950 comments

[ 3.5 ms ] story [ 371 ms ] thread
Wow. That's a huge amount for Cybersecurity.
Anyone got a sense for where the value is in Wiz? Revenue? IP? Any customers here?
People seem to really enjoy their product, which is very uncommon in the Enterprise Security Tools space.
Next year's revenue estimated to be $1B, so definitely real money there but that doesn't speak to value... 32.0x is wild
Data for nation state espionage and industrial espionage?

Whoever owns Wiz obtains read only access to large company and government cloud networks. Even in the Wiz outpost model where the scanning engine is deployed into the user's own cloud network, results from scans are sent back to Wiz Cloud, and this includes sensitive information such as "Installed packages, Exposed secrets, Malware detection".[1] For an example real world deployment, GitLab SaaS public documentation expects the "Wiz Runtime Sensor" to be installed in every container.[2] This Wiz software requires highly elevated privileges to a level that the GitLab security risk assessment only briefly describes.[3]

The data Wiz collects on customers appears to allow answering of queries such as:

1. Which containers of government agencies in country X have the xz-utils library installed? Of these containers, what other software is installed alongside? How many of these containers are exposed to the Internet, directly or indirectly?

2. Which government agencies in country X have a publicly exposed service vulnerable to CVE-20xx-xxxx?

3. For top 200 companies, plot the popularity of AWS or Azure service ACME123 over the past 12 months compared to competing Google service ACME456.

Aside from security risks of having sensitive information of entire governments or large organisations hoovered up by Wiz, use of the "Wiz Runtime Sensor" also includes the risk of an incident similar to the failed CrowdStrike Falcon Sensor update of 2024.

The criticisms above are not specific to Wiz. There are many other competing products/services with similarly poor architectures and lack of protection of sensitive IT system information of governments and large organisations.

[1] https://cloud.google.com/architecture/partners/id-prioritize...

[2] https://gitlab.com/gitlab-com/gl-infra/readiness/-/tree/mast...

[3] https://github.com/wiz-sec/charts/blob/master/wiz-sensor/tem...

One wonders if $32B spent "pluggin' up the holes" would accomplish more. A lot of open source code could be rewritten at this price point.
But not by tomorrow. Google is trying to pay their way into cloud leadership. Because they can’t catch up organically.
They're paying mostly for Wiz's customer book, who they will quickly alienate and drive to competitors.
Paying $32 billion dollars for a customer book with no network effect is insane
A lot of "holes" are misconfigurations. Not sure how rewriting open source code helps with that.
Imho, and as a xoogler who's been in Google Cloud's ecosystem the past few years, Google Cloud's three big focus areas have been AI (this is an evolution from their historical focus on data, then also analytics), Distributed Cloud (Anthos++) and security (post the Mandiant acquisition). They'll never be able to compete on base infra, given their late entry into the game, lack of presence in certain markets, and the lock the competition has in some industries (Azure in industrial/mfg, AWS in pharma, etc), and they know that, so they've lately been focused on what they believe they can control. One of those things is the narrative that Google Cloud is the most secure cloud.

It shouldn't be overlooked that acquiring Wiz is also a way for Google to secure a beachhead in half the Fortune 100, many of which are "enemy" territory.

The price is high, but there aren't many options available and Wiz has the advantage of being built on Google Cloud natively, and already have Marketplace integrations completed.

https://cloud.google.com/customers/wiz

I can't help feel like this will be rolled into GCP and quickly lose support for Azure and AWS and then just die. That's a lot of money to spend to kill off a business.
GCP has been doing more multi cloud stuff lately though: Anthos for K8s in other clouds, BigQuery Omni for bigquery in other clouds
They even had a whole campaign recently (maybe reInvent?) that said something to the effect of “we know we’re you’re second cloud”
I rolled out their "workloads for AWS" stuff recently, it was pretty slick to be able to have AWS IAM roles just translate to GCP roles. You don't have to run your own CA like you do for AWS Anywhere.
that would immediately shed half the value of the company and Google would need to book a huge loss

e.g. half of Fortune 100 use Wiz and I assure you most of them do not use GCP (or do not use only GCP)

That hasn't stopped them before. Fitbit and Nest, for example. Granted, this is an order of magnitude more money to waste. Maybe they'll come up with a better strategy this time.
Neither of those are enterprise products, though. Looker, as a better comparison, is still available on AWS and Azure.
Google doesn't have a strong record keeping enterprise products around either. I would expect them to absorb this product, release a similar product based on the technology but fully integrated, then sunset Wiz asap.
half of Fortune 100 use Wiz

gonna need a citation on that. All I could find was their own quotes.

it's obviously from their own quotes but you can get most of the names in their various customers use cases, joint PRs and the likes (and those required the customers' direct approval )
I would think the majority of f100 is multi cloud and absolutely uses GCP for at least some workloads.
"(or do not use only GCP)"
I don't think that makes much sense in business. They want to move customers from competitors and as an underdog you need to provide some migration path. You don't get these kind of system integration freely. Provide your service in competitors to smooth their transition path but keep the latest and best features in GCP. This was the idea of k8s.
I'm slightly baffled by this acquisition but arguing against you actually helps me make some sense of it.

If Google wants to be "the best of the best" at security and some set of potential customers use Wiz as their "best of the best" security, then this is a way to convert those customers to Google.

Consider some org that prioritizes security, like at the board level. They maybe don't really care about the nickel and dime cost of AWS vs. Azure vs. GCP since it comes out to 10s or 100s of millions of opex in the end. What they do care about is the cleanest record possible with respect to security. And Wiz is a key component to their position on security that is communicated to investors - it is a social proof that they are taking security very seriously.

This now becomes a tool for Google when trying to win their business. By degrading the value of Wiz on AWS/Azure/Oracle/Salesforce they are taking away that bullet point on security for a subset of competitors customers. And that may entice some of them to move their entire cloud service to GCP. So whatever revenue they lose on the Wiz side from a dozen or so cancellations they would hope to make up with a few 100 million dollar whales.

I just find it hard to believe that enough whale level cloud compute business will be generated in this way to justify $32b. This is really the best take I have on the acquisition and it feels unsatisfying, as if there is some other decisive information that would provide a justification for such a valuation.

Maybe there is some government mandate coming down the pipeline that isn't very public yet? Some kind of legislation that will force companies to adopt stricter security policies? That could precipitate the kind of changes that would justify this kind of massive valuation.

Customers will not start using GCP more instead of AWS for example just because Google owns Wiz.

Degrading Wiz capabilities on AWS/Azure/etc will not drive more customers to Googke. CSPM and cloud workloads don’t go hand in hand. What will happen is that other companies will capture the market share left by Google. Will the offerings be less then Wiz quality-wise? Sure, but it will be way cheaper than moving to GCP.

The best option will be to leave Wiz as it is - standalone.

> a way for Google to secure a beachhead in half the Fortune 100

If that is their objective, they will fail again, since this is the land of good account management. Being able to call somebody on the phone if required. Something AWS excels on, Microsoft a little bit, while Google is rumored to have humans working there, but they are rarely seen.

This is such an underrated weakness of Google. When I was working at AWS ProServe, we never even took GCP as a serious competitor. Their customer service, acount management and enterprise sales team was so horrendous it was laughable.

I don’t think we even had talking points about why AWS was better than GCP like we did Azure.

what drives me mad is that it's not even underrated! everyone knows, everyone has been talking (and complaning) about this for something like 15 years!

I personally know of 2 big GCP customers who, over the years, left GCP because of this and the impact it had in critical situations. This very feedback was given in both cases to people considerably high up on GCP's ladder and... nothing's ever changed.

I'm sure plenty other big migrations off GCP provided the same feedback, to no avail.

When Diane Greene first and then Thomas Kurian became Google Cloud CEOs people thought that finally, due to their previous experiences in very Enterprise-aggressive companies, they would improve massively on that front.

Did they improve the situation? a bit. Massively? bringing GCP finally on-par with anyone else (not better than anyone else, just... the same)? nope, not even close.

Google is, at its core, an advertising company that tries to disguise itself as a technology company. When necessity calls, they will undoubtedly elect to divert resources towards their core business and away from their hobby projects (which GCP is).
I think you'd be quite surprised by how big it is inside Google. & Kurian won himself a lot of favor when Cloud figured out how to make sure it became profitable in Q2? 2023.

It was the last Google organization to have a genuine sustained hiring spree and didn't face nearly the same amount of cutbacks

(comment deleted)
Yep. That is top of my list when choosing a cloud provider.
Google simply does not have a culture of giving a shit about people's experiences with their product. If you are having a problem you better either have that problem so frequently and severely that it shows up on whatever monitoring system they're using to evaluate release health, or you better get comfortable with it for the long haul.
Why do you think some of the largest companies are using GCP though? If there customer support is really that atrocious, what is the explanation?
>and security (post the Mandiant acquisition)

As a Googler who works in GCP security, security has been a key differentiator for GCP long before the Mandiant acquisition. Google invented BeyondCorp (a primary driver of Zero Trust). Google helped create security keys (U2F, FIDO, Webauthn), and was I think the first major company to adopt them, both for employees, and for consumers. Google was one of the first major companies to offer a bug bounty, in 2010. Google's Project Zero searching for vulnerabilities in other companies'/organizations' software I think was pretty much unprecedented when it was created. Look at the number of times other tech companies get hacked compared to Google. Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".

Disclosure: my thoughts are my own.

> Look at the number of times other tech companies get hacked compared to Google.

Your whole post is confusing Security of the Cloud with Security in the Cloud. And conflating GCP with Google but those are just examples of why GCP has such a small market percentage.

The security of GCP rests on the security of Google. If Google gets hacked, GCP customers are not secure.

Additionally:

Google offers BeyondCorp products as GCP products. A big example is IAP. Do AWS and Azure offer something like IAP? If so, I think they were created in response to IAP.

Another Google/GCP security product related to zero trust is Chrome Enterprise Premium: https://cloud.google.com/blog/products/identity-security/int... .

Another innovative GCP security product is VPC Service Controls. Do AWS and Azure offer something like that? If so, I think they were created in response to VPC Service Controls.

Security keys: I mentioned in my previous comment how they're used by consumers (that includes GCP customers). GCP is making MFA mandatory this year: https://cloud.google.com/blog/products/identity-security/man...

Bug bounties protect GCP customers by making sure GCP products don't have vulnerabilities.

Project Zero protects GCP customers by finding vulnerabilities in products that GCP customers use (although it also finds vulnerabilities in products that AWS and Azure customers use).

When Microsoft got hacked by China in 2023, China stole Microsoft's signing key, and used it to mint tokens to impersonate Azure AD users of Microsoft customers. That's relevant to security in the Cloud.

GCP products are also recognized for security:

https://cloud.google.com/resources/forrester-unstructured-da...

https://www.varonis.com/blog/forrester-wave-data-security-pl...

https://cloud.google.com/blog/products/infrastructure-modern...

https://cloud.google.com/blog/products/identity-security/goo...

https://www.teradata.com/press-releases/2020/forrester-2020-...

To me, the security posture of Android (esp, the Pixels) & Chromium stands out as an outstanding contribution to humanity (given the reach of both those platforms).

> Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government).

Do they mind if they're legally "hacked" by a (Western) govt? All that security sophistication couldn't prevent LEAs from owning us all, unfortunately: https://therecord.media/google-refuses-to-deny-it-received-u... / https://archive.vn/mzZtI

Having previously used AWS, I would also say that GCP IAM is much better.

Yes, it's a lot less flexible than AWS IAM, but complicated IAM policies with conditions and stuff can be really hard to reason about.

Disclosure: my thoughts are my own.

That is insane. AWS has more complicated policies, GCP literally lacks ability to even have easy security posture in many cases.
That's quite the claim, can you provide an example?

GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.

I'm afraid it's something I need to agree with.

So many areas where resource-based conditions just do not work with particular GCP product offerings and you're forced to give out much broader access than you should be giving out. It's half-arsed and prevents you implementing PoLP.

AWS has a steeper learning curve here, but I've never been unable to constrain down e.g. access to an SNS topic in the way I want to.

Feel like AWS is the opposite. It’s often a pain to go as granular as you can go.
In GCP there are many tier-1 services where that is not even possible. It's also definitely gotten way easier to do this using IaC etc.
The best way to use AWS IAM policies is to not use them at all.

AWS allows to use multiple accounts easily, and accounts are (by default) completely isolated from each other. That's actually how services work internally at AWS, it's not uncommon for a service to have hundreds of AWS accounts (one for each region multipled by the number of environments).

It's not so easy with GCP.

I think this is also a good argument for why it is beneficial for society that Chrome stays in Alphabet; Google is good at some things and bad at some things - that people have access to a reasonably safe browser for free should not be underestimated
Adding to it: deps.dev, osv.dev, SLSA (all are either free or fully open source) Google has been great contributor to the AppSec and Software Supply Chain community. I just pray daily that the “google graveyard” curse doesn’t touch these important projects.
> (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".

There was one other time Google was hacked by a major government that also spurred massive internal security posture changes! https://en.wikipedia.org/wiki/Snowden_effect#Tech_industry

As a GCP user, my view is that Google does Googly things and hopes others will use them. And if not enough people don’t buy into whatever Google builds because it is built by Google, they will cancel it.
Even before the Mandiant acquisition they integrated Chronicle into Cloud. It's clear that they were focusing on security very early on.
Nobody Beats the Wiz is great, but $32B is so much money.
Could have gotten a better deal for Crazy Eddie
The Craziest part about Eddie was his business plan. Steal from your own company for 10 years, take the company public, gradually reduce your stealing over the course of 5 years to show a rapidly increasing profit margin, sell company to a hedge fund and cash out the profit. Then, go to jail for 8 years.

https://www.financialpipeline.com/financial-scams-the-too-cr...

(comment deleted)
Can anyone with security expertise clarify what Wiz actually does? Is it a legitimate company or is it fuzzy consultingware?
Wiz uses various API's via read access in your accounts/orgs/subscriptions to assess risk of configuration.

They also snapshot your disks, cloning them to Wiz accounts to provide secrets scanning / vuln scanning / etc against your infra.

These resulting risks / findings are scored and provided in their SAAS Wiz console via dashboards / APIs / integrations with remediation guidance.

> They also snapshot your disks, cloning them to Wiz accounts

I can see how that could be worth $32B.

They were the one's to first report on DeepSeek's recent data leak, and they've found a few others.

One exploit I remember Wiz finding was "ChaosDB". A flaw in Microsoft's Cosmos DB allowed anyone to use the default-enabled Jupyter Notebook to basically dump and modify anyone's databases, without authentication. Full admin access.

Would also be interested in this. I don't know anyone who uses Wiz. Google says they had 350 million in revenue last year, aiming for 1 billion this year. So 100x revenue TTM. Crazy stuff.
FYI we don't really value companies on a TTM basis so 32.0x Revenue would be the right multiple to quote
That's because A) big companies that use it don't really like bragging about their security tooling, lest it be used to better profile their infrastructure by attackers, and B) it's basically enterprise-only and insanely expensive.

Source: worked for a large enterprise company that used it, and I loved it. Phenomenal tool, will be a shame to see it die (or at least its non-GCP aspects wither and die) under Alphabet's ownership.

Basically give it read access to your cloud account, and it will scan all of the resources to identify potential miss-configurations. Identifying CVE in software is one thing, but it's identifying incorrectly configured resources that would otherwise be secure can dramatically reduce the risk surface.

A lot of cloud providers already have little hints like "hey - did you mean to create this account in God mode?" or "It is recommended not to create this god mode json key file" - Wiz is taking this to the next level of detail

It is a very legitimate tool. It identifies misconfigurations and vulnerabilities in cloud deployments. Anything from a container with a known-vulnerable package in the manifest to a workload with improper firewall rules.
Isn't this what tool like MEND or Black Duck (formerly Synopses)?
I understand those (I haven’t used them) to primarily be about software composition analysis. Wiz does that, but they are mainly known for Cloud Security Posture Management (the “you have an exposed S3 bucket”, “you have a workload with no inbound firewall”, “etc.”) and integrating things like SCA to increase alert fidelity (do you care as much that a workload has an inbound ACL allowing MongoDB connections from the Internet if the workload isn’t running MongoDB?)
Wiz is closer to the CNAPP field instead of the software composition analysis tools you mention, Snyk would fit here for SCA.

Sysdig, Palo Alto's Prisma Cloud, or a few others compete with Wiz's CNAPP offering. Wiz also strays into some SCA and SCA-alike tooling for containers, code or XDR with their CDR/XDR products log ingest and agents available for response/quarantine.

(comment deleted)
It’s a security-as-a-service platform that monitors whatever clouds or systems you plug into it for security vulnerabilities, but is built specifically for public cloud service providers and their workloads. I quite liked the product, as it would notify my team of erroneous configurations, outdated AMIs, exposed ports, vulnerable workloads, and whatever custom policies we setup (e.g., SSH open between VPCs in AWS, rather than via a Jumpbox).

I loved the product when I used it (huge improvement over Nessus), and am immensely disappointed Google owns it as it means I’ll have to find something else going forward. This is the sort of acquisition a regulator should block, because Wiz really is best-in-class at what they do for every cloud they support, and customers benefit more from it being agnostic.

My last company used it to complement other cloud security scanning products. It’s probably a bit of an understatement to call it a scanning tool. It was easy to integrate with our other systems so we could assign vulns to different teams.
Wiz seems to only be about 4 years old, as per wikipedia. That valuation in such a short amount of time surely must be some kind of record? Or am I missing something?
~5 years by now. But there is a bit of fine print. The founders all founded another cloud security company in 2010, which was acquired by Microsoft. They were all graduates of Israel's famous Unit 8200. So while the literal company was founded in 2020, it is very likely a lot of both the knowledge, expertise and quite possibly product was already in development before it.
yes, every 8200 founder i know already has the next product ready to launch in alpha the day after the time limit on their previous acquisition runs out
You joke, but something similar happened at my old company, and I suspect it's relatively common for serial entrepreneurs.

The founders, who are now flush with cash, time and ideas; are quickly speedrunning the steps creating their previous company, in the same market, but now with more access to capital and employees from their previous company who would rather work for a startup than a large conglomerate, while fixing all the mistakes from their previous venture.

I 90% meant that it was the skills, industry knowledge and connections/reputations they built before Wiz, but it is true that most companies are conceived and planned far ahead of their actually registrations. Sensible people don't exactly just quit their jobs and start a company in a few days. They conceive, do research, discuss and (I suspect in Wiz's case) prototype before they commit. Its definitely a smart move, there's a very real valuation and PR advantage if you delay your actual founding, so your time to X revenue looks shorter.
Not sure if it's a very wise move to hire foreign intelligence offers and give them access to the core of your tech products and to the customers data.
Probably the entire company's purpose is to gain access to secrets.

Anyway, Chomsky claims that there's 0 distinction between USA and Israel, so if you see it from that point of view, it makes little difference.

A dumb conspiracy theory. Israel has mandatory conscription (barring some cases), and many of the smart ones are recruited into Unit 8200. It's not surprising that they go on to start cyber companies once conscription ends, given that's a major focus of the Unit.
"But Chomsky said so!"
So you think they shouldn't be trusted because they have ties with a foreign nation or they should be trusted because their foreign nation is really a puppet state of your nation?

It's unclear to me what you're thinking besides the wish to troll.

"conspiracy". When you meet employees of such companies they brag about it and sometimes even do special tricks through their contacts to impress you.
For me it's enough that if Chinese intelligence officers were founding software security companies, I'd not use the product. It's the same idea for Israel. Conscription just makes it worse, because more of their citizens are then suspect.

Not supporting people who take part in the crime of persecution, is a nice side effect.

Google has some amazing negotiating skills - paying 50% more for something they literally tried to get not even a year ago... (they tried to get it at 23 billing not even a year ago)

https://news.ycombinator.com/item?id=41042034

That being said, Instagram and WhatsApp were expensive for Facebook and those ended up being a steal. Time will tell, as usual.

The difference is that Google is the worse product company among the big tech companies. It’s like the modern day Yahoo! - where acquisitions go to die.
I don't know man, iPhones and Macs are really buggy, bloated/full of unnecessary features, and user hostile. Microsoft products are also hot garbage. The cars we get to pay tens of thousands (or even hundreds) are pretty much garbage now. It's not just Google.
I am not talking about opinions on quality. I’m talking about objective measures in introducing a new product that moves the needle as far as revenue/profit and market share that is not cancelled quickly
Again, the parent's point stands. Apple is not changing the game with Apple Vision Pro or Apple Intelligence. Microsoft isn't getting accolades for Windows 11 and Copilot. It's not always smart to bet the farm on a product that nobody wants to pay for.

Objectively speaking Google is one of the few companies that saw where the puck was headed and skated there. They built TensorFlow, they sponsored serious local AI research. Now they build their own in-house training and inference hardware. Relative to the struggling we see from the rest of FAANG, I would argue Google is perhaps the only successful competitor left. I despise their monopoly abuse of AdSense, but they're not going to be effectively prosecuted with protectionist American policy defending them. Google "won" the services sector and now everyone and their mother is butthurt.

TensorFlow is a technology not a product. Having things in a “research” lab are not products. What product have they introduced in the past decade? 15 years? Android is the only one that has gotten any meaningful traction.

Does Google have a better LLM based product than OpenAI’s ChatGPT? Well personally for my use case, NotebookLM is better for some things. But it isn’t a better product for most people.

Androids position is so bad in the market as far as convincing consumers with money to buy one, Google has to pay Apple $20B+ a year to be the default search engine. I wouldn’t be surprised if Google pays more to be the default search engine on Apple devices than Google makes in mobile for Android.

From a consumer standpoint, Android has seen declining market share in the US, the Nest acquisition is floundering, Stadia was a failure, Pixel ships about the same number in a year that Apple ships iPhone in a a couple of weeks, WearOS has gone nowhere, no real tablet strategy (I Chromebooks have been a success in education so that’s kind of a mitigating factor), their tv strategy has pivoted a half dozen times, their messaging app strategy is schizophrenic (they had 5 separate messaging apps simultaneously at one point), AI summaries for Google search are half baked.

On the business side, GCP is just pathetic. I don’t mean as far as technology. But their account management, enterprise sales team and customer service is lackluster. I mentioned in another comment that when I worked at AWS ProServe, we never considered them a serious competitor.

GSuite has gained some traction in smaller companies. But hasn’t made a dent in government and enterprise where the real money is.

Look at Microsoft and Apple’s product mix as far as successful profit generating products and compare that to Google’s.

> Android is the only one that has gotten any meaningful traction.

In my book, Android doesn't count as a Google product, as it was a 2005 acquisition:

https://www.androidauthority.com/google-android-acquisition-...

Almost every part of the iPhone is also based on acquisitions. Android was a bad BlackBerry knock off before Google acquired. Android as it exists today is mostly Google.

YouTube and even AdSense were based on an acquisition.

Heck, Apple as we know it today was based largely on the Next acquisition.

Google made $34.68B in FY2023 from “app, media, and hardware”, so you’re not too far off I reckon.
Turns out McKinsey is really bad at business and letting a McKinsey ghoul run your company is a good way to run it into the ground.
GOOG is up ~152% since Sundar took over...
Since Sundar took over as CEO at Google (August 10, 2015):

  - Google is up 5.2X - I am not sure how you got 152%
  - Apple is up 10X
  - Microsoft is up 8.25X
  - Netflix is up 7.45X
  - Amazon us up 7.28X
  - Facebook is up 6.27X
Google has the worst returns in ten years of the FAANG(+M) companies. A 5X increase in ten years is still phenomenal, but it's important to not look at that number in isolation.

And for fun:

  - Nvidia is up 207X
  - Intel is down 12%
  - The S&P 500 is up 2.72X
Microsoft was also up by leaps and bounds when Ballmer was in charge and RIM had its highest market cap in 2010 - three years after the iPhone was introduced.

That has nothing to do with whether Google has the ability to create new great products and it has failed miserably at that over the past decade.

What do you know, Assaf Rappaport also worked at McKinsey.
This is meant to be politically-neutral commentary: this deal doesn't happen without a Republican in office that will squash the antitrust bent that the Biden administration started.

It's also possible the last Wiz deal happens without the antitrust swirling over Google.

Depends on how many complements Google gives the emperor on his clothes. The DOJ reiterated selling off chrome last week, so it's not off the table.
Some policy is being continued, https://natlawreview.com/article/antitrust-under-trump-initi...

> FTC Chairman Ferguson and Omeed Assefi, Acting Assistant Attorney General of the DOJ’s Antitrust Division, announced on February 18, 2025, that the FTC and DOJ will continue to use the 2023 Merger Guidelines as the framework for their merger review process.

Rump likes to play favorites and use any power at his disposal to hurt his political / personal enemies or people he thinks don't "respect" him enough. He also is a fan of extorting people.

So I wouldn't count on it based on some generic "pro-business" position. Google is going to have to kiss the ring one way or another.

I just don't think the anti trust case is as strong in the security industry vs. many other parts of the software industry. I don't think a Biden admin would necessarily have jumped to try and block this sort of acquisition either.
Yeah, but Instagram and WhatsApp have billions of users. Everybody has heard of them. Advertising on Instagram generates revenue.

Wiz is a SaaS b2b startup. Even on a forum for startups most people haven't heard of them.

Wiz reportedly has a revenue of 750m. It would take Google 30 years or more to break even on this deal. But like all bs startups Wiz will fade into irrelevancy 6 months after being acquired.

Google is getting completely scammed.

This: "But like all bs startups Wiz will fade into irrelevancy 6 months after being acquire"
Nobody thought Instagram and WhatsApp were good acquisitions at the time.
Instagram was roughly 10 people when it got bought, had less than 30M users and $0 in revenue.
Kinda confusing given Wiz is also a Google internal frontend framework.
big tech should be forbidden of purchasing anything, especially big 5
The voters disagreed and elected an extremely big tech friendly government.
I'm sure that didn't factor in at all in why the voters voted what they voted.
This represents 32 billion good reasons to build products to serve big techs platforms and customers.

Sherlocking is obviously the risk.

(comment deleted)
The Trump admin has shown the same attitude as the Biden admin when it comes to mergers. So why do they think the merger will go through this time?
Because the one thing I don't think you can plausibly say about the security software space is that there is a lack of options.

It uniquely seems to be fragmented and messy compared to most other parts of the software industry,(not sure why, just saying what I observe.

So the market situation looks very different to the ones that the DOJ was going after (like Google in ads,if Wiz was a big ad company then maybe the government would be more interested in trying to block it). Wiz isn't even close to having some kind of insurmountably dominant market share in their specific area of expertise either.

(comment deleted)
What changed from last year? The deal that failed?

The article says:

> The price tag is much higher than the roughly $23 billion Google had offered for Wiz last year before antitrust worries forced the startup to shelve the deal.

> Wall Street is optimistic that the Trump administration would drop some antitrust policies

Is that it? It's crazy to announce the deal before there's any actual policy changes. Why the rush? It's not like someone is outbidding them here.

Did you read the article?

> The price tag is much higher than the roughly $23 billion Google had offered for Wiz last year before antitrust worries forced the startup to shelve the deal. ... A harsh regulatory environment in 2024 had made it difficult for many firms to push through large deals, but Wall Street is optimistic that the Trump administration would drop some antitrust policies.

Yes, I made my comment more clear.
There is a new administration, and the new one doesn't have a DOJ that is extremely anti big tech, and going after them for antitrust on everything.
Reminder they also bought Mandiant for $5.4B in 2022
For hardcore Wiz users: What are their killer features that you use day in, day out?
We use wiz and rapid7, so I can compare these two:

Usability of Wiz and the ability to adapt it is so much better. Everyone can get a seat without extra costs, enabling shift-left for the dev teams. Projects make sure they only see what they need to see.

The query engine is top. There are very good presets. Create Boards to share custom queries with the teams.

Compliance frameworks are available. You could inspect the rules, they are written in OPA rego and you could add your own rules.

Cloudtrail search is also a lot better than the one aws is providing.

I could go on and on and on .. this solution has so many powerful features.

This was the most detailed and helpful explanation of what exactly the deal is with Wiz I think in this whole comment section.
> $32 billion in an all-cash deal,

Wow. I wonder how Google justified this acquisition. I fear they will eventually shutter this service, and likely without even pulling anything good into their own cloud offerings.

I wonder what level of insight Google will now have in to how AWS, Oracle and Azure’s customers use their cloud. Even just in aggregate I imagine there’s some useful data.
biggest Google acquisition yet or what?
Yes. The company’s previous biggest deal was its $12.5bn acquisition of Motorola Mobility in 2012, which it sold two years later for $2.9bn. [0]

[0] https://www.theguardian.com/technology/2025/mar/18/google-pa...

Can’t help but predict that this will be a similar outcome. If they did not have a security division, this acquisition could work. But colliding two heavy security behemoths together is like the collision of two galaxies with a higher enteopy.
What I don't understand is how you get to a valuation of $32B. My quick googling showed me that the revenue for Wiz is about $700M. Even if I assume the existing customers + name + platform/assets is worth several billion, where is this number coming from?

To be clear: I am young and ignorant. I am trying to learn, not criticise

My estimation is that there is another competitor that they wanted to out compete ... like Facebook paid $19B for whatsapp to outcompete google. The maximum market cap Wiz had was $13.2 Billion. So Google is paying 3x times the price.

> Wiz has agreed to a termination fee of more than $3.2 billion, a source told Reuters, one of the highest fees in M&A history.

Not sure how they can afford this if it doesn't work.

Motorola was bought for patents to defend Android, it was a clear win.

Wiz is much harder to understand.

The patents they received from Motorola effectively put an end to Apple's Android witch hunt.

Prior to this acquisition, Apple was determined to sue Android out of existence. They were on a rage-fueled mission to end a product they viewed as a copycat, and they knew Google didn't hold any patents to defend themselves.

When Google acquired Motorola's patents, the tables turned and it was Google that could end Apple or at least turn it into mutually assured destruction.

Those patents alone were worth a hundred billion for the headache they saved Google and the market position they opened up.

This was one of Google's smartest moves of all time.

I definitely did not consider this earlier. Do you know of some other big examples where monetary loss was actually a win when considered in an overall context?
This is probably a dumb question, but what does all cash mean? Does it literally mean that they are putting $32bn in Wiz's bank account (or probably some kind of escrow, who knows) which then gets dispersed to their shareholders?

What usually happens otherwise? Would they do partly google stock, etc? And each shareholder gets some kind of multiple? (you get your N amount of Wiz shares X .72 = your number of google shares), or something of that sort?

Yes. They became billionaires overnight.
Acquisitions often involve swaps of shares.
The press releases say cash deal.
The question was about what happens in other cases.
Otherwise it depends on the deal structure. Especially if it's an acqui-hire, or founders are involved, it can be a combination of shares, options, earn-out, guaranteed bonus, certain salary levels (much higher then their current one) etc etc, and cash. Usually 100% cash deal is the most sought after unless the acquirer has a very solid business (in that case shares and options could be valuable too).
They say that's an all-cash purchase. So it seems that they really put $32bn in the bank account.
Ultimately they are buying the shares of all existing shareholders. Wiz tells Google who the shareholders are after all triggers of options to shares are resolved. Then Google wires each shareholder after the signatures are complete. No money should go into Wiz bank account. 10-25% of the cash is held back to make sure the company and key employees fulfill promises made as part of the transaction.
Right - the Wiz bank account is about to be the Google bank account, so it wouldn't make any sense for them to receive the funds.
In an all cash deal the Vendor (buyer) will purchase all shares of the Target (seller) for cash and cancel those shares. A substantial amount of the cash will be held back in escrow subject to a number of clauses and released at a future date.

This will protect the buyer against misrepresentations.

There are often also targets that have to be met to achieve the full purchase price but not always disclosed

Yes on all of that. All Cash means Google is essentially writing a $32Bn check which is dispersed to the Wiz shareholders. (It wouldn't go to Wiz's bank account since Google owns the bank account once they send the money.

Typically these involve at least some stock (cash + stock or all stock) which would mean that each Wiz share gets some amount of money and some multiple of Google stock per share.

> Does it literally mean that they are putting $32bn in Wiz's bank account (or probably some kind of escrow, who knows) which then gets dispersed to their shareholders?

Google pays each of Wiz's shareholders 75-90% of the deal amount. The remainder is held in escrow and paid some time later based on a variety of conditions.

> What usually happens otherwise? Would they do partly google stock, etc? And each shareholder gets some kind of multiple? (you get your N amount of Wiz shares X .72 = your number of google shares), or something of that sort?

Yup, that's exactly how it works.

Part of the acquisition process is putting together a “funds flow” which is simply a model that lays out how much $ each shareholder gets and then also you collect all the wire details, etc. But anyway, it can be a bit surreal seeing how much cash will be deposited into various accounts once the deal closes
It means if you were a shareholder of Wiz, you will have cash in your checking/savings account within few days and you will no longer have the shares.
What if I don't want to pay capital gains?
Then you should not have owned assets that someone else had the power to sell.
For example: any publicly traded shares.

I have had shares that are 1. force sold, 2. shares that were force split into two companies and 3. shares that are force acquired so they become another companies shares.

Lol coincidently had some publoc traded shares force sold last month. Didn't realize (they didn't send me an email). I have a weird ability to pick these kinda stocks! Unfortunately it hasn't been a profitable strategy.
There's going to be teams of lawyers and financial managers that will guide that money into various financial structures and / or shell companies so that none of it shows up on the records used to calculate that.
Is enterprise security software like consumer antivirus software (i.e. unnecessary (or even harmful) if you know what you're doing)?
"Enterprise" and "you know what you're doing" don't go hand-in-hand. You might know what you're doing, but does everyone else at your enterprise?

Every single devops person who can push a CL to staging (that may not get properly reviewed)? Every marketing whiz who is using a dataviz tool against a cloud storage bucket you didn't even know existed? Every support engineer who is on-call at 2:#0am and can fix a customer's problem with one tiny IAM change?

I think that is obviously the case.

That being said, one of the reasons these things sell is that the majority of people sitting behind computers in large enterprises absolutely DO NOT have any idea what they were doing.

Once you get to a certain scale, the idea that you can "just be competent" and maintain high standards and configure your boxes the right way the first time every time btecomes logistically impossible.

Liability and insurance also is a big concern for large companies. The ability to blame somebody else for your security failings and check off all the silly boxes is pretty valuable. I'm sure consumer windows antivirus software would become a big hit again if you were for all intents and purposes being legally strong armed into purchasing it.