Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
We have several positions open at Headway! If you’re interested in building a new mental healthcare system that everyone can access, please apply.
Self-promotion: I recently did a podcast with Dave Cole for Security Voices and talked about this newsletter, my career, and random thoughts on security. Please give it a listen!
I’ve written various newsletters on companies and their failure modes. For some, I’ve also written why they are underrated or could have a path to success. However, I mainly focused on public companies until a couple of weeks ago when I talked about how one of the more notable security startups Snyk could fail. If you’re interested, you can subscribe and give it a read.
This week, I continue the theme of talking about mature startups. This newsletter is also timely as Wiz is looking to make a bid for SentinelOne, which I believe is an interesting move to both grow into their market capitalization and prevent the failure modes that I plan to describe. Talking about this acquisition and how it allows Wiz to win is for another newsletter!
What is Wiz?
Wiz is a “next-generation” cloud-native application protection platform (CNAPP). It started as a cloud security posture management (CSPM) product and expanded its platform to cover more parts of infrastructure security.
First, some cloud security history. The first generation of CSPMs required agents on an organization’s cloud infrastructure. That meant a somewhat complicated and intrusive deployment, which in turn needed substantial buy-in from DevOps/infrastructure teams. Consequently, the most successful companies had either security-minded DevOps teams or security teams with DevOps expertise, which led to the “beginnings” of security engineering.
What Wiz did differently compared to its predecessors, namely Redlock, Dome9, etc., was that it was agentless, so it was classified as “next-generation.” It provided basic cloud security posture management alerts by calling and analyzing the cloud infrastructure APIs (e.g. the AWS APIs) and snapshots of EBS volumes. This approach substantially reduced deployment costs for DevOps while delivering visibility for the security team. On top of this platform, they also expanded into cloud identity entitlement management (CIEM) to manage AWS IAM roles, policies, and users. Finally, it recently expanded into cloud workload protection (CWPP) with the introduction of an agent to monitor real-time workloads.
Fast growth in ARR and sales
Wiz invested heavily in its GTM and focused on a simple, low-friction solution. As a result, it was able to upsell further additions to the platform and let security teams demonstrate the eventual need for, and value of, an agent. The advantage for cloud security products in general was that they addressed a new but business-critical category. Many companies moved to the cloud as part of the digital transformation accelerated by COVID, which introduced new risks for most security organizations.
Because this was a priority, many CISOs created a budget to quickly procure a solution. A reason for the fast sales is that most security teams knew they had risk exposure but had no product that would provide visibility, so having any sort of product was a top priority. In addition, most security teams weren’t knowledgeable about cloud-related risks, so in a sense, Wiz productized cloud security risk research. Even if teams had some knowledge, they didn’t have the capabilities or resources to build such a tool themselves in a reasonable timeframe. To them, Wiz was the perfect solution: a comprehensive tool that was low friction to install and could provide immediate value.
Sales grew quickly, and they surpassed 100M ARR within 18 months. Although they had competitors, they were able to use savvy sales and marketing tactics to lock in customers. Rumor has it that they have many large enterprise customers with multi-million dollar contracts.
The need to demonstrate more value
Honestly, Wiz has had fast growth, but the company is still nascent. This means that most customers haven’t had a chance to renew. Wiz tends to lock companies into multi-year contracts, so they haven’t had a chance to evaluate whether Wiz provides strong ROI.
Having evaluated and used Wiz in the past, I found it to be a simple but slick product. (I am currently a Lacework user and fan.) My main criticism is that although it shipped with some rules out of the box, curating those rules took substantial operational effort, especially where my environment didn’t fit their standard: I needed to create exceptions to rules (for bastion hosts, for example) that required non-trivial engineering context. Moreover, Wiz is primarily rules-based, so it works better for an operational security team than for a security engineering one. Finally, its CWPP and real-time monitoring tool are relatively immature, which doesn’t work well for more complex environments.
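To make the two points above concrete (agentless posture checks driven by cloud API inventory, and the curation burden of rule exceptions such as bastion hosts), here is a small added example. It is not Wiz’s code or any vendor’s; the inventory is a constructed snapshot shaped loosely like EC2 describe_security_groups / describe_instances output, the rule id, tag names and the Exemption record are hypothetical, and it covers only the API-inventory side of what the newsletter describes, not EBS snapshot analysis.

```python
"""Toy agentless posture check: evaluate one CSPM-style rule over a cloud
inventory snapshot and apply curated, documented exceptions.

The inventory below is CONSTRUCTED sample data shaped loosely like the
EC2 API's describe_security_groups / describe_instances responses; no
cloud API is called. Rule id, tag keys and the Exemption record are
hypothetical names chosen for this example.
"""
from dataclasses import dataclass

RULE_ID = "SSH_OPEN_TO_WORLD"  # hypothetical rule identifier

# Constructed inventory: three groups, two of which expose port 22 to the world.
SECURITY_GROUPS = [
    {"GroupId": "sg-0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0003", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-aaa", "SecurityGroups": [{"GroupId": "sg-0001"}],
     "Tags": [{"Key": "Role", "Value": "bastion"}]},
    {"InstanceId": "i-bbb", "SecurityGroups": [{"GroupId": "sg-0002"}],
     "Tags": [{"Key": "Role", "Value": "app"}]},
    {"InstanceId": "i-ccc", "SecurityGroups": [{"GroupId": "sg-0003"}],
     "Tags": [{"Key": "Role", "Value": "app"}]},
]


@dataclass(frozen=True)
class Exemption:
    """A curated exception: which rule, which workloads (by tag), and the
    engineering context (owner + reason) that justifies it."""
    rule_id: str
    tag_key: str
    tag_value: str
    owner: str
    reason: str


# The exception the newsletter mentions: bastion hosts are the intended SSH ingress.
EXEMPTIONS = [
    Exemption(RULE_ID, "Role", "bastion", "infra-team",
              "Bastion hosts are the only intended SSH ingress point."),
]


def tags(instance):
    """Flatten the Tags list into a dict for easy lookup."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def rule_ssh_open_to_world(sg):
    """True if any inbound permission covers TCP/22 from 0.0.0.0/0."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":          # "-1" means all protocols and ports
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if lo <= 22 <= hi and world:
            return True
    return False


def evaluate(security_groups, instances, exemptions):
    """Join instances to their groups, run the rule, and mark each hit as
    'open' or 'suppressed' (with the exemption's reason) so the exception
    and its justification stay visible rather than silently dropped."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for inst in instances:
        for ref in inst.get("SecurityGroups", []):
            sg = sg_by_id.get(ref["GroupId"])
            if sg is None or not rule_ssh_open_to_world(sg):
                continue
            t = tags(inst)
            match = [e for e in exemptions
                     if e.rule_id == RULE_ID and t.get(e.tag_key) == e.tag_value]
            findings.append({
                "rule": RULE_ID,
                "instance": inst["InstanceId"],
                "group": sg["GroupId"],
                "status": "suppressed" if match else "open",
                "justification": match[0].reason if match else None,
            })
    return findings


def open_findings(findings):
    """Only the findings that still need action."""
    return [f for f in findings if f["status"] == "open"]


if __name__ == "__main__":
    for f in evaluate(SECURITY_GROUPS, INSTANCES, EXEMPTIONS):
        print(f)
```

The design point is that the exemption is data with an owner and a reason, not a deleted rule: the bastion host still produces a record, just a suppressed one, which is the engineering context a rules-based tool cannot infer on its own and that an operational team has to curate by hand.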
In general, my impression is that Wiz’s current product is not complicated to build and doesn’t have much defensible tech. Similar to other SaaS companies, it was quick to build and sell, but that also means it’s easy for others to compete in this space. Smaller startups and companies that are more resource-constrained will likely buy it. That is, it’s cheaper to buy it than to develop it in-house and maintain it, especially since it’s most likely not strategic to a company’s core product.
Although Wiz will capture more companies who have operational security organizations that need this type of security visibility, larger contracts will likely go away. Without acquisitions or substantial innovation in the platform, they can’t demonstrate technological value that justifies the 1M+ contracts. When these larger contracts come up for renewal, these companies will choose to look for a cheaper alternative or build it themselves. We are already starting to see this happen.
As a result, competitive pressures will cause Wiz to lower its prices and spend more on sales and marketing. Its margins start to suffer, yet it is forced to increase operating costs to stay competitive on both product and technology. It might attempt acquisitions that fail or try, unsuccessfully, to innovate internally. Slowly, customers continue to apply pricing pressure as competition mounts and companies move toward security engineering teams capable of building this product themselves. Wiz becomes a mid-market product with a mediocre LTV-to-CAC ratio because it lacks substantial technological differentiation.
In the end, an endpoint company like Crowdstrike or a security platform company like Cisco comes and acquires them to enhance their cloud security platform and reduce their GTM costs.
Takeaway
Wiz is a great product, and I don’t see it going anywhere soon. In fact, I do think it’s capable of capturing more market share. The product fills an immediate gap and is simple but slick. However, that very speed means it’s easier for competitors to enter the space. If Wiz doesn’t build more technological value and defensibility into the platform, it will face mounting competition and pricing pressure, especially from its largest customers, who might try to build it themselves.
Hey Frank,
Great article. What resonated with me is how you see the difference between security engineering and operational security.
Our product sells to the bottom half of cloud developers: the ones who never have the time, skill, or inclination to do security unless it is for SOC 2. All of these folks are doing something in between security engineering and secops.
The title was too tempting to start the free trial. Now paying for the year. Great stuff. Thanks! 😀
Cisco in fact recently acquired Lightspin, another security company with technology similar to Wiz’s. It’s going to be part of Cisco’s Panoptica. If they were just looking for the technology, then with Lightspin they got it for much cheaper.