Fortinet Acquires Lacework

After the rumors that Wiz was going to acquire cloud workload security (CWS) specialist Lacework fell through, Fortinet has announced the acquisition of Lacework for an undisclosed amount.

The sales price is expected to be higher than Wiz’s rumored offer but lower than what Lacework’s investors would have liked. Forrester estimates that Fortinet paid approximately $200–230 million for Lacework, which is 20–30% above the rumored Wiz offer but still a very low price for Lacework, whose annual recurring revenue Forrester estimates to be between $70–90 million. Lacework had raised over $1.3 billion in venture capital, but based on our estimated purchase price, VCs are unlikely to see any returns on their investments. At this point, the acquisition looks like a fire sale of Lacework’s CWS (aka cloud-native application protection platform, or CNAPP) technology to Fortinet to augment Fortinet’s existing cloud security portfolio.

Application security implications for Fortinet: The acquisition indicates further consolidation and formation of suites players in cloud and application security. Fortinet previously added prerelease testing capabilities to its application security portfolio with the 2021 purchase of Sken.ai. Fortinet offers these capabilities through a SaaS solution, FortiDevSec, that includes static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), secrets scanning, container image scanning, and infrastructure-as-code (IaC) file scanning. Similarly, Lacework has IaC and container image scanning and more recently added SAST and SCA. This opens questions on what Fortinet will do with the duplicate tooling and platforms it acquired in Lacework’s portfolio. Fortinet rounds out its application security offering with FortiWeb (available as an appliance or through FortiWeb Cloud as a SaaS option) and a bot management solution, FortiGuard Advanced Bot Protection, launched earlier this year. The table below shows the corresponding appsec capabilities of Fortinet and Lacework along with our assessment of which component will be the likely winner.

CWS implications for Fortinet: Fortinet’s existing cloud security offerings are mainly focused on firewalls and the FortiCNP CWS solution (which Forrester clients and CWS vendors rarely mention as a competitor). The Lacework acquisition allows Fortinet to provide an updated end-to-end (albeit fragmented) portfolio of multicloud-capable cloud and application security solutions to its customers. Lacework’s CWS capabilities in cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), and agentless cloud workload protection (CWP) are behind many competitors, so Fortinet will have to invest significantly in R&D to enhance these Lacework components. The table below shows the corresponding cloud security capabilities of Fortinet and Lacework along with our assessment of which component will be the likely winner.

Fortinet will also need to work to create a unified user experience from these disparate pieces and overlapping functionalities, especially in CSPM and CIEM. While neither unified nor separate product roadmaps have been announced by Fortinet, Forrester recommends that 1) Fortinet customers investigate how Lacework’s IaC scanning and agent-based CWP protections fit into their infrastructure (since these capabilities have largely been missing or below par in the FortiCNP CWS platform) and 2) Lacework customers understand where they could potentially deploy Fortinet’s cloud network security capabilities.

Lastly, transitioning Lacework’s 700+ employees from a smaller and agile vendor to Fortinet (over 14K employees worldwide) will not be without potential integration challenges.