Update: Palo Alto confirmed the acquisition earlier today and will merge Cider into its Prisma stack, both as we predicted in the original article. The deal is "approximately $195 million in cash, excluding the value of replacement equity awards, subject to adjustment" ($300 million is the total value per our sources) and is expected to close in Q2 of fiscal 2023.
"Any organization using public cloud has an application infrastructure with hundreds of tools and applications that can access their code and yet, they have limited visibility to their configuration or if they are secured," says Lee Klarich, Chief Product Officer for Palo Alto Networks. "Cider has made it possible to connect into infrastructure, analyze the tools, and identify the risks, as well as how to remediate them. We are acquiring Cider for their innovation that will help enable Prisma Cloud to provide this capability that anyone doing cloud operations has to have."
"We designed an AppSec platform that allows engineering to continue to move fast, without making compromises on security. It's only fitting that we join Palo Alto Networks, a company built upon landmark cybersecurity 'firsts'. There couldn't be a better fit for Cider," said Guy Flechter, CEO at Cider Security. "By scanning and securing the CI/CD pipeline, we can help identify where there may be vulnerabilities in your code. Prisma Cloud will now be the ultimate solution for code to cloud security."
Our original article from earlier today:
More consolidation is afoot in the world of cybersecurity. TechCrunch has learned from sources that Palo Alto Networks is going to be announcing the acquisition of Cider Security for $200 million in cash and a further $100 million in shares. The deal has been rumored for weeks, but we understand that investors have now been informed, and staff is also being looped in on the deal, which will be made official when Palo Alto reports its earnings later today.
Palo Alto has not responded to our request for comment.
Cider Security, based out of Israel, is one of a number of companies that focuses on application security, which includes not just technology to monitor malicious or suspicious activity around live applications in the cloud, but observability of the full ecosystem around those applications, specifically code deployments and other kinds of modifications and updates, covering code, CI/CD and the wider supply chain around those apps.
The company had raised $44 million from investors that included Tiger Global and Glilot Capital Partners -- representing a decent exit for them at a time when valuations are seeing a lot of pressure, and many investors (including Tiger) have made drastic mark-downs in some of their holdings.
That's not to say that prices are buoyant here: One source tells us that Palo Alto may well publicize this as a $200 million cash deal, with the $100 million share part disclosed later in order not to alarm the market.
Palo Alto Networks currently has a market cap of close to $47 billion. Relatively speaking, while it has been hit, like other tech companies, by a dropping share price, it has seen significantly less volatility and decline than some of its more valuable, bigger, consumer-facing counterparts. The company has made a number of acquisitions over the years to expand its reach in the market, but this appears to be the first and only one in 2022 (the two most recent before this are Expanse and BridgeCrew, respectively for $800 million in 2020 and $156 million in 2021).
Palo Alto already has a division that focuses on application security, which was in part formed by way of acquisitions. Evident.io, which it acquired in 2018 for $300 million, forms the basis of its Prisma Cloud business, which is focused on end-to-end application security. Cider will bring Palo Alto a product built from the ground up, envisioning more holistic observability and communication between engineers and security teams.
Notably, along with the rumors of this Cider deal, it had been reported that Palo Alto Networks had been eyeing another application security startup, Apiiro Security; however, reports claim that PA "walked away" due to a much higher price tag of $600 million. Interestingly, Apiiro looks like it is set to go it alone for now: just earlier this month, it announced a $100 million round of funding.
Cloud security and application security specifically, continue to be hot areas in the enterprise IT world, not least because the high amount of network activity and systems exposure both make the space vulnerable to attacks. It was estimated to be a market worth some $6.2 billion in 2020, and it's growing fast.