Why We Invested: Revelstoke
Next Generation SOAR
Security Orchestration, Automation and Response (SOAR) tools are software products that enable organizations to automate or semi-automate security tasks. This enables a quicker response to attacks and the overall strengthening of a company’s cybersecurity system.
The number of security attacks that organizations face is only going to increase. SOAR makes it possible for security analysts to manage the sheer number of alerts coming into their systems.
Unfortunately, in spite of the success of the start-ups that created them, the first generation of SOAR solutions didn’t quite hit the mark. Traditional SOAR tools are too complex, don’t scale well and require an army of developers to create workflows.
To solve these problems, Revelstoke launched the next generation SOAR platform. Its patented Unified Data Layer eliminates nearly all coding requirements and creates the flexibility to switch out technologies and products. Its cloud-native architecture lets you scale and take in many more alerts than earlier solutions.
It’s a compelling and much-needed solution created by cybersecurity veterans with a deep understanding of the market and prior success with SOAR. We were excited to invest in Revelstoke’s $14M Series A financing along with frequent Rally co-investors Crosslink Capital and Clearsky, who have strong experience in the cybersecurity space and a history of adding significant value to their portfolio companies.
We sat down with the Revelstoke team to dig into the details of their SOAR platform and why now is the time to rethink the approach to this market. Below are excerpts of our conversation with Co-Founder and CEO Bob Kruse, Co-Founder and CPO Josh McCarthy, CTO Dave McKinley and VP of Marketing Pete Johnson.
1. What core problem does Revelstoke solve?
Before SOAR solutions existed, security analysts would have a physical book or binder that would give you steps to take for different security incidents. For example, if there was a phishing incident — when attackers send malicious emails designed to trick people into falling for a scam — there would be a series of steps to follow outlined in this book.
SOAR allows you to automate many of these steps. A computer can send messages, look up files and URLs that are part of the phishing message, gather information and present its findings in a report. Automating these steps drastically reduces the workload of security analysts.
One big reason why it’s important to make this process more efficient is because there just aren’t enough people to fill these jobs. There are currently hundreds of thousands of security analyst jobs going unfulfilled. You can’t train fast enough for that volume of jobs. The only way to fix it is automation.
The first generation SOAR platforms took aim at security automation, but they fell short in many ways. So, our team took all of our experience in the cybersecurity automation space, went back to the drawing board and came up with a solution that does address the full scope of issues faced by CISOs and security teams today.
“My co-founder Josh and I started Revelstoke to solve a problem we helped create. There are so many security devices on the market, and I’ve sold a number of them over my career. It was necessary to create a solution to help manage them all.” — Bob Kruse, Co-Founder and CEO.
2. One of the key differentiators for Revelstoke is that it’s a low-code platform. What is the benefit to building and using no-code/low-code solutions?
The few people who were able to make traditional SOAR platforms work were typically business/response owners who also knew how to code, which means they could build the security playbook on their own.
Web developers and security experts are usually different people in an organization. When you have to keep introducing more people into the process, things get confused and incorrectly implemented because the person writing the code doesn’t have the full knowledge and view into why decisions are being made.
We’re seeing this trend towards no-code/low-code because it allows the person who fully understands the security landscape to directly design the workflow. Revelstoke is low-code, which provides the best of both worlds: no-code capabilities to achieve basic functionality, while also enabling low-code capabilities for customization of workflows.
Another key benefit to low-code/no-code solutions is system stability. With low-code/no-code solutions, you have a backend and data schema that’s standardized. And finally, the ability to switch vendors is key. If you do use code, that code is usually specific and not reusable. If you follow a low-code approach, products can snap in and snap out quickly. You don’t have to take the network offline for long periods of time to install new technologies.
3. Is the problem you’re solving accelerating in terms of its scale? Why?
In terms of scale, the number of alerts the security team has to deal with is only going up. And this problem is compounded by the hiring crisis. Having a platform that’s more accessible just makes sense because companies can hire people who are passionate and knowledgeable about security, not about coding.
We want to free humans to do things that actually require a human. A security analyst might spend all their time on phishing attacks, but they don’t have to if that’s automated. Now they can focus on the more complex and unique attacks that we’re increasingly starting to see.
The shift to remote work also accelerated the need for a great next-gen SOAR solution. When the pandemic pushed everyone into a remote environment, many of the security protocols around breaches and attacks didn’t work anymore. What works within the four walls of a corporation doesn’t necessarily translate to what happens when senior executives are accessing sensitive data in their homes. Revelstoke helps address the new challenges and security concerns created by the shift to remote work.
4. How do you think about fostering great culture at a remote company?
We hired several senior-level employees early, and then as we gradually hired junior-level employees we tried to hire them in locations where the senior-level employees are located.
We are a fully remote company, but we intentionally co-located juniors with seniors so they have the opportunity for in-person development and career pathing. It’s really powerful to create those in-person opportunities, even if it’s only one or two days per month.
We (the senior leadership team) have been in the workforce for decades. When we were junior employees, a lot of our development came from physically working alongside people and being able to ask questions. There are many benefits to remote work, but we need to be intentional about creating those learning opportunities for junior people joining our team.
Another one of our key tenets is to over-communicate. Early in the life cycle of a company, it’s important to have open door policies and one-on-ones with everyone in the company. This won’t necessarily be sustainable as we grow larger, but for now we want to make sure everyone is approachable. There are no dumb questions, and you can come to us with anything.
We’re truly having a great time building this company, and I think that trickles down to the team.
“It’s been a dream of mine to start my own company and make it a fun and fulfilling place to work for everyone. Becoming an entrepreneur is an incredibly risky decision, but, in the end, life’s too short not to just go for it. Josh and I have pulled together a strong team, and you can see everyone’s passion shine through from every corner of the company.” — Bob Kruse, Co-Founder and CEO.
5. What cybersecurity thought leaders/books/podcasts do you look to for continued learning?
A few of our favorite resources are Dark Reading and Krebs on Security. Gartner can also be a great resource. You really just have to get out there and look at what the analysts are seeing, because things change fast in our space and you want to know what people on the front lines of cybersecurity are saying.