In a typical security team, engineers write one-off scripts to track a particular problem on a cloud vendor such as an unauthorized user on your GitHub account, and while engineers are capable of writing such scripts, it’s not exactly an efficient or scalable way to deal with the range of security problems these pros need to track.
Vectrix, a member of the Y Combinator Summer 2020 cohort started by three security veterans, wants to fix that problem. It has created a security marketplace where fellow security pros write modules to automate these kinds of fixes, and other security pros can take advantage without reinventing the script-writing wheel every time.
Alex Dunbrack, company co-founder and COO, says that he and fellow co-founders, CTO Matthew Lewis and CEO Corey Mahan saw this problem firsthand in their previous jobs at PlanGrid, Vimeo and Autodesk. So like many YC company founders, they decided to build a solution.
“It’s a marketplace of automated security tools that monitor tech and have response capabilities for any security issues that a company may have within their cloud vendors,” Dunbrack explained. He says this could be on GitHub, AWS, G Suite, potentially any cloud service.
The idea is to have security professionals build these modules, then give them a “royalty” and bragging rights for coming up with a viable solution. Dunbrack says it’s not unlike the HackerOne model, which provides a financial incentive and community recognition to find vulnerabilities in code.
Users don’t actually download anything. They simply select a module, enter their cloud service credentials and provide an output like Slack or Jira for any alerts the module generates.
The startup vets the modules and the developers before allowing them in the marketplace. While this is a manual process at the moment, he says they are working on bringing more automation to it. For now, for each person that wants to contribute modules, they do an interview, a reference check, employment background check and similar types of investigation.
Once they pass this, and the security pro writes the module, it has to pass further scrutiny. “We basically scope exactly what they’re going to build and the kinds of alerts that will come out of it. Then from there, we have an extremely templated logic scheme on the code side where they’re just writing the logic to go do the scan,” he said.
Module writers can’t see any user information on the service, and Vectrix makes sure there are no issues like outbound requests for data. Presently they have 10 modules with plans to add several more soon. While they are working on the pricing model, today customers pay a flat fee for access to the entire marketplace, rather than paying per module.
The company is currently just the three co-founders, but they hope to expand, and when they do they have already given a lot of thought about how to build a diverse and inclusive company. He says, for starters, they are not swayed by the Silicon Valley network effect.
“A lot of people will say ‘We simply want the best people,’ but our interpretation of the best people is really a collective of differing thoughts and experiences that really make someone’s perspective unique. That comes from diversity in the way that we see it, so in a lot of senses bringing the best people on is bringing the widest range of thinking processes, and that comes with diversity and being inclusive, and kind of taking all of those factors into account,” he said.
As for the YC experience, Dunbrack says he was mostly looking forward to learning from the network of companies that came before him, and he says that even virtually the company has succeeded in giving him that experience.
So far, the company has bootstrapped and used the money from Y Combinator, but it intends to do a fundraising round soon. “We’re cognizant of what we’re bringing to the industry and the value there. So bringing on strategic partners is really how we’re going to be approaching this,” he said.