Last week was huge for cybersecurity funding, but it reveals the reality of building successful cybersecurity companies - shortcuts sell more than security.
Part of my background is slinging “SOC 2 automation” software. Like most cyber startups, we forked some open source software, slapped some features around it, and were able to build the outcome of “automated compliance.” As part of this, I was on over 100 sales calls with startups looking for the software they were going to use to achieve SOC 2. The key lesson I learned is that security is a differentiator, not a product. Below I’ll explain why, along with two important outliers.
First, some prolegomena summarizing what these companies are:
The heart of early Vanta was an OSQuery agent applied to SOC 2 compliance, together with connectors for other data. They work with auditors to run checks on your configurations, the auditors give you a pass and everyone goes on their merry way. They can now be considered a next generation GRC platform by including things like questionnaire management, risk assessments, and user tracking.
Selling Point: Vanta continues to be the fastest and easiest way to get compliance done
DIY Alternative: For software, OSQuery + ScoutSuite (optionally GuardDuty, Google Drive, and policy templates). Other alternatives. And everything you need to know about SOC 2.
Chainguard started with supply chain integrity before releasing Wolfi and their own “no vulnerability 😉” images. Chainguard is beginning to be considered a solution for the container vulnerability problem, especially when it comes to federal requirements, but is really more of a new Linux distro with its own pros and cons.
Depending on your existing infrastructure and image needs, Chainguard images are an easy way to meet FedRAMP and other compliance standards.
DIY Alternatives: Alpine images, Ubuntu CIS images, Slim Toolkit, Update your own Ubuntu image, or Google Distroless
Wiz scans for cloud misconfigurations and vulnerabilities, but it also has a nice search and a decent endpoint agent.
Wiz is a shortcut for vulnerability scanning in the cloud because of the flexibility of agentless scanning and the quality of its search and dashboarding.
DIY Alternatives: CloudQuery, Prowler, Inspector
This post isn’t meant to be negative against these companies, in fact, I have recommended, and continue to recommend them frequently. Instead of being negative, this post is an attempt to explain why they’re successful, despite being some of the least security focused options in their category.
1. Scaling is about the lowest common denominator
The cybersecurity market wants Toyota Corollas, not Lamborghini Huracans.
I’m not an expert, but it seems enthusiasts talk about Lamborghinis about 100x as much as Toyotas. Nonetheless, Toyota sells 100x the product (in terms of revenue) because it’s a great fit for most people. While Lamborghinis come with more features, those features cost money, and it’s just not worth it for most people who are driving home and back, not driving on a race track.
In security, a lot of companies make Lamborghini products; however, these products only have a chance of selling to the race enthusiasts of the industry. These are mostly finance and healthcare, industries which have actual money at risk in their data security. A market exists for these products, it’s just not the same size as the broader one.
Most companies just want a Corolla security product, the one that reliably gets them where they’re going without too much headache. This is why Wiz, Crowdstrike, and Palo Alto are so successful - they’re just well rounded products that are harder to not recommend than to recommend (when it comes to their core product offering). On Palo and Crowdstrike, a firewall and an endpoint agent are where 90% of companies start with security - I’m talking about everyone from a local doctor’s office to a regional bank. When I worked for a managed services provider, this was most of the security work we did - installing antivirus and a firewall, because not doing that basic work was risky for a business of any size. These products are relatively easy to set up for the amount of security you get as a result.
Likewise, Wiz is now the de facto choice for the cloud. If you’re born on the cloud, you probably don’t have a traditional network architecture or endpoint protection stack, like using VPNs with RDP to access Windows servers. The common problem in the cloud is viewing your assets and what’s running on them. A bunch of EC2 instances called `i-1029312e1e1` and IP addresses give people zero insight into what’s actually going on in their cloud environment. This is why I commonly consider Wiz, and CNAPPs more broadly, asset management with vulnerability scanning more than security tools - the pitch is simple visibility with enough runtime security to check the box.
In a similar way, Chainguard and Vanta solve basic problems people have, and are harder to not recommend than to recommend. For Vanta, it’s about making workflows and checks as simple as possible. Sure you could work with an auditor and use open source to do it all yourself, but recommending Vanta is a lot easier.
For Chainguard, it’s about solving the STIGs/CIS and vulnerability problem with container images. Finding low profile base images to use is a harder problem than you’d think, and while I’d argue for setting up either Ubuntu or RHEL yourself for developer ease of use, most people don’t want to deal with that. To make things even more complicated, by suggesting that, I open a giant can of worms about the “proper way” to build base images. All that really matters is whether the application runs or not - some applications will just work and Chainguard will be an automatic buy, others will be a nightmare and the company will probably just pass.
These problems are all Toyota kind of problems - they’re not about stopping the most sophisticated hackers in the world, they’re just about overcoming common challenges presented in security.
2. Most people don’t care about the security details
Below are some details about these tools that illustrate their shortcomings, especially from a security perspective; however, my point is that these shortcomings are easily & often overlooked when compared to the benefit you’re getting.
Before the agent response actions, Wiz didn’t stop anything malicious, and is fundamentally a work generation tool.
You’ll never hit zero vulnerabilities
Wiz only added response actions to their agent very recently; before this happened, the number of attacks it stopped was precisely 0. Your engineering team stopped the attack by doing something about the alert.
Compliance rule packs will never be that useful because your compliance team builds their own controls.
Fundamental Question: Do I want easy asset management, CSPM, and vulnerability scanning?
Vanta likewise isn’t really doing anything to stop attacks, and it doesn’t really give a granular picture of your environment, but that’s part of the charm.
The endpoint agent is a read only query of what’s on your system
Likewise, the cloud compliance is querying your infrastructure configuration for very general checks.
The out of the box experience only really works if you adopt the prescribed controls as your own
Fundamental Question: Do I want the most painless audit experience possible?
Chainguard images are just a different supply chain vulnerability, and, while it certainly reduces CVEs, it does little to make you more secure than any other distro.
There’s no package manager, but there sure are a lot of packages people end up needing.
The packages are updated from source via automated PRs for new versions - this means sometimes they’re updated faster and sometimes they’re not. Since they’re built from source, the supply chain vulnerabilities persist, but now without the maintainers in the middle.
Latest base images almost never have fixed or actually exploitable vulnerabilities in a container context, no matter the distro.
Your container vulnerability problem is actually a patch management problem, one that using Chainguard does nothing to help with. The best way to fix container vulnerabilities is nightly rebuilds and service re-deploys. If you don’t do this, using Chainguard does very little to change anything besides leaving you fewer packages to worry about getting out of date.
Most CVEs in other distros are not applicable in containerized environments because the affected packages are never executed. While Wolfi is smart and it’s an objective benefit to just remove them, the actual risk of leaving them there is usually minute - but good luck explaining that to an auditor. This video I did of Oligo is an example of how few things actually run inside a container.
Fundamental Question: Do I want to make my vulnerabilities go away?
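As an added illustration of the patch management point above (example code written for this post’s argument, not from Chainguard, Oligo or any scanner; the findings, the post-rebuild manifest and the runtime observation are all constructed, and the CVE ids are placeholders): it shows which findings a rebuild against a current base actually closes, and sorts what remains by whether the package is even loaded at runtime.

```python
"""Triage container CVE findings by two questions: does a rebuild pick up a fix,
and is the package ever loaded at runtime? Constructed data throughout."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    package: str
    cve: str                       # placeholder ids, not real CVEs
    severity: str
    fixed_version: Optional[str]   # None: the distro has shipped no fix yet


# Constructed scanner output for one image as built last week.
FINDINGS = [
    Finding("openssl", "CVE-0000-0001", "HIGH", "3.0.13"),
    Finding("libxml2", "CVE-0000-0002", "MEDIUM", None),
    Finding("perl", "CVE-0000-0003", "CRITICAL", "5.36.1"),
    Finding("curl", "CVE-0000-0004", "HIGH", "8.5.0"),
]
# Constructed package manifest of the same image rebuilt tonight on today's base.
NEW_MANIFEST = {"openssl": "3.0.13", "libxml2": "2.11.4", "perl": "5.36.0", "curl": "8.5.0"}
# Constructed runtime observation: packages whose files were loaded while serving traffic.
RUNTIME_LOADED = {"openssl", "libxml2"}


def _ver(v: str):
    """Minimal dotted-numeric version comparison; sufficient for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def after_rebuild(findings, manifest):
    """Split findings into those a rebuild closes and those it leaves open."""
    closed, still_open = [], []
    for f in findings:
        installed = manifest.get(f.package)
        if installed is None:  # package no longer in the image at all
            closed.append(f.cve)
        elif f.fixed_version and _ver(installed) >= _ver(f.fixed_version):
            closed.append(f.cve)
        else:
            still_open.append(f.cve)  # no fix shipped, or base not yet updated
    return closed, still_open


def triage(findings, loaded):
    """Bucket open findings by fix availability and runtime reachability."""
    buckets = {"rebuild_now": [], "wait_for_upstream": [], "not_reachable": []}
    for f in findings:
        if f.package not in loaded:
            buckets["not_reachable"].append(f.cve)      # dormant package: remove it, low risk
        elif f.fixed_version:
            buckets["rebuild_now"].append(f.cve)        # the nightly rebuild handles this
        else:
            buckets["wait_for_upstream"].append(f.cve)  # rebuilding changes nothing here
    return buckets
```

Running `after_rebuild` first and then `triage` on what is left shows how little of the remaining list is both reachable and fixable, which is the part an auditor conversation should focus on.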
Let’s use a hypothetical ChainGuard purchase decision as an example of how decision making happens:
I’ve found that people tend to make decisions under ideal circumstances. In other words, the pitch that resonates is “wow, that’s so much easier” rather than the more nuanced, “depending on how long the switch takes, this may or may not take less time than doing it ourselves or using a vulnerability management solution.” In other words, simplicity sticks.
Choosing a distro for your container base images is super complex, and really dependent on your environment - a great overview video is here. Security teams are usually pretty detached from these choices, and these decisions are typically guided by deciding what the easiest thing is to get working the fastest. When a pitch like ChainGuard’s comes along, it becomes “would you rather spend 6 months getting your existing infrastructure compliant, or spend maybe less than that switching over to our images for your FedRAMP environment?” When framed this way, ChainGuard comes across as an obvious purchase.
These examples are meant to show that things aren’t as easy as they might seem; however, the payoff is seen as easily worth the potential drawbacks. A few examples:
I’ve seen companies intentionally use bad scanners because they made compliance easier
The comparative success of platforms is a tacit admission that in depth point solutions are not worth the investment for larger markets
Many companies have turned off blocking builds for vulnerability detections because developer speed is more important than blocking vulnerable deployments
Again, I’m not saying these decisions are bad, just that they show security is not the primary motivator of businesses, because…
3. Risk Reduction is about more than defending attacks
Security engineers like myself tend to focus too much on risk reduction in the sense of defending against attackers: if I can stop attacks, then we have stopped risk. However, CISOs and companies have a much broader view of risk. Here are some examples:
I might see runtime Kubernetes security as stopping attacks, but CISOs see it as stopping the work of multiple teams and potentially taking down production, and as a knowledge gap for existing teams.
I might see building customized security controls for your environment as ensuring in-depth protection, but CISOs see it as grinding work to a halt as their overworked compliance team needs to spin up conversations across the company with a technical depth they don’t have.
I might see implementing your own Ubuntu images as safer and easier for developers, but CISOs see it as confusing work for other teams that makes them potentially miss their FedRAMP milestones.
Here’s the thing: we’re both right, and it’s a balance. Most security purchase decisions walk this tightrope: what’s going to give us the biggest increase in security for the minimum disruption while we meet our goals?
Based on these lessons, here is some high-level advice for companies building product:
Focus on addressing broad market needs, not segmented to specific industries or sizes of companies.
A 50% security solution that deploys & runs on auto-pilot will always sell better than a 95% security solution with a lot of drawbacks
Every early expansion into securing a new technology needs to be laser focused on easy implementation for big visibility or outcome payoffs
The onboarding experience should make users immediately aware of how the product is making their scary goals an achievable reality
You’re selling the feeling of safety more than the technical details of achieving it. Part of that is user education - many Vanta customers don’t know anything about SOC 2, ChainGuard about FedRAMP, etc.
At the end of the day, the pitch has to be, “We make it easier than the alternatives, but we also make you way more secure than them.” Not, “we’re harder to set up and use, but you get a way bigger security payoff when you do it.”
Cybersecurity product success has many layers to it. Great insights in this post!