stackhawk

We took something that might take weeks or months to deploy and we made it deployable via Docker and eventually a CLI. So it can run on your machine. It can run in CI/CD. You could point it at production assets if you wanted to, though that's not what we recommend. We informed it via a YAML file. With a few lines of YAML, I can actually identify a target and get a scan running in just minutes.
