Fresh off a $102 million funding round earlier this year, Bugcrowd is making good on its promise to use some of that funding for security acquisitions. The company, which crowdsources the skills of more than 500,000 hackers to find and fix security vulnerabilities and other operational loopholes in enterprise networks and apps, has acquired Informer, which specializes in assessing and maintaining attack surface management (ASM).
ASM is an important aspect of how security technology works today and involves the use of various techniques to continuously monitor potential attack vectors in an organization's IT environment.
Terms of the transaction were not disclosed. But Informer is profitable because it was completely bootstrapped. This is also Bugcrowd's first acquisition.
Informer is based in the UK, and the majority of its customers appear to be located there as well. Among its clients are Brandwatch and the (ironically, unfunded) venture company InMotion.
With the deal, Bugcrowd will acquire Informer's technology, customers, and entire staff, including CEO and founder Marios Kyriacou. Kyriacou himself started his career as a white hat hacker and will become Bugcrowd's head of product.
Bugcrowd said its aim in acquiring the company is to have more technology that it uses on a daily basis as part of its stack.
“Bringing external attack surface management directly into Bugcrowd's portfolio was a no-brainer,” CEO Dave Gerry said in an interview.
“We've been leveraging various partners for ASM technology and also providing what we call 'attack reconnaissance,' which is essentially enabling hackers to leverage ASM to determine, 'Here's how I can get in.' This was a key technology for us to have on our platform. One of the things we hear from our customers all the time is, it's 2024 and we still don't understand the perimeter wall.”
In fact, ASM is a very hot area in the security world right now. In short, the migration of many services, architectures, and data to the cloud, along with the proliferation of remote work, has given organizations a lot more flexibility. But it has also created a minefield for security operations teams.
Many IT professionals, and even security teams, don't have a full view of which company assets are active and inactive. The more services, employees, devices, and data that are added over time, the more troubling this lack of visibility becomes. Not seeing the full picture of the problem usually means that companies can't secure everything either. (This means that companies can inadvertently create vulnerabilities where services, data, and assets overlap with one another.)
There are a lot of startups out there that have raised a lot of money and invested big R&D budgets to solve this problem. Previously, Bugcrowd could have said they partnered with the best in the business on this technology, but having an in-house team means they can develop their own product in this space (and reap bigger rewards).
Bugcrowd is backed by General Catalyst and others and has raised $180 million to date. The valuation has not been made public, but for reference, the company's competitor HackerOne was valued at more than $800 million in 2022.
As many security startups that once commanded huge valuations are being scaled down by investors and the market (valuations that are often too high and simply don't materialize, based on sales forecasts that are often non-existent), Bugcrowd is positioning itself as an aspiring integrator.
Gerry said the deal is happening as the beginning of “what we hope is a rapid succession of opportunities for us.” He said he and founder and chief technology officer Casey Ellis are approached “all the time” by companies that want to sell themselves before folding.