Patrick Gray (4:44)

And was it the fact that you were the Prowler guy that got you the job at aws? I can't imagine it hurt.

Tony De la Fuente (4:51)

It helped a lot. Yeah, it helped a lot by that time because I tried to join AWS many times and never worked out. Probably because I wasn't ready. Probably because I didn't prepare the interviews very well back in the days or probably because my English wasn't very good or everything together. But at some point when Prowler was way more popular, everything went very well in the hiring process and I ended up joining aws Just to step back.

Patrick Gray (5:27)

There for a moment, right? So you said like all of a sudden, you know, you've written this one thing that's like command line, very simple, very easy. You don't have to configure it to look specifically anywhere because it looks everywhere and you just get green or red, right? Like I 100% understand how you get up at a conference and say I've built this like single line tool, you know that you just feed it a cred and it will go and do this for you. I can understand why people are going to start using that. But like everybody talks about how they'll contribute to open source software, but nobody ever actually does Right. So I'm wondering how did this, who was it, who was jumping on this? Was it other practitioners? Was it pen testers? Like, how did you actually get people to put time into this as a project? Because that's, that's like so hard.

Tony De la Fuente (6:09)

Well, the goal was to not to make this hard because cloud security is hard already. Right. So. And to create Prowler checks and Prowler categories and compliance frameworks in Prowler for from the day one was very easy, very easy. And I wanted also to add good documentation. I always loved to write blog posts, documentation, et cetera. So that helped a lot.

Patrick Gray (6:37)

Yeah. Okay. So you're like the one guy on the planet who likes writing documentation, but yeah, cool, go on.

Tony De la Fuente (6:43)

I mean, I wouldn't say I love writing documentation, but I've been writing in my personal blog post many, many years. So. And it's something that, I mean I like to communicate what is needed and the how to's and you know, tutorials and all that stuff. So I wanted to help myself first to learn hardening and assessment of the cloud security, but also I wanted to help others. Basically that is the key of open source. Right. And challenging myself every time that there is a new threat in the cloud or new service for AWS back in the days now is pretty much any cloud. So that was very, very good because IAM vulnerabilities were everywhere, right. Insecure APIs or API calls, all that stuff. So that was a way for me to stay up to date with all that was happening. Everything that was happening in the cloud.

Patrick Gray (7:45)

Yeah. So it sort of became a way for you to a sort of cornerstone of your way to understand what was happening in your field, I guess is like, well, I have to learn about this new thing that we need to check for. And the best way to do that is by writing a check for this framework that I've got.

Tony De la Fuente (8:03)

Yeah. Basically when I started with computers, that was when I was 19, I got amazed within the Internet, right. And the different protocols and I started learning Internet protocols. Do you remember that? The O'Reilly books that for SNMP or POP3, IMAP, all that stuff. I have all those books because I loved to learn from the very basic or the foundation of the Internet with the cloud. What I did with Prowler was more or less the same, but for services, for example SQL. Okay, let's learn about SQS security. And everything that you can do to secure SQL is something that I implemented in Prouder, then SNS, then S3. Everything related to VPCs everything related to security groups, all that stuff. Or then AWS released the elasticsearch service that is now open source. Right. I did all the security checks for them because I wanted to know all the security misconfigurations and threats and the hardening of that service. So that was a way for me to become kind of an expert. I don't consider myself an expert because the cloud is very broad, but it helped me a lot to learn how to do different configurations in the cloud and understand the APIs and how all that stuff works in the cloud.

Patrick Gray (9:39)

Just going back though, because like we've established how you are able to flush out contributors. What's the sort of loose demographic info for a prowler contributor? Are they also just like cloud security architects or admins or just a whole mix? Because there's quite a few. You've got quite a few contributors now, right. So I'd imagine it's pretty broad now.

Tony De la Fuente (9:59)

But 250 or almost 300. Yeah, almost in global contributors. The point of the cloud is that everybody that moves to the cloud has at some point or realized at some point how important security is. So we have of course the cloud security practitioners, pen testers, cloud architects, not cloud security architects, but also cloud security architects.

Patrick Gray (10:30)

Yeah, the ones who get given big binders full of compliance requirements and are told to by the board that they.

Tony De la Fuente (10:37)

Have to meet them infrastructure developers because they are writing code and they are deploying code and they want to make sure that in runtime their code is working fine. And also at some point the technical, you know, the VPs of it or CISOs, that they have some sort of techy skills, they can run prouder very well as well. And now it's even easier because we have the web UI, the SaaS platform. But yeah, cloud security engineers, architects, compliance auditors, if you see it's very broad because when you move to the cloud, as I said, at some point you realize, hey, I have something to do here.

Patrick Gray (11:24)

Now you just mentioned the SaaS thing, right? So I've seen you've demoed to me. Both people can, you know, click through to the demo you and I have already published on the YouTube channel. But you know, you've got this command line one which is great. You could throw like a cred into it or an API key or whatever and get it to actually go and fix stuff, which I really like because for a lot of these SaaS platforms, right, that do like, that do security, they're like, yeah, sure, give us an API key and like we'll Totally take care of it and go and you know, use this privileged access to only do good stuff in your environment. So one thing I really like about Prowler is you can actually use the SaaS platform for the discovery part just with read only access. And then if you actually want to get Prowler to go and fix stuff, just spin it up on a laptop, you know, give it a credential, do the thing and then burn the credential, that's fine, you can do that. So I really dig that, but it strikes me like I know you a little bit, right. And you're like old school security person. Did it break your soul a little bit having to make a pointy clicky like SaaS version of this? Did it make you sad?

Tony De la Fuente (12:31)

Not really. Not really because. Because I mean I started product from the CLI because I love the cli, you know.

Patrick Gray (12:39)

Yeah, because you're. Because you're an old school turbo geek, right? Yeah, I get it.

Tony De la Fuente (12:43)

Exactly. There is a book that I love that is at the beginning was the command line and I love doing that and the power of doing that for one point in time assessments. But at some point I realized that hey, we need to offer a platform. The whole platform, as you said, the whole enchilada.

Patrick Gray (13:05)

Yeah, yeah.

Tony De la Fuente (13:07)

From the CLI to detect, but also remediate to the continuous monitoring. Because one time security is not security and not even in the cloud. It's one time assessment is fine, you get a photo, right. Of your status, but in the cloud that everything is changing all the time, you need continuous monitoring. That is why we started building the application parallel the application parallel the platform. Right. And we have from the CLI also local dashboards. Because if you are a practitioner and you are assessing something today for a customer or for your own company, you want to see data straight away. You can do that as well from the CLI with the local dashboards. But if you are maintaining an infrastructure over the time and you want to see also how you have been improving or, or the other way around with your infrastructure, you need something else. So that is why we started Parallel Cloud or the application that is available open source but is in our SaaS where you can see the progress that you are building the cloud, if anything new is happening, you can see that very quickly. We are adding new checks and new features all the time. And that is one of the reasons also that we created Prowler Hub is a way for everybody to see everything that you can do with Prowler and also to learn how to do everything with Prowler.

Patrick Gray (14:44)

Yeah, because I mean, previously you would have a situation where someone might write a check. They don't really describe it very well. It's just sitting there in GitHub. What does it do? Who can say? Right. And so you fix that with ProwlerHub, where you could really go in there now and actually know what you can expect from a particular check.

Tony De la Fuente (15:02)

You can learn all the metadata, all the attributes that that check is doing, but also see the code and understand everything. And the same for remediations that we call fixers. So you can learn cloud security for any of our supported cloud providers from the very, very beginning. And also the compliance part, because at the end of the day we do the mapping between the technical checks and the compliance requirements. And that is also available to consume in the web UI, but also via an API in ProwlerHub. That is hub.prowler.com yeah.

Patrick Gray (15:42)

Now let's talk about the sort of hosted SaaS version, right? Because it's interesting, you're really committed to the open source thing. I think it's cool. Like you are 100% committed to making all of this stuff available, both Command line and the SaaS platform. If you want to spin it yourself up, run your own web server with the Prowler SaaS platform on it, you can absolutely do that. As far as I know at the moment the only thing that you're charging for is actually the hosted version. You could just go do it with a credit card, which is quite nice. But then that begs the question, right? So let's talk about for a moment Prowler the business, because we've been talking about Prowler the platform. What's the play here? What are you cooking up, Tony Delafuente?

Tony De la Fuente (16:28)

Well, the point of cloud security is, I think we said this at the beginning, is that to access a proper cloud security platforms is hard, are black boxes. They have a lot of controls and sometimes you don't even have that visibility. So what I wanted to do is, hey, don't worry because you can, since you have the need until you have the solution. Instead of going through procurement processes, black boxes solutions, go get an open source, an open platform, and in five minutes you get the results and if the value is enough, you pay us.

Patrick Gray (17:12)

Yeah. And is that for the hosted version? You mean they pay you?

Tony De la Fuente (17:17)

Yeah. So I mean our pricing model is based on resources, but also we are adding a new pricing model based on accounts or subscriptions or projects, depending on the cloud provider you use, which is even easier. The easy that Prowler is, it has to be also easy to consume and easy to buy. And that is what we are building in the platform. So we want you to have the solution as soon as possible and pay for it if it gives you value. And we are sure that Prowler is giving you value because we are, we have more controls than most of the cloud security vendors and growing all the time because we have an incredible community that is helping us improving controls, adding new controls and of course now with AI is even giving us a big push to improve everything that we do and help also our customers with end users. With everything that an LLM can do for cloud security, for example, I mean we call our AI capabilities is Prowler Lighthouse. You can ask Prowler Lighthouse pretty much anything that is going on in your cloud security and also ask Lighthouse to give you or any template to prevent anything new to happen, all the guardrails so you can create a very nice service, control policies or cloudformation or terraform templates to prevent resource exposure or to have for example, a database properly configured that is now easier than ever.

Patrick Gray (19:01)

Is that part going to be open source, right. Where you are shipping it with like some open source model or something or like how does that work?

Tony De la Fuente (19:09)

That is exactly what you said. We wanted also to have that open source because first, because it's very helpful and second, because nobody else is doing something like that open source. So you don't go to Wiz or Prisma Cloud, Palo Alto or anything and say, okay, give me your chatbot that I want to learn about that. So we are doing that to improve the product and to improve also the user experience. Because at the end of the day, we are builders and we are practitioners building something for our practitioners. Right. And is the way to learn. And of course, if you come to our platform, everything is already configured for you.

Patrick Gray (19:49)

Yeah.

Tony De la Fuente (19:50)

But if you get the open source option, you have to maintain and configure everything by yourself, which is fine if you want to, but you don't have to. If you come to our SaaS platform, we have users and customers in any place in the planet. Because at some point, any company, any organization goes to the cloud or for some tests or for some proof of concepts, but also for production workloads. And I'm talking from New Zealand to India to us, Argentina, Colombia, Brazil, pretty much anywhere in Europe as well, has cloud security needs. And if you have a cloud security need and you want a comprehensive platform that is offering you a solution in minutes, that is prouder.

Patrick Gray (20:43)

Yeah. So let me ask you a question though, and this is more on the business side just because I'm curious, right. Like how much does the fact that all of this is available as free and open source code, how much does that complicate how you calculate your pricing? Right. Because there's going to be that point where people are like, that's too expensive, I'm going to do it myself. And you've chosen this path, so how do you navigate that? Because I've always wondered how you do that.

Tony De la Fuente (21:17)

The cloud paradigm is different to back in the days of UNIX than Linux, but it's kind of similar. So not everybody wanted to admin and build everything by themselves and a lot of companies preferred and wanted to have Red Hat for example, because was everything ready? Because the, the storage storage, enterprise storage management that came with Red Hat was working way better and faster than anything that you had to, to compile or build by yourself at the end of the day.

Patrick Gray (21:52)

Yeah. And wind up in, you know, spending like 10 hours per box in dependency hell.

Tony De la Fuente (21:56)

Right, yeah, exactly. If you have cheap resources, you are going to have, you will want to build that by yourself and that is fine. But not everybody has cheap resources, not everybody has the time and not everybody has the knowledge. So that is why the business model works. And you can, you can see Mongo, the same for MongoDB, the same for Redis, the same for Elastic. Elastic. Elasticsearch with Elasticsearch is a very good example of something that was very accessible for everybody and everybody had the opportunity to, to build their search capabilities etc. With elastic but also building a company around, around that for massage also of course different type of services, which is what we are doing. We are building also business, we are doing business with oem. So other platforms that they are doing their security using Prowler or covering the security part of different type of platforms in the cloud with Prowler also intelligent services, different governments using Prowler and new cloud providers. There are new cloud providers, new players that we will see some coming up soon and they don't have a third party companion for their security and they trust Prowler and they pay us to support them.

Patrick Gray (23:24)

Now look, Tony, in the past when I've spoken to you and I'm like, well this kind of sounds a little bit like an open source whiz, you know, you've sort of resisted that characterization, but I've noticed you are resisting it a little bit less these days. I mean, is part of the vision here to go after companies like that, are you seeing wiz customers churning onto.

Tony De la Fuente (23:47)

Prowler in the cloud when if we talk about cspm, kspm, sspm, whatever or cnapp, pretty much everything because Gartner and other, they want to put everything in a box, that is fine. But honestly I don't care about that. I do care about solving the problems that everybody has in the cloud. Right. Helping the cloud security engineers, the architects, et cetera. And that looks like is the dashboard solution that all those solutions are offering. But there is a shift now to that is changing everything. Of course, that is AI.

Patrick Gray (24:27)

Yeah.

Tony De la Fuente (24:28)

So we want to be able to provide beyond the mapping with the. I mean finding that issue, but going beyond with Prowler. So the good thing of Prowler being open source, that adopting new technologies is also very easy. The example is now that we have released with Prowler, Lighthouse that is inside Prowler, we want to be able to go from the detection plane detections to being your engineer, your cloud engineer. That is not easy nowadays because LLMs are work in progress and MCPs, etc. But you are going to come to Prowler that already has the access to all your clouds to do whatever else you want to do because it's already built in Prowler.

Patrick Gray (25:19)

Yeah. So this is less about the sort of wiz approach of cnappy kind of stuff and more about like if you want to have, you know, a securely administered cloud environment, I guess is more the thinking here, which is a different. It is coming at it from a different angle. So I can see why you would resist the, you know, you would say that they're not really doing the same thing.

Tony De la Fuente (25:40)

The point is, at the end of the day, people knows about the big ones and they want to see their mapping also in their heads. Right. And of course there are some basic needs in any security platform. Right. Like the integrations, alerts, this reporting, you know, the compliance part. That is fine and that is something that we have in Prowler and we are adding more features.

Patrick Gray (26:04)

But it's not what gets you going. Right? Like it's not what gets you excited. Yeah, yeah, yeah, I get it.

Tony De la Fuente (26:09)

Exactly. Exactly. So let's have the basics, but let's go beyond that. Let's fix the cloud security problems of tomorrow with tomorrow technology as well. Right. Or the current technology and AI is changing all that stuff. And we are, that is why we are so excited with Lighthouse is because we want to be also telling the people, hey, before this is happening, do this, et cetera. So. And also with the MCPS and the agentic AI, considering that we have at Prowler the access to all the clouds. So you can keep building the new way of assessing the cloud, but also fixing the cloud.

Patrick Gray (26:51)

Yeah. So you talk about AI. I recently caught up with an old friend in Melbourne who is just such an old school guy and very much a cynic on all new technologies. Just nothing impresses him. And I caught up with him and I said, what have you been up to? He said, I've been playing around with AI. It's amazing. And this is the thing, like you're jazzed about this. I can see why. Like I work with a bunch of startups and increasingly the interface for a security product these days doesn't look like a console with charts all over it. It looks like the search box from Google 20 years ago. You know what I mean? It's just like a blank page with a box in and you just tell it what you want to do. I mean, it does. And when you see that it works for a lot of stuff. I feel like the hype around stuff like ChatGPT as like a general model has distracted from the stuff where AI is actually really useful, which is for specific tasks which can be mundane but require a whole bunch of book knowledge, like working in a soc, like sysadmining and whatnot. And that seems to be what you're finding as well, right? Have you got demos of the AI stuff already?

Tony De la Fuente (28:03)

Yeah, I mean, we have been working on that in the last six months already. Now it's in production, kind of in preview mode. Like everything in AI is preview. Right.

Patrick Gray (28:15)

Are you surprised, Let me just ask, are you surprised by how well that stuff works? Because most founders, I know, when they actually mess around with it, they say it's not perfect, but they are surprised at just quite how much they can get done with it.

Tony De la Fuente (28:26)

Yes and no. Let me explain. It's very helpful and the AI and the gen is helping a lot to glue words and to put things together. That is great to do a brief summary about an assessment, for example, for us, or tell me more about the risk of this or how to break into that. All that stuff is very good. But when it comes to the integrations and getting specific information with a vast amount of data, you have to fine tune prompts. You have to do a lot of things.

Patrick Gray (29:05)

Yeah, they do tend to fall over once you hit a certain level of complexity. Right?

Tony De la Fuente (29:10)

Yep. Yeah. The point is, if you have a JSON file with 200 entries and you ask an AI to do something with that based on whatever additional model is easy. But when you have a lot of files or database entries and you want to put things together, that is not that easy. And the information you get, the advice that you get is not always perfect.

Patrick Gray (29:42)

What are people using it to do? Like now, like, do they just turn up and ask the AI, hey, it's my first day using this tool. What should I do? Do you sort of find people are using it as like a bit of a coach?

Tony De la Fuente (29:52)

Yeah, we do that with Product Lighthouse. So we tell you, hey, try to ask this or that. And also we give you proactive information every time that you. You do an assessment. But the point is that when you. When it comes to using an MCP or the way we have it is like on top of our database there is a rollback access control and our AI is on top of our RBAC to make sure there is no information leak.

Patrick Gray (30:23)

Yeah.

Tony De la Fuente (30:24)

That is also key in any type of deployment of security tools with AI. So to make sure a user can access the information that that user has to access, not more, not less. And that is key also. And that is a challenge. It's a huge challenge now with mcps, because MCP are something that are working very well. But when. You know what happens when something is very helpful that is used widely and probably too much and without even having security into consideration. We have also an MCP for Prowler Studio. That is our platform to create new controls with AI. And that is not a security problem because you are. For example, you can install that MCP into cursor, with cursor to create your checks. And that is working directly with our database of checks and generating new checks. But when it comes to customer data or your own security data, that is different. And that is what we built in Prowler Lighthouse on top of our rbac.

Patrick Gray (31:32)

Yeah.

Tony De la Fuente (31:32)

So all those challenges are very important to take into account when you develop your AI strategy. Right?

Patrick Gray (31:40)

Yeah, 100%. Well, that's all really interesting stuff. Tony De la Fuente, it's fantastic to see you again and to, you know, hear about. I always like talking to you about Prowler because you are so enthusiastic about it. It's always good to hear what you've been up to. Great to see you, my friend. And we'll chat again soon.

Tony De la Fuente (31:59)

Thank you, bud. See you soon.