Google to buy Wiz for $32B (reuters.com)
Wiz will do it.
Always happy to see a good exit, good show.
I've worked with cloud for a long time. I sorta blame myself for not seeing the market for this and not starting up my own company. I was too busy messing with machine learning, but never going much beyond sentiment analysis. Had I also stayed on that path, and maybe had a few million dollars in startup capital lying around, I'd be a billionaire by now (yes, this is hyperbole).
Oh well, time to cry myself asleep as a forever middle class software engineer...
And best of luck to the Wiz folks! Whenever I see Google acquisitions I just wonder how long until they end up in the graveyard listing.
Google could have built this in-house.
While millions and billions struggle this is how you do it at high level.
SoonDar goes brrrrrrr.
People who haven't forgotten what happened with Revolv remember.
It uniquely seems to be fragmented and messy compared to most other parts of the software industry (not sure why, just saying what I observe).
So the market situation looks very different to the ones that the DOJ was going after (like Google in ads, if Wiz was a big ad company then maybe the government would be more interested in trying to block it). Wiz isn't even close to having some kind of insurmountably dominant market share in their specific area of expertise either.
Sherlocking is obviously the risk.
While it seems like we aren't getting a ton of people who have used the product in the comments, I can tell you it checks a lot of boxes to make people sleep better at night with customer data in the cloud.
Mandiant wasn't/isn't "cloud security" - they're primarily security research, threat intel, and incident response. Completely different space, customer base, and product set.
Google + Wiz: Strengthening Multicloud Security
https://cloud.google.com/blog/products/identity-security/goo...
Being owned by Google probably would help in those regards too now.
The article says:
> The price tag is much higher than the roughly $23 billion Google had offered for Wiz last year before antitrust worries forced the startup to shelve the deal.
> Wall Street is optimistic that the Trump administration would drop some antitrust policies
Is that it? It's crazy to announce the deal before there's any actual policy changes. Why the rush? It's not like someone is outbidding them here.
> The price tag is much higher than the roughly $23 billion Google had offered for Wiz last year before antitrust worries forced the startup to shelve the deal. ... A harsh regulatory environment in 2024 had made it difficult for many firms to push through large deals, but Wall Street is optimistic that the Trump administration would drop some antitrust policies.
Usability of Wiz and the ability to adapt it is so much better. Everyone can get a seat without extra costs, enabling shift-left for the dev teams. Projects make sure they only see what they need to see.
The query engine is top. There are very good presets. Create Boards to share custom queries with the teams.
Compliance frameworks are available. You could inspect the rules, they are written in OPA Rego and you could add your own rules.
CloudTrail search is also a lot better than the one AWS is providing.
I could go on and on and on .. this solution has so many powerful features.
[0] https://www.theguardian.com/technology/2025/mar/18/google-pa...
Prior to this acquisition, Apple was determined to sue Android out of existence. They were on a rage-fueled mission to end a product they viewed as a copycat, and they knew Google didn't hold any patents to defend themselves.
When Google acquired Motorola's patents, the tables turned and it was Google that could end Apple or at least turn it into mutually assured destruction.
Those patents alone were worth a hundred billion for the headache they saved Google and the market position they opened up.
This was one of Google's smartest moves of all time.
Wiz is much harder to understand.
Every single devops person who can push a CL to staging (that may not get properly reviewed)? Every marketing whiz who is using a dataviz tool against a cloud storage bucket you didn't even know existed? Every support engineer who is on-call at 2:30am and can fix a customer's problem with one tiny IAM change?
That being said, one of the reasons these things sell is that the majority of people sitting behind computers in large enterprises absolutely DO NOT have any idea what they were doing.
Once you get to a certain scale, the idea that you can "just be competent" and maintain high standards and configure your boxes the right way the first time every time becomes logistically impossible.
Liability and insurance are also a big concern for large companies. The ability to blame somebody else for your security failings and check off all the silly boxes is pretty valuable. I'm sure consumer Windows antivirus software would become a big hit again if you were for all intents and purposes being legally strong-armed into purchasing it.
Google is arguably a thought leader in security, but from a revenue and customer base standpoint? Not even close.
To be clear: I am young and ignorant. I am trying to learn, not criticise
> Wiz has agreed to a termination fee of more than $3.2 billion, a source told Reuters, one of the highest fees in M&A history.
Not sure how they can afford this if it doesn't work.
Currently, Crowdstrike, Zscaler and other solutions compete in a similar space to Wiz.
Google likely believes it can offer Wiz sec products bundled with Google Cloud. It isn't a terrible idea.
But Wiz itself works on multiple clouds, so it seems that Google can also grow it on their own.
Cloud security companies are growing a lot, and might be a growth lever for Alphabet, as its other businesses' revenue growth is slowing down.
My assumption is that this will actually make it easier for Crowdstrike and Zscaler to keep their market share, as they are pure-play companies on Cloud security and Alphabet has too many businesses to manage.
For me, it looks overpriced. Wiz has been growing a lot, but under Alphabet it might not perform as well as it did.
The big winners are the founders and whoever owned Wiz options.
ZS specializes in SSE/SASE - and does really well in that segment.
https://www.forbes.com/sites/iainmartin/2024/10/28/this-vc-b...
https://web.archive.org/web/20250312193110/https://www.forbe...
[1] https://www.bankinfosecurity.com/blogs/cyberstarts-program-sparks-debate-over-ethical-boundaries-p-3763
[2] https://www.forbes.com/sites/iainmartin/2024/10/28/this-vc-b...
- Businesses pay the cloud providers to allow them to use compute/disk/network
- Businesses pay to hire the engineers who can work on cloud
- Businesses pay to hire security engineers who can secure the applications in cloud
- Businesses pay to hire FinOps to optimize their cloud usage
- Businesses hire security companies to secure their cloud usage (e.g. Wiz was one such company)
- Now cloud provider has to acquire the security company to secure their own cloud?
Either I am too old, or there is something wrong here. Let's not forget that at the same time many big businesses do just fine by not using AWS/GCP/Azure.
No - this acquisition is about selling Wiz to cloud customers. Deploying on cloud securely is a solved problem if you set and follow good policies. Virtually nobody is doing this, ergo companies like Wiz that will tell you when you're doing something stupid.
Is it really that hard? Like I listed out, it is definitely not cheap. There isn't a shortage of skilled engineers in IT after massive layoffs. What's the catch then?
Among the Wiz customers, if they use GCP already then surely they will be willing to try the functionality if Google builds it.
If the customer doesn’t use GCP, chances are they won't move to GCP and probably move away from Wiz too after the acquisition.
I don’t get why they bought them instead of copying them
It helped them “get to the point” quicker and “cleaner”.
The most amazing thing is that Wiz is a fairly young company. Founded in early 2000.
One thing for sure. If this guy ever starts another company, I'm sending my resume :)
There has been a full and total coup of Zionist influence peddles over over the United States government. This is the lens in which you should look at this deal.
The Department of Education is on the verge of being abolished, and the remaining skeleton staff have been redirected to investigate cases of "antisemitism". [2]
The administration is weaponizing 'antisemitism' to unleash once unthinkable retributions against opponents of the State of Israel. The Zionist lobby is using the full levers of the US government to direct their wrath against opponents, and no one is being spared, not universities, students and even entire nations.
It would be naive to think the leadership at Alphabet are unaware of that good things happen when you be good to Zionists.
It's really a shame really, from 'Don't be Evil' to funding decades more years of 'Israeli Americans' using this wealth to funnel to AIPAC and other nefarious political causes. [3]
[1] https://www.timesofisrael.com/trump-israel-literally-owned-c...
[2] https://time.com/7268749/education-department-staff-cuts-imp...
[3] https://www.timesofisrael.com/whatsapp-founder-jan-koum-dona...
Let me guess, when Trump says some crazy exaggeration you will immediately believe him if it sheds a bad light on Israel - but only then. Otherwise you wouldn't believe him because he's a pathological liar right?
The silly thing is he said it was a decade ago and today it's the exact opposite, so that doesn't agree with what you said at all.
Wow. I wonder how Google justified this acquisition. I fear they will eventually shutter this service, and likely without even pulling anything good into their own cloud offerings.
G might be the modern day IBM.
You would think G would have the brain power to compete and provide out of the box security for their own platform. I guess the MBA losers at the top have been shaving too much from engineering to do this properly.
The acquisition hiring in big tech is wild to me. And the consolidation of power into a few companies continues.
https://www.financialpipeline.com/financial-scams-the-too-cr...
There is no pressure or need to buy Wiz.
Whoever owns Wiz obtains read only access to large company and government cloud networks. Even in the Wiz outpost model where the scanning engine is deployed into the user's own cloud network, results from scans are sent back to Wiz Cloud, and this includes sensitive information such as "Installed packages, Exposed secrets, Malware detection".[1] For an example real world deployment, GitLab SaaS public documentation expects the "Wiz Runtime Sensor" to be installed in every container.[2] This Wiz software requires highly elevated privileges to a level that the GitLab security risk assessment only briefly describes.[3]
The data Wiz collects on customers appears to allow answering of queries such as:
1. Which containers of government agencies in country X have the xz-utils library installed? Of these containers, what other software is installed alongside? How many of these containers are exposed to the Internet, directly or indirectly?
2. Which government agencies in country X have a publicly exposed service vulnerable to CVE-20xx-xxxx?
3. For top 200 companies, plot the popularity of AWS or Azure service ACME123 over the past 12 months compared to competing Google service ACME456.
Aside from security risks of having sensitive information of entire governments or large organisations hoovered up by Wiz, use of the "Wiz Runtime Sensor" also includes the risk of an incident similar to the failed CrowdStrike Falcon Sensor update of 2024.
The criticisms above are not specific to Wiz. There are many other competing products/services with similarly poor architectures and lack of protection of sensitive IT system information of governments and large organisations.
[1] https://cloud.google.com/architecture/partners/id-prioritize...
[2] https://gitlab.com/gitlab-com/gl-infra/readiness/-/tree/mast...
[3] https://github.com/wiz-sec/charts/blob/master/wiz-sensor/tem...
That was the fastest to $100m ARR in history
> Some nobody company
That was a Decacorn ~3yrs after its founding
> Some nobody company
With ~half of the Fortune 100 as paying customers.
I get it - most people here aren’t in cybersecurity, nor do they understand the space, but let me put it this way - if you are looking for the top 5 cybersecurity companies by mindshare of people in the industry, Wiz is in the conversation.
"The first sales come from the loyal CISOs who work with the fund. Although it may be considered "small money", the jumps between the first stages of fundraising are the most difficult. “Until a ‘regular’ startup company reaches sales of $2-10 million it grinds itself to a pulp, but with Gili Ra'anan, this happens in the first year of sales. He creates a mechanism that is difficult to compete against because his companies immediately jump to a valuation of $100-200 million, raise more money, and then also have more resources to compete later,” a partner in an Israeli venture capital fund tells Calcalist. “With a seemingly small purchase of $100,000-$200,000, a CISO increases a startup's value by dozens of times.”"
...
"I recruited a new CISO for a financial organization that I managed out of a desire to refresh the cyber defense system. I gave him a free hand because I trusted him and I see this position as a position of trust. Six months later, I noticed that, surprisingly, almost all of the new logos that the CISO introduced were portfolio companies of Cyberstarts [Of which Wiz is their most notable]," describes a former senior executive at a large financial institution in the U.S. "It's not that these were necessarily bad solutions, but that some of them were a very low priority for us or solved problems that were not particularly urgent. After I confronted the CISO on the subject, he admitted that he is on the list of advisers of Cyberstarts and receives a percentage of the funds from them. Shortly after this, he left the company and immediately upon the appointment of a new CISO, I asked him to inform me if he was contacted by Cyberstarts. Within a few weeks, he had already received an email from them with a description of their kind of 'loyalty program' that details exactly what he will receive the more he works with the fund."
Just because you're ignorant about significant portions of the tech industry doesn't mean you need to be dismissive.
> Wiz agreed to acquire Tel Aviv-based Raftt, a cloud-based developer collaboration platform, for $50 million in December 2023. In April 2024, the company acquired cloud detection and response startup, Gem Security, for around $350 million
> Wiz was founded in January 2020 by Assaf Rappaport, Yinon Costica, Roy Reznik, and Ami Luttwak, all of whom previously founded Adallom.
> Adallom was founded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, who are former members of the Israeli Intelligence Corps’ Unit 8200 and alumni of the Talpiot program.
> Adallom was reportedly acquired by Microsoft for $320 million in July 2015
> On March 18, 2025, Google announced an all-cash acquisition of Wiz for $32 billion
Had never heard of Wiz until they posted the blog post about the DeepSeek database being public earlier this year.
https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepse...
Incognito unicorns.
There are many companies like these in security space. Another company I can think of is Rubrik. All these large security companies under the radar success.
Also looks like Google is desperate for growth in Cloud and they need to do something.
They are paying as much money as their whole Google Cloud revenue in 2023. Revenue multiple is like 40x times revenue for Wiz. Exceptionally high, even for a high-growth company. Clearly overpaying.
Wiz had nine rounds so massive dilution, and VCs need to recover the money...
You never heard of them since perhaps your decisions were not in the cycles of their product. Those who are, heard indeed (type of folks who look at Gartner magic quadrants).
The whole thing reads like all the dozen or so "cloud security" plays out there.
Either I'm missing something big, or their products are outrageously far ahead of all the other similar sounding products out there.
I've been known to roll my eyes at a lot of these sorts of product catalogues in the past though and so I'm definitely biased and not the target audience for their marketing.
Some CIO out there probably really does think that their security problems will finally be over once they purchase another half dozen dashboards to click through and look at.
They add features weekly or faster.
It's interesting that many people working in intelligence found ways to become very successful in business. I wonder what is the reason.
See [1] to see the flow of people. I explain the connections a lot in [2], and [3] is our initiative to work on it.
[1] https://www.instagram.com/p/DAYsSPxpHFP/?img_index=1
[2] https://www.youtube.com/watch?v=LxvaembyMcQ&list=PLjHqnRFDnc...
Imagine if all the ivy league graduates in the US would be forced to work together for the same company, for free, for 4-6 years. Would you be surprised if suddenly former employees of that company found ways to become very successful in business?
* - Technically they get something like 3rd pick and there's negotiations and it depends on what sort of roles are involved etc. In practice, conscripts have some influence on where they'll go and if you have a choice in any role in the military, you are going to pick "write code in an air-conditioned office" over any other available option.
You'll find former-intelligence blob operators in a great many cyber security companies. Including former American intel employees[0]. Hell, the CIA basically has their own VC fund[1].
Also, there is zero evidence any of these people are currently acting at the behest of their former employers, apart from obviously the CIA venture fund acts at the behest of the CIA.
0 - Robert M Lee https://dragos.com, Keith Alexander (formerly https://ironnet.com), amongst many others
1 - In-Q-Tel https://www.iqt.org/
The mafia charges protection from itself, here the bad actors are out there and Wiz helps you protect from them.
Wiz selling doors with appropriate locks for your business.
Companies hire private physical security all the time. Why is digital security different?
Do you think that's what they do?
How on earth is it the government's job to protect people's software? It's a mere digital product, not human life or property.
Besides, people also buy padlocks and door locks for safety. Wiz is no different.
It shouldn't be overlooked that acquiring Wiz is also a way for Google to secure a beachhead in half the Fortune 100, many of which are "enemy" territory.
The price is high, but there aren't many options available and Wiz has the advantage of being built on Google Cloud natively, and already have Marketplace integrations completed.
Assume 1,000 customers each generating $2m in ARR with contracts. That’s $2 billion. Assume generous 6x ARR valuation, that’s $12 billion.
Where is this $20 billion premium coming from? How could the board approve this? How is this fair to shareholders?
Heck, as a minor shareholder in GOOG, I don’t find this financially responsible at all.
I can’t help but think sometimes these tech acquisitions have some hint of nepotism/deeper underlying motivations behind them than meets the eye.
But also, and maybe more important, you get to see everyone's cloud usage, across all providers, with a high level of permissions. Said differently, Google can now target customers with massive spend across other cloud providers and work to migrate them to GCP, at a price that's just cheap enough to overcome the switching cost.
Google already have one of the best security teams in the industry - Project Zero [0]. They don't need Wiz's "enterprise" expertise for security.
This deal is about DATA. Wiz, as a cybersecurity vendor, have full remote access to their customers' cloud compute storage (EC2 EBS volumes, etc) in the name of "security scanning" - this is actually part of their unique selling point - "agent-less scanning" which is unlike traditional security tools that require an agent installed in the OS. Instead, Wiz is able to just clone your full data volume and scan it locally in their cloud accounts/VPC.
With this deal Google has bought a ton of confidential data from Wiz's customers without their explicit knowledge or approval, and they will use it to improve Google's AI models like Gemini and probably several other products.
A year ago Google struck a $60M/yr deal with Reddit to exclusively license their content [1] for the same reason, and that data is probably much smaller and less valuable than the data Wiz has access to from their customers, which include companies like Morgan Stanley, DocuSign, Slack, Plaid, and others. [2]
Sources:
0: https://googleprojectzero.blogspot.com
1: https://www.reuters.com/technology/reddit-ai-content-licensi...
https://www.theverge.com/2024/7/23/24204198/google-wiz-acqui...
> Wiz combines a graph search for asset management with agentless vuln and malware scanning that clones EBS volumes and scans them on their infrastructure. That's a great combo for vuln management, but has some downsides like delays between scans and cloud costs. They have a sensor with solid detection rules, and are okay at a bunch of other stuff like cloud log threat detection and sensitive data detection. They've basically pushed what you can do without an agent to the limit.
VC approach to enterprise sales, https://www.calcalistech.com/ctechnews/article/b1a1jn00hc & https://news.ycombinator.com/item?id=41042462
> [Cyberstarts] shows an internal rate of return of more than 100%, an unusual figure even for the best funds in the world.. The first sales come from the loyal CISOs who work with the fund.. Ra'anan offers [CISOs] the big dream of the world of employees - shares in a venture capital fund.. all funds that specialize in cyber go after CISOs and entice them with dinners, conferences, and some also offer them holdings in the fund. However.. he perfected it to a completely different level.. No CISO has ever received compensation for purchasing products.. They receive 4% of the success fees of the general partner (GP) in the fund.
I'm just trying to make sense of the numbers.
Craftsman Tools was sold to Black and Decker for $500 Million. This was and is a respected tool brand with an international presence making physical and tangible products and it is apparently worth 1/64th of Wiz.
I'm not even saying Wiz is overvalued, I don't know, I'm just not sure how they come up with these numbers.
I don’t know the details of either deal but it’s easy to imagine a case where Craftsman tools is just a brand in a crowded market with no special sauce. For example Sears never even made the tools, they outsourced it. Also it sold for 900m, 500m was the initial payment.
https://news.ycombinator.com/item?id=41042034
That being said, Instagram and WhatsApp were expensive for Facebook and those ended up being a steal. Time will tell, as usual.
What usually happens otherwise? Would they do partly google stock, etc? And each shareholder gets some kind of multiple? (you get your N amount of Wiz shares X .72 = your number of google shares), or something of that sort?
For Instagram and WhatsApp it was the user base and growth that was being bought, which is much harder to acquire than some random B2B saas security software.
They announced in a blog post that they went from $1m ARR to $100m ARR in 18 months (Feb 2021 -> July 2022). [1]
Reuters in the article posted here reports they were at $500m ARR when they last raised in mid-2024, meaning they went from $100m to $500m in around 2 years.
One would thus speculate they are likely a few hundred million above the half-a-billion figure today.
The multiple still appears a little high to me (particularly given it's all-cash, which Google doesn't even have) but what do I know.
[1] https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-th...
GOOG's latest balance sheet showed $96B in cash.
Like 32B is no small sum, and I don't really understand Wiz business (product yes, business and numbers much less).
Founders previously sold their security company to Microsoft as well.
Even if they did, I just don't see the play.
A PE of 5 is not a growth stock - that’s the kind of PE you’d see on a barely surviving mid-cap in decline…. The combined PE of the S&P500 is in the low to mid 30s these days!
https://en.m.wikipedia.org/wiki/Wiz_(company)#/media/File%3A...
It makes no sense for a company to have two mapping applications, yet 15 years later, more than a billion paid, one of the most valuable companies in the world failed to integrate another app.
Most people using Waze have no idea that it is owned by Google.
Absurd take. Google is the one AI company that is not completely dependent on Nvidia because they now use their own TPU chips for both inference and training.
As a Googler who works in GCP security, security has been a key differentiator for GCP long before the Mandiant acquisition. Google invented BeyondCorp (a primary driver of Zero Trust). Google helped create security keys (U2F, FIDO, Webauthn), and was I think the first major company to adopt them, both for employees, and for consumers. Google was one of the first major companies to offer a bug bounty, in 2010. Google's Project Zero searching for vulnerabilities in other companies'/organizations' software I think was pretty much unprecedented when it was created. Look at the number of times other tech companies get hacked compared to Google. Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
Disclosure: my thoughts are my own.
Your whole post is confusing Security of the Cloud with Security in the Cloud. And conflating GCP with Google but those are just examples of why GCP has such a small market percentage.
Yes, it's a lot less flexible than AWS IAM, but complicated IAM policies with conditions and stuff can be really hard to reason about.
Disclosure: my thoughts are my own.
There was one other time Google was hacked by a major government that also spurred massive internal security posture changes! https://en.wikipedia.org/wiki/Snowden_effect#Tech_industry
> Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government).
Do they mind if they're legally "hacked" by a (Western) govt? All that security sophistication couldn't prevent LEAs from owning us all, unfortunately: https://therecord.media/google-refuses-to-deny-it-received-u... / https://archive.vn/mzZtI
If that is their objective, they will fail again, since this is the land of good account management. Being able to call somebody on the phone if required. Something AWS excels at, Microsoft a little bit, while Google is rumored to have humans working there, but they are rarely seen.
I don’t think we even had talking points about why AWS was better than GCP like we did Azure.
If Google wants to be "the best of the best" at security and some set of potential customers use Wiz as their "best of the best" security, then this is a way to convert those customers to Google.
Consider some org that prioritizes security, like at the board level. They maybe don't really care about the nickel and dime cost of AWS vs. Azure vs. GCP since it comes out to 10s or 100s of millions of opex in the end. What they do care about is the cleanest record possible with respect to security. And Wiz is a key component to their position on security that is communicated to investors - it is a social proof that they are taking security very seriously.
This now becomes a tool for Google when trying to win their business. By degrading the value of Wiz on AWS/Azure/Oracle/Salesforce they are taking away that bullet point on security for a subset of competitors' customers. And that may entice some of them to move their entire cloud service to GCP. So whatever revenue they lose on the Wiz side from a dozen or so cancellations they would hope to make up with a few 100 million dollar whales.
I just find it hard to believe that enough whale level cloud compute business will be generated in this way to justify $32b. This is really the best take I have on the acquisition and it feels unsatisfying, as if there is some other decisive information that would provide a justification for such a valuation.
Maybe there is some government mandate coming down the pipeline that isn't very public yet? Some kind of legislation that will force companies to adopt stricter security policies? That could precipitate the kind of changes that would justify this kind of massive valuation.
e.g. half of Fortune 100 use Wiz and I assure you most of them do not use GCP (or do not use only GCP)
I think Wiz accepted 15x because it is all-cash.
The rate at which they are still growing, a series C/D company would dream of.
[1] https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-th...
So that number isn't really signal. Now that they're not paying CISOs to adopt the product they're not going to be growing as fast.
[1] https://www.bankinfosecurity.com/blogs/cyberstarts-program-s...
[2] https://www.calcalistech.com/ctechnews/article/b1a1jn00hc
The current Slope-Intercept is (NTM Revenue Multiple) = 36.677*(NTM Rev Growth Rate) + 2.0013. If Wiz is doubling revenue (100% Growth Rate) and they are at about $500M of revenue today [2], then the multiple according to that calculation is ~38.7 X Next Twelve Month Revenue ($1B) or $38.7B.
So, the price is in line with the market...or you could argue even a discount to it.
[1] https://cloudedjudgement.substack.com/p/clouded-judgement-31...
[2] https://www.barrons.com/articles/google-stock-price-wiz-deal...
That's the thing, were any numbers released or are we all just gonna speculate here? What is their growth rate, profit margin etc etc? How do they fit in Google's business, can current Wiz clients be upsold on GCP more easily now? Can other clients be brought more easily to GCP now that Google has a good (I hope) cyber security solution to go with its cloud? Clearly there is some strategy going on here that is more than just the ARR of Wiz.
As a minor shareholder in GOOG as well I have no freaking idea about any of this, I sort of trust that they probably took a calculated risk and know what they're doing (and even if this is a mistake by 20B, that's not much for a company the size of Google).
Now we know that was an excellent deal for Google (now Alphabet), despite being a long bet.
Good to have top security talent and good cloud security tooling if you're in a cloud play.
One way to reduce that tendency is to use multiple POVs of analysis. You could phrase it as a question instead: what assumptions would you need to change for the valuation to make sense?
Other questions: What factors are you not including? / What would it take for nepotism to survive scrutiny and how much nepotism would be tolerated?
My guess here is there are long-term strategic factors that the decision makers weighed heavily. I’d be very interested in understanding their world view, since they have much better internal visibility of both companies.
They surely expect some kind of strategic advantage from that, probably something to do with security of their own infrastructure, or maybe competitive advantage for gaining government or gov-adjacent contracts, or maybe they were afraid that Microsoft or Amazon could buy it and hurt their existing business.
Take a look at other Unit 8200 startups, or even Palantir. Palantir is much much much more worth than what they are on paper, especially with their Lavender AI involvements.
Cyber strategies have become so critical that it's a race between nations right now. The leading ones being Russia, Iran, China, North Korea and the US (while the US is heavily losing control, just in terms of malware and campaigns). Stuxnet forced the hands of the other nations, and they invested fully in Cyber ever since.
These deals always have more than meets the eye. Google wouldn't acquire revenue at a fair market price just for revenue's sake - there's some reason they expect to get value beyond the revenue.
That doesn't mean it's nepotism. It could be that they think they can triple revenue per customer with some synergy. Or any number of a large set of other possibilities.
If you want to understand this type of transaction better, you can read a book on M&A
I remember 2005/2006 there were many websites competing for the video-website role, YouTube's luck was that...they were very permissive on uploads while competitors like Vimeo e.g. employed a reasonable amount of content moderators.
Sure, your valuation could be based on revenue today. But why would you sell if you're "worth" $12bn right now, but you'll be "worth" 32bn in a few years? Why give up the control?
The only way for a company like Google to buy Wiz is to add a premium. Otherwise the company will just say "no".
This literally happened to Figma as well. And there is a history of this with companies like Instagram/WhatsApp.
In retrospect, was it stupid for Facebook to acquire Instagram/WhatsApp for large premiums?
Maybe they just need the tech. With Google behind, they can have 10,000 customers.
Disagreements on board levels are less and less frequent in the corporate world.
On top of that, many huge voters are simply ETFs, and their representatives virtually always side with management (State Street, Vanguard, etc have documents that explain their voting, but they are far from any kind of activist or naysayer).
Wiz and other tools in the same space tell you and track compliance across your fleet.
Idk if wiz does this, but their competitors have “compliance packs” which are preset compliance patterns, IE hipaa, finra, etc.
That way you click a button and it tells you every change you need to make to be compliant
Edit: this is all just examples
Here's the letter sent by the CEO Assaf Rappaport to his team at the time (2024):
"Wizards,
I know the last week has been intense, with the buzz about a potential acquisition. While we are flattered by offers we have received, we have chosen to continue on our path to building Wiz.
Let me cut to the chase: our next milestones are $1 billion in ARR and an IPO.
Saying no to such humbling offers is tough, but with our exceptional team, I feel confident in making that choice."
https://techcrunch.com/2024/07/22/wiz-walks-away-from-google...
The window is closed and locked. Haven't closed the storm shutters yet.
Yeah - that’s not likely to happen. Even the current in-house developed multi-cloud security stuff Google has doesn’t let internal people see customer data. It’s right there in the T&Cs they publish and agree to.
I suppose they could be violating them in egregious ways, but that wouldn’t last long before one or more of the 170,000 employees got upset and went all whistleblower, which would lead to billions of dollars in lawsuits.
Then you slice and dice the analytics data to extract what you need in the name of planning & improving the product.
(Cloud Access Security Broker)
Am I just naive?
You are not naive, you are not considering that at certain scales, your concerns are the cost of doing business.
maybe this deal is about a company with a lot of revenue in an area google is heavily investing in: cloud security?
So as a pure speculation on Goog's motives, it doesn't sound farfetched enough to call ridiculous. Competitive data is valuable, particularly if you want to strangle the youth in their cradles (or acquire them).
Hypothetical question as much as anything: If Google purchases a company and the data the company stores about their customers, is it illegal for them to use this data for whatever they want?
Let's say it would give them an understanding of what features from AWS people tend to use the most, and they use that to improve Google Cloud, would that be illegal?
At least say why you think so and contribute to the conversation a bit.
[0] https://news.ycombinator.com/newsguidelines.html#comments
Wiz is a "security product"? Security isn't something you can buy and bolt on to your systems as an afterthought. It doesn't work like that!
How is "trusting wiz" (trusting some icons on website controlled by wiz leading to publicly inaccessible reports, half of which are done by a single company somewhere in Florida) related to what Google might do with it after acquisition?
I highly doubt Google or Wiz have a legal avenue that allows them to use customer data beyond fulfilling their product needs. Products like Wiz (voluntarily) go through security audits and certifications, from SOC2 type 2 to FedRamp. Also enterprise customers actually do read T&C (their legal team does at least) and having terms and conditions that allow you to train models on customer data without their consent is not going to fly under the radar for long.
Care to elaborate?
The field of security is huge. It's unhelpful to lump unrelated things together.
Oh they do. https://www.wiz.io/blog/tag/research
A few fun ones are the multiple cross-tenant security exploits they found in Azure (which is why, among the tons of other reasons, Azure is just the worst possible choice for a cloud vendor from the big 3 - their security is a joke, and none of the vulnerabilities below should have passed even a cursory security review, but they did, which means the whole org doesn't take security seriously. Add in the fact that it's slow as hell, and has the UX worthy of an Enterprise vendor, the only reason to choose it is because you're getting a good deal on the golf course for it):
https://www.wiz.io/blog/azure-active-directory-bing-misconfi...
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-o...
https://www.wiz.io/blog/secret-agent-exposes-azure-customers...
https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-a...
Yes, because exploit discovery is exactly what enterprise security is.
1) Hidden cabals colluding in secret to control world events.
2) Extraterrestrial beings live among us secretly controlling world events.
3) Google illegally steals private data to secretly control world events.
According to Amazon's Wiz integration (https://aws.amazon.com/marketplace/pp/prodview-ibgbkrqusncsm), the lowest cost they have is $24,000/year.
This is an enterprise product in a space where companies spend millions of dollars.
Still seems like an insane amount though.
I don't really see the benefits of this acquisition for Google, but congrats to the Wiz team!
Wiz is a SaaS b2b startup. Even on a forum for startups most people haven't heard of them.
Wiz reportedly has a revenue of 750m. It would take Google 30 years or more to break even on this deal. But like all bs startups Wiz will fade into irrelevancy 6 months after being acquired.
Google is getting completely scammed.
It's also possible the last Wiz deal happens without the antitrust swirling over Google.
> FTC Chairman Ferguson and Omeed Assefi, Acting Assistant Attorney General of the DOJ’s Antitrust Division, announced on February 18, 2025, that the FTC and DOJ will continue to use the 2023 Merger Guidelines as the framework for their merger review process.
So I wouldn't count on it based on some generic "pro-business" position. Google is going to have to kiss the ring one way or another.
Google pays each of Wiz's shareholders 75-90% of the deal amount. The remainder is held in escrow and paid some time later based on a variety of conditions.
> What usually happens otherwise? Would they do partly google stock, etc? And each shareholder gets some kind of multiple? (you get your N amount of Wiz shares X .72 = your number of google shares), or something of that sort?
Yup, that's exactly how it works.
This will protect the buyer against misrepresentations.
There are often also targets that have to be met to achieve the full purchase price but not always disclosed
Typically these involve at least some stock (cash + stock or all stock) which would mean that each Wiz share gets some amount of money and some multiple of Google stock per share.
I'm sad they're being acquired, especially by a FAANG company. This constant consolidation is bad for IT (and the economy in general). I am happy for the employees holding shares though!
Growing up in NYC, it was impossible to not remember the "Nobody Beats the Wiz" jingle.
I like it too. Don't care much for google buying them, it can only end badly.
Companies like CrowdStrike have copied a lot of what Wiz has been doing (and I'm sure wiz has copied some CrowdStrike features).
This announcement is pretty disappointing to me. I would have more faith in Wiz as an independent company than as part of Google. I expect their innovation to fall off a cliff.
Revenue from Wiz's customers will not make back $32 billion dollars even in 30 years.
Wiz's technology is irrelevant. I think Google already scans for vulnerabilities and misconfigurations. And can build similar for low millions of dollars.
How easy is this? Especially if you're doing it on an accelerated timeline, it seems like you'd have to pay above market to poach thousands of best-in-class engineers, and then you're stuck with higher salary expenses forever.
What is hard about that is actually selling your product to customers, which Wiz managed to do in a way never seen before.
I loved the product when I used it (huge improvement over Nessus), and am immensely disappointed Google owns it as it means I’ll have to find something else going forward. This is the sort of acquisition a regulator should block, because Wiz really is best-in-class at what they do for every cloud they support, and customers benefit more from it being agnostic.
They also snapshot your disks, cloning them to Wiz accounts to provide secrets scanning / vuln scanning / etc against your infra.
These resulting risks / findings are scored and provided in their SAAS Wiz console via dashboards / APIs / integrations with remediation guidance.
I can see how that could be worth $32B.
A lot of cloud providers already have little hints like "hey - did you mean to create this account in God mode?" or "It is recommended not to create this god mode json key file" - Wiz is taking this to the next level of detail
Source: worked for a large enterprise company that used it, and I loved it. Phenomenal tool, will be a shame to see it die (or at least its non-GCP aspects wither and die) under Alphabet's ownership.
One exploit I remember Wiz finding was "ChaosDB". A flaw in Microsoft's Cosmos DB allowed anyone to use the default-enabled Jupyter Notebook to basically dump and modify anyone's databases, without authentication. Full admin access.
The product though is easy to set up, no friction - like 5 minutes per tenant; and in a few hours you have a really good picture of your security posture with very detailed explanations for every finding.
And the graph… very useful to understand why a finding is marked as high or critical even though at first glance it does not look like it.
For Google they are worth 32B, they ARE the Google Security business from now on. They don't even have to be profitable themselves, having this aspect working means Google gets access to additional enterprise clients and in places they weren't previously present.
I mean, their revenue? They're apparently on track to do a billion this year, growing pretty fast, so 30 billion seems fair enough.
And since most people's experience is shallow, the only analog they can muster is the mafia.
Yep, you're definitely right, I misread. Still less than a billion.
> I think the main calculus is around estimating future profits. Do they make a profit? Is it a crowded space? Is the market space growing? What assets do they have? People, land, factories, or intellectual IP? Etc etc.
Yeah I guess that makes enough sense, though I have to admit that sometimes it feels kind of removed from reality sometimes.
The founders, who are now flush with cash, time and ideas; are quickly speedrunning the steps creating their previous company, in the same market, but now with more access to capital and employees from their previous company who would rather work for a startup than a large conglomerate, while fixing all the mistakes from their previous venture.
PE is not the same as PS (price to sales or revenue). Startups and growth companies are often valued by PS since they have revenue growth, but are often not yet turning a profit (making their PE < 0).
In fact price/revenue of sp500 is a disaster right now: 2.92.
That means that SP500 companies on average are worth 3 times their sales!
What we use it for:
- vulnerability assessments for containers and VMs (they give a list of vulnerable or outdated packages)
- initial access vulnerabilities: what happens if an internet facing component is compromised because you have a vulnerable package and to what kind of data it has access to (it has some regexes and what not to figure out if in your database you have PII data, HIPAA etc.), what lateral movement is possible etc.
- provides information on what you can do to fix a finding
- IAM checks for overly broad permissions
- Service account age and overdue key rotations
Take your pick.
Additionally:
Google offers BeyondCorp products as GCP products. A big example is IAP. Do AWS and Azure offer something like IAP? If so, I think they were created in response to IAP.
Another Google/GCP security product related to zero trust is Chrome Enterprise Premium: https://cloud.google.com/blog/products/identity-security/int... .
Another innovative GCP security product is VPC Service Controls. Do AWS and Azure offer something like that? If so, I think they were created in response to VPC Service Controls.
Security keys: I mentioned in my previous comment how they're used by consumers (that includes GCP customers). GCP is making MFA mandatory this year: https://cloud.google.com/blog/products/identity-security/man...
Bug bounties protect GCP customers by making sure GCP products don't have vulnerabilities.
Project Zero protects GCP customers by finding vulnerabilities in products that GCP customers use (although it also finds vulnerabilities in products that AWS and Azure customers use).
When Microsoft got hacked by China in 2023, China stole Microsoft's signing key, and used it to mint tokens to impersonate Azure AD users of Microsoft customers. That's relevant to security in the Cloud.
GCP products are also recognized for security:
https://cloud.google.com/resources/forrester-unstructured-da...
https://www.varonis.com/blog/forrester-wave-data-security-pl...
https://cloud.google.com/blog/products/infrastructure-modern...
https://cloud.google.com/blog/products/identity-security/goo...
https://www.teradata.com/press-releases/2020/forrester-2020-...
https://www.bbc.com/news/world-us-canada-24751821 > Snowden leaks: Google 'outraged' at alleged NSA hacking
Degrading Wiz capabilities on AWS/Azure/etc will not drive more customers to Google. CSPM and cloud workloads don’t go hand in hand. What will happen is that other companies will capture the market share left by Google. Will the offerings be less than Wiz quality-wise? Sure, but it will be way cheaper than moving to GCP.
The best option will be to leave Wiz as it is - standalone.
They're thus probably higher than 500m now although the multiple still seems really high to me. But what do I know.
[1] https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-th...
- it was just one of many potential interesting players. To think it could've been Vimeo, but the founders cared more about their main project: collegehumor
also, the vpn example ended in court
Given that likely rolls up other products I doubt it's all coming from Whatsapp.
[0]: https://d18rn0p25nwr6d.cloudfront.net/CIK-0001326801/1f8bf8e...
You can read my praise of ChromeOS here: https://news.ycombinator.com/item?id=41178525
To add a few, Chrome was the first browser to introduce process isolation: Every browser tab, every site (second-level domain) and every iframe runs in its own sandboxed process.
With that it's the only end-user software (alongside the other browsers) that actually is secure against Spectre and Meltdown. Operating systems only protect against Spectre/Meltdown leaks between processes.
Google invented Certificate Transparency and Chrome has enforced CT for years. Firefox added CT enforcement only a few days ago.
CT solves the following: For example, if a rogue Chinese Certificate Authority decides to issue a cert for google.com to the Chinese government for Man-in-the-Middle attacks, CT blows their cover and makes it known to everyone that the CA issued a fraudulent cert.
- Google is up 5.2X - I am not sure how you got 152%
- Apple is up 10X
- Microsoft is up 8.25X
- Netflix is up 7.45X
- Amazon is up 7.28X
- Facebook is up 6.27X
Google has the worst returns in ten years of the FAANG(+M) companies. A 5X increase in ten years is still phenomenal, but it's important to not look at that number in isolation.
And for fun:
- Nvidia is up 207X
- Intel is down 12%
- The S&P 500 is up 2.72X
That has nothing to do with whether Google has the ability to create new great products and it has failed miserably at that over the past decade.
Sysdig, Palo Alto's Prisma Cloud, or a few others compete with Wiz's CNAPP offering. Wiz also strays into some SCA and SCA-alike tooling for containers, code or XDR with their CDR/XDR products log ingest and agents available for response/quarantine.
Anyway, Chomsky claims that there's 0 distinction between USA and Israel, so if you see it from that point of view, it makes little difference.
Not supporting people who take part in the crime of persecution, is a nice side effect.
In other words, their webpage is not telling me anything. Companies like these, always feel like instead of having a useful product, they hired useful networks of people to "spread the word" and sell sell sell to your network. Apparently I wasn't in the network. Sorry old and salty.
- scan cloud configurations for policy violations
- detect and remediate infrastructure misconfigurations
- real-time visibility into cloud resource inventories
- early detection of issues
- container vuln. scanning
- runtime anomalous behavior
- alerts and correlate security events
- compliance mappings
- id risky permissions in IAM policies
- track changes and configuration drift over time
- implement zero-trust policies across microservices
- enforce network seg in containerized environments
- run security checks during build and deploy stages
- vulnerability assessments on running VMs and containers
- policy-as-code for consistent security standards
If you do interesting work, you’ll get cold emails unless you take steps to avoid them.
Wiz has only been around for 5 years.
To answer your question. Google doesn't acquire Wiz because Google can’t build a comparable product themselves. The real driver is that Wiz has already achieved market penetration and trust. Replicating that from scratch would be a massive undertaking, requiring not just a sophisticated product but also the brand credibility, customer relationships, and reputation for reliability. Establishing that level of traction and trust is difficult, time-consuming, and expensive. I highly doubt Google would try to build a direct competitor from the ground up when acquiring Wiz allows them to leverage its existing success right away.
Regarding your google comment: Google builds Google products that can also be used by other people. I am pretty confident they cannot build something like Wiz. And not because they don’t have researchers and developers.
This assumption that a tech company is going to keep reinventing or inventing new wheels all the time has very little evidence in human history, while the opposite one, the many great tales of that super company that did so many great things and then is far more common.
The only exceptions are...academic? And that's because innovation and moving the field IS the role of research and academy, not companies returning earnings to investors.
Wiz isn’t a new industry for Google, but adjacent expansion. Not seeing the reinvention remark.
The real value is it's a linter for _any_ cloud config - you can use terraform or cloudformation or just click around in user interface, and Wiz's rules would still work.
Analysts sometimes refer to the enterprise networking market as "Cisco and the Seven Dwarves". Nobody has ever said that about Symantec (prior to the Broadcom acquisition) or Palo Alto Networks.
It is often the case that in a new security product category, the products are so different, it is hard to collect them together in a single category with a straight face. Example: next generation AV circa 2015-2016. AV was a well-worn product category. All of the legacy products did basically the same thing. More or less at the same time, a bunch of new products came to market that all claimed the mantle of "next generation AV:"
* Bit9 did process whitelisting, later adding Carbon Black for endpoint forensics
* FireEye had a proto-EDR solution
* Cylance did ML-based malware detection
* Palo Alto Networks had an exploit-mitigation focused agent that they bolted ML-based malware detection onto.
The industry slowly converged on EDR as the sort-of successor to endpoint AV budgets.
A few years later, the cloud security space was the same fragmented mess. Some were what we now know as CSPM, some were glorified DLP solutions, some container security solutions, etc.
actually, it makes perfect sense. it's just that you (and I) don't have the right perspective.
these giantcos are sitting on Himalayan ranges worth of cash, which is burning a fiery hole in their butts, and they don't know what to do with it.
and they have more cash than sense, even though they always brag about having some of the smartest people in the world, and also have FOMO (to competitors and upstarts).
Facebook buying WhatsApp for 19 billion did not make sense to us laymen either, but it happened.
I was flabbergasted when I read about it. ignorant me.
https://en.m.wikipedia.org/wiki/Himalayas
https://en.m.wikipedia.org/wiki/WhatsApp
go figure (pun intended)
edit: you answered your own doubt about why does not make sense:
>Also looks like Google is desperate for growth in Cloud and they need to do something.
that's what I said, FOMO.
man, if i sold even one of my software products for even a zillionth of such amounts, I would be on Mount Kailash (cloud 9 to you :)
grrr. envy emoji here.
wow, faaak. I wrote my above comment off the cuff, although based on my intuition and common sense, but just now thought of googling FOMO, to check what Wikipedia says about it, and it seems they agree with me:
https://en.m.wikipedia.org/wiki/Fear_of_missing_out
relevant excerpt, from near the top of the above page (emphasis mine):
>FOMO can also affect businesses. Hype and trends can lead business leaders to invest based on perceptions of what others are doing, rather than their own business strategy.[19] This is also the idea of the bandwagon effect, where one individual may see another person or people do something and they begin to think it must be important because everyone is doing it. They might not even understand the meaning behind it, and they may not totally agree with it. Nevertheless, they are still going to participate because they don't want to be left out.[20]
leaders, huh? more like followers, aka sheep. include me out.
AWS allows you to use multiple accounts easily, and accounts are (by default) completely isolated from each other. That's actually how services work internally at AWS, it's not uncommon for a service to have hundreds of AWS accounts (one for each region multiplied by the number of environments).
It's not so easy with GCP.
GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.
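Two of the checks mentioned in this thread (overly broad IAM grants such as the Compute Engine default service account holding the basic Editor role, and overdue service account key rotation) can be sketched as follows. This is an added example, not code from any commenter, from Wiz or from Google; the rule names, severity labels, the 90-day threshold and the sample policy and key data are assumptions constructed for illustration, shaped like the JSON that `gcloud projects get-iam-policy` and `gcloud iam service-accounts keys list` return.

```python
"""Posture checks over constructed GCP IAM data (illustrative only)."""
import re
from datetime import datetime, timezone

BASIC_ROLES = {"roles/owner", "roles/editor"}           # project-wide basic roles
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # effectively anyone
# The Compute Engine default service account is named after the project number.
DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$")
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, adjust to your own standard

# Constructed sample: an IAM policy in the bindings/members layout.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/editor", "members": [
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
            "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/pubsub.publisher", "members": [
            "serviceAccount:ingest@example-project.iam.gserviceaccount.com"]},
    ],
}

# Constructed sample: service account keys with their creation timestamps.
_SA = "projects/example-project/serviceAccounts/ingest@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": _SA + "/keys/aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T00:00:00Z"},
    {"name": _SA + "/keys/bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-02-20T00:00:00Z"},
    {"name": _SA + "/keys/cccc3333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-06-01T00:00:00Z"},
]


def audit_policy(policy):
    """Return (severity, rule, subject, detail) tuples for risky bindings.

    IAM conditions on a binding are not evaluated in this sketch.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", "public-binding", member, role))
            elif role in BASIC_ROLES and DEFAULT_COMPUTE_SA.match(member):
                # Every VM that runs as the default account inherits this role.
                findings.append(("HIGH", "default-sa-basic-role", member, role))
            elif role in BASIC_ROLES:
                findings.append(("MEDIUM", "basic-role-grant", member, role))
    return findings


def audit_keys(keys, now):
    """Flag user-managed keys older than MAX_KEY_AGE_DAYS."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by the platform
        created = datetime.strptime(
            key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        age = (now - created).days
        if age > MAX_KEY_AGE_DAYS:
            key_id = key["name"].rsplit("/", 1)[-1]
            findings.append(
                ("MEDIUM", "key-rotation-overdue", key_id, f"{age} days old"))
    return findings


def report(policy, keys, now):
    """Merge both audits and sort with the highest severity first."""
    order = {"HIGH": 0, "MEDIUM": 1}
    findings = audit_policy(policy) + audit_keys(keys, now)
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


if __name__ == "__main__":
    audit_date = datetime(2025, 3, 18, tzinfo=timezone.utc)  # fixed for the demo
    for severity, rule, subject, detail in report(
            SAMPLE_POLICY, SAMPLE_KEYS, audit_date):
        print(f"{severity:6} {rule:24} {subject}  ({detail})")
```
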
So many areas where resource-based conditions just do not work with particular GCP product offerings and you're forced to give out much broader access than you should be giving out. It's half-arsed and prevents you implementing PoLP.
AWS has a steeper learning curve here, but I've never been unable to constrain down e.g. access to an SNS topic in the way I want to.
I personally know of 2 big GCP customers who, over the years, left GCP because of this and the impact it had in critical situations. This very feedback was given in both cases to people considerably high up on GCP's ladder and... nothing's ever changed.
I'm sure plenty other big migrations off GCP provided the same feedback, to no avail.
When Diane Greene first and then Thomas Kurian became Google Cloud CEOs people thought that finally, due to their previous experiences in very Enterprise-aggressive companies, they would improve massively on that front.
Did they improve the situation? a bit. Massively? bringing GCP finally on-par with anyone else (not better than anyone else, just... the same)? nope, not even close.
It was the last Google organization to have a genuine sustained hiring spree and didn't face nearly the same amount of cutbacks
Large enterprises don't sign the stock terms and conditions that would enable this, most do or should have legal teams redlining contracts around how cloud data is accessed and used by vendors. Maybe Wiz is so good they would agree to it, but it would get challenged and negotiated during the sales cycle.
https://shelly.guide/add-a-shelly-to-your-wi-fi-through-web-...
In my setup I have Home Assistant running on an N100 mini PC and that's what I use as an HomeKit bridge.
If possible I'd use ZigBee or Z-Wave bulbs (or even better, switches) though.
It's unclear to me what you're thinking besides the wish to troll.
If google wants to maintain those audit findings, which they’ll need to do to keep most of their customers, that’s going to limit the kind of data collection they can do. Unless, of course, you want to propose a new conspiracy theory (which I guess would be par for the course in this thread) that Google is going to lie to their auditors to get at that sweet, sweet data (most of which they already have for their GCP customers and don’t need to buy Wiz to obtain.)
Some things are self evidently stupid, cynical and/or disingenuous to anyone with a modicum of intelligence and a cursory understanding of the field.
Use your hall monitoring energy to add value. The type of post I call out here reduces the value of the forum.
At the very least it's a giant book of sales leads.
Obviously hard to source this old stuff but I found an old Reddit comment that backs up my recollection: https://www.reddit.com/r/whatsapp/comments/xesw29/comment/io...
EDIT: just checked my payment history and in November 2013 I paid €0.89 for "One Year Service"
I think the other part of the equation missing is if Google did create their own Wiz, Wiz would still be on the market, and it'd be a bitter fight which they could very well lose.
Citation please? Last layoff at Google of any significance was over 2 years ago in the post-pandemic cleanup era..
That's probably cos I am far away from this space.
gonna need a citation on that. All I could find was their own quotes.
The wikipedia page has a handy list of companies to avoid at all costs: https://en.m.wikipedia.org/wiki/Unit_8200
I have had shares that are 1. force sold, 2. shares that were force split into two companies and 3. shares that are force acquired so they become another company's shares.
> The industry slowly converged on EDR as the sort-of successor to endpoint AV budgets.
This was a dedicated effort by CrowdStrike working with analysts back in 2017-2018. EDR capabilities themselves, interestingly, grew out of forensics companies like Guidance Software. HBGary and Mandiant were the early players. FireEye killed Mandiant's EDR off, but HBGary's lives on to some extent today, two or three acquisitions later, at GoSecure.
The most recent figures I’ve seen are that Microsoft has around 25% of the endpoint market[0], which is a plurality because the market is so fragmented. Proofpoint claims around 24% of the email security market[1].
The only security market you can say they “dominate” is identity, if you ignore the MFA market. AD is, at least, almost everywhere.
> This was a dedicated effort by CrowdStrike working with analysts back in 2017-2018.
That’s one interpretation of events. It’s also completely orthogonal to what I wrote.
0 - https://www.microsoft.com/en-us/security/blog/2024/08/21/mic...
1 - https://www.proofpoint.com/us/blog/email-and-cloud-threats/p...
Proofpoint is the clear number two, but Microsoft always sits behind Proofpoint (and Mimecast, IronPort, etc.). They're also always in front of Abnormal and other API-only options. Every big company has E5 with Defender for Office 365 on their email, and the rest either still have E5 or they have EOP.
> That’s one interpretation of events.
In 2017 EPP and EDR were distinct categories, and CrowdStrike had a big internal initiative (driven top-down by Kurtz, but managed by a PM director under Rod Murchison) to merge them, while Cylance and others that had separate SKUs for each area worked to keep them apart. CrowdStrike was more effective.
I mentioned this because it wasn't just a natural market convergence; B2B companies spend absurd amounts of money with the Gartners and Forresters of the world to align their products with line items in budgets. It's capitalism all the way down.
Not speculating on anything here. I was at or worked closely with all of the companies mentioned in both posts.
Objectively speaking Google is one of the few companies that saw where the puck was headed and skated there. They built TensorFlow, they sponsored serious local AI research. Now they build their own in-house training and inference hardware. Relative to the struggling we see from the rest of FAANG, I would argue Google is perhaps the only successful competitor left. I despise their monopoly abuse of AdSense, but they're not going to be effectively prosecuted with protectionist American policy defending them. Google "won" the services sector and now everyone and their mother is butthurt.
Does Google have a better LLM based product than OpenAI’s ChatGPT? Well personally for my use case, NotebookLM is better for some things. But it isn’t a better product for most people.
Android's position is so bad in the market as far as convincing consumers with money to buy one, Google has to pay Apple $20B+ a year to be the default search engine. I wouldn’t be surprised if Google pays more to be the default search engine on Apple devices than Google makes in mobile for Android.
From a consumer standpoint, Android has seen declining market share in the US, the Nest acquisition is floundering, Stadia was a failure, Pixel ships about the same number in a year that Apple ships iPhone in a couple of weeks, WearOS has gone nowhere, no real tablet strategy (I Chromebooks have been a success in education so that’s kind of a mitigating factor), their tv strategy has pivoted a half dozen times, their messaging app strategy is schizophrenic (they had 5 separate messaging apps simultaneously at one point), AI summaries for Google search are half baked.
On the business side, GCP is just pathetic. I don’t mean as far as technology. But their account management, enterprise sales team and customer service is lackluster. I mentioned in another comment that when I worked at AWS ProServe, we never considered them a serious competitor.
GSuite has gained some traction in smaller companies. But hasn’t made a dent in government and enterprise where the real money is.
Look at Microsoft and Apple’s product mix as far as successful profit generating products and compare that to Google’s.
as well as this is the surest way for GCP to spectacularly commit suicide
AFAIK, there are no explicit laws forbidding that. Maybe you could share what law you think this would be breaking?
GDPR, CCPA, HIPAA, etc, as Google has no way of knowing which data they will train on, add to that copyright and that's just off the top of my head
cloud contract obligations are also pretty clear about customer data.
furthermore it would be bad engineering and security if Wiz had actual direct access to customer data, versus having their code having access to said data. That would be a huge issue in due diligence for example
Maybe like the Motorola acquisition - not so much the profit attributable from the acquisition but the profit they *won't* lose by not acquiring them.
I am sure I am misunderstanding something, but I'm not sure what.
You're missing that a lot of "security" is in reality just a bunch of check-boxes for a form that someone asks you to fill out.
The security you need to really think about is outside of those checkboxes, and it seems like Wiz is not for this type of security, but the former.
And that still provides a lot of value to the right customers.
Yes there are other parts to HIPAA than just VM config, but it’s just giving you policies and checks out of the box
They have other capabilities, but that’s the primary value add.
Imagine you are working for a fortune 100 company with hundreds of thousands of cloud resources. You can’t manage them individually.
/s
The problem with the cloud, from a security standpoint, is that it is much more complex than a traditional on-premise infrastructure, especially if you go the "managed services" route and have minimal code.
I constantly get ads to learn how to code. Ok I've been doing that professionally for over a decade and I have a real degree from a real university… why would I do some online programming course?
https://www.bleepingcomputer.com/news/security/rubrik-rotate...
https://www.bleepingcomputer.com/news/security/rubrik-confir...
This one is straight up embarrassing:
https://techcrunch.com/2019/01/29/rubrik-data-leak/
> The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.
So much about "zero trust", at this point it's nothing but a marketing term and has lost its true meaning
It's more likely backroom kickbacks (and/or mossad) than invisible unicorn.
Most of their competitors, like Palo Alto, have a very convoluted offering from gluing together several acquisitions. Wiz is very cohesive with a much nicer API and great UX, which is very underrated in the security space imo.
I have zero trust in Google’s promise to keep supporting the tool for multiple clouds or maintain the high quality of product design that makes Wiz great. It’s great for my job security, but I’d call it a net loss for the industry.
I actually don't care for Wiz's UX.
If you're a manager and just want to get an idea of what your security posture looks like, it's great. They have a million dashboards for you.
But if you're an AppSec Engineer that just wants to see which EC2 instances have which CVEs, it's kind of a pain in the pass and takes way too many clicks.
No they aren't.
I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.
For a hot second (around 2018-2019) there were solid conversations around eBPF, io_uring, or cloud posture management, but that doesn't happen on here anymore.
Same with MLOps and ML Infra as well - almost no one on here understands Infiniband, RDMA, or BLAS
The tech industry is MASSIVE - and most people are only clued into their own little niche. And according to HN, the only tech companies that exist are FAANG, Nvidia, Tesla, TSMC, and BYD.
FWIW "here" could mean "in this thread". It's pretty normal (and very visible here) that threads about X attract people working in X. I'm not sure this is happening here, I work in IT security but I clicked the thread because 32B caught my eye.
I never even looked at a CSPM, and from my point of view[1] CSPMs are a tool only relevant for a small part of security teams focused on enterprise cloud security. Today is the first time I heard of Wiz.
Edit: actually my partner works on the policy/compliance/legal side of security, and I'm pretty sure she never heard of Wiz either.
[1] I wrote this only to stress how different people in the same field can see things differently.
IT security is a very wide field. For example, a lot of positions in IT security are actually about compliance (i.e. lots of documentation), and ensuring the rollout of all necessary application patches in the whole company.
What is a CSPM? Some cloud monitoring tool? What does it provide over open-source security and monitoring tools with years of field use that would make me invest time into it? Also, have these tools been thoroughly audited, scanned, fuzzed, and pentested by reputable people like some of the open source tools we've been using? Since tools are part of the attack surface, do these tools themselves increase or reduce it?
Serious questions since you think I should be very knowledgeable about these tools. My tech stack just works with minimal maintenance. So, I'd have to lose time on more important or fun stuff to even study CSPM or Wiz. Not counting setting it up.
Does it protect stuff? Somewhat.
Is it the best product out there - no.
Are CISOs happy? CSPM is mostly a checklist item in their bucket of things to do.
It depends on what kind of security you are working in. Most of the people in CSPM, CNAPP world have heard their name.
It is a product built for cloud security/devsecops folks.
Would we (i.e. anyone not in the intelligence space) know what intelligence service-y software would look like? Aren't all such organizations trained and designed to be inconspicuous and in places we are unlikely to expect?
I’d also bet on this being more of a kickback, rather than an invisible unicorn. Between a visible elephant (Trump/Israel) and an invisible unicorn, betting on an elephant is more reasonable.
1.) Most people here are likely not in security.
2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?
For some reason I picked this hill to die on in this thread. I have worked in IT security for a long time, and I have never heard of Wiz. My focus is malware reverse engineering and adjacent subfields. I have no interest in anything Cloud.
"are you sure you’re good enough to subject us to your opinion" feels a bit dismissive.
If you were to look through the System -> Inbound Mail settings for every PPS customer, you'd find a sea of x.mail.protection.outlook.com, some on-prem Exchange servers, and practically nothing else. I'm comfortable with "always" as a description of this state of affairs, but you do you.
In my book, Android doesn't count as a Google product, as it was a 2005 acquisition:
https://www.androidauthority.com/google-android-acquisition-...
YouTube and even AdSense were based on an acquisition.
Heck, Apple as we know it today was based largely on the NeXT acquisition.
Sometimes the simpler explanation is the correct one.
That is the space
The performance matters much less than the UI
And the UI sucks because if you know what you're doing you can type a command
But the people who write the cheques do not know that, and equate UI with GUI
So we get Azure (where I found this)
Squinting, mousing and clicking a dozen times to do the equivalent of one rsync command....
There's a single button I click that'll list all my VMs, then a single click (usually a middle click to open a new tab) to view all the CVEs in each VM.
Obviously, existing agreements would need to continue to be run properly, no question about that. But there is always plenty of other data that probably could be used by Google to gain some insights.
that might be legal and interesting but i highly doubt it's 30+ billion dollar interesting
i imagine you can buy that data from data brokers without any legal exposure but that's only a guess
—
Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
—
Or if reading terse legal documents isn’t your thing, go ahead and just read through Wiz’s own blog post about how their scanner works, which confirms they have full, direct access to customer EBS volume snapshots in the default “full SaaS” deployment model. [1]
Your point that due diligence would have taken issue with this might not be grounded in Google’s reality.
0: https://wiz.pactsafe.io/legal#wiz-subscription-agreement
1: https://www.wiz.io/blog/the-wiz-approach-to-agentless-scanni...
"Services" – which you'll note is capitalized... lawyers do that for a reason – has a very specific meaning that very obviously does not include "whatever the fuck Google wants to do with it", nor "training general purpose AI models" in particular.
Why are you intentionally and blatantly misinterpreting Wiz's policies? Or are you just that good at ignoring/missing details in order to weave the story you've already decided to believe?
Here are some things that counter this:
https://users.ece.cmu.edu/~adrian/731-sp04/readings/Ptacek-N...: A paper that rocked the security industry at the time.
Tptacek also was cofounder of Matasano, now part of NCC; also cofounder of Latacora.
More info: https://sockpuppet.org/me/
Also the co-author of https://cryptopals.com/, https://microcorruption.com/login.
The author of https://www.latacora.com/blog/2018/04/03/cryptographic-right..., https://sockpuppet.org/blog/2015/01/15/against-dnssec/, https://sockpuppet.org/stuff/dnssec-qa.html,
These are about what I call hard-core security, hardly insanely niche, and hardly lacking critical knowledge.
I suppose if your company prefers to build over buy, you won’t be exposed to the kind of knowledge and vocabulary that buyers in the space use to orient themselves.
Imagine if you found an authentication backdoor - a way to impersonate any account and you could start sucking down data. You do it for 5 billion people and charged google $6.40 per person not to put it on Tor.
$32 billion would be a steal.
Old but relevant - https://scheerpost.com/2022/11/01/revealed-the-former-israel...
Cybersecurity goes hand-in-hand with IT, DBA, Networking, DevOps, and OS/Systems Programming - all functions that were previously looked down upon over the last 15-20 years.
Furthermore, most American CS programs made OS internals, Computer Architecture, or Distributed Systems optional, so the junior portion of the ecosystem doesn't exist in the US anymore.
AquaSec is built by an Israeli company and looks and feels much like any other SaaS product.
Also, if you've worked with Israeli government cybersecurity teams, they aren't much different in caliber from the kind you'd find at the NSA, GCHQ, or Netherlands.
To save others looking up what 'suave arsim' meant:
1. suave -- a normal English word for charming/confident
2. "arsim" [1] -- apparently a former ethnic slur for Mizrahi Jews [2] now repurposed to mean crude, loud and brash (which sounds to me like the equivalent of the British slang term 'chav').
And saying "Mossad"-this/"Mossad"-that just feels like it's increasingly being used as a dogwhistle.
https://undercodenews.com/from-idf-intelligence-to-a-2b-goog...
A lot of the 8200 hype is just hype though, because Gili Raanan and Shlomo Kramer became billionaires earlier than alumni from the other cyber units.
I (and most here) wouldn't really know what that caliber is in these other organizations either to compare.
What we do hear of is how the Hubble's tech stack is hand-me-down previous-gen (i.e. 70s) spy satellites, or exploits like Stuxnet, Pegasus or the recent pager supply chain attacks. On a pure technical level those are all pretty impressive things, well beyond what I or even anyone I may personally know do.
There of course is definitely a certain amount of propaganda that would project much higher capability than reality; being mindful of that misdirection and the visible evidence, we civilians can only reasonably conclude that we will never have a clue what these organizations can or cannot actually do.