JFrog To Acquire Security Software Startup Vdoo For $300M
JFrog and Vdoo will combine to deliver advanced security offerings for developers and security engineers, with a particular focus on securing the full software lifecycle through DevSecOps.
JFrog has agreed to buy Vdoo for $300 million to provide holistic security from the development environment all the way to edges, IoT and devices.
The Sunnyvale, Calif.-based DevOps platform provider said Tel Aviv, Israel-based Vdoo brings years of experience to bear around software architecture and vulnerability research, reverse engineering, and binary code analysis. The combined company will deliver advanced security offerings for developers and security engineers, with a particular focus on securing the full software lifecycle through DevSecOps.
Vdoo's approach to securing the software development lifecycle goes beyond source code and examines binaries to get visibility into configuration and key encryption activities that take place after the code is compiled into files, Vdoo Co-Founder and CEO Nati Davidi told CRN. The binaries are more similar to the production environment than source code, and closely mimic what an attacker is seeing, Davidi said.
“For us, binary is at the core of everything,” Davidi said. “Through it, you understand the contextual threat.”
The synergies between JFrog and Vdoo go beyond technology to include product philosophy, with both sets of products available in the cloud and on premises, according to JFrog Co-Founder and CEO Shlomi Ben Haim. Vdoo brings extensive top-down selling experience working with security engineers and the C-suite, while Ben Haim said JFrog has bottom-up experience selling to developers and DevOps.
The acquisition is expected to close in the coming weeks, and Ben Haim said initial integration efforts will focus on merging the infrastructure and databases for the two products together. From there, the combined company will begin shipping Vdoo capabilities inside the JFrog platform, with a complete integration of Vdoo’s technology into JFrog expected next year, Ben Haim told CRN.
From a metrics standpoint, Ben Haim said JFrog is most focused on accelerating revenue growth, becoming accepted as the global leader in binary security, and fully integrating the two separate engineering teams into a single organization. The Vdoo acquisition should also help JFrog expand beyond the DevSecOps space and into the much larger security updates market, Ben Haim said.
Vdoo was founded in 2017, employs 100 people, and has raised $70 million in three rounds of outside funding, according to LinkedIn and Crunchbase. The company in January 2021 closed a $25 million extension to its Series B funding round led by Qumra Capital and Verizon Ventures.
The Vdoo acquisition will triple the size of JFrog’s security team across engineering, marketing, and sales, with workers to be based in Israel, Germany, Japan, and North America. Vdoo’s SaaS product will remain in operation in the near term, though development of new features and functions will focus on JFrog’s platform.
Later this year, JFrog said it plans to expand its vulnerability detection offering to include Vdoo’s configuration and applicability scanning as well as its extensive data. Then in 2022, JFrog said it expects to fully integrate Vdoo’s technology into the company’s existing DevOps platform. JFrog and Vdoo plan to work with customers to ensure business continuity and streamlined migration to the joint offering.
JFrog customers will benefit from Vdoo’s contextual threat analysis with advanced algorithmic applicability scanning that prioritizes critical security gaps across multiple vectors, the company said. Vdoo can also automatically detect zero-day vulnerabilities, malware, exploits, backdoors, and supply chain risks before they become publicly known.
Vdoo can extend security to embedded software on conventional and IoT devices, conduct firmware scanning, and identify unique vulnerabilities in compiled C/C++ application components. The company’s mitigation recommendations across multiple attack vectors thwart alert fatigue by eliminating the need to sift through thousands of possible vulnerabilities, according to JFrog.
The company can also: detect configuration risks and implementation gaps; alert and block exploitation attempts in real-time; identify known and unknown security risks; improve prioritization and mitigation capabilities; and assess risk in accordance with more than 40 different security standards and regulations.
“This creates new opportunities for channels around our space,” Davidi said. “Clearly, we need to invent new things here together.”