HOST_A: Welcome back to Clawd Talks. I'm Emma, and today we're doing a bit of a demo episode — but honestly, the topic is one of the wildest stories in tech, so it doesn't feel like filler at all. HOST_B: Not remotely. We're talking about Wiz. The cloud security company. And Emma, if you only know one number about Wiz, make it this one: thirty-two billion dollars. HOST_A: That's what Google — Alphabet — agreed to pay for them. In March 2025. The largest cybersecurity acquisition in history, and the biggest acquisition Google has ever made. Full stop. HOST_B: For a company that was founded in 2020. So in under five years, from zero to a thirty-two billion dollar exit. Let's actually unpack how that's even possible, because it's not luck. HOST_A: Right, let's start with the founders, because this is a case where the team is the whole story. Four people: Assaf Rappaport, Ami Luttwak, Yinon Costica, and Roy Reznik. HOST_B: And this wasn't their first rodeo. Not even close. This exact team previously built a company called Adallom — a cloud access security company — which they sold to Microsoft back in 2015 for around three hundred and twenty million dollars. HOST_A: And then they didn't just take the money and leave. They stayed at Microsoft and ran the Cloud Security Group there. So they spent years, on the inside of one of the biggest cloud providers on earth, watching how enterprises actually secure — or fail to secure — their cloud. HOST_B: That's the part I find fascinating. They didn't come up with the Wiz idea in a vacuum. They lived inside the problem. They saw thousands of enterprise customers struggling with the same thing, and they saw exactly where the existing tools fell short. HOST_A: So in 2020 they leave Microsoft, and they start Wiz. Originally it was even called something else — Beyond Networks — before they pivoted and rebranded. And the core insight was about how cloud security scanning was done. HOST_B: This is the technical heart of it, so let's slow down. The old way of doing cloud security — and a lot of endpoint security generally — is agent-based. You install a little piece of software, an agent, on every server, every workload, every virtual machine. HOST_A: And that's painful. Agents have to be deployed everywhere, maintained, updated. They consume resources. They can conflict with things. And in a big organization, getting an agent onto every single workload is a political and logistical nightmare. You never actually get full coverage. HOST_B: So Wiz said: what if we go agentless? Instead of installing software on every machine, we connect to your cloud environment through the cloud provider's own APIs. We take snapshots of your workloads, we scan those snapshots, and we read the configuration of your whole environment. HOST_A: The pitch was you could connect Wiz to your cloud and get meaningful results in, like, minutes. No agents, no deployment project that takes six months. Time-to-value measured in a coffee break. HOST_B: And that matters enormously for sales, by the way. We'll come back to the business side, but the fact that a security engineer could run a proof-of-concept and see real risks in their environment before lunch — that's a sales weapon. HOST_A: But Ben — sorry, Ryan — here's where I want to push a little. Agentless has a real limitation, right? If you're scanning snapshots, you're getting a point-in-time picture. You're not getting live, runtime, what-is-happening-right-now-in-memory detection. HOST_B: That's a fair critique, and it's exactly what competitors hammered them on. Agentless is fantastic for finding misconfigurations, vulnerabilities, exposed secrets, bad identity permissions — the stuff that's sitting there waiting to be exploited. It's weaker for catching an attacker mid-breach in real time. HOST_A: And Wiz's answer over time was basically "we'll add a lightweight runtime sensor as an option" — so they became agentless-first but not agentless-only. Which is pragmatic. But the initial wedge, the thing that made them explode, was that agentless graph approach. HOST_B: So let's talk about the graph, because this is the other half of the secret sauce. It's called the Wiz Security Graph. And this is what actually separated them from being just another vulnerability scanner. HOST_A: The problem in cloud security isn't too few alerts. It's too many. Any scanner will tell you you have ten thousand vulnerabilities. Great. A human team can't fix ten thousand things. So which ten actually matter? HOST_B: And the answer is: the ones that chain together into an actual attack path. Wiz's graph correlates everything — a misconfiguration here, a known vulnerability there, an over-privileged identity, a resource that's exposed to the public internet — and it connects the dots. HOST_A: They called these "toxic combinations." Individually, each thing might be low priority. But when you combine "this machine is exposed to the internet" plus "it has a critical vulnerability" plus "it has admin credentials that reach your crown-jewel database" — now you have an attack path, and that jumps to the top of the list. HOST_B: So instead of drowning a team in ten thousand red alerts, Wiz says: here are the twelve toxic combinations an attacker could actually walk through to reach your sensitive data. Fix these first. That prioritization is the product. HOST_A: This whole category, by the way, got a name — CNAPP. Cloud Native Application Protection Platform. It's an ugly acronym, but the idea is one unified platform instead of five separate point tools for posture, vulnerabilities, identity, and so on. HOST_B: And Wiz basically became the poster child for CNAPP. Gartner, the analysts, everyone started organizing the market around this category, and Wiz was the fastest-growing name in it. HOST_A: Let's put numbers on the growth, because it's genuinely absurd. Wiz reportedly hit a hundred million dollars in annual recurring revenue in about eighteen months. That was, at the time, the fastest any software company had ever gotten to a hundred million ARR. HOST_B: And they didn't stop. By 2024 they were reportedly around three hundred and fifty million in ARR, and they were talking about pushing toward a billion. The valuation on the private market ran up to around twelve billion dollars in their funding rounds. HOST_A: Which is what makes the acquisition number so striking. Because there's a twist here. Google didn't just show up with thirty-two billion. Google tried to buy Wiz in 2024 for around twenty-three billion dollars. And Wiz said no. HOST_B: They walked away from twenty-three billion. The reasoning at the time was that Assaf Rappaport wanted to keep building, wanted to go public, wanted to hit a billion in ARR and IPO as an independent company. Turning down twenty-three billion in cash takes a certain kind of nerve. HOST_A: And then less than a year later, they said yes — to thirty-two billion. So the patience, if you want to call it that, was worth roughly nine billion dollars. HOST_B: Now here's where I want to get a little skeptical, Emma. Because everyone tells this as a triumph, and it is. But why did they say yes the second time? What changed? HOST_A: A few things. The market for tech IPOs was still shaky. A guaranteed thirty-two billion in cash is a bird in the hand versus the uncertainty of a public offering. And Google reportedly sweetened the terms significantly — including a large breakup fee if regulators blocked it. HOST_B: That breakup fee is the tell. Reportedly on the order of over three billion dollars that Google would owe Wiz if the deal collapsed on antitrust grounds. That's Wiz protecting itself, because this deal is absolutely going to get regulatory scrutiny. HOST_A: Which is the elephant in the room. Google is already under antitrust pressure globally. Buying the hottest independent cloud security company — and folding it into Google Cloud — raises real questions. Will Wiz stay multi-cloud? HOST_B: That's the thing that could break the magic. A huge part of Wiz's appeal is that it's neutral. It secures Amazon Web Services, Microsoft Azure, and Google Cloud equally. Companies run on multiple clouds, and they loved that Wiz didn't play favorites. HOST_A: Now the owner is Google. So if you're a big AWS or Azure shop, do you still want your cloud security run by a Google subsidiary? Google has promised Wiz will remain multi-cloud and independent-ish. But that promise is load-bearing for the entire thesis. HOST_B: And historically, big acquisitions of beloved independent security tools have a mixed record. Sometimes the talent leaves, the roadmap slows, and the neutral product gets pulled into the acquirer's ecosystem. The optimistic case is Google gives them resources and distribution and mostly leaves them alone. HOST_A: There's also the competitive landscape to mention. Wiz didn't invent agentless cloud scanning entirely alone. There's a company called Orca Security that pioneered a lot of the agentless approach, and Orca actually sued Wiz over patents. HOST_B: And then the big platform players — Palo Alto Networks with Prisma Cloud, CrowdStrike, Microsoft with Defender for Cloud. So Wiz was fighting on two fronts: against nimble startups like Orca on one side, and against giant platforms on the other. And they out-executed everyone. HOST_A: One more thing I love about their story: the Wiz research team. They didn't just sell a product, they built a reputation by publicly discovering huge vulnerabilities in the cloud providers themselves. HOST_B: Right — Wiz Research found some genuinely famous cloud vulnerabilities. Things like ChaosDB, a flaw in Microsoft Azure's Cosmos DB database service that could have let attackers access other customers' data. That kind of headline-grabbing research builds enormous credibility. HOST_A: It's brilliant marketing that's also real security work. You find a massive flaw in Azure, you disclose it responsibly, it's in every tech publication, and suddenly every CISO on earth knows the name Wiz and trusts that these people actually understand cloud at the deepest level. HOST_B: So if you're trying to extract lessons from this — because we're a talk show, we're contractually obligated to extract lessons — what's the takeaway, Emma? HOST_A: For me it's three things. One: a repeat founding team that has already built and sold a company in the same space is an unbelievable advantage. They skipped years of learning. Two: the wedge was time-to-value. Agentless meant customers saw results in minutes, and that made selling fast. HOST_B: And three? HOST_A: Three is the graph — the prioritization. Solving alert fatigue, telling teams what actually matters instead of dumping data on them. In a world drowning in security alerts, "here are the twelve things that can actually hurt you" is a product people will pay enormous money for. HOST_B: And my addition would be: timing and category creation. They rode the cloud migration wave at exactly the right moment, and they helped define the category — CNAPP — that they then dominated. Creating the category you win in is a superpower. HOST_A: The open question, and the one we should genuinely watch, is whether the Google acquisition preserves what made Wiz special, or slowly dissolves it. The multi-cloud neutrality is the thing to keep your eye on. HOST_B: Agreed. Thirty-two billion buys you the company. It doesn't automatically buy you the reason the company was worth thirty-two billion. That's the tension. HOST_A: Well said. That's our demo episode on Wiz — the fastest-growing software company you maybe hadn't heard of, and the biggest cybersecurity deal ever made. HOST_B: If the audio sounds good and the feed shows up in your podcast app, then the demo worked on two levels at once. Very meta. HOST_A: Thanks for listening to Clawd Talks. We'll catch you in the next one.