Endor Labs
What is Endor Labs and what problem does it solve?
In a software landscape dominated by rapid CI/CD processes, developers have reaped enormous benefits from leveraging third-party vendors and open-source software, resulting in thousands of microservice architectures that each provide a small but compounding boost to development cycles. As these services grow, teams lose visibility into their own code and fail to manage their software dependencies. This causes not only delays and inefficiency, but also higher operating costs and a wider security attack surface.[1] Endor Labs’ product aims to address this issue by allowing:
Security teams to have a single source-of-truth for all software inventories and SBOMs across internal apps, open source code, and 3rd party vendors
Engineering teams to maximize software reuse, turn down security noise, and debloat dependencies
Endor Labs simplifies, organizes, and protects a team's software supply chain, which includes both internal and open source code.
All-Star Management
Endor pulls no punches when it comes to assembling a great management team. Varun Badhwar (CEO) is a serial entrepreneur who has worked in security for almost two decades. He began with CipherCloud, then moved on to RedLock, which culminated in an acquisition by Palo Alto Networks, where he built Prisma Cloud to a staggering scale in a span of three years.[2] Varun is a well-known veteran within the industry, and this reputation extends to the rest of the team, the majority of whom he worked with during his time at Palo Alto Networks and RedLock:
Dimitri Stiliadis (CTO) also joined Palo Alto Networks through the acquisition of Aporeto and served as CTO of Prisma Cloud before joining Endor. He has held security-related CTO positions at a variety of companies since 2005.
Nic LaBuz (VP Sales) has almost two decades of enterprise software sales experience and has worked with Varun since RedLock.
Before this section turns into a resume book for Endor’s C-suite, it is clear that Varun leads a team that exemplifies deep passion and focus, and who aspire to solve a problem that they have lived and breathed for the past 20 years. They have experience taking a company from an idea to a multi-million dollar enterprise (and have been successful at it on multiple occasions). While I haven’t had the opportunity to meet them in person, it brings me comfort to know that Nikesh Arora, Palo Alto Networks’ current CEO, is among Endor’s investors.
Challenging Market: Lifetime to Learn, Lifetime to Master
Determining an accurate bottom-up market size and growth rate for Endor was the most challenging part of this analysis. Endor operates in a new and “niche” enterprise security market, where growth tends to happen through step-level catalysts of shifting priorities rather than gradual, ever-increasing budget spending. Most of the time, these catalysts are increasing code complexity and newly discovered vulnerabilities that drive a boost in preventative spending (e.g., the SolarWinds supply chain attack).
Furthermore, I believe the current market sizing estimates are flawed. Many customers are using existing license management solutions from traditional vendors to meet their needs. This is what led to the current technical debt and security flaws in the first place. Therefore, it is likely that the current reports aren't providing the full picture of this market's potential.
However, the writing is on the wall. In 2021, 99% of codebases utilized open-source packages and 85%+ of enterprises leveraged open-source software. High-profile and aggressive supply chain breaches are on the rise, from the likes of SolarWinds, Codecov, LastPass, and countless others. Therefore, it should not come as a surprise that software supply chain security is a priority for many CISOs across the industry, with almost half planning to increase spending by 5-10%, and 18% expecting to increase it by more than 10%.
Based on all considerations above and the available data, Endor operates in a $12Bn+ cloud security market that is projected to grow more than 25% YoY until 2024 (based on PANW’s 2021 Investor Day deck). Additionally, supply chain security is projected to be a primary driver of this growth in the following years, with Endor as one of the few key players in this space. Out of this $12Bn pie, I’d forecast that 10%-15% belongs to the current outdated incumbents, a share that I’d estimate will remain stable for the next few years. Based on these assumptions, the supply chain security market would be approximately $1.8Bn in 2022 and rise to ~$4Bn by 2024, implying a ~50% CAGR.
Bedrock Product (means only one vendor) + Complex Product (means no building in-house)
Endor's business is built on two main pillars that will position them favorably in the future: high switching costs and a complex proprietary product.
Endor’s product embeds itself as the “bedrock” for all the microservices used by an engineering team. As more engineers use and fine-tune this offering to their organizational needs, it becomes increasingly difficult to switch, as customers risk data loss, technical debt, and incremental training/operating costs. Furthermore, a bedrock dynamic usually means that there is only room for one central vendor, which further entrenches Endor.
Another strong pillar for Endor lies in the complexity of its product. Many DevOps companies face the looming threat that a customer’s own team can simply choose to build an in-house solution. However, it is difficult for a customer to justify building an in-house solution that exhibits the same level of rigor and visibility as what Endor offers.
Risks / What you need to believe
There are two main risks associated with Endor:
Ability to capture and expand market
As mentioned before, Endor’s product targets an ever-widening security gap that was previously addressed by band-aid solutions offered by market-adjacent incumbents. Therefore, customer education and top-of-funnel management will be critical in ensuring Endor’s success. While Varun and the team’s past experience with Prisma and RedLock gives me comfort, market growth remains an important risk for this company.
Future roadmap
Endor solves a very important problem with a fantastic product. However, the problem (OSS supply chain management) remains a specific one, most often faced by large enterprise customers. Many companies start out by solving a specific problem, but then expand their offerings horizontally or vertically to ensure continued growth. At the moment, Endor has not publicly disclosed a roadmap for future expansion, as they remain focused on executing their current strategy. In the long term, this will be an important consideration as the company crosses $100M ARR and we begin to consider exit options. What provides me with comfort is that, similar to many other companies (and consistent with Varun’s past record), Endor will likely be an M&A target, as incumbents continually seek to improve their product portfolios and will view Endor’s offering as an easy way to strengthen their own.[3]
Conclusion
Endor Labs' platform addresses the problem of complex microservice architectures by simplifying, organizing, and protecting a team's software supply chain. Led by a management team with a proven track record of success, the company has the potential to capture the OSS supply chain security market by embedding itself as the bedrock of all microservice and third-party needs. However, further due diligence is needed to understand the company's performance and risks. Given the complexity of this endeavor and the recent related security breaches, Endor’s superior offering presents a unique product-market fit and a compelling business.
[1] This is a classic example of technical debt. This debt, or as I like to call it, Ignored Technical Debt (trademark pending), differentiates itself from the rest by being deeply embedded third-party code that causes either endless false-positive alerts or none at all.
[2] $300M in ARR, to be precise.
[3] Dell and Nikesh’s investment in this company signals to me that there’s already a certain level of corporate investment in this business.