That's the kind of a company everyone wants to build in enterprise security.
Incognito unicorns.
There are many companies like these in the security space. Another company I can think of is Rubrik. All these large security companies under the radar success.
Security is a big field. I’m in the CSPM space and Wiz is a major player here, I actually had a bit of an existential crisis about what we were building when I first saw a demo of their platform.
Most of their competitors, like Palo Alto, have a very convoluted offering from gluing together several acquisitions. Wiz is very cohesive with a much nicer API and great UX, which is very underrated in the security space imo.
I have zero trust in Google’s promise to keep supporting the tool for multiple clouds or maintain the high quality of product design that makes Wiz great. It’s great for my job security, but I’d call it a net loss for the industry.
> Wiz is very cohesive with a much nicer API and great UX
I actually don't care for Wiz's UX.
If you're a manager and just want to get an idea of what your security posture looks like, it's great. They have a million dashboards for you.
But if you're an AppSec Engineer that just wants to see which EC2 instances have which CVEs, it's kind of a pain in the ass and takes way too many clicks.
There's a single button I click that'll list all my VMs, then a single click (usually a middle click to open a new tab) to view all the CVEs in each VM.
I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.
For a hot second (around 2018-2019) there were solid conversations around eBPF, io_uring, or cloud posture management, but that doesn't happen on here anymore.
Same with MLOps and ML Infra as well - almost no one on here understands Infiniband, RDMA, or BLAS.
The tech industry is MASSIVE - and most people are only clued into their own little niche. And according to HN, the only tech companies that exist are FAANG, Nvidia, Tesla, TSMC, and BYD.
> I've been a cybersecurity SWE, PM, and VC for a decade at this point and I've almost never found any relevant security or enterprise SaaS related content on HN.
FWIW "here" could mean "in this thread". It's pretty normal (and very visible here) that threads about X attract people working in X. I'm not sure this is happening here, I work in IT security but I clicked the thread because 32B caught my eye.
Lobste.rs for technical stuff. But most security related conversations by security SMEs aren't happening online anymore. We have specific user conferences and regional user groups now.
The cybersecurity industry is almost entirely located in the Bay, Seattle, Tel Aviv, and Blr/Hyd, so the really active user groups are mostly in those cities.
Cybersecurity goes hand-in-hand with IT, DBA, Networking, DevOps, and OS/Systems Programming - all functions that were previously looked down upon over the last 15-20 years.
Furthermore, most American CS programs made OS internals, Computer Architecture, or Distributed Systems optional, so the junior portion of the ecosystem doesn't exist in the US anymore.
I don't use Lobste.rs anymore because the owner irrationally blocked the browser I'm using, and I refuse to switch to a different browser just to read Lobste.rs. The owner seems like he has some issues to say the least.
Well, it depends what it does to your liability. If, in case of attack, it ends up shifting the blame to a third party, then yes, that's considered adding security in enterprise space.
If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do. I'm not saying you have to be a CSPM expert, but not even hearing about Wiz, when they are the largest CSPM, is somewhat concerning.
I have been in security for many years now, my main focus is reverse engineering (but I did many diverse things, including cryptography, some exploit development and the opposite, AV work, I did R&D in security automation and some development of security tools and engines).
I never even looked at a CSPM, and from my point of view[1] CSPMs are a tool only relevant for a small part of security teams focused on enterprise cloud security. Today is the first time I heard of Wiz.
Edit: Actually my partner works in the policy/compliance/legal side of security, and I'm pretty sure she never heard of Wiz either.
[1] I wrote this only to stress how different people in the same field can see things differently.
I've heard of Wiz, but would have had a hard time listing out their feature/benefit statement, because I don't work with CSPM tools. I don't think this "I have doubts about what you actually do" line is doing the work you want it to; it may be backfiring on you a bit.
CNAPPs and CSPMs are extremely common tools in cybersecurity. This is my concern. If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have. There's a big responsibility as a security practitioner to stay up to date on new tools and techniques. CNAPP and CSPM is not some new thing that was invented last year. It's been around for a decade.
> If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have
I’ve never heard or seen either of those terms before reading this thread. What you’re calling “CNAPP” I’ve been calling “endpoint security”. I’ve been building internal “CSPM” tooling since 2014 with like raw cloud api calls feeding into graphviz, CI-like tests in a terraform repo, transforming the state of a set of cloud accounts into a form I can shove into z3 and ask questions about, that kind of thing, but never heard it called that.
I suppose if your company prefers to build over buy, you won’t be exposed to the kind of knowledge and vocabulary that buyers in the space use to orient themselves.
CSPM solutions are what corporate buys when they don't want to invest in security. It is rubber-stamping and ass covering. From my experience most people involved with such platforms are rather technical sales people than actual security experts.
> If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do.
IT security is a very wide field. For example, a lot of positions in IT security are actually about compliance (i.e. lots of documentation), and ensuring the rollout of all necessary application patches in the whole company.
I've been securing my cloud instances the same way I would for dedicated hardware. I use the same tools. I periodically eyeball usage data from the service providers to make sure their end is OK. Takes 5-15 minutes. Occasionally run updates. It all mostly just keeps chugging along.
What is a CSPM? Some cloud monitoring tool? What does it provide over open-source security and monitoring tools with years of field use that would make me invest time into it? Also, have these tools been thoroughly audited, scanned, fuzzed, and pentested by reputable people like some of the open source tools we've been using? Since tools are part of the attack surface, do these tools themselves increase or reduce it?
Serious questions since you think I should be very knowledgeable about these tools. My tech stack just works with minimal maintenance. So, I'd have to lose time on more important or fun stuff to even study CSPM or Wiz. Not counting setting it up.
Bullshit. Infosec is not just about highly inflated startups or whatever the fuck CSPM means. I know people who do exploit dev, reverse engineering, blue teaming and they have never heard of wiz. Stop overexaggerating
Would we (i.e. anyone not in the intelligence space) know what intelligence service-y software would look like? Aren't all such organizations trained and designed to be inconspicuous and in places we are unlikely to expect?
Mossad aren't the guys doing cyber ops in Israel. They're suave arsim (how else can you blend in Beirut or Tehran).
Also, if you've worked with Israeli government cybersecurity teams, they aren't much different in caliber from the kind you'd find at the NSA, GCHQ, or Netherlands.
> They're suave arsim (how else can you blend in Beirut or Tehran).
To save others looking up what 'suave arsim' meant:
1. suave -- a normal English word for charming/confident
2. "arsim" [1] -- apparently a former ethnic slur for Mizrahi Jews [2] now repurposed to mean crude, loud and brash (which sounds to me like the equivalent of the British slang term 'chav').
It was a bad attempt at humor, but pretty much my point is there are a couple other cybersecurity/sigint specific units unrelated to Mossad. And "arsim" isn't as loaded a term anymore - everyone is mixed in Israel now because it's a melting pot.
And saying "Mossad"-this/"Mossad"-that just feels like it's increasingly being used as a dogwhistle.
> they aren't much different .. NSA, GCHQ, or Netherlands
I (and most here) wouldn't really know what that caliber is in these other organizations either to compare.
What we do hear is of how the Hubble's tech stack is hand-me-down previous gen (i.e. 70s) spy satellites or exploits like Stuxnet, Pegasus or the recent pager supply chain attacks. On a pure technical level those are all pretty impressive things well beyond what I or even anyone I may personally know do.
There of course is definitely a certain amount of propaganda that would project much higher capability than reality, being mindful of that misdirection and the visible evidence, we civilians can only reasonably conclude that we will never have a clue what these organizations can or cannot actually do.
This is Google. They've got everything. I use Google password manager, wallet, biometrics to log into my Google smartphone and Google authenticator for my 2FA. I use Google voice and maps, photos, YouTube, search, docs, Gmail and Gemini for AI.
Imagine if you found an authentication backdoor - a way to impersonate any account and you could start sucking down data. You do it for 5 billion people and charged Google $6.40 per person not to put it on Tor.
The article talks about Trump inserting himself into larger deals, there is no reason to think this one is an exception.
I’d also bet on this being more of a kickback, rather than an invisible unicorn. Between a visible elephant (Trump/Israel) and an invisible unicorn, betting on an elephant is more reasonable.
I feel like the majority of anti-jew sentiment is from pro-palestine arab people and adjacent. At least in my country. They really believe "jews run the world" once you debate them enough they admit it and there is no changing of their minds.
> I feel like the majority of anti-jew sentiment is from pro-palestine arab people and adjacent
Most people haven't met an Israeli or traveled to Israel.
Also, most users on HN are Americans or Northern Europeans who overwhelmingly use Reddit, so everyone has some weird fringe mentality about one side or the other.
Honestly, most Israelis and Arabs act the same - I mean most Israelis are Mizrahi and normal/colloquial Hebrew is heavily Arabic based (where else will you hear people say "Yalla" in every other sentence).
> Most people haven't met an Israeli or traveled to Israel.
I have travelled to Israel a bunch of times and worked with a lot (proportionately) of Israelis and Jews. I generally really really like working with them, like their attitude and love the vibe of Tel Aviv.
That doesn't mean that I support or agree with their behaviour in Palestine particularly.
Like, I have often hated US foreign policy, but have always been OK with US citizens. The two things are very different.
Ik. I have friends from Haifa, Nazareth, and Beersheba. There isn't an easy way to write Israel, Israeli Arab, Palestinian Arab, and non-Palestinian Arab.
My point is, anyone who isn't Israeli (be they Mizrahi, Ashkenazi, Ethiopian, Arab, Druze, Chechen, etc) or Palestinian should stfu (me included).
You have wackos saying "Israel is a fake state" or "raze Gaza into a parking lot". Yet if you talk to an actual Israeli their opinions are much more prosaic. It's just a complex situation that outsiders shouldn't comment on.
> My point is, anyone who isn't Israeli (be they Mizrahi, Ashkenazi, Ethiopian, Arab, Druze, Chechen, etc) or Palestinian should stfu (me included).
On the contrary: for the vast sums of money and military power we contribute to keep the lights on over there, US citizens should have two or three votes each in Israeli elections and free airfare to and lodging in the country. Oh, and access to their quite generous healthcare subsidies as well.
Anti-semitic talking point, nice. From an American too. Wow. I keep seeing this talking point, but the money to Israel is nowhere near to fund healthcare. You are just lashing out like a little rat.
You are so right! Only whites can be racist. As a northern European, how can I ever repent and make you happy?
I will never have an opinion on this conflict again, as I am white. I am so sorry. I will listen and learn while pro palestine people protest here in Sweden and advocate for Israel to be wiped off the map.
That is totally unfounded. Their book of business is huge. You think Google is paying 32B of shareholder dollars because of a foreign intelligence agency? Keep your conspiracism to yourself.
2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?
> 2.) I’m only adjacent to security but have heard of Wiz. If you work in security and haven’t, are you sure you’re good enough to subject us to your opinion?
For some reason I picked this hill to die on in this thread. I have worked in IT security for a long time, and I have never heard of Wiz. My focus is malware reverse engineering and adjacent subfields. I have no interest in anything Cloud.
"are you sure you’re good enough to subject us to your opinion" feels a bit dismissive.