In this episode of the AlchemistX Innovators Inside Podcast, host Ian Bergman interviews Roey Eliyahu and Michael Nicosia, the co-founders of Salt Security—the company that defined the API security category. From Roey’s fearless one-way flight to Silicon Valley to the duo’s customer-first approach that led to $280M in funding and a client roster full of Fortune 500s, this episode offers a masterclass in startup grit, product validation, and enterprise go-to-market strategy.

Here are the five biggest takeaways for anyone building a startup or scaling enterprise innovation.

1. Validate the Problem Before You Build the Product

Roey didn’t just have a great idea—he had a market signal. After spotting a surge in API-related security risks during his time in Israel’s cybersecurity units, he landed in Silicon Valley and immediately began validating the problem with real CISOs. Instead of pitching, he asked:

• “Is this a problem for you today?”
  

• “How are you solving it now?”

• “If you could design the perfect solution, what would it look like?”
  
  Lesson: Before building, ask questions. Customer discovery is the foundation of any product that sticks.

2. Find the Right Early Adopters, Not Just the Right Companies

Salt Security’s earliest wins didn’t come from chasing large logos—they came from identifying individuals inside companies who were passionate about innovation. These early adopters were the same people advising other startups, experimenting with new technologies, and willing to take calculated risks.

Lesson: Your ideal customer profile (ICP) at the start isn’t a company—it’s a person who sees your vision before the market does.

3. Make Complexity Feel Simple

The API security problem is inherently complex, but Salt won early customers by delivering simplicity:

• Instant discovery via AWS integration.
  
  
  
• A no-code policy hub for posture governance.
  
  
  
• Clear ROI through attack blocking and vulnerability remediation.

Lesson: Innovation is about reducing friction. The easier you make adoption, the faster you scale.

4. Align Your Company Goals with Customer Outcomes

Salt Security’s internal metrics aren’t just about ARR or churn—they include:

• Number of attackers blocked
  
  
• Vulnerabilities fixed
  
  
• Operationalized integrations

By tying internal success to customer value, they ensure that every team—from engineering to customer success—is focused on delivering outcomes, not just features.
Lesson: If your customer wins, you win. Structure your company to reflect that.

5. Security Is an Imperfect Art—Be a True Partner

No security solution is bulletproof. Salt knows this and goes beyond the tool with hands-on incident response, custom threat analysis, and proactive support. Their customers don’t just get a product—they get a committed team.

Lesson: In critical spaces like security, trust matters as much as technology. Be a partner, not just a provider.

From API discovery to scaling a global security company, Roey and Michael’s journey with Salt Security is a blueprint for founders and enterprise leaders alike. Their relentless customer focus, ability to adapt, and obsession with solving the right problem are what set them apart.

Have a question for a future guest? Email us at innovators@alchemistaccelerator.com to get in touch! 

Timestamps

🎙️ Introduction to Roey Eliyahu and Michael Nicosia (00:00:00)

🚀 The Bold Pitch: How Roey and Michael Met (00:03:05)

💡 The API Security Problem: Early Market Signals (00:06:19)

🧠 Validating the Idea Through Customer Conversations (00:08:19)

🛡️ Defining the Problem: Discover, Govern, and Protect APIs (00:11:04)

📊 Prioritizing API Security Challenges: Discovery vs. Governance (00:13:01)

🔍 Finding the First Customers and Early Adopters (00:14:35)

🧩 Mapping Out the Ideal Customer Profile (00:17:17)

🎯 Reducing Risk for Enterprise Buyers (00:21:17)

🧪 Making API Security Simple and Scalable (00:24:15)

⚙️ Aligning Internal KPIs with Customer Success (00:26:18)

🔮 The Future of API Security and What’s Next for Salt (00:29:32)

💬 Final Advice for Founders and Enterprise Buyers (00:33:11)

Full Transcript 

00;00;14;04 - 00;00;38;11
Ian Bergman
So welcome to season six of Alchemist x innovators inside the podcast, where we explore the world of corporate innovation and dive deep into the minds and stories of innovation. Thought leaders crafting the future. I am your host, Ian Bergmann, and if you're an innovation agitator like me, then this is where you want to be. Right. Michael, good to see you today.

00;00;38;11 - 00;00;39;09
Ian Bergman
Happy Friday.

00;00;39;12 - 00;00;41;20
Roey Eliyahu
Friday. Thank you. Happy Friday.

00;00;41;23 - 00;00;59;10
Ian Bergman
Yeah. Well, hey, thank you for joining us. Welcome to Alchemist x Innovators Inside. I know you gentlemen are involved in an extremely busy point in your lives running a scaling startup. So thanks for thanks for taking some time. I'm looking forward to the conversation.

00;00;59;17 - 00;01;01;10
Roey Eliyahu
Likewise. Likewise.

00;01;01;12 - 00;01;29;01
Ian Bergman
So by way of introduction, maybe for folks who who don't know you, who don't know Salt security, I am really pleased to have on the innovators inside today, Roy Elliott who the CEO and co-founder of Salt Security, the API security category creator, and Michael Nicosia, CEO and co-founder of Salt Security. So, gentlemen, again, thanks for coming on. Really curious to learn more about your journey.

00;01;29;01 - 00;01;41;16
Ian Bergman
So I'm wondering if maybe you could tell me a little bit more about how you came to be kind of sitting across the table from me today. How did you get to where you are? Nice big question. I'll turn it over to you.

00;01;41;19 - 00;01;46;14
Roey Eliyahu
Wow. We can finish the, you know, the podcast with only the sensor.

00;01;46;16 - 00;01;46;26
Ian Bergman
Right?

00;01;46;29 - 00;02;19;25
Roey Eliyahu
So I'll go short just background and provide some context. So I was born and raised in Israel, started as an engineer or like started programing when I was nine, start to do a lot of freelance work when I was 11. So I was very deep in tech then. I was a recruited to the Army to the to the cyber security units, the intelligence units looking to build systems that defend their army and government infrastructure from a lot of attacks, cyber security attacks, of course, and, releasing APIs, going as a major attack vector.

00;02;19;26 - 00;02;44;13
Roey Eliyahu
And you can double click on what specifically what were the signals that, hey, there's a new problem that didn't exist before, but I started to have this idea for for solving that problem. And basically the first thing I did, literally three months after, had the idea, I took a one way ticket to the Valley. In retrospect, like, I don't believe myself because it was so crazy.

00;02;44;13 - 00;03;05;00
Roey Eliyahu
I didn't have money in the bank like a few thousands of dollars, and that's it. And I and that's it. I took a one way ticket. I slept in some very bad and someone's Airbnb for a 10th of the cost then, and I was looking to validate the idea and had some quick demo and that's it. And I actually targeted Michael because I knew nothing.

00;03;05;02 - 00;03;31;28
Roey Eliyahu
You know, I'm talking about eight years ago, I knew nothing about what is to build in, you know, cyber security company or what is to sell solution, how to go to market, how to market it, how to message it. And I was looking for what big successes of exits in Israel at the time existed. And one of them was an alarm that acquired by Microsoft over, $320 million and became big success in Microsoft.

00;03;31;28 - 00;03;50;04
Roey Eliyahu
Now was looking, okay, let's see who was leading it to go to market function. Then I saw Michael's name and I would say, okay, let's see how early join. And then I saw that it was from day one before there was any revenue. And then I said, okay, I got to meet this guy, and I was looking for ways to get connected with them.

00;03;50;06 - 00;04;11;24
Roey Eliyahu
And I literally kind of found like two different contacts. One is, Assaf, the CEO today known as the co-founder of CEO of with at the time, he was the co-founder of Avalon. And, another person that worked for Michael in the past. I asked both of them to introduce me, and I got to know Michael just after the Adam exit.

00;04;12;00 - 00;04;25;24
Ian Bergman
That's so good. I want to I would, I actually, I want to interrupt because I want to I want the other side of the story, like Michael at the time. Okay. So like talk about the spirit of, well, actually Silicon Valley, but frankly, also like Israel, like we're going to figure it out. We're going to go we're going to.

00;04;25;24 - 00;04;33;00
Ian Bergman
So so this this guy is coming at you in multiple different directions saying, I want to talk and I want to talk to you. What was that like?

00;04;33;02 - 00;04;52;28
Michael Nicosia
Yeah. So I mean, first of all, a humbling. But I remember because I just took this massive journey for the last three and a half years. We just got bought by Microsoft, and I'm getting emails from both Ossoff and another mutual of Haris. And I'm like, you know, this guy wants to meet you. And I'm thinking, okay, why?

00;04;53;01 - 00;05;15;12
Michael Nicosia
Right. I kept asking questions. I remember Assaf saying, hey, meet Roy, you'll love him. And and I did. I took the meeting. I mean, I remember it was like our first month at the new Microsoft, offices off of 101 here in San Diego. And we're in the eighth floor. The top floor is completely empty. Except me. I met Roy at that office.

00;05;15;12 - 00;05;35;10
Michael Nicosia
I brought him in, and I'm like, hey, what? What's up? And, you know, he told me about his idea. And as he was telling me about this idea, I just thought to myself, wow, this pretty amazing. And we literally spent like 4.5 hours. And I remember at the end and I said, hey, Roy, that sounds amazing, but why are you telling me all this stuff?

00;05;35;12 - 00;05;41;12
Michael Nicosia
And he's like, because I want to start a company with you. And I just, you know, I was like, taken aback.

00;05;41;14 - 00;05;58;19
Ian Bergman
I love I love this directness because we often get like, we get so lost up and kind of overthinking and planning like, this was a very precise, action oriented, like we're going to figure out if we can build a team and fail fast, right. What did you pitch them like? What did you say? Did you did you pitch a problem or did you pitch a solution?

00;05;58;21 - 00;06;19;17
Roey Eliyahu
Both. I basically yeah, I was basically very eager to try to learn as much as I can, you know, you know, somebody once asked me, what's your super skill like how you started at age of 22, like, very young, the company I was, like, just to learn as fast as they can, adapt, adapt, adapt, absorb. So I wanted to always attach myself to the best ever.

00;06;19;18 - 00;06;42;10
Roey Eliyahu
Every domain and soak as much as information I can. So I met with Michael and I told him, let me tell you like this story. And I opened like a quick slide deck that I prepared. And I told him, like, here's the problem, and I can go into it. But here is what's changed in the technology landscape. And I think we are the very beginning of API security problem.

00;06;42;12 - 00;07;01;07
Roey Eliyahu
It was 2016. It's like, was this more like this? Like very small. But I told them it's already showing a lot of incidents, a lot of breaches. And let me tell you, Michael, why it's going to be an enormous problem in worth the trend. And then I talked with internally resonated with Michael because he came from the cannabis space.

00;07;01;09 - 00;07;23;16
Roey Eliyahu
Casserly was all about securing, like the adoption of SaaS applications. So they were protecting the user side. They were protecting, you know, the employee using Salesforce or Office. 365 I told them, but what about protecting the SAS application itself, the obviously 65, the Salesforce and all these companies that every new company is now a SaaS company in 2016, wasn't that trivial.

00;07;23;20 - 00;07;40;08
Roey Eliyahu
And and the expansion to microservices and, and you know, and all these things that kind of create an explosion in the amount of APIs you have to create a lot of challenges. So it resonated with Michael. Then he asked me, okay, what's your solution for it? And then I talked with him about how we can leverage big data and AI and so on.

00;07;40;08 - 00;07;59;26
Roey Eliyahu
A lot of like new innovations in order to solve this problem, this new problem that, you know, when the previous tool tried to solve it, like the WAF companies, the application firewalls, it was early 2000, the threat landscape was different. The technology was different. So that the box in line and you still have a box line in the cloud and it's all here.

00;07;59;26 - 00;08;19;12
Roey Eliyahu
We can do something different here. We can do with clouds. They did for the antivirus. We can do the same for API security. We can leverage big data in AI and to be able to address the threats of today, not of day, only 2000. And he said, you know what? That sounds amazing. Let me take you to a few of my customers.

00;08;19;12 - 00;08;27;17
Roey Eliyahu
Yeah. And I want to hear their feedback. Right. And that's what we did. And we started to essentially work together in following until was formal.

00;08;27;17 - 00;08;48;21
Ian Bergman
And what what did the customer say? Just because that is like again, that is such a like beautiful entrepreneurial approach, right. Like validate but also just hear the life for the customers. What were the customers saying? Because you're right at the time, obviously APIs existed head for a long time, but the surface area, was nothing like what we see today.

00;08;48;21 - 00;08;50;13
Ian Bergman
Exactly. So what did you hear from customers?

00;08;50;13 - 00;09;18;06
Roey Eliyahu
I think we so Michael took us like to the more sophisticated customers what he believes to be more an early indicator of the market or same problem. But before anyone else. And the feedback was really positive, like one. It's a real problem too. We like it approach. The only problem they had is I think you need to educate because that's not a it's not something that the entire market knows, but it's it's by the CEO.

00;09;18;09 - 00;09;49;11
Roey Eliyahu
Like you're not trying to solve. Imagine any problem. It's real. It's going to go it's going to get worse and worse the more you innovate faster. We didn't even think about journey AI and the implications to creating APIs with a click of a button and a few problems. I'm not talking about that just even before that. Just like Kubernetes, the microservices, everything that you know, it reminds me this, you talking about guilty pleasure before, you know, in some apps is, I don't know if you know, these videos that you see in spider, somebody tried to kill like, and it's kind of bleak to like thousands of small spiders that run away.

00;09;49;12 - 00;10;11;18
Roey Eliyahu
Yep. Like we looked at monolith application. We said that's like Kubernetes with monolith application. Just dig down to 100 of services in gazillions of API. Just moment one API, the change on a yearly basis. So we saw like a massive change that we say how companies can discover all these APIs can manage these APIs. So it started to kind of have a compounding effect on the problem.

00;10;11;20 - 00;10;27;02
Ian Bergman
Was this a future problem for them though? Or was this like where the people you're talking to is sitting there going like, this is existential. I am worried about this today. Or was it more kind of like academic curiosity, like, oh yeah, you're right. Like this is going to be a real problem.

00;10;27;04 - 00;10;47;12
Roey Eliyahu
It's looking at a spec. I judge it differently. Sure. And Michael can give you steak. I think they said it's a problem today. Knowing what we know today. Like I will put a lot of doubt in like. Yeah. Because in it they said that that it's a problem they have today. But in order to know if they will pay for it today, like I said, yeah, we'll pay for it today.

00;10;47;12 - 00;11;04;10
Roey Eliyahu
But yeah. So they will ask more sophisticated questions. And it's good that we did by the way, because otherwise we're not starting the company topic because we didn't realize it. We are solving a problem that that will be mostly for most people like three years from that point. Yeah, 2 to 3 years. But you have time to build the technology.

00;11;04;13 - 00;11;16;00
Ian Bergman
Okay. So give me the one line of the problem that exists that you have honed and understood over the last and number of years.

00;11;16;03 - 00;11;41;04
Roey Eliyahu
It's discover governance and protect the APIs. Yeah. And the simplest way for me to explain to anyone when I talk to my cousin or whatever, not from tech is think about it. Companies are building in all the doors and windows are APIs. Yep. In the old days you had one door. No windows, just one door. You put a security guard at the front.

00;11;41;06 - 00;11;58;07
Roey Eliyahu
Today, with so many APIs, you have tons of buildings, tons of doors. So windows we help companies map, first of all, where they have windows. Well, they have doors. Will they have any path to get in the second we opt in to government. So we tell them you're missing a lock here. No, this window is open. You know, it's this glass is horrible glass.

00;11;58;07 - 00;12;16;28
Roey Eliyahu
You can easily break it. So we help them to be proactive about their security. And lastly, we detect any attackers that try to break in. So anyone try to break the window, break the door open. You know, the lock. Whatever it is we'll tell them, hey Ian, he's trying to hack like now at the front gate before they entered the yard.

00;12;17;01 - 00;12;24;13
Roey Eliyahu
Make sure he's not coming in again because he doesn't have a good intent and he has malicious intent. So that's like the simplest way to explain what we do.

00;12;24;15 - 00;12;35;29
Ian Bergman
Well, and it's such a good metaphor. And I think, you know, in my mind you can actually kind of extend that metaphor because, yes, there's more doors and windows and all that good stuff, but there's also more people who are allowed to create doors and windows, and.

00;12;36;02 - 00;12;36;06
Roey Eliyahu
It.

00;12;36;06 - 00;13;01;04
Ian Bergman
Starts proliferating. And I think, you know, discover, I think is probably one of those words that it may or may not surprise your customers, but I suspect it will surprise a lot of our listeners, like just discovering the surface area of these connections that the engineering teams have built to the outside world. In your mind today, like how do you stack rank these problems like the the features is discovery.

00;13;01;04 - 00;13;04;02
Ian Bergman
The issue is protection. The issue?

00;13;04;05 - 00;13;27;24
Roey Eliyahu
I think that it's honestly means the, the magnitude of the problem more is like the order of problem needs to be solved. And you have to discover because you can protect what you don't know. So it's absolutely like a foundational step. But discovery by itself doesn't reduce so much risk. Right. The posture governance piece is the it's the part that they need to do this knowing that you have a open window, it's a prerequisite to to lock the window.

00;13;27;25 - 00;13;51;05
Roey Eliyahu
But if you don't lock it, you know, you didn't reduce a lot of risk. You just know which kind of makes it worse. At least you are now concerned and you don't do anything about it. So I think like posture, governance is definitely like the number one that if I'm a company, the best ROI for effort to value to risk reduction is posture governance like discovery and posture governance for all these APIs.

00;13;51;06 - 00;13;55;09
Roey Eliyahu
Yeah, yeah. Then you start to detect threats. Yeah. Sorry. Go ahead Michael.

00;13;55;12 - 00;14;26;21
Michael Nicosia
Yeah I was going to say think of it in as like a crawl walk run type of scenario. Right. You can't run before you crawl, right? So if you think about from a discovery perspective, understanding, you know that that threat landscape is critical. And then obviously the posture governance side of that follows from a lock perspective. And then as you're ready then you obviously want to run and protect, you know, the APIs that are already in production.

00;14;26;21 - 00;14;35;01
Michael Nicosia
So we always look at it as more of a journey. And it always starts with you know, crawling, which is the discovery aspect.

00;14;35;03 - 00;14;56;07
Ian Bergman
100%. And so, you know, Michael, maybe a little bit of a pivot, but building on on some of this crawl, walk, run, I want to I want you to continue to reflect back to your early days. I'm always really fascinated by, you know, the question of, do organizations understand they have a problem? Do they prioritize it, and what does it take for them to invest against it?

00;14;56;07 - 00;15;15;20
Ian Bergman
Right. Because you can only like you can only focus on so many issues at once. So when you're kind of in your early, early days, who did you think your customer was? Did they did they care enough to take action? And how did how did that change? How did the understanding of your ICP change, maybe over the first year or so?

00;15;15;23 - 00;15;36;14
Michael Nicosia
Yeah, it's a great question because and the the trick in the early days is to validate, you know, that there is a problem. How big is that problem? And are are people willing to spend money to solve that problem? So, I mean, Roy and I spent a ton of time in terms of who's going to care about this and who's the buyer.

00;15;36;14 - 00;15;59;22
Michael Nicosia
And we need to think about security perspective. You always think about, you know, the ultimate decision makers to CSO and you always want to get to that CSO individual because they usually, you know, hold the budget associated with that. So what we did and this was, I think critical and I had done this, you know, at all along is, you know, you know, Roy and I sat down and took a look at all my contacts from a CSO perspective.

00;15;59;22 - 00;16;18;14
Michael Nicosia
And there is many, which is cool and we started to map out, okay, who do we want to go and reach out? And as Roy mentioned, you know, we were looking for early adopters, like thought leaders that would get this problem right away. And then the trick is all about going in and you're not trying to sell them anything.

00;16;18;14 - 00;16;37;20
Michael Nicosia
You're trying to validate that there is a problem in the market. And you know, how big is that problem to you specifically with services? She said, sure, sure. And then if they say, yeah, I have this big problem, how are you solving it today? Right. And it's usually either manual or no, we don't we don't know how to solve it.

00;16;37;20 - 00;16;56;23
Michael Nicosia
Right. And then it's like, so if we gave you a canvas and you were to paint a perfect picture of how you would solve that problem, what would that look like? So you give a and the reason why you say that is because you want to get that buyers kind of first opinion or first diagnosis of how they would go and approach that.

00;16;56;25 - 00;17;16;27
Michael Nicosia
And what you're really doing is you're validating everything that you want to build in the product to make that solution and appetite for people to buy. And then the last question is, obviously, if you had that, you know, how how much is that worth to you? And then that's when you can start determining, you know, kind of where you could, you know, pitch in terms.

00;17;17;01 - 00;17;17;12
Michael Nicosia
That's when.

00;17;17;12 - 00;17;17;21
Roey Eliyahu
Things.

00;17;17;28 - 00;17;19;16
Ian Bergman
Commercial is the size of.

00;17;19;23 - 00;17;41;08
Michael Nicosia
Your customer. Yes, definitely. I mean, obviously we always want to target to CISOs. I mean, they're, you know, if you look at any security landscape or opportunity, it's always the CSO that ultimately makes decision decisions. Obviously, there's a whole bunch of individuals underneath the CSO that would actually take a closer look at, you know, the solution and what it does and features, functions and all that stuff.

00;17;41;13 - 00;17;57;15
Roey Eliyahu
And I think on the, the your point on. So first of all, absolutely. And, and of course, we always want to talk with the person that he's the person that decide, the person that cares most about this problem. It gets an application security, security architect and so on. But when I look at, you know, many founders consult with it.

00;17;57;15 - 00;18;19;10
Roey Eliyahu
It says, hey, what should be ICP, how you look at I said, look, as an early stage start up, your ICP as a person. It's not a company. In fact, you cannot say it's, oh, I need the airlines and the tech companies. I need this size. It's not relevant. Like you want to look for people. The arts have banners inside organizations, the down looking to see what's the latest and greatest.

00;18;19;13 - 00;18;41;24
Roey Eliyahu
They want to, you know, they are the ones that trying the the Apple Vision Pro when it comes out. Like they want to extend like the best technology and be ahead of the market. Many of our early stage customers actually became founders of cybersecurity companies. Some of them sold it for hundreds of millions of dollars to companies. So you can see the persona of that eager to be part of innovation they want to influence.

00;18;41;24 - 00;18;55;10
Roey Eliyahu
How are you going to build the solution? Right. And they're willing to take some, you know, that it's rough around the edges. It's early and all of that. It doesn't. They have like fancy are back in the 40s. But as you evolve it change. Right. And there's something.

00;18;55;10 - 00;19;16;07
Ian Bergman
Really special about that profile of customer. But I'll say like they're rare and I'd say people like that are rare, like at the global scale for a reason. Right? There's a lot of forces that conspire against the ability of even a senior executive to take risks, be curious, be engaged with with the new startup, how how did you manage that?

00;19;16;07 - 00;19;22;25
Ian Bergman
Was it just all about like trying to find those curious people, or did you have some other approach to be able to, you know, sort.

00;19;22;25 - 00;19;23;10
Roey Eliyahu
Of.

00;19;23;13 - 00;19;25;19
Ian Bergman
Filter for folks who would take a risk?

00;19;25;21 - 00;19;37;21
Michael Nicosia
Yeah, I mean, it's it's a numbers game, right? I mean, because it's always interesting at the very beginning, getting to your first customer, your first ten customers, it's probably the hardest thing in the world. Right.

00;19;37;21 - 00;19;47;27
Ian Bergman
So how did you qualify at. One of the smartest things I ever heard was a founder who told me their story of how they qualify out a prospective customer in three questions. What was your approach?

00;19;47;29 - 00;20;05;13
Michael Nicosia
Yeah, the same. I mean, you you want you know, obviously I was going to say like, you know, we we looked at maybe, what, 30 to 50 CISOs that we wanted to go after. And, you know, going through all of these things, it's always, you know, the question is, you know, we think we have this problem in the market.

00;20;05;13 - 00;20;11;28
Michael Nicosia
What are your thoughts? And the quick qualifier out is I don't think that that's a problem. Right. So that's.

00;20;11;28 - 00;20;12;12
Roey Eliyahu
Easy.

00;20;12;13 - 00;20;28;16
Michael Nicosia
Right. So it's really you know it's that. And then you know obviously you know a lot of times they said yeah I think it's a problem. The second part of it is how big is that problem. Obviously if they think it's a small problem you want to qualify that that right. It's so it's it's just easy to get.

00;20;28;18 - 00;20;29;21
Ian Bergman
It's all about that problem.

00;20;29;21 - 00;20;56;04
Roey Eliyahu
Engagement. Yeah. And I think in that, you know like my advice to anyone looking to go through these phases besides like the numbers. Right. It's like there is a common theme for these people. They are often an advisory board of startups that are often on the testimonial stage of early stage startups. And you'll see the same folks appears in multiple startups that are typically advisors to be seeds that are in stage right.

00;20;56;04 - 00;21;17;11
Roey Eliyahu
So there is a lot of like common characteristics of of these people that probably say, okay, he he's an early adopter. I think that's kind of the first part. The second part, I think, is to make it as easy as possible for them to test or to give feedback or to partner with you if you are okay. I found this person, but like you said, there is a risk to their job.

00;21;17;11 - 00;21;39;07
Roey Eliyahu
You need to eliminate this risk. You need to oh, let's do it in QA environment where you don't have let's, let's let's do it offline. Like what. Depends on what you do like but like the court some files and send it to us will show results based on the files offsite recording or something. Whatever it is like, you try to really load the bar in the risk of somebody just take time and you don't create risk for them.

00;21;39;09 - 00;21;57;04
Ian Bergman
I think that's actually a really important point I want to double down on, because it's something that I think is really hard to understand sometimes coming from the startup environment is that the number of risk management forces that exist in your customers, it's insane. Right? Like procurement, it legal, not getting fired like it's all a risk management function.

00;21;57;05 - 00;22;20;07
Ian Bergman
And you know, your customers are constantly kind of fighting the tension, the tension of moving forward while managing risk. So I love how you kind of framed that as like, how do you burn down the risk for them as much as possible. So Social Security, you know, you've done very well. You're scaling well, you're defining the category. You've raised 280 million, including from from top name investors.

00;22;20;10 - 00;22;40;10
Ian Bergman
And I think maybe more importantly, you have a long list of customers that you're bringing a real impact to. When when did you know that? You know, what was the moment when you realized, oh, like our approach is working and what is it that you realized is working, but that makes you stand out in the market?

00;22;40;12 - 00;23;04;05
Roey Eliyahu
Yeah. It's, like the cynical side of me saying it's working, and then you break it and then it's like at this stage of the company, you kind of you learn, like you adjust, adapt yourself. And the market is changing. Evolving, by the way, it's not static. So but if I'll take like the serious answer of, okay, what's really set us apart in the market, I think in a very high level we are very, very customer focused.

00;23;04;07 - 00;23;30;24
Roey Eliyahu
I think like a lot of companies talk about it, but they don't practice it. So when we are going to partner with someone, say partner on purpose, not selling to someone, we put a focus of how we created the successful API security plugin or our solution. It's a big component of it, but it's not. The only part is how you implement it, how you onboard, how you operationalize it within their ecosystem, how you make it easy for them to see the value from your solution.

00;23;30;26 - 00;23;50;06
Roey Eliyahu
And if you think about that, you need to structure a company accordingly. You have to have it teams that have expertise for it. We have security research team. It's not mandatory. But if you want to define to to to detect the latest and greatest threats, you have to research upfront. Of course, if you want to innovate. So there's a lot of things you need to put a lot of investment.

00;23;50;08 - 00;24;15;08
Roey Eliyahu
But if you think about just on sending a solution, it's it's not required. But if you're thinking about kind of going to be company, you need to put that in place. Now if I go a level below for a product perspective, we simply build things that because we are so customer focused, we identify the problems or the challenges first, and it allows us to really orient our solution accordingly.

00;24;15;11 - 00;24;38;19
Roey Eliyahu
So for example, we have today the like the fastest way to discover is like you can literally minutes. If you have an AWS account or cloud account, I can give you our our platform. You can connect to it to more like instantly and get all of the value and things you need to fix. Yeah, well, other companies that have more complex I say like process their of deploying traffic collection.

00;24;38;20 - 00;24;55;03
Roey Eliyahu
It's like a lot of complexities. And then the last point I will make like posture governance. We mentioned it a lot like we're all you're missing locks and opening windows. Every company in the space tells you here is a here's an engine, build it yourself. Build whatever you want to sell. You want to build this, this governance.

00;24;55;03 - 00;25;16;28
Roey Eliyahu
Like open windows, you need to define it. And so, so forth. We said, let's build a policy hub, let's create an app store. So instead of they build like each company needs to build it and it's 80% the same. We will give you a policy hub. You can click to apply. So a lot of things like that that we just made it easy for them to reduce rates for their API.

00;25;16;29 - 00;25;25;01
Roey Eliyahu
It sounds simple but but there's a lot of nuances and complexity to how you make a problem or the solution. Very simple to solve.

00;25;25;03 - 00;25;55;01
Ian Bergman
You know, there is and I actually think that's a really interesting point, right. Like there's a ton of complexity that sits behind simplicity. But the I love where you're going, I'm going to articulate this so poorly. But there is a statement that's been resonating with me for a very long time. Right? That is, if you can't predict what's going to happen in the future, like with precision, and it's impossible, you cannot predict what the next security gap or API vulnerability or, you know, bug was discovered is what can you do?

00;25;55;02 - 00;26;18;07
Ian Bergman
You can prepare. So it sounds what I hear is it sounds like you're giving a kind of a preparation template and support services along with your products and technology to say, like, how do our customers have confidence that they are well prepared from both a defensive but also a response perspective is that is I poorly said, but is that a fair articulation?

00;26;18;09 - 00;26;40;27
Roey Eliyahu
Yeah, I think it's like hitting the point. But it's also I think the other part is we also aren't talking about company building. We put the incentives and goals aligned to the customer goals. So for example, if you look at our customer success teams, their their goal is not just, hey, retention of customers, it's the usage. Yep.

00;26;41;00 - 00;27;08;20
Roey Eliyahu
How many attackers they've blocked, how many vulnerabilities they fix. That's the main KPI because we know if somebody blocking attacks and fixing vulnerabilities, they see value. If not, it means something block. Then maybe it's not connecting to their ticketing system. Maybe they don't. They need some education on how to fix something, whatever it is. But we want to align all with our interest in how we measure ourselves and put goals for people in the company that align for the customer interest.

00;27;08;23 - 00;27;29;29
Ian Bergman
So as somebody who's built, you know, a whole career in the security space, how do you deal with what seems to me to be kind of the obvious, but also really frustrating question that's going to come up, which is, you know, how do you guarantee prevention or maybe better said, like what happens when they get through the walls because it's going to happen, right?

00;27;30;01 - 00;27;32;24
Ian Bergman
How do you deal with that set of questions?

00;27;32;26 - 00;27;42;19
Roey Eliyahu
I don't know what you're talking about. Never happened. And I'm saying that's, by the way, never not going to voids. I cannot, you know, jinx us. But but but this has.

00;27;42;19 - 00;27;56;12
Ian Bergman
Come up in your customer conversations like this must this must come up in terms of a like, you know, security is generally an imperfect art, right? Every wall can be held eventually with given sufficient resources.

00;27;56;14 - 00;28;20;02
Roey Eliyahu
Yeah. So I'll give my quick take. And Michael, please add that my quick take. Is that what we have experience and we have some miles. We are in hundreds of companies. Fortune 500 across like the biggest sectors. There are incidents that we detect. We always have full the list. A lot of indication on our platform of these attacks and data and so on, so forth.

00;28;20;04 - 00;28;43;14
Roey Eliyahu
That alert to them sometimes you don't have, like in the worst cases, you don't have everything super clear laid out. Right? That's like the worst. I'm not talking about the obvious day to day cases. So what we did, talking about the same approach. We have sick ops team that actually will join incident response meetings of the customers and help them and investigate what is happening even outside of our system.

00;28;43;17 - 00;29;01;28
Roey Eliyahu
And you'll gather some more Intel internally with us and help them with their incident to help them investigate until they get to a resolution. So basically, our message to customers is like, look, we have a partner for you, which means we're going to help you in any way shape possible because we want you to be successful. Because if you are successful, we are successful.

00;29;02;01 - 00;29;14;27
Roey Eliyahu
So if it means doing things beyond our solution, if it's to give you data that is not maybe visible here, if you need certain logs, you go up to our expertise. Whatever it is, we are there to help you solve this problem.

00;29;14;29 - 00;29;30;05
Ian Bergman
Whatever it takes. And what maybe gets overlooked sometimes, but I think is really is probably pretty powerful, is that that commitment to that individual customer is also a commitment to all of your customers in that you're going to learn, you're going to stay at the cutting edge of threat, understanding, etc. it's a wonderful set.

00;29;30;10 - 00;29;31;02
Roey Eliyahu
Exactly.

00;29;31;05 - 00;29;32;05
Ian Bergman
So look.

00;29;32;09 - 00;29;32;27
Michael Nicosia
What.

00;29;32;27 - 00;29;55;22
Ian Bergman
Is your kind of coming to the end of the discussion here? But you built a fascinating company, but you are in an evolving space, right? What is on your radar? What is sort of is it a threat landscape issue? Is it a technological change issue? Is it you mentioned Gen AI earlier. What's on your radar and what should companies be thinking about in the API security space today?

00;29;55;25 - 00;30;03;18
Roey Eliyahu
So I think, you know, we we have something big coming up from salt. And so unfortunately like we're just in a time where you're not sure that.

00;30;03;20 - 00;30;06;02
Ian Bergman
Oh but let's tease it. Let's fix it. Something to think.

00;30;06;05 - 00;30;29;29
Roey Eliyahu
About. But I will say, I think the biggest challenge in API security is how can you apply a solution so quickly. You get full coverage inside a very large organization. And something we're going to announce is related to how we're going to make it not twice as easy, ten times easier than anyone in the market to have API security for all their APIs.

00;30;30;01 - 00;30;32;14
Roey Eliyahu
So that's my TS. Oh yeah.

00;30;32;16 - 00;30;50;26
Ian Bergman
You know what? It's a great tease. Speaks to a very real problem. And it lets me ask this incredible question. So because, gentlemen, you guys are building something awesome. You're you're busy, you've got a company to run. We're going to get wrapped up here. But for the people who want to follow along, how do they follow you? They go to the website.

00;30;50;26 - 00;30;59;09
Ian Bergman
Do they hit you on LinkedIn? You know, is there a subreddit of your fans? Where do folks follow you so that they can stay on top of your journey?

00;30;59;12 - 00;31;29;03
Michael Nicosia
Yeah, I think all of the above them in the website, LinkedIn and we get we get webinars, we do blogs. I mean, you know, there's a lot of activity that both Roy and I, you know, are involved with. And we love this year, you know, insights and love they hear from you know obviously security folks that that are interested not only in the journey but what's happening in the landscape of security because there's a lot of things that is evolving as we continue to kind of migrate to where we want to get to.

00;31;29;05 - 00;31;33;21
Michael Nicosia
So, yeah, I don't know if there's any other avenue. Yeah.

00;31;33;23 - 00;31;59;04
Roey Eliyahu
Yeah. I think if it's for the technical part, like if somebody is interested in API security vulnerabilities, we have Salt Labs that do amazing super advanced publications on critical vulnerabilities that being found and showing the technical details like step by step, it's in our blog so they can follow their follow. Great content, as Michael said. And of course, for if somebody wants to connect with us, LinkedIn is great.

00;31;59;10 - 00;32;20;26
Roey Eliyahu
Probably worse than Michael. Michael is like like a machine responding to everyone. I'm slower. So definitely that's a great way to connect then. And one last thing I will say, which I just thought about if somebody is looking for starting somewhere in a very talking about very low bar, how to make it very easy, what we have something called solid surface.

00;32;20;26 - 00;32;40;14
Roey Eliyahu
So we actually you can go to our website. If it's not available there, you can contact us and we'll give it to you like a free, mapping of your attack surface. It doesn't query anything from you. You just say yes and we do it. And typically we see a lot of interesting gaps from the outside. We map through the internet all your API exposure, or at least and so on, doesn't acquire anything.

00;32;40;14 - 00;32;46;03
Roey Eliyahu
You just get it. I think it's a good starting point to know how your being viewed from the outside. Yeah. So that's our guest.

00;32;46;03 - 00;33;11;06
Ian Bergman
I'm going to straight up run that on one of our small systems as well and see how it goes. I appreciate it gentlemen. It's been it's been a pleasure. I really appreciate you coming on. Innovators inside. I'm going to put you on the spot for one more quick question before we wrap up here. Right. One thought for an aspiring young founder building their first company, do you have one additional piece of advice?

00;33;11;08 - 00;33;15;18
Roey Eliyahu
No fear. Like don't fear. Go for it. One. Just go for it.

00;33;15;24 - 00;33;16;07
Ian Bergman
Just go.

00;33;16;12 - 00;33;34;06
Roey Eliyahu
Yeah. Like if I knew what everything I know today, I probably would not have started the company because of the complexity of. The journey is so complex. You have highs and lows. It's super challenging. But this, this coming to the valley and don't think about, hey, will do in a year how it will work while doing three months.

00;33;34;06 - 00;33;43;29
Roey Eliyahu
I don't know I'll figure it out. Like just start. Worst case you fail, you pivot. But I would say that's my my advice.

00;33;44;01 - 00;33;51;07
Ian Bergman
Amazing. And Michael, one piece of advice for an enterprise buyer of, you know, early stage tech.

00;33;51;09 - 00;34;16;12
Michael Nicosia
Yeah I mean I think, you know, proving time to value as quickly as possible so that they see that I think is is is critical. I do want to state going back to to Roy's point, it's super hard to start a company but super rewarding. So understand that balance and making sure that, you know how to iterate as you go along.

00;34;16;12 - 00;34;30;19
Michael Nicosia
And that's super important, even as from an enterprise buying perspective and what you provide, there's so many iterations and know that you're going to fail tremendously before you succeed. And, having that in front of you, I think is super important.

00;34;30;19 - 00;34;31;16
Ian Bergman
Amazing. Yeah.

00;34;31;16 - 00;34;47;18
Roey Eliyahu
And as soon as Michael said it, I said, like, the advice four divided by 40 is fine or it can be the same is like finding the right partners for you. Even whether you buy something you want a partner. It's not about the tech, it's about the company who will be there for you. And it's the same for the other side.

00;34;47;18 - 00;35;06;01
Roey Eliyahu
For entrepreneurs. You want the early adopters. It's not just for your tech, it's for your initial investment. They will talk with the investors and talk about how big it is, how inspiring it is, how, how revolutionary it is. And you want the right partners. You want the people that believe in what you're doing almost to the same level that you believe in.

00;35;06;03 - 00;35;08;26
Roey Eliyahu
Right. So that's my quick take.

00;35;08;28 - 00;35;21;06
Ian Bergman
Those are wise words. Right? Michael, it was a pleasure. Thank you for coming on. Innovators inside. Have an incredible weekend and best of luck. I can't wait to, reconnect in the future and follow Social Security's journey.

00;35;21;07 - 00;35;24;21
Michael Nicosia
Thank you very much, Jess.

00;35;24;23 - 00;35;45;11
Ian Bergman
And that's a wrap for today's episode of Alchemist x Innovators Inside. Thanks for listening. If you found value in today's discussion, be sure to subscribe to our podcast and check out our segments on YouTube. Links and follow ups are in the show notes, and if you have questions you want us to feature in future episodes, email innovators at Alchemist accelerator.com.

00;35;45;14 - 00;35;50;04
Ian Bergman
Stay tuned for more insider stories and practical insights from leaders. Crafting our future.