top of page

Gee-Wiz! Google's $32B Wiz Acquisition

By Rory Duncan and Christina Richmond as a Richmond Advisory Group Point of View April 7, 2025


Google’s announcement of its intention to acquire cloud cybersecurity specialist Wiz was a surprise, but for reasons other than the obvious. Wiz had already rejected a previous offer from Google in 2024, so it was reasonable to expect that Google might come back with a better offer. Even the fact that Wiz had agreed to be acquired – instead of going for a much-heralded IPO – was perhaps inevitable, given the current macroeconomic climate and market uncertainty.


What raised eyebrows was the size of the transaction - $32 billion, equal to the GDP of Iceland, and the largest acquisition Google has made by a margin of over $20 billion. Oh, and did we say it was an all-cash deal?


We’re unlikely to hear further public statements about the acquisition until due diligence has been done, the relevant legislative authorities have been consulted, etc.


However, a deal of this magnitude generates a lot of questions that when unanswered, creates speculation. We have attempted to answer some of them below.

Wiz’s Meteoric Rise

For a barely five-year-old company, Wiz’s journey has been nothing short of remarkable:

  • January 2020: Founded by Assaf Rappaport, Yinon Costica, Roy Reznik, and Ami Luttwak, all of whom previously founded Cloud Access Security Broker (CASB) firm Adallom.

  • May 2024: Raised $1 billion to be valued at $12 billion.

  • July 2024: Rejected Google's purchase offer of $23 billion, telling employees it would seek an IPO.

  • January 2025:  Appoints a new CFO who publicly talked up the impending IPO.

  • March 2025: Announces that it is being acquired by Google for $32 billion.


In just 10 months, Wiz saw its valuation skyrocket 2.7x. Not bad for a five-year-old startup.


IPO Dreams Deferred: Why Sell Now?


Was this “A tale of IPO caution? A reaction to the current market conditions? An opportunity to cash-in?" With Wiz recently hiring a new CFO and openly discussing IPO plans, what changed? Several factors might explain the pivot:


The IPO market has been sluggish, with Investor's Business Daily reporting on February 28, 2025, that technology "unicorns" have been slow to go public since the 2021 bull market faded. However, AI cloud firm CoreWeave filed for its IPO in early March 2025, seeking a $35 billion valuation—not far from Wiz's acquisition price. And as of March 28, 2025, it began selling on the NASDAQ.


In May last year Wiz stated it wanted to reach $1B in annual recurring revenue (ARR) before it launched its initial public offering. At this time, the company was likely already in talks with Google on the $23B deal that ultimately failed in July. In January, the CNAPP company announced the appointment of the retired ex-DreamWorks CFO, Fazal Merchant. He supported and reiterated the belief that Wiz was going to seek IPO. However, a lot changed in the waning moments between his appointment and the announcement of the $32B acquisition in March: the new U.S. administration entered the White House and with it the new FTC Chair, Andrew Ferguson. The previous FTC chair, Lina Khan, was known for her aggressive stance on Big Tech and her tenure was marked by a focus on antitrust enforcement against large technology companies, including Amazon, Meta, and others. While Ferguson is not yet a known quantity, the administration is clearly supportive of the tech industry. Add to this that all investors (including those on the Wiz board and its venture capital partners) have been watching to see if Trump 2.0 would boost the stock market. Rhetoric on tariffs came to fruition last week with “Liberation Day,” in the U.S. and the global tariff battle has sent the NASDAQ, Dow and S&P reeling.


We can’t know what was going through the minds of Mr. Merchant and the Wiz founders nor what Andrew Ferguson will make of the $32B Google acquisition, but it is fair to say that it’s harder to get to $1B in ARR in a shifting global economy than it is to take the $32B in cash today. Some analysts believe that Ferguson is good news for Big Tech. We’ll leave that with them and go with the “bird in the hand” theory.


Google's Acquisition History: Breaking the Pattern

This deal represents a significant departure from Google's typical acquisition strategy. According to Tracxn, Google has completed 262 acquisitions with an average amount of $704 million—making Wiz over 45 times larger than their average deal.

 

Google's acquisition activity has slowed in recent years, averaging just one per year over the past three. Their most recent cybersecurity purchases for Google Cloud came in 2022 when they acquired Mandiant, Forseeti, and Siemplify.

 

We’ve seen Google’s acquisitions integrated well from an engineering standpoint but not always from a go-to-market angle. Searching for Siemplify leads one clearly to Google Security Operations (formerly Google Chronicle), while Mandiant is still very much its own brand though it lives within Google SecOps as well.


What Does Wiz Bring to Google?

Wiz offers a comprehensive Cloud-Native Application Protection Platform (CNAPP) with three key components:

  • Wiz Code:  Unified security across code, CI/CD, and cloud environments with code-to-cloud mapping that traces risks back to source code.

  • Wiz Cloud:  Agentless visibility and risk prioritization to proactively reduce attack surfaces across cloud environments.

  • Wiz Defend: Cloud-focused detection and response with real-time visibility for SecOps teams.

 

Probably the most exciting capability Wiz offers Google is the ability to remediate multicloud configurations.


What makes Wiz stand out in the crowded CNAPP market?

  • Agentless Architecture: Simplified deployment without performance impacts

  • Graph-Based Security: Mapping cloud resources and relationships to identify complex attack paths

  • Unified Platform: Integration of multiple security functions in one solution

  • Ruthless Risk Prioritization: Focus on addressing critical risks first

  • AI Integration: First CNAPP to incorporate AI Security Posture Management


Understanding CNAPP: The Evolution of Cloud Security


A Cloud-Native Application Protection Platform combines multiple security functionalities into a single unified solution designed to protect cloud-native applications throughout their lifecycle.

 

Key features include:

  • Centralized Security: Integrates Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and Kubernetes Security Posture Management (KSPM)

  • Lifecycle Protection: Secures applications from development through runtime

  • Automation and Monitoring: Provides continuous monitoring and real-time threat detection

  • Team Collaboration: Bridges gaps between DevOps, DevSecOps, and SecOps teams


CNAPPs typically consist of four key functions in two categories:

  • Application Protection: Cloud Infrastructure Entitlements Manager (CIEM) and Cloud Workload Protection Platform (CWPP)

  • Network-Level Protection: Cloud Access Security Broker (CASB) and Cloud Security Posture Manager (CASM)


According to David Strom's "CNAPP Buyers Guide" (CSO Online, September 2022), vendors approach CNAPP from either a DevSecOps perspective (focusing on CIEM and CWPP) or a traditional IT security perspective (emphasizing CASB and CASM). Wiz approaches CNAPP from the traditional IT security angle, with its standout feature being "risk prioritization queue with graph visualization."


Wiz’s Competition

There are many vendors – big and small – that offer partial or substantial parts of a CNAPP platform:

 

The largest firms – such as Microsoft, CrowdStrike, Check Point and Trend Micro – already have comprehensive platform-based offerings for protecting cloud-based assets. They also offer cloud native support (to a greater or lesser degree). They may not provide the level of functionality that a dedicated CNAPP provider does, but they are an attractive option for those companies already using products from those providers. Integration may be relatively easy and considerations such as existing licencing and support come into play.

 

Smaller vendors and service providers can offer more discreet CNAPP functionality and focus that may be more applicable to certain industries or niche use cases. They can often boast many years of experience in this sector. Firms such as Lacework, Orca Security, Prisma Cloud, Sysdig, Aqua Security, Singularity Cloud and many others may not have as comprehensive a platform as the larger vendors, but they have strong CNAPP credentials.

 

The challenge for Google will be how to position Wiz within its portfolio given the competitive environment: integrate it with the Google Cloud platform to enhance its “complete” positioning, or retain its “best at CNAPP” position and go to market as a specialist product for a subset of clients and retain the Wiz brand? Our two cents, since you’ve asked, is to go with the “complete” positioning, integrate Wiz substantially while working to retain clients and partnerships AND tout its best at CNAPP reputation. The reason is simple: Google is Google. It is a long-standing, solid brand seeking to cement its role in cybersecurity across multiple cloud environments. This is not a quick or easy thing to do, however.

 

Partnership Complications

Wiz boasts an impressive 157 integrations with various services, including Google's cloud competitors Microsoft Azure and AWS. The acquisition raises questions about the future of these partnerships. Will Microsoft and AWS continue their relationships with Wiz once it becomes part of Google Cloud? This competitive dynamic could potentially impact Wiz's client reach and integration ecosystem.

 

Regulatory Hurdles Ahead

While the acquisition is real and a definitive agreement has been signed, several regulatory challenges lie ahead:

  • Antitrust Concerns: Regulators in the U.S., EU, and other markets will scrutinize potential anti-competitive effects, particularly given Google's ongoing antitrust lawsuits.

  • Patent Litigation: Wiz faces a patent infringement lawsuit from competitor Orca Security, which could complicate the acquisition.

  • Uncertain Regulatory Climate: Under the Trump administration, regulatory policies remain in flux, though the FTC under Andrew Ferguson has emphasized strict merger guidelines though he also has stated the FTC will “get out of the way” if a merger isn’t likely to “hurt Americans economically.”

  • Integration Challenges: Google's mixed track record with major acquisitions (Motorola Mobility, Nest) raises questions about successful integration.

  • Global Regulatory Scrutiny: International regulators increasingly cautious about Big Tech consolidation.

Due to these challenges, the deal is expected to close in 2026 rather than sooner.

 

The Strategic Vision

Looking beyond the regulatory and potential partnership hurdles, the strategic rationale for the acquisition appears compelling:

  • Create a leading multicloud security platform with tighter integration between Wiz and Google services and better protect customers' multicloud environments

  • Combine Google's AI capabilities with Wiz's graph technology to potentially drive new security innovations

  • Enable developers to move faster while maintaining security

  • Unlock enterprise data to enhance AI capabilities and provide greater customer insights

  • Bring world-class threat intelligence to the Wiz platform to combat sophisticated threats


A continuing trend by many vendors and service providers has been to "platformize" their offerings. This is said to provide convenience – a "one throat to choke" – with simplified administration and licencing etc. The counter viewpoint is that buyers want to exercise their right to choose "best of breed" solutions, reducing vendor "lock-in" and giving them more control over potential integration, and flexibility in deployment.


The issue with positioning a "Complete" Platform is that it doesn't really exist. It's "complete" at a point in time relevant to the requirements of the task(s). As existing requirements change, or new requirements emerge, the platform needs to add those features/functions to maintain its 'complete' status. The more requirements a platform needs to satisfy, the more it needs to be updated to maintain its status of being "complete".


Best of breed solutions also need to be updated as requirements change, but the nature of their focused functionality means that this should be easier and less often (maybe?).


The cloud security landscape continues to evolve rapidly, and with this acquisition, Google is making a bold statement about its commitment to enterprise security. Whether this blockbuster deal will clear regulatory hurdles and deliver on its promise remains to be seen, but one thing is certain: the cloud security market will never be the same.


Comments

bottom of page