An Interview With dope.security Founder and CEO Kunal Agarwal

A discussion about re-imagining the Secure Web Gateway (SWG) with fly direct, building an authentic brand, and the future of dope.security.

A Secure Web Gateway (SWG) isn’t the place most people would go when looking to build a breakthrough cybersecurity product. That is, unless you’re deeply experienced in this space and know the opportunities others have missed.

Enter Kunal Agarwal, the founder and CEO of dope.security. He and the team at dope.security are re-imagining the SWG using a “fly direct” model built for today’s remote-first, cloud-based world.

I spoke with Kunal before their recent Series A announcement. We covered several topics, including:

  • The making of dope.security: How the experiences gained from a decade at large cybersecurity product companies led to dope.security.
  • The tech behind fly direct: Why the fly direct architecture is a breakthrough for SWG.
  • Cybersecurity marketing, but make it dope: An approach to marketing that’s both authentic and clear.
  • The future of dope.security: Where all of this is headed for the company and our industry.

Note: This interview has been lightly edited for clarity.



The making of dope.security

Cole Grolmus: Your background is super relevant to the dope.security story. You worked for Symantec and Forcepoint, two large product companies, both in the SWG product domain and adjacent domains in their product portfolio. I definitely would like to hear about the connection between what you learned there and the reasons you decided to start dope.security.

Kunal Agarwal: My background has always been in hacking since a very young age. After university, I moved to Symantec, and then to Forcepoint for almost 10 years between the two companies. I started out as an engineer and then moved into product management.

Moving from a large cybersecurity company into a startup is unusual, right? I didn't really have any specific need to do that. But really, what made this whole thing come together? It was the day to day customer experience. You cannot imagine the amount of people that would be complaining on a regular basis about Forcepoint's web proxy capability. The same thing happened at Symantec. Every single day.

Rehan Jalil, the CEO of a company called Securiti.ai, came in and said, "If you were not going to do some random big company, what would you do?" And I was like, this is the most mainstream problem that exists today. Every single company out there has this issue because they all use a capability like this. And we can fix it. Because right now, there's an architectural change. There's a terrible user experience. I mean, this is ripe for disruption. Rehan said, "That sounds great Kunal. Go do it!"

It's a scary thought, right? But this whole company has been born from the experience of that, and just kind of making changes and saying, "hey, maybe we could do it better ourselves."

Cole Grolmus: I definitely think that's the best way to do it — being well grounded in experience and knowing what you're getting into. And having the expertise to actually be able to do it is something that's really important.

Kunal Agarwal: I work a lot with musicians. There are two types of musicians. There's career musicians that are gonna go in, and that's their life and blood, and they're gonna crush it. And then there are tourist musicians who happen to have a decent voice that go into a studio, record a voice and do one single. Which one are you? Are you the person that's going to be in this day in and day out, no matter if we were making a living or not making a living?

That is what the people in dope.security are. We are so passionate about this. We want to make it good. We're not just people that stumble into this just because we want a stint and tour around saying, "Oh, how in cybersecurity today?" These are people that have done this for their whole lives.

It's not saying that you have to be a hacker to be able to do this stuff and that you have to do black hat hacking like myself to do this. But you should have the energy. This is something I really, really, really enjoy doing. And I would not be doing anything else but this. That is the underscore of dope.security.


The tech behind fly direct

Cole Grolmus: Can you talk about the serious advantages of fly direct as compared to the old SWG architecture? To me, that's the clear benefit of what's going on here and something that's radically different from a tech perspective.

Kunal Agarwal: It's like taking a flight. If you're flying from Minneapolis to San Francisco, would you stop over in New York? No. That's the answer.

When every single person who's at a company accesses the internet today, they stop over. You access the internet, it goes to a data center, and from there, it's processed, decrypted. And then it goes to its destination, which could be anything from YouTube, to Gmail, to Office 365, to pretty much anything on the internet.

The fly direct architecture is: why stop over if you could fly direct? We actually implemented those capabilities into the device itself rather than in some remote data center.

There are a few big challenges we used to see with these stopover approaches which just don't exist with the fly direct approach. You have a huge reliability challenge when data centers are having a problem. Maybe your internet is getting blocked to that data center. It could just be a performance problem where it's slow and not working correctly. Or it could be a privacy problem where you're decrypting everything in a data center.

If you take those three together, it's a pretty awful experience. With fly direct, we make it a much better architecture, and then we wrap it in a beautiful user experience. That is the heart of what dope.security is.

Cole Grolmus: I suspect this is one of those things that sounds simple because you explained it in a really elegant way, but it's deceptively hard to execute.

If you're not thinking critically, you sit there and listen to the explanation you just gave and start to wonder things like: "Well, why hasn't this been done before? Oh, this can't be that hard to build. Why don't Forcepoint and others build this instead?"

Unpack that a little bit for me. What makes this actually hard to do?

Kunal Agarwal: Think about 20 years ago. You'd be sitting in an office, and in your office, there would be a back room with a mini data center in the closet. You'd have a proxy, a secure web gateway, and that SWG would take all the traffic from all the devices in the office and then only send it out if it's acceptable. So it's very close to the user.

When Zscaler, Symantec, Forcepoint, and all these other companies came about, they all said, "Well, what if we hosted that proxy for you so you didn't have to install it in everyone's environment?"

And then the evolution came where your laptop is actually moving in and out of the office. "So what if we give you some software agent that reroutes the internet, no matter where you are, to our data center for protection?"

If you think about it, it's a very big company mentality. It's, "Hey, we're not able to just fix the problem. We need to make a patch or an enhancement to the existing infrastructure to actually allow for people that are outside the office to be secure." It makes perfect sense, then 10 or 15 years later, it doesn't really make that much sense. It's 2023. These products were built in 2010 or 2011.

Cole Grolmus: From a technical perspective, what all of a sudden made it possible to build a SWG that works on-device?

Kunal Agarwal: The first part of it is the willpower. If you went back a couple of years ago when I raised the first round of funding, and you asked everyone, "Hey, what do you think of this?", probably 60 percent of people would say this is not possible. That is half of it: so many people out there think this is not possible.

What they don't realize is that our software is 50 to 100 megabytes of RAM max. My browser uses gigabytes. That's because it's doing tons and tons more processing than SSL decryption, re-encryption, and some regexes for security purposes — block this URL, inject this, that kind of stuff.

It's actually not just that so many people have said "no" and that's why it was never done. The architecture from the past was like a Titanic ship. It's going in a direction, and you can't shift it at all. You can't change it.

That's the genesis for dope.security: we're able to do something because we wanted to do it and we knew it was possible. So we built it.

Cole Grolmus: Among the people who were in the "this isn't possible" camp, did you ever get anybody to substantiate why it wasn't possible? Or, was it more of the overall inertia where people feel like a SWG is what it is and needs to be routed through some central proxy?

Kunal Agarwal: No. We quickly started to see that there was an old school mentality, which is like, "The CFO is gonna hate the name dope.security. It's too colloquial, etc." "Oh, and it'll never work on a device. It's not powerful enough and, and, and, and, and..."

Then, there's the shift to the new thinkers, the creative people that are thinking, "look, why isn't this possible?" At some point, people said that machine learning couldn't be done on an endpoint protection platform or EDR software on the device. These things are possible. They just have to be rethought.

And they can't be done by companies that have existed for 10 or 20 years, because they can't let go of all their existing investment and all the infrastructure around the world. You can't let go of that overnight. For them, there isn't even value in doing something like this.

In fact, we used to think about doing this at Symantec many times. Even one of our board members will always tell you they thought of it at Symantec, but it was not possible due to bureaucracy. There's too much infrastructure around what's being built. It's not possible to just go in and say, "take this out, build it from scratch, and make it modern."

Cole Grolmus: I want to make sure we don't lose a technical point that you touched on. I could definitely see technical skeptics saying, "Doing all of this client side is going to impact the performance on my clients. And I already have enough agents running on there, yada yada yada."

I'm sure you run into this objection at least once in a while. Talk about that a little bit. Is that problem even true? Or, how were you able to engineer this in a way that runs efficiently client-side?

Kunal Agarwal: Your viewpoint of practitioner versus enthusiast is completely in this spectrum here. A practitioner will quickly realize that "Hey, I already have an agent on my system. So I'm just replacing it with a nice, beautiful, natural one." You're not taking up more room on the block. You're just renovating the old house with a nice, new, beautiful house.

It's the enthusiast that gets confused, right? The person that heard at some point, "Oh, people don't like agents anymore" and this and that. Yeah, but you're not looking at it from a practitioner perspective, you're looking at it from an enthusiast perspective, where you're just reading about things.

It's like when you hear from people, "Yeah, and you can take all these things and it all works together and it's gonna be great, and that's the platform pitch, and we're all integrated together!" That's not the way the world works, unfortunately, and that I have always believed is missing from cybersecurity.

As a person in a company, whether you are an engineer, or a leader or The Supreme Leader, it doesn't matter. You must know how your capabilities and products work. I've worked with CEOs and vice presidents who have never even used their product. I've even worked with product managers who have never used their product before. They cannot set it up.

At dope.security, everyone, from your engineer, to your QA, to your marketing, to your sales person, have all used the product and they can show it to you right now.


Cybersecurity marketing, but make it dope

Cole Grolmus: What led you to call the company dope.security? It's a really unique name — maybe a turn-off for some people, and I'm sure other people love it. I think it's awesome. I was just curious how you decided on it.

Kunal Agarwal: The name has been in my head for years and years, all the way back to Symantec. I would be chatting with my bosses at the time and just saying this name. It was just a pipe dream at the time. It took something that you get really passionate about — not just something that works really well, but also something that can be a very successful business.

Ultimately, I want the reaction that you had when you went to the website and you're like, "damn, that website is dope." And I'm not saying this in a different way — this is exactly what we see from pretty much anyone in the company.

All of us look at something, we see it, we feel it and then we put our signature on it when it goes out there into the world. And we say, "that's dope because we stand behind it."

Cole Grolmus: The vibe of your marketing and brand is clearly a lot different than your plain old cybersecurity marketing site. I would even include a lot of the new marketing sites from other startups.

What gave you the confidence to be able to do that instead of being afraid it might turn a bunch of people off and work against you?

Kunal Agarwal: The first thing that people see when they see dope.security is think, "Oh dope, that's too crazy a word for us." We want people to like take one level deeper and ask, "why do they call it dope.security?" It's because this is a labor of love. The company, the product, all of us at the company.

The average age of the company is 40 or 50 years — we worked ages in big cybersecurity companies. We were the people that would probably get laid off because we were working really hard on a product that just wasn't the main line stuff. Products that were built on a direction by some executive who really didn't understand the product and had never even seen the product, never used the product.

That is why we call it dope.security. When you look at the website, the words are very, very specific. We do SSL inspection. We do URL categorization. We do cloud application control. We do this all from a cloud-based console.

It's very, very, very clear because that's what we wanted. We wanted those product requirements. We wanted those visions of the company. We wanted everything to be clear so we could go in and crush it, add our beauty, add our designs, add our passion and energy into the product.

Why is it dope.security? Because our vision is to give the customer, the person, the user, the viewer, a first class experience.


The future of dope.security

Cole Grolmus: Where is all of this going? You're starting with a SWG — that's something you knew really well. You have a lot of product management experience at senior levels and other domains. SWG just happens to be part of SASE, which is a very popular, big, and highly valued domain. You've got some room to maneuver here. What's the plan?

Kunal Agarwal: First off, Secure Web Gateway can directly replace any existing Secure Web Gateway that's out there. There are no ifs, ands, or buts — we will replace it.

The second part of that is enhancing it with what I consider as two parts of CASB. One is really making the shadow IT nature and the inline control nature come through in the product. Such as, for example, being able to actually identify all the personal emails that are being used in your organization and the content that's been uploaded to those Google Drives. That is not possible, very easily, today. It's extremely difficult to get up and running.

After the CASB part, there's also the API controls which says, "here's all the applications that have been connected into your GitHub, your Google, your 365," or "here's all the files that are externally shared, that have PII in them," that kind of stuff.

And last, but not least, is what we call private access. The grand finale, which is the private access, is ultimately a fly direct private access the same way we have a fly direct Secure Web Gateway.

If you FaceTime audio me right now, it'll connect from your phone to my phone, and then it's done. Data does not flow through Apple servers. Similarly, your endpoint can directly connect behind a firewall through NAT traversal to a connector, and we will have a fly direct capability on the private access at the same time.


Thank you to Shomik Ghosh and Boldstart Ventures for the introduction that made this interview possible.
