#338 From Silicon Valley to Global Impact: Buchi Reddy’s Journey in API Security

[00:00:00]

Mehmet: Hello and welcome back to a new episode of the CTO Show with Mehmet. Today I'm very pleased joining me, Buchi Reddy from Silicon Valley. Buchi, the way I love to do it is I keep it to my guests to introduce themselves. So tell us a little bit about you and what [00:01:00] you're currently up to.

Buchi: Right. Um, thank you, Mehmet

Buchi: first of all, really appreciate the opportunity to be here. And I am Butchi Reddy. I'm originally from India. I've been in the Silicon Valley for the last 11 years. I'm the founder and CEO of Levo. ai. Levo is a proactive API security platform. Um, started this company about three years ago. And, you know, we have a bunch of customers.

Buchi: Um, several in fintech, uh, even a couple of public companies as well. Um, but we are still very early in the journey and, uh, looking forward to actually helping enterprises secure their APIs.

Mehmet: That's great. Thank you again, Buchi, for being with me here today. Now, this is a question that usually I like to ask.

Mehmet: Every founder I interview on the podcast, you must have seen some gaps in the market when it comes to API security. So, and you figured out that there's a huge problem that needs [00:02:00] to be sorted out. So I like to hear these stories, which is like, where the idea came from, what were the gaps that you see in the market and how you are trying to.

Mehmet: Close these gaps with level. ai.

Buchi: Yeah, totally. Uh, this story is really important, right? Um, so first of all, all of us know APIs have been around for a while. The API is not a new thing. Um, and I've written my first API almost 15 years ago. Um, but my first encounter with some of the API and application security came when Cisco acquired AppDynamics.

Buchi: Uh, so I actually, I spent five plus years at AppDynamics, uh, leading the backend services team, backend metrics service team, which is the core backbone of monitoring and I was there when Cisco acquired us and when Cisco acquired us. We all know the gold standard of Cisco security team and amazing folks, uh, very knowledgeable.

Buchi: And they came and say, Hey, you know, AppDynamics is now Cisco. Uh, [00:03:00] we, we got to make sure your applications are secure and cloud is secure and everything. Right. And we, uh, naively volunteered to be the first team to, uh, go under their scrutiny. And I think that was the best thing we have done. Uh, they basically started showing all the things that, that, that experience.

Buchi: First, I started understanding. Oh my god, these security people, I started sympathizing with them, or empathizing with them actually. Because their, their job is to secure something that they didn't even write. And even worse, as developers we are writing, but they are not necessarily in the loop always before this gets released.

Buchi: So I've started, I've experienced it that firsthand. And after that, when I was working in the API security domain, what I saw is, Oh my God, apply that the security taking care of security posture of APIs, uh, apply that to APIs. There is no product that is actually solving it the right way, in my opinion.

Buchi: There were a few products which were actually trying [00:04:00] to solve it like in production, saying, okay, you put, you're already running your APIs in production, we're going to look at the production APIs traffic, or you're going to look at them in production, and we'll try to tell you if somebody is trying to attack you.

Buchi: Like, what is the problem? The problem is vulnerabilities in APIs. They were introduced when somebody is writing the code, which is the developers and why are we waiting until they go into production? So this was like the aha moment that I learned firsthand. Okay. First of all, what I was super. Surprised about is, okay, APAs have been around for 15 years.

Buchi: Why are, why is the tooling lagging by so many years and why aren't we doing anything about it? And all the approaches that are, were out there, I felt that they're not the right approaches. So that, that's when, uh, started, uh, thinking about doing something. And that's why I highlight the word proactive, right?

Buchi: Levo is about proactively taking care of API securities. So I, like we were determined to actually solve this problem and started a company and started [00:05:00] working on a product for this.

Mehmet: That's amazing. And, you know, just, you know, to your point, it's surprisingly Um, something's been around for 15 years, as you said, and now, even if you ask someone non technical, they know that APIs are the main, to make it simple, even for people who doesn't understand tech, but people knows that applications need to talk to each others.

Mehmet: And these applications need to, to, to have exactly like some secure ways to talk to each other. And it's not only about the connection. It's about much more about the, you mentioned something about, you know, preventive versus reactive measures. Um, Like, there's a lot of talk when it comes to cyber security about, you know, this, should I focus more on the preventive part?

Mehmet: Should I focus on, on the reactive part? But with, with what you did with Levo, and correct me if I'm wrong, and I'm just [00:06:00] trying to open a little bit more, you know, the space. You know preventive thing. Is it like I try to understand What do I have first and then apply the security measures? Is this exactly what you try to do with with level?

Buchi: Yeah. Yeah. Um, so yeah, just like you said preemptive versus uh, reactive even discovery is also very common thing in uh, In cyber security whether it is your endpoints, whether it is your servers or cloud everywhere The discovery comes first and API security is not an exception Um, so discovery is common you, but I think when you want to one big difference that I started noticing, and especially the, which is why where level is like super specialized when you want to proactively secure things, your discovery has to be super comprehensive.

Buchi: Because when you are reacting, you are actually reacting, detecting on few things that wherever you see activity, like apply that to, uh, you know, web application firewall, apply that to endpoints. [00:07:00] Um, but when you want to be proactive, you have to do a lot more comprehensive discovery. So, but it starts with that, like you pointed, it starts with the discovery and then what all you can do, how comprehensively you can do something about it before the APIs and applications get released into production.

Buchi: So that you give the assurance. I think another terminology that I use actually is insurance versus assurance. You know, insurance is about like, okay, if something goes wrong, then things come in, whereas assurance is like, before you even go, uh, you know, before you even put into production, you want to give that assurance.

Buchi: Um, so it's about discovery. And doing the best that you can before your API is going to production so that you can actually give that assurance.

Mehmet: That's great. So I understand Buchi and just this again for the sake of making sure that we get the thing in the right way. So you detect any, let's [00:08:00] say API security anomalies, I mean, wrong code basically before it goes to production.

Mehmet: Am I right?

Buchi: Yeah, so I'll describe it this way. Basically, I think you can now probably is the time to describe the product. So what does Levo do? We find every API that you have in the company, every API, uh, internal, external, and even third party APIs or the egress APIs that you might be calling somebody, find every API out there and let you know about those APIs and we document them continuously.

Buchi: So you can actually even see the changes. So going back to my earlier point, security teams does not have to be at the mercy of somebody documenting this stuff or somebody informing them. Actually with our product, it's the other way. Security people often are knowing now a lot more about APIs than some of the developers because developers are implementing only few APIs, but security team with our tool is able to tell across the entire company, which APIs are newly introduced, which APIs [00:09:00] have changed recently and all this.

Buchi: So we, we. We go, we discover, document, uh, every API out there, and we give several details to help security teams understand the risk posture of these APIs, and then we do something called continuous testing. We continuously go and offensive test these APIs, much like penetration testing, uh, for all the possible ways this API could be abused.

Buchi: So that again, going back, we want to give the assurance. So we only, if you tell the API for a thousand different ways, it could be abused and prove that it cannot be abused. You will get that assurance. So that's what we do.

Mehmet: Absolutely. Fantastic. But now I like always to relate what we are talking about.

Mehmet: So maybe, you know, people get, we need to secure the APIs because you know, this application kind of application security measure to avoid. You know, bad consequences. So mainly what we usually, we see the consequences, the bad [00:10:00] consequences of a bad, I would not say bad, like not complete API security solution, or maybe if I don't have even an API security solution.

Mehmet: So what are the risks that are awaiting me from a business perspective?

Buchi: Yeah. The risks, major risks are data breaches. Or somebody, uh, depending on your application, if it is an e commerce, somebody ordering for free or, or, or even, um, or getting a lot of gift cards for free and stuff like that. If it is a bank, maybe somebody doing a fraudulent transaction or somebody stealing the data.

Buchi: So the day stealing data or money to put it very short, um, then obviously reputation, uh, that goes along with them. That is a risk that you are taking. If you don't think about securing this, I think just to give you an idea, going back to your earlier point, um, how big this API is, is, uh, why you should care about it, [00:11:00] um, there is a start.

Buchi: I think Akamai did some research. They say about 80 percent of the internet traffic is, uh, over APIs. Even this. The video that we are recording or like a lot of parts of this probably is going over apis Like it's that common every message that you are typing on whatsapp or any other chat is going over apis So when 80 percent of the internet traffic is apis And you are in your applications logic and most of it is actually getting communicated through apis You know, if you don't secure it the risk is very high.

Mehmet: Absolutely and I was you know last year I remember, you know You to your point about the APIs, you know, mentioning how much we were, we became dependent on them. And even I'm saying non technical people, because, you know, I was always giving, you know, the examples of automation, right? So when we do any kind of automation, this automation, of course, it's not like a wizard that is sitting behind and making things done.

Mehmet: It's all done by APIs. [00:12:00] And to put it in the context, So if you are using it, you know, from customer perspective, if you're using a, a, an accounting software or a booking software, and you want to connect it to the bank. So there's something called, you know, open banking API. So you get the fees from your bank and then they get into your accounting.

Mehmet: And to your point, which is, this is very critical because data breaches, you know, the consequences of data breaches, people think it's only, you know, okay, my data is stolen, but it's very dangerous because first someone can actually. You know, put some kind off a blackmailing, especially they do it in the dark web, right?

Mehmet: So we'll sell your data if you don't pay us money. Sometime it can affect that. It's always actually affect the reputation of the organization, especially if you are like in any very high regulated, um, vertical like banking or e commerce and the ones that you mentioned. So, you know, and I'm trying not to make here a kind of a, [00:13:00] uh, fear effect.

Mehmet: It's more like I'm trying to do an awareness why the API security and actually cybersecurity in overall is important. And this would bring me Buchi, like as level as an API security, uh, company, how do you see yourself in the whole ecosystem of, of the cybersecurity because you work on the preventive.

Mehmet: part. Now, of course, you know, when we say preventive, people think about things like EDRs and these kinds of solutions. So how do you position, uh, level in, in, in a, in a broader, I would say, cybersecurity, uh, perspective?

Buchi: Yeah. Um, Cybersecurity is pretty big, you know, and, uh, defense in depth is the word that they use to describe that, right?

Buchi: Because basically, if you take house as an analogy, especially if your house has several, uh, rooms, windows, and several doors, and there is a compound wall or maybe multiple [00:14:00] compound walls. Cybersecurity is about like, okay, you, you got to have something at the network level itself, like just entering into the network and you got to have something for the applications.

Buchi: So the network firewalls, web application firewalls, and you got to look at all the endpoints that are connecting to your network or if it is car network. So that's where the endpoint, uh, the security comes in. Um, but when you go into the The actual backend services are in general, the applications itself, applications of a cloud, the product, take Uber, their entire ride sharing platform is running as a, as an application, right?

Buchi: It is, it will be running in some cloud. Um, maybe multiple clouds, maybe multiple clouds and their own data center. Uh, depending on the company, just several companies are on it differently. They use different clouds and then there is. Kubernetes kind of stuff that they will be putting, and then they are running applications there.

Buchi: So in this whole stack, we are specially focused [00:15:00] on the applications which are API based. That's like the innermost core. And they are the ones sitting closest to the data, if you think about it, right? They are the ones which are writing the data into the database and reading from database and serving through these APIs.

Buchi: Fortunately, the cloud security and some of the infrastructure security has, they have been several products and they are even little ahead. Um, maybe because people think that, okay, you know, we come, we all come from data centers world where like once upon a time, we used to think that, okay, just protecting my, just throwing in a firewall and just protecting the gate or entry point was enough, uh, because of that, probably people tend to naturally think from outside in, so they go layer by level, uh, layer.

Buchi: And API security is like the innermost core. A application and API layer, which is dealing with the data and we come in there. So if you like you people or our customers usually have some cloud security products, the endpoint security products, and, uh, and they might even have some [00:16:00] WAF and CDN where some of these are being taken care and we are taking them all the way to the lowest level and giving visibility into this entire data plane in the data flows in their environment, um, through APIs.

Mehmet: Yeah, to your point, you're right, like you are the closest, you know, thing to the data because this is where you are writing and, you know, accessing the database and, um, actually carrying data from sometime, as you said, from one cloud to another cloud. Now, before I ask you about how easy it is to implement Vucci, I want to, you know, understand, and this is because of the name of the company, about the AI part.

Mehmet: Like, are you leveraging any artificial intelligence, you know, within the solution, or are you planning to do so if not today? And how do you think this, the AI is able to, you know, help to fortify your positioning?

Buchi: So we use some basic machine learning, uh, especially in the data [00:17:00] classification area. Uh, all the proactive testing and all of it that today it is still not, uh, AI driven.

Buchi: Uh, we have a lot that can be done, not just in the proactive testing, but even in the discovery in general, even surfacing some insights to the customers. Um, And even the documentation, there are several use cases, but going back, like I said, we are a seed stage company and we just got started. We focused actually the, about the AI one comment I would like to make, I think a lot of people said this, um, you know, if people say if AI is like the, um, the engine data is like the oil, I don't know if I got it right, but you get the point data is a super important.

Buchi: And strategically what we have done, we, our current product actually helps us get the right data. We are in the data plane and we look at all the data and we help customers to capture this data so seamlessly. Now, next step, we want to actually start building several use cases on top of it. [00:18:00] The AI is only as useful as the quality of the data that you have.

Buchi: And that's why we focus on this data. And we, we unlocked several initial stepping stone use cases with this data captured. Some basic machine learning algorithms are used in data classifications and student data discovery and stuff like that.

Mehmet: Thank you for mentioning this Buchi because again, um, and I, and I had like other, uh, founders in the cyber space as well.

Mehmet: And we focus that, you know, when we say artificial intelligence, people mind goes to now chat GPT, of course, and large language models and all this. And we say like there are multiple use cases other than LLMs. I'm pretty sure that you might find something, you know, in the future where you can go and talk to your APIs maybe and say, Hey, like, I don't know, um, how I can enhance, you know, the system.

Mehmet: security between this application and this application something like this, right? So it was a

Buchi: lot. I can, I can even tell the use cases. We keep thinking and discussing about these [00:19:00] use cases. There is a lot that can be done. Uh, we are, uh, we are just taking one step at a time and like I said, actually, we are not getting into too many details of the product, but what we have built so far itself is actually a significant build.

Buchi: And as a start up, you need focus and context.

Mehmet: I like this.

Buchi: So the AI come like there are two philosophies, right? But if somebody is providing a quality data for you to do the right AI on top of it, then maybe that's the right approach. But in this case, I actually don't see anybody providing this quality data.

Buchi: So we actually started capturing the data now, you know, for us. And even maybe at some point we might even give this data to somebody else if they want to unlock some other use cases. Um, but. We focused on the right thing.

Mehmet: I like this approach actually, because you know, you, you, you're not Doing it for following a buzz or, you know, a following a trend, which you are focused on solving the main use case you [00:20:00] started with, which is like completing, you know, the gaps or filling the gaps of is currently existing in the market.

Mehmet: So a hundred percent on this one. And to your point about the data, and I think we repeated this here on, on this podcast a lot of times. If you have garbage data, we call like garbage in garbage out. So, you know, like AI deals with data and based on the data, it can take decisions, especially when you do this data classification and the other use cases as well.

Mehmet: Now, would you tell me? You know, for such solution, is it like it like how implementing such solution looks like? Is it something that I need to plan and do architecture days and nights? You know, because I used to work on the other side of the table at some stage of my career, or is it something really straightforward?

Mehmet: Walk me through, you know, how a typical, you know, implementation for your solution would look like.

Buchi: Yeah. Um, great. Uh, thanks for asking because, uh, [00:21:00] this is where there will be a lot of different, there could be a lot of difference from product to product, solution to solution. And this is where we have innovated.

Buchi: Uh, so first of all, we use a technology called EBP of, uh, Linux Kernel Technology, extended Berkeley packet filtering. We just, uh, demo it as well. It's there on our LinkedIn, uh, live page. Uh, we, you, we leverage the powerful technology to capture the data of customers or APIs in applications in an unprecedented way with the least friction possible.

Buchi: Like we have our product was installed in some of the largest environments with one command within a couple of hours We discovered even 15 000 plus apis. I think it's like it was close to 20 000 actually. Um, so One command especially in kubernetes environments you do one helm install And that's it. In real time, within minutes, you actually start seeing the API inventory and and every application and every API will be covered [00:22:00] as part of that.

Buchi: So we innovated a lot in that area on how easy it can get, how seamless it is to actually insert this product. So no mammoth. Fortunately, it's not, uh, It's not months quarters of effort. It's not even weeks Our fastest installation was done in like, you know, 10 10 to 15 minutes and already seeing the value They don't have to do anything else.

Buchi: They install one command and they started seeing the value within 10 minutes

Mehmet: Wow, this is really fascinating, you know If I was the customer i would say this is a music to my ears because you know, like usually when we talk about security um products specifically and you need a lot of preparation and a lot of Integrations and for you like it's just Kind of out of the box, as you said, you just, you know, like you do the command and you're ready.

Mehmet: Maybe it's a traditional question and I'm asking because here in the region, sometimes still people, although like we have all the hyperscalers over here, um, but they ask this, [00:23:00] can I install this in my data center?

Buchi: It was a no until recently, but we said yes, because it's actually not just from that region. We constantly keep hearing this from some Europe regions, some European countries and India as well, like where I am from. So I think it is becoming a need. There are multiple reasons. One, every country in every jurisdiction is coming up with their own data protection laws and all this.

Buchi: They're getting complex and complex. Uh, and other thing is there is also a reverse in trend, uh, with respect to cloud. Some companies, especially the, the big ones or the paranoid ones, are starting to build their own cloud and they, they just want to keep all these workloads in their, uh, you know, even if you don't call it cloud, cloud or data center, but basically.

Buchi: They want to keep it on their side. So we spotted this trend and we wanted to be the first one to actually start offering this to customers. And we have a complete on premises solution that they can install completely in their [00:24:00] network.

Mehmet: I think this is already also another competitive advantage for Yobuchi in this domain.

Mehmet: Uh, probably, especially, you know, I'm talking about the region and yeah, the data protection laws are very tricky, I would say, and they, you know, differ from country to country. I mean, within the EU itself, as you know, for example, and here, even in the Middle East region, like it can be different. And I know in the U S also, like when you deal with, uh, you know, some entities in the government and so on.

Mehmet: So you need to have like some special requirements. So would she like, it looks like, you know, you, you have a product market fit, as we can say, can we claim this?

Buchi: Like, uh, I would not already claim it. I think we, first of all, we took a very big problem and we solved, uh, you know, different pieces of it. We innovated and we tried to solve it the best possible way as quickly as possible for adoption for customers as easy and quickly both.[00:25:00]

Buchi: Uh, I think we, uh, We have already gotten into several, uh, some very large FinTech companies. We won deals again, as some of the biggest competitors. Um, but I think I would wait for another, you know, another 10 large enterprises to adopt. And, uh, you know, for the, for this to get to a stage where we can rinse and repeat, the PMF word is super important and you have to be very careful about it, how you use it and how you play around.

Buchi: Um, but indeed, think for me, we, the good news is all the customers that we have installed, the use cases are exactly same. It's like, it's the same exact use case. We have all, we have gotten to a point where like we just have a template, uh, for proof of concepts or proof of value as we call it as, uh, it's the same template, same use cases, everything.

Buchi: That's a good news. Uh, but I think we probably would wait for another 10 customers. This is one reason where we are not trying to scale super fast, rather trying to work with these early customers and solve those problems, not only. Uh, easily adaptable and all this, but like all the way [00:26:00] till the end, like, you know, we care about, okay.

Buchi: Even if you find some vulnerabilities, how do these teams actually take and get them fixed? How much time does it take? Are we routing it to the correct person, correct development team? So we care about all of these things. And given the product surface area, it's uh, um, I think it, it probably will take another a quarter or two for us to cross the line.

Mehmet: That's fantastic actually, but you know, all the use cases, if I think about it, and again, I'm not a pure cybersecurity guy, but you know, You do the prevention, you know, which is important. You do the real time monitoring for these APIs. You do, you know, the documentation part also as well. You make sure that you have continuous, um, scanning for these API.

Mehmet: So when I think about you, you've built like kind of an Automated system that covers all the need that, you know, today's organization. And by the way, I think Bucic, your, your, your customers could be any customer. It's not like we, of course [00:27:00] we gave the examples of the FSIs, you know, the financial institutions and the e commerce, but in today's world, every company is using, you know, became kind of a software company by themselves.

Mehmet: You mentioned Uber, you know, Of course, Uber is a software company, although that they do, uh, cap sharing business. So, so this is very important part. Now, a little bit shifting gears here, Vuchi, and I know that, you know, you, you, you are a solo founder in this, right?

Buchi: Yeah. I mean, uh, Okay. Yeah, I can guess where you're going, but yeah, please finish the question.

Mehmet: So, so the reason I ask you this, because how, you know, I get a lot of questions sometimes because they say, okay, I, we know that you didn't find found a company yourself, but you work in a lot of startups before. And I interacted, how challenging is it [00:28:00] to build, you know, on your own and with all these. You know, unique set off of features.

Mehmet: And, you know, how did you manage to, to, to have this diverse also of your role, because I know how much you are obsessed about customer centricity and making sure that, you know, whatever you have built is actually fit to the customer. So tell me about the experience of being a solo founder.

Buchi: Well, I mean, I think I definitely, uh, steal a bit of credit from my extended team, whether it is my, uh, investors, my founding members of my current team, uh, obviously they are all doing a lot of, uh, heavy lifting, uh, for all of this to come together.

Buchi: Um, so, but just as a founder, if you are alone, there is too much to do. And you are always like, it's 24 by seven on, uh, your, your brain is always thinking about, it's like, and you've got to do, there's huge sacrifices to make, [00:29:00] uh, you know, family time and all of that goes in, but that extended team around you, whether it is your investors, whether it is your advisors, whether it is your team.

Buchi: Team was actually doing the actual work, implementing the product and making customers successful. Um, all of these actually matters a lot and I'm surrounded by like, you know, my team, uh, you know, I'm very thankful for every one of them. I, I don't know if you follow me on LinkedIn, you would actually see like recently I started this series called unsung heroes of love.

Buchi: Because there that is actually the case. Uh, you know, I, I get most of the credit because I'm the front facing, uh, you know, public facing one. But they do, uh, they're here to support and they're doing a lot of, uh, great job and we have excellent people, uh, joining us. Like, you know, we just, uh, got a, uh, you know, somebody to lead the customer success in.

Buchi: 20 plus years of experience in cyber security. Um, they've seen, um, you know, several startups from the beginning and they were super excited about what we are building here and the kind [00:30:00] of product that we have and immediately joined us. So it's not just me. Um, but yeah, I mean, if you just see the founder, the standpoint, yes, it is a very hectic job.

Buchi: Um, it's not impossible to do. I think surround yourself with a lot of good people is the first recommendation that I would say. Um, because, uh, you cannot do it alone as at least spiritually and, you know, um, inspirationally, they should be there with you, even if you are doing a lot of work on a day to day basis.

Buchi: Um, that, that inspiration and like the motivation from the sidelines is super, super important.

Mehmet: Bhushi, I know also you mentioned you were in, in AppDynamics and, you know, you work with, with, with a lot of companies. So is that like really kind of a role model for you, that inspiration? as well. And, you know, encouraged you also to take this, this journey, which is, I always tell people, you know, building companies is not, is not a joke.

Mehmet: Again, maybe I didn't do it by myself, but I was lucky enough to be part of [00:31:00] building companies. And it's not, it's not a, it's not like a, you know, you're not going to a picnic indeed. So who was your role model?

Buchi: Well, I think again, coincidentally, just this morning, I published a post on LinkedIn on the exact same topic.

Buchi: This is not the first time I'm hearing this question. People ask me, Hey, who is your inspiration? Do you have any? I think at today's post I wrote about my grandma. Uh, she's not a startup founder. She's not a serial entrepreneur. Uh, but, uh, she, but I wrote a post about her because I learned several things about, The resilience about not playing victim card in life, uh, about actually, you know, being empathetic and loving and kind to people and being nice to people around you.

Buchi: So I, I think I learned several first principles, uh, from her and she was, she was a huge inspiration for the things that she has gone through in life and how she's still stood [00:32:00] there with a smiling face and how she's shaped up her entire family. That's, that's in general. Like, so I was basically. While growing up, I was thinking about some of these things.

Buchi: When I came to US, I was definitely thinking of doing something on my own. But after coming to US, I think it's countless people. We are always learning, right? Like, first of all, AppDynamics, I was, I spent five plus years there. I saw Jyoti Bansal, founder of AppDynamics, actually, how he does all hands, how he's motivating everybody in the team, how he's, Selling his vision, both inside and out.

Buchi: I think I've watched some of those things very closely. He definitely had as a huge influence on, um, some of what I'm doing, especially in the enterprise world, but, uh, but, but a lot of other people as well, like, you know, if you see, I have this habit of. reading, um, and learning from sidelines. And some of these people I probably have never met, but I think a lot of people have this habit, not just me, maybe, but, um, now [00:33:00] all that we can follow them.

Buchi: And a lot of these other people, uh, the way I see is all of us are. It doesn't matter if you didn't start your own company. You're saying, right, like the role that you played in all the other companies that you were part of, that's super important. That's when somebody has to do the role, it's not, uh, ignorable.

Buchi: Um, so all of us are on our missions and. Different people step up for different roles based on their own personal stories and all, and we all directly and indirectly keep inspiring each other. That's my motto generally. So yes, I mean, I'm learning from all directions, but personally, I was like, I had, you know, my hero, uh, my grandma raising me and I have learned a lot from her and a lot of those values still carry.

Mehmet: That's fantastic. I love to hear these stories, Bucci, because myself also. You know, and by the way, so this is for the audience and I think you get it. Right. Thank you very much When I say role model, it's not like okay. I want to be like [00:34:00] someone it's like to be inspired by someone to me You know, I know I cannot become you I cannot become I don't know someone else.

Mehmet: You should not

Buchi: You should yeah

Mehmet: exactly exactly and that's why always, you know, even People who follows me when I talk, I talk too much about authenticity, you know, and I believe, you know, the, the people who succeed in their startups are the people who stay authentic and they focus to your point on the, what I want to do.

Mehmet: And, you know, their, their end goal, the mission, how to serve the customer, how to be empathic, as you mentioned also as well. And by the way, I'm a fan of, uh, Jyoti myself also as well. Like I, I follow him and the recently started some series, you know, he writes Great articles about how founders for example, they need to learn because he comes also from an engineering background and he had to learn You know sales marketing and this is again something we remind founders here on the podcast Yeah, of course, you should be good at your Core, uh, what do you call it?

Mehmet: Like a function. If you are a technical [00:35:00] founder, of course you should be good at tech, but also you need to learn some other stuff as well. So a hundred percent on this. If I want to ask you, Buchi, what's your, you know, how do you see the, you know, level in, in, in, let's say, I don't want to tell you 10 years, 10 years.

Mehmet: I think it's long time in five years from now. What's your vision for level?

Buchi: Yeah. Oh. Good question. I think earlier you also asked, like, where do you see yourself in the bigger, broader, uh, cyber security landscape?

Mehmet: Yes.

Buchi: I think, uh, when I see the current situation, I am, uh, excited, but also a bit, uh, you know, disappointed at the same time.

Buchi: Uh, and I'll tell you why. Disappointed because I actually see like, you know, several tooling. We go ahead and start embracing them, start using them without thinking about the security repercussions of it, including myself, like probably like, you know, I, I brought in in 2016 when Kubernetes was very early on, I brought in Kubernetes into my company and we started betting on [00:36:00] it.

Buchi: I mean, several people said, Hey, you know, are you crazy or what? Like. Kubernetes is not even mature and you're betting on it. But in hindsight, when I see like we were not thinking about the security implications of some of those and all of it. So there is a huge lag between some of the innovation and security.

Buchi: In some cases, it's good because I mean, we cannot actually completely boggle it down completely. But If we can, with automation, with right tooling, if we can actually reduce that lag between the core innovation and the security implications of that innovation, um, that's where we want to play a big role.

Buchi: Uh, and that's what, that's what drives me, basically. And that's what I was disappointed about. Why APS, in spite of being there for 15 years, why we are still talking about the security of APS today. Uh, but that's what excites me as a challenge in somebody who wants to be challenged. It's like, okay, this is a great challenge Now, let's actually try to you know, narrow the gap or between how quickly so I think [00:37:00] lovers vision Obviously we'll be thinking beyond just apis or within apis itself already We are working on on several other like in graphical is well something that People keep asking about, but beyond APIs, much broader application security.

Buchi: There's lots of problems. The biggest problem that I see is actually a lot of application security solutions. The left hand does not talk to right hand. That static side analysis does not understand the runtime side. These are all like independent pieces. They don't talk to each other. They don't even understand the latest tech stack.

Buchi: They were built for like, you know, previous generation applications. There's a lot to be solved. And like a lot of security teams, when we were talking to them, uh, they say, you know, with a very disappointing face, Oh, we have 800, 000 vulnerabilities in our vulnerability management. Like, I, it's like, I don't know, apart from declaring bankruptcy on it, I don't know what else they can do.

Buchi: So level's goal is actually to, you know, help security teams. Um, maybe the broader application security in the long term, but [00:38:00] in the short term, we are staying focused on API. So API security there is a lot to be done there itself.

Mehmet: I love this because I remember on one of the episodes it was with Richard.

Mehmet: So, you know from RISC crew, so he was, you know, kind of I'm not say angry, but he was, you know, Some point very similar to what you said Like he said like we've been talking cyber security for a long time and we still have you know, all these things and actually we became part of the problem because When you add, you know multiple levels to your point like and I when I was also sitting on the customer side I would say yeah, I was excited when I see that new toy.

Mehmet: Let's let's bring it I remember like I was the first one to play back You know, it was a new here at least in 2006, you know, I discovered this thing called VMware. You can install a machine inside a machine and, you know, you start to play with it. And then I remember we discovered about the next generation firewall.

Mehmet: And yeah, let's, let's try to play with this. [00:39:00] And, you know, like to your point, so we built this stack very fast and a lot of, of gaps, maybe This is good for you, but she actually, because you have a lot of gaps to fill with this vision, which is really, really amazing. Now, as we come almost to an end, but she, if you want to give final word of wisdom to anyone, wherever they are, maybe in Silicon Valley, maybe they are here in the Middle East.

Mehmet: And I'm, I'm happy that I start to see even local startups in that domain. And in tech in general, what kind of advice you give for fellow tech founders?

Buchi: Yeah, I think one I already said like, you know surround yourself with great people try to get great advisors and mentors, uh, you know with now Because they will be life changing But again that will take some time for them to identify who are really great mentors Cause not everybody is same and not everybody can really empathize with the founder and give the advice, but surround yourself [00:40:00] with great people, pick a problem and, you know, work on it, like your life depends on it.

Buchi: Like think about the customer standpoint, basically you think you've got to be passionate about the problem and you've got to be empathizing with the customer to, for you to really be motivated, um, and solve it the right way, because the journey is going to be hard and the materialistic things are not going to Push you to keep going.

Buchi: Actually, the only thing that can, uh, push you keep going is actually the real motivation. Um, so you, you got to be motivated and connected to the problem. That's what I would say. Um, apart from that, I think there are other several tactical things, uh, you know, don't raise too much money and, uh, don't tell lies and try to.

Buchi: Uh, you know, don't, don't sell vaporware, . This is, or don't, don't just follow the buzzwords. Like, there are several things that we can tell, but I think fundamentals, these are the . Yeah. Fake it. Fake

Mehmet: it till you make it. Right. It's not working anymore.

Buchi: Well, I mean, I think [00:41:00] a lot of people interpreted differently.

Buchi: I, I, I'm pretty sure the person who originally said it probably didn't mean, uh, didn't mean, uh, uh, of course, uh, didn't mean it the way that a lot of people are interpreting. Um. Fake it till you make it does not mean fabricate the data or fabricate the metrics.

Mehmet: Yeah, absolutely. Two things I highly and strongly agree with you on, and I tell founders this, fall in love with the problem that you are solving because otherwise you will not be passionate about it.

Mehmet: So you will give up very early, especially if things. Don't move very fast. So absolutely on this to the point of, you know, fake it till you make it. And this is why I tell people there is a very thin line, especially, but you cross this pucci thankfully when they are still in the validation phase. As founders between what they have in their hands and you know what they are trying to show people [00:42:00] right and they tell them you need to be transparent and say hey i'm trying to build or i build a model of this it's not complete tell me what you think about it because people come and say how we can validate our ideas and they say Of course, you know, when, when you work in the field, you can understand this more.

Mehmet: So I was a consultant, so I know how to talk to customers and I know what, you know, what the customers want. So I can give my two cents on this. I said, you just go there and tell them what you have. Okay. You have a landing page. That's fine. Tell them to go to the landing page and tell you what they think about your idea.

Mehmet: You have a video that you have recorded. Fine. Do it. You've built a product. Fantastic. Again, go show them. And to your point, which is just that can don't sell vaporware. Ask me as a guy who used to sell in the field, I hate to sell vaporware and I used to go and said no multiple times. I'll not mention of course, where to say, I'm not going to tell the customer about this because I don't believe.

Mehmet: It is up there. So [00:43:00] the hundred percent finally Buchi, where we can find more or how people can interact with you. Um, and find about level.

Buchi: Yeah. Yeah. I think, uh, uh, website, uh, you know, level. ai, levo. ai. And, uh, you know, I'm pretty active on LinkedIn and Twitter as well. You can find me with just which ready B U C H I R E D Y.

Buchi: Uh, both on Twitter as well. I think that that's great. I'm happy to answer any questions. Happy to, you know, show the demo for those who are interested or, um, and we are also doing, uh, demo days where we are actually demonstrating the product and just follow our page and they can actually see, see, uh, you know, they say walk the talk, right?

Buchi: Like, you know, earlier I claimed that, oh, we can install super easily. Like we have done that in the demo. You can actually see it in action.

Mehmet: Exactly. Seeing is believing, as we say. 100%. And for the folks who are listening or watching, uh, this episode, the links that pushy mentioned that are in the show [00:44:00] notes, which you thank you very much for being with me here today.

Mehmet: I know as a founder, and you just mentioned, you have to do multiple things at the same time, and I know how busy you are and how busy your schedule is, but still you took the time to be with me here today. I really appreciate this. Thank you very much for all your insightful, uh, you know, Tricks about API security that you gave us today.

Mehmet: And you know about, uh, the information you gave us about VO ai. Thank you very much for this, and this is how usually end my podcast episodes. This is for the audience if you just discovered this podcast by luck. Thank you for passing. Bye. I hope you enjoyed it. If you did, so please subscribe and share it with your friends and colleagues and if you are one of the loyal followers.

Mehmet: So keep coming. Thank you very much for all your comments, all your emails, all your suggestions. I read them all don't hesitate to reach out to me I'm also available on linkedin most of the time so reach out to me anytime And also if you are interested to be on the show, don't hesitate Although we have some backlogs now, but still I would love to talk to you You have you know, some great [00:45:00] idea you're working on a product you have something and you want a space.

Mehmet: This is the space This is why this show exists. Don't hesitate reach out to me and we can find a way to do it Thank you very much for tuning in. We'll meet again very soon. Thank you

Buchi: Thanks a lot for the opportunity, actually. I really enjoyed chatting here and.