Jeremy talks to host Evgeniy Kharam about his experience as CEO of cybersecurity startup FireTail and shares what he has learned from managing the company since 2021. Listen in to hear about FireTail’s mission and the importance of API security.
In this episode of the Cyber Inspiration podcast, FireTail CEO Jeremy Snyder breaks down the basics of cyber and API security, and dives into his background and what led him and his co-founder Riley Priddle to launch FireTail in 2021. Tune in to learn about the biggest risks and challenges in today's cyber landscape, the growing need for API security, the fundamental principles of API security, and how you can apply this knowledge to your own cybersecurity posture today.
Topics covered include
Evgeniy
Hello everyone. Welcome to Cyber Inspiration podcast. My name is Evgeniy. I've been around security for the last 20 years, and I have a lot of experience working with a variety of security vendors, and my main work is vendor consulting and security advisory for companies. As part of my passion in technology and cyber, I am always intrigued to learn how a company starts. I started the podcast to understand the thinking process and what motivated people to start their own company. This podcast is also affiliated with Security Architecture Podcast. I have a pleasure today to speak with Jeremy about his company and his motivation to start his own company. Jeremy, can you please introduce yourself and the company?
Jeremy
Sure thing Evgeniy, and thanks so much for having me. My name is Jeremy Snyder. My company is called Fire Tale. You can find us online at Fire Tale io and we work on API security.
Evgeniy
Even so, this podcast is not security related. It's more about storytelling. I always ask people to do like an elevator pitch about the company and what they do.
Jeremy
Yeah, so our elevator pitch is really to help companies design and deploy more secure APIs. We really believe that the API will become a very crucial attack surface in the next couple of years. And we think that the main attack vectors are application layer related, and companies don't have the necessary visibility or security controls around APIs right now. And we're on a mission to help them do better.
Evgeniy
Right. It's interesting that ten years ago, the entire idea of API was it even existed in a way, because everything was on prem. And right now everybody talks about API all the time. That's confusing. We're not going to explain what's API right now and different security models because it's a different show, but it's definitely an important topic for future generation. If somebody wants to get into cybersecurity, understanding API is mandatory in my mind.
Jeremy
Definitely.
Evgeniy
This is not your first rodeo.
Jeremy
It's not.
Evgeniy
And the company's been around for like 2 or 3 years.
Jeremy
No, the company's been around for like seven months at this point. We started working on this last year in October, my co-founder and I, but we officially incorporated in February of this year. So we're, I guess, right at eight months officially in business.
Evgeniy
Okay, so what happened a year ago that you decided. Okay. No. What? I'm not going to go to Miami or Florida or Hawaii, and I'm going to start another company.
Jeremy
It actually started more like three years ago. So at the time, I was working for a cloud security posture management software company called Divvy Cloud. I was part of the leadership team there and at Divvy Cloud, I think the most interesting thing was that we had two groups of customers. One was our digital native early adopters. And so for us, this was companies like Spotify, Twilio, like very large scale, born in the cloud kind of companies. And then we had everybody else and we really focused on listening to the digital native companies for kind of the pushing the envelope use cases that they were bringing, and you could look at them and their architectures to see where everything was moving to, because they're very much ahead of the curve.
Evgeniy
Right.
Jeremy
And we started to see a shift a couple of years ago where even in the cloud, they were changing the way that they were designing their applications. They were moving away from, let's say, virtual machines moving towards containers and serverless functions and so on. And you realize that the natural evolution path is towards API centric designs, where what's exposed at the edges, the API.
So I started thinking about that problem all the way back in 2020. And, you know, the company I was working for ended up getting acquired in May of 2020. I spent some time with the company that acquired us, moved into an M&A role over there, and in my M&A role, I did a lot of research, a lot of research.
I tell anybody who's interested, if you ever want to read a lot, get a job in M&A because you spend the most the majority of your time reading analyst reports, reading company pitches, reading feature sets, reading documents produced by various vendors, and so on.
But during that time, I started analyzing the space in some level of detail, and I realized that the approaches that I saw out in the market didn't match with what I perceived the attack vectors to be. So I saw this kind of fundamental mismatch between application layer attack vectors, but network layer defenses. And I said to myself, like that just doesn't make sense.
And I, you know, kind of continued to do more and more research about it last year. Towards the end of the year, I found this report from Akamai. They produced this annual state of the internet report. And in that report they talked about the API as the attack surface that connects us all. It really is kind of the backbone of the modern internet, as you said.
It's interesting. Like ten years ago, you wouldn't think about it, but now more than 80% of internet traffic is actually API calls. It's not human generated calls. It's actually, you know, system to system, computer to computer. And so in there, kind of one of the last things that really confirmed the approach that I had been thinking about was Akamai, who is a network company. They made this statement and they said, you know, companies that are trying to defend their APIs with network security tools are going to have moderate success at best, at best. And so that really confirmed to me, like, we need to think differently about how we defend APIs. And, you know, that's what really kind of started our journey down this path of creating the company and so on. And like you said, it's not about the architecture, but that was one of the last data points that we needed to support our hypothesis about where the problem lies and how we defend against it.
So you have an idea. You. The theoretical validation? Yep. Now you need to go and actually do market validation that whatever the baby you want to create, you don't want anybody to code ugly. So what was the process to go talk to people to understand what you want to build? People actually going to buy. So three things. So first I built a pitch deck for myself. And it's funny because like, yes, we used it in some of those customer conversations, but it was actually primarily to help me organize my own thinking on the subject. There was this TechCrunch post a couple of years ago people can find it's like the 10 or 11 slide pitch deck format, and I find for myself, if I can't organize my ideas into those 10 or 11 slides, like probably my idea needs more thinking still. So that was one to just start with that, organize it, you know, build some data points and so on. Number two, I started talking with my co-founder about like, what would a really quick and dirty prototype look like that we can kind of validate the idea and do like even a three minute technical demo to prove that this is even possible. Of course, you don't want to start, as you said, like you don't want to people that say your baby is ugly, but you also don't want people to say like this is just impossible because they'll never believe you. So we started that and we actually wrote, you know, a couple hundred lines of prototype code. And the third was actually reach out to people. So I reached out within my network to about 15, 20 companies that I knew, people that I trust, people that I know are influential in the cyber community, that are, let's say, well connected to early adopters as well as, you know, companies that I know directly. I probably had. 1s
30 conversations over the course of two months with, you know, VCs, angels, but mostly customers or potential customers and, you know, kind of say, hey, look, this is how we're thinking about it. Use a couple of the slides from that pitch deck that I built. You know, this is why we think it's a problem. This is where we think the problem is. This is how we're thinking about solving that and taking feedback from them. And through that process, we actually managed to get six customers signed up to be kind of beta customers before we really had anything. So they agreed, like, hey, no promises, of course, but hey, if you produce something, when you produce something, we'll give it a test. No commitment as to becoming customers down the road or to paying even a single dollar, but at least a good starting point to have those kind of validation conversations. And
I guess you got the positive feedback from the people,
at least from these. And then, you know, from certain investors that we had talked to, quite a lot of investors that we talked to, had actually talked to a number of API security companies. It is kind of a very popular space right now. As we record in October 2022, there's been a lot of talk about this space and there's been some pretty high profile breaches. So yeah, we got good feedback from potential customers. We got good feedback from potential investors. And so that kind of told us keep going.
So what's next? You had an idea. You validated the idea. You have a alpha up. Yeah. Starting hiring people or raising money.
No raising money. And also something that like early admin stuff that you need to do. So think about a domain name, think about a brand, think about putting up a placeholder website, a lot of this kind of early stuff. So we worked on some of that.
Kept
improving the messaging based on the conversations that we had and with those customers who agreed to be beta customers like continue to send them updates as we go. So every couple of weeks, reach out to them and tell them, like, hey, we're thinking about this. We discovered an additional thing. What do you think about that? So continue to get feedback, refine the story, and so on. And then with the investors it was a process of
probably.
Eight weeks from that point to go through the process of saying like, hey! This is a budget that we think is realistic. That would help us build the team that we need to bring on board in order to deliver something in order to, you know, really bring something to market, you know, and went through the fundraising process. Thankfully, we closed our seed round within that eight week time period. So it was a pretty, pretty quick fundraise but worked out successfully for us.
What is your lesson learned from the second time building a company? And I'm not sure if you were. I guess you raised money in the first time as well, but what was the difference? Raising money first time and raising money the second time.
This is my third time raising money or being part of the team that's raised money. And I think the things that I've learned are, you know, don't over invest in things that are not important in the early phase. So when you think about kind of where that money is going to go to focus much more on the product than on anything else, from my perspective, and this is like a little bit of a personal opinion. Don't separate yourself as one of the founders. Don't separate yourself from the customers. So I see a lot of companies that say, you know, one of the things they want to do is they want to hire a sales team very early on. And I think that's like a definite mistake. You know, if the founders aren't engaged directly with the customers in the early stage, I think it's very easy to lose touch and lose focus. So that's another big lesson from my perspective. This is
an interesting point you bring. And I want to kind of not to challenge, but maybe go deeper on this, especially for the last two years, three years when we all work from home and we realize there is less touch and feel, less confrontation, physical and more digital stuff. Like, I have a podcast, you have your own podcast as well. Yeah, 1.1s it sounds like everybody in the market have a podcast right now as well. Everybody's trying to do some kind of live show and internet and it's great. 1.1s But it's mean that there's a lot of potential local noise, but there's a lot of things happening. So I believe that if you're not starting to market yourself right away because it may take you 2 or 3, four months, people will know who you are. You may be ready with the product, but the other, like the entire world, will not know who you are. So that you can act from this perspective. And I want to hear what you think. How hard is to promote yourself to people, to understand who you are and why you should care about. 1.5s
Look, it's a great point. There is a ton of content out there, and I do agree with you that you do need to promote yourself. I mean, that's why I spend the time that I don't spend on, you know, kind of talking to customers and being the interface between customers and the product team, translating requirements I spend out there working on promotion. I've actually outsourced a lot of the admin side of the company, you know, legal, finance, payroll, etc. those things can take a lot of time. And frankly, they still do take a couple hours a week from my schedule. But I've tried as best as possible to like, outsource those and free up time to work on promotion for the company. So that is, you know, going to events when they are happening, speaking at them, you know, being on other shows, being, you know, doing appearances in the media. I do this probably 3 or 4 hours a week that I'm on camera or on audio talking to people because I think it's true. You do need to raise your profile, not necessarily for me personally, but for the benefit that it has for the company.
Yeah. So in what point you hire a marketing specialist or you have a PR company that start to promote the product to promote the brand, not you exactly mean the brand itself.
Yeah. We've gone through this exact evaluation in this exact question over the last couple of months. So I can tell you our answer in our answer is marketing person in month nine and PR firm sometime early next year. You know, we've talked to a bunch of PR firms and I think they all have their, let's say their strong points and so on. There's a value to PR, but there's also a high cost to engaging a PR firm, not only financially, but in terms of the time engagement that you have to spend with them. And I realized for myself, like, I don't have that time to work with a PR firm right now, you know, to kind of feed them the content and the understanding of the domain space that we're working on. Like that's a commitment of a few hours a week that I just don't have right now. But to your point about marketing or to your question about marketing. We've kind of been a little quiet for the first 6 or 7 months, and that was by intention, right? So we've done a few things here or there. I've done some things to promote the company, etc., but we're actually just doing our first conferences now starting in October. We're hiring a marketing person, or we've hired a marketing person who starts next month who's now charged with kind of building, you know, a lead pipeline and getting some top of the funnel leads for us and so on. Um, but it's for us, it's more like the last few months have been focused on working with the beta customers to go, like, continue to improve the product and the requirements. And so we feel ready to launch. I know a lot of people will say, like, if you're not embarrassed, you launch too late. You hear that a lot? Yeah, I don't know. I mean, I think there there is a middle point where you can say like it's not embarrassing. It's still a pretty minimal set of features, but it actually provides value to the customer. And that's what we were going for by working with these customers for these months. You know, when we do come out with something in like November or December timeframe, it works. It's proven, you know, there's we've got customers up and running on it. It's actually solving problems for them. And we'll feel like very confident in that. 1.7s
So there are a lot of tasks as part of starting the company. Yes. And managing people. And you have a partner that I believe, the CTO. How do you help yourself to stay on top of the tasks? What do you do? How do you decide what's important right now? And you mentioned a lot of what you do now and later. This is a very good point. I like them a lot. Yeah. Help yourself kind of.
Yeah. Boy that's tough. 1.3s Like one guiding. Principal that I have is customers are number one. And so when I look at my priorities and I look at what's in my list, you know, try to keep them in front of mind. Every Monday morning at 8 a.m., I have a block in my calendar to review customers from the previous week. So any open items, any like follow ups, any next steps, etc. that's always Monday morning, 8 to 9 a.m.. I mean, you know, sometimes it'll move, of course, but that's my principle. Start the week with kind of a review of customers. 1.7s Employee stuff. I try to separate. Admin from, you know kind of value that they create. Admin stuff outsource as much as possible. So we find an HR partner firm that we can work with that takes care of, you know, benefits, payroll, all these types of questions, etc. like that's not high value work for me to spend my time on. There are people who do that better specialize in that. Like, let's get that off my plate. What I do think is super important on the employee side. And what I do prioritize is making sure that employees are productive and that we remove anything that's blocking their progress. So little things that can be as little as like, hey, I need a mouse in an extra monitor. It would make me 10% more productive. That's just like, yes, get it done, you know, very quickly move past those items. But when it's bigger things, that's like, hey, I'm working on this set of features around API security, posture management. How should I think about it? Then I try to prioritize that stuff. You know, whether that means a quick meeting, whether that is a quick set of research that I can do or I can assign to somebody else on the team to enable somebody else to move forward. Like that's always a high priority as well. So those are kind of the first two like customers number one and then team number two with the specific focus on keeping the team productive. You know let's talk about hiring and you mentioned team. Yeah. It is important because if you don't have good people you can have good product. Yes. What are your ways. What's the magic about how you hire people to make sure they like the work they produce? Good work and the state. 1.9s So we have two kind of a little bit of let's say different thoughts around hiring people. So number one is I really like to hire people who are young and looking for the next step up. So if you look at our team, we've got our team design is that we've got a few very senior people who are very experienced and kind of they're designed to enable the rest of the organization provide expertise and guidance. But then when you look at the rest of our development team, it's a lot of young people who come from startups and are looking for an opportunity to have a bigger stake and a bigger, you know, a bigger voice within a startup. You know, maybe they worked at a startup as an entry level person previously, and now they want to be kind of one step higher. That's a real that's a real big plus for us. So we look for those types of people. The other thing is we really look for diversity. Currently we have no two of the same passport in the company. So we've got a very international team with a lot of different thoughts and a lot of different thought process that they bring to the company. I always try to prioritize that in our hiring because I my personal experience, my personal background, I've worked with a lot of very international teams over time, and those have been the ones that have always been the most productive. There are people who would say like, oh, you bring so much baggage and cultural communication differences and so on. But I've looked at it more from the standpoint of the different perspectives that people bring. And like once you get that team communicating well and working together well, they really produce high quality, like good output, high quality, and typically with more creativity than you get from just a team of, let's say, just Americans or so.
Right. Interesting. I think different opinions and different cultures definitely bring different results as well. And cases like. They're kind of not attention, but the different ways to look and stuff will produce a better product, more resilient product as well. 3.7s Was there an event in the last year that show you? Oh, you know what? I am the right track. The company is going where I want it to go. Maybe a customer told you something. Or industry when you realize, yes. All good. I need to continue where I'm going. Yeah.
I'll share this story. We were earlier this year. We were at Blackhat, and at Blackhat there's the open source tools area called the Arsenal. We were selected for that, which to me was already like a pretty big honor because at that point we had no community. We had like no developers, like we probably had like five stars on GitHub. Even for our open source component, our product is kind of there's a mix of some open source components and then some commercial stuff. And so I was quite surprised that we were selected in the first place. But then we got there, and I think what was really interesting for me, we saw one of our competitors come over and watch our session. And watching the body language of this individual as we presented our open source tool was just like perfect validation for us because we started our presentation by kind of laying out our thesis statement like, why we're doing this, the way we're doing it, why we're approaching it, the way we're approaching it, and like why you have to approach it that way if you actually want to solve the problem and you kind of see these nods and you kind of see these, oh yeah, that's right. Like that for us was a really great day. I mean, we've had customer validation. We've had customers who say they're ready to pay money. That's all great. But to me, like seeing that from a company that's been in the space for, you know, a couple of years at this point and we're just coming out of the gate like that was great. That was really so you're saying for me, my
competition is good and I like it. I think it is good. I do think competition is good.
Absolutely. Absolutely. 1.3s
Even so, the company doesn't exist a long time. If you can go back a year, what do they advise you give to yourself? The potential to do something different. 1.6s
I would actually say we should have done more customer conversations and tried to get more customers on board at the beta stage. I mean, I think six has been great, don't get me wrong. We and we've worked with them and we've engaged with them. But there's a reality that, like sometimes other priorities pop up. And so even from those six, there's a couple that aren't, you know, responding all the time. So like expanding the pool of beta participants early on, getting a little bit more feedback early on, and also having some buffer for customers who might need to drop out for one reason or another. That would be something that I would definitely advise people to do is like, there's this saying I heard a few years ago that's like a good entrepreneur builds a product and finds customers, a great entrepreneur finds customers and then solves their problem. And I would say, like, you could find even more customers to solve the problem for early on. So that would be one thing. Another thing that I would say is like. 1.9s We've definitely wasted some time with certain things, like we started with a placeholder name early on and we just got going, and we probably spent more time and effort on thinking of a name than it might have been worth. I like the name that we ended up with in the end, you know, but we had to change away from this. We spend some money on it. We spent a lot of time on it. I mean, yeah, I'm not sure that was like the best time investment that we had. You find a name that's good enough. Like, good enough is good enough. Just get going.
Okay. We're going to move to a dark side. So dark side of the show is when we talk about stuff that didn't go well and forever. Thank you for listening. Please continue listening. Eventually this part maybe will be a part of Patreon. Close, but for now, it's still open. So Jeremy, tell me about stuff that didn't go as you expected that customers meeting VCs, you know, have to mention. But we do understand that not everything is smooth, and everybody I speak with in the podcast always stays as an up down up down up down
For sure. Yeah, most of the time it feels like. 2 to 3 steps forward and one step back. That's the normal thing. And that's like week by week. Usually every week there will be a couple of things that go well and a couple things where you think like, ah, crap. I think the one that sticks with me so far is um. 1.9s We had our initial round defined, laid out, most of it allocated and so on. And then we decided, because of the financial markets, that we had an opportunity to actually expand the round size. And did we really want to do that. And there's a whole set of calculations behind whether you want to do that or not, including like founder dilution and so on. Right. We ended up deciding to expand the round size, and we started going through that process. So we had to go through another round of VC pitches. We had one VC that said yes every step of the way until the final moment, and they said no. And it left us with a chunk of equity and investment that we needed to fill at the pretty last minute. And I think it was actually completely foreseeable that this would this VC would not work out. But we listened to the signal instead of also digging into like do it deeper. Like if you talk to a customer, you would go through a qualification process, right? And you would say like, really, is this customer a good fit for us? But when you go through the VC side, you kind of you want to hear. Yes. So when you hear that, yes, you say, yeah, that's great. And you don't really examine or question it or challenge it. Right. And like we did that, we made that mistake and it left us in a position where towards the end of the round, we ended up having to like go back to some of our existing investors and say, hey, look, this happened and it's bad, right? It's bad from the standpoint of like, we now don't look like super professionals, like we did our job as founders to really, you know, to really do that challenging, but also then you have to go back to people who had already gone through the process of approving how much money they were going to invest in you and asking them to give more. And that's not necessarily like a great look, you know, kind of sets the precedent or may set the precedent that later we're going to come back asking for more money when, you know, that's not the yeah, you know, it's not kind of the confidence you want to project to your investors.
One of the founders that I was interviewing a couple of weeks ago, he told me that he learned that you need to treat VCs as a sales cycle. If it doesn't work. Yeah, it doesn't make just move on and don't let them drag you. And it's an interesting point. Funnily enough, I'm working right now on a presentation on how better to sell in US for sales engineering. I'm talking about soft skills and presentation this week, and one of the things I'm going to start the presentation with is. 1.2s People remember how you make them feel versus what you actually told them. And I think it resonate to what you're saying. He was saying. Yes. But the feeling you got from him was not the yes, it was something else.
I mean, for the first couple of conversations, we felt good with the yes. And it was only kind of looking back that we realized like, yeah, that was a false yes, that we were feeling. It was like the wrong feeling without any substance behind it. I think the point that you raised about treating VCs like a sales cycle, 100%, and we kind of did that. We actually put all the VCs into kind of a pipeline in Trello, and then we were moving them across from column to column. But what we weren't doing was like, when you do a sales pipeline review, you don't just look at the deal, you look at all the qualifying questions, right? You ask the customer, like, and you confirm again and again, is it this amount, is it this timing? Is it this set of use cases. We didn't do that deeper qualification on them. Yeah. We moved them like from stage to stage in our pipeline. But yeah it never qualified deep.
Right. Anything else you want to add?
I mean there have also been of course, customer conversations. There have been product conversations. There's been, you know, a false start on hiring a couple people that, you know, didn't, you know, join the organization and then or one who didn't join after saying they were going to and one that, you know, that joined but then left after a couple of weeks. And you find those things those are, I think, quite normal for a lot of startups. So nothing in particular that I think was a huge eye opening learning lesson for us there. But but on this VC side, that was the one that's really stuck with me.
Got you, gentlemen. Thank you very much. A lot of interesting and good advice. I really enjoyed talking to you today. And good luck in journey, guys.
Jeremy
Thanks so much. It's been a pleasure, Evgeniy.
Evgeniy
Thank you for everybody listening. Thank you very much. Please join in the next episode and we'll talk to you more soon.
