Santa Clara-based Palo Alto Networks has bought Californian startup RedLock, a cloud security specialist founded in 2015, for $173 million in cash, continuing a shopping spree that bolsters its product line in an increasingly competitive cloud security market.

RedLock, funded in a Series A round to the tune of $8 million last year by Dell Technologies Capital, Sierra Ventures and Storm Ventures, provides automated threat detection across AWS, Azure and Google Cloud.

Its customers include VMware and Genpact.

The acquisition comes as organisations increasingly recognise that traditional network monitoring tools create security blind spots: they cannot be placed inline in front of API-driven cloud services, where the traffic that matters is control-plane API calls made with credentials rather than packets crossing a network choke point, so visibility has to come from the providers' own API activity logs and configuration data instead.

The RedLock research team made a name for itself by uncovering cryptocurrency mining activity in the cloud environments of organisations including Tesla, Gemalto, and Aviva, which had previously gone undetected.

RedLock, Palo Alto Synergies

RedLock co-founders, Varun Badhwar and Gaurav Kumar, will join Palo Alto Networks.

Palo Alto Networks already provides a broad security offering for multi-cloud environments with inline, host-based, and API-based security, which was bolstered by the acquisition of Evident.io in March 2018. The company currently serves more than 6,000 cloud customers globally with its cloud security portfolio.

Palo Alto Networks' Chris Morosco described RedLock's contribution with two examples, in a blog post that asks "what does that [RedLock's tool] look like in the real world?"

“Say, for example, that a developer accidentally leaks cloud access keys on a well-known forum such as GitHub, and that as a result of this, a hacker attempts to log in to the cloud environment using those keys. RedLock’s fast analytics detect that the key is being used in an unusual location to perform an unusual activity – and immediately alerts the SOC team, with a full history of all activities associated with that key.”

“As another example, say a user creates a security group within an organization, but accidentally leaves it open. RedLock will discover it, see that it is associated with a VM running MongoDB, and determine that the database is receiving Internet traffic from a known malicious IP address. What happens next is the database is automatically moved to a private security group – remediating the risk.”
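The two scenarios above are easier to reason about in code. The following is an added illustration written for this page; it is not RedLock's or Palo Alto Networks' code and makes no claim about how their product works. It reconstructs both detections over constructed data: a handful of CloudTrail-style API events (the access key ID is AWS's documented example value, the IP addresses are from the RFC 5737 documentation ranges), a small security-group and instance inventory, VPC-flow-log-style connection records, and a one-entry "threat feed". The field names, the security-group IDs, the instance ID and the "service" inventory tag are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# ---- Scenario 1: leaked access key used from an unusual place for an unusual action ----

# Constructed CloudTrail-like records (not real logs). Key ID is AWS's documented
# example; IPs are RFC 5737 documentation addresses.
EVENTS = [
    {"time": "2018-10-01T09:00:00Z", "key": "AKIAIOSFODNN7EXAMPLE", "ip": "203.0.113.10",
     "region": "us-west-2", "action": "s3:ListBuckets"},
    {"time": "2018-10-01T09:05:00Z", "key": "AKIAIOSFODNN7EXAMPLE", "ip": "203.0.113.10",
     "region": "us-west-2", "action": "s3:GetObject"},
    {"time": "2018-10-02T10:00:00Z", "key": "AKIAIOSFODNN7EXAMPLE", "ip": "203.0.113.12",
     "region": "us-west-2", "action": "s3:ListBuckets"},
    # The anomalous event: new region, new source network, and an IAM action the key
    # has never performed before.
    {"time": "2018-10-03T02:15:00Z", "key": "AKIAIOSFODNN7EXAMPLE", "ip": "198.51.100.77",
     "region": "eu-west-1", "action": "iam:CreateUser"},
]

def source_network(ip):
    """Collapse a source IP to its /24 so a new address inside a known office range is not an alert."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def detect_key_anomalies(events):
    """Walk events in time order, building a per-key profile of networks, regions and
    actions seen so far. An event is flagged only when it comes from an unseen region or
    network AND performs an action the key has never performed (either alone is noisy).
    Each alert carries the full history of that key up to and including the event."""
    profile = defaultdict(lambda: {"networks": set(), "regions": set(), "actions": set()})
    history = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        p = profile[ev["key"]]
        history[ev["key"]].append(ev)
        net = source_network(ev["ip"])
        unusual_location = bool(p["networks"]) and (
            net not in p["networks"] or ev["region"] not in p["regions"])
        unusual_action = bool(p["actions"]) and ev["action"] not in p["actions"]
        if unusual_location and unusual_action:
            alerts.append({"key": ev["key"], "event": ev, "history": list(history[ev["key"]])})
        p["networks"].add(net)
        p["regions"].add(ev["region"])
        p["actions"].add(ev["action"])
    return alerts

# ---- Scenario 2: an open security group on a VM running MongoDB ----

# Constructed inventory, flow records and threat feed; none of it is real infrastructure.
SECURITY_GROUPS = {
    "sg-web-open": {"ingress": [{"port": 27017, "cidr": "0.0.0.0/0"},
                                {"port": 22, "cidr": "10.0.0.0/8"}]},
    "sg-db-private": {"ingress": [{"port": 27017, "cidr": "10.0.0.0/8"}]},
}
INSTANCES = {"i-0123456789abcdef0": {"security_group": "sg-web-open", "service": "mongodb"}}
FLOWS = [
    {"dst_instance": "i-0123456789abcdef0", "src_ip": "10.0.4.15", "dst_port": 27017},
    {"dst_instance": "i-0123456789abcdef0", "src_ip": "198.51.100.77", "dst_port": 27017},
]
THREAT_FEED = {"198.51.100.77"}  # constructed "known malicious" source
DB_PORTS = {"mongodb": 27017}
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internet_open(rule):
    """A rule is 'open' if it is 0.0.0.0/0 or any CIDR that is not inside an RFC 1918 range."""
    net = ipaddress.ip_network(rule["cidr"])
    return net.prefixlen == 0 or not any(net.subnet_of(p) for p in PRIVATE)

def find_exposed_databases(sgs, instances, flows, threat_feed):
    """Cross-reference configuration (open ingress rule), inventory (what runs on the VM)
    and traffic (who actually connects). Known-bad sources seen on the port raise severity."""
    findings = []
    for inst_id, inst in instances.items():
        port = DB_PORTS.get(inst["service"])
        if port is None:
            continue
        for rule in sgs[inst["security_group"]]["ingress"]:
            if rule["port"] == port and is_internet_open(rule):
                bad = sorted({f["src_ip"] for f in flows
                              if f["dst_instance"] == inst_id and f["dst_port"] == port
                              and f["src_ip"] in threat_feed})
                findings.append({"instance": inst_id, "security_group": inst["security_group"],
                                 "rule": rule, "malicious_sources": bad,
                                 "severity": "critical" if bad else "high"})
    return findings

def remediate(instances, finding, private_sg="sg-db-private"):
    """Return a new instance->group mapping with the exposed VM moved to the private group.
    Kept pure here; in a real account this is where the provider API call would go."""
    updated = {k: dict(v) for k, v in instances.items()}
    updated[finding["instance"]]["security_group"] = private_sg
    return updated

if __name__ == "__main__":
    for a in detect_key_anomalies(EVENTS):
        print("ALERT", a["key"], a["event"]["ip"], a["event"]["region"], a["event"]["action"],
              "history:", len(a["history"]), "events")
    for f in find_exposed_databases(SECURITY_GROUPS, INSTANCES, FLOWS, THREAT_FEED):
        print("FINDING", f["severity"], f["instance"], f["rule"], f["malicious_sources"])
        print("REMEDIATED", remediate(INSTANCES, f))
```

Two design points worth noting. The key-anomaly rule requires both an unusual location and an unusual action before alerting, because developers travel and keys legitimately get used from new addresses; the combination is what separates a leaked key from a road warrior, and the full per-key history is what lets the SOC scope what the attacker already did. The exposure check deliberately joins three data sources (security-group configuration, an inventory of what the instance runs, and observed flows) rather than alerting on an open port alone, which is exactly why such detections cannot be done by a network appliance that sees none of the cloud provider's configuration or API logs.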