Trend Micro enters the cloud security posture management market with Cloud Conformity buy

October 21 2019
by Fernando Montenegro


Enterprises adopting cloud may look at traditional 'lift and shift' methods for their workloads as an onramp, but they quickly realize that there's a lot more to be done than simply moving VMs or even shifting to containers and Kubernetes. Having a secure cloud presence means nicely tying compute, storage, networking, identity and many more services. This is not a trivial task, and one that vendors both large and small have aimed to address with myriad offerings in this space.

Trend Micro has now joined the fray by acquiring Cloud Conformity, an Australia-based startup focused on cloud security. The buyer is aiming to complement its existing offerings for hybrid cloud, container/Kubernetes and application security.

Snapshot Snapshot


Trend Micro


Cloud Conformity


Cloud security posture management

Deal value

$70m (cash)

Date announced

October 21, 2019

Closing date, expected

Q4 2019


None disclosed

The 451 Take

As organizations of all sizes move to the cloud, they quickly realize that there is much more to cloud security than protecting VMs, containers or even serverless functions. Cloud security must also include properly configuring dozens of new services and the interactions between them. Trend Micro has long had a strong presence in cloud workload protection with its Deep Security offering. It was, however, lacking a component for validating security for the rest of the cloud. This deal should broaden Trend Micro's cloud security capabilities at a time when organizations are struggling with securing increasingly complex cloud deployments. It should also help the company compete with other large vendors such as Palo Alto Networks as well as specialists like Turbot, DivvyCloud and others. The key challenges for Trend Micro will be to quickly enhance support for other cloud environments and accelerate go-to-market efforts for the new offering.

Deal details

Trend Micro is paying $70m in cash for Cloud Conformity. According to 451 Research's M&A Knowledgebase, this is the acquirer's second-largest purchase, coming in behind the 2015 pickup of Tipping Point. Trend Micro notes that the amount signals the importance of the transaction in terms of time to market.

The company cites deal drivers on both the demand and supply side. First, there is ample evidence that organizations looking to secure their cloud deployments are doing so with a combination of services offered by their cloud providers as well as leveraging third-party services. Indeed, according to 451 Research's Information Security data, customers are demonstrating heavy demand for third-party cloud security functionality.

Figure 1

Figure 1: Use of third-party security services 451 Research Information Security, Budgets and Outlook 2019

From the supply side, many existing security firms have made the jump into cloud security posture management over the past 24 months, particularly in 2018. According to the M&A Knowledgebase, there have been several acquisitions in this space recently.

Figure 2: Cloud security posture management M&A Figure 2: Cloud security posture management M&A

Date announced



Deal value

November 27, 2017


Skyhigh Networks


February 14, 2018




March 14, 2018

Palo Alto Networks



July 12, 2018


Sift Security


October 3, 2018

Palo Alto Networks



October 24, 2018

Check Point Software Technologies

Dome9 Security


January 8, 2019


Avid Secure


451 Research's M&A KnowledgeBase *451 Research estimateTrend Micro's entry, albeit comparatively later than other buyers, does give it the capability to assist customers with more than just traditional 'compute' workloads. This should fit nicely with the evolution of its Deep Security offering at a time when customers are looking at much more complex architectures than traditional on-premises deployments.

Target profile

Cloud Conformity was founded in 2016 by Michael Watts, Mike Rahmati and Xabi Errotabehere, all of whom worked in the Australian government and saw the opportunity to build on cloud security needs from the many projects they were involved with. Originally based in Sydney, the startup has since moved its headquarters to San Francisco. Cloud Conformity has about 50 employees, most of them located in Sydney, with additional staff in London, Dallas and Montreal. The vendor reports that it has approximately 130 customers, about half of which are in Australia. It has raised $3.2m in two funding rounds, with a $2.8m series A round in August 2018 led by Paladin Capital Group. 451 Research estimates that Cloud Conformity generates revenue of roughly $4m.

The company developed an offering based on validating a customer's AWS configuration both during development – with an integration with CI/CD processes – and production. The product can also remediate problems it finds. Cloud Conformity seeks to differentiate based on a deep alignment with AWS's Well-Architected Framework model for cloud configurations, support for numerous AWS offerings, as well as having hundreds of rules and a deep knowledge base of recommendations for AWS and, to a smaller extent, Microsoft Azure deployments.

Acquirer profile

Trend Micro has grown to become a key security provider since its founding over 30 years ago. It is publicly listed in Japan and now has a presence in over 50 countries, with a total of about 6,000 employees. Trend Micro is led by cofounder Eva Chen, who rose to CEO in 2004 from previous CTO and EVP roles.

The company has products in both the consumer and business segments. As it relates to this acquisition, it has a strong footprint in the hybrid cloud protection sector since the purchase of Ottawa-based Third Brigade in 2009. Trend Micro has offerings to protect virtual, cloud, containers and applications, and has positioned itself as a key partner of AWS.


Looking at Trend Micro's broader cloud security portfolio – not only posture management but also container, Kubernetes and application security – its most significant rival is now Palo Alto Networks, which inked two significant acquisitions (Evident.io and RedLock) in the cloud posture management space last year, and then reached for container security specialist Twistlock and application security firm PureSec in May.

Trend Micro has often vied with Symantec, McAfee, Sophos and Kaspersky Lab in the endpoint security segment. Some of that competition now spills over to cloud as well since Symantec, McAfee and Sophos all have their own versions of cloud security offerings to match Trend Micro's newest buy. Symantec's offering was developed in-house, while McAfee and Sophos got significant boosts from the acquisitions of Skyhigh Networks and Avid Secure, respectively.

Other well-known security providers such as Check Point (with its Dome9 purchase), VMware (CloudCoreo) and Qualys (Cloud Security Assessment) also contend in this arena. In terms of more specialized vendors, the cloud infrastructure security market is still quite active. Firms in this sector include Turbot, DisruptOps, Alert Logic, Fugue, DivvyCloud, Threat Stack, Cavirin, Saviynt, Lacework and many others.

The major cloud suppliers – AWS, Microsoft Azure, Google Cloud Platform and others – all have varying levels of security configurations and support services to help customers implement recommended practices and maintain safe and compliant environments. Lastly, cloud teams looking at security tooling have several open source components that can provide visibility, compliance and, in some cases, remediation functionality. Cloud Custodian, originally created by CapitalOne, and Duo's CloudMapper are two examples, although others exist.

Moving forward, Trend Micro notes that Cloud Conformity will be available immediately. The company sees opportunities from cross-selling into its existing customer base, as well as using Cloud Conformity as a potential onramp for newer customers. Trend Micro plans to integrate the target's technology into a broader, unified cloud security offering in early 2020.