The Product Person - Wiz: Visible Vulnerabilities
Hi everyone, sorry about the hiatus. Between our new jobs and figuring out the direction for Product Person, we’ve been a bit behind on writing new content. That being said, we’re back. Over the next couple of weeks, we’ll be breaking down the stories of the most notable cybersecurity startups such as Wiz, Drata, Auth0, Snyk, VGS, and more. Then, combining the lessons/history of these distinct startups, we’ll try to map together a landscape of what security is and how it evolved in the past decade. Our first installment is about Wiz - which just raised $300 million at a $10 billion valuation. Hope you enjoy.
It’s not often that a company’s first round of institutional funding is for $100m. It’s also not often that a company reaches $100 million in Annual Recurring Revenue (ARR) from $1 million ARR within 18 months. In fact, there’s only one company that can boast of both achievements: Wiz.
Wiz’s products analyze cloud infrastructures from providers like AWS, Azure, and GCP for security risks. They’ve been described as the “one tool to rule your cloud” and “frictionless visibility”. In the process of scaling up, Wiz has also uncovered various vulnerabilities including:
Taken together, Wiz is both a business and technical success story. This is their story.
Funding
Round | Date | Amount | Narrative | Lead Investor
Series A | Dec 2020 | $100m | Experienced founders | Sequoia, Index, Insight, Cyberstarts
Series B | Mar 2021 | $130m | COVID acceleration | Advent Venture Partners
Series B-2 | May 2021 | $120m | Speed of growth | Salesforce Ventures, Blackstone Growth
Series C | Oct 2021 | $250m | Vulnerability WoM | Insight Partners, Greenoaks Capital
Series D | Feb 2023 | $300m | Increased cyberattacks | Lightspeed Venture Partners
Wiz skipped a traditional seed round since the co-founders had a previous $250 million exit.
Founding Story
From one perspective, Wiz is the latest case of a long string of successful Israeli security companies. From another perspective, Wiz is in a league of its own: it has grown faster than any other startup in the security ecosystem.
Like Drata and Snyk, Wiz was started by a team of veteran co-founders: Assaf Rappaport (CEO), Ami Luttwak (CTO), Roy Reznik (VP R&D), and Yinon Costica (VP Product). Of the four, Rappaport, Luttwak, and Reznik co-founded Adallom back in 2012 while Costica joined Adallom as VP of Products in 2014.
The four men first met while serving in the Israeli Intelligence Corps’ Unit 8200. After their terms of service, Rappaport went on to McKinsey, Luttwak joined a data & software agency, Costica stayed with IDF as the head of a department, and Reznik became a Software Team Lead at the IDF.
In late 2011, Rappaport, Luttwak and Reznik came together with an idea - “SaaS as a class is secure, but the way end users actually utilize SaaS isn't.” The three started Adallom on that premise, building products to audit employee SaaS activities and detect usage anomalies. This would be great practice for their future journey at Wiz. Rather than solve security problems, Adallom focused on bringing visibility to vulnerabilities. It was a delicate balance.
Adallom’s products had to be both frictionless, so that employees wouldn’t feel burdened, and substantial enough to be useful for IT teams. In 2013, Adallom discovered a Token Hijacking Vulnerability within Microsoft Office 365. [0] Two years later, in September 2015, Microsoft acquired Adallom for $250 million. [1] All four future co-founders of Wiz took on prominent positions within Microsoft as part of the acquisition. In particular, Rappaport became the General Manager of the Cloud Security Group and scaled the business line to a $1.5 billion annual run rate.
In January 2020, four years after the acquisition, the co-founders were itching for another adventure. At Microsoft, Rappaport had witnessed firsthand the growth of cloud. Platforms such as AWS, Azure, and GCP were seeing year-over-year double-digit growth. In 2021, AWS alone generated $62.2 billion with $18.5 billion in operating profit. With more and more systems moving to the cloud, Wiz’s thesis was that companies would place additional emphasis on security for cloud deployments.
At the outset of starting Wiz, the co-founders brought on former co-workers at Microsoft and Adallom. This included software engineers like Eyal Wiener (Jan 2020) and Avihai Berkovitz (Mar 2020), security & devops experts like Raz Shaken (Mar 2020) and Liran M (Apr 2020), and Two months after founding, Wiz had already assembled the core founding team (along with a cute dog). Most of the team had overlapped with the co-founders at Microsoft, Adallom, IDF, or Just as the team had assembled, COVID threw a wrench into their plans. In February 2020, the global pandemic shut down commercial activity across the globe. Sequoia Capital even released a memo titled, “Coronavirus: The Black Swan of 2020”. For all of Wiz’s experience and planning, a pandemic was not on their radar.
Recalling the early days of Wiz, Rappaport said, “We were meeting CISOs, shaking hands.” After a few months of uncertainty, thankfully, their fortunes started to look up. After triggering a global slowdown, COVID led to an incredible bull market. Investors came back to the market and companies started loosening their budgets. Both groups were especially interested in cloud tools.
To keep operating, legacy companies and startups alike had to adapt to a remote work environment. Meetings were now held over Zoom. Coffee chats turned into Slack conversations. And technical infrastructure moved to the cloud. In the transition, security teams had to keep up with the influx of cloud attack surfaces. That’s where Wiz came in. By providing visibility across a company’s entire cloud deployment, Wiz let security teams proactively assess and resolve vulnerabilities.
Just nine months after starting the company, in December 2020, Wiz came out of stealth with a $100 million Series A, co-led by Sequoia Capital (publisher of the black swan memo), Index Ventures, Insight Partners, and CyberStarts. Not a bad start for a company that was shaking hands in the midst of a pandemic.
Product-Market Fit
Coming out of stealth, Wiz invested heavily in sales. In October 2020, they hired Ryan Buchanan as Director of Business Development. While the core engineering team was in Israel, Wiz would build out its sales and marketing team in the US. In February 2021, Colin Jones and Katie Kilroy joined Wiz as SVP, Sales & Business Development and Chief of Staff, Sales. Both Colin and Katie had spent years working in security sales at Duo Security. The move signaled serious commitment to sales-led growth. The growth from their new strategy led to a $130 million check from Advent Ventures Partners at a $1.7 billion valuation in March of 2021, four months after coming out of stealth.
Part of what made Wiz such an explosive hit was their cloud-first mentality. Wiz connects to a company’s cloud environments.
From there, a dashboard maps out various threats, levels of risk, and a guide on how to resolve these vulnerabilities. The security or IT team can then use Wiz as a checklist on what to focus attention on.
From their Adallom experience, the Wiz team knew that a key differentiator in building security tools was friction, or lack thereof. Wiz’s product was magical for security teams because they could get it up and running in just 15 days. Compared to legacy providers that take anywhere from 12-18 months in installation time, Wiz was light-years faster.
This speed came in handy with the COVID acceleration. As Satya Nadella put it, COVID led to “two years’ worth of digital transformation in two months.” [3] Companies couldn’t wait a year to implement cloud security - they needed it now and Wiz was there to deliver. This thesis was best articulated by Bryan Taylor, Managing Partner of Advent’s technology investment team:
Larger players also started taking note. In May 2021, Salesforce Ventures and Blackstone Growth pledged another $130 million to Wiz, upping their Series B to a total of $250 million.
Growth
With the new funding, Wiz drew from their Adallom days for inspiration. Back in 2013, Adallom had discovered a vulnerability with Microsoft Office 365 that eventually led to their acquisition. Looking to repeat that success, Wiz invested heavily into an internal white-hat security team that looked for exploits in cloud environments.
This investment started with Luttwak writing and explaining recent security attacks like SolarWinds and Linux Sudo vulnerabilities in February 2021. In August, the team, led by Alon Schindel, discovered a ChaosDB vulnerability. In September, they published OMIGOD. In December, they found NotLegit, where the Azure App Service exposed hundreds of source code repositories. In April 2022 came ExtraReplica, a cross-account database vulnerability in Azure PostgreSQL. In September 2022, AttachMe (explained above). In December 2022, Hell’s Keychain, a supply-chain vulnerability in IBM Cloud Databases for PostgreSQL.
The first two findings would cement Wiz’s reputation in the cybersecurity space and accelerate its growth even further. With the increased word of mouth, security consultants and managed security service providers began approaching Wiz to enter into channel sales partnerships.
It paid off. In October 2021, Wiz raised $250 million in Series C funding led by Insight Partners and Greenoaks Capital at a $6 billion valuation. By then, Wiz had signed on companies like MassMutual, Fox, Blackstone, Salesforce, Slack, The Home Depot, Rivian, DocuSign, and UiPath as customers. They had sold to 10% of the Fortune 500. In the funding announcement, Rappaport wrote:
But the pandemic also laid bare problems that have been simmering below the surface. Cloud costs are skyrocketing, security breaches are proliferating, and companies can’t hire enough in-house talent to manage and secure their ever-growing environments.
It was a good time to be Wiz. The product was in the right place, right time, and best of all, the right team. The early employees that Wiz had hired had blossomed into leaders within the company. Adi Leist Sharon had been promoted to VP Global Operations and Raaz Herzberg was now VP Marketing and Product Strategy. As the team grew to 168 employees, they also took on some new faces. Nir Dagan joined in May 2021 as General Counsel following 4 years at Meitar, Israel’s leading law firm. Anthony Belfiore joined in February 2022 as Chief Security Officer, having previously been the CSO at Aon (a $60+ billion company that was also a Wiz customer since the start of 2021).
Expansion
As if there weren’t enough already - even more good news before the end of 2021. Running a security company can sometimes be a strange business. While new vulnerabilities pose a major headache for most businesses, they have security companies chomping at the bit.
On November 24, 2021, Chen Zhaojun of the Alibaba Cloud Security Team discovered a new vulnerability within Log4j. And on December 1st, attackers exploited the vulnerability in an attack on Minecraft servers. [5] On December 6th, Log4j released a patch for the vulnerability. On December 9th, the issue, named Log4Shell, was made public on Twitter. And on the 10th, CVE-2021-44228 (public vulnerability disclosure) was published. US officials called this the most serious flaw ever seen. The world started panicking.
In their rush to patch the Log4Shell vulnerability, security teams increasingly turned to Wiz. Wiz’s speed to implementation was once again a major differentiating factor against competitors. Companies no longer had the luxury of evaluating and finalizing security software terms.
Wiz also helped attract customers with a series of blog posts talking about what Log4Shell is (December 9th), the impact of Log4Shell on enterprise cloud environments (December 20th), how to patch the vulnerability (December 20th), and even a fireside chat with Bridgewater on how Wiz’s product helped (Jan 2022).
Log4Shell brought enough attention to Wiz that seven months later, in August 2022, they crossed the $100m ARR mark. From launch, Wiz had reached this milestone in just 18 months, making them one of the fastest companies to grow from $1 million ARR to $100 million ARR. Wiz was widely adopted by both non-technology companies like BMW, Blackstone and Costco as well as software companies like Salesforce, Snowflake and Slack. Now, more than 25% of Fortune 100 companies were customers. By this point, the company had also grown to over 400 employees with offices in New York, Colorado, and Tel Aviv.
In February 2023, Wiz announced a $300 million funding round at a $10 billion valuation, led by Lightspeed Venture Partners.
Conclusion
Wiz’s journey has been nothing short of incredible. One of the fastest-scaling companies in history, they’ve broken milestone after milestone. Today, Wiz’s products include:
Each of these products could be a separate company. At the end of the day, Wiz is much more than a simple security company. They’re the fastest-growing company (ever!) with an established sales engine and the right suite of products for the future security world. In the words of Rappaport:
[0] Complete with a 2013 era promotion video.
[1] Previous reports of the Adallom acquisition had pegged the figure at $320 million. TechCrunch uses the $250 million figure. Adallom was also one of the first acquisitions under Satya Nadella’s tenure as CEO of Microsoft.
[2] Rappaport’s dog, Mika, even has its own LinkedIn page.
[4] In fact, Microsoft’s security business (that Rappaport had helped build) was doing $10 billion in annual revenue, up 40% from the previous year due to COVID acceleration.
[5] Gaming and security have a surprising amount of overlap. Most great hackers were also avid gamers, and I guess it’s not such a far leap to go from, “let me get better at this game” to “let me hack this game to get a high score”.
[6] The IaC Scanning product reaches into the territory of Snyk, which we previously profiled.