*AST and *SPM: Acquisition Magnets

There are a whole lot of these *SPM and *AST startups.

I’m talking ¹:

• Application Security Posture Management
• Cloud Security Posture Management
• Data Security Posture Management
• Static Application Security Testing
• Dynamic Application Security Testing
• Attack Surface Management (ignore the acronym mismatch, there is huge overlap here)

I think these are a couple drivers of such busy spaces. First off, MVPs are relatively derisked, undifferentiated, and in the case of *ASTs especially, quick to get up and running. Evidence can be found in the frequent appearance of open source options². Additionally, these tools get deployed externally, can operate well locally or as SaaS software, and can be cheap to stand up. This all allows them to easily onboard beta customers and development partners with low cost and risk. This ability to lean into PLG can help get the early traction that makes startups visible. It also keeps them alive long enough to get early funding, and potentially exit with a small acquisition or acquihire versus shutting down entirely.

〰️ Disclaimer: this is definitely vulnerable to confirmation bias, I suspect the same is true in other areas of security startups

There are also a whole lot of acquisitions of these startups.

I think there are a few reasons for that:

1. These tools are easy to integrate into the acquirer. *AST tools are sometimes already third-party integrations with the acquirer that just need to be repackaged as first-party. *SPM tools are often either rolled into a different *SPM vertical, or can quickly bootstrap an acquirer into a “platform.”
2. These tools can be a quick way to fill a product gap. For example, expanding an AppSec platform into Cloud as Snyk tried to do with Fugue.
3. These tools can drive Product Led Growth, they’re often cheap to run and easy to onboard new customers for trials.
4. It’s hard for startups in these categories to grow to any other outcome. These spaces are immensely competitive, and there are many sizable Platforms offering good-enough solutions.

What options does this imply for these startups?

• Bootstrap, and avoid the VC velocity pressure. See: Portswigger (Burp Suite)
• Raise less, or exit earlier: See: Bridgecrew
• Hit escape velocity, be so good they can’t ignore you. See: Wiz, Snyk

🫵 Shout out to The Cloud & App Security List by Latio, which I leaned on to generate these lists

Some data to chew on

Application Security Posture Management - Notable Startups

Company	Launched	Status
Code Dx	2015	Acquired by Snyopsys, 06/08/2021
Bionic	2019	Acquired by Crowdstrike, 09/19/2023 est. $350m, raised $82 million raised in total
Enso Security	2020	Acquired by Snyk, 08/2023 $32.7M, <10m raised
Oxeye Security	2020	Acquired by Gitlab, 03/20/2024 est. $30-40m, raised 10m
Silk Security	2022	Aquired by Armis, 04/16/2024 $150m, raised $12.5 million
Qwiet.at (fka ShiftLeft)	2016	$58.3m total, including $29m expansion in 2022
Apiiro	2019	$135m, including a $100m series B in 2022 PAN acquisition reportedly fell through
Kondukto	2019	$1m seed, 2022
Rezilion	2018	$30m series A in 2021
Cycode	2019	$81m, including a $56 million Series B round in 2021
ArmorCode	2020	$65m total, $40m series B in 2023
Boost Security	2020	$12m seed round, 2022
Jit	2020	$38.5m seed round, 2022
Legit Security	2020	$77 million total, $40 Million Series B in 2023
Arnica	2021	$7 million in seed funding, 2022
Ox Security	2021	$34 million in seed funding, 2022
Phoenix Security	2021	???
Tromzo	2021	$8m seed, 2023
Aikido	2022	€5 million in Seed funding, 2023
Backslash	2022	$8 million round in 2023
Xygeni	2022	€4M in funding in 2023

Cloud Security Posture Management - Notable Acquisitions

Company	Acquirer	Year	Price	Raised
Evident.io	Palo Alto Networks	2018	$300 million	$49.1 million
RedLock	Palo Alto Networks	2018	$173 million	$12 million
Cloudsploit	Aqua Security	2019	???	???
Cloud Conformity	Trend Micro	2019	$70 million	$3.7 million
Cloudneeti	ZScaler	2020	$8.9 million	$500k
Divvy Cloud	Rapid7	2020	$145 million	$27.5 million
Bridgecrew	Palo Alto Networks	2021	$156 million	~$18 million
CloudQuest	Deloitte	2021	???	???
DisruptOps	Firemon	2021	???	$9 million
Fugue	Snyk	2022	???	$85 million
Prevasio	AlgoSec	2022	???	???
Prowler	Verica	2022	???	$6 million
Ermetic	Tenable	2023	$265 million	$100 million
Lightspin	Cisco	2023	~$200 million	$25 million
Longbow Security	Veracode	2024	???	$10.5 million
PingSafe	Sentinel One	2024	???	$3.3 million
Runecast	Dynatrace	2024	???	~$2m

Data Security Posture Management - Notable Acquisitions

Company	Acquirer	Year	Price	Raised
Dig Security	Palo Alto Networks	2023	$400 million	$45 million
Laminar	Rubrik	2023	$200-250 million	~$67 million
Polar Security	IBM	2023	$60 million	$8.5 million
Flow Security	CrowdStrike	2024	est. $200 million	$13 million

Static Application Security Testing - Notable Acquisitions

Company	Acquirer	Year	Price	Raised
Goanna Software	Synopsys	2015	???	???
RIPS Tech	Sonar Source	2020	???	$0
Sken.ai	Fortinet	2021	???	<$500k
Bearer	Cycode	2024	est $10 million	$8 million

Dynamic Application Security Testing - Notable Acquisitions

Company	Acquirer	Year	Price	Raised
Cenzic	Trustwave	2014	???	$43.8 million
NTO	Rapid7	2015	???	???
White Hat Security	NTT	2019	—	—
Peach Tech	GitLab	2020	???	???
Tinfoil Security	Synopsys	2020	???	$100K
Crashtest Security	Veracode	2022	???	???
White Hat Security	Synopsys (from NTT)	2022	$330 million	~$50.6 million

Attack Surface Management - Notable Acquisitions

Company	Acquirer	Year	Price	Raised
Expanse	Palo Alto Networks	2020	$800 million	$136 million
Intrigue	Mandiant	2021	$12.3 million	$2 million
Bit Discovery	Tenable	2022	$44.5 million	$6.6 million
Cybersprint	Darktrace	2022	$53.7 million	$3 million
Randori	IBM	2022	???	$30 million
Reposify	CrowdStrike	2022	???	$8.5 million
Sweepatic	Outpost24	2023	???	$5.23 million
Informer	Bugcrowd	2024	???	bootstrapped