On the heels of raising $102 million earlier this year, Bugcrowd is making good on its promise to use some of that funding to make acquisitions to strengthen its security chops. The company — which crowdsources skills from more than half a million hackers to find and fix security vulnerabilities and other operational loopholes in companies’ networks and apps — has acquired Informer, a specialist in assessing and maintaining attack surface management (ASM).
ASM, which is a critical aspect of how security technology works these days, involves the use of a variety of techniques to continuously monitor potential attack vectors in an organization’s IT environment.
Terms of the deal are not being disclosed. But Informer was completely bootstrapped, thus profitable. This is also Bugcrowd’s first-ever acquisition.
Informer is U.K.-based and it appears, for the most part, that is also where its customers are located. They include the likes of Brandwatch and (ironically, considering it never raised money) the venture firm InMotion.
The deal will see Bugcrowd bring on the tech, customers and whole staff of Informer, including CEO and founder Marios Kyriacou, who himself started as a white-hat hacker long ago and will become director of product for Bugcrowd.
Bugcrowd said its aim in buying the company is to have more of the technology it uses regularly as part of its own stack.
“This was a bit of a no-brainer, to bring external attack surface management directly into the Bugcrowd portfolio,” CEO Dave Gerry — pictured above on the right — said in an interview.
“We’ve been leveraging various partners for ASM technology up until this point and then also offering what we call ‘attack reconnaissance,’ which is basically having the hackers leverage ASM to be able to then say, ‘Hey, this is how I would get in.’ This for us was an important piece of technology that we wanted to have on the platform. Because one of the things we keep hearing from customers is they still don’t understand their perimeter walls. Even in 2024.”
Indeed, ASM is a pretty hot area in the world of security at the moment. In a nutshell, the migration of many services, architecture and data to the cloud, plus the explosion of remote working, has enabled a lot more flexibility for organizations. But it has also created a minefield for security operations teams.
Many IT people, and even security teams, do not have a full picture of which company assets are in active use or inactive, and the more services, employees, devices and data that are added over time, the more thorny that lack of visibility becomes. Not having a full picture of the problem typically means companies also cannot secure everything. (And this might mean, inadvertently, companies end up creating vulnerabilities out of how services, data and assets overlap with each other.)
There are a number of startups that have raised significant rounds of funding and invested in big R&D budgets to help fix this issue. Previously, Bugcrowd could have said it partnered with best-in-breed partners for this tech, but having an in-house team will mean it can now develop its own products (and have bigger margins) in this area.
Bugcrowd is backed by the likes of General Catalyst and has raised $180 million to date. It does not disclose valuation, but as a point of reference one of its closer competitors, HackerOne, was valued at over $800 million in 2022.
At a time when we are seeing a number of security startups that once commanded huge valuations being cut down to size by investors and the market — those valuations were often too-high and based on sales projections that have simply not materialized — Bugcrowd is positioning itself as a would-be consolidator.
This deal, Gerry said, is happening as the start of “what we hope is a rapid succession of opportunities for us.” He and founder/chief strategy officer Casey Ellis say they are getting approached “all the time” by companies hoping to sell up before they have to fold up.
This report was updated to correct Informer CEO and founder Marios Kyriacou’s new job title at Bugcrowd. Casey Ellis’ title was also originally misreported. We regret the errors.