Google to buy Wiz for $32B (reuters.com)
> Wiz has raised a total of $1.9 billion from a combination of venture capital funds and private investors
> Wiz agreed to acquire Tel Aviv-based Raftt, a cloud-based developer collaboration platform, for $50 million in December 2023. In April 2024, the company acquired cloud detection and response startup, Gem Security, for around $350 million
> Wiz was founded in January 2020 by Assaf Rappaport, Yinon Costica, Roy Reznik, and Ami Luttwak, all of whom previously founded Adallom.
> Adallom was founded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, who are former members of the Israeli Intelligence Corps’ Unit 8200 and alumni of the Talpiot program.
> Adallom was reportedly acquired by Microsoft for $320 million in July 2015
> On March 18, 2025, Google announced an all-cash acquisition of Wiz for $32 billion
Had never heard of Wiz until they posted the blog post about the DeepSeek database being public earlier this year.
https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepse...
I never heard of them until they were purchased for $32 billion.
That's the kind of a company everyone wants to build in enterprise security.
Incognito unicorns.
There are many companies like these in security space. Another company I can think of is Rubrik. All these large security companies under the radar success.
Rubrik had pretty bad breaches in the past:
https://www.bleepingcomputer.com/news/security/rubrik-rotate...
https://www.bleepingcomputer.com/news/security/rubrik-confir...
This one is straight up embarrassing:
https://techcrunch.com/2019/01/29/rubrik-data-leak/
> The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.
So much about "zero trust", at this point it's nothing but a marketing term and has lost its true meaning.
most people here are also in security and still haven't heard.
It's more likely backroom kickbacks (and/or mossad) than invisible unicorn.
Security is a big field. I’m in the CSPM space and Wiz is a major player here, I actually had a bit of an existential crisis about what we were building when I first saw a demo of their platform.
Most of their competitors, like Palo Alto, have a very convoluted offering from gluing together several acquisitions. Wiz is very cohesive with a much nicer API and great UX, which is very underrated in the security space imo.
I have zero trust in Google’s promise to keep supporting the tool for multiple clouds or maintain the high quality of product design that makes Wiz great. It’s great for my job security, but I’d call it a net loss for the industry.
> Wiz is very cohesive with a much nicer API and great UX
I actually don't care for Wiz's UX.
If you're a manager and just want to get an idea of what your security posture looks like, it's great. They have a million dashboards for you.
But if you're an AppSec Engineer that just wants to see which EC2 instances have which CVEs, it's kind of a pain in the pass and takes way too many clicks.
> and takes way too many clicks.
That is the space
The performance matters much less than the UI
And the UI sucks because if you know what you're doing you can type a command
But the people who write the cheques do not know that, and equate UI with GUI
So we get Azure (where I found this)
Squinting mousing and clicking a dozen times to do the equivalent of one rsync command....
How would you like to consume that information?
I like the way InsightVM does it.
There's a single button I click that'll list all my VMs, then a single click (usually a middle click to open a new tab) to view all the CVEs in each VM.
CSPM is a very crowded space. There are quite some new and emerging providers. Wiz out of the scene opens up new opportunities.
Opportunity for opportunity's sake isn't a virtue if it gets rid of one of the few providers that was any good.
How does Wiz work? What is the ELI 5 or tldr?
> most people here are also in security
No they aren't.
I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.
For a hot second (around 2018-2019) there were solid conversations around eBPF, io_uring, or cloud posture management, but that doesn't happen on here anymore.
Same with MLOps and ML Infra as well - almost no one on here understands Infiniband, RDMA, or BLAS
The tech industry is MASSIVE - and most people are only clued into their own little niche. And according to HN, the only tech companies that exist are FAANG, Nvidia, Tesla, TSMC, and BYD.
>I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.
FWIW "here" could mean "in this thread". It's pretty normal (and very visible here) that threads about X attract people working in X. I'm not sure this is happening here, I work in IT security but I clicked the thread because 32B caught my eye.
Exactly, parent commenter is exercising the same bias they’re accusing others of. Rookie move imo.
I vaguely remember this hot second you refer to. What is the HN equivalent where those conversations are happening today?
Lobste.rs for technical stuff. But most security related conversations by security SMEs aren't happening online anymore. We have specific user conferences and regional user groups now.
Cool, any in central Louisiana? Poland? That'll teach the AI!
The cybersecurity industry is almost entirely located in the Bay, Seattle, Tel Aviv, and Blr/Hyd, so the really active user groups are mostly in those cities.
Cybersecurity goes hand-in-hand with IT, DBA, Networking, DevOps, and OS/Systems Programming - all functions that were previously looked down upon over the last 15-20 years.
Furthermore, most American CS programs made OS internals, Computer Architecture, or Distributed Systems optional, so the junior portion of the ecosystem doesn't exist in the US anymore.
I don't use Lobste.rs anymore because the owner irrationally blocked the browser I'm using, and I refuse to switch to a different browser just to read Lobste.rs. The owner seems like he has some issues to say the least.
i don't consider installing yet another 3rd party keys on my 3rd party cloud vnet as adding security... but maybe that's just me.
Well, it depends what it does to your liability. If, in case of attack, it ends up shifting the blame to a third party, then yes, that's considered adding security in enterprise space.
If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do. I'm not saying you have to be a CSPM expert, but not even hearing about Wiz, when they are the largest CSPM, is somewhat concerning.
I am in security for many years now, my main focus is reverse engineering (but I did many diverse things, including cryptography, some exploit development and the opposite, AV work, I did R&D in security automation and some development of security tools and engines).
I never even looked at a CSPM, and from my point of view[1] CSPMs are a tool only relevant for a small part of security teams focused on enterprise cloud security. Today is the first time I heard of Wiz.
Edit: Actually my partner works in policy/compliance/legal side of security, and I'm pretty sure she never heard of Wiz too.
[1] I wrote this only to stress how different people in the same field can see things differently.
I've heard of Wiz, but would have had a hard time listing out their feature/benefit statement, because I don't work with CSPM tools. I don't think this "I have doubts about what you actually do" line is doing the work you want it to; it may be backfiring on you a bit.
CNAPPs and CSPMs are extremely common tools in cybersecurity. This is my concern. If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have. There's a big responsibility as a security practitioner to stay up to date on new tools and techniques. CNAPP and CSPM is not some new thing that was invented last year. It's been around for a decade.
> If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have
Here are some things that counter this:
https://users.ece.cmu.edu/~adrian/731-sp04/readings/Ptacek-N...: A paper that rocked the security industry at the time.
Tptacek also was cofounder of Matasano, now part of NCC; also cofounder of Latacora.
More info: https://sockpuppet.org/me/
Also the co-author of https://cryptopals.com/, https://microcorruption.com/login.
The author of https://www.latacora.com/blog/2018/04/03/cryptographic-right..., https://sockpuppet.org/blog/2015/01/15/against-dnssec/, https://sockpuppet.org/stuff/dnssec-qa.html,
These are about what I call hard-core security, hardly insanely niche, and hardly lacking critical knowledge.
I’ve never heard or seen either of those terms before reading this thread. What you’re calling “CNAPP” I’ve been calling “endpoint security”. I’ve been building internal “CSPM” tooling since 2014 with like raw cloud api calls feeding into graphviz, CI-like tests in a terraform repo, transforming the state of a set of cloud accounts into a form I can shove into z3 and ask questions about, that kind of thing, but never heard it called that.
I suppose if your company prefers to build over buy, you won’t be exposed to the kind of knowledge and vocabulary that buyers in the space use to orient themselves.
CSPM solutions are what corporate buys when they don't want to invest in security. It is rubber-stamping and ass covering. From my experience most people involved with such platforms are rather technical sales people than actual security experts.
You might want to google the person you’re arguing with
One of those beautiful HN moments where just clicking the profile link would have helped them shift from such an authoritative tone.
> If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do.
IT security is a very wide field. For example, a lot of positions in IT security are actually about compliance (i.e. lots of documentation), and ensuring the rollout of all necessary application patches in the whole company.
I know diabetologists in India who didn't hear about Ozempic till late 2024.
Sometimes the simpler explanation is the correct one.
Compliance and patch/vulnerability management teams are a major constituency for CSPM tools.
I've been securing my cloud instances the same way I would for dedicated hardware. I use the same tools. I periodically eyeball usage data from the service providers to make sure their end is OK. Takes 5-15 minutes. Occasionally run updates. It all mostly just keeps chugging along.
What is a CSPM? Some cloud monitoring tool? What does it provide over open-source security and monitoring tools with years of field use that would make me invest time into it? Also, have these tools been thoroughly audited, scanned, fuzzed, and pentested by reputable people like some of the open source tools we've been using? Since tools are part of the attack surface, do these tools themselves increase or reduce it?
Serious questions since you think I should be very knowledgeable about these tools. My tech stack just works with minimal maintenance. So, I'd have to lose time on more important or fun stuff to even study CSPM or Wiz. Not counting setting it up.
Bullshit. Infosec is not just about highly inflated startups or whatever the fuck CSPM means. I know people who do exploit dev, reverse engineering, blue teaming and they have never heard of wiz. Stop overexaggerating
kickbacks, may be. I have seen the product. It is not so mossad-y. It is fairly straightforward cloud, VM, kubernetes scans.
Does it protect stuff? Somewhat.
Is it the best product out there - no.
Are CISOs happy? CSPM is mostly a checklist item in their bucket of things to do.
It depends on what kind of security you are working in. Most of the people in CSPM, CNAPP world have heard their name.
It is a product built for cloud security/devsecops folks.
> It is not so mossad-y.
Would we (i.e. anyone not in the intelligence space) know how intelligence service-y software would look like? Aren't all such organizations trained and designed to be inconspicuous and in places we are unlikely to expect?
Ghidra from the NSA at a glance looks and feels like normal software.
AquaSec is built by an Israeli company and looks and feels much like any other SaaS product.
Mossad aren't the guys doing cyber ops in Israel. They're suave arsim (how else can you blend in Beirut or Tehran).
Also, if you've worked with Israeli government cybersecurity teams, they aren't much different in caliber from the kind you'd find at the NSA, GCHQ, or Netherlands.
> They're suave arsim (how else can you blend in Beirut or Tehran).
To save others looking up what 'suave arsim' meant:
1. suave -- a normal English word for charming/confident
2. "arsim" [1] -- apparently a former ethnic slur for Mizrahi Jews [2] now repurposed to mean crude, loud and brash (which sound to me like the equivalent of the British slang term 'chav').
It was a bad attempt at humor, but pretty much my point is there are a couple other cybersecurity/sigint specific units unrelated to Mossad. And "arsim" isn't as loaded a term anymore - everyone is mixed in Israel now because it's a melting pot.
And saying "Mossad"-this/"Mossad"-that just feels like it's increasingly being used as a dogwhistle.
I mean, it is used as a substitution for 'Israel', but I don't see how that's a dogwhistle. Or do you mean antisemitic?
I think you just watched Asi Cohen skit https://youtu.be/bN-en_7KGT8?si=xqhHaa9lBXpjntEq
I actually didn't see this before, but that is absolute gold - Asi Cohen is a national treasure (and absolutely a suave arsim XD)
Unit 8200 is cyber ops and the main people of this company are all from that unit.
https://undercodenews.com/from-idf-intelligence-to-a-2b-goog...
There are a couple other units beyond 8200.
A lot of the 8200 hype is just hype though, because Gili Ranaan and Shlomo Kramer became billionaires earlier than alumni from the other cyber units.
81 is the other one I am familiar with but I believe they focus on OSINT.
> they aren't much different .. NSA, GCHQ, or Netherlands
I (and most here) wouldn't really know what that caliber is in these other organizations either to compare
What we do hear is of how the Hubble's tech stack is hand me down previous gen (i.e. 70s) spy satellites or exploits like Stuxnet, Pegasus or the recent pager supply chain attacks. On a pure technical level those are all pretty impressive things well beyond what I or even anyone I may personally know do.
There of course is definitely certain amount of propaganda that would project much higher capability than reality, being mindful of that misdirection and the visible evidence, we civilians can only reasonably conclude that we will never have a clue what these organizations can or cannot actually do.
We would actually. Lot of the intelligence orgs. use COTS these days.
Bingo, a huge kickback to some "invisible" hands. They're probably already creating the new "unicorn" to sell to another FAANG company.
If a security firm could blackmail Google, what would that look like?
What could possibly be worth 36 billion? That we don't already know?
This is google. They've got everything. I use google password manager, wallet, biometrics to log into my google smartphone and google authenticator for my 2FA. I use google voice and maps, photos, youtube, search, docs, gmail and gemini for AI.
Imagine if you found an authentication backdoor - a way to impersonate any account and you could start sucking down data. You do it for 5 billion people and charged google $6.40 per person not to put it on Tor.
$32 billion would be a steal.
Do you think you could get away with doing that?
If you have alumni at senior positions internally, it shouldn't be that hard to strike a deal.
Old but relevant - https://scheerpost.com/2022/11/01/revealed-the-former-israel...
For $32 billion?
It's cheaper to, well, you know.
Ya, Mossad's primary task is enterprise sales for Israeli tech.
The article talks about Trump inserting himself into larger deals, there is no reason to think this one is an exception.
I’d also bet on this being more of a kickback, rather than an invisible unicorn. Between a visible elephant (Trump/Israel) and an invisible unicorn, betting on an elephant is more reasonable.
100% the case
HN is not the entire industry. Not even close. It’s a small subset.
That is totally unfounded. Their book of business is huge. You think Google is paying 32B of shareholder dollars because of a foreign intelligence agency? Keep your conspiracism to yourself.
Wiz is a private company but the street's assumption is $1B/ARR over the next year or so.
Two things:
1.) Most people here are likely not in security.
2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?
>2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?
For some reason I picked this hill to die on in this thread. I work in IT security for a long time, and I have never heard of Wiz. My focus is malware reverse engineering and adjacent subfields. I have no interest in anything Cloud.
"are you sure you’re good enough to subject us to your opinion" feels a bit dismissive.
This is wild to me. As someone in security, Wiz is definitely one of the whales.
Same here, I guess it's the circles you run. I just went to their homepage and I have no idea what they do. I already have CI/CD, code, etc.. "securing" it seems like, use aws secret stores?
In other words, their webpage is not telling me anything. Companies like these, always feel like instead of having a useful product, they hired useful networks of people to "spread the word" and sell sell sell to your network. Apparently I wasn't in the network. Sorry old and salty.
Companies have problems securing their workloads. Not just storing secrets. Off the top of my head, I've personally been able to centralize the following with a single tool (instead of gluing together a dozen different providers)
- scan cloud configurations for policy violations
- detect and remediate infrastructure misconfigurations
- real-time visibility into cloud resource inventories
- early detection of issues
- container vuln. scanning
- runtime anomalous behavior
- alerts and correlate security events
- compliance mappings
- id risky permissions in IAM policies
- track changes and configuration drift over time
- implement zero-trust policies across microservices
- enforce network seg in containerized environments
- run security checks during build and deploy stages
- vulnerability assessments on running VMs and containers
- policy-as-code for consistent security standards
As a meaningful tangent, how many layers of obscurity do you use to keep sales people from contacting you?
If you do interesting work, you’ll get cold emails unless you take steps to avoid them.
It's a whale, but a young whale.
Wiz has only been around for 5 years.
In your opinion, are they a whale because they make a great product... or just have a great marketing/PR/sales team? I am guessing "great product" because I cannot believe that Google cannot just rebuild it themselves (if not a great product).
Wiz is widely considered one of the strongest CNAPP/CSPM products on the market. I haven’t personally tested every single competitor’s solution, but I’ve found Wiz to outperform pan, crowdstrike, and prisma.
To answer your question. Google doesn't acquire Wiz because Google can’t build a comparable product themselves. The real driver is that Wiz has already achieved market penetration and trust. Replicating that from scratch would be a massive undertaking, requiring not just a sophisticated product but also the brand credibility, customer relationships, and reputation for reliability. Establishing that level of traction and trust is difficult, time-consuming, and expensive. I highly doubt Google would try to build a direct competitor from the ground up when acquiring Wiz allows them to leverage its existing success right away.
I highly doubt Google would be capable of building something like this from the ground up. Just take a look at one of their recent efforts Stadia.
The product is great. We’re using it since 2023. Very happy.
Regarding your google comment: Google builds Google products that can also be used by other people. I am pretty confident they cannot build something like Wiz. And not because they don’t have researchers and developers.
It does not make sense. In 2024 Wiz had 10.7% market share. Revenue in the 1,5 to 1,7 Billion but they were not profitable in 2023. Become profitable in 2024 meaning costs are very high.
Also looks like Google is desperate for growth in Cloud and they need to do something.
They are paying as much money as their whole Google Cloud revenue in 2023. Revenue multiple is like 40x times revenue for Wiz. Exceptionally high, even for a high-growth company. Clearly overpaying.
Wiz had nine rounds so massive dilution, and VCs need to recover the money...
10% market share in security is huge. It is an extremely fragmented market, across almost all product segments.
10% market share in any industry with an even slightly healthy level of competition is huge. The fact that people think it's not for tech feels like an indictment of the overall health of the industry to me.
Perhaps I should have been clearer, but especially compared to the rest of the enterprise tech market, security is unusually fragmented. There is no Microsoft or Cisco of the security market in the way those companies dominate the desktop operating system and core networking markets, respectively.
Analysts sometimes refer to the enterprise networking market as "Cisco and the Seven Dwarves". Nobody has ever said that about Symantec (prior to the Broadcom acquisition) or Palo Alto Networks.
It is often the case that in a new security product category, the products are so different, it is hard to collect them together in a single category with a straight face. Example: next generation AV circa 2015-2016. AV was a well-worn product category. All of the legacy products did basically the same thing. More or less at the same time, a bunch of new products came to market that all claimed the mantle of "next generation AV:"
* Bit9 did process whitelisting, later adding Carbon Black for endpoint forensics
* FireEye had a proto-EDR solution
* Cylance did ML-based malware detection
* Palo Alto Networks had an exploit-mitigation focused agent that they bolted ML-based malware detection onto.
The industry slowly converged on EDR as the sort-of successor to endpoint AV budgets.
A few years later, the cloud security space was the same fragmented mess. Some were what we now know as CSPM, some were glorified DLP solutions, some container security solutions, etc.
Microsoft is the Microsoft of the enterprise security market, more or less. They completely dominate email, largely dominate identity, have a plurality if not a majority on endpoint, but don't compete in network.
> The industry slowly converged on EDR as the sort-of successor to endpoint AV budgets.
This was a dedicated effort by CrowdStrike working with analysts back in 2017-2018. EDR capabilities themselves, interestingly, grew out of forensics companies like Guidance Software. HBGary and Mandiant were the early players. FireEye killed Mandiant's EDR off, but HBGary's lives on to some extent today, two or three acquisitions later, at GoSecure.
> Microsoft is the Microsoft of the enterprise security market, more or less. They completely dominate email, largely dominate identity, have a plurality if not a majority on endpoint, but don't compete in network.
The most recent figures I’ve seen are that Microsoft has around 25% of the endpoint market[0], which is a plurality because the market is so fragmented. Proofpoint claims around 24% of the email security market[1].
The only security market you can say they “dominate” is identity, if you ignore the MFA market. AD is, at least, almost everywhere.
> This was a dedicated effort by CrowdStrike working with analysts back in 2017-2018.
That’s one interpretation of events. It’s also completely orthogonal to what I wrote.
0 - https://www.microsoft.com/en-us/security/blog/2024/08/21/mic...
1 - https://www.proofpoint.com/us/blog/email-and-cloud-threats/p...
> Proofpoint claims around 24% of the email security market
Proofpoint is the clear number two, but Microsoft always sits behind Proofpoint (and Mimecast, IronPort, etc.). They're also always in front of Abnormal and other API-only options. Every big company has E5 with Defender for Office 365 on their email, and the rest either still have E5 or they have EOP.
> That’s one interpretation of events.
In 2017 EPP and EDR were distinct categories, and CrowdStrike had a big internal initiative (driven top-down by Kurtz, but managed by a PM director under Rod Murchison) to merge them, while Cylance and others that had separate SKUs for each area worked to keep them apart. CrowdStrike was more effective.
I mentioned this because it wasn't just a natural market convergence; B2B companies spend absurd amounts of money with the Gartners and Forresters of the world to align their products with line items in budgets. It's capitalism all the way down.
Not speculating on anything here. I was at or worked closely with all of the companies mentioned in both posts.
You like to make absolute statements like “always”, but I know of large organizations (Fortune 500) that use Proofpoint, but not Microsoft email security. And in endpoint, there are shops that license defender as part of an EA, but don’t use it - of course, those seats go into the Forrester figures that Microsoft likes to tout.
Sure, I can enumerate the handful of the Fortune 500 that don't use Microsoft. Palo Alto Networks, for example, has TAP sitting in front of Google. In PANW's case it's because of a broader partnership Nikesh put together with Google in 2018, which also involved moving from AWS to GCP. This is stupendously uncommon, though.
If you were to look through the System -> Inbound Mail settings for every PPS customer, you'd find a sea of x.mail.protection.outlook.com, some on-prem Exchange servers, and practically nothing else. I'm comfortable with "always" as a description of this state of affairs, but you do you.
10% market share of a niche part of the CSPM market
>It does not make sense
actually, it makes perfect sense. it's just that you (and I) don't have the right perspective.
these giantcos are sitting on Himalayan ranges worth of cash, which is burning a fiery hole in their butts, and they don't know what to do with it.
and they have more cash than sense, even though they always brag about having some of the smartest people in the world, and also have FOMO (to competitors and upstarts).
Facebook buying WhatsApp for 19 billion did not make sense to us laymen either, but it happened.
I was flabbergasted when I read about it. ignorant me.
https://en.m.wikipedia.org/wiki/Himalayas
https://en.m.wikipedia.org/wiki/WhatsApp
go figure (pun intended)
edit: you answered your own doubt about why it does not make sense:
>Also looks like Google is desperate for growth in Cloud and they need to do something.
that's what I said, FOMO.
man, if i sold even one of my software products for even a zillionth of such amounts, I would be on Mount Kailash (cloud 9 to you :)
grrr. envy emoji here.
>that's what I said, FOMO.
wow, faaak. I wrote my above comment off the cuff, although based on my intuition and common sense, but just now thought of googling FOMO, to check what Wikipedia says about it, and it seems they agree with me:
https://en.m.wikipedia.org/wiki/Fear_of_missing_out
relevant excerpt, from near the top of the above page (emphasis mine):
>FOMO can also affect businesses. Hype and trends can lead business leaders to invest based on perceptions of what others are doing, rather than their own business strategy.[19] This is also the idea of the bandwagon effect, where one individual may see another person or people do something and they begin to think it must be important because everyone is doing it. They might not even understand the meaning behind it, and they may not totally agree with it. Nevertheless, they are still going to participate because they don't want to be left out.[20]
leaders, huh? more like followers, aka sheep. include me out.
$350M ARR in less than 5 years. Aiming towards $1B by the end of 2025.
You never heard of them since perhaps your decisions were not in the cycles of their product. Those who are, heard indeed (type of folks who look at Gartner magic quadrants).
I read their website and there must be something secret they've got cooking behind the scenes cause the valuation makes zero sense to me.
The whole thing reads like all the dozen or so "cloud security" plays out there.
Either I'm missing something big, or their products are outrageously far ahead of all the other similar sounding products out there.
I've been known to roll my eyes at a lot of these sorts of product catalogues in the past though and so I'm definitely biased and not the target audience for their marketing.
Some CIO out there probably really does think that their security problems will finally be over once they purchase another half dozen dashboards to click through and look at.
Yeah, the website is not very helpful.
The product though is easy to set up, no friction - like 5 minutes per tenant; and in a few hours you have a really good picture of your security posture with very detailed explanations for every finding.
And the graph… very useful to understand why a finding is marked as high or critical even though at first glance it does not look like it.
IMHO you are missing something big...
For Google they are worth 32B, they ARE the Google Security business from now on. They don't even have to be profitable themselves, having this aspect working means Google gets access to additional enterprise clients and in places they weren't previously present.
>Either I'm missing something big,
I mean, their revenue? They're apparently on track to do a billion this year, growing pretty fast, so 30 billion seems fair enough.
You didn't hear about them last time on HN, when it was $23 billion?
We use them and the product is very very nice and very lightweight to set up. Like for a cloud environment it takes about 5 minutes to get it up and running for a tenant.
They add features weekly or faster.
Just curious, what problem do I need to have that they'll solve for me?
No problem in particular.
What we use it for:
- vulnerability assessments for containers and VMs (they give a list of vulnerable or outdated packages)
- initial access vulnerabilities: what happens if an internet facing component is compromised because you have a vulnerable package and to what kind of data it has access to (it has some regexes and what not to figure out if in your database you have PII data, HIPAA etc.), what lateral movement is possible etc.
- provides information on what you can do to fix a finding
- IAM checks for overly broad permissions
- Service account age and overdue key rotations
Take your pick.
My company just started using them and I was part of the due diligence evaluation of their product. I had never been so impressed with a cloud security provider before I started using their product. Absolutely phenomenal product offering.
In cash!
I am hearing for first time, I thought Google is buying Wix the website builder and was thinking why!
Guess what is common between Wix and Wiz....
Wiy?
I feel like the other commenters whooshed here.
8200
What a strange shorthand. 73
8200 is an Israeli spy agency, whose alumni turn up in security companies almost as often as CIA alumni turn up in US newsrooms.
Thank you, didn't know about this rabbit hole.
The wikipedia page has a handy list of companies to avoid at all costs: https://en.m.wikipedia.org/wiki/Unit_8200
Yea, good luck with that, especially when 8200 alumni are embedded deeply in the vast R&D sites all major US tech giants have in Israel (Apple alone employs thousands in Israel), whether by direct recruitment or by buying Israeli startups.
It stands for 8 smart people that run it and 200 clueless children that have no idea how the world works. Maybe it's the other way around, I can't tell.
>Adallom was founded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, who are former members of the Israeli Intelligence Corps’ Unit 8200 and alumni of the Talpiot program.
It's interesting that many people working in intelligence found ways to become very successful in business. I wonder what is the reason.
Tight networks largely. They've invested heavily into having these "assets" in US tech companies, and so pro-Israel folks in the US work hard to acquire them in.
See [1] to see the flow of people. I explain the connections a lot in [2], and [3] is our initiative to work on it.
[1] https://www.instagram.com/p/DAYsSPxpHFP/?img_index=1
[2] https://www.youtube.com/watch?v=LxvaembyMcQ&list=PLjHqnRFDnc...
Military service in Israel is mandatory and the conscription rate in the core "educated" areas is ~90%. Each year, the intelligence corps then gets what is practically* first pick of the best minds of that year (typically kids who are already skilled in programming). They then get to have them for 4-6 years meaning unlike modern employers, they have time and motivation to invest in training them. Then you get the most apt programming minds of a generation spending six years together learning and building connections with each other in core programming and security skills.
Imagine if all the ivy league graduates in the US would be forced to work together for the same company, for free, for 4-6 years. Would you be surprised if suddenly former employees of that company found ways to become very successful in business?
* - Technically they get something like 3rd pick and there's negotiations and it depends on what sort of roles are involved etc. In practice, conscripts have some influence on where they'll go and if you have a choice in any role in the military, you are going to pick "write code in an air-conditioned office" over any other available option.
Intelligence communities tend to pick very smart people who are particularly good at acquiring niche skills and operating under extreme situational uncertainty. I think those are valuable attributes for someone in business.
It surely must be exactly that.
Network
Blackmail
well you might get downvoted, but it's still true, just look what Robert Maxwell did with the PROMIS software. That was also coincidentally Mossad.
Looks like a payoff to me.
I swear some tech company acquisitions appear like more expensive art purchases for when you need to launder larger amounts of money...
You are on to something. It is a company of the chosen.
When I read the headline, I assumed the IoT platform and smart light brand, the now Wi-Fi arm of Signify, the smart home people who do (Philips) Hue smart lighting.
This is the logo I envision in my head when hearing Wiz.
Didn’t Palo Alto Networks come out of 8200 too?
The primary founder (Nir Zuk) is a Unit 8200 alumnus, as are the founders of Checkpoint and a bunch of other cyber security companies. Nir Zuk is also a US citizen and went out of his way to base PANW in the US, including their hardware manufacturing and software engineering operations.
You'll find former-intelligence blob operators in a great many cyber security companies. Including former American intel employees[0]. Hell, the CIA basically has their own VC fund[1].
Also, there is zero evidence any of these people are currently acting at the behest of their former employers, apart from obviously the CIA venture fund acts at the behest of the CIA.
0 - Robert M Lee https://dragos.com, Keith Alexander (formerly https://ironnet.com,) amongst many others
1 - In-Q-Tel https://www.iqt.org/
These companies are the closest you can get to a legal mafia, they are effectively charging companies around the world to keep them "safe". In other words, a job that is traditionally considered to be a basic service of the government is now being privatized by people that nobody knows if we can really trust.
This is an absurd take. There’s nothing stopping anyone from building their own cloud security tools (many have), and unlike the Mafia, Wiz isn’t threatening anyone who doesn’t buy their service. I’m also not aware of any government agency providing any reasonable analog to what these tools provide in the physical world.
Big difference
The mafia charges protection from itself, here the bad actors are out there and Wiz helps you protect from them.
Wiz is selling doors with appropriate locks for your business.
You’re stretching here.
Companies hire private physical security all the time. Why is digital security different?
because the amount of money is so huge, the grandparent poster imagined there must be something wrong or sus going on. Likely due to personal biases.
And since most people's experience is shallow, the only analog they can muster is the mafia.
It would only be like the Mafia if they launched cyber attacks against your infra if you turned down their services.
Do you think that's what they do?
There are other CNAPP solutions. If you do an evaluation you will see why WIZ comes out on top.
> In other words, a job that is traditionally considered to be a basic service of the government is now being privatized by people that nobody knows if we can really trust.
How on earth is it the government's job to protect people's software? It's a mere digital product, not human life or property.
Besides, people also buy padlocks and door locks for safety. Wiz is no different.
I do wonder how long it'll be until we uncover some scandal showing that the security companies are also the ones creating exploits.
1.) What
Imho, and as a xoogler who's been in Google Cloud's ecosystem the past few years, Google Cloud's three big focus areas have been AI (this is an evolution from their historical focus on data, then also analytics), Distributed Cloud (Anthos++) and security (post the Mandiant acquisition). They'll never be able to compete on base infra, given their late entry into the game, lack of presence in certain markets, and the lock the competition has in some industries (Azure in industrial/mfg, AWS in pharma, etc), and they know that, so they've lately been focused on what they believe they can control. One of those things is the narrative that Google Cloud is the most secure cloud.
It shouldn't be overlooked that acquiring Wiz is also a way for Google to secure a beachhead in half the Fortune 100, many of which are "enemy" territory.
The price is high, but there aren't many options available and Wiz has the advantage of being built on Google Cloud natively, and already have Marketplace integrations completed.
>and security (post the Mandiant acquisition)
As a Googler who works in GCP security, security has been a key differentiator for GCP long before the Mandiant acquisition. Google invented BeyondCorp (a primary driver of Zero Trust). Google helped create security keys (U2F, FIDO, Webauthn), and was I think the first major company to adopt them, both for employees, and for consumers. Google was one of the first major companies to offer a bug bounty, in 2010. Google's Project Zero searching for vulnerabilities in other companies'/organizations' software I think was pretty much unprecedented when it was created. Look at the number of times other tech companies get hacked compared to Google. Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
Disclosure: my thoughts are my own.
> Look at the number of times other tech companies get hacked compared to Google.
Your whole post is confusing Security of the Cloud with Security in the Cloud. And conflating GCP with Google but those are just examples of why GCP has such a small market percentage.
The security of GCP rests on the security of Google. If Google gets hacked, GCP customers are not secure.
Additionally:
Google offers BeyondCorp products as GCP products. A big example is IAP. Do AWS and Azure offer something like IAP? If so, I think they were created in response to IAP.
Another Google/GCP security product related to zero trust is Chrome Enterprise Premium: https://cloud.google.com/blog/products/identity-security/int... .
Another innovative GCP security product is VPC Service Controls. Do AWS and Azure offer something like that? If so, I think they were created in response to VPC Service Controls.
Security keys: I mentioned in my previous comment how they're used by consumers (that includes GCP customers). GCP is making MFA mandatory this year: https://cloud.google.com/blog/products/identity-security/man...
Bug bounties protect GCP customers by making sure GCP products don't have vulnerabilities.
Project Zero protects GCP customers by finding vulnerabilities in products that GCP customers use (although it also finds vulnerabilities in products that AWS and Azure customers use).
When Microsoft got hacked by China in 2023, China stole Microsoft's signing key, and used it to mint tokens to impersonate Azure AD users of Microsoft customers. That's relevant to security in the Cloud.
GCP products are also recognized for security:
https://cloud.google.com/resources/forrester-unstructured-da...
https://www.varonis.com/blog/forrester-wave-data-security-pl...
https://cloud.google.com/blog/products/infrastructure-modern...
https://cloud.google.com/blog/products/identity-security/goo...
https://www.teradata.com/press-releases/2020/forrester-2020-...
Having previously used AWS, I would also say that GCP IAM is much better.
Yes, it's a lot less flexible than AWS IAM, but complicated IAM policies with conditions and stuff can be really hard to reason about.
Disclosure: my thoughts are my own.
The best way to use AWS IAM policies is to not use them at all.
AWS allows you to use multiple accounts easily, and accounts are (by default) completely isolated from each other. That's actually how services work internally at AWS, it's not uncommon for a service to have hundreds of AWS accounts (one for each region multiplied by the number of environments).
It's not so easy with GCP.
That is insane. AWS has more complicated policies, GCP literally lacks ability to even have easy security posture in many cases.
That's quite the claim, can you provide an example?
GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.
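Two of the checks mentioned in this thread, sketched as an added example (not part of the thread and not Wiz's code): flagging service accounts that hold a basic role, including the default Compute Engine service account with Editor, and flagging user-managed keys that are overdue for rotation. The sample data is constructed in the shape of `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts keys list --format=json`; the project names and the 90-day rotation threshold are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Basic (project-wide) roles that grant write access to almost everything.
BASIC_ROLES = {"roles/owner", "roles/editor"}
# The default Compute Engine service account is named <project-number>-compute@...
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample policy (shape of `gcloud projects get-iam-policy --format=json`).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reports@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

# Constructed sample key list (shape of `gcloud iam service-accounts keys list --format=json`).
_SA = "projects/example-project/serviceAccounts/ci-deploy@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": _SA + "/keys/aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T00:00:00Z"},
    {"name": _SA + "/keys/bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-02-20T00:00:00Z"},
    {"name": _SA + "/keys/cccc3333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-01-01T00:00:00Z"},
]


def find_broad_bindings(policy):
    """Return one finding per service account that holds a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind != "serviceAccount":
                continue  # human owners are reviewed separately
            if DEFAULT_COMPUTE_SA.match(ident):
                reason = "default Compute Engine service account holds a basic role"
            else:
                reason = "service account holds a basic role"
            findings.append({"member": ident, "role": role, "reason": reason})
    return findings


def find_stale_keys(keys, now, max_age_days=90):
    """Return user-managed keys older than max_age_days (threshold is an assumption)."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by the platform
        created = datetime.strptime(
            key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        age_days = (now - created).days
        if age_days > max_age_days:
            resource, _, key_id = key["name"].rpartition("/keys/")
            stale.append({
                "service_account": resource.rsplit("/", 1)[-1],
                "key_id": key_id,
                "age_days": age_days,
            })
    return stale


if __name__ == "__main__":
    for f in find_broad_bindings(SAMPLE_POLICY):
        print(f"[IAM] {f['member']} has {f['role']}: {f['reason']}")
    as_of = datetime(2025, 3, 18, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for k in find_stale_keys(SAMPLE_KEYS, as_of):
        print(f"[KEY] {k['service_account']} key {k['key_id']} is {k['age_days']} days old")
```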
I'm afraid it's something I need to agree with.
So many areas where resource-based conditions just do not work with particular GCP product offerings and you're forced to give out much broader access than you should be giving out. It's half-arsed and prevents you implementing PoLP.
AWS has a steeper learning curve here, but I've never been unable to constrain down e.g. access to an SNS topic in the way I want to.
Feel like AWS is the opposite. It’s often a pain to go as granular as you can go.
In GCP there are many tier-1 services where that is not even possible. It's also definitely gotten way easier to do this using IaC etc.
I second that. AWS is insanely granular.
Adding to it: deps.dev, osv.dev, SLSA (all are either free or fully open source). Google has been a great contributor to the AppSec and Software Supply Chain community. I just pray daily that the “google graveyard” curse doesn’t touch these important projects.
> (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
There was one other time Google was hacked by a major government that also spurred massive internal security posture changes! https://en.wikipedia.org/wiki/Snowden_effect#Tech_industry
I think this is also a good argument for why it is beneficial for society that Chrome stays in Alphabet; Google is good at some things and bad at some things - that people have access to a reasonably safe browser for free should not be underestimated
To me, the security posture of Android (esp, the Pixels) & Chromium stands out as an outstanding contribution to humanity (given the reach of both those platforms).
> Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government).
Do they mind if they're legally "hacked" by a (Western) govt? All that security sophistication couldn't prevent LEAs from owning us all, unfortunately: https://therecord.media/google-refuses-to-deny-it-received-u... / https://archive.vn/mzZtI
I thought your link would be
https://www.bbc.com/news/world-us-canada-24751821 > Snowden leaks: Google 'outraged' at alleged NSA hacking
As a GCP user, my view is that Google does Googly things and hopes others will use them. And if not enough people don’t buy into whatever Google builds because it is built by Google, they will cancel it.
These are all Google things. How do I benefit from them as a GCP customer?
See my reply here: https://news.ycombinator.com/item?id=43399981
> a way for Google to secure a beachhead in half the Fortune 100
If that is their objective, they will fail again, since this is the land of good account management. Being able to call somebody on the phone if required. Something AWS excels on, Microsoft a little bit, while Google is rumored to have humans working there, but they are rarely seen.
We have a relatively modest commit with GCP, around $1M a year, and have a dedicated account rep who I can contact whenever I need to. In fact, we've had a similar relationship even when we were half the size.
And did you ever have the need to escalate something? https://www.reddit.com/r/googlecloud/comments/1ey0rx8/gcp_su...
Google simply does not have a culture of giving a shit about people's experiences with their product. If you are having a problem you better either have that problem so frequently and severely that it shows up on whatever monitoring system they're using to evaluate release health, or you better get comfortable with it for the long haul.
I previously worked for a startup that used GCP with a less than 7 figure spend each year and we had no problems talking to people at Google.
An experience not shared by others: https://www.reddit.com/r/googlecloud/comments/1ey0rx8/gcp_su...
This is such an underrated weakness of Google. When I was working at AWS ProServe, we never even took GCP as a serious competitor. Their customer service, account management and enterprise sales team was so horrendous it was laughable.
I don’t think we even had talking points about why AWS was better than GCP like we did Azure.
what drives me mad is that it's not even underrated! everyone knows, everyone has been talking (and complaining) about this for something like 15 years!
I personally know of 2 big GCP customers who, over the years, left GCP because of this and the impact it had in critical situations. This very feedback was given in both cases to people considerably high up on GCP's ladder and... nothing's ever changed.
I'm sure plenty other big migrations off GCP provided the same feedback, to no avail.
When Diane Greene first and then Thomas Kurian became Google Cloud CEOs people thought that finally, due to their previous experiences in very Enterprise-aggressive companies, they would improve massively on that front.
Did they improve the situation? a bit. Massively? bringing GCP finally on-par with anyone else (not better than anyone else, just... the same)? nope, not even close.
Google is, at its core, an advertising company that tries to disguise itself as a technology company. When necessity calls, they will undoubtedly elect to divert resources towards their core business and away from their hobby projects (which GCP is).
I think you'd be quite surprised by how big it is inside Google. & Kurian won himself a lot of favor when Cloud figured out how to make sure it became profitable in Q2? 2023.
It was the last Google organization to have a genuine sustained hiring spree and didn't face nearly the same amount of cutbacks
Yep. That is top of my list when choosing a cloud provider.
Why do you think some of the largest companies are using GCP though? If their customer support is really that atrocious, what is the explanation?
Inertia
I can't help feel like this will be rolled into GCP and quickly lose support for Azure and AWS and then just die. That's a lot of money to spend to kill off a business.
GCP has been doing more multi cloud stuff lately though: Anthos for K8s in other clouds, BigQuery Omni for bigquery in other clouds
They even had a whole campaign recently (maybe reInvent?) that said something to the effect of “we know we’re your second cloud”
I rolled out their "workloads for AWS" stuff recently, it was pretty slick to be able to have AWS IAM roles just translate to GCP roles. You don't have to run your own CA like you do for AWS Anywhere.
I'm slightly baffled by this acquisition but arguing against you actually helps me make some sense of it.
If Google wants to be "the best of the best" at security and some set of potential customers use Wiz as their "best of the best" security, then this is a way to convert those customers to Google.
Consider some org that prioritizes security, like at the board level. They maybe don't really care about the nickel and dime cost of AWS vs. Azure vs. GCP since it comes out to 10s or 100s of millions of opex in the end. What they do care about is the cleanest record possible with respect to security. And Wiz is a key component to their position on security that is communicated to investors - it is a social proof that they are taking security very seriously.
This now becomes a tool for Google when trying to win their business. By degrading the value of Wiz on AWS/Azure/Oracle/Salesforce they are taking away that bullet point on security for a subset of competitors' customers. And that may entice some of them to move their entire cloud service to GCP. So whatever revenue they lose on the Wiz side from a dozen or so cancellations they would hope to make up with a few 100 million dollar whales.
I just find it hard to believe that enough whale level cloud compute business will be generated in this way to justify $32b. This is really the best take I have on the acquisition and it feels unsatisfying, as if there is some other decisive information that would provide a justification for such a valuation.
Maybe there is some government mandate coming down the pipeline that isn't very public yet? Some kind of legislation that will force companies to adopt stricter security policies? That could precipitate the kind of changes that would justify this kind of massive valuation.
Customers will not start using GCP more instead of AWS for example just because Google owns Wiz.
Degrading Wiz capabilities on AWS/Azure/etc will not drive more customers to Google. CSPM and cloud workloads don’t go hand in hand. What will happen is that other companies will capture the market share left by Google. Will the offerings be less than Wiz quality-wise? Sure, but it will be way cheaper than moving to GCP.
The best option will be to leave Wiz as it is - standalone.
that would immediately shed half the value of the company and Google would need to book a huge loss
e.g. half of Fortune 100 use Wiz and I assure you most of them do not use GCP (or do not use only GCP)
That hasn't stopped them before. Fitbit and Nest, for example. Granted, this is an order of magnitude more money to waste. Maybe they'll come up with a better strategy this time.
Neither of those are enterprise products, though. Looker, as a better comparison, is still available on AWS and Azure.
Google doesn't have a strong record keeping enterprise products around either. I would expect them to absorb this product, release a similar product based on the technology but fully integrated, then sunset Wiz asap.
I would think the majority of f100 is multi cloud and absolutely uses GCP for at least some workloads.
"(or do not use only GCP)"
half of Fortune 100 use Wiz
gonna need a citation on that. All I could find was their own quotes.
it's obviously from their own quotes but you can get most of the names in their various customers use cases, joint PRs and the likes (and those required the customers' direct approval)
I don't think that makes much sense in business. They want to move customers from competitors and as an underdog you need to provide some migration path. You don't get these kind of system integration freely. Provide your service in competitors to smooth their transition path but keep the latest and best features in GCP. This was the idea of k8s.
Even before the Mandiant acquisition they integrated Chronicle into Cloud. It's clear that they were focusing on security very early on.
This makes no sense.
Assume 1,000 customers each generating $2m in ARR with contracts. That’s $2 billion. Assume generous 6x ARR valuation, that’s $12 billion.
Where is this $20 billion premium coming from? How could the board approve this? How is this fair to shareholders?
Heck, as a minor shareholder in GOOG, I don’t find this financially responsible at all.
I can’t help but think sometimes these tech acquisitions have some hint of nepotism/deeper underlying motivations behind them than meets the eye.
It is one of the fastest growing companies in the cybersecurity space. 6x ARR is quite low for that. 15x is a great deal for Google.
I think Wiz accepted 15x because it is all-cash.
The rate at which they are still growing, a series C/D company would dream of.
[1] https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-th...
Except their ARR is $500m and not $2bn. So that's x60?
Google's whole business for the last 20 years has been buying, growing, and profiting handsomely from acquisitions.
And Apple on an almost 20 years old product, and Microsoft through its enterprise users, like 2 decades ago...Think about it Nvidia in 20 years is still just doing just very fast matrix calculations and idk Toyota is still making hybrids.
This assumption that a tech company is going to keep reinventing or inventing new wheels all the time has very little evidence in human history, while the opposite one, the many great tales of that super company that did so many great things and then is far more common.
The only exceptions are...academic? And that's because innovation and moving the field IS the role of research and academy, not companies returning earnings to investors.
Nvidia reinvented the graphics card towards ML with their massive software investment into CUDA, infiniband (acquisition) among other tech needed.
Wiz isn’t a new industry for Google, but adjacent expansion. Not seeing the reinvention remark.
Fastest growing but because they participated in a pay-for-play kickback scheme [1][2]?
So that number isn't really signal. Now that they're not paying CISOs to adopt the product they're not going to be growing as fast.
[1] https://www.bankinfosecurity.com/blogs/cyberstarts-program-s... [2] https://www.calcalistech.com/ctechnews/article/b1a1jn00hc
There is a correlation analysis in Jamin Ball's "Clouded Judgement" substack [1] which shows the correlation between next twelve month ("NTM") Revenue Multiples and Revenue Annual Growth Rates for public market tech / SaaS stocks.
The current Slope-Intercept is (NTM Revenue Multiple) = 36.677*(NTM Rev Growth Rate) + 2.0013. If Wiz is doubling revenue (100% Growth Rate) and they are at about $500M of revenue today [2], then the multiple according to that calculation is ~38.7 X Next Twelve Month Revenue ($1B) or $38.7B.
So, the price is in line with the market...or you could argue even a discount to it.
[1] https://cloudedjudgement.substack.com/p/clouded-judgement-31... [2] https://www.barrons.com/articles/google-stock-price-wiz-deal...
> Assume 1,000 customers each generating $2m in ARR with contracts. That’s $2 billion. Assume generous 6x ARR valuation, that’s $12 billion.
That's the thing, were any numbers released or are we all just gonna speculate here? What is their growth rate, profit margin etc etc? How do they fit in Google's business, can current Wiz clients be upsold on GCP more easily now? Can other clients be brought more easily to GCP now that Google has a good (I hope) cyber security solution to go with its cloud? Clearly there is some strategy going on here that is more than just the ARR of Wiz.
As a minor shareholder in GOOG as well I have no freaking idea about any of this, I sort of trust that they probably took a calculated risk and know what they're doing (and even if this is a mistake by 20B, that's not much for a company the size of Google).
We all know a lot of people frowned when YouTube was acquired.
Now we know that was an excellent deal for Google (now Alphabet), despite being a long bet.
Good to have top security talent and good cloud security tooling if you're in a cloud play.
It makes more sense if you think about how 2006 looked like:
- the only way to money in 2006 was advertising and the idea of advertising in internet videos was borderline crazy (remember when internet was tv but without ads?)
- it was just one of many potential interesting players. To think it could've been Vimeo, but the founders cared more about their main project: collegehumor
What about the other companies Google acquired?
According to a few articles (and Reuters) it is $500m/year
Well 500m/year when they last raised in mid-2024. There are hints as to their growth rate from their post about their 100m ARR milestone [1] and thus one knows they went from 100m to 500m in two years (mid 2022 to mid 2024).
They're thus probably higher than 500m now although the multiple still seems really high to me. But what do I know.
[1] https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-th...
Did you have your conclusion in mind before running your back of the envelope calculation? Many people do this much of the time. That often results in motivated reasoning.
One way to reduce that tendency is to use multiple POVs of analysis. You could phrase it as a question instead: what assumptions would you need to change for the valuation to make sense?
Other questions: What factors are you not including? / What would it take for nepotism to survive scrutiny and how much nepotism would be tolerated?
My guess here is there are long-term strategic factors that the decision makers weighed heavily. I’d be very interested in understanding their world view, since they have much better internal visibility of both companies.
Tin foil hat time, Google regularly complies with LEO. It's often joked they are an unofficial intelligence agency; peers being CIA, NSA, FBI, etc. Wiz is a foreign-owned company with a detailed vulnerability map of more than 50% of the Fortune 100. It can be argued this is a matter of national security, and not simply business.
I don't think Google is buying Wiz because they hope that revenue from Wiz will make it worth their money.
They surely expect some kind of strategic advantage from that, probably something to do with security of their own infrastructure, or maybe competitive advantage for gaining government or gov-adjacent contracts, or maybe they were afraid that Microsoft or Amazon could buy it and hurt their existing business.
Cyber warfare and cyber defense cannot be measured in money easily.
Take a look at other Unit 8200 startups, or even Palantir. Palantir is much much much more worth than what they are on paper, especially with their Lavender AI involvements.
Cyber strategies have become so critical that it's a race between nations right now. The leading ones being Russia, Iran, China, North Korea and the US (while the US is heavily losing control, just in terms of malware and campaigns). Stuxnet forced the hands of the other nations, and they invested fully in Cyber ever since.
How is 6x generous? Alphabet's P/E is 23. That means $2 billion rev implies $46b valuation (assuming high margins)
These deals always have more than meets the eye. Google wouldn't acquire revenue at a fair market price just for revenue's sake - there's some reason they expect to get value beyond the revenue.
That doesn't mean its nepotism. It could be that they think they can triple revenue per customer with some synergy. Or any number of a large set of other possibilities.
If you want to understand this type of transaction better, you can read a book on M&A
P/E is the earnings multiple, not revenue. Your assuming high margins is doing a lot of legwork here. Often untrue for growing startups.
It’s the growing part that increases the multiple.
Sure, I was not commenting on the deal per se, but that specific argument to compare Alphabet P/E with Wiz revenue multiple of Alphabet is a deeply flawed one, and is all too common among non-finance people.
They advertise "Unified visibility and security across code, CI/CD, and cloud environments" - maybe it's google's way to siphon off proprietary code from private Azure and AWS environments in order to train their AI. Google does not own Github, they must be severely lacking in private training data.
Same fears were very loud when Google bought YouTube. GOOG fell 15% because of that IIRC.
It was a huge bet, it paid off for many reasons, not least luck.
I remember 2005/2006 there were many websites competing for the video-website role, YouTube's luck was that...they were very permissive on uploads while competitors like Vimeo e.g. employed a reasonable amount of content moderators.
Yep, and investors' fear was that it would crumble under copyright lawsuits.
I have no basis for this thought other than speculation, but I imagine GCP having previously inaccessible data about a lot of AWS and Azure workloads of potential GCP customers, gotta be worth at least something... if a customer is generating 2m ARR for Wiz, how much of ARR they generate to AWS/Azure if they are not a GCP customer? Again, this is just speculation and I have no idea if it has any basis in reality, but this was my first thought back when they made the first offer.
Imagine you are a company, like Wiz, that is still growing fast.
Sure, your valuation could be based on revenue today. But why would you sell if you're "worth" $12bn right now, but you'll be "worth" 32bn in a few years? Why give up the control?
The only way for a company like Google to buy Wiz is to add a premium. Otherwise the company will just say "no".
This literally happened to Figma as well. And there is a history of this with companies like Instagram/WhatsApp.
In retrospect, was it stupid for Facebook to acquire Instagram/WhatsApp for large premiums?
The top shareholders might want to cash out and move on to their next venture, thus netting more money
Slightly OT but it kinda triggers me this abuse of company's worth and value words are consistently used instead of priced.
>Assume 1,000 customers each generating $2m in ARR with contracts. That’s $2 billion
Maybe they just need the tech. With Google behind, they can have 10,000 customers.
> How could the board approve this?
Disagreements on board levels are less and less frequent in the corporate world.
On top of that, many huge voters are simply ETFs, and their representatives virtually always side with management (State Street, Vanguard, etc have documents that explain their voting, but they are far from any kind of activist or naysayer).
There are always ulterior motives and I've seen personal and strategic being the most frequent ones.
6x arr is not a generous multiple for this size of business.
Really it makes no sense that Google would want to siphon money off to Israel?
I'm surprised this acquisition didn't happen sooner. The first time I used Wiz I knew a big cloud provider would be snatching them up at some point. Why? Because every enterprise that decides to use cloud providers then needs to find someone to keep that cloud environment safe.
But also, and maybe more importantly, you get to see everyone's cloud usage, across all providers, with a high level of permissions. Said differently, Google can now target customers with massive spend across other cloud providers and work to migrate them to GCP, at a price that's just cheap enough to overcome the switching cost.
If you'd be so kind for those of us that haven't touched cloud in 5/10 years, what is Wiz? from reading the google announcement: solving the supply chain hybrid cloud security issues? I could google I know but you seem to know what you are talking about, so if you'd be so kind. :)
When you use a cloud provider to setup a VM, what policies do you apply to it in order to ensure it’s secure?
Wiz and other tools in the same space tell you and track compliance across your fleet.
Idk if Wiz does this, but their competitors have “compliance packs” which are preset compliance patterns, e.g. HIPAA, FINRA, etc.
That way you click a button and it tells you every change you need to make to be compliant
Edit: this is all just examples
I don't know anything about cloud VMs, but I'm confused about how this is possible. Wouldn't determining whether you are HIPAA compliant depend on auditing all kinds of application details about how information flows through the system and how authentication and authorization are done? How could this be validated statically by looking at cloud VM config? Is Wiz doing some kind of AI magic over your whole codebase?
I am sure I am misunderstanding something, but I'm not sure what.
> I am sure I am misunderstanding something, but I'm not sure what.
You're missing that a lot of "security" is in reality just a bunch of check-boxes for a form that someone asks you to fill out.
The security you need to really think about is outside of those checkboxes, and it seems like Wiz is not for this type of security, but the former.
Exactly
They scan for everything they can and report on that. They don't claim to be able to tell you if you're 100% compliant--they just claim to be able to alert you if some subset of the requirements are out of order.
And that still provides a lot of value to the right customers.
It probably appeals to the kind of businesses that see compliance as a list of checkboxes. Just make sure employees have signed the nda and contract and stuff. Doesn't matter if they are a salesperson and the nda says they can't talk about the product.
HIPAA was an example.
Yes there are other parts to HIPAA than just VM config, but it’s just giving you policies and checks out of the box
They don't only look at the configuration of the VM, they also look inside the data inside the VM.
Cloud configuration can create compliance issues that are distinct from codebase compliance issues
Figures. Crazy how badly I mis-sized this problem. When I was working on a cloud provider I suspected this would be a big problem space for building in, but I thought it was in the low billions, I was thinking (I guess stupidly) that the clouds and tools around them would be kind enough to create a lot of standardization so as at least this stuff wasn't junk. I get wanting to create a bit of friction, but thought "this is a bad place to make high friction". I guess it's pretty bad given the size of this acquisition? Or GCP just wants surface area data on other cloud providers (I presume this would aid in that, but I don't know)?
Idk about other clouds, but Google didn’t eat their own cloud dog food when I was there. We had people food (borg) that was kinda impossible to separate from the infrastructure of google3 (and Google dev processes) and so cloud was built different. It wouldn’t surprise me if that organization just had no awareness of how bad the friction really was for long enough for Wiz to get really good at it?
I'm not at Google, but the usual thinking is that the public product fixed a lot of the design warts of the internal one, but it's only 90% feature compatible, and the internal migration has an opportunity cost that's higher than the cost of maintaining two similar products.
You are telling me it’s a huge excel sheet with all my cloud resources (some colored red) in?
Yes?
They have other capabilities, but that’s the primary value add.
Imagine you are working for a fortune 100 company with hundreds of thousands of cloud resources. You can’t manage them individually.
But...don't these companies already have cloud security engineers on their payrolls?
/s
I don't see the need for sarcasm. Most mid-size and up companies have security departments. And they use tools to make their jobs easier.
The problem with the cloud, from a security standpoint, is that it is much more complex than a traditional on-premise infrastructure, especially if you go the "managed services" route and have minimal code.
it's a linter for your yaml spaghetti
And the reason they can get recurring revenue for what is indeed basically a linter, is that what it lints your configuration files against is not just best practices but also regulatory compliance. And that gets hairy enough and changes often enough that it's usually worth it to pay for it to be someone else's headache.
That's just one part.
The real value is it's a linter for _any_ cloud config - you can use terraform or cloudformation or just click around in user interface, and Wiz's rules would still work.
^ Poetry! If only we had linters for all the yaml spaghetti out there in ops land.
Your system nosediving is the linter.
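The "linter for any cloud config" idea discussed above, as an added example that is not part of the thread and not Wiz's code: rules run against the deployed state collected from provider APIs, so it does not matter how a resource was provisioned. The inventory records, field names, rule ids and pack names are all constructed assumptions, and resources the checker cannot interpret are reported as not evaluated instead of being counted as compliant.

```python
"""Posture checks evaluated against deployed resource state (added example).

Inventory, rule ids and pack names are constructed for illustration; they are
not Wiz rules and not real framework control mappings.
"""
from collections import defaultdict

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed inventory: what a scanner might collect from provider APIs.
# Field names are simplified assumptions, not exact API responses.
INVENTORY = [
    {"provider": "aws", "kind": "volume", "id": "vol-a", "raw": {"Encrypted": False}},
    {"provider": "aws", "kind": "firewall", "id": "sg-a",
     "raw": {"ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]}},
    {"provider": "aws", "kind": "bucket", "id": "bkt-a",
     "raw": {"public_access_blocked": True}},
    {"provider": "gcp", "kind": "firewall", "id": "fw-b",
     "raw": {"sourceRanges": ["10.0.0.0/8"], "ports": [22]}},
    {"provider": "gcp", "kind": "bucket", "id": "bkt-b",
     "raw": {"publicAccessPrevention": "inherited"}},
    # No normalizer exists for this one: it must surface as "not_evaluated".
    {"provider": "azure", "kind": "database", "id": "db-c", "raw": {}},
]


def _aws_fw(raw):
    # Ports reachable from anywhere on the internet.
    ports = {p for r in raw["ingress"] if r["cidr"] in WORLD
             for p in range(r["from_port"], r["to_port"] + 1)}
    return {"open_ports": sorted(ports)}


def _gcp_fw(raw):
    world = any(c in WORLD for c in raw["sourceRanges"])
    return {"open_ports": sorted(raw["ports"]) if world else []}


# Provider-specific shapes are mapped to common facts so one rule covers all.
NORMALIZERS = {
    ("aws", "volume"): lambda r: {"encrypted": bool(r["Encrypted"])},
    ("aws", "firewall"): _aws_fw,
    ("aws", "bucket"): lambda r: {"public_blocked": bool(r["public_access_blocked"])},
    ("gcp", "firewall"): _gcp_fw,
    ("gcp", "bucket"): lambda r: {"public_blocked": r["publicAccessPrevention"] == "enforced"},
}

# A "compliance pack" here is just a tag that selects a subset of rules.
RULES = [
    {"id": "R1-volume-encrypted", "kind": "volume",
     "packs": {"example-health-pack"},
     "check": lambda f: f["encrypted"]},
    {"id": "R2-no-world-admin-ports", "kind": "firewall",
     "packs": {"example-health-pack", "example-finance-pack"},
     "check": lambda f: not ({22, 3389} & set(f["open_ports"]))},
    {"id": "R3-bucket-not-public", "kind": "bucket",
     "packs": {"example-finance-pack"},
     "check": lambda f: f["public_blocked"]},
]


def evaluate(inventory, rules=RULES):
    """Run every applicable rule against every resource the checker understands."""
    results = []
    for res in inventory:
        norm = NORMALIZERS.get((res["provider"], res["kind"]))
        if norm is None:
            results.append({"resource": res["id"], "rule": None,
                            "status": "not_evaluated", "packs": set()})
            continue
        facts = norm(res["raw"])
        for rule in rules:
            if rule["kind"] != res["kind"]:
                continue
            status = "pass" if rule["check"](facts) else "fail"
            results.append({"resource": res["id"], "rule": rule["id"],
                            "status": status, "packs": rule["packs"]})
    return results


def pack_report(results, pack):
    """Summarise one pack; coverage gaps are listed, never counted as passing."""
    report = defaultdict(list)
    for r in results:
        if r["status"] == "not_evaluated":
            report["not_evaluated"].append(r["resource"])
        elif pack in r["packs"]:
            report[r["status"]].append((r["rule"], r["resource"]))
    return dict(report)


if __name__ == "__main__":
    findings = evaluate(INVENTORY)
    for name in ("example-health-pack", "example-finance-pack"):
        print(name, pack_report(findings, name))
```

The `not_evaluated` bucket reflects the point made earlier in the thread: a tool of this kind alerts on the subset of requirements it can observe in configuration and makes no claim about the rest.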
I thought they made smart lightbulbs (I have some "WiZ" ones installed in fact).
I was worried it was that WiZ; luckily it's not. Their bulbs are one of the few WiFi bulbs that don't require an app to operate (only for the initial configuration).
Shelly does not require an app at all. Initial setup can be done via the WIFI AP it generates by default. Cloud is a checkbox in the app/web interface.
https://shelly.guide/add-a-shelly-to-your-wi-fi-through-web-...
Can you elaborate on this? The app (both versions!) barely works, and they don’t appear to be compatible with Apple Home like others.
You can use a Python library/tool to control them (https://github.com/sbidy/pywizlight), which means Home Assistant supports them out of the box.
In my setup I have Home Assistant running on an N100 mini PC and that's what I use as an HomeKit bridge.
If possible I'd use ZigBee or Z-Wave bulbs (or even better, switches) though.
I was worried it was https://en.wikipedia.org/wiki/The_Wiz_(film)
thank you for asking on behalf of the many of us who are in the same boat.
If you don't mind a short blog post, I run through the capabilities of something like Wiz: https://rakkhi.substack.com/p/choosing-the-best-cloud-native...
It was going to happen last year but Wiz said they wanted to IPO. Wonder what that implies about the larger IPO/exits market.
Here's the letter sent by the CEO Assaf Rappaport to his team at the time (2024):
"Wizards,
I know the last week has been intense, with the buzz about a potential acquisition. While we are flattered by offers we have received, we have chosen to continue on our path to building Wiz.
Let me cut to the chase: our next milestones are $1 billion in ARR and an IPO.
Saying no to such humbling offers is tough, but with our exceptional team, I feel confident in making that choice."
https://techcrunch.com/2024/07/22/wiz-walks-away-from-google...
Wiz by itself is a great business and public markets will price it accordingly, but Google is able to price it much higher because of its unique position. Wiz + GCP sales team will boost adoption of the main product, a Google branded security tool keeps eyes from looking out, and of course, the ability to move huge amounts of revenue from competitors over to GCP is something only a hyper-scaler can tap. At 36x+ valuation, this is still a great deal for Google.
On what are you basing your opinion that this is a "great deal"? Google is going to have to earn close to $100B in profit attributable to this acquisition over the next 10 years in order to financially justify it.
> On what are you basing your opinion that this is a "great deal"? Google is going to have to earn close to $100B in profit attributable to this acquisition over the next 10 years in order to financially justify it.
Maybe like the Motorola acquisition - not so much the profit attributable from the acquisition but the profit they *won't* lose by not acquiring them.
I don't think that 100B number is correct. It would be if Google had to give back the business (or it imploded) after 10 years
That $100B is based on a ballpark estimate of how much a passive investor would expect to earn by putting $32B of their money into a high-yield stock fund (yielding 15% per year, which is a conservative annual growth rate for a cloud provider) and sitting on it for 10 years. If Google can't do at least as well as that, the investor would be better off with the stock fund.
Yes but I'm saying that they will still own Wiz at the 10 year mark, so you can discount their valuation at the time from the 100B.
I accounted for that in my math. Investing $32B for 10 years at 15% interest compounded continuously = $132B.
It's smart defense, great offense, and a good product behind it. Each eat a big chunk of that $100B target. I don't see Wiz as a 10 year company, I see it as a forever requirement for companies to manage all of their cloud resources (across all providers). It will be here as long as GCP/AWS are here. I expect a short path to ROI on this one.
Consider that AWS's entire operating income for 2024 was $40B. GCP is 1/5th the size. I admire your optimism, but I think it's unwarranted.
So why do you think Google is making this acquisition?
Wiz is a recognized leader in the CNAPP/DevSecOps market, and so they'd be naturally attractive to any cloud hyperscaler. Google had to either build or buy a similar solution to grow GCP; and they chose to buy. But $32B is an enormous hunk of cheddar, and I don't know why they felt compelled to pay that much. The ROI on such a large investment is unclear.
It gives them (legally debatable) visibility into how customers are using their competition's products. That's part of the reason it didn't happen under the Biden administration. Trump is very much against enforcing anti-competition laws though, so the deal suddenly began to make sense again.
Google would have to be contractually bound not to do that, or Wiz customers would flee like rats off a sinking ship, which would significantly devalue their investment.
A lot has happened in the last 56 days that has resulted in significant uncertainty in the stock markets. That, combined with the higher offer, apparently changed the board's mind.
> Wonder what that implies about the larger IPO/exits market
The window is closed and locked. Haven't closed the storm shutters yet.
LOL IPO market is dead for observable future.
> But also, and maybe more importantly, you get to see everyone's cloud usage, across all providers
Yeah - that’s not likely to happen. Even the current in-house developed multi-cloud security stuff Google has doesn’t let internal people see customer data. It’s right there in the T&Cs they publish and agree to.
I suppose they could be violating them in egregious ways, but that wouldn’t last long before one or more of the 170,000 employees got upset and went all whistleblower, which would lead to billions of dollars in lawsuits.
There are ways around it. If they look into specific customer's usage it is looking at customer data. If they look at more customers it will just be called anonymous analytics.
Then you slice and dice the analytics data to extract what you need in the name of planning & improving the product.
For a truly multi cloud customer, your second point switches from being a pro to being a con as soon as Google owns it. Why would you give one of your cloud vendors visibility over your footprint across their competition?
It's pro for Google, not pro for customers.
How on earth does buying Wiz force other developers to move? I think the tinfoil is too tight.
They don’t need to force people, just make them a very good targeted offer. This is also great for seeing which features their customers use most to help GCP catch up to the competition, too.
It doesn't force them to move, it just gets Google the information about how you use competitors products so they can out negotiate them come deal time.
Wiz itself doesn’t. But Wiz knows what is going on in everyone's cloud. That data could be fed to GCP sales team though customers might riot if that happens.
>That data could be fed to GCP sales team though customers might riot if that happens
Large enterprises don't sign the stock terms and conditions that would enable this, most do or should have legal teams redlining contracts around how cloud data is accessed and used by vendors. Maybe Wiz is so good they would agree to it, but it would get challenged and negotiated during the sales cycle.
Clients can have their lawyers jump up and down but the data is there, you just KNOW the mothership gonna use it. All they need is some obfuscation and plausible deniability. It's just too good to not use it.
There's no force but Google can now leverage the data from Wiz to target good customers for other services.
How is this not a good thing for everyone involved? Or am I wrong for reading the comment in a tone that I perceived to be critical?
I dunno, I don't like the anti-trust implications (using Wiz data to target companies on AWS/Azure) but other than that I don't really care.
That's probably cos I am far away from this space.
So is Wiz just a CASB?
(Cloud Access Security Broker)
Wiz is a CNAPP provider. (Cloud Native App Protection Platform)
They wanted it to happen last year, but Wiz wasn't sure yet whether they would want to go public instead.
If you know the Cloud market you know nobody is moving to GCP :-)
This deal isn't about security, it's about data.
Google already have one of the best security teams in the industry - Project Zero [0]. They don't need Wiz's "enterprise" expertise for security.
This deal is about DATA. Wiz, as a cybersecurity vendor, have full remote access to their customers' cloud compute storage (EC2 EBS volumes, etc) in the name of "security scanning" - this is actually part of their unique selling point - "agent-less scanning" which is unlike traditional security tools that require an agent installed in the OS. Instead, Wiz is able to just clone your full data volume and scan it locally in their cloud accounts/VPC.
With this deal Google has bought a ton of confidential data from Wiz's customers without their explicit knowledge or approval, and they will use it to improve Google's AI models like Gemini and probably several other products.
A year ago Google struck a $60M/yr deal with Reddit to exclusively license their content [1] for the same reason, and that data is probably much smaller and less valuable than the data Wiz has access to from their customers, which include companies like Morgan Stanley, DocuSign, Slack, Plaid, and others. [2]
Sources:
0: https://googleprojectzero.blogspot.com
1: https://www.reuters.com/technology/reddit-ai-content-licensi...
I find it hard to believe (or maybe I don’t want to believe) that this could ever happen? Even if Wiz has T&C’s that allow full access to clients’ data, and even if the T&C allow some sort of “use” of that data that includes training an LLM, surely you can’t release an AI trained on private information to the public? You can’t have Gemini spitting out internal/private/confidential information?
Am I just naive?
na you're right this would be a dumb move with a huge blow back
It's only dumb if they get caught doing it. If they do it once and keep it quiet and then someone finds out 2 years later, it's going to be a footnote in history.
I'm guessing you would be the same guy who wouldn't torrent millions of books and copyrighted works to train your LLM. Zuck can afford not to care about that pesky detail
You are not naive, you are not considering that at certain scales, your concerns are the cost of doing business.
Not the same thing at all. Corporations care about their data a lot and would cancel deals over this. No one cares if some authors get upset, they have no leverage. Disappointing how people will make confident statements while being so clearly clueless.
> Corporations care about their data a lot and would cancel deals over this.
Since you have mentioned "a lot", share a few examples, pls.
So many sources yet no source of the actually outrageous claim that Google will use this to illegally siphon customer data
maybe this deal is about a company with a lot of revenue in an area google is heavily investing in: cloud security?
Facebook did exactly this with a VPN acquisition. They didn't break into customer data; they just mined it for usage patterns.
So as a pure speculation on Goog's motives, it doesn't sound farfetched enough to call ridiculous. Competitive data is valuable, particularly if you want to strangle the youth in their cradles (or acquire them).
google is not facebook, and an ad-supported consumer software is not cloud. OP talked about AI training which is a bit more than metadata
also, the vpn example ended in court
> actually outrageous claim that Google will use this to illegally siphon customer data
Hypothetical question as much as anything: If Google purchases a company and the data the company stores about their customers, is it illegal for them to use this data for whatever they want?
Let's say it would give them an understanding of what features from AWS people tend to use the most, and they use that to improve Google Cloud, would that be illegal?
yes, due to privacy and contract obligations
as well as this is the surest way for GCP to spectacularly commit suicide
Unless you're talking about some specific Wiz<>customer contracts, how do you know?
AFAIK, there are no explicit laws forbidding that. Maybe you could share what law you think this would be breaking?
OP mentioned training AI on customer data
GDPR, CCPA, HIPAA, etc, as Google has no way of knowing which data they will train on, add to that copyright and that's just off the top of my head
cloud contract obligations are also pretty clear about customer data.
furthermore it would be bad engineering and security if Wiz had actual direct access to customer data, versus having their code having access to said data. That would be a huge issue in due diligence for example
Did you skim through Wiz's Privacy Policy? They're keeping a lot of stuff that isn't "direct access to customer data" and already permitted to be sent to 3rd parties, wouldn't surprise me if you could aggregate what features are most used on AWS by collating some other sources than having actual access to customers' cloud.
Obviously, existing agreements would need to continue to be run properly, no question about that. But there is always plenty of other data that probably could be used by Google to gain some insights.
what you talked about is different and is aggregated metrics
that might be legal and interesting but i highly doubt it's 30+ billion dollar interesting
i imagine you can buy that data from data brokers without any legal exposure but that's only a guess
Read through the Wiz MSA [0] at section 6 which discusses “Customer Data” and among other things specifically asks Customer not to send HIPAA data (perhaps to sidestep the issue you just raised) and concludes with this:
—
Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
—
Or if reading terse legal documents isn’t your thing, go ahead and just read through Wiz’s own blog post about how their scanner works, which confirms they have full, direct access to customer EBS volume snapshots in the default “full SaaS” deployment model. [1]
Your point that due diligence would have taken issue with this might not be grounded in Google’s reality.
0: https://wiz.pactsafe.io/legal#wiz-subscription-agreement
1: https://www.wiz.io/blog/the-wiz-approach-to-agentless-scanni...
> [access to use customer data...] *to provide the Services and perform its obligations under this Agreement.*
"Services" – which you'll note is capitalized... lawyers do that for a reason – has a very specific meaning that very obviously does not include "whatever the fuck Google wants to do with it", nor "training general purpose AI models" in particular.
Why are you intentionally and blatantly misinterpreting Wiz's policies? Or are you just that good at ignoring/missing details in order to weave the story you've already decided to believe?
I've been consistently surprised at how common bad engineering and security practices seem to be within the security vendor space though. So idk this just makes it sound more plausible to me cause this would be exactly the type of company to have a scandal like that.
This is an incredibly stupid take on the deal.
This is an incredibly useless comment [0]
At least say why you think so and contribute to the conversation a bit.
[0] https://news.ycombinator.com/newsguidelines.html#comments
there's no need to wrestle with pigs
The comment effectively says "wake up to yourself, this nonsense isn't welcome".
Some things are self evidently stupid, cynical and/or disingenuous to anyone with a modicum of intelligence and a cursory understanding of the field.
Use your hall monitoring energy to add value. The type of post I call out here reduces the value of the forum.
Google isn’t buying Wiz for “security expertise”, they’re buying Wiz for a security product, in a growth area, that customers absolutely love. You’ve provided no evidence for the conspiracy theory that google is buying Wiz to siphon up a bunch of data, and if you’re going to link to Wiz, maybe link to their public list of security certifications, many of which prohibit the type of data harvesting you are suggesting.
"Trust" screams insecurity. Security is in the direction of trustless rather than requiring trust. Do you trust companies which say front and center "you can trust us"?
Wiz is a "security product"? Security isn't something you can buy and bolt on to your systems as an afterthought. It doesn't work like that!
I’m honestly not sure what your point, if any, is.
That the security software industry is kind of full of shit sometimes is I think what they were getting at.
Yes. You put it more eloquently.
Based on the exceptional level of ignorance and outright delusion in this thread, I'd rather not speculate. Easily 1/3 of the discussion is mired in conspiracy theories about Israel, and another 10 - 20% are people whose comments can be boiled down to "you know, I've never heard of this product/company/industry before, but, by God, the world needs to hear my hot take."
I trust open source code I can see and compile and control. :)
How is "trusting wiz" (trusting some icons on website controlled by wiz leading to publicly inaccessible reports, half of which are done by a single company somewhere in Florida) related to what Google might do with it after acquisition?
That’s great. For you. Most businesses don’t have the ability or desire to build every single security tool they use in-house or use open source for everything. So they buy commercial tools. Which are audited by third parties to give the companies that use the commercial tools some idea of how their data will be used.
If google wants to maintain those audit findings, which they’ll need to do to keep most of their customers, that’s going to limit the kind of data collection they can do. Unless, of course, you want to propose a new conspiracy theory (which I guess would be par for the course in this thread) that Google is going to lie to their auditors to get at that sweet, sweet data (most of which they already have for their GCP customers and don’t need to buy Wiz to obtain.)
Google has GCP customer data, but Wiz tool apparently works not just for GCP, so there's a lot of competitor cloud data to be had from acquiring it.
I believe you are right in the direction, but wrong on the details. Yes they will now have tons of otherwise inaccessible data about how Wiz customers use GCP’s competitors (AWS/Azure), eg what workloads, how much they pay, how many EC2 / EKS / ECS / RDS / S3 / SageMaker are actually used and how much they pay. This is by itself highly valuable financial information, that any company would love to have about their direct competition.
I highly doubt Google or Wiz have a legal avenue that allows them to use customer data beyond fulfilling their product needs. Products like Wiz (voluntarily) go through security audits and certifications, from SOC2 type 2 to FedRamp. Also enterprise customers actually do read T&C (their legal team does at least) and having terms and conditions that allow you to train models on customer data without their consent is not going to fly under the radar for long.
Google has the best security. But it is hard to market real security (as opposed to snake-oil), so maybe this acquisition will help.
> Google has the best security.
Care to elaborate?
Google was owned pretty hard in 2009 (Operation Aurora). Following that they put security front and center in a way that few other vendors do.
You can read my praise of ChromeOS here: https://news.ycombinator.com/item?id=41178525
To add a few, Chrome was the first browser to introduce process isolation: Every browser tab, every site (second-level domain) and every iframe runs in its own sandboxed process.
With that it's the only end-user software (alongside the other browsers) that actually is secure against Spectre and Meltdown. Operating systems only protect against Spectre/Meltdown leaks between processes.
Google invented Certificate Transparency and Chrome has enforced CT for years. Firefox added CT enforcement only a few days ago.
CT solves the following: For example, if a rogue Chinese Certificate Authority decides to issue a cert for google.com to the Chinese government for Man-in-the-Middle attacks, CT blows their cover and makes it known to everyone that the CA issued a fraudulent cert.
Project Zero is about finding security issues, not about developing products to increase security.
Using private data to train a public LLM seems like a huge liability that Google's legal team would never approve. I could see them using the data for all sorts of kinds of analytics though. I heard Google deals in those a lot.
Project Zero and Wiz have very little in common. It's wrong to bring these two up together as if they are comparable. Project Zero focuses on discovering and analysis of new (including zero-day) vulnerabilities. I do not believe Wiz uncovers new vulnerabilities. The skillset of someone working on Project Zero looks very different from someone working on Wiz.
The field of security is huge. It's unhelpful to lump unrelated things together.
> I do not believe Wiz uncovers new vulnerabilities
Oh they do. https://www.wiz.io/blog/tag/research
A few fun ones are the multiple cross-tenant security exploits they found in Azure (which is why, among the tons of other reasons, Azure is just the worst possible choice for a cloud vendor from the big 3 - their security is a joke, and none of the vulnerabilities below should have passed even a cursory security review, but they did, which means the whole org doesn't take security seriously. Add in the fact that it's slow as hell, and has the UX worthy of an Enterprise vendor, the only reason to choose it is because you're getting a good deal on the golf course for it):
https://www.wiz.io/blog/azure-active-directory-bing-misconfi...
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-o...
https://www.wiz.io/blog/secret-agent-exposes-azure-customers...
https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-a...
> They don't need Wiz's "enterprise" expertise for security.
Yes, because exploit discovery is exactly what enterprise security is.
This theory of yours is a conspiracy. Google would never start training off of confidential corporate information without authorization. The legal team would never allow it. And if they ever got caught, it would be a complete disaster for them.
That doesn't sound very secure at all
Thousands of lawsuits coming up? How are any of the mentioned companies okay with their highly confidential data being scanned by AI?
The top three topics of batshit conspiracy theory supported by precisely zero actual evidence:
1) Hidden cabals colluding in secret to control world events.
2) Extraterrestrial beings live among us secretly controlling world events.
3) Google illegally steals private data to secretly control world events.
Rejecting a $23B offer to get $32B less than a year later doesn't sound half bad.
https://www.theverge.com/2024/7/23/24204198/google-wiz-acqui...
I was trying to figure out where the deja vu was coming from. This explains it!
Google's M&A team: Oops we switched the 2 and 3 on that offer document, let's fix it and try again.
Jimmy switched the numbers!
Customer feedback (2024), https://old.reddit.com/r/cybersecurity/comments/1c1s9r2/wiz_...
> Wiz combines a graph search for asset management with agentless vuln and malware scanning that clones EBS volumes and scans them on their infrastructure. That's a great combo for vuln management, but has some downsides like delays between scans and cloud costs. They have a sensor with solid detection rules, and are okay at a bunch of other stuff like cloud log threat detection and sensitive data detection. They've basically pushed what you can do without an agent to the limit.
VC approach to enterprise sales, https://www.calcalistech.com/ctechnews/article/b1a1jn00hc & https://news.ycombinator.com/item?id=41042462
> [Cyberstarts] shows an internal rate of return of more than 100%, an unusual figure even for the best funds in the world.. The first sales come from the loyal CISOs who work with the fund.. Ra'anan offers [CISOs] the big dream of the world of employees - shares in a venture capital fund.. all funds that specialize in cyber go after CISOs and entice them with dinners, conferences, and some also offer them holdings in the fund. However.. he perfected it to a completely different level.. No CISO has ever received compensation for purchasing products.. They receive 4% of the success fees of the general partner (GP) in the fund.
Isn't this a roundabout kickback scheme?
Discussed last year in the linked HN subthread.
I'm marginally in the IT space... Is there anything to my reaction that at least in dollar terms this is a multiple of the dollar amount of what Whatsapp was acquired back in the day, which was a large consumer facing product that I could see was quite literally taking over messaging all over the world, and this is a... platform I've never heard of?
I'm just trying to make sense of the numbers.
Whatsapp was $1/person/year for a license. Wiz is "contact sales for pricing". Presumably that's more than $1/year.
According to Amazon's Wiz integration (https://aws.amazon.com/marketplace/pp/prodview-ibgbkrqusncsm), the lowest cost they have is $24,000/year.
It's based on your workload you are using it for basically. So its not a set price.
Wiz is enterprise software aimed at and popular with large companies that need to check all the compliancy boxes, and according to sources used by >40% of the Fortune 500 companies. It's also only 5 years old, so that's a ridiculously fast growth.
Valuation multiples for a free direct to consumer messaging company are very different to a paid-for b2b cybersecurity company. It doesn't really matter whether you've heard about Wiz, the important thing is every CISO has heard of it and many of them are prepared to pay actual money for the product.
True, but the vast majority of people spend zero money on WhatsApp. I actually have no idea how I would give them money. There are no adverts, the metadata is not valuable, and no companies even use WhatsApp business, at least in the UK. Their UK revenue is basically 0, despite 100% market share.
This is an enterprise product in a space where companies spend millions of dollars.
Still seems like an insane amount though.
Whatsapp when it was acquired cost $1/year (with a year long free trial) and had a billion users and 55 employees. They were printing money.
As far as I remember they didn't ever really collect that money though. I certainly never paid it. I'm not sure they ever even implemented payment on Android.
Obviously hard to source this old stuff but I found an old Reddit comment that backs up my recollection: https://www.reddit.com/r/whatsapp/comments/xesw29/comment/io...
I'm fairly certain that I paid once for WhatsApp back in the day (on Android)
EDIT: just checked my payment history and in November 2013 I paid €0.89 for "One Year Service"
They were collecting. Everyone I knew was paying.
Just to respond to the Whatsapp part of the comment, apparently Whatsapp made about $1.7 billion in 2024. https://www.businessofapps.com/data/whatsapp-statistics/
That is suspiciously equal to the "Other revenue" line in Meta's 10-K.
Given that likely rolls up other products I doubt it's all coming from Whatsapp.
[0]: https://d18rn0p25nwr6d.cloudfront.net/CIK-0001326801/1f8bf8e...
Like for whatsapp, they're buying the database, not the product.
I don't think WhatsApp had the same kind of revenue that Wiz has, even normalised for 2014 numbers.
Revenue and profit are very different. Like, it's easy to pump revenue at a loss.
I don't really see the benefits of this acquisition for Google, but congrats to the Wiz team!
> I don't really see the benefits of this acquisition for Google
At the very least it's a giant book of sales leads.
Yeah, I see that but it doesn't really feel like $32bn worth of value.
WhatsApp purchase was for that sweet sweet data of everyone's contact lists (this was their original innovation for onboarding — just give us access to your phone book and we'll tell you who else is on WhatsApp). Their earnings were completely irrelevant in price discussions. The billions were paid for the dataset.
Indeed. It's not just an incredible dataset, it's a self-updating one too.
I'd expect a lot of the money was also to prevent a competitor with WhatsApp's ubiquity from existing. (Or selling to another competitor.)
That too, of course. WhatsApp itself was a work of art at that point, its success should be studied and hopefully emulated.
Any idea what profitable things they do with that data?
Mostly ad targeting (you can infer a lot of things from the global graph of contacts). Meta is an attention routing company.
How do they spend insane amount of money in targeted ads and all the ads I get are useless?
I constantly get ads to learn how to code. Ok I've been doing that professionally for over a decade and I have a real degree from a real university… why would I do some online programming course?
There are many more ads than viable targets.
Just think: This company is 5 years old. That's just 1825 days, or 43800 hours, and they've created $32B of "value" in that time. That's an average rate of almost $750k/hour continuously. Incredible.
I have no idea how these corporate acquisitions are valued.
Craftsman Tools was sold to Black and Decker for $500 Million. This was and is a respected tool brand with an international presence making physical and tangible products and it is apparently worth 1/64th of Wiz.
I'm not even saying Wiz is overvalued, I don't know, I'm just not sure how they come up with these numbers.
I think the main calculus is around estimating future profits. Do they make a profit? Is it a crowded space? Is the market space growing? What assets do they have? People, land, factories, or intellectual IP? Etc etc.
I don’t know the details of either deal but it’s easy to imagine a case where Craftsman tools is just a brand in a crowded market with no special sauce. For example Sears never even made the tools, they outsourced it. Also it sold for 900m, 500m was the initial payment.
> Also it sold for 900m, 500m was the initial payment.
Yep, you're definitely right, I misread. Still less than a billion.
> I think the main calculus is around estimating future profits. Do they make a profit? Is it a crowded space? Is the market space growing? What assets do they have? People, land, factories, or intellectual IP? Etc etc.
Yeah I guess that makes enough sense, though I have to admit that sometimes it feels kind of removed from reality sometimes.
Almost... unbelievable.
Google has some amazing negotiating skills - paying 50% more for something they literally tried to get not even a year ago... (they tried to get it at 23 billion not even a year ago)
https://news.ycombinator.com/item?id=41042034
That being said, Instagram and WhatsApp were expensive for Facebook and those ended up being a steal. Time will tell, as usual.
Yeah, but Instagram and WhatsApp have billions of users. Everybody has heard of them. Advertising on Instagram generates revenue.
Wiz is a SaaS b2b startup. Even on a forum for startups most people haven't heard of them.
Wiz reportedly has a revenue of 750m. It would take Google 30 years or more to break even on this deal. But like all bs startups Wiz will fade into irrelevancy 6 months after being acquired.
Google is getting completely scammed.
Nobody thought Instagram and WhatsApp were good acquisitions at the time.
Instagram was roughly 10 people when it got bought, had less than 30M users and $0 in revenue.
This: "But like all bs startups Wiz will fade into irrelevancy 6 months after being acquired"
The difference is that Google is the worst product company among the big tech companies. It’s like the modern day Yahoo! - where acquisitions go to die.
I don't know man, iPhones and Macs are really buggy, bloated/full of unnecessary features, and user hostile. Microsoft products are also hot garbage. The cars we get to pay tens of thousands (or even hundreds) are pretty much garbage now. It's not just Google.
I am not talking about opinions on quality. I’m talking about objective measures in introducing a new product that moves the needle as far as revenue/profit and market share that is not cancelled quickly
Again, the parent's point stands. Apple is not changing the game with Apple Vision Pro or Apple Intelligence. Microsoft isn't getting accolades for Windows 11 and Copilot. It's not always smart to bet the farm on a product that nobody wants to pay for.
Objectively speaking Google is one of the few companies that saw where the puck was headed and skated there. They built TensorFlow, they sponsored serious local AI research. Now they build their own in-house training and inference hardware. Relative to the struggling we see from the rest of FAANG, I would argue Google is perhaps the only successful competitor left. I despise their monopoly abuse of AdSense, but they're not going to be effectively prosecuted with protectionist American policy defending them. Google "won" the services sector and now everyone and their mother is butthurt.
TensorFlow is a technology not a product. Having things in a “research” lab are not products. What product have they introduced in the past decade? 15 years? Android is the only one that has gotten any meaningful traction.
Does Google have a better LLM based product than OpenAI’s ChatGPT? Well personally for my use case, NotebookLM is better for some things. But it isn’t a better product for most people.
Android's position is so bad in the market as far as convincing consumers with money to buy one, Google has to pay Apple $20B+ a year to be the default search engine. I wouldn’t be surprised if Google pays more to be the default search engine on Apple devices than Google makes in mobile for Android.
From a consumer standpoint, Android has seen declining market share in the US, the Nest acquisition is floundering, Stadia was a failure, Pixel ships about the same number in a year that Apple ships iPhone in a couple of weeks, WearOS has gone nowhere, no real tablet strategy (I Chromebooks have been a success in education so that’s kind of a mitigating factor), their tv strategy has pivoted a half dozen times, their messaging app strategy is schizophrenic (they had 5 separate messaging apps simultaneously at one point), AI summaries for Google search are half baked.
On the business side, GCP is just pathetic. I don’t mean as far as technology. But their account management, enterprise sales team and customer service is lackluster. I mentioned in another comment that when I worked at AWS ProServe, we never considered them a serious competitor.
GSuite has gained some traction in smaller companies. But hasn’t made a dent in government and enterprise where the real money is.
Look at Microsoft and Apple’s product mix as far as successful profit generating products and compare that to Google’s.
> Android is the only one that has gotten any meaningful traction.
In my book, Android doesn't count as a Google product, as it was a 2005 acquisition:
https://www.androidauthority.com/google-android-acquisition-...
Almost every part of the iPhone is also based on acquisitions. Android was a bad BlackBerry knock off before Google acquired it. Android as it exists today is mostly Google.
YouTube and even AdSense were based on an acquisition.
Heck, Apple as we know it today was based largely on the NeXT acquisition.
Google made $34.68B in FY2023 from “app, media, and hardware”, so you’re not too far off I reckon.
This is meant to be politically-neutral commentary: this deal doesn't happen without a Republican in office that will squash the antitrust bent that the Biden administration started.
It's also possible the last Wiz deal happens without the antitrust swirling over Google.
Some policy is being continued, https://natlawreview.com/article/antitrust-under-trump-initi...
> FTC Chairman Ferguson and Omeed Assefi, Acting Assistant Attorney General of the DOJ’s Antitrust Division, announced on February 18, 2025, that the FTC and DOJ will continue to use the 2023 Merger Guidelines as the framework for their merger review process.
Rump likes to play favorites and use any power at his disposal to hurt his political / personal enemies or people he thinks don't "respect" him enough. He also is a fan of extorting people.
So I wouldn't count on it based on some generic "pro-business" position. Google is going to have to kiss the ring one way or another.
Depends on how many compliments Google gives the emperor on his clothes. The DOJ reiterated selling off Chrome last week, so it's not off the table.
I just don't think the anti trust case is as strong in the security industry vs. many other parts of the software industry. I don't think a Biden admin would necessarily have jumped to try and block this sort of acquisition either.
Turns out McKinsey is really bad at business and letting a McKinsey ghoul run your company is a good way to run it into the ground.
GOOG is up ~152% since Sundar took over...
Since Sundar took over as CEO at Google (August 10, 2015):
Google has the worst returns in ten years of the FAANG(+M) companies. A 5X increase in ten years is still phenomenal, but it's important to not look at that number in isolation.
- Google is up 5.2X - I am not sure how you got 152%
- Apple is up 10X
- Microsoft is up 8.25X
- Netflix is up 7.45X
- Amazon is up 7.28X
- Facebook is up 6.27X
And for fun:
- Nvidia is up 207X
- Intel is down 12%
- The S&P 500 is up 2.72X
Microsoft was also up by leaps and bounds when Ballmer was in charge and RIM had its highest market cap in 2010 - three years after the iPhone was introduced.
That has nothing to do with whether Google has the ability to create new great products and it has failed miserably at that over the past decade.
Not the flex you think this is.
What do you know, Assaf Rappaport also worked at McKinsey.
This is probably a dumb question, but what does all cash mean? Does it literally mean that they are putting $32bn in Wiz's bank account (or probably some kind of escrow, who knows) which then gets dispersed to their shareholders?
What usually happens otherwise? Would they do partly google stock, etc? And each shareholder gets some kind of multiple? (you get your N amount of Wiz shares X .72 = your number of google shares), or something of that sort?
> Does it literally mean that they are putting $32bn in Wiz's bank account (or probably some kind of escrow, who knows) which then gets dispersed to their shareholders?
Google pays each of Wiz's shareholders 75-90% of the deal amount. The remainder is held in escrow and paid some time later based on a variety of conditions.
> What usually happens otherwise? Would they do partly google stock, etc? And each shareholder gets some kind of multiple? (you get your N amount of Wiz shares X .72 = your number of google shares), or something of that sort?
Yup, that's exactly how it works.
In an all cash deal the Vendor (buyer) will purchase all shares of the Target (seller) for cash and cancel those shares. A substantial amount of the cash will be held back in escrow subject to a number of clauses and released at a future date.
This will protect the buyer against misrepresentations.
There are often also targets that have to be met to achieve the full purchase price but not always disclosed
Yes on all of that. All Cash means Google is essentially writing a $32Bn check which is dispersed to the Wiz shareholders. (It wouldn't go to Wiz's bank account since Google owns the bank account once they send the money.)
Typically these involve at least some stock (cash + stock or all stock) which would mean that each Wiz share gets some amount of money and some multiple of Google stock per share.
They say that's an all-cash purchase. So it seems that they really put $32bn in the bank account.
Ultimately they are buying the shares of all existing shareholders. Wiz tells Google who the shareholders are after all triggers of options to shares are resolved. Then Google wires each shareholder after the signatures are complete. No money should go into Wiz bank account. 10-25% of the cash is held back to make sure the company and key employees fulfill promises made as part of the transaction.
Right - the Wiz bank account is about to be the Google bank account, so it wouldn't make any sense for them to receive the funds.
It means if you were a shareholder of Wiz, you will have cash in your checking/savings account within few days and you will no longer have the shares.
What if I don't want to pay capital gains?
There's going to be teams of lawyers and financial managers that will guide that money into various financial structures and / or shell companies so that none of it shows up on the records used to calculate that.
Then you should not have owned assets that someone else had the power to sell.
For example: any publicly traded shares.
I have had shares that are 1. force sold, 2. shares that were force split into two companies and 3. shares that are force acquired so they become another company's shares.
Lol, coincidentally had some publicly traded shares force sold last month. Didn't realize (they didn't send me an email). I have a weird ability to pick these kinda stocks! Unfortunately it hasn't been a profitable strategy.
Part of the acquisition process is putting together a “funds flow” which is simply a model that lays out how much $ each shareholder gets and then also you collect all the wire details, etc. But anyway, it can be a bit surreal seeing how much cash will be deposited into various accounts once the deal closes
Acquisitions often involve swaps of shares.
The press releases say cash deal.
The question was about what happens in other cases.
Otherwise it depends on the deal structure. Especially if it's an acqui-hire, or founders are involved, it can be a combination of shares, options, earn-out, guaranteed bonus, certain salary levels (much higher than their current one) etc etc, and cash. Usually 100% cash deal is the most sought after unless the acquirer has a very solid business (in that case shares and options could be valuable too).
Yes. They became billionaires overnight.
I’m just curious if anyone here has actually heard of this company before this announcement? If you have, what is your opinion on this acquisition?
Almost any infosec professional whose company uses an IaaS provider (AWS, GCP, Azure, etc) has heard of them. They are probably the most notable tool for assessing your "Cloud Security Posture". It basically looks at your cloud configuration and alerts you for security issues caused by mis/sub-optimal configurations. It also identifies vulnerabilities, software updates, permissions issues, etc.
I'm sad they're being acquired, especially by a FAANG company. This constant consolidation is bad for IT (and the economy in general). I am happy for the employees holding shares though!
They are huge in the cybersecurity space, led by veteran founders, solve real problems, fastest growth to $100M ARR in the history...
In cybersecurity history or the history?
In history - until Cursor, so like 6 months ago they still held the record.
Cursor, the AI code editor? They have $100 million in ARR??
So it would seem: https://sacra.com/research/cursor-at-100m-arr/
they are selling tons of enterprise subscriptions = $$$
Growing up in the NYC area this is what I think of when someone says the wiz https://en.wikipedia.org/wiki/The_Wiz_(store)
I have 'wiz' lights in my place - home-networked lighting system. Which works. Well. For me....so glad g hasn't acquired them.
I also thought at first that G acquired the budget smart bulb company but then I realized it’s “WiZ” and not “Wiz”.
>> Growing up in the NYC area this is what I think of when someone says the wiz https://en.wikipedia.org/wiki/The_Wiz_(store)
Growing up in NYC, it was impossible to not remember the "Nobody Beats the Wiz" jingle
As a fan of British comedy, this is what I think of when I hear wiz: https://en.wiktionary.org/wiki/wiz#Etymology_2
We've been using them for 2-3 years. Excellent.
[narrator]: Excellent, until now! Soon, their beloved cloud infra security scanner will be sucked dry of all the juicy usage data on AWS and Azure customers, bled of its innovation, to be discarded in a few years time...
I like it too. Don't care much for google buying them, it can only end badly.
Last Kubecon / Cloudnative Con they had a HUGE stand. Hard to miss them if you are in this space.
I've seen them at trade shows and heard good things. I had also heard that Google tried buying them last year but it didn't go through, I'm curious about how/why they did it now
What I read is that last year they weren't sure yet if they wanted to go public instead, but the current financial climate isn't good for going public so they went for an acquisition instead.
Yes. We use them for container vulnerability scanning - maybe other things as well.
I've used wiz in a previous job. It's a good product. I don't know if they invented disk snapshot based security scanning, but they certainly popularized it.
Companies like CrowdStrike have copied a lot of what Wiz has been doing (and I'm sure wiz has copied some CrowdStrike features).
This announcement is pretty disappointing to me. I would have more faith in Wiz as an independent company than as part of Google. I expect their innovation to fall off a cliff.
didn't they try to do this several months ago?
This seems like a silly and ridiculous acquisition. Surely for $32 billion almost any security technology could be replicated? You could hire several thousand best in class engineers and build whatever Wiz has in house… buying this almost makes it seem like Google has no idea how to build new innovative products, which I guess a lot of people already think.
For Instagram and WhatsApp it was the user base and growth that was being bought, which is much harder to acquire than some random B2B saas security software.
For $32B Google are buying Wiz's brand, existing customers and their pipeline of customers, along with the technology.
This is the answer, Wiz already has a foot in the door / running contracts with huge cloud consumers, but not all of them are using Google's cloud. I wonder if Google tries to earn more money off of competing cloud platforms by offering services like this.
Wiz has no brand, no one knows who they are.
Revenue from Wiz's customers will not make back $32 billion dollars even in 30 years.
Wiz's technology is irrelevant. I think Google already scans for vulnerabilities and misconfigurations. And can build similar for low millions of dollars.
Plenty of people know who they are and have for quite a while.
A few years is not quite a while.
If they want the customers, they should have to compete for them. Google shouldn't be allowed to acquire any companies. They're already huge.
The issue is a lot of customers are going to run away from Wiz now, due to all the Google uncertainty.
> You could hire several thousand best in class engineers
How easy is this? Especially if you're doing it on an accelerated timeline, it seems like you'd have to pay above market to poach thousands of best-in-class engineers, and then you're stuck with higher salary expenses forever.
Google already employs some of the best software engineers in the world. In fact they’ve been laying off thousands of them. Google, like most big companies struggles to innovate because succeeding at a big company and making something fresh and new are different and often mutually exclusive skills. If they could have built it themselves they would have.
> In fact they’ve been laying off thousands of them
Citation please? Last layoff at Google of any significance was over 2 years ago in the post-pandemic cleanup era..
Apparently they tried to acquire Wiz last year already, which means they've been thinking about it probably since before they let all those engineers go.
There is actually some drama between Wiz and Orca, a company founded one year before Wiz. Orca alleged Wiz copied them, and Orca does operate in the same space. But a lot of hundred billion dollar companies are built on moats, integration and switching costs.
Yeah but Google is a trillion dollar company. Why do they need to spend $32billion on a company whose only value add seems to be they are good at finding exploits? You could hire every cyber security researcher in the country for $32billion.
It is a difficult question to answer. For example, why did Google acquire YouTube in the early 2010s? A platform technically and engineering wise similar to YouTube would have been very easy to replicate. IMO the best explanation goes back all the way to the days of Standard Oil/Carnegie Steel company - and quite possibly even the East India Company. There's an enormous benefit to consolidate various businesses under you and create a monopoly. Today in tech, monopolies are far from being as straightforward as being the dominant producer of a commodity like oil or steel. But there's undoubtedly some similar mechanisms involved. Synergy is one way to put it, but I think it's too restrictive.
I think the other part of the equation missing is if Google did create their own Wiz, Wiz would still be on the market, and it'd be a bitter fight which they could very well lose.
Google did in fact have a product that was technically similar and in fact superior to YouTube. Remember Google Video? It was better and people hated it.
What Wiz/Orca did is easy to copy for any Cloud security company with enough money, there's no moat.
What is hard about that is actually selling your product to customers, which Wiz managed to do in a way never seen before.
Extracting this from my comment on a subthread to add color to the discussion here.
They announced in a blog post that they went from $1m ARR to $100m ARR in 18 months (Feb 2021 -> July 2022). [1]
Reuters in the article posted here reports they were at $500m ARR when they last raised in mid-2024, meaning they went from $100m to $500m in around 2 years.
One would thus speculate they are likely a few hundred million above the half-a-billion figure today.
The multiple still appears a little high to me (particularly given it's all-cash, which Google doesn't even have) but what do I know.
[1] https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-th...
> particularly given it's all-cash, which Google doesn't even have
GOOG's latest balance sheet showed $96B in cash.
Sorry. I pulled my figure from the article in the post which claims "Google had $23.47 billion in cash and cash equivalents as of Dec. 31, implying it might have to seek financing for the deal."
Can anyone with security expertise clarify what Wiz actually does? Is it a legitimate company or is it fuzzy consultingware?
It’s a security-as-a-service platform that monitors whatever clouds or systems you plug into it for security vulnerabilities, but is built specifically for public cloud service providers and their workloads. I quite liked the product, as it would notify my team of erroneous configurations, outdated AMIs, exposed ports, vulnerable workloads, and whatever custom policies we setup (e.g., SSH open between VPCs in AWS, rather than via a Jumpbox).
I loved the product when I used it (huge improvement over Nessus), and am immensely disappointed Google owns it as it means I’ll have to find something else going forward. This is the sort of acquisition a regulator should block, because Wiz really is best-in-class at what they do for every cloud they support, and customers benefit more from it being agnostic.
Wiz uses various APIs via read access in your accounts/orgs/subscriptions to assess risk of configuration.
They also snapshot your disks, cloning them to Wiz accounts to provide secrets scanning / vuln scanning / etc against your infra.
These resulting risks / findings are scored and provided in their SAAS Wiz console via dashboards / APIs / integrations with remediation guidance.
> They also snapshot your disks, cloning them to Wiz accounts
I can see how that could be worth $32B.
It is a very legitimate tool. It identifies misconfigurations and vulnerabilities in cloud deployments. Anything from a container with a known-vulnerable package in the manifest to a workload with improper firewall rules.
Isn't this what tools like MEND or Black Duck (formerly Synopsys) do?
I understand those (I haven’t used them) to primarily be about software composition analysis. Wiz does that, but they are mainly known for Cloud Security Posture Management (the “you have an exposed S3 bucket”, “you have a workload with no inbound firewall”, “etc.”) and integrating things like SCA to increase alert fidelity (do you care as much that a workload has an inbound ACL allowing MongoDB connections from the Internet if the workload isn’t running MongoDB?)
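The alert-fidelity idea in the comment above (an Internet-facing MongoDB rule matters more when the workload actually runs MongoDB), sketched as an added example that is not part of the original thread and not Wiz's code. The workload records, field names, port list and severity labels are constructed assumptions.

```python
"""Added illustration: rank a network-exposure finding by whether the
workload actually runs the service behind the exposed port.
All records and field names are constructed for this example."""
import ipaddress

# Constructed inventory. "inbound" is what a posture check would read from
# the cloud API; "services" is what a disk or package scan would report.
WORKLOADS = [
    {"name": "orders-db",
     "inbound": [("0.0.0.0/0", 27017)],
     "services": {27017: "mongod 4.2"}},
    {"name": "web-frontend",
     "inbound": [("0.0.0.0/0", 27017), ("0.0.0.0/0", 443)],
     "services": {443: "nginx 1.24"}},
    {"name": "batch-worker",
     "inbound": [("10.0.0.0/8", 27017)],
     "services": {27017: "mongod 6.0"}},
]

# Ports this sketch treats as sensitive when reachable from the Internet.
SENSITIVE_PORTS = {22: "SSH", 27017: "MongoDB"}


def is_internet_facing(cidr):
    """True when the source range is the whole Internet or any public range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def triage(workloads):
    """Return exposure findings, highest severity first.

    high: sensitive port open to the Internet AND a service listens on it.
    low:  the rule is still a misconfiguration worth removing, but nothing
          answers on that port, so it should not page anyone.
    """
    findings = []
    for workload in workloads:
        for cidr, port in workload["inbound"]:
            if port not in SENSITIVE_PORTS or not is_internet_facing(cidr):
                continue
            service = workload["services"].get(port)
            findings.append({
                "workload": workload["name"],
                "port": port,
                "protocol": SENSITIVE_PORTS[port],
                "source": cidr,
                "service": service,
                "severity": "high" if service else "low",
            })
    findings.sort(key=lambda f: (f["severity"] != "high", f["workload"]))
    return findings


if __name__ == "__main__":
    for finding in triage(WORKLOADS):
        print(finding)
```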
Wiz is closer to the CNAPP field instead of the software composition analysis tools you mention, Snyk would fit here for SCA.
Sysdig, Palo Alto's Prisma Cloud, or a few others compete with Wiz's CNAPP offering. Wiz also strays into some SCA and SCA-alike tooling for containers, code or XDR with their CDR/XDR products log ingest and agents available for response/quarantine.
Basically give it read access to your cloud account, and it will scan all of the resources to identify potential misconfigurations. Identifying CVE in software is one thing, but identifying incorrectly configured resources that would otherwise be secure can dramatically reduce the risk surface.
A lot of cloud providers already have little hints like "hey - did you mean to create this account in God mode?" or "It is recommended not to create this god mode json key file" - Wiz is taking this to the next level of detail
Would also be interested in this. I don't know anyone who uses Wiz. Google says they had 350 million in revenue last year, aiming for 1 billion this year. So 100x revenue TTM. Crazy stuff.
That's because A) big companies that use it don't really like bragging about their security tooling, lest it be used to better profile their infrastructure by attackers, and B) it's basically enterprise-only and insanely expensive.
Source: worked for a large enterprise company that used it, and I loved it. Phenomenal tool, will be a shame to see it die (or at least its non-GCP aspects wither and die) under Alphabet's ownership.
FYI we don't really value companies on a TTM basis so 32.0x Revenue would be the right multiple to quote
They were the ones to first report on DeepSeek's recent data leak, and they've found a few others.
One exploit I remember Wiz finding was "ChaosDB". A flaw in Microsoft's Cosmos DB allowed anyone to use the default-enabled Jupyter Notebook to basically dump and modify anyone's databases, without authentication. Full admin access.
My last company used it to complement other cloud security scanning products. It’s probably a bit of an understatement to call it a scanning tool. It was easy to integrate with our other systems so we could assign vulns to different teams.
One wonders if $32B spent "pluggin' up the holes" would accomplish more. A lot of open source code could be rewritten at this price point.
They're paying mostly for Wiz's customer book, who they will quickly alienate and drive to competitors.
Paying $32 billion dollars for a customer book with no network effect is insane
But not by tomorrow. Google is trying to pay their way into cloud leadership. Because they can’t catch up organically.
A lot of "holes" are misconfigurations. Not sure how rewriting open source code helps with that.
What's in for Google?
Like 32B is no small sum, and I don't really understand Wiz business (product yes, business and numbers much less).
The cloud computing market is ~$600B annually. Google has a market share of 12% in it while Amazon sits at 30% and Microsoft at 21%. I'm assuming this is Google trying to stay competitive in that market.
I'd bet, with the price tag, Amazon and MS were also looking to buy Wiz. That's why the price looks a bit outrageous.
Founders previously sold their security company to microsoft as well.
And they gonna get all that cloud needs through Wiz?
Even if they did, I just don't see the play.
It sounds insane to me number wise too. Even growth stocks have about 5x the price to revenue.
> Even growth stocks have about 5x the price to revenue.
A PE of 5 is not a growth stock - that’s the kind of PE you’d see on a barely surviving mid-cap in decline…. The combined PE of the S&P500 is in the low to mid 30s these days!
>A PE of 5 is not a growth stock
PE is not the same as PS (price to sales or revenue). Startups and growth companies are often valued by PS since they have revenue growth, but are often not yet turning a profit (making their PE < 0).
Revenue and earnings are separate things.
In fact price/revenue of sp500 is a disaster right now: 2.92.
That means that SP500 companies on average are worth 3 times their sales!
Looks like they already have the Gemini logo so integration should be simple
https://en.m.wikipedia.org/wiki/Wiz_(company)#/media/File%3A...
Interesting, could it be that their software is built by Gemini, the acquisition is managed by Gemini, and the Gemini in Google made a $32B deal with the Gemini at Wiz?
Wiz seems to only be about 4 years old, as per wikipedia. That valuation in such a short amount of time surely must be some kind of record? Or am I missing something?
~5 years by now. But there is a bit of fine print. The founders all founded another cloud security company in 2010, which was acquired by Microsoft. They were all graduates of Israel's famous Unit 8200. So while the literal company was founded in 2020, it is very likely a lot of both the knowledge, expertise and quite possibly product was already in development before it.
Not sure if it's a very wise move to hire foreign intelligence officers and give them access to the core of your tech products and to the customers' data.
Probably the entire company's purpose is to gain access to secrets.
Anyway, Chomsky claims that there's 0 distinction between USA and Israel, so if you see it from that point of view, it makes little difference.
A dumb conspiracy theory. Israel has mandatory conscription (barring some cases), and many of the smart ones are recruited into Unit 8200. It's not surprising that they go on to start cyber companies once conscription ends, given that's a major focus of the Unit.
For me it's enough that if Chinese intelligence officers were founding software security companies, I'd not use the product. It's the same idea for Israel. Conscription just makes it worse, because more of their citizens are then suspect.
Not supporting people who take part in the crime of persecution, is a nice side effect.
"But Chomsky said so!"
So you think they shouldn't be trusted because they have ties with a foreign nation or they should be trusted because their foreign nation is really a puppet state of your nation?
It's unclear to me what you're thinking besides the wish to troll.
"conspiracy". When you meet employees of such companies they brag about it and sometimes even do special tricks through their contacts to impress you.
yes, every 8200 founder i know already has the next product ready to launch in alpha the day after the time limit on their previous acquisition runs out
You joke, but something similar happened at my old company, and I suspect it's relatively common for serial entrepreneurs.
The founders, who are now flush with cash, time and ideas; are quickly speedrunning the steps creating their previous company, in the same market, but now with more access to capital and employees from their previous company who would rather work for a startup than a large conglomerate, while fixing all the mistakes from their previous venture.
I 90% meant that it was the skills, industry knowledge and connections/reputations they built before Wiz, but it is true that most companies are conceived and planned far ahead of their actual registrations. Sensible people don't exactly just quit their jobs and start a company in a few days. They conceive, do research, discuss and (I suspect in Wiz's case) prototype before they commit. It's definitely a smart move, there's a very real valuation and PR advantage if you delay your actual founding, so your time to X revenue looks shorter.
only 2 out of 3 are 8200 alumni.
This feels like Waze, founder origins and name similarities aside. Google acquired them in 2013 for $1.3 billion, and it is still a standalone app, without being fully integrated into Google Maps.
It makes no sense for a company to have two mapping applications, yet 15 years later, more than a billion paid, one of the most valuable companies in the world failed to integrate another app.
Most people using Waze have no idea that it is owned by Google.
>The stock was down 13% this year before Tuesday on worries over its hefty AI spending against the rise of China's lower-cost DeepSeek and a pullback in tech giants that led the market for the past two years.
Absurd take. Google is the one AI company that is not completely dependent on Nvidia because they now use their own TPU chips for both inference and training.
Someone explain the strategic rationale behind this? Google's previous big acquisition in the cloud space, Looker, didn't exactly pan out.
I think Google sees a fast growing company and is acquiring it. Many GCP related acquisitions are weird, like Looker, Apigee and are awkward fits. Unsure how this goes.
On top of it this one is an amount that you wouldn't pay if it wasn't existential, and it really doesn't feel like it is.
.. and all the talk of multicloud makes me feel like I'm reading an IBM press release, which is never good.
>Assaf Rappaport and his co-founders now stand to make more than $3 billion each from the sale...
tbh all of this sounds extremely suspicious. nothing they do google can't do, market share is not there for $32B, it's a couple of years old company. If it's not money laundering, which I presume it's not, what is it? It doesn't make any sense.
They didn't want to buy Github.. too expensive. But Wiz price tag makes sense to them?
This is one example of ways that the US empire supports the economy of Israel (the 51st state). I would be very surprised if there isn’t a political element here.
American states wish they had as much influence on US politics as Israel.
Say more.
Here's some context in what this means:
Currently, Crowdstrike, Zscaler and other solutions compete in a similar space to Wiz.
Google likely believes it can offer Wiz sec products bundled with Google Cloud. It isn't a terrible idea.
But Wiz itself works on multiple clouds, so it seems that Google can also grow it on their own.
Cloud security companies are growing a lot, and might be a growth lever for Alphabet, as its other businesses' revenue growth is slowing down.
My assumption is that this will actually make it easier for Crowdstrike and Zscaler to keep their market share, as they are pure-play companies on Cloud security and Alphabet has too many businesses to manage.
For me, it looks overpriced. Wiz has been growing a lot, but under Alphabet it might not perform as well as it did.
The big winners are the founders and whoever owned Wiz options.
Zscaler isn't a prominent player in the CNAPP space - they missed the ball on that, but they also didn't need to tbh.
ZS specializes in SSE/SASE - and does really well in that segment.
Great article on the genesis of Wiz:
https://www.forbes.com/sites/iainmartin/2024/10/28/this-vc-b...
https://web.archive.org/web/20250312193110/https://www.forbe...
Wow. That's a huge amount for Cybersecurity.
There is a not-so-well-known fact about Wiz. Wiz is backed by Cyberstart. They are notorious for running a pay to use thing for CISOs. TLDR; there is a roundabout way the CISOs get paid for using tools backed by them. Therefore the startups backed by them appear to be fast growing.
[1] https://www.bankinfosecurity.com/blogs/cyberstarts-program-sparks-debate-over-ethical-boundaries-p-3763
[2] https://www.forbes.com/sites/iainmartin/2024/10/28/this-vc-b...
I still find it amazing that:
- Businesses pay the cloud providers to allow them to use compute/disk/network
- Businesses pay to hire the engineers who can work on cloud
- Businesses pay to hire security engineers who can secure the applications in cloud
- Businesses pay to hire FinOps to optimize their cloud usage
- Businesses hire security companies to secure their cloud usage (e.g. Wiz was one such company)
- Now cloud provider has to acquire the security company to secure their own cloud?
Either I am too old, or there is something wrong here. Let's not forget that at the same time many big businesses do just fine by not using AWS/GCP/Azure.
> - Now cloud provider has to acquire the security company to secure their own cloud?
No - this acquisition is about selling Wiz to cloud customers. Deploying on cloud securely is a solved problem if you set and follow good policies. Virtually nobody is doing this, ergo companies like Wiz that will tell you when you're doing something stupid.
> if you set and follow good policies
Is it really that hard? like I listed out, it is definitely not cheap. There isn't a shortage of skilled engineers in IT after massive layoffs. What's the catch then?
You can provision a vm with a click and then after a few years nobody has any clue what these machines do, if they're still needed and if their access levels are reasonable.
Google already owns GCP. Wiz obviously built something that differentiates themselves and fills a need. I am sure they support GCP. If so, why would google not copy and develop this functionality themselves instead of buying them out?
Among the Wiz customers, if they use GCP already then surely they will be willing to try the functionality if Google builds it.
If the customer doesn’t use GCP, chances are they won't move to GCP and probably move away from Wiz too after the acquisition.
I don’t get why they bought them instead of copying them
Official Wiz post: https://www.wiz.io/blog/wiz-joining-google
The number of O(10)B$ companies acquired that I never heard of is alarmingly high. Someone should curate a list of them so I don't feel so clueless..
Anyone got a sense for where the value is in Wiz? Revenue? IP? Any customers here?
Data for nation state espionage and industrial espionage?
Whoever owns Wiz obtains read only access to large company and government cloud networks. Even in the Wiz outpost model where the scanning engine is deployed into the user's own cloud network, results from scans are sent back to Wiz Cloud, and this includes sensitive information such as "Installed packages, Exposed secrets, Malware detection".[1] For an example real world deployment, GitLab SaaS public documentation expects the "Wiz Runtime Sensor" to be installed in every container.[2] This Wiz software requires highly elevated privileges to a level that the GitLab security risk assessment only briefly describes.[3]
The data Wiz collects on customers appears to allow answering of queries such as:
1. Which containers of government agencies in country X have the xz-utils library installed? Of these containers, what other software is installed alongside? How many of these containers are exposed to the Internet, directly or indirectly?
2. Which government agencies in country X have a publicly exposed service vulnerable to CVE-20xx-xxxx?
3. For top 200 companies, plot the popularity of AWS or Azure service ACME123 over the past 12 months compared to competing Google service ACME456.
Aside from security risks of having sensitive information of entire governments or large organisations hoovered up by Wiz, use of the "Wiz Runtime Sensor" also includes the risk of an incident similar to the failed CrowdStrike Falcon Sensor update of 2024.
The criticisms above are not specific to Wiz. There are many other competing products/services with similarly poor architectures and lack of protection of sensitive IT system information of governments and large organisations.
[1] https://cloud.google.com/architecture/partners/id-prioritize...
[2] https://gitlab.com/gitlab-com/gl-infra/readiness/-/tree/mast...
[3] https://github.com/wiz-sec/charts/blob/master/wiz-sensor/tem...
People seem to really enjoy their product, which is very uncommon in the Enterprise Security Tools space.
Next year's revenue estimated to be $1B, so definitely real money there but that doesn't speak to value... 32.0x is wild
Thanks
Kinda confusing given Wiz is also a Google internal frontend framework.
They want more wizes
From every angle I try to look at this, it does not make 32B sense.
That's a lot of money for 2000 employees. $16 million per employee. How many employees get something out of this?
A pizza party
This deal might be more than just strengthening cloud security—it could be a strategic move for Google’s multi-cloud positioning. If Wiz’s customer insights help drive migrations to GCP, the $32B price tag starts to make more sense beyond just a tech acquisition
In a recent interview, one of the founders claimed that one of Wiz's smart moves was using a graph database for mapping cloud resources and their relations, while perhaps all other competitors used SQL or NoSQL.
It helped them “get to the point” quicker and “cleaner”.
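The graph-model point in the comment above, as an added example that is not part of the thread and not Wiz's code: a toy in-memory resource graph where a breadth-first traversal finds multi-hop paths from the internet to sensitive data stores, the kind of question that needs recursive joins in a relational schema. All resource names, relation types and the `sensitive` attribute are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: nodes are cloud resources with attributes.
NODES = {
    "internet": {"kind": "network"},
    "lb-public": {"kind": "load_balancer"},
    "vm-web": {"kind": "vm"},
    "vm-batch": {"kind": "vm"},
    "role-web": {"kind": "iam_role"},
    "role-batch": {"kind": "iam_role"},
    "bucket-logs": {"kind": "bucket", "sensitive": False},
    "bucket-customers": {"kind": "bucket", "sensitive": True},
    "db-billing": {"kind": "database", "sensitive": True},
}

# Constructed typed relations (source, relation, destination).
EDGES = [
    ("internet", "routes_to", "lb-public"),
    ("lb-public", "routes_to", "vm-web"),
    ("vm-web", "assumes", "role-web"),
    ("vm-batch", "assumes", "role-batch"),
    ("role-web", "can_read", "bucket-logs"),
    ("role-web", "can_assume", "role-batch"),   # the risky cross-role grant
    ("role-batch", "can_read", "bucket-customers"),
    ("role-batch", "can_read", "db-billing"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def exposure_paths(nodes, edges, start="internet"):
    """Map each sensitive resource reachable from `start` to its shortest
    path, expressed as a list of (source, relation, destination) hops."""
    adj = build_graph(edges)
    parent = {start: None}          # node -> (previous node, relation used)
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for rel, nxt in adj.get(cur, []):
            if nxt not in parent:   # first visit is the shortest path in BFS
                parent[nxt] = (cur, rel)
                queue.append(nxt)

    findings = {}
    for name, attrs in nodes.items():
        if not attrs.get("sensitive") or name not in parent:
            continue
        hops, node = [], name
        while parent[node] is not None:
            prev, rel = parent[node]
            hops.append((prev, rel, node))
            node = prev
        findings[name] = list(reversed(hops))
    return findings


def edges_to_review(findings):
    """Relations shared by every exposure path: removing any one of them
    closes all current findings at once."""
    path_sets = [set(path) for path in findings.values()]
    return set.intersection(*path_sets) if path_sets else set()


if __name__ == "__main__":
    found = exposure_paths(NODES, EDGES)
    for target, path in sorted(found.items()):
        chain = " ".join(f"{s} -[{r}]->" for s, r, _ in path) + f" {target}"
        print(f"EXPOSED {target}: {chain}")
    print("shared hops:", sorted(edges_to_review(found)))
```
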
The founder's previous exit in the same space was sold to Microsoft for $350. What a steal.
The most amazing thing is that Wiz is a fairly young company. Founded in early 2000.
One thing for sure. If this guy ever starts another company, I'm sending my resume :)
If AIPAC were a publicly traded company, its stock would be through the roof today.
"Israel literally owned Congress" - Donald Trump [1]
There has been a full and total coup of Zionist influence peddlers over the United States government. This is the lens in which you should look at this deal.
The Department of Education is on the verge of being abolished, and the remaining skeleton staff have been redirected to investigate cases of "antisemitism". [2]
The administration is weaponizing 'antisemitism' to unleash once unthinkable retributions against opponents of the State of Israel. The Zionist lobby is using the full levers of the US government to direct their wrath against opponents, and no one is being spared, not universities, students and even entire nations.
It would be naive to think the leadership at Alphabet are unaware that good things happen when you be good to Zionists.
It's really a shame really, from 'Don't be Evil' to funding decades more years of 'Israeli Americans' using this wealth to funnel to AIPAC and other nefarious political causes. [3]
[1] https://www.timesofisrael.com/trump-israel-literally-owned-c...
[2] https://time.com/7268749/education-department-staff-cuts-imp...
[3] https://www.timesofisrael.com/whatsapp-founder-jan-koum-dona...
> "Israel literally owned Congress" - Donald Trump [1]
Let me guess, when Trump says some crazy exaggeration you will immediately believe him if it sheds a bad light on Israel - but only then. Otherwise you wouldn't believe him because he's a pathological liar right?
The silly thing is he said it was a decade ago and today it's the exact opposite, so that doesn't agree with what you said at all.
My take on why Google bought Wiz is pretty straightforward. First off, Wiz brings a rock-solid CRM loaded with all those juicy contracts from the top cloud players. Add to that a proven enterprise team that knows exactly how to sell the product, and whom to sell to. And you’ve got a recipe for success. Every Wiz win is just a possible upsell for GCP; especially when GCP isn’t even the market leader in cloud. IMO, it opens the door to a whole lot of sales opportunities and deep-rooted relationships with top-tier cloud customers. To me, that all points to a pretty hefty price tag on the table
I imagine Wiz was smart enough to include a big payout if the acquisition doesn't go through. There is a ton of attention on Google by both political parties in the US and the EU is not a fan either.
> $32 billion in an all-cash deal,
Wow. I wonder how Google justified this acquisition. I fear they will eventually shutter this service, and likely without even pulling anything good into their own cloud offerings.
Why isn't there an open source self hosted Wiz competitor, perhaps now one can start to emerge after this acquisition for those who don't want Google.
There's Wazuh, but it's more of an XDR (i.e. anti-virus) and SIEM solution than what Wiz is offering.
What the hell is "Wiz"? Some nobody company that was formed <5 yrs ago and now gets acquired for _$32B_
G might be the modern day IBM.
You would think G would have the brain power to compete and provide out of the box security for their own platform. I guess the MBA losers at the top have been shaving too much from engineering to do this properly.
The acquisition hiring in big tech is wild to me. And the consolidation of power into a few companies continues.
> Some nobody company
That was the fastest to $100m ARR in history
> Some nobody company
That was a Decacorn ~3yrs after its founding
> Some nobody company
With ~half of the Fortune 100 as paying customers.
I get it - most people here aren’t in cybersecurity, nor do they understand the space, but let me put it this way - if you are looking for the top 5 cybersecurity companies by mindshare of people in the industry, Wiz is in the conversation.
Agree with most of your points, the one correction (that I think is important) is that they were the fastest from 1M ARR - 100M ARR. Not a straight fastest to 100M.
It doesn't hurt to be brib...incentivizing the F1000 CISOs (not my words, see article) : https://www.calcalistech.com/ctechnews/article/b1a1jn00hc
"The first sales come from the loyal CISOs who work with the fund. Although it may be considered "small money", the jumps between the first stages of fundraising are the most difficult. “Until a ‘regular’ startup company reaches sales of $2-10 million it grinds itself to a pulp, but with Gili Ra'anan, this happens in the first year of sales. He creates a mechanism that is difficult to compete against because his companies immediately jump to a valuation of $100-200 million, raise more money, and then also have more resources to compete later,” a partner in an Israeli venture capital fund tells Calcalist. “With a seemingly small purchase of $100,000-$200,000, a CISO increases a startup's value by dozens of times.”"
...
"I recruited a new CISO for a financial organization that I managed out of a desire to refresh the cyber defense system. I gave him a free hand because I trusted him and I see this position as a position of trust. Six months later, I noticed that, surprisingly, almost all of the new logos that the CISO introduced were portfolio companies of Cyberstarts [Of which Wiz is their most notable]," describes a former senior executive at a large financial institution in the U.S. "It's not that these were necessarily bad solutions, but that some of them were a very low priority for us or solved problems that were not particularly urgent. After I confronted the CISO on the subject, he admitted that he is on the list of advisers of Cyberstarts and receives a percentage of the funds from them. Shortly after this, he left the company and immediately upon the appointment of a new CISO, I asked him to inform me if he was contacted by Cyberstarts. Within a few weeks, he had already received an email from them with a description of their kind of 'loyalty program' that details exactly what he will receive the more he works with the fund."
I hear the Internet is on computers now.
> What the hell is "Wiz"
Just because you're ignorant about significant portions of the tech industry doesn't mean you need to be dismissive.
Nobody Beats the Wiz is great, but $32B is so much money.
Could have gotten a better deal for Crazy Eddie
The Craziest part about Eddie was his business plan. Steal from your own company for 10 years, take the company public, gradually reduce your stealing over the course of 5 years to show a rapidly increasing profit margin, sell company to a hedge fund and cash out the profit. Then, go to jail for 8 years.
https://www.financialpipeline.com/financial-scams-the-too-cr...
Google is making a huge mistake. They are clearly getting scammed, the price is up to $32B from $23B less than a year ago.
There is no pressure or need to buy Wiz.
This is the largest transfer of Israeli intelligence operatives into a US company in history. Y'all are in for a real bad time.
I believe that ‘cloud-neutral’ companies like Wiz must ensure their neutral positioning in order to gain support from various cloud providers. I strongly doubt the willingness of cloud providers like AWS and Azure to cooperate in the future. Google is not only making a major business gamble but also testing the waters in terms of antitrust and judicial challenges.
I can see how Microsoft and AWS would now favor Wiz competitors (Orca, Palo, Crowdstrike etc)
Proof you don't need to own the .com domain name to make it big?:
`.io` is `.com` equivalent for the market it addresses.
I believe this is actually the second time google has tried to buy this company too. They had to give them a too good to refuse offer.
While it seems like we aren't getting a ton of people who have used the product in the comments, I can tell you it checks a lot of boxes to make people sleep better at night with customer data in the cloud.
Didn't Google acquire another cloud security outfit called Mandiant sometime back? How is this different from that?
> another cloud security outfit called Mandiant sometime back
Mandiant wasn't/isn't "cloud security" - they're primarily security research, threat intel, and incident response. Completely different space, customer base, and product set.
Perhaps Google is scared about losing its cash cow in search, and is needing to cement their position in cloud compute.
Google Cloud post:
Google + Wiz: Strengthening Multicloud Security
https://cloud.google.com/blog/products/identity-security/goo...
Such a weird move. They must have too much cash because they are not buying GPUs from Jensen.
Is there lock-in for Wiz customers, besides the quality of the product? I understand the crazy revenue growth, fastest to 100m ARR, but surely this needs to saturate. Maybe half the fortune 500 use Wiz, but can you imagine 100% or even 80%? Who are their competitors?
The biggest competitor is Orca (pretty much the same product) and they even accuse Wiz of patent infringement. Trial starts in December. https://www.calcalistech.com/ctechnews/article/ryjc8dgnr
Being owned by Google probably would help in those regards too now.
In the meantime, the products that people used to use are decaying. Just today I found out that clicking on the departure date, and viewing the round-trip prices, then changing the departure date is broken in Google Flights. When Pichai leaves, it will be too late.
This is one super weird acquisition
What changed from last year? The deal that failed?
The article says:
> The price tag is much higher than the roughly $23 billion Google had offered for Wiz last year before antitrust worries forced the startup to shelve the deal.
> Wall Street is optimistic that the Trump administration would drop some antitrust policies
Is that it? It's crazy to announce the deal before there's any actual policy changes. Why the rush? It's not like someone is outbidding them here.
There is a new administration, and the new one doesn't have a DOJ that is extremely anti big tech, and going after them for antitrust on everything.
Did you read the article?
> The price tag is much higher than the roughly $23 billion Google had offered for Wiz last year before antitrust worries forced the startup to shelve the deal. ... A harsh regulatory environment in 2024 had made it difficult for many firms to push through large deals, but Wall Street is optimistic that the Trump administration would drop some antitrust policies.
Yes, I made my comment more clear.
For hardcore Wiz users: What are their killer features that you use day in, day out?
We use wiz and rapid7, so I can compare these two:
Usability of Wiz and the ability to adapt it is so much better. Everyone can get a seat without extra costs, enabling shift-left for the dev teams. Projects make sure they only see what they need to see.
The query engine is top. There are very good presets. Create Boards to share custom queries with the teams.
Compliance frameworks are available. You could inspect the rules, they are written in OPA rego and you could add your own rules.
Cloudtrail search is also a lot better than the one aws is providing.
I could go on and on and on .. this solution has so many powerful features.
This was the most detailed and helpful explanation of what exactly the deal is with Wiz I think in this whole comment section.
$32B for an entity with 500M in ARR? What the blazes are they paying for?
biggest Google acquisition yet or what?
Yes. The company’s previous biggest deal was its $12.5bn acquisition of Motorola Mobility in 2012, which it sold two years later for $2.9bn. [0]
[0] https://www.theguardian.com/technology/2025/mar/18/google-pa...
The patents they received from Motorola effectively put an end to Apple's Android witch hunt.
Prior to this acquisition, Apple was determined to sue Android out of existence. They were on a rage-fueled mission to end a product they viewed as a copycat, and they knew Google didn't hold any patents to defend themselves.
When Google acquired Motorola's patents, the tables turned and it was Google that could end Apple or at least turn it into mutually assured destruction.
Those patents alone were worth a hundred billion for the headache they saved Google and the market position they opened up.
This was one of Google's smartest moves of all time.
I definitely did not consider this earlier. Do you know of some other big examples where monetary loss was actually a win when considered in an overall context?
Motorola was bought for patents to defend Android, it was a clear win.
Wiz is much harder to understand.
Can’t help but predict that this will be a similar outcome. If they did not have a security division, this acquisition could work. But colliding two heavy security behemoths together is like the collision of two galaxies with a higher entropy.
What I don't understand is how you get to a valuation of $32B. My quick googling showed me that the revenue for Wiz is about $700M. Even if I assume the existing customers + name + platform/assets is worth several billion, where is this number coming from?
To be clear: I am young and ignorant. I am trying to learn, not criticise
My estimation is that there is another competitor that they wanted to out compete ... like Facebook paid $19B for whatsapp to outcompete google. The maximum market cap Wiz had was $13.2 Billion. So Google is paying 3x times the price.
> Wiz has agreed to a termination fee of more than $3.2 billion, a source told Reuters, one of the highest fees in M&A history.
Not sure how they can afford this if it doesn't work.
Why? I have a hard time believing the engineers at Google see Wiz as innovative. The front page of Wiz.io reads like a bunch of sales bullshit. I built a security posture dashboard for a competitor and I would not say it's worth anywhere near 1b. Is Google such shit now that runtime scanning in a k8 cluster is worth billions?
Does this mean the Wiz app is now going to include free person category filters for their security cameras? Instead of constantly asking you to subscribe
Nevermind, this looks like a different Wiz.
Can someone tell me what Wiz actually does, I can't make head nor tail of it from their website. Cloud security is pretty meaningless as a phrase
This transaction with an ICC sanctioned country is suspicious to say the least... it's like asking to do business with a Russian company.
Reminder they also bought Mandiant for $5.4B in 2022
Is enterprise security software like consumer antivirus software (i.e. unnecessary (or even harmful) if you know what you're doing)?
"Enterprise" and "you know what you're doing" don't go hand-in-hand. You might know what you're doing, but does everyone else at your enterprise?
Every single devops person who can push a CL to staging (that may not get properly reviewed)? Every marketing whiz who is using a dataviz tool against a cloud storage bucket you didn't even know existed? Every support engineer who is on-call at 2:30am and can fix a customer's problem with one tiny IAM change?
I think that is obviously the case.
That being said, one of the reasons these things sell is that the majority of people sitting behind computers in large enterprises absolutely DO NOT have any idea what they were doing.
Once you get to a certain scale, the idea that you can "just be competent" and maintain high standards and configure your boxes the right way the first time every time becomes logistically impossible.
Liability and insurance also is a big concern for large companies. The ability to blame somebody else for your security failings and check off all the silly boxes is pretty valuable. I'm sure consumer windows antivirus software would become a big hit again if you were for all intents and purposes being legally strong armed into purchasing it.
I have a "wiz" app on my phone that controls my lights. When I read the headline I initially thought it was about this.
Why would Google, a leader in security, spend so much on another security firm? Wiz must have something amazing under their sleeve.
This is just how tech has worked forever. Large established companies are not great at developing new products, so they buy startups. Youtube was a startup. Google Docs was a startup. Hell, Network Address Translation was a startup at one point.
> a leader in security
Google is arguably a thought leader in security, but from a revenue and customer base standpoint? Not even close.
Would be cool if they call the new product G-Wiz.
under rated dad joke. 10/10
Don't do it!
I was wondering why like every Wiz business development person was cold-engaging me on LinkedIn and email last year.
It's like every problem slice I've been solving over the decades as a sysadmin is a huge market opportunity
RIP Wiz team.
That's a lot of speed.
This makes Twitter's acquisition look like an absolute steal by comparison.
Seems like an answer to everyone blaming Firebase, AWS, and other cloud providers for not forcing them to do basic security checks
Wiz will do it.
Always happy to see a good exit, good show.
I've worked with cloud for a long time. I sorta blame myself for not seeing the market for this and not starting up my own company. I was too busy messing with machine learning, but never going much beyond sentiment analysis. Had I also stayed on that path, and maybe had a few million dollars in startup Capital laying around I'd be a billionaire by now ( yes this is hyperbole).
Oh well, time to cry myself asleep as a forever middle class software engineer...
I take it this isn't Wiz the smart bulb company but some other Wiz?
Yeah, I was afraid for a second there. I have a few Wiz bulbs and was hoping that ecosystem wouldn't suddenly die
RIP Wiz. Everything that Google puts their hands on, dies within years.
Anyone here heard of Lacework? Nope. Thought so. This could have been Lacework had Mike Speiser not let his hubris catch up with himself.
I immediately went Ctrl + F "Lacework". Another Lacer! Haha, oh well... maybe at the next startup.
Guess this is what laying off thousands of people paid for.
I went "huh, they're buying the smart light company from Philips?" Different Wiz.
And best of luck to the Wiz folks! Whenever I see Google acquisitions I just wonder how long until they end up in the graveyard listing.
Open money laundering at its finest. Google, a Jewish company, transfers 45x money times ARR to Israel Jews.
Google could have built this in-house.
While millions and billions struggle this is how you do it at high level.
SoonDar goes brrrrrrr.
They should have used that money to buy Perplexity.
Sounds like Google is compromised through Trump to me, by paying more ( in kickbacks) to his backers. I don't think this will help Google in any way. In fact it will probably cost it, as it may be seen as 'compromised' by other state actors. Not a good thing especially when you are discussing security on your platform.
Did I miss it, or did this entire article neglect to say WTF "Wiz" does?
Stock is down, definitely overpaid
the entire market is down today, tech especially
Wiz is an amazing startup. I really like their marketing, it's so funny and it shines in terms of growth!
Congrats on the acquisition!
I had this confused with Wix
Insider baseball IMO.
100% -- many of these acquisitions don't start through the front door.
Mossad plot
Well, crap. Inb4 their cheap and easily hackable bulbs I have integrated to my self-written automation things go to shit.
People who haven't forgotten what happened with Revolv remember.
The Trump admin has shown the same attitude as the Biden admin when it comes to mergers. So why do they think the merger will go through this time?
Because the one thing I don't think you can plausibly say about the security software space is that there is a lack of options.
It uniquely seems to be fragmented and messy compared to most other parts of the software industry (not sure why, just saying what I observe).
So the market situation looks very different to the ones that the DOJ was going after (like Google in ads, if Wiz was a big ad company then maybe the government would be more interested in trying to block it). Wiz isn't even close to having some kind of insurmountably dominant market share in their specific area of expertise either.
A good test for the new Trump DOJ to see how much TRUMP coin and $5 million dinners at Mar-a-Lago will be needed to get this through.
Wiz probably found some big vulnerability in Google, and they are now forced to buy them.
big tech should be forbidden of purchasing anything, especially big 5
The voters disagreed and elected an extremely big tech friendly government.
I'm sure that didn't factor in at all in why the voters voted what they voted.
This represents 32 billion good reasons to build products to serve big techs platforms and customers.
Sherlocking is obviously the risk.
GCP needs Wiz, but whether Wiz can actually save GCP is another question—probably not.
I dunno which VCs invested in them, but whoever did is headed for a very, very big payday.
lol, there's somethin wrong here.
Could've bought reddit with the same amount.
Yeah, does WIZ just have a pile of 0 days that they are sitting on? Or a bunch of data stolen from various cloud providers. This is an extremely weird and suspicious acquisition imo.
Gemini cyberattack exploit capabilities about to become better
I wonder what level of insight Google will now have in to how AWS, Oracle and Azure’s customers use their cloud. Even just in aggregate I imagine there’s some useful data.
The acquisition of Wiz by Google raises some interesting questions about the future of cloud security. On one hand, it could lead to better integration and innovation in Google Cloud's security offerings. On the other hand, it might concentrate too much power in the hands of a single vendor. It will be interesting to see how this deal affects the competitive landscape and whether other cloud providers will respond with similar acquisitions or partnerships.
This reeks of GPT.