VMware grabs Lastline to tie up its security bundle

June 5 2020
by Eric Hanselman, Fernando Montenegro, Scott Crawford


Effective security protections are becoming ever more complicated to build and network perspectives have gained more prominence as a critical insight. VMware has acquired Lastline to add depth to its spectrum of security capabilities with the target's combination of malware sandboxing and network detection and response (NDR) functionality. The buyer plans to add Landline as a layer on top of the Carbon Black endpoint and NSX network intelligence skills, which could enhance protections for its customers.

Snapshot Snapshot






Security / Antimalware

Deal value

Estimated in 451 Research's M&A KnowledgeBase

Date announced

June 4, 2020

Closing date, expected

By June 30, 2020


DBO Partners (Lastline)

The 451 Take

The perspectives that deeper malware behavior and network visibility offer for effective security management are significant and are important context to be integrated into a greater whole. Making sense of malware behavior in a rapidly metamorphosing application and network environment is challenging and takes sophisticated analytical techniques to make sense of what's desired and what's not. Lastline's network analysis and machine learning (ML) capabilities could bolster VMware's NSX Intelligence while its core sandboxing smarts fill a malware analysis gap that could aid traffic and executable analysis. Both are areas where the acquirer had some coverage. But bringing aboard a team that has built both could have greater long-term benefits for VMware's security capabilities.

Deal details

VMware's parent, Dell, has been an investor in Lastline since the company's series B funding round in 2014. Because of the deal's apparent emphasis on Lastline's technology and researchers, it seems unlikely that VMware would aim to bring the target's entire team aboard. In its announcement, VMware noted that it expected Lastline's threat research team to join forces with the Carbon Black Threat Analysis Unit.

Terms of the transaction, which is expected to close later this month, weren't disclosed.

Deal rationale

Reaching for Lastline should give VMware an opportunity to expand its security capabilities and fill in a gap in its portfolio. The Carbon Black team had partnerships with other malware sandboxing offerings, including VMRay, but being able to integrate this functionality internally has significant value in addressing an area that has seen rapid expansion in the level of exploitation activity. The NDR skills are an additional benefit and could bring ML models that expand those already present in NSX to increase the sophistication with which network-based attacks are identified. A large portion of the value of the deal for VMware will have to rest on the threat research team that Lastline had assembled. It's a talent pool that has always been difficult to hire and is even more critical today. The fact that the deal returns an investment by VMware's parent company couldn't have hurt.

Target profile

As the security market morphs, Lastline has evolved its focus and product investment. Founded in 2011 by some of the team that worked on the ANUBIS sandbox and Wepawet code analysis service, Lastline offered malware analysis capabilities that targeted integration with OEM security products with a motto of 'collect, detect, respond.' The vendor forged several OEM relationships with firms such as Barracuda Networks, Watchguard, Forcepoint and Sonicwall. It later extended its product line into NDR with the introduction of Lastline Defender, an offering that leveraged ML to analyze data from network sensors to identify complex attacks and correlate activity and malicious payloads to detect threats and successful compromises.

According to S&P Global Market Intelligence, the Redwood City, California-based company had raised $57m in venture capital, with its most recent infusion coming three years ago. Its investors included Redpoint Ventures, Dell Ventures, Thomvest, NTT Ventures, Barracuda Networks and Watchguard. As we noted in our Tech M&A Outlook, the need for detection and response beyond legacy networks could well lead to an exit for Lastline.

Acquirer profile

As a provider of enterprise cloud and virtualization foundations, VMware has established a leading role in building IT infrastructure and the tools for its operation. It's also not an infrequent acquirer, with an interest in bolstering its native security capabilities. And it's not reluctant to purchase technologies that could have overlaps with existing product functionality. VMware's pickup of Veriflow last year arrived just as the company was announcing NSX Intelligence, which has a simulation mode that parallels some of Veriflow's capabilities, albeit with narrower scope.

VMware's Security M&A Since Early 2018 VMware's Security M&A Since Early 2018

Date announced



Deal  value

May 13, 2020


Cloud security


August 22, 2019

Carbon Black

Endpoint security


August 21, 2019


Application security


August 14, 2019


Network security


March 28, 2018

E8 Security

Security analytics


February 14, 2018


Cloud security


451 Research *451 Research estimate

VMware is looking to build a comprehensive security portfolio that can reduce the operational complexity of security management by integrating the necessary elements across its platform. The various pieces are brought together under the company's Intrinsic Security branding. Carbon Black gave VMware a position in endpoint defense and Octarine one in cloud platform security. NSX Intelligence has network behavioral defenses that profit from the additional context that VMware's vSphere platform provides.


Lastline contends in several areas and Fireye has been a strong opponent in sandboxing, but the technology has become a piece of standard functionality for other security platform providers such as Palo Alto Networks, Check Point, Trend Micro and others. Rival Cyphort was acquired by Juniper in 2017 and became part of its Sky ATP offering. As Lastline's OEM partners have done, many other vendors are integrating OEM sandboxing technology from the likes of Fireeye and others. The NDR market is at an earlier stage and has a more vibrant competitive field. Darktrace has made its name as an ML-driven network protection specialist – others include Awake, Vectra AI and Netography.

Sensor-based threat hunting tools will also vie for some of the NDR mindshare, with vendors like Corelight and Reservoir Labs fielding tools based on the open source Zeek project. Gigamon's Threat Insight (from its 2018 purchase of ICEBRG) wields advanced analytics for threat hunting on its own platform. Well-established network monitoring firms, including ExtraHop and NETSCOUT, have pivoted into NDR and have been able to leverage their existing customer bases.

If VMware can fully integrate its various acquisitions and native capabilities, the breadth of context available for analysis could produce powerful results. That integration will take resources, time and a strong internal drive to make the whole much more than the sum of its parts.