Gregor Vand
Digital forensics is the process of identifying, preserving, analyzing and presenting electronic data for investigative purposes. It's often related to addressing cybercrime and is crucial in tracing the origin of breaches, recovering lost data and security hardening. Emri Tenas Tepe is the founder and CEO of Binalyze, which is a cybersecurity company specializing in digital forensics and incident response solutions. He joins the podcast with Gregor Vand to talk about his path into engineering, his time in the infantry, Binalyze, digital forensics and more. Gregor Vand is a security-focused technologist and is the founder and CTO of MailPass. Previously, Gregor was a CTO across cybersecurity, cyber insurance and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile @vandhk. Hi Emri, welcome to Software Engineering Daily.
Emri Tenas Tepe
Hi Gregor, it's a pleasure being here. Thank you for the invitation.
Gregor Vand
Yeah, great to have you here, Emri. As we might get into, we've met once before, back when I was at a company, Blackpanda, and as we might imagine here, that's now a customer of Binalyze, which is what we're here to talk about today. So normally I kick off these episodes with a background of yourself. I'm actually going to just add in one pre-question, just to help, I think, our listener base, because we're going to be talking a lot about digital forensics today, and just to make sure there's no misunderstanding around what we're talking about: could we just define digital forensics, and then we'll jump into your background?
Emri Tenas Tepe
Sure. So digital forensics is actually a pretty old profession. It's an industry on its own these days. I see that it's kind of seen as just a feature when it comes to endpoint security, but it's actually an industry on its own, and it's even older than the endpoint security industry. So it's basically the art of collecting evidence, preserving it and analyzing it. And the way we define digital forensics in the traditional aspect is collecting it, preserving it, analyzing it and then presenting it to the court for solving an investigation. But what we do is a modern way of doing digital forensics, which we'll be digging deeper into.
Gregor Vand
Exactly, exactly. Okay, that's great. We've got sort of a basis of what digital forensics is. So I will now go to the normal start, which is: tell us a bit about yourself, you know, before founding Binalyze. I'd love to just hear sort of how... what was the road to founding Binalyze?
Emri Tenas Tepe
Sure. Before we start, today I learned you were the one who referred our product to Blackpanda, and also our chief investigator. You guys were working there together. That's another indicator of developing a product that solves a challenge, that addresses a need. So thank you once again for the invitation.
Gregor Vand
That did happen. Yes.
Emri Tenas Tepe
Thank you so much. I'm 39 years old. I started coding at the age of 11 or 12. So it's been a very long time. And I don't remember myself without having access to a computer, not coding something. So maybe a two-month, three-month break, but I was always developing something, because that's the passion. And the way I started was, we had five computers at that time and we were sitting, I clearly remember that moment, we were sitting three students in front of every PC. So we were like coding interns. And I think this is very important, because the teacher who taught us how to code, she said, this is not actually a part of the semester, so this is not a part of the curriculum. I'm supposed to teach you Windows 95, but I studied archaeology and I wasn't able to find a job. So I'm going to be teaching you QBasic, because that's how I started making money and that's how I decided to be a computer teacher, a programming teacher. So she said, I'm going to teach you just in case you use it in your career. So that's how things started for me. And then again, I'm ex-military. I started military high school after that one, after secondary school. At the end of every computer class, our teacher was giving us some 10 minutes for us to play or do whatever we wanted, because if he didn't, then people were finding ways to do it in between the class. So in the last 10 minutes, I was coding something in QBasic. I was probably writing some for loops, printing some numbers to the screen. And then he asked me, what are you doing? I said, I'm learning QBasic. And at that time I was also jumping to Perl, which was another programming language which was quite popular at that time. So I mean, these were happening at a very early age. So I'm really grateful for meeting these teachers.
And then I started military academy. In that period again, I had access to a computer all the time and started learning MASM32, which is Microsoft assembler. So I was going deeper and deeper. Started with QBasic and then Perl. I remember working with Java for around a year. And then PHP was getting quite popular those days. So we were designing not with frameworks. So I really envy the ones who started later, because there were no frameworks for that. So you were basically writing everything from scratch. So all the content of that web page was delivered by code. There was no middleware in between. So I started to go deeper and deeper. And I remember in the last year of the university, it was MASM days, Microsoft assembler, which was basically the 32-bit instruction set. And I was fascinated with it, because that was the moment I understood that, okay, all this code that I've been writing is basically translated into this that executes on the machine. So, yeah, that's how it started. And my career has nothing to do with computer science actually, because I was in infantry. My first mission was in Iraq, so I stayed there for two years. I was an infantry paratrooper. And in that process I proposed 14 projects. None of them were accepted because, you know, the military is quite strict when it comes to innovation. That's not the best place to do stuff if you're coming up with new ideas. And my role had nothing to do with innovation. I was in infantry. So I proposed 14 projects. These were mainly robotic devices, small circuits and some software projects as well. None of them were accepted. And on the 14th one I decided, okay, I think I'm in the wrong place, so I shouldn't be here, I should be somewhere else in the private sector. And I resigned and I was offered to work as a malware researcher, because those days I was digging deeper into how to reverse engineer malware, how computer viruses work. That was quite a fascinating idea for me.
Like, I'm having a small, a few kilobytes of binary that can do stuff autonomously and then spread around the world. But it also sounded quite dangerous and I wanted to know how it worked. So I started as a malware researcher and then I received an offer from Comodo. I led their mobile malware research team for a year, and that was the moment I understood enterprise is not for me, because I really missed being in a startup. My first career opportunity was in a startup. And then I returned back to that startup that I joined after the army, this time as a shareholder, and then worked around seven, eight years. It was quite an experience. So I learned what to do, and what not to do also, because startups are great for learning what not to do. And then I started Binalyze. So that's the quick background on me.
Gregor Vand
Awesome. So, I mean, I think it's fair to say that, you know, a lot of founders, they end up founding something that's solving a problem they've personally experienced. So I guess, sort of leading on from the history leading up to that point that you've just explained, was there something you'd experienced already that then drove you to say, well, Binalyze, this should be a thing? Like, what was the sort of moment there?
Emri Tenas Tepe
Actually my background is not digital forensics, but I was pulled to digital forensics because of working with our advisors. So the first time I realized that there is a need was when I met one of our advisors, and they were looking for someone who was going to help them spot an insider case. So there was a malware infection, or claimed to be an infection, but this needed to be proved. So the claim was, the suspect was saying, I did not do it, my computer was hacked and it was done by the attacker. So we had to prove this. So it was a combination of forensics and reverse engineering, malware analysis. So all of them were getting close to each other around 15 years ago. And then the second investigation, this time with our second advisor from the New York Police Department: they had a big financial institution, another breach, and the claims were really high. They would get this from the insurance provider. But the problem was FTK, the platform, the software they were using at that time, shows a file, but no one knows what the contents of that file are. So it shows that it's potentially encrypted. And the interesting part was this file was starting as an autorun, so it was automatically running when the machine rebooted. It didn't make sense. So I mean, it shouldn't have some encrypted contents if there is some data. And then it turned out to be a trick that was used by the attacker to run another binary. So these were the indicators that traditional forensics was actually coming to evolve in the way that the traditional antivirus industry evolved. Because when we started in the antivirus industry, first it was on-demand scanning. So you were scanning your computer. And then antivirus companies introduced a new methodology like on-access scanning. So this way, whenever you or a process accesses a file, it was automatically scanned.
And then we came up with the idea of, why don't we make it faster and introduce on-execution scanning. So if something is not running on your machine, why am I supposed to touch that? Because when the first antivirus was introduced, computers were very small, the hard drives were very small. But the last time I remember having a hard drive in my hand it was two terabytes. So if I'm supposed to scan all those files, it takes hours. So that was the moment we decided, why don't we introduce on-execution scanning? So these types of innovations were being done in the AV industry, but forensics was an exception, because we can dig deeper into this why, but I believe it's because it's very traditional. It has its roots in law enforcement. It's a very strict profession that does not allow people to innovate, come up with new ideas, because at the end of the day you are going to the court, or that's the assumption, which we're going to discuss further. So we started experiencing these types of problems and I was trying to basically solve the problems we were facing ourselves with our advisors from the NYPD. And to be honest, I was quite frustrated, because we were waiting for FedEx to ship us hard drive images, which didn't make sense. So from time to time I was asking them, can I get access to that machine over TeamViewer? Give me the access, I want to check some stuff and then you won't be needing the disk image at all. That's how we started. So the need was there. And in simple terms, I wanted to sleep more, because I was waiting for evidence to be sent.
Gregor Vand
Yeah, I like that. So it's solving a pain point of sort of the profession that you are in, and I would say a similar one that's popping up more and more now is, I've seen a couple of startups of SREs, Site Reliability Engineers. They're very keen to develop tools that will make their lives, as you just called out, so that they can sleep more as well, because they're getting fed up with their routines and they know that obviously AI et cetera can come help them out on that one. So I really like that you had a lot of skin in the game in terms of what this was actually solving. So that's very interesting. And then if we look at sort of what the product is, a big part of it is the fact it's all around automation and the fact that it's cloud-based. And you kind of touched on it there, you were saying you were waiting on hard drives being FedExed to you, but what was it that really led you to believe? And you also touched on the fact that it's quite a sort of, we would say, staid industry where, as you called out, law enforcement has driven most of the direction of it up until a certain point in time. So yeah, what sort of led you to believe that being able to move this in the direction of cloud and automation was even possible, and that you could be the one to actually be the disruptor here? Like, what was the thinking behind that?
Emri Tenas Tepe
Great question. Actually it's another shift that we observed at that time. So in my previous company we signed a deal with one of the largest telco operators in the US and we were expecting to have around 50,000, 60,000 customers. It was an anti-malware product, so it was running on their machines, scanning their machines, but it turned out to be much bigger than we expected. I remember looking at the dashboard and I remember seeing 100,000 and we thought, okay, that's going to stop now, because they had already deployed more than we expected, and then it became 200,000, 500,000, a million. And I remember at the end of that deployment period, I guess it was around 8 or 9 million end users. But before it hit that threshold, we had started to run out of bandwidth in everything. All the infrastructure was based on virtual PCs, VPCs on data centers. So that was the moment we started to work with shifts with our current SVP Engineering. We are working at Binalyze together now. So that was the moment we decided, okay, we need to solve this problem, because we cannot solve this with a data center that is located somewhere in Germany. And then we started digging deeper into how we could migrate our infrastructure to the cloud. And I remember when I first logged in to Azure, it really felt like a huge data center waiting for me to run. So it was much, much more advanced than the consoles of data centers. So everything was moving to the cloud at that time except forensics, because forensics was supposed to be shipped with FedEx and DHL. So we were persuaded that if we want to make this technology available to enterprises, there is no way we can do this based on the traditional methodology. And the AV also, antiviruses also had a similar evolution.
So first it was antivirus and then endpoint protection platform, and then they started introducing cloud antiviruses, which was again quite a paradigm shift, because people were against the binary going to the cloud, but then comparing it against the trade-off, I mean, do you want to be safe or do you want an executable sent to some cloud? So people started to accept the trade-off there. So it was hard, to be honest. The first three, four years of Binalyze were really hard, because everyone was asking about the chain of custody, like, where do you save the data? And that's the reason we introduced our on-prem version. The same architecture, the same functionality. But if the enterprise is not ready for that mindset shift, then we were providing them with the on-prem version and it was running in their environment. But most of them, even the most mature enterprises, started to ask for the cloud version themselves, because they don't want to worry about deploying a product, maintaining it, running the infrastructure. They just want the value that that product provides. So it was quite a shift at that time. And now Gartner recognized this as a new category, and guess what, the first letter in this new category is cloud. So Cloud Investigation and Response Automation, they call it CIRA. So it required us a lot of time and resources to talk with the customers, tell them why it has to be scalable. It has to be running somewhere, either on our machines in the cloud or in their environments. But that was quite a mindset shift.
Gregor Vand
Yeah. So I'd love to dig into this quite a lot. We've already sort of moved to the point of, okay, today Binalyze runs on the cloud, and there's obviously been a mindset shift. Sounds like a lot of companies by this point think that this is the way it should be done and it's okay, so long as they trust the technology behind it. That's kind of the key thing there, I believe. Okay, so before cloud, the Binalyze proposition was the automation aspect to it, I sort of believe, and sort of what that could lead to in terms of time reduction for people like yourself who were in digital forensics generally. So what was the kind of catalyst, the moment that you understood what could be done in this sense? Like, you thinking, okay, something that's taking me weeks can actually come down to hours. What did that kind of look like in terms of realization?
Emri Tenas Tepe
Actually the traditional digital forensics market was moving really slowly at that time. And it really felt like it was at the end of its evolution. And when we started, this is something we haven't covered, by the way. So when we started, our product was a dongle-based product. So it wasn't an enterprise product. We were just trying to solve the problem of collecting evidence and analyzing it from a single machine. And they are also used to it, you know, police officers are used to having a dongle. That's how they use all the traditional forensic products. So we started that way as well. But shipping dongles was really hard, because we were getting orders from Australia, from the US, from all around the world. And again we were waiting for preparing the dongle packages and then shipping them, and we were receiving a lot of feedback.
Gregor Vand
And just for our listeners, some might not even realize, just in terms of age groups: a dongle here is like a USB plug-in adapter, right? So this physical thing you plug in, and it's effectively like a USB drive.
Emri Tenas Tepe
It's kind of a USB drive that also has some licensing unit in it. So it's both for saving the evidence and also activating the license. And law enforcement is very familiar with this approach.
Gregor Vand
Yeah.
Emri Tenas Tepe
Okay. And then the customers started to ask, actually customers started asking, I mean, we really like the product, but can we run this remotely? And when you talk about running it remotely, then there shouldn't be any dongle. So then we released the first version that does not depend on it. It's called soft licensing. So we called it dongle licensing and then soft licensing. And then the needs also started to come from the enterprises. They were asking us, can we integrate with our SIEM? And based on our previous experience, previous startup experience, listening to customers was a big part of developing your product. The way I describe it, even now if you go to our release notes, you'll see every release has at least 2, 3 credits given to our customers, because customers are asking for the features that we release and we are giving them credits, release notes credits. So basically the disruption was requested by the customers. So can we run this remotely? Can we integrate it with our SIEM? Can we run it with our SOAR? So these are the platforms that they were using at that time. EDR, XDR were not that popular at that time. So SIEM was the most popular product. So that persuaded us to see that there's disruption needed here. And also I remember having EnCase certification books and checking the release notes of EnCase. At that time the product was basically not being updated anymore. So they were basically maintaining the product, not adding disruptive features. And also our advisors were constantly asking, can we integrate your anti-malware SDK with Forensic Explorer? I remember that was one of the programs that they were using. These types of integration requests were constantly coming from the advisors, which was also persuading me, okay, there's something needed here. We need to focus on this.
Gregor Vand
Yeah, I mean, it's a good problem to have when it's not for lack of people wanting to use the product or using the product, it's actually they're saying, we're using the product, but we'd use it even more if you could provide it in this other form. And obviously that's kind of a nice thread that you were able to pull on and move along to non-dongle.
Let's sort of jump into more from a technical standpoint, just kind of actually what's going on here, what's happening semi under the hood. So am I right in saying that today the product we're talking about is called AIR?
Emri Tenas Tepe
Is that sort of Binalyze?
Gregor Vand
Yeah.
Emri Tenas Tepe
AIR.
Gregor Vand
Is that like an acronym for something?
Emri Tenas Tepe
It's Automated Investigation and Response. It was initially our product name, but now there are three products that have the name AIR in them. So it's kind of becoming a category name.
Gregor Vand
Nice.
Emri Tenas Tepe
Based on what I've been observing for the last few months.
Gregor Vand
Okay. And this was actually a very interesting thing when I first came into the space, and admittedly I didn't need to handle a lot of this side of things, mainly talking about my time in Blackpanda. I didn't need to really handle any sort of forensic collection or incident response directly. But I was made very aware that one of the big challenges there is the cross-OS, the cross-system-architecture aspect. Is it Linux, Windows, Mac, Android, iOS, et cetera? So how does AIR handle that, when we talk about automated collection? And I think, again, that was almost an argument put to me as to why this was so challenging and could not be automated: the cross-OS aspect. So how does AIR actually handle that in terms of the different operating systems?
Emri Tenas Tepe
So that was actually one of the selling points, because we realized the fact that in order to be a good investigation platform we need to support multiple operating systems. My background is also Windows, the Windows operating system, the Windows kernel, and at that time macOS was getting quite popular in enterprise environments. Especially developers were using macOS. But it's much more common now, and when we checked the market reports, MacBooks were on the rise and then Chromebooks also showed the same patterns, and as far as I know they were even above MacBook sales now. So we were getting the signals. I mean, we are already really good on Windows. Now it's time to focus our resources on macOS, Linux and also Chromebook. So currently we have Windows, Linux, macOS, IBM AIX, Chromebook and even ESXi. So this is one of the hard parts of digital forensics. And combining this data in a single, unified hub is also another challenge. So that was a need, and some of the customers were specifically choosing our product because of the cross-platform support.
Gregor Vand
Okay. I mean, there must have been challenges, though, in being able to handle the different, you know... so was it that it started with Windows, but I think you said moved to macOS fairly quickly? Or, I mean, what kind of things, maybe at a slightly higher level, have to be considered when trying to create the same product in this space across the different operating systems?
Emri Tenas Tepe
I think the biggest challenge is macOS, because macOS is a closed operating system. So on Windows you can get a lot of details if you want to dig deeper into the operating system architecture, the kernel, the forensic side of things. But when it comes to macOS it's not that easy. So even the books that are written on the subject are fairly old. So it required us a lot of research on the macOS side. And then once we had macOS, Linux was much easier for us, architecturally. So we developed two products. The first one was for Windows specifically and then we developed Tactical Cross, which was collecting evidence from both macOS and Linux. And choosing the language, choosing the framework and then doing the research was the hardest part of that.
Gregor Vand
Yeah, and I think, you know, just pointing to recent cases like, e.g., CrowdStrike. And why was that such a problem? Well, as you called out, macOS is this closed system where access to the kernel is not possible, basically. And that's where Windows differs. And I think it's often been misunderstood as to why people say you don't get viruses on Mac, period. And it's obviously not entirely true, but it's more along those lines where Windows was just built from that standpoint of, the kernel can be accessed actually, and Mac can't. But yeah, inherently, when people want to do good things and actually be able to investigate, it obviously makes your job a bit harder when it comes to actually creating a tool that's supposed to be figuring this out for, say, macOS.
Emri Tenas Tepe
Yeah. And macOS was not targeted. When I was in malware research, macOS was not targeted as much as Windows, and even Android was much higher when it comes to malware numbers. So that was the reason. But currently macOS forensics is a big niche in the industry.
Gregor Vand
Yeah, I think that's just a very interesting evolution there. In terms of forensic investigation, we're kind of talking about the difference of how quickly we can do this, but also then how thorough is that? How many files have we actually pulled up and what have we gone through? If we were automating that, when designing the product, how are you considering speed versus thoroughness? And is it a trade-off? Or would you say you've actually figured out the win-win of being able to do it much faster and just as thorough?
Emri Tenas Tepe
That's actually where the domain expertise gets into the picture. So if you try to collect everything from that machine, then you basically go back to traditional forensics, and then there's no point in designing a new product, because it's basically like getting a full disk image. So you need to find that balance that gives all the value without slowing down the investigation. So that's how our product is able to bring investigation times down from weeks to hours. So there's a balance there. I mean, you cannot collect everything. It should be incremental. It should be gradually increasing. You should be able to, but you shouldn't in the first stage. That's how I define it.
Gregor Vand
Yeah. Okay, makes sense. Especially in today's world, what, if any, role does machine learning play in building that up? I mean, this is not an area or product that I'm super familiar with from a pure technical standpoint. So you can help us out here. Is this a case where you are able to bring in machine learning and then sort of have these, I guess, catalogs of understanding of what's bad, what's good, et cetera? I mean, talk to us about that.
Emri Tenas Tepe
So that's actually one of the biggest differentiators, because in traditional forensics you have a desktop-based product that runs on a single image by an individual analyst. So there is a one-to-one-to-one relation in that investigation. But in our case, in the modern approach, you can have access to thousands of machines in a single platform. That gives you a baseline of what is normal, what is not normal. When I see something on one of the machines, is this also the case on the other devices as well? So you have access to this, and based on this information you can easily use machine learning or even AI now to get a much faster understanding of what happened in that environment. Because we're not talking about a single machine anymore. It's an enterprise problem. So you need to have access to all the assets that may be involved in that case.
Gregor Vand
And that's obviously touching on the cloud component. And I think when you were talking about the concerns around cloud, you know, when you were thinking through the move, or shifting the product to be able to run in the cloud, basically the big pushback is around anything to do with data privacy and compliance. How do you handle that? You're vacuuming up effectively all the data off a machine, and there has to be some pretty sensitive data there. How do you work with that when it comes to cloud?
Emri Tenas Tepe
Sure. So basically the regulations and certifications: as long as you have these certifications, then you don't face that much of an issue. But still there are always some questions, when it comes to which one is important: business continuity, finding the root cause, or having our data in the cloud. And especially with the migration from traditional on-prem-based antiviruses to EDRs and now XDRs, almost all the XDRs on the market are cloud-based. So they already started that shift. In our early days as a startup it was hard for us to train, to increase the awareness, to educate the potential customers. But with the shift to XDR and SIEM products this is already happening. So these are already cloud-based products, and the customers started to ask, can we get a cloud version? Can we get a SaaS version of your products? But when they ask this, you need to provide them with these certifications. And as long as they see that, it's not that much of an issue. Now there are still some enterprises, especially government and military. We also have military and government customers. Some of them still prefer to have on-prem environments, but that's not that common now, especially in the last year.
Gregor Vand
Yeah, when we're talking about cloud, is the majority on your cloud, on private cloud, is it a pure mix? Like, how does that look?
Emri Tenas Tepe
They mostly ask us to host it, because they don't want to deal with maintaining a platform. It's already very hard for security operation centers. And MSSPs also, they're fairly compact teams. So we are not talking about hundreds of people at MSSPs. Because we have two types of customers, MSSPs and enterprises. And for enterprises it's an even bigger problem, because it's really hard to find people for the security operation centers and it's hard to retain them. So if you ask them to maintain a platform, then it becomes an even bigger problem for them. So they just want to be doing what they're supposed to do rather than maintaining. So that's why they generally ask us to host it.
Gregor Vand
Just an interesting point where I think a lot of people assume that products like this, the customer is going to demand that it is run either on prem or on private cloud. And actually for all the reasons you've just said, when smart people and these customers actually think about it, they realize, yeah, they're creating more headaches for themselves often, so long as again it comes down to the product itself. Do they trust the, the company, the product, et cetera. But that should be one of the big value propositions is that you as Binalyze know how to run the product in the most optimal way on cloud. And so if you let you guys manage that, that makes a lot of sense. And you touched on enterprise and obviously selling to enterprise is very challenging. You do seem to have quite a lot of enterprise customers just from your website, et cetera, testimonials. So they've clearly sort of adopted, obviously in relative terms for SaaS it feels like enterprises adopted Binalyze quite quickly. And yeah, what sort of surprised you about how enterprises are actually using Binalyze?
Emre Tinaztepe
That's a great point and that was one of the things that surprised me, to be honest. So in our previous company we were evolving from, we were making our product from a consumer based antimalware product to an enterprise product. But the fact was we had many competitors at that time. So when we introduced our enterprise antivirus we had almost 50 competitors on the market and I guess that number is now even higher. So 70, 80 maybe antiviruses. So it was really hard because you had to be like superior in everything and also in terms of pricing. So I was expecting something similar here. But something I forgot was that we don't, we didn't have. Now we started to get like some, some competition on the market but when we started with the enterprises we didn't have a strong competition. So it was quite surprising. And especially I have like several funny stories about this but like one of our, a few of our actually large enterprise contracts started with a single line of email. Like a few of them, like just one line of email. Can we get a price quote for 30,000 assets? And like some of these, I ignored them because I mean, being in an enterprise sales environment in my previous company, I know how hard it is, how hard it's supposed to be in an enterprise environment. And like seeing a personal email asking for a price quote for 30, 50,000 assets didn't make sense. We were lucky because our previous SVP Growth took one of these like emails and replied and they became a customer for five years. So it was kind of surprising because the competition was not there yet and we were solving a real challenge that they were trying to implement themselves. So like in general, when we meet with an enterprise customer, the, the moment they see the demo of the product, they generally say, this is exactly what we've been trying to solve internally for the last two years. But we had to give up because it got too complex.
So, and they generally do this for one operating system and then they need to do it for the other operating systems as well and then they need to build a lot of other features on top and then they decide, okay, this is a product, this is a profession on its own. We had to stop. So it was surprising for me. I was expecting it to be harder.
Gregor Vand
And just, I mean like that example you get an email of, as you say, one line, what's the price for a large number of assets? How in your mind, how are they discovering Binalyze back then?
Emre Tinaztepe
So this is one thing that most startups do not embrace. They generally think about, okay, we release the product, let's, let's price it, let's charge it. I think that's one of the things that we learned in our previous company. Again, as I told you, like we learned what not to do as well. What not to do as a startup. I mean there may be exceptions, but this is how we perceive, this is how we see it. So the product should meet the potential customers without thinking about any pricing, licensing, revenue and etc. Because what matters is what the customer thinks. Is this solving the real problem and how much of that problem is that product solving? Because there is always more to solve. So what we did was before releasing the first version of our dongle based, USB based product, we first created a join waitlist six months before the initial announcement and we started collecting emails and then we released the first version, IREC, the free Incident Response Evidence Collector. It's IREC. IREC Tactical was the paid version, but we waited for, I guess around six months before thinking about pricing or like subscriptions and a server. And then we released the Tactical version with additional evidences and additional features. So customers were basically downloading the free product and they were testing it on their like individual machines and they were asking questions, can I run this remotely? Because remotely, like it was basically a Windows based application. So there wasn't even a command line like argument option because it was just you run it, you select some checkboxes and then click start like collection. So they were asking these questions. That's how they learned about Binalyze. We didn't have any adverts, we didn't have any like paid advertisement, nothing. It was just a website with some keywords and they were finding it themselves.
Gregor Vand
Yeah, that's very cool.
Emre Tinaztepe
This episode of Software Engineering Daily is brought to you by Leanware. Struggling with development teams that say yes to everything but deliver on nothing? Leanware offers a refreshing approach. They're a Colombia based team delivering top tier software development with full transparency and world class engineering standards. They've honed their craft over nearly five years, sticking to technologies where they have senior expertise. This means no compromises on quality, ever. Their C level executives are always accessible, ensuring seamless communication and a genuine partnership. Plus, being in a similar time zone to the US makes collaboration effortless. Don't settle for less. Partner with Leanware for software development done reliably. Visit leanware.co or see the show notes to get started. That's leanware.co. Leanware, redefining software development with exceptional quality and realistic expectations.
Gregor Vand
And in terms of, you kind of just mentioned there, people would download it and then they would say how can I run this remotely? Or so on and so forth. But otherwise, once people were sort of hands-on with the product, what have customers taught you in the past and what are they teaching you now that sort of has actually made its way into the product? Maybe let's just say not to do with just oh, move it to cloud. But what maybe feature wise have kind of customers taught the team in terms of features that are now in there today?
Emre Tinaztepe
I think the biggest input we received from customers was the investigation hub. So collecting evidence and analyzing it on a, on an asset basis, like per asset basis was already in the product. But we decided to like prioritize the consolidation of multiple reports. And the second one was integrations. So that made us realize that these guys already have everything money can buy. But still they are spending a lot of time understanding what's happening. And that was the moment we decided to prioritize integration with SIEM, EDR and like XDR products. So that's the reason we have support for all major products on the market. So those two things were the things that we learned from the customer.
Gregor Vand
Nice. And I guess then looking at the other side, what has been, from a technical standpoint, what's actually been one of the hardest problems you actually had to solve, whether that's something that has been suggested in or just something that you as a team have thought this needs to be in the product. But what has actually been one of the sort of big technical nuts to crack on the product?
Emre Tinaztepe
It was actually about the release cycles. So we had to spend a lot of time and resources because enterprise is not a SaaS platform. So in essence it's a SaaS platform. But the product you develop is running on 32-bit Windows, 64-bit Windows, Windows 7, macOS, Azure, cloud, like, I mean it's basically running everywhere. So you need to have a very robust quality assurance and continuous integration, continuous delivery pipeline. So our team has spent a significant amount of time on the testing of the platform. And I'm really proud that this is again like based on our previous experiences as well. So when you change a single line of code in our product, there are like thousands of tests running in the background. And at the end of the day we are having a release and we know that there is a like very strong automation running in the background. And the biggest thing was it's an emerging category. So you shouldn't be releasing any version every three months, every six months, which can be sometimes hard for our customers because they are used to other vendors that are releasing like four releases a year, which is not the case for Binalyze. Binalyze releases every 15 days. We release a new version and then we announce it publicly at the end of the month. So this was the thing, I guess, like setting up the infrastructure so that we can reduce the release cycle so that we can listen to customers in a much shorter sales feedback cycle and then fix the product, add a new feature for the product and then release it to the market. This was the hardest part, in my opinion.
Gregor Vand
How does that sort of work in practice? Let's take the sort of, the person who asked for, let's just say 30,000 assets. If we're thinking, okay, every 15 days a new version has to go out to, in theory, 30,000 assets of very varying operating system types. I imagine the percentage of actual update, let's just say on the day after that it comes out, is not 100%. Right. So then you're working with 30,000 assets across then quite a different spectrum of, well, previous version and current version, I guess. What sort of challenges come with that in terms of, well, I'm thinking about sort of backwards compatibility?
Emre Tinaztepe
Almost exactly. Yeah. So, so like initially we didn't want to deal with that until we started to like get the product deployed on environments that are like a hundred thousand like assets. So that's when we decided to prioritize the backward compatibility. So you don't need to like make it like a big roll out to your environment. You can do it incrementally because most of the time the features that we are adding are on the console side, not on the responder side. So that's why our team prioritized that one. And I think that was one of the learnings because that's not something we did in our previous products. And it's, it's. To be honest, it's easier for a startup. You know, like in our startup days, it was easier to have one product that has everything inside. So rather than like thinking about the communications protocol between the assets and the console. But that's not the case anymore.
Gregor Vand
Yeah, I think you know this, in my mind anyway, that's kind of what set yourselves apart. I basically had to do kind of vendor assessment on products in your space. And that's when I became aware of Binalyze. And yeah, it just seemed fairly evident fairly quickly. And also getting. We actually spoke, I think it was about two years ago at this point on a call. I'm going to throw in a funny anecdote here which is I genuinely hadn't maybe done my research exactly on how large you were as a company at that time. And I think I remember asking you, oh, so is it just you and your co founders? I think you said, no, we have like 200 employees. I said, oh, right, okay. So sorry, I slightly misunderstood the size of the company.
Emre Tinaztepe
But that's a great point, because we were laser focused on the product side. Again, something that I've been a firm believer in. Make a great product and the growth happens. When we started seven years ago, people were asking, so how much? Even in our first investment, how much budget are you going to spend on the marketing? Zero. No marketing budget. We'll fully focus on the product side. And even when our VP Marketing started, she said, my first responsibility is to take the company out of stealth. Because even in our like 5th year, 6th year, we were still in stealth mode. So it was all about like developing the best product on the market, not making that much noise, not like making ourselves that visible. We wanted the product to make noise. We wanted the product to make people like talk about, not even about the company. We wanted people to like talk about the product. So like Spotify is a great example. Like I deployed, installed Spotify for all my family, all my friends because I was in love with the product. I was able to listen to any, any music I wanted. That's why we didn't spend that much effort to promote the company, the team. It was always about the product.
Gregor Vand
Yeah, I love that. Really like that approach. And as they just kind of showed when we did have that call two plus years ago at this point. And you know, looking forward, how do you just sort of see automated forensic collection changing? I mean, any hints to sort of what's on the horizon with Binalyze? Yes, anything that you can share.
Emre Tinaztepe
Even hearing this question excites me, by the way. And the reason is, so far Binalyze received more than 10 M&A requests, mergers and acquisitions requests.
Gregor Vand
Wow, nice.
Emre Tinaztepe
And these generally came from traditional forensic vendors and also endpoint security monitoring vendors. And soon it's going to be our seventh year and we said no to all of them. And we'll keep saying this because it's not even 50% of the roadmap. So when we started seven years ago, we had a vision and we are just about to introduce new use cases that are not available on any other product on the market. And that's because I see this as our product is kind of like similar to the James Webb Telescope. So the James Webb Telescope allows us to discover a water molecule in a planet that is a million light years away. I mean it's, it's unbelievable, but it does that. And how? Because it has different like cameras, different spectrum scanners. So it has that visibility. And when you have that visibility, then it's not about like finding a planet, finding stuff inside that planet that probably we will never be able to touch in our lifetime. So I see Binalyze AIR as that kind of a platform. So this is just the beginning of the journey. And on top of this we'll be building new use cases. So that's the reason, like I say, we have just started all the time because we literally have just started. So this was just building the, I mean this, this doesn't mean that we still have stuff to do in order to like capture the market. Our product is already like at least two and a half, three years ahead of the competition. So the closest competitor in terms of feature set. Like when you take a look at it from a competitive intel point of view, I can see that they're developing, they're implementing the features that we implemented two years ago. But this is just the beginning. There is a lot of stuff on the horizon, and even thinking about it excites me.
Gregor Vand
Yeah, that's very exciting. I mean, the way you're talking about it, it reminds me a bit of Shopify, actually, where I'm quite familiar with that platform from a past life. And I was familiar with that platform from the very early days and when they were seven years in and saying to people, we're just getting started, and people didn't believe them whatsoever. Like, yeah, come on. No, it's done now. Yeah, e-comm on the cloud. Great, well done. You've done it. And, like, we're done here. And of course, they were not even close, and I knew that was the case. I'm a big fan of Tobi Lütke, the CEO, and I've met him a few times, and it was just so obvious that when he said it, it was true. And I think I'm just hearing and feeling the same from yourself, you know, this space. And when you say we're seven years in and only just getting started, that just sounds like another case of this. So I think that's incredibly exciting. Just kind of wrapping up here. Thanks so much for coming on. And I'd like to just ask a couple of questions just to sort of you as Emre, looking back on things when you kind of started out in. Well, you were in the military for a while, but if you could sort of tell yourself something now, but to yourself back then, of whether it was anything to do with technology or just something to be aware of, thinking about sort of how you approach your career, like, what might that be?
Emre Tinaztepe
I mean, I'm learning every day. That's the fun part. So that makes Binalyze even more exciting than the years we started. And I think the biggest learning I had in the last, like, almost seven years now is the balance between mind, body and soul. In the early days of Binalyze, it was all about, like, working super hard, not sleeping. But now I learned that I can work, like, much harder by also, like, meditating, breathing, finding that balance in a much more, like, productive way. So I think that's the biggest learning I had in this period. So for the new founders or, like, people who are going to be like CEOs, I suggest them to. I mean, even if you suggest them, they won't be able to because everything happens at the right time. But this is my biggest learning. So, like, spending time to sharpen your blades so that you can perform better.
Gregor Vand
I like that a lot. Yeah, maybe my version of that is in sports generally, I've traditionally been more of a sort of, just call it a sprinter effectively. And over time, I've learned how to elongate that and actually become more of a. Let's just like use broad terms here, like middle distance is probably the easiest way, you know, and cycling is a. Is a big sport for me. But being able to kind of change the mindset around this is not a sprint, it's a marathon, effectively has been hugely helpful. And I think that's kind of what you're getting at, as well as being able to perform at a very high level, but consistently, as opposed to sort of pulling all nighters and then feeling terrible the next day kind of thing.
Emre Tinaztepe
Exactly. And I mean, if that's not your passion, you cannot continue. So instead of finding that balance to perform even better and longer, that's the biggest learning I had. And I think finding a philosophy that helps you analyze things, helps you understand things, and all the challenges that are happening in a company are natural. That's how disruption happens. So if everything is normal, then if there's no crisis, if there's no problem, then there's no growth. That's what I learned, especially in the last few years. So there should be a lot of problems and we should be prepared to handle them. That's how growth happens. That's how big companies become big companies.
Gregor Vand
I think that's a great one to end on. Yeah, just always leaning into problems. Someone else said it's not failure, it's feedback. And I think that's always a great way of looking at things. So thank you so much, Emre, for coming on today. I think we've learned a lot here, and I really do just think that Binalyze as a product is one of these few products in a category that is just light years ahead of anything else. So I really recommend people to check it out, whether you're in this industry and needing the product or even not and just checking it out. Where's the best place, you know, for someone just to kind of check it out and get started?
Emre Tinaztepe
Just binalyze.com.
Gregor Vand
There we go. So Binalyze, that's B I N A L Y Z E dot com. So again, thank you so much for coming on. I hope we get to do this again in the future and catch up with where Binalyze is next.
Emre Tinaztepe
Thank you so much, Gregor. Looking forward to it.
Podcast Summary: Software Engineering Daily – Episode on Digital Forensics with Emre Tinaztepe
Title: Digital Forensics with Emre Tinaztepe
Host: Gregor Vand, Software Engineering Daily
Guest: Emre Tinaztepe, Founder and CEO of Binalyze
Release Date: January 16, 2025
The episode kicks off with Gregor Vand introducing the concept of digital forensics, emphasizing its importance in cybersecurity. Emre Tinaztepe, the guest, clarifies that digital forensics is not merely a feature of endpoint security but a distinct and longstanding industry. He defines it as the art of collecting, preserving, analyzing, and presenting electronic evidence, traditionally aimed at legal investigations.
Emre Tinaztepe [02:28]: "Digital forensics is the art of collecting evidence, preserving it, analyzing it, and then presenting it to the court for solving an investigation."
Emre shares his extensive background in technology and cybersecurity, which laid the foundation for Binalyze. Starting to code at the age of 11 or 12, Emre was deeply passionate about programming. His early experiences included learning various programming languages such as QBasic, Perl, and Java, often motivated by the guidance of inspiring teachers. Despite his technical inclination, Emre’s career initially took him into the military, where he served as an infantry paratrooper in Iraq. His military stint was marked by attempts to introduce innovative projects, albeit unsuccessfully in the rigid military environment.
Emre Tinaztepe [03:00]: "I proposed 14 projects... None of them were accepted because, you know, military is quite strict when it comes to innovation."
After leaving the military, Emre transitioned into malware research, eventually leading Comodo’s mobile malware research team. His passion for startups drew him back, leading to his involvement in Binalyze, where he spent seven to eight years honing his entrepreneurial skills.
Emre recounts pivotal moments that highlighted the gaps in traditional digital forensics. Working with advisors from the New York Police Department, he encountered challenges such as delayed evidence transfer and inadequate analytical tools. These experiences underscored the need for a more efficient, scalable, and modern approach to digital forensics.
Emre Tinaztepe [07:59]: "We had to prove that the infection was genuine and not just a compromised machine... traditional forensics was actually coming to evolve."
One of the significant shifts Emre discusses is the migration from on-premises solutions to cloud-based platforms. This transition was driven by the scalability issues encountered when deploying products to a large user base. Emre realized that a cloud-based infrastructure would offer the necessary scalability and flexibility, especially as the volume of data and number of endpoints grew exponentially.
Emre Tinaztepe [12:34]: "We decided to move our infrastructure to the cloud because managing data centers became unsustainable as our customer base expanded."
Binalyze’s flagship product, AIR (Automated Investigation and Response), exemplifies this shift. AIR leverages cloud computing to automate evidence collection and analysis, significantly reducing investigation times from weeks to hours.
Emre Tinaztepe [20:44]: "AIR stands for Automated Investigation and Response. It was initially our product name, but now there are three products named AIR, making it a category name in itself."
A standout feature of Binalyze’s AIR is its cross-platform support, encompassing Windows, macOS, Linux, Chromebook, and ESXi. Emre highlights the challenges of developing for closed systems like macOS, which require extensive research and innovative approaches to gather and analyze data effectively.
Emre Tinaztepe [21:53]: "Supporting multiple operating systems is crucial for a robust investigation platform. We prioritize macOS, Linux, and Chromebook alongside Windows to ensure comprehensive coverage."
Emre emphasizes the importance of balancing speed with thoroughness in digital investigations. Binalyze’s approach avoids the traditional method of collecting exhaustive data, which can be time-consuming. Instead, they focus on incremental collection, ensuring that investigations are both efficient and effective.
Emre Tinaztepe [25:38]: "We struck a balance that allows us to reduce investigation times from weeks to hours by focusing on incremental data collection."
Binalyze integrates machine learning and AI to enhance its forensic capabilities. By analyzing data across thousands of machines, the platform establishes baselines of normal activity, enabling it to quickly identify anomalies and potential security incidents.
Emre Tinaztepe [26:49]: "Having access to thousands of machines allows us to use machine learning to understand normal versus abnormal behavior, speeding up the investigation process."
Data privacy and compliance are critical concerns when moving digital forensics to the cloud. Emre explains that Binalyze addresses these challenges by adhering to stringent regulations and obtaining necessary certifications. This ensures that sensitive data is handled securely, whether hosted on Binalyze’s cloud or on-premises environments.
Emre Tinaztepe [28:09]: "As long as we have the required certifications, data privacy and compliance issues are largely mitigated, allowing enterprises to trust our cloud-based solutions."
Binalyze’s development has been significantly influenced by customer feedback. Emre recounts how customers’ requests for remote operations and integrations with existing security tools like SIEM, EDR, and XDR platforms shaped the product’s evolution. This customer-centric approach ensured that Binalyze remained relevant and addressed real-world challenges faced by its users.
Emre Tinaztepe [36:45]: "Our biggest customer inputs were the investigation hub and integrations with existing security tools, which allowed us to consolidate multiple reports and streamline workflows."
One of the major technical hurdles Binalyze overcame was establishing a robust quality assurance and continuous integration/continuous delivery (CI/CD) pipeline. Ensuring compatibility across diverse operating systems and maintaining backward compatibility for large-scale deployments required extensive testing and automation.
Emre Tinaztepe [37:45]: "We prioritized backward compatibility to allow incremental deployments, ensuring that updates do not disrupt existing environments."
Looking ahead, Emre envisions Binalyze as a platform poised for continuous innovation. He compares the company’s trajectory to that of the James Webb Telescope, aiming to provide unparalleled visibility and discovery capabilities in digital forensics. Binalyze is set to introduce new use cases and functionalities that keep it ahead of competitors.
Emre Tinaztepe [42:45]: "Our product is two to three years ahead of the competition, and we’re just getting started. We’re introducing new use cases that no other product offers."
In closing, Emre shares personal insights into maintaining a balance between work and well-being. He emphasizes the importance of continuous learning and finding harmony between mind, body, and soul to sustain long-term productivity and passion.
Emre Tinaztepe [46:51]: "Spending time to sharpen your blades so that you can perform better is crucial. Balancing mind, body, and soul enhances productivity and growth."
Gregor Vand wraps up the episode by highlighting Binalyze’s innovative approach and encouraging listeners to explore the product.
Emre Tinaztepe [48:42]: "Visit binalyze.com to learn more about our solutions."
Key Takeaways:
Innovation in Digital Forensics: Binalyze revolutionizes digital forensics by leveraging cloud-based automation, reducing investigation times dramatically.
Customer-Centric Development: Continuous feedback from customers drives Binalyze’s product enhancements, ensuring relevance and effectiveness.
Cross-Platform Capabilities: Supporting multiple operating systems enhances the platform’s versatility and appeal to diverse enterprise environments.
Future-Ready Vision: Binalyze is committed to ongoing innovation, positioning itself ahead of competitors with forward-thinking solutions.
For those interested in advanced digital forensics solutions, Binalyze offers a cutting-edge platform that addresses both current and emerging cybersecurity challenges.
Visit: binalyze.com