Dr. Jeremy Weisz: 15:35

You don’t have to talk specific pricing, but I mean, I’m looking at your website here and there’s when we talk about big problem, this could be huge for a company. We’re looking at, you know Google, there’s a settlement. This is $350 million, right? Meta 1.2 billion. PayPal 2 million. Uber.

You know, obviously you can go, hey, do you want to spend this or do you want to lose 350 million? So like, how do you decide on pricing? Because it’s obviously a value. But you know, I don’t know how many people are really going in. And I figure I kind of see this as like a really a niche within a niche. Right? It’s just like you’re specific to these AI agents and APIs. So how do you determine pricing early on?

Michael Nicosia: 16:25

Yeah, initially, I mean, you take a closer look at what the industry has done in the past, maybe some of the other successful SaaS organizations, you know, you can think about Palo Alto, you can think about CrowdStrike, and you look at, you know, some of the, you know, even Splunk, some of the models that they use. And how we came about it was just we wanted to make it super simple. And obviously, you know, there’s a big impact if you do get breached and there’s a lot of money associated with some of the breaches that companies have to pay. And not only do they have to pay, obviously, then there’s a brand awareness that creates, you know, disruption from that perspective. Especially if you’re, you know, financial services company or retail company or any other digital services where.

Dr. Jeremy Weisz: 17:09

Lack of trust immediately.

Michael Nicosia: 17:10

Yeah. Because you have lack of trust. So we basically thought, you know, the consumption model like a Splunk and some of the other SaaS organizations use would be ideal. And, you know, obviously the trick is once you have that, it’s simple to kind of identify with. It’s all about how you create that perceived value of the amount of money that, you know, customers are willing to spend on that problem.

Dr. Jeremy Weisz: 17:35

Talk about so like the customer says, like, because I know on your site you help a lot of different types of companies, right? There’s transportation companies, health care companies, retail companies, software companies, finance companies. You know, what does the implementation look like? They go, yeah, let’s do this. Then what?

Michael Nicosia: 17:55

Yeah. Yeah. I mean, it’s super simple. Because normally what happens in our industry is they do a proof of value. And once you do a proof of value, and there’s a variety of ways that we can get up and running. We can do traffic lists where we can, you know, via an API, just get up and running to your cloud environment, whether you’re AWS, Azure or GCP, just like the Wiz model.

And then once you get up and running, you can, you know, we could provide the discovery and the governance part of it and posture gaps that you might have. And then you know, if you and then once you know the customer says yeah let’s go. I mean we could just translate that into, you know, live in production kind of movement. So it literally takes minutes for us once, you know, once the POV is secure into that technical win and into yes, we’re fully deployed and then we can expand whether it’s, you know, a division or then, you know, company wide. It’s very simple for us.

Dr. Jeremy Weisz: 18:51

Talk about your roles between you and Roey because I know you have different skill sets.

Michael Nicosia: 18:58

Yeah. Yeah. It’s very bifurcated if you think. And if you look at it, you know, obviously Roey is way, way more technical than I am. And he’s kind of a genius from a product perspective.

So, you know, he basically manages all of our R&D and product security research team. Obviously our Salt Labs and I do the rest. I mean, if you think about go to market, you know, sales, marketing, you know, operations, you know, and then we split everything from, you know, finance to, you know, HR. So that’s really how we kind of, you know, kind of break up the organization between the two of us.

Dr. Jeremy Weisz: 19:37

I know I’m going to pull up the site again on your site. You know, it says get a free API attack surface assessment. And then it says, see your APIs like an attacker does. So I was looking at that. You know, I was like, yeah, I want to see my what my API looks like from an attacker standpoint.

What is the what does the assessment look like? How does that work?

Michael Nicosia: 19:59

Yeah. Yeah. It’s super simple to do. You can do it on your own. And it’s basically a scan of your environment.

And it gives you an attacker’s viewpoint of what they would see if they were trying to, you know, kind of infiltrate your organization. And it gives you all the details of your APIs, where they’re housed, where they’re, you know, flowing through all of that great stuff. And it gives you some really, really good data in terms of a lot of the zombie APIs or zombie MCP server protocols that, you know, other functional areas within the organization that the CISO isn’t aware of, that just get up and running, right. So it gives you a really good detailed view of what an attacker would see if they were trying to infiltrate within your organization.

Dr. Jeremy Weisz: 20:45

Does the company usually start there? They’re like, let’s take a look at this and see what’s exposed first.

Michael Nicosia: 20:50

Yeah, exactly. I mean, what we normally do is we’ll run it for a lot of our, you know, customers initially just to give them an idea of what that, you know, kind of what their API environment looks like. And we always find some incredible insights that CISOs, you know, kind of have that oh my gosh moment, you know, or wow moment, if you will. And you know from there we just normally move into, you know, the very first thing which is visibility. Right. What do I have? Because I don’t, you know, I don’t know what I don’t know. So, you know, it’s that visibility and then it’s the governance, the posture gaps. You know how, you know what exposures might I have that I can truly jump into.

And we could do that in minutes again. We don’t even need traffic in order for us to be able to do that. It’s surface and then it’s connect. And then once you know, they want to achieve that and then they want to move into protecting their APIs, then we go into, you know, connecting through API gateways or API management tools, you know, to get traffic so that we can create a baseline and protect against any kind of deviation that might be causing them to have any awareness of, oh, I’ve got to take a closer look at what’s happening, you know, in my specific API.

Dr. Jeremy Weisz: 22:14

I’m curious what the evolution of the customer looks like for you, where it started, and kind of what the ideal is now. But I’m curious, when you talk about this, do you have like IT professionals using this on the back end for clients to like are there IT agencies being like, okay, they’re just implementing your technology?

Michael Nicosia: 22:36

Not at this point. Yeah. Not at this point. I mean, it’s something like if you think about, you know, organizations that create managed services for other companies, we haven’t gone that route.

But like one of our you know, obviously we’re a portfolio company of CrowdStrike. I know that they’ve done that in the past, and it’s something that we might be thinking about doing. So it hasn’t really kind of come to our attention at this point in time. You know, we want to make sure that we’re creating the, you know, the value and making sure that the customers see the value. And then once it’s so ingrained in API security or AI security, whatever you want to call it becomes so prevalent that that might be an avenue for us.

Dr. Jeremy Weisz: 23:25

I’m curious, and maybe it’s the same. What does an ideal customer look like now compared to the beginning of the journey?

Michael Nicosia: 23:34

Yeah, it actually hasn’t changed at all. You know, we’re specifically focused on, you know, the Fortune 500, Global 1000 type of organizations. Obviously anybody that you know creates their own application. So if you think of financial services, you know, I’ve got a mobile app that I log into from a consumer perspective, you know, to two retail outlets to transportation to airline industries. You know, we’ve got, you know, the top airline industries that are customers of ours.

So it goes across the board, which is awesome and an opportunity for us and why we’ve got such amazing investors because they see this as a very, very, very big market.

Dr. Jeremy Weisz: 24:19

I don’t know, I love to talk more thoroughly, maybe on the retail side or the airline side. Which one do you think would be better to talk through and like how it works for that industry?

Michael Nicosia: 24:29

Sure. I mean, airline industry, we can talk about that.

Dr. Jeremy Weisz: 24:33

Yeah. Awesome. So talk about it. I mean, I could see there’s a lot of data passing for, you know, passed back and forth. Even when I go to check in, I like to get a physical ticket. So in case my battery runs out on my phone, I’m like going in. I’m typing in this, you know, the code there’s, it’s there’s a lot of data back and forth with email and the app and everything. How does it work for the airline?

Michael Nicosia: 24:54

Yeah. So think about all the airlines, any airline. Now you can, you know you can check in digitally. So they’ve got a mobile application that they check in digitally. They’ve got you know their rewards points are all digital. So think about the mobile app that basically you know you do all of the you know kind of I’m checking I’m buying, you know a trip I’m checking my flight. I’m, you know, checking into my flight. I’m checking bags.

All of those elements are all API driven. So think about the exposure that, you know, that has to millions of consumers that are using or flying you know, that specific airline. And then think about all the sensitive data you’ve got my contact information, credit card information. You’ve got a lot of, you know, sensitive data associated to that, you know, is rich for, you know, kind of a bad actor to want to infiltrate that application and, you know, through the APIs to steal data. Because once I’ve got certain amount of information, I can use it, you know, potentially to other means of digital services that you might be, you know, using whether it’s your bank or whether it’s, you know, I buy, you know, clothes, you know, online, you know, all of those elements. So that’s really, you know, what we’re protecting against and what we’re safeguarding, you know, in that specific scenario from an airline perspective.

Dr. Jeremy Weisz: 26:20

I don’t know how long, you know, the sales cycle is for you. But I mean, in any enterprise when you’re dealing with these companies, I’m sure it’s long. I mean, maybe it’s not as long as like, hey, we have this airline, this airline, this airline, do you want yours? But the first airline or the first couple. So that goes into kind of the fundraising question because, I mean, you need a certain amount of runway to like get in these conversations and have them make the decision. Talk about the fundraising journey.

Michael Nicosia: 26:48

Yeah, I mean, look, fundraising, if anybody tells you that it’s fun, it’s not. It’s rewarding at the end when you do get money. But initially it is a lot of work. And when I say about a lot of work, it’s you have to have kind of like not only a plan of what you’re doing today, but like a three year and a five year plan of where you see the company going and you know, the amount of money that you raise, you know, how is it going to be utilized within the organization as you continue to scale? So you’ve got to have all of these elements budget, you know, you know, not only budget but, you know, sort of spend and calculations in terms of, you know, the growth rate that you’re going to have quarter over quarter year over year, you know, the amount of people that you’re going to hire. All of these elements.

And, you know, initially when it was just Roey and I, we were doing everything right. We, you know, spreadsheets, budget allocations, you know, forecasting, all of it. It is brutal. And, you know, and it’s, you know, probably every organization has gone through. We went through a ton of no’s before, you know, we got our first yes. And then once you get your first yes and then you’re able to stabilize yourself, get customers and you know, see that trajectory, then it gets easier and easier. But it’s hard.

Dr. Jeremy Weisz: 28:07

Was the first yes through Y Combinator?

Michael Nicosia: 28:11

So Y Combinator you know as you’re going through their you know, kind of incubation. Yeah the incubation they actually invest in the company and they give you, you know, X amount of money. And then they’ve got an interesting little scenario in that until you raise, you know, X amount of money. Then they get to come back and do their pro rata if they want or you know, they can invest.

And we were you know, we were lucky enough that during our series D which was led by CapitalG which is Google’s venture arm, YC wanted to like I want to say double down. It was more than doubled down. I mean, they added quite a bit of money to the round because they were so convinced that we were going to be an amazing company.

Dr. Jeremy Weisz: 29:05

Was this before customers or after you started?

Michael Nicosia: 29:08

No, our series D this was after we had.

Dr. Jeremy Weisz: 29:10

Oh after okay.

Michael Nicosia: 29:11

You know.

Dr. Jeremy Weisz: 29:11

Yeah. Oh you’re serious. Oh. Gotcha. Yeah.

Michael Nicosia: 29:13

Yeah. Yeah. So that’s. Yeah.

Dr. Jeremy Weisz: 29:18

What I know along the way, you get no’s, you get yeses, and you probably get a lot of advice along the way. Was there anything that sticks out from investors from the advice perspective whether they invested or not?

Michael Nicosia: 29:30

Yeah. I mean, you know, usually, you know, you’re fortunate enough to understand why they’ve decided not to invest and whether it’s, you know, they’re not sold on the team or they’re not sold on the technology or they’re not sold on kind of, you know, the market potential and or they’re just not sold on kind of your vision of how you’re going to grow the organization. So obviously, the no’s that we got were actually really beneficial because we got so much insight and information in terms of what we needed to do to tweak our story, to make it better, to make it more exciting, to make it more, you know, kind of easier, you know, per se, for, you know, organizations like Sequoia and, you know, CapitalG, you know, to say absolutely, categorically, this is the organization we want to invest in.

Dr. Jeremy Weisz: 30:21

You mentioned, you know, you and Roey, right, early on talk about the evolution of the team. I’m sure like when people invest like, okay, what are you gonna do with the money? And you’re hiring people? What did that team look like? Team growth?

Michael Nicosia: 30:36

Yeah. I mean, first, you know, you’ve got to get your first developers on board. I think we had 10 to 20 developers, you know, because, you know, after YC, we had a number of angel investors just to get started and just to kind of build the development organization and then, you know, as and then Roey and I were doing everything from a go to market, you know, not only, you know, sales, pre-sales. We’re doing marketing, we create our own website. I mean, all of this stuff that we did.

But the focus is really, you know, developers and then it’s product people and then it’s, you know, marketing, you know, product marketing is your first and then sales, right. So, you know, I think the first probably, you know, two years that we started the company or 18 months, it was just Roey and I with developers and, you know, maybe one product individual. And then I think we hired our first product marketing. And then once we had our product marketing, then we hired our first, you know, rep along with an SE. And then things just started scaling from there.

Dr. Jeremy Weisz: 31:41

I know it’s not easy to find good developers. So how did you go about doing that?

Michael Nicosia: 31:49

Yeah, I mean, so, you know, all of our developers, because we’ve got our R&D centers in Tel Aviv, so all of our developers are from Israel. And, you know, the market in Israel from a cybersecurity perspective, obviously, with all the amazing, you know, companies like Armis, Wiz and I can go on and on, it’s really difficult to get talented people. So, you know, not only do you have to have, you know, all the perks associated with launches and, you know, all the nice offices and, and things, but also, you know, they want to be sold on the story, the journey, the growth potential, the market potential. So there’s a lot of discussions of here’s what we think the company is going to, you know, be in the next three, five, ten years. So, you know, you kind of have to have that storyline, that narrative that gets people excited to want to join you.

And then once you show some success, it’s a lot easier because then they read about you and they’re like, oh my God, you know? And obviously when you start raising a ton of money like we have, like, you know, close to 300 million, you know, then you know, it’s like, whoa, something’s going on here at cyber security that I want to be part of.

Dr. Jeremy Weisz: 33:00

And did you have a lot of connections there that helped or?

Michael Nicosia: 33:06

Yeah, I mean, look, you know, you went through the Israeli armed forces. So, you know, there’s a ton of connections associated with that. Obviously, we’ve got a ton of connections to other co-founders of other companies. So yeah, I mean, it’s, you know, Israel is an amazing country and, you know, it’s a close knit community and we leverage as many relationships as we can. Obviously, even investors help from that perspective.

Other employees, you know, so you get a lot of employee referrals. Help us from that perspective. You know, past lives, you know, past companies that you’ve had success with other individuals, you know, all of those things contribute to, you know, the capabilities of hiring talented employees.

Dr. Jeremy Weisz: 33:53

Yeah, it’s super interesting. I did do an Israel Business series on the podcast and had one of the founding engineers at Mobileye, and he did talk about, I think he corrected me at one point. Michael, I think I said like something like, oh, you were acquired by Intel for 13.1 billion. He’s like, Jeremy, it was 13.2. I’m like, oh, I guess that decimal does make a difference in this case. But no, we talked about like just the ups and downs of the journey. I mean, it looks like this clear path, but it was just like, you know, just hills and valleys, even that journey, too.

Michael Nicosia: 34:31

Yeah, yeah, it’s always a lot of, you know, hard work. I mean, I’m giving you all of the, you know, kind of nice highlights associated. But in between those highlights, there’s a lot of, you know, valleys that you have to, you know, kind of crawl through. And it’s sometimes it is crawling through. You know, devastating no’s from a, you know, from an investment perspective, you know, customers not wanting to move forward with you initially just because they feel it’s too risky.

I mean, there’s a lot of, you know, a lot of, you know, areas where, you know, you can get gutted, if you will, on a day to day basis. And, you know, having that positive mental attitude and making sure that you’re focused on your vision is really important because you can get down pretty quickly.

Dr. Jeremy Weisz: 35:16

Yeah. I’m curious, Michael, scaling. From a scaling perspective. I mean, you know, as you grow up, I want to talk about the scaling, but I want to go back to just to give people an idea. Your first customer, how long did it take from, like the idea to you actually got your first customer?

Michael Nicosia: 35:38

Yeah, it took about two and a half years, to be honest. You know, and I say two and a half years because, you know, I’m starting from scratch, like 2016, where it was just an idea. So there was no product or anything like that. You know, to about 2018 is when we really, you know, at the beginning of 2018 is when we got our first couple of customers and it was before our angel investment from S Capital. But yeah, I mean, so it took a while and I always because I’ve been through this journey before, I always say that the first ten customers are your hardest.

It is hard because then after that then you know from ten to like 20 it’s easier, from 20 to 50 a lot easier from 50 to 100, right? Because then you’ve got a proven track record and you can, you know, call other CISOs from a reference perspective. They, you know, they tell you how amazing the product is. They can tell their friends how their product is, you know, what a great customer or what a great partner we are, all of those elements that kind of come into play, which just makes it easier.

Dr. Jeremy Weisz: 36:41

No, I just want to give people a perspective. Because people see, oh, look at where they’re at now. But that’s not how it was in the beginning. And I’m also curious, I don’t know what your family looked like at the time and what you tell them. And if they’re like, Michael, you know, Citrix is looking pretty good right now. Like it’s two years, you know. What does family look like for you around that time? And what’s the conversation and the dialogue look like there?

Michael Nicosia: 37:08

Yeah. Yeah. I mean, you know, I have two kids and it was a lot of sacrifices. So they’re not seeing dad as much because of all the, you know, travel and not only just the travel. It’s also just the amount of time and effort that you, you know, you spend, you know, within, you know, the company outside of the family.

So it’s a lot of discussion points. And look, there’s a lot of sacrifices that we’re doing. It’s going to get better and it’s going to be easier. So definitely you know, not you know, for the faint at heart, I mean obviously, you know, when we started you know Roey didn’t have a family. So it was much easier for him.

But because I had done it before, you know, my family was in tune to the type of effort, you know, and time commitment it would take. So, you know, I was lucky enough to have individuals within my family that understood exactly what we were doing and why.

Dr. Jeremy Weisz: 38:07

Yeah, it’s not easy. So now talking about scaling wise, what are some things you think about when you’re scaling an organization raised beyond I don’t know if it’s beyond a series D, but and you’ve grown the team you have big clients. Talk about now kind of the next phase of your thoughts on scaling?

Michael Nicosia: 38:27

Yeah, I mean, you know, scale for us is all about, you know, people, right? And if you think about all the functional areas, developers, marketing, sales, all of those elements, you just need to continue to have amazing individuals that can not only do what they need to do today, but can grow within the organization so that they eventually can become leaders themselves and hire, you know, themselves, the replacements for individual contributors. So I think the hardest part, from a scale perspective, is always finding the right individuals. The right individuals that you know and you know the story of a players, right. That really can help you continue to create, you know, the solution that provides value to customers and so on. But that’s really kind of, you know, what we think about from a scale perspective.

And I think what’s happening now because of, you know, agentic AI, like it’s exploding because if you think about AI, you know, AI agents, you know, MCP protocols or servers and protocols and agent to agent protocols, I mean, all of those elements are APIs. So it’s like the market is exploding now in terms of the potential of making sure that not only are you discovering these, you know, APIs, you’re also being able to govern them, and you’re also being able to protect them. And if you think about it, you know, we’re the only organization that’s done it since, you know, almost 2016. You know, obviously we’ll continue to do it, you know, and beyond. So yeah.

Dr. Jeremy Weisz: 40:06

In 2016, it’s funny like we’re talking now. Right. That’s kind of normal speak to talk about this. But if you said that in 2016 people are like what the heck are you talking about? There was no ChatGPT. I mean or anything. So I mean there were obviously APIs, but that’s definitely evolved a lot.

Michael Nicosia: 40:24

Yeah. I mean, you know, the conversations were well, tell me, what do you mean by APIs to. Well, why can’t I, you know, like my WAF do this or my second generation WAF do this or why can’t my API management, you know, solution do this? So there’s a lot of explanation of why you are still exposed, even though you’ve got current, you know, security tools in place that, you know, potentially or they thought could manage this. So there’s a lot of explanation as to why we needed to exist and why they were so exposed.

And it’s interesting how that transformation goes from at the very beginning to now. It’s all about, you know, CISOs call us and say, hey, we’re looking at an API security solution. You know, we heard Salt Security is the best. You know, tell us, you know, how we can get started. So that evolution of conversation is immense and it’s exciting.

But at the very beginning, it’s all about explaining why you exist and why it’s important.

Dr. Jeremy Weisz: 41:28

Yeah. I have a question about. I have one last question, but it’s funny because if I was one of your salespeople. Here’s what I would say. They get on the phone. They have like Sam Altman coached us. That’s really all you need to know. Like.

Michael Nicosia: 41:42

Yeah, exactly. I wish it was that easy. But yeah.

Dr. Jeremy Weisz: 41:45

And they just ask another question. Sam Altman coached us.

Michael Nicosia: 41:49

Yeah, exactly. Where do we sign?

Dr. Jeremy Weisz: 41:52

But you talked about mental mindset. And so my last question, first of all I want to thank you. Before I ask my last question, people should check out Salt.Security to learn more. Really amazing story. They have lots of resources there that you can check out even from like an API dummy security in a bunch of other kind of white papers that they have there. So you can check it out there.

But when you talked about mental mindset, I think of mentors and I think of it could be actual mentors that you’ve had, or it could be distant mentors. Maybe it’s a favorite book or podcast or something like that. So when you look back over your journey, who are some, it could be in-person mentors or distant mentors, like some of your favorite books or resources?

Michael Nicosia: 42:36

Yeah, yeah. Look for me personally, and I think Roey would agree, like Carl Eschenbach, who was the general partner at Sequoia, when, you know, he led our series B, who is now the CEO of Workday. I mean, he helped us tremendously. He was amazing. Great, great individual, great human, great mentor, just so business savvy. He also introduced us to a ton of, you know, potential customers. I think about him.

I think about Mark McLaughlin, who’s the former chairman of the board and CEO of Palo Alto Networks. He’s given us a ton of unbelievable insights. And why is that important is because these people have done it before.

I mean, they’ve got tremendous careers and they’re just phenomenal in helping you kind of see above kind of the weeds that you’re in on a day to day basis. So I would mention those two individuals because, you know, we spend a ton of time with them. And you know, we constantly, you know, have, you know, at the early stages like weekly discussions, you know, turned into biweekly, turned into monthly, now in some cases quarterly. But yeah, I would look at those two.

You know, I’m trying to think of a book. The reality is because I spent so much time, you know, from a work perspective, anything that I read, I want to just be, you know, some, you know, pleasing thing that I don’t have to think about.

Dr. Jeremy Weisz: 44:06

So you’re like, not any business books. Just like, exactly my mind off of business.

Michael Nicosia: 44:12

Exactly.

Dr. Jeremy Weisz: 44:13

Yeah, I totally get it. Yeah. There’s one. This reminds me of one of the interviews. And that’s why I love these interviews. Because I learned a lot. And I had Brett Browman, from Khosla Ventures, and he was talking about some of the companies and mentors he worked with. And, you know, so it’s always good to hear because then I go down that rabbit hole and go, oh, that’s cool. I’ve never heard of that person. I’m going to go study and look at some of what they’re doing.

So I encourage people to check those out and just thank you everyone. Check out Salt.Security. You can check out more episodes of the podcast and we’ll see everyone next time. Michael, thanks so much.

Michael Nicosia: 44:54

Thank you.