Everyone, thank you for joining us today. Welcome to our webcast focused on Elastic Security Business. My name is Anthony Luscri. I'm the Vice President of Investor Relations at Elastic. Today, I'm joined by Santosh Krishnan, General Manager of Security Solutions at Elastic, who will discuss our security offering, differentiation, go-to-market, and we'll conclude with a short product demonstration. We'll then be joined by Tyler Hopperton, Director of Managed Security Services at AHEAD, a partner of Elastic, and Koji Ikeda, Senior Analyst, Enterprise Software at BofA Securities, who will moderate the discussion. We will then conclude with a Q&A session. Please send your questions to Koji at koji.ikeda@bofa.com or via your Bloomberg terminal. Before we begin, let me cover our brief safe harbor statement.
Our discussion may contain forward-looking statements and involve risks and uncertainties, which include, but are not limited to, statements regarding our features and solutions, the expected strength, performance, and benefits of features and solutions, and innovation regarding our features and solutions. These forward-looking statements are subject to risks and uncertainties that could cause the actual results to differ materially, and we disclaim any obligation to update such statements unless required by law. For additional information, please see the risk factors in our SEC filings. Now, for those of you potentially not familiar with Elastic, Elastic, the Search AI company, is used by tens of thousands of customers, including more than 50% of the Fortune 500. The Elastic Search AI Platform combines the power of search with AI to help companies get real-time answers, solve real-time business problems, and achieve better outcomes.
We focus on three solutions built on the Elastic Search AI Platform: observability, security, and search. That allows customers to realize value quickly with ease of use and compelling features in those areas, all built on a single stack, which in turn drives technology advantages across each of these solutions. Now, it's important to note that we do not sell separate products or multiple SKUs. What we do sell is the extensible technology stack or the Elastic Search AI Platform that can be used by customers for a wide variety of use cases. We expose purpose-built features via our solutions that drive out-of-the-box capabilities to address the specific needs of practitioners that are focused on search, observability, and security use cases. It's also important to note that we have focused on being wherever the customer needs us to be.
So of course, the platform can be deployed anywhere, whether it's on cloud or whether it's on-premise or via managed service via one of our cloud partners. Now, finally, today's call will be focused solely on our security solution, which is slightly greater than 25% of our total business. Now, with that, I'll turn it over to Santosh Krishnan, who is the General Manager for Elastic Security Solution. Santosh joined Elastic through the acquisition of Cmd in 2021, a cloud infrastructure security startup, where he served as CEO. Santosh?
Thanks, Anthony. Getting into our security solution, our objective or mission in Elastic Security is to bring the power of search and AI to large datasets in order to modernize the Security Operations Center. That's, in one line, what we do over here. In terms of the functions that we cover, it definitely covers threat protection, investigation, and response. To be a little bit more specific, in regards to what it entails, we are in the business of collecting data from as wide an attack surface as possible, so ingesting data at scale, storing the data in a very economical fashion using hierarchical storage technologies, but at the same time, keeping it searchable so that we can run real-time detection rules on it, as well as keep the data available for investigative purposes.
And last, but not the least, from that platform, our goal is also to orchestrate response and close the loop. So that, in a nutshell, is why we exist as Elastic Security. To give you a little bit of a context on where we participate in the security space and where we have been, it's important to look at the evolution of the SIEM use case itself. So SIEM is our primary use case, as a lot of you know. If you look at the evolution of the SIEM, the SIEM 1.0, call it legacy, since it came about in the 2000s, and largely speaking, these were operational systems. So these were systems where you would centralize all your logs, you would essentially run your compliance workbooks through it.
You would, of course, use it for some amount of investigations and so on, but it was still quite separate from the detection and response systems and so on. So it was largely for visibility purposes, ticketing purposes, assigning triage responsibilities to InfoSec team members and such. So that's sort of the birth of the SIEM, what we call 1.0. Elastic did not participate in this. In fact, Elastic didn't exist as a company at that time. We participated squarely in the next evolution of the SIEM, call it more the analytical SIEM, and this is when people started expecting things like, threat detections, investigative workflows, orchestrating response, features like UEBA. So application of analytics on the data in order to render all those functions.
Of course, those operational features which were required for case management and ticket management, and all of those also came for the ride as well, meaning those were subsumed into that second generation of SIEMs. Now, interestingly, we introduced our product into market in 2019. So prior to 2019, we were not participants in a direct way inside of security. However, the community as a whole, people were actually building SIEM-like systems on top of Elastic's ELK Stack, and that's what prompted the company to get into that. So largely speaking, we have been beneficiaries of that first evolution of the SIEM, from an operational to more an analytical SIEM, and we have been beneficiaries of that replacement cycle so far, and that's really what has been driving our growth to a large extent from 2019 to today.
Now, an important thing to note: when we first introduced the product, we were largely augmenting existing SIEMs. So existing legacy SIEMs, as well as some of the newer players at that time. We were augmenting them to provide those analytics functions on top of the data which was collected. And there were some features and functionality that, of course, as with any new product, we were not ready with at that time. Over time, over the next couple of years, we actually added all those features. So we added features in terms of out-of-box detections, integrations, entity analytics, orchestrating a response, and also made our feature set richer by the introduction of new query languages. In fact, some of you have probably heard about our ES|QL query language, which really surpasses most of the query languages out there for a SIEM.
So by adding all of that feature functionality, we essentially transitioned away from augmenting an existing SIEM system to actually replacing them, and that's what has been driving our growth over the last couple of years now. Now, the interesting part is that our view is that we are at the beginning of the next evolution of SIEM, which is why SIEM seems to be a little bit sexy again at this point. And that part of the evolution really is to bring to bear AI-driven technologies in order to automate still largely manual processes in the SOC. I'll actually go a little bit more into what those manual pain points are in the SOC today, despite the availability of second generation and analytical SIEMs.
While we were, let us call it, late entrants into the SIEM market in the past, we are leading the charge in the evolution to that AI-driven future. We call it AI-driven security analytics. Maybe the word SIEM itself might go away. We will see what we call, what Gartner calls it in the future, and so on. The idea over here is not just AI assistance. Every company in the world is going to have AI assistance. What we are talking about over here is really to embed AI in practically every workflow that you associate with a SIEM. Some of those we have already introduced to market. We were the first in market with our AI assistant in security. And of course, it's one of the best still in the market today.
But since that time, we have also introduced a lot of AI features which are embedded into the workflow of the SIEM. So that's where we are leading the charge. So while we benefited from the legacy displacement cycle, we are leading the charge in the next evolution of the SIEM, and that's really, let us call it a summary of how we participate in the market today. So when we look at our product portfolio, in a nutshell, while we look at it as a holistic platform where we collect data, render detections, provide investigative workflows, and orchestrate response, SIEM is still our majority use case. So most of our customers start their journey with security analytics and SIEM with us.
The idea over there, of course, is you can bring all your data as opposed to very specific, you know, endpoint data and cloud data and so on. You actually can bring all your data, and we provide all the functions which I alluded to. As an option, we also provide extended protection for endpoint and cloud. The goal over here is not to offer point products for endpoint security or cloud security, but think of it as an attachment to the security analytics platform. In fact, we don't compete in an isolated fashion on endpoint security and cloud security, but the customers who actually choose us for security analytics and SIEM, they end up using our contextual investigations, our extended detections, and our response orchestrations in order to provide extended protections for endpoint and cloud as well.
In most of those cases, customers actually keep their existing EDR systems and their cloud systems in place, so there's no new tool to be added. But then they pipe all of that data into our security analytics system itself so that we can make this, you know, this XDR thing a reality in some sense. Now, at the end of the day, we also have our own agent. That's another option as well. So think of it as we start our customer journey with security analytics, where we bring in all the data, and as an option, we essentially provide extended contextual protections for endpoint and cloud.
And some of our customers also, in the end, end up deploying our own agents so that we can actually provide the full solution in terms of EDR, as well. So I did want to clarify that aspect because you will see us participate in many use cases, but at the end of the day, we are a true platform. It's not a portfolio of point products, and that platform is really an AI-driven security analytics platform. Now, so that's where we are today. A brief note, we also have this team inside of my organization called Elastic Security Labs. It is your typical research and response team. They keep abreast of all the latest threats. We do a lot of first-party research as well.
I urge you to go to our Elastic Security Labs webpage, and you will see a lot of the newest threat findings from that team over there as well. Now, a little bit about the vision. So I talked about this next evolution of the SIEM. Look at what we might call the Pyramid of Pain in InfoSec. If you look at all of those functions, starting with the function of ingesting the data itself: how do you bring all of that data into a security analytics system? Most systems, like ours as well, cover, let us say, 90% of ingest with out-of-box connectors. But there is still that 10% of data that you need to bring in, which might be custom data, which might be very specific to your organization.
That does lead to a lot of friction in adopting that security analytics solution. So you start from ingesting data. Same story on detection rules. We actually provide the 90th percentile of rules out of the box, but then an organization might be interested in that last 10%. So you do have to do rule authoring and such. You have to create your own rule book as an organization. That's also manual effort. And from there, of course, investigations. All of you have heard about alert fatigue. Frankly speaking, I'm fatigued hearing about alert fatigue, because, you know, you write more rules and you see more of these signals popping up on your screen, what to do about them. There is a lot of manual processes involved over there as well.
And of course, to get a consolidated risk posture of your entire IT infrastructure and orchestrate response, there are a lot of manual processes in all of these, even in the second generation systems that we have today. Our vision for the future, and some of it we have already introduced to market, is really to bring to bear the power of AI on that same large dataset in order to reduce the need for all of those manual processes. So for example, at RSA, we introduced this thing called Attack Discovery. And the idea behind Attack Discovery is not to focus on logs, but how those logs all coalesce into an attack pattern. So we essentially show you the end-to-end attack pattern so that your infosec analysts don't have to worry about the thousands of alerts which do get generated every day as a...
Let us call it that, their highest priority. We are working on other similar innovations. Very soon you will see us introduce automations on how to generate a pipeline for that custom data pain, which I mentioned. You can already use our AI assistant in order to author rules. So I, I mentioned this query language called ES|QL. You can author ES|QL rules. You can talk to our assistant in natural language, so that takes the pain away, the manual pain away, in actually creation of the rule book itself. And then looking more towards the future, we are also working on automation, on how to use AI to create run books, how to orchestrate those responses and such. So if you notice, what I'm talking about over here is not an assistant. It's not just about an AI assistant.
Practically every company in the world is going to have an AI assistant. Our goal is to actually embed AI in the workflow of the SIEM, every one of these functions. We are, I wanna say, a good portion of the way already there. Many of these functions are in technical preview right now, so it is not generally available. But we have been launching these capabilities at a constant clip since the beginning of this year. One of them, so this is just a - this is just to highlight the latest one, is this thing called Attack Discovery. If you think about the previous generation of security systems, we took raw logs, we applied analytics on it, we applied machine learning on it in order to give you, let us call it, interesting events, and we alerted you on it.
So we essentially took logs, converted that into alerts. This takes it to the next level, where we are essentially taking hundreds, thousands of alerts. We are vectorizing all of those alerts using Elastic's platform, using the vector database, which is inside of the Elastic platform itself. So really bringing the power of search and RAG together in order to paint you the picture of a potential attack in progress. The idea over here being, we don't want infosec analysts to be worried about all the alerts which are in progress, but only on the most relevant attacks that demand their attention. And this is what we launched recently. I want to say this is probably one of our best received launches ever in Elastic Security.
When we showed that at RSA, we had everybody from partners to competitors at our booth the entire time. This is one of those capabilities that we are extremely, extremely proud of, and it's really exciting times for security as a whole. A short note on our go-to-market. Suffice it to say, based on everything that I have said, our sales team lands with SIEM. SIEM is the primary use case that they actually focus on. A little bit of how we actually operationalize our sales. We still use a general sales model, because at the end of the day, Elastic is a platform that actions data across multiple use cases. We do mirror that in our sales organization.
So our sales team is a general sales team, but we do have an overlay team of security specialists that accompany those generalists as well. So that's really how we operationalize our sales model for security. And their primary purpose in security is to land with SIEM. Much like we land with logs in observability, we land with SIEM in security. The expansion from there to extended protections for endpoint and cloud, for example, that's all product-led growth. We actually don't have our sales team go and sell and bake off endpoint on its own and cloud on its own. It's really all product-led growth. It's really our security analytics and SIEM customers who start trying out all these extended features that we have in product, and a good portion of them convert.
At the end of the day, we see that more as a consumption of the Elastic Security analytics platform, not necessarily as a, "I have some adoption of endpoint and some adoption of cloud," and so on. So for us, it's really consumption of that entire analytics platform. That ties in with how we price things as well. So our pricing today is not based on use case. It remains. So our pricing today is still based on consumption of the Elastic platform itself. That actually works out for us, because there is no special license that is necessary either to adopt any of our solutions or use cases within our solution. So when customers use more and more of these use cases, we see that as an increment in the consumption of the Elastic platform.
So that continues to be our model over there. I'll sort of end the prepared part of this with some core differentiators, because this comes up quite a bit. So in this evolution, how is Elastic placed? I mean, at the end of the day, our core differentiator is the Elastic Search AI Platform. This was the reason for us to enter the market. That remains our core differentiator as well. Now, when you tease that apart, in reality, our differentiator remains how we handle data at scale. Now, there are a couple aspects to it. One of them is, how can we retain data for large periods of time without breaking the bank? So you might have heard about technologies like Searchable Snapshots, which are available as part of Elasticsearch.
It is that technology which allows us to store data, keep it searchable, so these are all index data, so that you can use it for your detection, you can use it for your ad hoc investigations, but keep it in an economical fashion. That's one part of data at scale. The other part of it is a technology called Cross Cluster Search, and this allows us to have hybrid deployments. So we essentially have Elasticsearch clusters next to where the data is initiated, as opposed to centralizing and backhauling all of that data into one place, because that would then be associated with a lot of data transfer costs and latencies and so on. So we like to keep data locality using technologies like Cross Cluster Search.
At the end of the day, how we cover that widest attack surface without the need for rehydrating data from data lakes and archival storage and so on and so forth, it's all out of the box. Our system takes care of that. That's one of the key reasons why customers choose us. At the end of the day, since we keep it searchable, is the speed. So if you talk to most of our customers, it's the speed at which you can interact with this data, interact with the detections, fire off ad hoc queries, and get results in record time. So that speed is, it comes because of the indexing architecture of Elasticsearch itself in the platform.
Last but not the least, and more recently, it is the combination of search and RAG that we provide in our GenAI stack that really provides that accuracy which is required for all of those AI-driven automations which I mentioned. The accuracy and the hyper relevance, those are our core differentiators. Now, of course, there are feature-level differentiators that we do have. I mean, I talked about Attack Discovery, I talked about our AI Assistant being first to market in security. All of those are feature-level differentiators, so to speak, but our core differentiators remain in the platform itself. Just to show some of these things in action, let me actually show you how, you know, Attack Discovery brings all of these things together. That's sort of a good, let us say, example of the kind of things where my team has been spending our R&D dollars.
Hello, everyone. My name is James Spiteri. I'm a product manager at Elastic, and I focus on our security solution. Today, I have the absolute pleasure to be able to introduce our latest addition to Elastic Security, which is a feature we're calling Attack Discovery. This is designed to be able to help security operations teams of any shape and size to triage and investigate alerts really, really quickly, thanks to generative AI. So let's go ahead and dive right in. What you're seeing on my screen right now is the current alerts view within Elastic Security. So this is typically where, as part of your daily security operations, you would go in to see what alerts would have triggered within your environment.
These are alerts either that we, as Elastic, have provided as part of Elastic Security, thanks to our security labs team, or perhaps any alerts you might have crafted yourselves through our custom rule concepts. It's a slow day today, still. Like, there's still 30 alerts, right? Which isn't a significant number, but it's still not a relatively small one either. Where do I even start? This is a challenge that security analysts and teams face every single day. That's normal. And again, I only have 30 alerts today. It's very common that you have a lot more than this. This is where Attack Discovery comes in, right? Instead of having to go through all of these, I'm just gonna go pivot to this new Attack Discovery tab.
You can see here, it's a nice, very simple interface because we've tried to make this as simple as possible. I think you've got 30 alerts that are gonna be analyzed. This is, like I said, using generative AI, so we do need our large language model hooked up, which, you can see, I've picked my large language model up here. This is an advantage of Elastic: we allow you to bring whatever model you prefer. Of course, we are the search AI platform, so we're gonna be doing a ton of things under the hood, leveraging all the power of Elastic to make sure you get the best and most accurate results as well. All you have to do after you select the best model is hit the Generate button.
This may take some time because, again, as a large language model, it's still gonna have quite a bit of data to churn through to give you these results. So, I'll pause the video right here and then come back as soon as these results are generated, and we'll go through them together. Okay, so we've got our results back. I'll take a look at this now. At the top, we have a nice summary of what happened. We had our 30 alerts, and they were broken down for us into four discoveries, which means these are four active things happening within my environment, which I'm definitely going to want to look into. And what Attack Discovery has done is, not only has it told me there's four discoveries, it's given me as much detail about them as possible.
So just really quickly glancing over them, if I just collapse all of these here, you can see there's pretty much something happening on each of the hosts we have here, and it's given a nice title to these discoveries, depending on what's going on. So anywhere from a malware attack on macOS to a ransomware attack, to a malware attack by a malicious Office document. So it's trying to make that title a bit descriptive of what it's discovered. I probably won't go through each and every one of them here, but let's just start with this first discovery, and take a look at this content. Attack Discovery, remember, went through all the alerts, identified these attacks, and correlated any behavior, so it's then easy for me to understand in one go. So we have a very nice, very quick summary here, which describes the entities involved.
In this case, we have this particular host and this user. You can see there's interactions for all of these as well. So I can open the existing host and alerts flyouts you might already be used to. So that's all something you have at the tip of your fingers. But let's take a look at this. So let's take a look at the summary first. There are multiple alerts indicating a potential malware attack on this macOS host, involving suspicious processes, credential phishing attempts, and execution of untrusted code. The attack appears to be multi-stage and targets an elevated user account. So immediately I know, okay, this is definitely a discovery that I should be interested in. But then take a look at the details.
So there were multiple instances of a suspicious process name, which is MyGoApplication.app. They had these characteristics. The process was launched by the parent process launchd. The process failed code signature validation, indicating it may be malicious, and then the process attempted to execute this command. Then a process named osascript was detected attempting to display a fake system dialog to potentially phish for user credentials, and it gives me the command line as well. A suspicious file was then created with, you know, full permissions and then executed with these arguments, potentially attempting to access the user's login keychain. So perfect, right? What more could I want than this? We also have a really great visualization indicating the MITRE ATT&CK tactics over here. We can see the alerts which were involved, so we don't hide those from you.
If you wanted to pivot to the alerts view, to the alerts that were involved in this discovery, you can. So we highlight all of this here, and you get the same alerts experience you're already used to within Elastic Security. And we also take it a step further for you. So, you know, typically during an investigation, the actual investigation part is half the job. We then have to start reporting on it. So we've tried to make this really easy for you, too. So, with a couple of clicks, we can go to this Take action menu and say we want to create a new case with this discovery. So we can add to a new case. You can see we automatically populated the name there as well as the description. Let's just change the severity.
That's the only thing I'm gonna change, and then create the case. That's it. Now, if we actually take a look at the case, we not only have the name and the description, but we get all of that richly formatted data that was in the discovery, and we get all the alerts attached that were included as well. So now it couldn't be easier for me to just continue this investigation, bring in other members of the team, so on and so forth. I didn't have to spend the time doing all of this. Very similarly, we've made it really easy for you to continue to ask questions about this. So perhaps you might want to say, "Okay, fantastic discovery. How do I potentially remediate it?" Well, let's send this discovery to our assistant. So I can simply click on the View in AI Assistant button.
You can see we get a new chat with the discovery name. We also get the actual content from the discovery, and now I can simply ask the question about it. So like, you know, how would I remediate this, for example? And then the assistant is gonna do its thing and give us a really nice answer there as well. And by the way, all the privacy features you might already be used to with the assistant are all available within Attack Discovery, with things like anonymization and field selection. You still have full control over that. So we've put in a lot of hard work to make sure that, you know, your privacy is taken into consideration.
Like I said in the beginning, you have the choice of models to use here as well, so we haven't taken that away from you. Now you can see the assistant gave me these really nice steps to potentially remediate this. I could continue the conversation if I want. I could also go ahead and add this to the case that we just created, right? Why not? Let's go ahead and do that. Now we have the remediation steps as part of the case. So we've really tried at every step to give you as much help as possible, thanks to Attack Discovery and the AI assistant. I hope you're as excited as we are. We feel this is a really revolutionary bit of technology that's now available to all users of Elastic Security, and we're only just getting started. That's all I have time for today. Please visit our website for more information, or perhaps go ahead and start the cloud trial, and I will see you next time.
Awesome. Thank you very much, Santosh and James, for the informative discussion as well as the demo. We're gonna transition this to a more interactive session now. This is a discussion with our partner, Tyler Hopperton, at AHEAD, and will be moderated by Koji Ikeda at BofA Securities. Koji, please go ahead. And by the way, please send your questions to Koji at koji.ikeda@bofa.com or via the Bloomberg terminal. Thanks.
Yep. Thanks, Anthony. Thanks, everybody, for joining here. Tyler, thank you so much for doing this. Santosh, thanks for your presentation. Super informative. I learned a lot, so thank you so much for doing that. Tyler, so I've got a couple questions for you. I've also fielded some questions from investors already, so lots of different areas to go. But just... Let's just start from a big-picture perspective and, to give the investors some, you know, some guidelines for the next 30 minutes here, I'm gonna ask Tyler some questions for about 15 minutes, and then, you know, I want to ask Santosh and Tyler some questions that I fielded from the investors out there and dig in a little bit more.
So, to kick it off, Tyler, just, you know, from a big-picture perspective, what is your role and responsibilities at AHEAD? And maybe tell us a little bit about AHEAD, to get us, you know, a little bit more knowledgeable about who we're speaking with here.
Yeah, definitely. So, Tyler Hopperton, director of managed security services here at AHEAD. I am responsible for ensuring, you know, people, process, technology that we use to deliver managed security services for our clients, are the best they can be for them, and that we're ultimately delivering a quality service to them 24/7, 365.
Got it. Got it. And, you know, you're a partner, and you're a customer of Elastic. So maybe talk a little bit about what that journey in becoming a customer was, and maybe some of the challenges that you had with some of the other vendors that you may have used in the past, and how Elastic helped solve those pains for you?
Yeah, definitely. So, since starting at AHEAD, and the managed security practice about 5.5 years ago, my focus has been building enterprise-grade security solutions for our clients that we deliver 24/7, 365. The cyber threat landscape, as we just heard, is constantly evolving, and while everyone was on board with digital transformation with IT and business, it seems, you know, from our perspective, security operations was being left out or being left behind. So we wanted to build a managed security service that would allow us, and by extension, all of our clients, to keep up with those threats at the speed at which business is now needing to operate to stay competitive. And we needed a platform that could support that. When I started, we didn't have that. It became my mission to define how we get there and then ultimately execute on that vision, which is where we ultimately settled on Elastic.
Yep. No, no, that makes sense. Thank you for that. And you touched upon it a little bit, but just wanted to, you know, dig into it because I think the partner aspect here is very interesting. And so what does Elastic help you do to drive, you know, certain outcomes for your businesses and ultimately generate business for AHEAD?
Excuse me. Yeah, I mean, since that move and, yeah, everything we've talked about and everything we just heard from Santosh, we have seen nothing short of drastic improvements in really every metric that we track from, you know, typical security metrics and, you know, coming to the business side and when we're talking at a managed services. You know, the security side, we've seen a 73% reduction in time it takes to investigate those security alerts that are being detected, along with a 92% automated resolution rate of those alerts, which really allows our team to focus on what truly matters, by cutting through a lot of that noise.
You know, end result, we're delivering an average of 6.9 minutes mean time to respond to our clients, which is doing well for the industry and the managed security and general security response space. Yeah, again, flipping to the business side, all of that, you know, easily translates, and we see it in customer satisfaction survey scores, to client satisfaction, as well as employee satisfaction and retention. Again, by eliminating a lot of that noise, focusing on what matters, what's important, Elastic is directly helping us reduce and eliminate, a lot of times, analyst burnout, which is a problem, again, not only just for cybersecurity internally, but especially in the managed security space.
Yeah. Yeah, I know. I wanted to dig into that comment a little bit. You just mentioned 6.9 minutes for the mean time to response. You know, help us frame what that means. What's kinda like the best-in-class mean time to response? And sometimes I'm sure you've seen customers come in, and you're like, "Oh, my gosh, I can't believe this is your, you know, MTTR." I mean, like, well, what does 6.9 mean in the context of the security world?
Yeah. So, you know, 6.9 mean time to respond, so by the time, you know, we and Elastic are detecting a potential security threat, our team, leveraging Elastic and all its power, is going from we know about a potential threat. We've now investigated all aspects of that. We have that clear picture of what's truly going on, and we know what steps need to be taken in order to properly remediate that, and then close it out and actually take those actions. So 6.9 minutes to go from, "We have a problem," to, "We can go back to sleep at night."
Got it. Got it. I wanted to ask you if you could walk us through, you know, some customer examples. Of course, don't, don't name the customers unless you absolutely want to. But just, you know, how are your customers thinking about using SIEM from Elastic? And maybe, maybe share a little bit with us of how it's being applied today and, and the value proposition, right, from Elastic. What is generally the most powerful things that are coming out of the Elastic offering as you're implementing the solution at your customers that is really resonating out there?
Yeah. I'd say our biggest, you know, overall theme with Elastic, we've positioned it with our service to be both the heart and brain of everything we deliver out of our managed security service. Every piece of data generated by our clients with security context, as Santosh mentioned, from audit logs, network traffic visibility, user authentications, you know, jumping to vulnerability data, threat intelligence indicators, all of that's ingested, correlated together to make one platform for us and our clients to be able to quickly answer really any question they could ask about their security operations and posture.
Thank you for that. So within software, one of the themes that we think about is, you know, time to value, ease of implementation. Is this thing gonna be a painful two-year process? Is it gonna be, you know, can I set it up in the next five minutes? You know, walk us through with Elastic. I think it would be helpful for the investors on the call to understand, specifically with the security side, you know, how easy is Elastic to set up? I mean, is it generally easy to set up in most instances? Are there certain instances where it could be a little bit harder? And when you are speaking with your customers out there, you know, how are they telling you or, or describing to you how fast, you know, they're seeing that value come through the Elastic solution?
Yeah, and that's one of our bigger decision criteria as we were evaluating potential options and moving away from our legacy platform: how easy it is to stand up, manage, maintain, keep it running, keep it functioning on a day-to-day basis. We ultimately... You know, the big decision on Elastic was, it checks all of those boxes for us. We can easily and centrally deploy new clients, new Elastic clusters, manage them, monitor them, maintain them, all, you know, in an AHEAD self-service manner. You know, we have great relationships with Elastic as a partner, and we've jointly worked on, you know, new features, new ways to help us be even more efficient. And that's, you know, the end result: we've got a lot of high-level automations really at all layers from, you know, day zero, day one deployment to, again, the operations, the aspects I touched on earlier. All of that leads to, again, very fast time to value for our clients, which ultimately is time to security.
Tyler, you know, got an inbound here, and I was thinking about this too. So, you know, you mentioned a couple times that you did have a different offering before Elastic. Could you... You know, you don't have to tell us the name of the vendor unless you want to, but or maybe help frame, you know, what was that type of vendor? Was it a super old legacy security vendor? Was it, you know, more next generation? You know, was it an open source solution that you created, that you were selling? I mean, what did it look like? And maybe what was the trigger, you know, for you guys to reach out into the market and say, "Hey, maybe Elastic could be this differentiated solution for us"?
Yeah. So, you know, that platform we did have was AlienVault, AT&T Cybersecurity at the time. And it was, you know, very much in that, you know, in that model. We were looking at that legacy SIEM, trying to get to those, you know, security analytics use cases. We found, you know, great for... It's, I mean, designed and worked well with, you know, small, you know, some medium-sized clients. With our focus on, again, speed, scale, you know, everything we just talked about, and being able to deliver enterprise-grade security services, ingest any type of data source a client may want to have, the AlienVault platform really wasn't able to be as flexible or as efficient as we needed it to be.
You know, or just on the speed side, a query that takes Elastic, you know, on the order of seconds to return data in an active security investigation took, at best case, minutes with the AlienVault tool set. And that really wasn't acceptable to us or our clients, when every second really matters in a security investigation.
Yep. Yep. Yep. And so, you know, maybe the natural follow-up there is, you know, as you tried to get off this AlienVault and look for, you know, a new solution out there, I mean, you could just go to Google and type in SIEM and a lot of vendors show up. And so, you know, what specifically from the partner lens is so attractive about Elastic? Its offering, maybe it's, you know, pricing model, the brand. Whatever it may be, you know, there is something else there that helped drive that decision to pick up Elastic, and maybe help us walk through that.
Yeah. So it's both for us. You know, Elastic as a platform and Elastic as a partner. You know, both great to work with. We're, you know, a very firm believer in Elastic's, you know, open and transparent approach to security. And, you know, everyone benefits if one organization benefits from a security perspective. So it's, you know, as defenders, we're always going to be at a disadvantage compared to the attackers. But Elastic's approach in the security space means everything they're doing and by extension, now we're partners, everything we're doing helps raise that collective bar for cybersecurity, you know, across the entire market.
Yep. Yep.
Uh-
I'm sorry, go ahead. Sorry about that.
Yeah, and then again, on the, you know, the, the business side, the practical side, again, platform tool sets, capabilities, they were the best out of everyone we've evaluated. Again, the, the flexibility, the openness was big for us, but just out of the box, you know, plug it in and hit go, was already above what we were looking at in terms of evaluations as well.
Got it. I'm gonna ask you two more questions, and then we're gonna, you know, kind of segue into investor Q&A that we fielded over, you know, the past 24 hours. And for the investors on the call, if you have questions, you know, please feel free to ping me on Bloomberg, and we'll work in your questions from there. So, okay, so last two questions for you here, Tyler. Before that Q&A session, you know, we just saw a pretty interesting demo, you know, that YouTube video for the Attack Discovery, and Santosh was talking about it too. You know, I am by no means a security expert. I mean, it looked pretty cool to me, but a lot of it flew over my, you know, my bald head here. It's just like: what, what, what is it about that Attack Discovery functionality, you know, that excites you about it? You know, are you looking into it as a potential offering for your clients?
Yes. Short answer, definitely yes. We're always looking for new ways to bring, you know, value to our clients. When we're talking managed security, value means quicker, more accurate time to detection, and taking the appropriate and measured response to those cyber threats. So, you know, Attack Discovery is allowing our teams to more efficiently link together, you know, dozens, hundreds, thousands of alerts into a cohesive story that enables, you know, our team to understand what's going on and paint a picture for our clients, so everyone knows what's going on for a potential security threat and what we need to do to properly remediate that.
Yeah. Yeah. Okay. Last question for you. Actually, no, I do, I do have a follow-up for you here on Attack Discovery. You know, it seems very exciting. Are customers looking for this tool? Meaning, "Hey, hey, you know, hey, Tyler, can this happen today?" Or are you presenting or do you, do you foresee, as you talk about Attack Discovery, you know, clients will be like, "Oh, I can't believe, you know, this could be done today. That's super exciting." Or, or is the end market already yearning for something like this today?
I would say they're both yearning, and are pleasantly surprised that this exists with, you know, our service powered by Elastic. So, you know, we're having a lot of conversations with clients. You know, we have a lot of alerts, and we don't know if they're related, how they relate to each other. We need help. And what Attack Discovery does is, again, help paint that picture of, you know, turning alerts into discoveries, turning it into that story. So you're not just looking at, you know, 10 alerts, and you have to sort out whether they're related or whether it's, you know, 10 unique alerts that you have to sift through. They're asking, and we're delivering now with Elastic, that ability to say, "These are related. This is what you need to be looking at." We solve, you know, one problem, and all of these alerts kind of fall into place.
Okay. Okay. I think this is a good, good time here to segue into kind of the investor Q&A, and I have some Q&A for you, too. And these questions are for both Santosh and Tyler. You know, I'll, I'll let you know which, which one it is for or if it's for both of you. And so I do think the big picture question here, Tyler, you know, from the partner perspective is, you've been doing this for a long time. You know, from your seat, you've seen the ecosystem and the competition from Elastic, you know, kind of evolve here within security and, and broadly, you know, within observability too. And now, now there's some consolidation in the space, but other vendors out there are talking about, you know, expanding their product portfolios. You know, frankly, from my seat, it sure seems like a lot of people could do a lot of things, and a lot of companies have, you know, gone this way and that way. So what, what does that look like to you from your seat, and how has that maybe changed the demand environment?
I can take that, Koji.
Okay, sure, sure.
So, I think what happened probably maybe nine, 12 months ago or so, is that SIEM definitely has become sexy again, as you can see. And a lot of that has got to do with the fact that, in some sense, we are working towards SIEM 3.0. It's sort of the time for the next evolution of the SIEM. So analytical SIEMs are already expected from a modern system. Now we are going towards an age of what I myself call, this is a private opinion, insightful SIEMs, right? So together with that, it is natural, I think, to see a lot of the legacy vendors consolidating and some new leaders emerging.
And we do count ourselves as leading the charge in this next evolution of the SIEM, and there probably will be some others coming from the startup ecosystem and so on as well. So I think the inflection point for that evolution definitely was the emergence of GenAI, and that's what has probably made SIEM a little bit sexy again.
Yeah.
So, and that goes towards a lot of the M&A and consolidation and so on, which we are seeing.
Yeah. No, no, that makes sense. Maybe a question here, for Tyler or Santosh. You know, typically... And maybe this is a better question for Tyler. You know, when you're landing with your customers with, with SIEM and expanding to, to endpoint and cloud security, you know, can you talk a little bit about that process? What does that cross-sell conversation talk, you know, sound like? And where do you potentially get pushback from your customers as you try and expand out to these other adjacent categories?
Yeah. I'd say, and it's, you know, as Santosh mentioned in his presentation, the biggest, you know, benefit, the biggest, you know, easiest conversation to help make is, you know, consolidated view into one platform. The, you know, Elastic is deployed. It's, you know, a flip of a switch, and we now have native endpoint protection, native cloud security protection in place, you know, in a day, overnight, where, you know, we're talking, you know, if someone wants to switch from, you know, one EDR vendor to another, it's, you know, how do I plan out, you know, migration of 50,000 devices and do all that tuning again? It just becomes a chore. And with Elastic and our service, we're able to say, "We can do this tomorrow. We're deployed, we're ready." And so it's, you know, time to value is, kind of, the biggest, you know, reason we're seeing of why, you know, a client comes in with SIEM, and we're able to expand into the endpoint and cloud space.
Yeah. Yeah. Maybe a couple of technical, inbound questions here and, and, you know, kind of a good follow-up here on the endpoint. Maybe a good question for Santosh or Tyler. You know, does, does Elastic plan on introducing any third-party, bi-directional integrations for EDR? You know, right now it seems like it's, it's Elastic EDR only, but are those integrations already here or are they coming?
There are ways, by the way, to do bi-directional integrations with Elastic already today. Because if you think about it, we sort of offer the platform as a whole with APIs. So using webhook APIs and various other methods, one can, like, for example, MSSPs, for example, can actually build some of those bi-directional integrations anyway. But to answer your specific question, we have also embarked on building some of those bi-directional integrations and offering them out of the box ourselves. And that's a key part of the extended protections use case, which I mentioned. So you start with SIEM, we add contextual investigations coming from data coming from, say, SentinelOne, CrowdStrike, so on and so forth, and then we can orchestrate response with that bi-directional integration. So that's in plan.
Got it. Got it. Another technical question. I think this one will be for Santosh, but again, Tyler, if you have any thoughts, you know, please, please chime in. So historically, you know, it does seem like Elastic may not have been as competitive in enterprise SIEM, because of some of the, you know, scalability questions on ingest or index, maybe in the way that data was partitioned. You know, is that, is that historically accurate, and what has changed, if, if anything? Because it does seem like, you know, earlier in your commentary, you talked about the core differentiators, you know, data at scale, speed, hyper relevance. I mean, are these some of the things... themes there that helped you overcome prior challenges, if, if that was historically accurate? And, are those three core differentiators helping you, you know, with these kind of big deals that you've been talking about?
Yeah, no, the interesting thing is, actually, from our point of view, those were not the things that were holding us back on the enterprise displacement. So historically, when you look at the Elasticsearch platform, scale and speed at which we action data has been our bread and butter. That's been what we have been doing across the board for other use cases as well. If I were to hazard a guess on, you know, what has taken the ramp in some sense, it's really on the feature side. So when you look at our products, say, circa 2019, we were providing a lot of ad hoc analytics out of the box, but we were not providing as many, say, out-of-the-box integrations, out-of-the-box detection rules, and perhaps the most important, the query language.
So when you looked at, say, Splunk versus Elastic in 2019, Splunk had this thing called SPL. We did not have an equivalent query language for attaining that functionality. So, but with the release of this thing called ES|QL, which we released to market last year, we have leapfrogged pretty much everybody in the market on that. So it is really the filling in of all the feature functionality and out-of-the-box features that you would expect from a SIEM that has allowed us to do a lot of the large enterprise displacements. The scale part of it was already there. In fact, that was the reason for us to exist in the beginning itself.
Got it. Okay, couple more questions for me. I know we're running up on time here. So question for Tyler and Santosh. Please, answer in your own ways. Okay, so Tyler, from a partner perspective, when you are winning new business for Elastic and there's a displacement there, some legacy tool, you know, what are your customers telling you, the reasons why? Is it a cost to performance type win, you know, or are there some varied types of unique capabilities or pain points or use cases that have come up that the legacy tool, you know, maybe can't address and Elastic can? I mean, you know, help us understand, you know, kind of why your customers are going with Elastic today. And the same question for Santosh, you know, we'd love to hear your view, too.
Yeah. Yeah, I'd say, the biggest ones we run into, are, and we touched on them, the, you know, previous tool, whatever they have, isn't able to keep up, both from, you know, speed, just general searching. It's, it's difficult or it's not able to do it, you know, fast enough, efficiently enough to... It's, you know, not... it's not easy to work with. It's, we have to have, you know, three dedicated engineers just to keep the thing from, you know, crashing or just keep it operational. Those are probably the biggest pieces. And then, you know, on the positive side, when we're doing and talking the capabilities Elastic has and how Elastic makes it easy, and, you know, AHEAD as the managed security partner...
Makes it even easier to consume everything Elastic has to offer, and everything AHEAD is able to add on top of that. You know, when they see that coupled with, you know, and I don't have to have all this headache of, you know, maintaining the platform myself, it's, you know, typically a no-brainer when we're talking to clients as those are the major reasons we're seeing. Yeah.
Yeah, I definitely resonate with that as well. A lot of times, there are architectural capabilities that masquerade as cost-to-performance reasons. So speed, in some sense, that's an enabler. I mean, and of course, doing that in an economical fashion is where we shine. You can throw a lot of dollars at perhaps some other solutions, so that's sort of the cost part of it. But speaking about the, let us call it, the architectural capabilities, support for hybrid environments is another thing that people do appreciate us for. Like, in a lot of our large public sector deals, for example, it's really the cross-cluster search, where you can keep data local, but still be able to action that data from one SIEM platform.
So that, that kind of a hybrid deployment across on-prem and various cloud environments, that does, that does resonate as well. And last but not least, in some sense, the ability... Let us call it data management. The ability to store long, you know, long retention data without having to worry about managing archival storage and rehydrating and all of those things that you might have to do with other platforms. We just take care of that out of the box. We have customers, for example, storing for 13 months because, you know, that's their compliance window and, and so on. That comes out of the box without breaking the bank. So a lot of these look like cost-performance, but when you dig beneath the surface, these are all architectural capabilities.
Yep, yep. Okay, a couple more questions here. Question for you, Tyler, specifically. You know, when you're talking with your customers and you're selling Elastic SIEM into them and the broader security offering, you know, are you seeing it's mostly new budget, or is it shifting budget? And, you know, when it is shifting budget, where is that budget coming from? You know, is it a specific type of use case that may be less important? Is it, you know, a kind of profile of vendor that might be less important? I mean, you know, shifting of budget, I think, is the theme here that we wanna go with. New budget we get. Shifting of budget, most important here.
Yeah. And I'd say, most of the conversations now, it is a shifting of budget conversation. A lot of that is, you know, we have a tool, we have a team today that is responsible for upkeep of that tool. It's costing us way more money than we're comfortable spending in relation to the value that we're getting out of this, 'cause just because you have the people to manage it, you still need the people, you know, from an architecture standpoint, they don't necessarily have the people doing that threat research and making sure detections are staying up to date, they're staying relevant to the organization. And then, you know, the actual operations of it, of when an alert fires, who's gonna look at it, who's gonna understand if it's something actionable or not? So typically, we're seeing, you know, if they're doing some or attempting all of those aspects today in-house with current toolsets and resources, it's more cost efficient, and they get better results coming to organizations like ourselves or AHEAD that have partnered with Elastic.
Got it. In the last, last minute here, big picture question, first to Santosh, same question, Tyler. You know, Santosh, what gets you, you know, what is the most exciting aspect for you of the security strategy for Elastic over the next 12 months? And then, Tyler, same question to you. You know, what is most exciting that you see coming out of Elastic over the next 12 months?
For me, the answer is simple. By far, it is the ability to convert manual processes to automation and enable all, all our customers and partners. That's what wakes me up in the morning. The product you will see, say, one year from now compared to even today, you will see the benefits of all of these automations that GenAI brings to us. That excites me the most.
Got it. Same question for you, Tyler.
Yeah. I'd say in addition to that, it's being able to do really whatever you can think of doing with Elastic. It's an open platform. We can throw anything we want at it, and as long as we have, you know, creative imagination, we can answer the question: How can we make this security relevant to our clients? And Elastic, you know, as a platform and partner, is, is never gonna say, "No, we weren't built for that. We can't do that." It's they're gonna jump in, and we're gonna find a way to make, you know, get that value to our clients.
Got it.
Yep.
Thank you. Thank you, Santosh and Tyler. Anthony, back over to you to close up this awesome webinar. Thank you guys so much.
Great. Thank you, Koji, for hosting, and thank you, Tyler and Santosh, for your insights. And thank you all for tuning in. That concludes our webcast. If you have any additional questions, please direct them to the Elastic Investor Relations team at ir.elastic.co, and we hope you have a great day.