Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
One of the biggest rumors of last week was that Wiz was in talks to acquire Lacework. For me, it was shocking and not shocking at the same time. I felt that Lacework was at the cusp of a breakthrough because people would realize they needed a more sophisticated cloud security product. However, at the same time, I knew it was hard to beat the Wiz GTM engine, especially in a somewhat new market where legacy players are just failing and most companies just need a solution, not necessarily the best one. With that said, I did believe that the Lacework product might do better under a more established GTM, which meant that I wasn’t surprised to hear about an acquisition. The surprising part is that the acquirer was Wiz.
Several people have asked me my take on this acquisition, and I thought a lot about it in the past week. It’s starting to make more sense to me, at least theoretically. Before we dive deeper into my reasoning, here’s some quick background information. I’ve written about how I believe that Wiz will continue to struggle to meet their growth. I think this acquisition is a strong signal that they are being pushed to grow faster than they can organically with their current capabilities. Let’s not forget that there were rumors of a Wiz acquisition of SentinelOne a few months back, and they also recently acquired Gem Security.
Here are the posts. I’ve unpaywalled the “How Wiz fails.”
What are Wiz and Lacework?
Wiz and Lacework are similar products. I talk about Wiz in the article above, but both are part of the category known as the cloud-native application protection platform (CNAPP). Wiz first started as a cloud security posture management (CSPM) product and expanded its platform to cover more parts of infrastructure security.
For context, I’ve used both products, and I currently use Lacework. I will explain later why this is the case. One main difference worth noting is that Lacework started with an agent-focused real-time product and then created an agentless product. Wiz did the opposite: it started agentless and later moved toward an agent.
The agent product for real-time monitoring was more useful for sophisticated security teams that could dig deep into cloud security and/or were at companies with more complicated tech stacks, such as Kubernetes. Wiz catered more to IT-focused security teams who were just ramping up on understanding cloud security risks. For Wiz customers, it’s too heavy a lift to ask DevOps to install a potentially disruptive agent without being able to clearly articulate its value.
Anyway, this is a key product difference. As a result, the agent-based real-time product is more mature with Lacework, and they have a machine learning-based algorithm that can baseline an environment and only alert when there’s a deviation from that baseline. Cloud environments and their configurations vary a lot, which leads to noise, especially when detection relies on a default set of rules.
Consolidation needed to happen in cloud security
Why do I think this acquisition makes sense? To start, I predicted in the past 2 years that security needs to undergo consolidation.
There are more vendors than problems to solve. (However, despite this, problems are going unaddressed. That’s a different discussion.) This is especially true in cloud security. There’s more funding in cloud security companies than there is TAM. We saw the same trend with EDR companies, such as CrowdStrike, Cylance, Carbon Black, etc., and we all know how that ended.
One similarity is that, like EDR, most companies only need one cloud security platform. That is, a company only needs Lacework or Wiz and rarely uses both. In the past, from my experience (and others’), I’ve seen Wiz customers sign a multi-year contract only to realize it doesn’t provide sufficient visibility for applications with more real-time threats, especially ones that use Kubernetes, so they also buy Lacework. Usually, those customers gravitate over to Lacework after the Wiz contract ends. Other than that edge case, having both is rare. From what I hear, Wiz and Lacework typically go head-to-head, meaning they have similar customer profiles. Sometimes Palo Alto Networks is in the mix, but regardless, it’s better to have one competitor than two.
For EDR, Cylance had the better prevention platform, but Crowdstrike had the better detection and response platform. There was no reason to have both agents running on your laptop, but in a different world without founder conflicts, that could have been a good consolidation story. Maybe Wiz realized this and decided not to repeat the past.
Wiz needs to grow… but efficiently
Lacework was valued at 8.4B, and Wiz was valued at 10B+ in recent funding. It seems that Lacework’s growth has plateaued, but Wiz is growing. The problem is that it’s not growing fast enough to meet its goals.
Wiz’s CEO and co-founder Assaf Rappaport — who co-founded and sold a previous security startup, Adallom, to Microsoft — has said on a number of occasions (such as here) that Wiz is looking to hit $1 billion in annual recurring revenue ahead of an IPO. We understand that its soft deadline is the end of 2025, but considering it announced ARR of only $350 million in February 2024, the company has to get aggressive to reach its goal. Lacework, we understand, has ARR of around $100 million.
$1B in ARR is a lofty goal, and it’s hard to double at that run rate. On top of that, efficiency is the name of the game for IPOs now. With Lacework around, it would have to spend more on GTM to compete on top of the GTM costs it will spend to acquire customers to reach $1B ARR. Acquiring Lacework seems to accomplish two important goals: growth AND efficiency. Why not get Lacework’s customers and revenue, and at the same time, reduce GTM costs because you have to deal with one less direct competitor?
Wiz has likely realized that it can’t grow organically, so it has to do so with acquisitions.
Wiz needs a technology upgrade
I have seen both Lacework and Wiz. Wiz definitely had the better product-GTM fit. It had a product that was easy for organizations to say yes to and adopt, especially during a time when security teams. However, as I’ve discussed before, the technology behind Wiz isn’t complicated and isn’t as defensible. It’s mostly taking snapshots and querying cloud APIs to get information. Therefore, it’s hard for Wiz to land and expand without providing more value because, at a certain point, companies will wonder whether it’s better value to build vs. buy. An important part of growing aggressively is maintaining a high NRR by growing your existing contracts. With strong technology, you can raise the “ceiling” ARR number, the point at which customers either will not pay more, which cuts into your margins, or churn, which reduces your ARR and NRR.
Enter Lacework. I have to admit, as a user of Lacework, the product is not the easiest to use, but the technology is superior to Wiz. There are two main areas where Lacework has created a defensible moat: a well-functioning agent that’s easy to deploy for real-time visibility (and also works well with Kubernetes), and machine learning-based analysis of cloud logs and other alerts to reduce the number of alerts. This is highly attractive to engineering-focused teams that want to reduce their operational work. The hope is that Wiz can integrate these features and create a product with a more defensible technological moat.
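The baseline-then-alert-on-deviation idea mentioned above (here and in the product comparison earlier in the post) is easier to appreciate with a concrete sketch. The following is an added illustration written for this post, not Lacework’s or Wiz’s code, and it deliberately uses a trivial per-principal baseline rather than any real machine learning. The audit events are constructed, simplified CloudTrail-style records (principal, API action, source IP), and the “default rule set” is an assumed generic list of sensitive APIs used only to show why static rules are noisier than a learned baseline.

```python
"""Baseline-and-deviation alerting over cloud audit events (added example).

Constructed data: the events below are made up to resemble simplified
CloudTrail-style records; they are not from any real account or product.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed learning-window events: what "normal" looks like for two principals.
BASELINE_EVENTS = [
    {"principal": "ci-deployer", "action": "ecr:PutImage", "source_ip": "10.0.1.5"},
    {"principal": "ci-deployer", "action": "eks:DescribeCluster", "source_ip": "10.0.1.5"},
    {"principal": "ci-deployer", "action": "ecr:PutImage", "source_ip": "10.0.1.6"},
    {"principal": "alice", "action": "s3:GetObject", "source_ip": "10.0.2.10"},
    {"principal": "alice", "action": "s3:ListBucket", "source_ip": "10.0.2.10"},
    {"principal": "alice", "action": "s3:GetObject", "source_ip": "10.0.2.11"},
]

# Constructed observation-window events: routine activity plus two deviations.
NEW_EVENTS = [
    {"principal": "ci-deployer", "action": "ecr:PutImage", "source_ip": "10.0.1.7"},
    {"principal": "alice", "action": "s3:GetObject", "source_ip": "10.0.2.12"},
    {"principal": "alice", "action": "iam:CreateAccessKey", "source_ip": "10.0.2.10"},
    {"principal": "ci-deployer", "action": "ecr:PutImage", "source_ip": "203.0.113.9"},
]

# Assumed generic "sensitive API" rule set, standing in for a vendor default.
DEFAULT_SENSITIVE_ACTIONS = {"ecr:PutImage", "iam:CreateAccessKey"}


def _network_of(ip):
    """Bucket a source address by its /24 so small IP churn is not a deviation."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Learn, per principal, the actions and source networks seen during the window."""
    baseline = defaultdict(lambda: {"actions": set(), "networks": set()})
    for e in events:
        entry = baseline[e["principal"]]
        entry["actions"].add(e["action"])
        entry["networks"].add(_network_of(e["source_ip"]))
    return dict(baseline)


def detect_deviations(baseline, events):
    """Return (event, reason) pairs for events outside the learned baseline."""
    alerts = []
    for e in events:
        known = baseline.get(e["principal"])
        if known is None:
            alerts.append((e, "unknown principal"))
            continue
        reasons = []
        if e["action"] not in known["actions"]:
            reasons.append("new action")
        if _network_of(e["source_ip"]) not in known["networks"]:
            reasons.append("new source network")
        if reasons:
            alerts.append((e, ", ".join(reasons)))
    return alerts


def static_rule_alert_count(events):
    """How many alerts a static 'sensitive API' rule would raise on the same events."""
    return sum(1 for e in events if e["action"] in DEFAULT_SENSITIVE_ACTIONS)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for event, reason in detect_deviations(baseline, NEW_EVENTS):
        print(f"ALERT [{reason}]: {event}")
    print("static rule alerts:", static_rule_alert_count(NEW_EVENTS))
```

On this input the static rule fires three times (every image push plus the access-key creation), while the baseline fires twice and says why: alice has never called an IAM API before, and the CI principal has never pushed from outside its usual network. The routine image push from a new host in the same /24 is silent in the baseline model but noisy under the static rule, which is the noise-reduction argument in miniature.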
In summary, Wiz has the product and GTM engines. Lacework has the technology. It seems like the combination will make them the most dominant player in the market.
What now?
I do think Wiz has a lot of work ahead. If they choose to do this acquisition, they really need to get the integration right. There’s a lot of potential here, but making sure they retain key talent on the engineering side is critical to the success of the acquisition. Overall, it’s a bold move, but if they get it right, it can be big for them and for the security industry as a whole.