*AST and *SPM: Acquisition Magnets

May 13, 24

There are a whole lot of these *SPM and *AST startups.

I’m talking about[1]:

  • Application Security Posture Management
  • Cloud Security Posture Management
  • Data Security Posture Management
  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Attack Surface Management (ignore the acronym mismatch, there is huge overlap here)

I think there are a couple of drivers behind such busy spaces. First, MVPs are relatively de-risked and undifferentiated, and in the case of *ASTs especially, quick to get up and running; evidence can be found in the frequent appearance of open source options[2]. Additionally, these tools get deployed externally, can operate well either locally or as SaaS software, and can be cheap to stand up. All of this lets them onboard beta customers and development partners at low cost and risk. That ability to lean into product-led growth (PLG) can help get the early traction that makes startups visible. It also keeps them alive long enough to get early funding, and potentially to exit with a small acquisition or acquihire rather than shutting down entirely.

〰️ Disclaimer: this is definitely vulnerable to confirmation bias; I suspect the same is true in other areas of security startups.

There are also a whole lot of acquisitions of these startups.

I think there are a few reasons for that:

  1. These tools are easy to integrate into the acquirer. *AST tools are sometimes already third-party integrations with the acquirer that just need to be repackaged as first-party. *SPM tools are often either rolled into a different *SPM vertical, or can quickly bootstrap an acquirer into a “platform.”
  2. These tools can be a quick way to fill a product gap. For example, expanding an AppSec platform into Cloud as Snyk tried to do with Fugue.
  3. These tools can drive Product Led Growth: they’re often cheap to run, and it’s easy to onboard new customers for trials.
  4. It’s hard for startups in these categories to grow to any other outcome. These spaces are immensely competitive, and there are many sizable platforms offering good-enough solutions.

What options does this imply for these startups?

🫵 Shout out to The Cloud & App Security List by Latio, which I leaned on to generate these lists

Some data to chew on

Application Security Posture Management - Notable Startups

| Company | Launched | Status |
| --- | --- | --- |
| Code Dx | 2015 | Acquired by Synopsys, 06/08/2021 |
| Bionic | 2019 | Acquired by Crowdstrike, 09/19/2023; est. $350m, raised $82 million in total |
| Enso Security | 2020 | Acquired by Snyk, 08/2023; $32.7M, <10m raised |
| Oxeye Security | 2020 | Acquired by GitLab, 03/20/2024; est. $30-40m, raised 10m |
| Silk Security | 2022 | Acquired by Armis, 04/16/2024; $150m, raised $12.5 million |
| Qwiet.ai (fka ShiftLeft) | 2016 | $58.3m total, including $29m expansion in 2022 |
| Apiiro | 2019 | $135m, including a $100m series B in 2022; PAN acquisition reportedly fell through |
| Kondukto | 2019 | $1m seed, 2022 |
| Rezilion | 2018 | $30m series A in 2021 |
| Cycode | 2019 | $81m, including a $56 million Series B round in 2021 |
| ArmorCode | 2020 | $65m total, $40m series B in 2023 |
| Boost Security | 2020 | $12m seed round, 2022 |
| Jit | 2020 | $38.5m seed round, 2022 |
| Legit Security | 2020 | $77 million total, $40 million Series B in 2023 |
| Arnica | 2021 | $7 million in seed funding, 2022 |
| Ox Security | 2021 | $34 million in seed funding, 2022 |
| Phoenix Security | 2021 | ??? |
| Tromzo | 2021 | $8m seed, 2023 |
| Aikido | 2022 | €5 million in seed funding, 2023 |
| Backslash | 2022 | $8 million round in 2023 |
| Xygeni | 2022 | €4M in funding in 2023 |

Cloud Security Posture Management - Notable Acquisitions

| Company | Acquirer | Year | Price | Raised |
| --- | --- | --- | --- | --- |
| Evident.io | Palo Alto Networks | 2018 | $300 million | $49.1 million |
| RedLock | Palo Alto Networks | 2018 | $173 million | $12 million |
| Cloudsploit | Aqua Security | 2019 | ??? | ??? |
| Cloud Conformity | Trend Micro | 2019 | $70 million | $3.7 million |
| Cloudneeti | Zscaler | 2020 | $8.9 million | $500k |
| DivvyCloud | Rapid7 | 2020 | $145 million | $27.5 million |
| Bridgecrew | Palo Alto Networks | 2021 | $156 million | ~$18 million |
| CloudQuest | Deloitte | 2021 | ??? | ??? |
| DisruptOps | Firemon | 2021 | ??? | $9 million |
| Fugue | Snyk | 2022 | ??? | $85 million |
| Prevasio | AlgoSec | 2022 | ??? | ??? |
| Prowler | Verica | 2022 | ??? | $6 million |
| Ermetic | Tenable | 2023 | $265 million | $100 million |
| Lightspin | Cisco | 2023 | ~$200 million | $25 million |
| Longbow Security | Veracode | 2024 | ??? | $10.5 million |
| PingSafe | SentinelOne | 2024 | ??? | $3.3 million |
| Runecast | Dynatrace | 2024 | ??? | ~$2m |

Data Security Posture Management - Notable Acquisitions

| Company | Acquirer | Year | Price | Raised |
| --- | --- | --- | --- | --- |
| Dig Security | Palo Alto Networks | 2023 | $400 million | $45 million |
| Laminar | Rubrik | 2023 | $200-250 million | ~$67 million |
| Polar Security | IBM | 2023 | $60 million | $8.5 million |
| Flow Security | CrowdStrike | 2024 | est. $200 million | $13 million |

Static Application Security Testing - Notable Acquisitions

| Company | Acquirer | Year | Price | Raised |
| --- | --- | --- | --- | --- |
| Goanna Software | Synopsys | 2015 | ??? | ??? |
| RIPS Tech | SonarSource | 2020 | ??? | $0 |
| Sken.ai | Fortinet | 2021 | ??? | <$500k |
| Bearer | Cycode | 2024 | est. $10 million | $8 million |

Dynamic Application Security Testing - Notable Acquisitions

| Company | Acquirer | Year | Price | Raised |
| --- | --- | --- | --- | --- |
| Cenzic | Trustwave | 2014 | ??? | $43.8 million |
| NTO | Rapid7 | 2015 | ??? | ??? |
| WhiteHat Security | NTT | 2019 | | |
| Peach Tech | GitLab | 2020 | ??? | ??? |
| Tinfoil Security | Synopsys | 2020 | ??? | $100K |
| Crashtest Security | Veracode | 2022 | ??? | ??? |
| WhiteHat Security | Synopsys (from NTT) | 2022 | $330 million | ~$50.6 million |

Attack Surface Management - Notable Acquisitions

| Company | Acquirer | Year | Price | Raised |
| --- | --- | --- | --- | --- |
| Expanse | Palo Alto Networks | 2020 | $800 million | $136 million |
| Intrigue | Mandiant | 2021 | $12.3 million | $2 million |
| Bit Discovery | Tenable | 2022 | $44.5 million | $6.6 million |
| Cybersprint | Darktrace | 2022 | $53.7 million | $3 million |
| Randori | IBM | 2022 | ??? | $30 million |
| Reposify | CrowdStrike | 2022 | ??? | $8.5 million |
| Sweepatic | Outpost24 | 2023 | ??? | $5.23 million |
| Informer | Bugcrowd | 2024 | ??? | bootstrapped |

[1] I’m going to ignore AI-SPM & IAST, and roll “Enterprise Attack Surface Management” under Attack Surface Management, as I think they’re not notable categories on their own. I’m skipping SCA, but suspect there is a similar point to be made with “legacy” SCA startups that are doing dependency vulnerability detection and management.

[2] Take a gander at https://github.com/topics/sast, https://github.com/topics/dast, or https://github.com/topics/cspm