Container security acquisitions increase as companies accelerate shift to cloud

Last week, another container security startup came off the board when Rapid7 bought Alcide for $50 million. The purchase is part of a broader trend in which larger companies are buying up cloud-native security startups at a rapid clip. But why is there so much M&A action in this space now?

Palo Alto Networks was first to the punch, grabbing Twistlock for $410 million in May 2019. VMware struck a year later, snaring Octarine. Cisco followed with PortShift in October and Red Hat snagged StackRox last month before the Rapid7 response last week.

This is partly because many companies chose to become cloud-native more quickly during the pandemic. This has created a sharper focus on security, but it would be a mistake to attribute the acquisition wave strictly to COVID-19, as companies were shifting in this direction pre-pandemic.

It’s also important to note that security startups that cover a niche like container security often reach market saturation faster than companies with broader coverage because customers often want to consolidate on a single platform, rather than dealing with a fragmented set of vendors and figuring out how to make them all work together.

Containers provide a way to deliver software by breaking down a large application into discrete pieces known as microservices. These are packaged and delivered in containers. Kubernetes provides the orchestration layer, determining when to deliver the container and when to shut it down.

This level of automation presents a security challenge: making sure the containers are configured correctly and not vulnerable to hackers. With myriad switches, this isn’t easy, and it’s made even more challenging by the ephemeral nature of the containers themselves.

Yoav Leitersdorf, managing partner at YL Ventures, an Israeli investment firm specializing in security startups, says these challenges are driving interest in container startups from large companies. “The acquisitions we are seeing now are filling gaps in the portfolio of security capabilities offered by the larger companies,” he said.

He says that it’s also about the changing nature of workloads as they shift to cloud native. “More and more workloads are migrating from legacy on-premise environments to cloud-native environments (containers, serverless, etc.). The large cloud providers are leading the migration trends, and so security vendors must address this growing segment,” Leitersdorf explained.

But Sandy Carielli, a Forrester analyst specializing in cybersecurity, says that it’s about more than these changing workloads. She said companies specializing in a single area like container security are ripe for acquisition by larger companies. In the next year, we won’t see any vendors who only do container security without being part of a broader portfolio of services, something we have seen in other parts of the security market over the years, Carielli said.

“This is a market that was ripe for consolidation. In the last couple of years, we saw a few container security specialists gain market mindshare while many others addressed more niche use cases or struggled to get their message out. Today, even the container security leaders are expanding into adjacent markets like serverless security or software composition analysis.”

Part of the reason is the unique design of containers, according to Enrique Saleem, a partner at Bain Capital who has been investing in security companies for many years. “Containers are fundamentally different in architecture and existing security solutions find that they have no visibility into what is happening within containerized environments — a prerequisite for good security,” he explained.

He says that as a result, customers typically look for newer container security-focused startups to address their challenges. Eventually the bigger companies want a piece of that market too, and choose to buy instead of building the new functionality themselves. “This is also what existing security companies are finding and hence, their push to acquire expertise rather than build container and cloud awareness into their existing products,” Saleem said.

Security in general is always a moving target, with markets shifting as requirements change. As one area consolidates, another is always opening up, leaving lots of room for security startup ecosystems to continue to grow and develop, says Shuly Galili, founding partner at investment firm UpWest.

“Cloud adoption is evolving and represents a huge market opportunity for new startups. Many traditional industries with legacy infrastructures such as healthcare and manufacturing are yet to migrate to the cloud and COVID-19 was a pivotal opportunity for them to notice the gaps they have in driving efficiency and innovation,” she said.

This in turn has created new opportunities to fill these gaps and solve the new set of problems. “As Kubernetes becomes the de-facto [cloud] operating system, the need for additional innovation and services on top of it such as streamlining deployments, AI and risk management is growing exponentially,” she said.

Leitersdorf also sees new opportunities emerging. “New cloud security threats will continue to emerge as enterprises learn how to deal with new attack vectors and vulnerabilities in cloud native environments.” As a result he sees growing markets in a variety of areas.

“An interesting angle that we’ll see more activity in is data security within cloud-native environments. New capabilities around data flow mapping and technologies such as distributed tracing will enable a new category of companies,” he said.