Update – Nov. 17, 2022: This story has been updated with information and quotes from the press release announcing the acquisition.
Palo Alto Networks will make its first major acquisition in nearly two years, scooping up application security startup Cider Security for at least $195 million.
The Silicon Valley-based platform security behemoth will fork over $195 million of cash as well as replacement equity awards for Tel Aviv-based Cider Security, a 100-person firm that secures engineering processes and systems from code to deployment. The value of the equity awards will be disclosed in an upcoming regulatory filing with the U.S. Securities and Exchange Commission, the company says (see: Why Palo Alto Networks Now Wants Cider Security, Not Apiiro).
“Any organization using public cloud has an application infrastructure with hundreds of tools and applications that can access their code, and yet they have limited visibility to their configuration,” Palo Alto Networks Chief Product Officer Lee Klarich says in a statement. “Cider has made it possible to connect into infrastructure, analyze the tools, and identity the risks, as well as how to remediate them.”
News of the acquisition was initially reported by Calcalist, which said the deal would include $200 million in cash and $100 million of Palo Alto Networks stock. Similarly, a source told TechCrunch that the $100 million share part might be disclosed later in order to not alarm the market.
The company’s stock was down $2.53 – 1.59% – to $156.56 per share in trading Thursday afternoon. The Cider acquisition is expected to close by Jan. 31, 2023, and isn’t expected to have a material impact on Palo Alto Networks’ financials, according to the company.
Calcalist first reported last month that Palo Alto Networks had abandoned negotiations to buy code risk platform provider Apiiro for $600 million in favor of a $200 million purchase of Cider Security. Apiiro instead opted for a $100 million Series B funding round led by General Catalyst to strengthen its ability to analyze code and developer activities across the software supply chain.
Who Is Cider Security?
Cider Security was founded in December 2020 and emerged from stealth in March 2022 with a $38 million Series A funding round led by Tiger Global Management. The company helps optimize an organization’s CI/CD security based on a set of prioritized risks and recommendations tailored to its environment. Cider customers include security firm Perception Point and insurance vendor Lemonade.
The company is led by its co-founder Guy Fletcher, who previously spent three years spearheading the security and privacy program at mobile attribution and analytics vendor AppsFlyer. Co-founder and CTO Daniel Krivelevich previously spent four years at cyber consulting and IR vendor Sygnia, where he led the application and cloud security teams. The two met in late 2014 at conversational AI vendor LivePerson.
“We designed an AppSec platform that allows engineering to continue to move fast, without making compromises on security,” Cider Security CEO Guy Fletcher says in a statement. “By scanning and securing your CI/CD pipeline, we can help identify where there may be vulnerabilities in your code. Prisma Cloud will now be the ultimate solution for code to cloud security.”
Since emerging from stealth, Cider Security has brought in Snir Ben Shimol, who built Varonis’ security practice from the ground up, to serve as chief strategy officer and former ShiftLeft sales leader Carl Elsinger to serve in a similar role at Cider, where he’ll focus on growing the company’s global sales operations and serving new enterprise customers. Cider’s platform debuted last month on the AWS Marketplace.
Where Does Cider Fit Within Palo Alto?
Cider Security plays in a similar space as Bridgecrew, which Palo Alto Networks bought for $156 million in February 2021 in the company’s last significant acquisition. Bridgecrew focuses on giving developers and DevOps teams a systematic way to enforce infrastructure security standards throughout the development life cycle.
The company’s technology today operates within the Palo Alto Networks Prisma Cloud portfolio, and the firm’s open-source Checkov tool powers Prisma Cloud’s infrastructure-as-code security product. Similarly, Cider Security assesses the posture of a firm’s engineering systems and processes to see how it would fare in realistic attack scenarios and identify the controls needed to reduce its CI/CD attack surface.
Cider will follow in Bridgecrew’s footsteps and become part of Palo Alto’s fast-growing Prisma Cloud practice, which secures hybrid and multi-cloud environments across the development life cycle from code to runtime. Palo Alto Networks is the fourth-largest player in the fragmented cloud workload security market, notching 5.8% market share in 2021, up slightly from 5.6% a year earlier, IDC found.
Buying Cider will further Prisma Cloud’s mission by unifying cloud and application security with a unique approach that cannot be achieved by point solutions, Palo Alto Networks says. Bringing Cider and the company’s recently announced software composition analysis capabilities together means Palo Alto Networks will be able to provide comprehensive supply chain security as part of Prisma Cloud.
While much attention in recent years has been focused on where code comes from, Palo Alto Networks says very little attention has been paid to the actual applications and software used in the development pipeline. The average CI/CD pipeline can have hundreds of developer tools connected to it, which Palo Alto Networks says poses an enormous security risk.
Will Palo Alto Return to Its M&A-Heavy Ways?
Palo Alto Networks has been on a 20-month dry spell when it comes to major acquisitions, dating back to the company’s buy of Bridgecrew. That’s a far cry from early 2018 to early 2021, when Palo Alto spent $3.46 billion on 12 deals during Nikesh Arora’s first few years as CEO. Palo Alto bought everything from attack surface management vendor Expanse to SOAR firm Demisto and SD-WAN player CloudGenix.
Arora told investors in August 2021 and reiterated this August that Palo Alto Networks doesn’t plan to pursue any major acquisitions since the company already has a product in virtually every category where it wishes to play.
“The public market has rationalized; the private markets probably haven’t yet,” Arora told investors Aug. 22. “It’s a bit like real estate, and people remember what the neighbor’s house sold at and kind of forget what their house is worth. So until people realize the true value of their house, it’s going to be a while longer before acquisitions come into the security market again.”