Transcription Episode 59

Hi everyone, and welcome to another episode of Living on Blockchain. Today we are speaking to Sudipan. Sudipan is the founder of UNSNARL.

It’s a cybersecurity platform for Web3. They are basically a little different from the usual lot of security audit firms because they are not a service company. They are actually a product company which is built in India with Indian founders.

A very exciting conversation around how cybersecurity, often overlooked, becomes the very important crux on which everything Web3 kind of stands. So I really can’t wait for you guys to hear this and learn from it. And if you are from the cybersecurity space or learning in this space, this would be really especially meaningful for you.

So let’s deep dive right in. Hi Sudipan, how are you? Yeah, I’m doing good. It’s been a great day from morning and I’ve been doing good right now.

Awesome. So for our listeners, would you like to tell us a little about your background and how you got into the Web3 space? Yeah, sure. So I’m Sudipan.

I’m co-founder and CEO at UNSNARL. UNSNARL is predominantly a Web3 security company. I had a background of Web2 security.

So I do call myself an IIT BH2 dropout because I dropped out of college recently. So both of me and my co-founder dropped out of his colleges recently. So I am in the third year of my college and Orko was in the fourth year of his college.

So I started Web3 only a year back. But before that, I was more of this cyber geek and college hacker sort of a person who used to do a lot of penetration testing and stuff in the Web2 security space. I had learned this for six months and then I practiced for six months.

So that has been quite a bit of my journey. And then it was down around Jan 2022, right in the first year of my college, when I actually thought of building something into cybersecurity. At that time, it was not around Web3 to be specific.

But at that time, it was around something around Web2 and something around to educate people through some gamified version of cybersecurity. That was what I was building at that point. And then I went through several iterations, did a couple of internships in companies for alumni, somewhere around security only, somewhere around deep tech, ML, AI and stuff.

So I did a lot of that stuff and then finally decided because I was there in Bangalore. This is around six months post that, post Jan 2022, around August 2022. I was there in Bangalore and there were a lot of hacker houses occurring over there.

I think there was a Solana hacker house. And then there was this Google workshop as well, which occurred, which was centered on Web3. So I got introduced into Web3 from there.

And it has been a great journey from there. I got introduced into Web3. I got to know about blockchain security to be specific.

I explored that for around a month. And then I wanted to build something then in that space, in the blockchain security space. But I did not have an experience of a lot of this blockchain stuff.

So I started contacting people on LinkedIn. And that’s how I met my co-founder. So, yeah.

And after that, it’s been a roller coaster ride till date. It’s almost a year we celebrated our founder’s anniversary just a few days back on 1st September 2022. Wow.

Wonderful. So, you know, it takes quite a leap and considering I’ve been there, done that. When you’re studying and you want to start your own venture, it has a profound impact on your personal, professional life.

And also just as you as a person. How did you perhaps perceive changes in yourself and the people around you? And what was the take of your family when you decided to perhaps drop out and start your own full-time venture into cybersecurity? So, number one thing is that I am actually a person who, at one point, I’m very enthusiastic about taking risks. Because that’s what my journey has been.

While I was even preparing for the IIT entrance exams, I was doing some side hustles and stuff at that point. I made quite a lot of bucks because at that point, you know, digital marketing was at a peak. Because each and every person was continuously going down through his phones.

I used that opportunity to get into digital marketing. I earned quite a lot of bucks during the COVID times through digital marketing. So, at that point, for me, it was like I was always engrossed into learning skills which could make me financially free.

So, that was one point. And at the same time, I like to call myself a bit paranoid about, you know, whatever is happening throughout the world and whatever competitions are there in the industry. So, I’m very paranoid about the competition.

So, at that point, you know, when we actually started Avansnaal, we did not have a lot of idea about what we are actually building, what we are actually doing. But now that we have the idea of what we are doing or what we are trying to build, at this point, actually, you know, the risk-taking thing actually comes into execution. When it comes into execution, it changes the dynamic of your life.

Because then and there, you have your parents involved in this entire thing where, you know, in India, we have this very common mentality that… And I belong to a middle-class family. And in middle-class family, the degree is your certificate to success because that is what has happened in my entire household. So, that’s a very common thing.

I had to do a lot of persuasion. They’re still not completely into terms with what I say. But yeah, they have, you know, at least understood what I’m doing.

We have numbers in our hand to show that we are earning. We’re not leaving college just on the basis of simple investment money. That’s the thing.

But yeah, we got venture-backed. And post that, we decided that we should go into this full-time and we should, you know, actually build things ground up from cybersecurity. And cybersecurity interested me because, in general, from India, there are not many cybersecurity companies which are growing up and scaling across the world.

That’s a huge potential opportunity down in India. Wow, wonderful. So, tell me a little about the platform itself.

How are you, say, you know, different from a Quill Audit and a little more about, you know, what you guys are building? Yeah, sure. So, Quill Audits has been a good friend of ours. Though we, you know, always have had some considerations whether, you know, they are into audits, we are into audits, or how is this entire thing going on? But, yeah, we are essentially a lot different from them.

We are, like, quite different from all the audit firms that exist. We first launched our first product around the end of May, the first week of June, where we came up with this product called DetectBox, where we initially tried out to conduct security audits in an entire freelance model. So, I think that is where we actually got a lot of insights.

So, we did around eight audits in the last three months. We gathered a lot of insights from the industry. And post that, once we secured our venture funding, we are now going into an entire, you know, brand shift.

Quote-unquote, we are going into rebranding, and we are going into the entire cyber risk sector. So, this entire journey of us getting into audits and actually understanding what’s there in the industry and what’s actually shallow has eventually led us to understand that where actually cyber risks stand and what’s assessment. So, I eventually divide this entire security industry into two parts.

One is the entire security assessments industry, where you have the security audits, penetration testing, bug bounties, audit contest, and stuff like that, where all these great players are already existing. And then you have this entire risk management sector, where you have some great companies like Gauntlet, Chaos Labs, doing financial and economic risk management, as well as there are companies which are trying to mitigate stuff using incident response. But there is a huge gap if you understand this industry.

Once you do audit, and then, you know, you take an incident response, there’s nothing to bridge in the between. That is, in your entire life cycle, that is the life cycle of your company, you do not have anybody managing your company’s risks, your organization risks as a whole, and obviously the cyber risks which are associated with it. So, that is the broad space which we figured out, and that is the space where we are entering.

So, we essentially call ourselves the de facto standard for measuring, managing, and mitigating cyber risks in Web3. So, that is what we are trying to do, and what we essentially look like is sort of a middleware, where, you know, we are throwing you out three very important parameters which are currently missing in the industry. Number one, one of the biggest parameters which are throwing out is the risk score which we give.

Now, the risk score which were there in the industry were very red, amber, green. And what do I mean by red, amber, green is that they were very qualitative. You know, even, I’m not naming any individual firm out here, but if you go down with some of the biggest firms in the industry, they give very qualitative risk scores, and if a protocol is getting hacked, let’s say, they give a risk score of 91 out of 100, and if a protocol gets hacked, the next day it goes down to 61, and that’s a very, very, very distrustful issue for all the users who are connected to, number one, that audit company or that huge security company and their risk scores, and number two, the protocol, because that’s a huge trust gap.

That was the thing which we figured out. So, we give you a risk score which basically predicts the breach likelihood of your protocol in the next six to 12 months, and how do we do that is basically our own proprietary AI model, something involving Bayesian networks. We’re co-developing that with Queen Mary University London.

So, that’s what we are doing. Number one, we give you the breach likelihood score. Then, we give you the dollar value impact of any risk which is there in your organization.

So, the basic problem with all these cybersecurity products and all these security audits which are happening is that, as I said, they’re very qualitative. They do not quantify the risks which are there. That is, they do not connect the risks which are there in your organization to the business impact, and that is where we come in, and we give you the dollar value risk of any threat which is there to your organization, number two.

And number three, one of the most important stuff which we say is that anything that cannot be measured cannot be managed. So, now that we have helped you to measure things out, we help you to essentially manage it in two or three ways. Number one is that we give you financial and technical mitigations in your code.

Number two is we give you insights on where to invest in security and how much to invest in security, because that is what the CEO and the board level understands, because they don’t understand. So, each and every company has some of the other CISO or CRO, Chief Risk Officers, who are presenting the risks of the security threats of the company down to the board, and the board is not able to understand that because they’re presenting some four out of five risk score. But let’s say the CISO or the CRO presents that I’m sitting on a risk score of, let’s say, $100 million currently as of now, and if I am spending $5 million, then I can bring that potential $100 million to $15 million worth of risk.

So, that is what the CEO and the board understands, and that is what we are helping out this entire security in blockchain space to be. So, yeah, that’s pretty much what we are doing, and we consider ourselves to be there in the ecosystem risk space, and not in the audit space right now. Okay, awesome.

So, thank you for giving a very extensive coverage of what you guys are building. So, you would consider yourself a product company or a service company, primarily? Yes, we are a pure product and solutions company where we drive an entire product. So, we’re building up this entire cloud in which you can manage the risks of your protocol.

So, let’s say if you have built a protocol, you can manage the entire risk in an automated way in that entire cloud-based SaaS, which we provide to you, number one. And second, if you also want an entire solution, so let’s say you belong to the DeFi industry, and we have an entire extensive solution for the DeFi industry that specially caters to DeFi. So, we modify our cloud SaaS for you, and then we give down the SaaS to you.

But also, we also have something called a security operations center down in our company, which are a group of very great cyber experts who are constantly sitting, monitoring, and evaluating the risk of your organization or your protocol, and obviously the user’s money which is involved in your protocol or TVS. Very interesting. So, your vision to perhaps build a first virtual web-free security operations center is a very ambitious goal.

Can you elaborate a little upon this particular goal and the components that it will entail? Yeah, sure. So, first of all, security operations center, what do we mean by that? It is all these companies which are, let’s say, today in Fortune 2000s of range, they have their own internal security teams which constantly evaluates, exercises, and mitigates risks which are there in their organization. Now, this could be all cross-functional cyber risks which are there as well as third-party risks which are there.

But the problem with an emerging industry as well as all the companies which are there in the medium to large stage is that they cannot afford an entire security team because security comes very expensive. And that is what it is meant to be. So, what happens in a virtual security operations center is that you do not have to manage the entire security operations center of your company.

You do not need to keep people. We have an expert team of cybersecurity people who will manage your end-to-end risk. As I said, audits is just one thing.

At the end of the stack, that is, at the top-most portion of the need hierarchy, we have the incident response systems. But in the middle, we have nothing currently in Web3. And that is why we have a huge gap because we are measuring things reactively through the incident response.

We are trying to mitigate things in a pattern recognition manner via the audits. But to manage the entire thing proactively, all the risks, there is nothing existing. So, that is where UNSNARL comes in.

And you guys can rely on us for the entire risk management of not only your protocol, not only your user response, but also your organization as a whole. Because your organization has a lot of people. And we have seen in the recent days that there have been a lot of privacy attacks which are happening.

And private keys are getting lost from within the organization. And that is because the people who are involved in the organization are potential risks to the organization. We need to inculcate that also in the risk modeling of the company.

And that is where we provide a very comprehensive solution. Number one, through a product. And also, aided by an entire security operation center, which you could call the command center or one security team outside your company, which is working 24-7 to monitor all your security needs.

Absolutely brilliant. So, you’ve come from Web2 to Web3. What are the kind of challenges that you perhaps come across? And how is the security area different? Is it any different or would you say that it’s pretty similar? Because you come from a background where you were a penetration expert in Web2 and now you are running a Web3 company.

What would be the major differences or challenges that you come across? Oh, like security in Web2 and security in Web3, the fundamentals are very different. What I mean by the fundamentals is that, you know, I said before, in Web2, the security was very static. What I mean by static is that, you know, you have all these security measures coming on at the top of the pile.

Like, for example, you are an attacker, let’s say a potential attacker. And let us imagine that you have a database that I have to breach or you have to breach as an attacker. Then you have to first go through all the firewalls.

Then let’s say there’s some malware protection there. Then there’s some endpoint protection there. You have to manage all that static stack of security.

And then finally, you will be able to reach the database. So, security in Web2 was very static. You need to break through all the measures one by one to get to the database.

But in Web3, it’s very dynamic. Because in Web3, security is at the transactional level. Because once you’ve done a transaction in blockchain, to reverse a transaction, we all know that, you know, even to reverse a transaction, even to reverse a malicious event, Ethereum got divided into two different parts.

So, that is pretty difficult because of the entire community-driven 51% thing that we all know needs to come in from the entire DAO or the community of the protocol. So, that delays a lot of stuff. And in most of the cases, funds are not getting recovered in such cases.

Once you have already a transaction occurring. But in Web2, what was happening is that even after a data loss, you had a lot of significant chances of getting that data back. But in Web3, that is not happening.

So, in Web3, security needs to have a lot of proactive approach as compared to what is there in Web2. Because it is static in Web2, you can have a reactive approach to it. But since it is very transactional and dynamic in Web3, you cannot have a reactive approach to it.

You cannot just go and say that, hey, I just did a blockchain transaction, which was wrong. Some attacker or malicious people took down my money. We just revert that transaction back.

That cannot happen. You need to stop that before the transaction. And that is where the challenge of the potential problem comes in.

And that is where there is a huge gap currently in the industry. Consensus also mentioned that Web3 security is quite underdeveloped. But what we comprehend is that it is not only underdeveloped, it is broken as well.

So, that is where we are trying to bridge that entire thing to one solution. Thank you for shedding light on this. You mentioned about how you guys are doing risk quantification.

And that I find fairly fascinating. So, how does this empower organizations to make informed decisions? Is this something that is open to the end user as well? Or is it just like more B2B in nature? And can you perhaps give an example to tell us how do you go about doing it? Okay, sure. So, let’s say, let’s consider a protocol with which we are working.

And apparently, it has several interactions. So, number one, let’s say it is storing private keys. It is having third-party interactions with several other organizations.

So, if we take the example of Aave in this case, Aave day-to-day interacts with multiple protocols in its environment. And that is where we essentially come in. So, we consist of an entire middleware SaaS solution.

We give the solution directly down to Aave’s team. We pull in signals from all the security controls, all the existing security controls which are there in their organization. And then, using our own vision network models and something called Monte Carlo simulation, we give you these three things that I mentioned.

Number one, the breach likelihood and the dollar value impact. And finally, how to mitigate that. So, this dollar value impact which we give you essentially helps you to make informed decisions on how much to invest in security and where to invest in security.

So, that is pretty important because you need to understand that having multiple audits efficiently does not help you to be more secure, but it decreases the ROI over and over time. And because it decreases the ROI, you should not spend over audits all throughout your season until and unless it’s a major change in the code base which you are going to. Sure.

So, Sudeepan, that’s very, very interesting. What I find very fascinating is that you mentioned risk quantification as a SaaS product. So, how does this empower organizations? Is it available for end users as well or is it just more B2B facing? And could you give us an example and walk us through how you guys do this? Okay.

So, apparently if we talk about the user journey in this case, so we come in as the middleware. So, let’s say if we are serving Aave in this case, then Aave is sort of a protocol which is interacting with several other protocols in its environment. And that is why there comes in several other third-party risks which are associated with it.

So, where we come in is essentially a middleware where all the security controls which Aave already has can be integrated with us. And essentially, if that can be integrated and all the APIs can be integrated, we only need a read-only API access of all the security controls which we have. We pull in signals from them.

These signals are basically data packets from all the security controls. And using our own Bayesian network model plus something what we call the Monte Carlo simulation, we throw out these three important factors to you. Number one is the breach likelihood.

Number two is the dollar value risk. And number three is how to mitigate it and what can be the actionable insights. So, these are the three things we primarily focus on.

And this can eventually help the organizations to make really, really significant decisions on how to spend on security and where to spend on security. Because they’re really having a lot of issues regarding calculating the ROI on security, which we call the ROSI, return on security investments. They’re not able to understand this entire scenario.

Just because you are going on spending on audits on one hand, and you’re going on spending on incident response. You’re spending nothing in between. So, how do you understand what is the return on security investments? Audits don’t give you a continuous return on security investments.

Neither do spending on random incident response tools give you some ROI on the entire security thing. So, how do you bring up an entire track that you’re spending, let’s say, a million dollars on security, then does it give you some great outcome out of it? They’re not able to understand that. And that is where we come in and say that, hey, we have a one-stop solution where you can essentially connect any business risk to the impact, financial impact, which is there associated with it.

So, yeah, that’s pretty much it. And apart from that, we are keeping an angle for the retail investors, where we’re quantifying the risks and the breach likelihood score we are giving. Obviously, this is in consulting with the organization.

Whatever the organization wants to show to the protocols, DAO or the people or their community to build more trust. We are having this entire page for retail investors where they can essentially see the cyber risk on which the organization is sitting on at any given point in time or the protocol is sitting on. And then they can analyze that my funds are how much secure if I invest in this protocol.

And that is how I think the entire community will grow up as a whole. Because, you know, there’ll be protocols. I can bet and I can say that there are protocols currently.

They’re sitting on so much amount of risk. They don’t even understand they’re sitting on so much amount of risk. And we integrate a solution.

They’ll be able to understand that they spend in a proper way. And I think the basic issue with Web3 currently is the adaption problem which we all are facing. And if, you know, these hacks continue on, the adaption will be a huge problem.

Because if you talk about, let’s say I today open one new protocol, the users of Aave only will come to my protocol. I’ll not be able to acquire some new users from Web2 to Web3. That’s the basic problem.

And that problem will get mitigated once you have less and less number of risks associated with the transactions and the users’ interactions with your protocol. So that is very, very critical. And that is where we are playing a pivotal role.

All right. Okay. This sounds, you know, extremely interesting.

So right now, as of now, because, you know, you mentioned that this is probably it makes a little more sense for, you know, businesses than retail users, even though you have an angle for them. Can you tell us a little about the protocols that are utilizing your platform? Sure. So, like, our primary target right now is, you know, to get into DeFi as a sector first, because, you know, we are trying to build things up, down with them, because that is the most affected sector as of now.

And secondly, is to literally go into the infrastructure where, you know, there’s this entire thing around CK coming up. And then we have a lot of stuff around NFC infrastructures, not NFC as a token or as some marketplace, but NFC infrastructures, which are getting built, payment solutions, which are getting built. All these solutions require a very high risk analysis across their organization and obviously across their technical code base as well.

So that is where, you know, we come in, primarily targeting right now DeFi and a few connected industries. But what we are actually interested in and what actually drives us is basically this entire, you know, private blockchain industry where, you know, you have these hyper ledgers and DLTs getting used by over 42,000 companies across their supply chains, as well as banks, some of the biggest banks like HSBC, and as well as Standard Chartered using blockchain across their own banking products. So that is a pretty interesting sector to get into.

That’s a huge sector, to be honest. That’s valued at in 2030, that’s about to be valued at about $54 billion only in securing those assets. So that’s a pretty big industry and that is our final goal to get into.

But yeah, we are now getting into this entire DeFi sector with primarily starting with DEXs and lending protocols. Awesome. So tell me a little about, you know, your product DetectBox.

You mentioned that it is basically creating or helping with more efficient audits. So how is a DetectBox streamlining the process? And again, what is perhaps like one USP as against the traditional auditing services in Web3 space? Sure. So if you talk about auditing, then the problem with the audit sector is that there’s no transparency in the audit sector.

If you talk about all the firms which are doing audits, as in the traditional firms, then they do not let you choose or let you know who the auditor was at the back end and what his experiences are. And that is what we figured out and that is what we gave down to one platform where DetectBox is a platform which gives you permissionless access to all security researchers across the globe. What do we mean by all security researchers across the globe? It’s not 1% of the security researchers across the globe because we have a strong due diligence process on all the security researchers who are entering or getting into DetectBox for performing audits.

So we really have a stringent process by choosing them. But at the same time, you know, once that is done, we also have a lot of huge pool of auditors to be specific. Now, the problem with this was with one particular firm is that not talking of the biggest firms, because they have a lot of people employed, talking of the mid to small range firms who are doing audits is that they cannot handle a lot of projects coming to them just because it’s around 4 to 10 people on average in their team.

And that’s a huge issue. You’re not able to audit more than 5 to 6 projects at a time. And that is where actually the issue of scalability comes in.

Because if you are not able to scale, the projects are facing the issue. So let’s say you are a project, you are going to this particular audit firm. He’s only already handling 5 to 6 projects, and he’ll not be able to take up another project.

So he’ll give you a 30 days of wait time. And then he’ll take another 30 days to do the audit because of his internal operations. And traditional audit firm works in a very traditional manner with their business development team, you know, the sales team, the marketing team working together and then getting the client and then the business development team who does not understand tech, getting the conversations down from the auditor to the development team of the client.

This creates a huge issue. And on average, if you also consider the wait time, then it takes around 2 months to get through the entire audit procedure and then launch your product. What we did at Unsnarl is that, essentially at Detectbox, is we removed the entire wait time at Unsnarl or Detectbox, the wait time is zero.

You can just come in, you can list your project. At the same time, there are auditors who are just waiting, they’ll get a notification directly in their mails from our platform that there’s this project which is listed. They automatically come to the platform, they’ll bid for that particular project.

Once there’s a match in the team, we now take over the entire project. And we say that we manage the entire audit supply chain. We’re not just a matching platform.

Now that the match has occurred, we have something called DetectWarden on our end. We have removed the entire business development layer from the internal operations. Yes, there exists a declined acquisition level, but after that, the business development team has no role.

So basically, we have someone called DetectWarden, who’s again a security researcher from our side. And this security researcher basically does a residual vulnerability check and manages the entire audit procedure and watches the auditors. The auditors were selected by the team of developers of the client, watches them and controls the entire audit procedure.

So that is where we are actually able to maintain the quality of the audit which we are performing. So yeah, that’s pretty much it. And we proudly delivered all these last few audits on an average in 7 to 14 days.

That’s a huge benefit for the client. Because number one, we are globally compliant with all the security standards, which are their standards, smart contract security standards, which are declared. So there’s no way any person can come and tell us that we are not compliant or we did something less than any other big competitor in the market.

Number one is that. And we did that within 7 to 14 days, which means that we’ll be able to launch much faster into maintenance. So we do provide a lot of flexibility and advantage in that case.

Yeah, yeah, that’s pretty much it. I think we solved transparency and the hassle in the industry, which is there. And we got a lot of good reviews while we were building DetectWars.

Awesome. Awesome. That’s brilliant.

I think this is something that I face as well, right? Because every time you go to a security audit company and you request for an audit, there is a very long waiting time. Like even the top-notch security audit firms like Certik and any of them, basically. You go to them and they tell you that they’ll get to it perhaps after a 90-day period.

And that is when they’ll begin. So usually when you’re trying to deploy very quickly, that is obviously not something pleasing to hear. Neither is it very conducive for your business timeline.

So this particular process being streamlined and that too by an Indian company, I could not be more proud. So really kudos to you. And I can’t wait to check out DetectWars now.

Probably we’ll be hearing from my team very soon to audit some of our contracts, considering you’re making it sound so easy and streamlined and quick. Wonderful. So tell me, because you are absolutely the expert in this space, what are the kinds of security threats that you potentially see or how do you think the security threats in Web 3 are going to change in the coming future? Okay.

So what I personally feel is that Web 3 is just another form of Internet. Now, let’s talk about technology in general first and then let’s get into this entire Web 3 thing. So if we talk about the entire world right now, we’re sitting on top of AI revolution, let’s not talk about AI, a deep learning revolution, which is going all across the globe.

Now what’s happening as an effect of it is that we are generating, processing, and storing huge amounts of data. Now when we are generating, processing, and storing huge amounts of data, that essentially means, because we are now in the space where we are into Gen AI, and Gen AI is essentially generating more and more number of data over time, and all these data are again getting stored into centralized servers. So if these are getting stored into centralized servers, like for example, if it’s server of Google, if it’s server of Amazon, or Microsoft, or Open AI, then it creates a single point of failure again.

So definitely Web 2, by saying this I said that Web 2 is definitely not a way where our assets can be secured in the long run because whatever data we are giving down to the Internet is essentially one of our assets. So obviously Web 2 is something which is not scalable beyond a point when we have a lot of data. So how do we decentralize stuff, and what threats do come in along with decentralization? So number one point is that we are already having a lot of infrastructures around decentralized clouds and stuff.

We already have Filecoin doing huge in terms of whatever they’re doing in decentralized cloud storage. So there’s a lot of potential in that, and we eventually will move into decentralized storages because otherwise we won’t be able to store that gigabyte or zettabyte amount of data which is getting produced each and every time. But what comes in essential over here is that since blockchain is more of a public infrastructure, so basically we cannot tamper data on blockchain.

That’s obviously because blockchain is inherently secure, but at the same time if we talk about blockchain, it’s an open infrastructure. Now if it’s an open infrastructure, it essentially cannot hold a lot of your data which is open or open to the government or open to some of the intricate bodies. Like for example, most of your photos which are now stored by Facebook or now stored by Instagram, if all those photos are stored across a blockchain, then it might seem secure, but at the same time that’s going a lot more public with a lot more public access.

So the basic problem which would happen in that case is privacy, number one, which I think is getting tackled a lot through ZK and the initiatives that Polygon has taken on in this. So I think ZK and protection on data is the next big thing in security. We have been only speaking about, hey, we got hacked of $100 million.

We got hacked of this million dollars in DeFi. DeFi is just one segment of Web3 because Web3 is the next internet. You cannot speak like that only DeFi is there in Web3.

You only speak of NFTs in Web3 and NFTs in Web3. Web3 is the next form of internet. If it’s the next form of internet, all data of the public will essentially get stored on Web3.

And if it’s getting stored on Web3, then there needs to be an entire security stack which needs to be built for the data protection layer on Web3, which will be very different from Web2. You cannot simply put firewalls to secure database in Web3. That’s not happening in Web3.

So there’s this entire… And even if that happens, you’ll run into multiple costs because now that you’re saying that you’re decentralizing stuff and it’s an entire decentralized cloud, then how many firewalls do you put? Do you put millions of firewalls across all those decentralized nodes? That’s not possible. So there needs to be some other solutions which are coming in to manage this entire data layer of Web3 because still we do not have people’s data much in Web3. It’s only financial transactions which are happening.

So I think that’s the next big opportunity and next big thing which will eventually come up in Web3 because that’s not there and that’s very essential. Awesome. Awesome.

I think you’re absolutely correct. I believe that this space is already… People, I think, have realized gradually after all of these scams and rug pulls that security audits are very, very important. And I think this entire security space, it’s like an octopus with many, many arms and it keeps growing and evolving.

And you have to, as somebody who’s building in this space, you have to be very dynamic and keep ahead of the innovation. You have to keep ahead of absolutely the bad elements to make sure that the space itself is able to thrive. And users themselves, I think, are now looking and understanding it a little more and they understand the importance of audits and the security aspect of all of these projects before they want to, like, perhaps, tinker with them.

Yeah, sure. So, absolutely. Because, you know, you won’t have any sort of adoption until and unless, you know, people are getting thrust built into this entire ecosystem.

So, you know, just, you know, solving this entire adoption issue through wallet extraction will not help. How much is that wallet prepared, wallet extraction secure? That is the question. And that is where, you know, all financial transactions, and that is why, you know, Web3 itself cannot exist without regulations as well.

In Web3, we do not have any compliance, security compliances, or any regulatory compliances across the organization. And I think that essentially needs to come in because, you know, you just cannot say that all those regulatory compliances which were there or security compliances which were there in Web2 were just for the sake of being there and they are no longer relevant. A lot of them are relevant.

I would say most of them are relevant. You just need to mold things down and apply them to Web3. And you need to have compliance because if you don’t have compliance, it’s people putting in money.

And at any given point in time, governments are not going to support you. You cannot run your organization as a capitalist and then you say, I’ll go to a government and say that, hey, I’ll run my organization as a capitalist. Now, you consider me in your government or not.

That’s your problem. That’s not your problem. That’s your organization’s problem.

That’s not government’s problem. The government will shoot you out. So I think that’s where we need to all come in with regulations, with actual rules and stuff coming in.

And that is where we’ll get support of governments and mass adoption because if government does not promote blockchain, then how will people come into blockchain? That’s evident. Right. Absolutely.

So recently, I think first of all, what you are saying in terms of having some kind of perhaps standards, I think self-regulation is very important. Having some kind of standards when it comes to security is becoming very, very pertinent. There is a big need for people and the people who are building in this space to be a little more aware and perhaps self-regulate themselves till perhaps regulations kick in.

I’m not too sure how keen am I on regulations actually because I feel like it infringes upon the decentralized ethos of the space. But some amount of self-regulation is very important. And I completely concur around that.

Exactly. Like if you talk about the regulations which are there around a lot of taxes and stuff, then that definitely goes, a lot of stuff goes against decentralization and the government needs to make amendments on that. But at the same point of time, if you talk about security, let me get this very blatant point that all these security audits which you guys are currently doing from any firm, I am 90% sure that the auditor who’s doing the audit does not have a certified ethical hacker certificate.

And that certification is very essential. In Web 2, if you do not have a certified ethical hacker certification, you cannot perform any sort of penetration testing. You cannot perform any sort of freelance work for any organization if it’s for security or for code review, if it’s anything.

And that certification is given by top institutions across the world like Microsoft. And you need to go through a course for that. You need to learn a lot of stuff.

How does an organization security work? What do you need to keep in mind? And that is what is not there in Web 3. In Web 3, all the security auditors whom you see have either, the top ones have come from Web 2 security or Web 3 security, but most of the population, the 90% of the population who are participating in Code for Arena Sherlock are college people. They’re college developers who are finally turning out into auditors or they are sort of direct turnouts into auditors because they can directly see that you can earn quite a few bucks over there. So you should not see security in a way that it is being seen currently in the industry.

Auditors should be very credible people. If they are people like this, then it’s a huge issue and that will create a lot of problems in the future. Right, absolutely.

I think that is something that you and I can both agree on. So tell me a little about your recent fundraise. You guys have closed a round from Antler and you’ve also received some grants.

So how has this changed your journey? We had received our first grant from ETH India back in November 2022, I guess. And that was the point when we actually traveled to Bangalore during the last ETH India and we met a lot of people, we did a lot of networking, got to know about the industry and then we finally started building what we are building. What we were building at Detectbox after getting a lot of insights.

And then we actually got our second grant from Starknet and then we got our third grant again from ETH India this year. But the journey with Antler has been pretty interesting because we enrolled into the Antler India Fellowship after the Antler India Fellowship had closed last year. They took us into this year’s cohort and we were the first to get selected over there.

We got into there, we got a $10,000 worth of grant from them. We built out our entire product using that $10,000 plus whatever grant we had received from other places. We built out a team, we built out an entire product, we got some clients, we did a lot of sales.

And now that we have done sales, we have now seen a huge gap in the industry for which we are building out our entire product and for which we are undergoing rebranding as well, which in a few days you will see a change across all our social media platforms and obviously across Telegram as well. The group name will change as well. So we are going into a literal change across that.

So I think on the organization level, a lot of things have changed. But we as people have developed a lot. I think we are shaped as founders during the program that we were there.

The difference between a college student and a founder is that there’s this corporate duties which come over and there’s a lot of corporate responsibilities which you need to take care of, legals, financials, and then there’s operations and stuff, all the system processes which are there. I think all those things we learned and we got a lot of guidance from some of the top people of the industry. We got guidance from the co-founder of Pornstamp as well.

So using all that knowledge, we finally landed up to closing our pre-seed round with Antler. And now we are going up with obviously a bigger seed round with several other VCs coming in. So that’s pretty much been our journey till date.

And Ansanal has radically changed. We at first started off with something around security tooling, audit tooling, somewhat like solidity scan. And then we took a pivot of our idea into something around bug bounties and then we created this entire product called DetectBox.

And then we figured out the next billion dollar opportunity around risks. And then that’s what interested us and intrigued us a lot more and that’s what we’re doing right now. All right.

Awesome. Congratulations. And more power to you guys and what you’re building.

So, you know, this has been such an interesting conversation with you guys. The building is so exciting that I completely lost track of time. I feel like I’m saying this a lot with my recent recordings, but I think that I’m really grateful that I get to speak to such wonderful people who make absolutely that time fly.

So, you know, we’ll have to wrap this up. But before we do, I would like to ask you, you know, one question that I ask everybody who comes on this particular show. If somebody is, you know, peering in from the Web 2 side into Web 3, like you did pretty much, what would be your advice for them to start living on blockchain? Okay.

So, like, if you talk about live on blockchain, essentially, you need to transition from the mentality of centralization to decentralization. And that’s a pretty much mindset which even my parents have today. So, if you talk about the newer generation, the newer generation, I think what is driving people towards Web 3 is the loads of opportunities which are coming in and the face scale of the opportunities which are coming in because, you know, you have a lot of money currently flowing down.

I know it’s a downtime right now, but overall, if you talk about, there are a lot of opportunities which are there in Web 3 which are generally a lot more high paid as compared to, you know, all these Web 2 opportunities which are there. So, I think that that is what was driving people till now. But now that there’s no funds and companies do not have any money, then what actually drives people towards this is the technological stack or the technological innovation which you can bring on in Web 3. You cannot do that in Web 2. Apparently, because it’s almost saturated.

If you talk about FinTech in India, then FinTech is a lot developed already in India with UPI coming in and, you know, the entire stack getting built over UPI. So, you know, for any infrastructure, for that matter, for any internet to flourish, Web 1 was an internet, Web 2 is an internet, Web 3 is another form of internet which is getting built. There needs to be an infrastructure layer which needs to be ready.

Now, there was this EWS and stuff which is coming up on top of which Web 2 was entirely built. And then now, we have this entire stack of Web 3 where still infrastructures are getting built and on top of which several products will get built. This entire decentralized finance will get built.

Supply chains across the world will be much more, you know, sophisticated and very easy to understand via blockchain. So, that entire layer will get built. But how do we build that if we do not build an infrastructure layer? So, you know, we do have a lot of friends from other colleges who are, you know, who have been traveling and traveling down to all these conferences down in Dubai, Singapore and all these stuff.

And the thing that intrigues them about this thing is the community which is especially there in Web 3 because that’s super supportive and that’s super excited as well. So, if you have a lot of excited folks together in one room, then it cannot happen that you cannot build something extraordinary because that’s how you build a great product. That’s how you build great companies.

So, I think that that should be the motivation of, you know, actually building something new or building something where, you know, they can have some command on or they can proudly say that, hey, I actually built this protocol or I actually built this layer of the internet for Web 3. So, I think that is something pretty interesting and that is something which is driving people and which will drive people in the future as well. Absolutely. 100%.

So, thank you so much once again, Sudeepan, for taking out the time to speak to me. Before we wrap this up, any parting thoughts? My only thought, if you talk about at this point of time only give around, you know, entrepreneurship because I recently took the plunge of dropping out of college and, you know, really, really building things down in security which is a deep tech stuff which we are doing. And, you know, a lot of people questioned us because we were two college people 2021 who were going down and building security, company security is essentially a very, very deep and ignored topic at the same time as it’s very complex and difficult to understand.

So, how do you go out and build that? We got a lot of criticism from a lot of people, but I think what matters is the grit with which you are standing at any given point in time and your, and your, you know, understandings about the industry where you are building and your focus and your clarity on that. So, I think I took the plunge. I took the plunge as a third year right from IIT BSU and my co-founder took the plunge in his fourth year.

It was his final year. He did not complete his college. He also took a drop out.

So, if, if, you know, we can do this at 2021, then I think a lot of people can do this and not run behind blindly into, you know, this is a problem with India that people run behind into directly MBA colleges. They want to get a staffing degree done, but if you do have something significant down in college, you should really consider it and if you have some traction, if you are doing something pretty great, then I think you should go ahead and take the risk because opportunities are not going to come again and again in your life. Very well said.

I think that is something that everybody can pick a cue from and perhaps change after their long lost dream or something that, you know, they’ve kept at the backburner for some time. Once again, thank you so much for taking out the time to speak to me, Sudeep, and it was really wonderful talking to you. Great to talk to you too.

Leave a Reply

Required fields are marked *

Comment*

Name*

Website