In March of this year, as the first wave of the novel coronavirus rippled through the world, the Israeli application security company Checkmarx secured a $1.2 billion acquisition from private-equity firm Hellman and Friedman. The company’s founder and CTO, Maty Siman, and the CEO, Emmanuel Benzaquen, knew that they had passed a major milestone, but are already looking ahead towards their next objectives.
Fourteen years beforehand when the two first started the company, Siman, then 27, was a former soldier in the Israel Defense Forces’ Mamram computer and networks unit; a former employee of the Prime Minister’s Office; and a computer programmer. He was joined by French-born Benzaquen, who had arrived after years of working in Silicon Valley in California.
“I set the company up in February 2006, at a time when programmers were always being measured by the number of features they inserted into their product, but what wasn’t being checked is whether the programming was safe,” recalled Siman.
“The checks of that time were to see if the products work—not to see if they’re immune to hacking. There was no way to measure their security. So I began developing a tool that scans the code and gives it a security grade. That provides an opportunity to measure its security level and make improvements. It allows programmers to fix problems before the product arrives on the market,” he explained.
The newly founded company launched its code security test—and changed the cyber-security landscape for good.
“I wanted something that, as a programmer in my ‘past life,’ I’d want to use myself,” he said.
Fast-forward to 2020, and Checkmarx today has more than 650 employees—in Israel and around the world—some 1,400 global customers and two exits behind them.
Today, the company’s code scanner is applied to an array of organizations’ computer systems and smartphones.
‘There was great momentum’
A glance at Checkmarx’s clients reveals the true scope of this company’s reach. They include 10 of the largest software companies in the world; four of the largest American banks; government agencies; militaries; and a high concentration of companies on the Fortune 500 list. The clients stretch across North America, Europe, Israel and beyond.
“The [U.S.] federal government acts as a recipient of third party application, and they have to check what they’re getting,” said Benzaquen.
The company achieved unicorn status this year (a status achieved when a startup is valuated at $1 billion and more) when it was purchased by the Hellman and Friedman private-equity fund from Insight Partners. Insight Partners, a venture-capital and private-equity firm that bought Checkmarx for $84 million in 2015 (and still reserves a significant minority ownership).
Benzaquen described the process of engaging investment funds at the peak of a global crisis. “I started checking what was in the market and saw that there was clearly a big opportunity,” he told JNS. “We launched a flash process—recruiting top private-equity firms in the world. We met a number of them and told them to take two weeks to look at our company and decide. There was great momentum,” he said. “For me, it was important to anchor the real valuation together with an opportunity to bring in new shareholders. We pushed the reset button.”
An additional investment fund, TPG, also joined the acquisition.
“This is the second time I did this with Checkmarx. I brought Insights Partners for a full refinancing five years ago. Since then, our valuation went from $84 million to over a billion,” stated Benzaquen. The company may have been valuated higher if it wasn’t for the global pandemic.
“On the day of the bidding from contenders, the Dow plunged 10 percent in one trading day, making ‘Black Thursday,’ March 12, the fourth-worst day for stocks ever. It felt like end of the world. There was no trading,” he recalled.
And yet, the offer came through. “This strengthens our message,” he said.
“It was a very good feeling. We remained independent and have control over the future direction. This is very different from a situation in which a big company buys us—i.e., like Google buying Waze, and now it’s part of Google. We remain totally independent. This gives us the opportunity to build the company while staying true to our vision. When a fund of this size invests, after 12 days of due diligence, out over a billion dollars in you … you are on top of the world. Now we need to chart a course to get to the next level.”
‘It puts our whole industry on steroids’
One of the reasons why Checkmarx’s products are so valued is the scope of the threat posed by an array of hackers that target applications. “When the hacker enters an application, he gets full access to the data,” said Siman. “They can read all of the information that is supposed to be secret, and change, or delete it—as if he or she is the systems manager.”
If hackers target phone applications, they can gain access to cameras, microphones and GPS locations if successful. The company’s research division was able to break into the OS (operating system) of Android devices in 2019, activate cameras and microphones, and hijack devices. It responsibly disclosed the breach to Google and Samsung, creating a global stir.
Until recently, Israeli cyber-security firms specialized in network security, with Check Point being the prominent illustration, said Siman. “But in recent years, there have been many new startups in the field application security (AppSec). We saw 10 formed in Israel in the past year. They have become world leaders in this domain. It’s very nice to see this development.”
Benzaquen said Israel is “changing the landscape of the cyber industry.” Addressing the challenges of the industry in the coronavirus era, he said that key changes are underway.
High-tech and cyber companies are prioritizing their activities and adapting. The demand is not decreasing, he said, since clients understand that if they depend more on digital services now, they must eliminate holes through which hackers can strike. “In the long run, it puts our whole industry on steroids,” he said.
At the same time, said Benzaquen, plenty of uncertainty exists, and now that it’s clear that the virus is here for an extended period of time, companies are adopting major new working patterns.
Companies at the early stage of development face great struggles today, as they cannot engage investors or customers face to face and have to do everything virtually. Leading companies, on the other hand, are exploring the option for consolidation, said Benzaquen, who noted that “we feel there is potential here.”
Checkmarx’s research division has two centers—the lead one in Israel and another in Portugal, and it furthers the company’s desire to “turn the world into a better place,” according to Siman. “We connect to companies like Google. We support companies in their security fixes, making sure they work. We found attack loopholes on Amazon Alexa and exposed how they can be used for eavesdropping. We did similar things on Tinder. This enables us to share perspectives with the industry and to ensure that our security expert research teams are the best in the world.”
Nevertheless, the executives acknowledged, cyber attackers are not resting on their laurels. “They’re not only using new techniques, but are also writing in new languages and using new methodologies,” said Benzaquen. “The face of attacks is changing. It is elastic. The more software there is, the more encouragement attackers have.”
Still, as industry adapts and as Checkmarx transforms the global industry, “the message from us is very positive,” he affirmed. “The aim is not just to get to a billion dollars, or let a bigger company buy us and run with our products. We are really at the heart of this market. This is big validation for what we are doing. We are leading this market in the right direction.”