Wiz - Visible Vulnerabilities
2540 words, 15899 characters
It’s not often that a company’s first round of institutional funding is for $100m. It’s also not often that a company reaches $100 million in Annual Recurring Revenue (ARR) from $1 million ARR within 18 months.
In fact, there’s only one company that can boast of both achievements: Wiz.
Wiz’s products analyze cloud infrastructures from providers like AWS, Azure, and GCP for security risks. They’ve been described as the “one tool to rule your cloud” and “frictionless visibility”. In the process of scaling up, Wiz has also uncovered various vulnerabilities including:
- ChaosDB - A series of vulnerabilities in Azure’s Cosmos DB’s Jupyter Notebook feature where attackers could obtain credentials to the Cosmos DB account.
- OMIGOD - A series of vulnerabilities in Azure’s Open Management Infrastructure (OMI) where attackers could gain root privilege and remotely execute malicious code.
- AttachMe - A vulnerability in Oracle Cloud Infrastructure (OCI) where attaching a disk to a Virtual Machine didn’t require any permissions. Attackers could access and modify data from any OCI customer.
Taken together, Wiz is both a business and technical success story. This is their story.
Funding
| Round | Date | Amount | Narrative | Lead Investor |
|---|---|---|---|---|
| Series A | Dec 2020 | $100m | Experienced founders | Sequoia, Index, Insight, Cyberstarts |
| Series B | Mar 2021 | $130m | COVID acceleration | Advent Venture Partners |
| Series B-2 | May 2021 | $120m | Speed of growth | Salesforce Ventures, Blackstone Growth |
| Series C | Oct 2021 | $250m | Vulnerability WoM | Insight Partners, Greenoaks Capital |
| Series D | Feb 2023 | $300m | Increased cyberattacks | Lightspeed Venture Partners |
Wiz skipped a traditional seed round since the co-founders had a previous $250 million exit
Founding Story
From one perspective, Wiz is the latest case of a long string of successful Israeli security companies. From another perspective, Wiz is in a league of its own, it has grown faster than any other startup in the security ecosystem.
Like Drata and Snyk, Wiz was started by a team of veteran co-founders: Assaf Rappaport (CEO), Ami Luttwak (CTO), and Roy Reznik (VP R&D), and Yinon Costica (VP Product). Of the four, Rappaport, Luttwak, and Reznik co-founded Adallom back in 2012 while Costica joined Adallom as VP of Products in 2014.
The four men first met while serving in the Israeli Intelligence Corps’ Unit 8200. After their terms of service, Rappaport went on to McKinsey, Luttwak joined a data & software agency, Costica stayed with IDF as the head of a department, and Reznik became a Software Team Lead at the IDF.
In late 2011, Rappaport, Luttwak and Reznik came together with an idea - “SaaS as a class is secure, but the way end users actually utilize SaaS isn’t.” The three started Adallom on that premise, building products to audit employee SaaS activities and detect usage anomalies.
This would be great practice for their future journey at Wiz. Rather than solve security problems, Adallom focused on bringing visibility to vulnerabilities. It was a delicate balance. Adallom’s products had to be both frictionless such that employees wouldn’t feel burdened, but also substantial enough to be useful for IT teams.
In 2013, Adallom discovered a Token Hijacking Vulnerability within Microsoft Office 365. [0] Two years later, in September 2015, Microsoft acquired Adallom for $250 million. [1]
All four future co-founders of Wiz took on prominent positions within Microsoft as part of the acquisition. In particular, Rappaport became the General Manager of the Cloud Security Group and scaled the business-line to a $1.5 billion annual run rate.
In January 2020, four years after the acquisition, the co-founders were itching for another adventure.
At Microsoft, Rappaport had witnessed firsthand the growth of cloud. Platforms such as AWS, Azure, and GCP were seeing year-over-year double-digit growth. In 2021, AWS alone generated $62.2 billion with $18.5 billion in operating profit.
With more and more systems moving to the cloud, Wiz’s thesis was that companies would place additional emphasis on security for cloud deployments.
At the outset of starting Wiz, the co-founders brought on former co-workers at Microsoft and Adallom. This included software engineers like Eyal Wiener (Jan 2020) and Avihai Berkovitz (Mar 2020), security & devops experts like Raz Shaken (Mar 2020) and Liran M (Apr 2020), and even operations and product managers like Adi Sharon (Feb 2020) and Raaz Herzberg (Apr 2020).
Two months after founding, Wiz had already assembled the core founding team (along ********with a cute dog). Most of the team had overlapped with the co-founders at Microsoft, Adallom, IDF, or even all three.
Just as the team had assembled, COVID threw a wrench into their plans. In February 2020, the global pandemic shut down commercial activity across the globe. Sequoia Capital even released a memo titled, “Coronavirus: The Black Swan of 2020”. For all of Wiz’s experience and planning, a pandemic was not on their radar. Recalling the early days of Wiz, Rappaport said, “We were meeting CISOs, shaking hands.”
After a few months of uncertainty, thankfully, their fortunes started to look up. After triggering a global slowdown, COVID led to an incredible bull market. Investors came back to the market and companies started loosening their budgets. Both groups were especially interested in cloud tools.
To keep operating, legacy companies and startups alike had to adapt to a remote work environment. Meetings were now held over Zoom. Coffee chats turned into Slack conversations. And technical infrastructure moved to the cloud. In the transition, security teams had to keep up with the influx of cloud attack surfaces.
That’s where Wiz came in.
By providing visibility across a company’s entire cloud deployment, security teams could proactively assess and resolve vulnerabilities.
Just nine months after starting the company, in December 2020, Wiz came out of stealth with a $100 million Series A, co-led by Sequoia Capital (publisher of the black swan memo), Index Ventures, Insight Partners, and CyberStarts.
Not a bad start for a company that was shaking hands in the midst of a pandemic.
Product-Market Fit
Coming out of stealth, Wiz invested heavily in sales.
In October 2020, they hired Ryan Buchanan as Director of Business Development. While the core engineering team was in Israel, Wiz would build out its sales and marketing team in the US.
In February 2021, Colin Jones and Katie Kilroy joined Wiz as SVP, Sales & Business Development and Chief of Staff, Sales. Both Colin and Katie had spent years working in security sales at Duo Security. The move signaled serious commitment to sales-led-growth.
The growth from their new strategy led to a $130 million check from Advent Ventures Partners at a $1.7 billion valuation in March of 2021, four months after coming out of stealth.
Part of what made Wiz such an explosive hit was their cloud-first mentality.
Wiz connects to a company’s cloud environments. From there, a dashboard maps out various threats, levels of risk, and a guide on how to resolve these vulnerabilities. The security or IT team can then use Wiz as a checklist on what to focus attention on.
From their Adallom experience, the Wiz team knew that a key differentiator in building security tools was friction or lack thereof. Wiz’s product was magical for security teams because they could get it up and running in just 15 days. Compared to legacy providers that take anywhere from 12-18 months in installation time, Wiz was light-years faster.
This speed came in handy with the COVID acceleration. As Satya Nadella put it, COVID led to “two years’ worth of digital transformation in two months.” [3] Companies couldn’t wait a year to implement cloud security - they needed it now and Wiz was there to deliver.
This thesis was best articulated by Bryan Taylor, Managing Partner of Advent’s technology investment team:
With every company now a software company, more and more business is shifting to the cloud – creating a massive market opportunity for Wiz to help CISOs and CIOs effectively identify and eliminate attack vectors across their cloud infrastructure environment. This demand for cloud-focused security solutions has enabled Wiz to deploy its product at-scale with leading global customers in a remarkably short timeframe. Wiz’s efficient growth to-date is a strong indicator of where we think the business is going and we believe the company is well positioned to lead a growing industry.
Larger players also started taking note. In May 2021, Salesforce Ventures and Blackstone Growth pledged another $130 million to Wiz, upping their Series B to a total of $250 million.
Growth
With the new funding, Wiz drew from their Adallom days for inspiration.
Back in 2013, Adallom had discovered a vulnerability with Microsoft Office 365 that eventually led to their acquisition. Looking to repeat that success, Wiz invested heavily into an internal white-hat security team that looked for exploits in cloud environments.
This investment started with Luttwak writing and explaining recent security attacks like Solarwinds and Linux Sudo vulnerabilities in February 2021.
In August, the team, led by Alon Schindel, discovered a Chaos DB vulnerability. September, they published OMIGOD. December, they found NotLegit where the Azure App Service exposed hundreds of source code repositories. April 2022, ExtraReplica, a cross-account database vulnerability in Azure PostgreSQL. September 2022, AttachMe (explained above). December 2022, Hell’s Keychain, a supply-chain vulnerability in IBM Cloud Databases for PostgreSQL.
The first two findings would cement Wiz’s reputation in the cybersecurity space and accelerate its growth even further. With the increased word of mouth, security consultants and managed security service providers began approaching Wiz to enter into channel sales partnerships.
It paid off.
In October 2021, Wiz raised $250 million Series C funding led by Insight Partners and Greenoaks Capital at a $6 billion valuation.
By then, Wiz had signed on companies like MassMutual, Fox, Blackstone, Salesforce, Slack, The Home Depot, Rivian, DocuSign, and UiPath as customers. They had sold to 10% of the Fortune 500.
In the funding announcement, Rappaport wrote:
COVID spurred the biggest migration wave the cloud has ever seen. As Satya Nadella put it, “we saw two years of digital transformation in 2 months.” It was a matter of survival. 81% of business leaders in a recent survey said COVID accelerated their cloud migration timelines and plans.
But the pandemic also laid bare problems that have been simmering below the surface. Cloud costs are skyrocketing, security breaches are proliferating, and companies can’t hire enough in-house talent to manage and secure their ever-growing environments.
It was a good time to be Wiz. The product was in the right place, right time, and best of all, the right team.
The early employees that Wiz had hired had blossomed into leaders within the company. Adi Leist Sharon had been promoted to VP Global Operations and Raaz Herzberg was now VP Marketing and Product Strategy.
As the team grew to 168 employees, they also took on some new faces. Nir Dagan joined in May 2021 as General Counsel following 4 years at Meitar, Israel’s Leading Law Firm. Anthony Belfiore joined in February 2022 as Chief Security Officer, previously the CSO at Aon (a $60+ billion company that was also a Wiz customer since the start of 2021).
Expansion
As if there weren’t enough already - even more good news before the end of 2021.
Running a security company can sometimes be a strange business. While new vulnerabilities pose a major headache for most businesses, they have security companies chomping at the bit.
On November 24, 2021, Chen Zhaojun of the Alibaba Cloud Security Team discovered a new vulnerability within Log4j. And on December 1st, attackers exploited the vulnerability in an attack on Minecraft servers.[5]
On December 6th, Log4j released a patch for the vulnerability. December 9th, the issue, named Log4Shell, was made public on Twitter. And on the 10th, CVE-2021-44228 (public vulnerability disclosure) was published. US officials called this the most serious flaw ever seen. The world started panicking.
In their rush to patch the Log4Shell vulnerability, security teams started increasingly turning to Wiz. Wiz’s speed to implementation was once again a major differentiating factor against competitors. Companies no longer had the luxury of evaluating and finalizing security software terms.
Wiz also helped attract customers with a series of blog posts talking about what Log4Shell is (December 9th), the impact of Log4Shell on enterprise cloud environments (December 20th), how to patch the vulnerability (December 20th), and even a fireside chat with Bridgewater on how Wiz’s product helped (Jan 2022).
Log4Shell brought enough attention to Wiz that seven months later, in August 2022, they crossed the $100m ARR mark. From launch, Wiz had reached this milestone in just 18 months, making them one of the fastest companies to grow from $1 million ARR to $100 million ARR.
Wiz was widely adopted by both non-technology companies like BMW, Blackstone and Costco as well as software companies like Salesforce, Snowflake and Slack. Now, more than 25% of Fortune 100 companies were customers.
By this point, the company had also grown to over 400 employees with offices in New York, Colorado, and Tel Aviv.
In February 2023, Wiz announced a $300 million funding round at a $10 billion valuation, led by Lightspeed Venture Partners.
Conclusion
Wiz’s journey has been nothing short of incredible. One of the fastest-scaling companies in history, they’ve broken milestone after milestone. Today, Wiz’s products include:
- Cloud Security Posture Management - Detect and remediate for cloud misconfigurations
- Container Security - Visibility and risk assessment on containers, Kubernetes, and cloud environments
- Infrastructure as Code Scanning - Security inputs during development and policies in deployment pipeline [6]
- Cloud Native Application Protection Platform - Wiz’s core product. Scan cloud environments, and understand context and prioritization around risks
- Vulnerability Management - Discover nested dependencies, solving supply-chain security
- Cloud Detection and Response - Monitor cloud actives (Adallom but for the cloud)
- Cloud Infrastructure Entitlement Management - Permission mapping and find IAM (identity access management) risks
- Compliance - Automated compliance against PCI, GDPR, HIPAA, and more
Each of these products could be a separate company.
At the end of the day, Wiz is much more than a simple security company. They’re the fastest growing company (ever!) with an established sales engine and the right suite of products for the future security world.
In the words of Rappaport:
We are at a stage that could be a turnaround for the industry here. There was a stage where we quickly sold companies for an exit and moved to companies in the growth and unicorn stage, and now we have the opportunity to build really big, balanced and profitable companies.
[0] Complete with a 2013 era promotion video.
[1] Previous reports of the Adallom acquisition had pegged the figure at $320 million. TechCrunch uses the $250 million figure. Adallom was also one of the first acquisitions under Satya Nadella’s tenure as CEO of Microsoft.
[2] Rappaport’s dog, Mika, even has its own LinkedIn page.
[4] In fact, Microsoft’s security business (that Rappaport had helped build) was doing $10 billion in annual revenue. Up 40% from the previous year due to COVID acceleration.
[5] Gaming and security have a surprising amount of overlap. Most great hackers were also avid gamers, and I guess it’s not such a far leap to go from, “let me get better at this game” to “let me hack this game to get a high score”.
[6] The IaC Scanning product reaches into the territory of Snyk, which we previously profiled.