Uncapped with Jack Altman: The Future of AI Software Security | Ep. 39
Every spoken word · 50 min read · 9,671 words
- 0:00 – 0:40
Intro
- DPDaniele Perito
There is this saying in, uh, uh, security circles that in order to survive a bear attack, you don't need to outrun the bear, but you need to outrun the person running next to you. That's the way that the business has been operating for a very long time. But with AI, you can think about the fact that there isn't just going to be one bear, there's gonna be a thousand AI bears.
- JAJack Altman
That's terrible.
- DPDaniele Perito
[chuckles] Like, so we're really trying to secure the world's software from AI bears, really. [upbeat music]
- JAJack Altman
Today, I'm here with Daniele Perito, who co-founded Faire. Before that, you were a founding team member at Cash App at Square, and you also ran data and security there. And then most recently, you've now become the founder of Depthfirst, which is an awesome AI security company. Really excited to be doing this, uh, podcast with you today.
- DPDaniele Perito
Thank you for having me.
- 0:40 – 4:34
The founding Faire insight
- JAJack Altman
I want to start by learning about Faire and sort of like, what your experience was like there, but maybe if you could take us back to sort of the founding insight or what sort of led to the creation of the company.
- DPDaniele Perito
I would say that Faire was probably a little bit of a contrarian bet. Uh, people at the time didn't think that brick-and-mortar retail was this place where there was gonna be a lot of growth, like Faire proved. But, uh, at the time, Max, Marcelo, and I were talking about ideas on companies to start together with Geoff Golitzen as well, and, uh, Max was introducing a high-end umbrella from the-- from New Zealand to the US market. He was seeing, uh... That was a side gig. You know, he was working at Square, but he had a little bit of a side gig, and he, he was seeing how getting sales on Amazon was extremely hard. Getting into a Nordstrom or a Walmart was also extremely hard, and working with the hundreds of thousands or millions of retailers was just impossible because there were, like, many, many regional sales reps and things like that.
- JAJack Altman
Mm.
- DPDaniele Perito
So we thought that there had to be a better way, and then from Square, we knew that sort of taking risk on behalf of your customers w- it was always a good way to create value because, you know, Square is in the risk management business, in a sense, and we had learned that there. So we decided to give retailers the ability to order and not have to pay for sixty days and be able to return anything that they don't like. So... And taking the discovery risk off of their balance sheet, and then not even asking brands to offer that value prop, but us sort of trying to use technology to offer that value prop. So that was a big insight-
- JAJack Altman
Yeah
- DPDaniele Perito
... in starting Faire.
- JAJack Altman
Did it go sort of the way you expected from the beginning? Like, how linear was it from, like, that concept to just, like, the company, you know, taking off and going the way that it ended up going?
- DPDaniele Perito
Yeah, I would say the pre-- through product-market fit, there was a little bit of meandering. I think at the time, we were un-- we were unsure exactly what was going to give enough value to retailers to order on Faire. We were experimenting with a lot of things. We were experimenting with something called consignment, which i- is a little bit of a technical term in the business, but it's just the ability to, like, put something on someone else's shelves without actually, uh, with without them having to actually buy the merchandise, right? And, uh, we were experimenting with consignment. That was, like, extremely capital-intensive for us and very, very risky. We were experimenting with, like, points programs, and we were experimenting with other things. And I remember one night, this was maybe August of... July or August of twenty seventeen. Max was at a trade show in Atlanta. Every single day, he was at a trade show, and Marcelo and I were in the background, like, coding changes so that he could, like, sell them the day after. And he was just like: "I think we need to go with, like, try before you buy," which is the same thing we've been throwing, experimenting around, which is like net terms plus the ability to return, but I'm gonna talk about it as try before you buy. And so at night, I coded that behind the scenes.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
The day after, he went in front of customers, they immediately got it, and that's when we knew we had something.
- JAJack Altman
Yeah, it's amazing how, like, those, uh, early days, the speed you can move, the way customers react when you do that is crazy. You know, like, I remember we had some experiences like this early on at Lattice, where you, like, take, you know, take some customer's, like, bug, and you fix it within the hour, and then it just, like, it completely changes the relationship. I'm sure you had a lot of that.
- DPDaniele Perito
Yeah, a hundred percent. And I think it's really... You know, product-market fit is this thing that everybody talks about, of course, but I feel like until you see it not being there, to then it being there-
- JAJack Altman
Yeah. Yes
- DPDaniele Perito
... and that shift that is real-
- JAJack Altman
It's crazy. I know
- DPDaniele Perito
... because before the, that actual shift, you try to convince yourself, "I think we have product-market fit."
- JAJack Altman
Yeah, because you don't want to tell yourself you're wasting all your time.
- DPDaniele Perito
Right.
- JAJack Altman
Yeah, that's the alternative.
- DPDaniele Perito
But after that, is that, uh, you actually say, "Oh, yeah, I was fooling-
- JAJack Altman
Yeah
- DPDaniele Perito
... myself before," and-
- JAJack Altman
Yeah
- DPDaniele Perito
... this is actually what it is.
- JAJack Altman
Yeah. I don't know. I mean, for us, we had some-something, something similar, where it's like a product was built, and all of a sudden it went from, like, no to yes. I think maybe there's some companies where it's more of, like, a gradual thing that happens. I don't know.
- DPDaniele Perito
Yeah.
- JAJack Altman
We can talk about this when we get to Depthfirst, but, like, I'm curious, like, how that experience compares to, like, the current experience.
- 4:34 – 10:39
Operational rigor of marketplace businesses
- JAJack Altman
Before we get there, I want to stick with Faire a little bit longer. You, you talked about how, like, it was an operationally intensive business that required a lot of rigor. Can you talk about, like, what that looked like in practice?
- DPDaniele Perito
Look, one of the, our values at Faire is seeking the truth, um, and that is sort of necessary in operating a marketplace business. You are providing value to retailers by having more brands on the platform that can sell to them, providing value to brands insofar as there are retailers on the platform that buy from them. There are all sorts of balances you're trying to make sure that exists between supply and demand. You want to give retailers an amazing discovery. You want to manage risks so that retailers can get as much payment terms on the platform, they can order on terms as much as possible-
- JAJack Altman
Yeah
- DPDaniele Perito
... uh, but without, you know, risking too much on your end. And to brands, you want to onboard them as fast as possible, but also making sure that in their first week, in their first month, they get as many orders as they possibly can. So there is many, many factors in a marketplace business, and, and you're trying to make decisions in, uh, within a system that is highly recursive, where small-- it's chaotic, uh, small changes can sort of ripple out.
- JAJack Altman
Yeah.
- DPDaniele Perito
And so intellectual rigor and data analysis is crucial. But of course, that always needs to be paired with, uh, sort of intuition and, uh, sort of a vision, because otherwise you can be a little bit, uh, too incremental, right?
- JAJack Altman
Yeah.
- DPDaniele Perito
So you want to balance out these two things. But in, in operating a marketplace business, you really need to be rigorous.
- JAJack Altman
Yeah, I often think about that we're like a software business-... you know, another, another cut on this software business has these high margins, and that affords a lot of, you know, error underneath. When you're operating a business that has a different margin structure, let's say, of a ten percent margin versus a eighty-five percent margin, there's just a lot less underneath there that you can operate within. So I imagine the sort of daily workings of the company have to be more precise and measured.
- DPDaniele Perito
Yeah. I mean, one thing to say is that marketplace businesses are not, you know, depending on how you compute them, but usually you compute them over sort of gross revenue.
- JAJack Altman
Yeah.
- DPDaniele Perito
So in general, they are more like fifty percent margin businesses.
- JAJack Altman
Yeah, yeah, yeah.
- DPDaniele Perito
So-
- JAJack Altman
Yeah, I was even thinking of, you know, there's like a business like Amazon or something like that. You know, it's like at the extremes, like, how careful do you have to-
- DPDaniele Perito
Absolutely
- JAJack Altman
... be day to day?
- DPDaniele Perito
There is a lot of, um, rigor that you need to build in. And, you know, you have all of these machine learning models that are making predictions at all times, and the business really relies on them-
- JAJack Altman
Mm
- DPDaniele Perito
... to actually operate and flourish. Uh, the marketplace is really something that needs to flourish, where demand must, uh, meet supply and really-
- JAJack Altman
I'd imagine that means you also need, like, a culture of, like, a lot of testing rather than, like, maybe in, like a B2B company, you can do a lot of sort of just like: Here's a plan. We kind of know this is roughly gonna work. It takes a lot of effort, and you, like, do the plan once. Versus I'd imagine in a marketplace business, there's a lot more like, test things, like, see what happens in reality, and then you can grow programs over time.
- DPDaniele Perito
Yeah, I would say that operating Faire has given me a healthy amount of epistemic modesty and humbleness because-
- JAJack Altman
About, like, how much you can really know?
- DPDaniele Perito
How much you can really know. And I come from academia, right? Where I was trained, in some sense, to be skeptical of my own beliefs. But there is noth- nothing quite like trying to test your beliefs in the market-
- JAJack Altman
Yeah
- DPDaniele Perito
... to actually know the limits of your beliefs.
- JAJack Altman
Yes.
- DPDaniele Perito
Where you will launch in an AB test and be like, "I am certain that this AB test will land."
- JAJack Altman
Uh-huh.
- DPDaniele Perito
And then you'll discover that there is a second, third order concern that you ha-- you will never have anticipated, that completely sort of undermines the hypothesis that you had.
- 10:39 – 12:01
Starting a company now vs in 2017
- JAJack Altman
When you look around, like, AI landscape right now, and you think about, like, comparing this moment in time, starting a company today versus, you know, when you started Faire, does it feel qualitatively different in sort of like the psyche of founders or how people are thinking about these types of questions, or is it similar?
- DPDaniele Perito
Very different. I feel like you could rely on an assumption of some type of steady state system underneath you nine years ago, and right now, the assumption is that everything is about to change every three months in ways that are hard to predict.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
And you have to s- just stay alert-
- JAJack Altman
Yeah
- DPDaniele Perito
... to all the potential changes, and everybody is sort of trying to see where the puck is going, and it's extremely hard. So I would say the level of energy, paranoia, the level... A- a- and I think it's also because the, the, the rewards are-
- JAJack Altman
Much bigger than ever.
- DPDaniele Perito
Much bigger than ever.
- JAJack Altman
I mean, stuff growing faster than it ever has.
- DPDaniele Perito
Yeah, exactly. And so there is just a level of, the stakes are higher, and everything is just so intense all the time. And this was-- I mean, don't get me wrong, things were extremely intense-
- JAJack Altman
Yeah
- DPDaniele Perito
... at Faire too, but it was kind of like we had our market where we knew that it was there, and we, we just had to figure it out within that market.
- JAJack Altman
Right.
- DPDaniele Perito
But now things are just changing all the time.
- JAJack Altman
Right. Both because it's like, you know, the market might completely change, what product you can build might completely change, competition might completely change. Just, like, way faster.
- DPDaniele Perito
Yeah, or we, we might get the singularity in a month, and- [chuckles]
- JAJack Altman
Yeah
- DPDaniele Perito
... everything changes.
- JAJack Altman
That's right.
- 12:01 – 16:22
The inception story of Cash App
- JAJack Altman
Yeah. Can we talk about Cash App, your time at Square, and sort of the beginnings there? So I-- you know, you were on the sort of founding team at Cash App, and, um, you talked to me about how, like, there was a certain mindset that you went into that with, where you're like, you know, taking a bet-... inside a big company. Can you talk about that?
- DPDaniele Perito
Yeah. So this is something that I like to tell people a lot. Just establishing my f- frame of mind at the time. I joined Square as my first sort of corporate job. I was a researcher before, like, in ac- uh, in academia. I was doing a postdoc, and I joined, uh, corporate America, and at first-
- JAJack Altman
Went into industry.
- DPDaniele Perito
Went into industry.
- JAJack Altman
Yeah.
- DPDaniele Perito
And at first, my feelings were, "Oh, my God, everybody's gonna be on top of it. I don't know," you know, sort of, uh, imposter syndrome. But then I think, uh, right after that, I started having this belief, and the belief was simply like, literally, it was stated in my mind as, "Individually, in a company of a few hundred people, there has to be a way for me to, to x the value of this entire business." I don't know how, why I had that belief, but I did. And I think that when you have a belief like that, a belief like that, it has a way of being, uh, self-fulfilling. B- why? Because I think you-- another way of saying it is, if you know-- if you knew that success was, was guaranteed, what would you do to achieve that success? If you knew there was a way, then your brain is just gonna try to find a way through solution space to try to find the set of actions that you can actually take. So the way that manifested itself for me was, Cash App was a Hack Week project. It was spearheaded by Jack. At the time, we were using a trick, which was sending an email cc'ing cash.square.com, and as you know, emails can be spoofed and things like that, so everybody was a little bit worried at Faire, at Square, that, uh, things were gonna get weird with security.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
I was working in security at, at the time at Square.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
And I was just like, "Hey, put me in, coach. I want to work on this problem." And I was like, "I want to make sure individually that this is implemented correctly."
- JAJack Altman
Yeah.
- DPDaniele Perito
Now, a few months later, we moved away from the email trick, and luckily, because we built an app, and it was much better. But the, the other thing that then happened is that, uh, the, our risk losses, our fraud losses from sort of stolen credit cards and things like that, were a little too high. And I remember going to my boss at the time and being like: "I wanna work on this problem. Uh, I think I can make a big dent." And it was still through this mindset that I had at the time, which was like, "What is the biggest thing where I can have an impact?" You know, my-- I think my brain is very sort of anxious, paranoid, and I try to, like, always find ways in which things can go wrong, but that was very well suited to the problem of fraud-
- JAJack Altman
Yes
- DPDaniele Perito
... and, and combating fraud. So I came up with a whole system. I implemented all these rules and, and these machinery models, where I had, like, uh, one or two people helping me at the time. And so we implemented the system, and we reduced the risk losses by eighty percent. We brought them into, um, a sort of range that was actually, like, healthy. And then, you know, in some sense, that allowed Cash App to thrive and survive and, and go on to become the massive business that it is today. I think according to pub- to public data and earnings calls, I think it's a ten-plus billion dollar revenue business.
- JAJack Altman
Amazing.
- DPDaniele Perito
So in some sense, that did end up happening.
- JAJack Altman
Yeah.
- DPDaniele Perito
You know, that belief ended up materializing. Of course, it was a large team, like many, many people had-
- JAJack Altman
Yeah, but it's a good-
- DPDaniele Perito
great impact
- JAJack Altman
... it's a good mindset 'cause I also think when you, um, when you either feel like, "I could work really hard, and nothing's gonna come of it," that's super demotivating. Or if you're like: "I can work really hard, but it, you know, the best I can accomplish just doesn't matter that much," like, that sort of mindset, it's hard to, it's hard to care when you think those things.
- DPDaniele Perito
Yeah, and absolutely, and I think it's actually a mindset that is related to security in a sense, right?
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
Because what do hackers do? Hackers find a way in where nobody else sees a way in. This suspension of disbelief is similar-
- JAJack Altman
For the hacker.
- DPDaniele Perito
Uh, it's similar to how a hacker would think.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
It's like, there has to be a way to create value. There has to be, like, a path for me, a set of actions, a, a few, a few words to whisper to the right people at the right time, a piece of code that I can write, an idea that I can have, a partnership that I can form, a customer, and, you know, whatever that may be-
- JAJack Altman
Yeah
- DPDaniele Perito
... that will inflect the business. And there is. You know, no, I guarantee you, no matter who you are, in whatever company you work at-
- 16:22 – 18:08
depthfirst’s mission
- DPDaniele Perito
outsized impact.
- JAJack Altman
So let's talk about depthfirst. So you're doing it again. Um, you got sort of the, the motivation to, you know, go back through the journey, and you're sort of doing it with full force. What's the sort of idea behind it? What's the mission that you care about with depthfirst?
- DPDaniele Perito
I think I'm doing this again, f- for me, it's a very, uh, mission-driven, um, endeavor. Maybe a year and a half ago, I was listening to a podcast episode between Sam Harris and Max Tegmark, and they had this point that really resonated with me, which was, without much better computer security, we do not get to play the AI safety and control game. If you think about it, AI safety and control are gonna be mediated by software.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
And to the degree that our software is not secure, which it isn't, and we need to make it a lot more secure, then what are we even talking about? And so I was like, "Okay, if I can create a business that is both commercially, uh, successful, but it's aligned with the mission of making the world software more secure, then maybe I can create a flywheel there." And the flywheel is, like, helping secure open source software, building better AI to find vulnerabilities and fixing them in, you know, the software that runs the world, creating infrastructure, open source, anything.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
Creating goodwill with, with that, and on the other hand, using the same technology that we build to create a product a customer, customers want, and here we're talking about corporations like Square, Faire, Lattice, uh, you know, companies that are trying to secure their perimeter, making sure that their customers' data is secure.
- JAJack Altman
Yeah.
- DPDaniele Perito
And I really thought that there was a way to create a massive business with a tremendous amount of positive impact by creating this, like, flywheel. I would say that I think we're, we're starting to get a good way, uh, of the way there, and, like, the pieces are really falling in place, and I'm really excited about the mission. I could not be more excited.
- 18:08 – 26:10
AI security landscape
- JAJack Altman
What's like, broadly speaking, before we get into the specifics, what is the sort of landscape, uh, for security with AI? Like, what's the... If you had to sort of try to, like, describe the most important parts of, like, the new territory now that, like, you know, there's AI, AI-generated code, you know, sort of the ability to sort of, you know, do reasoning, to look at, you know, if you're an attacker. Like, what does this all mean for security?
- DPDaniele Perito
There are multiple lenses through which we can answer that question, but-... at the macro level, like at the mission level, I'll start with the mission level, and then sort of the commercial side.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
At the mission level, software runs the world. There are billions and billions and trillions of lines of code and systems and configurations that make, you know, that turn the lights on, and they operate the banks and all the things. Every sort of serious security professional will tell you that there is always a way in. I think AI is fundamentally changing the equation there. We can go maybe into that a little bit later, if you like. On the commercial side, I think people are figuring it out. Our take at depthfirst, is that two years from now, a company like Faire will operate pretty differently than the way that it operates today. Today, a company like Square or Faire will buy a cert-- a number of, um, SaaS security products. They scan certain subsets of their code or their infrastructure. They do so m- largely using old-school techniques-
- JAJack Altman
Mm.
- DPDaniele Perito
-like heuristics and rule-based systems. Those techniques necessarily have higher false positives, lower detection rates, and can only discover shallower problems. With reasoning and AI, what we really see happening is a convergence of all of these sub-categories in security. And essentially, what we're building is an AI security engineer. Think about a swarm of independent agents that are going through your organization, going through the Lattice infrastructure, and they're saying, "Hey, there is a code bug here-
- JAJack Altman
Mm-hmm
- DPDaniele Perito
... that allows someone to log in as someone else." And nothing before could detect that. That was not possible. It needed, like, the intuition and judgment of a human.
- JAJack Altman
Yeah.
- DPDaniele Perito
But today, we're starting to approach the, the point where we can do that. Or there is a misconfiguration in your cloud that will, will allow someone to get in into this way. The pieces were there, the de- detection rates were lower, the false positives were higher. The technology only before only allowed to, like, solve a little sliver of the problem.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
But with AI, we really think we can put it all together-
- JAJack Altman
Yeah
- DPDaniele Perito
... and make it feel like you have an AI security engineer all, all the time.
- JAJack Altman
Should it end, like self-driving, you know, to a degree where it's like you don't need to like name, "Okay, here's it for permissions, and here's what we care about for logins, and here's what we care about for API keys," and whatever else, and you're able to just say, "I want this thing to just very intelligently say, like, what are all the possible vulnerabilities, and just swarm and look at it all?"
- DPDaniele Perito
I think a lot of that is true. I think there is probably the human element, uh, is still gonna be something different.
- JAJack Altman
Like, call somebody, be like: "Oh, I dropped my password. Like, can you give me your login?"
- DPDaniele Perito
Yeah, I think the human element, I think there is always companies that need to, like, understand how to interact, uh, with the human side-
- JAJack Altman
Yeah
- DPDaniele Perito
... and make sure that they authenticate properly, and they don't do something.
- JAJack Altman
So on the software side-
- DPDaniele Perito
On the software system side-
- JAJack Altman
Do you think that's basically where this is getting?
- DPDaniele Perito
... I think there is going to be a great unification. Because the technology, I mean, to me, it's just a mechanistic-
- JAJack Altman
Mm-hmm
- DPDaniele Perito
... claim. Before, technologies could address small slivers-
- JAJack Altman
Yeah
- DPDaniele Perito
... of problems, and now the technology is actually able to generalize a lot better.
- JAJack Altman
Do you think, in theory, at the end state, like let's go ahead four or five years and just assume things kind of stay what we expect, which who knows what we expect, whatever that means. Do attackers or defenders have the edge over time?
- DPDaniele Perito
So I think it's a dynamic system. Um, I'll, I'll use an analogy. Like, perfect security is not achievable, and I think this might seem like a scary claim if you're, if you're not into security, but everybody understands this intuitively. Like, everybody knows that there is no such a thing as a perfect bank vault, that a bank vault is only as secure as two things. Number one is, how difficult we can make it to attack it, to, like, get in. [chuckles] And that's a matter of, like, cost, equipment, expertise to actually, like, drill into it or-
- 26:10 – 31:15
Security is a fantasy world
- DPDaniele Perito
because I want to sort of tell how-- to people how cool security is.
- JAJack Altman
Mm.
- DPDaniele Perito
So I got into security originally in grad school because of how fantastical it is. You know-
- JAJack Altman
Yeah, it's funny-
- DPDaniele Perito
... there's attackers, and defenders, and firewalls, and bashers.
- JAJack Altman
Yeah.
- DPDaniele Perito
It's really just like a fantasy world.
- JAJack Altman
It's really funny 'cause like with security, like, uh, the, the excitingness of it ranges from like password manager and, you know, just like somebody at your company telling you, like: "Hey, you got to follow these protocols." Like, that's one side, and then the other side is like Ocean's Eleven.
- DPDaniele Perito
Exa- [chuckles] exactly. So people... I think the first thing, if I ever say, tell someone that I'm working on security, I think the first thing that they think about is just like: "Oh, shoot, the other day I had to reset my password."
- JAJack Altman
Yeah.
- DPDaniele Perito
"That was painful." Like, I think that's the first thing they think about, but the reality is that what they should really be thinking about is those crazy hackers that are doing, like, daring-
- JAJack Altman
Yeah
- DPDaniele Perito
... things to get into systems-
- JAJack Altman
High-level government agencies and stuff.
- DPDaniele Perito
High-level government agencies. That actually is what security is at the limit.
- JAJack Altman
Uh-huh.
- DPDaniele Perito
And it's incredibly intellectually stimulating. It's really just at the edge of technology.
- JAJack Altman
It's also possible that, like, sort of like by the end of, like, the cloud software generation, like, it was getting a little bit boring, and now with AI, it's like back to this, like, very fresh thing.
- DPDaniele Perito
Right, because I think it goes back to that point I was making, which is security is relative to the level of attacks, right? So we had reached sort of a steady state where a company like Faire or Lattice could operate and having a team of ex-security engineers, and business would go on, and the likelihood of attacks was relatively low. So you could just do your thing-
- JAJack Altman
Yeah
- DPDaniele Perito
... and, and, and put security a little bit on, on the, on the back burner. There is this saying in, uh uh, security circles that in order to survive a bear attack, you don't need to outrun the bear, but you need to outrun the person running next to you. I think that's the way that the business has been operating for a very long time. But with AI, you can think about the fact that there isn't just going to be one bear, there is going to be a thousand AI bears.
- JAJack Altman
That's terrible.
- DPDaniele Perito
[chuckles] Like, so we're really trying to secure the world's software from AI bears, really.
- JAJack Altman
Why does it seem like security is its own sort of ecosystem, echo chamber world? Like, to me, I'm not like, d- you know, I was lucky to invest in you, but in general, I don't do security companies, and I... What I've found is it seems like its own world. Why is that? Like, why is it not similar to just, like, other software categories?
- DPDaniele Perito
For context, I was in charge of security at Faire, uh, during my tenure there, uh, and I had a team of folks that was super talented, su- is super talented and as, as well as Cash App that was within the Square ecosystem. I would say that security is such a different market just because of how hard it is for both buyers and sellers to know what they're buying and what they're selling. Like, when you're selling, say, observability software or databases, you know, someone can try your database, you make a claim, I test it, I see it, and it's done. If I run a company like Faire, I don't necessarily know everything that is wrong or like Lattice or anything, or any other business, really. And a vendor, a security vendor comes in saying, "I think these things are wrong." And I was like: "Are they really wrong?"
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
First, you don't know, because the claim may be partially incorrect, because many security issues may be false positives, because it's almost true that someone could take advantage of it, but there's this one little detail that makes it not true, right?
- JAJack Altman
Right.
- DPDaniele Perito
So first, you need to in- investigate every single claim, right? So that's the first part. Sort of really, both the buyer and the seller might have different opinions on what's really a false positive and what's really a true positive.
- JAJack Altman
Mm-hmm.
- 31:15 – 38:27
Building superhuman attackers for defense
- JAJack Altman
Getting into sort of the tactics of depthfirst, what are the important pieces of technology for you all to build to be able to accomplish this?
- DPDaniele Perito
Yeah. So maybe let's digress a little bit. Uh, so I'm one of the founders. I'm the executive chairman. Kasim is the CEO. He comes from Databricks. He was, uh, director of, uh, infrastructure there, also in charge of security. And then Andrea is the CTO. He comes from DeepMind, and he was one of the authors of, uh, AlphaDev, which is the reinforcement learning algorithm that found a better way to sort than hash on Google. And I think this is almost like the perfect team to, to go after this problem because AI... So to answer your question, AI has a big infrastructure component, especially when you're doing AI for security. We're doing these technical things. I don't want to go into much tech-- too much technical detail, but we're spinning up Docker containers to, like, run code inside so that the LLM can test whether certain hypotheses are true or not. And having hired a bunch of folks from Databricks has helped us a ton-
- JAJack Altman
Mm.
- DPDaniele Perito
-in setting up that infrastructure. People have been calling it the scaffold, the harness, but, you know, it's our intelligence layer that allows us to really repurpose the technology that we built on, on each new, uh, problem. So vulnerability discovery is one thing we've applied it to, but we also applied it to other things. And each one thing that we apply it to becomes easier and easier because we built, like, a really solid AI infrastructure there.
- JAJack Altman
Mm.
- DPDaniele Perito
The second piece is more like the deep research side, which Andrea has done before at DeepMind. Fundamentally, I believe that reinforcement learning, plus, uh, large language models, will allow us to sort of create a superhuman hacker for defense purposes. We're talking about the fact that systems, you know, we're only able to find a certain low fraction of the real problems that existed.
- JAJack Altman
Yeah.
- DPDaniele Perito
And that was because the, the other problems were deeper and deeper and deeper and more and more complex. And I think with reinforcement learning, we can teach these LLMs to go deeper, to, like, find those clever ideas that will allow them to put two small vulnerabilities together and combine them into something that is actually real. We have some security researchers on the team coming from Apple and, uh, um, security services like IDF, and the way that they, they work is phenomenal. Like, their, their brains work differently. When Mav on the team tells us that he's discovered a vulnerability with our LLM-
- JAJack Altman
Mm-hmm
- DPDaniele Perito
... and how he's, like, he verified it and how he actually sometimes pieces it together, it's, it's wonderful to see.
- JAJack Altman
Is that way of thinking learned, or is that, like, a certain brain type that exists from the beginning? Is it something that comes out of experience, or is it something that's by nature?
- DPDaniele Perito
I feel like just almost like everything, it's probably a combination of nature and nurture. Personally, I feel like the-- my inclination of being a little bit of an anxious, paranoid person, that is always trying to see how things will go wrong-
- JAJack Altman
Mm-hmm
- DPDaniele Perito
... helps. It's definitely like the background thread in my brain that is constantly seeing how-- catastrophizing and seeing how things can go wrong is definitely helping in that pursuit. And there are definitely people that are more apt at sort of stepping out of the box and seeing things from a different angle, which you clearly need. But I will say that it's probably just als- almost like every other thing. It starts with probably a small talent, which then tells you, "Oh, I'm good at this."
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
And then you, you-
- JAJack Altman
Yeah
- DPDaniele Perito
... you invest more in that.
- JAJack Altman
Yeah.
- DPDaniele Perito
And then you get better at it. But if my-- if I had to guess, the seed was actually quite small, and it blossomed because you invested a lot of time, because you were good at it.
- JAJack Altman
So this is sort of like some of the technology underlying, you know, the, the product. And then, I guess, is the idea with the product itself, should it get to a place where, you know, a customer can basically just install depthfirst, and they just know that you're constantly exposing vulnerabilities at a way higher rate than people, and you're doing it more thoroughly, faster, cheaper? Is that basically it?
- DPDaniele Perito
Yeah, that's the goal. And I think by training our own, uh, post-training our own, uh, LLM, uh, which we're experimenting with right now, the hope is that we will have a technological edge, and we can tell customers. I think it's, it's two things. One is the technological edge of our sort of AI stack, and then two is really thinking about the problems the right way. So, for example, we started with code, but, uh, we are now telling customers, "Hey, if you link your staging environment, we can test the findings against your staging environment to tell you whether something is real or not." So I think, uh, expanding into other areas that our customers, uh, care about is gonna be crucial. And really, def-- uh, giving them an interface, whatever that may mean. You know, right now we have a web app.
- JAJack Altman
Mm.
- DPDaniele Perito
But I'm also thinking that at some point, you need to be able to talk with this thing as if you were talking with a security engineer-
- JAJack Altman
Right
- DPDaniele Perito
... being like: "Hey, can you double-check this thing, please, for me?" And then giving the AI access to the components, giving them the context. I think the context is super important. Another thing about security is that it's really context specific. If you're opening a social network, the fact that people can see a customer's profile is the way that it works.
- JAJack Altman
Yeah.
- DPDaniele Perito
But if you're creating a, you know, corporate Slack platform, you know, a messaging platform for corporate, you probably don't want the profiles to be public. So that's context specific. So our, um, systems, again, as I said earlier, spend hours in a code base, sometimes going into the old commits.
- JAJack Altman
Mm.
- DPDaniele Perito
Because if you think about it, whether something was done differently earlier than it is done today may tell you, "Hey, we actually had an assumption a year ago about how this thing was supposed to work, but now it's not like that anymore. Why?" And so it's really about building a centralized repository of context about the security posture and organization, and that's what we're building. Then adding agents-... they can go in and say, "Let me look at your code. Let me look at your infrastructure. Let me look at your configurations. Let me look at-
- 38:27 – 39:14
Roles of humans and AI in security
- DPDaniele Perito
there is some.
- JAJack Altman
Do you think of depthfirst, you know, when it's a security engineer operating on the team, is it like, is its role to, like, help manage the human security engineers, or are the human security engineers managing the AI?
- DPDaniele Perito
I think it's gonna be a collaborator. I think it's gonna be—like, the humans will probably have the ultimate amount of, uh-
- JAJack Altman
Final say?
- DPDaniele Perito
... final say in context. I think, I think you still need that, um-
- JAJack Altman
For now. Probably one day you don't.
- DPDaniele Perito
At that point, it's not this company that changes. I think the whole in, the whole society changes, and I don't know what happens-
- JAJack Altman
By the time that's happening, it's like all these rules don't apply anyway. [chuckles]
- DPDaniele Perito
Yeah, and then I think we need to figure-- we need to have an entire different conversation as a, as a society about w- what, what's going on. But before that, I think that, uh, no, the security engineers will be the ultimate judges of, of what's going on and making sure that everything works.
- 39:14 – 45:27
Platform vs pipeline businesses
- JAJack Altman
Okay, I want to maybe kind of switch to, um, back to sort of like generalities around building this company versus building Faire. And we talked a little bit about sort of like the mindset of like, the grounds are shifting faster, the rewards are bigger than ever, so that kind of changes some things. I also imagine just that in some ways, like, the types of culture inputs that you want are a little bit different. Maybe the types of people are a little bit different. Like, what have you found when you take that difference in the sort of environment? How does that apply to, like, building a company now in this era? Like, whether it comes to recruiting or, you know, the way you manage the team or anything else like that.
- DPDaniele Perito
So there's this book called The Platform Revo- Re- Revolution, and they talk about two types of businesses: platform businesses and pipeline businesses. Platform businesses are dual-sided marketplaces, social networks, and things like that.
- JAJack Altman
Faire.
- DPDaniele Perito
Exactly, like Faire. Pipeline businesses are businesses that produce a service or good and sell it to their customers, and there aren't many interactions between the customers, or there isn't, like, a lot of interaction on the other end.
- JAJack Altman
Mm-hmm.
- DPDaniele Perito
I would say that in a comp-- in a platform business, a marketplace like Faire, I think you need to keep a tighter grip on the business just because everything is so interconnected that it's hard to just let people completely run with things, because there is always gonna be second- and third-order things that might happen. In a pipeline business, I'm, I'm noticing with that first, I think there is a little bit more of, uh, letting, letting a thousand, thousand flowers bloom and seeing what works. But, um, so that's one potential, uh... But it's, it's a small difference. I'm, I'm not saying that it's huge. I mean, you're-
- JAJack Altman
No, it makes sense. So it's almost like you just, you need, um, you need, like, greater coordination of efforts in a marketplace business versus a pipeline business. You need like a... You, you basically need systems that, like, let the flowers bloom.
- DPDaniele Perito
I think so. I think so. I think that's a, I think that's a fair characterization, so that's one thing. Though a lot of things are the same. For example, one of the things I, I tell folks, uh, that I work with is: Don't shy away from putting thirty data points on a spreadsheet, and look at them-
- JAJack Altman
Mm
- DPDaniele Perito
... and see what's going on. And da- data points here is a generic term. It may be, like, thirty customers, it may be, like, thirty issues of, uh, chargebacks on your platform. It may be whatever it is.
- JAJack Altman
Thirty is, like, approachable. I'm like, I could do that in two days for most things.
- DPDaniele Perito
Yeah. Yeah, it could be two days, it could be two hours. You know, just spend some time. You're gonna... A few things are gonna happen. One, you're going to build so much intuition about whatever that is.
- JAJack Altman
Mm.
- DPDaniele Perito
You know, you're gonna be like: "Oh, actually, that is how that works," you know, and, and, and that is already incredibly valuable. But then I think it forces you to overcome this almost, like, anti-pattern that we have as tech people, which is, like, we want big data.
- JAJack Altman
Mm.
- DPDaniele Perito
Because, you know, that's the only way to know. Like, a lot of data is the only way to know. But the reality is that with thirty data points, you're going to know whether something is sixty percent plus or minus ten percent, or it's ten percent plus or minus ten percent, and you can, like, know a lot from that fact alone.
- JAJack Altman
Yeah.
- DPDaniele Perito
You know, is your conversion rate, is your chargeback rate, whatever that may be-
- JAJack Altman
It's roughly good, or it's roughly bad.
- DPDaniele Perito
It's roughly good, or it's roughly bad, and make a decision.
- JAJack Altman
Yeah.
- DPDaniele Perito
And then, you know, take the top three things you've learned and try to, uh, uh, address them. So even like in everything, like when it came to Faire, like actually get a bunch of search results and look at them one by one-
- JAJack Altman
Mm-hmm
- DPDaniele Perito
... and form an opinion about when is it that you don't think they're good enough and why, and is it because they're completely irrelevant-
- JAJack Altman
Yeah
- DPDaniele Perito
... or is it because they're, uh-
- JAJack Altman
Yeah
- DPDaniele Perito
... just, yeah.
- JAJack Altman
Even though it's, like, s- theoretically a little bit less accurate, I also think when you spend time in thirty anecdotes versus, like, three thousand, like, sort of unemotional pieces of data, it's just very different.
- DPDaniele Perito
Yeah, and, you know-
Episode duration: 45:27
Transcript of episode 3SIY1Y7fy6M