Host Intro (Gene Kim)

Gene Kim: All right. Some of you may remember, in 2018 and 2019 I got to do a fireside chat with Chris O'Malley, who was then CEO of Compuware, along with their CFO Joe Aho. I learned so much from him, like many of you, because he so brilliantly modeled how business leaders can lead the charge on creating dramatically new and better ways of working.

In his words, Compuware went from a company that hadn't shipped a feature in decades to one that was shipping quarterly and brought that platform into the modern software age. It didn't surprise me at all that Compuware was eventually purchased by BMC, which handsomely rewarded all their hard work.

I was so delighted to hear from Chris O'Malley again, this time as the CEO of Exabeam. Again, it didn't surprise me to see him at the forefront of thinking about how AI can reshape his organization. Alas, he isn't able to be here today, but two people who work with him are.

Steve Wilson is their Chief AI and Product Officer, who you may know from his fantastic work on the OWASP AI guidance team. David Rizzo is their Chief Development Officer, who also worked with Chris at Compuware. I'm so delighted that they are going to share their story on how they're using AI, not just for development, but across the organization. You'll hear some themes that echo from yesterday. So here is Dave, David, and Steve.

David Rizzo

David Rizzo: All right. Good morning, everyone. It's good to see you all here. Nice crowd, and glad to be back having time with Gene. Thank you, Gene, for the great introduction.

We're here today to talk about Exabeam and how we're transforming a technology enterprise at scale, and how to bring AI to an existing party that's already running and moving along.

I'm David Rizzo. I'm the Chief Development Officer for Exabeam. On the screen here we show Chris O'Malley, and Gene did a great job of talking about Chris. Chris wanted to be here but could not be here, but wants us to share the story and the things that he has helped to drive with us.

Steve Wilson

Steve Wilson: And I'm Steve Wilson. I joined Exabeam about two years ago as the Chief Product Officer, and I'm such an AI fanboy and pain in the ass that they also asked me to be the Chief AI Officer about nine months ago.

David Rizzo: That's an accurate self-description.

David Rizzo

David Rizzo: All right. So what is Exabeam? Exabeam is a leading AI-driven security operations platform. But how did we get here? Two years ago there were two companies. One was LogRhythm, one was Exabeam. We did much of the same things. We competed in the same space, but we had different expertise.

LogRhythm had its high expertise in SIEM and that arena, and Exabeam was very strong in user behavior analytics. A year and a half ago we started the endeavor to bring those two companies together. It was finalized about a year ago. For the last year we have been running as one company under the Exabeam name.

That company today has all those capabilities brought together from the two companies, including the SIEM, UEBA, and SOAR capabilities. We are 3,000 customers around the world, strong in 22 different countries, and we are setting the world on fire, we hope, within the cybersecurity space.

Steve Wilson

Steve Wilson: One trivia fact that David didn't add is those two companies, LogRhythm and Exabeam, one of them was 20 years old and one of them was 14 years old when we merged them. This slide has some smaller numbers of years on it. What this slide actually is, is the fastest companies to ever grow from $1 million in revenue to $100 million in revenue.

I think you know where this is going. The ones that have done this the fastest are this new generation of AI-native companies. That's really cool if you are going to go do a startup and you're looking for venture funding; you want to think about how to build one of those companies.

But what if you are a 15- to 20-year-old company or older? What are you going to do about it? Everybody says be Amazon, don't be Sears; be Netflix, don't be Blockbuster. But that's almost a set of truisms. The fact is, though, there are a lot of existing big companies that did make the transition. Maybe the more accurate thing is don't be Sears, be Walmart. Don't be Blockbuster; be HBO. They both made the leap. They became the things that they needed to be on the other side of that transition.

So the question is: how do you take your existing business that may have thousands of employees, hundreds of millions of dollars in revenue, thousands of customers, and make that a strength and make yourself thrive in this environment of AI-native predators that are coming to eat your lunch with AI coding agents who think they can rebuild your business in six weeks?

The way we've been looking at this is you need to do three things. It's not just a one-trick pony that you need. We've talked a lot over the past couple days about this idea of shifting your software development to be AI-native, and David is going to walk us through what we've been doing in that arena because it's important. But I think you need to look at the second two columns if you're really going to make this transition. We're going to talk about those as well: how do you take your products and not just develop them with AI, make them AI-native products? And the last one is you need to completely transform the way that you do business with AI.

I'm going to turn it back over to David.

David Rizzo

David Rizzo: AI-native development. As Steve mentioned, when we brought the two companies together, we had a development organization and a product code base that were 20 years old, 15 years old, and anywhere in between those age ranges. We had to make sure that we were continuing to innovate and continuing to move forward.

I'm going to start my presentation with something I'm very, very proud of: we were recently awarded one of the 2025 DORA Awards for our use of AI within our development process. Not only are we doing it and talking about it, but we're getting recognized for it. I'm very proud to be able to show this, that Exabeam has moved through and done things that are being recognized in the industry.

What did we do, and what were we recognized for? Improving our developer productivity and velocity. We talk about DevOps and having a good pipeline and using that pipeline to deliver with continuous improvement. We took it a step further at Exabeam and introduced AI into that pipeline, through the process, to use in many different areas, including our code review.

One hundred percent of our code reviews of code that we put out to our customers has a code review that is done by Gemini, and we get feedback from Gemini, which is an amazing gift to us to be able to use. Now, for anybody listening out there, our code is also reviewed by humans. Of course, anything Gemini tells us, we validate. But that is allowing us to accelerate in one area.

In addition to introducing it in different areas of the pipeline, we decreased our lead time for changes from two days to eight hours. Our mean time to recovery improved from two hours to one hour. Deployment frequency continued about the same. Pretty proud that we had gotten our deployment frequency to multiple deployments a day, so we've stayed there and it's helped us maintain that. We felt we were at a pretty good pace to begin with. And we're improving our failure rate so that we get better every day.

That was kind of the end of the story of accelerating development with AI coding tools. The things that we did in the pipeline: we did the code review piece, which was pretty significant. When we wanted to introduce that code review piece into our pipeline, of course developers and our most expert developers said, why would I let some AI review my code or review what we're going to send out to our customers, because I know best?

One of the things that we did as a test was say, okay, you know best. We'll do Gemini, we'll do human, and we'll see what happens. Humans did a good job. They did a good code review. Gemini pointed out things, and the AI pointed out things, that they did not find. It became evident that together we're better: using the AI to augment the humans and provide us faster, better moving of code and moving through the pipeline.

So we use AI, of course. That's the big piece we talk about with the code review piece, but we've used it throughout the pipeline. We continue to introduce it throughout our pipeline.

That's how you can build product using AI. You can incorporate it. But can you improve products? Can a company that's 20 years old and drives $100 million in revenue improve products with AI? The answer is absolutely yes, you can. AI empowers teams to safely modernize legacy code. Problems become advantages to us.

I'm going to tell you a story about AI-driven code refactoring, modernizing our legacy code. We had a piece of code whose basis originally started in about 2005. So, LogRhythm, founder-led company. One of the founders, as in many startups, had written code 20 years ago that was still part of a piece of code that had continued to grow and expand and was part of a process that our customers used to improve and update their system.

We had gotten to a point where that process was taking 20 minutes, which meant the product was not available for them for 20 minutes while they made this update. There were complaints about that, and that was a pain point for our customers.

We sat down with the development team and said, what should we do? They said, don't do anything. No one should touch this because it's 20-year-old code; the founder is no longer there, and we're scared of it. We said, okay, we've heard that a lot. We're going to see what we can do with that.

So in comes Claude. We brought Claude in, who is now our number one developer, and it took a while for people to understand what Claude was. I had a few people ask, who is this Claude guy? We brought Claude in and did analysis. Claude was able to give us an architectural diagram, explain what the code did, and identify opportunities for improvement.

Because we didn't trust AI so much, or developers didn't, we went through an additive process. This process I talked about was taking 20 minutes. Our first iteration with Claude got us down to 15 minutes. Our second, third, fourth iteration, we got to the fourth iteration of Claude and the code that we ultimately put out for our customers. We took that 20-minute process down to two minutes. That's a 10x improvement on a reduction in that downtime for our customers. That was all done through the use of Claude and accelerating our process that impacts our customers directly.

So an amazing success story. Our developers didn't think it would work. They believed it. Our customers wanted something, we delivered something, and Claude helped us do it. You can introduce the AI into these established enterprises and make them more successful.

Steve Wilson

Steve Wilson: David's talked about how we accelerated our development of our products, both what I'll call our legacy on-prem, self-managed product, as well as our cloud-native product. But the next challenge is not just how do you develop faster. It's how do you change what you are developing to meet the needs of the market?

I think we've all seen it over the past two, three years. AI has gone from being a really not-cool term for crazy people to being the hip thing. When I go to the cybersecurity trade shows now, all of the booths, people have just taken whatever they used to do and sprayed AI-native, AI-enhanced on the side. I'm sure whatever trade shows you go to, it's the same thing. They're all AI something.

But what does this mean to me? It means looking at the biggest problems that you have in your product set and saying, can I now attack these? David took the biggest problems in the code base and attacked them. Can we do the same thing with the biggest problems in the way our products work and the way people use them?

I'm going to show you a slide. This is a hairball. You can't read it in the back of the room, and that's kind of the point. The net of it is what Exabeam does with what we named user behavior analytics, which we should have just called AI something, but it wasn't fashionable then. The fact is we can sort through terabytes, even petabytes of cybersecurity data to find evidence of hacker intrusions and shut them down. It's amazing. We built the company up beyond $100 million on that strength alone.

But as growth started to slow down, we had to look ourselves in the eye and say, what's going on here? The fact is, this slide is the hard part. What you see in the middle there is a log-file line from a cybersecurity product. What we were great at doing was finding the needle in a haystack that says, this means there's probably an intrusion going on. What happened then is that got handed to a human, and that human might spend the next several hours asking many of these 47 questions that are on the screen. But the human has to know to ask them, has to know how to ask them, and what to do about it. That meant our products needed truly expert users, and that was limiting our growth.

So what do you do about it? You say, great, I've got some machine learning algorithms underneath that are helping me find stuff. Let me now use the latest AI technologies, and we're going to build an agent that is going to completely automate the first level of analysis of that. It's going to go ask those 47 questions and figure out what to do about it and start you down that path before the human even clicks that case to open it up and start the investigation.

We've had this capability in the market since the beginning of the year. Another talk, we can talk about how we managed to do that in a cost-effective way without bankrupting ourselves on token bills. But we managed to put this out to our entire customer base. We've gotten a lot of feedback on it, and people are telling us they're three to five times faster in their security operation center at investigating things. This is unlocking value for our customers and allowing us to go after new and different types of customers that couldn't meet that expertise bar that we had.

Now I'm going to tell you another story. This one's in flight, but I think the story is interesting enough at the point we are that I want to share it. David shared we went through this merger. Part of the merger was we wound up with one of the world's largest private equity firms backing the company. We have access to a lot of capital now. We have access, if we can make the business case for it, to go acquire other large companies.

We spent some time in a space that was adjacent to us looking at the idea that we could do that. There were some synergies there. We went and looked at some companies that ranged in price tags from $20 million to $100 million. But at the end of the day, with what we knew about our ability to build software more rapidly, we looked at these products that these other companies had built and I said, it's not that hard. Maybe we could be the AI-native predator in somebody else's market.

What did we do? We picked something insane. We said, we're going to build a two-pizza team. It's got to be limited to that. We said we're going to take eight people. Only two of them are going to be engineers. We're going to have product managers, somebody from product marketing, a designer, and me. Mind you, I hung up my IDE 20 years ago. I don't know how to program in Python. I don't know how to program in JavaScript. But we locked ourselves in a room in Colorado for a week and said, let's see if we can rebuild one of those competitors' products. In fact, let's not just build what they built 10 years ago; let's build what they would have built today with the tools that are available.

This one's still in flight. What we left with at the end of that week was, don't be shocked, not a complete product that we were ready to take to market. We're not quite there yet. But what we did leave with was an amazing proof of concept. In the old days, we would have gone to the designers and said, build me some Figma screens and we'll go shop them with customers. What we've been out piloting with a handful of customers now is real working code that does the thing that we want to do, that is completely interactive, that works. We're getting a ton of great feedback about it while we figure out exactly what our route to market is going to be with that.

The thing this implies here is that you can accelerate what you're doing on your own code base. You can add to your product new AI-native capabilities. But also what you get is the ability to look at adjacencies around your current market and say, can I be that predator?

To wrap this up, the next thing to do is transform your business. Everybody in your company should have access to AI tooling. The fact is, they already do. They're all using stuff that you don't necessarily want them using in your enterprise. We've got a whole new class of shadow AI technologies.

There is a recipe to get through this: curate your tools, pick a handful of them, put them through the full security review, integrate them with your identity systems, train people how to use them, and then build guidelines for your employees on how to use them safely. If any of you came to my talk about AI security yesterday, I'm going to tell you, don't use terms like prompt injection and hallucinations. You'll scare everyone away from using the tools you want them to use.

The core of our AI effective use policy is that you, the human, are responsible for the content that you create using these AI tools. You're not allowed to come back later when you've left hallucinations in your business plan and say it's the bot's fault. It's just another tool that you have access to. Get everybody in that mindset and we can move forward.

But the big payoff isn't just giving everybody chatbots. It's true targeted business use cases. We went through exploring a lot of these. Give everybody ChatGPT, they will get better at writing emails. Is that going to move the needle on your business? It will not.

On the other hand, we had a problem where, as a cybersecurity company, we would get 50 requests a week from customers and prospects for us to detail our cybersecurity internal processes and controls. These questionnaires are completely bespoke and different and needed to be filled out by hand. We created an agent that accelerated that by 100x.

Answering routine support questions is fine. What if you instead could look at every support ticket that you've gotten in the first 90 days of deployment of your new product, have an agent analyze that and find every sharp edge on your product, and prioritize what you need to go fix? NLP search on your Jira and Confluence sounds great and is pretty easy to do. I'm going to give you a hint, and you all know this: your Jira and Confluence are full of garbage, and your bot is not going to know the difference. On the other hand, having each department curate and groom a set of data is going to pay off.

What we'd love to talk to you about if you find us the next couple days is: what's a recipe that some of you have for just enough AI training to get your non-technical users up to speed? And what are strategies for sharing agents internally? What tools are you using? With that, thanks a lot.

David Rizzo: Thank you all.