Snowflake’s Powered By Program for Cybersecurity and Media

One of Snowflake’s growth strategies, beyond their core data platform, is to enable other companies to build their businesses on top of Snowflake. The value proposition is that new companies with a heavy data processing function in their product can bootstrap their launch by leveraging Snowflake’s platform. There are multiple benefits in taking this approach, including reducing time to market, eliminating infrastructure overhead and avoiding hiring dedicated technical staff. Snowflake has invested years building out and refining their data platform for high scale operations.

In most cases, it doesn’t make sense for a new vertical software provider to build their own data platform, which arguably duplicates a lot of Snowflake’s functionality. Given Snowflake’s high volume, they are likely able to provide a new business with data processing capabilities for the same or lower cost than if the start-up tried to manage their data platform themselves. This allows the new business to focus on their core competency, not figuring out how to build a big data solution.

Snowflake formalized this type of customer relationship in June 2021 through their Powered By program. As of the most recent quarter, the program had 590 participants, growing an amazing 35% sequentially. In order to increase the focus of the Powered By program, Snowflake is creating audience-specific workloads within it. The first audience-specific solution is for cybersecurity teams. The product team has shared plans to launch more of these audience verticals next year. The benefit to Snowflake is that these Powered By program participants become heavy users of the Snowflake platform. Even though participants tend to start as smaller companies, their Snowflake spend can grow higher than large Snowflake customers, because the data platform is core to their operations. During Snowflake’s recent Investor Day, the leadership team shared that 9% of their $1M+ customers are participants in the Powered By program.

To get an appreciation for this program and its implications in the cybersecurity vertical, I recently participated in a webinar during Cybersecurity Day from Snowflake called “Deploy a security data lake to unlock new use cases”. In this presentation, the Snowflake product team engaged two Powered By program members to share their experience with Snowflake and demonstrate their products for potential customers. The two program members were Hunters and Anecdotes.

Hunters offers a SOC (Security Operations Center) platform that helps security personnel better detect and respond to threats using automation. The Hunters Platform is purpose-built to support SOC workflows from data ingestion all the way to incident response, serving as an ideal approach for replacing a customer’s SIEM. Hunters operates like an open XDR platform, but they have shifted towards the SOC product label to better describe the product’s fit within a customer organization. Hunters is based in Israel and was named Snowflake’s partner of the year last year. They have landed a few notable customers, including TripActions, Upwork, Netgear, and BlockFi. They even power Snowflake’s own SOC. Earlier this year, the company closed a $68M Series C funding round.

Anecdotes provides a platform for compliance automation. Anecdotes collects data from 70 different sources like identity providers, security tools, collaboration software, ticketing, cloud infrastructure and enterprise resource systems to maintain a company’s compliance with various industry certifications and security programs (PCI, SOC 2, HIPAA, etc.). They too are based in Israel and recently raised a $25M Series A round. Anecdotes has landed a number of large customers as well, including TripActions, GitLab, JFrog, Fiverr and Unity.

The presenters from both Hunters and Anecdotes are the co-founders and CEOs of their respective companies. As the CEOs discussed their experiences with Snowflake, they made a number of interesting points. First, they outlined why they chose to run on Snowflake’s platform. They both agreed that the main driver was that Snowflake frees up their core team to focus on the part of their business where they have expertise (threat hunting and compliance). They thought it would be inefficient to build a new data platform from scratch. The Hunters CEO said they wanted to partner with “the best data platform out there”. This way, as start-ups, the companies could take advantage of Snowflake’s big data scale and high performance out of the box. Also, Snowflake’s operating volumes and pricing model enabled them to provide their customers with much higher data storage thresholds than they could have achieved on their own.

Another major reason that they like Snowflake’s approach has to do with the Data Cloud and maintaining control of customer data. The two partners shared that their customers increasingly like the idea that all of their data remains within Snowflake. Customers are less and less interested in shipping sensitive operational data to another destination for a security vendor to analyze. Log shipping and agent data collection are the typical deployment models for most security analytics services. In these cases, the customer’s data is copied out to the security vendor’s data platform. This creates two levels of impedance for the customer. First, they have another copy of their sensitive data within the security vendor’s environment. While most security vendors maintain secure environments, this does represent an additional risk. If the relationship ends, they also have to assume the vendor deletes all of their data. Second, the security vendor is incurring cost to maintain that data in their environment. This is an expense that they presumably pass back to the customer through their service fees.

In the Snowflake Powered By model, both of these architectural disadvantages are addressed. All source data remains within the Snowflake Data Cloud. In order for a security vendor to access a customer’s data, their application connects to the customer’s data directly within Snowflake. There is no streaming or copying the data out to another environment. Within Snowflake’s Data Cloud, the security vendor can aggregate the customer’s data with other sources, filter, analyze and model it – all to generate security events. Hunters asserts that threat hunting is made more effective with more data sources, often going beyond what is collected from data center infrastructure and applications. Some useful data sets for threat evaluation, like employee data, may not be shipped to a third-party security vendor for privacy reasons. However, on Snowflake, that employee data is likely already stored in the customer’s instance. Hunters can then access the employee data directly for security analytics within the Snowflake environment. There are no copies of it shipped elsewhere.

Hunters also claims that running on Snowflake allows them to place no limits on the amount of data that can be ingested. This is an important component of their service. Alternate data analytics platforms that charge by volume of data ingested inherently force the customer to limit the data sets that they might send to the security vendor. The Hunters CEO cited the example of a firewall log, which can be very noisy. Some customers will choose to only sample this data or ignore it completely. This filtering can limit the effectiveness of threat hunting by leaving out useful signals. Hunters offers unlimited TB/day of data ingestion and all storage is hot (versus being archived into cold storage and retrieved when needed).

Without these limits on data storage, Hunters claims that their customers have experienced a 3x increase in data retention. And, because they are leveraging Snowflake’s massive scale and just adding their security analytics tools and security expertise, they can operate very efficiently. Hunters asserts that their customers gain a 4x cost reduction over competitive SIEM solutions.

While this model is very powerful for Snowflake and the Powered By partners, it does operate best when the customer is already on the Snowflake platform. In that case, the on-boarding process is very straightforward, as it’s just a matter of granting permissions to the customer’s existing Snowflake instance. New customers can be brought onto the Snowflake platform, but that requires a data migration. Over time, I think these additional Powered By service offerings will increase the appeal of Snowflake for potential customers. More importantly, they make use of Snowflake even stickier. It is worth noting that Powered By partners are free to work with other data platforms in the same way. Hunters has mentioned plans to provide a similar solution on top of Databricks, when an application hosting capability is available.

Of course, the primary business driver for Snowflake from the Powered By program is to capture even more data processing workload spend. If Snowflake’s customers contract with other SIEM or compliance vendors for their security needs, those vendors would presumably be generating revenue from the data processing component of their solution. The Powered By program allows Snowflake to capture that portion of the external vendor’s revenue that would be applied to that vendor’s data infrastructure. Snowflake plans to repeat this model across multiple software categories, beyond cybersecurity. In a recent Protocol article, Snowflake’s head of cybersecurity strategy mentioned that they have plans to launch two more audience-specific workloads next year.

As another example in the media and advertising space, Snowflake recently invested in OpenAP, which provides ad targeting and placement for television networks. They centralize data activation on behalf of premium national TV publishers, bringing “efficiency and scale to audience-based campaigns.” Audiences are aggregated using the OpenID protocol. A sampling of participating publishers includes Disney, Fox, NBC Universal, Univision and A+E.

The OpenAP Data Hub is a technology solution that will provide advertisers with rich campaign data to power more effective and targeted campaigns. By building the OpenAP Data Hub on the Snowflake Media Data Cloud, OpenAP and its customers will take advantage of Snowflake’s Data Clean Room capabilities, which allow them to share data while keeping their customers’ personal information hidden. Being able to securely share data with another organization means they can find matches and better target individual users, while maintaining the anonymity of those users.

As with the cybersecurity use cases, aggregating, filtering and sharing these large data sets for media companies would presumably drive a lot of utilization of the Snowflake platform. This usage is outside of the normal enterprise-specific functions for data processing.

As the Powered By program continues to expand and participating companies keep growing their businesses, I would expect more Powered By program members to break into the $1M+ spending level in the future, increasing from the 9% share currently. This could help drive the next leg of Snowflake’s revenue growth, beyond their core data processing workloads for enterprise customers.

  • Peter Offringa, @StackInvesting