Adam Berman

Exactly, we started as, there's an open source project that came out of Meta, Facebook back in the day, called S-Grep and it's static analysis tools in the past. It's been very heavyweight, very slow. You had to pick between slow and powerful or fast and couldn't really find much. This project eventually evolved into an analyzer that had the right combination of powerful enough to find all the things fast enough that it could run in a typical development environment and also easy enough to understand that someone could reason about why it had found the thing that it had found. So we built that out into a product and it has been very successful at helping companies find the vulnerabilities that matter instead of either this huge overload of tons of false positives you have to sift through or not enough power to find things that really could be vulnerable.

Exactly, that's what we always say. I think the interesting part is it's like spell check and allows humans to scale to the, if you think about an editor isn't thinking about, did you spell things right? They're thinking about, have you structured your paper correctly? Have you structured your piece correctly? A lot of security people are stuck in manual spell check are saying like, oh, did you, is there, did you do sanitization of all of your, like all your SQL queries? That's not something a security person should be looking at. A security person should be looking at the architecture of your application overall and saying, is this architected in a way that will allow us to scale, allow us to be secure as a less humans to like kind of go up the pyramid of the hierarchy of needs.

We were founded in 2017, 2018, somewhere there.

Totally, in a bunch of ways. It's kind of funny, like we're a static analysis company. We're like close to the formal methods and the programming languages community. A lot of people say like, what do you need AI for? And it's like, well, we like, we are the like so in tied into AI in so many different ways. One is like, we're a product or tool to be used by AI where AI is generating code. That code could be secure, that code can have vulnerabilities and we can be, and we are in that loop for a lot of different companies to help prevent the generation of insecure code. But then we use AI as well as like as a low pass filter. Like can we rule out false positives? Like, hey, does this file have comments in it that like say, this is a test, great. We don't have to like surface that vulnerability to a developer.

Then also by the nature of our product, we're only as good as the engine can like detect vulnerabilities. We're only as good as rules that people have written to be able to say, hey, this is a vulnerability. And like when a new library comes out, we like, we can scale to be able to meet the needs of how fast developers are evolving like developer infrastructure with AI to be able to kind of ride shotgun with us to be able to help us develop the next generation analyzers.

Oh yeah.

I don't know if you saw, there's this thing on Twitter where someone was like, I'm gonna vibe code like out in public and kind of started to live tweet. Like I'm gonna build an application. And then, you know, what, 12, 24 hours later was like, why are people hacking me? But stop doing this. Like I'm just trying to do my best. And it's like, yeah, because like you're not a software engineer and you built something and that's great, but also like security matters and will kind of end your business if you don't know what you're doing. That's someone who isn't a software engineer, but there's being a software engineer is really hard. You have to think about reliability. You have to think about the user. You have to think about product. To also be an expert at security is really, really hard. And we've known that for decades. And it's why we have a lot of security vulnerabilities out in the world. It's why there was, you know, the like all our security, our social security numbers are out in the world from the like Equifax breach and things like that. Like I think people are realizing how hard this is and AI is really amplifying that. And so I think a lot of people are realizing like, oh man, if we're gonna do this, we need to figure out how to use security properly, use security tools properly or like build security into this. And the people who haven't, I think like will pretty soon, like pretty quickly find out.

I think it's like, you see, like we use AI to like, you know, play defense, try to protect against things. There's also like AI for people who are on offense. So we can see the like rate of attacks and the types of attacks, both like amplifying. It's never been easier to be like some teenager who wants to try to attack somebody because like all these tools give you those capabilities. And then there's also like more and more tools to go attack that are getting built.

But I think also like the attack vectors have changed. So we've seen a bunch of like we call these like, you know, P zero incidents in the security side pop up over the last six months. Shai Hulud is this one that became very popular. It was, you know, it's named after the Dune book, but it was like a worm basically that was propagated through like AI based attacks, like something that wasn't possible to do prior to like, you know, Claude being installed on everyone's laptop.

And you know, if you downloaded a package within the right period of time, it injected a prompt into that, like when you loaded Claude and then it would exfiltrate like something back to some server somewhere. That's not something that was possible prior to this because like we had a little bit more control over things. So it's not only our attacks like easier, like the bear to entry is easier. You don't have to be a skilled, but also like if you are skilled, there are more and more creative and complex ways to go attack.

I guess that's, you know, that's the million, billion, trillion dollar question.

I think like you can ask that, I think across like every vector of software development today, which is like, okay, we're going to, if everyone's a developer, will we be able to scale the number of like servers and stuff? If everybody tries to use Claude, will Claude melt? Like, well, everybody tries to use it. I think our, what we're trying to figure out is like, hey, can we get fast enough? Can we get easy to use enough? Can security tooling, can security evolve faster than the rate that like threats evolve? And that's been a cat and mouse game like forever. That's like, you know, the cold war. There was this interesting book that came out. This is how they tell me the world ends. I can't remember her name. She's a New York times author wrote it. And she was a journalist from New York times. And it was about like the evolution of the zero day black market. And in the seventies, a lot of like tech across different countries, for example, was like completely different. The US and the Soviet Union had like completely different technologies. So you'd, if you figured out a vulnerability in like the Soviet computer system, it wasn't also a vulnerability in yours today. That's not true. Every vulnerability that we find in like someone that we can exploit is also something that can be exploited for us. And so there's this like interesting cat and mouse game of like, there are zero days out there that people definitely know about the boat, you know, like NSA knows about, for example, that like,

they like, we needed to be able to do the things we need to do. And we also like can't, we also need to be able to defend ourselves against them. So it's a, it's a, I am really curious how this will evolve.

Semgrap is like 250, 300 people. Engineering is about a hundred.

I think scaling up, but also changing the way they were hiring. So I think there was a moment in the like the AI hype cycle where everyone said like, what's the point of a junior dev or like, how are we going to train them? I think what we realize now is like, if you hire smart people, they will figure out how to be effective.

So we want to just keep on hiring smart people. And we think like even more so the, if we feel like we have an opportunity to hire smart people and we have, as like Rob said earlier, like our backlog is infinite. And the number, like, as you said, like we need to be able to scale faster than we feel like we could possibly can. So our bottleneck is can we find the right people who can fit in? But figuring out how to find those people is getting harder and harder as well.

It's like, it's, I think people are a little overblown about like, oh, the resumes and whatever. And it's pretty easy to tell who's like literally faking things in an interview, but it's harder than ever to get the signal about like, will you actually be a really good builder? Because there are like things that make like many, many people like the baseline is pretty high. So when we think about, but when we think about like, can you use these tools, can you do these tools amplify your abilities? Will you be able to like train junior developers? Will you be able to give feedback? Are you a good technical communicator? Those things, like those are even more important now. And it's like even harder and harder to get that signal.

Yeah.

Totally.

Yeah, yeah.

Like someone said earlier, something that really resonated with me. We're like really, really looking for like curiosity spike. We're looking for like, it's not just you ask the question. It's do ask like the five follow-up questions. Are those questions like, do they seem rote? Or they come from a place of like, you're really trying to understand the subject matter. I think like I was a philosophy major undergrad. I think like I feel like I was trained to learn how to analyze problems. I was trained to learn how to dig into new topics. And I think people who have that kind of like mindset, like everything is gonna be new every three months, every six months, whatever. And they're excited about that. And they're high on curiosity and they wanna figure out how it works. Like those people really thrive. We wanna find those people.

I think the like,

there's like kinds of engineers who look like, are you a programming languages? Which one is best? Or who like love their tool set? And like, I think there are definitely places for those people. But for most of us who are in product oriented companies, like I want people who are like more okay with what we call like the boring tech. Who are gonna say like, hey, we're gonna use the thing that we know that like the tool kit is gonna work. And we're gonna spend most of our time thinking about the problem, the customers, who are gonna like go ask a lot of questions. And who are gonna be like kind of flexible enough to say like, hey, I was wrong. I'm now excited about this other thing I've learned about.

I love to hear people say, I don't know. Or I was wrong and I like now I believe this. Cause it feels like it gives me some signal but like you have the plasticity, you have the like the low ego and the like high like emotional intelligence to like be able to adapt and evolve.

Yeah, totally. And who like, you know that I think we talk about like, oh, it's can feel like, oh, we're talking about the business and the corporate and the shareholders, whatever. It's like to me at the end of the day, it's like, it's the users. I really like, I like to help people. I think I got into tech because I was like, I really enjoy the like, I can talk to a person, I can hear what pain they have. I can go solve that problem for them because I have a skillset to do that. I like to work with other people who have like the same kind of belief that like, yeah, yeah. I can hear what they have, what they say is wrong, what they wish was better. And then I can go get creative and I can figure out a way to do it that's better than they could have ever imagined. And you get to like feel that delight. To me, that is like the dopamine hit. That's the like real thing that motivates me is like getting to see those people who are like, yeah, that's cool. I can't believe you did that. That's really cool.

Totally. And there's like, I think there's this interesting intersection of like people who are technically strong enough to know like what's possible, be able to guide, be able to like, like creativity, unrestrained creativity is like often not productive. You can go off in wild goose chases. Or you like never know if you're going in the right direction. But having that kind of constraint of I know what's possible, I know how to be creative within those like boundaries. And to have those boundaries be set instead of by like the technical specifications, but from like your own personal conversations with users, your own feeling of like, I can walk in my users shoes and I understand them. And I understand like what will be better for them. Having that be the boundary, like I think unlocks a lot of things. I think like for better or for worse, we've evolved in the direction of like software engineers and then product managers as a layer between them and customers. And I think like with the way we've talked about like product and the product engineering is like, that's how I've always, always identified. It's like, I love like,

I'm not saying product managers will go away, but I think like product managers, I think don't need to be such a strong layer. And we can like have software engineers be really much more hand in hand with customers and getting that empathy like directly.