On today’s episode of Startups On Demand, I am joined by Udi Cohen, CEO and Co-Founder of Vendict – an Israel-based technology startup that leverages the latest advancements in linguistic generative AI to power security compliance teams. We talk about how they do “generative AI for real,” solve the unsolvable, and the network effect for technology buyers and sellers.
Omri: Thank you for joining me, Udi! Firstly, you guys are very central to the Israeli ecosystem and have very prominent backing by NFX, which is probably the largest seed backer in Israel and the United States. Let’s start with this: tell me a little bit about how that investment came through.
Udi: Our story is a lot about network effect, which they are experts in, because we are solving the same problem for both the technology buyers and the technology sellers – I will speak more about it later. But they are very much into that and also they looked for the right teams to do generative AI for real. As you know, everyone speaks about generative AI, every startup in every deck, but we – the founder, the founding team, and the first employees – are all either AI or GRC experts, which is the domain we are targeting. So even before the boom of generative AI, we were very much focused on this use case.
Omri: You just mentioned “generative AI for real.” What does that mean? And how does it make you guys different?
Udi: So first of all, the first tip I would like to give you if you want to see whether a company is really “AI first” and working hard on their own AI is to look for data scientists: do they have data scientists in the company or not? In our case, both me and my co-founder are data scientists and we have more data scientists than software developers.
You can also see it in the product. For example, Siri. It’s not just that they are saying, “Okay let’s take the regular operating system of the iPhone and just add voice understanding.” If it was this way, you would start by saying “Take me to the navigation application,” “Take me to the search,” or “Now look for my home, then navigate.” But you are not doing that, right? You don’t say “I open the navigation.” You just say “Siri take me home,” or “Siri I want to buy this and that.” And the interface itself is different. It’s typically simpler, and more intuitive, and this is also what we are doing. It’s not solving the same problem in the same way with a little bit better technology. It’s solving a problem that until now was not solvable.
It was just a lie. The TPRM (third-party risk management) people, like CISOs, security officers, GRC, and risk managers, all knew that when they were saying “yes, we do it,” they weren’t really, because if you think about a large company, they have thousands of third parties to analyze the risk of each, like assessing their own risk. So let’s say if they have 20 security employees to assess their own, and you have 1,000 third parties, you would need 20,000 security people for just assessing the third parties. That’s not doable. They will probably have one if they have 20 to assess their own. They will have one or two people to assess all of the third parties, so of course it’s not doable.
But on the other end, you cannot just ignore any innovation. You do need to work with technology vendors, so companies today either compromise or choose between absorbing innovation and developing new tools, working with more third parties, etc., or managing the risk. So you can see some companies that just don’t have innovation. I spoke with the head of security of a large bank and he told me, “I know that we are dying slowly and everyone knows that, but we cannot just work with AI. We cannot work with new technology vendors.” And we know that there will be other types of banks that are born in the cloud that will win them someday. And other companies just say, “We need to innovate.”
Omri: Can you talk more about the complexity of the security and compliance space?
Udi: This is something that is completely ignored today. It is one thing to assess the third parties, but there are also the fourth parties and the entire technology supply chain. This is where it becomes really non-feasible: even if you hire those 20,000 employees, in the end, you will need to assess every tech vendor in the world and make sure that they meet all the regulations that you need to meet.
Each company needs to assess different things, so this is why it’s the only way to solve it for real: to use a generative AI that can actually master the language of security compliance, which is a very complex language. You need to understand security, you need to understand technology, but also compliance, legal, finance even. It’s a very difficult language to master, and at the end of the day, when it’s done manually, it’s done by very important people in the organization. Those people can really bridge the gap between technology and legal and compliance. This is a problem for the technology buyer and the technology seller.
Today, everyone knows the capability of AI. Everyone tried ChatGPT and other tools, so the technology is there. What we are doing is adding the surrounding technology to enable the full pipeline so that it will not be just calling LLM. For example, one of the important things we are doing is, once we get the documents of a company, whether it’s audit reports, policies, evidence, or security questionnaires they filled out in the past, we can take all of this information and instantly understand the risk posture and risk program of this company. So this is completely around our own AI pipeline.
The goal is – and this is also a recommendation for any founder of an AI company – you need to think about the problem you want to solve, then think about the ideal solution, and then see whether the solution is all AI or all LLM, is it all proprietary AI, or is it something in the middle. Try to think about the best approach. After you understand what it should look like, you should be able to develop the missing parts in the pipeline in order to bring real value.
Omri: What does your business model look like?
Udi: In the end, if we think about this problem, it’s painful for both the technology buyer and the technology seller. We have spoken with far too many technology buyers who need to choose between innovation and risk management, but there is also the technology seller. Now, 65% of technology providers speak about security compliance as a major growth barrier because they not only need to be able to respond to questionnaires but also to audits. There are different gates to different markets and some companies will send you 1,500 questionnaires, and most companies cannot deal with that. They just say, “Okay, we lose anyway to a more mature company.”
So, we are helping both sides. We are helping the technology seller to respond to the most complicated questionnaires in a day and to pass the most difficult audits. And instead of spending a year doing it, you can do it in a month. But we also help the buyer to analyze the third party much faster, much better, and independently of the technology seller. So in the end, we are adding the value for both and it’s enough that one of them, either the buyer or the seller, uses Vendict for both of them to get the value. It allows us to give more competitive prices because, in the end, we have this network effect.
Some companies, if you get a questionnaire from them, it will take you months to manually answer. If you get it via the Vendict platform, it will only take you 2 days, because Vendict takes the information you already have and just auto-completes the questionnaire based on that.
Omri: How do you handle the stress of being an entrepreneur?
Udi: I try to combine my free time with sports, family, and friends so I can do many things at the same time like riding the bicycle with my kids. I try to get enough family time and enough sports in the little free time that I have. In the end, as long as you enjoy that, it’s manageable.