
“Every company has a founding story,” WhiteHat Founder and CTO Jeremiah Grossman says. “WhiteHat’s takes place a bit over 10 years ago, when I was asked to hack every website that Yahoo had before the bad guys could.”

Grossman was the information security officer at Yahoo, and realized that with more than 600 company-owned websites, all constantly changing, and an average time of 49 hours to systematically evaluate each website’s security, he had roughly 11 years of work to find all the vulnerabilities across the entire portfolio. The job wouldn’t scale. So the founder set about creating a system to “hack all the world’s websites all the time.”

WhiteHat Sentinel is a cloud website vulnerability management platform that delivers actionable insights to enterprise and small and medium-sized enterprise (SME) security engineers. The company recently added mobile platform and pre-deployment application source code testing in its Sentinel Mobile and Sentinel Source products.

Shortly after its diamond anniversary, the Web security firm is getting a belated gift in the form of a $31 million growth investment led by new investor JMI Equity, with participation from existing investor Investor Growth Capital (IGC). The round brings the company’s total financing to date to $49.9 million, with those participating in previous rounds including IGC, Horizon Ventures, Altos Ventures, Garage Technology Ventures, and Startup Capital Ventures.

The company has grown to 240 employees in Santa Clara and Houston amid increasing demand in the enterprise sector. “Today, we perform by far the most web application assessments of any firm,” Grossman says. The company recorded 75 percent year-over-year growth in new bookings and a retention rate above 95 percent, and now manages over 11,000 websites for several hundred customers. WhiteHat’s customer brands, which span ecommerce, financial services, technology, and healthcare, encompass more than one billion customer accounts.

“Web application vulnerabilities are rising at an alarming rate in recent years and can have a dramatic impact on a company’s business and reputation,” JMI Equity General Partner Peter Arrowsmith says. “WhiteHat’s holistic approach to security throughout the software development lifecycle – from source code through completed production application – provides an advantage that few security providers can achieve.”

WhiteHat is the undisputed leader of the application security market, which is projected to reach $1 billion by 2014, according to 451 Group research, while the subset dynamic application security testing (DAST) market is predicted to reach $453 million.

The company has no direct peer. Companies choose either its technology, costly consultants, or desktop scanning software that doesn’t solve the problem at scale. Both HP and IBM made acquisitions in the desktop scanner space in the last half decade and have converted the technology into SaaS products in an attempt to compete – something Grossman describes as “taking Microsoft Outlook and trying to convert it into Gmail.”

“When we lose sales, it’s most often over budget constraints,” says the CTO. “But it’s extremely rare that it’s due to competitors.”

WhiteHat plans to use the new capital infusion to invest heavily in key areas ignored over its recent period of rapid expansion: sales and marketing. The company will hire engineers as well, but its plan to expand further within the US enterprise and SME markets requires feet on the street. WhiteHat will also increase its international expansion by putting on-the-ground sales teams in the UK, Europe, and Asia Pacific, regions where it already has channel partnership programs in place.

Grossman acknowledges that both an IPO and an acquisition are “on the table” as potential exit paths. His firm currently manages 11,000 websites of the more than 600 million worldwide. If it focuses only on the 1.7 million that have SSL certificates, a security low water mark, the founder sees enormous growth potential ahead.

“The most common misconception in our space is that your websites are protected because you have firewalls, and anti-virus and anti-intrusion software in place,” Grossman says. “Sony and everyone else hacked publicly in the last few years had these. Once you leave the door open, all bets are off.”