Fortinet Acquires Lacework in Surprising Move
Is This a Firesale or Fortification? Only Time Will Tell
It’s been a tumultuous ride for Lacework, the former Super Heavyweight of cloud security. The nine-year-old company started its meteoric rise almost immediately out of the gate, taking advantage of enterprise companies’ mass migrations to the cloud. The company closed its $8 million USD Series A almost immediately after emerging from stealth; five rounds and $1.9 billion of investment later, the company was backed by some impressive firms, including Snowflake, Google Ventures, Altimeter Capital, General Catalyst, and Sutter Hill Ventures.
As of late 2021, Lacework was valued at $8.3 billion (yep, that’s “billion” with a “B”), making it — at least on paper — one of the biggest cybersecurity players on the market.
And then came the fall. While many companies — in and out of cybersecurity — floundered during and in the wake of the pandemic, cloud companies thrived. Businesses needed a way to get people working from home, quickly and securely, and the cloud security market capitalized on this momentum.
Lacework was one of the companies leading this effort. Bolstered by all the cash it could possibly need to advance and enhance its products, acquire companies/products to expand its portfolio, and hire top talent, the company should have been unstoppable. They even jumped into the artificial intelligence (AI) fray before the term was splashed across every RSA vendor’s booth and sprinkled into sales and marketing collateral. Lacework applied AI (read: advanced math, a.k.a. algorithms) to anomaly-based detection in ever-shifting cloud environments. Great idea…but it fell short when it was realized that, uh oh, the training data didn’t exist. For any machine learning (ML) or AI algorithm to work, enormous amounts of reliable, trustworthy data must be available for the model to learn from. But because of how cloud environments work — how busy they are, and the fact that many cloud-focused attacks are based on API calls (not the data in the cloud itself) — the technology started to falter.
From the cloud to the ground
A whole lot of technological issues later, the company’s valuation started to drop. Lacework laid off 20% of its workforce. Key executives (like the co-CEO) started running for the hills. The remaining management team seemingly used questionable tactics to lure companies into buying the product. Employees—current and past—started complaining about the toxic and overly political culture. Customers started reporting the product’s lack of efficacy. And the list goes on and on.
Lacework’s fall from grace was highly recognized in security circles. As both its valuation and revenue plummeted, and the cloud security sector continued to boom, competitors took notice. Wiz, the 800-pound gorilla of the cloud, decided to approach Lacework for an acquisition — theoretically to buy the company in a firesale, retain the good parts, and remove one noisy would-be competitor.
But that acquisition fell through. Not much detail was given, and the security community was left to speculate that Wiz found something—or a whole lot of somethings—it didn’t like during the due diligence process. The toxic culture could have been a sticking point, or Wiz could have discovered some “smoke and mirrors” in the product. We’ll likely never know. However, the covers were off—everyone seemed to be talking about Lacework as a case study of how not to operate.
A fresh start, or tearing apart?
It seemed like the end of the road for Lacework until yesterday. On June 10, 2024, Fortinet announced it would acquire Lacework for an undisclosed amount. According to the Fortinet press release, “Fortinet intends to integrate Lacework’s CNAPP solution into its existing portfolio, forming one of the most comprehensive, full-stack AI-driven cloud security platforms available from a single vendor. This will help customers identify, prioritize, and remediate risks and threats in complex cloud-native infrastructure from code to cloud.”
The reality is that time will shake out a few of the reasons why this seemingly failing company is being thrown a lifeline. Is it an acqui-hire? An acquisition “for-parts”? Were the financials just so in Fortinet’s favor — the firesale of a lifetime — resulting in Fortinet engineers having a tiny leg up on building CNAPP rather than starting from scratch?
One thing is for sure: the announcement has captivated many in the cybersecurity community, and it’s bound to be a topic of conversation for a long time. If you have thoughts or opinions on this story, leave them in the comments below!
Fortinet's investor analysis materials mention they gain over 220 patents from the Lacework deal, but I'm not sure what those are worth to them; they'd have to be willing to litigate and enforce those patents for them to have value, IMO.
Fortinet is good at buying such stuff from the garage sale