Yashin Manraj, CEO of Pvotal, redefines enterprise scalability and security by eliminating tech debt and building resilient systems for future innovation.
Yashin, to kick things off, could you share what inspired you to transition from a career in academia and engineering to founding Pvotal Technologies?
Growing up, I thought a lack of proper education was the root of many societal issues and inefficiencies.
Idealistically, I entered academia thinking I could become a professor who would nurture the issues leading to a wavering generation of talent, innovation, and development. Unfortunately, I quickly realized how some processes were limiting, stifling, and stuck in an antiquated age.
I could not build or address problems I saw in my niche field due to software issues, data breaches, the high cost of licensing fees for some critical tools, and the poor integration of tools. These issues led me to lose thousands of hours in frustration fixing technical problems rather than focusing on my growth, thesis, and research. The tools I used became a greater source of frustration than my research, constantly distracting me from my objectives.
My skills and resolve were too limited to reform academia from within, so I decided to focus on the issues within the software industry to limit the problems that more talented academics faced. I co-founded Pvotal with Ashley to build a new generation of solutions that helped customers focus on the value they bring to customers rather than get stuck in an iterative cycle of integrating code and debugging updates.
Pvotal emphasizes creating “Infinite Enterprises.” Could you explain what this concept entails and how it aligns with your overall mission?
While many industries have adopted different interpretations of the ideal Infinite Enterprise, we believe the “infinite enterprise” is any company that has achieved an infinitely scalable, independent, resilient, and secure infrastructure. Once these criteria are met, we observed that it allows businesses to truly innovate, improve, and elevate their value proposition to customers.
The age-old adage of teens or some fresh graduates going into “founder mode” can build the next generation of software in their proverbial garage, shared workspace, or dorm room is simply no longer possible.
The rise of hyperspecialization, wanton integration of third-party code or vendors, and the unmanaged accumulation of technical debt has led most software companies to become antiquated, vulnerable, and overbloated pieces of code that can no longer efficiently protect their customers’ data, provide a competitive edge to their users, and have a reasonable cost/utilization footprint.
Most modern enterprise software has at least 17 paid or free SaaS, PaaS, and third-party code powering its operation or development. With a tough economy, inflation, and squeezed supply chains, these different services are forced to raise prices continually, thus shifting the burden on the end consumer. In addition to the increasing costs, this software is often abandoned or introduces vulnerabilities to the enterprise supply chains, which is why we have experienced a record-breaking number of successful cyberattacks, ransomware, and fraud every year for the past decade.
Our version of the Infinite Enterprise is to break the vicious cycle we have been forced into and empower businesses to move forward unhindered by these financial, technical, and logistical barriers placed by the status quo.
Threat intelligence is a critical aspect of cybersecurity. How does Pvotal approach proactively identifying and assessing potential threats in today’s rapidly evolving landscape?
We started by recognizing that we cannot be reactive to threat actors and trying to defend against each type of potential threat. It is futile to try to anticipate how nation-state actors like Russia, Iran, and North Korea will act or how private groups may attack our systems.
We developed a proactive methodology similar to that of Google, Netflix, or Uber. In our version of Zero Trust Methodology, we created our own privilege engine and network isolation protocols. We are able to minimize the potential attack surface and shift key processes and infrastructure to be accessible only to core automated services. We use secure runtimes like restricted Golang and Rust binaries within containerized images and automate our deployment to eliminate human intervention and the potential for human error. Our core services have no third-party code, service, or API, giving us unparalleled flexibility to iterate, ideate, and price our services competitively.
By significantly reducing the potential surface attack vectors, we can skip expensive, tedious, low-performing identification or assessment libraries that often fail to yield significant results in shielding businesses from the rapidly evolving threat landscape: we limit the potential for initial exposure and post-exploitation phases. Our skeptical approach of “never trust, always verify” allows us to successfully enhance our security posture and minimize the risk of lateral movement in the unlikely event of a significant breach.
We further decouple infrastructure components through Infrastructure as Code (IaC) to enable rapid patching cycles, automated library updates, and reduced human activity within fast deployment cycles. We can push thousands of daily updates without downtime or impacting our clients, services, or usability.
Your company advocates for a comprehensive security stack. Can you discuss the key components of this strategy and why a layered defense is essential?
A layered approach is the only practical approach to providing redundancy and resilience. It ensures that if one layer is compromised, others remain in place to prevent a full-blown security breach.
However, our underlying strength lies in how each layer is selected, engineered, and structured. Each layer adopts the best industry practices from mature cloud-native open-source projects; no third-party code or licensed product is included, and code is constantly refactored to reflect changing attack methodologies and zero-day vulnerabilities. We have a dedicated team that engineered the layers and maintained their operational excellence by continuously monitoring threats and vulnerabilities exploited globally.
This helps us maintain a lean and tightly controlled ecosystem with a manageable number of operational runtimes that power even the most complex use cases: we attempt to maintain less than 5% of legacy code and no shadow IT/API.
We extend our infrastructure-level defenses to applicative-level security through carefully choosing languages: all our projects use Golang for backend development and Flutter/Dart for multiplatform frontend development with transpilation. Our developers can seamlessly use our policy engines to delegate authentication and authorization within carefully designed protobuf definitions to prevent accidental misconfiguration or vulnerabilities introduced by less experienced developers.
The last line of defense is in our sensible employee selection, training in our security mindset, and ensuring we are not compromisable at any potential endpoint. Our processes, tools, and technology allow us to focus on the customer and their product while providing them with the best experience possible without any security concerns or the need for expensive cybersecurity tools.
Continuous security monitoring is more important than ever. How does Pvotal utilize advanced analytics and AI to detect anomalies and respond to incidents in real-time?
One key benefit of container implementations, often overlooked, is isolating and terminating compromised workloads without impacting the overall system or client experience. This contrasts sharply with traditional monolithic server architectures, where a single compromised element can jeopardize the entire system.
Pvotal utilizes Falco alongside Istio to gain granular visibility into and control over containerized environments. This combination allows us to monitor system calls and control network traffic, detecting suspicious activities that might indicate a security breach. Furthermore, we are experimenting with Falco Talon, which is currently in its alpha stage, to automate incident response. This technology empowers us to define rules within specific Kubernetes environments that automatically terminate workloads exhibiting anomalous or unauthorized behavior in real-time.
This proactive and automated approach significantly reduces the need for large-scale human intervention in incident response. By taking swift and immediate decisive action by robots with predefined rules against potentially compromised containers, we minimize the window of opportunity for attackers and limit the potential impact of a security incident. Our philosophy is to err on the side of caution and aggressively contain any suspicious activity within our containerized environments, ensuring a highly secure and resilient infrastructure.
We leverage event sourcing for long-term storage and large-scale analytics for our digital transformation with BigQuery event deduplication for machine learning and advanced analytics.
It’s important to note that while we leverage advanced analytics and automation extensively, our current security practices do not involve AI intrinsically outside of specific use cases like Google reCAPTCHA for bot detection and image scanning within our infrastructure. We prioritize robust and proven algorithms over probabilistic models to ensure the highest levels of security and reliability.
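The rule-driven containment described in this answer, as an added illustration that is not Pvotal's or Falco Talon's code: a minimal responder that reads Falco alerts in its JSON output format, applies a predefined policy keyed by rule name and priority, and plans a pod termination only for containerized workloads with a pod identity (host-level events are escalated to a human instead). The alert lines, rule names, and policy values are constructed for the example.

```python
import json

# Constructed sample alerts shaped like Falco's JSON output (not real events).
SAMPLE_ALERTS = [
    '{"rule":"Terminal shell in container","priority":"Notice","source":"syscall",'
    '"output_fields":{"container.id":"c1a2b3","k8s.ns.name":"payments",'
    '"k8s.pod.name":"api-7f9c","proc.cmdline":"bash"}}',
    '{"rule":"Read sensitive file untrusted","priority":"Warning","source":"syscall",'
    '"output_fields":{"container.id":"host","k8s.ns.name":null,'
    '"k8s.pod.name":null,"proc.cmdline":"cat /etc/shadow"}}',
    '{"rule":"Contact K8S API Server From Container","priority":"Notice","source":"syscall",'
    '"output_fields":{"container.id":"d4e5f6","k8s.ns.name":"payments",'
    '"k8s.pod.name":"worker-2b1d"}}',
    # Second hit on the same pod: must not produce a duplicate action.
    '{"rule":"Terminal shell in container","priority":"Notice","source":"syscall",'
    '"output_fields":{"container.id":"c1a2b3","k8s.ns.name":"payments",'
    '"k8s.pod.name":"api-7f9c","proc.cmdline":"sh -c id"}}',
]

# Falco priorities, most severe first.
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Hypothetical response policy: what to do when a named rule fires at or above a priority.
RESPONSE_POLICY = {
    "Terminal shell in container": {"action": "terminate", "min_priority": "Notice"},
    "Read sensitive file untrusted": {"action": "terminate", "min_priority": "Warning"},
    "Contact K8S API Server From Container": {"action": "alert_only", "min_priority": "Notice"},
}

def priority_at_least(actual, minimum):
    """True when `actual` is as severe as or more severe than `minimum`."""
    return PRIORITY_ORDER.index(actual) <= PRIORITY_ORDER.index(minimum)

def decide(alert):
    """Map one parsed alert to (action, namespace, pod), or None when no policy applies."""
    policy = RESPONSE_POLICY.get(alert.get("rule"))
    if policy is None or not priority_at_least(alert.get("priority", "Debug"), policy["min_priority"]):
        return None
    f = alert.get("output_fields", {})
    # Only a containerized workload with a pod identity can be terminated automatically;
    # anything on the host (or without a pod) is escalated for human review.
    if f.get("container.id") in (None, "host") or not f.get("k8s.pod.name"):
        return ("escalate", None, None)
    return (policy["action"], f.get("k8s.ns.name"), f["k8s.pod.name"])

def plan_responses(lines):
    """Parse Falco JSON lines and return a deduplicated, ordered list of actions."""
    seen, plan = set(), []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not crash the responder
        d = decide(alert)
        if d and d not in seen:
            seen.add(d)
            plan.append(d)
    return plan
```

In a real deployment the returned plan would be handed to the Kubernetes API (the role Falco Talon plays), with the policy file reviewed like any other code change.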
Employee education is often overlooked in cybersecurity. How does Pvotal integrate training and awareness programs to cultivate a security-conscious culture within organizations?
Unfortunately, over 90% of the current cybersecurity landscape is dominated by snake oil salesmen masquerading their products as useful defensive tools with fancy dashboards, analytics, and features that most clients never use.
One of the biggest failures of modern cybersecurity awareness and education is the fallacious concept that cybersecurity is a divorced, separate concept from software development.
At Pvotal, we ensure that everyone from our business team to designers and engineers receives continued education on cybersecurity, whether on zero-day vulnerabilities, reading about ongoing threats, or discussing failures at other companies or businesses. Another undervalued aspect of infrastructure as code is the core capability to distribute the responsibility of security at every step of our development pipeline with an opportunity for everyone to learn while enforcing that the code performing the complex work deployment or processing work remains maintained with the proper expertise.
We regularly share recent attacks, ideate with the team how we would have defended against them, and proactively make necessary changes to ensure that our clients would not be vulnerable to these vectors. But more importantly, we also try to see how infrastructures can be breached and proactively fight against our defenses. Similarly to our body’s immune system, we can only thrive with constant challenges and pushbacks.
Given your background in computational chemistry and engineering, how do you apply this expertise to the development of more secure systems at Pvotal?
While we are still far from any form of biomimicry, we constantly inspire ourselves from nature’s biological processes to handling. Our core Pvotal engine – Infrastream – has been built with that ideology in mind – an independent set of mechanisms that is capable of withstanding any level of attacks.
Pvotal aims to offer enterprises scalability without limits. How do your solutions ensure that businesses can grow and adapt without compromising on security or efficiency?
Our primary product – Infrastream – aims to aid companies in their digital transformation journey and convert their stack into a mature IaC platform that defers all security concerns, reduces common issues with cloud development, and helps benefit from sweeping changes across their operational pipeline: we automate most of their operations, provide internal analytics and logging services so they don’t have to constantly exfil or provide access to consumer data to third parties, and we reduce their reliance on third parties so they can avoid recurring costs that scale with their growth.
Most importantly, our clients immediately gain a five-year-old mature engine that can help them be immune to a wide range of standard hacking tools and methodologies. This redirects their concerns about auditing, compliance, data governance, privacy, and security: we help them focus on their product and the value they bring to their clients rather than the mundane operational challenges that can be distracting or disastrous if done incorrectly.
What are some of the unique challenges you’ve faced in building Pvotal, and how have you overcome them to maintain your commitment to innovation and security?
Biomimicry starts with the understanding that evolution did not happen overnight but was a long process sustained over time. It was initially challenging to find investors willing to fund this endeavor. They were not interested in us trying to reinvent the wheel or applying natural ideologies to something as definite and stoic as cybersecurity. We were lucky to eventually find the right investors and support network to provide us with enough time, resources, and knowledge to fail thousands of times so that we could eventually find the one successful path ahead.
Once we secured the proper funding, new challenges came with the ideological differences of our first hires. We found superstars and experts we admired from afar, but they were dismissive of our approach and philosophy, which constantly led us to question ourselves and our direction. We decided to stand our ground and we realized we had to screen employees differently: the talent from mature companies or experts in other domains was often too combative to share this radical vision. They preferred to use established third parties rather than recreating and rebuilding everything from scratch within our constraints and platform. However, after years of hiring cycles and evolution, we found a high-performing team that shares our vision, drive, and the need for such a product in the market.
Amplified by fantastic team chemistry and cadence, we faced the final obstacle: convincing clients to abandon industry leaders and technologies they believed were the best in class. The initial sell was tough when we started years ago; however, the rise of successful cyberattacks and breaches and the rising cost of all software solutions have given us the ideal product-market fit and timing to scale and thrive going forward.
Looking ahead, what are your long-term aspirations for Pvotal, and how do you see the company evolving to meet the future needs of the cybersecurity landscape?
We want to help shift the conversation from enterprise leaders accumulating “cybersecurity tools, certifications, and third-party products” to understanding that every company can achieve a cybersecurity goal by shifting their development methodology, philosophy, and operations.
We understand that it may be difficult for nontechnical organizations to benefit from our development philosophy, so we are releasing a tool—Infrastream—that will empower businesses to deploy the right environment to manage their entire platform without the need for multiple third parties, subscription services, and consistent integration headaches.
Infrastream is designed to help enterprises focus on consumers and their businesses rather than reactively or proactively fight against the threat actors and suppliers, forcing them to pay more for subpar services.