288 comments

[ 4.5 ms ] story [ 181 ms ] thread
This is great news !

I use wiz for my home lighting and automation, I'm so glad that google did not buy it due to its habit of killing things that I find useful.

I want my hardware to last longer than the current decision makers employment.

Edit: hah, the site becomes available AFTER i submit so now I can read it.

This is not the same Wiz.
Didn't realize there was a WiZ that specializes in home lighting https://www.wizconnected.com/en-us

Per their About Us page, they are an "IoT platform for smart lighting solutions and smart services" and "offer people connected lighting".

That's actually the only "wiz" I was familiar with in the tech space. They're Philip Hue's budget line for the past 5 years and they've got various partner brands (most the notably Walmart house brand) that use their smart platform.
How are you using a cyber security platform for home lighting/automation?
This is wiz.io BUT I appreciate the enthusiasm
After the acquisition, I think Wiz would have to only focus on Google Cloud which might be a major limiting factor in the company's future. But other than that, It surprises me that, a $23B offer is rejected from the perspective of Employees. IPO won't provide the same level of liquidity opportunities.

I have used Octa and it's a decent platform, not a magical one. Creating a similar platform for Google Cloud should be feasible with the level of Google resources.

> It surprises me that, a $23B offer is rejected from the perspective of Employees

HA! Who asked them? I've never seen a startup ask the employees whether to take an acquisition offer.

Yep. I'm pretty sure just the C suite made this decision unilaterally.
The board makes the decision, but needs management to make things work either way, so management has a pretty big voice, too.
Cause their founders are already Billionaires.

Can you imagine Billionaires reporting to the average corporate robot at large corp?

Which founder is a billionaire? What is their net worth?
(comment deleted)
Oh yes, I fancy that. Quite a lot actually. The joy of seeing equal humans.
Ah yes, the fact that I have the wealth of a small nation should not by any means mean I cannot mingle amongst equal humans who work for me. Just a bunch of equal humans hanging out. How nice and equal indeed!
Far more likely is Google was not willing to complete the deal and was pulling the plug after looking at internal data. Wiz, fearing the bad press of Google backing out rushes to tell journalists that THEY are walking away because they are worth more.

Wiz's valuation is insane. Most people havent even heard of them. I think it was a > 60x ARR multiple on this deal. Id actually be kinda pissed if I was a google shareholder and they went through with it.

Something very strange is going on with Wiz. My gut tells me if they ever IPO to go big on puts.

While I don't have any comment on this instance, in general I think it's easier to hype the public markets who have limited information than it is to type a bunch of people doing due diligence on an acquisition, even if ultimately the latter is still a case of public market valuation through the acquiring public company. This is particularly true in the current age of extremely hype driven retail investing.
> a bunch of people doing due diligence on an acquisition

I bet those people rarely get promoted for preventing an acquisition, though. Probably that is why we see so many crazy acquisitions, in general.

At the SVP level, sure, but at the IC level, I doubt any accountant gets promoted for saying "looks fine", whereas highlighting details that superiors can use to make a decision like this might be something that gets you promoted.

This is a misunderstanding I think many non-googlers have, thinking people only get promoted for launches (or in this case acquisitions). It's more nuanced than that: people get promoted for impact and while launches are one obvious form, you can sell pretty much anything useful as impact if you can show how it's useful. In the case of M&A, avoiding a bad acquisition, if you can justify it, would be impact.

I think the argument is that it's much easier to show impact when you go with the flow and launch a product or complete an acquisition no matter how shitty. It's a lot harder to get promoted for saying that you need to delay launch by 6 months because of some metrics or details even if that would eventually prove to be the right decision.
If only that were the case. I can think of many instances where someone pushing for a bad deal/acquisition/product were rewarded for the visible outcome. Killing a bad idea is incredibly valuable, but I am struggling to think of an instance where that was used to justify kudos. Especially if you are the one who torpedoes a big wigs initiative.
> a bunch of people doing due diligence on an acquisition

Granted, it was nowhere near this scale, but I've gone through this process as the head of Engineering for the company being acquired. At that point, the business had already decided to acquire, so the process felt more about finding any red flags and/or identifying reasons to adjust the price.

For the process itself, the company looked at nearly everything over the course of a few months. Every detail of finances, sales, tech, operations, etc. was scrutinized, culminating with 16 hours (4 for business and 12 for tech/ops) over two days of standing in front of a room with 30 people.

Having done compartmentalized (I wasn't on the team acquiring) technical due diligence two times, my job had nothing to do with if the acquisition was a good idea or not. My job was to vet if they had what they were saying they had or if it was all smoke and mirrors. As others have said, the decision was already made to buy them, I was just vetting that we were buying what we thought we were buying. I also would look for the smouldering tech debt and cost out moving to our tech platforms (AWS). And I'd answer risk but not IP questions for the acquiring manager.

The only way I'd tank a deal was by identifying that it was in fact smoke and mirrors.

(comment deleted)
Add me to the haven't heard of them list. Mind you I almost hadn't heard of Crowdstrike and they managed to brick the world.
Yup the world is big and even though we think we have heard stuff, there are more things beyond that. For example, I know a dev who makes mobile apps and clears 500_000 / month in profit and yet their app isn't really "popular". It is crazy.
Huh, cool.

What sector is the app in, what are some other interesting (non-identifying) aspects of the app that stand in contrast to revenue? Is that in ads, or does the app have in-app purchases et al?

The only way to make that much of money is with dating apps, IMHO. There’s a million out there and some of them make really good money in certain niches.
You are going to say what the app is, right? right?
I hadn't heard of either Wiz or Crowdstrike before... while reading the article I was thinking "$23B? Probably AI! And called Wiz? Yeah, must be AI...". Turns out I was wrong after all...
Crowdstrike is enterprise only.

Do you know of Active Directory? Most have no idea, even though it is a Windows Server feature from 2000.

Some will live a life and even work not knowing.

AD is fairly well known due to its relationship with LDAP and Kerberos.

Samba can act as an AD DC.

AD is incredibly more popular than Kerberos despite part of it using the protocole. Microsoft is everywhere in the corporate world and most people know of AD but have never heard of neither LDAP nor Kerberos.

And to be honest, it's fairly understandable. AD manages to be somewhat turnkey while doing the same thing on Linux systems is a major pain.

What is the usual way of doing this on Linux systems?
Every time I've ventured into it I ended up using Samba to pretend to be Active Directory vs LDAP + Kerberos ...
Using ‘ldap+kerberos’ is like saying your api is ‘rest+tls’. It is a protocol/format. The value in AD is how the format is used and its impact on systems and users. So yes, Samba sounds more sensible.

When I played with it I stayed away from self-managing something like it for linux-only systems and for mixed/cloud/online systems I use Entra Id

OpenLDAP and SSSD via PAM. It’s - well - let’s leave it at not very nice to put in place. It does the job once there however.

I am fairly convinced that Redhat, Novel and Oracle probably have a nice interface on top of it all to make it manageable and therefore have a vested interested in keeping it as awful as possible for the rest of the world.

I don't know what Active Directory, LDAP, Kerberos, or AD DC are. I've at least heard of Active Directory though! The programming industry is vast. I've never touched webdev so I don't know countless things that most programmers know.
Best part is, Active Directory, is not webdev related at all. :)
Active Directory, is not webdev related at all.

If you work on internal company systems in a Microsoft environment it often can be.

It can be when you're supporting AD authentication on an intranet site. I did a bunch of these for government type web apps. Not the most fun to be sure.
(comment deleted)
This is exactly how I felt as a shareholder. There is no real reason to pay this much and it seems like Google is the one that walked away from the deal.
Shareholder in Wiz, or Crowdstrike?
Google wasn't trying to buy Crowdstrike, so Wiz
Eh, more likely OP is a shareholder of Alphabet.
They’ve had some really nice writeups but I always thought they were your generic security firm doing some bug hunting. Recently I happened upon their domain submissions to HN and saw they raised $1b+ and was like wtf? What do they actually do? I mean what are their products that people pay for?

Maybe there are obvious answers to these questions, but if a company is worth $23bn I’d expect that as somebody in the industry, I could answer them without doing in depth research.

This is exactly the kind of gut feeling of “something’s off” that I’ve learned to pay attention to.

https://old.reddit.com/r/cybersecurity/comments/1c1s9r2/wiz_...

> Wiz combines a graph search for asset management with agentless vuln and malware scanning that clones EBS volumes and scans them on their infrastructure. That's a great combo for vuln management, but has some downsides like delays between scans and cloud costs. They have a sensor with solid detection rules, and are okay at a bunch of other stuff like cloud log threat detection and sensitive data detection. They've basically pushed what you can do without an agent to the limit.

> clones EBS volumes and scans them on their infrastructure

Crowdstrike: “you just install a kernel module with ring zero access and we’ll make sure you’re protected”

Wiz: “hold my Red Bull…”

From the explanation here it sounds completely opposite concept, they download the server and check it rather than doing the checks on production environment
Yeah, I was thinking more about the risk of data leaks.
This sounds uselessly crippled, as it's not going to catch malware that doesn't drop anything to disk, or that adequately cleans up after itself if it does.
I would assume they could also dump memory, i.e. `/dev/mem`. Agreed they would need to also do frequent memory snapshots, but lots of malware will also run in the background waiting indefinitely, and often as the same name as common Linux processes but different hashes.
You would need an agent to do this. Cloning EBS won’t dump memory.
The people who have /dev/mem and run this garbage must form a complete overlapping circle.
Even if it’s sitting in the background under a spoofed process name, it can be caught with memory dumps.

Memory dumps are obnoxiously useful for detecting stealthy malware, especially if you do the memory dumps from the hypervisor instead of from the VM itself.

The hard part is parsing :)

A company built during the pandemic, likely peaked following the Solar Winds aftermath.

yup, overvalued

Wouldn't they be giving up a huge breakup fee if that were the case?
Maybe not if the breakup fee is forfeited if due diligence reveals fraud? Not sure.
No, breakup fees are post term sheet.
Well realistically if they have a chance to take on Crowdstrike they might not be wrong to walk away.
On the one hand, even with the post-crash dip, CRWD has a $60.9 billion market cap, there's certainly marketshare to be taken from them. On the other hand, Wiz doesn't have an endpoint protection product (which is what failed for CRWD). They'd have to build one from scratch, which requires dedicated talent (engineers with kernel experience) that they might not have.

If anyone is going after CRWD it'll be one of their other competitors.

These numbers sound like a complete out of world fantasy to me. CRWD has a product that the user is not going to notice, best case. Now you said Wiz doesn't even have that one (what does it have then?)

And their valuation is on par with the whole annually Western support of Ukraine. A country at war and with 30M people in it. That for some completely invisible product.

It is also 17 millions of these most expensive brand new 155m artillery shells.

Crowdstrike does endpoint security (user's PCs and servers too for checkbox ticking reasons).

Wiz does cloud security. The same thing as Crowdstrike, but runs in your cloud environment (AWS/GCP/Azure) to detect issues there.

Different customers, different profiles, different costs and prices.

I just don't see why that should have $23B market cap as opposed to $230M. A small team can challenge them with similar product.
I think this is just a representation of where the money is in the world. Two things:

- stocks are called stocks for a reason, they're not flows. $60bn is effectively an estimate of all future profits of the company over its lifetime

- Crowdstrike generates a return by charging enterprises huge amounts of money to feel secure and tick security boxes (Actual security is questionable). Big enterprises have a lot of money to waste, but they feel they're getting a return on it

- hardly anyone outside Ukraine gets a specific return from backing Ukraine. The same goes for all sorts of other worthy projects of the "end world hunger" kind - there's huge benefits, but not to the people actually spending the money.

>stocks are called stocks for a reason, they're not flows

Indeed, and of course we have Kalecki's famous quip that economics is "the science of confusing stocks with flows"

Pretending that being geopolitical superpower has no direct economic benefits is just silly. If USD lost the status of world's reserve currency it would have pretty catastrophic consequences for US economy.
How do I, as an individual investor, capture the return of sending a shell to Ukraine?

> If USD lost the status of world's reserve currency it would have pretty catastrophic consequences for US economy

.. but for everyone at once. Collective action problem. You've argued why it's in the interest of the US government to tax people and send shells to Ukraine, but this is not an argument for Blackrock to divert VC funding to individual armored brigades.

Very true
It's hard to make a leap from war to company valuation. Also Ukraine support is highly inflated number. If say Ukraine gets supplied with an old design MLRS rockets from US that was slated to be replaced in a few years and had very limited shelf life remaining the number counted is not the market cost of that old rocket (which would be a few 100K) but the 3 mil new top of the line replacement thing that US is producing for itself and Ukraine will never see.
Wiz does not do endpoint security. Different products entirely.
They certainly have resources to expand into that if needed
They’d be competing with Crowdstrike, SentinelOne, Microsoft Defender, and Trend Micro not to mention existing CNAPP/CSPM offerings that have an agent for cloud runtime security as well as other cloud runtime security focused startups.

Adding a runtime security and EDR offering is not going to get them to a $23B valuation.

Sure and many others but outside of CrowdStrike most are not very competitive and being a fresh entry has it's benefits.
(comment deleted)
“Fresh” is the key word. You need to have fresh ideas, and I am certain Wiz doesn’t, as it relates to endpoint security.

I agree Crowdstrike sucks. I’ve been beating that drum for the better part of a decade.

Building a “new crowdstrike” by a different name won’t win.

Honestly you just need to have good marketing and a passable product. The "secret" none talks much about all top tier APT groups run labs and test their exploit families agains all top tier Endpoint solutions. So none of them can stop a determined well resourced adversary but that not in any of the marketing booklets.
Oh, of course. I was that well-resourced adversary (through the USG) for some time. :)

I just mean that if you want to own the market, you will not be able to do that unless you provide something fresh, and it will be a race to the bottom otherwise, in the long run. The same as dynamic web app scanning is today.

At Wiz's valuation, if they were to enter that space, they couldn't be 'just another player.' They'd have to own the space. And I don't think they can do that purely through marketing, as others are already much more entrenched.

It is an entirely different problem with almost nothing in common with their existing product, and there are a ton of incumbents, some of whom are even quite good (Carbon Black, SentinelOne, etc)
There were quite a few of those when CrowdStrike entered there is always room there.
You’re trying to prove a point with no point. Yes, anyone can build anything. There is always room for more contenders when there are existing incumbents. The sky is still blue, and the grass is still green.

But it would make no sense for Wiz to do that, as they don’t have any “secret sauce” as it comes to endpoint security. They haven’t solved the problems that took Crowdstrike down.

It is not in their wheelhouse. It would be a waste of money and time.

Could they? Sure. Should they? Definitely not. It’s a commoditized space at this point, unless they have some new ideas which, if they did, they’d have already begun discussing.

Carbon Black did well because it turned endpoint security on its head. Not because it was a “better AV”

My $.02

I work for a smaller player and we have solved the problem that took crowdstrike down from the get go agent will rollback to previous content version if it crashes on the content related steps. That had 0 value for marketing till now. Crowdstrike has never being at the top of the pile on efficacy of detection either so your idea that market position is even remotely related to some secret sauce is a fantasy.
Hang on, please don’t misread what I wrote as implying that Crowdstrike had some “secret sauce.” They suck, so much. I have been beating that drum for the better part of a decade. (My former boss founded Carbon Black, and my background is in vuln RE and exploit dev/weaponization)

I agree - them being at the top of the market implies exactly nothing about whether their product is any good or has any special moat or differentiator.

All I am saying is to beat them, you’d need something new. “The same as Crowdstrike but we use 2-stage recoverable updates” is fine, but not enough of a compelling pitch to swap vendors en masse. Not even now.

And given that it’s a pretty commoditized space (to which I think you’d agree, at least for “classic” tools), it may not be worth beating if you don’t have anything new.

Endpoint is an incredibly crowded market, difficult to break into unless you really have a solid USP.
> Far more likely is Google was not willing to complete the deal and was pulling the plug after looking at internal data

Wouldn't it be more likely that they would have lowered their offer after seeing the internal data - perhaps so much that Wiz would certainly walk away.

(comment deleted)
Where are you getting >60x??

> For Wiz, a $23 billion sale price was irresistible. Google would value the startup at 46 times the $500 million in annual recurring revenue it currently generates, a person familiar with the matter said.

https://www.wsj.com/tech/how-startup-wiz-went-from-zero-to-a...

I'm very curious about what due diligence found, but we aren't likely to get more info until we see their s-1

Sometimes it's not about the money, it's actually about systems security and the level of which you actually want to build, deploy, and protect great products and infrastructure. 23 billion is a LOT of money. Looking forward to see how the IPO plays out.
> Sometimes it's not about the money

it's always about the money.

Yeah now that I think about it I realize how many times I've said that to people.
Whenever somebody says to you "it's not about the money" or "i'm not doing this for the money"

It's (entirely) about the money.

Well, Wiz's founders reportedly made $10-$30 million each on the Adallom sale. It might be about the money but it's not like they need it.
> it's not like they need it.

you dont know that. when you start getting high networth, you end up comparing yourself to the _even higher_ networth people.

> it's not like they need it.

The love of money isn't driven by need. It's driven by want.

(comment deleted)
Can they just buy all the shares on the open market then?
That won't be all the shares of the company, just a lot of them. And doesn't give you the control like an acquisition would.
If you mean before the IPO, it depends on the stock plan of the company. They may have clauses that prevent trading on secondary markets. I don’t think this is fair to employees personally, but it is the norm for companies to have various abusive forms of control over the options they grant employees.
Once it IPOs?

Wiz might not mind at that point.

But if they did mind, it would be a hostile takeover. The way Wiz can prevent it is by approaching their largest shareholders and asking them to help prevent it.

Depends on what % of the company is put on the market. Could Google buy every available share if they are willing to spend enough money? Sure. But if there are not enough shares on the market to give them a controlling interest they still can't hostile takeover that way.
Relatively few shares will be on the open market. If these few shares are sought after (bought by Google), the price will go way higher as more shares are bought out by Google. It's possible to mount actions where things are kept "quiet" and "hard to notice" (See Hermes vs LVMH a few years ago in France) - but even then it can fail (it did). Overall no, you can't buy the whole company at anywhere close to the stock market "market cap". It "works" when the acquirer gets control (enough shares to eventually vote out the current board leadership.)

What sometimes does work is to make a formal offer to buy all the shares that are presented, at some price quite a bit higher than the current market price. Sometimes that works. Occasionally that works for very little above the current market price.

I doubt it since this would be seen as a hostile takeover. They would then issue more shares in response to the takeover attempt.
Founded in 2020, with a $23B valuation, aiming for $1B ARR?

CloudFlare is worth $26B and had ~$1.3B revenue last year. Something's fishy here.

Look at their financials, CloudFlare might be popular among the HN crowd but the stock is massively overvalued. At the end of the day they are a commodity CDN that somehow can’t run a profitable business.
And now with their bad hiring practices and shady business deals they might not be popular among HN crowd for long too.
Yeah nah... they have great products and their primary business is allowing them to enter markets where other companies can't compete. The valuation is based on potential not the business as it stands today.

And to your point they are popular with the HN crowd which is usually a strong indicator.

(comment deleted)
I think GP's point is that wiz's valuation makes even less sense.
I did look at their financials - 77% gross margin with 30% revenue growth. Much higher than “commodity cdn” can command. If they cut marketing and r&d they’d be bagging half a b a year in profit but they are investing in growth as they should because it’s working
Cloud flare will still be the internet in ten years, while Amazon will just be Walmart,
Amazon is the internet too. The us-east-1 outage in 2023 took down a lot of stuff.
AWS is making $100+bn per year and growing at about 20% per year.

Good job, "Walmart"!

WalMart has a market cap of almost 600 Billion dollars. Weird dis.
It’s even weirder since Amazon is at $2T, and has long been worth far more than Walmart.
Well, not weird, you got it exactly! Thats the point :) It would be "just Walmart"
cloudflare is a commodity CDN, amazon is an ecommerce site
They have a lot of products.
Because they have so many using their cdn functionality they can upsell them on other products such as domain registration, video streaming, s3, etc
So they have similar valuation and ARR as Cloudflare. What is fishy?
Cloud flare has it, they are aiming for it. Definite income vs possible income cannot be priced in the same way, assuming the CF valuation is justified.
Cloudflare has a much smaller ACV than Wiz, as a CDN play is very different from a CNAPP play.

Wiz also has amazing product market fit (almost everyone who's used it has raved about it).

And in the hierarchy of needs, it's easier to place infra security over "yet another CDN"

Wiz hit 100M in mid 2021 and 350M ARR last year; now they're going to automagically get that to a Billion in a much tougher climate?
They have amazing product market fit in the security industry and a lot of dry powder.

They've already started developing an M&A strategy and are closely linked with Gil Ranan of Cyberstarts

Valuations have always been more about potential than about current state in startup world. Wiz is 4 years old and already at $350M ARR, that's a meteoritic rise.
Meteorites crash & burn, honestly, what is a "meteoritic rise"?
Fast enough to cash out at highly favorable and ambitious valuations while the ARR trajectory supports it. You’re selling potential, you don’t have to deliver; that’s the next team’s problem.
Wiz: Got to 350m ARR

Hacker news: "you don't have to deliver. That's the next team's problem".

Apparently 350m isn't enough to prove potential.

It's certainly not enough to justify a $23B valuation target, or even $12B assuming reasonable multiples in the space (average is ~15x in cyber tools and controls). Lacework went from an $8B valuation to $200M–$230M (first with Wiz attempting to acquire, and now Fortinet at the valuation I mentioned, roughly ~2x revenue, ~3x if we want to be generous). A case can be made that Wiz is a more mature platform and Lacework is a fire sale (which it is, but also not a great sign for the rest of the space), but I'll argue a lot of Wiz's revenue is likely premium pricing with current customers that can cram them down on at their next renewal cycle, and the TAM is simply only so big (with competitors being as, if not more, resourced to compete and stay ahead).

You can't grow into something there isn't room to grow into.

https://techcrunch.com/2024/04/18/wiz-is-in-talks-to-buy-lac...

https://www.forrester.com/blogs/fortinet-acquires-lacework/

meteorites shine briefly, swiftly, and suddenly

so i guess as an adverb it relates to how quickly the rise is happening and how hot/bright it burns

Not even knowing about Wix until today, I had no idea what to make of it, I wasn't trying to be snarky with that comment.

I was actually interested to know what they meant because it sounds like saying: "let's take a walk down to the top of the highest mountain".

Wix, on the other hand, is a website builder, not a cyber security firm.
I did mean Wiz. I guess my brain just substituted that. I guess I'm at least familiar with the Wix name in that I saw ads all over the net ~a decade ago?
Not understanding an idiom is something you should just discuss with ChatGPT, it'll set you straight, show you the ropes, right your ship, and whatnot.
I very much doubt that. This as a phase doesn't even seem to exist online till today, even much less as an idiom, telling me the equivalent of "just google" for someone specific's thinking is entirely unhelpful.

I wasn't interested in what ChatGPT can hallucinate or even output. I was after Voloskaya's context, Voloskaya would be the one to provide this insight, which is who I chose to ask for that.

The actual spelling is "meteoric rise", so that might be why.
It is indeed. Thank you.
Genuinely asking here; have you really never heard the phrase "meteoric rise" before?
Yes, all the time. It is a common idiom, especially in history books.
It's easy to miss the difference between "meteoric rise" and the OP's typo, "meteoritic rise".
Also easy to recognize that it was a typo and interpret it as intended.
Indeed even gpt-3.5-turbo recognizes the typo and gives a proper explanation. Can't wait until everyone has an LLM baked into their device that makes submitting stupid content a two step verification.
> I very much doubt that.

Might want to update your priors, I put your exact comment into ChatGPT and it handled it flawlessly.

Is this your first day or are you looking to be snarky?
It's a rise about as far as a quantum leap
Their last raise was two months ago at a valuation of $12bn. Google was offering a premium to take them off the market.

https://techcrunch.com/2024/05/07/wiz-raises-1b-at-12b-valua...

Likely offering a very large premium to offset the risk of antitrust holding up the deal.

The Activision-Blizzard sale was at a premium of around 60% from stock price ($56 per share trading the day before the announcement, compared to $95 per share offer). Wiz was offered a premium of almost 100% on latest valuation.

Both Wiz and Google know that the FTC will hold up the deal, and in that time, Wiz has to convince customers not to jump ship (Google will likely not support AWS forever), and risk that the deal falls through - in which case they've gone a year without momentum.

If they really believe they can make a strong IPO, and keep growing past IPO, their decision makes a lot of sense.

You raise an important point. To me, pre-IPO "valuation" is mostly VC bullshit. Remember WeWork's pre-IPO valuations??? Jan 2019: 47B USD! What really matters: Post-IPO market cap, as long as there is significant float. (See VinFast IPO with a ridiculously small float.)
Why settle for a measly $23B, when a successful IPO will get them 10x that?
There are a lot more factors that they will be subject to in an IPO that I think they could have avoided through this deal. IPOs/Stock market has not been kind to companies that do not have great margins and the current rumor mill has Wiz spending quite a lot in infrastructure costs to power their platform (a lot of it is built on Neptune and snapshot data transfer/processing is costly).

At the end of the day there were a lot of employees up and down the organizational chart that would have been very happy with this deal. So I wish that we could see the inner workings of what went wrong.

The constant rumor mill around Wiz keeps turning, and one starts to ask if there are nefarious actions at play.

Could it be cold feet or fallout from the Crowdstrike debacle?
https://www.calcalistech.com/ctechnews/article/b1a1jn00hc

> [Cyberstarts] has a portfolio of only 22 companies whose combined value is $35 billion. Five of these companies are unicorns, first and foremost Wiz, which seems to be breaking all the rules of growth and success and setting new standards in the industry.. In all three of his funds, Ra'anan shows an internal rate of return of more than 100%, an unusual figure even for the best funds in the world.. The first sales come from the loyal CISOs who work with the fund.. The whole CISO advisory committee issue has gotten out of hand for corporate America.

https://www.calcalistech.com/ctechnews/article/hjpwti2dr

> Wiz announced two months ago that it had raised $1 billion at a $12 billion valuation, bringing the company’s total funding to $1.9 billion.

The first link alleges that Cyberstarts pays kickbacks to CISOs who buy their products. Is that legal?
It's definitely not uncommon. Illegal? Should be, the question is how they got paid and for what. There are so many C-level shills these days, it's sickening.
Everything is securities fraud, so a payola consortium pumping Wiz through funding rounds sounds bad. Wiz is great, so the question is if they are > $23B great, and how they got there. And more so, why would a gov prosecutor bet on this case over others, or a private investor who has shares & reputation at risk.

OTOH, maybe The Honest Services Statute where CISOs violate their fiduciary duty by prioritizing security/risk budget & focus to a VC paying them. I don't see most impacted companies making this public vs a warning or voluntary resignation.

It clearly happens a lot, but the only successful prosecution I remember was at Netflix: https://www.justice.gov/usao-ndca/pr/former-netflix-executiv... . A funny thing is the VC is doing all this semi-officially: many but not all of the illegal bits go away - the gov has less to prosecute on when everyone files their taxes accurately !

It's not a kickback because Cyberstarts is providing 'points' which eventually equate to carry for them as advisors to the startups in the fund, to which they donate their time, expertise, and so on.

The implication, you could argue, is that that also includes purchases from the startups, but that isn't at all a requirement of the program, at least as far as anything legal is concerned, to my knowledge.

That said, it makes sense that if you're advising companies that are building products with your advice in mind, they're going to be solving problems you need solved, so you're more likely to buy from them. The fact that you have a good working relationship with them already is a bonus, of course.

That's the optimistic view.

The cynical view is that it's no different from drug companies paying doctors to shill their pills.

From the start this seemed more like a PR move from Wiz than a real offer.
Lots of companies have regretted passing up on an acquisition, especially one this large and of a company this young. My bet would be that this company is making the same mistake as Yahoo, Groupon, etc.
A lot of them didn't, ie, Facebook, Google, Twitter, Netflix, Snapchat.

I wonder if this rejection is related to the CrowdStrike incident. Are they expecting or already experiencing a significant influx of new clients? I'm unsure if their services overlap, just curious.

tbh, Google itself rejected the acquisition.
Snapchat is still not profitable and doing very poorly in the public market.
The offer was for $3 billion. They are worth $24 billion today…

In absolutely no world would have taking that offer been the right decision.

23B is a staggering number for a 4 year old cyber security startup with 900 employees
As with most things in tech, time served is pretty much irrelevant. If you do something valuable fast you can build a lot of value quickly.
You can build a lot of perceived value, as we've learned from so many acquisitions becoming hot potatoes a few years down the run.
That's 800 employees too much.

The reason why tech sucks these days is because everyone over hires and empire builds.

Sales. They have huge ARR after a few short years because it’s a sales org with a few engineers scattered about.
So not a tech company. Fair enough.
Too much to build the product, but you need researchers (check out their blog), marketing, sales, solutions engineers, support, legal, accountants, etc.
That's a big claim. Have you seen their product? It's basically a collection of 10-15 distinct cloud security products - CDR, data classification, vulnerability scanning, asset inventory, etc. etc. etc. all working together.

Each one of these is a 50-person company on its own.

Quick build your 100 person company and beat them. It's still early days for them, and you.
It isn't unheard of in the tech world. WhatsApp sold itself for $19 billion in 5 years. A lot of people thought it was outrageous when facebook bought whatsapp for $19 billion. Today, everyone views it as a great investment.
Major respect. I can only wonder what it feels like to possess that intense confidence. The appeal of 'a bird in hand' would almost certainly overwhelm most of us.
(comment deleted)
I feel like I am uninformed.

Can someone provide some background?

Who in the fuck is Wiz, and why in the fuck might anyone think that they're worth 11 figures?

I've been waiting for the Silly Valley insanity to stop for about the past 15 years, but its like its been permanently stuck in 1999 mode. With a few brief hiccups like Juicera and Theranos. I guess VCs just don't have anything better to do with their money, than throw it at a wall of shit and see what sticks
Im afraid its been 25 not 15 years since 1999 ;(
Whoosh… that's the entire point you missed right there.
… what was the point? I missed it too!? VCs returns looking like power law investment in the back end / mud on wall in the front end of a fund?

Or that the author has been waiting for VC investment to stop? I don’t understand what he’s trying to suggest.

The dot-com bubble? Which ballooned in the late 90s, then burst, with investment not returning to 1999 levels for about a decade (also thanks to the 2008 financial crisis).

Their point is that we've been stuck in 1999 for 15 years, and not the decade before that.

Disagree all you want, but “it's been 25 years since 1999, you fail at math” makes no sense as a rebuttal.

In a ZIRP era, they'd be non-optimal to do anything else.

80 failed projects is still a +ev outcome for a VC if they hit their 100x proposition on the 81st.

Instead of old-school installing agents to run on your VMs Crowdstrike style, with all the maintenance, performance and crash-the-world risks that entails, with Wiz you can clone your EBS volumes and examine them for vulnerabilities at your leisure. It's a neat party trick, but I'm also not convinced it's worth 11 figures.
> with Wiz you can clone your EBS volumes and examine them for vulnerabilities at your leisure. It's a neat party trick,

wouldn't that constitute forensics instead of EDR?

meaning that they can't catch attack immediately?

[flagged]
>Wiz’s founders previously built security startup Adallom, raised money from Sequoia and Index and sold the startup to Microsoft for $320 million in 2015.

Copy, Paste and ask for 70 times more?

Totally different business, problem and solution. You should read abit before commenting like that.
I think there's some behind the scenes drama. It takes a LOT of time and investment from both sides to build up to a $23B offer. I wonder if there was something some Alphabet exec did to piss off the founders. Or Wiz was stringing Alphabet along to hype up the IPO.
(comment deleted)
> The company hit $100 million in annual recurring revenue after 18 months

That's fast... Is that 18 months after launch or literally 18 months after starting development?

Your quote from the article, is a link to another article, which provides the answer:

> The cybersecurity software vendor said in August that it reached $100 million in annual recurring revenue after selling its product for just a year and a half.

So that's 18 months after formal launch. Since we don't have their financial statements, you can only guess wether this is the value of signed deals or a review of actual recognized revenue for those 18 months. I suspect the first.

Why would Google even consider this? They're an advertising company and haven't really made any money from anything but advertising. What would they do with this?
I suppose they'd add this to the GCP family of products, same as Apigee.
Maybe this was about advertising after all ;). I now know there is a company named Wiz.
Adding a cloud security offering to your existing "cloud infrastructure" suite makes sense.

Buying a strategic complement where you can multiply the company's ARR overnight by integrating with your own suite makes sense.

Or commoditizing this complement by offering it for free as a differentiator to competitors (Azure, AWS) would also make sense.

Plenty of options to choose from.

sometimes it works snapchat rejecting facebook offere which is worth more now, sometimes it doesn't groupon rejecting googles offer.
Fun fact:

> Wiz was founded in January 2020 by Assaf Rappaport, Yinon Costica, Roy Reznik, and Ami Luttwak, all of whom previously founded Adallom

> Adallom was founded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, who are former members of the Israeli Intelligence Corps’ Unit 8200

https://en.wikipedia.org/wiki/Wiz_(company)

8200 veterans are highly sought after, and you can probably get a blank check from any VC if you have that on your resume.
Most likely reason is FTC. Wiz integrates with big 4 cloud providers. No way FTC is allowing Google to take control. JD Vance's nomination and support for current FTC chair(Lina Khan) doesn't help.

Current FTC is good(personal opinion) from anti trust point of view but maybe bad for startup exits[0].

[0] https://x.com/ID_AA_Carmack/status/1812978264484552987

If they’re actually worth anything near $23B they can just go public. I’m sure they’ll be fine haha
Wiz has tons of competitors, and Microsoft is one of them, so are Palo Alto Networks, Tenable, Crowstrike, SentinelOne, etc... Wiz is definately a leader but are in no way a monopoly, so I do not see this as an FTC play to stop the deal.
I think the antitrust argument is more about preventing Big tech from getting even bigger rather than directly related to Wiz.
Can someone explain to me how a young security company with few employees can be worth millions?

It's not like Google is after they client list, they would probably limit them to Google services after acquisition anyway.

> Can someone explain to me how a young security company with few employees can be worth millions?

I assume you meant to say billions, since this is a $23B offer they turned down.

If I had to positive spin on the valuation: it's chump change if Wiz (who seem to be a very capable cybersecurity firm) are able to integrate themselves deeply into Google's infrastructure and secure it up the wazoo, since a 5% cost to Google's share price for reputational damage caused by GCP getting r00ted would be ... 5% of Google's 2.25T market cap ... $112.5B.

cf. Crowdstrike's share price after some bad news: they are down 30% over the last five days.

> cf. Crowdstrike's share price after some bad news: they are down 30% over the last five days.

The stock is recovering. Traders have short memory. By the end of the year, it'll probably be $400 unless there's a huge class action against them that starts looking really bad for them.

I had a quick look and it seems to have recovered nominally today - 2% at most. If you look at the 5D and 30D view it seems to have taken a beating and is now flat.
Yeah, I think the slight uptick was people believing it will make a full recovery and buying the stock since it's on a heavy discount.