Aqua Security, one of the leaders in container and cloud-native security, recently announced it has raised $62 million in a “C” round of investment, led by Insight Partners.
In this DevOps Chat, we speak with Rani Osnat and Andy Feit of Aqua Security about how this validates the cloud-native security field that Aqua has helped develop.
The video of our conversation is immediately below, followed by the transcript of our conversation. An audio version is also available on Soundcloud.[videopress 1pfe0tRG]
Alan Shimel: Hello, everyone. It’s Alan Shimel, DevOps.com, Container Journal, Security Boulevard for MediaOps and I’m really happy to be joined by my friends from Aqua Security. Charge of product marketing, we’ve got Rani Osnat, and, in charge of go-to-market, Andy –
Andy Feit: Go-to-market, that’s right, Alan.
Shimel: – none other than Andy Feit. Both of these guys are familiar to our audience or you’re both familiar to the audience – you’ve been on – but, guys, first of all, congratulations, mazel tov, whatever you wanna say. Big news today with Aqua. You guys raised a Series C, I believe it is, for $62 million.
Feit: Yeah, thank you, Alan.
Rani Osnat: Thank you, Alan.
Shimel: Congratulations. So let’s talk about what this means, guys. So, first of all, it looks like this round was led by Insight Ventures, correct?
Shimel: And I don’t know if we know; who is the Insight partner kinda leading the charge on this?
Osnat: It’s Jeff Horing, was the _____ –
Shimel: So I know Jeff and he’s one of the senior people there. Will Jeff be joining the board of directors?
Feit: Yeah, so Insight will have a board seat.
Shimel: Okay. Will it be Jeff, though, or you don’t know at this point?
Osnat: Yeah, we’re not sure that it’s gonna be Jeff.
Feit: We’re not positive, yeah.
Shimel: Okay. I don’t mean to ask any trick questions, so don’t worry. So, Andy and Rani, you know, what I thought was interesting in reading the release was, yes, Insight did lead this round for $62 million, but a couple of things to note. Number one, your existing ventures, Lightspeed, Microsoft or M12, M7, whatever they call it –
Osnat: M12, _____.
Shimel: – Shlomo Kramer. You know, your existing venture investors all participated in this, correct?
Osnat: Correct. Yeah.
Shimel: And that says something, right? People believe in it enough to keep writing more dollars into it. Kudos to the Aqua team ’cause that does mean something.
Osnat: Yeah, and it has been like that in all previous rounds as well, so we’ve always had the existing investors continue to participate. And I think, from their perspective, obviously, this is – they’ve taken – especially the early investors, like Shlomo Kramer and then TLV Partners, have taken a risk, investing in a very early-stage startup with an uncertain market. And now a lot of that risk is gone – you know, you can never know, but it’s a much more solid proposition than we had _____ _____ ago –
Shimel: Well, it certainly less risky than a raw startup, but, you know –
Osnat: It’s less risky, and so they deserve it.
Shimel: – from an investment point of view, when they – it’s almost doubling down, when they continue to participate. Right? That’s saying, “I believe in this enough that I don’t wanna be watered down in my stake in the company, and so I’m gonna invest my pro rata or per-capita share so that my stake in the company remains constant, not decreased or watered down as they raise more money.” So it is very significant.
The other thing I just wanted to mention is, hey, this brings the total raised, I think, to $100 million, maybe a little over $100 million.
Feit: Just don’t round down, yeah.
Shimel: I was doing the math on my fingers; I ran out of the toes, but I knew it was close. But the obvious question then becomes “So does this move Aqua into a unicorn, where you have a valuation of a million-plus?”
Feit: Yeah, we’re not really sharing the details on the post-money valuation here. One of the nice things about being a privately-held company: you don’t have to share all those details. But, obviously, the number’s more than $100 million and we’re excited about bringing in a new investor that’s actually more than just bringing money to us. And I think what’s great about Insight is how involved they are, how well they know the space, the introductions they can make to partners as well as end-user customers. And this is really – they are a late-stage investor that knows what it takes to make a company successful.
Shimel: No doubt about it. As we were talking off camera before, I have a relationship with Insight for a number of years now and, look, I’ve seen them invest in many companies that I’m very familiar with – some of them, I’ve worked with. Companies like FireMon and JFrog and Tricentis, Aquanow, and others. So, I mean, their record kinda speaks for itself. And I will tell you, more than just writing a check, I’ve seen firsthand, right, what they’ve done. I mean, frankly, we’ve talked about working with them here at MediaOps, in doing something for their whole portfolio, right? And great company. You couldn’t pick a better partner, in my opinion.
Feit: We definitely feel that way and it’s impressive how well they know the space. Through the due diligence process and even –
Shimel: No doubt about it.
Feit: – here at the meeting, they’re digging in. And the fact that they spoke with our customers, they met with our team, they looked at our product, they went through it – it’s a testament to how far we’ve come and we’re excited about that.
Shimel: Great. So let me pivot now. So, again, congratulations on the raise. That’s a significant amount of money. It means you guys can do some great things. In reading over or perusing the release, though, I saw some other kinda subtle changes in messaging, and that is I knew Aqua or many of us may know Aqua as a container security company. And now I see the messaging changing to more a cloud-native security company. Let’s talk about that. What does that mean, Rani?
Osnat: Yeah, I think, when we started out, the market was different, in terms of adoption and also in terms of the technology landscape. A lot of the technologies that are now maturing were really experimental at the time – and we’re not talking about a long time ago; it’s three and a half years ago – but things like serverless, for example, that are catching on. They’re not as big as containers yet, but, if you believe some of what the proponents say, they will be bigger.
And, in general, I think there’s a trend to look at this cloud-native space, for lack of a better term, as something that is supporting the next generation of application development, application deployment, and runtime environments, where cloud-native doesn’t – it’s not equivalent to cloud, right? I mean, you could run things in the cloud that are not cloud-native and you could run cloud-native applications on-prem as well. But the whole notion is that you support this very Agile, microservices environment that is portable, interoperable, and you can update it very frequently. It’s very resilient – you can update different pieces without impacting other pieces.
And the benefits to enterprises that adopt these technologies are huge, and so that’s why it’s catching on. And we’re at that stage where we see not just the breadth of adoption across the industry, in terms of the number of companies that are actually using it, but also how deep it goes and how wide the adoption is within a given company. So we’re still at an early stage, but we see how a lot of enterprises like banks and insurance companies, not the tech industry itself, are looking at these technologies as strategic to their objectives – digital transformation, customer centricity, all those things.
Shimel: You know, I was telling someone in the office here this morning, “We live in such interesting times if you’re a tech person.” Right? I think bank to my first Web hosting company in 1995 and what it meant to rack up a server.
Shimel: Right? Set up a server for someone. My ops people walked around with tool belts, with pliers and screwdrivers, right, ’cause you had to literally screw in the server into the rack. It’s a different world; it’s an amazing world. Here’s another just something I wanna throw out at you: when we talk about things like serverless and we talk about what Kubernetes brings to the picture, it almost – there’s a place for everyone here. It’s not just the cloud, like we’ve seen with AWS or Azure or Google or Alibaba or – you know, the data center is back.
Osnat: Right. Yeah, I –
Shimel: Right? And there’s now _____ serverless stuff, right?
Shimel: And it’s still native.
Osnat: Yeah, absolutely, and we think if you really kinda distill it, from a technology standpoint, to one thing, we’re talking about a complete abstraction of the application layer from the underlying infrastructure. Right? So that’s –
Shimel: That’s it right there. Mm-hmm.
Osnat: – moving into a serverless world, but “serverless” not in a narrow sense of serverless functions that we have today but “serverless” in the wider meaning of the word, where you really don’t have to manage any servers. And any technology that aligns with that concept is legitimately cloud-native and we need to support those technologies.
And, even today, there are many choices, right? You can do everything from running containers on VMs to running containers on bare metal to using container-as-a-service type solutions or serverless containers, like Fargate and ACI, and, of course, serverless functions. And there will be a lot of things in between that. We’re already seeing some technologies that are still very early-stage, like micro-VMs or hybrid container VMs, and this will all have a place because, ultimately, organizations will choose the technology that serves them in the most optimal way, without necessarily being married to one particular technology.
Feit: And I would just add, Alan, I think the common theme between these technologies is the dynamic nature of the infrastructure and the ability to spin up, whether you’re spinning up a VM or requesting a microservice run for 70 milliseconds on a function. It’s happening over the course of the day, over the course of an hour, over the course of minutes. That network is changing and your security infrastructure needs to understand that. And the old-school models of securing these platforms didn’t work before and it’s only getting harder with things like microservices and moving to serverless architectures.
Shimel: No, I agree. I think Rani hit it, actually, right on the head. We’re just seeing this abstraction where that whole infrastructure is so liquid, right, and so dynamic that you almost – you need to secure it, obviously, but the mission of securing the application, irregardless, wherever it’s _____, of the infrastructure, is a mission in and of itself as well.
Feit: Which means you need to understand how _____ _____ _____.
Shimel: And you still have to play nice.
Feit: Yep. Yeah, you need to understand the application part of it, go with it wherever it’s running, and that’s really the magic of what Aqua does.
Shimel: Yeah. Well, and I think that that is the magic, right, and that is the mission. Go with it wherever it’s running. Let me turn back. So, you know, some fresh fuel in the tank. What does the $62 million mean? Let’s talk about it just in terms of go-to-market with you, Andy, but, Rani, let’s talk what does it also mean in terms of product? In this new – I mean, one could say that – saying, “Hey, we’re gonna secure cloud-native. Gives us a bigger surface to play on, a bigger playground to play in.” Go-to-market’s a challenge, right? Both? Let’s hear.
Osnat: Right. Yeah, I mean, so we’ve been – one of our key advantages in this market has been platform support and being able to support different clouds, orchestrators, operating systems, and modalities of cloud-native, right? And, as we see things right now, the market is not – it’s been consolidating around Kubernetes as the orchestration platform, but, at the same time, there are many different flavors and there are different dependencies, on where you’re running, et cetera, that have to be addressed.
So we already are supporting a very large matrix of different technologies and combinations of those technologies. And, as the market continues to hold, we’ll need to continue to track that, so not just support them but actually provide deeper security controls at each level and at each step of the way because we’re not only a container security solution, as you pointed out earlier, but we actually provide this support for various types of cloud-native technologies, various pieces of the stack, and also the full life cycle. So, starting from their early stages of development and CI/CD, going all the way to production environments. And this requires investments in R&D.
Additionally, we also have been investing in open-source tools, specifically around Kubernetes, and we will continue to do that and not only expand the capabilities of those tools that we’ve already put out there in the market but also add new tools. And we do that as part of our philosophy of educating the market, getting out tools that anyone can use, and then, when they get to large production environments, they’ll probably come to us for a commercial solution, with all the benefits of commercial interoperability and support and all that. So that’s – part of the money goes there, obviously.
Feit: And part of the money definitely goes out to build the infrastructure, whether we’re talking sales globally. We’re working with some of the largest customers – companies in the world today and they have a global presence, but, as we go to market and look at growing the business, we have a proven model at this point. I mean, that’s what happens when you get to this late-stage investment. They’re looking for “Do you have customers? Could you do more of them if you had resources in various countries? Could you scale out more by solving more of their problems across divisions and departments in those enterprises and up-sell and cross-sell?”
And then the support infrastructure. One of the things that has really differentiated Aqua, when we win our business – and we’re in a competitive marketplace, but one of the things that really drives us is our ability to be on site with a customer, to support them through their deployment, to be truly invested in their success and integrating with their CI/CD pipelines, integrating with their secrets management, integrating with their SIEM tools. Our solution is not standalone; it’s not a double-click install of a SAS solution. This is part of your entire application development life cycle and it requires resources, so we’ll be – there’ll be people, as part of those organizations, that help ensure the customer deployment is successful.
Shimel: You know, I think Aqua is kinda taking the lead on this cloud-native security. Of course, we all at KubeCon in Seattle a few months ago. There’s another one coming up in Barcelona in – was it May? The end of May, I think.
Feit: May 20th. Believe it, it’s on our schedule.
Shimel: Yeah, no, us too. I think I fly out the 18th. We’ll talk about it. But, you know, I mean, we saw at KubeCon in Seattle this buzz, this palpable excitement – it reminded me of AWS Reinvent five years ago, right? Before the – when the cool kids still there. Where do you think we go? Are we at – I guess, are we at the top of the hype cycle here? Do you think it’s just starting? Where’re we going here?
Feit: It’s still early, I think. [Laughs]
Osnat: It’s not even close to the top. I mean, so KubeCon in Barcelona is gonna be – they’re expecting 10,000 attendees.
Shimel: I didn’t realize it’s that big.
Osnat: In Europe, _____ _____ _____ –
Shimel: Yeah, that’s great to hear.
Osnat: – _____ people coming from all over, et cetera. These European events are typically less well-attended than the US equivalents, so the last KubeCon in Seattle, I think, was 8,500, which was about double what Austin was the year before, and now they’re doubling Europe. So that’s, obviously, a very promising sign. But not only that, we see a lot of companies that are new to this space, new to Kubernetes, new to containers, new to serverless. And, sometimes, we get leads on our website – people who’ll purchase – and you can tell they’ve already done their homework, so these are not clueless people who are just kicking the tires, that are trying to learn the basics. They’ve already done that and now they’re actually looking for a solution because they know that they’re going to production, with their environment, in – whatever – six months, three months, nine months.
And so that’s a level of maturity in the market that we didn’t see until recently. And also just the number – I mean, the sheer number of companies that are getting involved is huge and CNCF membership, including end-user organizations, is growing. So all of these are indicators to where it’s going. And I think Andy also wants to say something about our presence at KubeCon.
Feit: Yeah, two things. I would also – before we talk about KubeCon, I think the other indicator is that most of the application workloads that are out there today are still very much in the data center. A lot of them are still monolithic applications; they haven’t all migrated to the cloud or, if they have, maybe they were done with a lift-and-shift. So I think we’re talking about a market that is poised for significantly more growth and we see a lot of different indicators of that. One example is our customers who deployed, say, a pilot project or a handful of applications one or two years ago are now asking us for enterprise-wide licenses and scaling this out to be “This is our cloud-native platform. We’re gonna do everything on this.”
But, at KubeCon this year, in Barcelona, as we did in Seattle, where we did a pre-day event called “KubeSec Enterprise Summit,” we will be doing the same thing in Barcelona. You can register on the CNCF site. When you register for KubeCon, you can sign up for KubeSec Enterprise Summit, which is really an event built just for large-scale enterprise customers rolling out into Kubernetes in production. We’ll have customer speakers; we’ll have an analyst speaker; we’ll have panels. It was a terrific event, very positively reviewed in Seattle, and we’re repeating that now in Barcelona on the 20th of May.
Shimel: That’s great news. You know, and one thing – look, I’m guilty of it; I think you guys are guilty of it too – we call it “KubeCon.” It’s “cloud-native con” too. Right?
Feit: Absolutely. We do tend to – for those of us who’ve been in the market –
Osnat: It’s like for a while.
Shimel: No, no, I do it. I’m guilty as charged, but I think there’s gonna come a day where cloud-native maybe is bigger than Kube itself, right?
Osnat: Yeah. Well, I think it already is, in a sense, right? I mean, Kubernetes is just – it’s a bit like a fleet. You have a – Kubernetes is the aircraft carrier and then you have everything that surrounds it, the frigates and the destroyers and the minesweepers and all of that.
Shimel: _____ and the battleships. Absolutely.
Osnat: I think that you can tell I play – I used to play _____ –
Shimel: I can tell that. Right.
Feit: And the other thing that I think it comes down to, it’s just harder to say “cloud-native con.”
Osnat: That’s true.
Feit: It’s got too many Cs and Ns and _____ –
Shimel: “KubeCon” does roll. You’re right.
Osnat: Why don’t we call it “KubeCon cloud-native con”? Not “cloud-native con” or “KubeCon.”
Shimel: Absolutely. Hey, guys, I know you’re coming to us from Madrid today. You’re at an Aqua team meeting, and so I appreciate you carving out some time, but I wanna be respectful as well. I know you only had 25, 30 minutes, so. First of all – or last of all, congratulations.
Osnat: Thank you.
Shimel: You and the whole Aqua team. I tend to think of you two as Aqua, but I know there’s more people behind it.
Osnat: I mean, _____ _____ people behind this wall. I don’t _____.
Shimel: Yeah. But congratulations to both of you. Congratulations to the whole Aqua team. It’s gonna be interesting to see how it plays out. As I said earlier, we live in interesting times in tech, so I will see you both in KubeCon in Madrid? I mean, in Barcelona.
Feit: In Barcelona. And if –
Shimel: In Barcelona. We’re doing videos there for Digital Anarchist, so we’ll have you in and we’ll talk some more.
Feit: I will be at DockerCon before that if you’re going to San Francisco, so _____ –
Shimel: I’m not at DockerCon. I have to go to Iceland. But –
Feit: All right. Great talking to you again, Alan.
Shimel: There’s only so many conferences that I can do, but we try. But we’ll talk more. But, for now, Rani and Andy, congratulations. Continued success with Aqua and we’ll talk to you later.
Feit: Thanks, Alan. Buh-bye, Alan.
Shimel: All right, guys. This is Alan Shimel for DevOps.com, Container Journal, and Security Boulevard, with our friends from Aqua Security on their recently-announced $62 million raise of round C. Till next time, bye bye.