What is Palo Alto Networks doing?
Acquiring products to expand their core cloud security business
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m finally getting around to discussing the rumors of two potential Palo Alto Networks acquisitions: Talon Cyber Security and Dig Security. It’s been 10 months since their last acquisition of Cider Security. I’ve done a couple of posts on Palo Alto Networks about how it could fail and how it could succeed.
As a disclaimer, as of this writing, I don’t have any direct financial interest in Palo Alto Networks, Talon Security, or Dig Security, and I don’t plan to initiate a position in the next 72 hours. I also don’t currently use these products but am open to trying them!
What are these companies?
I gave a summary of Palo Alto Networks in my post about how it fails. It is currently a cloud security company with a legacy firewall business, but almost the whole cloud security business was created through acquisitions.
Talon Cyber Security started in 2021, and they are building a Chromium-based enterprise browser. It’s an interesting company that believes that the increased use of SaaS apps and as a result, the browser, has made the browser a larger threat vector.
Dig Security also started in 2021, and they are focused on building a data security platform for the cloud. Given the modern data stack and the large amount of data in the cloud, organizations need new tools to securely manage and monitor this data. It can also be viewed as a cloud-focused data loss prevention (DLP) tool.
The question is why is Palo Alto Networks interested in these companies.
Focused on acquisition to innovate
In a previous post, I talked about how the lack of innovation and failure to capture market share in new security markets, specifically the developer security market, will be a failure mode for Palo Alto Networks. In fact, it would be unclear where Palo Alto Networks would be right now if it didn’t enter the cloud security business with Nikesh Arora making several acquisitions to develop the business from scratch. Although highly profitable, their legacy firewall business is shrinking.
In a follow-up post, I described that Palo Alto Networks needs to continue to grow its business to stay relevant. They can either innovate organically/internally or acquire companies. My opinion is that they have decided that they are incapable of doing cloud security product development quickly and efficiently within the company. This could be the lack of technical talent and/or product and engineering processes around fast development.
However, they believe that most of these startups spend large amounts of capital (inefficiently, of course) on GTM through sales and marketing, and it’s easy to sell these startups’ products through their GTM motion. Although Palo Alto Networks might pay a seemingly high price, they can recoup it easily because they can accelerate the startups’ GTM motions with low integration costs. They have shown this to work through their acquisitions of Redlock, Twistlock, etc. Since it’s working for them, they believe their path to product growth is through acquisition rather than organic innovation.
Re-focusing on cloud infrastructure security
In my mind, the failure mode for Palo Alto Networks in the long run is the inability to capture the rising developer security market. It’s already appearing in application security and will likely move into infrastructure security soon. It seems that Palo Alto Networks tried to enter this market with their acquisitions of Bridgecrew and Cider Security. Both of these companies cater to developers but have some elements of cloud infrastructure security, which is the core part of Palo Alto’s cloud security business.
Bridgecrew is focused on scanning infrastructure as code, e.g. Terraform. Cider Security is focused on application security posture management, but there is a strong emphasis on securing deployment, which is typically owned by infrastructure teams. Both companies have code security elements and have flavors of application security, but they are also focused on parts that infrastructure owns. It’s likely that Palo Alto Networks believes the GTM is easier if there’s a cloud infrastructure security component since they have some existing sales and marketing experience there.
My opinion is that these companies were harder to integrate and plug into their GTM motion than they thought. As a result, they have decided to go back to their core cloud security platform by acquiring startups that obviously fit into their Prisma Cloud platform. They are also finding products that are used by their main customer base, which is primarily operational security organizations.
Why Talon and Dig Security?
The simple answer is that they both fill gaps in their current cloud security platform: data security and network security. (On a separate note, I’m surprised that they haven’t tried to acquire any WAF companies.) The goal is to add more telemetry about an organization’s cloud infrastructure into the platform so that organizations can have better context.
Although Talon advertises itself as an enterprise browser, it solves the problem of a secure web gateway (SWG). Secure web gateways, such as Zscaler, Cloudflare Gateway, etc., have gained popularity in the last few years because of the rise of SaaS applications. Consequently, security teams want to do DNS filtering and policy management on outgoing traffic. However, most of the traffic worth monitoring these days is on endpoints/laptops and originates from the browser. I still believe the adoption of enterprise browsers might be a struggle as Chrome and Firefox have built great products and provide familiarity. It’s possible that Palo Alto Networks is buying the technology, which seems to be a mode of operation for them. The technology likely has the ability to filter DNS, decrypt TLS, and inventory corporate applications. Palo Alto Networks can repackage this into a secure web gateway product to compete against Zscaler and Cloudflare.
Dig’s product might be a slightly easier and more straightforward integration. As someone who has worked in the modern data stack, this is the first data security product to be used toward cloud data and the changing data landscape. I’ve discussed this before in past posts that I believe security is losing visibility with the move to the cloud, and the move toward the modern data stack for data teams is further exacerbating this issue. This is an area in cloud security where security, especially operational security teams will struggle to understand and will require more visibility in the near future. Moreover, it seems that Dig Security has some cloud infrastructure security capabilities to augment Palo Alto Networks’s CSPM and CNAPP products.
Takeaway
Palo Alto Networks is starting up acquisitions again and using it as the main form of innovation rather than innovating organically. It seems that they are going back to the fundamentals of focusing on products that have easy integrations both product and GTM-wise for them. That is, they have decided to fill gaps in their core Prisma Cloud platform rather than expanding out to capture new markets and explore new GTM motions. There’s plenty of market to capture for Palo Alto Networks, so I think this is smart. However, they likely need to go beyond their core customer base or else they will be in for another reckoning soon!