ESW #286 – Ragnar Sigurdsson, Roey Yaacovi

Unicorns gone wild - do we really think Wiz has hit $100M in 18 months??? Let's dive in. The Timeline: the company was founded in Jan 2020, so it wasn't zero lines of code to 100M in 18 months - they've existed for 32 months now, so it's likely the first line of code was written LONG before they started generating revenue (which is where the clock begins for the 18 month figure) Their Past: These same founders built, grew and sold Adallom to Microsoft for $320M in ~3 years on $49.5M of funding. That was long before funding rounds and valuations went crazy. Public indicators: They're private, so they could say anything, but I've generally found the amount of funding and employee count on LinkedIn to be decent indicators of growth and size. I can't recall a case where I saw these factors off by an order of magnitude or anything like that in the ~10 years I've been using them to estimate size and growth. They raised $600M in 22 months. That's bonkers and would certainly enable them to pull off some crazy growth (as much as money alone can, I guess?!?) They've got ~500 employees on LinkedIn and nearly doubled their employees in the last 6 months. I don't even know how you do that, but when you do the revenue per employee math, it comes out a bit low, if anything, based on what I'm used to seeing for security startups ($200k per employee) In conclusion, I wouldn't be surprised to hear that this $100M took some creative work and squinting to produce, but hell - they've got experience building and growing fast and the rest of the numbers are equally crazy but back up the claim, so maybe they really are at $100M? ¯_(ツ)_/¯ If we knew net new ARR and burn, we could REALLY form an opinion though. Is this a PR stunt? Absolutely - why else share private revenue numbers? There are some interesting startup growth metrics out there, and one we can calculate with the info they've given us is Dave Kellogg's Hype Factor Capital Raised / ARR = Hype Factor $600M / $100M = 6 Kellogg suggests the following scale: A hype factor of 1-2 is target A hype factor of 2-3 is good, particularly well before an IPO A hype factor of 3-5 is not good, too much hype and too little ARR A hype factor of 5+ suggests there is very little “there there” at all. Dave’s take is that some hype can be good, as it creates a halo effect that can help increase ARR (e.g. ”they’ve raised a ton of capital, must be worth checking out!”) But too much (5+) might be a negative indicator

Hands on training that demystifies Zero Trust? Yes please!

Free attack mapping tool, very cool!

https://seraphicsecurity.com/seraphic-data-sheet/

DLP 2.0

Hard to attack your target directly? Go after their third parties!

Hard to attack your target directly? Go after their third parties!

From the desk of Cory Doctorow "This weekend, I watched a hacker jailbreak a John Deere tractor live on stage"

Reads a lot like a puff piece to me - one tiny exit does not translate into "cornering the market", even a niche one.

From Jerry Gamblin on Twitter: "The House passed a defense spending bill saying you can't sell software to the DoD that has *any* known CVEs in it."

Catalin Cimpanu on Twitter: "Snyk finds 12 Python libraries that steal Discord and Roblox credentials and payment info"

Roll your own DLP for GDrive/Google Workspace!

DIY AWS honeypots and decoys!

Al Sutton on Twitter: "If you are wondering if the stuff about Twitter security being lapse is just one person complaining, you might be interested to know that, 18 months after being let go from the company, I've not been removed from their employees GitHub commiters group."

What about collateral damage from state-sponsored attacks, like NotPetya?