
No Priors Ep. 38 | With Material Security Co-Founder Ryan Noon

Cyber Security is going to change significantly in the era of AI, according to Ryan Noon, cofounder of Material Security, a security company that makes cloud-based Google and Microsoft email a safe place for sensitive data. Elad Gil and Ryan talk about how Material Security started to use LLMs, potential security threats from AI hacks, and the role of the government in securing the Internet. Ryan also shares his advice for founders.

Ryan co-founded Material Security in 2017 after seeing high-profile email hacks in the 2016 Presidential election. Previously, he led various engineering teams at Dropbox after it acquired his first company, Parastructure. Prior to Parastructure, he led engineering at a data analysis company spun out of Stanford by DARPA. He holds both an MS in Computer Networks and Security and a BS in Computer Science from Stanford.

00:00 - How 2016 Election Hacking Inspired Ryan to Start Material Security
05:02 - Generative AI Use Cases in Cyber Security & Fine Tuning
11:50 - Predictions on Effective Threat Levels from AI Hacks
15:39 - Democracy, the Department of Defence, DARPA and Cyber Security
20:17 - Is there room for startups in the Cyber Security industry?
27:13 - New Challenges On Horizon After 7 Years as Cofounder
30:32 - Advice to Founders

Elad Gil (host), Ryan Noon (guest)
Oct 26, 2023, 36m

EVERY SPOKEN WORD

  1. 0:00 - 5:02

    How 2016 Election Hacking Inspired Ryan to Start Material Security

    1. EG

      So this week I'm joined by Ryan Noon. He's the co-founder and chairman of Material Security, the cyber security company making cloud-based email a safe place for sensitive data. He previously started Parastructure, which was acquired by Dropbox, where he was an engineering manager prior to starting Material Security. Ryan, welcome to No Priors.

    2. RN

      Hey. It's g- it's great to be here, man. Always lovely to talk to you.

    3. EG

      Ah, yeah, it's always fun to chat with you. Um, so one of the reasons I was excited to be chatting with you today is, I feel like you have such a great perspective on, uh, both the broader security industry, various tech topics, et cetera, but also specifically how this all starts to tie into AI. And I know that at Material you were, um, a very fast adopter actually of, um, AI-related technologies as the first sort of APIs really came out, and you started playing around with them quite early and doing interesting things with them. Do you wanna first talk a little bit about how you started Material, and then maybe we can touch on how you started getting involved with the AI side of it?

    4. RN

      Yeah, sure. Um, so we started Material, I guess, 2016, 2017 or so. Uh, I had left Dropbox and, um, you know, was living in Europe, and fell in love with, uh, all the election hacking that happened year, um, you know, that year was pretty nasty (laughs) . Like, every random Gmail account kept getting, like, dumped on the internet. So, I, I had an idea for, like, you know, how to protect a Gmail account, you know, just an ordinary personal one in, like, a fairly novel way. Uh, I coded it. It shockingly worked, the Gmail API let you do it. I brought it back home and, and showed it to some friends, and, uh, we realized this is actually a special case of a broader way of thinking. Now, seven years later, it's a, you know, whatever cyber security unicorn thing, and we get to work with the coolest companies, you know, in the world by far, and the stuff that you get to do at- at this scale is just mind-blowing. It's (laughs) , it's wild to think just where it started and- and- and where it's come.

    5. EG

      And what- what are the main products that Material focuses on? Just for the- the audience, so they have a better sense.

    6. RN

      Yeah, so, um, the- the broad thesis is basically we've all kind of got these Google and Microsoft accounts. Um, you know, email is- is sort of where we started, but, you know, since then we've kind of, uh, just went deeper and deeper and deeper into sort of everything that you can use, uh, you know, a Gmail account or a Microsoft account for. Uh, the bread and butter of the business is selling, you know, to- to companies, you know, mid-size and up, uh, with these kind of, these big Google Workspace and Office 365 deployments. Uh, the product has a bunch of different modules that are all kind of based around the- the main things people worry about. Um, the- the kind of, the first big product that you mentioned, you know, in the intro was, people have years and years of sensitive information sitting in these accounts. If somebody, you know, gets into your Google account, they're just gonna download all of your email, uh, and go through it later, and your whole life is in there. It's even worse, you know, in- in a corporate environment. And so that product, what it can do actually is, uh, it finds, you know, sensitive stuff that's just sitting around, kind of just sitting in your inbox, uh, in your archive, whatever, and then it can basically redact it and then replace it with a clean copy so that if somebody gets in and downloads the whole thing, they don't get anything good. Uh, but then if you happen to need it, like I- I- I like having all this information at my fingertips, you can just press a button and you have an extra face ID or a touch ID or, you know, more advanced policies and- and- and work, but just something that's easy for you but hard for the attacker. So we started there, and then we expanded into anti-phishing. You know, people can send you tricky emails and get you to do things and steal money from you. 
      Uh, we expanded into account takeover protection which is, you know, more of the things that people do, uh, after they compromise the account, and you know, I try to reset all your other accounts and steal your bank account and all of that. Just, the- the operative concept is defense in depth, which is just, you know, like, just assume that the bad guy got in, like, what do they want, you know? Like, they got over the wall, there should be another wall and a machine gun. You know, it's like history has all these fairly basic lessons about resiliency (laughs) that, uh, never really always get applied the right way when it comes to computers. So...

    7. EG

      Yeah, so it's kind of like a... I guess the- part of the impetus was the 2016 election, where, you know, there was all the things around the Podesta emails and Hillary Clinton and everything else, and the basic idea is, um, somebody's able to hack your account, but it doesn't matter because your email's not accessible to them, or the sensitive information that you designate.

    8. RN

      Yeah. I mean, it matters, but we used to call the company, like, seat belts for email or whatever back in the day.

    9. EG

      Yeah, yeah.

    10. RN

      It's like, it sucks to crash your car, it really sucks to go through the windshield. Google and Microsoft, you know, have a- a- a total duopoly on all of this, and kind of whatever little thing that they miss from a security perspective is, you know, world altering. You got, like, I mean, there's a headline every couple of months, like, every Cabinet Secretary just got their email hacked because all of the eggs were in Microsoft's basket, you know? And- and so we kind of just exist to fill the gaps in wha- whatever doors they leave open. That's, you know, it's- it's very fragile having a duopoly (laughs) .

    11. EG

      Yeah. Yeah, yeah.

    12. RN

      Duopolies are stable in the market but- but very fragile when it comes to security.

    13. EG

      Yeah, that makes a lot of sense. You were one of the fastest adopters, I feel, in

  2. 5:02 - 11:50

    Generative AI Use Cases in Cyber Security & Fine Tuning

    1. EG

      terms of hands-on use of LLMs for security applications. How did you start thinking about the use cases where generative AI would be useful?

    2. RN

      The- the second you give a coder a repl, uh, you know, we will- we will start iterating basically, right? And ChatGPT, if nothing, was not the world's greatest repl. So, I mean, we just started playing with it, and then we're like, there's a lot of security domain knowledge, like, baked into this thing. It turns out if you feed, you know, precisely one internet to precisely a million GPUs (laughs) , it picks up a thing or two about cyber security. And so, you know, it's- it's the kind of thing that obviously, like, the bad guys are- are- are starting to figure out in earnest, uh, and, you know, it's not like you can prevent this stuff from getting democratized. But we just- we just... You know, you could do simple things, like you could feed it, you know, like a bunch of, you know, raw email headers. Anyone who's coded with these things, it's, it's like this weird wetware grafted into the middle of a computer, you know? It's like, it's, uh, it's, it's squishy and, and sarcastic in parody, you know, but you have to integration test and, and model around it. I think the analogy I used at the time is like Shang Tsung from Mortal Kombat. Like, it has, it has eaten the souls, you know, of, of thousands of, of security engineers (laughs) . And so, like, you might as well use it, 'cause h- honestly, like, there's a lot of just raw operational work that happens in security of just, like, we need to, you know, rarify this signal, filter out the noise, and then honestly, feed it through a human being who has some experience as to what the bad guys are trying to do. Uh, and, you know, it turns out LLMs are fantastic at that. And so that was, that was the first use case, um, that we really kind of productionized. But, you know, beyond that, it's, it's kind of gone crazy (laughs) . So there's a lot of engineering you have to do, though.

    3. EG

      It's kind of amazing, 'cause if you look at modern LLMs, they have this mixture, to your point, of sort of this deep knowledge base, which is the internet, and to your point, sort of the souls of security engineers on the internet. And then, you know, it has this sort of chain of thought or sort of reasoning that is very useful to use in certain circumstances. Is there any data that you feel is really missing or a specialized corpus you need to provide or anything else that really helps from a security perspective that you, you know, you need to augment or fine-tune or do something with?

    4. RN

      Honestly, like, you know, I, I've seen a lot of, you know, startups starting from scratch here and, and whatever. And, you know, as, as an engineer, like, I know when I have headroom (laughs) . And honestly, even in, like, GPT-3.5, there was plenty to work with (laughs) . I'm seeing a lot of shovel-selling, obviously, right now in the AI market. Uh, and I'm seeing a lot of, like, you know, "I need to pretend that I have a moat, so I need to, you know, fine-tune all this stuff," and whatever, whatever. But yeah, no, I mean, so many things that were very, very, very hard for computers, you know, 18 months ago are very, very easy for off-the-shelf models (laughs) . So, like, I, I think, you know, maybe chew your food first, security industry (laughs) .

    5. EG

      Yeah. What do you think are the best application areas, then, for generative AI and security? Is it pen testing? Is it phishing? Is it something new? Is it some form of, like, supply chain?

    6. RN

      Yeah, I mean, it's obviously the, uh, the offensive side is what you're not supposed to talk about too much (laughs) , uh, but obviously the bad guys are talking about it. And, and in security, you know, it, it does have this arms race-y sort of aspect to it. So, like, you know, we need security LLM companies, uh, because the bad guys exist. Honestly, like, the, the order zero thing, when I keep meeting with founders, 'cause you, you hear this. There's all these, like, kind of classic cliches in the cybersecurity industry, like, "The cybersecurity skills shortage." Like, "America needs, you know, to bring back the draft and make everyone get a security certificate," or something. Okay. Like, you, you know that you have, like, 90% of a human that you can use for, like, a penny and a half, right? Okay. Start there (laughs) , you know? Uh, and so, like, there's just basic things like that. But it, it gets, it gets more interesting, I think, from there. But, like, let's go to Disney World collectively after we do that, and then we'll come back. You know? (laughs)

    7. EG

      Do you, do you see any CISOs actively using, um, LLM tools today? Or is it still kinda early and it's like there's an adoption curve, and... Or is it gonna just be in the hands of the vendors?

    8. RN

      Well, I, I think the best thing about the security industry, uh, is that there's also the security cottage industry of, like, it's not the fancy security vendor who's, you know, buying the CISO stake and having them drive Ferraris around Vegas every August. It's, like, just a strong, like, security engineer who's just hacking something together. And so some of the best companies that I've seen, you know, are just that. Uh, and, and so you're seeing all these, like... There, there are cool projects out there. Um, you know, I, you know, I, I don't wanna name drop too many of my friends on this podcast, but, like, you know, just s- like, the, the stuff that Socket's doing, just, like, analyzing NPM dependencies. Like, you know, e- even just, like, stack analysis, like, looking for, like, you know, hey, you, you dropped sensitive information in the middle of your code base. Like, that's, like, such a messy, hard problem, as any, like, computer science can, you know, person can tell you. And, like, these things are pretty good at reading code (laughs) , you know? So, like, all sorts of just basic stuff like that is, is starting to, to pull through, so...

    9. EG

      What do you think is the biggest, um, risk or cyberthreat from this technology?

    10. RN

      Oh, I mean, like, it can be a human. And, and I'm just, I'm just talking about the text models, right? Like, so much of cybersecurity is just text. Uh, and there's nasty hacks, you know, that are, that are reported, you know, where someone's voice was faked very convincingly and they made a phone call and blah, blah, blah. Like, humans, you know, trust humans through computers. Uh, that was, I think, the key mistake we made (laughs) , you know?

    11. EG

      Yeah, I guess there's a lot of APIs now that do voice cloning, like LMNT or, um, Eleven or some of these other folks, right? And so basically, I guess the threat is that somebody voice clones, and then they can use it to call you and pretend that you're, they're your bank and ask for permission to do a wire or spoof you on the other side, where...

    12. RN

      It doesn't even have to be that hard. Like, as in the standard, like, you know, new employee joins company, receives text message claiming to be CEO thing. Like, it works at scale, you know (laughs) ? Like, uh, so, like, it, it's... Y- you know, the sheer amount of, like... You know, you go, you go see these attacks that, that random bad guys are sending to people, and, like, they're not even, like, using grammar properly. Like-

    13. EG

      Yeah (laughs) .

    14. RN

      ... if all they could do was-

    15. EG

      Yeah.

    16. RN

      ... like, spell check the bad guys, and that's all you were using, like, whatever off-the-shelf, you know, open source LLM for (laughs) , like, even that would make a, a, a difference materially on, you know, cybersecurity policy returns (laughs) .

    17. EG

      How bad do you think this gets and what timeframe? So say we're at, you know, it's three years from now and we're at GPT-6 or something. Do you have any predictions in terms of the, the sort of effective threat level or the capabilities or what might happen then?

    18. RN

      Yeah, I think we all kind of, like, wonder about this. Um, I was talking to somebody from the White House who was like... trying to figure out how to talk about

  3. 11:50 - 15:39

    Predictions on Effective Threat Levels from AI Hacks

    1. RN

      security in LLMs a little bit. Like, think the operative analogy that ended up helping was, like, Bronze Age versus Iron Age kind of thing. And that, like, if you're, you know, if you're, if you're a, a, a, like, a tribe or something and you have bronze weapons, and your neighbor next door gets iron weapons, uh, then, like, you're, you're gonna have a bad time. Like, you're gonna need to go and get iron weapons. And so all of this talk about, like, you know, we need to, you know, airstrike the data centers and, and prevent it from being aligned or not aligned or whatever the current term is. Like, that's like saying, you know, well, this super high grade carbon steel from space, you know, needs to be restricted. But honestly, like, if someone's got iron weapons against your bronze armor, like, good night (laughs) , you know? And so these LLM things, it's, it's a step function. Like, you know, forever often, you know, we used to whine that we only had, you know, 140 characters and not, like, flying cars. Like, technology does give you step functions every once in a while, uh, and, like, this is just that, you know? So it doesn't mean that, like, you know, we're all doomed now, uh, and I think we... Getting a, a s- like, a sense of the scope of the threat is really hard in cybersecurity, 'cause you could be like, you know, "Hey, you know, we're a Fortune 500 and we left the front door open for a year and no one walked in it. Like, hackers are fake. Cybersecurity industry is BS," right? Or you can be some, like, little no-name company and just get run over, and you're like, "The barbarians are at the gate." And it's, like, really hard to know exactly what you're up against, right? Uh, but what's interesting is that, like, automation, like, it's like the, you can be more human and you can... Like, one human can now supervise a thousand humans, you know?
      You don't need a room full of, like, jerks trying to hack grandma or whatever, uh, when honestly, like, one jerk will now suffice, you know? With a for loop (laughs) , you know?

    2. EG

      Yeah, yeah. To that point, it feels like there's a, a few different types of actors in the cybersecurity world, right? To your point, there's sort of individual players. Sometimes that's ransomware, sort of financially driven folks, and then there are state-based actors, right? And it seems like some of the attacks we had a year or two ago on parts of our more physical infrastructure and supply chain may have been through state-based actors. How do you think about that in the context of these things? Is it, you know, we must continue to invest in LLMs at scale as a broader national security side of things? Does it modulate your thinking at all?

    3. RN

      Yeah, I mean, uh, fundamentally, like, you have to invest in cybersecurity. Like, my, my moral basis for cybersecurity existing is that it is essentially, like, the, the waste heat of all other innovation in, in computing and information, which is like, you know, if, if a computer is doing something new for you that it wasn't doing last year, then, like, the utility of that will drive adoption. And then, like, cleaning up after it for, like, whatever the side effects of that are, uh, is what, you know, essentially cybersecurity, you know, does, right? And so we are the, the cleanup crew for all other innovation, uh, which is, you know, it's, it's a, it's a living, it's a- you can... It's an honest living.

    4. EG

      It's a living (laughs) .

    5. RN

      (laughs) So, whatever innovation happens, like, the entire world will adopt it before they realize, like, "Oops, it messes up democracy," or, like, "Oops," whatever, you know? Like, utility drives adoption, not safety, like, welcome to Earth (laughs) , you know? And so, uh, so I, I think, like, the, on the, the nation state side, like, it, it's... You know, you don't have to even be hyperbolic with, like, you know, "It's the atom, it's the whatever." It's because, like, you know, fundamentally, like, intelligence is now a commodity that we can arms race, you know? (laughs) Like, weird. You know, it's, it's not, uh, you know, like, atomic power can arms race. Like, no, like, intelligence itself can now go Red Queen.

    6. EG

      Yeah, that was the original premise under OpenAI, right? The concern was that, uh, Google and a few other folks had an- uh, you know, real advancements in AI, and they were driving most of it. And so OpenAI I think originally was meant to be kind of a counterbalance to that, so there wasn't a single player

  4. 15:39 - 20:17

    Democracy, the Department of Defence, DARPA and Cyber Security

    1. EG

      that would effectively dominate all of AI, or if it was, it'd be under this sort of, um, philanthropic, uh, guise, right? And so it's, it's ins- er- it's interesting that even in the early days of this stuff, um, a lot of the emphasis was on this, "Let's avoid some over-aggregation of power, uh, within AI."

    2. RN

      But if you have a lot of intelligence that is extremely online, like, you, you have a, a ton of power, and, you know, the, the West, I think, is especially vulnerable to this. Like, open societies, I think, are extra vulnerable when it comes to InfoSec stuff, because, like, we, we put it all out there. We, we adopt these systems, we open them up, we let the private sector totally handle them, you know? Like, we, we, we are early adopters of every digital technology, and we are very happy to wave our soft underbelly on the internet (laughs) as a society. We don't, we don't lock it down (laughs) .

    3. EG

      How, how does that differ from totalitarian states, from a cybersecurity perspective?

    4. RN

      Like, you could literally, you know, if you're like North Korea, you're gonna say, "You're all gonna use this Linux distribution." "But it doesn't support, you know, whatever I want." "I'm sorry, we're an authoritarian state." Like, "Oh, oh, well, what" you know, like, "What if I get phished?" "Sorry, like, that's not how bank accounts work in our country." You know (laughs) , like, it's just like, you can control information, you know? You can't... This usually gets, like, viewed through the lens of, like, social media disinformation. If you can, you know, regulate and lock down, you know, the entire social media discourse, then, like, you know, what election is going to get hacked (laughs) and where would it get hacked, you know? Uh, but the same thing, I think, holds true for all of, all of cybersecurity. The other interesting, you know, like, way of looking at this that's always kind of baffled me is that, you know, if, if cyberspace is a space, right? Like, in, in, like, U.S. military terminology, it is a command. Just like, you know, North Africa is a command, like, cyberspace is a command. Like, William Gibson, you know, would be proud, right? But, like, in this space, like, you are kind of on your own as an American (laughs) . Like, you know, it's like, if I, if I was in, you know, like, like, the, the military protects Americans and guards our borders. What does that even mean (laughs) , you know, with, like-

    5. EG

      Yeah, yeah.

    6. RN

      ... cyberspace? Like, "I hope you've hired a CISO," uh (laughs) , you know? Like...

    7. EG

      Is there anything specific you think the DoD should be doing relative to these sorts of threats right now? Or if you were magically in charge of it, like what, what would you change or what would you do differently?

    8. RN

      I mean, they do a fantastic job in a lot of levels. Like, I'm, you know, it's like, obviously, like we were all, had to, the Valley had to deal with, like, Snowden and everything, you know, 10 years ago and whatever. Uh, and I'm, I, I'm not, I don't need to take a side on that one. But the point is, like, we have some pretty incredible people, you know, doing offensive stuff as well in cybersecurity, and deterrence works pretty well a lot of the time as w-, you know. So I, when it comes to LLM specifically, I think everyone is still figuring out what the hell is even going on, you know. Like, it's, it's gonna take them a while. I think you see DARPA doing really interesting stuff, you know. Like, there are interesting projects out there, um, but I think, e- and this is maybe a motif that I see broadly with LLMs, is like, you know, the, u- un- unless you go super, super deep on this stuff, you kinda see everything through the lens of, like, the popular discourse of ChatGPT. Like, whatever, you know, the, the, the, you know, uh, The New York Times or whatever has said about ChatGPT, or whatever experience you had the first time you used it six months ago when you were on the free version is how you see everything. And so they'll be like, "We need to make sure it doesn't make stuff up. We need to, you know, have it generate blah, blah, blah." Like, it's, it's all kinda like Order Zero stuff. I think people have yet to realize that, like, the computer can think in, like, a much more salient way than, like, it ever could before. And so I, I think people are still playing catch-up.

    9. EG

      Yeah. That makes sense. Yeah. It feels very underappreciated. Yeah. I feel like there, in general, people are viewing, um, AI as this continuum where it's like, it's a CNN, an RNN, and now we have transformers and it's just a straight line. And instead, obviously, it's a big discontinuity in terms of capabilities, and I think most people still don't think about it that way, or at least I should say many people, particularly outside of tech. And I actually think it's underhyped in all sorts of ways, which may be a different conversation.

    10. RN

      Shovel-selling is overhyped, but I think the, uh, the, the thoughtful, you know, discourse on what our society will be like in 10 years is probably underhyped (laughs) .

    11. EG

      Yeah. Yeah. Good point. So one of the big debates that people have in this area is what degree of things will go to incumbents versus startups? And in security, the incumbents are really strong, right? They are very good at buying things and bundling and cross-selling and sort of the traditional enterprise playbook, which parts of tech have sort of forgotten for a while and maybe are coming back to now that we don't have ZIRP anymore. Um, how do you, uh, how do you think about the things that incumbents will do versus startups? Like, is there any

  5. 20:17 - 27:13

    Is there room for startups in the Cyber Security industry?

    1. EG

      room for startups right now in the sec- on the AI security side?

    2. RN

      I mean, there's, there's always room for startups. The cynical take here, or like the, the, the take I can give that is perhaps most informed and most cynical, uh, whether this is whatever uninformed, informed pessimism versus informed, uh, whatever, is, uh, is that basically, you know, in the cybersecurity industry, there's some basic economics, right? There's, if, if you care about this, like, there's a great paper that is actually required reading for everyone who's ever joined Material, which I've never enforced. Uh, but it's called The Market for Silver Bullets, right? Like, Ian Grigg wrote it. I think I've sent it to you once. And it's like fundamentally, you know, there's, there's like markets for lemons and whatever, but there's markets for silver bullets, which is that, like fundamentally, there's, there's the buyer, there's the seller, and there's the attacker, you know? And so like, the buyer cannot really be sure of the effectiveness of what they're buying and whatever, whatever. And so you can't really, like, look at a solution and be sure that it will save you, right? Like, you know, you, you could buy an insurance policy, you know, and, and there's a, you know, like a truism that all cybersecurity products are just, you know, complex insurance policies or whatever, right? But the, the, the point is like that, that mushiness exists. And so what has resulted in, in, in the free market here is these incredible distribution machines, right? You have, you know, think like Cisco or Palo Alto Networks or even, you know, Microsoft and Google to an extent, right? where they just, they have the sales force, they have, you know, the, the bundle, they have, you know, the, the big conference with all the glitzy stuff or whatever, right? But they don't really know. 
      Like if, if you ask the product manager at that company or whatever, like, and they're being honest, like they don't know what bad guys are gonna be doing in five years any better than anybody else does, right? Uh, and they don't know what's gonna be effective. So why would they plant seeds from scratch when they could just go harvest crops that are already growing and, and transplant them into their yard and water them with all these salespeople and all this bundling and all this market power, right? Uh, and so these, these like paved roads, I think they're just a function of, of the extra, you know, like technological and product uncertainty that is just compensated for. That, that risk must be compensated for with extra low market risk, you know? And so that's what you see. You know, like Cisco just bought Splunk, but Splunk buys things. The whole market just works this way. I think I, I wrote a blog post once where I called it the, the cybersecurity industrial complex, you know, and it's the, they're PE firms, you know, dressed up as innovators, blah, blah, blah, blah. I was angry. I was very angry.

    3. EG

      Ah. Yeah, yeah.

    4. RN

      But, uh, but, but fundamentally, this, this happens. And so that means that we are kind of, you know, entrepreneurs, you know, at, at, at their worst. Like, there can be new great cybersecurity companies. There are... There's still creative destruction that happens, you know. Some of the best cybersecurity companies, you know, didn't really exist 10 years ago, and that's... Like, you can still build big ones. Like, VCs d- you know, don't stop... You know, like VCs, you know, when it comes to cyber stuff, will, will like, you know, just go for base hits constantly, the worst ones, you know. And a lot of the best VCs, like never t- you know, make bets in cybersecurity because, you know, at best you're gonna get a $200 million takeout to Palo Alto Networks or whatever, right? That's the, the typical outcome. But, you know, you can still build these big companies, uh, and, and, you know, people should still try. Uh, but, you know, there's... But that, that, that farm system is still active. Like no one really knows, like innovation will happen. And if the market's big enough and, you know, you don't w- w- w- as a founder, you know, you don't wanna stop the game on second base or whatever (laughs) uh, and you wanna keep going, those opportunities are there. Uh, and honestly, like, discontinuities breed new companies, you know? And there's entire classes of things that are unnecessary and obsolete now. So much of security is, uh, is, is, emitting logs and alerts, and then parsing those logs (laughs) alerts again and aggregating them. You know, I, I spent a lot of time doing, you know, data infrastructure and analytics in my life, you know, before... After my cybersecurity grad degree, but before I started using that degree. Uh, and, and it's just like, you know, s- serializing and deserializing data, and parsing some old firewall thing from 20 years ago or whatever, and like, an LLM can just eat that, you know? Like depending on volume and, and all that stuff.
      But there's just, like, uh, a lot of spend I think is up for grabs, uh, as long as, you know, people have their expectations, uh, in the right place.

    5. EG

      I guess outside of Material, like, um, is there any larger scale security vendors that y- that you've, uh, you know, publicly talked about rapidly adopting LLMs? I know Material's been very fast on it.

    6. RN

      I mean, obviously M- Microsoft had this, you know, top-down mandate, and had a year on everybody, and so they've been, they've been making a lot of noise and, and marketing it. Um, but, you know, and that's theoretically cool, but, um, I don't know how, uh... I haven't used it personally yet. Um, but I, yeah, I, y- you kind of... You probably saw this pattern, which is that, like, uh, you know, kind of the, the growthy companies with the nerdy founders, like, immediately started integrating this into the product, right? Uh, and then the, like, youngish public companies that, like, totally still got it, you know, would do like a thinner feature a little bit later (laughs), you know? The big Fortune 500s are doing science projects, god bless them, you know? Uh, and so I, I think I'm seeing that. And I, I haven't... I've seen plenty of first bucket things that are very impressive. Uh, I've seen, you know, like the, the, the, "Look, you can type in the box, and if you have typos, the LLM doesn't care." You know, I've seen that from, from the public companies that totally still got it, you know? And then, uh, and then the science projects, you know, are, uh, just, just really good for OpenAI's revenue, I, I assume (laughs).

    7. EG

      Yeah, yeah, that makes sense, yeah. And I, I guess there's also sort of the hybrid or overlap or partnership stuff. Like for example, last year I know Material did a partnership with Snowflake to support Office 365 and Google Workspace, and provided sort of enhanced security benefits to joint users. And so there's like... there's also that sort of approach, where you, you partner with the large incumbents to, to bring these new things to market in some sense, yeah.

    8. RN

      Yeah. I mean, cybersecurity partnerships are super, super, super important. 'Cause like people, people hate to have to buy, like, individual things in their cybersecurity stack, but they also hate when they buy a big bundle that sucks, you know? (laughs) So like the, the right answer for the customer is to like just... for, for the vendors to be grownups and to work better together (laughs) where possible.

    9. EG

      Yeah. I guess, uh, more generally, you know, it's been about seven years since you co-founded Material. What do you think are the biggest, uh, changes or evolutions in security since then?

    10. RN

      Oh, that's a good question. Um, honestly, like, I don't know how much has changed (laughs). Like, it's like, you know, people still send emails, people still reply to text messages. I think, uh, you know, the, uh, there's always like the, "But Slack is gonna have all those problems too," or whatever, whatever. And I think at the end of the day, like if something's a walled garden,

  6. 27:13-30:32

    New Challenges On Horizon After 7 Years as Cofounder

    1. RN

      uh, like it will be involved in attacks. You know, someone will go in and like own you because they compromised Slack after they compromised this, and, and escalated their whatever. But like, entirely new attack surfaces of like, you know, ways to get to users from across the internet broadly speaking, uh, like I think have, have, uh, somewhat, somewhat stable. I... What's... The sad thing. I, I spend a lot of time thinking about, like, mobile stuff, and it's, it's sort of this like tragic thing where, like, locked these things down, like hard core now, right? It's actually like super limited what like vendors can do and, and the average employee I think understands that their company probably owns their work email account or whatever, uh, and has, has carte blanche to protect that and protect the company. But, you know, like do you have your phone? Is it my phone? I brought it, I signed it in. Do I have MDM on it? All this stuff. And so, that ends up being the situation where, uh, you know, even Apple who's like so good at locking it down to the extent that, you know, Zuck is super sad or whatever, like will, will lock down the device and prevent, you know, the most, you know, obvious forms of cybersecurity software being made. But like, uh, like but then will sit on the problem for years while like everyone gets run over, you know? So it's, people are, are usually... It's a sad thing in the tech industry that you probably see. People are better at keeping people out of their territory than using their territory (laughs), you know? Uh, it's this very, very nasty, sad thing. So, uh, so I, I think some of these problems I think have just gotten worse, you know? Um, I think there's always the, the, you know, infrastructure story of like, you know, the multi-decade mega trend of people getting rid of their data centers and allowing only a small handful of companies to buy all the semiconductors (laughs) and then renting them from people. That centralization, uh, you know, it's, it's not like the most interesting thing for a lot of us, you know, but it's... You, you go to security conferences and it's, you know, "I, I had to buy these seven things when I had a, had a data center. Now I have to buy this one thing, but it comes with Amazon, but it sucks, but I have to buy this other thing." So that, that trend is not done. And there have been some great companies that have been built in, in that space, uh, in the last seven years that, you know, like I... You'd think that like AWS and Google and Microsoft could, like, keep this shit secure that they're renting you, but no (laughs). You know? Like, so I think that's, that was, that's been one of my biggest probably misses as a, as a, as an investor. Not even independent of security. There, you know, there's years of like, "Well, AWS will handle this one," you know? And then no, they don't (laughs), you know? Even like, Snow- I did diligence on Snowflake's B and told whoever asked me to pass, 'cause I'm like, "Redshift exists. Like, AWS is not asleep at the wheel." And then, you know, AWS subsequently told me when I talked to them about this, they're like, "You know, we get paid either way. Like, we, (laughs) they don't own any CPUs. Like, we can be lazy." (laughs)

    2. EG

      Yeah, yeah, yeah. Yeah, they're the platform, so it works, yeah. Are there other areas, um... I, I know that a lot of founders in both security but also in enterprise come to you adv- for advice as they first get started, um, in terms of starting their companies. Are there other areas of, like, enterprise that you're most excited or interested in right now?

    3. RN

      Oh, man. I have this love-hate thing just with, with security. Like, if I, if there's any founders listening to

  7. 30:32-36:22

    Advice to Founders

    1. RN

      this, like, security, like, like, what's annoying is because it's very mushy, no one necessarily knows what products are effective and whatever, whatever. You can kind of just, like, really put your head down and, like, grind and sell, and, like, build a beachhead with your company. Uh, you know, and, and some might be a totally okay product. Like, I was, I was talking to a great founder yesterday, and they're like, thinking about what to build and whatever, whatever. And, uh, and it's like, take a step back and just, like, try and build an incredibly useful thing that everyone should buy. Stop thinking about the Gartner categories and, you know, whatever, CASB, UBA, SIEM, whatever, DNR, something, something, something. Like, stop, like, trying to, like, look at, at this, like, big, like... And you see these, like, the, some of the cybersecurity, you know, i-bankers and stuff will put out these big quadrants of everything and how it all fits in. The thing that consumer people make fun of us enterprise people for, uh, are, are extra make funnable, uh, in cybersecurity, (laughs) you know? And so, uh, so I, I'm always just like, you know, like, go in, go in there and like, just, like, if it, if it's a thing that connects to an API that everybody uses and saves them all a bunch of time and makes it way easier, like, just build that, okay? Like, stop worrying about your Gartner category. You got, like, five years, uh, to even, like, you know, start paying Gartner, you know? (laughs) Like, stop it. Well, you know how many people I've, like, sent your blog post of, like, what is a good market? Like, market is not the same thing as marketing, (laughs) you know?

    2. EG

      Mm-hmm. Yeah, yeah, yeah, yeah.

    3. RN

      And so, like, that's a product that should exist. Everyone should just buy that. And like, then we have to X-ray it with, like, where distribution's gonna come from and, and like, you know, like, is this gonna be easy to sell on a reasonable time scale and whatever? I think my, my favorite companies that I'm spending the most time with tend to be in security. But, uh, if you, if you want a, a, a, a grouchy yet somehow still optimistic guy, uh, on your cap table, just, you know, give me a call. (laughs) But I, I'm looking to do less stuff in security. (laughs)

    4. EG

      Uh, is there any other advice that you tend to give, um, people starting companies for the first time?

    5. RN

      Oh, man. Uh, y- yeah, I, I mean, there's just the basics, like figure out your team. You know, like, being a solo founder is actually totally okay. It's way better than being like, "We had three coffees together, and we just got married." You know? (laughs) So, like, like, just start with the team. Like, everything is built on the team. Like, it's the saddest thing in the world when you see, like, a beautiful company and then, like, it just, the foundation has a, has a crack in it, and you have to tear the whole thing down, you know? Make sure you have the same, like, risk appetites and stuff like that. Just those basic, basic, basic stuff, like, you know, especially when, you know, we are irrationally exuberant again in Silicon Valley. We had a solid six months of being depressed because the end of, of free money.

    6. EG

      I kind of wish it lasted, um, a year, a year longer or something. I think it would have been very, uh, very healthy for everyone.

    7. RN

      I know, people stepped, like, all the Warren Buffett quotes came back. I think S-

    8. EG

      Yeah.

    9. RN

      ... quotes like, "RIP good times like seven," or whatever, you know, and now it's gone again, (laughs) you know? Like...

    10. EG

      Yeah, it's, it's back to ZIRP if you're in AI.

    11. RN

      Just honestly, like, just pick a good market. Like, look for a lot of dollars and a lot of other shitty people that, (laughs) like, you can take those dollars from. The analogy that stuck for people was, like, the difficulty level of the game that is starting a company is essentially just, like, the size of the market, like the inverse of that, you know? Like, the bigger the market, like, you can, you can eat mistakes. You know, you can, you can burn time. You know, like, you, it's just play, play the game on easy if you possibly can, you know? (laughs)

    12. EG

      Yeah, it's kind of interesting. That's the kind of advice that I tend to give people who are working in AI right now because I feel like there's so much low-hanging fruit. And you see these people doing these incredibly complicated things or incredibly hard things, and you're like, "Why are you doing something so hard when it's an early industry," right? In the, in the latter part of an industry when things have matured and sort of saturated, that's when you do the hard stuff. But in the early days of a new market, you just wanna do the easy stuff 'cause that's, that's very tractable. It's faster. It's easier, you know, higher velocity.

    13. RN

      Right.

    14. EG

      So.

    15. RN

      Like, I'm not the only one with this pet peeve. But you see, like, y- you need, like, really talented technologists on founding teams. Like, I really think it's like, we're in the technology industry. Like, you know, if you leave the MBAs alone, they're gonna do, like, Casper mattresses but for mattress pads this time, but they come with razors on them and stuff. Like, they're gonna follow the same templates. God bless them. They need to exist. But, like, the best companies have a, a technologist, like, you know, maybe not in the CEO role, but, like, someone there. Uh, and, and technologists, like, we love to, to do what we know, and so there's this, like, massive, you know, like, overabundance of engineering recruiting companies and, you know, DevOps, but this time totally different, dev tooling, like, infrastructure monitoring, blah, blah, blah. And it's like, dude, just, like, get out there and, like, learn a market that's not your own, okay? Like, it's just, like, like, the world needs your creative energy, to paraphrase one of our slogans from Dropbox back in the day. But, like, you're gonna have to, like, m- maybe leave your house, sort of, at least on Zoom, you know, and talk to people (laughs) and find, like, find a, find a market, you know? And so, and I think with AI you're seeing just the overabundance of shovel-selling. Like, the world needs next generation Datadog for AI, but not that one 'cause there's already that guy. This one's for testing, but the, not that kinda test, but mobile testing, that one. Yeah, right? And it's like, stop. Like, combinatorics will never let you down.

    16. EG

      Yeah, yeah, yeah.

    17. RN

      There's always gonna be a way to cross these things, (laughs) you know? But, like, how big is that actual market? How big is it? (laughs) You know?

    18. EG

      Yeah, yeah. Makes a lot of sense. So Ryan, thank you so much for joining us today on No Priors.

    19. RN

      Yeah, it was great, Elad.

    20. EG

      Yeah, it was really fun.

    21. NA

      (instrumental music plays) Find us on Twitter @nopriorspod. Subscribe to our YouTube channel if you wanna see our faces. Follow the show on Apple Podcasts, Spotify, or wherever you listen. That way, you get a new episode every week. And sign up for emails or find transcripts for every episode at no-priors.com.

Episode duration: 36:22

Transcript of episode qQv3NcdJpv8