These days, security operations teams face a daunting task, fending off malicious hackers and their increasingly sophisticated approaches to cracking into networks. That also represents a gap in the market: building tools to help those security teams do their jobs. Today, an Israeli startup called Rezilion is doing just that — building automation tools for DevSecOps, the area of IT that addresses the needs of security teams and the technical work that they need to do in their jobs — is announcing $30 million in funding.
Guggenheim Investments is leading the round, with JVP and Kindred Capital also contributing. Rezilion said that unnamed executives from Google, Microsoft, CrowdStrike, IBM, Cisco, PayPal, JP Morgan Chase, Nasdaq, eBay, Symantec, RedHat, RSA, and Tenable are also in the round. Previously, the company had raised $8 million.
Rezilion’s funding is coming back from initial solid growth for the startup in its first two years of operations.
Its customer base comprises some of the world’s biggest companies, including two of the “Fortune 10” (the top 10 Fortune 500). CEO Liran Tancman co-founded Rezilion with CTO Shlomi Boutnaru, said that one of those two is one of the world’s biggest software companies. The other is a major connected device vendor, but he declined to say which. (For the record, the top 10 include Amazon, Apple, Alphabet/Google, Walmart, and CVS.)
Tankman and Boutnaru had previously co-founded another security startup, active, acquired by PayPal in 2015; the pair worked there together until leaving to start Rezilion.
There are a lot of tools out in the market now to help automate different aspects of developer and security operations. Religion focuses on a specific part of DevSecOps: Large businesses have over the years put in place a lot of processes that they need to follow to try to triage and make the most thorough efforts possible to detect security threats. Today that might involve inspecting every single suspicious piece of activity to determine what the implications might be.
The problem is that with the volume of information coming in, taking the time to inspect and understand each piece of suspicious activity can put enormous strain on an organization: It’s time-consuming and, as it turns out, not the best use of that time because of the signal to noise ratio involved. Typically, each vulnerability can take 6-9 hours to properly investigate, Tankman said. “But usually about 70-80% of them are not exploitable,” meaning they may be bad for some, but not for this particular organization and the code it’s using today. That represents a very inefficient use of the security team’s time and energy.
“Eight of out 10 patches tend to be a waste of time,” Tankman said of the approach that is typically made today. He believes that as its AI continues to grow and its knowledge and solution become more sophisticated, “it might soon be nine out of 10.”
Religion has built a taxonomy and an AI-based system that essentially does that inspection work as a human would do: It spots any new, or suspicious, code, figures out what it is trying to do, and runs it against a company’s existing code and systems to see how and if it might actually be a threat to it or create further problems down the line. If it’s all good, it essentially allowlists the code. If not, it flags it to the team.
The product’s stickiness has come out of how Tancman and Boutnaru understand large enterprises, mainly those heavy with technology stocks, operate these days in what has become a very challenging environment for cybersecurity teams.
“They are using us to accelerate their delivery processes while staying safe,” Tankman said. “They have strict compliance departments and have to adhere to certain standards,” in terms of the protocols they take around security work, he added. “They want to leverage DevOps to release that.”
He said Rezilion has generally won over customers in large part for simply understanding that culture and process and helping them work better within that: “Companies become users of our product because we showed them that, at a fraction of the effort, they can be more secure.” This has particular resonance in the world of tech. However, financial services, and other verticals that essentially leverage technology as a significant foundation for how they operate, are also among the startup’s user base.
Down the line, Rezilion plans to add remediation and mitigation into the mix to further extend what it can do with its automation tools, which is part of where the funding will be going, too, Boutnaru said. But he doesn’t believe it will ever replace the human in the equation altogether.
“It will just focus them on the places where you need more human thinking,” he said. “We’re just removing the need for tedious work.”
In that grand tradition of enterprise automation, it will be interesting to watch which other automation-centric platforms might move into security alongside the other automation they are building. For now, Rezilion is forging out an attractive enough area for itself to get investors interested.
“Rezilion’s product suite is a game-changer for security teams,” said Rusty Parks, senior MD of Guggenheim Investments, in a statement. “It creates a win-win, allowing companies to speed innovative products and features to market while enhancing their security posture. We believe Rezilion has created a truly compelling value proposition for security teams, one that greatly increases return on time while thoroughly protecting one’s core infrastructure.”