DREAMTECH NEWS

Jamf snags zero trust security startup Wandera for $400M

Jamf, the enterprise Apple device management company, announced at the market close today that it was acquiring Wandera, a zero trust security startup, for $400 million. Today’s purchase is the largest in the company’s history.

Jamf provides IT at large organizations with a set of management services for Apple devices. It is the leader in the market, and snagging Wandera provides a missing modern security layer for the platform.

Jamf CEO Dean Hager says that Wandera’s zero trust approach fills in an important piece in the Jamf platform tool set. “The combination of Wandera and Jamf will provide our customers a single source platform that handles deployment, application lifecycle management, policies, filtering and security capabilities across all Apple devices while delivering zero trust network access for all mobile workers,” Hager said in a statement.

Zero trust, as the name implies, is an approach to security where you don’t trust anybody regardless of whether they are inside or outside your network. It requires that you force everyone to provide multiple forms of authentication to prove their identity before they can access company resources.

The need for a zero trust approach became even more acute during the pandemic, when employees have often been working from home and have needed access to applications and other company resources from wherever they happened to be, a trend that was happening even prior to COVID and is likely to continue after it ends.

Wandera, which is based in London, was founded in 2012 by brothers Roy and Eldar Tuvey, who had previously co-founded another security startup called ScanSafe. Cisco acquired that company, which helped protect web gateways as a service, for $183 million back in 2009. The brothers raised over $53 million along the way for Wandera. Investors included Bessemer Venture Partners, 83North and Sapphire Ventures.

Sapphire co-founder and managing director Andreas Weiskam had this to say about the deal: “[Wandera] created a unique security product which addresses mobile threats by leveraging the increasingly important zero trust network. By joining the Jamf family, the two will help shape the future of the zero trust cloud. And it goes without saying that this is a big win for the customers, especially for those in the Apple ecosystem.”

Jamf now has access to all of that technology and everything else the company has developed since. Under the terms of the deal, Jamf is paying Wandera $350 million in cash, followed by two $25 million payments on October 1, 2021 and December 15, 2021. The deal is expected to close in the third quarter, assuming it passes regulatory scrutiny.

 


By Ron Miller

DataRobot expands platform and announces Zepl acquisition

DataRobot, the Boston-based automated machine learning startup, had a bushel of announcements this morning as it expanded its platform to give technical and non-technical users alike something new. It also announced it has acquired Zepl, giving it an advanced development environment where data scientists can bring their own code to DataRobot. The two companies did not share the acquisition price.

Nenshad Bardoliwalla, SVP of Product at DataRobot, says that his company aspires to be the leader in this market, and it believes the path to doing that is appealing to a broad spectrum of user requirements, from those who have little data science understanding to those who can do their own machine learning coding in Python and R.

“While people love automation, they also want it to be [flexible]. They don’t want just automation, but then you can’t do anything with it. They also want the ability to turn the knobs and pull the levers,” Bardoliwalla explained.

To resolve that problem, rather than building a coding environment from scratch, it chose to buy Zepl and incorporate its coding notebook into the platform in a new tool called Composable ML. “With Composable ML and with the Zepl acquisition, we are now providing a really first class environment for people who want to code,” he said.

Zepl was founded in 2016 and raised $13 million along the way, according to Crunchbase data. The company didn’t want to reveal the number of employees or the purchase price, but the acquisition gives it advanced capabilities, especially a notebook environment to call its own to attract those more advanced users to the platform. The company plans to incorporate the Zepl functionality into the platform, while also leaving the stand-alone product in place.

Bardoliwalla said that they see the Zepl acquisition as an extension of the automated side of the house, where these tools can work in conjunction with one another with machines and humans working together to generate the best models. “This [generates an] organic mixture of the best of what a system can generate using DataRobot AutoML and the best of what human beings can do and kind of trying to compose those together into something really interesting […],” Bardoliwalla said.

The company is also introducing a no-code AI app builder that enables non-technical users to create apps from the data set with drag and drop components. In addition, it’s adding a tool to monitor the accuracy of the model over time. Sometimes, after a model is in production for a time, the accuracy can begin to break down as the data the model is based on is no longer valid. This tool monitors the model data for accuracy and warns the team when it’s starting to fall out of compliance.

Finally, the company is announcing a model bias monitoring tool to help root out model bias that could introduce racist, sexist or other assumptions into the model. To avoid this, the company has built a tool to identify when it sees this happening both in the model building phase and in production. It warns the team of potential bias, while providing them with suggestions to tweak the model to remove it.

DataRobot is based in Boston and was founded in 2012. It has raised over $750 million and has a valuation of over $2.8 billion, according to Pitchbook.


By Ron Miller

ServiceNow leaps into applications performance monitoring with Lightstep acquisition

This morning ServiceNow announced that it was acquiring Lightstep, an applications performance monitoring startup that has raised over $70 million, according to Crunchbase data. The companies did not share the acquisition price.

ServiceNow wants to take advantage of Lightstep’s capabilities to enhance its IT operations offerings. With Lightstep, the company should be able to provide customers with a way to monitor the performance of applications with the goal of detecting problems before they grow into major issues that take down a website or application.

“With Lightstep, ServiceNow will transform how software solutions are delivered to customers. This will ultimately make it easier for customers to innovate quickly. Now they’ll be able to build and operate their software faster than ever before and take the new era of work head on with confidence,” Pablo Stern, SVP & GM for IT Workflow Products at ServiceNow said in a statement.

Ben Sigelman, founder and CEO at Lightstep, sees the larger organization being a good landing spot for his company. “We’ve always believed that the value of observability should extend across the entire enterprise, providing greater clarity and confidence to every team involved in these modern, digital businesses. By joining ServiceNow, together we will realize that vision for our customers and help transform the world of work in the process […],” Sigelman said in a statement.

Lightstep is part of the application performance monitoring market with companies like DataDog, New Relic and AppDynamics, which Cisco acquired for $3.7 billion in 2017, the week before it was scheduled to IPO. It seems to be an area that is catching the interest of larger enterprise vendors, who are picking off smaller startups in the space.

Last November, IBM bought Instana, an APM startup and then bought Turbonomic for $2 billion at the end of last month as a complementary technology. Being able to monitor apps and keep them up and running is crucial, not only from a business continuity perspective, but also from a brand loyalty one. Even if the app isn’t completely down, but is running slowly or generally malfunctioning in some way, it’s likely to annoy users and could ultimately cause users to jump to a competitor. This type of software gives customers the ability to observe and detect problems before they have an impact on large numbers of users.

Lightstep, which is based in San Jose, California, was founded in 2015. It raised $70 million from investors like Altimeter Capital, Sequoia, Redpoint and Harrison Metal. Customers include GitHub, Spotify and Twilio. The deal is expected to close this quarter.


By Ron Miller

Activist investor Starboard Value makes official bid for Box board seats in letter

Last week activist investor Starboard delivered a public letter rebuking Box for what it perceives as underperformance. Today the firm, which owns 8% of Box stock, making it the company’s largest stockholder, took it a step further with an official slate of four candidates it will be putting up at the next stockholders’ meeting.

While the firm rehashed many of the same complaints as in last week’s letter, this week’s explicitly stated its intent to run its own slate of candidates for the Box board. “Therefore, in accordance with the Company’s governance deadlines and in order to preserve our rights as stockholders, we have delivered a formal notice to Box nominating four highly qualified director candidates (the “Nominees”) for election to the Board at the Annual Meeting,” Starboard wrote in a public letter to Box.

Box responded in a press release that the Board as currently constituted categorically rejects this attempt by Starboard to take over additional seats.

“The Box Board of Directors does not believe the changes to the Board proposed by Starboard are warranted or in the best interests of all stockholders. The Box Board has been consistently responsive to feedback from all of its stockholders, including suggestions from Starboard, and open-minded toward all value enhancing opportunities. Furthermore, Starboard’s statements do not accurately depict the progress Box has made,” the Board wrote in a statement this morning.

Box further points out that the company overhauled the Board last year with three new board members specifically receiving Starboard approval.

What is driving Starboard to take this action? Like any good activist investor, it wants a higher stock price and is seeking more growth from Box. Activist investors often come in and try to extract value by brute force when they perceive the company is underperforming. The end game, were they successful, could involve removing Levie as CEO or, more likely, selling the company and grabbing its profit on the way out.

Box asserted that “Starboard’s statements do not accurately depict the progress Box has made,” highlighting some of its recent financial performance including “a $127 million increase in free cash flow in fiscal 2021.” The former private-market darling also argued that its fiscal 2021 “revenue growth rate plus free cash flow margin [came to more than] 26%,” which beat its own target of 25% and was “nearly double” what it managed in its fiscal 2020.

This is a good time for a ‘yes, but’: Yes, but Box’s ability to improve its profitability does not change the fact that its growth rate has been in steady decline for years. And while a company’s growth rate can cover nearly any sin, slowing growth that has already slipped into the single digits doesn’t cut Box much slack. (For reference, in its most recent quarter, the fourth of its fiscal 2021, Box grew just 8% on a year-over-year basis.)

It’s worth noting that the company did promise “accelerated growth and higher operating margins in the years ahead” in its most recent earnings call, but the company’s recent $500 million investment from KKR particularly irked Starboard, which asserts that it was akin to ‘buying the vote.’

“[Box] made several poor capital allocation decisions, including its recent entry into a financing transaction that we believe serves no business purpose and was done in the face of a potential election contest with Starboard at the 2021 Annual Meeting of Stockholders.”

Now it’s becoming a battle over more board seats. Box is putting up Levie, Verisign CFO Dana Evan and Peter Leav, Chief Executive Officer of McAfee and former Chief Executive Officer of BMC.

Starboard nominees include Deborah S. Conrad, former executive at Intel; Peter A. Feld, Starboard’s head of research; John R. McCormack, former CEO of WebSense and Xavier D. Williams, a director of American Virtual Cloud Technologies.

The vote will take place at the Box stockholders’ meeting, which has traditionally been held in late June or early July. To this point, the company has not put out the exact date publicly.


By Ron Miller

How a band of P2P hackers planted the seeds of a unique expense management giant

Individuality often has no place in the enterprise software space. In a market where a single contract can easily run into the millions, homogeneity is the herald of reliability and serves to reassure buyers of the worth of their potential purchase.

So it’s natural to think a company in the expense report management business would keep it simple and play it by the book. But one look at Expensify is enough to tell you that this is a company that never even looked for the book.

Expensify’s origin story is one of a scrappy group of developers who turned travel into a catalyst for ideas and stuck together through highs and lows, ending up building one of the most unexpectedly original companies in enterprise software today.

From its famous “workcations” to its management structure and its decision-making policies, Expensify has it in its DNA to eschew so-called best practices for its own ideas — a philosophy rooted in its founder and early team’s P2P hacker background and do-it-yourself attitude. As a result, Expensify is atypical of startups in many ways, inside and out.

Founder and CEO David Barrett made it clear his company was different during our very first call: “We hire in a super different way. We have a very unusual internal management structure. Our business model itself is very unusual. We don’t have any salespeople, for example. We’re an incredibly small company. We focus on the employees over the bosses. Our technology stack is completely different. Our approach toward product design is very different.”

That description would make some people call Expensify weird even by startup standards, but this essential difference has set it apart in a space dominated by giants such as SAP Concur and Coupa. And that’s ultimately been to its benefit: Expensify reached $100 million in annual recurring revenue in 2020, with hefty 25% EBITDA margins to boot. There were also rumors of the company planning to go public during our interviews for this EC-1, but they stopped speaking to us in March, and now we know why: Expensify confidentially filed to go public on May 3.

When David met Travis …

To truly understand Expensify, you first need to take a close look at a unique, short-lived, P2P file-sharing company called Red Swoosh, which was Travis Kalanick’s startup before he founded Uber. Framed by Kalanick as his “revenge business” after his previous P2P startup Scour was sued into oblivion for copyright infringement, Red Swoosh would be the precursor for Expensify’s future culture and ethos. In fact, many of Expensify’s initial team actually met at Red Swoosh, which was eventually acquired by Akamai Technologies in 2007 for $18.7 million.

Barrett, a self-proclaimed alpha geek and lifelong software engineer, was actually Red Swoosh’s last engineering manager, hired after the failure of his first project, iGlance.com, a P2P push-to-talk program that couldn’t compete against Skype. “While I was licking my wounds from that experience, I was approached by Travis Kalanick who was running a startup called Red Swoosh,” he recalled in an interview.


By Anna Heim

The Expensify EC-1

Let’s make it clear from the outset that this story is about an expense management SaaS business called Expensify. As you’d expect, yes, this is about the expense management market and how Expensify has grown, its technology and all of that. Normally, that would make us change the channel. But this is also a story about pirates; peer-to-peer hackers who asked, “Why not work from Thailand and dozens of countries across the globe?” and actually did it using P2P hacker culture as a model for consensus-driven decision-making — all with pre-Uber Travis Kalanick in a guest-starring role.

Most interestingly, this is a story about just not giving a damn about what anyone goddamn thinks, an approach to life and business that led to more than $100 million in annual revenue, and an IPO incoming on what looks to be a very quick timetable. Prodigious revenues, 10 million users and only 130 employees running the whole shebang — that’s a hell of an achievement in only 13 years.

If you’re going a bit “WTF,” well, we’d concur. Expensify is as contradictory as they come in the enterprise world. It’s managed to take what might well be the most boring part of the corporate business stack and turn it into something special. It doesn’t borrow its culture from other startups, it built its own tech stack from the ground up, and even hires in a completely radical way. Oh, and no one really has job titles either, because why the hell bother with hierarchy anyway? They’re pirates after all.

If expense management is about avoiding corporate plunder, then letting the pirates and hackers run the ship is probably the best approach. And now, Expensify is plundering the corporate spend world one travel ticket and business meal at a time just as the world is rebuilding in the wake of COVID-19.

TechCrunch’s writer and analyst for this EC-1 is Anna Heim. Heim is a tech journalist and former startup founder who has written for different tech publications since 2011. She recently joined Extra Crunch as a daily reporter, where she will be sharing insights on startups, particularly in SaaS. The lead editor of this package was Ram Iyer, the series editor was Danny Crichton, the copy editor was Richard Dal Porto, and original illustrations were created by Nigel Sussman with art direction from Bryce Durbin.

Expensify had no say in the content of this analysis and did not get advance access to it. Heim has no financial ties to Expensify or other conflicts of interest to disclose.

The Expensify EC-1 will be a serialized sequence of five articles published over the course of the coming weeks. We interviewed the company in February and March, well before the company announced a confidential filing of its S-1 to the SEC. Let’s take a look:

  • Part 1: Origin story “How a band of P2P hackers planted the seeds of a unique expense management giant” (2,400 words/10 minutes) — Explores the colorful history of the Expensify founders’ days with Travis Kalanick’s venture before Uber, a P2P content distribution startup called Red Swoosh, and how that experience would eventually influence what would one day become an expense management giant.
  • Parts 2-5: Upcoming shortly.

We’re always iterating on the EC-1 format. If you have questions, comments or ideas, please send an email to TechCrunch Managing Editor Danny Crichton at [email protected].


By Anna Heim

5 investors discuss the future of RPA after UiPath’s IPO

Robotic process automation (RPA) has certainly been getting a lot of attention in the last year, with startups, acquisitions and IPOs all coming together in a flurry of market activity. It all seemed to culminate with UiPath’s IPO last month. The company that appeared to come out of nowhere in 2017 eventually had a final private valuation of $35 billion. It then had the audacity to match that at its IPO. A few weeks later, it still has a market cap of over $38 billion in spite of the stock price fluctuating at points.

Was this some kind of peak for the technology or a flash in the pan? Probably not. While it all seemed to come together in the last year with a big increase in attention to automation in general during the pandemic, it’s a market category that has been around for some time.

RPA allows companies to automate a group of highly mundane tasks and have a machine do the work instead of a human. Think of finding an invoice amount in an email, placing the figure in a spreadsheet and sending a Slack message to Accounts Payable. You could have humans do that, or you could do it more quickly and efficiently with a machine. We’re talking mind-numbing work that is well suited to automation.

In 2019, Gartner found RPA was the fastest-growing category in enterprise software. In spite of that, the market is still surprisingly small, with IDC estimates finding it will reach just $2 billion in 2021. That’s pretty tiny for the enterprise, but it shows that there’s plenty of room for this space to grow.

We spoke to five investors to find out more about RPA, and the general consensus was that we are just getting started. While we will continue to see the players at the top of the market — like UiPath, Automation Anywhere and Blue Prism — jockeying for position with the big enterprise vendors and startups, the size and scope of the market has a lot of potential and is likely to keep growing for some time to come.

To learn about all of this, we queried the following investors:

  • Mallun Yen, founder and partner, Operator Collective
  • Jai Das, partner and president, Sapphire Ventures
  • Soma Somasegar, managing director, Madrona Venture Group
  • Laela Sturdy, general partner, CapitalG
  • Ed Sim, founder and managing partner, Boldstart Ventures

We have seen a range of RPA startups emerge in recent years, with companies like UiPath, Blue Prism and Automation Anywhere leading the way. As the space matures, where do the biggest opportunities remain?

Mallun Yen: One of the fastest-growing categories of software, RPA has been growing at over 60% in recent years, versus 13% for enterprise software generally. But we’ve barely scratched the surface. The COVID-19 pandemic forced companies to shift how they run their business, how they hire and allocate staff.

Given that the workforce will remain at least partially permanently remote, companies recognize that this shift is also permanent, and so they need to make fundamental changes to how they run their businesses. It’s simply suboptimal to hire, train and deploy remote employees to run routine processes, which are prone to, among other things, human error and boredom.

Jai Das: All the companies that you have listed are focused on automating simple repetitive tasks that are performed by humans. These are mostly data entry and data validation jobs. Most of these tasks will be automated in the next couple of years. The new opportunity lies in automating business processes that involve multiple humans and machines within complicated workflow using AI/ML.

Sometimes this is also called process mining. There have been BPM companies in the past that have tried to automate these business processes, but they required a lot of services to implement and maintain these automated processes. AI/ML is providing a way for software to replace all these services.

Soma Somasegar: For all the progress that we have seen in RPA, I think it is still early days. The global demand for RPA market size in terms of revenue was more than $2 billion this past year and is expected to cross $20 billion in the coming decade, growing at a CAGR of more than 30% over the next seven to eight years, according to analysts such as Gartner.

That’s an astounding growth rate in the coming years and is a reflection of how early we are in the RPA journey and how much more is ahead of us. A recent study by Deloitte indicates that up to 50% of the tasks in businesses performed by employees are considered mundane, administrative and labor-intensive. That is just a recipe for a ton of process automation.

There are a lot of opportunities that I see here, including process discovery and mining; process analytics; application of AI to drive effective, more complex workflow automation; and using low code/no code as a way to enable a broader set of people to be able to automate tasks, processes and workflows, to name a few.

Laela Sturdy: We’re a long way from needing to think about the space maturing. In fact, RPA adoption is still in its early infancy when you consider its immense potential. Most companies are only now just beginning to explore the numerous use cases that exist across industries. The more enterprises dip their toes into RPA, the more use cases they envision.

I expect to see market leaders like UiPath continue to innovate rapidly while expanding the breadth and depth of their end-to-end automation platforms. As the technology continues to evolve, we should expect RPA to penetrate even more deeply into the enterprise and to automate increasingly more — and more critical — business processes.

Ed Sim: Most large-scale automation projects require a significant amount of professional services to deliver on the promises, and two areas where I still see opportunity include startups that can bring more intelligence and faster time to value. Examples include process discovery, which can help companies quickly and accurately understand how their business processes work and prioritize what to automate versus just rearchitecting an existing workflow.


By Ron Miller

Shift Technology raises $220M at a $1B+ valuation to fight insurance fraud with AI

While insurance providers continue to get disrupted by startups like Lemonade, Alan, Clearcover, Pie and many others applying tech to rethink how to build a business around helping people and companies mitigate risks with some financial security, one issue that has not disappeared is fraud. Today, a startup out of France is announcing some funding for AI technology that it has built for all insurance providers, old and new, to help them detect and prevent it.

Shift Technology, which provides a set of AI-based SaaS tools to insurance companies to scan and automatically flag fraud scenarios across a range of use cases — they include claims fraud, claims automation, underwriting, subrogation detection and financial crime detection — has raised $220 million, money that it will be using both to expand in the property and casualty insurance market, the area where it is already strong, as well as to expand into health, and to double down on growing its business in the U.S. It also provides fraud detection for the travel insurance sector.

This Series D is being led by Advent International, via Advent Tech, with participation from Avenir and others. Accel, Bessemer Venture Partners, General Catalyst, and Iris Capital — who were all part of Shift’s Series C led by Bessemer in 2019 — also participated. With this round, Paris and Boston-based Shift Technology has now raised some $320 million and has confirmed that it is now valued at over $1 billion.

The company currently has around 100 customers across 25 different countries — with customers including Generali France and Mitsui Sumitomo — and says that it has already analyzed nearly two billion claims, data that’s feeding its machine learning algorithms to improve how they work.

The challenge (or I suppose, opportunity) that Shift is tackling, however, is much bigger. The Coalition Against Insurance Fraud, a non-profit in the U.S., estimates that at least $80 billion of fraudulent claims are made annually in the U.S. alone, but the figure is likely significantly higher. One problem has, ironically, been the move to more virtualized processes, which open the door to malicious actors exploiting loopholes in claims filing and fudging information.

Shift is also not alone in tackling this issue: the market for insurance fraud detection globally was estimated to be worth $2.5 billion in 2019 and projected to be worth as much as $8 billion by 2024.

In addition to others in claims management tech such as Brightcore and Guidewire, many of the wave of insurtech startups are building their own in-house AI-based fraud protection, and it’s very likely that we’ll see a rise of other fraud protection services, built out of fintech to guard against financial crime, making their way to insurance, as the mechanics of how the two work and the compliance issues both face are very closely aligned.

“The entire Shift team has worked tirelessly to build this company and provide insurers with the technology solutions they need to empower employees to best be there for their policyholders. We are thrilled to partner with Advent International, given their considerable sector expertise and global reach and are taking another giant step forward with this latest investment,” stated Jeremy Jawish, CEO and co-founder, Shift Technology, in a statement. “We have only just scratched the surface of what is possible when AI-based decision automation and optimization is applied to the critical processes that drive the insurance policy lifecycle.”

For its backers, one key point with Shift is that it’s helping older providers bring on more tools and services that can help them improve their margins as well as better compete against the technology built by newer players.

“Since its founding in 2014, Shift has made a name for itself in the complex world of insurance,” said Thomas Weisman, an Advent director, in a statement. “Shift’s advanced suite of SaaS products is helping insurers to reshape manual and often time-consuming claims processes in a safer and more automated way. We are proud to be part of this exciting company’s next wave of growth.”


By Ingrid Lunden

Emerging open cloud security framework has backing of Microsoft, Google and IBM

Each of the big cloud platforms has its own methodology for passing on security information to logging and security platforms, leaving it to the vendors to find proprietary ways to translate that into a format that works for their tool. The Cloud Security Notification Framework (CSNF), a new working group that includes Microsoft, Google and IBM, is trying to create a new open and standard way of delivering this information.

Nick Lippis, who is co-founder and co-chairman of ONUG, an open enterprise cloud community that is the primary driver of CSNF, says that what they’ve created is part standard and part open source. “What we’ve been really focusing on is how do we automate governance on the cloud. And so security was the place that was ripe for that where we can actually provide some value right away for the community,” he said.

While they’ve pulled in some of the big cloud vendors, they’ve also got large companies who consume cloud services like FedEx, Pfizer and Goldman Sachs. Conspicuously missing from the group is AWS, the biggest player in the cloud infrastructure market by far. But Lippis says that he hopes as the project matures, other companies including AWS will join.

“There’s lots of security programs and industry programs that get out there and that people are asking them to join, and so some companies want to wait to see how well this pans out [before making a commitment to it],” Lippis said. His hope is that over time Amazon will come around and join the group, but in the meantime they are working to get to the point where everyone in the community will feel good about what they’re doing.

The idea is to start with security alerts and find a way to build a common format to give companies the same kind of system they have in the data center to track security alerts in the cloud. The way they hope to do that is with this open dialogue between the cloud vendors and the companies involved with the group.

“So the structure of that is that there’s a steering committee that is chaired by CISOs from these large cloud consumer brands, and also the cloud providers, and they provide voting and direction. And then there’s the working group where all the work is done. The beauty of what we do is that we have now consumers and also providers working together and collaborating,” he said.

Don Duet, a member of ONUG, who is CEO and co-founder of Concourse Labs, has been involved in the formation of the CSNF. He says that to keep the project focused, they are looking at this as a data management problem and establishing a common vocabulary for everyone in the group to work with.

“How do you build a consensus on what are the types of terms that everybody can agree on and then you build the underlying basis so that the experts in your resource providers in this case, Cloud Service Providers, can bless how their data [connects] to those common standards,” Duet explained.

He says that particular problem is more of an organizational problem than a technical one, getting the various stakeholders together and just building consensus around this. At this point, they have that process in place and the next step is proving it by having the various companies involved in this test it out in the coming months.

After they get past the testing phase, in October they plan to actually demonstrate what this looks like in a before and after scenario, with the new framework and without it. As the group works toward these goals, the hope is that eventually the framework will become more established and other companies and vendors will come on board and make this a more standard way of sharing security alerts. If all goes well, they hope to build other security information into this framework over time.


By Ron Miller

Cymulate nabs $45M to test and improve cybersecurity defenses via attack simulations

With cybercrime on course to be a $6 trillion problem this year, organizations are throwing ever more resources at the issue to avoid being a target. Now, a startup that’s built a platform to help them stress-test the investments that they have made into their security IT is announcing some funding on the back of strong demand from the market for its tools.

Cymulate, which lets organizations and their partners run machine-based attack simulations on their networks to determine vulnerabilities and then automatically receive guidance around how to fix what is not working well enough, has picked up $45 million. The startup, co-headquartered in Israel and New York, will use the funding to continue investing in its platform and to ramp up its operations after doubling its revenues last year on the back of a customer list that now numbers 300 large enterprises and mid-market companies, including the Euronext stock exchange network as well as service providers such as NTT and Telit.

London-based One Peak Partners is leading this Series C, with previous investors Susquehanna Growth Equity (SGE), Vertex Ventures Israel, Vertex Growth and Dell Technologies Capital also participating.

According to Eyal Wachsman, the CEO and co-founder, Cymulate’s technology has been built not just to improve an organization’s security, but as an automated, machine-learning-based system for better understanding how to get the most out of the security investments that have already been made.

“Our vision is to be the largest cybersecurity ‘consulting firm’ without consultants,” he joked.

The valuation is not being disclosed but as some measure of what is going on, David Klein, managing partner at One Peak, said in an interview that he expects Cymulate to hit a $1 billion valuation within two years at the rate it’s growing and bringing in revenue right now. The startup has now raised $71 million, so it’s likely the valuation is in the mid-hundreds of millions. (We’ll continue trying to get a better number to have a more specific data point here.)

Cymulate (pronounced “sigh-mulate”, like the “cy” in “cyber” and a pun on “simulate”) is cloud-based but works across both cloud and on-premises environments. The idea is that it complements work done by (human) security teams both inside and outside of an organization, as well as the security IT investments (in terms of software or hardware) that they have already made.

“We do not replace — we bring back the power of the expert by validating security controls and checking whether everything is working correctly to optimize a company’s security posture,” Wachsman said. “Most of the time, we find our customers are using only 20% of the capabilities that they have. The main idea is that we have become a standard.”

The company’s tools are based in part on the MITRE ATT&CK framework, a knowledge base of threats, tactics and techniques used by a number of other cybersecurity services, including a number of others building continuous validation services that compete with Cymulate. These include the likes of FireEye, Palo Alto Networks, Randori, Khosla-backed AttackIQ and many more.

Although Cymulate is optimized to help customers better use the security tools they already have, it is not meant to replace other security apps, Wachsman noted, even if the by-product might become buying less of those apps in the future.

“I believe my message every day when talking with security experts is to stop buying more security products,” he said in an interview. “They won’t help defend you from the next attack. You can use what you’ve already purchased as long as you configure it well.”

In his words, Cymulate acts as a “black box” on the network, where it integrates with security and other software (it can also work without integrating but integrations allow for a deeper analysis). After running its simulations, it produces a map of the network and its threat profile, an executive summary of the situation that can be presented to management and a more technical rundown, which includes recommendations for mitigations and remediations.

Alongside validating and optimising existing security apps and identifying vulnerabilities in the network, Cymulate has also built special tools to fit different kinds of use cases that are particularly relevant to how businesses are operating today. They include evaluating remote working deployments, the state of a network following an M&A process, the security landscape of an organization that links up with third parties in supply chain arrangements, and how well an organization’s security architecture is meeting (or potentially conflicting with) privacy and other kinds of regulatory compliance requirements. It has also built a “purple team” deployment: where security teams do not have the resources for running separate “red teams” to stress test something, blue teams at the organization can use Cymulate to build a machine learning-based “team” to do this.

The fact that Cymulate has built the infrastructure to run all of these processes speaks to the potential of what more it could build, especially as our threat landscape, and how we do business, both continue to evolve. Even as it is, though, the opportunity today is a massive one, with Gartner estimating that some $170 billion will be spent on information security by enterprises in 2022. That’s one reason why investors are here, too.

“The increasing pace of global cyber security attacks has resulted in a crisis of trust in the security posture of enterprises and a realization that security testing needs to be continuous as opposed to periodic, particularly in the context of an ever-changing IT infrastructure and rapidly evolving threats. Companies understand that implementing security solutions is not enough to guarantee protection against cyber threats and need to regain control,” said Klein, in a statement. “We expect Cymulate to grow very fast,” he told me more directly.


By Ingrid Lunden