Palo Alto Networks to Buy Startup Cider Security for $250MPalo Alto's First Big M&A Since Early 2021 Will Help Secure Engineering Processes
Update - Nov. 18, 2022: This story has been updated with information and quotes from regulatory filings, Palo Alto Networks' earnings conference call and the press release announcing the acquisition.
Palo Alto Networks will make its first major acquisition in nearly two years, scooping up application security startup Cider Security for $250 million.
The Silicon Valley-based platform security behemoth will fork over $194.6 million of cash as well as $55.4 million of replacement equity awards for Tel Aviv-based Cider Security, a 100-person firm that secures engineering processes and systems from code to deployment. The cash portion was disclosed in Thursday's deal announcement, while the value of the equity was revealed in regulatory filings Friday (see: Why Palo Alto Networks Now Wants Cider Security, Not Apiiro).
"Any organization using public cloud has an application infrastructure with hundreds of tools and applications that can access their code and yet, they have limited visibility to their configuration." Palo Alto Networks Chief Product Officer Lee Klarich says in a statement. "Cider has made it possible to connect into infrastructure, analyze the tools, and identity the risks, as well as how to remediate them."
News of the acquisition was initially reported by Calcalist, who said the deal would include $200 million in cash and $100 million of Palo Alto Networks stock. A source told TechCrunch the equity part might be disclosed later in order to not alarm the market.
The company's stock is up $13.74 - 8.78% - to $170.30 per share in trading midday Friday, which is the highest Palo Alto Networks' stock has traded since Nov. 1. The Cider acquisition is expected to close by Jan. 31, 2023, and isn't expected to have a material impact on Palo Alto Networks' financials, according to the company.
Calcalist first reported last month that Palo Alto Networks had abandoned negotiations to buy code risk platform provider Apiiro for $600 million in favor of a $200 million purchase of Cider Security. Apiiro instead opted for a $100 million Series B funding round led by General Catalyst to strengthen its ability to analyze code and developer activities across the software supply chain.
Who Is Cider Security?
Cider Security was founded in December 2020 and emerged from stealth in March 2022 with a $38 million Series A funding round led by Tiger Global Management. The company helps optimize an organization's CI/CD security based on a set of prioritized risks and recommendations tailored to its environment. Cider customers include security firm Perception Point and insurance vendor Lemonade.
The company is led by its co-founder Guy Fletcher, who previously spent three years spearheading the security and privacy program at mobile attribution and analytics vendor AppsFlyer. Co-founder and CTO Daniel Krivelevich previously spent four years at cyber consulting and IR vendor Sygnia, where he led the application and cloud security teams. The two met in late 2014 at conversational AI vendor LivePerson.
"We designed an AppSec platform that allows engineering to continue to move fast, without making compromises on security," Cider Security CEO Fletcher says in a statement. "By scanning and securing your CI/CD pipeline, we can help identify where they may be vulnerabilities in your code. Prisma Cloud will now be the ultimate solution for code to cloud security."
Since emerging from stealth, Cider Security has brought in Snir Ben Shimol - who built Varonis' security practice from the ground up - to serve as chief strategy officer and ShiftLeft sales leader Carl Elsinger to serve a similar role at Cider, where he'll focus on growing the company's global sales operations and serving new enterprise customers. Cider's platform debuted last month on the AWS Marketplace.
Where Does Cider Fit Within Palo Alto?
Cider Security plays in a similar space as Bridgecrew, which Palo Alto Networks bought for $156 million in February 2021 in the company's last significant acquisition. Bridgecrew focuses on giving developers and DevOps teams a systematic way to enforce infrastructure security standards throughout the development life cycle. Today, 65% of Palo Alto's customers use Bridgecrew, CEO Nikesh Arora says.
The company's technology today operates within the Palo Alto Networks Prisma Cloud portfolio, and the firm's open-source Checkov tool powers Prisma Cloud's infrastructure-as-code security product. Similarly, Cider Security assesses the posture of a firm's engineering systems and processes to see how it would fare in realistic attack scenarios and identify controls needed to reduce its CI/CD attack surface.
Cider will follow in Bridgecrew's footsteps and become part of Palo Alto's fast-growing Prisma Cloud practice, which secures hybrid and multi-cloud environments across the development life cycle from code to runtime. Palo Alto Networks is the fourth-largest player in the fragmented cloud workload security market, notching 5.8% market share in 2021, up slightly from 5.6% a year earlier, IDC found.
"We're beginning to see more and more seriousness on cloud security from our customers," Arora told investors Thursday. "I highlighted a customer which has four public clouds deployed. They can't secure it with four different native cloud CSP platforms."
Buying Cider will further Prisma Cloud's mission by unifying cloud and application security with a unique approach that cannot be achieved by point solutions, Palo Alto Networks says. Bringing Cider and the company's recently announced software composition analysis capabilities together means Palo Alto Networks will be able to provide comprehensive supply chain security as part of Prisma Cloud.
"Customers have some legacy tech vendors in place, which they're deploying, and they're trying to use that to take care of supply chain security," Arora says. "Some of that is older architectures, older ways of doing things. But we decided we want to do it differently."
While much attention in recent years has been focused on where code comes from, Palo Alto Networks says very little attention has been paid to the actual applications and software used in the development pipeline. The average CI/CD pipeline can have hundreds of developer tools connected to it, which Palo Alto Networks says poses an enormous security risk.
"Anyone who is developing and deploying applications in the public cloud - which today is basically everybody - has a supply chain risk that they're dealing with," Klarich told investors Thursday. "That supply chain risk can come in the form of open-source software that they're building into their applications."
Will Palo Alto Return to Its M&A-Heavy Ways?
Palo Alto Networks has been on a 20-month dry spell when it comes to major acquisitions, dating back to the company's buy of Bridgecrew. That's a far cry from early 2018 to early 2021, when Palo Alto spent $3.46 billion on 12 deals during Nikesh Arora's first few years as CEO. Palo Alto bought everything from attack surface management vendor Expanse to SOAR firm Demisto and SD-WAN player CloudGenix.
Arora told investors in August 2021 and reiterated this August that Palo Alto Networks doesn't plan to pursue any major acquisitions since the company already has a product in virtually every category where it wishes to play.
"The public market has rationalized; the private markets probably haven't yet," Arora told investors Aug. 22. "It's a bit like real estate, and people remember what the neighbor's house sold at and kind of forget what their house is worth. So until people realize the true value of their house, it's going to be a while longer before acquisitions come into the security market again."