The Wizard of Cyber: what is behind Wiz's success and what got the security industry craving for magic
How Wiz was able to execute what is probably the most impressive magic trick of a decade in the software world.
I don’t usually write about security companies, but Wiz isn’t a regular company. It is a one-of-a-kind startup that has redefined what it means to build a successful company in security. Wiz has been an exception to many rules so I have no choice but to also make an exception and share some thoughts about it.
In this piece, I am diving deep into the reasons why it happened and the exact tactics the company used to get there.
We thought that security was a market for silver bullets
Several weeks ago, together with Mayank Dhiman from Notion, we published an article titled “Cybersecurity is not a market for lemons. It is a market for silver bullets.” In this piece, we argued that in security, neither the buyer nor the seller can confidently evaluate security solutions. If you’ve read that article (I highly recommend you do!), you can skip this paragraph; if you haven't, here is a quick recap of what’s important.
“Industry participants are forced to make decisions primarily on the basis of other factors that may or may not strongly correlate with the tool’s ability to achieve security outcomes. Here are some of the signals security buyers and other market participants frequently use to understand whom to trust:
Investors backing the company. Being funded by a top-tier VC firm is seen as a sign that the startup is more “promising”.
Mentions by analyst firms. Having an analyst firm mention the company in their report can provide a big boost and generate fresh demand for the startup.
Background of the founders. There is often an implicit assumption that when founders have a big brand name such as Israeli Defense Forces or a US-based three-letter agency on their resume, they are likely to have a better product.
Customer logos on the company website. Buyers are looking for signs that other reputable organizations trust the startup with their security.
Angel investors and advisors. Security buyers are often interested in understanding if the company has the support of reputable industry leaders.
Peer feedback. Security leaders frequently reach out to their peers in private communities to ask about their experience with specific tools. While this feedback in itself can be biased and anecdotal, it’s better than not having anything at all.
User experience and ease of adoption. This includes the presence of technical documentation, product design, the amount of time it takes to get started with the solution, and so on.
Marketing hype and public presence. It appears to us that factors such as the size of the RSA Conference booth may matter in the security industry, hence why year after year, security vendors keep investing in their public image.
Venture in Security has previously discussed that in cybersecurity, the trust factor and time to trust play a critical importance in the buying journey. For CISOs and security practitioners, indirect signals that the company is credible and worth looking at matter much more than the marketing of the products themselves. If customers are buying a promise, the reputation of people (or a company) who are making that promise plays a more important role than what they are promising.” - Source: “Cybersecurity is not a market for lemons. It is a market for silver bullets.”
In reality, security could be a market for magic wands
The sweeping success of Wiz highlighted something else: that security may actually be a market for magic wands. Let me explain.
Doing security is hard. Even if you have silver bullets, you still need to own a rifle, know how to shoot, and be good at it. Moreover, even if you have the right tools, defending yourself against werewolves, vampires, or witches is still hard work: you need to know where they are, when and how they are most likely to attack you, and always be ready.
The story of Wiz shows that security professionals are no longer satisfied with silver bullets. Instead, they want magic wands. They want security to be easy. Seamless. One-click. Pleasant. Wiz founders and investors realized that, and they delivered.
“The Wizard of Cyber”: how one company nailed what it takes to stay top of mind for the whole industry
The magic of ARR milestones
From the early days of the company, Wiz realized that cybersecurity buyers rely on signals that others trust these tools. If many people believe something is good, it must be good.
One of the first marketing plays on Wiz’s part was announcements about its ARR milestones. It all started when in August 2022, Wiz became “the fastest-growing software company ever” by hitting $100 million ARR in 18 months. It should be surprising that this is even possible in security, given that the industry is notorious for long sales cycles, especially if one is selling direct to Fortune 500 companies - the companies that take a year or two to just finish their POCs. This kind of revenue growth should have been possible in other industries, but not cyber, and yet Wiz did it. Magic, you say? I think it is.
Here is a little-known fact: ARR (annual recurring revenue) is not a GAAP metric. It is defined by the software industry. In other words, a company can calculate it however it wants, and whatever it presents will never be audited. Every software company chooses how to calculate its own ARR based on what it believes makes sense for its business. Some only take into account the actual cash received from customers, while others, such as RingCentral, calculate “Annualized Exit Monthly Recurring Subscriptions”, whatever that means. A company may even charge customers $1 for contracts but value each contract at $1,000,000 (hoping that when they renew a year or two later, they will actually be okay to pay the whole $1,000,000, or whatever new price they negotiate). Since ARR is not a real accounting term, nobody will ever know what Wiz’s announcement meant and how much real money they were actually getting from customers. It got the whole industry talking, and it set them on the trajectory of crazy hype, so whatever they did worked, and most importantly, it is totally fair game - anyone else could have done the same.
For those interested in how this is possible, check out this great piece titled “Lies of ARR vs GAAP Revenue Growth”. Here are some examples from the article of how other SaaS companies play with ARR numbers.
Source: Lies of ARR vs GAAP Revenue Growth
By choosing to announce its ARR - the magic number - Wiz turned all the eyeballs in the industry to the company. And, since then, it has been able to maintain this attention by relying on other methods we are going to discuss below.
The magic of threat research
The Wiz team has been incredibly effective in leveraging threat research to generate exposure. Every week, their threat research team publishes new findings that get picked up by the market. Sometimes, they hit a jackpot such as that time in September 2023 when they found “38TB of data accidentally exposed by Microsoft AI researchers”. The funny thing is that, as Microsoft assured, “No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue”. Basically, it’s a good finding but not nearly as impactful as tens of real problems Microsoft has been struggling with, such as the one when Russian hackers spied on staff emails and stole emails of the customers. And yet, “38TB” is a big number, and it got pushed across the media so actively, as if it were a breach of customer data in production. The magic of big numbers worked, and Wiz once again got a lot of publicity.
The company has done a great job evangelizing its research and positioning itself as an authority on cloud security. Its “Cloud Threat Landscape” tool, “a curated public instance of Wiz Research’s internal cloud threat intelligence database, summarizing information about publicly disclosed cloud security incidents and campaigns” is a great example of that. I think more companies should be open sourcing their threat intel work, but that’s a topic for another day.
The magic of M&A announcements (without the actual M&As)
Of all the magic tricks Wiz was able to pull off, it’s its M&A activity that deserves the most attention and gets none of the discussion. The company has acquired two startups - Raftt and Gem Security. Both are great additions to their portfolio, but both acquisitions went somewhat uneventfully (at least it looks that way from the outside). It is the acquisitions that never materialized that got everyone talking.
We will probably never know how this happened, but one thing for sure is that Wiz has figured out how to make the industry talk 24/7 about the deals that somehow “leak” and yet… never materialize. One of them is more impressive than the other.
First, there was the SentinelOne acquisition that got everyone talking. Is a startup taking over a public company? Is SentinelOne being squeezed by the competition with CrowdStrike? Rumors were plenty, but in the end, SentinelOne’s CEO called Wiz “a nice little startup” and called it a day. No closed deal, but a lot of chatter in the industry, which certainly contributed to Wiz’s magical image of a powerful security company.
Then, by the magic of a few moves, accidental or not, Wiz’s biggest competitor, Lacework, got sold to Fortinet (of all the options) for pennies on the dollar. Here is how it unfolded (again, an outside view based on public data). First, the information leaked that Wiz is in talks to acquire Lacework. Then, the price leaks - the price that is so low compared to the once nearly $10 billion valuation that the whole industry is talking about Lacework being over. And then, an article comes out that the acquisition talks have ended with no result. The nail in Lacework’s coffin was the statement that the “deal fell through during the comprehensive due diligence process” which most certainly ended what was once the most promising cloud security company. We will never know what happened behind the scenes; all we know is that following just over a month-long process, what was once the largest cloud security player became a part of Fortinet.
The biggest of all announcements that got the whole tech industry talking is the recent news that Google is in talks about acquiring Wiz for the record-breaking $23 billion. Tyler Shields & Katie Teitler-Santullo of The Cyber Why wrote an interesting take on this story:
“By now, you’ve definitely heard the news: Wiz walked away from a $23 billion dollar acquisition offer from Alphabet (Google’s parent company) to focus on preparing for an IPO instead. The initial announcement about the intent to acquire shocked the security community, both because of the sheer financials thrown around in media publications and because the deal, had it gone through, would have drastically changed the cloud vendor security landscape.
This was never a typical acquisition proposal, so the “ifs” were abundant.
But what I find most interesting is the timing of the offer and the decline. Few founders would reject the kind of money offered. Even with all the funding raised ($1.9B USD to date), the multiples were off the charts, especially for a four-year-old company. But to reject that kind of deal so quickly indicates to me that some sort of security theater may have been at play. In other words, Wiz might never have had any intention of selling. The founders have been bullish on this topic from the start — their goal is to become the biggest security company of all time. So why allow the media to get into a frenzy? Why even let it get to the media if the Wiz team had already decided to stay solo?
The short answer: Press and media attention. Market attention. All right before filing for IPO. I suppose it’s no different than an NFL coach hyping up his team right before the “Big Game.”
And that’s how it went. We will never know who called off the deal (Wiz? Google?) and why. What we do know is that the magic of M&A announcements played out once again, this one on a truly grand scale raising Wiz’s perceived valuation from $12 billion just a few months ago to a whopping $23 billion today. Not much has changed since Wiz announced its $1 billion round, but a few moves of a magic wand and voila - the company valuation doubled. A true wizardry.
The magic of creative projects
In addition to everything above, it is evident that Wiz has found creative ways to stay top of mind for everyone in the industry even with small milestones. The method they’ve been using to achieve it is what I would describe as “creative projects as marketing”.
Wiz the Magician is publishing children’s books, creating playlists on Spotify, developing meditation apps for CISOs, meditation cards, and probably more, much more than I have time to sift through on this Sunday afternoon. Though none of these has particular value or utility, that’s not at all the goal - the goal is to do things that people like, share, and talk about. Needless to say, these are great marketing gimmicks, but they only work if the company already has the mindshare and reach of Wiz. If some struggling startup tries to create a meditation app for CISOs, it had better have the guts to show up at its investor meeting and tell how much money was spent on this, and what the return on investment has been.
“Cloud Security for Kids” - Wiz on X / Wiz Summer Hacking Playlist on Spotify / CISOasis, the cybersecurity meditation app / Cybersecurity meditation cards - Wiz on LinkedIn
The magic of engineering
Another way Wiz has been getting people to talk about them is by leveraging engineering to create brand awareness. Though the company doesn’t really sell to or through practitioners (its sales motion is strictly top-down), it is making an effort to engage technical security professionals. Wiz’s AI Security Challenge is a great example of such a tactic. The game offers people the ability to “manipulate the customer service AI chatbot to get a free airline ticket” which definitely resonates with the security mindset.
The magic of shows
An honorary mention goes to Wiz’s ability to design impressive booths at industry conferences. Though some say that there is no value in spending millions on RSAC and Black Hat booths, the value is indeed huge - and that is signaling and attracting attention. Some players such as Palo Alto have given up and instead are trying to get attention by acting contrarian and opting out of having a floor presence at the RSA Conference.
Wiz does still have the creativity to make people pay attention to them on the conference floor and it wields that power quite well. So well in fact that at RSAC 2024, it earned the 2024 RSAC Beautiful Booth Award from Cybersecurity Marketing Society. Here’s how the Society described it: “Wiz’s booth at the RSA Conference, themed as “Wiz Mart,” cleverly transformed their exhibit space into a one-stop shop for cloud security, mirroring the layout and experience of a classic supermarket. This unique approach not only visually captivated attendees but also made the complex topic of cloud security highly approachable. The booth featured custom-made merchandise that cleverly related cloud security themes to everyday supermarket products, enhancing the thematic consistency. Interactive elements, such as a QR code scanning game, invited attendees to discover hidden content on the shelves, greatly increasing engagement and participation. Regularly scheduled demos, including a raffle for custom-made Nike shoes, kept the booth bustling with activity. The messaging throughout the booth was clear and playful, effectively communicating the importance and functionality of Wiz’s cloud security solutions in a fun and interactive manner.”
Security leaders don’t know and can’t tell what product is offering the best security (remember, it's a market of silver bullets). Booth sizes at RSAC, Black Hat, and other conferences have long been the way our industry judges company success, and Wiz knowingly invests a lot of money, creativity, and brainpower to stand out in the noise.
Wiz at RSAC 2024 - Cybersecurity Marketing Society
“The Wizard of Cyber”: how one company nailed what it takes to stay top of mind for the whole industry
Mastering the art of signaling
Wiz knows that nobody can tell the difference between the multitude of tools in security, and the company truly mastered the art of signaling. Specifically,
Wiz raised capital from top VCs, Cyberstarts, Andreessen Horowitz, Lightspeed Venture Partners, and Thrive Capital, to name a few.
Wiz nailed the art of getting attention from analysts. The company has earned a reputation for being the top cloud security platform.
Wiz founders are alumni of the Israeli Defense Forces, which obviously gives them credibility as people who understand security. They have previously founded Adallom, a Cloud Access Security Broker (CASB) solution which was acquired by Microsoft. At Microsoft, they worked in different leadership roles (Asaf, now Wiz CEO, led the Cloud Security group and served as the General Manager of Microsoft Israel’s R&D Center).
Wiz targeted top enterprises from day one, and with the help of its investors, it was quite successful at doing it. Since buyers are looking for signs that other reputable organizations trust the startup with their security, they are certainly happy to see that according to Wiz’s website, the startup is “Trusted by more than 40% of Fortune 100 companies”.
Since Wiz was backed by Cyberstarts, it was certainly able to tap into the resources and support of what’s widely considered to be one of the top VCs in Israel. This, combined with the fact that founders had a CISO network from their time of building Adallom, has inevitably given the company a good community of security leaders who could advocate for them from day one.
Wiz, according to a lot of feedback I’ve been hearing, nailed user experience and ease of adoption. This includes the presence of technical documentation, product design, the amount of time it takes to get started with the solution (being agentless gave them the advantages their competitors didn’t have), and so on.
Marketing hype and public presence. While all the other criteria are true, it is this one that in my opinion made Wiz the company we know today.
The key to Wiz’s success isn’t a magic wand, it is being the center of attention 24/7
By now it should be clear that the key to Wiz’s success isn’t a magic wand. It is becoming omnipresent. It is getting everyone to talk about them, all the time, everywhere, and for whatever reason possible. This article itself is a case in point. I am sure they have a good product, but they also know that being agentless, they don’t have as much technical moat as some of their competitors used to (until they didn’t). But, they also know that in security, it’s all about the distribution, and technology isn’t what matters.
Wiz is a giant experiment of what PR and carefully crafted marketing can do in the industry. Whoever runs their marketing is a real genius.
The story of Wiz hasn’t always been that of untainted success. The company is still facing a lawsuit from Orca alleging intellectual property theft (a trial date is set for December 2025), and one of its early-stage investors is now under scrutiny about the way they built what is now probably one of the most successful VC firms in the world. So far, the company has been able to weather all storms, and it surely looks like they are going to be a sweeping success. All that said, Wiz is still a private company (although with a lot of cash in the bank), and with every private company, the future is always uncertain. As of right now, nothing seems to suggest that there is anyone who would dare to challenge their success. Every early-stage founder I spoke to recently threw away the very idea of building something that would compete with Wiz. And that’s the key - when you become a giant that’s full of steam moving at a crazy speed, you can remain unchallenged for a long time.
There are certainly many reasons that have allowed Wiz to become the hottest cybersecurity company today. And yet, I still think that it is their art of being the most talked about company, at every event, every occasion, and their ability to take advantage of the fact that success breeds success, that got them where they are today. Not the product, not the security capabilities per se, but their ability to recognize that the industry just wants magic, and deliver that magic.
Needless to say, I expect that Wiz’s presence at Black Hat is going to be as impressive as ever.
“The magic of Wiz”: the importance of branding, in Wiz’s own words
I would like to close this piece by making it clear that none of this is a secret. Wiz has always been open about the fact that they understand the power of brand; many people were just too busy to read. Their playbooks are out there, in the open. As the company states, “Security professionals are inundated with scary and negative alerts all day long. These alerts can be overwhelming and take a toll on one's well-being. That's why our approach is to create a security product that provides a sense of hope and positivity, something to look forward to amidst the chaos of potential threats.
… We've chosen magic as a central theme for our brand identity. Magic represents the power to create something out of nothing, to turn the impossible into the possible. It's a perfect fit for a security product, which must protect against potential threats and vulnerabilities. By infusing magic into our brand identity, we're creating a sense of wonder and excitement that is rarely associated with security products.”
It is armed with this deep understanding of the power of branding and marketing hype that Wiz has executed what is probably the most impressive magic trick of a decade. The true Wizard in a market of magic wands.
Absolutely right about open-sourcing research. Well written.
Wiz's GTM "magic" is highly dependent on their co-selling approach with the hyperscaler cloud providers. The sales teams of the cloud vendor are incentivized by their own company to support deals and push them through (their) Marketplace. These programs are available to average startups/ISVs as well, but there is a huge difference in doing it as a strategic sales motion vs a "nice to have".