
Dropzone AI Founder Edward Wu


March 12, 2025

Listen on Spotify, Apple, and Amazon | Watch on YouTube

This week, Partner Vivek Ramaswami hosts Edward Wu, the founder of 2024 IA40 winner Dropzone, which is building a next-generation AI security operation center. Edward decided to take the leap and start his own company after spending eight years at ExtraHop, where he rose to the role of senior principal scientist, leading AI/ML and detection. Now at Dropzone, he’s tackling some of the most pressing challenges at the intersection of AI and cybersecurity.

On this episode, they explore Edward’s decision to leave ExtraHop to build Dropzone, his thoughts on why generative AI is uniquely suited to addressing alerts and investigation in cybersecurity, and how Dropzone is redefining the role of AI in the security operations center. They unpack Edward’s decision to leap into entrepreneurship, how he landed key customers like UiPath, and why transparency is vital in a category often skeptical of AI. He also shares his perspectives on how AI unlocks new opportunities in cybersecurity, along with lessons he learned as a first-time solo founder.

This transcript was automatically generated and edited for clarity.

Edward: My pleasure.

Vivek: Let’s kick off with having you share a little bit about your journey into security. What sparked your interest in the space, to enter into security?

Edward: I would say, quite similar to a lot of security practitioners, I grew up playing with computers, playing games, cracking games, and I think that’s what got me started with security, because a lot of the, you can say, skills or tools you use to crack games or cheat in games, jive with reverse engineering and malware analysis. Then, after I got into my undergrad program at UC Berkeley, I really made the decision to eventually pursue a PhD in cybersecurity, and that’s kind of where I spent three years in my undergrad, doing cybersecurity related research, like automated malware analysis, binary analysis, reverse engineering, Android apps.

Vivek: Yeah, that’s great. So, even back then, you were thinking about security and cybersecurity and obviously there was a lot of attacks and things like that, even back then. You spent eight years at ExtraHop, which is a Madrona portfolio company, and eventually became the senior principal scientist, led AI/ML and detection there. Tell us a little bit about that journey, and then you can tell us a little bit about why you decided to leave and launch your own company in Dropzone.

Edward: ExtraHop was definitely a very fun ride for me. I joined when I decided to quit my PhD, due to a variety of reasons. Part of it was cybersecurity academic research, frankly, is not as interesting as the real thing in the industry. When I decided to quit my program, I applied and interviewed at, practically, any and every stage cybersecurity companies I could find. I remember one of them was Iceberg. I was offered to be employee number four, and Iceberg was a Madrona portfolio company as well, so while I was looking around, ExtraHop really struck me, because back then, ExtraHop wasn’t in cybersecurity at all. It was in network performance analytics.

When I saw the demo of ExtraHop’s product, I saw so much potential, because what ExtraHop had in terms of potential is very similar to what police departments and state agencies discovered about traffic cameras. You initially have a lot of traffic cameras for monitoring traffic, but after a while everybody discovered how much more valuable information you can get out of traffic cameras from tracking, whether it’s fugitives or helping to identify other sorts of suspicious activities, so I really saw that opportunity, and ended up joining ExtraHop. Essentially helping ExtraHop to build and pivot from a network performance company to a network security company and, along the way, built ExtraHop’s AI/ML and detection product from scratch, and really spent a lot of time working with ExtraHop customers in understanding how security teams actually work.

Vivek: How did you think about even joining a startup or a scaling startup back then? Obviously, you’re interested in security, you probably could have looked at Palo Alto Networks, Fortinet, or a much larger platform. What attracted you to a startup at the time?

Edward: While I was in college, I came across a couple of blogs talking about the founding journey of different security startups, and I think those really struck me and got me excited and interested to eventually start my own company. While I was looking for my first job out of college, the number one criteria was the opportunity to learn and how to build a startup someday in the future for myself. When I interviewed with ExtraHop, and I met ExtraHop Co-founder and CEO at the time Jesse Rothstein, I told him, “Hey, the reason I’m looking at startups is I want to start my own company someday,” which is great foreshadowing for when I told him I’m going to resign and start my own thing eight years later.

Vivek: So, he couldn’t act shocked, because he would’ve known eight years from before.

Edward: Correct, correct. Back then I was looking for the opportunity to learn how to build a product from scratch, and that’s kind of where, between the choices of ExtraHop and Iceberg, I picked ExtraHop, because it was a little bit more mature. I could learn from the existing lessons and the potholes ExtraHop fell into, and then dug themselves out of.

Vivek: It sounds like you had that kernel of idea in your head, from early on, that you wanted to start your own company. Before we get into the aha moment that led you to founding Dropzone, would you suggest to other founders that it’s helpful to spend time at a company? Even if you had that idea early on in academia, thinking about starting a company, would you suggest it’s good for founders to go and spend a number of years at another startup to learn, or how would you think about that journey that founders have to go on before they start their own business?

Edward: At least in my experience, I believe that if you’re going to start a B2B company, it’s vitally important to work somewhere first, because you’ll have the exposure to how B2B actually works. I think there’s a number of, you can say whether it’s processes, or structures, that all B2B companies have to go through, and by working at an established organization, it teaches you what good engineering looks like, what good customer success looks like, what good marketing looks like, and what good sales look like. All of these will become tremendously important when you do start your own B2B company.

Vivek: So, now you’ve been at ExtraHop for eight years, you’ve learned good marketing, and good sales, you’ve seen this journey, and you’ve obviously had this idea now for eight years in your head that you want to go found your own company. What was the aha moment? Walk us through the idea you had in your head? Where did you see the opportunity that led you to actually go out and leave ExtraHop and found Dropzone?

Edward: The biggest thing was, while I was at ExtraHop, I had been keeping track of industry movements and trends, because I know the only way I could found my own company someday was by looking for the next big thing. During my time at ExtraHop, I had done a lot of analysis and paid attention to every single RSAC Innovation Sandbox, as well as other movements within cybersecurity to see, “Okay. What are other people building?” And if I were to be an investor, would I invest my money or time, right? Because as a founder, to some extent, you’re also an investor.
You’re investing in the most precious resource you have, which is your time. I’ve been doing a lot of that for years. Then, when GenAI came around, that got me excited, because for the first time I saw an idea where we can tackle one of the holy grail unsolvable problems within cybersecurity by leveraging this new technical catalyst. That combination of a very concrete, universal pain point, and a new technical catalyst, which essentially means there was no way to solve this problem previously, makes starting a new company a lot easier, because you don’t have tons of incumbents to deal with, and all the factors combined are reasonings behind my departure.

Vivek: You bring up a good point, and I think many of the founders that listen to this podcast and that we work with, over the last few years, after college ChatGPT came out or after Transformers really were becoming a big thing, is that they also said, “Hey, there’s an opportunity in AI. I want to go found a business.” You mentioned that, if it wasn’t for AI or the current versions that we have in AI, some of these problems likely couldn’t have been solved in security. Maybe just take us through that. What, specifically, were you seeing in this intersection of AI and security that said, “Hey, there’s a technical change. Something is different now, that’s going to unlock problems that we couldn’t unlock before,” and then maybe you can tell us a little bit about how that led you to what your core focus is at Dropzone today.

Edward: For people who are not familiar with security, one of the biggest challenges within cyber security today is the ability to process all the security alerts. To some extent, it’s actually a very similar problem to modern day police departments, which is they have all sorts of crime reports, but not enough detectives to follow up on every single report. This is kind of where, historically, it has been a very difficult problem to solve, because the act of investigating security reports and alerts requires tons of human intelligence.
You cannot hard code your way through an investigation process, because when a security analyst is looking at security reports and alerts, what they’re going through in their head is a very detective recursive reasoning process, so that has been one of the biggest bottlenecks within cybersecurity. There are a couple of workforce reports out there that shared that the world needs around 12 million cyber defenders today, and there are 12 million job postings out there, but the actual workforce is only around 7 million, so there’s this shortage of 5 million cybersecurity analysts or defenders that the world needs to truly protect itself, but unless somebody invents cloning or some sort of mind transfer, then some sort of software-based automation seems to be the only other solution.

Vivek: As you say, there is a shortage in the number of security practitioners that can do these kinds of things. It’s interesting, because I feel like in this first wave of AI, we saw a lot of companies going after, “Hey, there’s this intersection of AI and security. Let’s just go secure the models, or let’s think about the models themselves.” It seems like what you were thinking about is there’s an existing workflow today that is understaffed, and that’s where we see AI actually helping. Had you worked with these practitioners before, in your time at ExtraHop? Had you seen these problems of alerting and alert fatigue, and how do we actually get AI to solve problems where we don’t have enough people to scale and solve these problems?

Edward: To some extent, what I did at ExtraHop was probably one of the reasons why security practitioners are overwhelmed by alerts, because what I built at ExtraHop is a detection engine, so it looks at network telemetry and identifies suspicious activities. User A uploaded five gigabytes of data to Dropbox. User B established a persistent connection with an external website for 48 hours, right? User C, SSH linked to the database. All of these security alerts take time to investigate, and those are exactly the type of alerts that historically have overwhelmed security practitioners.

So, to some extent, my work in the past eight years has contributed or maybe partially caused some of the alert fatigue and overload, so I’m definitely intimately familiar with this particular problem. The way you said when genAI came along, a lot of people had this idea, “Oh. Let’s just secure the models,” my train of thought is very similar to a post I saw on Twitter, which says, one way you can think of genAI is, essentially, we as humans are discovering a new island where there are a hundred billion people with college-level education and intelligence, willing to work for free. We just talked about this huge staff shortage in cybersecurity, so why don’t we take those a hundred billion people with college-level intelligence, willing to work for free, and have them look at all the security alerts and help to improve the overall cybersecurity posture?

Vivek: You have this great term that you were describing to us, Dropzone is having a number of interns or having a whole new set of staff. How do you describe it?

Edward: If we were to zoom out, we view Dropzone as essentially a software-based staff augmentation agency for cybersecurity teams. What we’re building is, essentially, you can say AI agents or AI digital workers that work alongside of the human cybersecurity analyst engineers to allow security teams to do 5X to 10X more than what they’re capable of doing today, but without 5 or 10X of budget or headcount.

Vivek: You’re primarily selling to CISOs, the Chief Security Officer, Chief Information Security Officer, but the actual practitioners of who is using Dropzone tends to be folks that are in the security operation center, right? Who are usually the people who are using Dropzone on a day-to-day basis or interacting with it?

Edward: The primary users of our product are essentially security analysts who work in SOC or security operation centers, and are responsible for responding to security alerts and confirmed breaches.

Vivek: Going back to one thing you were saying before, which was the nice thing about building, when there’s a new tech change, what we have with AI, is that you don’t have these incumbents, right? Or the incumbents tend to be a little bit slower to move or they’re more reactive. In this case, you can build a net new business, and you can help create a category. One thing you and I have talked about is this is such an obvious problem, in the sense that every large company or mid-market enterprise company has an understaffed security operation center.

A number of startups have sort of popped up and started to build what they call AI SOCs or agents for the SOCs, and so, if we zoom out, how do you view this landscape, how do you view this category where, on one hand, it’s a total validation of the market, saying that something like this needs to occur because people clearly want this product. On the other hand, it’s like, “Okay. Well, how am I supposed to disaggregate and decide between 10 or 12 competitors that all maybe look the same on the surface?”

Edward: If you were to zoom out, the market Dropzone operates in, the AI SOC analyst market or autonomous SOC platform market is probably the single most competitive market within cybersecurity today. Like you said, one challenge is the intersection of cybersecurity and AI is tremendously interesting. The alert investigation use case, to some extent, is kind of an obvious use case a lot of people can see. The way we think about competition is actually not as different from all previous generations of the startups, which is having a lot of competitors is great validation for the market, but the reality is most startups or most players are not going to be successful for a variety of different reasons.

So, to some extent, it’s not a competition in terms of who gets the highest grades. It’s actually a competition of who finishes the marathon, so from our perspective, when we think about competition, a lot of it has to do with how could we do better? How can we ensure that we’re delivering real world, concrete value to our end users? Because we know we’re solving a very large problem with a lot of needs and very large market. We don’t need to worry too much about our competitors right now, because frankly most of them are still pre-product at this moment. Our focus is solely on, can we sign up 1, can we sign up 5, can we sign up 10, 20, 50 paying customers who are getting real world value out of our technology? As long as we could do that, the success will come, regardless of what our competitors do.

Vivek: So, focus. You just have to focus, focus on your customers, and make sure that you’re delivering a product and experience that they really like.

Edward: Yeah.

Vivek: You could say this about other areas of security in the past too, right? I mean, endpoint security 10 years ago was a very hot category and it’s created several, multi-billion dollar companies, CrowdStrike, SentinelOne, and others. As you say, the reason that there’s so many competitors is because people clearly see there’s a lot of value in this market, but as you think about the ecosystem many existing security tools already, and you went to RSAC, and you’ll see 1000 booths and everyone has a booth. So, outside of even the AI SOC space, but in security in general, as an early stage startup, that’s not as much on the map as some of these incumbents, what are the things that you find are valuable to have customers recognize you and think about you? What are some of the tips you have for other founders in a crowded market and how to stand out?

Edward: The biggest learnings we had so far, on the marketing front, is making sure you are very precise on how you describe yourselves. Cybersecurity is so fragmented, if you say, “Hey, we are using AI to solve all the problems with cybersecurity,” that’s not going to work, because there are too many vendors out there, but instead, you need to be very focused in your messaging and positioning, so the prospects or security buyers can immediately tell where do you fit in the larger security ecosystem? There are no security teams that only use a single product.

Most security teams have 5, 10, 15, 20 products. It’s very important to be precise so people don’t conflate you with other products, and they can immediately understand what you’re trying to do. That’s kind of where you mentioned RSAC. I always love RSAC, and I love walking through Expo floors, because I find that to be a really good opportunity to level up product marketing. When you walk through the Expo halls and see 1000 vendors, you can really quickly tell who has good product marketing, because every time you walk through a booth, you might have like five seconds right before you start looking at the next fancy, shining booth.

Within that five seconds, you can immediately tell what they’re doing or you’re confused like, “What is this thing?” I think that’s a great exercise. I know I, myself, have been doing this, and I’ve encouraged a lot of folks in my company to do as well, to really make sure our positioning and messaging is very clear so people can immediately tell what we’re trying to do, versus some Panacea AI magic.

Vivek: Well, there’s a lot of those. Now that we’re a few years into this post ChatGPT wave, we’ve seen so many of these vendors that say they do AI security. If you go to the last two RSA conferences, all you would hear is AI, AI, AI, but then what are you delivering to customers, right? And so, in that way, I think it’s really helpful to hear from you, Edward, about how you all landed UiPath as a customer, really impressive, and they’re obviously a very discerning and sophisticated business themselves. Take us through that journey. How did you land UiPath? What went into that? Are they finding value from Dropzone today?

Edward: UiPath, one of their security engineers reached out to me personally on LinkedIn saying, “Hey, I saw a Dropzone somewhere. It seems you guys are doing interesting stuff. Can I get a demo?” And then, we kicked off the POC, where the end goal of the POC is to evaluate how much time saving we can create for their security team, because UiPath is growing very quickly, and unsurprisingly their security budget is not growing linearly compared to the overall headcount. As a result of that, during the POC, we worked with UiPath very closely to, not only make sure our product is automating tasks that allow their security engineers to essentially get higher leverage, but also working with them to align on the future roadmap of the product.

They’re not only buying us for what the product can do today, but also what the product can be three months, six months down the road, and that’s very interesting, because most of the time it’s a founder reaching out to 1000 people, leading, begging for a demo, not the other way around, and I think we have a very large chunk of our customers and active prospects come from organic inbound. I think part of that is because, echoing my previous point, by having really good positioning and messaging, and also very transparent product marketing, it allows security buyers to find you, versus you trying to push the ropes and trying to force the product down people’s throats.

This is where we took a very conscious effort and a strategic decision to be very transparent. For example, our entire product documentation is public on the internet. We have over 30 interactive recorded product demos, as well as an un-gated test drive and full transparent pricing. We are able to allow interested early adopters within security community to complete, essentially, 80% of the buyer journey without talking to us, and that really allows us to get these high-quality handsraisers who have already, to some extent, self-qualified themselves and know they want to try this technology.

Vivek: I love the point you made about being very transparent and being open, and that’s not common in security, right? There’s a lot of closed selling, and you never really know how deals are done. I think I’m sure there’s some set of new generation of buyers that want that transparency. What led you to sort of stray from the path of what we would call as normal in security to be more transparent than what the norm is?

Edward: A lot of it came from my time at ExtraHop. While I was at ExtraHop, I really advocated for an interactive online demo. Back then, ExtraHop was probably the single security vendor in the entire detection and response space, where you can access an un-gated interactive demo, like actual product, not like recorded video, but an actual product. I saw how much additional credibility that marketing tactic really helped, so I decided to bring that and keep that with Dropzone as well.

Vivek: Well, last point on this is that I’m sure, as you’ve noticed, CISOs are sold a lot of bad products, and we have a CISO Advisory council here at Madrona, and the one thing that they’ll say is that they’re just inundated with products and a lot of inbound to them. With you, with this transparent marketing, and being able to show the demo and show the value, is there another step that needs to happen for you to bridge that gap to have them come and say, “Hey, take a look at our products”? Is that an evolution? How do you think about the push versus pull nature of what you’re selling and how CISOs are typically sold into?

Edward: I think it’s definitely a combination of the two. Over time, generally, what I’ve seen within cybersecurity is initially most startups are in a push market, because there’s no category awareness. Most of the security startups solve a problem that’s more or less kind of obscure to the general public, so they need to do a ton of evangelization. I would say, for us, it’s a little bit easier, because the problem we solve, again, is one of the most universal and concrete and well understood problems within cybersecurity. It’s just that nobody has been able to come up with a technical solution to solve it, so that definitely makes our lives a lot easier, because to some extent we don’t really need to evangelize the problem we solve due to the fact that it’s already been there for 20 years, and every single team experiences that every single day.

Part of getting security teams to raise their hand, part of it also has to do with the overall macro environment. For example, people have heard of Stargate projects, $500 billion of investment, as well as DeepSeek and all sorts of interesting reactions from different vendors when they really start to see competition, as well as genAI becoming real, and I would say that played in a big part as part of our marketing tailwind, because now it’s very common. I mean, obviously, I’m sure you guys have been saying the same thing to your portfolio companies, right? Which is regardless of what kind of business you are in, I want to know why you are not using genAI in every single business function, and that’s a question I would say every single board has been asking the executives. When that trickles down to security teams, alert investigation, and software-based augmentation for SOC, it is generally one of the first places people look for.

Vivek: To your point, we’re seeing our own companies and the customers of the companies we work with, everyone is saying we’re using AI, but they don’t want to use AI foolishly. They want to be smart about how they use AI, and to your point, in the security space, it’s hard to just put AI and say, “Hey, let’s walk away,” right? Security is security. It’s a very important piece of both the application and the infrastructure side of businesses, so being able to already have that pull from the SOC team, saying, “We’re already drowning in alerts. We need help. However way you can help us is going to be important,” and you can come in and execute against that, I think, is really interesting.

Edward: Absolutely. We have seen, thanks to ChatGPT, I think ChatGPT is probably the biggest marketing gift OpenAI has given to all these genAI startups, because it enlightens everybody, whether they’re technical or non-technical, on the potential and capabilities of genAI or this kind of new technology. I remember getting calls from my parents, asking like, “Hey, Edward. You have been doing AI stuff for eight years. This genAI thing looks very cool. Why don’t you go build a stock trading thing using this technology?” Because of that, I think that made a lot of security practitioners start to play with this technology themselves.

We have seen a good number of open source projects, and a good subset of the prospects we run into, a lot of times they’ll be like, “Hey, Dropzone seems very cool,” and by the way, we have been internally playing with GPTs and trying to build our own open source AI agents who automate small stuff within cybersecurity, so we know the technology can get there, but at the same time, we know, as a security team, we’re not like a hundred percent developers. This is not our specialization, so we already built confidence, have confidence in the technology. All we need to find is a reputable, trustworthy, actually technology solution provider. That definitely, again, makes it a little bit more kind of a pull-based marketing, versus trying to push ropes.

Vivek: Yes. Well, you can tell your parents that, “Hey, you may not be building a stock trading app, but stock trading apps can use Dropzone,” which is really cool.

Edward: Correct, yeah.

Vivek: I’m going to transition into some rapid-fire questions we have for you. Edward, you’ve been a founder for a couple of years now. You’re both a solo founder and a first-time founder, so what are the hardest-learned lessons that you’ve had so far? What is something that you wish you knew or wish you did better on this early journey of yours?

Edward: Probably the biggest thing, and surprisingly, as a solo, first-time founder with an engineering background, is I wish I learned more about sales before I started. One common misconception technical founders have is, as long as we build the best product on the planet, people will magically come to us. But that’s definitely not the reality. You could argue it couldn’t be further from the truth. So, sales is actually very important.

To be frank, while I was at ExtraHop, I obviously had a number of engagements with customers, but one thing I always wanted to do at ExtraHop, that I wasn’t able to, is work part-time as a sales engineer, for like six months. I never got a chance to do that, even though I always had this idea in the back of my mind, but after founding Dropzone, I think that kind of forced myself to learn how to be a sales engineer and how to be an account executive. I think those skills are tremendously important, because if a technical founder cannot sell a technology or a product with all the vision, enthusiasm, and in-depth product understanding, then nobody else could. I think sales capability and knowing how to use different techniques, how to qualify customers, and how to have a good sales demo are the key skills I wish I had before I got started.

Vivek: Great point. Sales is so important. It doesn’t matter what your product or business is. Sales is very important. What is something you believe about the AI market that others may not?

Edward: One thing I believe about the AI market is the fact that distribution is going to be a very important factor, and how I think most people probably underestimate the power of human trust, and how much that plays within the overall business ecosystem. This is where I’ve seen a number of startups trying to build technologies that completely substitute certain roles and responsibilities. I think, at least from my perspective, I think there are roles where the technical deliverables are maybe a fraction of the value proposition, but the other fraction is actually this human trust, human responsibility, and accountability.

This is where AI startups are looking at different industries and verticals, and try to identify insertion points for AI agents. I do believe we should be very respectful of the fundamental human trust, and how having automation itself is not completely obvious. That’s one of the reasons why I suspect software engineers will get more automation versus, for example, account executives because nobody is going to really build, have a relationship with an AI agent, posing as an account executive. This is where this human relationship, human trust building channel is something that I think it’s a lot more difficult for AI to substitute.

Vivek: Well, we see this when you’re driving down the 101 and you see multiple AI SDRs. Which do I go with, right? Who do I have a better relationship with? I’m not sure right now, but outside of Dropzone, or you can even think outside of security, what company or trend are you most excited about?

Edward: Probably robotics. Part of it is I love watching animes, and there’s a number of animes where they talk about future societies with all sorts of cyborgs and robots, and I think humanoid robots. I think those are all very cool, but also part of it is a little bit maybe self-fulfilling, because obviously, as a cybersecurity vendor, the more robots there are around us, I think the more important cybersecurity will become as well.

Vivek: Last question. This will be an easy one for you. There’s a 90s movie with Wesley Snipes called Dropzone. Is the company named after that movie, or what was the basis for calling the company Dropzone?

Edward: I actually have never heard of that movie, so maybe I should check it out or maybe ask ChatGPT about it. We named the company Dropzone, because we envision the future, when we have the resources and the needs to sponsor a Super Bowl ad. We want the ad to involve a scene where you have cyber defenders surrounded at the hilltop, overwhelmed by attackers, and then cyber defender essentially deployed Dropzone, which is, in my mind, I’ve been thinking about some sort of portal or Stargate, kind of a warp gate kind of a construct. They’ll deploy this portal, and through that, they can summon additional reinforcements to help them push back the attackers, so we named the company Dropzone, because we view Dropzone as a portal of, you can say, software-based staff augmentation for cybersecurity teams.

Vivek: Love that. Well, thank you so much, Edward. We really appreciate it.

Edward: Great to be here.
