This is meta, but I really hate the way this post is written. It's full of the "startup cool" aesthetic, which I'm really averse to.
The main elements of the aesthetic that I can pinpoint are things like everything being a superlative ("security leaders" instead of just "people who work in security", "legendary investors" instead of just "experienced/well-known investors"), the bullet format, heavy use of buzzwords when more everyday words would do, etc.
It comes off as trying to elicit a fake "let's all get hyped up and build unicorn moonshots wooo" feeling.
IMO it’s mostly luck. Right place, right time, right connections. Look at the founders in the US, many of them are from already privileged backgrounds. True rags to riches stories like that of Jack Ma are rare.
It's got all the hallmarks of a piece written by AI. Lots of purple prose, adjectives where they add no information, bullet lists, etc. All this sits alongside banal content like "[Wiz] Use colors and designs to signal reliability in a high-stakes industry."
It may have been lightly edited & enriched by a human, but most of this article was written by an AI.
I've always understood the bullet format to simply be good for readability, e.g. as presented here https://www.nngroup.com/articles/presenting-bulleted-lists/ (though I remember learning that idea from the same site about a decade earlier)
Startup valuation is based mostly on sentiment in the current age so if you're not breathlessly hyping up your shitty product you're almost literally leaving money on the table.
for AI companies, sure. for non-AI, the microscope is brought out.
for this specific company, there is specific value to Google, that is included in the valuation. this isn't unfair at all; lots of startups are acquired for strategic value, not intrinsic value.
> Of course, in retrospect, Wiz had many key ingredients working in their favor:
> Strong, proven founding team (Adallom founders + Microsoft Cloud Security Leadership)
> Great, sticky product
> Solving deeply felt pain point(s)
> Timing (founded just as the world goes remote due to COVID-19 + cloud boom)
> Legendary investors + network effects (Sequoia Capital, Cyberstarts, Index Ventures etc.)
> Lots of early funding ($480M+ within a year of emerging from stealth)
> Relentless execution
Why is nearly half a billion in funding so far down on the list?
That’s probably the most important factor here
I'd say it is actually perfect that it is last on the list.
Capital alone won't make a business succeed, and more capital won't make a business necessarily better. A big investment is typically the result of doing everything right before that. They would have never been able to get that amount of capital without a very solid foundation.
Capital is just a small piece of a business, it's not the hardest part by far. Capital is also relatively accessible, it's not an 'unfair' thing. There seems much unfairness sentiment nowadays where people think companies with access to lots of capital are guaranteed to succeed, like some kid with rich parents. Many seem to think that all there is between them and success is money, but in reality that's rarely the case.
>There seems much unfairness sentiment nowadays where people think companies with access to lots of capital are guaranteed to succeed, like some kid with rich parents. Many seem to think that all there is between them and success is money, but in reality that's rarely the case.
Yes, rich kids tend to have better chances than poor kids. Get in any trouble, you'll have a decent lawyer. You'll attend better schools, your parents will probably buy or help you buy your first home.
Need a doctor or want to see a therapist, you can do so within 24 hours. I'd even argue therapy is largely a luxury for the middle class and up; most of the time Medicare doesn't cover it at all or you have like a year-long waiting list.
I've been evicted twice in my youth and now I've made 6 figures for a good while.
Money makes things easier. You might run into issues with your friends trying to rob you, but they'll rob you when you're poor too.
Likewise, a company with no funding is basically an idea. Might be a good idea, might be a God awful one.
> Capital is also relatively accessible, it's not an 'unfair' thing.
Hilariously out of touch, even for a hackernews comment.
Funding doesn't cause growth. If anything, funding causes Juiceros and Magic Leaps. Growth, however, can definitely cause funding and that's what happened with Wiz I think.
> Lots of early funding ($480M+ within a year of emerging from stealth )
> By May 2023, ARR reached $200M, and by February 2024, it was $350M
There is little substance about how the invested money was absorbed and how that absorption led to such an ARR. Did it pay for integrations and hand holding for each contract? Or was it used to bluntly bribe the CISOs to use their product?
Some kind of additional leverage and/or connections were certainly used.
The open dirty secret of infosec is that outside of authentication systems, the products and services sold do not actually work. Usability and real world functionality are not box-tick items in feature matrix comparison. It is enough that a security[tm] product does something technically correct to get a green tick in the relevant feature list row.
As a result the products are not commonly sold to their end users. They are sold to C-suite, and inflicted upon their victims. And how do C-suite choose what vendor to throw their money at? DDQ/RFx templates. I wish I was joking.
The other dirty secret of infosec is that everyone does their vendor/client/etc. vetting with bingo sheets full of meaningless, context-free questions that try to enumerate SYMPTOMS of different kinds of breach scenarios - they do not attempt to look at root causes, and they certainly do not consider threat models. These bingo sheet templates are used by everyone: vendor teams, insurers, auditors, you name it.
And now we finally get to how Wiz pulling connections intersects with the above. A fair number of the bingo sheet templates come with pre-populated dropdown choices. The choices usually include no more than 8 options, including "Other". The implication is very clear: "if you use one of these known & approved vendor products, then we are fine with it".
Wiz got their offering included in the bingo sheet templates in approximately 18 months from launching publicly. That has provided them with constant advertising from the countless infosec questionnaires thrown around the various industries and the implied checkmark of being pre-approved as a vendor of choice. Given the landscape and the general quality of competing vendors, your product needs to be merely not-shit to stand out and get traction through the various back channels.
Now, from personal exposure I can say that Wiz's products (or at least those I have been faced with) are still better[ß] than their competition. A recent security scan report from a client using Wiz had only ~85% false positives. The average FP rate for other vendors tends to be 95% or even higher.
ß: security products must be the only segment where vast majority of results being false positives is considered both acceptable and normal. In any other field a product that routinely gets >90% of its answers wrong would be consigned to rubbish heap.
my experience as well. better product, and a very aggressive sales team which is something you missed. they were very willing to cut any deal at all, to get the sale. win-win IMO, and exactly the VC 101 playbook.
For some reason Google's early large acquisitions were amazing, but its later large acquisitions have not been. YouTube and DoubleClick were absolutely key to Google. And Nest seems pretty critical until you notice that Google has slowly let its lead in home automation slip over the last 5 years or so - I guess a strategy shift occurred?
But HTC, Motorola, Waze, Fitbit were definitely not amazing. All sort of died within Google. I guess Waze might have been an acquisition to just keep it from competing, so it was destined to die a slow death.
I'd say the jury is out on Mandiant.
https://www.cbinsights.com/research/google-biggest-acquisiti...
I am missing something big here. How and why did they raise 480 million dollars in a year for a cloud security product? It doesn't sound like a capital intensive business to me. Is that all going to employees?
> I am missing something big here. How and why did they raise 480 million dollars in a year for a cloud security product?
I am not an expert at Wiz specifically but I understand this is a "sales-led SaaS business" rather than a "product-led SaaS business."
Sales-led SaaS companies are incredibly costly from a sales and marketing standpoint: you hire a ton of sales people, BDRs and event marketing and other types of outreach, and you fly your sales people around the place to wine and dine your customers. So you basically invest all your VC money into your sales organization and it probably takes up 65% or maybe more of your head count. The sales people also take a decent percentage of all the ACV contracts they bring in, thus even if you make a ton of sales, they are not profitable for at least the first year. This is growth at all costs.
The answer is that it was 2021 and they were in an incredibly favorable fundraising environment. It's not "what are we going to use this funding for?" It's "investors are flush with stimulus cash and leveraged to the tits from low interest rates and they're banging down our door to invest, let's take the funding"
Nope. They bought up many similar companies in the space to monopolize the niche market. Got big enough to act as bait for some fossilized big tech company.
Now that would make sense, like private equity. The Wikipedia page lists three acquisitions at 50, 350 and 450 million dollars. But none of them happened until 2023, a couple of years after they raised 450m - by that point they'd raised another 300m and were about to get another billion!
This seems to be a very marketing-heavy view of things. It would be good to know what they actually did better in security, if anything, in a substantive way, or if it was indeed all dashboards and exciting colour choices.
My favourite part of this was 10-15 calls a day with potential buyers, and they kept changing what they were offering until responses went from “that sounds cool” to “when can I get a PoC?” presumably without a line of code being written.
Having launched a couple of dead startups that started with several months of writing code first, this way definitely sounds better.
> Having launched a couple of dead startups that started with several months of writing code first, this way definitely sounds better.
This is basically what startup 101 tells you. This is what every successful entrepreneur will tell you. This is what every coach tells you. This is what every entrepreneurial book or blog will tell you.
But, this is also what every tech entrepreneur will ignore anyway.
This is one of those things that you have to experience a few times before you look back and think 'oh... they were right'. But coding is comfortable and cold calling is very scary. It's also against our nature to ask anyone what they think of your idea, because it might shatter your dream.
YC Startup school nailed this in one of their talks, the presenter opened the talk with something like "this is important advice that you will all ignore, and that's okay, my goal is to make you recognise the situation after you'll inevitably make one of these mistakes".
I'm not being a snob here. Trust me, I made this very same mistake. I ignored all the advice and poured years into building products that nobody wanted.
> This is what every entrepreneurial book or blog will tell you.
because all such books are entrepreneurial. this is the sales led approach.
there are other, very valid and successful, approaches. they aren't captured in "entrepreneurial" blogs or books.
100% agree, and of course, I absolutely knew this going in. Not building my next thing until I have something someone will start paying for before it’s even built
If the term "reconnaissance marketing" does not yet exist, it should.
This is indeed genius. I wonder if this were the same potential buyers or different 10-15 people every day.
The mystery is what happened between that phone call and the $100M ARR. The customer says "Can I get a PoC" but you don't actually have any code yet. You just hope your tech team is able to conjure whatever you were able to sell?
Yes.
Enterprise software rollouts can take months to actually get started from the point of procurement.
This happened at one startup where the sales team bid on an RFP, won, and then had to build it while finalizing the deal.
(First cut ended up being trash and crashed as soon as the customer took it global. It was replacing a paper process and had worked fine in a small scale pilot with one sub org. Customer ended up going back to paper and it took 4 years to rectify and try again)
I always feel that stories are written from the public facts. But what about the private facts, connections etc. which are never told and might be the real secret?
Saw this on HN a while ago [1], really eye-opening: https://www.calcalistech.com/ctechnews/article/b1a1jn00hc
> The first sales come from the loyal CISOs who work with the fund.
> This "loyalty program" - which encourages deepening the relationship between the CISO and a party other than his employer - is seen by many in the industry as a red line crossed by Ra'anan and Cyberstarts.
> Cyberstarts vehemently denies [...] and claims that CISOs were never remunerated for purchasing the products of the portfolio companies.
calcalistech article was interesting with a bunch of light on the industry. It is basically a no brainer to first talk to CISOs to develop a product that solves problems, but the ability to establish close relationships with those people and then convert them is “magic”. We all have a hunch what that magic ingredient is though.
That magic ingredient is the golf course. Not really kidding. That’s where the deals are made.
Such a well-tuned machine, there has to be some grease somewhere.. Otoh, there's a lot more shady things going on everywhere in business.
If anything, I'm envious that _I_ don't have access to a system like that (only half joking)
> he promises teams of fresh graduates from the technological units not only investment and support in establishing a startup but also "initial revenues of $2 million per year".
Wow this is huge. Ya I have been feeling this for a while now.
This whole product-market fit and things like that are important, but not as important as connections. The way I see a lot of deals going down is the customer will buy the product from that founder no matter what the quality is, and that is how a lot of them get high initial.
That is why a lot of VC firms exclusively focus on B2B SaaS these days.
Exactly, you don't just exit for $32B. There's definitely more to the story, which feels "manufactured" for lack of better words.
I'm honestly curious, but what do you think that is?
I'm still not entirely sure what exactly they were selling during the first year to get to that $100M ARR. Most customers expect to get quite a bit of functionality for $millions.
Don't forget having a VC who allegedly bribes CISOs to use your product!
See https://updates.techforpalestine.org/wiz-and-google-the-deal...
I have no idea what is their playbook by reading this. I have no idea what they even do, reading this.
Maybe it's not written for me.
Is CSPM real, or is this just some BS that sounds good to middle management and ticks off some 'security' checkboxes?
Well it depends on what you mean by "real" :) I'd say CSPM (like many security tools) can help if used well, but it's quite common to see it used as a blunt instrument, which does not help.
CSPM helps to apply sets of security rules across cloud resources, with the rules usually being based on external standards or custom rules per organization.
It suffers from the downsides of any rules based check system which is that it can be quite inflexible and noisy. Like many security systems it needs to be tuned to the specific environment its running in to be really useful.
What can complicate things is compliance requirements from external or internal bodies that require 100% pass rates or similar. That kind of inflexible approach often just causes needless work and people focusing on the wrong areas to achieve that externally imposed requirement.
I work in the security industry and use Wiz, and while I do despise all of the buzzword acronyms this industry has come up with, CSPMs have been one of the few tools that have actually made my life significantly easier. Due to the nature of the industry I work in, there is a lot of regulation that we need to comply with, and CSPMs (and Wiz in particular) give us both observability and alerting for all of our resources in our cloud environments, including the configuration of the cloud environments themselves. I don't know how they managed to get a $32B offer so soon after coming out of stealth, but considering the amount of problems it solves for me and my team, I can see why they're doing well financially. We're definitely happy with the pain point the product fixes.
I can now say "I know for a fact we have x number of AWS/GCP/Azure accounts that are either not using our IdP or 2A, here's a list" without having to script across multiple cloud APIs
Similarly, I can say "here's a list of people that accessed x resource in the last y days". It really makes my life easier when I want to access metrics about my company's cloud environments
Is this a difficult problem to solve? There’s only a handful of major cloud players and these questions don’t seem terribly complicated.
Or is it that it lets you answer arbitrary questions of this sort without having to figure out how to get that data?
CSPM is most valuable for large enterprises that have many cloud tenants as they can provide visibility across the entire footprint in one place.
Consider an enterprise that wants to say "list all the cloud storage buckets we own that are not in the US and are publicly readable and have a name containing 'foo'" - and they have several of each of AWS, Azure and GCP organizations because of acquisitions that aren't fully integrated yet.
Wiz answers that in ~5 seconds, with a rich query language and a bunch of prebuilt rules and detections on top of it, including for tracking compliance with various frameworks.
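The comments above describe the mechanics of a CSPM without showing them: a rule set applied over normalized cloud resources, a cross-cloud query ("public buckets outside the US with 'foo' in the name", "accounts not on our IdP or MFA"), and per-environment tuning to keep a rule-based system from being noisy. The block below is an added illustration of that shape, not Wiz's code or its query language and not any commenter's. The inventory records are constructed stand-ins; their key names only loosely resemble real cloud API output, and the "in the US" region heuristics, the rule IDs and the suppression list are this example's own assumptions.

```python
"""Toy CSPM-style rule engine: normalize a multi-cloud inventory into one schema,
apply rules to it, and let per-environment suppressions tune out known noise.

Added illustration, not Wiz's code. RAW_INVENTORY is constructed; its key names
only loosely resemble real AWS/GCP/Azure API fields.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Resource:
    provider: str   # "aws" | "gcp" | "azure"
    kind: str       # "bucket" | "account"
    rid: str        # stable identifier, also the key used for suppressions
    name: str
    attrs: dict     # normalized attributes: in_us, public, idp_managed, mfa


@dataclass
class Rule:
    rule_id: str
    kind: str
    severity: str
    description: str
    violates: Callable[[Resource], bool]   # True means the resource fails the rule


@dataclass
class Finding:
    rule_id: str
    provider: str
    rid: str
    severity: str
    suppressed: bool


# Constructed inventory (NOT real API output): buckets and accounts across three clouds.
RAW_INVENTORY = [
    ("aws", "bucket", {"Name": "foo-backups", "Region": "eu-west-1", "PublicRead": True}),
    ("aws", "bucket", {"Name": "foo-logs", "Region": "us-east-1", "PublicRead": True}),
    ("gcp", "bucket", {"name": "acme-foo-exports", "location": "ASIA-SOUTHEAST1", "allUsersRead": True}),
    ("gcp", "bucket", {"name": "internal-data", "location": "EU", "allUsersRead": False}),
    ("azure", "bucket", {"account": "acmestore", "name": "foo-public", "location": "westeurope", "publicAccess": "blob"}),
    ("azure", "bucket", {"account": "acmestore", "name": "foo-private", "location": "eastus", "publicAccess": None}),
    ("aws", "account", {"Id": "111111111111", "Name": "prod", "SsoEnabled": True, "RootMfa": True}),
    ("aws", "account", {"Id": "222222222222", "Name": "legacy-acq", "SsoEnabled": False, "RootMfa": False}),
    ("gcp", "account", {"projectId": "acme-sandbox", "workforceIdentity": False, "mfaEnforced": True}),
    ("azure", "account", {"subscriptionId": "sub-0001", "entraFederated": True, "mfaEnforced": False}),
]


def _azure_in_us(location: str) -> bool:
    # Heuristic (assumption): "eastus", "westus2", "northcentralus" ... but not "australiaeast".
    return location.rstrip("0123456789").endswith("us")


def normalize(provider: str, kind: str, rec: dict) -> Resource:
    """Map each provider's raw record onto the common schema the rules are written against."""
    if kind == "bucket" and provider == "aws":
        return Resource(provider, kind, f"arn:aws:s3:::{rec['Name']}", rec["Name"],
                        {"in_us": rec["Region"].startswith("us-"), "public": rec["PublicRead"]})
    if kind == "bucket" and provider == "gcp":
        loc = rec["location"].lower()   # GCP multi-region "US" or region "us-central1"
        return Resource(provider, kind, f"gs://{rec['name']}", rec["name"],
                        {"in_us": loc == "us" or loc.startswith("us-"), "public": rec["allUsersRead"]})
    if kind == "bucket" and provider == "azure":
        return Resource(provider, kind, f"azure://{rec['account']}/{rec['name']}", rec["name"],
                        {"in_us": _azure_in_us(rec["location"]), "public": rec["publicAccess"] is not None})
    if kind == "account" and provider == "aws":
        return Resource(provider, kind, f"aws:{rec['Id']}", rec["Name"],
                        {"idp_managed": rec["SsoEnabled"], "mfa": rec["RootMfa"]})
    if kind == "account" and provider == "gcp":
        return Resource(provider, kind, f"gcp:{rec['projectId']}", rec["projectId"],
                        {"idp_managed": rec["workforceIdentity"], "mfa": rec["mfaEnforced"]})
    if kind == "account" and provider == "azure":
        return Resource(provider, kind, f"azure:{rec['subscriptionId']}", rec["subscriptionId"],
                        {"idp_managed": rec["entraFederated"], "mfa": rec["mfaEnforced"]})
    raise ValueError(f"no normalizer for {provider}/{kind}")


# Rules are written once against the normalized schema, so one predicate covers all clouds.
RULES = [
    Rule("STORAGE-001", "bucket", "high",
         "Publicly readable storage outside the US whose name contains 'foo'",
         lambda r: r.attrs["public"] and not r.attrs["in_us"] and "foo" in r.name),
    Rule("IAM-001", "account", "high",
         "Account/project/subscription not federated to the corporate IdP",
         lambda r: not r.attrs["idp_managed"]),
    Rule("IAM-002", "account", "medium", "MFA not enforced",
         lambda r: not r.attrs["mfa"]),
]

# Environment-specific tuning: (rule_id, rid) -> reason. Without this layer a rule set
# is just noise; with it, every open finding is one the team has not already reviewed.
SUPPRESSIONS = {
    ("STORAGE-001", "arn:aws:s3:::foo-backups"): "intentional public CDN origin, reviewed by storage team",
}


def inventory() -> list:
    return [normalize(p, k, rec) for p, k, rec in RAW_INVENTORY]


def evaluate(resources, rules=RULES, suppressions=SUPPRESSIONS) -> list:
    out = []
    for rule in rules:
        for res in resources:
            if res.kind == rule.kind and rule.violates(res):
                out.append(Finding(rule.rule_id, res.provider, res.rid, rule.severity,
                                   (rule.rule_id, res.rid) in suppressions))
    return out


def summarize(findings) -> dict:
    """rule_id -> (total hits, hits still open after suppressions)."""
    summary = {}
    for f in findings:
        total, open_ = summary.get(f.rule_id, (0, 0))
        summary[f.rule_id] = (total + 1, open_ + (0 if f.suppressed else 1))
    return summary


if __name__ == "__main__":
    fs = evaluate(inventory())
    for f in fs:
        print(f"{f.rule_id:12} {f.provider:6} {f.rid:36} {'suppressed' if f.suppressed else 'OPEN'}")
    print(summarize(fs))
```

The work in a real product is almost entirely in `normalize` and in keeping `RULES` current as providers add services; the query itself is the easy part. Note that suppressions are keyed on a stable resource ID rather than a name, so a renamed or recreated bucket surfaces again instead of silently inheriting an old exception.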
Conceptually, I don't think CSPMs are answering complicated questions, however there's quite a lot of complexity (IMO) in scaling the answers consistently, and keeping up to date with all of the tests that need to be implemented.
If you think about the number of services that AWS/GCP/Azure have, adding good compliance checks across even a portion of those is quite a lot of work :)
A small example from an area I know something about is maintaining the CIS Kubernetes benchmarks (which are used by a lot of CSPM products as a source of rules).
Here you've got the different Kubernetes distributions and then each of the cloud distributions has its own CIS benchmark as the checks are different depending on the cloud in use. Then you have changes over time as different clusters run different versions of Kubernetes, so have different checks. Then you add in that the benchmarks don't release with every new version of Kubernetes, and you can end up with quite a complex matrix of checks.
This is not Wiz the smart lighting company.
And apparently it's not about them having a Google TagManager playbook either.
He forgot to mention that founders are all veterans of Unit 8200, the signals intelligence division of the Israeli military.
Someone explain to me how this works?
Big Tech acquires companies founded and run by literal foreign spies and recruits said agents into critical positions with their departments. Meanwhile their alumni buddies down the street over at proscribed companies like NSO and Candiru hack into the products and services of these very same companies and use it to target citizens (including journalists, activists, politicians, diplomats) of America and its allies? And no one thinks there is a conflict of interest or threat to national security here?
Yep, these guys have a very powerful network with access to a lot more CISO offices than you or I can get into. That network also includes a lot of the people who develop malware and exploits.
The network Assaf got from founding and selling a big cybersecurity company and then being a VP-equivalent at Microsoft for 5 years (immediately before founding Wiz) is more relevant than what he had from being an IC in the army 15 years before that.
Well the context is how they built and sold a business so unless that information is pertinent then why would he? Perhaps you can elaborate its relevance in more detail?
The post tells that the product should be explained, yet does not explain what that company does.
Looking at Wikipedia I also don't know what their products are.
What’s there to "dEcOdE"? They received a mega shit ton of seed investment, super aggressive acquisition/acquihire strategy, monopolized the market (so to speak), then gets gobbled up by big G for a $32B (G cut so many jobs to get the leverage necessary to fund this acquisition).
Could G have _competed_ in the same space without Wiz? Yes.
Could other cloud providers have done the same from a first party perspective rather than rely on a shitty third party product suite? Yes.
"Journalism" like this makes me lose faith in this industry. There's no "secret sauce". There's nothing special. It's the same old tired formula that the billionaire class has been using:
1) extract as much value from labor
2) prep company for unicorn by getting investor buddies in an investment frenzy
3) buy up other smaller companies to appear bigger
4) then wait for some fossil at big tech to take the bite and reap massive returns for the bois
This is more of a finance bro piece to be honest.
Is “they were bought because they’re Israeli intelligence” the new “Jews control the banking system”? Please update, I’m somehow missing the residuals from both :(
if you read all the previous Wiz related threads, you'd know that the elders of zion had decided to finance their world domination efforts through selling companies that start with W to Google
I’m not really sure what you’re trying say, but I would assume Waze’s valuation came from some combination of their user base, their crowdsourced data (to know where there is an object in the road, or a car stopped on the side of the street, for example), and their algorithms, which I remember finding far more accurate than anyone else’s back then.
Well, you tell me what their valuation comes from. given Google already had a maps service, acquired earlier. Perhaps the prospect of having everyone's data while they move is a nice thing to have.
Not sure why people are so offended by the citation from Wikipedia, though. It seems like a bait, but is not - is an actual quote. I didn't make up this text - it is the first paragraph. Besides to me it implies s.o. who knows how to value data made a big company crowdsourcing and also collecting data 24/7 and knew how to sell it.
Or perhaps a company doing crowdsourced navigation is a new thing in 2013? You tell me, I'm just stating the facts.
You're going to have to be more explicit for me. Can you elaborate? And are you suggesting that Wiz and Waze had a similar implied advantage? Or just the names being similar reminded you?
I really don't care about the names, but given this massive valuation and the value of the asset from a security perspective, I can see some similarities. Of course 1.2bn in 2013 is not 36bn in 2025... but it still seems (to me at least) a massive over-valuation if you consider the workforce size, or the fact this company sells nothing (explicitly at least), but only collects data.
So I guess this data was either super useful, or it was a way to take some money out from the corpo in a very convenient way. But I can tell you there are hundreds of map companies which crowdsource one way or another, and dozens if not more navigation companies, and none was similarly valued in 2013.
MapBox is valued at 1.2b in 2023, though it's much more influential than Waze for the whole GIS market (which is 0.8 in 2013 money perhaps). Carto is valued at roughly $350m, TomTom, a market leader, is at $500m in 2025, so you tell me how Waze is 1.2bn at time of acquisition in 2013, having had zero technical or other innovative contribution for geomatics or GIS or web cartography? It was created to avoid road closures in Jerusalem or Tel Aviv?
I mean - let's put this in perspective for a moment, and somebody tell me why was Waze priced at 1.2bn if not for its founders and its very useful crowdsourced data.