This post builds upon a couple of my recent blog posts:
If you haven’t already, I’d encourage you to read them first since they provide some foundational context.
CrowdStrike’s announcement
Yesterday, CrowdStrike announced it was acquiring Application Security Posture Management (ASPM) startup Bionic [1] for an estimated $350M. The announcement itself was not surprising, as CrowdStrike and Bionic had been rumored to be in acquisition talks since late July [2]. The timing of the announcement also coincided with CrowdStrike’s annual user conference, Fal.Con 2023, taking place this week in Las Vegas.
CrowdStrike plans to offer ASPM capabilities from the acquisition as an independent offering as well as fully integrated with their Cloud Native Application Protection Platform (CNAPP) to deliver comprehensive risk visibility and protection across the entire cloud estate, from cloud infrastructure to the applications and services running inside of them.
Bionic overview
Bionic is one of the 60 “Next Gen” AppSec startup vendors I previously wrote about that provides ASPM and other AppSec capabilities in a single solution.
Interesting Point 1: Bionic is more than just ASPM
Sure, Bionic has ASPM capabilities that aggregate, prioritize and support the remediation of AppSec-related vulnerabilities. What’s more interesting is that Bionic integrates easily into the CI/CD pipeline, scans application artifacts and visualizes the entire application architecture, providing visibility into the services, data flows, dependencies and APIs of an application. Each time a code change is made, Bionic automatically and passively runs to provide continuous application visibility and security.
It’s this level of visibility and security that makes Bionic an interesting fit for CrowdStrike’s CNAPP offering: it bridges the gap between AppSec on the development side and application runtime visibility. See the diagram below.
Interesting Point 2: Another AppSec security startup acquisition
It’s no secret that CrowdStrike has been a serial acquirer over the past few years, along with close competitors Microsoft and Palo Alto Networks. CrowdStrike’s acquisition of Bionic is another example of a larger vendor making an AppSec-related acquisition to broaden and differentiate its existing capabilities.
Other recent AppSec acquisitions include:
Jun 2023 - BluBracket acquired by HashiCorp
Jun 2023 - Enso Security acquired by Snyk
May 2023 - Ion Channel acquired by Exiger
Nov 2022 - Cider Security acquired by Palo Alto Networks
Interesting Point 3: Not so cheap tuck-in
While the terms of the deal were not disclosed, online news outlets TechCrunch, The Information and Calcalist reported that CrowdStrike will pay $350M to acquire Bionic. Interestingly, rumors in July pointed to a $200-300M acquisition price for Bionic.
If CrowdStrike did indeed acquire Bionic for $350M, that represents at least a 35x revenue multiple - and perhaps much higher since we only have a ballpark idea of Bionic’s revenue (<$10M ARR).
CrowdStrike’s previous acquisitions of External Attack Surface Management (EASM) vendor Reposify in September 2022 for $18.9M and data protection startup SecureCircle in November 2021 for $60.8M were both relatively small in comparison to Bionic.
Did CrowdStrike feel pressure to acquire a similar (and perhaps superior) AppSec technology in response to Palo Alto Networks’ 2022 acquisition of Cider Security?
With ~$83M in funding, did Bionic investors demand a bigger/better return?
Was there another bidder for Bionic in addition to CrowdStrike (e.g., Microsoft) that drove the initial price higher?
It’s tough to say. We can only speculate as to why the acquisition price was that high.
What comes next?
Over the past 12-18 months, larger security vendors such as Palo Alto Networks, Snyk and now CrowdStrike have been picking up these innovative “Next Gen” AppSec startups. This trend will only continue as competition increases across multiple categories and vendors attempt to expand and differentiate their offerings.
Expect more CNAPP vendors to incorporate artifact scanning and Software Bill of Materials (SBOM) capabilities. Also, software supply chain risk is not going away any time soon, so it makes sense for larger vendors to incorporate those capabilities into their broader security offerings.
This space is rapidly evolving and I suspect there’ll be a lot of new developments in the near future.
[1] CrowdStrike, Inc., CrowdStrike to Acquire Bionic to Extend Cloud Security Leadership with Industry’s Most Complete Code-to-Runtime Cybersecurity Platform, 19 September 2023
[2] TechCrunch, Source: CrowdStrike is close to acquiring Bionic.AI for between $200M and $300M, 26 July 2023