Brian McCullough (4:26)

Right? But speaking of customers, let's imagine I'm a CIO listening right now and I'm thinking okay, what does this actually change for me because of this deal? What would you say say to them?

Sanjay Poonen (4:36)

Yeah, let's take three categories of customers. Someone Who's a coast to customer, coming from someone who's a net backup customer and someone who's net new. Okay, so if you're a KOH customer, you're like, oh my gosh, you've got a bigger engineering team to work on. Innovation. For me, nothing's changing my platform data protect, the core platforms thing. I have now twice as many engineers, connectors to all these workloads. Speed of innovation goes faster. Oh, they love that. And you know, 4,500 customers, of course you're going to see innovation. Like example, we've released things in security and AI, more workloads and it's happening really fast. Some of those customers want to also modernize their older platforms, which may have been netback. Couple of others, they're able to now modernize the data protect if you're a net backup customer, you know, so 4,500, that first patch, so to speak, about 9,000. Netbackup as a data mover lives forever. But netbackup is now going to sit on top of the coast file system platform coming out this month. And that is an incredible innovation that nobody else can do. You can't put netbackup on top of the platform of one of our competitors. In many cases they don't have a platform and that's not mandatory that they move off. For example, some customers are running netbackup on top of data domain. They could keep using that. But in many cases, if you wanted to move NET Backup to Cohesity or Rubik or Lean, it was disruptive. Now you can, in the evolution of. NET backup in the next version, you can keep using NetBackup as a data mover, but running on our platform. And all of this will work from one management console, the Koista console called Keily. So that's beautiful in that backup customers, they just keep paying us their maintenance and they get in essence data protect the underlying platform for free. I mean, as part of the upgrade and to the third base, they don't worry about any of this sort of transition. They're just getting kind of the net new code base, which was sort of inherently what Cohesity had built. So we have a very good roadmap for all three of those CIOs, whether it came from Heritage Cohesity, Heritage Net Backup Veritas or a net new one. And that's what we've been doing the last 10 months, you know, and the ones we had to really take care was that list in the middle. The Heritage Veritas customers needed to know for Certainty that there was no risk to their platform and it's been great. And that's why we've been seeing no defections in the past. That middle category had a lot of risk because they were trying to figure out how to modernize cohesity and other competitors were competing against them. That competition now has become a very collaborative discussion about their go forward roadmap. And I've had a chance now to talk to all the high net worth net backup customers when I say that the people are spending million ARR on US or 100k ARR or higher. And those are fantastic customers who love what we're doing for them because they're now getting innovation that they weren't seeing as much from Veritas, which we're now bringing to them from cohesive.

Brian McCullough (7:23)

Let me ask you a few sort of like broad macro questions about security. I think I've heard you say recently that you're saying to folks now assume you will be attacked and focus on fast recovery. Is recovery actually more important than prevention at this point?

Sanjay Poonen (7:42)

Yeah, I think if you think about the NIST framework, right? Detect, prevent, recover, remediate, that's sort of the security framework NIST and I've been in the security industry 15 years. If anything, I'm much more security person. I was an investor in that in between my years at VMware too. Acquired businesses at Airwatch Carbon Black. So I know the space very well and have hundreds and thousands of CIOs and CISOs. I've talked about this over years. The analogy I would use is very similar. There's a lot of parallels in security with the healthcare industry. So imagine during the pandemic, Covid, someone came and told you I'm never going to get the virus. I said okay, that's great, I want some of your immunity. You have incredible immunity. The more relevant question isn't that you're not going to get the virus if you get it, or maybe in many cases it's a matter of when that you get it, how quickly can you recover. So you were out for a day or two and you came back as opposed to having to be in the hospital and a ventilator for weeks and months. And it's very somewhat security when you have a sort of exercise and a posture that says we're going to be attacked. Okay, so let's prepare for the scenario where we are going to get attacked and prove that to our company, to our management, to our board, maybe even to even external shareholders, that we practice remediation. Then you know, we believe it's a matter of when rather than if that every company is going to get attacked. Then you're prepared to say, I've cut all my applications. My category 0 apps will come back in an hour. My category 1 apps will come back in a day. My category 2 apps will come back in a week. My category 3 apps will come back in a month. And the rest I don't care about. Okay, It's a lot like earthquake preparedness, fire preparedness or a health test. Right. So we instruct our clients having seen cyber attacks in practically every industry. Colonial Pipeline, United Healthcare Group, there's a number of industries, healthcare, oil and gas, financial services, hospitals, school districts. You know, recently I came back from Japan, Asahi was hit there, some of the retailers and then Land Rover in uk. So when you see this happening, you have to basically say I'm going to resume a posture where that I am going to get attacked. And the more important procedure which we do really well is focus on rapid recovery, cyber recovery of your data. And that's certainly something that is distinguished, cohesive from the get go of the 12 year history of this company.

Brian McCullough (10:07)

I've also heard you say that you've been warning folks that a lot of employees still will not report a suspected cyber incident, at least like right away. Number one, culturally, why do you think that is? And then number two, how should companies think about fixing that with their employees?

Sanjay Poonen (10:26)

Yeah, I think first off you do need detection, prevention exercises. These are like early warnings. So we work with Mandiant, now part of Google, Google, Threat Feeds, CrowdStrike, Palo Alto, Microsoft. These are companies who send feeds to us and they think of them like the World health organization and U.S. disease Control for our particular universe. And then we have an event response team, it's called cert, Cyber Event Response Team. That's like a mini instant response team focused on data protection and data use cases. That works very closely with the incident response teams of Mandiant unit 42 inside Palo Alto and others and ensures that we're constantly giving our customers, we offer that service for free to our customers. Especially for example now in Cyber Awareness Month you're going to see a higher incidence and we, we give those people a lot of best practice. So it's a little bit like calling a health service that you have a concierge service that's going to give you advice on how to handle. So give you one example of a very good piece of advice we give our customers. You should have three copies of your data with your third copy Always being in a bunker called an air gap cyber vault. We have a cyberwault called Fort Knox. It's one of the best cyberwalls. It won the gold medal at a conference I think a year or two ago. It's the best in the industry. It can run aws, Azure in clouds or on prem. That practical example of a three copy. So often we find a cyber attack happens with the first copy and sometimes the second copy gets corrupted. Effective the third copy though, being in an air gap, meaning disconnected to your network bunker is safe and you can recover from there. So things of those kinds. And then I can go to. We have an entire five step cyber resilience process that we encourage our people to go through. It's like a five step health process. You do these five things. It doesn't mean that you're going to be complete, but the likelihood that you can recover much faster is. So these are things a lot of it is not just about product. We find it's about process, about education, educating our clients on best practice. And as the market share leader in this space, you have to develop great product and of course take care of your customers. But a good part of this is thought leadership and client best practice that you know, we're constantly. And having people like Kevin Mandy on our board. We have a fantastic security advisory council led by Dave DeWalt who's been one of the best security minds in the industry. It has great people like Alex Stamos, who was the CISO at Facebook on it. We have these CISOs and I'm constantly looking for other security people to advise us because they have great amount of experience. We just did, for example, a security advisory council meeting on people like Dave Devault and Alex Stamos and you know, Kevin Mandu. You get smarter in a topic because you surround yourself with people who are extremely savvy and themselves are talking, by the way. They do the same thing with the government. We work with agencies of the government. We have a very successful government business both in the federal defense departments and civilian and we have contexts that are helping United States stay free. But we also have. We are very strong in almost all the big NATO friendly countries where the governments use our technology. And a lot of the things that we're learning in the US Government could be helpful to many of the governments because many of these attacks are nation state actors.

Podcast Sponsor/Announcer (13:49)

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans. Send event invites and pin messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone. Learn more@WhatsApp.com this episode is brought to you by Rumchata a delicious creamy blend of horchata with rum. It's best enjoyed over ice or in your coffee. Rumchata Delivering vacation vibes anyway or anywhere you drink it. Find out more@rumchata.com drink responsibly Caribbean rum with real dairy cream, natural and artificial flavors. Alcohol 13.75% by volume 27.5 proof. Copyright 2025 Agave Loco Brands, Pojoaquee, Wisconsin. All rights reserved.

Podcast Sponsor/Announcer (14:46)

This episode is brought to you by State Farm Listening to this podcast Smart move Being financially savvy Smart move. Another smart move having State Farm help you create a competitive price when you choose to bundle home and auto bundling. Just another way to save with a personal price plan like a good neighbor, State Farm is there. Prices are based on rating plans that vary by state. Coverage options are selected by the customer. Availability, amount of discounts and savings and eligibility vary by State.

Podcast Sponsor/Announcer (15:18)

Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on equipped vehicles Terms apply. Does not replace Safe driving. See ford.com bluecruise for more details.

Brian McCullough (15:47)

Gaia is your AI agent. I believe that you've introduced into this when you when you bring in AI into I think it reasons over background data. When you bring AI into this mix, how do you mitigate hallucinations or like data governance risks when you're using AI?

Sanjay Poonen (16:06)

Yeah, it's a good question, Brian. The way Just back up for a second how we began to motivate ourselves for data. If you think about our mission is to protect, secure and provide insights into the world's data. So if you think of data like an iceberg, the top of the iceberg is hot data which is active that you're dealing with day to day. And as that data ages, okay, it becomes what's called backup or secondary data archive vaulted data. It's all older data, but it's a time series index of everything you have now the value of that data. And by the way, we have the largest amount of secondary data that we protect, 200 exabytes bigger than all of our competitors put together. Now, the value that is not just keeping it safe in a bunker, but being able to then get insights from that. For a company, it's not our data, it's the company's data. So initially we built this technology where it was searchable and so on and so forth, but it was 12 years ago that people weren't doing talking generative AI, but the founders were a company, ex Google folks, so they built it to be, you know, kind of, I might say, search ready or analytics ready. Generative AI comes out. Two years ago, I was playing with ChatGPT and it dawned on me that if we could make our data available to these LLMs, maybe we could allow people to query this. Yes. And we'll get to the governance aspect of IT and responsibility and hallucination in a second. So I, you know, I had been friends with Jensen for years because he'd helped us at VMware quite a bit. I reached out to him and I reached out to Satya, Nadella and Microsoft and they opened my eyes to this technology called RAG retrieval augmented generation. I had no idea what it was. If you'd asked me what RAG was two years ago and I said it's a piece of cloth you wipe your windshield with. But I was able, we came back, we studied that technology, kept under stealth, and we were the first to build a RAG based capability directly on top of backup. So now you can build vetting vector databases that goes at your data and can summarize that. And you could have, for example, let's say 200 million PDFs, which has lots of vendor documents, contracts, other people, you can say, please summarize over the last 10 years, crossed by 200 million PDFs, all the discounts, the years, you know, patterns of years of agreement, all of those contract in a nice table for me. Now how does it not hallucinate? First off, these retrieval augment generation is first off, it's doing the retrieval augmentation, the RA on your data, it's building embeddings. It's not some third party random data. It feeds the results set to the G rag, which is an LLM. And the LLMs are getting better and better at not hallucinating. And the final part of your question was how do you ensure that the wrong person does not get access to that data? So we have a responsible AI framework which allows you to only access the data that you could recover. So example, if you are not allowed to read that document in a recovery process, remember it's inside a backup. You shouldn't be allowed to query that data. And it builds a very sophisticated kind of recovery. Sorry, responsibility, security, privileges. So both the first part of the question, which is how does Hallucination offer and how does you ensure that there's security to the data that comes back, is very much a key part to what we call a responsible AI framework for Gaia.

Brian McCullough (19:21)

Final question. Let's talk about IPOs. The industry's really sort of busy right now. Like Rubrik is public and there's been hints that 2026 is a realistic window for you all to possibly go public. But I've read you also said that you believe that if you did go public, you'd want a valuation comparable to Rubrik, which is around 15 to 17 billion dollars. Why do you believe Cohesity deserves Rubrik level or better in terms of public market valuation?

Sanjay Poonen (19:53)

Listen, first off, in IPO is a milestone, it's not a destination. I've been officer of a public company eight years at VMware, eight years at SAP, did many, many earnings calls. So for us, it's not the destination, it's an important milestone of an independent company and do it when it's right. But we've got very good numbers, right? We're number one in market share. I think Rubrik is number six in market share. And our size and profitability and combination of growth and profitability is one of the best in the industry. So at the right point in time, the markets, aided by analysts and so on, will value that. We think we have a sense of what that valuation is, but we're not fixated on that. We're just basically right now building a great company that goes, we can see eyesight to 2 billion in revenue. That's kind of in our near term future, like it could come soon. And then we want to create a 5 billion revenue company which has never been done in this space. And as you do that. And the valuation will be with the valuations. Yes, the benchmarks of both. In our space, two companies are public. Rubric and Commbold give a benchmark to our bankers and others to say, hey, you know, this should be for a company that's bigger and has got good. Rule of 40 business evaluation, you've got two benchmarks. I think whenever you have public companies in space, they just serve as benchmarks for a comparison. And then, you know, if you're bigger, you should hopefully get better metrics than a smaller company. And both Rubrik and Commod I think are number five and Number six in market share were number one. And market share is measured by size and revenue and so on. So we'll let the valuation perspective talk. But you know, when that's, when that's ready for us. Right now we're very focused on customers and partners. I mean to me it was very important, you know, to get this combination together and get new investors like Nvidia. Having Nvidia invest in cohesive is more important than ipo. Okay, because like for me, having the influence of Nvidia, now we've got not just great venture investors like in Sequoia, SoftBank, Carlyle Valley and so on, but we've got incredible corporate investors. We've got Nvidia, we've got Amazon aws, we've got Google, we've got Cisco, we've got IBM. Five really good tech investors who are collaborating with us to ensure we're successful. That to me is very important. And then along the way those customers investors want return on their money too. They will find the right time when that's doable. And I think that we're building a long lasting company with incredible. I mean like my focus is really on employees. First to ensure employees are engaged, building great innovation, especially product innovation because I'm a product guide heart. And then second focus is customers, really customer obsession. And along the way I've done this at SAP, I've done this in VMware. There comes a good time to potentially do an entry to the capital markets. We'll do it when the, when the time is right.

Katie Drummond (22:42)

What the hell is going on right now and why is it happening like this? At Wired, we're obsessed with getting to the bottom of those questions on a daily basis. And maybe you are too. I'm Katie Drummond, the global Editorial director of Wired and I'm hosting our new podcast series, the Big Interview. Each week I'll sit down with some of the most interesting, provocative and influential people who are shaping our right now. Big Interview conversations are fun.

Sanjay Poonen (23:09)

I want a shark that, that eats.

Katie Drummond (23:10)

The Internet, that turns it all off, unfiltered and unafraid. So in a lot of ways I.

Brian McCullough (23:15)

Try to be an antidote to the.

Sanjay Poonen (23:17)

Unimaginable faucet of reactionary content that you see online.

Katie Drummond (23:21)

To the best of my ability, every week we're going to offer you the ultimate luxury of our times. Meaning and context. True or false. You, Brian Johnson, the man sitting across from me. One day, at some point, as of yet undefined in the future, you will die. False. Tell me more. Listen to the big interview right now in the same place you find WIRED's Uncanny Valley podcast. Subscribe or follow wherever you get your podcasts.