From YouTube: Growth team & Sec Section brainstorming
Description
PM members from Growth, Secure, and Protect discuss features and upcoming initiatives to identify new opportunities for growth experiments. Keep unlisted as this discusses some forward-looking strategic items that may not be public.
A
Cool, so I'll go ahead and kick it off with just a quick reason behind setting this meeting up. I was chatting with Hila, I guess it was maybe a week ago, two weeks ago, on Slack, her and Sam A, and realizing that security, they ran a test, and that was a really big driver for something like upsell and conversion.
A
So that's why our respective teams are here, and I thought we could just start by, start with the Growth team talking about any other, like, maybe large, relevant initiatives that you have planned for the rest of the year, and then, if you could also give a quick recap of any other Secure- or Protect-related tests or performance results. The one that caught my interest, selfishly, was one of mine around security dashboards.
A
Ideally, we can show visually some of the different pieces. If that's cool, I'm happy to go first. I put my name kind of towards the end there, but I can jump to the front. But yeah, just so we can kind of show off things that the Growth team may not be aware of that we've got in the product, and then we'll leave the rest for brainstorming.
B
What if Sam joins later, he probably has some more specific experiments he can share as well. So Growth team has been focused on kind of the new user experience, and our primary goal is to drive free-to-paid conversion among all the new users within their first 90 days, and there are a couple kind of streams of work. One is, Sam's team has been primarily focused on trial experience because trial.
B
We will work on a lot of experiments trying to highlight what are the paid features you have used and try to guide people to those better paid features, and a lot of the experiments like Sam has planned will be around if you use a feature, a free version of a particular feature.
B
How we can capture that, maybe guide you to use the better paid version, so that's one potential. And if we saw you use certain, like, Secure features, free versions, how do we make sure we guide you to the right place, rather than you have to explore on your own. So understanding from your team what are the possible opportunities, right? What if there is a free version of this, there is a better version in paid, that's very helpful. Also, what are some potential contexts?
B
We can upsell about free features of paid features. For example, if you run pipeline or something, is there a right moment we actually talk about security in that? So that will be something really helpful for our team. And then Mike and Jensen and their teams will be focused on new user onboarding. They actually are specifically going to drive some feature adoption.
B
One thing we are working on is, so in terms of real estate, we are working on the overall sign-up flow, the trial flow. We are also working on some persistent onboarding experience after you finish the initial, more structured sign-up flow or trial flow. So basically in the product, if you are beginning to explore, what are the zero page experience? The first time you go to the Secure tab, the first time you go to the Verify tab.
B
How do we get you started, and also some sort of like a checklist or very new-user-focused onboarding experience to try to understand what you are here for, that your job to be done, and guide you through a list of tasks to walk you through that. Mike, you can add more. I'm sure you have more kind of details on that.
C
Thank you. I think you did a great job covering everything there. So yeah, kind of what he was saying. We think about the new user experience is kind of the first mile, we call it, is your initial, like, first couple minutes, the account setup, if you will. So get your group created, get through the initial flow, and then you're in the product. And then from there we're exploring this continuous onboarding, which is kind of more of this checklist, which is, you know, we're gonna start MVC.
C
But ultimately you can see an experience where I come to GitLab, I say why I'm here, what I'm interested in learning more, and then I get a customized kind of like, okay, you said this, so here's what you should do and here's the things you should experience. It's gonna take a while to get to a full-fledged solution there, but that's kind of the structure and the framework we're thinking of. In terms of things we're doing related to Secure.
C
So Jensen is the one working to drive Verify. He's out on parental leave for the next few months, so I'm helping to cover for his work there, but he already has plans in which to try to introduce users to Verify via a SAST template. So this is where there's kind of some overlap, I think, with Verify as well as aspects of Secure. So that's, I think, another opportunity if we can drive people into experiencing more of those stages.
C
Ultimately, I think, you know, one thing we're trying to do is get people to experience more stages as an organization. That spell metric that we have is very interesting, and I think that that is kind of the value of GitLab, is, you know, more than just one point solution. It's all the solutions underneath, you know, a single umbrella, and if we can get you to experience that early and how those stages work in concert with each other, that's kind of the aha moment.
A
Cool, well, thanks Mike and Gila. Were there any other, so you mentioned trying to introduce users to Verify via SAST templates, and then what kind of triggered this for me was, I guess, showing users the, I think it was the security dashboards in particular. I may have the exact test wrong, but it was something around the dashboards or, if that's where users sort of landed first, making sure that they returned to that. Have there been any other security-related tests so far, or is that kind of the extent of it? I think Sam? So Sam.
C
Owezek has done a couple, I think, related to Secure. There was, I think, one around kind of expressing interest in the feature, and then that lettings- I don't know the exact details of the two that he had, but I think that's what initiated this conversation, so hopefully he can jump in or provide a little more color than later. I don't have a ton of info on those specific tests, unfortunately.
C
I think in general, in Growth, we're kind of just starting to scratch the surface on a few of these things, and we're starting to see some promising areas, and like we're digging in a little deeper on them. But you know, we're still, I think, getting to a good rhythm of getting experiments launched and analyzing.
D
So right now the main things that you can see, I've got a Security tab is right here. Here we go. So in this MR, this is a test project that I did for a demo Unfiltered blog post.
D
Basically, all I did was add the dependency scanning default template to my test Ruby on Rails project, which is the default starter project template. When you are starting up a new project, you can pick from the templates, and then I added the default template, ran it, and out of the box it said that there were four criticals and 14 high findings with my dependencies. So really where somebody using Ultimate is gonna see my stuff is here, and then also here, and then on Matt's dashboards.
D
You need to merge this merge request in to see it on the dependency list page, which, let me go see if it's over on the dependency list page, because I don't think, yeah, here we go. So this is kind of what we've been saying is as close to we have as an SBOM, and it tells you what dependencies are in your project, and we sort by vulnerable stuff first. And so between the dashboard and here, this is the value that people get out of my dependency scanning and license scanning, because license compliance.
D
We basically have the same list. Well, I didn't run a license scanning job, but it's the same list as dependencies, except it tells you if you're using permissible stuff or not. But people don't run these because they are going to get perceived value out of it. They run it because they have to, because their security team has said we're not going to allow criticals.
D
So, even if they do set this up, unless you can get them to the merge request approvals, it's not going to do what the customer wants, and that's actually the number one question. We've been steadily trying to improve merge request approvals for a little bit now, but obviously that's owned outside my team. So we do what we can where we can, because I don't own it.
D
So I like the idea of you having that, you're talking about that checklist, because if people are interested in security and compliance or enforcing internal policies, if you could walk them through like, okay, do you want to have dependency, SAST, you know, whatever types of scans, check these, we'll put in the default templates. By the way, now you need to set up your merge request approvals, and now put whatever security people or manager people have to sign off to exceptions. That will get them kind of to, like, the baby steps of being compliant.
C
Work. But I know I'm jumping into brainstorming, but I can't help it. I wonder if there's something there that we could kind of expose that these vulnerabilities exist, but maybe not give you all the details underneath it. It's like, I use Grammarly.
C
I don't know if you're familiar with it, but like they have the kind of basic, like, you spelled this wrong, or this is, you know, grammatically incorrect, but then they have some other premier features or premium features that around like tone and word choice, and I always see like I have four or five things, but I can't actually see what they are, and I haven't ponied up and paid yet. But I wonder there's something like that that we could potentially introduce, or even have as like a top-of-the-funnel entry point into GitLab.
D
We would have to have that discussion, probably with Sid, because Gemnasium was an acquisition, and so up to this point everyone has been super reluctant to give any of it away for free for kind of two reasons. One, because, you know, it's internal IP, and really once we generate that artifact file, even if the UI only exposes a little bit, the customer has all the information, like there's whatever secret thing.
D
If you're trying to show it to free people, it's got to be able to be seen at that lower level. Although the upgrades only work in EE, don't, yeah.
D
Right, the problem is that we've been trying to keep CE and Core equal. So if something is available in Core, it should also be available in CE, just because otherwise you start having a disparity and then it's confusing to explain to customers, like, oh well, you don't have that because you're in CE, not EE. But if we're doing it like as a small experiment, we might be able to get away with something like that.
E
Too. So on this note, this is where all of the things that I've been working on come in, and I'll give you a quick sort of like where we're at with it, because we just gave up last week, basically. As Nicole, this explained, we're basically not focusing on the foster use case at all. This is EE specifically, which does get us .com, given it's an EE-licensed instance.
E
So I realize you all probably haven't seen a full end-to-end demo of all the stuff that SAST has been working on. So let me give you a demo of what that looks like with a Core account running on .com.
E
Okay, so we've got here a free .com account. Just to prove that I can start an Ultimate trial, so I'm on .com. As you can see, this is just a free project that is public, open to the internet. I'll start by going to the security clients page. You'll notice it's this menu item now shows. When you click it, you get a call to action for audit events. This, actually, I think, is the first thing that I would recommend you all to change.
E
This should talk about security tools, not audit events. But if we go over to the configuration tab, you'll see that we've now got a configuration experience that explains to you that you have access to SAST and that you can configure it via a merge request. We also push you into the documentation pages for all of the various scan types. We also have upgrade messaging available. If I try to go to this upgrade message, we direct you to a discover page. I know you all have been looking at some of these issues.
E
Basically, this is just our, here's some contextualized information about what Ultimate and security tools we have, trying to push you to upgrade. We use this in a few other places, but this is a page that's available now, slash discover. It's a little hard to build the URL, because you have to be in the context of a project, which maybe is something that you all want to change, but, no, we've got this page now to kind of give that sort of guided experience about why you might want to upgrade.
E
So that's the configuration page. I'll just note we are working on trying to get a configuration MR button for secret detection. So, from my perspective, SAST and secret detection are the, what's the word I want, it's the gateway into Ultimate, because we have SAST and secret detection available to all customers. So I would recommend any sort of growth or upgrade opportunities to be through the lens of SAST and secret detection. So, okay, let's pretend that we went and configured this real fast. It'll open with the setting the default templates.
E
If you're an Ultimate experience, you get a whole guided experience where you can change variables and all of that. Once you merge that merge request, you'll then start getting security scans running. This is what this looks like now in Core. Will tell you that the scan has run. You don't get any of the nice information or inline details about it. You just get to be able to download your JSON reports, and these are our available SAST and secret detection scanners.
E
I will note that there is one improvement we're making to this, to bring you the colorized counts. This has been a whole journey trying to get this enabled. It is built, we're just trying to get it enabled. But this is what this looks like. If you click this little i, we actually try to promote upgrading to manage vulnerabilities.
E
This "learn more" goes to that same discover page as I mentioned earlier, so that you can see contextualized information about why you might want to upgrade. So this is the first time that we've done any type of upgrade experience inline, but it's hinged on the fact that you need to have security scans running, which means you need to be able to get to that compliance.
E
Configuration, security configuration page. So to me, this is the main page that you all should focus getting people to, to sort of start that whole experience. Just try SAST and secret detection, because it's free for everyone, and then, if you like it, upgrade to get that additional experience and additional scan types.
B
Yeah, and then the, do you think, I'm just, yeah, this is probably brainstorming as well. Do you think approach where maybe we don't show all of this, we start from only SAST and secret, and try to get everyone to do that, and then maybe in somewhere next we show all the other options. Will that be better or worse?
E
Really complicatedly fast, this page things and Ultimate too, so there's stuff here that is not exposed in the Core edition. So there's a lot of logic on this page. We did exper- one route where what we could do is when you click security and compliance, we land you on the discover page and there's just sort of a call to action for you to go and configure that. That's kind of reversing what we've got today. I actually, I think this would be a really strong.
D
Be. So just a note, we technically got approval for everything based on open source to become available for free, but just like SAST, where you're just getting the artifact. So we're giving you all the information, but we're not giving you a pretty dashboard and we're not giving you the standalone vulnerabilities to make management and triage easy. And so the Gemnasium, like I said, is not open source, that's proprietary. Some of the fuzzing stuff is proprietary, but a lot of the other stuff we're using today is open source.
D
It's just that, as Taylor found, it's more work than expected, and I think all of us just don't have engineering time right now. If we suddenly got maybe somebody to help out, that could accelerate, if you wanted to do something around that. But just kind of for context around everyone's stuff, we do have approval, I think, right now for the open source stuff to be as free as we want it to, if we get engineering time.
E
The only other thing I would mention is that from a helping users understand what they've got access to, it's a little bit of a story, and I think that's where any type of growth or upgrade experience could help sort of put those breadcrumbs along the way. I get asked for this specific page a lot in sales calls and with customers.
B
Yeah, I have a quick question. This is kind of maybe more beginner type of question. So for SAST and secret, can we do something what Mike suggested, like can we expose that you already have this number of issues or vulnerabilities?
E
Yes, we've built that. Like I said, we're having some trouble getting that colorization text enabled for .com, but that is actually built. Again, you still need to have security reports running, which, you've got to get them configured first. Yeah. We don't just run that in the background and always have that data. That's something that you have to enable and has to run via your CI.
E
Something that Sid has been interested in was allowing everyone to have access to secret detection for free, on by default, and we just eat the cost of the runner minutes, because secret detection is pretty fast. With that said, there's a lot of work that would need to happen to make that happen. So.
B
That's that, and a related question is, does, so what we saw in the data is actually early on there are users or namespaces setting up Secure, but the just absolute number is really small. So based on this, are the main users interested in seeing all of this mainly only secure and compliance person, not everyday developers? Like, who should be our audience if we try to upsell those features or showcase those features? Is that.
D
It would, I think it depends. For secrets, I think everyone's interested. Like even a regular everyday developer who's working on a personal project or an open source project or whatever, everyone wants to know if they've leaked secrets. That's like the thing I think everyone can get behind, is did I include a secret.
G
Yeah, I was gonna say, I think that it really, like for SAST, you know, you're gonna get a lot more of the developer personas, I think, and probably for like dependency scanning as well. One thing to think about with Secure is that you really have two sides of things: you've got the side that is scanning static code, so SAST, dependency scanning, the fuzzing.
G
I can't remember exactly what they call it for the static code fuzzing, but so you've got that side, and then you've got the side that's scanning or dealing with running applications, so DAST and API fuzzing, and then that also gets into the Protect stuff with Sam White's stuff, and that a lot of times appeals more towards the security and compliance personas.
G
DAST can appeal somewhat to developers, but my research and talking to developers and security people is that developers typically don't run DAST scans. So it really depends on what area within security you're talking about, and even like with DAST, the CI/CD scans, maybe we're trying to get more into the developer personas, but the on-demand scans, which is configured completely differently, is gonna definitely be more interesting to security and compliance personas. So it's kind of split between the different functionalities.
D
I also think that it kind of splits, like you could even have quality people interested in DAST and fuzzing, for example. So I think first off it depends on who the person is. Do they wear multiple hats? Because if they're responsible for quality and development, because it's a small team, you know, test-driven development, they may be very interested in the fuzzing and the DAST, or, if they're very security conscious.
D
They may be interested in all the things. They may be interested in security because it will get security off their back, and they know the security team keeps saying we're gonna buy this stuff and integrate it in, and they might see this as a way to be like, oh look, we've already got this, please leave us alone. So I think, depending the way that you pitch it, you could attract a developer depending how many hats they're wearing, but exactly like Derek said.
B
We should begin to focus on, is the typical path everyday developer, like, are interested using some of the general features and they pitch to the security person, or the more typical paths or how people buy is there is a security need or security team already, and they really want to buy the more advanced ones, and that's how they get started, become a paying customer.
G
Yeah, I think, I mean anybody else can correct me if they have a different view. I agree with Taylor that what we've seen is that SAST and secret detection tend to be sort of the entry point. Since GitLab is a developer-focused product, you're gonna get a lot of developer interest in that, and then, you know, as we've updated our marketing and kind of got the sales teams to focus more on security.
G
There has been a little bit more interest in some of the security teams looking at DAST or compliance or things like that first, but I would say in general your static code scanning, between dependency scanning, SAST, secret detection, that's going to be the main entry point for Secure for most GitLab customers, in mind. Yeah.
D
If I had a magic wand and Taylor had 100 more developers, my wish would be like, as somebody is going in and setting up a project, kind of like you were saying, there was like a checklist or questions or something. Like you're setting up the project, and right next to the project it would say: hey, by the way, did you know as a free user you can get secret detection and SAST and make sure that your code or your open source project or whatever is more secure, and at higher levels.
D
You can get more features, and just, like, just leave it at that. And once you get them to run that first thing, then suddenly, like, have a thing of like, by the way, you know, does your security department want you to integrate all these other things in? You know, you can tell them like we've got these and you could just turn them on and you don't have to do any of the work of integrating it in. So like once they, kind of the first-one's-free type situation, run.
D
That, saw how easy it was to get it in their pipeline, like have some kind of nice little hint to the side, like, by the way, we see you're running SAST and secrets. We've got these other security things. If your security team or you or whatever's interested, you can test them out with a free trial and see how easy they are. That would be kind of my pitch to most users.
G
And we've been obviously focusing on the Secure side of things, because, you know, that's where what we've been talking about, but yeah, I, Sam, you can correct me, but I feel like maybe for Protect this is also very different, and that things follow a completely different path.
F
Yeah, I mean, Protect is complicated, right. Like we've got a lot of different stuff in Protect. At the moment, we've got sort of the original side of things that used to be Defend, which is protecting applications in a production environment, and for that we have container network and container host security. But we also have container scanning, and at the moment that's done in the pipeline, so that part is much more in line with everything that we've been talking about with Secure.
F
So Protect is a little bit of a complicated space, and I guess, like, the users that would be targeting, it's not, it depends on which part of Protect you're talking about. Taking care of the production-side applications, like securing applications while they're running in production, that usually falls on a SecOps team, which is not a persona that we typically have as a user of GitLab today. They're different from the application security users that review the scan results, and so it's really a net new persona for us.
F
For the most part. There are exceptions in smaller organizations where you have one person wearing multiple hats, but like in larger organizations, that would be a new person for us entirely. And that one's really tricky to run experiments against too, because we do have both container network and host security in Core, but there's no UI around that at all. It's all set up to GitLab Managed Apps v2, and it's new enough that, again, the Core experience has no UI. So you go into your config file.
F
Your YAML file, and you add in, you know, to turn on these capabilities, and then we go install it into your production cluster. And then you go edit some more YAML to define what policies you want to apply there. So the experience in Core is a little bit tricky. I'm not sure where or how you might prompt them to even start to adopt that right now, and, you know, or where you might suggest that they upgrade to Ultimate. I mean, I guess you could, as they're editing their YAML file.
F
If you see those, you would have to like parse it and look for the text in there, and if they were already using it, then you might suggest that they upgrade to Ultimate to get a better editing experience. But there's not a lot. It's not really UI driven at the moment. In Ultimate we do have a UI that is a little bit easier to use, but again that's all gated behind Ultimate.
C
Experiments. Sam, I'm wondering, you mentioned there is a UI in Ultimate. Would we ever consider an experiment that is kind of leveraging that UI, but maybe locking it down a little bit, or, so I don't know what the UI looks like, so it's hard for me to really visualize it, but is that something that you've thought about at all as a way to just increase visibility and overall, like, top of the funnel.
F
Maybe. I'm really hesitant to move that UI down to Core, because that's a pretty big value add that we've been invested in a lot. You know, that's kind of a big part of the selling story there, but let me pull up.
F
I guess potentially you could let them see this, but then not let them see any details of the alert. I would go over, but, you know, we could potentially like bring this down to Core and just let them get the list of alerts with no additional information or something like that.
C
Yeah, and something like that. I think the tricky thing, which I think you're getting at, is like: how can we do this in a way where we're not upsetting the users, ultimately? Because, hey, you know, there's a vulnerability in my code, but you're keeping it hostage for me without forcing me to pay you. It's like kind of extraordinary. So it's a very fine line to do this well and not have it be perceived as like a money grab. Have.
D
Yeah, because I'm actually thinking for at least some of Sam White's stuff, like having a short little video on a lander page could be a simple thing where we're not scanning their code and, like you said, holding data hostage, because you're right, that's not gonna go over well. But I'm just wondering if we have some opportunities to, I think that would be relatively cheap to record that and put it in a page somewhere and just be like.
F
But to detect that we would have to parse out their, I forget which YAML file exactly, it's the one that configures GitLab Managed Apps version two.
C
Yeah, I guess that the trick would be where to show the video, right, where and to whom. But I like, I think that's a, it's a great idea to think about leveraging video content, Nicole, instead of trying to do heavy engineering lifts to move things down, just to keep them gated.
F
But yeah, it would be in the .gitlab/managed-app/config.yml. We'd be looking for either Cilium installed true, actually, that's probably the one we would start with. There are other things we could look for in the future, but that's probably the best starting spot. So we'd have to see if they had Cilium set to install true, and if they were on a Core or free plan, then that might be a prompter for some sort of a video to show the potential for an improved experience.
F
Project, and in the, assuming they're using Auto DevOps, so they would have to be using Auto DevOps, you go to the .gitlab folder, slash auto-deploy-values.yaml, and then they would manually put in their network policy and YAML here. So it's not a great experience. They have to know how to write a network policy, first of all, because there's no guidance here. But we, I mean, I don't know if it would be too intrusive or if it would be perceived as an ad to have like, hey.
F
You know, watch a video, like, see what you could get in Ultimate, some sort of a link up here. But it would be like when they're editing this file would probably be the best thing. Otherwise it would just be, like, in an email might be the other way to do it. Like I get emails from my mortgage company that says: hey, watch a personalized video based on your mortgage. You know, we might do something like that.
C
We could probably just try a campaign, like basically identify all those that have that configuration in the CI file, and then pull that list, create a one-time email and see, you know, what percent of folks we can get to adopt the higher tiers, and decide: is this an automated thing we should have sent every week on a certain date and just collect everyone from the previous week that set up their YAML file that way.
F
Yeah, that sounds like probably the easiest and best first step here, and there's more we could potentially do later. We're working to allow our policy editor to work for, like, requiring scans to run, but that's on the map. So that might be a topic we revisit in a few months.
A
Well, quick time check, so we've got, I think, less than 10 minutes left here. Did anybody else have anything they wanted to show before, I wanted to run through a couple of my things.
A
All right, so vulnerability management is, we do have a lot of the UI components that, this is where you're going to see a lot of the information. So we already looked at the merge request, so we do have something in Core there, which is nice. Right now the experience is you do get a little bit more in Ultimate. You can actually see the individual reports.
A
I thought the pipeline might be an interesting place to add a hook, and Mike, it was something you had mentioned, that when people end up going to the pipeline to check out, you know, maybe they're just looking at their configuration or job or something, the Security tab only appears for those in Ultimate. This may be a place where you can call it out and then put some sort of a very similar CTA.
A
This is a, I don't think that there's really a lot that we could do to cut this back, because otherwise it would be effectively duplicative of what Taylor was already added on the MR. So by showing them all the vulnerability details, this is the, you know, the premium functionality. The step back is you would get the same JSONs that came from the last pipeline run in the MR, but this was kind of one of the main areas that I thought would be an interesting CPA for the pipeline interaction.
A
Interestingly enough, some of my data shows that only about five to ten percent of people that land on the Security tab do not come from the MR. So on the MR, when you say I want to view the full report, it actually takes you here. So Ultimate customer-wise, at least on .com, that's where the majority of traffic to this is. So even just exposing its existence would be, I think, interesting.
C
A
The same limitations as the MR, so you have to have a scan configured and have run in that pipeline. If it's only SAST and secret detection, that's the only thing you would see here and, you know, the counts. This is actually something, excuse me, working through from a UX perspective. This can be a little confusing because the MR only shows scan results from that branch.
A
A
C
C
E
C
Not paying attention to security because they haven't set this up, and it's just hitting them in the face every day that you don't know if you have vulnerabilities, that might be just a way to get them like, "you know what, I probably should do that, let me click through", and we can make that a few clicks and fairly easy to set up. Then we could really open up again the top of the funnel there.
C
Yeah, and then it kind of goes nicely to kind of our strategy and growth of, like, get them using Create and Verify, and that's going to be the jumping-off point to other areas of the product. And, you know, the MR and seeing other pipelines running, maybe for just general CI.
A
Okay, let's see real quick, so you get the security dashboards. Obviously this is, none of this is going to work without any underlying scan results. This is one of the kind of, we're going to say, sort of off limits to taking down tier. Eventually, this is, we're going to build out a lot more functionality for the security teams, potentially some compliance features as well.
A
I think that's kind of interesting, but maybe just kind of exposing, like, "hey, you have these things here. This is what's going to happen if you were to sort of drill into them." You know, the focus can be a little bit different as well. This is more high level, I want to see. This is maybe a little bit more like a team leader, manager.
A
C
D
C
For a video like, "hey, this is what a, you know, security engineer would do with this page" and how it would, you know, we could figure out the value prop and, but like a quick 30-second, like, click around the page and "I've triaged five issues and ten seconds" kind of thing might be pretty powerful, and I don't know exactly like how this works well enough to know if that's feasible, but these just the ideas are coming to me.
A
Yeah, I don't know, I think the, it shouldn't be, I say shouldn't, shouldn't be a huge lift. The main change would be showing the security dashboard and vulnerability report as part of the menu structure in a non-Ultimate and then putting whatever video we have in there, but it seems pretty straightforward.
D
I think the only risk is, I know I see in the SUS and NPS survey a lot that people want to be able to hide features they're not using, and if we're adding even more to the sidebar they might get agitated.
D
So I don't know if there is anyone working on enabling people at the instance or group level to hide or disable things, but I almost feel like, you know, like if this was a short-term experiment, yeah, let's go for it, but then, if we found it effective and wanted to go long-term, I think we'd have to work with someone to make it be like at an instance level or whatever somebody could.
A
Yeah, that's actually in my backlog. That was a really old request from, I think it was from Eric Brinkman's team, to add our little areas over here to the configuration to be able to turn them off. So that's something that we'll be getting to pretty shortly. On the flip side, if you're a free user, I don't know if you get the right to remove the stuff because you're not paying us yet, but it'll be.
C
A
The last one, this is a new feature that came out in 13.9. I don't have it set up. Oops, actually wrong one. Stick on this one.
A
A
All right, I think that's probably all the hooks that we've got from vulnerability management that are worth mentioning for this kind of stuff, and we're already a little over time.
G
And I'd also say that, you know, if you do want to go over any of the DAST stuff, like the on-demand stuff, that's different than what anybody else is doing at this point, although I know that everybody else wants to have on-demand scans as well, we can go over that in a separate call.
C
Cool, yeah, I mean, I'd be game for that. I think this has been super helpful for me personally to understand more about this area. As in southern area, I've had a chance to interact with a ton, so I think there's lots of opportunities for growth to try to drive more adoption of this stage, and I think we have lots of data showing a lot of the higher tier plans and purchases is because of the work that you all are doing directly.
C
So as we maybe figure out Create and Verify, there'll be more opportunities to drive Secure and then some of the other stages related to compliance and security and making sure that the code is safe. I think that could be a huge lever for us to try to drive more growth.
B
Yeah, definitely. I think in Q1 our primary focus will still likely be Create and Verify, but we are actively thinking through the roadmap ideas for Q2, and Secure, potentially, because it ties so closely to MR, to Verify, as well as trial. So that's why we really appreciate this, so that we can learn more.
B
A
Sure, yeah, thanks for all the great questions and everybody for hopping on together, so I think we'll go ahead and call it and we can have follow-ups as needed.