Tenable Inc. has agreed to acquire cloud-native security startup Accurics Inc. for $160 million in cash.
The agreement, which was announced Monday, will expand the vulnerability management vendor's platform into securing the cloud with infrastructure as code (IaC) offerings. Founded in 2019, Accurics aims to assist enterprises and security teams by codifying security throughout the development lifecycle. As part of that goal, the vendor, which is based in Pleasanton, Calif., and has fewer than 100 employees, developed Terrascan, an open source tool for DevOps that contributes to cloud IaC practices.
Piyush Sharrma, co-founder and CEO at Accurics, said that with Tenable, they will pioneer a new approach to modern risk management. That includes proactive identification, prioritization and remediation of software flaws before deployment in cloud-native and hybrid environments.
The deal is expected to close late in the third quarter or early in the fourth quarter of 2021.
Glen Pendley, Tenable's deputy CTO, said the acquisition will be Tenable's first expansion into securing IaC, which has seen a rise in popularity recently.
"To support this movement, cybersecurity needs to innovate with Security as Code," Pendley wrote in an email to SearchSecurity. "By holistic assessment, we're referring to providing visibility into flaws in cloud resources before, during and after deployment throughout their entire lifecycle."
Monitoring for vulnerabilities in the cloud can be tricky. One concern comes with the IaC templates. Doug Cahill, vice president and group director of cybersecurity at Enterprise Strategy Group (ESG), a division of TechTarget, said modern, cloud-native applications are increasingly defined in a declarative manner via IaC templates. However, those templates can result in misconfigurations being inadvertently introduced into production environments, creating exploitable attack paths.
"As such, scanning IaC templates pre-deployment helps prevent vulnerable configurations from being deployed, a DevSecOps use case 48% of ESG research respondents intend to implement over the next 12-24 months," Cahill wrote in an email to SearchSecurity. "Tenable's acquisition of Accurics extends the company's approach to vulnerability management to the pre-deployment stage as well as to configurations."
Jon Oltsik, senior principal analyst at ESG, said the move is another step in Tenable's attempt to provide full coverage across risk identification and mitigation. While Tenable's vulnerability management has traditionally covered physical and virtual infrastructure, the company has made a few investments to extend this coverage to the cloud and containers.
For example, Tenable acquired Alsid in April for just under $100 million in order to secure Active Directory environments. In 2019, Tenable acquired operational technology vendor Indegy, which led to an integration for cloud-based vulnerability management.
"Ultimately, Tenable wants to provide organizations with a dashboard that not only provides visibility of assets and risks, but also helps quantify risk and suggest risk mitigation priorities. Tenable is willing to invest in areas to make this vision a reality," Oltsik said in an email to SearchSecurity.