Panther Redacted Investment Memo
Provided here is our redacted investment memorandum, detailing our rationale for investing in Panther at their Seed Stage in 2019.
Panther Labs is a cloud-native cybersecurity platform for intelligently analyzing and monitoring cloud infrastructure. Panther was founded in 2018 by the co-creator and core contributor of the StreamAlert open source project.
KEY HIGHLIGHTS
Prominent Highlights
- Strong team with domain expertise: Jack Naglieri (Founder/CEO) has domain expertise in cloud infrastructure and security. He is the co-creator of StreamAlert. He spent 4 years at Yahoo as a security engineer and 3 years at Airbnb as a security engineering manager.
- Panther’s underlying technology has real adoption: StreamAlert has been in production at Airbnb since 2017. It has 1.9k stars on GitHub.
- Strong syndicate with knowledge advantage: S28 has been incubating this project and is leading the round. S28 is co-founded by Andrew Miklas, who previously founded and was CTO at PagerDuty.
THE PAIN POINT
Thanks to the rise of container orchestration systems like Kubernetes, cloud-native companies have much greater flexibility in how they host applications. Instead of having to choose a single provider, enterprises can run a hybrid, multi-cloud infrastructure spread across Amazon Web Services, Google Cloud and Microsoft Azure, along with traditional on-premise systems.
A more distributed infrastructure also increases the attack surface. A single misconfigured cloud resource can put the whole application at risk. Each resource also has very specific rules depending on its use case. For example, one might have on-premise servers that handle PII data alongside cloud instances that only serve the public website. The level of compliance required is very different for the two, and a different set of security rules has to be built for each. Detection is only part of the problem: once a misconfiguration is observed, an over-permissive authentication setting on an AWS account for example, it also has to be remediated.
Current solutions such as RedLock and Evident.io (both acquired by Palo Alto Networks, for $173m and $300m respectively) address these problems, but they are web-heavy platforms that do not integrate seamlessly into developers’ workflows. To create a custom rule, for example, one has to log into the web product and use its interface to write an RQL query for it. This gives developers much less flexibility than writing checks in an everyday language like Python.
THE NEW AGE
Jack, founder of Panther Labs, saw this problem first-hand at Airbnb and built a solution called StreamAlert, which became an open source project. He describes these pain points very well in this blog post. Panther Labs is the productized version of StreamAlert for enterprises. The product has multiple advantages over existing alternatives:
- Custom Rules Engine: One of the main advantages of Panther is their custom rules engine. It gives security teams the ability to write rules in Python, making it easier to have more granular checks in place.
- Easy to Deploy and Maintain: Deployment is simple, safe and repeatable. Infrastructure maintenance is minimal, and no dedicated devops effort is required.
- Serverless: Panther runs on serverless infrastructure, which removes server maintenance and lets capacity scale with usage.
- Routing and Analysis Centralization: Panther sits as a middle layer between your infrastructure and your SecOps alerting infrastructure (PagerDuty, Email, Slack, etc.).
- Open Source Remediation: Panther will open source its automatic remediation engine. This will help build trust with future customers, as well as providing free publicity. The remediation features of current products like RedLock are limited to providing a single command and are not very developer-friendly.
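To make the rules-engine and routing points concrete, the following is an added example written for this memo, not Panther or StreamAlert code. It shows the shape of a Python detection rule: a predicate over one log event, registered with the log type it applies to and the alert outputs it routes to, evaluated over a few constructed CloudTrail-style events. The decorator, registry, field names and event contents are assumptions for illustration.

```python
"""Tiny Python rules engine in the style of a security detection rule.
Constructed example for illustration; not Panther or StreamAlert code."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Registry of rules, filled in by the @rule decorator at import time (assumed design).
RULES: List["Rule"] = []


@dataclass
class Rule:
    name: str
    log_type: str            # which log source the rule applies to
    outputs: List[str]       # where a match is routed (PagerDuty, Slack, ...)
    matches: Callable[[Dict], bool]


def rule(log_type: str, outputs: List[str]):
    """Register the decorated predicate as a detection rule."""
    def wrap(fn):
        RULES.append(Rule(fn.__name__, log_type, list(outputs), fn))
        return fn
    return wrap


@rule(log_type="cloudtrail", outputs=["pagerduty", "slack"])
def root_console_login_without_mfa(event: Dict) -> bool:
    """Root account signed in to the console without MFA: page someone."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("userIdentity", {}).get("type") == "Root"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


@rule(log_type="cloudtrail", outputs=["slack"])
def security_group_open_to_world(event: Dict) -> bool:
    """A security group ingress rule was opened to 0.0.0.0/0: notify the channel."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def evaluate(events: List[Dict], log_type: str = "cloudtrail") -> List[Dict]:
    """Run every rule registered for log_type over events; return routed alerts."""
    alerts = []
    for ev in events:
        for r in RULES:
            if r.log_type == log_type and r.matches(ev):
                alerts.append({"rule": r.name, "event_id": ev["eventID"], "outputs": r.outputs})
    return alerts


def _sg_event(event_id: str, cidr: str) -> Dict:
    # Constructed AuthorizeSecurityGroupIngress record with a single SSH ingress rule.
    return {"eventID": event_id, "eventName": "AuthorizeSecurityGroupIngress",
            "userIdentity": {"type": "IAMUser"},
            "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}


# Constructed sample events: only e1 and e3 should produce alerts.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    _sg_event("e3", "0.0.0.0/0"),
    _sg_event("e4", "10.0.0.0/8"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert['rule']} fired on {alert['event_id']} -> {alert['outputs']}")
```

The point of the shape is that a rule is ordinary Python: it can inspect nested fields, apply environment-specific thresholds, and declare its own routing, which is the granularity a web-form query language makes awkward.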
COMPETITIVE LANDSCAPE
Splunk
Total Funding
- A publicly listed company with $17B market cap
Product Overview
- Software for searching, monitoring, and analyzing machine-generated big data
- SIEM tool that enables security monitoring, advanced threat detection, insider threat, incident response, compliance and fraud detection.
Founding Team
- Michael Baum, a serial entrepreneur with an impeccable track record: Co-Founder of Reality Online (acquired by Reuters), Pensoft (acquired by AT&T), 280 (acquired by Infoseek), dotBank (acquired by Yahoo), Collation (acquired by IBM)
- Rob Das: 10 years software development experience at Lotus, Sun Microsystems, etc.
- Erik Swan: 10 years engineer experience at The Automation Group, Apple, Taligent, etc.
Elastic
Total Funding
- A publicly-listed company with $6B market cap
Product Overview
- Open source distributed search engine; the company was founded in 2012 by the people behind Elasticsearch and Apache Lucene
- SIEM, deployable in the cloud and on-prem; with pre-built Beats integrations, it quickly ingests data from network infrastructure, endpoint agents and many other sources.
- With the Elastic Common Schema, it can centrally analyze information like logs, flows, and contextual data from across an enterprise environment
- Collaboration: Elastic SIEM is an interactive workspace for security teams to triage events and perform initial investigations
- Alert: automate threat detection with correlation-based alerts; implement Elastic and community correlation rules and adjust them to fit the needs of customers’ environment
Founding Team
- Shay Banon: created the precursor to Elasticsearch, called Compass, in 2004; then he created "a solution built from the ground up to be distributed" and used a common interface, JSON over HTTP, suitable for programming languages other than Java; Shay released the first version of Elasticsearch in Feb 2011.
- Uri Boness: 11 years software development and infrastructure engineer experience
- Steven Schuurman: Co-Founder of SpringSource (raised venture money from Accel and Benchmark, acquired by VMware), CEO of Orange11
- Simon Willnauer: Member of Apache foundation, core contributor of Apache Lucene
RedLock
Total Funding
- Acquired by Palo Alto Networks for $173M
Product
- RedLock has been merged into the Prisma Cloud product line within Palo Alto Networks, which also includes Evident.io’s product offering.
- RedLock is also in the cloud monitoring/visibility space, focusing on compliance assurance, security governance, threat detection and auto-remediation.
- RedLock works across all major public cloud environments (Azure, AWS, Google Cloud)
Founding Team
- Varun Badhwar had previous entrepreneurial experience in security, having founded CipherCloud in 2010. Before that he was a senior security manager at Salesforce.
- Gaurav Kumar also had security expertise, and worked with Varun at CipherCloud for a couple of years. Most of his career was in consultancy.
Evident.io
Total Funding
- Acquired by Palo Alto Networks for $300M
Product Overview
- Evident’s main product, the Evident Security Platform (ESP), is an agentless, API-centric platform that combines detection and analysis of misconfigurations, vulnerabilities, and risk.
- The product was rebranded as Prisma Cloud under Palo Alto Networks.
Founding Team
- Tim Prendergast covered multiple roles before starting Evident, including Senior Cloud Architect at Adobe and security manager at Ticketmaster.
- Justin Lundy was a Security Architect at Adobe, and previously security specialist at Sun Microsystems.
MARKET SIZING
Panther Labs offers an intelligent, cloud-native security monitoring platform for mid-size and enterprise companies. The underlying open-source technology, StreamAlert, enables security engineers/analysts to configure their own rules/policies to help prioritize alerts and threats across cloud environments and on-prem. The target end user of Panther is an engineer with experience in security. Panther could be a fit for mid-size or enterprise companies with at least one in-house security professional.
We size the TAM at $1.3B, with enterprise customers (5000+ employees) driving most of the value, contributing 60% of the TAM. This is in line with quite a few bottom-up developer-driven or open-source infrastructure products we studied in the past, where a company can acquire a large number of customers, but where enterprise customers deliver most of the revenue.