Our Investment in Obsidian Security: Securing the Most Critical Business Applications for the Enterprise

Business today lives in SaaS applications. Enterprises leverage Microsoft 365 for email, Salesforce for sales, Workday for payroll, and GitHub for code repositories. Employees share files via G Suite and Dropbox and collaborate over Slack or Zoom. In fact, the average enterprise organization uses no fewer than 150 separate SaaS applications.

Security has not kept pace with this proliferation. While many companies have focused on securing cloud infrastructure and company endpoints, SaaS sprawl has exposed an enormous gap in the middle where users, data, and business actually live. Here, sensitive enterprise data pinballs between workers distributed all over the world, sent via applications both sanctioned by organizations’ IT departments and not, on devices both managed and unmanaged.

Obsidian Security, our latest investment in the cybersecurity space, is the category-defining solution to this problem. Where legacy security and configuration tools fail, Obsidian has filled the gap by offering a solution that helps security teams gain unprecedented visibility into and control over their SaaS environment.

Obsidian works by aggregating, normalizing, and contextualizing state and activity data across SaaS applications and interpreting it with statistical analysis and machine learning to detect deviations from normal behavior that can indicate account compromise, insider threats, data leaks, or risky behavior.

Protection against these threats is an enormous, unclaimed pocket of opportunity with no clear winner yet, but Obsidian has the domain expertise and operational experience to capture this emerging market. Led by a world-class team, Obsidian offers a differentiated solution locked in on where data and users actually live, creating considerable traction within the largest part of the market. Obsidian has many of the qualities we believe to be critical for building a market-leading cybersecurity company.

A World-Class Team

Successful cybersecurity companies tend to have roots in other successful cybersecurity companies, with strong leaders who are seasoned entrepreneurs with deep sector expertise.

Obsidian epitomizes this point. The CEO, Hasan Imam, is a highly regarded former CRO of Shape Security. Its founding team are veterans of Cylance and Carbon Black: Glenn Chisholm, chairman of the board and CPO, was previously the CTO of Cylance and, before that, CISO at Australian telecom giant Telstra. Ben Johnson, the CTO, co-founded Carbon Black and was also CTO there. And Matt Wolff, Chief Scientist, was previously Chief Data Scientist at Cylance.

It’s an impressive leadership team, and as we got to know Hasan over long hikes through the hills, our belief that this was the team and vision to bet on grew stronger.  

The Big Opportunity in SaaS Security

CISOs and other security professionals have focused mainly on hardening infrastructure rather than business software when it comes to the rapidly growing field of cloud security. Third-party solutions, including cloud access security brokers (CASBs), cloud workload protection platforms (CWPPs), cloud infrastructure entitlement management (CIEM), and cloud security posture management (CSPM), focus primarily on managing and configuring IaaS and PaaS sprawl ($178 billion market). Spend on security solutions here increased to 5-6% of IaaS and PaaS spend in 2021, or a $9-11 billion market, with a crowded field of players serving these needs.

On the other hand, SaaS is a more nascent space. SaaS security spend today is estimated at <$100 million total despite over $145 billion in SaaS application spend. Most enterprises are trying to get by with partial coverage from existing solutions like controls from the SaaS apps themselves, CASBs, or SIEMs—but these leave customers with a significant lack of visibility and control. This is changing quickly: In 2020, Gartner identified the new category of cloud security (SaaS Security Posture Management, or SSPM) as its own, distinct from these other tools.

And so, the total addressable market for the solution and the growth potential for current spend is massive. From a top-down perspective, CSPM spend for managing and configuring IaaS / PaaS is a good point of comparison for what SSPM could grow to be. Applying even a conservative 2% of cloud infrastructure spend to today’s $145 billion SaaS market would give us a $3-4 billion SaaS security market at full potential.

Winning Through Big Customers: Hooking the Global 2000

Cybersecurity companies need to target the largest enterprises to achieve meaningful scale and generate significant value. Obsidian fine-tuned its ideal customer profile last year as it scaled its sales organization and is now generating impressive traction among the largest and most sophisticated companies. The company has seen 5x growth in deals of $100,000 or more in just the last year. 

Cybersecurity continues to be a major focus for Menlo, and Obsidian joins a growing list of distinguished cybersecurity companies we’ve been fortunate enough to work with: Abnormal Security, Appdome, Cequence, Dedrone, Immersive Labs, Sonrai Security, StackRox, and Strata Identity.

We will continue to grow our portfolio and continue to invest actively in security solutions that will guard our future. If you are a founder of a cybersecurity company, we’d love to hear from you.