Incognito unicorns.
There are many companies like these in the security space. Another company I can think of is Rubrik. All these large security companies are under-the-radar successes.
https://www.bleepingcomputer.com/news/security/rubrik-rotate...
https://www.bleepingcomputer.com/news/security/rubrik-confir...
This one is straight up embarrassing:
https://techcrunch.com/2019/01/29/rubrik-data-leak/
> The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.
So much for "zero trust"; at this point it's nothing but a marketing term and has lost its true meaning.
It's more likely backroom kickbacks (and/or Mossad) than an invisible unicorn.
Most of their competitors, like Palo Alto, have a very convoluted offering from gluing together several acquisitions. Wiz is very cohesive with a much nicer API and great UX, which is very underrated in the security space imo.
I have zero trust in Google’s promise to keep supporting the tool for multiple clouds or maintain the high quality of product design that makes Wiz great. It’s great for my job security, but I’d call it a net loss for the industry.
I actually don't care for Wiz's UX.
If you're a manager and just want to get an idea of what your security posture looks like, it's great. They have a million dashboards for you.
But if you're an AppSec Engineer that just wants to see which EC2 instances have which CVEs, it's kind of a pain in the ass and takes way too many clicks.
No they aren't.
I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.
For a hot second (around 2018-2019) there were solid conversations around eBPF, io_uring, or cloud posture management, but that doesn't happen on here anymore.
Same with MLOps and ML Infra as well - almost no one on here understands Infiniband, RDMA, or BLAS
The tech industry is MASSIVE - and most people are only clued into their own little niche. And according to HN, the only tech companies that exist are FAANG, Nvidia, Tesla, TSMC, and BYD.
FWIW "here" could mean "in this thread". It's pretty normal (and very visible here) that threads about X attract people working in X. I'm not sure this is happening here; I work in IT security but I clicked the thread because 32B caught my eye.
I never even looked at a CSPM, and from my point of view[1] CSPMs are a tool only relevant for a small part of security teams focused on enterprise cloud security. Today is the first time I have heard of Wiz.
edit: Actually my partner works on the policy/compliance/legal side of security, and I'm pretty sure she has never heard of Wiz either.
[1] I wrote this only to stress how different people in the same field can see things differently.
IT security is a very wide field. For example, a lot of positions in IT security are actually about compliance (i.e. lots of documentation), and ensuring the rollout of all necessary application patches in the whole company.
What is a CSPM? Some cloud monitoring tool? What does it provide over open-source security and monitoring tools with years of field use that would make me invest time into it? Also, have these tools been thoroughly audited, scanned, fuzzed, and pentested by reputable people like some of the open source tools we've been using? Since tools are part of the attack surface, do these tools themselves increase or reduce it?
Serious questions since you think I should be very knowledgeable about these tools. My tech stack just works with minimal maintenance. So, I'd have to lose time on more important or fun stuff to even study CSPM or Wiz. Not counting setting it up.
Does it protect stuff? Somewhat.
Is it the best product out there - no.
Are CISOs happy? CSPM is mostly a checklist item in their bucket of things to do.
It depends on what kind of security you are working in. Most of the people in CSPM, CNAPP world have heard their name.
It is a product built for cloud security/devsecops folks.
Would we (i.e. anyone not in the intelligence space) know what intelligence-service-y software would look like? Aren't all such organizations trained and designed to be inconspicuous and in places we are unlikely to expect them?
I’d also bet on this being more of a kickback, rather than an invisible unicorn. Between a visible elephant (Trump/Israel) and an invisible unicorn, betting on an elephant is more reasonable.
1.) Most people here are likely not in security.
2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?
For some reason I picked this hill to die on in this thread. I have worked in IT security for a long time, and I have never heard of Wiz. My focus is malware reverse engineering and adjacent subfields. I have no interest in anything Cloud.
"are you sure you’re good enough to subject us to your opinion" feels a bit dismissive.
In other words, their webpage is not telling me anything. Companies like these always feel like, instead of having a useful product, they hired useful networks of people to "spread the word" and sell sell sell to your network. Apparently I wasn't in the network. Sorry, old and salty.
- scan cloud configurations for policy violations
- detect and remediate infrastructure misconfigurations
- real-time visibility into cloud resource inventories
- early detection of issues
- container vulnerability scanning
- runtime anomalous behavior
- alerts and correlate security events
- compliance mappings
- ID risky permissions in IAM policies
- track changes and configuration drift over time
- implement zero-trust policies across microservices
- enforce network segmentation in containerized environments
- run security checks during build and deploy stages
- vulnerability assessments on running VMs and containers
- policy-as-code for consistent security standards
If you do interesting work, you’ll get cold emails unless you take steps to avoid them.
Wiz has only been around for 5 years.
To answer your question: Google isn't acquiring Wiz because Google can't build a comparable product themselves. The real driver is that Wiz has already achieved market penetration and trust. Replicating that from scratch would be a massive undertaking, requiring not just a sophisticated product but also the brand credibility, customer relationships, and reputation for reliability. Establishing that level of traction and trust is difficult, time-consuming, and expensive. I highly doubt Google would try to build a direct competitor from the ground up when acquiring Wiz allows them to leverage its existing success right away.
Regarding your google comment: Google builds Google products that can also be used by other people. I am pretty confident they cannot build something like Wiz. And not because they don’t have researchers and developers.
It also looks like Google is desperate for growth in Cloud and they need to do something.
They are paying as much money as their whole Google Cloud revenue in 2023. The revenue multiple is something like 40x revenue for Wiz. Exceptionally high, even for a high-growth company. Clearly overpaying.
Wiz had nine rounds so massive dilution, and VCs need to recover the money...
Analysts sometimes refer to the enterprise networking market as "Cisco and the Seven Dwarves". Nobody has ever said that about Symantec (prior to the Broadcom acquisition) or Palo Alto Networks.
It is often the case that in a new security product category, the products are so different, it is hard to collect them together in a single category with a straight face. Example: next generation AV circa 2015-2016. AV was a well-worn product category. All of the legacy products did basically the same thing. More or less at the same time, a bunch of new products came to market that all claimed the mantle of "next generation AV:"
* Bit9 did process whitelisting, later adding Carbon Black for endpoint forensics
* FireEye had a proto-EDR solution
* Cylance did ML-based malware detection
* Palo Alto Networks had an exploit-mitigation focused agent that they bolted ML-based malware detection onto.
The industry slowly converged on EDR as the sort-of successor to endpoint AV budgets.
A few years later, the cloud security space was the same fragmented mess. Some were what we now know as CSPM, some were glorified DLP solutions, some container security solutions, etc.
Actually, it makes perfect sense. It's just that you (and I) don't have the right perspective.
These giantcos are sitting on Himalayan ranges worth of cash, which is burning a fiery hole in their butts, and they don't know what to do with it.
And they have more cash than sense, even though they always brag about having some of the smartest people in the world, and also have FOMO (of competitors and upstarts).
Facebook buying WhatsApp for 19 billion did not make sense to us laymen either, but it happened.
I was flabbergasted when I read about it. Ignorant me.
https://en.m.wikipedia.org/wiki/Himalayas
https://en.m.wikipedia.org/wiki/WhatsApp
Go figure (pun intended).
edit: you answered your own doubt about why it does not make sense:
>Also looks like Google is desperate for growth in Cloud and they need to do something.
That's what I said, FOMO.
Man, if I sold even one of my software products for even a zillionth of such amounts, I would be on Mount Kailash (cloud 9 to you :)
grrr. envy emoji here.
Wow, faaak. I wrote my above comment off the cuff, although based on my intuition and common sense, but just now thought of googling FOMO, to check what Wikipedia says about it, and it seems they agree with me:
https://en.m.wikipedia.org/wiki/Fear_of_missing_out
relevant excerpt, from near the top of the above page (emphasis mine):
>FOMO can also affect businesses. Hype and trends can lead business leaders to invest based on perceptions of what others are doing, rather than their own business strategy.[19] This is also the idea of the bandwagon effect, where one individual may see another person or people do something and they begin to think it must be important because everyone is doing it. They might not even understand the meaning behind it, and they may not totally agree with it. Nevertheless, they are still going to participate because they don't want to be left out.[20]
Leaders, huh? More like followers, aka sheep. Include me out.
You never heard of them since perhaps your decisions were not in the cycles of their product. Those who are have heard of them indeed (the type of folks who look at Gartner magic quadrants).
The whole thing reads like all the dozen or so "cloud security" plays out there.
Either I'm missing something big, or their products are outrageously far ahead of all the other similar sounding products out there.
I've been known to roll my eyes at a lot of these sorts of product catalogues in the past though and so I'm definitely biased and not the target audience for their marketing.
Some CIO out there probably really does think that their security problems will finally be over once they purchase another half dozen dashboards to click through and look at.
The product though is easy to set up, no friction - like 5 minutes per tenant; and in a few hours you have a really good picture of your security posture with very detailed explanations for every finding.
And the graph… very useful to understand why a finding is marked as high or critical even though at first glance it does not look like it.
For Google they are worth 32B; they ARE the Google Security business from now on. They don't even have to be profitable themselves; having this working means Google gets access to additional enterprise clients in places where it wasn't previously present.
I mean, their revenue? They're apparently on track to do a billion this year, growing pretty fast, so 30 billion seems fair enough.
They add features weekly or faster.
What we use it for:
- vulnerability assessments for containers and VMs (they give a list of vulnerable or outdated packages)
- initial access vulnerabilities: what happens if an internet-facing component is compromised because you have a vulnerable package, what kind of data it has access to (it has some regexes and whatnot to figure out if your database holds PII, HIPAA data, etc.), what lateral movement is possible, etc.
- provides information on what you can do to fix a finding
- IAM checks for overly broad permissions
- service account age and overdue key rotations
Take your pick.
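Two of the CSPM checks mentioned in this thread (flagging overly broad IAM permissions, and flagging service account keys that are overdue for rotation) are simple enough to show in a few dozen lines. The block below is an added example written for this page; it is not Wiz's code or any vendor's, and the policy document, service account keys and clock value are constructed sample data, not real accounts. It walks an AWS-style policy JSON and reports Allow statements with wildcard actions or resources, then lists keys older than a configurable rotation window against a fixed reference time so the output is reproducible.

```python
"""Minimal CSPM-style checks (added example, not from the original thread)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: an AWS-style IAM policy document. Statement 0 is the
# classic "admin everything" grant, statement 1 is properly scoped,
# statement 2 has a wildcard action on a scoped resource, statement 3 is a
# Deny and should never count as a risky grant.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["iam:*"],
     "Resource": "arn:aws:iam::123456789012:role/app"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed sample: service account keys with creation timestamps (not real).
SAMPLE_KEYS = [
    {"account": "deploy@example", "key_id": "k1", "created": "2024-01-10T00:00:00Z"},
    {"account": "ci@example", "key_id": "k2", "created": "2025-03-01T00:00:00Z"},
]

# Fixed reference clock so the key-age results are deterministic.
NOW = datetime(2025, 3, 20, tzinfo=timezone.utc)


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_risky_statements(policy):
    """Return findings for Allow statements with wildcard actions or resources.

    A full-service wildcard such as "iam:*" counts as a wildcard action.
    Wildcard action AND wildcard resource is critical; one of the two is high.
    Deny statements are skipped: they narrow, not widen, access.
    """
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resources = [r for r in resources if r == "*"]
        if wildcard_actions and wildcard_resources:
            severity = "critical"
        elif wildcard_actions or wildcard_resources:
            severity = "high"
        else:
            continue
        findings.append({
            "statement": index,
            "severity": severity,
            "actions": wildcard_actions,
            "resources": wildcard_resources,
        })
    return findings


def overdue_keys(keys, now, max_age_days=90):
    """Return keys created more than max_age_days before `now`, with their age."""
    cutoff = now - timedelta(days=max_age_days)
    overdue = []
    for key in keys:
        # Accept the trailing "Z" form on older Pythons by mapping it to +00:00.
        created = datetime.fromisoformat(key["created"].replace("Z", "+00:00"))
        if created < cutoff:
            overdue.append({
                "account": key["account"],
                "key_id": key["key_id"],
                "age_days": (now - created).days,
            })
    return overdue


def run_checks(policy=SAMPLE_POLICY, keys=SAMPLE_KEYS, now=NOW):
    """Run both checks and return a summary a dashboard could render."""
    return {
        "risky_statements": find_risky_statements(policy),
        "overdue_keys": overdue_keys(keys, now),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

Real CSPM products resolve the effective permissions of a principal across all attached policies, resource policies and permission boundaries before scoring a finding; this block only inspects a single policy document, which is enough to show why a "*"/"*" Allow statement is flagged critical while a scoped "iam:*" grant is only high.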