Security
Auto Added by WPeMatico
Auto Added by WPeMatico
JFrog, the company best known for a platform that helps developers continuously manage software delivery and updates, is making a deal to help it expand its presence and expertise in an area that has become increasingly connected to DevOps: security. The company is acquiring Vdoo, which has built an AI-based platform that can be used to detect and fix vulnerabilities in the software systems that work with and sit on IoT and connected devices. The deal — in a mix of cash and stock — is valued at approximately $300 million, JFrog confirmed to me.
Sunnyvale-based, Israeli-founded JFrog is publicly traded on Nasdaq, where it went public last September, and currently it has a market cap of $4.65 billion. Vdoo, meanwhile, had raised about $70 million from investors that include NTT, Dell, GGV and Verizon (disclaimer: Verizon owns TechCrunch), and when we covered its most recent funding round, we estimated that the valuation was somewhere between $100 million and $200 million, making this a decent return.
Shlomi Ben Haim, JFrog’s co-founder and CEO, said that his company’s turn to focusing deeper on security, and making this acquisition in particular to fill out that strategy, are a natural progression in its aim to build out an end-to-end platform for the DevOps team.
“When we started JFrog, the main challenge was to educate the market on what we saw as most important priorities when it comes to building, testing and deploying software,” he said. Then sometime around 2015-2016 he said they started to realize there was a “crack” in the system, “a crack called security.” InfoSec engineers and developers sometimes work at cross purposes, as “developers became too fast” the work they were doing has inadvertently led to a lot of security vulnerabilities.
JFrog has been building a number of tools since then to address that and to bring the collective priorities together, such as its X-ray product. And indeed, Vdoo is not JFrog’s first foray into security, but it represents a significant step deeper into the hardware and systems that are being run on software. “It’s a very important leap forward,” Ben Haim said.
For its part, Vdoo was born out of a realization as well as a challenging mission: IoT and other connected devices — a universe of some 50 billion pieces of hardware as of last year — represents a massive security headache, and not just because of the volume of devices: Each object uses and interacts with software in the cloud and so each instance represents a potential vulnerability, with zero-day vulnerabilities, CVEs, configuration and hardening issues, and standard non-compliance among some of the most common.
While connected-device security up to now has typically focused on monitoring activity on the hardware, how data is moving in and out of it, Vdoo’s approach has been to build a platform that monitors the behavior of the devices themselves on top of that, using AI to compare that behavior to identify when something is not working as it should. Interestingly, this mirrors the kind of binary analysis that JFrog provides in its DevOps platform, making the two complementary to each other.
But what’s notable is that this will give JFrog a bigger play at the edge, since part of Vdoo’s platform works on devices themselves, “micro agents” as the company has described them to me previously, to detect and repair vulnerabilities on endpoints.
While JFrog has built a lot of its own business from the ground up, it has made a number of acquisitions to bolt on technology (one example: Shippable, which it used to bring continuous integration and delivery into its DevOps platform). In this case, Netanel Davidi, the co-founder and CEO of Vdoo (who previously co-founded and sold another security startup, Cyvera, to Palo Alto Networks) said that this was a good fit because the two companies are fundamentally taking the same approaches in their work (another synergy and justification for DevOps and InfoSec being more closely knitted together too I might add).
“In terms of the fit between the companies, it’s about our approach to binaries,” Davidi said in an interview, noting that the two being on the same page with this approach was fundamental to the deal. “That’s only the way to cover the entire pipeline from the very beginning, when they go you develop something, all the way to the device or to the server or to the application or to the mobile phone. That’s the only way to truly understand the context and contextual risk.”
He also made a note not just of the tech but of the talent that is coming on with the acquisition: 100 people joining JFrog’s 800.
“If JFrog chose to build something like this themselves, they could have done it,” he said. “But the uniqueness here is that we have built the best security team, the best security researchers, the best vulnerability researchers, the best reverse engineers, which focus not only on embedded systems, and IoT, which is considered to be the hardest thing to learn and to analyze, but also in software artifacts. We are bringing this knowledge along with us.”
JFrog said that Vdoo will continue to operate as a standalone SaaS product for the time being. Updates that are made will be in aid of supporting the JFrog platform and the two aim to have a fully integrated, “holistic” product by 2022.
Along with the deal, JFrog reiterated financial guidance for the next quarter that will end June 30, 2021. It expects revenues of $47.6 million to $48.6 million, with non-GAAP operating income of $0.5 million to $1.5 million and non-GAAP EPS of $0.00 to $0.01, assuming approximately 104 million weighted average diluted shares outstanding. For Full Year 2021, revenues are expected to be $198 million to $204 million, with non-GAAP operating income between $5 million and $7 million and an approximately 3% increase in weighted average diluted shares. JFrog anticipates consolidated operating expenses to increase by approximately $9-10 million for the remainder of 2021, subject to the acquisition closing.
Powered by WPeMatico
As the second quarter races to a close, we’re down to the wire for IPOs looking to get out before June ends. One such company is SentinelOne, a cybersecurity startup backed by Insight Venture Partners, Redpoint, Tiger Global Management, Data Collective and Anchorage Capital, among others.
SentinelOne raised an ocean of capital while private, including nearly $500 million across two rounds in 2020. Its debut is therefore a huge liquidity event for a host of investing groups. And today, the cybersecurity unicorn had good news in the form of an upgrade to its IPO price range.
The Exchange explores startups, markets and money. Read it every morning on Extra Crunch or get The Exchange newsletter every Saturday.
Last week, The Exchange wrote that the company’s IPO would be a “good heat check for the IPO market” given its rapid growth and pace of losses. How investors valued it would help explain the public market’s current appetite for loss-making startups. Today’s news implies healthy appetites.
SentinelOne raised its IPO price range this morning from $26 to $29 per share to $31 to $32 per share, a sizable lift to its valuation and IPO raise.
This morning, we’re unpacking the company’s new valuation range, thinking about SentinelOne’s growth and revenue results compared to similar public companies, and working to understand if the company is inexpensive, neutrally priced or expensive compared to current comps. Sound fun? It will be!
Recall that when SentinelOne last raised capital it was valued at $2.7 billion on a pre-money basis. The company was therefore worth just under $3 billion after the $267 million round. The unicorn is going to yeet that figure into space in its IPO, barring something catastrophic.
Its new IPO price range of $31 to $32 per share values the company on a much richer basis. With an anticipated simple share count of 253,530,006 after its IPO, inclusive of a private placement, the company would be worth $7.86 billion to $8.11 billion.
Powered by WPeMatico
Turning the page from the early-stage venture capital market to the super late-stage exit market, this morning we’re talking about endpoint security company SentinelOne’s IPO in the context of Sprinklr’s own. We’ll have more on the public offering market later today when Doximity and Confluent price their respective IPOs after the close of trading.
The Exchange explores startups, markets and money. Read it every morning on Extra Crunch or get The Exchange newsletter every Saturday.
SentinelOne’s IPO, expected to price on June 29 and trade June 30, is a fascinating debut. Why? Because the company sports a combination of rapid growth and expanding losses that make it a good heat check for the IPO market. Its debut will allow us to answer whether public investors still value growth above all else. And this week, the company gave us an early dataset regarding its market value in the form of an IPO price range. This means we can do some unpacking and thinking.
A reminder regarding why we dwell on the exit market for unicorns: We care because the value of late-stage startups when they reach a liquidity point helps set valuation comps for myriad smaller startups. Furthermore, the level of public-market enthusiasm for loss-making, growth-focused companies will determine the scale of returns for many a venture capitalist, founder and early employee.
So, let’s talk about SentinelOne’s cybersecurity IPO price range; Sprinklr’s social-media software debut will play foil.
It can make good sense to pay up for a quickly growing company’s shares. This is why you may hear of a startup raising an early-stage round at a very high revenue multiple.
Why put a $50 million price tag on a startup that just crossed the $1 million annual recurring revenue (ARR) threshold? If it’s growing sufficiently quickly, the math can pencil out. If that startup was growing at 300% per year, say, the revenue multiple that you paid in the round valuing the startup at $50 million would fall sharply over the next year, at which point other investors would probably scramble to put more capital into the firm at a higher price.
Bingo! You just got a markup on your initial investment, and the company has found someone else to lead their next round at a higher price, giving it even more capital to keep its growth game going and make your early investment appear prescient. See? Venture capital is easy.1
The same general idea applies to companies going public. Growth matters, and the more rapidly a company is adding revenue, the more money it will be worth because investors can anticipate its future scale (within reason). Some companies that sport quick growth can have other issues that impact their value. Extensive debt, for example, a history of uneven growth, or deteriorating economics could come into play. Or simply very high losses.
Powered by WPeMatico
Fraud protection startup nSure AI has raised $6.8 million in seed funding, led by DisruptiveAI, Phoenix Insurance, AXA-backed venture builder Kamet, Moneta Seeds and private investors.
The round will help the company bolster the predictive AI and machine learning algorithms that power nSure AI’s “first of its kind” fraud protection platform. Prior to this round, the company received $550,000 in pre-seed funding from Kamet in March 2019.
The Tel Aviv-headquartered startup, which currently has 16 employees, provides fraud detection for high-risk digital goods, such as electronic gift cards, airline tickets, software and games. While most fraud detection tools analyze each online transaction in an attempt to decide which purchases to approve and decline, nSure AI’s risk engine leverages deep learning techniques to accurately identify fraudulent transactions.
NSure AI, which is backed by insurance company AXA, said it has a 98% approval rating on average for purchases, compared to an industry average of 80%, allowing retailers to recapture nearly $100 billion a year in revenue lost by declining legitimate customers. The company is so confident in its technology that it will accept liability for any fraudulent transaction allowed by the platform.
Founders Alex Zeltcer and Ziv Isaiah started the company after experiencing the unique challenges faced by retailers of digital assets. The first week of their online gift card business found that 40% of sales were fraudulent, resulting in chargebacks. The founders began to develop their own platform for supporting the sale of high-risk digital goods after no other fraud detection service met their needs.
Zeltcer, co-founder and chief executive, said the investment “enables us to register thousands of new merchants, who can feel confident selling higher-risk digital goods, without accepting fraud as a part of business.”
NSure AI, which currently monitors and manages millions of transactions every month, has approved close to $1 billion in volume since going live in 2019.
Powered by WPeMatico
Last year, Seattle-based network security startup ExtraHop was riding high, quickly approaching $100 million in ARR and even making noises about a possible IPO in 2021. But there will be no IPO, at least for now, as the company announced this morning it has been acquired by a pair of private equity firms for $900 million.
The firms, Bain Capital Private Equity and Crosspoint Capital Partners, are buying a security solution that provides controls across a hybrid environment, something that could be useful as more companies find themselves in a position where they have some assets on-site and some in the cloud.
The company is part of the narrower Network Detection and Response (NDR) market. According to Jesse Rothstein, ExtraHop’s chief technology officer and co-founder, it’s a technology that is suited to today’s threat landscape, “I will say that ExtraHop’s north star has always really remained the same, and that has been around extracting intelligence from all of the network traffic in the wire data. This is where I think the network detection and response space is particularly well suited to protecting against advanced threats,” he told TechCrunch.
The company uses analytics and machine learning to figure out if there are threats and where they are coming from, regardless of how customers are deploying infrastructure. Rothstein said he envisions a world where environments have become more distributed with less defined perimeters and more porous networks.
“So the ability to have this high-quality detection and response capability utilizing next generation machine learning technology and behavioral analytics is so very important,” he said.
Max de Groen, managing director at Bain, says his company was attracted to the NDR space, and saw ExtraHop as a key player. “As we looked at the NDR market, ExtraHop, which [ … ] has spent 14 years building the product, really stood out as the best individual technology in the space,” de Groen told us.
Security remains a frothy market with lots of growth potential. We continue to see a mix of startups and established platform players jockeying for position, and private equity firms often try to establish a package of services. Last week, Symphony Technology Group bought FireEye’s product group for $1.2 billion, just a couple of months after snagging McAfee’s enterprise business for $4 billion as it tries to cobble together a comprehensive enterprise security solution.
Powered by WPeMatico
When it comes to meeting compliance standards, many startups are dominating the alphabet. From GDPR and CCPA to SOC 2, ISO27001, PCI DSS and HIPAA, companies have been charging toward meeting the compliance standards required to operate their businesses.
Today, every healthcare founder knows their product must meet HIPAA compliance, and any company working in the consumer space would be well aware of GDPR, for example.
But a mistake many high-growth companies make is that they treat compliance as a catchall phrase that includes security. Thinking this could be an expensive and painful error. In reality, compliance means that a company meets a minimum set of controls. Security, on the other hand, encompasses a broad range of best practices and software that help address risks associated with the company’s operations.
It makes sense that startups want to tackle compliance first. Being compliant plays a big role in any company’s geographical expansion to regulated markets and in its penetration to new industries like finance or healthcare. So in many ways, achieving compliance is a part of a startup’s go-to-market kit. And indeed, enterprise buyers expect startups to check the compliance box before signing on as their customer, so startups are rightfully aligning around their buyers’ expectations.
One of the best ways startups can begin tackling security is with an early security hire.
With all of this in mind, it’s not surprising that we’ve witnessed a trend where startups achieve compliance from the very early days and often prioritize this motion over developing an exciting feature or launching a new campaign to bring in leads, for instance.
Compliance is an important milestone for a young company and one that moves the cybersecurity industry forward. It forces startup founders to put security hats on and think about protecting their company, as well as their customers. At the same time, compliance provides comfort to the enterprise buyer’s legal and security teams when engaging with emerging vendors. So why is compliance alone not enough?
First, compliance doesn’t mean security (although it is a step in the right direction). It is more often than not that young companies are compliant while being vulnerable in their security posture.
What does it look like? For example, a software company may have met SOC 2 standards that require all employees to install endpoint protection on their devices, but it may not have a way to enforce employees to actually activate and update the software. Furthermore, the company may lack a centrally managed tool for monitoring and reporting to see if any endpoint breaches have occurred, where, to whom and why. And, finally, the company may not have the expertise to quickly respond to and fix a data breach or attack.
Therefore, although compliance standards are met, several security flaws remain. The end result is that startups can suffer security breaches that end up costing them a bundle. For companies with under 500 employees, the average security breach costs an estimated $7.7 million, according to a study by IBM, not to mention the brand damage and lost trust from existing and potential customers.
Second, an unforeseen danger for startups is that compliance can create a false sense of safety. Receiving a compliance certificate from objective auditors and renowned organizations could give the impression that the security front is covered.
Once startups start gaining traction and signing upmarket customers, that sense of security grows, because if the startup managed to acquire security-minded customers from the F-500, being compliant must be enough for now and the startup is probably secure by association. When charging after enterprise deals, it’s the buyer’s expectations that push startups to achieve SOC 2 or ISO27001 compliance to satisfy the enterprise security threshold. But in many cases, enterprise buyers don’t ask sophisticated questions or go deeper into understanding the risk a vendor brings, so startups are never really called to task on their security systems.
Third, compliance only deals with a defined set of knowns. It doesn’t cover anything that is unknown and new since the last version of the regulatory requirements were written.
For example, APIs are growing in use, but regulations and compliance standards have yet to catch up with the trend. So an e-commerce company must be PCI-DSS compliant to accept credit card payments, but it may also leverage multiple APIs that have weak authentication or business logic flaws. When the PCI standard was written, APIs weren’t common, so they aren’t included in the regulations, yet now most fintech companies rely heavily on them. So a merchant may be PCI-DSS compliant, but use nonsecure APIs, potentially exposing customers to credit card breaches.
Startups are not to blame for the mix-up between compliance and security. It is difficult for any company to be both compliant and secure, and for startups with limited budget, time or security know-how, it’s especially challenging. In a perfect world, startups would be both compliant and secure from the get-go; it’s not realistic to expect early-stage companies to spend millions of dollars on bulletproofing their security infrastructure. But there are some things startups can do to become more secure.
One of the best ways startups can begin tackling security is with an early security hire. This team member might seem like a “nice to have” that you could put off until the company reaches a major headcount or revenue milestone, but I would argue that a head of security is a key early hire because this person’s job will be to focus entirely on analyzing threats and identifying, deploying and monitoring security practices. Additionally, startups would benefit from ensuring their technical teams are security-savvy and keep security top of mind when designing products and offerings.
Another tactic startups can take to bolster their security is to deploy the right tools. The good news is that startups can do so without breaking the bank; there are many security companies offering open-source, free or relatively affordable versions of their solutions for emerging companies to use, including Snyk, Auth0, HashiCorp, CrowdStrike and Cloudflare.
A full security rollout would include software and best practices for identity and access management, infrastructure, application development, resiliency and governance, but most startups are unlikely to have the time and budget necessary to deploy all pillars of a robust security infrastructure.
Luckily, there are resources like Security 4 Startups that offer a free, open-source framework for startups to figure out what to do first. The guide helps founders identify and solve the most common and important security challenges at every stage, providing a list of entry-level solutions as a solid start to building a long-term security program. In addition, compliance automation tools can help with continuous monitoring to ensure these controls stay in place.
For startups, compliance is critical for establishing trust with partners and customers. But if this trust is eroded after a security incident, it will be nearly impossible to regain it. Being secure, not only compliant, will help startups take trust to a whole other level and not only boost market momentum, but also make sure their products are here to stay.
So instead of equating compliance with security, I suggest expanding the equation to consider that compliance and security equal trust. And trust equals business success and longevity.
Powered by WPeMatico
Uptycs, a Boston-area startup that uses data to help understand and prevent security attacks, announced a $50 million Series C today, 11 months after announcing a $30 million Series B. Norwest Venture Partners led the round with participation from Sapphire Ventures and ServiceNow Ventures.
Company co-founder and CEO Ganesh Pai says that he was still well capitalized from last year’s investment, and wasn’t actually looking to raise funds, but the investors came looking for him and he saw a way to speed up some aspects of the company’s roadmap.
“It was one of those things where the round came in primarily as a function of execution and success to date, and we decided to capitalize on that because we know the partners and raised the capital so that we could use it meaningfully for a couple of different things, primarily sales and marketing acceleration,” Pai said.
He said that part of the reason for the company’s success over the last year was that the pandemic generated more customer interest as people moved to work from home, the SolarWinds hack happened and companies were moving to the cloud faster. “We provided a solution which was telemetric powered and very insightful when it came to solving their security problems and that’s what led to triple digit growth over the last year,” he said.
But Pai says that the company has not been sitting still in terms of the platform. While last year, he described it primarily as a forensic security data solution, helping customers figure out what happened after a security issue has happened, he says that the company has begun expanding on that vision to include all four main areas of security, including being proactive, reactive, predictive and protective.
The company started primarily in being reactive by figuring what happened in the past, but has begun to expand into these other areas over the last year, and the plan is to continue to build out that functionality.
“In the context of SolarWinds, what everyone is trying to figure out is how soon into the supply chain can you figure out what could be potentially wrong by looking at indications of behavior or indications of compromise, and our ability to ingest telemetry from a diverse set of sources, not as a bolt-on solution, but something which is built from the ground up, resonated really well,” Pai explained.
The company had 65 employees when we spoke last year for the Series B. Today, Pai says that number is approaching 140 and he is adding new people every week, with a goal to get to around 200 people by the end of the year. He says as the company grows, he keeps diversity top of mind.
“As we grow and as we raise capital diversity has been something which has been a high priority and very critical for us,” he said. In fact, he reports that more than 50% of his employees come from under-represented groups whether it’s Latinx, Black or Asian heritage.
Pai says that one of the reasons he has been able to build a diverse workforce is his commitment to a remote workplace, which means he can hire from anywhere, something he will continue to do even after the pandemic ends.
Powered by WPeMatico
APIs make the world go round in tech, but that also makes them a very key target for bad actors: As doorways into huge data troves and services, malicious hackers spent a lot of time looking for ways to pick their locks or just force them open when they’re closed, in order to access that information. And a lot of recent security breaches stemming from API vulnerabilities (see here, here and here for just a few) show just how real and current the problem is.
Today, a company that’s building a network of services to help those using and producing APIs to identify and eradicate those risks is announcing a round of funding to meet a growing demand for its services. Salt Security, which provides AI-based technology to identify issues and stop attacks across the whole of your API library, has closed $70 million in funding, money that it will be using both to meet current demand but also continue building out its technology for a wider set of services and use cases for API management.
The funding is being led by Advent International, by way of Advent Tech, with Alkeon Capital, DFJ Growth and previous backers Sequoia Capital, Tenaya Capital, S Capital VC and Y Combinator all also participating.
Salt, founded in Israel and now active globally, is not disclosing valuation, but I understand from a reliable source that it is in the region of $600-700 million.
As with many of the funding rounds that seem to be getting announced these days, this one is coming on the heels of both another recent round, as well as strong growth. Salt has raised $131 million since 2016, but nearly all of that — $120 million, to be exact — has been raised in the last year.
Part of the reason for that is Salt’s performance: In the last 12 months, it’s seen revenue grow 400% (with customers including a range of Fortune 500 and other large businesses in the financial services, retail and SaaS sectors like Equinix, Finastra, TripActions, Armis and DeinDeal); headcount grow 160%; and, perhaps most importantly, API traffic on its network grow 380%.
That growth in API traffic underscores the issue that Salt is tackling. Companies these days use a variety of APIs — some private, some public — in their tech stack as a way to interface with other businesses and run their services. APIs are a huge part of how the internet and digital services operate, with Akamai estimating that as much as 83% of all IP traffic is API traffic.
The problem, Roey Eliyahu, CEO and co-founder of Salt Security, told me, is that this usage has outpaced how well many manage those APIs.
“How APIs have evolved is very different to how developers used APIs years ago,” he said. “Before, there were very few, and you could say they were more manageable, and they contained less-sensitive data, and there were very few changes and updates made to them,” he said. “Today with the pace of development, not only are they always getting updated, but you have thousands of them now touching crown jewels of the company.”
This has made them a prime target for malicious hackers. Eliyahu notes Gartner stats that predict that by 2022, APIs will make up the largest attack vector in cybercrime.
Salt’s approach starts with taking stock of a whole network and doing a kind of spring clean to find all the APIs that might be used or abused.
“Companies don’t know how many APIs they even have,” Eliyahu said, noting that some 40%-80% of the APIs in existence for a typical company’s data are not even in active operation, lying there as “shadow APIs” for someone to pick up and misuse.
It then looks at what vulnerabilities might inadvertently be contained in this mix and makes suggestions for how to alter them to fix that. After this, it also monitors how they are used in order to stop attacks as they happen. The third of these also involves remediation “insights”, but carrying out the remediation is done by third parties at the moment, Eliyahu said. All of this is done through Salt’s automated, AI-based, flagship Salt Security API Protection Platform.
There are a number of competitors in the same space as Salt, including Ping, and newer players like Imvision and 42Crunch (which raised funding earlier this month), and the list is likely to grow as not just other API management companies get deeper into this huge space, but cybersecurity companies do, too.
“The rapid proliferation of APIs has dramatically altered the attack surface of applications, creating a major challenge for large enterprises since existing security mechanisms cannot protect against this new threat,” said Bryan Taylor, managing partner and head of Advent’s technology team, in a statement. “We continue to see API security incidents make the news headlines and cause significant reputational risk for companies. As we investigated the API security market, Salt stood out for its multi-year technical lead, significant customer traction and references, and talented team. We look forward to drawing on our deep experience in this sector to partner with Salt in this exciting new chapter.”
Powered by WPeMatico
Britive, an early-stage startup that is trying to bring privileged access control to a multi-cloud world, announced a $10 million Series A this morning. Crosslink Capital led the investment, with participation from previous investors Upfront Ventures and One Way Ventures.
The company helps automate permissioning across multiple cloud vendors and software services, whether that involves a human or a machine seeking permission. In a world of increasing automation, it’s often a machine seeking access, and that makes permissioning all the more critical, says Britive co-founder and CEO Art Poghosyan.
“What we offer is an automated approach to access, [moving from] what we call statically granted access, which constantly gets added all the time […] to completely ‘just in time access’,” he said. That means that after you define a policy, it sets the ground rules for access, and grants it based on that policy for the time required, and nothing more, whether you’re a human or a machine.
In today’s complex development, world that could take many forms, including API keys and secrets. “Yes, sometimes those things are granted to a human actor like a DevOps engineer, but a lot of times it also needs to be granted — quote, unquote — to a Terraform script or to GitHub to go and build out application infrastructure or deploy an application,” he said.
The company currently has 40 employees, a number that Poghosyan expects to double in the next 12 months as he puts this capital to work. As a first-generation Armenian immigrant, Poghosyan says that he takes diversity and inclusion extremely seriously as he hires more employees.
“We’ve always been committed — in this business and our previous startup — to providing equal opportunities to talented people, no matter what background they come from. I’m really proud that even as a small company — we’re 40 at the moment — we have more than 50% of our workforce which comes from ethnic minority groups,” he said.
Britive, which is based in Los Angeles, launched in 2018 and brought its first product to market in 2019. The company raised a $5.4 million seed round last July, which it announced in September, making the total raised so far approximately $15.4 million.
Powered by WPeMatico
Cisco has been busy on the acquisition front this week, and today the company announced it was buying threat assessment platform Kenna Security, the third company it has purchased this week. The two companies did not disclose the purchase price.
With Kenna, Cisco gets a startup that uses machine learning to sort through the massive pile of threat data that comes into a security system on a daily basis and prioritizes the threats most likely to do the most damage. That could be a very useful tool these days when threats abound and it’s not always easy to know where to put your limited security resources. Cisco plans to take that technology and integrate into its SecureX platform.
Gee Rittenhouse, senior vice president and general manager of Cisco’s Security Business Group, wrote in a blog post announcing the deal with Kenna that his company is getting a product that brings together Cisco’s existing threat management capabilities with Kenna’s risk-based vulnerability management skills.
“That is why we are pleased to announce our intent to acquire Kenna Security, Inc., a recognized leader in risk-based vulnerability prioritization with over 14 million assets protected and over 12.7 billion managed vulnerabilities. Using data science and real-world threat intelligence, it has a proven ability to bring data in from a multi-vendor environment and provide a comprehensive view of IT vulnerability risk,” Rittenhouse wrote in the blog post.
The security sphere has been complex for a long time, but with employees moving to work from home because of COVID, it became even more pronounced in the last year. In a world where the threat landscape changes quickly, having a tool that prioritizes what to look at first in its arsenal could be very useful.
Kenna Security CEO Karim Toubba gave a typical executive argument for being acquired: it gives him a much bigger market under Cisco than his company could have built alone.
“Now is our opportunity to change the industry: once the acquisition is complete, we will be one step closer to delivering Kenna’s pioneering Risk-Based Vulnerability Management (RBVM) platform to the more than 7,000 customers using Cisco SecureX today. This single action exponentially increases the impact Kenna’s technology will have on the way the world secures networks, endpoints and infrastructures,” he wrote in the company blog.
The company, which launched in 2010, claims to be the pioneer in the RBVM space. It raised over $98 million on a $320 million post-money valuation, according to PitchBook data. Customers include HSBC, Royal Bank of Canada, Mattel and Quest Diagnostics.
For those customers, the product will cease to be standalone at some point as the companies work together to integrate Kenna technology into the SecureX platform. When that is complete, the standalone customers will have to purchase the Cisco solution to continue using the Kenna tech.
Cisco has had a busy week on the acquisition front. It announced its intent to acquire Sedona Systems on Tuesday, Socio Labs on Wednesday and this announcement today. That’s a lot of activity for any company in a single week. The deal is expected to close in Cisco Q4 FY 2021. Kenna’s 170 employees will be joining the Security Business Group led by Rittenhouse.
Powered by WPeMatico