EPISODE 1784

[INTRODUCTION]

[0:00:00.6] ANNOUNCER: Digital forensics is the process of identifying, preserving, analyzing, and presenting electronic data for investigative purposes. It's often related to addressing cybercrime and is crucial in tracing the origin of breaches, recovering lost data, and security hardening. Emre Tinaztepe is the founder and CEO of Binalyze, which is a cybersecurity company specializing in digital forensics and incident response solutions. He joins the podcast with Gregor Vand to talk about his path into engineering, his time in the infantry, Binalyze, digital forensics, and more. Gregor Vand is a security-focused technologist and is the founder and CTO of Mailpass. Previously, Gregor was the CTO across cybersecurity, cyber insurance, and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile at Vand.hk.

[INTERVIEW]

[0:01:07.8] GV: Hi Emre, welcome to Software Engineering Daily.

[0:01:11.0] ET: Hi Gregor, it's a pleasure being here, thank you for the invitation.

[0:01:14.6] GV: Yeah, great to have you here, Emre. Yeah, as we might get into, we've met once before back when I was at a company, Black Panda, and as you might hear, that's now a customer of Binalyze, which is what we're here to talk about today. So, normally, I kick off these episodes with a background of yourself. I'm actually going to just add in one pre-question, just to help, I think, our listener base, because we're going to be talking a lot about digital forensics today, and I think just to make sure there's no misunderstanding around what we're talking about, actually, could we just define digital forensics and then we'll jump into your background.

[0:01:50.4] ET: Sure, so, digital forensics is actually a pretty old profession.
It's an industry on its own. These days, it's - I see that it's kind of seen as just a feature when it comes to endpoint security but it's actually, it's an industry on its own and it's even longer than the endpoint security industry. So, it's basically the art of collecting evidence, preserving it, and analyzing it, and the way we define digital forensics in traditional aspect is this: collecting it, preserving it, analyzing it, and then like, presenting it to the court for solving an investigation, but what we do is the modern way of digital forensics, which we'll be digging deeper into.

[0:02:28.2] GV: Exactly, exactly. Okay, but that's great, we've got a sort of basis of what is digital forensics. So, I will now go to the normal start, which is tell us a bit about yourself, you know, before founding Binalyze? I love to just hear sort of how, what was the road to founding Binalyze.

[0:02:44.1] ET: Sure. Before we start, today I learned you were the one who referred our product to Black Panda and also our chief investigator now. So, you guys were working there together. That's another indicator of like, developing your product that solved a challenge that advertisers need. So, thank you once again for the invitation.

[0:03:01.3] GV: That did happen, yes.

[0:03:04.0] ET: Thank you so much. 39 years old, I started coding at the age of 11, 12, which has been a very long time and I don't remember myself without like, having access to a computer, like not coding something. So, maybe like, two months, three months break but I was always developing something because that's a passion, and the way I said it was, like, we have five computers at that time, and you were sitting. I clearly remember that moment, you were sitting, like three students in front of every PC. So, we were like coding interns, and I think this is very important because the teacher who taught us how to code, she said, "This is not actually a part of the semester. So, this is not a part of the curriculum.
I'm supposed to teach you Windows 95 but I studied archeology and I wasn't able to find a job." "So, I'm going to be teaching you QBasic because that's how I started making money and that's how I decided to be a computer teacher, like programming teacher." So, she said, "I'm going to teach you just in case you use it in your career." So, that's how things started for me, and then again, I'm an ex-military. I studied military high school after that one, after the secondary school. At the end of every computer class, our teacher was giving us some, like, 10 minutes for us to like play or do whatever we want because, if he didn't, then people were finding ways to do it like in between the class. So, in the last like, 10 minutes, I was coding something on QBasic, I was probably writing some like, for loops, like printing some numbers to the screen, and then he asked me, "What are you doing?" And I said, "I'm learning QBasic," and at that time, I was also like, jumping to Perl, which was another programming language, which was quite popular at that time. So, I mean, these are happening at the very like, early age. So, I'm really grateful for meeting these teachers, and then I started military academy. In that period again, I had like, access to computer all the time, and started learning MASM32, which is Microsoft Assembler. So, I was going deeper and deeper, I started with QBasic, and then Perl. I remember working with Java for around a year, and then PHP was getting quite popular in those days for viewer designing, not with frameworks. So, I really envy the ones who started later because there are now frameworks for that. So, you're basically writing everything from scratch. So, all the content of that webpage was delivered by code. There was no like, middleware in between.
So, I started to go deeper and deeper and I remember, at the last year of the university, it was MASM-based, Microsoft Assembler, which was basically to read the instruction set, and I was fascinated with it because that was the moment I understood that "Okay, all these codes that I've been writing is basically translating into this, that executes on the machine." So, yeah, that's how it started and my career has nothing to do with computer science actually because I was an infantry. My first mission was in Iraq, so I stayed there for two years, I was an infantry paratrooper, and in that process, I proposed 14 projects. None of them were accepted because you know military is quite strict when it comes to innovation. That's not the best place to do stuff if you're coming up with like, new ideas, and my role had nothing to do with innovation, I was an infantry. So, I proposed 14 projects, these were like mainly robotic, like devices, like small circuits, and some software projects as well. None of them were accepted, and on the 14th one, I decided, "Okay, I think I'm in the wrong place. So, I shouldn't be here, I should be somewhere else in private sector." And I resigned and I was offered to work as a malware researcher because those days, I was like, digging deeper into how to remove your malware, how computer viruses work. That was quite a fascinating idea for me, like I'm having a small - a few kilobytes of binary that can do stuff autonomously and then like, spread around the world was - it also like sounded quite dangerous and I wanted to know how it worked. So, I started as a malware researcher, and then I received an offer from Comodo. I led their mobile malware research team for a year and that was the moment I understood enterprise is not for me because I really miss being in a startup.
My first career opportunity was in a startup, and then I returned back to that startup that I joined after the Army, this time as a shareholder, and then worked around like, seven, eight years, it was quite an experience. So, I learned what to do, what not to do also because startups are great for learning what not to do, and then I started Binalyze. So, that's the quick background on me.

[0:07:34.3] GV: Awesome. So, I mean, I think it's fairly fair to say that you know, a lot of founders, they end up founding something that's solving a problem they've personally experienced. So, I guess, sort of leading on from the sort of history leading up to that point of what you've just explained, was there some kind of something you'd experienced already that then drove you to say, "Well, Binalyze, this should be a thing," like, what was this sort of moment there?

[0:07:58.8] ET: Actually, my background is not digital forensics but I was pulled to digital forensics because of like, working with our advisors. So, the first time I realized that there is a need was I met one of our advisors and they were looking for someone who was like, going to help them spot an insider case. So, there was a malware infection, or claim to be a malware infection but this needed to be uproot. So, the claim is, like, the person, like the suspect was saying, "I did not do it, my computer was hacked and it was done by the attacker." So, we had to prove this. So, it was a combination of forensics and reverse engineering, malware analysis, so all of them were getting like close to each other around like 15 years ago, and then the second investigation, this time with our second advisor and from New York Police Department. They had a big financial institution, another, like breach, and the claims are really high.
They will get this from the insurance provider and what the problem is the FTK, the platform, like the software they were using at that time, it shows a file but no one knows what the contents of that file is. So, it shows up potentially encrypted, and the interesting part of this file was starting as an autorun. So, it was like, automatically running when the machine rebooted. It didn't make sense. So, I mean, it shouldn't have some like, encrypted contents if there is some data. So - and now it turned out to be a trick that was used by attacker to run another binary. So, these were the indicators that traditional forensics was actually coming to evolve in a way that traditional antivirus industry will because when we set up on the antivirus industry, first, it was the on-demand scanning. So, you were scanning your computer, and then antivirus companies introduced new methodologies, like on-access scanning. So, this way, whenever you or a process accesses a file, it was automatically scanned, and then we came up with the idea of, "Why don't we make it like faster and introduce on-execution scanning?" So, if something is not running on your machine, why am I supposed to touch that? Because when the first antivirus was introduced, computers were very small, like the hard drives were very small but the last time I remember having a hard drive, like in my hand, it was two terabytes. So, if I'm supposed to scan all those files, it takes like, hours. So, that was the moment we decided, "Why don't we introduce only on-execution scanning?" So, this type of innovations were being done on the industry. But forensics was an exception because we can like, dig deeper into this. Why?
But I believe it's because it's very traditional, it has its roots from the law enforcement, it's a very strict profession that does not allow people to like innovate, come up with new ideas because, at the end of the day, you're going to the court, or that's the assumption, which we're going to discuss further. So, we started experiencing this type of problems and I was trying to basically solve the problems we were facing ourselves with our advisors from NYPD. And to be honest, I was quite frustrated with it because we were waiting for FedEx to ship us hard drive images, which didn't make sense. So, some like, from time to time, I would listen to them, "Can I get access to that machine or routine meter? So, give me the access, I want to click, check some stuff, and then you won't be needing this image at all." That's how we started. So, the need was there - and in simple terms, I wanted to sleep more because I was waiting for evidence to be like sent.

[0:11:19.0] GV: Yeah, like that says you know, it's selling a pain point of sort of the profession that you are in and I would say like a similar one that's popping out more and more now is I have seen a couple of startups of SREs like cyber reliability engineers. They're very keen to develop tools that will make their lives, like as you just called out, so that they can sleep more as well because they're getting fed up of their routines. As if they know that you know, obviously, AI, et cetera can come help them out on that one. So, I really like that, you know, you had a lot of skin in the game in terms of what this was actually solving. So, that's very interesting, and then you know, if we look at sort of what the product is, you know, a big part of it is the fact, it's all around automation, and the fact that it's cloud-based, and I mean, you kind of touched on it there.
You know, you were saying, you're waiting on hard drives being FedExed to you but what was it that really led you to believe like - and you also touched on the fact that it's quite a sort of we would say like a staid industry, you know, whereas you called out, law enforcement has driven most of the direction of it up until a certain point in time. So, yeah, what sort of led you to believe that being able to move this in a direction of cloud and automation was even possible and like, that you could be the one to actually be the disrupter here? Like, what was the thinking behind that?

[0:12:35.1] ET: Great question. Actually, it's another shift that we observed at that time. So, in my previous company, we signed a deal with one of the largest telco operators in the US and we were expecting to have around, like 50,000, 60,000 customers. It was an antimalware product, so it was running on their machine, scanning their machines but it turned out to be much bigger than we expected. I remember looking at the dashboard and I remember seeing like, hundred thousand and we thought, "Okay, that's going to stop now." So, because they already deployed more than we expected and then it became 200,000, 500,000, a million, and I remember at the end of that period, deployment period, I guess, it was around like, eight, nine million end users but before it hit that threshold, we have started to like, run out of bandwidth, in everything. Like, all the infrastructure was based on virtual PCs, many PCs on data centers. So, that was the moment we started to work with shifts with our current DSVP engineering, we are working at Binalyze together now. So, that was when we decided to, "Okay, we need to solve this problem because we cannot solve this with the data center that is located somewhere in Germany." And then we started digging deeper into how we can migrate our infrastructure to cloud.
And I remember when I first logged in into Azure, it really felt like a huge data center waiting for me to like, run. So, it was much, much more advanced than some consoles of data centers. So, everything was moving to cloud at that time, except the forensics because forensics was supposed to be shipped with FedEx and DHL. So, we were persuaded that if we want to like, make this technology available to enterprises, there is no way we can do this on a - based on the traditional methodology, and the AV also, like antiviruses also had a similar evolution. So, first, it was antivirus, and then endpoint protection platform, and then they set it into this cloud antiviruses, which was again quite a paradigm shift because people were like, against the binary going to cloud but then, comparing it against the tradeoff, I mean, do you want to be safe or do you want an executable, like sent to some cloud? So, people started to like, accept the tradeoff there, so it was hard, to be honest. Like the first three, four years of Binalyze was really hard because everyone was asking the chain of custody. Like, where do you save the data? And that's the reason we introduced our on-prem version, the same architecture, the same functionality but if the enterprise is not ready of that mindset shift, then you are providing them with the on-prem version, and it was running on their environments. But most of the time, even the most mature enterprises, they started to like, ask for the cloud version themselves because they don't want to worry about the deploying your product, maintaining it, like running the infrastructure. They just want the value that the product provides. So, it was quite a shift at that time, and now, Gartner now recognizes this as a new category, and guess what? The first letter in this new category is cloud. So, cloud investigation and response automation, they call it CIRA.
So, it requires us a lot of time and resources to talk with the customers, tell them why it has to be scalable, it has to be running somewhere, either on our machines, in the cloud, or on their environments but that was a mindset shift.

[0:15:55.8] GV: Yeah. So, I'd love to dig into this quite a lot. We've already sort of moved to the point of, "Okay, today, Binalyze runs on the cloud." And it's all CB up, a mindset shift of, sounds like a lot of companies by this point that this is the way it should be done and it's okay, and as long as they trust like the technology behind it, that's kind of the key thing there. In terms of I believe of - okay, so before cloud, the Binalyze proposition was the automation aspect to it. I sort of believe and sort of what that could lead to in terms of time reduction for people like yourself, who was in digital forensics generally. So, what was the kind of catalyst and moment that you understood that what could be done in this sense? Like, you're thinking, "Okay, something that's taking me weeks even can actually come down to hours." Like, what did that kind of look like in terms of a realization?

[0:16:46.1] ET: Actually, the traditional forensics market was moving really slowly at that time, and it really felt like it's at the end of its evolution, and when we started, this is something we haven't covered by the way. So, when we started our product was a dongle-based product, so it wasn't an enterprise product. We were just trying to solve the problem of collecting evidence and analyzing it from a single machine. And they are also like, used to you know, like police officers are used to having a dongle.
That's how they use all the traditional forensic products, to reset it that way as well but shipping dongles was really hard because we were getting orders from Australia, from the US, like from all around the world, and again, like we were waiting for like preparing that dongle packages and then shipping them, and you were receiving a lot of feedback.

[0:17:30.7] GV: And just for our listeners, some might not even, just in terms of I realized age groups, dongle here is like a USB plugin adaptor, right? You know, sort of this physical thing you plug in and it's in fact like a USB drive.

[0:17:43.1] ET: It's kind of a USB drive that also has some, like, licensing unit in it. So, it's both for saving the evidence and also activating the license. So - and law enforcement is like, they're familiar with this approach.

[0:17:57.2] GV: Yeah, okay.

[0:17:58.0] ET: And then the customers started to ask actually, customers started asking. "I mean, we really like the product but can we run this remotely? And I need to look about running it remote data and there shouldn't be any dongles." So, then we released the first version that does not depend on - it's called soft licensing. So, we called it like dongle licensing and then a soft licensing, and then the need, this also like started to come from the enterprises. They were asking us, "Can we integrate it with our SIEM?" And based on our previous experience, previous startup experience, listening to customer was a big part of developing your product. The way I describe it even now if you go to our release notes, you'll see every release has at least two, three credits given to our customers because customers are asking the releases, like the features that you release and we are giving them credits but this is not credits, and so basically, the disruption was requested by the customers. "So, can we run this remotely? Can we integrate it with our SIEM? Can we run it with our SOAR?"
So, these are the platforms that they were using at that time, EDR, XDR were not that popular at that time. So, SIEM was the most popular product. So, that persuaded us to see that there's disruption needed here, and also I remember having EnCase certification books and the checking the release notes of EnCase at that time. The product was basically not being updated anywhere. So, they were basically maintaining the product, not adding like disruptive features, and also our advisors were like constantly asking, "Can we integrate your anti-malware SDK with the Forensic Explorer?" I remember that was one of the programs that they were using or like, this type of like integration request were constantly coming from the advisors, which was also like, persuading me like there's something needed here, we need to like focus on this.

[0:19:36.7] GV: Yeah. I mean, that's a good problem to have when it's not like, you know, for a lack of people wanting to use the product or using the products, it's actually, they're saying, "We're using the product but would use it even more if you could provide it in this other form." And they'll say that's kind of a nice thread that you were able to pull on and move along to not dongle-ize, finalize. So, maybe let's sort of jump into more from a technical standpoint, just kind of actually what's going on here, like what's happening kind of semi-under the hood. So, am I right in saying that today, Binalyze, the product we're talking about is called AIR, is that that sort of? Yeah.

[0:20:09.3] ET: Yeah, Binalyze AIR.

[0:20:11.1] GV: Yeah, AIR, is that like an acronym for something or?

[0:20:13.4] ET: It's automated, investigation, and response. It was initially our product name but now, there are three products that have the name "AIR" in it. So, it's kind of becoming a category name.

[0:20:23.7] GV: Nice.

[0:20:24.5] ET: Based on what I, you know, serving for the last few months.

[0:20:27.0] GV: Okay.
So - and this is actually a very interesting thing when I sort of first came into the space and you know, admittedly, I didn't need to handle a lot of this side of things and mainly talk about my time in and I didn't need to really handle any sort of forensic collection or incident response so directly but I was made very aware of one of the challenges there is that you know, cross-OS, you know, like a cross-system architecture. Is it, you know Linux, Windows, Mac, Android, you know, iOS, et cetera? So, how does AIR handle you know, we're talking about automated collection and I think that again, that was almost an argument to me as to why this was so challenging and could not be automated was the cross-OS aspect. So, how does AIR actually handle that in terms of across the different operating systems?

[0:21:17.9] ET: So, that was actually one of the selling points because we realize the fact that you know, to be a good investigation platform, we need to support multiple operating systems. My background is also Windows, Windows Operating System, Windows kernel, and at that time, Mac was getting quite popular in enterprise environments, especially developers were using Macs, but it's kind of like much more common now. And let me check the market reports, MacBooks were on the rise, and then Chromebook also, like showed the same patterns, and then as far as I know, they even like they were above MacBook sales now. So, they were getting the signals. I mean, we are already like, really root on Windows. Now, it's time to like, focus our resources on macOS, Linux, and also Chromebook. So, currently, we have Windows, Linux, macOS, IBM AIX, Chromebook, and even ESXi. So, this is one of the hard parts of digital forensics, and combining this data in a single, like, in a unified hub is also another challenge. So, that was a need and some of the consumers were like, specifically choosing our product because of the cross-platform support.

[0:22:22.6] GV: Okay.
I mean, there must have been challenges though, sort of in being able to handle the different, you know, so was it that it started with Windows but I think you said move to macOS fairly quickly? I mean, what kind of things, especially sort of maybe just slightly higher level have to be considered when trying to create the same product in this space across the different operating systems?

[0:22:43.7] ET: I think the biggest thing is, biggest challenge is macOS side because the macOS is a closed operating system. So, even when you - on Windows, you can get a lot of byte details if you want to dig deeper into the operating system, architecture of the kernel, the forensic side of the things but when it comes to macOS, it's not that easy. So, even the books that are written on the subject are fairly old. So, it requires us like a lot of research on the macOS side, and then once we have macOS, Linux was much like easier for us because they architecturally - so, we developed two products. The first one was for Windows, specifically and then we developed tactical cross, which was collecting evidence from both macOS and Linux, and we used, like choosing the language, choosing the framework, and then making the research was the hardest part on that.

[0:23:31.6] GV: Yeah, and I think you know, just sort of pointing to sort of recent cases like, e.g., CrowdStrike and you know, why was that such a problem? Well, as you called out, you know, macOS is this closed system, where access to the kernel is not possible, basically, and that's where Windows differs, and you know I think it's often been misunderstood as to why you know, people say, "You don't get viruses on Mac, you know?"
Period and it's sort of obviously not entirely true, but it's more along those lines where Windows was just built with that from that standpoint of the internal, it can be accessed actually and Mac can't but yeah, inherently makes when people want to do good things and actually be able to investigate, it obviously makes your job a bit harder when it comes to actually creating a tool that's supposed to be figuring this out for say, macOS, yeah, so.

[0:24:16.4] ET: Got it, when macOS was not targeted. When I was in malware research, macOS was not targeted as much as Windows, and even Android was much higher when it comes to like malware numbers. So, that was the reason but currently, Mac OS 160 is a big need in the industry.

[0:24:32.0] GV: Yeah, I think that's just a very interesting evolution there. In terms of you know, forensic investigation, we're kind of talking about the difference of you know, how quickly can we do this but also then how thorough is that, how many files have we actually pulled up, and what we've gone through. How does if we're automating that, how are you, you know, when designing the product, like how are you considering the speed versus the thoroughness and is it a tradeoff or would you say you've actually kind of figured out the win-win of being able to do it much faster and just as thorough?

[0:25:02.2] ET: That's actually where the domain expertise gets into the picture. So, if you try to collect everything from that machine, then you basically go back to traditional forensic days and then there's no point of like designing a new product because it's basically like getting your full disk image. So, you need to find a balance that gives all the value without slowing down the investigation. So, that's our product, it is able to deliver the investigation times from weeks to hours. So, there is a balance there. I mean, you cannot collect everything, it should be incremental. It should be like gradually, like increasing.
You should be able to what you shouldn't in the first stage. That's how I define it.

[0:25:42.4] GV: Yeah, okay, makes sense, especially you know, in today's world, what if any, you know, in terms of machine learning, does that play a part in building up? I mean, this is not an area or product that I am like super familiar with from a pure technical standpoint. So, you can help us out here, like is this a case where you are able to bring in machine learning and then it's just have this, I guess, like catalogs of understanding of what's bad, what's good, and etcetera? I mean, talk to us about that, yeah.

[0:26:12.3] ET: Exactly, so that's actually one of the biggest differentiators because, in traditional forensics, you have a desktop-based product that runs on a single image by an individual analyst. So, like there is one to one to one probation in that investigation but in our case, in modern approach, you can have access to thousands of machines in a single platform. That gives you a baseline to like what is normal, what is not normal. When I see something on one of the machines, is this also like the case in the other devices as well? So, you have access to this, and based on this information, you can easily use machine learning or even like AI now to get an understanding of like much faster understanding of what happened on that environment because we're not talking about the single machine anymore. It's an enterprise problem. So, you need to have access to all the assets that may be involved in that case.

[0:27:04.4] GV: And that's also touching on the cloud component and with I think when you're talking about sort of the concerns around clouds, you know when you're thinking through the move or shifting the product to be able to run in cloud. Basically, the big sort of pushback is around anything to do with data privacy and compliance.
How do you handle that and you know, you're vacuuming up effectively all the data of a machine and you know, there has to be some pretty sensitive data there, how do you work with that when it comes to cloud?

[0:27:33.5] ET: Sure. So, basically the regulations in search pages, as long as you have the certifications then you don't face that much of an issue but still, there's always some questions but when it comes to which one is important, so business continuity, find the root cause, finding the root cause, or having our data in the cloud? And especially with the migration from traditional on-prem base into our assist to EDRs are now XDRs. Almost all the XDRs on the market are like cloud-based, so they already like started that shift. In our early days as a startup, it was hard for us to like train, like increase the awareness of like educate the potential customers but with the XDR, the shift to XDR and SIEM products, this is already happening. So, these are already cloud-based products and the customers started to ask like, "Can we get a cloud version? Can we get a SaaS version of your product?" But when they ask this, you need to provide them with the certifications and as long as they see that, it's not that much of an issue now. There are still some enterprises that especially government in the military, we also have like a military and government customers. Some of them, they still prefer to have on-prem environments but that's not common now, especially in the last year.

[0:28:47.1] GV: Yeah, when we're talking about cloud, is the majority onto your cloud, on private cloud, is it a pure mix, like how does that look?

[0:28:54.3] ET: They mostly ask us to host it because they don't want to deal with like maintaining a platform. It's already very hard towards security operation centers and MSSPs also like they are fairly compact teams.
So, we're not talking about like hundreds of people on MSSPs because we have two types of customers, MSSPs and enterprises, and on enterprise, it's even a bigger problem because it is really hard to find people for the security operation centers and it is really hard to retain them. So, if you ask them to maintain a platform, then it becomes even like a bigger problem for them. So, they just want to be doing what they're supposed to do rather than maintaining their platform. So, that's why they usually ask us to host it.

[0:29:32.4] GV: That's an interesting point where I think a lot of people assume that products like this, the customer is going to demand that it is run here on-prem or on private cloud and actually for all the reasons you've just said, when smart people and these customers actually think about it, they realize yeah, they're creating more headaches for themselves often as long as I get it, you know it comes down to the product itself. Do they trust the company, the product, etcetera? But that should be one of the big value propositions is that you know, you as Binalyze know how to run the product in the most optimal way on cloud, and so if you let you guys manage that, that makes a lot of sense, and you touched on enterprise and obviously selling to enterprise is very challenging. You do seem to have quite a lot of enterprise customers just from your, you know, website, etcetera, testimonials. So, you know, they've clearly sort of adopted those in relative terms for SaaS. It feels like enterprise has adopted Binalyze quite quickly. Yeah, what sort of surprised you about sort of how enterprises are actually using Binalyze?

[0:30:36.7] ET: That's a great point and that was one of the things that surprised me, to be honest. So, in our previous company, we were evolving from like we were in like making our product from a consumer-based anti-malware product to an enterprise product but the fact was we have many competitors at that time.
So, when we introduced our enterprise antivirus, we had almost 50 competitors on the market and I guess that number is now even higher. So, 70, 80, maybe antiviruses, and so it was really hard because you had to be like superior in everything and also in terms of price. So, I was expecting something similar here but something I forgot was that we don't - we didn't have. Now, we started to get like some competition on the market but when we started with the enterprises, we didn't have a strong competition. So, it was quite surprising and especially, I have like several funny stories about this. But like one of our - at fuel for actually enterprise, large enterprise contacts, contracts started with a single-line email. Like, it fuels them, like just one line of email, "Can we get a price quote for 30,000 assets?" And like some of these, I ignored them because I mean, being in an enterprise seals in my rent. In my previous company, I know how hard it is, how hard it was supposed to be in an enterprise environment. And like, seeing a personal email asking for a price quote for 30, 50,000 assets didn't make sense. We were lucky because our previous SVP growth to run off these like emails and replied and they became a customer for five years. So, it was kind of surprising because the competition was not there yet and we were solving a real challenge that they were trying to implement themselves. So, like in general, when we meet like an enterprise customer, the moment they see the demo of the product they generally say, "This is exactly what we've been trying to solve internally for the last two years but we have to give up because it got too complex." So, and they generally do this for one or pre-existing and now they need to do it for the other operating systems as well, and then they need to build the - a lot of other features on top. And then, they decide, "Okay, this is a product." This is a profession on its own, we had to stop. 
So, it was surprising for me, I was expecting it to be harder. [0:32:52.4] GV: And just I mean, like that example you know, you get an email of like you say one line, what's the price for, you know, a larger number of assets. How in your mind, how are they discovering Binalyze back then? [0:33:04.4] ET: So, this is one thing that most startups do not embrace. They generally think about, "Okay, we release a product, let's price it, let's charge it." I think that's one of the things that we learned in our previous company and again, as I told you, like we learned what not to do as well. What not to do as a startup, I mean, there may be exceptions but this is how we perceive with this how we see it. So, the product should meet the potential customers without thinking about any pricing, licensing, revenue necessarily because what matters is what the customer thinks. Is this solving a real problem and how much of that problem is that product solving? Because there is always more to solve. So, what we did was before releasing the first version of our dongle-based, USB-based product, we first created a joint waitlist six months before the initial announcement. And we started collecting emails, and then we released the first version, IREC free, it's a response evidence collector. It's IREC, IREC tactical was the paid version but we waited for I guess around six months before thinking about pricing or like subscriptions and a server, and then we released the tactical version with traditional evidences and additional features. So, customers were basically downloading the free product and they were testing it on their like individual machines and they were asking questions. "Can I run this remotely?" Because remotely, like it was basically a Windows-based application. So, there wasn't even a command line, like early adoption because it was just you run it, you select some checkboxes, and then click start like collection. 
So, they were asking these questions, that's how they learned about Binalyze. We didn't have any adverts, we didn't have any like paid advertisements, nothing. It was just the website with some keywords and they were finding it themselves. [0:34:50.3] GV: Yeah, that's very cool, and in terms of you kind of just mentioned there, you know people would download it and then there was a, "How can I run this remotely?" or so on and so forth but otherwise, you know once people were sort of you know, hands-on with the product, what customers taught you in the past and what are they teaching you now that sort of has actually made its way into the product. And maybe you know, let's just say not to do is just, "Oh, move it to cloud" but what maybe feature-wise have had kind of customers taught the team in terms of yeah, features that are now in there today? [0:35:22.8] ET: I think the biggest input we received from customers were the investigation hub. So, collecting evidence and analyzing it on an asset basis, like per asset basis was already in the product but we decided to like prioritize the consolidation of multiple reports and the second one was integrations. So, that made us realize that these guys already have everything money can buy but still, they are spending a lot of time understanding what's happening. And that was the moment we decided to prioritize integration with SIEM, EDR, and like XDR products. So, that's the reason we have like support for all major products on the market. So, those two things were the things that we learned from the customer. [0:36:01.9] GV: Nice, and I guess of then looking at the other side, what has been from a technical standpoint, like what's actually will be more of the hardest problems you actually had to solve, whether that's something that has been suggested in or just something that you as a team have thought, "This needs to be in the product" but what actually has been one of sort of big technical nuts to crack on the product? 
[0:36:22.2] ET: It was actually about the release cycles. So, we had to spend a lot of time on resources because enterprise is not a SaaS platform. So, in essence, it's a SaaS platform but the product we've developed is running on 32-bit Windows, 64-bit Windows, Windows seven, Mac OS, Azure, Cloud, like I mean, it's basically running everywhere. So, you need to have a very robust quality assurance. Like, in continuous integration, continuous delivery pipeline. So, our team has spent a significant amount of time on the testing of the platform and I am really proud that this is again like based on our previous experiences as well. So, when you change a single line of code in our product, there are like thousands of tests running in the background, and at the end of the day, we are having it released and we know that there is like a very strong automation running in the background. And the biggest thing was it's an emerging category, so you shouldn't be releasing any version every three months, every six months, which can be sometimes hard for our customers because they are used to other vendors that are releasing like four releases a year, which is not the case for Binalyze. Binalyze, we do this every, like every 15 days, we release a new version, and then we announce it publicly at the end of the month. So, this was the thing I guess, like setting up the infrastructure so that we can reduce the release cycle so that we can listen to the customers in a much shorter sales feedback cycle and then fix the product, and then you feature the product, and then release it to the market. This was the hardest part in my opinion. [0:37:51.5] GV: How does that sort of work in practice? Let's take the sort of the person here asked for let's just say 30,000 assets. You know, if we're thinking, "Okay, every 15 days a new version has to go out," to, in theory, 30,000 assets of very varying you know, operating system types. 
I imagine the percentage of actual, you know, update let's just say on the day after that it comes out is you know, the most - It is not a hundred percent right, so then you're working with 30,000 assets across and require a different spectrum of what previous version and current version I guess. What was the challenges come with that in terms of why I'm thinking about sort of backwards compatibility of ours to them? [0:38:32.4] ET: Exactly. [0:38:33.0] GV: Yeah, yeah, yeah, so how does that work? [0:38:35.4] ET: So, like initially we didn't want to deal with this until we started work, get the product deployed on environments that are like 100,000, like assets. So, that's when we decided to prioritize the backward compatibility, so you don't need to like make your like deep grow out your environment. You can do it incrementally because most of the time the features that they are adding are on the console side not on the responder side. So, that's why our team prioritized that one and I think that was one of the learnings because that's not something we did in our previous products and this is, to be honest, it's easier for a startup, you know? Like in our startup days, it was easier to have one product that has everything in sight. So, like I am thinking about the communications protocol between the assets and the console but that's not the case anymore. [0:39:17.6] GV: Yeah, and I think you know, this in my mind even, that's kind of what set yourselves apart. I basically had to do kind of vendor assessment on products you know, in your space and that's when I became aware of Binalyze and yeah, it just seemed you know, fairly evident, fairly quickly, and also getting you know, we actually spoke I think it was about two years ago at this point on a call. 
I'm going to throw a funny anecdote here, which is I genuinely hadn't maybe done my research exactly on how large you are as a company at that time and I think I remember asking you, "Oh, so you know, is it just you and your cofounders?" And I think you said, "No, we have like 200 employees." So, I said, "Oh, right. Okay, sorry I've slightly misunderstood the size of the company." But - [0:39:58.6] ET: That's a great point because we were laser-focused on the product side. Again, something that I've been like firm believer, make a great product and the growth happens. When we started seven years ago, people are asking, so like how much, like even in our first lesson, how much budget are you going to spend on the marketing? Zero, no marketing budget. We were fully focused on the product side. And even when our VP of marketing said it, she said, "My first is functionality to take the company another step." Because even in our like fifth year, sixth year, by the way, we're still in stealth mode. So, it was all about like developing the best product on the markets, not making that much noise, not like making ourselves that visible, we want our product to make noise. We want our product to make people like talk about not even about the company. We wanted people to like talk about the product. So, like Spotify is a great example like I deployed [installed? inaudible 0:40:47.6] Spotify to all my family, all my friends because I was in love with the product. I was able to listen to any music I wanted, that's why we didn't like spend that much effort to promote the company and the team. It was always about the product. [0:41:01.9] GV: Yeah, I love that. I really like that approach and as they just kind of showed when we did have that call two plus years ago at this point, and you know, looking forward how do you sort of see automated forensic collection and like changing? I mean, you know, any hints to sort of what's on the horizon with Binalyze, anything that you can share? 
[0:41:21.9] ET: Even hearing this question excites me what we're doing and the reason is so far Binalyze, we seat more than 10 M&A requests, mergers, and acquisitions requests. [0:41:31.5] GV: Wow, nice. [0:41:32.4] ET: And these generally came from traditional forensic vendors and also endpoint secret to launching vendors and so this is going to be our seventh year and we said no to all of them and we'll keep saying this because it's not even 50% of the roadmap. So, when we started seven years ago, we had a vision, and we are just about to introduce many use cases that are not available on any of the product on the market. And that's because I see this as our product is kind of like similar to the James Webb Telescope. So, James Webb Telescope allows us to discover a water molecule in a planet that is million light years away. I mean, it's unbelievable but it does that and how, because it has different like cameras, different spectrums, scanners. So, it has that visibility and when you have that visibility, then it's not about like finding new planet. Finding stuff inside that planet that probably we will never be able to touch in our lifetime. So, I see Binalyze there as that kind of platform. So, this is just the beginning of the journey and on top of this, we'll be building new use cases. So, that's the reason like I say we have adjusted it all the time because we literally just that. So, this was just building that. I mean, this doesn't mean that we still have stuff to do in order to capture the market. Our product is already like at least two and a half, three years ahead of the competition. So, the closest competitor in terms of feature set, like when you take a look at us from a competitive intel point of view, I can see that they are developing, they are implementing the official that we implemented three years ago but this is just the beginning. Like, there is many, a lot of stuff on the horizon, and even thinking about it excites me. 
[0:43:13.0] GV: Yeah, this is very exciting. I mean, the way you're talking about it, it reminds me a bit of Shopify actually, where I'm quite familiar with that platform from a past life and you know, I was familiar with that platform from the very early days and you know, when they were seven years in and saying to people, "We're just getting started." And people didn't believe in them whatsoever. Like, "Yeah, come on. No, it's done now, you know? Yeah, yeah, you know, you come on the cloud, great. Well done, you've done it, and like we're done here." And of course, they were not even close, you know? And I just - and I knew that was the case. Like, you know I'm a big fan of Tobi Lütke, the CEO, and I have met him a few times and it was just so obvious that when he said it, it was true, and I think I'm just hearing and feeling the same from yourself. Like, you know the space, and when you say, "We're seven years in and only just getting started," like that just sounds like another case of this. So, I think that's incredibly exciting. Just kind of - [0:44:05.0] ET: Thank you. [0:44:05.0] GV: Wrapping up here, you know, thanks so much for coming on and I like to just ask like a couple of questions just to sort of you, you as Emre, like looking back on things, you know, if - when you kind of started out in well, you know, you're in the military for a while but you know, if you could sort of tell yourself something now but to yourself back then of like, whether it was sort of how - anything to do with technology or just something to be aware of, thinking about sort of how you approach your career, like what that might be? [0:44:36.2] ET: I mean, I'm learning every day, that's the fun part. So, that makes Binalyze even more exciting than the years we started, and I think the biggest learning I had in the last, like almost seven years now is the balance between mind, body, and soul. 
In the early days of Binalyze, it was all about like, working super hard, not sleeping but now I learned that I can work like much harder by also, like meditating, breathing, finding that balance in a much more like productive way. So, I think that's the biggest learning I had in this period. So, for the new founders or like people who are going to be like CEOs, I suggest them to - I mean, even if you suggest them, they won't be able to because everything happens at the right time but this is my biggest learning. So, like, spending time to sharpen your blades so that you can perform better. [0:45:28.6] GV: I like that a lot, yeah, and maybe my version of that is in sports generally, I've traditionally been more of sort of, just call it a sprinter effectively, and over time, I've learned how to elongate that and actually become more of a, let's just - like, you brought terms like middle distance is probably the easiest way, you know? And cycling is a big sport for me but being able to kind of change the mindset around this is not a sprint, it's a marathon, effectively, has been hugely helpful. And I think that's kind of what you're getting at as well of being able to - be able to perform at a very high level but consistently as opposed to you know, sort of pulling all-nighters, and then you know, feeling terrible the next day kind of thing, so. [0:46:07.6] ET: Exactly, and I mean, if that's not your impression, we cannot continue. So, it's that finding that balance to perform even like, better and longer, that's the biggest learning I had, and I think finding a philosophy that helps you analyze things, helps you understand things, and all the challenges that is happening in a company are natural. That's how disruption happens. So, if everything is normal, then if there is no crisis if there is no problem, then there is no growth, that's what I learned, especially in the last few years. 
So, there should be a lot of problems and we should be prepared to like, handle them. That's how growth happens, that's how big companies become big companies. [0:46:45.0] GV: I think that's a great one to end on. Yeah, you know, just always leaning into problems but not - someone else says, you know, it's not failure, it's feedback and I think that's always a great way of looking at things. So, thank you so much Emre for coming on today. I think, you know, we've learned a lot here, you know, and I really do just think that Binalyze as a product is one of these few products in a category that is just lightyears ahead of anything else. So, I really recommend people to check it out, whether you're in this industry and needing the product or even not, and just checking it out. Where is the best place, you know, for someone just to kind of check it out and get started? [0:47:20.6] ET: Just Binalyze.com. [0:47:21.5] GV: There we go. So, Binalyze, that's B-I-N-A-L-Y-Z-E.com. So, again, thank you so much for coming on. I hope we get to do this again in the future and catch up with where Binalyze is next. [0:47:35.0] ET: Thank you so much, Greg. I'm looking forward to it. [END]