Obsidian Security to detect and fix major SaaS security risks with $90M infusion

While businesses have embraced software-as-a-service (SaaS) in a massive way, the questions around how to best secure the use of data in those applications remain unanswered for many organizations. One startup hopes that these questions won’t need to remain unanswered for long, though.

Obsidian Security, which today announced raising a $90 million series C funding round, offers a platform that aims to address the biggest use cases for businesses that are looking to reduce their SaaS security risk.

Notably, the SaaS Security and Posture Management (SSPM) platform leverages Obsidian’s proprietary “knowledge graph” — which ties together data from different apps to “create a comprehensive and deeply contextual view of the SaaS world” that’s inhabited by customers, said Obsidian Security CEO Hasan Imam.

Currently, use cases that Obsidian’s SSPM platform solves for are: recognizing if an account has been compromised, determining if there is insider activity that could pose a threat, detecting configuration drift that is creating undue risk for the enterprise, detecting oversized privileges that are creating risk, and determining when data has been accidentally made visible to the outside world.

Solving for new SaaS security threats

“We believe that we are just scratching the surface on the set of challenges in front of us, as it relates to SaaS,” Imam told VentureBeat. “The differentiation is the graph — because that’s the comprehensive view that allows us to solve for these use cases. But what that also means is that tomorrow, as we see new threat vectors, we have created a model that allows us to quickly solve for a new threat vector that we may not be thinking about today.”

Menlo Ventures led the series C round of funding for Obsidian. The round also includes backing from IVP, Greylock, Norwest Venture Partners, Wing and GV. Obsidian has now raised a total of $119.5 million since its launch in 2017.

Obsidian’s CEO and founders are all veterans of well-known cybersecurity startups of the past decade.

Imam was previously the chief revenue and customer officer at Shape Security, which F5 acquired for $1 billion. Obsidian CTO Ben Johnson was previously the cofounder and CTO of Carbon Black — which merged with Bit9, went public and was ultimately acquired by VMware for $2.1 billion.

Meanwhile, CPO Glenn Chisholm was formerly the CTO of Cylance, which BlackBerry acquired for $1.4 billion, and Obsidian chief scientist Matt Wolff previously served as Cylance’s chief data scientist.

“We have created a model that allows us to quickly solve for a new threat vector that we may not be thinking about today.”

Hasan ImaM, CEO, Obsidian Security

Detecting compromise

Obsidian’s approach, based on its graph technology, comes in contrast to solutions that involve placing a proxy to see how users are uploading or downloading data from a SaaS app, according to Imam.

This approach is “fundamentally flawed” because it doesn’t account for the fact that SaaS applications “are talking to each other,” Imam said.

“And there are many SaaS applications that are not accessed through a proxy,” he said. “And even if it’s accessed through a proxy, the proxies have very specific rules. If the rules aren’t triggered, it doesn’t have any value.”

On the other hand, Obsidian’s platform collects and normalizes data from numerous major SaaS applications — currently including 25 of the most-used SaaS apps, with more on the way, the company says. The SSPM platform then resolves accounts to identities and introduces threat intelligence, while also adding further context — resulting in a system that can detect threats across a customer’s SaaS app usage, according to Obsidian.

As an example, hijacked sessions using tokens are a significant threat vector for how SaaS applications are being breached, Imam said. Since the token lives in the browser of the end user, the provider of the identity authentication service can’t prevent an attack if the user’s browser or device is compromised, he noted.

But using Obsidian’s system, once an attacker has gained access to certain credentials — and used the credentials to get into SaaS apps that an identity service is protecting — “we would be able to see that from a contextual perspective,” Imam said. “From a behavioral perspective, we’d see that we have an attacker that is behaving very differently than the user whose credential it is.”

Customer traction

Newport Beach, Calif.-based Obsidian Security currently employs 80, and expects to reach 120-140 employees by the end of the year.

Obsidian reports having nearly 100 customers — 20 of which are currently paying more than $100,000 in annual recurring revenue (ARR). The startup says it saw a 5X increase in $100,000 ARR customers last year, and increased its revenue about 3.5X overall in 2021, year-over-year.

While Obsidian is providing its platform across about eight different verticals, its strongest verticals are financial services and healthcare. Others include tech, education, telecommunications and retail.

Along with expanding its sales — Obsidian aims to grow revenue by 3X this year, Imam said — the new funding round will go toward enabling Obsidian to continue broadening the number of SaaS applications that its platform can integrate with.

Current integrations include Salesforce, Workday, Microsoft 365, ServiceNow, Google Workspace and GitHub, but the eventual goal is to cover all of the major SaaS apps that are relevant across the U.S., Europe, Asia-Pacific and Japan, according to Imam. Obsidian, ultimately, aims to be “covering the long tail of SaaS applications,” he said.

The breadth of Obsidian’s coverage for SaaS applications is already excellent, though — and is one of the big differentiators for the platform, according to Venky Ganesan, partner at Menlo Ventures.

Obsidian also stands out with ease of implementation, Ganesan said. As part of its due diligence on Obsidian, Menlo deployed the platform for its own systems — and rapidly gained greater visibility into what was going on with its SaaS usage, he said.

“We got value in 30 minutes,” Ganesan said. “There’s not a CISO in the world who, within 30 minutes of installing [Obsidian], won’t get value.”

‘Iconic company’ in the making?

Obsidian also does more than just provide enhanced visibility; it also brings remediation capabilities for proactively stopping malicious behavior that it detects, he said.

“That combination of three things — that usability, breadth of coverage, and visibility and remediation — is a trifecta that no one else has,” Ganesan told VentureBeat.

Within the security market, protecting the usage of SaaS apps is likely to be the “next big area of spend,” he added — and said he believes Obsidian is positioned to lead in this area.

Ganesan led Menlo’s investment into Palo Alto Networks and previously sat on its board. He noted the potential he sees in Obsidian reminds him of Palo Alto Networks — which today ranks as the world’s most-valuable security vendor with a market cap of $60 billion.

With Obsidian, “it looks like a chance to build a very iconic company in a big area,” said Ganesan, who is joining the board at the startup.

One of Obsidian’s other investors, IVP general partner Somesh Dash, drew a comparison between the startup and one of the other giants of the security world — CrowdStrike (which IVP had invested in).

“We view the way [CrowdStrike has] protected the endpoint as the analogy for how Obsidian’s going to protect the application layer,” Dash told VentureBeat.

“If they pull that off for U.S. and global Fortune 5000 companies, mid-stage companies, government agencies, regulated industries — I think this company has the chance to be a $10 billion+ public company in the not-so-distant future,” Dash said. “That’s not something we see in a lot of companies.”