
SNEHAL ANTANI

Snehal Antani is the CEO and Co-Founder of Horizon3, a cybersecurity company pioneering enhanced, autonomous penetration testing powered by AI. Before launching Horizon3, Snehal served as the CTO at Splunk and later as the first civilian CTO for the U.S. Military’s Joint Special Operations Command, where he gained a front-row seat to offensive and defensive cyber warfare. In this episode, Snehal discusses scaling from $1 million to $100 million ARR, building culture under pressure, and how AI is reshaping cybersecurity.


Episode transcript

>> Craig Gould: Snehal Antani, thank you so much for joining me today on the podcast. Snehal, you’re the CEO of Horizon3, a provider of autonomous penetration testing solutions designed to help organizations discover and fix exploitable attack vectors before adversaries can exploit them. There’s lots of defense language in what you guys do and threat mitigation. And I’d love to learn more about you, your organization, your journey. I’d like to start all these conversations with one common question, which is, Snehal, what are your memories of your first job?

>> Snehal: So my first job was selling pizza at the mall when I was 15 years old in New Hampshire.

>> Craig Gould: And it was at a Sbarro.

>> Snehal: Yeah, it was a Roman Delight Pizza, a better version of Sbarro. And you know what was fun about that job, outside of just the pride of being able to earn money and just blow it on friends for ice cream or try to save up for a car or whatever, and kind of the pride that comes with learning responsibility at an early age, was being super uncomfortable talking to strangers, even working in the front as a cashier or whatever, and just learning and being more comfortable in social interactions, learning and being more comfortable in a variety of settings. And I feel that it’s really easy to shy away from being uncomfortable. And every job I’ve taken, if I think about it, it’s a job that optimized first for learning, whatever the skill might be: learning how to manage people, or learning how to launch a product, or learning how to talk to folks randomly, even at a young age. And I think that if you have this learn it all mindset approach to your career, then things will just work out, you know, really well.

>> Craig Gould: Were you strategic enough to have that as a mindset, or are you so naturally curious that that led you?

>> Snehal: It was both. So I was very fortunate that my dad was an electrical engineer. And I really just wanted to be him in every way. And it’s when I thought about kind of the areas my dad struggled in. You know, he’s super smart, but he would always kind of miss out on certain opportunities. He’d be frustrated and get a promotion or whatever. And from that experience, I said, all right, what are the characteristics of the people that I look up to, that I admire, that I want to be, and let me work backwards? Well, they’ve got some mastered core competency. So I’ve got to be a core expert in my field, in this case computer science, software engineering, distributed systems. So be a technical expert. Then, they are all great communicators. I better learn how to communicate: written communication, standing in front of 5,000 people, and everyone in between. And then they were brilliant at launching products. At the end of the day, even today, if you see the best CEOs, they are product CEOs at heart. You know, there’s a lot of drama between SpaceX and Boeing and the difference between a product CEO and a spreadsheet CEO. So you have to learn how to launch product. You’ve got to learn how to organize or run large organizations. You have to learn how to build a repeatable sales motion and scale go to market. So I kind of dissected what those skills were, and every job I took optimized towards, well, what skill am I really going to focus on learning? Either directly in the job, or more likely I’m in a position where I’m able to observe a peer who is already doing that job. So at Splunk, when I was the CTO of Splunk, I got to focus down and in on product and up and out with our strategic customers. But I got to work alongside Susan St. Leger, who is a world class Chief Revenue Officer, and I got to learn from her how she scaled sales and carried a bag. 
I got to learn from Dave Conti at Splunk, who’s a CFO and a world class CFO who’s now at Databricks. I got to learn about, transactional velocity and financial, operations and so on. So if I wasn’t doing the job directly, or whatever job I was in, I was able to observe those around me and keep my mouth shut, listen and learn as much as I could.

>> Craig Gould: So you started your career at IBM. I guess every step along the way you, you added more arrows to your quiver. Right? But did those early days at IBM provide a framework for you to, you know, start kind of building on these things and, and can you tell me how that sort of advanced as you. Because, you know, there’s a point where you kind of take a left hand turn that many people wouldn’t, or should I say an atypical career path kind of in the middle of your trajectory.

>> Snehal: My early career at IBM was probably the most formative of my career for a couple of reasons. The first is in 2002 when I graduated undergrad. This was right after the bubble had burst. And you know, while it was tough to get jobs, I was lucky that I had a bunch of job offers and a bunch of offers in Silicon Valley. Yet I still took a job in Poughkeepsie, New York, you know, the bastion of tech innovation in the 2000s, at least that’s what my friends used to joke at me about. What they didn’t realize is Poughkeepsie is where the mainframe had been built and kind of pioneered. And the folks I’d interned with at Poughkeepsie, with the IBM team, I ended up working full time for when I graduated. And what was amazing about those folks is you could actually derive their lineage from the original System/360 designers, architects and so on. And there’s this funny quote: the difference between those that say cloud and those that say mainframe is the year they were born. And I had this incredible opportunity to go really deep into enterprise computing, architecture, virtualization, efficient software design, just-in-time languages, compiled languages, interpreted languages, all sorts of really deep areas that are nuanced on the mainframe that you had to deeply understand to be successful. That I was able to get in kind of one hyper compressed window of time. And so a lot of the problems that I later in my career struggled with in cloud adoption were experiences I could rely on from my time working at IBM Poughkeepsie on the mainframe. And then number two, though, there’s this book titled Mastery by Robert Greene. It talks about how everyone goes through these phases of apprenticeship, active innovation and mastery. And I learned this from my dad as well, which was when you get into a role, keep your mouth shut, listen, learn and absorb as much as you can. And once you’ve got understanding, you move towards a bias for action and then you can crush things. 
And there’s a parallel in the book where in active innovation or in apprenticeship, you sit down, listen, learn. I literally used to sit in the hallway in front of the office of my team lead because I was afraid to ask him questions that were dumb. I would just listen to him talk and watch his whiteboard and so on, just to absorb everything I could. And there were five, I call them the fab five, the architects there that I got to learn from in a tremendous way. And I put myself in a position after that to be under tons of pressure. Really high and high stakes projects triggered this active innovation. Got to really connect the dots of my brain across different problems and eventually became an expert in a bunch of really fundamental areas like distributed computing, secure computing, scaled computing, data processing, and whatever. So everything came down to jobs where I was going to learn the most.

>> Craig Gould: You know, you mentioned your time at Splunk. And it seems like, from what I can understand of your story, that your idea for Horizon3 really kind of originated from your time at Splunk, driven by your time as a customer. Can you kind of talk about identifying that product need and your response to, you know, identifying what could turn into product market fit?

>> Snehal: Yeah, so there’s actually two parts to this. The first part was the intrigue and allure around hacking and offensive cyber. At the end of the day, at Horizon3, we pioneered the concept of AI hackers. There’s a lot of companies now trying to copy that concept, but we pioneered it. And I’ve been obsessed with this product, Craig, since I was 12 years old. I have dreamt about, thought about this company, this product, this concept, since I got into hacking culture early in my life, once again introduced by my dad. And so I’ve thought about this for decades, and actually my time in special operations. So I left Splunk to serve as the CTO within JSOC. I got a much deeper understanding of offensive cyber operations, defensive cyber operations, combined with my experience at Splunk dealing with large scale data analytics, and then combined with my time as a CIO at GE Capital, where I had no idea if I was secure until the bad guys showed up. Are we fixing the right vulnerabilities? Is my EDR actually configured correctly? Are we logging the right data from our SIEM? And so on. And the answer is, I don’t know. I have to hire a mediocre consultant to pen test my network. I wait to get hacked, but really, for every Patch Tuesday, I wanted a pen test Wednesday. And so it was this blend of obsession and passion and intrigue about offensive cyber and hacking, my time at GE Capital wrestling with this problem and question of am I secure and how do I prove it, and then the experiences I had seeing that as a pattern across all my Splunk customers when I was a CTO there, and then the front row seat at DOD for what right could look like. And all of those experiences kind of blended together to form the early concept of Horizon3.

>> Craig Gould: How has Horizon3, how has it changed? Have the AI capabilities gotten better in the past five or six years? Or is it just our visibility of AI that’s catching up? I mean, when you started five, six years ago, were you already looking at this from machine learning algorithms, AI? And how has the development of these, you know, large language models come alongside what has been the evolution of AI as part of your product offering?

>> Snehal: Yeah, it’s a great question. So one, when we were at DoD, when I was the CTO within Special Operations, I was involved with Project Maven quite a bit. So we were early Maven users. And for those that don’t remember, Project Maven was in the news in 2015, 16, 17, 18, because Google was working with DOD to use AI for warfare. And there’s a whole lot of folks that were not very happy with Google about that. Well, I got to see that from the inside. And the person in charge of Maven at the time, Drew Cukor, Colonel Cukor, who’s now I think at JP Morgan, just a brilliant Marine colonel turned tech wizard. And I got to really understand and spend time chatting with him. And he said something profound. He said, what I’ve learned in our early AI days, this is 2018, was the models and weights don’t matter. Those are going to constantly change. You’re going to constantly throw them out. What matters is the underlying training data. That’s the sustainable differentiation. And that phrase had stuck in my head in early 18 and I kind of kept going back to it. So when I started Horizon3 in early 2020, I said, we’re a data company, like every AI company is a data company first. And in offensive cyber operations, there is no corpus of training data anywhere in the world. No different, by the way, than Tesla full self driving. There was no data set for full motion video of driving. So what did Tesla do? They installed sensors on every car and they collected all of this full motion video for years. And once they had enough training data, they were able to start to accelerate their innovation around the algorithms. Right. And now we see FSD 14 or whatever coming out, and it’s just profoundly better. The same problem with offensive. So I said there is no training data, so we’re going to be autonomous pen testing, no humans involved. But pen testing is not the end, it’s the start. It’s the first use case. 
And it’s a sensor that collects telemetry of production systems. And with that production systems telemetry, every host config, firewall config, EDR config, identity, Active Directory config, so on and so forth, I’m going to be able to use that to improve the core algorithms of hacking and use that to capture adjacent opportunities in deception and security controls validation and so on. And that’s really the X factor, I think, between us and everybody else: I viewed us as a data company with pen testing as just the sensor in the journey towards AI fighting AI with humans by exception. And so it’s all about autonomous security, offensive fighting defensive AI. And it’s a training data problem first.

>> Craig Gould: Well, you know, when you describe it that way, it just means that the more you scale, the better your product’s going to become.

>> Snehal: Exactly right. When you think about what does it take to build an iconic company? From my experience, number one is you need an incredible product experience. Godfrey Sullivan, who was the CEO of Splunk when I joined, used to say, your product experience must be so emotionally invigorating, your end users need a cigarette at the end. He came from a different generation, but his point was key. The second thing is your data advantage. You need to be collecting data that compounds in value over time. And if you don’t design that from the beginning, and this has never been more important than in the age or era of AI companies, you’re not going to create that compounding value in that moat. You also need to build a distribution advantage. How do you cultivate or how do you build partners, resellers, MSSPs and so on that can advocate and carry your flag and extend your sales reach and so on? And then finally, how do you build a community advantage, cultivating radical champions that advocate for you when you’re not in the room? Something Splunk did really well. When you think about people running around with fez caps and capes and Splunk tattoos, it’s because they loved the product and they loved being part of that community. So if you nail those four, you’ve built something iconic. Data advantage being a key part of those four items.

>> Craig Gould: Can you talk about how tactically how hackers are attacking companies now than maybe they did five or ten years ago?

>> Snehal: Yeah. Let’s first talk about the steps of hacking. At the end of the day, the attacker is going to find a way in. It doesn’t really matter if it was a zero day in a custom app you just deployed, or a flaw in a vibe coded crapplication, which is what I call some of those vibe coded apps right now, or a misconfigured Jenkins server, or a CISA KEV Ivanti server, or even insider threat or whatever. There’s a multitude of ways to get in. At the end of the day, every cyber attack basically starts with shell on a single host. How they got that shell, irrelevant, to be honest with you. And from that shell, they’re going to conduct reconnaissance and enumeration and identify everything that is network reachable. They’re also going to harvest credentials through a variety of techniques. They’re also going to fingerprint and identify really attractive and likely not well observed components. Veeam Backup and Recovery, Dell iDRAC, HP iLO, these kinds of services that tend to be virtual appliances with no EDR agents running on them that are not often patched and are only accessed by privileged users. And my point is, in chess you’ve got well defined opening moves. You have the same in pen testing. In chess you have well defined closing moves, to use your bishops or your rooks to roll up the king or whatever. You’ve got well defined closing moves in pen testing. But the middle of the game is totally dynamic. The middle of pen testing is totally dynamic. So that general structure is still true. When you look at, there’s a new AI tool by the bad guys called Villager, which is an MCP server in front of Kali Linux and a bunch of really interesting plugins and so on, or if you look at the write-up by Anthropic around how a ransomware actor was able to defeat their safety mechanisms and ransomware 17 organizations. Those techniques are lowering the barrier of entry to mastering the middle game of pen testing. 
You don’t have to be as intense an expert, you don’t have to spend as much time because these AI tools are augmenting you. So the middle of the game, which is the toughest, that is becoming faster and executed by folks with lower skills because of the role that AI plays.

>> Craig Gould: Can you tell me about the opening moves of Horizon3 as a company? because you’re growing to a point where people, you know, CISOs, CIOs, know you and trust you. But you know, when you were first starting you had to establish that trust. How do you go about establishing trust when you’re innovating in technology that maybe people aren’t so sure is ready for prime time?

>> Snehal: Cybersecurity is a last mile of trust sale. You’re not going to win security deals one steak dinner at a time. You’re not going to win security deals cold calling or spamming. You’re going to win security deals because, you know, if I’m a CIO, or when I was a CIO, if a person in my network that I trust said, I just checked this tool out, it is awesome, you should go take a look at it, that’s going to have the most influence over me exploring and looking at a piece of technology. It’s all about reference based selling, and therefore it’s all about cultivating radical champions. That’s what’s key. I had an unfair advantage because I was a CIO. I had cultivated a very large and vast CIO and CISO network from being on the speaking circuit with HMG Strategy and Hunter Muller’s outfit and the Evanta guys and so on and so forth. And so I’d spent years building that relationship, building that network. And so I was able to go to my network and say, hey, here’s what I’m thinking about. What do you think? I was able to bring them along early in the journey and they got excited, and if they weren’t customers, then they were radical champions celebrating from the sidelines. And so that was kind of the key part. The second part is we started right before COVID. And so during COVID, how am I going to cultivate championship? Well, local partners became key. So that local reseller in Austin or that local reseller in Atlanta. As we hired sales reps, part of our criteria was who is the local partner you’ve worked with for years? If you don’t have one, you’re not going to work here. But if you do have one, great, let’s go give that local partner outstandingly favorable terms and get them to be champions and let them utilize their last mile of trust with customers they’ve built years or decades of relationships with. So everything was about cultivating trust and reference based selling at scale in a time where it was COVID and it was all remote. 
So resellers and channel partners were key, to doing so. And probably the final part is you just have to be authentic. Every person in the early days held the jobs of all of our users. So we were all practitioners. We all understood the pains our folks went through, our customers went through because we, we were in those seats. So we were able to speak from a very technically authentic, language and point of view. And that provided instant credibility because we weren’t just selling snake oil. We talked about it in the language that resonated with the end user.

>> Craig Gould: What were those pains? My perspective is that the way things were done before you, you enter this market was, you know, expensive, slow, you know, a prevalence, to getting nickeled and dimed. If a problem was identified, you know, the follow up, you know, cost even more money. Can you talk about how your competition pales in comparison to the product offering you’re able to bring to the market?

>> Snehal: Yeah. So let’s go back to the pains, because that’s what matters the most. When I was a CIO, the hardest part of the job was deciding what not to fix. I would get 100,000 vulnerabilities or more from a vuln scanner team. Maybe 10 to 20 actually mattered. And even then they were only exploitable if the attacker had physical access to the network backplane, standing on one foot holding a pizza, or some other obtuse conditions that led to it. And so deciding what not to fix was super hard. And the way I thought about risk and risk management was, number one, is this problem even exploitable? If it’s just vulnerable, but it’s not exploitable because I have compensating controls or something in place, I don’t want to hear about it. I only want to focus on what’s exploitable first and foremost. The second is, are there any threat actors known to be abusing this particular problem? If so, I need to treat that differently. Like, this is known to be abused by Salt Typhoon. I’m going to prioritize that differently than something that has no known abuse by a threat actor. And then the third is, what is the precise business impact that I need to evaluate and accept risk on or not? Because I need to be able to marshal resources and adjust priorities to do something, right? Because we’re always task saturated. So don’t just tell me I have ransomware risk. Tell me that an attacker can steal the credentials of accounts receivable employees, take over accounts receivable systems, and interdict and steal financial payments. That level of precision allows me or my boss to say, okay, well how many payments are at risk? Well, if you’re a mortgage company, the answer is a lot, because most mortgage closures are done over email. But if you’re a local dentist, the answer is probably not much at all, because nobody really uses email to make payments. So that context and that precision of impact matters. 
So that was kind of the first big problem, the what should I go fix and why? The second hardest problem was looking at the IT team in the eyes and telling them they had to skip their kid’s basketball game to stay late and patch a bunch of servers that we knew didn’t actually matter. So if I’m going to tell someone to skip their vacation, skip their dinner, skip their kid’s game, it better be for a good reason. It better be because if we don’t, we’re going to end up in the news and it’s going to be worse for all of us. And that goes back to precision impact and prioritization. The final part as a CIO was my boss asked, are we secure? Are we getting better? You know, is the money we’re spending on security actually worthwhile? And the answer is, I don’t know. I got to wait to get hacked. How do I prove my security posture over time? The only way to solve all three of those pains is pen testing: for every Patch Tuesday, you want to pen test Wednesday, and pen testing comprehensively. And the only way to comprehensively pen test is with some sort of force multiplier, that is an AI hacker, which is why we ended up down this route.

>> Craig Gould: How do you establish a culture in your organization? What steps do you take?

>> Snehal: So culture in a scale up is something you have to very carefully track and be aware of, because about every 12 to 18 months, we’re doubling the size of the company. Every 18 months, we’re doubling headcount at this point. And when you’re hiring that many people, your culture gets lost very quickly. In fact, I went from 25 to 125 employees back in 2022, and I did so a bit recklessly. And we lost our culture and identity in that short burst. It took quite a while to rebuild the original core culture of the company, which is learn it alls that can solve any problem as a team under pressure. That’s kind of core. And that is derived from my experiences in the world of special operations. So I was a CTO of Splunk. I left industry to serve at JSOC as its first CTO. And remember, my military experience was watching Jack Ryan and Tropic Thunder. Like, I didn’t come from that world. And so I was a tourist. And what I learned is that what makes people in Special Ops special is not that they can run far, shoot well, or swim fast. It’s that they are learn it alls that can solve any problem as a team under pressure. That’s what was key. And so that really underpinned the early group. About a third of my people at Horizon3 were former Special Operations, NSA, CIA types that came from that culture and that mindset. And then I’d pair them with nerds in skinny jeans that know how to build, ship, and sell software. So how do I do that while preserving that learn it all mindset? Well, one, we don’t tolerate smart jerks. If you’re a smart jerk and you slip through the process, you’re not going to last very long. Are you coachable? There are these intangibles that you’re able to figure out. The second part of culture, though, is more defined by how you execute as a leader and as a company. So what makes JSOC the best performing organization in the world, I believe, are three organizational characteristics. 
Number one is they empower those closest to the problem to do their jobs, because those closest to the problem have the most context. And your job as a leader is to enable them with resources and advocate and unlock barriers so they can do their jobs. Number one. Number two is about shared understanding. Information cartels in that world will lead to mission failure and death, like loss of life. So if everyone doesn’t understand what’s going on, if you’ve got information silos, data cartels, or anything that disrupts any form of shared understanding, you lose. Everyone needs to know what’s going on. So you have to have very open, flat communications. I am shockingly transparent with the financial state of the company, what’s working, what’s not working, and so on. Because how can I trust and empower you to make decisions if you don’t know what’s going on? And the third part of JSOC was cadence. They used cadence to drive accountability. So the cadence was, you know, we’re going to get together on a highly frequent basis. Everyone knows what’s going on, everyone’s surfacing news whether it’s good or bad. If it’s bad news, you’re preserving decision space, we can do something about it, and so on. And you are accountable for being the most prepared person in the room during that period of time. And so empower those closest to the problem, ensure shared understanding, and use cadence to drive accountability and preparedness. I think those underpin JSOC as a high performing team, and we do our best to exemplify those same characteristics at Horizon3.

>> Craig Gould: Has it gotten easier or harder to hire as you’ve grown?

>> Snehal: Yeah, you know, when I had the first surge of hiring, the biggest mistake I made in that group was I didn’t hire my managers first and get them indoctrinated. I hired managers and within two or three weeks they were tasked with hiring more people, but they hadn’t really been indoctrinated into the company. They didn’t understand who we were, what we were about. And so we ended up hiring folks that just weren’t a great fit. The second time we had a big hiring surge, where we jumped from 100 to now 300 people, we took it a little slower and we hired player-coach managers first, and we made sure they were indoctrinated into the company. They understood the culture, they fit in the culture, they understood the problem, the tech and so on. Then we allowed them to start hiring, and that allowed us to make sure that they hired people that were also a cultural fit. And that worked out really well. We continue to get even better with our hiring process. We now use bar raisers and other things like that. And so now my bottleneck at scale is interviewing capacity. I don’t have enough people to interview for the positions we’re trying to hire. And that just comes down to, you want to slow down to speed up and make sure you’ve got the right hiring managers that are indoctrinated before you ask them to hire people.

>> Craig Gould: You know, you’ve scaled from a million to 100 million in five years. You just recently received additional funding that, you know, obviously, we’ve gone from product market fit, now we’re going to hyperscale. Originally it felt like Horizon3 was kind of a single product company with a product that was suitable for small, medium, up to larger customers. But with the growth that you have planned in front of you, what do you see changing? How do you plan on changing your footprint or your target market? What’s ahead of you?

>> Snehal: Yeah, so let’s break that down into a few things. So first is, we hit a million in ARR in October of 2022. Or October of 2021, I think. October 2021 we hit a million ARR. We’ll hit 100 million in ARR before October 2026. So we should hit it sometime at the end of the first half of next year. And then as long as we hit that plan, we’ll go from a million to 100 million in ARR in about four and a half years. And for framing, that’s as fast or faster than CrowdStrike, SentinelOne, Zscaler, Splunk, and Datadog, all companies I’ve admired throughout my career. And it’s pretty phenomenal to see that level of execution. So the question is, how did we do it? And this is something that’s super important. And there’s a couple of philosophies for go to market. First and foremost, when you’re early in Horizon3’s go to market days, I prioritized transaction velocity over average deal size. What I mean by that is I would rather have five deals at 20 grand than one deal at 100 grand early, because I’m going to get that repeatable sales motion. I’m going to have more predictable cash flow. Because if one of the five deals slips, I’m still at 80k, but if that 100k deal slips, I’m at zero. Right. And so early on it was all about transaction velocity and driving as many deals as we could. I didn’t even care about the deal size. So we had early on, you know, Fortune 250 down to the local law firm and everyone in between. But our real sweet spot was upper mid market companies where IT and Security were the same team. They were barely treading water. They had the authority to use our tool, they cared deeply about prioritization and quickly fixing problems that mattered. And when we hit that sweet spot, we had a six to eight week sales cycle. What that meant was a single sales engineer was running 50 proof of concepts in parallel. Unheard of at Splunk, where I believe one SE was maybe running three to five proof of concepts in parallel. 
And so transaction velocity, ease of use of the product, all these other factors allowed us to build a great machine. Now as we matured, we methodically moved up market, where we started to move into lower enterprise, upper enterprise and then majors. Majors has an average sales cycle of, I mean it could take up to a year depending on how big, like a top 10 bank or something. What I didn’t want to do was get really choppy, lumpy revenue I couldn’t forecast. So by building this transaction velocity motion, and I learned that term from Dave Conti who’s now at Databricks. He was a Splunk CFO. If you can build a high flow transaction velocity business, you get much more predictable cash flow and you can manage the business better. And then early on you use the whales as a way to beat your targets. And then if you coordinate it right, you’ve got whales closing every quarter to help beat your number. But you had started selling them a year, year and a half earlier. And that’s exactly what we moved into. So now we have three of the Fortune 10. MSSPs are my fastest growing segment. And we’ve got 4,500 companies globally using Horizon3, 65% of which are serviced through MSSPs, the rest being fully serviced by us. So just unbelievable transaction velocity. Once again, every one of those companies is providing telemetry that feeds into my data moat.

>> Craig Gould: And I mean, it sounds like in a lot of ways compliance drives your business, right? Because the majority of these corporations need to be able to demonstrate pen testing to get some of these compliance measures that they need in their markets.

>> Snehal: Right, yeah. So this is a good way to tie into go to market. When you build up a sales team, you’ve got inside sales reps and you need to qualify opportunities. And when you want to use partners to extend your reach and sales capacity, you need to give all of these folks well defined hooks, really simple plays that they can understand and execute against. So we actually have a really simple sales qualification question: with an unlimited budget, how many pen tests would you run a year? One to two, or four or more? If the answer is one to two, you are compliance only. I’m going to hand you to a partner or an MSSP and they’re going to take great care of you for your SOC 2 compliance or whatever. If the answer is four or more, you want to run at least quarterly pen testing, or you believe in proactive security and you want to run as many tests as you possibly can. You’re in my wheelhouse. That simple question allowed partners and our sales teams to quickly qualify who to focus on and who not to focus on. Because in sales you’re in the disqualification business. Your job is to find a reason not to have the next meeting and move on. And that was the simplest question. Now to your point on compliance. The first budget we pull from is the consulting pen test budget used for SOC 2, NIS2, DORA, GDPR, CMMC, PCI 11.4 or whatever. That was unemotional, primarily labor-fulfilled dollars we could grab and use to shift towards this continuous pen testing world. That also is why our sales cycles have been so fast.

>> Craig Gould: Horizon3 is an AI hacker. And so to this point you have been identifying vulnerabilities. But my impression is that one of the things that you’re headed towards is not just identifying, but providing the ability to fix certain vulnerabilities that are identified. Can you talk about that vision?

>> Snehal: Yeah. So I believe pen testing and SOAR are converging into an integrated set of remediation workflows. Because the goal of running a pen test isn’t to find problems, it’s to quickly fix problems that matter. That’s the objective. Now while running a pen test, I can do a bunch of interesting things. For example, if I find that your DNS records aren’t configured correctly and you’ve got dangling DNS records and you’re at risk of subdomain takeover, which basically means hr.horizon3.ai wasn’t registered correctly at the domain name level or DNS level and a hacker could create a fake hr.horizon3.ai web page that looks legit and everyone thinks it’s legit because it’s the HR page. And then you could do all sorts of bad things. Well, I can just automatically fix that for you right there in the moment. I can just reclaim the bad DNS record and put a splash page or a landing page or whatever. And there are many other situations, like we compromise credentials that belong to a user that allowed us to do a ton of things. Well, we should just automatically force a password reset for that domain user and let them go in and change their password. So the question is, what parts of the problem can we quickly and automatically fix? A big challenge or frustration I have in cyber is everybody thinks patching is the answer to improving cyber resilience. Patching is actually a pretty small part of the actions to take. What can I do to improve detection and response? Are my EDR agents actually able to detect and stifle this attack? I don’t need the patching window to fix a misconfigured Defender agent. For instance, can I auto deploy honey tokens or fake AWS credentials? Fake Azure tokens? Think of that as: while breaking into your house, I can install Ring cameras along the way to improve your early warning system. Can I do things to reduce the blast radius? Resetting credentials, recommending ways to change network segmentation, so on and so forth.
There are all of these things you can do to reduce the dwell time or blast radius of an attacker while in parallel you’re fixing or patching an issue. And how do I use pen testing as the map and compass to accelerate remediation? That’s the key.

>> Craig Gould: What advice would you have for someone who is trying to climb the corporate ladder? Someone who’s trying to get from mid level, upper mid level to the C-suite. Is there any specific advice that you would give to someone who is trying to navigate that part of their career?

>> Snehal: Yeah, there are so many ways to mess that transition up. And you know, I do this talk and I talk about the experience as you see someone advance and you’re just standing there at the edge trying to figure out how to cross this chasm and what did they do that was different. And you know, there’s all sorts of reasons you’re going to get frustrated inside: I wasn’t friends with the right crew, or this, that and the other thing. Focus first and foremost on the variables you can control, which are yourself, how you behave and how you prepare yourself. I think there are three fundamental things you can control and drive that progression in your career. Number one is your ability to communicate. If you cannot communicate effectively, up to a board member or down and into a nerd, and everyone in between, you’re going to really struggle. A lot of immigrants, as an example, tend to be super frustrated because they’re really smart. I remember, you know, my dad used to be frustrated about this, and he forced himself to get better at communication. And he’s like, well, I have an accent. I’ve got to get better at communicating to executives. And he worked as hard as he could to become a great communicator. So communication is number one. And by the way, the secret hack I learned to be a good communicator: learn to be a good joke teller. If you’re good at telling jokes and good at telling stories, you know how to pause for effect, you know how to deliver a punchline. And if you struggle, go take an improv class. So I think first and foremost is your communication skills. And part of communication skills is your executive presence. I remember, if you look like a slob, people are going to treat you like a slob. And executive presence matters. Can you command that room in a bunch of different ways? I think the second part is preparedness. Are you the most prepared person in the room? If not, you better be.
And it’s up to you to be the most prepared person in the room. And you show your preparedness not by being a smart jerk in the meeting. You show your preparedness through the thoughtfulness of the questions that you’re asking. That’s what was key. I think the third part throughout all of this is don’t make excuses. It’s super easy to get jaded. And the moment you start going down that gripe tribe, the moment you start complaining about other people, the moment you start to become that toxic cesspool, you may not think people notice. Everyone notices. If you’re frustrated, you take it out, you go to the gym, you do whatever. But you want to maintain that positive, coachable brand for yourself inside the organization. Those are the three things you can control.

>> Craig Gould: What if you feel like you’ve landed someplace that isn’t a meritocracy, that isn’t acknowledging your value, that for whatever reason, there’s not a culture fit, people have the wrong impression of you? I mean, at what point is it okay to just cut bait? And how is the best way to do that?

>> Snehal: It’s a great question. I would say the number one way to build your own brand is to let your results do the talking. If you have world class results and you are jumping on grenades before they go off, you are seeing around corners and solving problems before they become problems. And you’re doing so because you are obsessed with mastering your craft, that’s the key. If you are not obsessed with mastering your craft, you should not be in that craft. That’s the mindset. If you’re doing all that and you still feel stifled, then you transition out the right way. When I felt I needed to move on from a particular company, I did so quietly. I did so letting my boss know. It was different because I was an executive at the time. I said, look, I don’t know that I can support you in the way that I want to support you. I’m not growing the way I want to grow. I thank you for everything that you’ve done for me, but I’m moving on and I hope that we can stay in touch. If you leave angry, if you leave jaded, if you leave on bad terms, the entire way the job industry works, especially at the executive level, is backdoor references everyone’s going to quietly seek. Hey, you worked with this guy. Is he any good? What was your take? And if you melted down on your way out, that’s going to stick with you for decades. So no matter what, know that everyone’s going to be backdoor referencing you for the bigger and bigger jobs and you need to leave respectfully, in the right way, in a quiet way, and always leave on good terms.

>> Craig Gould: So what is the best piece of advice you ever got?

>> Snehal: What you did yesterday won’t keep you here tomorrow. I’m going to tell you a story behind that. So when I first joined JSOC, as I said, my military experience was watching Jack Ryan and Tropic Thunder. I had no real background in this world.

>> Craig Gould: So, so a simple Jack, that, that was.

>> Snehal: Yeah, yeah, exactly right. So I sat in the office of one of the Navy admirals that was on the command leadership team. And two other folks came in, sat down next to me, kind of pinned me in, and the Admiral said to me, see these guys here? If these guys don’t think you belong here, you’re gone. What you did yesterday won’t keep you here tomorrow. And you earn the right to be on this team, in this organization, every single day. And you do so not by telling us how awesome you are. You do so by letting your results do the talking. That was probably the best advice I’d ever received, because I was a young everything. I was a young executive at GE, I was a young CTO of a publicly traded company, that was Splunk. And you get these chips on your shoulder, you get these insecurities. I was definitely cocky, definitely arrogant in my mid-30s. And I wanted people to know all these cool things I was doing. And that’s not how you’re going to build that brand. You’re going to build that brand by letting your results do the talking and letting other people share their points of view about you and the impact that you’ve had and so on. I think that really came to a head during my time at JSOC, and I really learned to keep my mouth shut, listen, learn, and earn the right to be on the team. At the end of the day, high performing organizations are the equivalent of a professional sports team. And at any given moment the question is, is it worth investing in this person because they’ve got a lot of ceiling left, or has this person plateaued? I go through this and we have really good people management processes. My chief people officer, Tori Rundel, is just the best people leader I’ve ever worked with. And the way that we think about this as a leadership team is, what’s this person’s ceiling? They’ve got a ton of upside. Phenomenal. They’ve got great results. They’ve got the right attitude.
Let’s go invest in helping them become an even better leader. And we’ll invest in career coaching and stretch opportunities and so on. Hey, this person’s really plateaued. They’re really struggling, but you know, they’re a great workhorse. Okay, we’ve got it. We understand how they’re going to fit. We’re going to keep them running. They’ve plateaued. But their skills, where they think they are is way up here. Where they actually are is way down here. And nothing we’ve done to coach them is going to close that gap. You know what? They’ve plateaued. They’re not coachable, which is the number one criterion we look for. Let’s respectfully transition them out and work on a backfill and bring somebody in that has the experience, that has the upside and is coachable. And then let’s make a bet on that person instead.

>> Craig Gould: Well, Snehal, if folks wanted to keep track of you, wanted to keep track of Horizon3, where’s the best place for folks to engage with your company?

>> Snehal: So, first with me, I spend a lot of time writing a lot of posts around topics we talked about today on LinkedIn. So track me down on LinkedIn. I do a lot of posts on leadership, on startups, all lessons learned. Because we all make mistakes as we go through these journeys. And I try to be very reflective and honest about what’s worked well and where I’ve had to pivot or iterate. And then, of course, you’ve got the company website, we’ve got tons of field marketing events with booths at all the major security conferences. Come by the booth, grab a T-shirt, they literally say, go hack yourself. And our socks are pretty cool too. And say hello to the team. Meet the team. You’ll see the culture permeate and the passion and obsession permeate from every single person that works at Horizon3. And all of our partners as well. But LinkedIn is the best.

>> Craig Gould: So how many Horizon3 tattoos have you been able to produce out there?

>> Snehal: You know, allegedly, there’s one already. I haven’t seen it, but I’ve been told it’s a place where I wouldn’t easily see it as well, so that’s only more intriguing.

>> Craig Gould: Well, hey, Snehal. It’s been a pleasure. I really appreciate you being willing to allow me to poke and prod you on everything related to your company and cybersecurity and AI hacking. I really appreciate the time you’ve set aside for us today.

>> Snehal: Amazing. Thank you, Craig. I appreciate it.

>> Craig Gould: Absolutely.