
July 2024

From: Brian and Tobias

Subject: The future of cloud security

Welcome back to the July edition of the B&T infra newsletter. Last month, we wrote about security. This month, we’re continuing on that theme, except this time focusing on cloud security (and almost nothing about AI!) 

We think the most impressive startup of the last 5 years (OpenAI is 8 years old) is Wiz, a cloud security business started in 2020 that burst onto the scene by scaling to $100M in ARR in 18 months, self-proclaiming it was the fastest growing software company ever. The company has raised almost $2B, including $1B in May at a $12B valuation. The company recently made headlines by reportedly turning down a $23B acquisition offer from Google.

And yet, we think there’s still opportunity within cloud security, specifically to remediate and address threats and vulnerabilities instead of just surfacing them. Wiz has the chance to be a generational company, but they have a lot of surface area to cover within the “posture management” market, and others could still compete to win the remediation market. Let’s dive in.

The oversimplified security workflow: identify and respond

Despite the seemingly unending number of abbreviations for different categories and tools within cyber, there are really two jobs to be done by software in the space: identify threats and resolve them (this workflow is pre-attack/breach; we won’t get into what happens if there is an actual attack). Both of these jobs are complex, and different solutions are needed to do these jobs in different environments, for different types of data, on different devices, etc. However, at the end of the day, that’s really all there is.

For cloud, Wiz won the identification race. As companies migrated more workloads to the cloud, tools were needed to protect cloud assets, from storage to workloads to data to domains and beyond. Many acronyms emerged to represent companies that solved this set of problems, including Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), and Cloud-Native Application Protection Platform (CNAPP). Whatever acronym you want to use, Wiz won the startup race. There were many fast-growing companies in this space when Wiz came onto the scene, like Lacework and Orca. All of them got trounced by Wiz. The only exception is Palo Alto Networks, which has a cloud product, Prisma, that is still larger than Wiz (surpassed $500M in ARR as of late 2023). However, Wiz has built a comparable cloud business to Palo in just four years, steamrolling all startups in its wake.

Wiz: the king of posture management

Today, Wiz’s product page is almost laughably large (see screenshot below). 

They do a lot, but most of it revolves around posture management. By this, we mean defining your security posture by tracking your cloud assets and then surfacing threats and vulnerabilities. Wiz has expanded outside of just cloud posture management into categories like Data Security Posture Management, competing with Cyera along the way. It’s worth noting that when we talked to an investor in Cyera, he acknowledged the convergence of what were once discrete posture management categories. The real race among these companies is not CSPM or DSPM – it is owning the alerting, vulnerability management, and prioritization dashboard for enterprises. This is a massive prize, and although companies started in different places, this is the market that will support a multi-billion dollar business.

Google was so drawn to this that it reportedly offered to buy Wiz for $23B, which would have been over 60x 2023 revenue. This makes perfect sense for a cloud provider – they already offer cloud security tools but are notorious for being laggards behind state-of-the-art, focused startups (see Google’s Chronicle product for a prime example). Cloud providers manage all the cloud resources Wiz seeks to protect. It makes sense that they should be rolled together. Additionally, in our opinion, GCP was the most logical acquirer because it lags behind Azure and AWS, which both have impressive moats and means of differentiation (AI/OpenAI and scale, respectively) as well as more advanced native security tooling. Being the “secure” cloud is a massive selling point, and Google would logically pay a premium for that.

After identification: remediation

In the last 2-3 years, CISOs have become more attuned to alert fatigue. If we were to put every security pitch we’ve ever heard into ChatGPT and ask it what the problem statement for all those companies was, we can 100% guarantee you it would read something like, “CISOs are inundated and overwhelmed by alerts.”

Wiz was not the first company to capitalize on creating alerts and surfacing vulnerabilities, but it did highlight how lucrative that business could be. Many followed across different categories, and CISOs soon became restless to turn the alerts into actions, to get to the second part of the security workflow: remediation. In fact, just last week we were talking to a knowledgeable cyber investor who manages a fund with an extensive CISO network in Israel. His main message: “CISOs are tired of alerts. They want remediation.”

The question on our minds is whether Wiz, having won the identification race, will also win the remediation one. We think it’s possible, but not a foregone conclusion. The identification and remediation products and experiences are quite different.

To identify threats, the core capability is effective scanning of cloud resources and assets, which means integrating different pieces of software running in the cloud and effectively interpreting log data coming out of cloud applications. A good cloud threat detection tool understands the cloud environment, picks up on abnormalities, and then tries to decipher which ones are worth paying attention to.

A remediation solution is different. It requires understanding how problems get solved, how issues get patched, and the context of the full system. What workflow solutions does a company use? What does the organization look like, and who is responsible for what kinds of threats? How do I know how to evaluate different-looking alerts coming from different systems?

Additionally, remediation requires identifying the vulnerabilities that are actually exploitable and surfacing those potential exploits as soon as possible, which is technically complex and necessitates deep run-time visibility. Having visibility into the cloud environment certainly helps, but prioritizing and triaging is a different exercise that requires different integrations and technology.

Wiz’s success has also exacerbated the need for better remediation tooling. As of 2023, SOC teams on average receive 4,484 alerts per day, which implies ~1.6 million alerts a year. As security teams need to triage a soaring number of alerts, they also need better tools for remediation. Wiz’s success has created an even bigger problem for CISOs – what to do with alerts. As a result, remediation is a bigger opportunity than it has ever been.

Wiz has made a play in remediation, buying Gem Security (offering deeper run-time visibility, as mentioned above). However, based on speaking to customers, Wiz’s solution is still incomplete, and no one seems satisfied with how they prioritize and remediate threats today. We think there are three reasons for this:

We expect to see more remediation-focused companies come onto the scene. One that we think is interesting is ZEST Security, which is going right after cloud remediation. We have a portfolio company that is inflecting because of an automated remediation product (in data security) that they just released. Additionally, one new category we are tracking on this theme is Continuous Threat Exposure Management (CTEM), which takes into account continued remediation in the same solution as identification and prioritization of threats. Dazz is an example of a company that has raised a lot of capital marketing itself as a CTEM – we expect there to be more to come, riding the trend of remediation as a core selling point.

We have some strong opinions about the kinds of companies that will win in remediation:

Wiz may very well be the winner across the whole cloud security workflow, from identification of threats to remediation of them. However, Wiz has a lot of ground to cover and a lot of competition to fend off just winning the alerting and identification market, and the remediation problem requires a fundamentally different set of integrations and a mapping of personnel within a company that is arguably new terrain for Wiz. We’re excited about companies tackling this remediation problem across the security landscape, even for cloud.

As always, any thoughts and questions are appreciated. And it's always deal season at Primary. If you know someone working on the next great startup, please share this newsletter and send an intro. We will likely skip August but are excited to be back in full force in September!

Until next time,

B&T