Front Door Defense
Crossing the Valley
Ep. 08 - From Scaleup to Startup: Marc Frankel is Solving Software Supply Chain Vulnerabilities with Lessons from Palantir and Expanse
Duration: 46:11


Manifest Cyber CEO and Co-founder Marc Frankel shares his insights from a decade in defense tech

Overview

Marc Frankel is one of the few people on earth to have worked at not one but TWO successful defense tech companies: Palantir, and Expanse. Now he's taking on the problem of software supply chain vulnerabilities with his new venture, Manifest Cyber. In this conversation we dive into what he's applying from past experience, what he's learning fresh for the first time, and what the future holds.

⏲️Timestamps:

1:43 - Marc's background

4:40 - How to build for national security

6:20 - Why Software Bill of Materials and supply chain vulnerabilities matter now

11:15 - What are the components of software?

12:05 - Why the Log4Shell vulnerability was a nightmare scenario

14:35 - How Manifest solves the SBOM usability problem

17:35 - Why Marc and Daniel are the right team to take on this problem

20:30 - How Palantir culture concentrated so many entrepreneurs

24:55 - Palantir Go to Market approach

29:05 - Expanse Go to Market motion

30:25 - Marc's lessons for SBIR companies

33:00 - Manifest Go to Market approach

37:15 - Manifest's STTR transition plan

39:30 - How icebreaker companies laid the groundwork for Manifest

41:10 - AIBOMs: the future of Manifest

About Marc

Marc was a Russian major, before getting a Watson fellowship to travel the world. After spending time at a quant trading firm and a Master’s degree, Marc joined Palantir, which showed him how he could contribute to the mission of national security, even if he wasn’t in the military. From Palantir, he went to the cybersecurity company Expanse, before starting his own company, Manifest Cyber.

About Manifest

“Software is the only thing that we buy that we don’t know what’s in it.”

From groceries to computers, most things we buy come with an ingredients list. Except, historically, software. An "SBOM" or "Software Bill of Materials" is the ingredients list for software: a machine-readable inventory of the components (libraries, frameworks, their versions and suppliers) that a piece of software is built from.

Few customers ask “what’s inside this piece of technology.” You may ask about the backgrounds of developers, or foreign ownership and control, but not the components of the product itself.

Manifest builds the platform that manages the entire SBOM lifecycle - from generation to storage to sharing, making these technical artifacts usable by non-technical people.

Software Supply Chain Vulnerabilities

Over the last few years, the vulnerability of software supply chains has become increasingly apparent.

The reality is that software development is more like an assembly line than an invention: developers are largely stringing together modular third-party and open-source components to produce a cohesive product.

The Log4Shell vulnerability was a major wake-up call because of its reach and because of the maturity of the team behind the software. For context: Log4j is a Java logging library used, by the episode's count, by 12 million developers. The vulnerability was a "zero day" in the sense that it was being exploited before a fix was widely deployed; exploit code was circulating in the wild the same day it was publicly disclosed. Defenders had to scramble, largely by hand, to find every place this one ingredient was present, often buried several dependency layers deep inside products they had not built themselves. Vulnerabilities like this one showed how important it is to keep a live inventory of what is in enterprise software, so that the next time a component is found to be vulnerable, every affected product can be identified and fixed quickly.

In the wake of this vulnerability (and others like it), regulations started pouring in. Whether you are Lockheed Martin, Microsoft, or a small startup, federal and international requirements increasingly oblige you to disclose what is in your software. Executive Order 14028 on Improving the Nation's Cybersecurity, signed by President Biden in May 2021 (months before Log4Shell), directed the government to define the minimum elements of an SBOM and laid the groundwork for SBOM requirements in federal software procurement.

These regulations created a torrent of new information flowing from software suppliers. The next problem was helping the people who receive it act on it: an SBOM is only useful if you can ask it questions such as "which of our products contain this component, at an affected version, and what pulled it in?"

Enter Manifest, which builds a platform to consume these artifacts, generate reports, and integrate with workflows and ticketing platforms.
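To make the Log4Shell scenario above concrete, here is an added example (not Manifest's code, and not from the episode) of the question an SBOM consumer has to answer: scan a CycloneDX 1.4 JSON SBOM for a component named in an advisory, check whether its version falls in the affected range, and trace the dependency graph to the direct dependency that pulled it in. The SBOM is constructed inline (the log4j Maven coordinates are real, everything under `com.example` is invented), and the embedded CVE-2021-44228 record is a deliberate simplification of the real advisory; in practice the range comes from a vulnerability feed.

```python
"""Answer the Log4Shell-style question from an SBOM: do we ship the affected
component, at an affected version, and which direct dependency pulled it in?"""
import json
import re

# Constructed CycloneDX 1.4 JSON (not a real product's SBOM). The log4j
# coordinates are real Maven coordinates; everything under com.example is invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-service",
                               "version": "3.2.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "group": "com.example", "name": "http-kit", "version": "5.1.0",
         "bom-ref": "http-kit", "purl": "pkg:maven/com.example/http-kit@5.1.0"},
        {"type": "library", "group": "com.example", "name": "audit-sdk", "version": "1.9.0",
         "bom-ref": "audit-sdk", "purl": "pkg:maven/com.example/audit-sdk@1.9.0"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "bom-ref": "log4j-core",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "bom-ref": "log4j-api",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["http-kit", "audit-sdk"]},
        {"ref": "audit-sdk", "dependsOn": ["log4j-core"]},
        {"ref": "log4j-core", "dependsOn": ["log4j-api"]},
        {"ref": "http-kit", "dependsOn": []},
    ],
})

# Simplified record for CVE-2021-44228 (assumption for this example). The real
# advisory also lists fixed backport releases on older branches and follow-on
# CVEs, so take ranges from a vulnerability database rather than hard-coding them.
LOG4SHELL = {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "introduced": "2.0-beta9", "fixed": "2.15.0"}


def parse_version(v):
    """Turn a Maven-style version into a comparable tuple. Numeric parts compare
    numerically; a qualifier (beta9, rc1, SNAPSHOT) sorts below the bare release
    with the same numbers. Enough for log4j's scheme; not a full Maven comparator."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))          # so that 2.0 == 2.0.0
    qual = m.group(2) or ""
    if not qual:
        return (nums, (1,))                       # a release outranks any pre-release
    qm = re.match(r"([A-Za-z]*)(\d*)", qual)
    return (nums, (0, qm.group(1).lower(), int(qm.group(2) or 0)))


def is_affected(version, introduced, fixed):
    """introduced <= version < fixed, a half-open range like OSV/NVD use."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def dependency_paths(sbom, target_ref):
    """All paths from the product's own component to target_ref over the CycloneDX
    dependency graph; path[1] is the direct dependency that pulled the target in."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:                 # ignore cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


def find_affected(sbom, vuln):
    """Components matching the advisory's coordinates at an affected version, each
    with the dependency paths that explain why it is in the product at all."""
    hits = []
    for c in sbom.get("components", []):
        if (c.get("group"), c.get("name")) != (vuln["group"], vuln["name"]):
            continue
        if is_affected(c["version"], vuln["introduced"], vuln["fixed"]):
            hits.append({"ref": c["bom-ref"], "purl": c.get("purl"), "version": c["version"],
                         "paths": dependency_paths(sbom, c["bom-ref"])})
    return hits


def scan_sample():
    """Run the constructed SBOM against the constructed advisory record."""
    return find_affected(json.loads(SAMPLE_SBOM), LOG4SHELL)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{LOG4SHELL['id']}: {hit['purl']} via " + " -> ".join(hit["paths"][0]))
```

Run against the sample, the scan reports log4j-core 2.14.1 reached through `audit-sdk`, which is the answer a non-technical vendor-risk reviewer actually needs: not "is log4j mentioned somewhere" but "which supplier's component brought it in, so whom do we chase for a fix". Note that `log4j-api` at the same version is correctly ignored, because the advisory names `log4j-core`; matching on the component's full coordinates rather than on a substring of the name is what keeps the false positives down.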

Marc’s Lessons

The Holy Trinity of a Government Deal

Marc explains that the key to closing any government deal is bringing together three interrelated pieces: Mission, Budget, Contract. Without any one of them, your deal is dead.

Time and time again great products die on the vine without all three. Teams can deliver a lights-out demo, declare victory, and then 7, 9, or 15 months later, find themselves still languishing, waiting. You lose momentum really, really quickly.

Marc explains that Palantir focused on the mission leg of the stool; they valued the mission more than anything else. This was something of an insurgent go-to-market strategy, for better or worse. For example, Marc told a story of a time when Palantir was shipping server racks to a customer group in a Middle Eastern country, only to have them held up in customs. Rather than despair, the company chartered a plane, loaded it with a new server rack and two engineers, and got it there the next day. That story became legendary as Palantir established itself as a trusted mission partner to those for whom failure is not an option.

Manifest Go to Market

Like many of the dual-use companies we profile on Crossing the Valley, Manifest’s first revenue came from commercial customers. Even before the company was formally incorporated, Marc and his cofounder Daniel closed some relationship-driven deals with close confidantes who knew and trusted them. Manifest started right as the regulatory tailwinds picked up, which positioned them well for what happened next.

The company began operating in May 2022. In September of that year, DHS put out a solicitation for software supply chain visibility tools, exactly the sort of thing Manifest was planning to build. The DHS Science and Technology Directorate runs the Silicon Valley Innovation Program (SVIP), which issues topic calls for pressing areas of need. By the time it was nine months old, Manifest had a DHS Other Transaction Agreement (OTA), which accelerated a virtuous cycle: validation from private-sector customers, and validation elsewhere in the government.

Timing, truly, is everything.

Key Takeaways from this Episode

  • Know Your Customer: Marc has an incredibly deep and nuanced understanding of his customer. "SBOMs are technical artifacts predominantly beneficial to non-technical people," he explains. People in third-party risk management, vendor due diligence, ATO-granting roles, and similar positions may not have a background in cybersecurity, but they need to request, ingest, analyze and report on supply chain vulnerabilities. That helps Manifest build for a particular user, with particular needs.

  • Timing is everything: Like so many others in this space, the right company still requires the right time. The regulatory tailwinds in 2021 helped propel Manifest forward, as the government established SBOM requirements across the federal government. This catalyzed banks, defense contractors, DoD and the Intelligence Community to do the same.

  • There is no substitute for embedding with users. Manifest's early deals, just like Palantir's, are focused on getting the company's engineers in close proximity with their end users. This helps them understand how systems are connected to one another, and where they have blind spots. One of Manifest's first federal deals is with a software factory and a software engineering group (SWEG). Both kinds of entity exist all over the government today. While no two are identical, the idea is that if Manifest can nail delivery for one software factory and one SWEG, it will likely have an 80% solution that can scale.

  • The Founder relationship is the foundation of a company’s success. Daniel and Marc knew each other for nearly 10 years before starting to work on Manifest together. They bonded during Palantir orientation, meeting each other on the first day. Marc shared that he could not imagine starting a company with someone he just met. Having that trust and experience together was essential for the difficult swings of managing a startup.

  • Maintain empathy for counterparts. In addition to knowing each other for 10 years, both Marc and Daniel had spent time in and/or working with government customers, and understand how they think and operate. They have deep empathy for their government colleagues, who are constantly overwhelmed with vendors pitching the "new hot thing." This helps them temper their frustration at times, and to solve problems rather than cast blame. As he says of SBIR reviewers, "spare a thought for the poor soul" expected to adjudicate everything from night vision goggles to software and back. As the program grows, these folks are expected to do more and more. The fact that this comes up again here is a testament to Marc's heart as a leader.

For more on Manifest:

Website: Manifestcyber.com

BOM Working Group Slack: info@manifestcyber.com

YouTube: @manifest-cyber

Few companies make it from pilot to production in the defense market. Those who do often change the industry in the process.
How do they do it? What lessons can startups take from their trials, successes, and failures? Crossing the Valley tells the stories of the trailblazers who are forging a new path for America's defense.