Tenable’s $265M Ermetic Acquisition Deal: 5 Things To Know

The integration of Ermetic’s technology will make Tenable a formidable competitor in the cloud security market, executives told CRN.

All-In On Cloud Security

With the addition of capabilities from its planned acquisition of Ermetic, Tenable will be poised to go head-to-head with top players in the cloud security market including Palo Alto Networks, executives told CRN. The $265 million cash-and-stock acquisition deal announced Thursday is expected to close early in the fourth quarter, and brings “leading” cloud identity and permissions management technology as well as a complete cloud-native application protection platform (CNAPP) offering, according to the company.

CNAPP — a term coined by Gartner in 2021 — describes a unified cloud security platform that spans cloud infrastructure, workloads, identities and more. Major vendors in the space include Palo Alto Networks, Lacework, CrowdStrike, Check Point, Wiz and Orca Security, according to a Gartner report from March. Both Tenable and Ermetic also made Gartner’s list of representative CNAPP vendors . And so, following the expected integration Ermetic’s technology with Tenable, “this puts us in a very, very strong position” in CNAPP versus competitors, said Terry Dolce (pictured), executive vice president for operations, global business development and channels at Tenable.

The planned acquisition of Ermetic — which CRN named as one of the 10 hottest cybersecurity startups of the year in June — will also open up massive opportunities for Tenable channel partners, according to Dolce and Jeff Brooks, vice president of channels and alliances at Tenable. The company, which generates 100 percent of its sales with the channel, is aiming to enable its 5,000 partners to bring Ermetic’s technology to customers on “day one” after the acquisition closes, Brooks said.

Ultimately, the combination of Ermetic’s CNAPP capabilities with Tenable’s well-known vulnerability and risk management platform, Tenable One, will create a highly differentiated and consolidated offering for partners and customers, executives said in interviews Thursday.

What follows are five key things to know about Tenable’s planned acquisition of Ermetic.

Tenable CEO Amit Yoran

Building A CNAPP

In recent years, Tenable has assembled its cloud-native application protection platform (CNAPP) in part through a series of acquisitions. However, acquiring Ermetic — which would be Tenable’s sixth acquisition since its 2018 IPO — will make Tenable a far more formidable player in CNAPP, executives told CRN.

Prior key acquisitions for Tenable have included Accurics, which brought infrastructure-as-code (IaC) capabilities; Cymptom, which added attack path analysis; and Bit Discovery, which contributed external attack surface management functionality.

Ermetic’s speciality is in automatically removing unneeded permissions in the cloud — a category known as cloud infrastructure entitlement management (CIEM). That’s an increasing area of concern for many organizations, which have struggled with the complexities and security risks created by “identity sprawl” in cloud environments, Tenable’s Dolce said.

For Tenable, the expansion of its offering with Ermetic’s identity-driven cloud security capabilities will enable the company to “deliver a holistic view of the modern attack surface and help organizations reduce exposure and risk, using identity as an essential foundation,” Tenable CEO Amit Yoran said in a news release.

Competitive Landscape

Ermetic offers CIEM as part of its broader CNAPP — which also offers cloud security posture management (CSPM), cloud workload protection (CWP), IaC security and Kubernetes security posture management.

All in all, “we believe that in connection with all the other acquisitions, [Ermetic] will allow us to deliver leading contextual risk visibility, prioritization, remediation — across infrastructure as well as identities in a hybrid capacity — on-prem as well as in cloud,” Dolce said.

CNAPP has emerged as a fast-growing category in recent years, with many of the biggest names in cybersecurity making it a major focus — whether it’s publicly traded security giants such as Palo Alto Networks and CrowdStrike or top-valued venture-backed companies, such as Wiz (valuation of $10 billion) and Lacework ($8.3 billion valuation).

Consolidation And Prioritization

With Tenable now expecting to make a push into the CNAPP market in a bigger way with its planned acquisition of Ermetic, the company believes it will be able to offer some unique advantages to partners and customers, Dolce said.

For instance, consolidating both cloud security and exposure management on a single platform is a “game changer,” he said. With an increasing number of partners and customers seeking to consolidate their vendors, “being able to solve multiple problems with the same platform” is a highly compelling option right now, Dolce said.

There will also be benefits for security from integrating the technologies on one platform, he said. For instance, “having the full context” of security risks across both on-premises and cloud environments — and having a tool that can prioritize which risks need a response most urgently — is one way that Tenable One will stand out with the help of Ermetic’s capabilities, according to Dolce. “Having the full visibility and context from all of those vectors — and not just just running a scan from an endpoint that has very limited contextual information — that’s the real difference,” he said. “To my knowledge, there’s really nobody that’s providing all of that.”

Ermetic Co-Founder and CEO Shai Morag

Choosing Ermetic

Ermetic, which was founded in 2019 and had raised $100 million in funding, is an ideal fit for Tenable in a number of ways, Tenable executives said. “We looked at a number of different companies leading up to this,” Dolce said, but others were not as strong in terms of cloud identity management and security. When it comes to CIEM, “from what I’ve seen, [other companies] are less mature across the board,” he said.

Ermetic had also taken some meaningful steps in the right direction on channel, Dolce said. In March, Ermetic announced the launch of a redesigned channel program, which includes an offering customized for resellers and a separate offering tailored to MSSPs. The startup said at the time that it counted more than 90 channel partners in its program, including Trace3, GuidePoint Security and Optiv. “They are very partner-focused and partner-centric,” Dolce said.

And notably, “a good portion of their partners are already our partners today,” he said. “So the transition is going to be almost seamless, because all those partners already have agreements with us, and have agreements with the distribution network that we have.”

Ultimately, “this was the absolute right acquisition at the right time for us,” Dolce said.

Enabling Partners

If all goes as planned, Tenable will have Ermetic’s technology available to its channel partners as soon as the acquisition closes, Dolce said. “We plan to equip our channel partners with SKUs, with information on the solution, with data sheets, with training,” he said. “This is a great opportunity.”

Meanwhile, Tenable’s Brooks said that the plan for bringing Ermetic’s partners into the Tenable channel program is already “all mapped out.” The key “is to get everybody formally into our program, our process, deal [registration], medallion levels,” he said. However, “because the majority of their partners are already our partners, they won’t need to do anything.”

Looking ahead, major opportunities for channel partners will include offering professional services around the combined Tenable-Ermetic offering, according to Brooks. Because the platform “pulls together so many different product areas, you’re not going to light that whole thing up at once,” he said. “It happens over time. There’s a lot of operationalization of it. And we just are not in a position to do those services. So it’s a great opportunity for partners.”