Palo Alto Networks today said that it will purchase security orchestration, automation, and response (SOAR) startup Demisto for $560 million in cash and stock. The deal is expected to close in Palo Alto Networks’ fiscal third quarter.
Palo Alto Networks CEO Nikesh Arora today in a conference call with investors said that the purchase would help its customers to “further automate parts of their security operations and allow them to solve unique, complex threats.”
Demisto was founded in July 2015 and launched its enterprise platform in May 2019. Its platform enables companies to automate day-to-day tasks by orchestrating actions across a number of integrated security tools to create automated playbooks. Demisto’s platform is intended for use cases in security operations centers. It claims that its automated playbooks have helped reduce alerts that require human review by as much as 95 percent.
The Cupertino, California-based startup has received a lot of attention from investors. To date, Demisto has raised $69 million in three funding rounds. This includes its most recent Series C funding roundup in October where it raised $43 million led by Greylock Partners. It boasts a customer base of around 150, a quarter of which Demisto claims are Fortune 500 companies.
Demisto’s technology will be integrated with Palo Alto Networks’ Application Framework, which is cloud-based infrastructure that collects data from its security operating platform and connects this data with a number of cloud-based security applications. The startup already hosts and integrates its technology within the framework.
Currently, the Application Framework is purely focused on Palo Alto Networks data, according to Arora. However, Demisto offers a multi-vendor automation and orchestration tool that will extend the company’s analytics capabilities to be able to provide analytics and solutions across multiple vendors rather than relying on its own data.
While this means that the SOAR startup works with some third-party vendors that are competitive with Palo Alto Networks, the vendor does not intend to interfere.
“Demisto has been successful because of its multi-vendor, cross-enterprise view of security,” said Arora. “We will not interfere with what has made Demisto successful so far.” He added that it will “keep driving this capability, because we don’t have it,” and having multi-vendor as an option to solve customers’ security issues is “mandatory” in managing and automating security operations.
In addition to what Demisto will add, there is some synergy between the two companies that also made the startup an attractive purchase, including some complementary analytics capabilities. The two companies also both prescribe to the notion that a paradigm shift on how security is offered is required, and that a data-centric approach to security is the way to get there.
Demisto will continue to operate as an “individual speedboat” underneath, said Slavik Markovich, the startup’s CEO and co-founder. Arora noted on the call that this is the best way to facilitate and support the startup’s “ambitious plan for 2019.” Markovich will also work alongside Palo Alto Networks’ leadership to continue Demisto’s integration with the Application Framework.
In addition to Markovich, the company’s other co-founders Rishi Bhargava, Dan Sarel, and Guy Rinat will also join Palo Alto Networks.
BMO Capital Markets’ Keith Bachman wrote in an analyst note wrote that “the technology and service offerings of Demisto are promising, but [Palo Alto Networks] is paying a lot of money.”
This is Palo Alto Networks’ fourth acquisition in the past year. Last March, it purchased public cloud security and compliance startup Evident.io for $300 million. Then in April it bought endpoint data collection and visualization firm Secdo. And in October it purchased cloud security startup RedLock for $173 million.
Increased Demand for SOAR
The SOAR market is evolving and growing as enterprises look to eliminate the sheer number of tools and alerts in use in favor of automated security solutions.
According to Arora, “Customers are getting a lot more alerts and have too many solutions,” which is why Palo Alto Networks went in search of technology that could boost this. “We think Demisto is the industry-leading solution for this,” he said.
In fact, his is similar to a recent move made by Palo Alto Networks’ competitor Splunk, who snapped up SOAR company Phantom Cyber last year. It also follows the suit of IBM’s 2016 purchase of Resilient Systems, FireEye’s purchase of Invotas also in 2016, and Microsoft’s purchase of Hexadite in 2017.
Bachman wrote in his analyst note that these purchases are a way for more traditional security information and event management (SIEM) vendors to compete against the growing SOAR market. “We think SOAR companies will increasingly compete against SIEM vendors that offer SOAR tools that can orchestrate and automate response playbooks,” he wrote.