Subscribe
Share
Share
Embed
In this episode of Inside the Network, we sit down with Sumit Dhawan, CEO of Proofpoint, one of the largest private cybersecurity companies in the world. With over $2 billion in ARR, Proofpoint protects 85 of the Fortune 100 and is on a bold path toward $5 billion in revenue by 2030.
Sumit’s journey is a masterclass in modern leadership. Having graduated with degrees in engineering and business from IIT Roorkee, the University of Minnesota, and the University of Florida, Sumit led major business lines at Citrix and VMware, including overseeing VMware’s $70 billion divestiture to Broadcom, before making the leap to cybersecurity. In 2023, he joined Proofpoint as CEO and began executing an ambitious strategy: consolidate the sprawl of human-centric security, go deep instead of broad, and prepare the company for its next chapter of growth.
In our conversation, Sumit shares why he believes empathy is the most underrated CEO trait, how acting like a founder, even inside large enterprises, shaped his leadership, and what it means to have “Apple Watch governance” under Thoma Bravo. He explains how Proofpoint has evolved from email security leader to a broader platform for human and data protection, including its acquisitions of Tessian (AI-native email protection), Hornetsecurity (MSP-focused email security), and Normalyze (DSPM).
Sumit also pulls back the curtain on the AI threat landscape, including how prompt injection attacks are already targeting copilots and agents, why AI is both supercharging attackers and empowering defenders, and how Proofpoint built intent-based detection models to defend against sophisticated zero-link phishing. Finally, he lays out three categories of viable cybersecurity startups today: gap-fillers, AI defenders, and category disruptors, and why the last two are more likely to be successful.
Whether you’re scaling a cyber startup, selling into the enterprise, or navigating PE-backed growth, this episode is full of hard-earned wisdom from a leader who’s operated at every level of the stack.
Creators and Guests
What is Inside the Network?
Welcome to the inside track of cybersecurity entrepreneurship. We bring you the best founders, operators, and investors building the future of cybersecurity.
Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk:I am Ross Haleliuk.
Mahendra Ramsinghani:And I am Mahendra Ramsinghani. We have spent decades building, investing, and researching cybersecurity companies.
Sid Trivedi:On this podcast, we invite you to join us inside the network where we bring the best founders, operators, and investors building the future of cyber.
Ross Haleliuk:We will talk about the hard parts of the founder journey, launching companies, getting to product market fit, raising capital, and scaling to an exit.
Mahendra Ramsinghani:And, yes, we will also be talking about epic failures.
Sid Trivedi:But, Mahendra, we're here to make the founder journey easier.
Mahendra Ramsinghani:That is correct, Sid.
Mahendra Ramsinghani:But we cannot make it too much easier because startups are hard, And, of course, you already knew that.
Ross Haleliuk:Alright. You too. And now, let's get started with this week's episode.
Mahendra Ramsinghani:Today, we're joined by Sumit Dhawan, CEO of Proofpoint. Sumit has spent his entire career at the intersection of infrastructure, cloud, and cybersecurity, holding leadership roles at companies like Citrix and VMware. Before taking the helm at Proofpoint, as president of VMware, he led the $70,000,000,000 divestiture to Broadcom. And along the way, he's built a reputation for being a leader who combines empathy, technical depth, and above all, a founder's mindset, acting like a owner no matter the role. In this episode, Sumit shares the pivotal lessons he learned scaling some of the world's most iconic companies and why empathy is the cornerstone of great leadership.
Mahendra Ramsinghani:Above all, how he's shaping Proofpoint to grow rapidly and tackle the evolving threats enterprises face today. This is a conversation full of hard earned insights you won't wanna miss.
Sid Trivedi:Welcome, Sumit, to Inside the Network.
Sumit Dhawan:Thank you for having me.
Sid Trivedi:So we're gonna talk about a whole bunch of different topics today, but we really wanna start by talking about your early days. You got multiple degrees in computer science and business. You're at IIT Roorkee, and then you're at University of Florida for your MBA. And you have a pretty impressive track record leading at some pretty large companies, Citrix and VMware in particular. Take us back to the beginning and what the journey of tech and leadership was like.
Sid Trivedi:Were there a few, you know, pivotal moments or lessons from those early days that shaped the way that you lead as a CEO today?
Sumit Dhawan:Great question. Thanks for having me again. Listen. I've been fortunate to to work at great companies under amazing CEOs and leaders who I've had a pleasure of learning from, observing, and they have mentored me whether it was the CEO at Citrix or the CEO of VMware. And, you know, my pivotal moments through all of those were different as I was growing up in my career.
Sumit Dhawan:Early in my career, the pivotal moment for me was to gain as strong of a background in doing multiple roles so that you can build empathy across functions. It does make you jack of all, you know, master of none, but still it gives you the background and foundation to actually then leave the company. And then later on as you start running more and more of business line leadership, I think a pivotal sort of learning I had was acting as a founder and the owner of the company regardless of the role you're in. And, and that gives you sort of this sense of ownership, which is very much needed as you step into, more and more senior leadership roles of running a company. At the end of the day, you know, you're accountable for thousands of employees that are working for you and the company that you're leading, and you're accountable for leading them and taking them to the best possible successful outcome that they all deserve.
Sumit Dhawan:So I think those were the two pivotal learnings for me in these great companies and amazing growth stories that both of these two companies, as you mentioned, have and the amazing leaders that they both had in in terms of their CEOs.
Sid Trivedi:Sumit, I'd love your thoughts also on just being an IIT alum. I mean, a lot has happened in terms of the importance of the, you know, the group of universities and how much of an impact they have had in terms of creating amazing CEOs. Did those early years at IIT influence you in some way?
Sumit Dhawan:Yeah. I think IIT is an amazing place, you know, and for any of the listeners here who have been to IIT or know people from IIT, it sort of creates this sense of ambition and aspiration. You sort of come to a place that has amazing group of students who have maybe done well in their own small communities or schools that they have grown up with, but then when they land into this place, they find that, you know, there there is is many many many more people with tons more acumen, ambition, you know. And and so that that is a that's just an a moment of humbling. So that was kind of a humbling exercise for me and built a sense of ambition for wanting to do more and and wanting to learn from both the people who were there as well as making sure that you can do more because you kinda see how more can be done by having all of this intellectual horsepower around you.
Ross Haleliuk:Sumit, after leading several large teams at, established enterprises, you joined the web app security startup, InStart, as a CEO. At the time, Instart was just over 100 people, at least that's however many I was able to find on the Internet, and the company was playing in a highly competitive, in a very fast moving space. You were able to restructure the business. You were able to drive growth and ultimately lead the company to an exit to Akamai. Talk to us about the experience and what it taught you about cybersecurity and the startup world given that you came from larger enterprise into this massive startup universe.
Sumit Dhawan:It's great learning. Okay. I think I came in, and, the company had this great unique technology that had been purposed into multiple product solution areas. And, and, unfortunately, what that led to was, very high spend because you're acquiring customers and solving the needs of these enterprise customers. And as we all know, when you're building a new business in the venture world and you're acquiring enterprise customers, these enterprise customers don't just buy the product as it stands today.
Sumit Dhawan:They just keep expecting a certain pace and certain set of capabilities to be built. And the company had stretched itself, even though there was a common technology platform, stretched itself for doing so in three different areas on top of the same technology platform. And so as a result, just the required rate of investment to keeping up with customer expectations, not to mention the spend that more these growth the growth companies have to have to acquiring new logos was so high that we had we had to focus. We had to restructure ourselves. That's sort of what I'm what I sort of mean by restructuring.
Sumit Dhawan:And so we focused out of those three problems into one problem, and we had to also almost let go of certain customers and revenue in other areas and then build the company up from there. And then once you build the company with one specific focus areas where you have a repeatability and a successful outcome of meeting these enterprise customers with needs of not just today, but in their future roadmap asks. Then we had enough of a momentum where we could find the right home for their technology and the people who are working on it to be something that was extremely complementary to Akamai's business. So that's what led to it. I mean, learning for me was essentially in a larger company, the importance of cash flow is a little less and you're looking at several other metrics.
Sumit Dhawan:You you you learn the importance of cash flows. And then when you have even a smaller group of employees who on an everyday is looking up to you to how they're gonna make, you know, their paycheck true or not next at the next paycheck, that sense of responsibility was something that I learned at InstART. I probably would not have been able to learn it without getting into that seat at InstART.
Mahendra Ramsinghani:And I think it would be fair to say, Sumit, that the the seeds of your cybersecurity journey probably were planted at the time when you are at InstART. Of course, you went back to VMware for, several years, this time four years. Prior to InStar, you spent five years at VMware in two very separate phases of VMware's journey. Know, You before we dive into Proofpoint and the world of cybersecurity, I want to spend a little time on those two phases at VMware. In the first phase of your career, you know, you're heading up the end user computing business as SVP.
Mahendra Ramsinghani:Everything is moving up into the right. In the second phase of your career, you come back. This time, you're leading the entire 10 plus billion dollar operation and, you know, getting the company ready to put it in the hands of Broadcom. Two very different phases of VMware. I mean, share with us some of the experiences in the growth phase and then back into the consolidation phase.
Sumit Dhawan:Yeah. Very well said, Mahindra. The first one was the growth phase. Both of them were transformation phases for VMware. One was one business to multi business and growth phase of diversifying the revenue and the portfolio by having more than one business unit.
Sumit Dhawan:This was the phase where the company went from just having predominantly a data center virtualization business to end user computing and network virtualization and even putting the early beginnings of the cloud business. Those were the business units that were set up. And once you set up up more than one business to multiple business units, there are several implications as you can imagine. So so so that was that phase. And then in the second phase was transformation towards cloud recurring revenue.
Sumit Dhawan:And, and then tail end of my tenure at VMware was obviously making sure that we execute on our plan for both transformation and what we had signed up to our investors and the board, as a standalone company while handling all of the various constituencies that required approvals globally from regulatory perspective and handling both of those and so that you can hand over the company to the new, you know, the new new spot. So so those are very, very different very different times and different roles that I had at the company.
Mahendra Ramsinghani:And, of course, you capped it off nicely with a $70,000,000,000 enterprise value as you transitioned out of VMware. Now being in the world of infrastructure, I'm sure you had a lot of options. The world is a much bigger playground, and you came to the world of cybersecurity. Help us understand how your decision making process went about.
Sumit Dhawan:You know, there were two areas I was kind of intrigued by as I made a decision to go do something different around the time of the acquisition getting completed. One was around the whole developer software. The other one was cyber In both cases, I saw the market structure kind of non sustaining in the state it was in. It was highly fragmented, very point product, and and I sort of felt like this doesn't seem like the right fit. So my thesis is in the future.
Sumit Dhawan:It just doesn't make any sense to let this sort of whole thing continue. And so those were my two primary areas of interest to join because I thought these are this is an industry that's gonna go through a transformation. So so then the the right player in those industries would be one that has incumbency, market leadership, and size. Okay. Once you have incumbency, market leadership, size, and of course, certain sort of differentiation in the underlying technology, that gives you an ability to participate in that next era of a market change.
Sumit Dhawan:Okay? And with the right leadership focus, at least you have a potential and a possibility to go go make that happen. And so looking at that as the backdrop, Proofpoint turned out to be one that I got excited about. The more I learned about it, I sort of saw a company that had huge, you know, market leadership in the space that it played in, which was, you know, email security and had the starting points of certain other areas the company was expanding to and the revenue was diversifying, differentiation from the competition. And there is no there's the the incorrect assessment from the public market that email security is gonna go away or will get sedimented into a network box or an or a platform provider.
Sumit Dhawan:And so once I sort of believed in that fundamental, then that led to a conclusion that, hey. Proofpoint can be a company that really takes helps drive this next era of cybersecurity. You can be a major player in it, and I got excited about leading it and making sure, you know, I participate in that.
Sid Trivedi:Sumit, you you talked a little bit about Proofpoint, so let's dive a little bit deeper. And you described just Proofpoint's commanding position in email security. For for our listeners, many of them will know this, but the company started in 02/2002, and it went public about ten years later. And then subsequently was taken private in 2021 for just over $12,000,000,000 by Thoma Bravo. It it had several leadership changes following that, and you ended up joining the company as the new CEO in in 2023, roughly about two years after Tom had taken the company private.
Sid Trivedi:I'm curious, like, what was the decision making behind joining the company that had gone through its, you know, amazing heydays, had had the complexity of a, you know, a private equity partner, and then had had multiple leadership changes already happen. How did you think about that? And you mentioned Proofpoint's ability to be very much on the top of email security. I a 100% agree with that. But I think, you know, you're a big Warriors fan, and Steve Kerr has said this multiple times that you can't stay on top forever.
Sid Trivedi:I'm sure that was running through your mind that is there you know, there's only one way to go when you're up on top, and that's down. There there's there's no way to go any higher than than number one. How So did you think about
Sumit Dhawan:It's a
Sid Trivedi:it's a
Sumit Dhawan:it's a great, great question. Listen, I think, when I was looking at it, I sort of didn't quite so there are a few questions in there. One was about the fact that, listen, you're a leader. Is there a scope to go any higher? It's one way one question.
Sumit Dhawan:The other question you asked was, is there a, was there a concern I had about just the last two CEOs leaving in the last two years. Okay? I think they to me, the former was easy. Okay? I I wasn't coming here to make Proofpoint an even bigger market share leader for email security.
Sumit Dhawan:That wasn't the goal. That wasn't the thesis. That wasn't the right strategy. It was to coming back to, hey. Cybersecurity has a sprawl.
Sumit Dhawan:There is going to be an architectural consolidation in cybersecurity. And I felt like there were sort of these detection and response technologies. There were networks consolidation happening through SASE, and some consolidation had to happen on the preventive part of cybersecurity. And that's largely become a human thing. It's humans that get attacked and humans that lose data.
Sumit Dhawan:And once I understood that there is a potential for that being something that Proofpoint can have a dominant position in, that's not saying that you're already at the top and you're only gonna potentially hard to go up. That's saying that there is a market that you can take on which is based on where you have strength in. Okay? So that's kinda sort of to me like, okay. Once you become really, really successful in the g league, now you get to play in the NBA.
Sumit Dhawan:Right? So to me, that's sort of how I saw it. Okay. Here is a here's an opportunity to take Proofpoint from G League where we are dominating, we're winning, to now sort of this team that takes on a bigger cybersecurity market. And, you know, listen, when we went private, we went private at at a revenue run rate of 1,200,000,000.0 annually.
Sumit Dhawan:We crossed more than 2,000,000,000 already, and and we are we are well on our way to be close to 2 and a half. And our aspiration is to be a $5,000,000,000 company by 2030. We call it five project five by '30 within Proofpoint. So so that was my frame of mind. So hopefully, that answers the first question.
Sumit Dhawan:Any questions on that before I answer your second one?
Sid Trivedi:No. I think you you put it very well, and we'll talk a little bit about where you expand in subsequent questions, but I think you put you put the framing very well.
Sumit Dhawan:Okay. And then the second question is, listen, the the leadership transitions and whatnot. My perspective is if you believe in the in the fundamentals on the market, if you believe in the fundamentals of aligning with the board and the investment thesis and the aspirations of the board in terms of what they see, then it's a leadership challenge for the CEO to come in and get that sorted out. And I didn't feel like I there is no CEO seat that comes in that says, hey, this is a beautiful ship. It's sort of sailing in the right direction.
Sumit Dhawan:And just come in and make sure that you put your headphones on and sit and do nothing. So to me, that was easy. That was there was no that wasn't a worry at all. It's something, okay. As long as we are aligned on what we wanna go do strategically and we have bold aspirations that's aligned with mine and listen, I had a dinner with the so my interview process was very straightforward.
Sumit Dhawan:We had a discussion on sort of what we wanted to do over a course of few days, you know, and then I said and they said, hey. We're ready to make a decision. I'm like, I'm surprised you are. If you are, I wanna meet for dinner. I met for dinner, both the chair and the lead board members, and I said, here's my plan.
Sumit Dhawan:Here's the aspirations, what I wanna do. Here's how I would do it. They looked at it and they're like, you're wrong on this, but you're right on everything else. I said, explain how I'm wrong. They explained it to me.
Sumit Dhawan:We debated it. They were right. I was wrong. I said, okay. You're right.
Sumit Dhawan:Let's move forward. We had the offer. I signed it. So to me, that's that that showed that there was an alignment with the board, and there was the speed of decision making, which I really liked, that made the decision easier.
Ross Haleliuk:That is a great story. And let's dive deeper into it, and let's talk a bit about the leadership challenges. So you've led business lines at large public companies like like VMware and then now at the private equity owned firm, what do you find different about running a PE backed company?
Sumit Dhawan:This was my first experience with private equity. So I I didn't know what I didn't know. And, you know, I sort of asked a few people in other leadership positions at private equity firms. And what I learned was, number one, I was getting very inconsistent answers, like, so different that I was like, okay. This doesn't quite add up.
Sumit Dhawan:Okay? So my first conclusion I drew when I was sort of comparing notes was there's nothing called working for a private equity as a as a consistent answer. Okay? There is probably some degree of consistency working for a public company. There's probably some degree of consistency working for a venture company, but there is no consistent answer across private equities.
Sumit Dhawan:That's the first thing I learned. In other words, every private equity company sponsor has a different model. Second thing I learned was which was after the fact, was that what really, really matters is no different than what matters in running a public company in a healthy fashion, which is focus on achieving the right business results with discipline. Okay? At the end of the day, the one thing that private equity does really, really well is having spot putting a spotlight on.
Sumit Dhawan:And this is more maybe about Thoma Bravo because I have no experience in any other private equity. So what I really, really liked working with at Proofpoint with Thoma Bravo, which was a strong positive surprise, was just a spotlight on on numbers in beat format, which is really onerous and painful for people in finance and people in business intelligence because the amount of work needed in producing all of that data is high. But I kind of jokingly compare Thoma Bravo as, like, Apple Watch. If any I don't own it. I don't like it, but I know who own it or people who own it.
Sumit Dhawan:You know how it buzzes you every now and then and tells you to stand up if you have been sitting for too long. Okay. Do you always stand up when it buzzes you? No. Okay.
Sumit Dhawan:But it's a good reminder every three times it buzzes you, you know, you maybe you stand up. So my bravo is no different. It'll show you all the metrics and make sure that you have a mirror right in front of you. Now there are always ugly spots that we can see when we have mirror in front of us. Do you always act on them?
Sumit Dhawan:Can you always act on them? You know, no. So that's the relationship we have. Okay? They would there is this healthy healthy discipline of looking at metrics.
Sumit Dhawan:There's a healthy discipline of them pushing me, nudging me, and us debating whether it makes sense for us to fix or what are the things that make sense for us to fix. But then they require and they lean on me and my leadership to make sure that we go sort of plan it and execute it. There is no playbooks. Okay? They don't tell me, here's our playbook.
Sumit Dhawan:Go pursue it. There is no target metrics. There is no none there's as much as it is for any kind of public company, you're operating in a certain growth. There's some rule of expectations. We are very similar.
Sumit Dhawan:And from governance perspective, given we are in much later stage with them, we are operating as if we are in the public company because that's what we aspire to go be as early as as we can. So so so that's kinda how I have learned of working with Thoma Bravo, and it's been quite positive. I know some teams get bothered by Apple Watch nudging you too much. But listen, as long as you can take it the right way and do what's right for you and your health or you and your business in this case, it's not a bad thing.
Mahendra Ramsinghani:So maybe you mentioned, you know, the word empathy early on in our program. And then as we were talking about Thoma Bravo and this notion of results and discipline, how do you look at the future in the go to market and growth areas. These are two broad areas where the numbers roll back in and Toma Bravo or your board is watching the growth. So when you think about go to market, you know, there are different tactics. There are different ways you can reach your customer.
Mahendra Ramsinghani:And we'd love to hear what has worked very well and how are you changing that.
Sumit Dhawan:Yeah. And I think at the end of the day, our our I can sort of say what we've done over the course of last two years, and that's the foundation of where we are headed on the go to market side. Proofpoint, you know, when one of the things we decided when I joined was we I felt like we had too many we had our sort of fingers into too many things. And if we wanted to go win, in the world of cyber, even though we agree that there is going to be fewer players, I didn't think in the world of cyber, good enough is gonna be good enough. Okay?
Sumit Dhawan:You need the depth of the solution as as long as you're serving it to enterprise. The depth of the solution that comes in the form of efficacy and many, many more things these days, you know, now there is more and more sort of, you know, AI in terms of how things like SOC power up, of course, integrations. So there are sort of several elements that go into building that depth of solution. And we had our fingers into maybe too many things because the world of cloud and mobile had opened up this large surface area of threats. And and and CSOs can sometimes lead you into too many things if you you're not careful.
Sumit Dhawan:Right? So we may we had made that mistake, too many acquisitions that were not connected together. So we focused. And by focusing what we were gonna do, we said we were gonna be the best at two things that people do. People collaborate with each other, and people deal with data.
Sumit Dhawan:Okay? And we are gonna build the best possible solution on collaboration security where email is part of it, but collaboration is happening now across multiple dimensions. People are collaborating through suppliers and third parties. There are risks that are happening because of internal people's accounts getting taken over in the service desk and whatnot. So there's a whole threat landscape due to digital collaboration.
Sumit Dhawan:And then there is a sort of data risk and compliance and and just information risk aspect because of people handling data. So we created expertise in those two details that overlay our account teams. And we sunset all the go to markets, and we sunset an end of life everything else. K? It wasn't done to cut costs.
Sumit Dhawan:Actually, we it led to achieving our growth targets and achieving our margin targets because we were able to focus. We actually doubled down in certain areas. Yes. Were we had we gotten fiscally in this not disciplined. Every company does.
Sumit Dhawan:Okay? It's just cycle that you sort of make some investments. Not every investment pans out. And as a leadership team, you have to make a decision to double down in the areas that pan out and take investments out of areas that didn't. You know, you are some of your venture guys, you you guys do that in the form of your portfolios.
Sumit Dhawan:In the in the world of corporate, we have to do that in in the form of our initiatives and businesses and the bets we place. And that's what we'd ended up doing. Okay? And by doing so, on the go to market and the solutions we would go, we built rich expertise and we doubled down on r and d in these areas. And, you know, I was really pleased to see at the beginning of the year whether it's Gartner Magic Quadrant market share and data security, which was a brand new space.
Sumit Dhawan:It's become a sizable part of the business. We took over market share leadership against Symantec and and any of the other DLP players. Now we have expanded into DSPM, and we integrated the first ones to have DSPM and DLP together at our upcoming protect conference. We're gonna expand that for agentic security as well that's related to data. So we feel like we are clearly the innovation leader, market leader there because of focus.
Sumit Dhawan:And we extended our email protection to a full range of threat protection solutions so that just an email security player can't just address the needs of today's threat protection requirements. Okay? And that's what happened through going deep in those two areas. And we really came out of everything else from go to market perspective.
Mahendra Ramsinghani:Thank you, Shubad. And, you know, speaking of AI and speaking of how you've been bolstering up your portfolio, there is a build versus buy strategy. How should we think about Proofpoint's role in building versus buying as you look at the future?
Sumit Dhawan:First of all, I'm very excited about the future. Okay? We didn't of course, I didn't expect that coming into the role. We sort of drew we put in our view, we put human in the middle and we said all aspects of human centric security is what we would sort of sediment into our platform, and we keep going deep into the areas I mentioned. And things have actually gone to some extent, I would even say, of plan in that dimension.
Sumit Dhawan:We, we are looking at two areas of now growth in terms of the future. One is this human centric security problem is now impacting every business of every size in every locale. That's not something that I saw even two years ago. Okay? I have not seen customers of really small size saying they need best in class security for phishing protection and supplier protection and SaaS security protection, things that they would have never brought up two years ago.
Sumit Dhawan:They are bringing it up now. So we expanded into we had an option, to answer your question, Mahendra, where we could have sort of built that. We actually had all the email security underpinnings, and we could have built this solution for micro businesses that are served through MSPs. In fact, we even had a product line. But we saw we didn't have a business.
Sumit Dhawan:You need a reach. You need a program. You need expertise to be able to deal with partners in a certain way. You need academies. You need communities.
Sumit Dhawan:So there is an aspect of this full value chain of everyone from from distributors to ecosystem to MSP providers and, of course, end users. And there's a whole sort of needs that come in for providing that solution when you're serving a brand new market segment. So we decided we were gonna play in that market segment through an acquisition of a market leader in that space, and we announced the acquisition of Hornet Security, and we're really, really excited and waiting to get that closed, hopefully, anytime soon. And then we continue our journey in having, you know, this human centric security now brought to every customer of every size. Okay?
Sumit Dhawan:That's that's our mission there. The second thing is we are quite excited about well, I shouldn't say the word excited because it's a pain for our customers even though this the the era of AI opens up a broad issue when digital assistants and copilots and agent agentic AI comes to shape. Last week, I hosted a special meeting with six CIOs only through the network. It was not with CSOs on purpose. And I was amazed to sort of hear from them how much and how fast and how much AI they're adopting and the pace at which their mandate is at this point in time to adopt AgenTic.
Sumit Dhawan:And and that when I when I showed them, listen, the human security problems extend to copilots and agents, they were like, we gotta solve them. Okay? Humans get socially engineered. Agents get prompt engineered. Humans lose data.
Sumit Dhawan:Agents lose data. Humans get credential fished. You know, agents get certificate fished. But at the end of the day, there is an intent of communication that's going to the agents. And if that's not if that's misunderstood, just like humans misunderstand the intent, if that's misunderstood by agents, that's vulnerability.
Sumit Dhawan:That's risk. So the good news is there is some things we can use from what we have. But there are many things, Mahendra, we don't know, and we are gonna be looking in the ecosystem to see what's complementary that fits into our extension of providing security for AI. Not AI security is gonna be big, but what fits in as a natural extension from humans to digital assistance to humans.
Sid Trivedi:You talked a little bit about the human factor and and AI risks. I'm curious. I mean, even in email, we are seeing a very different type of attack. I think of it as zero day phishing in that this is the first time when a when a, you know, individual, an employee gets an email that is a phishing attempt. Today, we are seeing, you know, these types of attacks where it's the first time that email ID has ever been used.
Sid Trivedi:It's a highly personalized email to that individual, and it doesn't have any links. It doesn't have any attachments. It's, you know, trying to get that individual to to communicate back and forth. There's a lot of different ways that attackers are leveraging the new, you know, kind of tooling that that has been built by some of these large foundation mall companies. I'm curious.
Sid Trivedi:Just in email security, how do you think about that at Proofpoint? How do you think about how do we fight this new type of AI attack?
Sumit Dhawan:Yeah. It's a it's a great one. I think, first of all, we weren't proud of it. But what happened with us after the advent of ChatGPT, and maybe it was not attributed to ChatGPT, even tools like Grammarly could do this. We saw, actually, for the first time, our drop in efficacy was noticeable.
Sumit Dhawan:We take pride in number of sort of things we miss versus number of things we block, and that's usually in 99.9 plus percent. That's how we measure. And these are advanced threats. These are not simple spam. It dropped below 97, and it was all attributed to a more sophisticated set of attacks that were more conversational and had an intent behind them that was malicious, yet the communication was fine.
Sumit Dhawan:So we we determined that semantic analysis is no longer sufficient. K? We've always had all kinds of models that are deep learning models that continue to enhance rapidly after you learn about a potential threat and you improve the semantics. But we ended up building then for the first time intent based models. Intent based models use language models.
Sumit Dhawan:Okay? So they are language models based models that at this point in time are defending and protecting our customers. And these models are detecting the intent of communication. And you can't rewrite a message. You can't as long as the intent is the same, our models will score them to be high risk and then you can, you know, you can do a bunch of things, quarantine to warn, etcetera etcetera.
Sumit Dhawan:And we and our efficacy has gone up back to 99.9 something percent. And so, you know, we feel like this is not gonna be the end of the race. There is a constant investment that we make in new model creation and threat research, and the two work closely together. And and we are seeing more sophistication, not less sophistication. We are seeing compromises across not just an attacker to an individual, but compromise to an individual's ecosystem of collaborators, and then regular communication starts before something nefarious comes in.
Sumit Dhawan:We see we are seeing, you know, channels of communications to be more than one, more than email, you know, sending through teams and whatnot. So so our threat protection now platform is expanding to cover this any to any protection, you know, where more than just an attacker to person, you're protecting all the ecosystem of an individual by building a communication graph and then checking any maliciousness or abnormality in that, as well as doing so across multiple communication channels. And I believe over a period of time, email security will become a feature of that kind of a system that protects from these future generation of attacks that are gonna be multidimensional.
Ross Haleliuk:Sumit, there are many conversations about how AI is changing the threat landscape, like what is happening, how it is enabling the defenders to offer better types of defenses. I'm curious, from your vantage point, you have thousands of customers. You're seeing the kind of things that most startups out there do not have the visibility into. What is like, what are you seeing, when it comes to AI? How is AI being used in the wild?
Ross Haleliuk:What are some of the novel attacks or attack methods? You mentioned some. I'm curious if there is if there is others that you haven't seen being talked about publicly. And what does the actual customer adoption look like?
Sumit Dhawan:Yeah. Firstly, I would say the even though it's very difficult to technically attribute every attack to generative technologies. We tried that first, we were like, what's it's we will only be wrong, and we can be wrong by several percentages. So we we sort of stopped that exercise. But what we see is clear patterns.
Sumit Dhawan:The volume of advanced threats have gone up significantly. It's a big, big jump that we are at this point of time seeing. Second, the places and the type of customers that are getting attacked is changed drastically. We are seeing attacks in Japan, Korea, Middle East. You know, where there is money but language had been a barrier, language is no longer a barrier.
Sumit Dhawan:Okay. Clearly, we know that attackers didn't go out and learn Japanese and Arabic. Know, they this is clearly the the generative technologies that are coming into play. And then what we are starting to see is attacks being made on Copilots. We're starting to see communications with white text in email that is nonhuman readable to build asymmetry in context between copilots and humans so that at some point in time, a prompt come can come into humans with asymmetry in context that leads to potential fraud or malware.
Sumit Dhawan:So we're starting to see those kinds of sophisticated attacks. We see them now in our systems. We're detecting these. And it's hard for us to what do you what do you do with those? Right?
Sumit Dhawan:So we are also in our engineering labs and working with customers figuring out how do you score them. Because it's it's it's got nothing in it. There's no link in it. There's nothing it's just got some white text, which you can clearly tell is text to train a model. It's language.
Sumit Dhawan:It's not like pixels. Okay? So there's clearly something that's intended to happen with the with that communication and is nonhuman readable. So those are the kinds of issues our threat research and our modelers are dealing with at this point of time. And, you know, this is the gross AI defending or competing against AI.
Sumit Dhawan:That's what's happening. And so in terms of adoption, the good news for our customers is, you know, at the end of the day, we take pride in 85 out of Fortune 100, and 30% of enterprise sort of email is secured by us. So at this point, this is global number. So to me, at this point in time, when we enable a new model, it gets activated for our customers within a matter of days. So we just roll it out with any rollout practices you would see in the cloud.
Sumit Dhawan:It's a very modern tech stack. It sort of gets enabled rapidly, which is both good and bad. It protects the customers, but many times the customers don't even know that they got additional protection. So sometimes we have to sort of keep telling them, no. No.
Sumit Dhawan:Trust us. We we added a bunch of these models that without us, you you would have probably seen bad stuff come in. So but that's what's happening. It's AI AI defending against AI every day in our labs today.
Sid Trivedi:Let's talk a little bit about kind of the changes in the email security landscape. I mean, certainly, Proofpoint and Mimecast have been the clear leaders, and Proofpoint well above Mimecast if you just look at pure numbers. And and both of you focused on the secure email gateway approach. And then we saw kind of the second generation of email security players and, you know, let's just highlight two of them, abnormal and material. And their focus was on this API based approach.
Sid Trivedi:Instead of, you know, using the secure email gateway, let's use API to, you know, provide the same level of capability but with a little less kind of emphasis on being in line. Now we're seeing kind of a net new generation of players. Many of them are stealth, which are kind of the AI native startups, the ones who are going to use AI agents instead of the traditional regex based model. I'm curious as you see kind of the the new generations play out, how do you think about changing where areas where you think Proofpoint should change its approach and areas where you wanna stick to the core secure email gateway approach that has allowed Proofpoint to be the significant leader that it has been for well over twenty years.
Sumit Dhawan:You know what we have learned? This is not an either or. It's a market segment issue. That's what we learned. Will there be customers that that'll go from one segment to the other?
Sumit Dhawan:Yes. But broadly speaking, this is a market segmentation aspect. If you look at all of our success, all of our market share, it is typically in larger enterprises. Let's call it 5,000 and above, you know, and maybe those numbers can change based on the geographies and what. And then so what we found out when we did an assessment of speaking with customers and just trying to understand what was happening was larger enterprises, they have teams.
Sumit Dhawan:You know, when they went to Office March, they didn't get rid of their teams that operate the infrastructure for protecting office. So they have the team, and they actually prefer a solution that does multistage defense of predelivery, post delivery, and click time. That's sort of how our system works, which is gateway is a foundation, which is predelivery. But we keep protecting all the way. There is a after the fact API that's built into it, but it it required a gateway.
Sumit Dhawan:But when we spoke with customers that were a little smaller, they said they have cyber teams. They have a CISO. But once they went to Office '3 65, they lost all the teams that managed, operated, and secured exchange. They didn't need them. Okay?
Sumit Dhawan:So there there was no one to operate a gateway. There's nothing wrong with the tech. Just no one could operate it. So there were too many knobs that someone had to make a decision on, and there was no one to make a decision on it. Okay?
Sumit Dhawan:So that's the fundamental issue. There's no other issue, really. So we said, okay. That makes sense. There's, like, this team that needs a set it and forget it and let the configurations as defined by their gateway in Office '3 65 play all the gateway centric things.
Sumit Dhawan:And after that, you clean up anything that comes in after the fact. So that's why we acquired a company called Tessian. We waited for that product to have exact same detection stack as our enterprise product. And that shipped in March, and we're seeing now great traction with that product in that segment that we didn't really play. Okay?
Sumit Dhawan:And that and we are not the I would not say we are the market leader in that segment. We are a challenger at this point in time, and and our team is challenging. Now we are in the market. We are competing with some of the names you mentioned, and we'll see how we fare. Okay?
Sumit Dhawan:It's we're proud of what we bring to the market in terms of efficacy and the quality of efficacy and now a product that integrates with Office three sixty five. And then this new generation of agentic agentic one, I think at the end of the day, there is a lot of models that are already very sophisticated in our solutions and and maybe even the second era solutions. I won't speak for them. But in our solution, these are as sophisticated as they get, and they're only getting better. We're gonna bring some agentic technologies on top, agents that can help end users, agents that help the SOC, and sort of it's our belief is unless you're going to micro customers who really don't want any technologies and they don't have any cyber team, purely providing an agentic solution, It's not just premature, but may not ever be desired.
Sumit Dhawan:We're gonna closely watch. Okay? We we have been wrong in the past. We may be wrong in the future, and we're not gonna hold a firm opinion on this. And we'll be nimble and agile as the customers respond, but we're gonna bring that agentic solutions here at our upcoming conference in September.
Sumit Dhawan:I encourage all the audience here to attend. It's called Proofpoint Protect, but we intend to bring those solutions as something all our customers will be able to avail day one.
Ross Haleliuk:Many of our listeners are founders or aspiring founders in cybersecurity who are maybe going through some ideation journeys. Maybe they're validating the the ideas that they would like to pursue. Given your experience building products at scale and now and also previously leading a startup, what advice would you give to cybersecurity entrepreneurs that are starting out today? Are there areas that they should focus on to avoid some well known pitfalls? Or maybe if they're looking to innovate in a domain with established giants, is there anything else they should be doing?
Sumit Dhawan:Yeah. I mean, I think there are gonna be three three types of startups in the cyber world. Unfortunately, the first one, which is a gap, a problem, and a solution that has tended to be the biggest volume of startups. Okay? I would say be very thoughtful and cautious in that space because you're talking about potentially, you know, the other two being more interesting that I'll go through.
Sumit Dhawan:Second is any aspect of securing AI. I feel like that is an area where enterprises are enterprise architectures are not established. So startups who have the ability to pivot faster and are able to sort of, you know, build solutions at maybe a higher velocity rate of velocity have possibly a leg up just in terms of how they find their wedges in terms of various issues that will exist. Okay? So I think that becomes probably a fairly good area for startups if you are investing in protecting AI.
Sumit Dhawan:I think it will have a very similar dynamic as cloud did for emerging, you know, the whole sort of security space that emerged from it. I think the last one is disruption, which is disrupting the incumbent architectures. You know, SOC, like x t disrupting XDR or disrupting SASE or disrupting Proofpoint, you know, major sort of stents. If you're really one that can take that on, it's not a bad area. You can obviously, a disruption is always a good thing for a startup.
Sumit Dhawan:Obviously, it's the highest risk but highest reward situation, which is what startups sort of tend to get optimized for mostly because of the investment framework from the venture capitalist. So I'd say those are the three broad categories. My only recommendation to the entrepreneurs would be that in the past, the first category was rewarded. It's hard. It's hard in the first category all the way from investors to potentially even at the end of the day, if you wanna be a be a part of a company, it's a little harder.
Sumit Dhawan:The other two just seem instinctively at this point of time, even though I'm not a venture capitalist, a better place is for for entrepreneur.
Mahendra Ramsinghani:Sumit, as we wrap up, you mentioned early on in our conversation today that your internal goal is five by 30, you know, getting to 5,000,000,000 in revenues by 02/1930. Clearly, a very ambitious goal. If you widen the aperture a little bit and look out into the next five years, what are some areas where you feel like large swathes of opportunity lie for a company like yours?
Sumit Dhawan:Honestly, I feel like it's not ambitious enough. But so I I think I think listen. But to answer your question, the markets we are in, we have established ourselves as technology leadership, market leadership, ability to execute and win customers, make them successful with our technology, make them fans of our products. And even in the markets we are in, if I look at just sustaining our growth rate and market and of course, growing our market share because we are growing much faster than the market, we think we, you know, we we have we have ways to to grow and go. K?
Sumit Dhawan:Secondly, I'd say the and that's the reason I say that is because, like I mentioned, we're a challenger in this mid enterprise space through the solution we launched. We've just opened up our sovereign solutions in India, Singapore, Middle East, Japan. These are just new markets. We haven't even we don't have any kind of market presence as we do in The US, for example. So there are sort of significant opportunity for us there.
Sumit Dhawan:Second, I think I see a natural adjacency and growth in the two areas I mentioned. In particular, in going into micro businesses and MSP, we have a we have a great start. Yesterday and day before, we had our top managed service providers hosted as an advisory council. I think they feel a lot of pain right now in terms of providing high security at high service levels through a standardized architecture, and we think we can be the one complementing their XDR solution as that's it. It's us and XDR that can possibly provide the foundation of all MSPs.
Sumit Dhawan:And then lastly, I think the world of digital assistance and agentic security, which is just a natural extension of human security, that's an area where we are setting up a we're calling it horizon three in the whole horizon one, horizon two, horizon three framework as an area of investment for us, and we are gonna invest that both organically and look at landscape of potential m and a opportunities. You know, we the the one thing on this five by 30 is one thing we can lose track of when you're just looking at it through the lens of numbers is who we are. And you sort of start diluting yourself and your focus into many things or little things that are not necessarily related to your mission and purpose at hand and your sort of right to play and right to win. So we have we have used that as a mechanism to define the scope along these three areas I mentioned. K?
Sumit Dhawan:Tons and tons of opportunity to grow by addressable market growth that's happening in the core markets. This MSP space and agentic security. Have you figured out answers in all of those three? No. But that's why I said it's 2030 and not 2025 or '26.
Mahendra Ramsinghani:Thank you, Sumit. Thank you. You know, your background coming from the world of infrastructure and having worked with companies like Citrix and VMware brings a very unique perspective to the world of cybersecurity. And most importantly for our audience, you laid out the three types of companies that founders should focus on, you know, filling gaps, securing AI, as well as disrupting incumbents. You know?
Mahendra Ramsinghani:I feel like this has been a very productive conversation for us today, and I sure hope that our audience will benefit from this. So thank you so much.
Sumit Dhawan:Yeah. Thank you for having me. And, the more the cyber ecosystem develops through the investments, the more we benefit. We obviously love to partner and acquire the technologies that get built. So any of the startup founders, do think about us, talk to us as you're thinking about your growth plans and potentially taking the technologies that you've built to the next heights.
Sumit Dhawan:Maybe we can help.
Sid Trivedi:Thank you for joining us inside the network.
Ross Haleliuk:If you like this episode, please leave us a review and share it with others.
Mahendra Ramsinghani:If you really, really liked it and you have some feedback for us, wrap it on a bottle of Yamazaki and send it to me first.
Sid Trivedi:No. Don't do that. Mahendra gets too many gifts already. Please reach out by email or LinkedIn.