Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
From Zero Funding to India's Only Listed Cybersecurity Firm: Quick Heal
32 Plays1 hour ago
In this conversation, Sanjay Katkar, Founder, Quick Heal Technologies, India's only listed cybersecurity firm, breaks down 30 years of fighting hackers, the real mechanics of ransomware, and why your Gmail password may already be for sale on the dark web. Sanjay Katkar started debugging viruses on floppy disks as a college student in Pune in 1990, eventually building Quick Heal Technologies into India's only publicly listed cybersecurity company with over 25,000 channel partners, a ₹350 crore revenue run rate, and an enterprise security brand, Seqrite, that competes directly with CrowdStrike and SentinelOne in the Indian mid-market. In this episode with host Akshay Datt on Founder Thesis, Sanjay reveals the counterintuitive truth that being a small business does not make you safe - it often makes you the easiest backdoor into a much larger organisation, a tactic called supply chain attacks that is reshaping India cybersecurity risk for every SMB. He explains how the AIIMS ransomware attack involved months of silent reconnaissance before a single file was locked, how North Korea's Lazarus Group stole ₹89 crore from Cosmos Bank using coordinated ATM withdrawals across multiple countries, and why ransomware gangs actively protect their own brand reputation to ensure victims keep paying. With India's DPDP Act now law and AI enabling 10,000 personalised phishing emails per second, this episode arrives at the most consequential moment in India's digital security history. 👉How Quick Heal bootstrapped to ₹100 crore in revenue before raising a single rupee, and why Sequoia Capital approached them, not the other way around 👉Why the AIIMS ransomware attackers spent months silently mapping the hospital's entire infrastructure before locking every system in a single night 👉How hackers use one stolen password from a food delivery app to reset your Gmail, and then use Gmail to break into your bank account 👉What the difference between EPP, EDR, and XDR actually means in plain language, and why even a 10-person company needs to care about endpoint security India 👉Why India's geopolitical moment, combined with bans on Russian and Chinese cybersecurity products, is opening a genuine global opportunity for Quick Heal Technologies in Southeast Asia and the Middle East 👉How AI is replacing L1 and L2 SOC analyst jobs entirely, and what Sanjay Katkar believes will be left for humans to do in cybersecurity operations Subscribe to Founder Thesis for weekly founder conversations and follow Akshay Datt on LinkedIn https://www.linkedin.com/in/akshay-datt for daily insights from India's most compelling builders 00:00 - India's Cybersecurity Problem Is Everyone's Problem 00:02:05 - What Quick Heal and Seqrite Actually Do 00:04:32 - Breaking Down the India Cybersecurity Market 00:14:07 - EPP vs EDR vs XDR Explained Simply 00:20:51 - How Ransomware Really Works in India 00:29:30 - The Quick Heal Origin Story: Floppy Disks to IPO 00:41:24 - Why Sequoia Came to Them, Not Vice Versa 00:46:22 - How Cyber Threats Evolved From Nuisance to Crime 00:53:55 - Inside the AIIMS Ransomware Attack 00:56:38 - The Cosmos Bank Heist and Lazarus Group 01:19:04 - AI Is Now the Attacker and the Defender 01:33:38 - Quick Heal's Global Expansion and 3X Growth Plan #IndiaStartups #QuickHeal #SanjayKatkar #CybersecurityIndia #RansomwareIndia #FounderThesis #AkshayDatt #EndpointSecurity #QuickHealTechnologies #Seqrite #DataProtectionIndia #DPDPAct #AIcybersecurity #IndianFounder #BootstrappedStartup #CyberattackIndia #SupplyChainAttack #StartupIndia #CybersecurityStartup #AIMLIndia Disclaimer: The views expressed are those of the speaker, not necessarily the channel
Recommended
Transcript
The Rise of AI in Cybercrime
00:00:00
Speaker
AI being used by hackers and malware writers. So fraud is becoming more personal, more convincing. Anything that is smart is hackable. There was one famous at attack where the Cosmos Bank was hacked. They almost lost 89 crore or something like that. How can the money vanish when it's taken out of a bank? hacked data is available on Darkwave, it is being sold because there is a value, somebody is paying for that. Nobody was willing to sell product that is built in India. MNCs were having deep pockets, it's easier to wipe out anybody if you keep on distributing free for say one year or two years. You crossed 100 crores revenue while still being bootstrapped, which is phenomenal. Do you regret being publicly listed?
Founding of Quick Heal
00:00:41
Speaker
In 1993, Sanjay Kartkar was a computer science student in Pune fighting viruses using just floppy disks. 30 years later, Sanjay runs Quick Heal, which is India's only publicly listed cybersecurity company. In this episode, Sanjay taught me how hackers make crores vanish from banks, why no business is too small to be a target for hackers, and how Quick Heal is beating global giants at their own game.
00:01:06
Speaker
Sanjay, welcome to the Founder Thesis podcast. I, of course, grew up in an era where I saw Quick Heal personally. Like my first computer was an assembled computer I bought from Nehru Place. And I remember Nehru Place used to be full of Quick Heal posters and signs in all shops selling Quick Heal.
00:01:23
Speaker
But I suspect that a lot of listeners today, especially like a young 20-year-old, may not know what is Quick Heal. Can you give a reverse pitch? Why does Quick Heal matter?
00:01:34
Speaker
Why should they listen to this story? Very interesting, I'll say ah analogy that you put. You're right. So, Quick Heal, as people know, it it is all started with all antivirus.
00:01:47
Speaker
And today, antivirus means people think like, okay, it's just like scanning a file, removing viruses, which is no more needed nowadays. and to what is Quikhil.
00:01:57
Speaker
but If you see, of course, Quikhil started in those old days where PCs were offline, we used to have floppies and all that viruses were a completely different challenge.
00:02:08
Speaker
But over the years, the threats have evolved, evolved to the level where we are now seeing very sophisticated threats are more silent, more targeted, and they've like kind of evolved into, I'll say, money making machines where lot of scams, frauds,
00:02:25
Speaker
and means fraudulent activities happen and that's where now Quick Heal has also changed its place. since It's not only protecting you from viruses but it's also protecting you from scams, frauds, fraudulent applications and links and then of course making sure your identity is safe. So it's no more about protecting PCs, it's protecting identity I'll say. yeah And this is not the only business that Quick Heal has, right? You have, of course, a consumer business, but you also have an enterprise business. Yeah, yeah, that's all. Yeah. So we also have a vertical for enterprise security. It's a completely cybersecurity solutions vertical, which is under the brand. sec right
00:03:07
Speaker
And in that we we are more focused on endpoint side. So we are having an endpoint security, endpoint detection and response, extended detection and response. These are the services and solutions that we provide for large enterprises side.
00:03:20
Speaker
And but you are a publicly listed company as well. Yeah, we got listed almost 10 years back. 10 years, wow. Yeah, and I'll say only cybersecurity solutions provider that is listed in it here.
00:03:32
Speaker
Oh, amazing. See, since we are into the vertical where we have to invest a lot into cybersecurity, new innovations, newer technologies, products and we are in that phase. So if we see if you see and if you track our list journey after listing our EBITDA has like been from say 45% and then now to the level where it is in single digits. It's just because cyber security is going through transition phase a lot of investment is happening into new generation security and we being in India we don't want to stay behind we have to make sure we are up to mark and that's where the most of the investment is going on.
00:04:11
Speaker
So let me start by asking you first about the space.
Evolution of Cybersecurity Industry
00:04:17
Speaker
If I'm an investor, why should I invest in cybersecurity businesses? You're the only listed business. So in a way, also a case for investing in Quick Heal. But what is the case for cybersecurity businesses? How big is the TAM in cybersecurity? Help me understand that a bit.
00:04:36
Speaker
So, see, cybersecurity as a vertical is a quite, I'll say, very wide and and so it involves a lot. It means it has evolved over the period. started, as you rightly pointed, it started from simple days of virus, antivirus.
00:04:51
Speaker
Now it has evolved into a very big industry and especially on the enterprise front, which I'll say globally contributes more than 90% to the cybersecurity overall business. And it's in billions. its like 200-300 in the range of 200-300 billion. But then if you talk about us, we are into endpoint side more ah prominently. So our focus and our strengths lies in endpoint detection and response, EDR, XDR and threat intel and all these services. So that vertical, if you see in India, it is around to 600 crore market and that is that is growing in ah in the range of ill say 10 to 15 percent but at the same time if you see cyber security as a vertical is a vertical that is never going to be out of fashion. One because technological evolutions are happening like anything and if when there is technology being innovative and if it is
00:05:50
Speaker
It has to be smart. And if it is smart, it can get hacked. Anything that is smart is hackable. And that's how I always say we are into the era of AI, we are into the era of quantum computing and all. So the more sophisticated things are getting released and newer versions ah of AI are being released, the more sophisticated attacks we are going to see, the more sophisticated attackers are going to become. And at the same time, cybersecurity is going to become a very interesting vertical. and protecting them is going to be a very important business, I'll say. In a way, it's like pharma, how pharma protects the biology of human beings, you protect the digital lives of human beings.
00:06:32
Speaker
That's a perfect analogy, I'll say. Yeah, it's it's going to be there forever, I'll say. Okay. Now, you said you're more on the endpoint side. Can you break down this industry? What are the different...
00:06:43
Speaker
buckets or sub-sectors within cybersecurity and who are major players in each of those sub-sectors? Just so I want to understand the sector. We are, as I said, we are on the endpoint. So here, when I say when we are focused on endpoint, that i talk about I talk about devices that connect to Yarn in network. So these are laptops, PCs, even servers and anything that is at the endpoint side. Okay. And then there's a network.
00:07:11
Speaker
Then network infrastructure involves servers and your applications, web applications and these applications are behind firewall. So something that can protect these is like firewalls or web application firewall and these are means I'll say infrastructure security. Many times I'll recall as a network security.
00:07:33
Speaker
And then there are um ah other applications wherein now that we are having a cloud everywhere and people are digitizing and moving to cloud, again, a cloud security is completely different, vertical altogether. So we putting our applications on cloud and allowing access to our cloud applications to our customers or our employees from anywhere, from their devices, any devices, then it becomes a completely different aspect to protect. So cloud security is one more vertical.
00:08:03
Speaker
And along with that, I'll see, Compliance and governance is something which is a vertical again inside cybersecurity which is getting very much prominence because of the regulations. As we are, see for listed companies there are different regulations, for BFA said there are different regulations. So vertical wise these are different regulations and gradually these regulations are also um making enterprises think about data protection.
00:08:32
Speaker
Now we are into cybersecurity, but data protection has again become a vertical altogether where people have to use solutions like data DLP, data data leak prevention, data loss prevention.
00:08:47
Speaker
And now with the release of this law like DPDP, which is a very talked after discussion in India nowadays, because the law has become reality.
00:08:59
Speaker
Protecting user's privacy become again a very big important aspect and compliance part. Now compliance is causing enterprises to invest into data privacy, invest into solutions that can protect that data. and How can do that? They have to encrypt the data. They have to make sure they disc discover what data is there, how to encrypt it, how to mask it. how to anonymize it while using it and as we all know that we are using technologies like ai and all that where data is the I'll say most important aspect without data you cannot train the models so now that law has come at the right time I'll say it is going to make sure that you're not going to misuse the data or in the sense you're not blindly going to use the data you will
Enterprise Security and SOCs
00:09:44
Speaker
have to mask it you will have to encrypted. All these things have become very important. so So these are the, I'll say, more prominent verticals, network security, infrastructure security, compliance, data protection and cloud security.
00:09:57
Speaker
And stitching all together that into a single dashboard, creating a SOC operation center to handle by an expert to have a complete view of your organization is itself a one vertical.
00:10:09
Speaker
So we call it a SOC operations, security operations center where people, banks like means large enterprises like banks and huge call group mates have their own SOC where people use different tools to have dashboards and control of the complete security of their enterprise and it may be their remote places, remote employees, remote locations, everything and of course cloud and data centers, everything are the one. So these are the, I'll say, different verticals and they are being stitched together by different tools.
00:10:43
Speaker
Okay. Okay. um So can you also give me some prominent names? So in cloud security, I think cloudfware ah Cloudflare would be the big name. Cloud security, if you see many of the prominent cybersecurity vendors like Sophos or CrowdStrike or even Polo they have their cloud security verticals.
00:11:03
Speaker
But if you see Polo Alto is more prominently on the network firewall. So they are in the firewall side. And CloudStrike is something similar to us. They are in to endpoint and detection and extended detection. But along with that, since they are also adding these other verticals like SSC, which we call as secure service layers, and they are protecting not only on the endpoint, but now they are trying to correlate that with the central firewalls as well. actually So these these are like gradually the need for large enterprise security is going up. These newer ah solutions are being stitched together to make it sense actually. Okay. And for infrastructure, what's like a prominent company?
00:11:47
Speaker
For infrastructure, if you see again, Polo Alto is there, then Sentinel one is there. And having a good central dashboard and stitching together. yeah Endpoint you already told me like you are from Semantic, Penmicro, Kaspersky.
00:12:08
Speaker
they Okay. All these companies which I remember selling CDs with antivirus software, these are all in the endpoint space. Okay. Understood. And what about governance and data protection?
00:12:20
Speaker
So governance and a data presence, there are a lot of different startups out there, but now these, o the top brand names that we just took, Amensys, they gradually have acquired these companies and now they have started providing data protection as well. So if you see data protection, DLP related verticals are very, very much into a different league altogether. Like their focus was DLP, but gradually they've started stitching because see, if you see,
00:12:47
Speaker
In threat landscape, there is one vertical which is called as ransomware, which is against your data and they are like on encrypting and shiffing of your data. And now data protection is not only about having backups and making it available all the time, but making sure it is encrypted, making sure it is not, it doesn't fall in ransomware's hands and all that. So that is there actually. And so if you see Traditional players like Veritas or even Dhruva, these are the data backup companies, but they are now claiming data protection with data protection services with ransomware protection kind of layers and all that.
00:13:26
Speaker
Okay. Okay. Okay. And SoC operations? So they are more in the, I'll say network side. So players like Zscaler or yeah they are providing these because they also have cloud based firewall and appliance as well. So that's where they land up actually. Okay. Okay. and Understood.
00:13:47
Speaker
I want to kind of now go more towards endpoint and understand that more from a layman friendly angle. So you said you you use some terms like you said EDR, XDR. So endpoint is essentially protecting the device which a consumer is using. So what exactly is EDR, XDR? What are these terms like?
00:14:09
Speaker
So, I will explain you what is EPP first, which is a basic or fundamental security for endpoint side, which is endpoint protection, EPP. Now, EPP is similar to antivirus on a single standalone machine, but here the importance and the difference is that since enterprise has a multiple or hundreds of thousands of net endpoints,
00:14:35
Speaker
then they need to apply policies actually. They need to monitor the policies, how they are being applied. They need to monitor the updates. They need to monitor all the compliance. They need one single dashboard to monitor all the endpoints so that the IT or a vertical where a CISO is there and then there is a ID team who is a security team. They are monitoring the dashboard and making sure that all the departments, all the endpoints are protected up to date.
00:15:02
Speaker
and anything malicious happening they come to know on their dashboard. So now all the reporting and all ah everything is going central not on the endpoint but protection is there on the endpoint. Now with this the EPP story goes but then what happens you know nowadays the threats are so fast and their life of threat is I'll say Sometimes, even if they are APT kind of threats, they are like say a couple of days life. In the sense they keep changing, evolving very fast. They are cloud based. So a threat changes itself in few seconds because it realizes it is being getting detected. So that level of sophistication has made these enterprises think that They just don't need to only depend on updates and signatures. They also need to take control of their network by sensing all these things. So the way it works is EDR is like endpoint detection and response where every endpoint has a sensor and it keeps telling the admin or the with this sensor that what process is running, what process connected where and it has its own intelligence correlation where it tells that, OK, this species should not be connected to this or this.
00:16:13
Speaker
This email should not be opening executable file from a PDF. These kind of alerts have been generated and then um only when no known threats are detected. This is beyond the new threat. So it's all about newer detections.
00:16:28
Speaker
And then the head of the security can take decisions, do um write ah alerts. ah Once they see the alerts, they take care of the alert by removing the process, quarantining these things or quarantining the endpoint altogether if it is a risk to the organization.
00:16:44
Speaker
Now what goes in XDR is about now with EDR we are only monitoring anything that is happening on that particular endpoint. But with respect to processes and um whatever the antivirus is monitoring.
00:16:59
Speaker
Now imagine your large enterprise also has a central firewall. you have a you have your own ah operating system's logs as well.
Advanced Security Technologies
00:17:10
Speaker
You have network related tools or um things running at the background and they are doing their own logging.
00:17:17
Speaker
And so now if these logs are also trying to show you some error alerts and your endpoint is doing that in isolation, then there is no correlation happening. So there, HDR comes into picture. Now HDR is something that correlates all the logs. It takes all your logs, not only your endpoint side, it also goes into your firewall logs, it also goes into your operating system logs and tries to correlate what is happening on the network. And this makes much bigger sense and much better sense because now you are not only monitoring the endpoint signals, but you are monitoring everything. And this goes
00:17:54
Speaker
XDR is like monitoring everything and gradually people are adding more and more logs. If you see nowadays, earlier like we used to have SIM, which is like a central logging machine where everybody, every application, central application logs things and then it used to monitor those logs and promote the alerts.
00:18:13
Speaker
But now with XDR, this has gone beyond that. Instead of central, it is taking logs from every endpoint and making some correlation and showing it on your dashboard. So that is where the XDR comes into the picture Okay. ah Just like a very simplistic analogy to compare these. So EPP endpoint protection would be like, say, if I take a vaccine for protecting myself from virus that is there. EDR would be like, say, if I'm wearing an Apple watch, which is tracking my statistics, my heart rate, BP, et cetera, cetera. And there is some sort of an alert mechanism that your BP is spiking or something like that. That would be EDR. XDR would be if there was some way to have a very, very 360 degree view of all my vital statistics, everything and somebody who's monitoring. Including your environment where you are there. Including the environment. Okay.
00:19:09
Speaker
Okay. um What is the size of business which needs these kind of services? Would a company with say 100 headcount need this or would a company with 10,000 headcount need this?
00:19:24
Speaker
I'll say more than headcount, we should talk about devices. of keyha And if you so if you ask me in the kind of threads we are seeing, anybody having say 100 headcount or endpoints, this is needed by them as well. So XDR is something that is needed by every one of those.
00:19:43
Speaker
Only difference is that ah If you want to save then you will go for EDR. If you want to save further you can go for EPB. But you will be missing on those threats that are at that shortest time and you will be open for that kind of risk actually. That's what I'll say.
00:19:59
Speaker
Convince me that this is needed. because I'm not convinced. I'll tell you why I'm not convinced, and then you present me your counter argument. I'm running a small business, so I don't understand, for example, the context of a 10,000-member company. But as a small business owner, for example, we use G Suite for emails. So Google provides its own security. there is two-factor authentication. The risk of somebody's email getting hacked, I have not seen in the last 10 years that somebody's Google account got hacked.
00:20:29
Speaker
businesses would use something like, say, a HubSpot, Salesforce, all of these tools to manage the customer data. Most of these come with their own security. Why maybe even in devices like Apple, Microsoft, or even Chromebooks, all of them come with their own device management policies, which give administrators a lot of ability to manage devices. So why do I need? Well, I'll explain. See, if you see, if you are a small business, and if your business is independent where you don't need to interact with any other business or not dependent on or not providing service to any other business but you are directly providing service to your end customers then then your requirements are different now who will be it all depends on like who is going to target you okay that's the question you need to ask if you are ah that kind of business Only thing I can imagine from current threat landscape can target you is the ransomware. Okay. and
00:21:26
Speaker
And then comes like how sophisticated are ransomware growing? Are they growing faster? Are they changing it faster? So then targeted attacks. Ransomware lock me out of my say HubSpot, Salesforce, Gmail, ah Google Suite. Can it lock me out of these? Yeah. Okay.
00:21:42
Speaker
Okay. Yeah, they can do. Why and how? Because, so see targeted attacks, how they happen is, no if if your credentials are lost in certain breach where you don't have control. Say if you have an account on say a food application and your account is, that food application provider got hacked.
00:22:01
Speaker
And your credentials are if you buy mistakenly use the same credentials which you are using for your business login, which is generally the behavior like many of them, this password, guessable after that as well. So that is where these these hacked data is available on Darkwave. It is being sold and why it is being sold because there is a value somebody is paying for it. And so why somebody is paying for that? Because they are now going to use those credentials and target your organization. And how ransomware works is they only target those organizations where they feel that that organization can pay them.
00:22:35
Speaker
Okay, it involves either you are insured or you are having your business completely dependent on your back end which once locked you cannot do business then you are bound to pay.
00:22:46
Speaker
so You mean like for example, if I'm a tech startup, I'm a B2B SaaS company, so I have customer data also on my servers and things like that. One aspect I explained you that now consider so yeah that independent organization or that business is the target of transfer can be okay, but he cannot be a target more prominently for APTs where it's like advanced persistent threat where they are very much targeted, they are nation's state sponsored and all that. so that will only go in a different angle different way if you are a supplier to a large organization now imagine you are a supplier to a large automobile organization or a telecom or a or a power supply company like a nuclear power plant or whatever now you become a way for them to enter into that organization
00:23:34
Speaker
Now, even though you are a small, even though you may be playing a small part in your that bigger organization by supplying say components or supplying some managing a payroll or something, anything, but you are a small organization.
00:23:46
Speaker
But why or these and ransomware will still target you is because they want to target that organization. And they see that that organization has done well, protection, they have we invested so much into cybersecurity that it's little difficult to enter through that. So they'll try to enter using your credentials or your entry into that organization. So that's we call as supply chain attacks. So then if you're not having EDR, XDR,
00:24:10
Speaker
Eventually, that organization whom you are supplying will themselves will carve you out because they don't want to take that risk. Because EDR, XDR are the tools that will point alerts and give you alerts when things are going wrong and before things go means two way actually so that's why i suggest uh even if you are a hundred machine network organization or even a 10 machine network now imagine a ca firm he just has 15 computers but he is a ca for a pharmaceutical
00:24:42
Speaker
and he's having crucial data of that pharmaceutical and they are regularly exchanging data having one channel that goes inside that organization now it becomes easy for a threat to enter through that CA firm if he is not using the latest technologies protect himself okay got it isn't there a constant effort by the OEM by o I would mean someone like, say, Microsoft, Google, or ah Apple, to bundle security and therefore tell a customer that you don't need endpoint protection, it's bundled. Microsoft, I remember, did it.
00:25:19
Speaker
Chromebooks, I believe, are seen to be unhackable. Even MacBooks are generally not seen as risky. So doesn't that constant struggle happen where your offering is being made irrelevant by the OEMs?
00:25:35
Speaker
Yeah, and see now I am into this business for 30 years. I have seen these operating systems providing security is not a new thing. It is it has been there since the 90s.
00:25:47
Speaker
I'll give you an example. Microsoft was bundling MSAV, which they acquired a Central Point Antivirus and they renamed it to Microsoft Antivirus, MSAV, and they bundled with the DOS. So starting from DOS, they have been acquiring security companies. and improving their security and providing it to the end users. Their main purpose is to make sure that their operating system is secure. But then if you see over the history, every operating new operating system they release, they always had been talking about it. That is the best secure operating system, having best of the security features, the newer security features and they improve. Of course, they have been doing good job making it
00:26:27
Speaker
on HackerBee. But it is not a, I'll say, one time job. You have to keep improving and hackers are something that they keep on improving again. They also, if you see when XP was released the day one or day first week, nobody was thinking that it can be hacked. It was so much complex and all that. But after say after releasing XP after say one or one, years it was the most hacked and operating system. So you have to release service pack after service pack to fix it. So this is something that hackers take time, but then they keep evolving and they hack into that. And this is the ongoing game. And I've seen these over 30 years and it's not stopped yet actually. But I'll, what of course I'll tell you is that since Microsoft has faced it a lot,
00:27:15
Speaker
and They have um now designed things which are like secure by design. They have made security as a design implementation itself and that has made the operating system so much more stable, much more robust against the hacking. But not impossible I'll say. Because see, vulnerabilities are something that are always being searched by these hackers. They keep on finding out new vulnerabilities and they keep on attacking the operating system.
00:27:38
Speaker
Only thing is operating system now being serious, they keep on releasing updates. Again, every operating system receiving updates every week was not a thing in 90s or even 2000. Now, if you see every week, you get an update to your operating system. So most of it it is security patches. So that's the case, but I'll say not impossible. At the same time, threats has gone threats have gone silent, threats have gone, I'll say targeted. They don't want to make noise and get caught. They are more focused on where they are being not noticed and they can use their way to either chiffon of money or ransom or a way to ah get something that can be sold outside actually.
00:28:20
Speaker
So in a way, the OEMs are winning that battle of making endpoints more secure, reducing the need for- You can say that, yeah yeah. Okay, okay, okay. and Understood. ah And which also then makes enterprise business more, I'm guessing that is the big bet for the future. um I want to understand a little bit about your
Challenges and Growth of Quick Heal
00:28:43
Speaker
journey. like how did Tell me about the birth of QuickHeal. What made the idea come to your mind and how did that idea become a product and the product become a business?
00:28:55
Speaker
So if you see, we started in 95, we actually announced the first version of Quick Hill, but the real journey began almost 18 months before that in the year 93 itself. The beginning, it was not about like creating a product.
00:29:10
Speaker
It was more towards like, see my elder brother had his business of a small workshop of repairing computers, okay, repairing printers, computers, monitors.
00:29:21
Speaker
And in those days, um those days were those years, I'll say when internet and email was yet to get announced actually. So we were transferring data with the help of floppies and vi yeah I realized that I was telling Bachelor in the Computer Science at that time, BCS and MCS. So in those days, I realized on computers in college were also and infected by viruses many times and it used to really hamper our practicals. And then when I used to visit Kailash, I also saw in his workshop the computers that were coming there from his customers, clients.
00:29:56
Speaker
ah Some of them were not having hardware challenge altogether. Still they were not properly functioning and the reason was virus. And that's how um my interest in that began. I started developing tools to help him clean that virus. And it was all about tool. I never thought it about as an antivirus ad altogether. So customers ah customers would come in with systems that would like say not boot or or that was corrupt or files behaving strangely. And I started writing small utilities to remove infections and recover system to the on to the level where it can work well.
00:30:33
Speaker
So I then i carried my these utilities to clean viruses in the in the floppy everywhere where I used to go even in college or even in friends home. And these tools became popular actually just to clean certain viruses which were popular at that time.
00:30:50
Speaker
So that was the beginning, I'll say. Actually, when I started getting good feedback from people that your tools are really helping them ah solve problems, people were coming and giving me feedback feedback that in spite of having good MNC products at that time, they were still having challenges of cleaning certain viruses. and when they came across my tool and it really solved the problem. So once that kind of feedback started coming in, I thought, okay, it can it can become a product actually. And I was in my last year and Kailash as well said to me, now I was also giving campus interviews for placement. That was the training masters. In the last semester, we were
00:31:30
Speaker
have We have to work as an intern and then i was getting selected but then he said ah instead of doing job why can't you focus on developing a product out of it and I like that idea because virus fighting was something that I loved and that's why I started doing that. So that's why I started giving a thought okay I can do that and in 94 I created a first version of QuickHeal, combining all those tools, making it into a single utility and we released it as a single antivirus named QuickHeal in 1995.
00:32:06
Speaker
ah How did you sell it? Because you've been bootstrapped. I believe you crossed 100 crores revenue while still being bootstrapped, which is phenomenal. But you know how did you earn your first 1 crore revenue? like How did you manage to get it out and sell and make a profit and all of that? like How did you learn all that?
00:32:26
Speaker
So it it was a very big challenge at that time. If you see... Those days piracy was at the peak, I'll say. People never used to pay for software license. Yeah, I'm sure Tally would have also, I think like something like 95% of Tally's base used to be all pirated only at that. Yeah, and so making people understand that they need to pay was a big challenge. People used to just pay for assembling the computer, buying the new hardware. But after that, used to they wanted everything free. But then if you see virus problem was not constant, it was evolving, it was changing. And it was troubling users day to day activity that itself ah it became a pain point for everybody. And that is the time when I realized that ok people are getting dependent on these tools to solve the problem. And that's how even though we announced it in 1995, we had kept the price around 450-500 rupees. But if you see, we hardly sold any copy in first three years, almost three years. But how we kept going was and why we kept going was because computer maintenance was his business and kalashes and he was able to create a differentiator in that business by saying that he also solves virus problems, okay which other computer maintenance guys were not able to do that. And that way I was thinking, okay, somewhere it is getting help. okay I'm not getting some license or paid for that license. but
00:33:57
Speaker
maintenance business is getting growing. so there's Services revenue which was helping. You can say that it was something of revenue coming through services. So that made me learn by sitting with computers, how I mean sitting with customers, how customers think, how about for what they pay, for what they are very curious and like eager to solve. And and i in fact, I'll say those were the years when I also started building differentiator in the product.
00:34:26
Speaker
I never followed mc products because even though even in those days, there were a lot of competition products out there. McAfee was there, Dr. Solomon, everything and many of them were available.
00:34:38
Speaker
I'll say people were trying to you use pirated copies. And still they were facing challenges and I was trying to make sure that my product should not have those challenges which customers were having. And some of them were typical challenges and in India where the internet speeds were slower.
00:34:55
Speaker
as internet started coming up or network or people were needing bootables, people not not having licensed Microsoft operating system and so bootable was a challenge. All these smaller, smaller things, I embedded good features of around that which no other product had and it created differentiator and gradually people started trusting my product for solving their problems. And once that trust started growing, i was able to charge. i started We started separately charging it.
00:35:23
Speaker
And we were able to build a product and started charging them. And in Pune, we were able to start earning revenue out of that. That was year, I'll say 1998, 99 people started paying. And this was enterprises or end consumers? Home office.
00:35:40
Speaker
People having computers, four five computers. DTP software's or DTP operations. And you had like a sales team which would visit them and sell this. Yeah, yeah. Maintenance, computer maintenance key sales team, way the same team was working. yeah And gradually we got a good name among all the computer maintenance guys because every computer maintenance guy i as I'll say organization or small shops in Pune started using our floppies because it was solving their customers' virus challenges which were not being solved by any other products and then that became a um brand itself in Pune.
00:36:18
Speaker
But then after the bigger challenge was we started investing into branding and all that but we realized nobody was ready to distribute Indian product. That was the biggest challenge.
00:36:29
Speaker
There were a lot of MNC product distributors. So national distributors like big brands were there Ingram or Vipro or all these were selling software like Oracle, Microsoft, type everything. But nobody was willing to sell a product that is built in India.
00:36:46
Speaker
India didn't have that reputation of building software. They never trusted that it could come out of India, a product they of that quality. But then um I'll say that was a blessing in this case for us. if We decided to build our own distribution network.
00:37:01
Speaker
if I'll tell you in 1999 or 2000, we started building our own distribution network first in Pune, making our own contacts with the these computer maintenance guys or hardware selling guys that, okay, sell our software, you will learn more margins kind of approach.
00:37:17
Speaker
And we really stood behind them for all kinds of challenges in selling or supporting the customer, handling the customer challenges. And it really helped us to create a good network in Pune. And then we thought, okay, this is working. In couple of years, we were, I'll say, number one in Pune. And we thought, why can't we work out the same thing out of Pune? And that's how gradually we thought we need to be present in that city. So we started opening branch offices.
00:37:44
Speaker
So we first opened our branch office in Nasik instead of Mumbai just to see how it goes in lesser expense. But we were getting success very fast. we In 3-4 months, the branch was break even and started making profits.
00:37:58
Speaker
And that's how we started growing. So we every 6 months we started opening new branch in a different city. capture the market, become market leader and by 2009 were the market leader across India. We had market share of around 30% in paid I'll say and a very good brand presence across India.
00:38:20
Speaker
Wow, so it sounds like by 2009 you were a very sales heavy organization. but because you would have needed a lot of salespeople for each and every city Who was leading sales? How did you learn to scale up sales?
00:38:36
Speaker
So, yeah, you can say that sales heavy in the sense we we worked with partner network a lot. So if you will say partner network driven sales.
00:38:48
Speaker
So if you see by 2009-10, we were having 25,000 partners selling quickly across India. And what was your employee headcount?
00:38:58
Speaker
Employee headcount wass for in sales was like around 50-55. Oh, wow. Okay. Very lean. Yeah. Yeah. See how it used to work was it was multi-tier per city partner ecosystem. So there were tier three partners means all these shop owners who were selling computers. Like Nehru place kind of shops. And then there was a tier two partner who was dealing a particular region for all handling all these shops to supply with our products.
00:39:24
Speaker
And then there was a tier one partner for one or maybe couple of them for a city. They used to handle the complexity. ecosystem and then our team used to make sure that all these tier 1, 2, 3 partners are connected, pulling, pushing products, helping them for support, everything. So it was not like we are just more connected just to ti one partners. We used to be talking to even the tier 3 partners. So the sales team was only doing that, making sure everything works smooth and helping partners do good business.
00:39:59
Speaker
And technologically, i made sure that the product is technologically and technically superior having mean the features and solving the challenges that Indian customers face. And what was your revenue by 2009 when you were national 30% market share?
00:40:14
Speaker
Around 60-70 crore I'll say. yeah Yeah, and we were doing almost 70% every year. I think this is when you raised from Sequoia Capital, right? Yeah, 2010 they approached us. I think we raised in 2010. Okay, they approached you. So what was the that like like? What was the reason to take funds when you were already ah profitable and like you know growing every year? So yeah, it was ah like when we needed fund, we had approached banks and all that. That was in 90s. But we realized nobody was entertaining us. And then, um but once we started doing good sales and we became market leader, having largest market share, we became household name. Then a lot of venture funds started following us and and they approached us, including Sequoia. And so we were
00:41:13
Speaker
happy that okay dear these guys are showing interest but at the same time we really don't didn't know that why do we need to take money and why because now we are generating cash we are having good enough cash in my banks but um at the same time we realized that okay oh There could be an expansion plan, we can go beyond India, we can try to also enter enterprise security. All those thoughts were there. and So among all the people who were following Sequoia guys were really really professional, they really helped us understand the importance of
00:41:50
Speaker
bringing venture fund, setting up valuation expectations and benchmarking yourself in the market and then being ready for any kind of competition from MNCs. Because MNCs were having deep pockets, it's easier to wipe out anybody if you keep on distributing free for say one year or two years. It's easy to wipe out players like us actually. All these things were there and it really happened actually. clean I'll say once we were having funds with There were coming players from China and all that as well. They distributed free of cost antiviruses. But um we were good because we were having... We have raised these funds and then we had also started expanding into enterprise.
00:42:31
Speaker
Okay. ah In the meantime, how was the industry changing? Like when you started, you said you were selling quick heal in floppy disks. How did that evolve by 2010? Was it still... being sold as a one-time sale as a product, like say how a mobile phone is sold or had it switched into more of the SaaS kind of a thing, which is there today? How had threats, the threat landscape changed by then? So antivirus had from the beginning been like annual subscription offer. So from the day one itself, even though we were selling things software in the form of floppy, it was being sold as one year license.
00:43:11
Speaker
Okay, and after every year, they need to renew it actually. How how would they pay for a renewal? Like they could buy a coupon or something or... um So floppy days were those days when we used to like mostly they used to come here back and say their like subscription has expired and and we used to hand over them a new floppy actually. okay That was that easy. Gradually when internet and email become prominent subscription renewals started happening over online actually and as well as through shops as well because we had a good distribution network. so or
00:43:44
Speaker
Then as the volumes grow, we had this renewal packs separately available in shops. People can just pick up renewal pack and just put in the renewal key and the software used to get renewed without uninstalling. And it used to just change their expiry date and start taking updates because once the product is expired, it doesn't pull updates actually.
00:44:05
Speaker
And updates were very crucial for like security products. Like say a Microsoft Excel, where you can use an Excel version release in 2005, you can even use it till 2013, but here you cannot do that because the threat landscape is changing so rapidly, so you need updates to detect. yeah Okay.
00:44:27
Speaker
And what about the nature of threats itself? Like, I assume it would have largely been your hard disk getting infected with a virus. That's what I remember when I bought my first computer. The big risk was... So early days, it was all about viruses, mostly. Because now if you see total threat landscape, virus is the small percentage. But then in the early days, viruses were the only threats.
00:44:49
Speaker
Viruses, when I say the smart... smart code that attaches itself to either a floppy boot record or a file and it used to spread automatically without user intervention and that was the um i'll say early days but then gradually as oh email and these internet started penetrating a newer trade started making use of internet and then instead of infecting your files they started creating their own files so we call them as trojans or ah worms and gradually that became more successful because worms used to spread mostly through flop means emails and internet and because of that there's
00:45:38
Speaker
spreading time had come down actually. So any new worm that is started spreading in say China, it would end up across the globe in just a couple of days time actually which was not there before earlier viruses used to spread only through floppies it used to take I'll say months to a new virus from say Europe to reach India and somebody has traveled with floppies and all that actually but then with email and broadband it changed and when broadband or I'll say wow fiber optics came malware started spreading in say I'll say minutes any malware that is started spreading in the US it would
00:46:16
Speaker
end up in India in say a few minutes actually not even minutes I'll say so that fast actually so it was the I'll say spreading ecosystem but at the same time threats earlier were earlier were designed for kind of creating trouble or say just showing their technical skills if you see viruses. but you sign value mostly yeah yeah But once people started using computers for serious business, like when it became internet started become common and people started using computers for banking or doing shopping, e-commerce or anything that is
00:46:54
Speaker
related to money or business then threats evolved to the level where they started thinking about how to earn out of that so credit cards were used a lot during those times so started stealing credit card numbers or your pin number and password and then those credit card numbers were sold on dark web and then these hackers who used to buy those credit card numbers used to use for whatever they want to purchase and you used to get I'll say defrauded because of that. So that's how it began. And gradually that ecosystem grew so fast that it become an industry altogether, I'll say on the dark web. Now, there's very big industry out there. they
00:47:35
Speaker
um there There are different verticals, people selling credit card numbers, people selling account numbers, people selling ah username, passwords for even Gmail. There's a different value are available there. and then people selling your data.
00:47:47
Speaker
data includes anything whatever your organization deals with every data has some value on the dark web and that's how it has begun and i'll say since 2008-9 we started seeing ransomwares they become became prominent initially they targeted any systems and common man like you me anybody used to get infected by ransomwares but gradually ransomware also evolved to the level where now they are very professional, organized industry where they select their targets by profiling them, studying them for months. They even enter their target customers, organization infrastructure months before they do the attack.
00:48:27
Speaker
They study the whole organization, where, who is the decision maker, where is the real data, How can it lock the complete organization? All that is done. And then once they are thorough, then the locking happens. So that level of sophistication has gone into ransomware. And APTs have become a new threat since I'll say long back, where we used to categorize threats into three buckets earlier. One was viruses which were just like for fun and one was for these cyber criminal activities used to steal all credentials and sell and then there used to be hacktivists who used to hack your systems for their some particular purpose like they are they were after certain certain cause if they are
00:49:14
Speaker
protecting or protest protesting against certain cause then they will try to hack all the organizations that are dependent on that. Like if somebody is against pollution they will try to hack into the organizations who are polluting the nature and all that and then they will bring out that data. So that was the purpose.
00:49:30
Speaker
Hacktivism was completely different, like in more against government will say. And then Gradually when governments started using threats for monitoring other governments or other states for any other release reason, maybe for their strategic advantage or something, that became a completely different vertical. then We call them as like state sponsored attacks. And then since they are sponsored by a certain state, they are having kind of, I'll say, huge budgets. So their sophistication levels are always high. And they are always high. I'll say among all the sophisticated threats, cyber criminal threats had been one of the highest complex and sophisticated, but then state sponsored are way beyond that.
00:50:16
Speaker
They go to any level, they select the target, they make sure that they penetrate there. So no OS can stop them, no kind of activity or I'll say protection mechanism, they will go to the level where they will even bug your hardware to enter that organization. So that level of sophistication is there. So APTs we call them.
00:50:36
Speaker
What is APT? advanced persistent threat where they keep on evolving. Whatever we see is always or just a small tip. We never able to see the complete threat because it is behind. It doesn't come at once. It only studies and then gradually they bring in their components actually. So that's how it works. and ah So APTs in nowadays geopolitical situations, smaller wars, regional wars, APTs are very big players. And not only that, even countries who are not at war, but are not at good terms, they are still using APTs to monitor, spy each other. So you'll see China spying US a lot, US spying China a lot. And similarly, other, like if you see our neighbors, Pakistan,
00:51:22
Speaker
doing espionage on us, we doing espionage on them and not only that, it's like even things where we feel as a friendly friendly country, you never know if they are monitoring us or not. So, it's it's a very complex world out there under actually I'll say.
00:51:38
Speaker
ah What's a publicly known famous example of APT? Anything that comes to mind? Publicly known in the sense, see many of the times these APT's are designed for silent attacks. So it will hardly come into public. But among ah researchers, we we always say, for for example, India, Pakistan, there's a threat called as APT 36. We call it as APT 36 or side loader ah because we named it actually because no one was tracking that. We being in India, we tracked it a lot. And it does a lot of selected targeting, critical sectors of targeting of Indian critical sectors and all that. so like like It is trying to leak out information.
00:52:17
Speaker
That is the goal. Currently, not they don't leak, they steal. They steal and we don't know how and where it will be misused. okay But did they steal data.
00:52:29
Speaker
Like sensitive defense data. The goal of APT36 is to... Defense data or your critical sector. It can be power sector. It can be transport. It can be telecom. They target and then they try to enter and then they try to steal whatever they can find any sensitive information.
00:52:44
Speaker
Okay. What's ah an example of ransomware? Like ah any famous case that comes to mind? So ransomware, if you see ah in three years back, the most famous in India india was the yeah Ames hospital was locked by ransomware and it was completely locked. So no OPDs, no OT, nothing was working and being one of the biggest hospital in national capital. So if you see, ransomware works that way and that is one of the best examples of targeted attack, I'll say. Because it was not like they came one fine day and suddenly attacked.
00:53:19
Speaker
It cannot happen. You cannot lock a hospital of say thousands of beds and so many operating OTs and OPDs in one fine day. Then they're done, Ricky. They're done, studied. They entered every and device that is not properly protected and then one fine weekend they suddenly did that attack on one night and everything was locked so that is how it works actually.
00:53:43
Speaker
And how did ah Ames fight this? or How did it come out? like Did it pay the ransom or what did they do? Yeah nothing thing is in public records. so Many of them helped a lot them from cleaning and restoring the miss machines and everything. It took months not days I'll say months and Kind of it was paralyzed for one size.
00:54:07
Speaker
Because they didn't pay the ransom. Yeah. See, paying ransom may not still solve your problem. The thing is, these attacks are so sophisticated many a times. Of course, ransomwares are always trying to keep their promise because they want to make sure that they are a brand.
00:54:24
Speaker
Unless they are a brand, nobody will pay them. Okay. Okay. Interesting. Yeah, so to make them trustable, they'll always try to recover your things. But when things are not in the right condition, maybe their infection or encryption was halfway or something something went wrong, they themselves cannot still recover completely.
00:54:43
Speaker
And of course, ransomware, paying for ransomware is very costly. it's It's very costly. How does the payment mechanism mechanism work? Mostly it's all ah and through crypto actually. so Okay, they'll ask you to send Bitcoin to a wallet which is untraceable.
00:54:59
Speaker
right okay okay Okay. There was this Lazarus attack. What was that about? Lazarus is group out there and it's a North Korea based it's attributed to North Korea globally by all the researchers and they are the um kind of attackers where means it is believed we don't have proofs but it is believed and it is being supported by their state. okay Now they not only do espionage but they also do hacking or um of this level where they steal money actually so if you see there was one famous attack on impuni where the cosmos bank was hacked and at the weekend they almost lost almost 89 crore or something like that
00:55:48
Speaker
and many of the crypto exchanges have been hacked by this group now the money that is being earned by a hacking these two when when i say this money was gone it has gone somewhere so somewhere it is being used and people believe that it is being used for anti-national purposes so um like north korean state always use this money to strengthen their military or do things that are good for their country but of course not good for others actually yeah But like, how can how can the money vanish when it's taken out of a bank? Like you said, this bank in Pune lost 80, 90 crores.
00:56:27
Speaker
How did they manage to make the money untraceable? Because like, it leaves a trace, right? When it's in a banking system. Yeah, so here there are multiple, I'll say, groups involved and interestingly you will be surprised that these groups work coordinate with coordinating each other but they don't know each other, they have never seen each other.
00:56:50
Speaker
Still they work in coordination in the sense, for example, in this particular case, the money was taken out from ATMs. and from different countries. so So they had field operators or like feet on street who were going to ATM machines and. Yeah. So money moons were used, moons who had account access and they were in hundreds because you cannot take out so much amount of money from ATM in one day. So you have to be in hundreds and in different countries, different locations and still doing that in a certain hours, in few hours time.
00:57:28
Speaker
and So they had well coordinated plan already informed that you will be getting these details, account number and and you just have to go once we say yes. And once the the switch and everything was hacked, they were not able to train um and protect the things, malicious transactions. They were informed and immediately this mool started taking money out of the ATM.
00:57:52
Speaker
and they themselves were not knowing what whom they are working for. They were just had to do we withdraw the money, keep certain percentage for them, give rest to the person. They were like gig workers almost.
00:58:04
Speaker
So that's how it worked actually. so and So when it's like ah this kind of money, which is not crypto. Yeah, there's cash. Yeah, this can vanish. And crypto is completely different. So when Lazarus Group does hack exchanges, crypto exchanges, and they ship off and they wipe off all the wallets once they get access. And this crypto money goes to some wallet, which they are controlling and gradually they...
00:58:30
Speaker
convert convert that to money. actually This WazeerX hack, was that Lazarus group? I believe WazeerX got hacked or something. No, WazeerX, there were multiple times they were hacked actually. And one of the things was, I think their bridge got hacked actually. And bridge hacking was, at that time was not done by Lazarus, I think. So there was a different group out there. What does that mean? Bridge hacking? Bridge hacking is like one exchange dealing with other exchange, different currencies,
00:58:58
Speaker
But they have to ah send money from one person to other and so then there is a bridge between that actually which does that connection. Bridge was on a weaker side where it got hacked and people stole that cryptocurrencies.
00:59:14
Speaker
Okay, fascinating, fascinating. ah Has there been like a major data leak in Indian startups, all these consumer startups? Many times it happens. Which is the biggest one in your memory? We do see a lot of data available from a lot of lot of organizations. Mostly I've seen why they have happened is because of the example that I gave was a weaker supply chain.
00:59:38
Speaker
So, if even if you see for example, a certain set of other card is available on say Darkwave, but it doesn't mean that other is hacked. The thing is somebody who is storing other and not protecting it well, they got hacked.
00:59:52
Speaker
Like some fintech or a lending company? or give me Any, any, yeah. Nowadays, everybody stores Aadhar. I don't know why. and In fact, even if you go for a two-wheeler loan, you will be asked for Aadhar actually.
01:00:04
Speaker
or We don't know where they're storing, how they're storing actually. And many hotel chains, people while doing check-in, they submit Aadhar, which is not good. But then they're scanning their Aadhar there actually.
01:00:16
Speaker
Okay, okay, okay. Any of these tech companies which have got hacked? Like all these food delivery apps or UPI apps or any of these? Yeah, if you see and one of the food delivery apps, Zomato, is already out there known for that one big hack that happened.
01:00:35
Speaker
And it's long back actually. Like customer data came onto to the dark web. Okay. So the the big risk when this happens is that your password for, say, Zomato is exposed on the dark web. Like anyone can buy ah that data and then they have access to your email ID and password for Zomato, which there's a high chance that you will be reusing that same thing for your bank also. So that is the risk for a consumer when this data breach happens. You are not using for bank, but you are using it for your Gmail. And when you...
01:01:07
Speaker
Your Gmail is hacked after that. Then you can ask for password reset with the bank. And then your email can be, you can use your email and reset your password for other services. It can be bank, it can be any other. That's how hackers are very smart. They only one entry and they will go through all these different different combinations.
01:01:28
Speaker
So if you see everywhere, your email is very crucial. You can reset password if you have the email access. exercise Okay, okay. So what are like some best practices for consumers? Like if I am a Zomato user, what are like some best practices for me?
01:01:45
Speaker
Firstly, I'll say, we rightly pointed in overall conversion, we should not be reusing passwords everywhere. So that is the most important thing to follow. I think there is a trend now increasingly apps are doing OTP login.
01:02:00
Speaker
Anyway, I see more and more apps now have stopped password. Yeah. Yeah, but nay only OTP login is a different thing where we are not hey we are not registered there. You but go to a website, you buy something and while checkout, they just ask your mobile number OTP is there and you are guest logged out actually. That's how it works.
01:02:22
Speaker
But that is not going to be permanent. You are not storing there and there is no password out there altogether. but then services or your accounts like social media accounts and all then there are two-factor authentication enabling feature you can always do that enabling that will help you to have additional layer of otp to protect your login apart from that i'll always say whatever you are using any device always keep your device up to date whatever os it is using it can be a laptop mac or phone anything you're using make sure you have up to date
01:02:57
Speaker
apps up to date operating system and then always be i'll say curious and aware about anything that is coming your way just don't blindly click read it understand it and anything that is giving you something free something oh with no money you should doubt that actually because then that is free actually are going to use you for something else.
01:03:24
Speaker
So, and anything that is tempting offer or ad which promises something impossible, doubling your money in one say five months or two months or a stock, I'll say a tip that can grow five times in two months. All these are like scams. They are going to, you are going to end up losing money.
01:03:44
Speaker
That's what I'll say. Never, never, never follow those ads. you know Okay. Okay. Okay. So let's come back to your journey. So 2010, you raised money from Sequoia. By that time, I think you must have started selling instead of CDs. Did you start selling it as a SaaS like pure buy online or till when did sales through CDs continue?
01:04:06
Speaker
Sales through CDs was there for a long time, almost till 2018, 2019, I'll say, before pandemic.
01:04:17
Speaker
Pandemic really made the big shift, actually, all e-downloads and all that. So when you listed, tell me about that. Like, what was the reason to decide to list and what kind of revenue were you at by that time? So...
01:04:32
Speaker
so ah The biggest shift was, I'll say, um we wanted to give exit to our investor. The only investor we had was Sequoia and we always had a choice to like either bring in another investor or um buy out their stake or or an IPO was one of the route.
01:04:53
Speaker
And we thought of going for IPO just because we thought We were there, were going to be there for long term. We never decided to like sell everything and okay now it's over. So we had been getting a lot of opportunities to get acquired but we never go that route. So our plan was to be there for long term and so IPO felt much better because having a feeling that we are listed is a different feeling altogether. And then next is about listing helps us to
01:05:25
Speaker
establish myself as a long-term reliable brand because that was very important for enterprise sales because enterprise is like all about trust and that could have been ah one of the trust factor was the thought and that's how we decided to go for listing instead of bringing in any other investor like it was a good choice i'll say yeah but by 2016 your enterprise division was contributing how much to the top line 5% or less. Okay. So early stage of our enterprise. but But listing was the way to grow that business. Like you would have more trust. great Did you actually use the money you raised from Sequoia?
01:06:03
Speaker
Money, of course, means it's not like we were already generating cash as well. So we used that money. We were and also saving some other money. So entirely the thing was... We were there, money was more than money, I'll say, the bridge of having Sequoia on board was help bringing in good governance, setting up finance department and ah discipline, I'll say, all together, like getting ready for board meetings and bringing in independent board, all that was set during that time. So it was a completely completely different change, I'll say.
01:06:37
Speaker
It was a governance upgrade. but Yeah. But of course, that was the single investor. But then after IPO, it was completely different. I'll say IPO is more of like,
01:06:48
Speaker
ah You're being monitored or I'll say, look after by everybody. when It's like you cannot be, are is your single mistake is always under lens. I'll say ah halson that is how IPO life is. Like it's all about making sure you are compliant and you are having the best of the governance, best of the transparency. And so that was the change after IPO. see I'll say accountability mainly customers. So we were before IPO, we were accountable to only say customers or say our employees or the single investor. But after listing, we were also accountable to thousands of publicly um means holding shareholders of ours that that changed a lot like how carefully
01:07:35
Speaker
you take decisions. It's always because every decision is always in public lens. That's the one important aspect that we realize actually. Do you regret being publicly listed or overall do you think it's a net good, net positive?
01:07:52
Speaker
No, i we never regret it because as I said, you know, it really brought in that completely different angle. We were never focused being on a tech startup. Our focus always had been research, new products and Then gradually this distribution and all. But after listing, it also became part of like how to build a public company, how to be having the best of the governance, how to leverage the, I'll say, share value as the currency. How can you attract best talent? How can we go deep with respect to leadership? All these changes, it really grew us actually, I'll say. It was a good learning. Tell me a bit about this. Like how do you leverage share value as currency? Like just can you share some of your learnings, that things you learned as a public company, and things which you have access to, like you have more options in front of you as a public company. What what will what options did it open up? So if you see leverage, when I say, if you want to and invest into an organization, if you want to acquire a company,
01:08:53
Speaker
You didn't don't need to be always full cash, you can always give them in terms of your share value. Because your shares are listed, they have they have been accepted as your currency actually.
01:09:06
Speaker
So is there is one aspect and it is very important aspect. So you can always, because it gives you power to Think of a larger acquisitions okay without having cash in your hand and still you can do that transaction. So that kind of advantage you have.
01:09:25
Speaker
Apart from that, I'll say um when you are dealing with the other large organizations, MNCs, when they want to work with you, the first thing they look is how how are you valued and they listing value is something that is most respected rather than anybody CA or somebody giving you a valuation certificate is completely different. And the same goes with And if you are bidding a large tender where your organization revenue and market cap is also important.
01:09:57
Speaker
Again, this this is something that comes into picture. So, everywhere will say once you are listed, your market cap and your governance and all these things are already under public lens. So, those are never under question and they are always respected. So, that really helps actually.
01:10:14
Speaker
Have you done any acquisitions? We have invested smaller startups and not complete large organization kind of acquisitions. yeah And what was the rationale?
01:10:25
Speaker
um No means our thought was to acquire technologies rather than markets because our focus has been India and um see one is like we want to be cautious we never done that and we have already mis heard a lot about that acquisitions not all are successful many a times it can make or build or even break the company as well. so instead of going on the bigger way we always like were looking for some technologies that we want to acquire and we did that actually at least two three acquisitions we did in terms of technological which we add up into our product and we can offer something to the customer side like for ah enterprise side
01:11:08
Speaker
yeah Most of these were in enterprise side. What were they? We acquired a sandbox company from Pune. It was long back. Then we also acquired a US based company, which was for behavior detection.
01:11:23
Speaker
on the trade side, actually. yeah We acquired a data device control company, I mean, some technology from Romania, again. and That was for DLP kind of solution, actually. OK. Your ah sales team and like sales leadership would have also had to evolve over the years. ah How much of your effort is still on consumer sales versus how much is it on enterprise sales? How does consumer sales happen? is it still through partners ah or is it more digital sales, online, online ads and things like that? Help me understand how that has evolved.
01:12:02
Speaker
So yeah, consumer and enterprise are still separate. and Teams are also separate. So enterprise again, even since we are into SMB and mid-market, not very large enterprises, um most of the sale happens through channel partner. The ecosystem on enterprise front is are different. we there We deal with system integrators who are supporting and supplying to mid-market or SMBs.
01:12:28
Speaker
How do you define mid-market? What's the revenue? More than revenue for us, it's a number of devices. So anywhere between, 1,000 to 5,000, we call them mid-market. Okay. Okay.
01:12:41
Speaker
below 1000 or maybe 500 is all SMB, small, medium businesses. And ah for consumers, we have both online sales, digital, as well as the ecosystem of partner ecosystem that we have already built that is still there. So both are contributing to the revenue actually.
01:13:00
Speaker
and But what is the bigger share? Yes, it is still offline. yeah Still offline. Okay. ah Wouldn't this be like, wouldn't it be easy to just spend money on Google ads, grow that business? We do spend, we do. And so if you see gloop in India, if you measure the kind of antivirus sale that happens, paid antivirus, we still has the have the major market share in even on digital.
01:13:24
Speaker
So it is there, our online spending and ads are there. But that market itself is a shrinking market. One is shrinking and a on the other hand also I'll say one like as a on as a India as a market if you see if there is certain sale happening online there is much bigger sale opportunity offline as well. India is still that country.
01:13:47
Speaker
Even for software you're saying that India ah you're saying this even for software. That's why I'm saying my offline sale is still contributing. See, the reason is people still in India go for assisted buying.
01:14:03
Speaker
They want software, but they want somebody to come and install. They want somebody to take care of if there is a virus problem even though they can do it online but then we realize if they do it by online then nobody's going to come and install they have to do it on their own so there's still that market out there okay typically i guess the trigger would be when your system is affected then you would go find out yeah i can say that yeah okay okay okay interesting interesting uh okay uh you know do you think uh
01:14:38
Speaker
you took too much time to pivot to enterprise and the reason why I'm asking is because I believe your revenue has been kind of flat for a couple of years um and you know even the the share price of like because it's a shrinking market so I assume that would have had an impact did you take too much time to pivot or you know what what do you think about that oh See, you can say that the in the sense um you need to
AI's Impact on Cybersecurity
01:15:07
Speaker
understand this. If you see our current enterprise revenue, and if you compare any other startup in India, we still have the largest revenue in cybersecurity products in enterprise vertical.
01:15:22
Speaker
But then to reach that revenue, it took us time because cracking on consumer and market is different and cracking on enterprise market is different.
01:15:33
Speaker
Enterprise market and first of all, we need to learn that. of it took us time to learn that. And second, that is dominated by MNCs where it is already established market globally and it is a very sticky market. It takes time for somebody to have already installed endpoint security to take a decision to remove it even if he doesn't like it actually. Okay. Because it it takes time and all these factors affected. But at the same time, we created our own space by enterprise, ah small and medium businesses who grieve to mid market and they are with us since which days.
01:16:10
Speaker
And along with that, our partner ecosystem that we had for consumer also started selling enterprise products, certain, not all. But then all that has helped us to reach to the stage where we are now competing and giving tough competition to MNCs in SMBs and now in mid-market actually. Okay. Okay. So this enterprise revenue you're saying is very sticky revenue. but Once you acquire a client, that revenue will...
01:16:37
Speaker
the churn will be lower what is the turn for uh consumer consumer re renewal happens less than 20 percent times oh wow first of all it's very difficult to calculate the reason is people may not have the same key they will go and buy a new product but our quick hill only and install it in for us it is a new sale but it is the same sale happening on the already protected so that way it is difficult to calculate but still whatever we can calculate earlier the renewal rate was around 50-60% actually and gradually it has come down and so currently you can see it's 20-25% but an and enterprise side it more than 80%.
01:17:19
Speaker
Okay. So there's very high quality revenue, basically the enterprise revenue. Yeah. How much of this is services revenue? How much is like a pure SaaS subscription revenue? We hardly do services actually. So for services, we have recently started giving MDR services managed detection response for our XDR offering because XDR does need that.
01:17:40
Speaker
Even certain organizations choose their own SOC. So even though they buy our XDR, they have their own team to manage that. But certain organizations are dependent on us. So for that, is ah it's a service. so But that's a very small factor. How does the threat landscape change going forward? Like, how do you see?
01:17:58
Speaker
ah And again, let's focus on enterprise because I feel that is where the future of Quick Heal is on the enterprise side. ah What kind of new threats are coming in now with AI coming in? How does that change the... threat landscape, does it help you also, AI? Like, like are you also able to make use of AI or is AI more of a threat factor that something like, say, phishing can be highly customized and you can have an agent which is just doing phishing at scale, ah makes it easier for the bad guys See, you have rightly entered or pointed the thing where in future, I'll say it has already started happening.
01:18:36
Speaker
AI being used by hackers and malware writers or I'll say bad actors quite prominently because as it is more accessible now, so fraud is becoming more personal, more convincing. Earlier scams were generic but today you see messages are tailored, voice can be cloned or videos can be fake. So attackers use local language, emotional pressure and urgency to manipulate the people. So AI is being used to scale deception, I'll say. ah Create more fake videos at a very higher scale and more convincing. Not just automated attacks, I'll say they make
01:19:14
Speaker
awareness and early detection extremely important. And so that's where the challenge is no longer just spotting bad actor or a thing. It is it is identifying a false trust or false process altogether, I'll say. So one is that AI has really changed the whole thing.
01:19:35
Speaker
It has And as ah as you rightly pointed on consumer side, it is more towards scams and frauds. But on enterprises side, these scams and frauds are at a very bigger level like CEO frauds. We say we tell them that like business email compromise, we call it BEC where the attacker sends you a mail as if he is your CEO and from his mail only. And it can also contain everything that you feel that it's a CEO and then you end up doing the transaction and
01:20:06
Speaker
the loss is bigger to the organization. So all those things have already started happening. But at the same time, you know, ah if you see traditional way of hacking and you can relate it to ransomware or attacks, which are even state sponsored or even cyber crime motivated, or is commercially motivated. These are also gone sophisticated. Now they search for vulnerabilities automatically with the help of AI.
01:20:36
Speaker
which is much faster and 24 by 7. So now this has become more complex. You have to be like alert and active and you have to find these level of threats with that level of automation. So that's why AI is already there. We are already using in all our technologies. If you see detection, threat correlation, threat,
01:21:00
Speaker
bifurcation classification everywhere we are using AI. We have it as under the name of GoDeep AI. But the thing is, it has already captured the market. Now,
01:21:11
Speaker
With Agenetic AI, we are seeing on the horizon and the kind of people habits are now going to change, the kind of browser usage is going to be changed.
01:21:22
Speaker
These attacks are going to be more sophisticated and you need to be at the, I'll say, forefront to protect it. and you will have the window of protection goes very small. and In very short time you can have a bigger shock of getting attacked and you have to protect in that shorter window as fast as possible. So it has to be automated. That's how have seen it.
01:21:48
Speaker
Is the AI coming for ah MDR jobs, you know, managed detection and response, the people who do that? I feel like maybe an AI agent could easily do. So if you if you see SOC operations, and there are always L1, L2 and L3.
01:22:03
Speaker
According to me, L1, L2 is going to be replaced by AI. Just can you define what does L1 do? L1 is the first line of response for all the alerts that are seen. So what happens, you know, mostly large banks, what they do, they have their SOC operated by somebody or if some SOC is being operated,
01:22:22
Speaker
in-house they always outsource L1, L2 because they are trivial alerts that they need to deal with but they are in thousands. So and there is always team of L1 responders and then there is L2 responders who are handling little sophisticated threats.
01:22:40
Speaker
And then l three is something that is only if these guys are not able to handle and it's so much bigger, and some deeper than the L3 guy comes in. So if you see L2 is going to be completely replaced by A. I've seen the solutions that are already being under development. in giving good results and then very soon they will be in the market and you will see these L1, L2 getting replaced.
01:23:02
Speaker
Now then, large organization will not need to outsource the SOC operations. They already have to already means they L3 could they in a they always have in-house and L3 will be there. L1, L2 will be handled by agents. that That's going to be the case actually. Is that something on your roadmap also to create these agents for L1, L2? No, we are not into SOC side actually. So as I said, we are on the detection and response. So we are making sure that our dashboards, our product dashboards are more efficient.
01:23:34
Speaker
giving more insight to the user. Now it is not only about your internal protection. you As I said, things are yet to be released but if you see your external activities are going to impact your organization. Your leak on food and delivery app is going to create problem to your organization. So how can you solve that?
Pricing and Market Strategies
01:23:55
Speaker
You are not having control over what is there on the dark web. only thing you can do is you should be aware what is there on the dark web making sure that you are protecting those things here. So if your data is leaked, you should change the passwords. But at the same time, you should be having a protection that can have that can show you both the things on the single pan. And that is what we are working on actually. So making sure you are your external things are being correlated with what is happening inside and giving you insights
01:24:26
Speaker
With AI intelligence, this is happening and you can potentially see a ransomware attack in next XYZ weeks or something like that. Okay. So this is a separate service altogether, right? The threat intel.
01:24:40
Speaker
Yeah. You are scanning the external environment and based on the signals of external environment, you're able to give some flags to the company that this could happen.
01:24:51
Speaker
Yeah. So yeah you started selling this as a service? or Yeah, we started DRPS, we call them actually Digital Risk Protection Service, which which is already out there in the market.
01:25:01
Speaker
We launched almost two quarters back and to not only also monitors these signals but it also monitors your reputation. I mean something that is completely out of your control and not going to infect your network as well. For example, your fake app of your bank is out there and somebody is using that. Okay, then that can be monitored, fake so social media handles. Of course, if you see why these are coming up,
01:25:30
Speaker
Ultimately, they are after your credentials. What the fake app is going to do? you Capture your credentials. What the fake website is going to do? Capture your credentials. Yeah, like lot of companies are facing this fake job offer scam.
01:25:42
Speaker
who and then fake social media handles and then and giving them oh I'll say um um schemes that are fake actually of course certain depends on organization if there is an say investment related ah oh capital market related organization which does investments for customers and grow their money now if their fake website is out there they will be collecting money on his name and they will not be returning altogether altogether. That's going to be a Rathbun kind of scam. But whose name is under reputation, um is a repe reputation under stake, the person whose fake is created. So and he's and he cannot monitor that sitting inside his network. It has to be on the dark web. It has to be on the social platforms. Can you help me understand how your enterprise products are priced at? Is it a per device pricing or like, you know, how do you price it? What kind of revenue, your average contract value per customer? What does that look like? It's it's difficult in the sense, it all depends on what all services they select.
01:26:49
Speaker
Basic protection can go somewhere around say 400 per endpoint or 400 to 500.
01:26:56
Speaker
But um people may not go only for basic because there are a lot of other things involved. Device controls are needed or DLP is needed. What is DLP? Data leak prevention.
01:27:07
Speaker
Okay. And then all these are additional services which many a times they select and based on what they select the pricing changes. And then again if it is a cloud based service the price goes up actually.
01:27:18
Speaker
And then many a times if it is on premises it's a different pricing. servers and operating systems again they are dependent but then overall mostly large enterprises deals happen on like i'll say the volumes that they are picking the kind of points they are going to deal at the time and then based on the volume this pricing happens actually And what's like an ah average contract value across your enterprise customers? Is there some number that you can share? No, I can only tell you the endpoints. Since we are into SMB and mid-market. So SMB, our average in number of endpoints is say 50 to 50.
01:27:57
Speaker
500 in that range many of these SMBs are there. So most of them are in the range of 50 to 100. Okay. Now there the pricing is because they are small and medium the pricing is low we can keep it low and they don't go for other services but then ticket size is not big.
01:28:14
Speaker
But then for us, organizations which are say 500 and above or even 1000 and above, there are quite a big number of customers we have. then Then these become a contract. It doesn't become only like how many endpoints because number of endpoints keep changing throughout the year and it doesn't depend on that actually. So that's how it works. we Once we sign the deal, we see how many assets we need to protect. That also includes endpoints, but overall deal depends on what all we need to protect actually.
01:28:42
Speaker
and How do you do data leak protection? Like how does that service work? So it's a combination of multiple services. We have say one of them is like making sure all the endpoints are having device control where no pen drive is allowed to connect or no Wi-Fi separate connection is allowed. Only orientation Wi-Fi is allowed.
01:29:02
Speaker
These kind of device controls are there. Then additionally, anything that is sent over the mail, we monitor what is being sent, any other Google Drive or any other cloud drive.
01:29:13
Speaker
ah Indirectly, we have we are monitoring every data that the user wants to monitor. They can configure accordingly and then there are policies that these confidential files cannot outside the organization. Then we make sure that anything that is being sent or attached, we warn the user and the admin that this is being done. So this is how DLP works.
01:29:34
Speaker
and For different networks there is a different need, but mostly it is again monitoring the confidential data which users or organization has already defined that these are my confidential documents, it should not go out.
01:29:48
Speaker
So, these SMBs do? Do they need an expert to do the configuration? ah Like, is there a person in the team who's like a cybersecurity person? Well, it's much easier. The technology, we have made it more simple.
01:30:04
Speaker
our But of course, somewhere at least some technology is needed because if they are going to use endpoint security and they need to know how to use central configuration dashboard actually to configure But, you know, most of the softwares, including ours,
01:30:21
Speaker
is having such a settings by default that it does its job much better. And at mid-market level, I guess you it would be more complicated. why it's more complicated. yeah Do you think that job will also go away to AI? like Like someone could just type in English and the AI could ask questions and then do the configuration like you don't need an expert.
01:30:42
Speaker
yeah It's already there. It is also there in our software. Recently, like i' three quarters back we released. So AI prompter is there. Users can only write in the form of prompt and the settings are done or you don't want to answer.
01:30:56
Speaker
There's a lot of lot of graphs shown on dashboard where the user doesn't understand what it's saying. You can just prompt the AI and the AI tells what it means actually, when what he needs to do next.
01:31:09
Speaker
yeah Okay, amazing. So that is growing and gradually this automation will also go to the level where it will just say, okay, I can do it for you. Just say yes, no, whatever. right ah Typically, your customer is a first-time customer of EPP-EDR or is it a customer who's replacing an existing? Replacing existing software, yeah.
01:31:30
Speaker
Okay, okay. That's pretty amazing. Like you're able to replace Western solutions. Typically, you'd be... Yeah, yeah. Yeah, so usually many of the customers when we see geographically, we we hardly go for small businesses. We mostly go for mid-market there. And then mid-market are ah regulated algorithm is industry where they will be already having some kind of protection. you not leave with and And what's the factor which allows you to win over what they are replacing? Is it a cost saving or is it feature addition or...
01:32:08
Speaker
horse hardly Because we don't like to compete with cost because see cost is always going to bring down our margins because it's always a costly affair. Our thing is we try to create differentiators, something that are more important for that industry. And maybe many of these MNCs have not put attention to them. actually It's like, okay, MNCs are having larger market. World is a, globe is a much bigger market.
01:32:33
Speaker
Their feature focus is on all the large enterprises and mid market have a certain different requirements many a time. So then we being into mid market already in India are Our thoughts are always on those lines. So that really helps actually. and People feel okay, they've been heard and then they give us a try. So we always tell them to do a POC for our one certain department. If you don't like, don't you can don't replace. But if you like, you replace. And that's how it is helping. And gradually, ah see product is solid. air
01:33:03
Speaker
Technology wise, if you see our product gets certified globally and we are getting good results in certification. So, people know that protection wise this is still going to do the job only now remains is the how they ma ah i meanqua show up to their usage or I'll say and expectations whether it is fulfilling all other expectations
Adapting to Geopolitical Influences
01:33:27
Speaker
actually. So, that way and now with this Really geopolitical situation, certain products get suddenly banned and people really start feeling, array and now what to do, harm we need to replace.
01:33:39
Speaker
And people really are worried about whom and where they are sharing their critical infrastructure with. Because the security office is at the lowest level actually. So you have to make sure that whoever you are giving control of your systems is your friendly country or something like that. detect like like say I think Kaspersky is a Russian company. right yeah that That would have suddenly become a concern. Interesting. ah Give me an example of how you are able to meet the mid-market needs better than MNCs, like some feature example that you understood mid-market needs. If you can see and ah a lot of features and like the same example I can give is a DRPS service that I talked about, digital risk protection and monitoring, dark web and all that.
01:34:25
Speaker
This only available for large enterprises by MNsys. It's because it's so we they feel that mid-market or SMBs are not into that. But we have automated it in a such a way that we are trying to bring it even to the SMBs actually. Then they'll start suddenly start feeling okay they are being listening means we are being heard. And if you see these are going to affect these guys also. If you see a small chain of say pathology labs, they are having a website, they are having their apps and they are being targeted by these fake apps. fake
01:34:58
Speaker
And nobody is paying attention to them. So if our e EDR or XDR start showing their external vectors as well. And here ah AI would be able to help you in automating, reducing the cost of doing this. Because AI would be able to yeah read through apps and would be able to scan advertisements. So one is AI. At the same time, I'll say we being into this industry for 30 years,
01:35:22
Speaker
And knowing how the threat landscape has evolved, a lot of back-end automation has already built at our end. So it really helps us. It really helps us come out with these services. Somebody who is into ah say a newer startup coming out with us say data protection, DPDP software or even a DLP software.
01:35:45
Speaker
they will not have that history of ransomware attacks that we have seen. So that really helps actually. So when we are designing something, we with there is some some different aspect. Our focus is more towards threats and that is there actually. So not just an SaaS application that we are designing.
01:36:03
Speaker
okay Okay. Let me end with this. One last question. i've made you speak for almost two hours. I'm going to finally let you
Strategic Business Advice
01:36:11
Speaker
go. ah You know, what's your advice to young founders? Like you started as a, maybe I guess you must have been in your teens or just out of your teens and you've been building for 30 years. What's your advice to the similar age group who's listening to this podcast and also dreams of being an entrepreneur?
01:36:28
Speaker
yeah only thing i can tell and i've seen because i interact with a lot of founders i've seen the early mistakes that they do is for certain founders if certain things starts working now they immediately start thinking about adding more um services or products because since they are founders and they are techies they are they know like okay i can solve this i can solve that and they try to invest in these things and they end up in like investing too much.
01:36:58
Speaker
And I'll always always keep telling them that whatever you are good at, focus on that. And once that is doing good, make it a strongest offering. Get the maximum market share. Focus on grabbing the market share.
01:37:12
Speaker
So learn about markets more than innovating new products immediately. Whatever you are good at, unless you have that innovation, you will not do that. I know. But once you have something and start moving, start getting real customers,
01:37:24
Speaker
There is a lot big journey for ahead with that. You have to listen to customers. It's a repeat cycle. You have to listen, you have to create differentiators, you have to bring out products. So that is the one first advice I'll say.
01:37:36
Speaker
And wherever possible, keep bootstrapping. If there is a need of early investment, of course, without that, if it's not going to go, I'll I'll say, okay, go for funding. But wherever possible, keep it bootstrap because unless you are able to prove that you can be profitable business, it cannot go a long way actually. So, I mean, there very few businesses and there are different league businesses where they are not profitable for 10 years, 15 years, they keep getting investment. That's a different thing altogether. But many of the startups are into smaller ideas where they can become profitable very soon.
01:38:13
Speaker
Just they need to Make sure that they don't raise immediately so that scarcity automatically brings out the best in the product, the best in the processes and the governance. Automatically, you only focus on the pain points which is paying you, not those things which are not paying or not there or fancy, I'll say. Automatically, your focus changes. So that's that's second advice I'll give actually.
01:38:37
Speaker
Amazing. So like operating under constraints that force you to focus is the secret. Amazing. Amazing. Thank you so much for your time, Sanjay. It was a real pleasure. Thank you. Yeah, it was a real pleasure and nice talking to you. Thank you