
Request // Response

Request // Response Episode 4: API Security, LLMs, and Internal Developer Tools

Sagar Batchu


May 6, 2025 - 22 min read


GUEST


Sinan Eren

CEO & Co-founder, Opnova

Sinan is a serial entrepreneur focusing on cybersecurity and AI, previously VP at Barracuda Networks.

HOST


Sagar Batchu

CEO & Co-founder, Speakeasy

Sagar is the CEO and co-founder of Speakeasy, focusing on API development and developer experience.

Sinan Eren is the CEO and co-founder of Opnova.

In this episode, Sinan shares how Opnova is building AI-powered automation for enterprises, specifically targeting companies that rely on legacy systems and lack modern APIs. We discuss:

  • Automation in systems without APIs
  • RPA, LLMs, and new standards like MCP
  • The rise of browser-based automation
  • The long-term vision of API-first ecosystems

Listen on

Apple Podcasts  | Spotify 

Show Notes

Introduction [00:00:00]

Overview of discussion topics: automation in legacy systems, RPA, LLMs, MCP, and the evolution toward API-first ecosystems

What OpNova Is Solving [00:00:42]

  • Sinan’s background in cybersecurity and founding OpNova
  • Automating rework: repetitive, manual tasks in regulated industries like healthcare and finance

Bridging the API Gap [00:02:00]

  • Most enterprise systems lack modern APIs
  • How OpNova helps these companies automate despite missing APIs
  • The challenges of working beyond the Silicon Valley tech bubble

Leveraging RPA and LLMs for Automation [00:03:00]

  • How OpNova uses robotic process automation and large language models
  • Modeling user behavior to automate UI actions via screenshots and intent recognition

Standards Like MCP and Tool Calling [00:04:58]

  • MCP (Model Context Protocol) and its potential to become a new standard
  • Bridging the gap for underserved industries lacking API exposure
  • Sinan’s take on early adoption and long-tail enterprise needs

APIs as a Deal-Maker [00:06:00]

  • APIs enabling last-minute customer wins in previous startups
  • Command-line over UI: why customers sometimes prefer APIs to interfaces
  • Rapid feature delivery via API access

The API Tax Debate [00:07:54]

  • Comparing API access to the “SSO tax” of the past
  • Concerns about hiding APIs behind enterprise pricing tiers
  • Why APIs should be a baseline offering

APIs as the New Sitemaps [00:09:00]

  • API discoverability as a critical factor in tool ecosystems
  • Drawing parallels between SEO-era sitemaps and today’s OpenAPI specs
  • The risk of exclusion from LLM-powered interfaces

Browser Automation as a Transitional Layer [00:11:58]

  • Why browser-based agents are a temporary solution
  • The long-term goal: native APIs everywhere
  • Transitional tooling as a necessary bridge

Tool Discovery and Registries [00:13:58]

  • The need for robust API registries to support tool discovery
  • From proof-of-concept to production: bridging the enterprise automation gap
  • The challenge of finding the right tools at the right time

Closing Thoughts and Opnova’s Vision [00:15:28]

  • Browser orchestration vs. API-driven workflows
  • Why APIs are the true endgame

More Quotes From The Discussion

The API Tax Revolution

“We have this curse in our space, it’s changing now—it’s called SSO tax, single sign-on tax. Why? You will have like the cheap tier, free tier, and then you’ll have the enterprise tier, if you want single sign-on, if you want to tie your Okta, your EntraID into the SaaS, right? You need to buy the enterprise tier so that you can have the benefit of SSO. But I’m noticing APIs are now put in place of SSO. So SSO tax—now I worry that it’s becoming API tax.”

APIs as the New Sitemaps for the Agentic Era

“I feel like not having API actually is similar now. It’s going to exclude you from a rapidly emerging ecosystem of tools and tool use where the discovery problem is now distributed. And so, like, what sitemaps did for websites was it said, ‘Hey, I’m a website. I’m going to broadcast. I do this thing.’ And then therefore any scraper ecosystem could pick it up. I think the same thing’s happening with APIs.”

Browser Automation: The Necessary Bridge to an API-First Future

“All this browser use models, right? Like computer use, browser use models. They are an intermediary kind of a solution, a transitional solution, right? Because we’re waiting for the APIs to be exposed. So nobody really genuinely loves the idea of an agent orchestrating a Chrome browser. Really, it’s just a temporary point in time that we have to do it because like you said, like, sitemaps had to be invented for better SEO.”

Production by Shapeshift.

For inquiries about guesting on Request // Response, email samantha.wen@speakeasy.com.

Transcript

Introduction

[00:00:00] Sagar Batchu: Everyone, this is Sagar, CEO of Speakeasy. On today’s episode of Request Response, we had Sinan Eren, CEO and co-founder of OpNova, and previously VP at Barracuda Networks. We chatted about the emerging ecosystem of tool use and tool discovery, and how that’s helping companies without APIs solve the last mile problem of automation.

[00:00:19] Sagar Batchu: MCP and tools are super new, but tune in to learn how big enterprises are leveraging them today.

[00:00:24] Sagar Batchu: Everyone. Welcome to another episode of Request Response. I’m your host, Sagar, co-founder of Speakeasy. We are the modern tool chain for API development. I’m joined today by Sinan Eren, co-founder and CEO of OpNova and previously VP at Barracuda Networks. Sinan, how are you doing today?

[00:00:42] Sinan: Good. Great. Good to be here. Thanks.

About OpNova: Automating without APIs

[00:00:44] Sagar Batchu: You told me a lot of great things we want to talk about today, but I’d love to start by just learning more about OpNova, what you guys do, kind of your background as well.

[00:00:52] Sinan: Yeah, sure. Happy to. Personal background. I’ve been in cyber security for over 20 plus years now. But mainly in cyber security use cases at a starting point, but we are able to automate entire back office functions for regulated industries.

[00:01:06] Sinan: We started with a focus on repetitive, mundane and error-prone tasks, which we call rework - repetitive work.

[00:01:12] Sagar Batchu: That’s really cool. I feel like APIs for you are such a unique thing, but like for most companies, we think about APIs as just, hey, you either have a public API, that’s how you know, you ship your product, it’s your revenue driver, or you have internal APIs and how you build. I feel like you are really working with companies and ecosystems that almost don’t have them, and you’re kind of bringing some of the automation that usually isn’t possible when those pre-existing APIs don’t exist.

[00:01:38] Sinan: That’s spot on. That’s what I was excited about this conversation because, you know, look. If we have APIs, we will use APIs, right? That will be the preferred mode of execution automation, right? That would make things a lot more deterministic, a lot simpler, a lot more efficient, you know, cost effective, you name it.

[00:01:56] Sinan: Therefore, you know, these internal applications or some of these legacy applications with potential overlays, if they can expose APIs, will do our jobs much better. But you’re right, we’re kind of trying to figure it out and bridge that gap of lack of APIs, lack of modern protocols.

[00:02:11] Sinan: How can we expand these platforms and connect it to them?

The API Gap in Non-Tech Industries

[00:02:16] Sagar Batchu: New age suddenly where I think we’re realizing with, you know, with LLMs, with AI, there’s so much automation, operational work we can offload, but so many systems today actually don’t have APIs. I was reading some crazy stats the other day around how just so many websites and products out there don’t have APIs.

[00:02:37] Sagar Batchu: And I think in the, in maybe the, you know, Silicon Valley and broader VC power tech ecosystem where we somewhat take for granted that every system out there has any programmatic interface to leverage, but really, the majority of them don’t. And you look across, you know, Healthcare insurance, as you said, like, there’s so many industries where APIs are not the norm.

[00:02:58] Sinan: You definitely tapped on something important. We do not sell or work with, you know, these early design partners anybody in the valley, right? We want it to expand beyond this tech bubble. This time we’re looking into completely outside of the valley, trying to serve the underserved. They do want to be more modern and cost effective, but yet some of these applications that they depend on a daily basis do not offer any means for automation or improvement. So that’s where we come in and try to help them out.

Bringing Automation to Legacy Systems

[00:03:26] Sagar Batchu: Yeah, that’s super cool. I’d love to understand a little bit more how, you know, you’re bringing that kind of automation when systems don’t have APIs, like kind of what tech are you leveraging?

[00:03:37] Sinan: That’s right. I’m sure a lot of the folks are familiar with kind of the RPA, Robotic Process Automation.

[00:03:44] Sinan: So think about all these amazing multimodality models that we can leverage to do a recording, have that recording break into chunks, understand the intent behind the action and from that built an automation prompt or a template, then the agent can repeat you know, take a screenshot.

[00:04:03] Sinan: You know, process the screenshot, understand the intent for the action, decide what the next action should look like, then translate that action into a click, a text entry, a drag and drop it, you know, a scroll. So that’s kind of how it works. It models essentially the operator doing the task from that. It generates some byproducts that you can use to automate it end to end.

The Evolution of Tool Calling and MCP

[00:04:25] Sagar Batchu: You brought on an interesting point and, you know, our own tool calling and the ecosystem suddenly has seen like, literally in the last few weeks, like a real surge and excitement on, like, what tools can unlock for companies and both internally externally. I think a lot of it is actually centered around kind of automation experience that you’ve described. We’ve seen a ton of movement here in the kind of overall tool calling landscape. I think one that stands out is MCP from Anthropic, the Model Context Protocol. How do you see this evolving? Like, do you think something like MCP is going to become the new standard?

[00:04:59] Sinan: It might very well become the lay of the land and the standard here in the valley. Or maybe in the East Coast in New York, you know, the tech centers of the country. I can see that. Right? I’d become the standard for builders. Like, if you’re building a SaaS product, a vertical SaaS product, whatever it is, you’re going to definitely standardize behind one of these, you know, protocols.

[00:05:19] Sinan: I get it. But what I see with the long tail of, you know, all these companies that I mentioned, the underserved, right? What I see is that there’s going to be a lot of bridging.

[00:05:30] Sinan: I can totally see in this long tail of underserved industries that could be MCP bridges. That’s how usually these things are adapted by the tech industry very quickly. You know that one of them becomes the dominant play. Great. We are all happy, you know, with each other, but when it comes to these, you know, manufacturing, banking, credit unions, right, they can benefit maybe with some sort of a bridge, a proxy approach to those modernized protocol.

The Future of API Consumption

[00:05:58] Sagar Batchu: I’m also kind of curious to get your take. What changes are you anticipating in how API consumption is going to change with this new model, right? Do you foresee like a broader adoption?

[00:06:10] Sinan: Yeah, I’ll share kind of, anecdote from the former startups that I build, or I work that I see, like, tremendous value in APIs because we were able to, you know, for example, ship a feature. Let’s say a deal depends on a particular feature, right? There’s always that, like the customer is going to ask you for something that you thought about, but you didn’t prioritize.

[00:06:30] Sinan: And now, in order to win the deal, you have to ship it, right? It could be some security feature. It could be some sort of an integration. What I found out, you know, that we were able to say, you know what, the UX, the UI part is going to take time. But why don’t I ship you an API right, and then tie it to our CLI, and then you get to consume it that way.

[00:06:50] Sinan: Guess what? In almost all cases, we won that deal, and hardly ever baked it into the UI, right, because it was good enough. It was actually, in some cases, preferred, because people have this fatigue about going between, you know, management interfaces of 100 different tools, especially if you’re in IT, especially you’re in cyber security, right? They’d rather have CLIs that they can bake into some automation that can just orchestrate API. They don’t really need to see your crappy UI really. So API saved me so many times because if I went through the design process that would have pushed us out three months at a minimum, and we would have lost that deal, right?

[00:07:30] Sinan: But I do have a question in return for you.

The Emerging “API Tax” Concern

[00:07:32] Sinan: Actually, the only concern that I have is you notice that I’ve been talking a lot about identity. I am, you know, a lot of cyber security around user management. So we have this curse in our space, it’s changing now, it’s called SSO tax, single sign on tax. Why? You will have like the cheap tier, free tier, and then you will have the enterprise tier, if you want single sign on, if you want to tie your Okta, your EntraID into the SaaS, right?

[00:07:59] Sinan: You need to buy the enterprise tier so that you can have the benefit of SSO, the benefit of two factor. This was usually, you know, there’s like SSO wall of shame. It’s been, you know, vendors who do this practice have been shamed for the last decade or so, right? Now they’re changing their tune. SSO is almost by default.

[00:08:17] Sinan: It’s not hidden behind some sort of a very steep enterprise pricing tier. But I’m noticing APIs are now put in place of SSO. So SSO tax, now I worry that it’s becoming API tax. So what do you think? Do you observe this? Where do you think this is going?

[00:08:33] Sagar Batchu: Yes. Wow. I love this. Such an interesting point of view. I think like over the last 10 years, like we’ve seen a couple of shifts in the developer ecosystem and in SaaS in general. Like, I think there was a time and no SaaS had APIs and like it was very much exception. And then you’ve had this kind of API first mark both modernization as well as a business, you know, kind of business model update that a lot of SaaS went through the last 15, 20 years. And then now, I think we’ve gone to the point where I actually feel that, like, for the best companies out there, not going API first is a is actually a huge mistake and a mess in terms of being able to do early signal and discovery around how people would use their product. Of course, there’s always exceptions. There’s some businesses where, like, your ICP just has no, you know, need to integrate with an API. That being said, I think now, all of a sudden, with tool calling, like, if you have an API, sure, your ICP may not be developers, but someone may make an MCP server for your API and then let the non-developer persona actually access the data in the API through, you know, whatever MCP client, whether it’s Claude or Cursor or whatever.

[00:09:43] Sagar Batchu: So I think actually that it’s a mistake to have APIs behind kind of enterprise tier of walled garden because API is no longer just the interface for developer persona. It’s actually interface now for all personas.

[00:09:58] Sinan: That makes a lot of sense. So in the fullness of time, you think that this API tax is going to disappear because the need is immense. It’s not just a luxury to offer it up to developers, but it’s just, you know, part of the tool use. It’s just, if you expose any kind of LLM driven workloads. If you want to expose it to the ChatGPTs of the world, it needs to be available right through an MCP set up. Yeah that, that’s hopeful. I appreciate that. Yeah, that’s a vision because some of these companies, yeah, they might afford it, but they really turned off by this, right? Like it’s feels like it’s just a basic block like SSO that should come by default, not as an add on.

APIs as the New Sitemaps

[00:10:36] Sagar Batchu: Yeah, I do agree. I think it’s no longer an add on. Another kind of analogy I’ve been thinking about and just to get your take is, you know, a lot of websites went through an evolution in the last, you know, early in the century around making sure they have site maps so that web crawlers can go out and kind of get information on them.

[00:10:53] Sagar Batchu: It works with SEO. I feel like not having API actually is similar now. Like, it’s going to exclude you from a rapidly emerging ecosystem of tools and tool use where the discovery problem is now distributed. And so, like, the, what sitemaps did for websites was it said, Hey, I’m a website, broadcast. I do this thing. And then therefore any scraper SEO system could pick it up. I think same things happening with APIs, right? Like people try to build centralized catalogs and governance platforms and all of that. And we’re realizing like, adoption of that is really hard. Instead, if everyone launches and releases an API, and then like, let’s say a tool definition, then suddenly there’s a, you know, a wide variety of clients that can take advantage of you. So, yeah, that’s the analogy I’m seeing is like not having, you know, a public OpenAPI spec and not having an API broadcasted means you’re just going to get excluded from this kind of LLM and agentic ecosystem.

Implications for B2C and Commerce

[00:11:49] Sinan: That makes a ton of sense. I’m thinking in my day to day use of these, you know, these models like Perplexity search is now almost, you know, 100 percent of the time I would say baked into that chat like interface, right? I don’t navigate to web pages. I kind of get something dense. Maybe I can follow some reference, some link to the website if I want to get to more details or whatever.

[00:12:12] Sinan: But so if that’s the experience, if the e-commerce experience is going to become that, if you are a B2C business, I guess it might be super damaging to your upside not to expose APIs, you know, if you’re a travel business, right? If you’re selling flights, whatever it is, right? Tickets. If you don’t expose it to these interfaces. Yeah, I mean, I can see myself not wanting to buy anything through that e-cart process anymore. Like add to cart and check out. No, I just want to say, buy it. Give me some options, do some research for me. Okay. I want that one, buy it for me. Right.

[00:12:43] Sinan: If you don’t expose an API how is that going to work? Yeah. Makes a ton of sense. It lines up for B2C very well lines up. You’re a hundred percent right.

[00:12:49] Sagar Batchu: Yeah, absolutely. I think it’s really day zero of like a new ecosystem emerging. And I think for companies with APIs like you just want to be involved, right? It’s moving so quickly that not being involved means you’re going to miss out on. It’s very hard to guess who the winners and losers are going to be, and I think the best thing you can do is kind of be in that stream, in that river as it’s flowing. It’s one kind of, you know, thing that I mention to a lot of companies we work with.

Browser Automation as a Transition Technology

[00:13:14] Sinan: Maybe I wanted to touch base on something. That’s something that really plays into what you guys are building. So all this browser use models, right? Like computer use browser use models. They are an intermediary kind of a solution, a transitional solution, right? Because we’re waiting for the APIs to be exposed.

[00:13:32] Sinan: So nobody really genuinely loves the idea of an agent orchestrating a Chrome browser. Really, it’s just a temporary point in time that we have to do it because like you said, like, sitemaps had to be invented for better SEO, right? Now we’re waiting for the APIs to be kind of be in place to be able to drop that whole click and click orchestration stuff and direct access to the API.

[00:13:53] Sinan: So it’s a transitional phase. But it’s also important because we don’t have what we need, right? Once we have APIs on every direction that we look at every application that we want to interact with, expose those APIs, I think we’re going to be in a great spot. So you are actually the destination, you know, so that’s a good place to be at.

Tool Discovery: The Next Frontier

[00:14:13] Sagar Batchu: Yeah, no, absolutely. It’s really early here. Like what I kind of see is that still a pretty big gap between like POC and enterprise usage. But yeah I do see that. I’m also seeing something similar and that people are asking, like, do you need a model for tool discovery? As well, right?

[00:14:32] Sagar Batchu: Like models very specifically optimized for actually finding the right tools to work with. And as you said, like, if there is something like site map that appears, then there is a search problem. All of a sudden right now, there’s no search problem because these ecosystems are small and it’s just small little tool registries that people are running. But yeah, no, absolutely.

[00:14:50] Sinan: Yeah, an API registry is a great idea. Tell me what you’re capable of. Show me how it’s done. Give me some examples and let me consume them in real time. I like that vision. And yeah, I mean, definitely you’re building something that will become how we interact with the web going forward for sure.

[00:15:06] Sinan: You know, as I said, like, it’s not a transitional technology. It’s where the destination is the end point. It’s the end game, right? Yeah, but we do need that transitional period and in cybersecurity is endemic, by the way. You end up building a lot of features that are, well, you’re building a lot of products that are going to be a feature of the platform in the fullness of time.

[00:15:23] Sinan: There’s no way avoiding that you have to build it. It’s a need in the market, but, you know, very well, right? In 3, 5, 10 years out, it’s going to be a feature of the bigger platform that you’re overlaying, right? So transitional stuff, a lot of computer use, a lot of browser orchestration has to happen before APIs take hold everywhere.

Conclusion and Looking Forward

[00:15:43] Sagar Batchu: Absolutely. Yeah, no, I agree. It’s another analogy. I tell people, it’s kind of like the autonomous Waymo cars on the street. Like, we’re in an in between period where there’s driverless cars and then drivers as well. But once you have all driverless cars, like, suddenly, I think you get new interfaces open up and like, you know, you can address the whole fleet of cars in one go make changes.

[00:16:06] Sinan: We’ll see where the POCs are going to materialize production use. But yeah, we’re also seeing a lot of that. A lot of kick in the tires, a lot of excitement, but let’s see if it’s going to be really transformative. But I do believe, you know, we have to be optimistic.

[00:16:18] Sagar Batchu: On that note, you know, we’ll come to the end of this awesome chat. You know, and thanks so much for, joining us today. I know OpNova is doing some awesome stuff and you guys are just getting started. If people want to find out more about what you’re doing there, where can they kind of go to reach out to learn more?

[00:16:34] Sinan: OpNova.ai please fill out the contact form, depending on what kind of interest that you have. We can set you up. Thanks. This was super fun. Yeah.

[00:16:41] Sagar Batchu: Thanks.

Frequently Asked Questions

What is OpNova and what does it do?

OpNova automates back office functions for regulated industries, focusing on repetitive, mundane, and error-prone tasks, especially for companies that lack modern APIs. It helps bridge the gap between legacy systems and modern automation needs.

How does OpNova bring automation to systems without APIs?

OpNova leverages Robotic Process Automation (RPA) technology combined with multimodal AI models. These models record user actions, break them into chunks, understand the intent behind each action, and then create automation templates that can replicate those actions through clicks, text entries, and other interface interactions.

What is MCP and why is it important?

MCP (Model Context Protocol) is a standard developed by Anthropic for tool calling in AI systems. It’s becoming an important standard for builders in tech centers but may need “bridges” to work with underserved industries that don’t yet have modern API infrastructure.

Why should companies care about having APIs in the age of AI?

APIs are becoming essential infrastructure for participation in the emerging AI ecosystem. Without APIs, companies risk being excluded from tool discovery systems, AI agents, and other automation technologies. As Sinan explains, it’s similar to how websites needed sitemaps to be discovered by search engines.

What is the “API tax” problem?

Similar to how Single Sign-On (SSO) was often locked behind expensive enterprise tiers (the “SSO tax”), some companies are now putting API access behind premium pricing tiers. This practice could hinder adoption and integration with the broader AI ecosystem, especially as APIs become necessary infrastructure rather than optional features.

How will browser automation and API development evolve together?

Browser automation (like what OpNova does) is seen as a transitional technology while waiting for universal API adoption. In the future, direct API access will likely replace browser automation for most use cases, but the transition period is necessary and could last several years.
