Wiz's $32B GTM Playbook

IMO it’s mostly luck. Right place, right time, right connections. Look at the founders in the US, many of them are from already privileged backgrounds. True rags to riches stories like that of Jack Ma are rare.

It's got all the hallmarks of a piece written by AI. Lots of purple prose, adjectives where they add no information, bullet lists, etc. All this sits alongside banal content like "[Wiz] Use colors and designs to signal reliability in a high-stakes industry."

It may have been lightly edited & enriched by a human, but most of this article was written by an AI.

I've always understood the bullet format to simply be good for readability, e.g. as presented here https://www.nngroup.com/articles/presenting-bulleted-lists/ (though I remember learning that idea from the same site about a decade earlier)

Startup valuation is based mostly on sentiment in the current age so if you're not breathlessly hyping up your shitty product you're almost literally leaving money on the table.

I'd say it is actually perfect that it is last on the list.

Capital alone won't make a business succeed, and more capital won't make a business necessarily better. A big investment is typically the result of doing everything right before that. They would have never been able to get that amount of capital without a very solid foundation.

Capital is just a small piece of a business, it's not the hardest part by far. Capital is also relatively accessible, it's not an 'unfair' thing. There seems much unfairness sentiment nowadays where people think companies with access to lots of capital are guaranteed to succeed, like some kid with rich parents. Many seem to think that all there is between them and success is money, but in reality that's rarely the case.

Funding doesn't cause growth. If anything, funding causes Juiceros and Magic Leaps. Growth, however, can definitely cause funding and that's what happened with Wiz I think.

Some kind of additional leverage and/or connections were certainly used.

The open dirty secret of infosec is that outside of authentication systems, the products and services sold do not actually work. Usability and real world functionality are not box-tick items in feature matrix comparison. It is enough that a security[tm] product does something technically correct to get a green tick in the relevant feature list row.

As a result the products are not commonly sold to their end users. They are sold to C-suite, and inflicted upon their victims. And how do C-suite choose what vendor to throw their money at? DDQ/RFx templates. I wish I was joking.

The other dirty secret of infosec is that everyone does their vendor/client/etc. vetting with bingo sheets full of meaningless, context-free questions that try to enumerate SYMPTOMS of different kinds of breach scenarios - they do not attempt to look at root causes, and they certainly do not consider threat models. These bingo sheet templates are used by everyone: vendor teams, insurers, auditors, you name it.

And now we finally get to how Wiz pulling connections intersects with the above. A fair number of the bingo sheet templates come with pre-populated dropdown choices. The choices usually include no more than 8 options, including "Other". The implication is very clear: "if you use one of these known & approved vendor products, then we are fine with it".

Wiz got their offering included in the bingo sheet templates in approximately 18 months from launching publicly. That has provided them with constant advertising from the countless infosec questionnaires thrown around the various industries and the implied checkmark of being pre-approved as a vendor of choice. Given the landscape and the general quality of competing vendors, your product needs to be merely not-shit to stand out and get traction through the various back channels.

Now, from personal exposure I can say that Wiz's product (or at least those I have been faced with) are still better[ß] than their competition. A recent security scan report from a client using Wiz had only ~85% of false positives. The average FP rate for other vendors tends to be 95% or even higher.

ß: security products must be the only segment where vast majority of results being false positives is considered both acceptable and normal. In any other field a product that routinely gets >90% of its answers wrong would be consigned to rubbish heap.

> I am missing something big here. How and why did they raise 480 million dollars in a year for a cloud security product?

I am not an expert at Wiz specifically but I understand this is a "sales lead SaaS business" rather than "product lead SaaS business."

Sales lead Saas companies are incredibly costly from a sales and marketing standpoint, you hire a ton of sales people, BDRs and event marketing and other types of outreach and you fly your sales people around the place to win and dine your customers. So you basically invest all your VC money into your sales organization and it probably takes up 65% or maybe more of your head count. The sales people also take a decent percentage of all the ACV contracts they bring in, thus even if you make a ton of sales, they are not profitable for at least the first year. This is growth at all costs.

The answer is that it was 2021 and they were in an incredibly favorable fundraising environment. It's not "what are we going to use this funding for?" It's "investors are flush with stimulus cash and leveraged to the tits from low interest rates and they're banging down our door to invest, let's take the funding"

Nope. They bought up many similar companies in the space to monopolize the niche market. Got big enough to act as bait for some fossilized big tech company.

> Having launched a couple of dead startups that started with several months of writing code first, this way definitely sounds better.

This is basically what startup 101 tells you. This is what every successful entrepreneur will tell you. This is what every coach tells you. This is what every entrepreneurial book or blog will tell you.

But, this is also what every tech entrepreneur will ignore anyway.

This is one of those things that you have to experience a few times before you look back and think 'oh... they were right'. But coding is comfortable and cold calling is very scary. It's also against our nature to ask anyone what they think of your idea, because it might shatter your dream.

YC Startup school nailed this in one of their talks, the presenter opened the talk with something like "this is important advice that you will all ignore, and that's okay, my goal is to make you recognise the situation after you'll inevitably make one of these mistakes".

I'm not being a snob here. Trust me, I made this very same mistake. I ignored all the advice and poured years into building products that nobody wanted.

If the term "reconnaissance marketing" does not yet exist, it should.

This is indeed genius. I wonder if this were the same potential buyers or different 10-15 people every day.

The mystery is what happened between that phone call and the $100M ARR. The customer says "Can I get a PoC" but you don't actually have any code yet. You just hope your tech team is able to conjure whatever you were able to sell?

Saw this on HN a while ago [1], really eye-opening: https://www.calcalistech.com/ctechnews/article/b1a1jn00hc

> The first sales come from the loyal CISOs who work with the fund.

> This "loyalty program" - which encourages deepening the relationship between the CISO and a party other than his employer - is seen by many in the industry as a red line crossed by Ra'anan and Cyberstarts.

> Cyberstarts vehemently denies [...] and claims that CISOs were never remunerated for purchasing the products of the portfolio companies.

[1] https://news.ycombinator.com/item?id=41042462

Exactly, you don't just exit for $32B. There's definitely more to the story, which feels "manufactured" for lack of better words.

Well it depends on what you mean by "real" :) I'd say CSPM (like many security tools) can help if used well, but it's quite common to see it used as a blunt instrument, which does not help.

CSPM helps to apply sets of security rules across cloud resources, with the rules usually being based on external standards or custom rules per organization.

It suffers from the downsides of any rules based check system which is that it can be quite inflexible and noisy. Like many security systems it needs to be tuned to the specific environment its running in to be really useful.

What can complicate things is compliance requirements from external or internal bodies that require 100% pass rates or similar. That kind of inflexible approach often just causes needless work and people focusing on the wrong areas to achieve that externally imposed requirement.

I work in the security industry and use WIZ and while I do despise all of the buzzword acronyms this industry has come up with, CSPMs have been one of the few tools that have actually made my life significantly easier. Due to the nature of the industry I work in, there is a lot of regulation that we need to comply with, and CSPMs (and wiz in particular) gives us both observability and alerting for all of our resources in our cloud environments, including the configuration of the cloud environments themselves. I don't know how they managed to get a $32B offer so soon after coming out of stealth, but considering the amount of problems it solves for me and my team, I can see why they're doing well financially. We're definitely happy with the pain point the product fixes.

I can now say "I know for a fact we have x number of AWS/GCP/Azure accounts that are either not using our IdP or 2A, here's a list" without having to script across multiple cloud APIs

Similarly, I can say "here's a list of people that accessed x resource in the last y days". It really makes my life easier when I want to access metrics about my company's cloud environments