Security has a data problem. That’s according to Kfir Tishbi, who led the engineering team at Datorama, a marketing analytics company that was acquired by Salesforce in 2018. Tishbi — who spent time at CitiBank and digital entertainment startup Playtika before joining Datorama — says he often worked with security teams that had to juggle dozens of different tools, each with their own taxonomies and outputs, in order to get projects finished on time.
“The amount of data points getting generated is immense. Instead of making sense of it, more tools are being created and are generating even more data,” Raanan Raz, a former colleague of Tishbi’s, told TechCrunch in an email interview. “It’s a vicious cycle. We want to make sure that decisions and actions are data-driven and not based on half-truths.”
Setting out to solve the problem, Tishbi and Raz co-founded Avalor, a platform that acts as a source of truth for cybersecurity assets, controls, identities, vulnerabilities, bugs and other data points. Avalor allows security teams to aggregate, normalize, de-duplicate and track risk data from discovery to remediation — at least the way Raz pitches it.
Investors appear to be bullish on the idea. Avalor today announced that it raised $25 million in a Series A funding round led by TCV with participation from Salesforce Ventures, bringing its total raised to $30 million inclusive of a $5 million seed round led by Cyberstarts last year. Raz says that the new cash will be put toward expanding operations in the U.S. and Israel, in particular growing Avalor’s R&D, product, sales, marking and customer success teams.
“Our platform can cover the entire enterprise data surface, so both security teams and their internal partners like CTOs, engineering and IT can benefit from its benefits, including real-time transparency into data sources with labeling and lineage,” Raz, who serves as CEO, said. “We also overlay business context on the security data, meaning organizations can eliminate the noise of security scanners and prioritize vulnerabilities based on their specific business.”
Them’s fighting words considering the wide range of startups out there tackling the same problem. Securiti, a cybersecurity firm backed by hundreds of millions in venture capital, recently launched a “data security cloud,” which aims to provide a layer of data protection and transparency wherever data lives. A more direct competitor is Dig Security, which builds tools to address outstanding observability issues in security.
What sets Avalor apart, Raz asserts, is three things, mainly. The first is the ability to handle data from virtually any source in any format. The second are vulnerability risk management and prioritization tools. As for the third, it’s scalability — Raz claims that Avalor can handle up to “zettabyte-sized” data volumes. (That’s a trillion gigabytes.)
“We’re building a security data lake that’s not ‘garbage in, garbage out,’ so that the data layer can be used for multiple use cases, like vulnerability management,” Raz said. “Some of these use cases share competitors who build only for a single application. Our data fabric architecture allows us to scale an integrated solution across the security team and their business partners so they have a single source of truth from their data.”
As time goes on, the plan is to allow third-party security vendors to build apps for specific use cases on top of Avalor. In this way, Raz sees the platform more as a unified database powering various modules and software rather than an all-in-one, holistic solution to a company’s cybersecurity woes.
Raz wouldn’t volunteer Avalor’s revenue figures or the size of its customer base. But the company’s investors seem in support of its strategy, for what little difference that makes. Morgan Gerlak, a partner at TCV, had this to say via email:
“An ever-growing number of tools have left organizations scrambling to extract signal from noise. Avalor takes aim at this problem with an extensible solution that supports several common security use cases. Importantly, each of these use cases has a well-defined budget and buyer today, not tomorrow.”
Of course, it’s true that VCs are generally enthusiastic about startups involved with cybersecurity — and have been for some time. 2022 saw $16 billion invested in emerging cybersecurity firms, a dip from $23 billion in 2021 but double the total from 2020.
In a recent report, Crunchbase forecasted that the cybersecurity sector would likely see valuation cuts but that demand would remain strong as high-profile attacks capture the headlines — and as companies look to consolidate their security tools. According to a 451 research survey, the average IT and security team are using between 10 to 30 security monitoring solutions for apps, network infrastructures and cloud environments — a lot by any measure.
“Our data fabric helps security teams make faster, more accurate decisions by making sense of their data with real-time access to complete, accurate and precise information in any format from any source — including legacy systems, data lakes, data warehouses, SQL databases and apps,” Raz said.
Avalor has 35 employees today and expects to double that number by the end of the year.