The Big Interview: Kong CTO Marco Palladino
API management startup has hit $100m in ARR, achieved a rare profitability and is still in hyper-growth mode. What next? Well, AI opportunities, of course.
To Kong CTO Marco Palladino, “APIs are the new internet.” Across industries from banking to logistics, products are becoming services that are delivered via APIs (a way for software components to talk to each other; for example to access application functions or connect modular microservices.) As Palladino puts it on a call with The Stack, “almost everything enterprises do is now powered by an API. Websites, mobile applications, generative AI: API's are the interface of the business…”
The numbers bear this out: API calls are the fastest growing form of traffic out there. Even back in 2018 one Akamai report found that they represented 83% of web traffic. (In 2022 Cloudflare put the figure at a more modest 54% but “growing twice as fast as traditional web traffic.”)
With many organisations still having API management fragmented across an archipelago of developer teams or individual products that often include design which expose APIs – creating latency and security issues – API gateways and one-stop API management platforms like Kong’s have been an increasingly popular proposition; something that’s paying off for its founders. (In late 2023 Kong hit the $100 million ARR mark and the company is now also profitable, The Stack can reveal. Startlingly few SaaS providers launched in an era of loose money can say the same thing.)
Palladino presciently saw coming the criticality of APIs in an increasingly digitalised world. With Kong’s co-founder Augusto Marietti he left his native Italy in his early twenties looking for funding for an API marketplace startup – and after two years of fruitless efforts in Italy to raise funds, secured $101,000 within 15 days of landing in the US.
(Viva the American Dream. His team also went on to secure backing from Jeff Bezos and Eric Schmidt of Google’s Innovation Endeavours…)
Their early experience building an API marketplace made them realise that it was an integrated platform for API management that was the market sweet spot and where a real end-user need could be found. They sold the marketplace and in 2015 they launched Kong Gateway, an Apache 2.0-licensed open source API management platform (simply put, a single hub for handling API authentication, routing, load balancing, and more).
“20 trillion requests every month”
The two then launched Kong in 2017 with a pure focus on API management. It is fair to say that adoption has been enthusiastic.
“Kong today has more than seven million instances of the gateway running in the world,” says Palladino proudly. “We're processing something like 20 trillion requests every month – that’s what we know of, because you can disable the telemetry, or run it in a private environment.”
That growth has come, Kong CTO Marco Palladino tells The Stack, as organisations increasingly “bring APIs into core platform teams; they want developers to be users of infrastructure, not builders of infrastructure, so we see real centralisation of that API practice in platform teams.”
Kong versus "monolithic" rivals
There’s no shortage of other compaies doing All-The-API-Things out there but Palladino is quick to highlight how Kong is differentiated.
One key reason is that it was built for a microservices world, he suggests.
(Modular, microservice-based systems can comprise hundreds of individual services communicating with each other via APIs. They are typically designed to scale services independently according to load; something that can be done through API gateways like, yes, Kong’s…)
Palladino claims: “Before microservices APIs were almost an afterthought.
“An organisation would have a monolithic application, then they would build a mobile app: 'Oh, we need an API to connect these new mobile apps with our back end'. So they would go ahead and build API's on top of their monolithic applications,” he says, adding: “With microservices, that mindset shifted. API's are not an afterthought anymore. API's are there since Day #1, because you need an API to be able to build a micro service-oriented architecture that can scale. It's all about API's.
“The Apigees, the MuleSofts of the world, are monolithic middleware technologies that are monolithic themselves; they're quite slow… you can put a CDN [in front of them] and figure out ways to make that performance hit less noticeable. But in microservices, we're doing a lot more traffic and every millisecond of latency starts to count more.”
Getting people Konnected
Kong Gateway Enterprise is the company’s on-premises/self-hosted option but it also provides Kong Konnect;a cloud-based SaaS. That brings together a trio of its offerings as a unified cloud control plane for handling APIs themselves, along with the “service mesh” that controls how different parts of an application share data with one another.
“Konnect” now accounts for around 20% of the company’s revenues and it’s encouraging on-premises customers to make the jump – because “Konnect”, as Palladino puts it, “is very cool; it’s the full stack of L4-L7 connectivity; we don't have that in the self hosted product…”
Like most companies with a strong, open-sourced on-prem offering and a large customer base in heavily regulated industries like financial services, encouraging that shift is not the world’s easiest thing, The Stack suggests.
Are customers not concerned about concentration risk for example?
Kong’s CTO is quick to respond: “Our cloud offering is production ready.
“It has been out thee for three or four years and we offer a very flexible deployment model. Let's say that you are a bank, and you still want to own your API traffic. We'll provide you with a cloud control plane, but you can still run the gateways in a hybrid mode in your own infrastructure... so the actual API traffic doesn't go on our cloud, you can still own that.
“But the whole management of your API infrastructure for that is in the cloud; not the actual traffic; the configuration,” he explains, adding in response to a question on failovers: “We built our technology in such a way that if you're running a hybrid gateway, or a hybrid mesh, that mesh or that gateway, is not affected by the control plane going down.
“It will keep running with the latest version of the configuration that it was able to cache from the Cloud Control Plane. So there is a whole system in place that keeps the uptime, even if there is a [cloud] catastrophe, and the whole cloud gateway were to go down, it would still run locally.”
Kong and AI
Few interviews in 2023 or 2024 can avoid AI.
For Kong it’s a genuinely significant opportunity. The company has just released a suite of open-source AI plugins for Kong Gateway 3.6 that let users turn it into an AI Gateway – i.e. centrally manage AI credentials, AI logs, manage all AI API call traffic, build advanced prompts, detect and prevent abuse, and collect AI observability. As enterprises mix up their use of cloud-based and on-premises LLMs, that could be a real boon,
As Palladino puts it: “We provide one interface to consume one or more LLM providers…running cloud [AI] models is very expensive. Many organisations are training their self-hosted models to be able to respond to most queries to save money on a per request basis., and using cloud models as a fallback. So we're improving developer productivity by giving you one interface that you're building against, then you can choose on Kong what API you should be using for that request. You can do that dynamically. You can do that in a static way. So you can make one request on Kong, and then choose ‘I want to consume OpenAII; I want to consume Mistral. I want to consume Llama. I want to consume Cohere…”
Stepping back, he says: “Back in the days, when you wanted to connect software, you were buying switches and routers in the data centre to enable connectivity among every individual part of your applications. Now it’s the L4-L7 connectivity, middleware software, the meshes, the gateways that companies are deploying to create these new digital experiences. We think that Kong has an opportunity to be a defining company in this new networking, microservices connectivity world.”
It's certainly now in a financially robust position to keep trying and with MuleSoft snapped up by Salesforce and Apigee by Google Cloud, Kong's claim to be the "Switzerland" of API management might just look attractive to many.