BlueVoyant lands $250M to manage security, external risk for customers

In the security environment of 2022, internal cyber defense for a company is a big and apically complex endeavor. But, frustratingly, getting it right just means that attackers will try to break in another way.

In the 2013 breach of Target, for instance, the attackers gained their initial access by hacking a third-party vendor that had worked at the retailers’ locations. For a more current example, Microsoft said last fall it had observed attackers trying to get into the systems of companies by breaching their managed service providers, who had administrative access.

The threat actor in those attacks, by the way, was the same group believed to have carried out the SolarWinds breach — a case study in third-party risk if there ever was one.

Supply chain insecurity

Thus, in this environment, managing external cyber risk is arguably just as important as securing your endpoints and networks. “If you do have good internal defenses,” says Jim Rosenthal, CEO at security firm BlueVoyant, “a cyberattacker will go after you through your supply chain.”

However, there aren’t many companies out there that are going to make the investments necessary to manage third-party cyber risk all on their own, Rosenthal said. And while plenty of tools will now assess third-party cyber risk, BlueVoyant is the one vendor that will take on the responsibility of truly solving the problem for customers, he said.

While the company originally launched in 2017 to provide internal security for customers, with its managed detection and response (MDR) offering, BlueVoyant now places an equal emphasis on its external cyber risk management services.

Amid rapid growth in its customer base and revenue, BlueVoyant today announced raising a $250 million series D round funding round to help fuel its continued aggressive expansion — across both internal security and external cyber risk management for customers. In connection with the round, BlueVoyant now has a valuation of “substantially more than $1 billion,” Rosenthal told VentureBeat. The exact valuation was not disclosed.

The round was led by private equity firm Liberty Strategic Capital and included backing from ISTARI, Eden Global Partners and 8VC. Steven Mnuchin — formerly the U.S. secretary of the treasury and now the founder and head of Liberty Strategic Capital — and is joining the board of directors at BlueVoyant in connection with the investment.

The series D round brings BlueVoyant to more than $600 million in total funding to date, the company said.

Technology + humans

The MDR market is now highly competitive, with Gartner tallying 40 major players in the space in a report from last fall. Along with BlueVoyant, others cited by the research firm include Alert Logic, Arctic Wolf, Cybereason, Mandiant, Red Canary and Sophos.

BlueVoyant’s MDR offering provides cloud-based cyber defense for customers, and stands out with capabilities for analyzing massive amounts of data as part of its threat detection, Rosenthal said.

These analytics are performed across an ever-growing number of datasets — more than 50 right now — including through the use of advanced machine learning (ML), he said. The platform can ingest data feeds from hundreds of security tools and uses “high levels of automation” for processing data, none of which has to ever leave the customer’s cloud environment, Rosenthal said.

The technology works in tandem with 24/7 human expertise from the company’s security operations center team, and ultimately, BlueVoyant “can add more value than anyone else that I know of — because of our ability to do [MDR] at scale,” he said. BlueVoyant works with two different security information and event management (SIEM) systems — Microsoft Sentinel (for customers in Microsoft Azure) or Splunk (for customers in Amazon Web Services).

“We take the alerting from all [of a customer’s] tools into the Sentinel or Splunk cloud, we evaluate them and we respond to them as needed,” Rosenthal said.

Of course, internal security is only part of the equation for customers. Recently released research commissioned by BlueVoyant shows how pervasive the supply chain security threat has become: Nearly all firms — 97% — at this point have been negatively impacted by a supply chain security breach, according to the study conducted by research firm Opinion Matters.

When it comes to external cyber risk management, however, what BlueVoyant offers is one-of-a-kind, Rosenthal said. “We do supply chain defense, as opposed to supply chain risk scoring,” he said.

The latter approach typically involves assessing a few thousand suppliers, and giving each of them a risk score, Rosenthal said — but providing customers with that information “doesn’t actually improve the defense in the supply chain at all.”

Solving the problem

Instead, what BlueVoyant does is it looks at every participant in a customer’s supply chain, and identifies any externally detectable, severe vulnerabilities that an attacker would see. The company then interacts with the supplier to make sure that the issue is remedied — solving the problem on the customer’s behalf, Rosenthal said.

“This is a dynamic process — because on average, once a month, there’s a new zero day vulnerability in the world that’s externally perceivable. And that starts a race,” he said. “We can identify it at scale, typically within 90 minutes, and then interact with the affected suppliers within 90 minutes after that.”

This process involves having a “very specific interaction” with the third-party vendor, Rosenthal said. “We say, ‘Here’s the vulnerability. Here’s why it’s serious. Here’s where it is in your network. And here’s the appropriate patch or reconfiguration to fix it.’ And then we watch until they do it.”

Doing all of that is “supply chain defense — as distinguished from supply chain risk scoring,” he said.

And as of right now, “no one else does it,” Rosenthal said. “And it is what the world needs — if you want to prevent attackers from either disrupting your operations, or disrupting the supply chain, or moving upstream in an operation to the enterprise itself.”

Third-party suppliers can include software vendors; suppliers that hold intellectual property; firms that hold confidential data — either about employees or customers; and commodity suppliers. Another key category is suppliers that “are critical to just-in-time operation of your company — and if they are disrupted, your company’s operations are impacted because of that disruption,” Rosenthal said.

BlueVoyant encourages its clients to have risk thresholds tailored to each of the different areas, he said. “But our goal is to make sure that in the areas that really matter, there is nothing easily compromisable by a criminal group.”

Customer adoption

BlueVoyant reports that it has more than 700 customers — 299 of which were added just in 2021. Customer names were not disclosed.

The company also did not share revenue figures, but said that its annual recurring revenue doubled in 2021. BlueVoyant is targeting 100% growth in ARR once again in 2022, Rosenthal said.

“I think this company will continue to double in size for the foreseeable future,” he said.

With its growing revenue base and new funding in hand, the company plans to double its sales and marketing team and expand geographically in 2022, he said. BlueVoyant operates in 15 countries at this point, and plans to continue adding a country or two every quarter, according to Rosenthal.

The New York-based company currently has a headcount of 560, and plans to add 100 employees by the end of the year, he said

On the product side, BlueVoyant plans to continue adding new datasets for further enhancing its threat detection capabilities, and will consider additional acquisitions, as well, he said. The company’s most recent acquisition was of supply chain risk management firm 202 Group in October.

‘Effective record’

Rosenthal, formerly the chief operating officer of Morgan Stanley, cofounded BlueVoyant with executive chairman Thomas Glocer, formerly the CEO of Thomson Reuters.

While the series D funding makes the company a member of the now-populous security unicorns club, “within five years, I expect [BlueVoyant] to be more than $10 billion” in terms of valuation, Rosenthal said.

The company has made no decisions about whether to stay private or pursue going public — but either is an option because “we’ve earned the right to build our own value by our growth rates,” he said.

All in all, “we’ve got an extraordinarily effective record at providing internal defense for companies. And we are, at this point, very special in our ability to provide external defense as well,” Rosenthal said. “My goal is to always be a leader in both internal and external defense, and to make sure that companies have both — because they need both.”