Welcome to Snowflake’s Startup Spotlight, where we learn about awesome companies building businesses with Snowflake. In this Q&A we’ll hear from Matt Caulfield, CEO and Founder of Oort, a startup focused on identity threat detection and response, about how Oort strives to give its customers visibility into suspicious circumstances—and where it got its out-of-this-world name.
What prompted you to start Oort?
I am an engineer turned entrepreneur with a passion for solving big, complex problems. I led the Boston Innovation Team for Cisco after years of working on cloud, networking, and security. I started Oort to address the shortcomings of network and device security that we saw at Cisco by instead taking an altogether different approach, based on identity.
What inspires you as a founder?
I love analogies. You can think of any company as a solar system of sorts. It’s a system of applications, data, processes, and tools. Now zoom way out, and orbiting the system is this swirling mass of users, employees, vendors, contractors, and third parties. Our solar system is like that, too: you have eight planets and multiple exoplanets, but you zoom out and the Oort Cloud comes into view, the swirling mass of comets and asteroids that extend far beyond Pluto and the Kuiper Belt. I’m inspired by that analogy and by the enormity of the problem that we solve.
What problem does Oort aim to solve?
Oort is a cybersecurity startup based in Boston and focused on identity security. Our mission is to help modern security teams stop account takeovers.
As companies go through their digital transformation, moving applications, data, and users out of their perimeter, identity has become the center of attention for hackers, and therefore for security teams. According to the 2022 Verizon Data Breach Investigations Report, 80% of all breaches (including a lot of successful breaches you’ve heard about in the news) involved the use of lost or stolen credentials.
From the security investigation side, identity and the authentication flow is the only place where you can get back the level of visibility and control you had before the perimeter started to dissolve. Put simply, identity is the new perimeter.
Cybersecurity is a crowded field. What is Oort doing differently?
Oort collects a huge amount of data about accounts and users from a variety of sources like identity providers, multi-factor authentication (MFA) systems, instant messaging, and so on.
One thing that makes us different is the sheer depth and quantity of data we pull out of the systems. Often we’re surfacing data that isn’t even available in the native platforms’ interfaces.
Of course, the real value is bringing all this data together, which enables us to provide unique behavioral insights based on our own risk models and algorithms. This means we’re always detecting strange and risky behavior. For example, our customers tell us that we’re the only solution on the market that can identify session hijacking in Okta.
What’s the coolest thing Oort is doing with data?
Oort collects a huge amount of data about accounts and users from a variety of sources like identity providers, multi-factor authentication (MFA) systems, instant messaging, and so on. It then builds an identity graph representing the posture of identity security for the environment, as well as the behavior of users and accounts. That graph is then used by our risk models and threat detection algorithms. This enables us to give our customers a single pane of glass to perform complex investigations, and to detect and alert on suspicious behavior reflecting an ongoing or successful attack or account takeover.
For example, we look at data coming from identity providers, single sign-on, and MFAs like Azure AD, Okta, and Duo, but also HR systems like Workday. And we are expanding in more areas relevant to identity security, and always collecting more data to feed into our models.
When you were implementing Snowflake, how did you decide which architecture to use? Managed, connected, or hybrid?
We decided to offer a choice to our customers. The managed architecture currently in place was designed to solve some of the performance issues we were seeing with the database we were using at the time. The managed model helps us onboard and get customers started as fast as possible, giving them the best time to value possible.
At the same time, a lot of our customers already use Snowflake as the core part of their security data lake strategy. In those cases, we can quickly switch them to a connected model. The ease of integration offered by Snowflake made that hybrid model really easy to implement by our engineers.
How has Snowflake enabled you to push the envelope in your market?
As we are onboarding more and larger customers, and as existing customers connect Oort to more pieces of their identity stack, the amount of data we need to store, manipulate, and display is growing exponentially. Because a core piece of our value proposition is to correlate large numbers of events to find anomalies, it is critical that we can work on those large data sets very fast. Snowflake allows us to do just that.
Now that Oort has outsourced its day-to-day data management to Snowflake, what has that opened up for your team?
Budget. The amount of dollars we were spending on our previous service was obscene and we’ve essentially eliminated that cost altogether. That enables us to keep our costs lower and our gross margins in the range we need as a SaaS startup.
From a people perspective, we’ve dramatically reduced the burden on our SRE team and enabled our data science team to simply work 10x more efficiently. Even the cost of running ad hoc queries for exploratory purposes was noticeably eliminated by the move to Snowflake.
Paint a picture of Oort before Snowflake vs. after Snowflake.
Before: Limited data set size, limited query engine, limited concurrency.
After: Ability to fully support our customers’ large data sets, flexibility of a full-blown data warehouse solution, better performance, optimized queries, simplified ETL thanks to baked-in analytical functions. And much better ROI.
Looking ahead, what’s next? What are you hoping to build out in the next few years, and what role will Oort play in your industry’s future?
So far we are fully focused on expanding our integrations both within the IAM stack (more data, you say?) and the existing SOC stack (SIEM, XDR, and so on). We will also keep improving our automation capabilities to always reduce the amount of work security teams have to do manually to keep their companies safe.
The emergence of identity threat detection and response (ITDR) as one of the major trends is big for us. There’s an ongoing realization that implementing an identity security program is critical for the future, and we’re very excited to accompany our customers through that journey.
Learn more about Oort here, and check out the Snowflake Startup Program today. And if you’re an early-stage startup, don’t forget about the 2023 Snowflake Startup Challenge—submissions are due March 1!