Powered by Snowflake: Why the Hunters Team Embraces a Connected App Model

My co-founder and I started Hunters in 2018 with a mission to revolutionize security operations. We designed the Hunters security operations center (SOC) platform to automatically identify threats, enable fast responses across the entire attack surface, and empower security teams to mitigate real threats and reduce security risk. 

Early in our development, Hunters established a strong partnership with Snowflake. We discovered firsthand the benefits of building on top of the Snowflake Data Cloud and becoming a Powered by Snowflake partner. If I said this partnership accelerated our growth trajectory, solution capabilities, and customer acquisition strategies, it would still understate the importance of the relationship. 

Here’s why every SaaS provider should consider adopting the connected app model.

In 2019, Snowflake became one of Hunters’ first customers. As a startup, we did what our new customer required and integrated with Snowflake, which turned out to be a pivotal decision. It wasn’t long before the Snowflake security team came to us with a challenge: Could we provide the ability to detect and respond to advanced threats in their cloud environments (AWS, Azure, Google Cloud)?

The answer came during an aggressive “red team exercise” staged by Snowflake. The purpose of the fire drill was to conduct an advanced security assessment of Hunters and other security solutions. As part of the exercise, the red team simulated actions such as stealing employee credentials, accessing the cloud environments, and touching customer data. 

Remarkably, Hunters was the only SaaS provider to uncover these malicious actions. Thanks to our integration with Snowflake, we demonstrated the full value of our solution, impressed the Snowflake security team, and solidified our nascent partnership. In addition, two important realizations came out of this exercise:

• 1. Snowflake’s security team determined that Hunters’ SOC platform could provide the ability to engineer domain expertise into its environment automatically. This capability was viewed as an important accelerator to support Snowflake’s business expansion.

• 2. Both companies recognized that the security needs of Snowflake are similar to those of many Snowflake customers, and the benefits Hunters provides could be replicated for these customers.

This second realization was the driving force behind a new vision for deploying our product. Both teams saw that, in the same way Snowflake separates data compute from data storage, Hunters could separate where security data is stored from where security data is analyzed.

It makes sense, right? Hunters is a security company, not a data company. There’s no reason for us to collect security data and create another data silo for the customer. Instead, why not sit on top of Snowflake and use the Data Cloud to access customers’ data? 

Thus was born the connected application model where customers maintain control of their data in a single location (Snowflake) and grant SaaS providers access. This is a different approach from a traditional “managed app” where SaaS providers create application data that is stored and processed in the SaaS provider’s own data platform, which can make it difficult for customers to govern, analyze, and access data.

We realized what a strong go-to-market strategy the connected app would be for Hunters, for Snowflake, and for customers—and we were right. There was an immediate understanding and appreciation of the connected app model and how it eliminates the challenges of security data silos.

Learn more about Hunters: Watch the Powered by Snowflake episode featuring CEO Uri May.

Today, Hunters’ customer base is split between connected app customers and managed app customers (where we host the customer’s data in Snowflake). However, momentum is clearly moving toward the connected app model. It’s a much stronger position for SaaS providers for two important reasons: data infrastructure costs and ease of management and deployment.

When customers maintain control over their own data, cost of goods sold (COGS) is lower for SaaS providers because data storage and analytics are located within the customer’s Snowflake instance. That means margins improve for SaaS providers, and it’s faster and easier to onboard new customers who already use Snowflake’s Data Cloud. 

For SaaS providers that rely on enormous amounts of data and require data retention and long time horizons, you also benefit from Snowflake features such as performance, scale, and cost. Big and expensive data sets may have been prohibitive in the past, but they can now be stored and analyzed with ease within the customer’s instance.

For a company such as Hunters, this capability is transformative, as the only way to build a strong security posture is to load, analyze, and store data for long periods of time. We can now help CISOs who need visibility into what’s happening year after year. Otherwise, companies find themselves paying security providers increasing amounts of money (sometimes 25-35% more each year!) because their data environments keep growing. In essence, they’re paying more each year for the same security job, all due to the costs associated with siloed security data. 

With the connected app model, the vendor doesn’t need to worry about how much data the customer is storing because those ingestion and storage costs are not part of our pricing. Customers pay for using the solution, not for data. That means solution pricing can remain more stable over time, even as data usage increases, which is very attractive to CIOs. 

Another benefit we discovered lies in the fact that both Snowflake and Hunters are SaaS providers. This commonality equates to ease of management and deployment, which can be illustrated by three Hunters examples:

• 1. For Snowflake customers, adopting Hunters SOC is as easy as clicking on a tile in the Snowflake console and automatically spinning up a trial account. Snowflake has removed barriers, making it easy and seamless for us to acquire new customers.

• 2. Hunters recently announced a new offering, Security ETL for Snowflake, that helps customers load on-premises security data into the Snowflake platform through an ETL we built specifically for security data sources. It addresses the lack of standardization across security data and represents a robust and unique ingestion engine. Security ETL for Snowflake will not only help customers solve data retention issues for security data, but it will also enable Hunters to deliver stronger analysis by including historical data, which is often siloed and expensive to keep. Included with this release is a new feature set called self-serve ingestion (SSI), which gives Snowflake customers the ability to integrate existing security products by themselves. This level of self-service and ease can only happen when SaaS companies integrate tightly and work in a collaborative way.

• 3. In part, we built our ETL to support Snowflake sellers, who can use it to drive engagement with customers and sell Hunters on their own—without any involvement from Hunters. This ease of customer acquisition demonstrates a true partnership model. Snowflake benefits from its customers consuming credits in Snowflake while using Hunters, and Hunters benefits from bringing on new customers without any deal coordination or pain.

Regardless of what SaaS solution you provide, the connected app model presents many advantages for Snowflake customers. Here are three benefits Hunters has discovered, from which it’s easy to extrapolate and see the value for any customer or SaaS provider:

• 1. Data control: Customers want all of their data in a single accessible location. With the connected app model, customers maintain complete control over their own data and determine data retention timelines. In addition, customers only pay for storage once with Snowflake, rather than paying SaaS providers to store siloed data.

Because Snowflake’s data architecture separates data storage and compute, customers can store and process more data while paying less. This benefit for customers is also a benefit for SaaS providers, who can tap into customers’ full data sets (as needed and allowed) to deliver stronger data-driven solutions. 

• 2. 80/20 principle: Depending on your solution, chances are about 80% of your functionality is shared across customers and can be standardized, and only 20% needs attention or customization. 

Using security as an example, we believe most cyber threats are shared across customers, rather than being unique to a particular environment. Hunters enjoys economies of scale because we run a multi-tenant environment where we can build rules, tune and test across environments, and automatically deploy analytics into every customer’s environment.

From a customer perspective, this provider capability shortens the time to respond and reduces total cost of ownership because there’s no need to keep implementing and spending money on professional services. Most importantly, it gives security teams the ability to focus on the threat vectors that are unique to their environment. 

• 3. Aggregated results: The third benefit is found in leveraging data for aggregated analytics and providing real value-add for customers.

For example, some companies use between 25 and 80 different security tools to cover the entire attack surface. One of the biggest challenges an SOC analyst faces is figuring out how to fuse everything together into something that makes sense. 

At Hunters, we call it “automatic investigation.” By leveraging all the data collected in Snowflake, we correlate signals and entities across the entire attack surface. This process powers our analytical capabilities and graph technologies for all customers. What would normally appear noisy is correlated into a high-fidelity story. As a result, analysts have more visibility and detection capabilities. They understand the root cause and blast radius by looking at an incident rather than single point alerts. 

Of course, the more data there is in Snowflake, the more analytics we generate automatically, which leads to more interesting graphs and better security stories. And the more customers we have, the better that story becomes. Without a system like Snowflake, there would be no way to build and use collective knowledge and learning, which ultimately benefits customers the most. 

Recently, a joint Snowflake and Hunters customer, TripActions, highlighted the importance of aligning their security operations to their data lake, thereby modernizing their SOC. With Hunters, powered by Snowflake, their team was able to understand exactly what was happening in the network, and better use their time and resources on the threats that mattered most.

The Powered by Snowflake program is designed to help organizations build, market, and operate applications in the Data Cloud, but that’s only the beginning. In our experience, being a Powered by Snowflake partner brings an unparalleled level of collaboration and support. 

For starters, Hunters entered a highly competitive security market. Our ability to operate in that market, penetrate it, and cut through the noise was accelerated by the support we received from Snowflake. In a very fast and efficient way, Snowflake put us in front of high-profile customers, CISOs, and security teams, and we managed to replace big brand names and become the main security platform.

That’s because the sales cycle through Snowflake and the connected app model is approximately 20-30% faster than our normal go-to-market. Customers come with a stronger buying intent and already understand the benefits of the Snowflake platform, which makes it much easier for us to take them through the sales journey. 

As a startup, it was incredible to work with Snowflake as design partners and pioneer the new go-to-market strategy for connected apps. We discovered one of the great things about Snowflake: the people. Everyone was ready to innovate and work together creatively, and we accomplished in months what could easily have taken years. In a similar vein, the Snowflake security team continues to collaborate with us. For example, as they harden their Kubernetes stack, we are working together to study how advanced attackers target this kind of environment and to develop analytics in Snowflake that automatically detect and correlate it with other environments.

The Powered by Snowflake program provides marketing support and works with us on blog posts, video series, interviews, and conferences such as Snowflake Summit. It delivers an ecosystem where we can network, collaborate, solve problems together, build alliances, and discover opportunities to work with other Snowflake partners. 

When entrepreneurs come to me for guidance, I always tell them to look at partnering with Snowflake. However, I add the caveat that it’s important to ensure business alignment around three pillars: consumption, integration, and value.

Ideally, you create this perfect triangle between happy customers who receive strong value, good fundamentals and strong integration capabilities as a company, and the ability to generate and drive consumption. If you build a SaaS solution that speaks to all three, you’ll be on the right path to truly benefit from a strong partnership with Snowflake.