From Research to Reality: The Journey of Mayhem in Securing Applications

David Brumley, CEO of ForAllSecure, shares insights on building autonomous cybersecurity systems, transitioning to PLG strategies, and disrupting the application security landscape.

Written By: supervisor

The following interview is a conversation we had with David Brumley, CEO of ForAllSecure, on our podcast Category Visionaries. You can view the full episode here: $38 Million Raised to Build the Future of Security Testing

David Brumley
Thanks for having me on.

Brett
Yeah, no problem. So before I begin talking about what you’re building, let’s start with a quick summary of who you are and a bit more about your background.

David Brumley
Yeah, I have come through a very atypical path. I was actually a high school dropout, and at some point in my life I was working as a cook and I ended up living with, actually, a crystal meth dealer. And police came in, arrested him one night, and I decided my life wasn’t where I wanted to be. So I really went back to school, got a university degree, and then started working in cybersecurity. And what really got me interested in this field was this idea that attackers could bend computers to their will. I found it really freeing, actually, to think that I wasn’t constrained by that. And so most of my work has been in cybersecurity. And my first job out of college was at Stanford University doing this as really their CISO. And this is around 2000. So one of the interesting things that happened to me was I was sitting there one night, saw a computer that was compromised.

David Brumley
It turned out it was a computer that belonged to a physicist. And I called this physicist, and his computer had just been hacked a couple of weeks before we figured out what had happened. A hacker had found a brand new zero day and then they had used that to compromise everything at Stanford, to break into all the systems. One of them was actually google.stanford.edu. And so one of the weird claims to fame I have is I actually got to turn off google.stanford.edu when it was hacked in, like, 1999.

Brett
Wow, that’s crazy. And what was that like, being in Silicon Valley back in 1999? What was the ecosystem like for you?

David Brumley
The ecosystem was quite different than it is now. So at that time, it felt like all the best work was happening in universities and the startup scene was just starting out. I remember actually being approached by Google at one point asking, are you interested in being a computer security guy for us? And I was like, how are you going to make money? You’re, like, selling classified ads? And they were the small 30 person startup on University Avenue. I think today, right, the default is whatever the idea is, we’re going to create this billion dollar startup, but that’s not what it was like back then.

Brett
Interesting. And two questions we’d like to ask just to better understand what makes you tick as a founder and as an entrepreneur. So is there a specific CEO or team that you’ve really learned from and studied the most over the years?

David Brumley
I tend to like to study lots of different people, so I’ve never had one particular CEO that I study and look at. I think probably the most influential book I’ve read, though, is The Hard Thing About Hard Things by Ben Horowitz. And I think he has amazing advice on really just what the struggle is being a CEO and the struggle of building a startup, and is very real about it. A lot of people, when you read the management books, try to mask the difficulties.

Brett
Yeah, I really like just the whole premise of that book. When he was in wartime as a CEO, he turned to some of these books and they were just written by management consultants that were very fluffy, high level concepts, and he needed a manual of actually what to do in these crazy situations. So just right off the bat, I love that book as well. It’s so good.

David Brumley
Yeah, it’s amazing. And that’s most of what your life is as a CEO. Your job is making the hard decisions, right? The easy decisions you want to delegate down for other people to make.

Brett
Yeah. One thing you have in that book that always resonated with me is it’s not hard to have a big crazy vision to change the world. That’s not the hard part. The hard part is when your vision fails and you have to go and fire 90% of your team and then try to keep building the vision from there. That’s what takes guts as an entrepreneur. And I always really found that to be pretty interesting. It’s not hard to have the vision. It’s hard when things don’t work out as planned.

David Brumley
Absolutely. There’s a lot of great gems in there. That one is great. The other one I really liked is what to do when you have a star player but they’re a jerk, because it’s an issue startups early on wrestle with, where you hire someone who’s amazing, like, what happens if I lose them, but they end up bringing the rest of the team down? What do you do then? And of course, the right answer is to let them go. But it’s a hard one to make when you’re small.

Brett
Yes, totally.

David Brumley
Nice.

Brett
Well, let’s dive in now to what you guys are building. So can we start with the origin story behind the company?

David Brumley
Yeah, well, I’ll go back to where I was at Stanford. So what I realized back then was hackers always had the advantage, people who could break into systems. And I got really interested in this question of, like, why is that? Why can’t we beat attackers? I mean, defense should have all the advantages. They have code, they have people, they have resources. And attackers, of course there’s more of them, but they’re not quite as motivated. And so I went back to Stanford University, got a master’s, got a PhD. And I kept looking at this problem and really settled on this question of how can I teach computers to do what the top end hackers do? How can I teach them to find brand new zero day exploits that will allow me to break into systems? And the purpose of that was not to break into other people’s systems.

David Brumley
It was to find those same sorts of flaws before attackers and get them fixed. And our big breakthrough came when we were able to show we could do this with common off the shelf code: someone could give us an app and we could automatically produce exploits for it. We wrote a paper about it. It was great. We actually got made fun of by a lot of people in industry at that time. I remember sweating over Christmas once as a very famous security person in the enterprise space was making fun of the work. But a few years later, it gained some traction, and DARPA ran something called the Cyber Grand Challenge. They put out a challenge to say, can we build self driving computer security systems so that humans don’t have to worry about that? And it really was a question. They didn’t know if it could be done or not.

David Brumley
DARPA spent about 60 million on that. We built, from the university prototype, a new prototype of this to enter the contest. And we ended up winning. And what came along with winning was $2 million. And we used that, really, to seed our company. And so really, what you see from us is going back to my original problem: how do I find those problems that attackers are going to exploit? And even in research, we recognized that the current approaches weren’t working, and our approach is a little bit different. What we’re really trying to do is take what a hacker actually does to find new exploits and automate it and put it on hundreds of different computers, with the idea that that’s how you can scale up.

Brett
Interesting. To zoom in on a few things there, so what year was that you published it and others in the industry were having their doubts?

David Brumley
This was around 2010, 2011. So we published the paper, and I remember there was this big, long blog post where, I won’t say who it was, but it was a reasonable company, and their founder was making fun of the paper, saying, like, oh, these people don’t actually know what an attack is or hacking is, and they’re just deluding themselves. And I remember my grad students were actually like, why is this guy attacking us? He doesn’t really understand the work. And he’s just taking potshots. And so it was really a difficult time, because this conversation kept up for like three or four months. But what was funny is everything that he was saying was things that we knew were true in the research. We knew that there were limitations. But the point of doing that research is to show incremental progress and push those assumptions. And if we hadn’t been able to get through that, I don’t think we could have pushed the state of the art.

David Brumley
It was really a hard time. It’s kind of one of the, I guess, net negatives with the big social presence, right, is learning to live with all the people who are going to take potshots at you.

Brett
And how have you learned to live with that? One of the things that you have to live with, right, when you’re really disrupting or bringing change to an industry is you get a target on your back. So how have you learned to just live with that criticism, or doubters, or people who think negative things?

David Brumley
I’d like to say something really clever here, but really I can’t. It really comes down to two principles. One is I don’t spend a lot of time actually looking at what other people say. The more time you look at what other people are saying, the more time you’re sinking into something that’s not bringing value to you or your company. And the second is just don’t respond. Don’t think you need to respond; people will move on. If you respond, you’re just feeding that devil. And so I think just those basic two techniques are the ones that I’ve used.

Brett
Makes a lot of sense. Now, when it comes to adoption, what types of customers are you seeing really embrace this platform right now?

David Brumley
This is one where we’ve had a shift. So when we came out of this big US DARPA challenge, we had a lot of people at the DoD, the Defense Department, interested in Mayhem, and we actually had a lot of international interest as well. But most of it revolved around offense, and we’re not really interested in becoming an offense company. We wanted to protect computers, to make them safer. And so while our initial interest was in that, what we’ve been seeing over the last few years is a lot more from commercial industry, where they’re just tired of getting hacked and always being reactive and they want to be a little bit more predictive about what’s going to come. And that’s when they’re coming to Mayhem. I’d say our sweet spot is really customers who think of security and availability in the business all as the same thing. And what I mean by that is there’s some people for whom security just means, like, how does my credit card database not get hacked or my user database not get hacked?


David Brumley
When you look at our customers, like Cloudflare and Roblox, a hack brings down their entire business, right? It’s unavailable. If someone takes down a Cloudflare node, they’re not making money. And so those tend to be the early adopters that we’re seeing the most success with now.

Brett
So is that like the Forbes Cloud 100 then?

David Brumley
I don’t know what the Forbes Cloud 100 is. Mostly what we do is we go talk to people in security who seem to know what they’re doing, talk about the benefits of Mayhem, get them to try it out, and a lot of them end up liking it. I think what I remember about Roblox was interesting. They said ours was the first tool that developers actually chose to use. A lot of security tools are kind of pushed down on people. They don’t like it, and so they liked ours.

Brett
And are there any numbers that you can share just to highlight the growth and progress that you’ve seen so far?

David Brumley
I can highlight a couple of numbers. So we’re about doubling year over year, as you would expect. Number of customers keeps doubling. And I think one of the things that I find most encouraging is really this notion of land and expand is playing out. I look at that as really, like, proof that you have some product market fit. When you can land in a particular business, they buy a small amount to try you out, and then usage keeps growing. And so we’ve had a large number of customers where that’s happened. In fact, I don’t think we’ve had anyone reduce the size of Mayhem.

Brett
And what’s that go-to-market motion look like then? Is that PLG or top down, or what approach are you taking?

David Brumley
When we first started the startup, we did a pure B2B motion with a professional sales organization, and we’ve recently changed it over the last year and a half. And I don’t know whether it’s the market shift or we just opened our eyes more to PLG. The old way is you set up a sales team and everything on your website is getting someone to fill out a contact me form so that a sales rep can give them a call back. So that’s what we used to do, and that was mildly effective. It lands really big deals that take a long time. A couple of years ago, we opened up with a freemium to start with the PLG motion and we’ve been excited about that. The other kind of unexpected advantage of the PLG motion is it just reduces the time for those enterprise customers to do a pilot, because often they’re already using it or can experiment with it without talking to a sales rep.

Brett
And was it difficult doing that transition to a PLG company or PLG motion?


David Brumley
It’s something we’re still learning on. It’s quite a different motion, right, from before, when you’re thinking of direct enterprise sales. And the classic, I call it the John Draper approach, is you’re trying to give people just enough information that they give you their email address and phone number, and then you’re going to just try to get a hold of them, figure out their problem and expect a long conversation. And it’s very top down. And a lot of things can break in top down. A lot of things can break in bottom up as well. But in top down, what we were finding sometimes is we’d have the leader who wanted to buy, had the pain point, and the leader had his team implement it, but the implementation team was overworked. And so you really had to work carefully to make sure that you weren’t just talking to the buyer and the economic buyer and all that, but really working with who is going to be the day to day driver of these tools.

David Brumley
And so we got really good at that. With the PLG motion, the harder issue that we’ve run into is actually making sure people have budget when you go talk to them. So top down, you know there’s budget. The question is, can you actually get people to spend time on your tool? When you’re doing bottom up, you get a lot of people who are using your tool. And we actually have customers who have clearly tried to circumvent any sort of limitations we have by creating multiple accounts and then figuring out ways. What do you do with this? Do you try to monetize it? Do you take it as a win? Every board report, right, the very first number everyone wants to see is ARR. Not really number of users, at least in our space. And so that’s been part of the tension that we’ve had.

Brett
And what about culturally? I think that’s something that I’ve heard from other guests who’ve come on. They say that PLG is really a cultural shift that you have to instill in the organization and get everyone really bought in with it. Is that something that you had to do as well? And culturally, did you have to really make a big push to get everyone to believe in PLG?

David Brumley
Actually, quite the opposite. What was interesting is, with the straight B2B enterprise sales motion, the typical engineer never saw the results of their work at our company. They released a new feature, it would go out, and then CS would take it and release it to the enterprise customer. And the engineers didn’t like that. I think most people at a company have at least some part of them that wants to see that change in the customer for the better. And so when we started our PLG, actually, it was immediately adopted by our engineering and sales staff. I think the harder sell actually is just figuring out, like, the economics are quite different, right? You’re trading volume for overall deal size and how to go about that. The motion makes a lot of sense.

Brett
And what about market categories? How do you think about market categories? Are you creating a new one? Are you transforming and disrupting an existing one? What are your thoughts there?

David Brumley
That’s a good question. I’m going to be direct on this.

Brett
Right?

David Brumley
So I’ll have to say something interesting. I think that the categories are really defined by the analysts, and the analysts really don’t know what they’re doing. So are we creating a new one? We don’t get to say that, the analysts do, but I can tell you that the analysts are getting the categories wrong right now in our space. Right. So in computer security, it’s actually a big space. It’s kind of like saying you’re a doctor and you immediately have to qualify that. Are you a medical doctor? Are you a surgeon or a general practitioner? Are you a specialist in some other area, like an endocrinologist? So our area, really the sweet spot, is application security. There’s another area of security, IT security, where people are mostly concerned with network defenses. What we’re mostly concerned with are what are those applications that are going to get compromised or be used to pivot in an attack?

David Brumley
Right now, the market really, when you look at it, there’s a big company called Synopsys that has tried to buy kind of one of every tool category that Gartner has. And the advantage of that to customers is they have, like, just one stop shopping, but they’re really not best of breed anywhere. What we’re trying to do is be really laser focused on how do we make sure, when we’re trying to find flaws, that everything we say is real. Every time we say there’s a problem, that it’s not what’s called a false positive, it’s a real problem, so that it gets fixed. And that’s really the novel part.

Brett
And do you engage with analysts at all, or do you view them as essentially irrelevant to what you’re trying to build?

David Brumley
We engage them. I think you have to take it as a cooperation. What was always puzzling to me, so my background is, I’m a tenured university professor at a tier one university in computer science. And me and actually most of the faculty had to spend quite a few weeks trying to figure out what analysts were calling different sectors. Like, the terms they were using didn’t correspond to what they thought they corresponded to. And so a lot of what we do with analysts is we try to just educate on what are the real differences between the tech out there and why one might succeed and one might not.

Brett
And I do a little bit of work in cybersecurity, or at some cybersecurity companies, and it’s always blown my mind how confusing the ecosystem is and how much they love these category terms like cloud security posture management. I think someone’s trying to do application security posture management, SIEM, all of these different buzzwords. It gives you a headache just trying to navigate that and understand all of that. I’ve never seen that in any other industry, really, besides cybersecurity.

David Brumley
It’s crazy and it’s just a very noisy place, and it’s hard to be original. Like, everyone out there wants to talk about, well, if you don’t use us, you’re going to get compromised. And the last compromise was a billion dollars. That’s kind of like saying everyone should buy tornado insurance because the last person who had a tornado had their house destroyed and everything, right? What we are looking at is how do you build trust in the software? And so when we go to customers, we never tell them, hey, we’re going to certify everything is 100% secure. What we want to do is give you trust that as you push out software, it’s good, and that you can quickly update as the market evolves or if someone does find a bug.

Brett
And something you said there about noise, I’d love to talk about that. So I went to my first Black Hat this year in August. It was a lot of fun, but walking around, I just had to think, like, how does anyone navigate this ecosystem? Because everyone is saying the exact same thing. All of the vendors there, many of the vendors there, seem to have the same core message. So how are you breaking through the noise and how are you standing out for customers?

David Brumley
The biggest thing that we do when we go in is we don’t try to use fear. We don’t try to go in and say, hey, a single compromise will kill you. I actually don’t believe in that approach, because what ends up happening with security tools is there’s a race to detect, or at least report, as much as possible. And naively, you might think that’s good, they’re going to get better and better. Instead, what happens is they find more and more trivial issues to report just so that they can say they found more. We’re flipping it. We’re going in and saying, hey, look, we’re never going to tell you that we found every issue. People who do are flat out lying to you. But for us, our goal is just that every time we tell you something, we can show you an actual exploit, we can prove it.

David Brumley
So it is noisy, it’s hard to do. And the other funny thing, I guess, about this is when you go to Black Hat and RSA, those are completely different sets of people that you’re going to talk to. As far as security, RSA is all corporate types. Black Hat is more like the CISOs that are trying to learn. And then if you go one conference down, you go to DEF CON, right, you get a completely different set of messages. And so I think you’re right. It’s really kind of interesting how noisy it is, how they all have kind of the same message. But as you go through different conferences, you start to get more and more technical. And that’s the part I really enjoy.

Brett
Which is your favorite of those three to attend?

David Brumley
Oh, that’s a hard question. I mean, RSA is my favorite because they have the best swag and parties, right? People will go get major league players and people like that to come to their party. So it’s awesome. But swag aside, I think probably DEF CON is the most interesting. I still mentor a DEF CON hacking team. We’ve actually won, I think, seven black badges. So it’s like lifetime entry into DEF CON. It’s a pretty big award. And I like going to DEF CON because that’s where you get to meet the people who are actually doing the work and are growing day to day.

Brett
Nice. That’s awesome. And last question here for you. If we zoom out into the future, what’s the three year vision for the company?

David Brumley
The vision for the company is that we want to automatically check and protect the world’s software from exploitable bugs. It’s not a small slogan, but let me tell you why we chose that. What we want to do is we want to find only those problems that someone is actually going to exploit. We want to take human time and focus it on the things that matter. The second is we want a fully autonomous system. So what really changed, why we were different and why DARPA had this challenge, was we designed our approach so that the whole system could be autonomous. And what I mean by that is the system, completely autonomously, an AI, is analyzing: it finds a new bug, it proposes a patch, it tests that patch to make sure nothing breaks, that it doesn’t hurt performance, and that it improves security, and it deploys that patch.

David Brumley
And this can happen within, like, I don’t know, 30 seconds, as opposed to hours, days, weeks, even years in the DoD. And so really, our three year vision is to bring that reality as far as a full product suite. And then the reason we exist is to make that part of the reality for everyday security.

Brett
Amazing. I love it. Well, that’s all we’re going to have time to cover before we wrap. If people want to follow along with your journey, where’s the best place for them to go?

David Brumley
Best place to go is our website forallsecure.com. Or follow us on LinkedIn or Twitter.

Brett
Awesome. David, thank you so much for taking the time to chat and share your vision. This is all super exciting, and I wish you the best of luck in executing on this vision.

David Brumley
Thanks, Brett. All right, keep in touch.
