‘Mass demand’ is building for cloud-native security, Aqua CEO says

Enterprises are poised to accelerate their adoption of security for cloud-native technologies starting this year, with many companies now placing a higher priority on modernizing their applications and embedding security during development, Aqua Security cofounder and CEO Dror Davidoff told VentureBeat.

When it comes to securing cloud-native technologies such as containers and microservices, there is now “a clear realization in the market that [companies’] existing security solutions do not apply for this new stack,” Davidoff said in an interview.

“I think the education part is very much done. Everyone gets it,” he said. “It’s now a matter of organizations actually adopting and moving.”

Aqua Security offers a cloud-native application protection platform that spans the app development lifecycle, with capabilities for securing the build, infrastructure, and workload/runtime. The company acquired a startup in December, Argon, that will add a solution for securing the software supply chain to the platform, as well.

Aqua’s various modules are offered individually, but are also integrated in order to “connect the dots” and provide a full security picture for a customer’s cloud-native stack, Davidoff said.

Based on what the company has seen around exploration of cloud-native security in its customer base, “many organizations that have toyed with the idea and did it on a very small scale, have now gained the confidence to go on a broad scale or much bigger scale,” Davidoff said.

“We have Fortune 100 companies—very large-scale—that are going all-in. They have plans that within three to five years, everything will be in the cloud. Everything will be cloud-native and modernized. And then there are other organizations that take a much slower pace, but they have the same understanding that this is the direction,” he said. “So, yes, we definitely saw in ’21 that there was a turning point. And I think in ’22 and ’23, we will see mass demand for these solutions.”

The Ramat Gan, Israel-based company was founded by Davidoff and chief technology officer Amir Jerbi in 2015 — at a time when “containers and serverless technologies were just emerging,” Aqua notes on its website.

Last March, Aqua raised $135 million in series E funding, led by ION Crossover Partners, at a $1 billion valuation. The company expects to double its revenue in 2022, Davidoff said.

“I think there is a potential for hyper growth,” he said. “At our scale, to double is a great challenge.”

What follows is an edited portion of the interview with Davidoff.

What was 2021 about for Aqua Security, and what do you see as the key themes for 2022?

For us, the main theme of the past year, or even the past 18 months, was really the transition that the market is seeing from [relying on] multiple point solutions. Organizations, CISOs, practitioners, they all understand that you can’t keep slicing cloud-native security into many, many point solutions. You have to frame it differently. And we’ve been thinking this way for quite some time. We’ve pretty much pioneered [the idea of] looking at the full lifecycle of the cloud-native application—really connecting the dots and looking at it as one thing. I think this notion is finally being adopted by the market.

What are the signs that you see of this?

We see more and more that CISOs are understanding, No. 1, that the number of vendors that they have to deal with is overwhelming. But also, when you buy those disparate solutions, then there’s a huge overload on the organization to put it all together.

For us, it’s much more than that. We actually see an opportunity to do security better by connecting the dots. If we identify a vulnerability in the build stage, we can then put a policy that if anyone tried to exploit the vulnerability in runtime, we will be able to protect [the customer]. So, connecting the dots. If we set a certain threshold as an organization for not allowing a certain vulnerability in the organization, we can now monitor that in multiple control points—in the build stage, in the Kubernetes staging, in the runtime.

What are the benefits of this for customers?

[It’s about creating] a much more consistent security posture for your cloud environment as a whole and the application itself. I think this is a huge vision. The big theme of last year was the fact that it’s turning into a reality. Looking forward, I’m sure we will see a lot of consolidation. Because the demand from the market is for more complete solutions, we will see a lot of consolidation. The different vendors will try to expand and complete their offering.

And Aqua, of course, is in a very strong place from that perspective. We already have a platform with the most comprehensive coverage. And we just announced a very important acquisition, of Argon, that further extended the scope of our platform. So right now, I can say very comfortably that we’re the one that’s really looking at the complete lifecycle—from your software supply chain all the way to your production, and having all the [solutions] along the way. So, this is something that started last year, and this is the year where it’s going to happen. We will see CISOs really reframing the problem. Rather than having five different RFPs, they will go for one RFP [that says] “this is the problem I need to solve: the cloud-native application.”

Do you think it’s likely that you’ll make an acquisition in 2022?

I think there are good chances. We’re in a position that we are actively looking for the next thing for us.

[The Argon acquisition] was very big and strategic for us. I’m sure there will be more. And again, Aqua is already in a place that we have the platform. We have that advantage. So we can now, relatively easily, add the components that we want. A lot of it we do organically–but there are certainly opportunities to do non-organic additions to the platform.

What are the other vendors that you see as the major consolidators in this cloud-native security market?

Palo [Alto Networks] has shown a great appetite. They’ve done a series of acquisitions for their Prisma cloud. I think we’ll see more of that. And I’m sure we’ll see many more [beyond Palo Alto Networks]. There’s a lot of money funneling into this market. And some of that would go into acquisitions.

In terms of your platform, are there any challenges that come from this approach, rather than being focused on one specific area within cloud security?

We’re not forcing a customer to take the full platform. The platform is the vision—that this is where we want to take our customer by the end. With the addition of the Argon solution, we have four modules that our customers can buy independently. They don’t have to buy the full platform. They can decide, I want to start with supply chain. I want to start with securing my build phase. I want to start with securing my infrastructure, or with securing my workloads. There are four modules right now in our offering. And each one of them is also an independent offering.

But we’re investing very heavily to not only put them on one platform, but also create a lot of complementary value between the different modules—and really turn it into one solution. Which, I think, is where everyone will get to. Now, it depends on the maturity level, depends on the skill set, depends on the capacity of the enterprise to say, “OK, this is what we need to do.” Like I said, it’s something very new in this market. But when we think about the platform, this is where we want to take our customers. Even if they decide to buy one subset of the capabilities that we have, for them, it’s very important to understand what their roadmap is—and how they can grow their security posture and improve their security posture by using more and more Aqua offerings.

Security is always a journey. There are always more and more layers of defense. Securing something that is very new, like cloud-native, is even more so—because you’re constantly learning, evolving, using new services in the cloud, implementing new processes. And then there are more and more new security requirements, which we try to help enterprises to address.

Are a lot of your customers using more than one module at this point?

We have a very healthy percentage of our customers using more than one module. We still have a relatively small percentage using the full range of capabilities. Like I said, this is a very advanced concept to deploy. But yes, it’s something that we certainly see. And like I said, there is complementary value between the different components, and I think eventually the entire market will get to that.

For customers that are using all four modules, how does that increase their security in a way they wouldn’t be able to do otherwise?

The beauty of the cloud is that it connects the dots. Everything sits on one pipeline, the CI/CD pipeline. With the application lifecycle, there are continuous updates and new software that is being pushed into the application. So, imagine you scan for malware and vulnerabilities in the build stage. And everything’s good. But now, you want to make sure that as this piece of code is being pushed out, no one is tampering.

So there’s “day one” security—hygiene cleaning, inventory, understanding what you have out there, seeing if there are any vulnerabilities that you need to fix. That’s day one. Day two and day three, you want to start to implement more advanced control—runtime control, risk prevention. Once you sign something, you don’t let anyone tamper with it. So if any little thing changes, you immediately can identify it and block it. These are the more advanced controls. But it’s an evolution. It’s like the Maslow pyramid of needs. There are some basic things that you have to start on day one. And then as you evolve, you add more and more layers and more advanced controls. So security posture is an ever-evolving thing. By the way, the bad guys are ever-evolving, too.

At this point, how mainstream is it to be thinking about security at the early stages in the application development lifecycle?

What we saw in 2021 was certainly a turning point in the market. It moved from the early adopters into the mainstream market. Almost any organization is interested. We see two dimensions of growth. No. 1, there are many more enterprises where it’s now becoming a priority for them. But No. 2, many organizations that have toyed with the idea and did it on a very small scale, have now gained the confidence to go on a broad scale or much bigger scale.

Now, everyone understands that they have to move to the cloud. And everyone also understands that in their move to the cloud, there is an opportunity to modernize their applications and move into a cloud-native stack. Maybe there is a longer nurturing process for some organizations, but everyone understands that this is the direction.

And then, I think there is also a clear realization in the market that their existing security solutions do not apply for this new stack—for the cloud-native stack. And they have to look for new security tools, processes, measurements—because it’s a new world. So I think the education part is very much done. Everyone gets it. It’s now a matter of organizations actually adopting and moving. And each organization does it at its own pace. We have Fortune 100 companies—very large-scale—that are going all-in. They have plans that within three to five years, everything will be in the cloud. Everything will be cloud-native and modernized. And then there are other organizations that take a much slower pace, but they have the same understanding that this is the direction. So, yes, we definitely saw in ’21 that there was a turning point. And I think in ’22 and ’23, we will see mass demand for these solutions.

So you’re basing that on what you’ve been seeing among your customers?

We’ve doubled our installed base. We have 30 Fortune 100 customers and more than a quarter of the Fortune 500. Half of the top 20 banks in the world are our customers. And then there are hundreds of smaller enterprises. We see a shift in the market, shift in adoption. And we also see a shift in the scale of the projects that are being deployed into Kubernetes, into cloud-native. And I can very comfortably say that we are securing the largest Kubernetes deployments out there.

Would you say you were earlier on Kubernetes security than others?

Absolutely. Docker, Kubernetes, [AWS] Lambda, all these modern cloud-native technologies—this is our bread and butter. This is where we started. When we started, it was Docker. And then we evolved into Lambda, and then we evolved into Kubernetes. Now, like I said before, we don’t think about it anymore in small pieces—we think about cloud-native as a whole and the full lifecycle of the application. Obviously, Kubernetes is an important component of that. And Docker is an important component of that. But there are many other important components in there.

[On container security] we were the first one from a security perspective. From a security perspective, we were the first one that said, containers are going to be huge and containers will need a dedicated security solution. And we were very right.

That gives us a lot of advantages—certainly in the runtime, because we gained a lot of experience growing with our customers. In the early days, those used to be deployments of dozens or maybe a few hundred containers. Now we’re securing deployments of millions of containers. So the scale, understanding the needs and the security threats, improving our control, improving the deployment mechanism—there is a lot of experience that we can build into our product. And it’s a continuous effort with our customers, to really understand what’s the next thing for them and how we can help them do that in a secure way.

What kind of growth are you aiming for in 2022?

Doubling again—that’s the pace. We’re growing at a very high pace, and we think the market is there for us. So I think there is a potential for hyper growth. At our scale, to double is a great challenge.

The other thing is this new expansion of how we can help our customers. The acquisition of Argon is a great example. We scan for malware and vulnerabilities at the build stage, but there is an earlier stage—the supply chain—where these pieces of code are coming from. With Argon, they’re a young company, and this whole problem of securing the supply chain is very, very new. Aqua was the first one to make such a move to integrate the supply chain with the entire cycle. So again, using the same philosophy that everything has to be integrated, I think we will see great demand for that solution. And I think that it will also help us to keep differentiating from the other players.