Jun
29
2021
--

DevOps platform JFrog acquires AI-based IoT and connected device security specialist Vdoo for $300M

JFrog, the company best known for a platform that helps developers continuously manage software delivery and updates, is making a deal to help it expand its presence and expertise in an area that has become increasingly connected to DevOps: security. The company is acquiring Vdoo, which has built an AI-based platform that can be used to detect and fix vulnerabilities in the software systems that work with and sit on IoT and connected devices. The deal — in a mix of cash and stock — is valued at approximately $300 million, JFrog confirmed to me.

Sunnyvale-based, Israeli-founded JFrog is publicly traded on Nasdaq, where it went public last September, and currently it has a market cap of $4.65 billion. Vdoo, meanwhile, had raised about $70 million from investors that include NTT, Dell, GGV and Verizon (disclaimer: Verizon owns TechCrunch), and when we covered its most recent funding round, we estimated that the valuation was somewhere between $100 million and $200 million, making this a decent return.

Shlomi Ben Haim, JFrog’s co-founder and CEO, said that his company’s turn to focusing deeper on security, and making this acquisition in particular to fill out that strategy, are a natural progression in its aim to build out an end-to-end platform for the DevOps team.

“When we started JFrog, the main challenge was to educate the market on what we saw as most important priorities when it comes to building, testing and deploying software,” he said. Then sometime around 2015-2016 he said they started to realize there was a “crack” in the system, “a crack called security.” InfoSec engineers and developers sometimes work at cross purposes, as “developers became too fast” the work they were doing has inadvertently led to a lot of security vulnerabilities.

JFrog has been building a number of tools since then to address that and to bring the collective priorities together, such as its X-ray product. And indeed, Vdoo is not JFrog’s first foray into security, but it represents a significant step deeper into the hardware and systems that are being run on software. “It’s a very important leap forward,” Ben Haim said.

For its part, Vdoo was born out of a realization as well as a challenging mission: IoT and other connected devices — a universe of some 50 billion pieces of hardware as of last year — represents a massive security headache, and not just because of the volume of devices: Each object uses and interacts with software in the cloud and so each instance represents a potential vulnerability, with zero-day vulnerabilities, CVEs, configuration and hardening issues, and standard non-compliance among some of the most common.

While connected-device security up to now has typically focused on monitoring activity on the hardware, how data is moving in and out of it, Vdoo’s approach has been to build a platform that monitors the behavior of the devices themselves on top of that, using AI to compare that behavior to identify when something is not working as it should. Interestingly, this mirrors the kind of binary analysis that JFrog provides in its DevOps platform, making the two complementary to each other.

But what’s notable is that this will give JFrog a bigger play at the edge, since part of Vdoo’s platform works on devices themselves, “micro agents” as the company has described them to me previously, to detect and repair vulnerabilities on endpoints.

While JFrog has built a lot of its own business from the ground up, it has made a number of acquisitions to bolt on technology (one example: Shippable, which it used to bring continuous integration and delivery into its DevOps platform). In this case, Netanel Davidi, the co-founder and CEO of Vdoo (who previously co-founded and sold another security startup, Cyvera, to Palo Alto Networks) said that this was a good fit because the two companies are fundamentally taking the same approaches in their work (another synergy and justification for DevOps and InfoSec being more closely knitted together too I might add).

“In terms of the fit between the companies, it’s about our approach to binaries,” Davidi said in an interview, noting that the two being on the same page with this approach was fundamental to the deal. “That’s only the way to cover the entire pipeline from the very beginning, when they go you develop something, all the way to the device or to the server or to the application or to the mobile phone. That’s the only way to truly understand the context and contextual risk.”

He also made a note not just of the tech but of the talent that is coming on with the acquisition: 100 people joining JFrog’s 800.

“If JFrog chose to build something like this themselves, they could have done it,” he said. “But the uniqueness here is that we have built the best security team, the best security researchers, the best vulnerability researchers, the best reverse engineers, which focus not only on embedded systems, and IoT, which is considered to be the hardest thing to learn and to analyze, but also in software artifacts. We are bringing this knowledge along with us.”

JFrog said that Vdoo will continue to operate as a standalone SaaS product for the time being. Updates that are made will be in aid of supporting the JFrog platform and the two aim to have a fully integrated, “holistic” product by 2022.

Along with the deal, JFrog reiterated financial guidance for the next quarter that will end June 30, 2021. It expects revenues of $47.6 million to $48.6 million, with non-GAAP operating income of $0.5 million to $1.5 million and non-GAAP EPS of $0.00 to $0.01, assuming approximately 104 million weighted average diluted shares outstanding. For Full Year 2021, revenues are expected to be $198 million to $204 million, with non-GAAP operating income between $5 million and $7 million and an approximately 3% increase in weighted average diluted shares. JFrog anticipates consolidated operating expenses to increase by approximately $9-10 million for the remainder of 2021, subject to the acquisition closing.

Jan
13
2021
--

Vdoo raises $25M more to develop its AI-based security for IoT and connected devices

It’s estimated that there were some 50 billion connected devices globally in 2020, and while that really says a lot about how far we’ve come in tech, for many it also speaks to a big issue: security vulnerabilities, with the devices themselves, plus all the components and services running on them, all potential targets for anything from malicious hackers to not-so-intentional data leaks.

Today, Israeli startup Vdoo — which has been developing AI-based services to detect and fix those kinds of vulnerabilities in IoT devices — is announcing $25 million in funding, money that it plans to use to help it better address the wider issue as it applies to all connected objects. With its initial focus on large industrial deployments, medical systems, communications infrastructure and automotive, Vdoo also is looking more deeply now at the wider network of devices that use communications chips, providing quick (as in minutes) assessments to identify and remediate or directly fix various issues: it cites zero-day vulnerabilities, CVEs, configuration and hardening issues, and standard incompliances among them.

The funding — an extension to the $32 million round that Vdoo announced in April 2019 — is coming from two investors, Israel’s Qumra Capital and Verizon Ventures (the investing arm of Verizon, which — by way of its acquisition of Aol many years ago — also owns TechCrunch).

Verizon’s interest in Vdoo is strategic and speaks to the opportunity in the market. As CEO Netanel Davidi (who co-founded the company with Uri Alter and Asaf Karas) describes it, operators like Verizon are interested because of their role as a distributer and reseller of hardware as part of their wider services play, be it for broadband access, or a telematics service or something for the connected home or connected office.

“They sell connected devices to enterprises and home users that are not made by them, yet the carriers are responsible for the security,” he said, “so the solution is to bake that into devices” to make it work more seamlessly, he said.

Verizon is not the startup’s only strategic backer. Others in the first tranche of this round included another carrier, Japan’s NTT Docomo, MS&AD Ventures (the venture arm of the global cyber insurance firm) and Dell Technology Capital, the VC arm of Dell.

The company has now raised around $70 million, and while it’s not disclosing valuation, Davidi confirmed that it has more than doubled this year.

(In April 2019, PitchBook estimated that it was just under $100 million, which would make it now at over $200 million if that figure is accurate.)

Davidi said that the decision to raise this money as an extension to the previous round rather than a new round was strategic: it gave the company the chance to raise funding more quickly, and to take more time to prepare for a bigger funding round in the near future.

And the reason for raising quickly was to address what was a quickly moving target: One of the by-products of the COVID-19 pandemic has been a dramatic shift to people working from home, buying new devices to enable that and in general using their communications networks much more heavily than before.

Connected-device security typically focuses on monitoring activity on the hardware, how data is moving in and out of it. Vdoo’s approach has been to build a platform that monitors the behavior of the devices themselves, using AI to compare that behavior to identify when something is not working as it should. 

“For any kind of vulnerability, using deep binary analysis capabilities, we try to understand the broader idea, to figure out how a similar vulnerability can emerge,” is how Davidi described the process when we talked about the first part of this round back in 2019.

Vdoo generates specific “tailor-made on-device micro-agents” to continue the detection and repair process, which Davidi likens to a modern approach to some cancer care: preventive measures such as periodic monitoring checks, followed by a “tailored immunotherapy” based on prior analysis of DNA.

Vdoo is a play on the Hebrew word that sounds like “vee-doo” and means “making sure”, and points to the basic idea of how it approaches the verification around its device monitoring. It also feels somewhat like the next step in endpoint security, which was the focus of Davidi and Alter’s previous startup, Cyvera, which was eventually acquired by Palo Alto Networks.

The focus on devices, in some ways, is a significantly more complex approach, given that it’s not just about the device, but the many components that go into them. As we have seen with Meltdown and Spectre, vulnerabilities might exist at the processor level.

And as Davidi pointed out to me this week, at times those issues aren’t even intentional but still mean data can leak out, and at worst that can be exploitable by bad actors.

“Backdoors are being built into many devices, and some are not even intentional,” he said. “It may be that the developer wanted to create a shortcut to make something else easier in the future. Some will see that as a back door, and some will not.”

The fractal-like nature of the issue is what Vdoo is digging into with its widening approach.

“Initially we wanted to serve the ecosystem of manufacturers, since they are the cause of the problem and the origin of the security issues,” he said. “We started there with Fortune 500 customers in areas like automotive and industrial and medical and telco and aviation. The idea was to make a platform that could serve and protect security stakeholders. But then we saw that this was a big unserved market.”

Indeed, Vdoo quotes figures from research firm MarketsandMarkets that forecast that the global device security market will grow to $36.6 billion by 2025 from $12.5 billion in 2020.

“The number of connected IoT devices is rapidly growing, creating greater opportunities for security breaches,” said Boaz Dinte, managing partner of Qumra Capital, in a statement. “Vdoo’s unique device-centric, deep technology automated approach has already brought immediate value to vendors in a very short period of time. We believe the market opportunity is huge, and with newly infused growth capital, Vdoo is well-positioned to become the leading global player for securing connected devices.”

“With the expansion of 5G networks and mobile edge compute, there’s a need for an end-to-end, device-centric security approach to IoT,” added Verizon Ventures MD Tammy Mahn in a statement. “As the venture arm of a leading telco, Verizon Ventures is proud to invest in Vdoo and its world-class team on their journey to solve this global need, while ushering in a new era of security by design in our increasingly connected world.”

Powered by WordPress | Theme: Aeros 2.0 by TheBuckmaker.com