
I never heard of them until they were purchased for $32 billion.


That's the kind of company everyone wants to build in enterprise security.

Incognito unicorns.

There are many companies like these in the security space. Another company I can think of is Rubrik. All these large security companies are under-the-radar successes.


Rubrik had pretty bad breaches in the past:

https://www.bleepingcomputer.com/news/security/rubrik-rotate...

https://www.bleepingcomputer.com/news/security/rubrik-confir...

This one is straight up embarrassing:

https://techcrunch.com/2019/01/29/rubrik-data-leak/

> The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.

So much about "zero trust", at this point it's nothing but a marketing term and has lost its true meaning.


most people here are also in security and still haven't heard.

It's more likely backroom kickbacks (and/or mossad) than invisible unicorn.


Security is a big field. I’m in the CSPM space and Wiz is a major player here, I actually had a bit of an existential crisis about what we were building when I first saw a demo of their platform.

Most of their competitors, like Palo Alto, have a very convoluted offering from gluing together several acquisitions. Wiz is very cohesive with a much nicer API and great UX, which is very underrated in the security space imo.

I have zero trust in Google’s promise to keep supporting the tool for multiple clouds or maintain the high quality of product design that makes Wiz great. It’s great for my job security, but I’d call it a net loss for the industry.


> Wiz is very cohesive with a much nicer API and great UX

I actually don't care for Wiz's UX.

If you're a manager and just want to get an idea of what your security posture looks like, it's great. They have a million dashboards for you.

But if you're an AppSec Engineer that just wants to see which EC2 instances have which CVEs, it's kind of a pain in the pass and takes way too many clicks.


> and takes way too many clicks.

That is the space

The performance matters much less than the UI

And the UI sucks because if you know what you're doing you can type a command

But the people who write the cheques do not know that, and equate UI with GUI

So we get Azure (where I found this)

Squinting mousing and clicking a dozen times to do the equivalent of one rsync command....


How would you like to consume that information?


I like the way InsightVM does it.

There's a single button I click that'll list all my VMs, then a single click (usually a middle click to open a new tab) to view all the CVEs in each VM.


CSPM is a very crowded space. There are quite a few new and emerging providers. Wiz out of the scene opens up new opportunities.


Opportunity for opportunity's sake isn't a virtue if it gets rid of one of the few providers that was any good.


How does Wiz work? What is the ELI 5 or tldr?


> most people here are also in security

No they aren't.

I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.

For a hot second (around 2018-2019) there were solid conversations around eBPF, io_uring, or cloud posture management, but that doesn't happen on here anymore.

Same with MLOps and ML Infra as well - almost no one on here understands Infiniband, RDMA, or BLAS

The tech industry is MASSIVE - and most people are only clued into their own little niche. And according to HN, the only tech companies that exist are FAANG, Nvidia, Tesla, TSMC, and BYD.


>I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.

FWIW "here" could mean "in this thread". It's pretty normal (and very visible here) that threads about X attract people working in X. I'm not sure this is happening here, I work in IT security but I clicked the thread because 32B caught my eye.


Exactly, parent commenter is exercising the same bias they’re accusing others of. Rookie move imo.


I vaguely remember this hot second you refer to. What is the HN equivalent where those conversations are happening today?


Lobste.rs for technical stuff. But most security related conversations by security SMEs aren't happening online anymore. We have specific user conferences and regional user groups now.


Cool, any in central Louisiana? Poland? That'll teach the AI!


The cybersecurity industry is almost entirely located in the Bay, Seattle, Tel Aviv, and Blr/Hyd, so the really active user groups are mostly in those cities.

Cybersecurity goes hand-in-hand with IT, DBA, Networking, DevOps, and OS/Systems Programming - all functions that were previously looked down upon over the last 15-20 years.

Furthermore, most American CS programs made OS internals, Computer Architecture, or Distributed Systems optional, so the junior portion of the ecosystem doesn't exist in the US anymore.


I don't use Lobste.rs anymore because the owner irrationally blocked the browser I'm using, and I refuse to switch to a different browser just to read Lobste.rs. The owner seems like he has some issues to say the least.


i don't consider installing yet another 3rd party keys on my 3rd party cloud vnet as adding security... but maybe that's just me.


Well, it depends what it does to your liability. If, in case of attack, it ends up shifting the blame to a third party, then yes, that's considered adding security in enterprise space.


If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do. I'm not saying you have to be a CSPM expert, but not even hearing about Wiz, when they are the largest CSPM, is somewhat concerning.


I have been in security for many years now; my main focus is reverse engineering (but I did many diverse things, including cryptography, some exploit development and the opposite, AV work, I did R&D in security automation and some development of security tools and engines).

I never even looked at a CSPM, and from my point of view[1] CSPMs are a tool only relevant for a small part of security teams focused on enterprise cloud security. Today is the first time I heard of Wiz.

Edit: Actually my partner works in the policy/compliance/legal side of security, and I'm pretty sure she never heard of Wiz either.

[1] I wrote this only to stress how different people in the same field can see things differently.


I've heard of Wiz, but would have had a hard time listing out their feature/benefit statement, because I don't work with CSPM tools. I don't think this "I have doubts about what you actually do" line is doing the work you want it to; it may be backfiring on you a bit.


CNAPPs and CSPMs are extremely common tools in cybersecurity. This is my concern. If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have. There's a big responsibility as a security practitioner to stay up to date on new tools and techniques. CNAPP and CSPM is not some new thing that was invented last year. It's been around for a decade.


> If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have

Here are some things that counter this:

https://users.ece.cmu.edu/~adrian/731-sp04/readings/Ptacek-N...: A paper that rocked the security industry at the time.

Tptacek also was cofounder of Matasano, now part of NCC; also cofounder of Latacora.

More info: https://sockpuppet.org/me/

Also the co-author of https://cryptopals.com/, https://microcorruption.com/login.

The author of https://www.latacora.com/blog/2018/04/03/cryptographic-right..., https://sockpuppet.org/blog/2015/01/15/against-dnssec/, https://sockpuppet.org/stuff/dnssec-qa.html,

These are about what I call hard-core security, hardly insanely niche, and hardly lacking critical knowledge.


I’ve never heard or seen either of those terms before reading this thread. What you’re calling “CNAPP” I’ve been calling “endpoint security”. I’ve been building internal “CSPM” tooling since 2014 with like raw cloud api calls feeding into graphviz, CI-like tests in a terraform repo, transforming the state of a set of cloud accounts into a form I can shove into z3 and ask questions about, that kind of thing, but never heard it called that.

I suppose if your company prefers to build over buy, you won’t be exposed to the kind of knowledge and vocabulary that buyers in the space use to orient themselves.


CSPM solutions are what corporate buys when they don't want to invest in security. It is rubber-stamping and ass covering. From my experience most people involved with such platforms are rather technical sales people than actual security experts.


You might want to google the person you’re arguing with


One of those beautiful HN moments where just clicking the profile link would have helped them shift from such an authoritative tone.


> If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do.

IT security is a very wide field. For example, a lot of positions in IT security are actually about compliance (i.e. lots of documentation), and ensuring the rollout of all necessary application patches in the whole company.


I know diabetologists in India who didn't hear about Ozempic till late 2024.

Sometimes the simpler explanation is the correct one.


Compliance and patch/vulnerability management teams are a major constituency for CSPM tools.


I've been securing my cloud instances the same way I would for dedicated hardware. I use the same tools. I periodically eyeball usage data from the service providers to make sure their end is OK. Takes 5-15 minutes. Occasionally run updates. It all mostly just keeps chugging along.

What is a CSPM? Some cloud monitoring tool? What does it provide over open-source security and monitoring tools with years of field use that would make me invest time into it? Also, have these tools been thoroughly audited, scanned, fuzzed, and pentested by reputable people like some of the open source tools we've been using? Since tools are part of the attack surface, do these tools themselves increase or reduce it?

Serious questions since you think I should be very knowledgeable about these tools. My tech stack just works with minimal maintenance. So, I'd have to lose time on more important or fun stuff to even study CSPM or Wiz. Not counting setting it up.


Bullshit. Infosec is not just about highly inflated startups or whatever the fuck CSPM means. I know people who do exploit dev, reverse engineering, blue teaming and they have never heard of wiz. Stop overexaggerating


Kickbacks, maybe. I have seen the product. It is not so mossad-y. It is fairly straightforward cloud, VM, Kubernetes scans.

Does it protect stuff? Somewhat.

Is it the best product out there - no.

Are CISOs happy? CSPM is mostly a checklist item in their bucket of things to do.

It depends on what kind of security you are working in. Most of the people in CSPM, CNAPP world have heard their name.

It is product built for cloud security/devsecops folks.


> It is not so mossad-y.

Would we (i.e. anyone not in the intelligence space) know what intelligence service-y software would look like? Aren't all such organizations trained and designed to be inconspicuous and in places we are unlikely to expect?


Ghidra from the NSA at a glance looks and feels like normal software.

AquaSec is built by an Israeli company and looks and feels much like any other SaaS product.


Mossad aren't the guys doing cyber ops in Israel. They're suave arsim (how else can you blend in Beirut or Tehran).

Also, if you've worked with Israeli government cybersecurity teams, they aren't much different in caliber from the kind you'd find at the NSA, GCHQ, or Netherlands.


> They're suave arsim (how else can you blend in Beirut or Tehran).

To save others looking up what 'suave arsim' meant:

1. suave -- a normal English word for charming/confident

2. "arsim" [1] -- apparently a former ethnic slur for Mizrahi Jews [2] now repurposed to mean crude, loud and brash (which sounds to me like the equivalent of the British slang term 'chav').

[1] https://en.wikipedia.org/wiki/Ars_(slang)

[2] https://en.wikipedia.org/wiki/Mizrahi_Jews


It was a bad attempt at humor, but pretty much my point is there are a couple other cybersecurity/sigint specific units unrelated to Mossad. And "arsim" isn't as loaded a term anymore - everyone is mixed in Israel now because it's a melting pot.

And saying "Mossad"-this/"Mossad"-that just feels like it's increasingly being used as a dogwhistle.


I mean, it is used as a substitution for 'Israel', but I don't see how that's a dogwhistle. Or do you mean antisemitic?


I think you just watched Asi Cohen skit https://youtu.be/bN-en_7KGT8?si=xqhHaa9lBXpjntEq


I actually didn't see this before, but that is absolute gold - Asi Cohen is a national treasure (and absolutely a suave arsim XD)


Unit 8200 is cyber ops and the main people of this company are all from that unit.

https://undercodenews.com/from-idf-intelligence-to-a-2b-goog...

https://en.wikipedia.org/wiki/Unit_8200


There are a couple other units beyond 8200.

A lot of the 8200 hype is just hype though, because Gili Ranaan and Shlomo Kramer became billionaires earlier than alumni from the other cyber units.


81 is the other one I am familiar with but I believe they focus on OSINT.


> they aren't much different .. NSA, GCHQ, or Netherlands

I (and most here) wouldn't really know what that caliber is in these other organizations either to compare.

What we do hear is of how the Hubble's tech stack is hand-me-down previous gen (i.e. 70s) spy satellites or exploits like Stuxnet, Pegasus or the recent pager supply chain attacks. On a pure technical level those are all pretty impressive things well beyond what I or even anyone I may personally know do.

There of course is definitely a certain amount of propaganda that would project much higher capability than reality; being mindful of that misdirection and the visible evidence, we civilians can only reasonably conclude that we will never have a clue what these organizations can or cannot actually do.


We would actually. A lot of the intelligence orgs use COTS these days.


Bingo, a huge kickback to some "invisible" hands. They're probably already creating the new "unicorn" to sell to another FAANG company.


If a security firm could blackmail Google, what would that look like?


What could possibly be worth 36 billion? That we don't already know?


This is google. They've got everything. I use google password manager, wallet, biometrics to log into my google smartphone and google authenticator for my 2FA. I use google voice and maps, photos, youtube, search, docs, gmail and gemini for AI.

Imagine if you found an authentication backdoor - a way to impersonate any account and you could start sucking down data. You do it for 5 billion people and charged google $6.40 per person not to put it on Tor.

$32 billion would be a steal.


Do you think you could get away with doing that?


If you have alumni at senior positions internally, it shouldn't be that hard to strike a deal.

Old but relevant - https://scheerpost.com/2022/11/01/revealed-the-former-israel...


For $32 billion?


It's cheaper to, well, you know.


Ya, Mossad's primary task is enterprise sales for Israeli tech.


The article talks about Trump inserting himself into larger deals, there is no reason to think this one is an exception.

I’d also bet on this being more of a kickback, rather than an invisible unicorn. Between a visible elephant (Trump/Israel) and an invisible unicorn, betting on an elephant is more reasonable.


100% the case


HN is not the entire industry. Not even close. It’s a small subset.


[flagged]


Don't conflate skepticism or criticism of Israel with skepticism or criticism of the Jewish people as a whole.


[flagged]


So is it totally okay that the Jews in the 1930s/1940s had the goal to eradicate the state of Germany?

Sick of this double standard.


I don't think that's ok, no

I also don't think genocide is an appropriate response


It's for any country or heritage that isn't American or Northern European. A lot of really racist or xenophobic takes on HN.


Yeah, read a lot of H1B discussions here. Racism is seething.


Yes because people are losing their jobs or not getting the chance. YES, the selection pool being only my country favours ME. Are we CLEAR?

Are we supposed to sit and take it?


Geezer, you are not even American, you know nothing about H1B. Stay back where you belong and don't tell us whom to favor.


Outsourcing is a similar issue here. Also the big consultancy indian firms.


> Are we CLEAR?

Why are you shouting?


Okay you edited.

I feel like the majority of anti-jew sentiment is from pro-palestine arab people and adjacent. At least in my country. They really believe "jews run the world"; once you debate them enough they admit it and there is no changing of their minds.


> Okay you edited.

Yep. Realized the confusion!

> I feel like the majority of anti-jew sentiment is from pro-palestine arab people and adjacent

Most people haven't met an Israeli or traveled to Israel.

Also, most users on HN are Americans or Northern European who overwhelmingly use Reddit, so everyone has some weird fringe mentality about one side or the other.

Honestly, most Israelis and Arabs act the same - I mean most Israelis are Mizrahi and normal/colloquial Hebrew is heavily Arabic based (where else will you hear people say "Yalla" in every other sentence).


> Most people haven't met an Israeli or traveled to Israel.

I have travelled to Israel a bunch of times and worked with a lot (proportionately) of Israelis and Jews. I generally really really like working with them, like their attitude and love the vibe of Tel Aviv.

That doesn't mean that I support or agree with their behaviour in Palestine particularly.

Like, I have often hated US foreign policy, but have always been OK with US citizens. The two things are very different.


There are plenty of Arabs elected to the Knesset and they are also plentiful in the Israeli universities.


Ik. I have friends from Haifa, Nazareth, and Beersheba. There isn't an easy way to write Israel, Israeli Arab, Palestinian Arab, and non-Palestinian Arab.

My point is, anyone who isn't Israeli (be they Mizrahi, Ashkenazi, Ethiopian, Arab, Druze, Chechen, etc) or Palestinian should stfu (me included).

You have wackos saying "Israel is a fake state" or "raze Gaza into a parking lot". Yet if you talk to an actual Israeli their opinions are much more prosaic. It's just a complex situation that outsiders shouldn't comment on.


> My point is, anyone who isn't Israeli (be they Mizrahi, Ashkenazi, Ethiopian, Arab, Druze, Chechen, etc) or Palestinian should stfu (me included).

On the contrary: for the vast sums of money and military power we contribute to keep the lights on over there, US citizens should have two or three votes each in Israeli elections and free airfare to and lodging in the country. Oh, and access to their quite generous healthcare subsidies as well.


Anti-semitic talking point, nice. From an american too. Wow. I keep seeing this talking point, but the money to Israel is nowhere near to fund healthcare. You are just lashing out like a little rat.


We are on the same page. My mom made Aliyah when she was 50 and I left for college.


You are so right! Only whites can be racist. As a northern European, how can I ever repent and make you happy?

I will never have an opinion on this conflict again, as I am white. I am so sorry. I will listen and learn while pro palestine people protest here in Sweden and advocate for Israel to be wiped off the map.


> I feel like the majority of anti-jew sentiment is from pro-palestine arab people and adjacent.

Why not hate all groups that are involved in the Middle East conflict? :-)


In my experience, public opinion is more antisemitic in Northern Europe than in Southern Europe.


Don't try and "both sides" this.


I'm not trying to "both sides" jack. And it's not like you could tell the difference between Zohar Argov or Amitabh Bachchan.


That is totally unfounded. Their book of business is huge. You think Google is paying 32B of shareholder dollars because of a foreign intelligence agency? Keep your conspiracism to yourself.


Wiz is a private company but the street's assumption is $1B/ARR over the next year or so.


Two things:

1.) Most people here are likely not in security.

2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?


>2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?

For some reason I picked this hill to die on in this thread. I have worked in IT security for a long time, and I have never heard of Wiz. My focus is malware reverse engineering and adjacent subfields. I have no interest in anything Cloud.

"are you sure you’re good enough to subject us to your opinion" feels a bit dismissive.


This is wild to me. As someone in security, Wiz is definitely one of the whales.


Same here, I guess it's the circles you run. I just went to their homepage and I have no idea what they do. I already have CI/CD, code, etc.. "securing" it seems like, use aws secret stores?

In other words, their webpage is not telling me anything. Companies like these, always feel like instead of having a useful product, they hired useful networks of people to "spread the word" and sell sell sell to your network. Apparently I wasn't in the network. Sorry old and salty.


Companies have problems securing their workloads. Not just storing secrets. Off the top of my head, I've personally been able to centralize the following with a single tool (instead of gluing together a dozen different providers)

- scan cloud configurations for policy violations
- detect and remediate infrastructure misconfigurations
- real-time visibility into cloud resource inventories
- early detection of issues
- container vuln. scanning
- runtime anomalous behavior
- alerts and correlate security events
- compliance mappings
- id risky permissions in IAM policies
- track changes and configuration drift over time
- implement zero-trust policies across microservices
- enforce network seg in containerized environments
- run security checks during build and deploy stages
- vulnerability assessments on running VMs and containers
- policy-as-code for consistent security standards


As a meaningful tangent, how many layers of obscurity do you use to keep sales people from contacting you?

If you do interesting work, you’ll get cold emails unless you take steps to avoid them.


It's a whale, but a young whale.

Wiz has only been around for 5-years.


In your opinion, are they a whale because they make a great product... or just have a great marketing/PR/sales team? I am guessing "great product" because I cannot believe that Google cannot just rebuild it themselves (if not a great product).


Wiz is widely considered one of the strongest CNAPP/CSPM products on the market. I haven’t personally tested every single competitor’s solution, but I’ve found Wiz to outperform pan, crowdstrike, and prisma.

To answer your question: Google doesn't acquire Wiz because Google can’t build a comparable product themselves. The real driver is that Wiz has already achieved market penetration and trust. Replicating that from scratch would be a massive undertaking, requiring not just a sophisticated product but also the brand credibility, customer relationships, and reputation for reliability. Establishing that level of traction and trust is difficult, time-consuming, and expensive. I highly doubt Google would try to build a direct competitor from the ground up when acquiring Wiz allows them to leverage its existing success right away.


I highly doubt Google would be capable of building something like this from the ground up. Just take a look at one of their recent efforts, Stadia.


The product is great. We’ve been using it since 2023. Very happy.

Regarding your google comment: Google builds Google products that can also be used by other people. I am pretty confident they cannot build something like Wiz. And not because they don’t have researchers and developers.


It does not make sense. In 2024 Wiz had 10.7% market share. Revenue in the 1,5 to 1,7 Billion but they were not profitable in 2023. Became profitable in 2024 meaning costs are very high.

Also looks like Google is desperate for growth in Cloud and they need to do something.

They are paying as much money as their whole Google Cloud revenue in 2023. Revenue multiple is like 40x times revenue for Wiz. Exceptionally high, even for a high-growth company. Clearly overpaying.

Wiz had nine rounds so massive dilution, and VCs need to recover the money...


10% market share in security is huge. It is an extremely fragmented market, across almost all product segments.


10% market share in any industry with an even slightly healthy level of competition is huge. The fact that people think it's not for tech feels like an indictment of the overall health of the industry to me.


Perhaps I should have been clearer, but especially compared to the rest of the enterprise tech market, security is unusually fragmented. There is no Microsoft or Cisco of the security market in the way those companies dominate the desktop operating system and core networking markets, respectively.

Analysts sometimes refer to the enterprise networking market as "Cisco and the Seven Dwarves". Nobody has ever said that about Symantec (prior to the Broadcom acquisition) or Palo Alto Networks.

It is often the case that in a new security product category, the products are so different, it is hard to collect them together in a single category with a straight face. Example: next generation AV circa 2015-2016. AV was a well-worn product category. All of the legacy products did basically the same thing. More or less at the same time, a bunch of new products came to market that all claimed the mantle of "next generation AV:"

* Bit9 did process whitelisting, later adding Carbon Black for endpoint forensics

* FireEye had a proto-EDR solution

* Cylance did ML-based malware detection

* Palo Alto Networks had an exploit-mitigation focused agent that they bolted ML-based malware detection onto.

The industry slowly converged on EDR as the sort-of successor to endpoint AV budgets.

A few years later, the cloud security space was the same fragmented mess. Some were what we now know as CSPM, some were glorified DLP solutions, some container security solutions, etc.


Microsoft is the Microsoft of the enterprise security market, more or less. They completely dominate email, largely dominate identity, have a plurality if not a majority on endpoint, but don't compete in network.

> The industry slowly converged on EDR as the sort-of successor to endpoint AV budgets.

This was a dedicated effort by CrowdStrike working with analysts back in 2017-2018. EDR capabilities themselves, interestingly, grew out of forensics companies like Guidance Software. HBGary and Mandiant were the early players. FireEye killed Mandiant's EDR off, but HBGary's lives on to some extent today, two or three acquisitions later, at GoSecure.


> Microsoft is the Microsoft of the enterprise security market, more or less. They completely dominate email, largely dominate identity, have a plurality if not a majority on endpoint, but don't compete in network.

The most recent figures I’ve seen are that Microsoft has around 25% of the endpoint market[0], which is a plurality because the market is so fragmented. Proofpoint claims around 24% of the email security market[1].

The only security market you can say they “dominate” is identity, if you ignore the MFA market. AD is, at least, almost everywhere.

> This was a dedicated effort by CrowdStrike working with analysts back in 2017-2018.

That’s one interpretation of events. It’s also completely orthogonal to what I wrote.

0 - https://www.microsoft.com/en-us/security/blog/2024/08/21/mic...

1 - https://www.proofpoint.com/us/blog/email-and-cloud-threats/p...


> Proofpoint claims around 24% of the email security market

Proofpoint is the clear number two, but Microsoft always sits behind Proofpoint (and Mimecast, IronPort, etc.). They're also always in front of Abnormal and other API-only options. Every big company has E5 with Defender for Office 365 on their email, and the rest either still have E5 or they have EOP.

> That’s one interpretation of events.

In 2017 EPP and EDR were distinct categories, and CrowdStrike had a big internal initiative (driven top-down by Kurtz, but managed by a PM director under Rod Murchison) to merge them, while Cylance and others that had separate SKUs for each area worked to keep them apart. CrowdStrike was more effective.

I mentioned this because it wasn't just a natural market convergence; B2B companies spend absurd amounts of money with the Gartners and Forresters of the world to align their products with line items in budgets. It's capitalism all the way down.

Not speculating on anything here. I was at or worked closely with all of the companies mentioned in both posts.


You like to make absolute statements like “always”, but I know of large organizations (Fortune 500) that use Proofpoint, but not Microsoft email security. And in endpoint, there are shops that license defender as part of an EA, but don’t use it - of course, those seats go into the Forrester figures that Microsoft likes to tout.


Sure, I can enumerate the handful of the Fortune 500 that don't use Microsoft. Palo Alto Networks, for example, has TAP sitting in front of Google. In PANW's case it's because of a broader partnership Nikesh put together with Google in 2018, which also involved moving from AWS to GCP. This is stupendously uncommon, though.

If you were to look through the System -> Inbound Mail settings for every PPS customer, you'd find a sea of x.mail.protection.outlook.com, some on-prem Exchange servers, and practically nothing else. I'm comfortable with "always" as a description of this state of affairs, but you do you.


10% market share of a niche part of the CSPM market


>It does not make sense

actually, it makes perfect sense. it's just that you (and I) don't have the right perspective.

these giantcos are sitting on Himalayan ranges worth of cash, which is burning a fiery hole in their butts, and they don't know what to do with it.

and they have more cash than sense, even though they always brag about having some of the smartest people in the world, and also have FOMO (to competitors and upstarts).

Facebook buying WhatsApp for 19 billion did not make sense to us laymen either, but it happened.

I was flabbergasted when I read about it. ignorant me.

https://en.m.wikipedia.org/wiki/Himalayas

https://en.m.wikipedia.org/wiki/WhatsApp

go figure (pun intended)

edit: you answered your own doubt about why it does not make sense:

>Also looks like Google is desperate for growth in Cloud and they need to do something.

that's what I said, FOMO.

man, if i sold even one of my software products for even a zillionth of such amounts, I would be on Mount Kailash (cloud 9 to you :)

grrr. envy emoji here.

https://en.m.wikipedia.org/wiki/Mount_Kailash

https://en.m.wikipedia.org/wiki/Kailasha


>that's what I said, FOMO.

wow, faaak. I wrote my above comment off the cuff, although based on my intuition and common sense, but just now thought of googling FOMO, to check what Wikipedia says about it, and it seems they agree with me:

https://en.m.wikipedia.org/wiki/Fear_of_missing_out

relevant excerpt, from near the top of the above page (emphasis mine):

>FOMO can also affect businesses. Hype and trends can lead business leaders to invest based on perceptions of what others are doing, rather than their own business strategy.[19] This is also the idea of the bandwagon effect, where one individual may see another person or people do something and they begin to think it must be important because everyone is doing it. They might not even understand the meaning behind it, and they may not totally agree with it. Nevertheless, they are still going to participate because they don't want to be left out.[20]

leaders, huh? more like followers, aka sheep. include me out.


$350M ARR in less than 5 years. Aiming towards $1B by the end of 2025.

You never heard of them since perhaps your decisions were not in the cycles of their product. Those who are, heard indeed (the type of folks who look at Gartner magic quadrants).


I read their website and there must be something secret they've got cooking behind the scenes cause the valuation makes zero sense to me.

The whole thing reads like all the dozen or so "cloud security" plays out there.

Either I'm missing something big, or their products are outrageously far ahead of all the other similar sounding products out there.

I've been known to roll my eyes at a lot of these sorts of product catalogues in the past though and so I'm definitely biased and not the target audience for their marketing.

Some CIO out there probably really does think that their security problems will finally be over once they purchase another half dozen dashboards to click through and look at.


Yeah, the website is not very helpful.

The product though is easy to set up, no friction - like 5 minutes per tenant; and in a few hours you have a really good picture of your security posture with very detailed explanations for every finding.

And the graph… very useful to understand why a finding is marked as high or critical even though at first glance it does not look like it.


IMHO you are missing something big...

For Google they are worth 32B, they ARE the Google Security business from now on. They don't even have to be profitable themselves; having this aspect working means Google gets access to additional enterprise clients and in places they weren't previously present.


>Either I'm missing something big,

I mean, their revenue? They're apparently on track to do a billion this year, growing pretty fast, so 30 billion seems fair enough.


You didn't hear about them last time on HN, when it was $23 billion?


We use them and the product is very very nice and very lightweight to set up. Like for a cloud environment it takes about 5 minutes to get it up and running for a tenant.

They add features weekly or faster.


Just curious, what problem do I need to have that they'll solve for me?


No problem in particular.

What we use it for:

- vulnerability assessments for containers and VMs (they give a list of vulnerable or outdated packages)
- initial access vulnerabilities: what happens if an internet facing component is compromised because you have a vulnerable package and to what kind of data it has access to (it has some regexes and what not to figure out if in your database you have PII data, HIPAA etc.), what lateral movement is possible etc.
- provides information on what you can do to fix a finding
- IAM checks for overly broad permissions
- Service account age and overdue key rotations

Take your pick.


My company just started using them and I was part of the due diligence evaluation of their product. I had never been so impressed with a cloud security provider before I started using their product. Absolutely phenomenal product offering.


In cash!



