3rd Party Risk Management
Palo Alto Networks’ 19-Month Acquisition Dry Spell Soon to Be Over, Calcalist Says
Palo Alto Networks has been in a 19-month dry spell when it comes to major acquisitions, but it looks like that’s about to change.
See Also: C-Suite Round-up: Connecting the Dots Between OT and Identity
The Silicon Valley-based platform security behemoth went on an acquisition tear that began just before Nikesh Arora joined as CEO in 2018 and accelerated in the years to follow, spending $3.46 billion on 12 deals over less than three years. The company opened its checkbook for everything from attack surface management vendor Expanse to analytics and automation firm Demisto and SD-WAN player CloudGenix (see: Nikesh Arora on the Palo Alto Networks Growth Strategy).
But Palo Alto Networks’ M&A bonanza stopped just as quickly as it started. The company has stood pat since purchasing cloud security startup Bridgecrew for $156 million in February 2021, with Arora telling investors in August 2021 that he didn’t plan to pursue any large acquisitions since the company already had a product in virtually every category where it wished to play. He reiterated that point this August.
“The public market has rationalized; the private markets probably haven’t yet,” Arora told investors Aug. 22. “It’s a bit like real estate, and people remember what the neighbor’s house sold at and kind of forget what their house is worth. So until people realize the true value of their house, it’s going to be a little longer before acquisitions come into the security market again.”
Singing a Different Tune
Less than a month later, Arora appears to be singing a different tune. Israeli business publication Calcalist reported Monday that Palo Alto Networks is closing in on a deal to buy New York-based code risk platform provider Apiiro for around $600 million. Apiiro emerged from stealth in October 2020 with $35 million of funding and won the RSA Conference’s prestigious Innovation Sandbox Contest in May 2021.
Today, Apiiro employs 91 people and has eight products addressing everything from application and cloud security to software supply chain security, according to LinkedIn. Palo Alto Networks declined to comment on the Calcalist report, while Apiiro didn’t immediately respond to an Information Security Media Group request for comment.
Apiiro is co-founded and led by Idan Plotnik, who previously established and sold user and entity behavior analytics pioneer Aorato to Microsoft and led the software giant’s advanced threat analytics practice for 2.5 years. Co-founder and CTO Yonatan Eldar worked alongside Plotnik at Aorato and Microsoft, serving as a software engineering manager at the Seattle-area company for nearly 4.5 years.
Where does Apiiro fit into Palo Alto Networks product portfolio? And does this acquisition signal a return to Palo Alto Networks’ trigger-happy M&A strategy? Is this a deviation from a business plan oriented around organic growth?
Another Tool in the Prisma Cloud Toolbox
Bridgecrew plays in a similar space to Apiiro, given the former company’s focus on giving developers and DevOps teams a systematic way to enforce infrastructure security standards throughout the development life cycle. The Bridgecrew technology today lives within the Palo Alto Networks Prisma Cloud portfolio, with the firm’s open-source Checkov tool powering Prisma Cloud’s infrastructure-as-code security product.
Similarly, Apiiro focuses on proactively fixing critical risks in applications across the software supply chain before they’re released to the cloud. The company says its technology performs continuous risk assessment of an organization’s software supply chain, discovering every API, service, sensitive data and artifact, as well as secrets, infrastructure-as-code misconfigurations, architecture drifts, and API and open-source software vulnerabilities.
Buying Apiiro would put Palo Alto Networks at the center of the conversation around the software bill of materials. Apiiro’s risk assessment product allows customers to build an accurate application inventory, map the application attack surface and assess risk across each step of their software supply chain. This would allow customers to automate their responses to time-consuming risk assessment questionnaires.
Apiiro would likely follow in Bridgecrew’s footsteps and become part of Palo Alto’s fast-growing Prisma Cloud practice, which secures hybrid and multi-cloud environments across the full development life cycle from code to runtime. Palo Alto Networks is the fourth-largest player in the highly fragmented cloud workload security market, notching 5.8% market share in 2021, up slightly from 5.6% a year earlier, IDC found.
As for Palo Alto Networks’ M&A strategy, don’t count on a return to Arora’s first few years as CEO. Arora reiterated in August that it’s harder to do acquisitions now since Palo Alto Networks needs to ensure both that potential suitors don’t overlap with what the company is already doing today and that the deal doesn’t bring the company into a market such as identity or email, where it isn’t interested in playing.
“We are not in the mindset of acquiring large deals. We’re in the mindset of looking for great product teams that we can complementarily attach to our capabilities. So we keep scanning the market and if something shows up, we’ll do it,” Arora said last month. “[But] we’re not jumping at the bit right now.”