From getting hacked to cybersecurity founders with Antoine Carossio and Tristan Kalos from Escape.tech Episode 61

· 30:59

Tristan Kalos:

Invest in content from day 1 and also, you know, having great interactions with the community. I think it has been responsible for a lot of new users, a lot of new business opportunities for Escape.

Jack Bridger:

Hi, everyone. You're listening to Scaling DevTools, and we're joined today by Tristan and Antoine from Escape.tech. So this is a company that got started after Tristan got hacked. Right?

Tristan Kalos:

Yeah. Thank you for having us today, Jack. Exactly. So Escape is an API security company for developers. We help developers secure their applications while they're building them, during the CI/CD.

Tristan Kalos:

And it all starts with a personal story, of course. So basically, when I was 19 years old, I knew that I wanted to create a company one day. So I went to the Bay Area and I started working for tech companies in San Francisco. And at some point, I was building chatbots. You know, it was 2017.

Tristan Kalos:

It was a trend. They were not at all as good as today. It was not ChatGPT or LLMs. It was very bad. And I was building chatbots and APIs for companies in the Bay Area.

Tristan Kalos:

And at some point, one of my customers calls me and says, Tristan, I don't get it. I cannot access the platform anymore. The application that you built, it's just broken. So I said, hey, I'm gonna take a look, you know.

Tristan Kalos:

I'm gonna see what happened. And I log in to the database. It was a MongoDB database. Again, 2017 trends. And the database was empty.

Tristan Kalos:

There was nothing in it. There was just one single message, which was: do not worry, your data is safe. In order to get it back, please pay 10 Bitcoin to this address. And there was, like, a Bitcoin address at the bottom of the message.

Tristan Kalos:

So, oh my gosh, I got hacked. The application was breached, and they sold all the data, and it was a very professional message with an explanation of how to buy Bitcoin and how to send it. So a very, very professional thing. Obviously, I had a backup, so it was not that tough for me at the time, but it made me realize how fragile the applications that we create as developers are.

Tristan Kalos:

And I wondered, what if I build other applications one day, and I wake up and there is nothing, everything is gone, the data is empty? What can help me ensure that what I'm building as a developer is secure, and I'm not at risk of being stolen from? And there were no tools in 2017 to help with that. Snyk was just at the beginning, and the vulnerability was not a vulnerability in an open source component like Snyk was doing. So it was quite different.

Tristan Kalos:

And this really stayed on my mind: finding a solution for this problem. And two and a half years after that, I met Antoine. And Antoine was on the penetration testing side of the force. He was an expert in cybersecurity.

Tristan Kalos:

We met at UC Berkeley. We were students there together. He had worked as a penetration tester, and then he worked at Apple. And he was out there doing an MBA at Berkeley. And when we met, we were like, hey.

Tristan Kalos:

You want to create a company? You are an expert in cybersecurity. I want to create a company. I had, you know, some trouble with hackers. I know the problem.

Tristan Kalos:

I know the pain. I know the developers market. Let's do it together. And that's how we started this game.

Antoine Carossio:

I need to add some precision here. I was not the person who hacked Tristan.

Jack Bridger:

Yeah. That he knows of. So just keep it quiet for now anyway. Absolutely. Okay.

Jack Bridger:

So instead of becoming, like, a hacker, like, starting a YouTube channel taking down hackers, you thought technology can save developers from getting

Antoine Carossio:

hacked. Yeah. I think both of us are big fans of deep technologies.

Tristan Kalos:

Yeah.

Antoine Carossio:

So we really wanted to bring technology into the developer space and the cybersecurity space in order to solve that kind of problem in a very fascinating and interesting way.

Jack Bridger:

Yeah. I guess it's pretty hard. So that must have been, like, a difficult part of it. If it's something that's really difficult, how did you get started?

Tristan Kalos:

That is super interesting. So, first, we were both doing deep tech before. So I was actually working in a company. It was named sourced, and it was dedicated to source code analysis using machine learning. So using AI to analyze source code and find vulnerabilities inside of it.

Tristan Kalos:

So I was already kind of working in deep tech with security. And Antoine as well was already working in automated penetration testing. And we started by doing a state of the art of what existed for automated security testing. And we found a paper from Microsoft Research, which is called RESTler. And basically, it was the basic automated security testing for applications.

Tristan Kalos:

But it was very theoretical, and difficult to apply to developers because it took 24 hours of computation time to give the result. So we said, okay, we can do better than that. We can create a new technology that will do better than that. We knew it was possible in a large amount of time. We just had to do better, in a shorter time span, in order to be integrated into the development process.

Jack Bridger:

And so you found, yeah, something that actually could do the job, but it was way too slow to be usable?

Antoine Carossio:

Absolutely. And I think the challenge too was a real product challenge, because actually, developers, they are not used to cybersecurity. All right? So we had to build a cybersecurity product that was compatible with the developer mindset, but also the way they're working, which means we had to have a product that is appealing, that goes fast, that runs in CI/CD. And that is really able to bring value to the developer, which means we really help them to remediate, to understand why there are security concerns, why security is important, and to remediate the different issues.

Antoine Carossio:

So as Tristan mentioned, it was a huge technical challenge, which was, in fact, first of all, a product challenge. And we solved the product challenge with this technique from a research paper by Microsoft originally.

Jack Bridger:

Yeah. So I think that's a really good point about developers. As for me, it's always like you're just doing tickets. Right? You're creating features or fixing bugs, and it's rare that someone in the team is gonna allow you or encourage you to just spend time making your project more secure.

Tristan Kalos:

Two things about that. So the first thing is, you're right. Developers, their job primarily is to ship features and not to do security. So there is a trend, it's called DevSecOps, where the developers have more responsibility for creating secure applications. But they don't want to spend a large amount of time doing this because they have other priorities.

Tristan Kalos:

And so the challenge when you're building a product in the DevSecOps space, and Snyk understood that well, is you want to be super seamless in the way you integrate within the dev process. You want to have a very good developer experience. You want to be fun and easy to use, so the developer actually uses you instead of, you know, just skipping this step. And especially when you are doing a deep tech company like Escape, you have to take a technology that is extremely complex, that is slow, that is prone to crash, and you must transform it into a product that is developer friendly, easy to use, and that is seamless in its integration. And there is a lot of work for doing that.

Tristan Kalos:

So taking research and putting it into production with a good developer experience. That was a huge challenge.

Jack Bridger:

Yeah. And then once you get that kind of seamless developer experience, I'm guessing you set it up and it runs in the background, tells you when things are going wrong. Right? But for developers, unless they had an experience like Tristan and they feel very passionate about it, or they're in a space that requires a lot of security, how do you get them to care about this? Because everyone would say it's important, but it feels like one of those things just like, yeah.

Jack Bridger:

It's really important. I'll do it next week. How do you kind of, like

Tristan Kalos:

Yeah. So there are two things. First, you need to create interest. Developers are curious persons. They are curious.

Tristan Kalos:

They want to learn more about their applications. They're interested. So they can use Escape very quickly. We will come back to that later, but time to value is very important to us. And you can set up Escape very quickly, and it will make you learn things about the code that you're actually writing.

Tristan Kalos:

Like, hey, you forgot this here. Perhaps you can change that. And this creates interest. That is the first thing.

Tristan Kalos:

And the second thing, we have added a few more metrics that the developer cares about, like, for instance, performance metrics. And so they can see at each commit, they have an automated benchmark of how their application reacts from a performance point of view. And this is the kind of stuff that they like and that they like to see at every commit.

Jack Bridger:

Oh, yeah. That's cool. So you're giving them some extra incentives. Yeah. That's it.

Tristan Kalos:

Yeah. Exactly.

Tristan Kalos:

There

Antoine Carossio:

is kind of, gamification, I would say. Learning and gamification.

Tristan Kalos:

But the main point is developers, they like to write code, but they don't like to write tests. And what Escape does is write the security tests automatically for them. So the hassle that we are removing from them is a huge one.

Jack Bridger:

That makes sense. So then it's, like, save time, essentially, or do something you don't wanna do.

Tristan Kalos:

Yeah. There is this, and there is also, you know, partnering with a company that has expertise in security for developers. So there is kind of a teaching part where, to the developers, we are advocating the best practices. We show why this is a problem, how it can be solved. So in a way, it's also making the development team more aware of the security consequences at the same time.

Antoine Carossio:

And in addition, we constantly keep up to date with the latest cybersecurity news, which means when a company comes and sees us, we ensure that their applications are tested against the latest vulnerabilities that come out in the space.

Jack Bridger:

Yeah. That makes sense. And that's a really cool thing that you're doing because, yeah, I'm pretty sure, in a lot of the apps I've built, there's very rarely time to really think about security. Yeah. So could you tell us about how you got your first few customers?

Tristan Kalos:

So first of all, this is a hard part in any startup, not especially dev tool startups, but any startup. So first, we were insanely focused on lowering the time to value. So it was very important to us to have a super seamless onboarding and to have immediately the results that you could see, and that you could play with the tool, to make it interesting, and for the user to have a good experience with the tool. So this was very hard, but we managed to have a very good setup of the tool, very seamless. And so the first long term users, we got them because they were curious. We published on the social networks, on Twitter, on LinkedIn.

Tristan Kalos:

We created the Hacker News post. A few people signed up, and they tried the tool, and Escape uncovered vulnerabilities that were critical in their applications. And so they had a low time to value. They learned interesting stuff, and then they became long term users. That's how we got the first users.

Jack Bridger:

Yeah. That's a very interesting approach. It's like just get lots of people kind of interested and then just hit them with a really, really interesting thing.

Tristan Kalos:

Yeah. I mean, when we created Escape, it was really a goal for us to create a product that grows. And we created the product with this in mind. And so lowering the time to value and having good quality results to create, like, you know, a moment, when arriving in front of the result, was something very important to us, and we can see that it works. There were also challenges from a product point of view, but this part was really our focus at the beginning, and it was great.

Tristan Kalos:

It was very tough from a tech point of view because, as always, when you're building deep tech with a lot of code, algorithms, the first time a user signs up, it crashes. The second time, it crashes. The third time, it crashes. But crash after crash, you improve your code base. And at some point, it becomes stable, and people are actually able to sign up and do the full process without talking to you.

Tristan Kalos:

And then they get a very good result and they stop being real users.

Antoine Carossio:

Yeah. That's the magic of the product.

Jack Bridger:

Yeah. And as you're just digging in there, like, if I see, oh, wow, there's this big vulnerability. Yeah.

Jack Bridger:

Do people tend to then stick around? Or is it still, like, then you need to help them to actually change it to make sure that they stick around? Or

Tristan Kalos:

Yeah. There are two things here. It depends on the company. Some companies, I mean, if you are a 10 people startup and you don't have a business model yet, you will not care about security. Because first, you need to create a business before protecting it.

Tristan Kalos:

And that is the right way of doing things. Right? But if you speak about a 500 people scale up, like a big startup, tech company, then if you find critical vulnerabilities inside of this, they have to react. They have SLAs. They have contracts with their customers that enforce that they have proper scanning, proper management of the vulnerabilities.

Tristan Kalos:

So they have to do it, and they care about it because it's important to the business. Their data being stolen can, you know, get them out of business. So it's critical.

Jack Bridger:

Yeah. That's really interesting. And I have, like, two questions from that. So one is the 500 people company. One is, would they just try it out, like, from interest?

Jack Bridger:

And then the second thing is, like, who pays for this, essentially?

Tristan Kalos:

Yeah. That's a great question. So, yeah, they try from just interest. That's the magic, because, you know, the difference, when you're doing your product that grows, there is a setup and you need to get your security data from somewhere.

Tristan Kalos:

The special thing with Escape is we are scanning from an exterior point of view. We can do it within the CI/CD or we can do full SaaS, on a development environment or even a production environment. And so that allows a single developer to actually try Escape without telling the management

Jack Bridger:

Oh, wow.

Tristan Kalos:

Without telling anyone. You just go on the platform, you log in, and you try it on your application. So there is, like, a huge bottom up motion that allows us to get big corporations to try Escape just because a single developer went for it and was curious about the results. So that is the first thing. And then about who pays, it really depends.

Tristan Kalos:

It really depends. It can be the engineering team. It can be the cloud team. It can be security. It really depends on the structure of the company that you are working with.

Jack Bridger:

And do they typically know what to do once they find this vulnerability, to continue to use Escape? Also, do they then normally go pitch it?

Tristan Kalos:

So mostly, when they find a vulnerability, they put someone in the management in the loop. Someone like a director of product or platform or security. We discuss all together and they're like, oh, yeah, we should avoid this from reproducing in the future. And then they integrate Escape directly in the development process, so it never happens again.

Jack Bridger:

Okay. And that sounds very easy, but has there been any challenges in

Tristan Kalos:

I think one of the big challenges was, as I said, stability. Because when you're integrated in the development process, I mean, you can't make the deployment of your customers fail. Right? If you block the deployment, they're not gonna like it. So you have to be super stable in order not to be the bottleneck of their engineering process.

Tristan Kalos:

And that takes time. And then, of course, you have to learn to speak to multiple people. You have to learn to speak to developers, to speak to security, to speak to the DevOps teams. So there are multiple people involved in this process of cloud security, DevSecOps, and you have to learn to speak with everyone.

Antoine Carossio:

Yeah. And I think one of the difficulties here is that there are some features on the product that are really liked by developers, but in the way they are currently presented, they are not perfectly suited to the security guys. And on the other side, there are some features for the security guys that could bring value to the developers if they were presented in another manner. So you have to have ways to create features and to present the information to the user in different ways depending on the persona you have. And so that's quite a big challenge from a product point of view again.

Antoine Carossio:

And in addition, you have to integrate with different tools, and the developer tools, well, the tools for developers or the tools that developers love, they are different from the security tools, so you have to create different kinds of integrations for different personas. That's quite challenging.

Jack Bridger:

Yeah. Have you got any tips for anyone that's, like, kind of at that edge of security and dev?

Antoine Carossio:

I think you have one, dear Tristan. Like, I think the developers, they focus on projects, I would say. I mean, they are working on the specific vulnerabilities or the issues of a specific project. While the security people, they want a more global vision of all the projects and all the vulnerabilities of the organization. It is two different points of view, which makes building the product challenging but fascinating too.

Tristan Kalos:

Yeah. Like, developers have a vertical view and security has a horizontal view of what happens.

Antoine Carossio:

Yes.

Jack Bridger:

Yeah. And are you trying to make it, like, customized, or are you just trying to make it appeal to both people?

Tristan Kalos:

We were trying to make both teams speak with each other, actually. Like, we're trying to create the place where they can actually exchange on common ground about the security. So for security to see all the different applications from all the developer teams, and know what are the best practices applied to each team. And for the developer team to know precisely, for the application that they are developing, what are the main threats, what are the main vulnerabilities, and what they should do. Like a road map, in a way, for improving the security.

Jack Bridger:

Yeah. Sounds really hard. It's like you have to figure out go to market on both sides.

Tristan Kalos:

Dev tools are hard in any case.

Jack Bridger:

Yeah. Is there ever, like, kind of internal politics or something between, within the company?

Tristan Kalos:

I think the market is evolving. I think originally the dev team and the security team are very siloed, one from another. And I think the evolution, the way the market is going, is more security team integrated within the development team. This is also another part of DevSecOps, but now you have application security engineers. They understand the code base, and they are very close to the developers.

Tristan Kalos:

Yet they are security people, so they are bridging the gap. And those guys are very good champions for Escape because they understand the development part. They understand the security part, and they want to have the tool for them. So they really like Escape and they're huge advocates for it.

Jack Bridger:

Yeah. They're like the human versions of Escape.

Tristan Kalos:

Yeah. But we had to find the right person. And it's not something easy, finding exactly the right person. I mean, not all developers are equal. They have different priorities, different topics, and we had to find the right person.

Jack Bridger:

How do you do that?

Tristan Kalos:

I think it's related to the way we got our users. So, basically, like a lot of developer tools, we have a huge inbound strategy, content. We created content. So we have a blog where we publish about GraphQL, about security, about API security, different kinds of developer stuff as well. It's very technical, and it brings people to know about Escape, and it brought us most of our users at the beginning.

Tristan Kalos:

And then we started doing also engineering as marketing, and this has worked very well for us. So it creates side projects, free websites where you can quickly test the security of your application with 10 best practices. It's called graphql.security and openapi.security. So you can try it out. It's very easy.

Tristan Kalos:

And this brings a lot of traffic as well, of people that are interested and curious. So those were the two things that I think brought the early users. And then also open source and speaking at conferences are the way to meet the community, to discuss with them, and to understand. And all that put together, you know, you start having a vision of who does what in companies, and you can understand who will be your user at the end.

Jack Bridger:

Yeah. That's really interesting. So you're just spreading the word, reaching a lot of people, and then some of the people that come to you will be the right people, and you're starting to learn who to really spend a lot of effort helping and

Tristan Kalos:

Yeah. I think it's linked to, you know, I don't know if you have seen this article, like, how to create luck. So the main theory about this article is, you have to do a lot of interesting things and tell about it to a maximum of persons. And that's what we did. We created a lot of side projects. We talked to the community about it.

Tristan Kalos:

So this interaction with the community and this engineering capacity internally was what created the Escape brand.

Jack Bridger:

Yeah. That's awesome. Yeah. I think I've read, I don't know if it's the same one, I read one by swyx, you know, the

Tristan Kalos:

This is Yeah. Yeah. It's a

Jack Bridger:

really good one. I just wanted to ask you two really quick questions that I think are quite unconventional in your onboarding. So I was trying out Escape.tech. I haven't got a GraphQL endpoint, although I know you're doing REST as well now.

Jack Bridger:

Yeah. But when I signed up, I tried to sign up with my Gmail account, and it said I can't sign up with my Gmail account. I have to use a business account. And then secondly, I got an email immediately inviting me to Slack. So both of those, I think, are quite unconventional.

Jack Bridger:

And I wondered if you could talk about why you did that.

Tristan Kalos:

Yeah. Of course. So the first thing, Escape is a dev tool, but it's also a cybersecurity tool, and it can be used for offensive purposes. And especially, it could be used for doing bad things that you're not authorized to.

Tristan Kalos:

And so to limit the risk of people abusing Escape and using it for, you know, real offensive tasks, we limit it to business accounts and not Gmail personal accounts. That could be anyone.

Antoine Carossio:

The goal is to identify the people.

Tristan Kalos:

Yeah. That's the goal. And for the Slack. So we are strong believers in the interaction with the users.

Tristan Kalos:

We believe that to make a great product, you must interact with people. It's not just through the product. It's directly talking to them. And so that's why we decided to, well, we noticed actually that as soon as we had a Slack channel with people, the usage of the product grew by a lot. So that was quite interesting.

Tristan Kalos:

It was very, very different between people we don't have a channel with and people that had a support channel. So we decided to just create one for every single user on the product. And it does work well so far.

Jack Bridger:

That's really cool. Is that, like, out of the box, or did you build it yourself?

Tristan Kalos:

We built it ourselves. Yeah.

Jack Bridger:

Really? Okay. Okay. Yeah. So okay.

Jack Bridger:

So reach out to Tristan and Antoine if you wanna build that. That's awesome.

Antoine Carossio:

We've been asked a lot of questions about this feature of inviting people on Slack automatically. Yeah. Whereas the people are wondering what we do here.

Jack Bridger:

Engineering as marketing. Really cool. Okay. I think that's all the questions I had. Is there anything you guys wanted to talk about before we finish?

Tristan Kalos:

Yeah. I think I have two interesting learnings that I would like to share with the community of dev tools founders. The first one would be: invest in content from day 1. This has really been a game changer for Escape, creating good quality content, having regular readers. Like, sometimes I talk to people, users, and they're like, hey.

Tristan Kalos:

I read your newsletter every time. I love it. Your articles are very cool. And I think it has been responsible for a lot of new users, a lot of new business opportunities for Escape, and also from, you know, having great interactions with the community. So that would be my first advice.

Tristan Kalos:

And the second advice is, when we think about dev tools, we think about open source a lot, because of product-led growth, open source. I think it's interesting, and I love open source. We have a lot of open source projects at Escape. I also think this is not the only way of creating a good dev tool. You should take Snowflake, for instance, as an example.

Tristan Kalos:

It's a great dev tool. It's absolutely not open source. And if you take Snyk as well, it's not open source. So basically, there are other ways of creating a dev tool that would not be open source, and one of them is integrating directly within the tools they already use. So for instance, GitHub or GitLab or this kind of tool.

Tristan Kalos:

So yeah. Open core is not the only way of creating great dev tools, but you need to also keep the community in mind, to give back to the community. So contributing to open source, I think, when you're doing a dev tool, is a great thing, and every company should do it.

Jack Bridger:

Yeah. Really good points. Yeah. There are, I guess, so many examples of really successful companies that aren't, like, open core. Yeah.

Jack Bridger:

Yeah. Really good point. Okay. Great. Well, thanks for coming and speaking to us.

Jack Bridger:

So, yeah, if anyone's listening and they wanna learn more about Escape, it's escape.tech. Right?

Tristan Kalos:

Yeah. Exactly. Yeah.

Jack Bridger:

And you're launching your REST API security as well, or it's already out now?

Tristan Kalos:

It's in it's in beta now, and

Jack Bridger:

it should

Tristan Kalos:

be out in September.

Jack Bridger:

Okay. Amazing. And I saw you had a video with Jamie, who's been on the podcast as well, trying it out. So, yeah, Jamie Barton.

Jack Bridger:

Shout out Jamie Barton. Yeah. Thanks for joining. And, yeah.

Jack Bridger:

Thanks everyone for listening.

Tristan Kalos:

Thank you, Jack, for having us.

Antoine Carossio:

Thank you very much.
