Why a Wiz-SentinelOne acquisition could have made sense
Providing a modern end-to-end cloud security solution
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

A few weeks ago, I wrote about How Wiz fails, and coincidentally, when I was writing the article, there were rumors about Wiz acquiring SentinelOne. A week later, SentinelOne reported they were ending their strategic relationship with Wiz. There’s a lot to unpack here, and I plan to touch on some of this in this newsletter. I will also make an argument about why this partnership makes sense and why it would have been a good move to avoid a potential failure state I described in “How Wiz fails.”
As a disclaimer, I don’t have a direct financial interest in Wiz or SentinelOne, and I don’t currently use either product. I don’t have plans to initiate a financial position in the next 72 hours or buy either product in the short term.
What are Wiz and SentinelOne?
I described Wiz in my previous post, so I won’t go into too much detail here. Wiz is a “next-generation” cloud-native application protection platform (CNAPP). It started as a cloud security posture management (CSPM) product and expanded its platform to cover more parts of infrastructure security. It essentially monitors your cloud infrastructure for misconfigurations.
SentinelOne is an endpoint detection and response product. Its closest competitor is Crowdstrike, which I’ve written about in the past. The product detects malware and issues on endpoints where many breaches start. Like Crowdstrike, it also has a log management solution as part of its XDR offering. A few notable differences that will be relevant later in the newsletter:
In general, Crowdstrike is known to have a much better security services division, especially for incident response. After all, it started primarily as a services company, while SentinelOne started as a product company.
SentinelOne’s story around XDR and log management, with its acquisition of Scalyr, is stronger than Crowdstrike’s.
Why would these companies want an acquisition?
The answer seems obvious to me. First, SentinelOne is clearly the second player behind Crowdstrike in the space. Having Crowdstrike services and their product makes sense because it’s easier for their services to access your endpoints during an incident. Crowdstrike, in my opinion, probably has the best incident response service right now. That’s a hard barrier to get past for SentinelOne since Crowdstrike just has a better track record of incident response services, so it’ll take substantial investment to catch up. What that means is that if Crowdstrike and SentinelOne end up having similar quality products, Crowdstrike’s value-add services are a clear tiebreaker. (From what I hear, Crowdstrike’s endpoint product is as good if not better than SentinelOne in most use cases.)
Second, Wiz, as I described in my previous newsletter, is likely to face existential threats and needs to expand its platform to meet its valuation. It doesn’t currently have much technological defensibility, which is fine, but it needs to build more onto its platform to deliver value to its customers. Otherwise, others will slowly chip away at its market share and/or its growth will stagnate as customers become unwilling to pay for and justify Wiz’s high price tag.
In other words, acquiring SentinelOne would have added capabilities to the Wiz platform, and I believe they would have been a great value-add for Wiz’s customers.
How would SentinelOne have fit in with Wiz’s platform?
The answer is terse but complex. It provides the first modern end-to-end cloud security product. What does this mean? Wiz provides visibility into a company’s cloud infrastructure, while SentinelOne provides visibility into activity on a company’s endpoints. Each product sees an isolated part of a user’s path into the cloud.
More specifically, Wiz only sees the activity in the cloud and has no way to correlate it with endpoint activity; owning SentinelOne would have allowed for that. On top of that, SentinelOne would give customers a way to analyze and correlate this activity in its log management product. This would also give SentinelOne’s log management and analytics tool better telemetry, so that it can reduce false positives.
I think this combination would have been particularly useful because most breaches start with some sort of malware or malicious activity on an endpoint that grants access to the cloud. If a product is able to correlate malicious activity on the cloud with an endpoint, that would be powerful. In general, security struggles to have proper visibility in one tool, so combining multiple pieces of telemetry in one platform would simplify security operations. On top of that, SentinelOne will already have a log management solution for a customer to process this telemetry, allowing them to get deeper into the SIEM market that Splunk currently dominates.
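The correlation the two paragraphs above describe, as an added example that is not code from the newsletter or from either vendor: a minimal join of endpoint (EDR-style) alerts against cloud audit events by identity and time window. The event fields, values, and the assumption that the endpoint username equals the cloud principal are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed endpoint alerts: host, user, detection name, UTC timestamp.
EDR_ALERTS = [
    {"host": "laptop-17", "user": "alice", "detection": "credential-dumping",
     "ts": "2024-05-01T09:58:00Z"},
    {"host": "laptop-42", "user": "bob", "detection": "suspicious-script",
     "ts": "2024-05-01T07:00:00Z"},
]

# Constructed cloud audit events: IAM principal, API action, source IP, UTC timestamp.
CLOUD_EVENTS = [
    {"principal": "alice", "action": "iam:CreateAccessKey",
     "source_ip": "203.0.113.5", "ts": "2024-05-01T10:05:00Z"},
    {"principal": "alice", "action": "s3:ListBuckets",
     "source_ip": "203.0.113.5", "ts": "2024-05-01T13:00:00Z"},
    {"principal": "bob", "action": "ec2:DescribeInstances",
     "source_ip": "198.51.100.9", "ts": "2024-05-01T07:45:00Z"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 'Z' timestamps into naive UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(edr_alerts, cloud_events, window_minutes=30):
    """Return cloud events that follow an endpoint alert for the same identity
    within window_minutes. Identity mapping is the naive assumption that the
    EDR username equals the cloud principal; a real platform would need an
    identity-provider join here."""
    window = timedelta(minutes=window_minutes)
    alerts_by_user = {}
    for alert in edr_alerts:
        alerts_by_user.setdefault(alert["user"], []).append(alert)

    findings = []
    for event in cloud_events:
        for alert in alerts_by_user.get(event["principal"], []):
            delta = parse_ts(event["ts"]) - parse_ts(alert["ts"])
            # Only cloud activity that happens after the alert, within the window.
            if timedelta(0) <= delta <= window:
                findings.append({
                    "user": event["principal"], "host": alert["host"],
                    "detection": alert["detection"], "action": event["action"],
                    "source_ip": event["source_ip"],
                    "minutes_after_alert": int(delta.total_seconds() // 60),
                })
    return findings
```

With the constructed data, only alice’s access-key creation seven minutes after a credential-dumping alert is flagged at the default window; bob’s activity falls outside it unless the window is widened.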
Once they get a strong foothold around cloud and endpoint activity, it would make it easier for the companies to start adding additional capabilities to their platform, such as being able to do a more complete data loss prevention (DLP) strategy to manage information flowing out of both the endpoint and cloud infrastructure. They can start competing with the likes of Cloudflare and Zscaler potentially.
They can also choose to go into vulnerability management and application security by being able to provide security from code development to runtime. In fact, Crowdstrike is currently doing this with their acquisition of Bionic. Having a cloud infrastructure security product like Wiz would provide an even more complete cloud security platform because it’ll show vulnerabilities in the cloud infrastructure itself in addition to the application. The acquisition would have easily opened up the platform to a variety of potential new market opportunities.
What might be some risks?
After this rumor got out into the wild, SentinelOne denied this and also canceled their exclusive partnership with Wiz. The reason they stated was “lack of performance.” Honestly, I’m not too surprised. Wiz was the best-of-breed product for CNAPP, and it’s likely their customers wanted to use the best-of-breed EDR product, Crowdstrike. The question is whether the combined product would convince Wiz customers to use SentinelOne instead of Crowdstrike. My guess is that the answer they reached was no. It probably would have taken too long for customers to see the true value of SentinelOne + Wiz. Moreover, the main differentiator for Crowdstrike is their strong security services, especially in incident response, and Wiz wouldn’t be able to provide that. That was always the risk. It seemed like it would have potentially been a great product, but unfortunately, they would have been competing against an especially strong product, Crowdstrike, in EDR that is already a proven winner.
Takeaway
It seems like a combined Wiz and SentinelOne would have been mutually beneficial and opened up markets. However, it would have been a hard sell, and convincing customers to move off of Crowdstrike might have been hard. Crowdstrike’s strong services division is definitely a differentiator for them, and the acquisition wouldn’t have provided SentinelOne with that capability.
My question is: what’s next? Does SentinelOne need to find a way to acquire a strong services company? Does Wiz need to find a company in a different space to acquire in order to open up its platform?