Investing analysis of the software companies that power next generation digital businesses

Snowflake Cybersecurity Vertical and the Powered By Program

One of Snowflake’s newer growth strategies, beyond their core data platform, is to enable other companies to build their businesses on top of Snowflake. The value proposition is that new companies with a heavy data processing function in their product can bootstrap their launch by leveraging Snowflake’s platform. There are multiple benefits in taking this approach, including reducing time to market, eliminating infrastructure overhead and avoiding hiring dedicated technical staff. Snowflake has invested years building out and refining their data platform for high scale operations.

In most cases, it doesn’t make sense for a new vertical software provider to build their own data platform, which arguably duplicates a lot of Snowflake’s functionality. Given Snowflake’s high volume, they are likely able to provide a new business with data processing capabilities for the same or lower cost than if they tried to manage their data platform themselves. This allows the new business to focus on their core competency, not figuring out how to build a big data solution.


Snowflake formalized this type of customer relationship in June 2021 through their Powered By program. As of the most recent quarter, the program had 590 participants, growing an amazing 35% sequentially. In order to increase the focus of the Powered By program, Snowflake is creating audience-specific workloads within it. The first audience-specific solution is for cybersecurity teams. The product team has shared plans to launch more of these audience verticals next year. The benefit to Snowflake is that these Powered By program participants become heavy users of the Snowflake platform. Even though participants tend to start as smaller companies, their Snowflake spend can grow higher than larger Snowflake customers, because the data platform is core to their operations. During Snowflake’s recent Investor Day, the leadership team shared that 9% of their $1M+ customers are participants of the Powered By program.

To get an appreciation for this program and its implications in the cybersecurity vertical, I recently participated in a webinar during Cybersecurity Day from Snowflake called “Deploy a security data lake to unlock new use cases”. In this presentation, the Snowflake product team engaged two Powered By program members to share their experience with Snowflake and demonstrate their products for potential customers. The two program members were Hunters and Anecdotes.

Hunters offers a SOC (Security Operations Center) platform that helps security personnel to better detect and respond to threats using automation. The Hunters Platform is purpose-built to support SOC workflows from data ingestion all the way to incident response, serving as an ideal approach for replacing their SIEM. Hunters operates like an open XDR platform, but they have shifted towards the SOC product label to better describe the product’s fit within a customer organization. Hunters is based in Israel and was named Snowflake’s partner of the year last year. They have landed a few notable customers, including TripActions, Upwork, Netgear, Booking.com and BlockFi. They even power Snowflake’s own SOC. Earlier this year, the company closed a $68M Series C funding round.

Anecdotes provides a platform for compliance automation. Anecdotes collects data from 70 different sources like identity providers, security tools, collaboration software, ticketing, cloud infrastructure and enterprise resource systems to maintain a company’s compliance with various industry certifications and security programs (PCI, SOC 2, HIPAA, etc.). They too are based in Israel and recently raised a $25M Series A round. Anecdotes has landed a number of large customers as well, including TripActions, GitLab, JFrog, Fiverr and Unity.




The presenters from both Hunters and Anecdotes are the co-founders and CEOs of their respective companies. As the CEOs discussed their experiences with Snowflake, they made a number of interesting points. First, they outlined why they chose to run on Snowflake’s platform. They both agreed that the main driver was that Snowflake frees up their core team to focus on the part of their business where they have expertise (threat hunting and compliance). They thought it would be inefficient to build a new data platform from scratch. The Hunters CEO said they wanted to partner with “the best data platform out there”. This way, as start-ups, the companies could take advantage of Snowflake’s big data scale and high performance out of the box. Also, Snowflake’s operating volumes and pricing model enabled them to provide their customers with much higher data storage thresholds than they could have achieved on their own.

Another major reason that they like Snowflake’s approach has to do with the Data Cloud and maintaining control of customer data. The two partners shared that their customers increasingly like the idea that all of their data remains within Snowflake. Customers are less and less interested in shipping sensitive operational data to another destination for a security vendor to analyze. Log shipping and agent data collection are the typical deployment models for most security analytics services. In these cases, the customer’s data is copied out to the security vendor’s data platform. This creates two levels of impedance for the customer. First, they have another copy of their sensitive data within the security vendor’s environment. While most security vendors maintain secure environments (we would hope), this does represent an additional risk. If the relationship ends, they also have to assume the vendor deletes all of their data. Second, the security vendor is incurring cost to maintain that data in their environment. This is an expense that they presumably pass back to the customer through their service fees.

Hunters Architecture Slide, Snowflake Cybersecurity Day, October 2022

In the Snowflake Powered By model, both of these architectural disadvantages are addressed. All source data remains within the Snowflake Data Cloud. In order for a security vendor to access a customer’s data, their application connects to the customer’s data directly within Snowflake. There is no streaming or copying the data out to another environment. Within Snowflake’s Data Cloud, the security vendor can aggregate the customer’s data with other sources, filter, analyze and model it – all to generate security events. Hunters asserts that threat hunting is made more effective with more data sources, often going beyond what is collected from data center infrastructure and applications. Some useful data sets for threat evaluation, like employee data, may not be shipped to a third-party security XDR vendor for privacy reasons. However, on Snowflake, that employee data is likely already stored in the customer’s instance. Hunters can then access the employee data directly for security analytics within the Snowflake environment. There are no copies of it shipped elsewhere.

Hunters also claims that running on Snowflake allows them to place no limits on the amount of data that can be ingested. This is an important component of their service. Alternate data analytics platforms that charge by volume of data ingested inherently force the customer to limit the data sets that they might send to the security vendor. The Hunters CEO cited the example of a firewall log, which can be very noisy. Some customers will choose to only sample this data or ignore it completely. This filtering can limit the effectiveness of threat hunting by leaving out useful signals. Hunters offers unlimited TB/day of data ingestion and all storage is hot (versus being archived into cold storage and retrieved when needed).

Hunters Customer Slide, Snowflake Cybersecurity Day, October 2022

Without these limits on data storage, Hunters claims that their customers have experienced a 3x increase in data retention. And, because they are leveraging Snowflake’s massive scale and just adding their security analytics tools and security expertise, they can operate very efficiently. Hunters asserts that their customers gain a 4x cost reduction over competitive SIEM solutions.

While this model is very powerful for Snowflake and the Powered By partners, it does operate best when the customer is already on the Snowflake platform. In that case, the on-boarding process is very straightforward, as it’s just a matter of granting permissions to the customer’s existing Snowflake instance. New customers can be brought onto the Snowflake platform, but that requires a data migration. Over time, I think these additional Powered By service offerings will increase the appeal of Snowflake for potential customers. More importantly, they make use of Snowflake even stickier. It is worth noting that Powered By partners are free to work with other data platforms in the same way. Hunters has mentioned plans to provide a similar solution on top of Databricks, when an application hosting capability is available.

Of course, the primary business driver for Snowflake from the Powered By program is to capture even more data processing workload spend. If Snowflake’s customers contract with other XDR or compliance vendors for their security needs, those vendors would presumably be generating revenue from the data processing component of their solution. The Powered By program allows Snowflake to capture that portion of the external vendor’s revenue that would be applied to that vendor’s data infrastructure. Snowflake plans to repeat this model across multiple software categories, beyond cybersecurity. In a recent Protocol article, Snowflake’s head of cybersecurity strategy mentioned that they have plans to launch two more audience-specific workloads next year.

As the Powered By program continues to expand and participating companies keep growing their businesses, I would expect more Powered By program members to break into the $1M+ spending level in the future, increasing from the 9% share currently. This could help drive the next leg of Snowflake’s revenue growth, beyond their core data processing workloads for enterprise customers.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.

5 Comments

  1. Michael Orwin

    Thanks for the update. Is there a reason why the two program members featured in Cybersecurity Day were businesses I’ve never heard of, rather than Crowdstrike, Zscaler, Palo Alto etc? I’m wondering if Snowflake and maybe Databricks are going to enable a wave of small software businesses to eventually displace many established SaaS companies. Is it time to start thinking of SaaS businesses not likely to get on “Powered by” as legacy?

  2. Defo

    Hey Peter,
    Oracle announced MySQL HeatWave Lakehouse yesterday:
    “MySQL HeatWave Lakehouse delivers significantly better performance than competitive cloud database services for running queries and loading data, as demonstrated by industry standard benchmarks. In addition, in a single query, customers can query transactional data in the MySQL database and combine it with data in the object store using standard MySQL syntax. Oracle also announced new MySQL Autopilot capabilities that improve performance and make MySQL HeatWave Lakehouse easy to use.”

    They claim it is up to 17 times faster than Snowflake in query performance (6 times faster than Redshift) and up to 2.7 times faster than Snowflake in load performance (8 times faster than Redshift). All of these benchmark scripts are available on GitHub to replicate.

    I suggest that Snowflake will have a harder time capturing more market share at this rapid pace. What do you think about that?

    • Defo

      Edit: Forgot to paste the source:
      https://www.oracle.com/news/announcement/ocw-oracle-announces-mysql-heatwave-lakehouse-2022-10-18/

    • poffringa

      Hi Defo – Oracle is certainly making a big push forward with their cloud offering. As far as MySQL HeatWave and its potential disruptive impact on Snowflake, I have a few thoughts:
      – I am generally skeptical of these performance tests. The “tests” are usually conducted in a way that skews the outcome towards the vendor conducting the tests.
      – The value proposition for Snowflake goes beyond the raw query performance, and includes governance, data sharing, application runtimes, AI/ML, etc.
      – Snowflake has a much better relationship with the hyperscalers than Oracle (who would prefer that customers move their whole installation to OCI). This generally means that AWS and Azure sales teams are happy (or at least okay) if a large enterprise uses Snowflake on their cloud. Oracle wouldn’t get this cross-sell benefit, even if HeatWave is available on AWS or Azure.

      • Erik

        Peter — thank you (once again) for both the original post and this helpful reply to Defo. Your insights are unequalled and greatly appreciated!