Today, we’re excited to announce our investment in Pangea, a security platform for application builders that unites previously disparate and hard-to-integrate security services into a single developer experience. Much like how AWS and Twilio simplified compute and communications infrastructure with a Platform-as-a-Service model, Pangea unifies the fragmented set of cybersecurity functions that developers need through the creation of Security Platform-as-a-Service. Pangea provides a framework of security building blocks, delivered as API-based services, for developers to embed into their applications to get compliant apps to market faster. It integrates best-of-breed open source tools, proprietary data sources, and commercial offerings from leading vendors into easy-to-consume APIs and cloud services. Designed for app builders large and small, Pangea makes it possible for everyone to provide globally available cybersecurity services without having to become a cybersecurity expert.
The founder and CEO of Pangea, Oliver Friedrichs, has founded 4 successful cybersecurity companies including Phantom Cyber (acquired by Splunk), the category leader in security orchestration, automation, and response (SOAR). We asked him to share his vision for Pangea in our founder Q&A:
I grew up in a small town called Winnipeg, Manitoba, right above North Dakota in the middle of Canada where there is not much to do except farm the land. My dad was a stonemason, and my mother was a nurse. I was fortunate to grow up right when the personal computer was growing in popularity in the 1980s and my school had an Apple II which I could use in my free time. I learned how to program on it and eventually bought a Hayes 2400 modem - there was no “Internet” as we know it, but back then we could join remote BBS (bulletin board servers) which hosted online forums on almost every topic. I found a new online community of like-minded people that I would never have met in my hometown and it was my gateway to entrepreneurship in the tech world.
The early years of the internet had an exciting and vibrant hacking culture. If you could find the right online BBS and later, when the Internet emerged, IRC channel, you could find a lot of creative and devious ideas online and there were a lot of famous hackers that published their exploits. In my late teenage years, I became quite experienced with discovering networks and exploring them - so much so that at one point the Royal Canadian Mounted Police (the “Mounties”) came and talked to me when they caught me breaking into the University of Manitoba UNIX network. They told me I was either going to get arrested and get a criminal record, or I could join the team at the university to defend the network. Clearly things were a lot more forgiving back then, so I took the job and started my career in cybersecurity at age 19.
Q: You have been a several-time successful founder - what lessons have you learned along the way?
I like to remind founders that the early days of a startup feels like the wild west. It’s usually complete chaos, and you have to be comfortable with that. Some people feel they can use a formal product management approach to create a new company, but I’ve found that this doesn’t really work for an early stage startup trying to create an entirely new category. The difficulty is that even the customer doesn’t quite know what they want from you yet and it’s your job to educate them, work with them, learn from them, but also apply a lot of your own gut instinct. You need to be forward-thinking and be willing to move fast and iterate a lot; else, you are vulnerable to competition from incumbents that will likely see the same opportunity. I’ve started several cybersecurity companies and every time when there is a change in compute architecture (like cloud computing today), it creates an entirely new attack surface, new assets to protect, and new opportunities for startups that are willing to move faster than everyone else. I think every founder should also ask themselves if they have the best people in the world to attack a unique problem - we’ve always tried to bring together a diverse founding team in all of my companies and it’s been a key ingredient to our success.
Security isn’t the easiest thing to learn if you’re new to the space, and it’s only gotten more complex throughout my career. In our last company, Phantom, that I also co-founded with Sourabh Satish, we integrated dozens of open source and commercial security applications together for some of the largest and most sophisticated customers in the world. We did this by connecting to the APIs of hundreds of enterprise security products that customers had in order to orchestrate defensive playbooks and treat their environment as a single platform. After our acquisition by Splunk, we kept hearing from customers that a similar problem existed on the software development side. There was no “lingua franca” to unify security functions and no common interface for anyone to use as a starting point. We felt there was a huge pain point that could be solved uniquely by us to make security easy to build into any application.
The name Pangea is no accident - it was originally a supercontinent that tied together all of the landmasses on earth a few hundred million years ago. We’ve been inspired by what Amazon has done for computing, what Twilio has done for communications, and what Stripe has done for payments - nobody in cybersecurity has a similar ambition to us and we think the timing is right to give application builders a simple experience that doesn’t sacrifice flexibility, global availability, or depth. We want developers to be able to start small with us, and ultimately scale up to meet the demands of the largest web-scale companies.
The Security Platform-as-a-Service framework that we’re building at Pangea lets developers embed security functions into their applications - letting them log security events, manage export restrictions, handle personally identifiable information (PII), identify malicious files being shared, and block users from risky internet domains to name just a few. Services are offered just like Amazon Web Services, but with a focus on cybersecurity, where you can get every security function in one place. We plan on releasing several dozen API-based security services over the next 12 months.
After four previous cybersecurity companies, I can honestly say that this is both the biggest opportunity and the biggest challenge that I’ve had the chance to be a part of yet!
To hear more from Oliver, please listen to his episode of “Founders Helping Founders” on the Decibel podcast: