Wiz vs Drata
BUSINESS MODEL
Wiz
Wiz sells annual subscriptions based on the number of cloud workloads (virtual machines, containers, serverless functions) protected. Pricing scales with cloud consumption — as customers use more cloud, they pay Wiz more.
This aligns perfectly with the broader trend of growing cloud spend.
The agentless model is a key pricing advantage. Traditional security tools require installing software agents on every server, which creates deployment costs, performance overhead, and maintenance burden.
Wiz connects via API to cloud provider accounts and scans everything externally. Deployment takes minutes instead of months, which dramatically shortens the sales cycle.
ARR growth was record-breaking: $1 million within months of launch, $100 million in 18 months, $350 million by 2023, and reportedly over $500 million by 2024. No enterprise SaaS company has ever scaled this fast.
Drata
Drata charges annual subscriptions based on the number of compliance frameworks supported and the size of the organization. Pricing starts around $12,000-$15,000 per year for startups doing a single SOC 2 audit and scales into six figures for large enterprises managing multiple frameworks (SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, etc.).
The value proposition is clear: companies spend $50,000-$150,000 on consultants and hundreds of engineer-hours on manual compliance annually. Drata replaces most of that with software that costs less and runs continuously.
The ROI calculation sells itself.
The platform integrates with 100+ tools (AWS, Azure, GCP, Okta, GitHub, Jira, Slack, HR systems) to automatically collect compliance evidence. This means customers don't need to change their existing workflows — Drata observes what they're already doing and maps it to compliance requirements.
HOW THEY STARTED
Wiz
The four Wiz co-founders — Assaf Rappaport, Ami Luttwak, Yinon Costica, and Roy Reznik — had already built and sold a cybersecurity company together. Their previous startup, Adallom, was a cloud security company that Microsoft acquired in 2015 for $320 million.
After the acquisition, all four worked at Microsoft leading the Cloud Security Group.
By 2020, they were ready to leave and build again. They saw a gap in cloud security: as companies rushed workloads to AWS, Azure, and Google Cloud, security tools hadn't kept pace.
Existing solutions required installing agents on every server and generated floods of alerts that security teams couldn't process. The cloud was a mess of misconfigurations, exposed credentials, and hidden vulnerabilities — and nobody had a clear picture of it all.
Wiz launched in January 2020 — literally weeks before COVID-19 shut the world down. Instead of slowing them, the pandemic accelerated their market.
Every company on Earth was rushing to the cloud, and Wiz's agentless approach meant customers could deploy it in minutes with zero infrastructure changes. Connect your cloud account, and Wiz scans everything — VMs, containers, serverless functions, databases, identity configurations — building a complete risk map.
Drata
Adam Markowitz had a front-row seat to compliance hell. As the founder of a previous health tech startup, he spent months manually collecting evidence for SOC 2 and HIPAA audits — taking screenshots of security settings, documenting access controls, filling out questionnaires.
The process was entirely manual, mindlessly repetitive, and had to be redone every year.
His brother Troy Markowitz and friend Daniel Marashlian had similar experiences. Every startup that wanted to sell to enterprises needed SOC 2 compliance (a security framework), and achieving it typically meant hiring consultants at $50,000-$100,000, assigning engineers to collect evidence for weeks, and praying that nothing changed between when you collected the screenshot and when the auditor reviewed it.
They founded Drata in January 2020 with a simple insight: most compliance evidence is just proof that security controls are configured correctly. And since those controls exist in software systems (AWS, Google Workspace, GitHub, Jira), you can check them automatically via API.
Instead of a human taking a screenshot to prove multi-factor authentication is enabled, Drata connects to the identity provider and verifies it continuously. The compliance audit becomes a live dashboard instead of a binder full of screenshots.
HOW THEY GREW
Wiz
Wiz grew through a combination of product excellence and founder credibility. The four co-founders had already sold a company to Microsoft and led cloud security there.
When they said "we built a better way," CISOs believed them because of the track record.
The product sold itself through demonstrations. Wiz's 15-minute deployment — connect your cloud account, see your risk map immediately — was the most effective sales tool.
Security vendors typically require weeks or months of setup. Wiz showed results in a single meeting.
Landing massive logos early created a cascade. Within two years, Wiz had 40% of the Fortune 100 as customers.
When one CISO at a major bank buys Wiz, every other bank CISO hears about it. Enterprise security is a trust-based market, and early customer logos created a self-reinforcing credibility loop.
Drata
Drata grew through the startup ecosystem. Every SaaS company selling to enterprises eventually needs SOC 2 compliance, which means every startup is a potential customer.
Drata became the default recommendation in founder communities — YC companies told other YC companies, and one startup's security team recommended Drata to their friends at other startups.
The sales cycle is short because the pain is immediate. A startup loses a deal because a prospect requires SOC 2?
That startup signs up for Drata the next day. The motivation is revenue — compliance is a gate to enterprise sales, not an abstract security exercise.
Partnership with audit firms was strategic. Drata works directly with audit firms who can use the platform to conduct more efficient audits.
This creates a two-sided network: companies use Drata to prepare for audits, auditors use Drata to conduct them faster. Everyone wins.
THE HARD PART
Wiz
The Google acquisition decision dominated 2024. Wiz turned down Google's $23 billion offer in July 2024, with Rappaport saying they wanted to pursue an IPO and build an independent company.
They later accepted a $32 billion offer — the largest cybersecurity acquisition in history. The deal raised questions about cloud neutrality: Wiz secures AWS, Azure, and GCP equally, but being owned by Google could make AWS and Azure customers nervous.
Before the acquisition, the competitive landscape was intensifying. Palo Alto Networks acquired cloud security startups aggressively.
CrowdStrike expanded from endpoint security into cloud. AWS, Azure, and Google all improved their native security tools.
Wiz's lead was real, but competitors were closing in.
Drata
The compliance automation market is getting crowded fast. Vanta (Drata's most direct competitor) raised similar amounts of funding and targets the same customers.
Secureframe, Sprinto, and other startups are also in the space. Differentiation is increasingly difficult when every platform connects to the same integrations and automates the same frameworks.
Expansion beyond startups is the growth challenge. Drata's core market is startups and mid-market companies doing their first SOC 2 audit.
Enterprise organizations have existing GRC (governance, risk, and compliance) platforms from vendors like ServiceNow, RSA, and OneTrust. Moving upmarket means competing against entrenched vendors with deep relationships.
AI could disrupt the category. If AI assistants can automatically fill out security questionnaires, generate policies, and collect compliance evidence without a dedicated platform, the need for specialized compliance software could diminish.
Drata is adding AI features to stay ahead, but the risk is real.
THE PRODUCTS
Wiz
Wiz Cloud Security Platform — the core product that provides agentless visibility across AWS, Azure, Google Cloud, and Oracle Cloud. Scans for vulnerabilities, misconfigurations, malware, exposed secrets, and identity risks.
Wiz Runtime Sensor — a lightweight agent (optional) that adds real-time threat detection to the agentless scanning foundation.
Wiz Code — security scanning integrated into the developer pipeline, catching vulnerabilities before they reach production.
Wiz Defend — a cloud detection and response product that identifies and helps contain active threats in real time.
Wiz Security Graph — a visual map of an organization's entire cloud environment showing how every resource connects and where attack paths exist.
Drata
Drata Compliance Automation — the core platform that continuously monitors security controls across 100+ integrations and maps evidence to compliance frameworks like SOC 2, ISO 27001, HIPAA, GDPR, and PCI DSS.
Drata Trust Center — a public-facing page that companies can share with prospects to show their compliance status and security posture, replacing back-and-forth security questionnaire exchanges.
Drata Risk Management — tools for identifying, assessing, and tracking security risks with automated workflows for remediation.
Drata Vendor Risk Management — automated assessment and monitoring of third-party vendor security posture.
Drata AI Compliance Assistant — uses AI to help answer security questionnaires and generate policy documents automatically.
WHO BACKED THEM
Wiz
Sequoia Capital led early rounds and was the most prominent backer. Index Ventures, Insight Partners, and Greenoaks Capital participated in growth rounds.
Cyberstarts (an Israeli cyber-focused VC) was an early seed investor. Andreessen Horowitz invested in later rounds.
The final private valuation of $12 billion came in a 2024 funding round before the $32 billion Google acquisition.
Drata
ICONIQ Growth led the Series C at a $3 billion valuation. GGV Capital led the Series B.
Cowboy Ventures was an early investor. Alkeon Capital, Salesforce Ventures, and Greylock Partners participated in growth rounds.
The company has raised $328 million total across multiple rounds.