Hello everyone,
Microsoft is further equipping Security Copilot with “Agentic AI” capabilities, including semi-automated DLP, phishing triage, or patching based on company context, i.e., to the point where operators only need to approve the action. Reinforcement learning ensures continuous training based on user reactions. Right now, precisely the activities that the agent can (or should) perform are still part of some of our tenders for Managed Services. Visibility without action is just noise, as Yaron Levi (CISO of Dolby) put it. And we’re now getting the “Next action to take”… as an intermediate step towards Security Autopilot.
The inevitable topic in the security market world is, of course, the acquisition of Wiz by Alphabet/Google for 32 billion USD, instead of the previously targeted IPO. This could pay off if GCP is perceived as the most secure cloud, especially for AI applications, and gains market share as a result. GCP generates approximately 40 billion USD/year in revenue, AWS almost three times as much, and Microsoft Azure lies in between. This is where the action is. The purchase cannot be financially justified based on security revenues alone (at least not on my calculator).
What does Wiz actually do, and what is behind the term “Cloud Native Application Protection Platform / CNAPP”? Here is a simplified classification of the main functions, knowing that there are overlaps in the categories:
- Application Security / AppSec Posture Management (ASPM), i.e., development tools: Direct integration into IDEs, version control systems, and CI/CD toolchains to detect insecure code (such as linking to outdated libraries) and suggest secure code to programmers. A combination of static + dynamic testing, Software Composition Analysis, and prioritization based on internet reachability of the components, etc. Competitors here include Aqua, Semgrep, Snyk/Apprisk, OX, Cycode, Checkmarx, Legit, Apiiro, and Veracode.
- Cloud / Data Security Posture Management or Exposure Management (CSPM, DSPM, CTEM): Inventory of assets, classification according to criticality, and assignment of misconfigurations and vulnerabilities with recommended actions. Competitors are almost all XDR and Vulnerability Mgmt solutions (e.g., Microsoft, Palo Alto (Prisma), Crowdstrike, SentinelOne, Tenable, Qualys…), Cloud Security providers like Orca, and specialized solutions like Varonis or Cyera. Wiz relies on an agentless scan with all the known advantages and disadvantages, as well as a graph data model.
- Cloud Infrastructure Entitlement Management (CIEM): Could also be seen as part of CSPM; it’s about managing access rights of users + machine identities, including on SaaS applications. Smaller providers in this segment include Oasis, Aembit, and Clutch.
- Cloud / Application Detection + Response (CDR/ADR): Monitoring of workloads (including containerized ones) during runtime, i.e., attack detection in near real-time. Of course, the XDR manufacturers also offer alternatives here. In addition, there are specialized providers such as Sweet, Armo, Deepfence, Contrast, or Miggo.
- The entire code-to-cloud chain mentioned above should of course be runnable iteratively, e.g., if a container image or an API is identified as vulnerable during a scan, a responsible person must be assigned and then the line of code that needs to be changed must be found.
- Overall, Microsoft, Palo Alto, and Crowdstrike most closely cover a similar feature set. I would probably locate SentinelOne, Orca, Sysdig, Lacework/Fortinet, or Upwind close by.
By the way, also an interesting question in this context: Microsoft’s security products generate an estimated 25 billion USD in revenue / year (i.e., ~15% of the global security market). Would Defender, Sentinel, Entra, Purview, etc., as products of a standalone company, be worth more or less than in conjunction with Microsoft operating systems, Office applications, and cloud infrastructure? My assumption (other opinions welcome): A standalone security company would achieve less revenue with the identical product portfolio at a lower margin. Sales alone would be many times more expensive.
Why now? The always-readable Ross Haleliuk of Ventures in Security has broken down the history of some security success stories from the perspective of how enterprise customers could be convinced of the need for a new solution from a startup in the initial phase after founding. Anyone who has ever been in that situation knows how lengthy the decision-making processes are at major customers – especially in security, where the career risk of decision-makers (“Cover my…”) also plays a major role. At its core, the transformation to cloud infrastructures was decisive for most of today’s billion-dollar companies in the security sector, coupled with a pinch of complacency from the previous market leaders. In almost all cases, the founders previously worked for “Incumbents.” Here is an extract:
Company | Founded | Key customer motivations for purchase/switch |
---|---|---|
Palo Alto Networks | 2007 | ⦁ Increasing prevalence of web-based applications where attackers exploited vulnerabilities at the application level. ⦁ Available firewalls only filtered ports/protocols (the founder was previously a developer at Check Point). ⦁ Customers were provided with the PAN Firewall in monitoring mode in parallel to their existing FW during PoCs (Proof of Concepts) to demonstrate the advantages. |
Zscaler | 2008 | ⦁ VPNs were detrimental for SaaS applications (the founder had previously successfully built up + sold 3 other security companies). |
Okta | 2009 | ⦁ Increasing prevalence of SaaS. ⦁ The founder was previously at Salesforce and had recognized the need for SaaS access management. ⦁ Microsoft did not yet have a comparable product for Cloud IAM like Entra ID, but only on-premise AD. Even AWS did not yet have an IAM service (it only came in 2011). |
Duo (now Cisco) | 2010 | ⦁ Increasing prevalence of smartphones. ⦁ Previous MFA solutions were hardware token-based => Much more cumbersome to manage than via an app (the founder was previously at Arbor Networks and had specialized in the security of ISPs). |
Crowdstrike | 2011 | ⦁ Available AV products were essentially on-prem and signature-based, i.e., without behavior-based threat detection (the founder first had his own consulting company, and then sold it to McAfee, where he worked as CTO for a few more years). |
Abnormal | 2018 | ⦁ Microsoft and Google had introduced APIs around 2015 that could be used to check emails for malware (previously only possible via email proxy/gateway). ⦁ Simultaneously, a rise in Business Email Compromise attacks. |
There’s always a first time: The former CEO of Cybereason (EDR provider) is suing the supervisory board of his former employer. Despite having ~2000 corporate customers, Cybereason is still evidently loss-making and burning cash; the lawsuit mentions a turnaround. The point of contention: The necessary funding round was repeatedly blocked by representatives of VC investors (including Softbank). Cybereason has since received approximately 120 million USD in new funding, but the merger with Trustwave has been canceled. The cash injection may be enough to survive until a buyer is found.
And just before the editorial deadline, I read that a short report on Kyndryl has been published. The core argument is that Kyndryl allegedly understated costs (especially recharges from IBM) and the resulting losses, and overstated realized revenues and cash flows. The company has strongly rejected the allegations. We’ll see if it turns out to be true. Running a business with declining revenues and staff reductions, as in recent years, has certainly not been fun.
Other M&A and Funding News:
- Varonis (DSPM, DLP) is acquiring Cyral (database monitoring).
- F5 (WAF/DDoS protection, etc.) is buying LeakSignal (data classification).
- Pentera (Automated pentests, now 1100 customers) was valued at 1 billion USD in the new funding round.
- Island (Enterprise Browser, approx. 500 customers, 500 employees) on the other hand, was already valued at 5 billion USD.
Notes from Vendor Conversations:
Sentrybox:
- German startup for on-prem honeypots (as mini-appliances), targeting users in banks, the defense industry, and OT (Operational Technology).
- The decoys simulate Linux and Windows devices such as servers, routers, or storage/backup solutions, including headers and services, i.e., an nmap fingerprint should be hardly distinguishable from the real original device for attackers (apart from IP/MAC address).
- The advantage, as with all deception solutions, is of course that there are no false-positive alarms (any kind of login attempt = abuse).
- Alerting via SIEM / ticket system or visually directly on the box.
- First customers are currently testing the solution => Of course, more are wanted, the founder Benjamin Krüger welcomes inquiries.
- Price point approximately ~1200 EUR/year per box.
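To make the “any login = abuse” property concrete from the SOC side: the following is an added example (not Sentrybox’s code, and not a description of its appliance) showing what a decoy-interaction rule looks like when the alerting goes to a SIEM rather than to the box itself. The decoy inventory, the hostnames, the IP addresses and the syslog-style lines are all constructed; the point is that the rule never has to decide whether an authentication succeeded or failed, because no legitimate user should touch the decoy at all.

```python
"""Decoy-interaction detection over constructed auth-log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed decoy inventory: hostname -> address. The only knowledge the rule needs.
DECOY_HOSTS: Dict[str, str] = {
    "decoy-backup-01": "10.20.30.40",
    "decoy-router-01": "10.20.30.41",
}

# Constructed syslog-style sample lines; one real host (fileserver-03) is mixed in.
SAMPLE_LOGS: List[str] = [
    "Mar 28 09:12:01 decoy-backup-01 sshd[812]: Failed password for root from 10.20.7.15 port 51234 ssh2",
    "Mar 28 09:12:05 decoy-backup-01 sshd[812]: Accepted password for admin from 10.20.7.15 port 51236 ssh2",
    "Mar 28 09:13:10 fileserver-03 sshd[2231]: Accepted publickey for jdoe from 10.20.5.9 port 40022 ssh2",
    "Mar 28 09:14:44 decoy-router-01 login: user=admin src=10.20.7.15 result=denied",
]

# "<Mon> <day> <time> <host> <program>[pid]: <message>" with an optional pid.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# Source address as written by sshd ("from 1.2.3.4") or by a key=value login log ("src=1.2.3.4").
SRC_RE = re.compile(r"(?:from|src=)\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class DecoyAlert:
    decoy: str
    decoy_ip: str
    source_ip: str
    program: str
    outcome: str   # recorded for context only; it does not influence the verdict
    raw: str


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog-style line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def outcome_of(msg: str) -> str:
    """Best-effort success/failure label; kept only for the analyst, not for filtering."""
    return "success" if ("Accepted" in msg or "result=ok" in msg) else "failure"


def detect_decoy_interactions(lines: List[str], decoys: Dict[str, str] = DECOY_HOSTS) -> List[DecoyAlert]:
    """Every authentication event emitted by a decoy host becomes an alert, success or not."""
    alerts: List[DecoyAlert] = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["host"] not in decoys:
            continue
        src = SRC_RE.search(rec["msg"])
        alerts.append(DecoyAlert(
            decoy=rec["host"],
            decoy_ip=decoys[rec["host"]],
            source_ip=src.group("ip") if src else "unknown",
            program=rec["prog"],
            outcome=outcome_of(rec["msg"]),
            raw=line,
        ))
    return alerts


def suspicious_sources(alerts: List[DecoyAlert]) -> List[str]:
    """Distinct addresses that touched any decoy, e.g. for correlation with other telemetry."""
    return sorted({a.source_ip for a in alerts})


def to_siem_event(alert: DecoyAlert) -> str:
    """Key=value line in a constructed schema, as a SIEM or ticket system would ingest it."""
    return (f"severity=high rule=decoy_interaction decoy={alert.decoy} decoy_ip={alert.decoy_ip} "
            f"src={alert.source_ip} program={alert.program} auth_outcome={alert.outcome}")


if __name__ == "__main__":
    for a in detect_decoy_interactions(SAMPLE_LOGS):
        print(to_siem_event(a))
```

Note the deliberate asymmetry: the real file server’s successful login produces nothing, while even the failed attempt against the decoy is severity high. Whatever the SIEM does afterwards (correlate `src` with other logs, open a ticket, block at the firewall) is a decision outside this rule.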
Vulncheck:
- Vulnerability, Exploit + Initial Access Intelligence to prioritize vulnerabilities. HQ in USA.
- Covers IT, OT, IoT systems.
- In addition to NVD and CVE, also uses OEM advisories and exploit databases such as Packetstorm, and repositories such as GitHub/GitLab/Gitee or Bitbucket => For example, 2x as many exploited vulnerabilities as contained in the CISA KEV.
- No own dashboard, but data feed that can be integrated with vulnerability scanners, asset management solutions or SIEMs.
- Also offer Detection Engineering as a service.
- Customers primarily among other security providers (including Palo Alto, Crowdstrike, Netrise, Brinqa), defense and critical infrastructures, so rather something “for advanced users”.
- First customers in the EU; they are currently building a sales team here and are also looking for channel partners in the DACH region (Germany, Austria, Switzerland).
Netwrix (Update):
- Known from the area of Identity Threat Protection (like the ITD/ITP modules of the XDR manufacturers).
- New DLP module (similar to DriveLock or Matrix42): The Endpoint Protector from CoSoSys was purchased for this.
- For Windows, Linux, Mac.
- In addition to USB Device Control, also Discovery + encryption of sensitive data on clients+servers.
- In the core area of AD Security, a few additions:
  - PingCastle (AD and Entra ID Assessments, probably everyone knows it) was acquired this year.
  - Backup + Recovery of DCs, restoration of individual AD attributes/objects up to complete forests. Previously, Semperis, Quest and Cayosoft were mainly represented here with specialized solutions.
- Free trial versions for almost all products.
- New customers in the DACH region include Sandoz, GLS.
Aembit:
- US Startup for Non Human Identity (NHI) Management.
- Similar to Oasis, but with a different focus: Less on lifecycle management, more on access permissions. “The IdP for NHIs”.
- Rule-based just-in-time access.
- Multi-stage attestation (to get as close as possible to MFA for machine identities):
  - First, the identity of an application is assigned to an authentication credential of a workload. “Trust providers” such as on-prem Kerberos or metadata from cloud providers are used.
  - Then, the plausibility of the access is checked behaviorally.
- Integration with the common vaults from PAM and DevOps tools.
- So far, only a handful of customers, but apparently including Snowflake and Starbucks.
- Crowdstrike and Okta are both invested in Aembit.
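To show what the three-stage pattern from the notes above (attest the workload via a trust provider, check plausibility, then hand out a just-in-time credential) amounts to as a policy decision, here is an added illustration in Python. It is not Aembit’s code and makes no claim about how its product is built: the trust provider is mocked as an HMAC signature over a cloud-metadata-style claims document (in reality the platform signs this, and the signing key is constructed here), the application registry and plausibility policy are constructed, and the “vault” simply mints a random short-lived token.

```python
"""Multi-stage workload access decision for non-human identities (added example)."""
import hashlib
import hmac
import ipaddress
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the trust provider's signing key (e.g. a cloud metadata service).
TRUST_PROVIDER_KEY = b"constructed-trust-provider-key"

# Stage 1 registry: workload attributes vouched for by the trust provider -> application identity.
APP_REGISTRY = {
    ("acct-123", "role/etl-batch"): "etl-batch",
}

# Stage 2 policy: what a plausible access looks like for each application (constructed values).
ACCESS_POLICY = {
    "etl-batch": {
        "targets": {"warehouse-db"},
        "hours_utc": range(0, 6),                      # nightly batch window
        "source_net": ipaddress.ip_network("10.50.0.0/16"),
        "ttl_seconds": 300,                            # credential lifetime
    },
}


def sign_attestation(claims: dict) -> str:
    """What the (mocked) trust provider does: sign the workload's identity document."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(TRUST_PROVIDER_KEY, payload, hashlib.sha256).hexdigest()


def verify_attestation(claims: dict, signature: str) -> bool:
    """Constant-time check that the claims really come from the trust provider."""
    return hmac.compare_digest(sign_attestation(claims), signature)


@dataclass
class Decision:
    allowed: bool
    stage: str          # which stage produced the verdict
    reason: str
    credential: Optional[dict] = None


def request_access(claims: dict, signature: str, target: str, source_ip: str,
                   now: Optional[datetime] = None) -> Decision:
    """Run attestation -> plausibility -> just-in-time issuance; stop at the first failure."""
    now = now or datetime.now(timezone.utc)

    # Stage 1: the workload's platform credential is mapped to an application identity.
    if not verify_attestation(claims, signature):
        return Decision(False, "attestation", "claims not signed by trust provider")
    app = APP_REGISTRY.get((claims.get("account"), claims.get("role")))
    if app is None:
        return Decision(False, "attestation", "workload not mapped to any application")
    policy = ACCESS_POLICY[app]

    # Stage 2: is this access plausible for that application?
    if target not in policy["targets"]:
        return Decision(False, "plausibility", f"{app} never accesses {target}")
    if now.hour not in policy["hours_utc"]:
        return Decision(False, "plausibility", f"{app} outside its batch window (hour {now.hour} UTC)")
    if ipaddress.ip_address(source_ip) not in policy["source_net"]:
        return Decision(False, "plausibility", f"{app} from unexpected network {source_ip}")

    # Stage 3: mint a short-lived credential; the workload never holds a long-lived secret.
    credential = {
        "app": app,
        "target": target,
        "token": secrets.token_urlsafe(24),
        "expires_at": (now + timedelta(seconds=policy["ttl_seconds"])).isoformat(),
    }
    return Decision(True, "issued", f"{app} -> {target}", credential)


if __name__ == "__main__":
    claims = {"account": "acct-123", "instance_id": "i-constructed", "role": "role/etl-batch"}
    sig = sign_attestation(claims)
    at_night = datetime(2025, 3, 28, 2, 0, tzinfo=timezone.utc)
    print(request_access(claims, sig, "warehouse-db", "10.50.4.7", now=at_night))
    print(request_access(claims, sig, "warehouse-db", "10.50.4.7", now=at_night.replace(hour=14)))
```

The design point is the ordering: a forged or unknown workload is rejected before any behavioral rule runs, a genuine workload doing something out of character is rejected before any secret exists, and what is finally issued expires on its own. A real deployment would replace the HMAC with the platform’s own signed identity document and the token dict with a vault-issued credential.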
By the way, my colleague Philipp Pelkmann has withdrawn from the operative business at CyberCompare, but, as his primary task on the advisory board, of course continues to review the market comments. He sends his best greetings to all readers at this point (and also to his parents – Shoutout to Gütersloh, Ostwestfalen).
As always: Questions, suggestions, comments, testimonials and also conflicting opinions or rectifications are welcome via email. Ditto for unsubscribing from the mailing list.
For the people who have had this email forwarded to them: You can register here if you are interested or browse the archive.
Best regards,
Jannis Stemmann