David Holmes formerly worked for both F5 Networks and Shape Security.

The F5 Networks acquisition of Shape Security marked the third time in a year that a web application firewall (WAF) vendor purchased a bot management solution, as fellow Forrester analyst Sandy Carielli noted in her blog (The WAF-Bot Management Acquisition Waltz). The other two were Imperva’s acquisition of 2018 Forrester New Wave™ Leader Distil Networks and Radware’s acquisition of ShieldSquare.

The acquisitions of these three specialists suggest that the market is consolidating into a bazaar of five-layer burritos composed of WAF, CDN, DDoS, API security, and bot management.

This is not a five layer burrito but it is labeled for reuse unlike other burritos
Image source: Wikimedia Commons

 

Shape’s most recent investment round valued the company as one of Silicon Valley’s billion dollar unicorns. F5 Networks, meanwhile, had only three of the five burrito ingredients but also a pile of cash and a new executive team that wasn’t afraid to spend it, as shown by its $670M acquisition of load-balancer rival NGINX earlier last year.

Market Mechanics

Because our coverage areas overlap, Sandy and I have teamed up on several end-user inquiries recently in which buyers have been weighing the burrito vendors. Some of these buyers are best of breed, and some like to buy a portfolio to have a single throat to choke. For the enterprise buyers, this is what the burrito bazaar looked like through the last 18 months:

2018

WAF

DDoS CDN Bot mgmt. API security
Akamai

===

===

=== ===

===

Imperva

===

=== === =

===

F5 Networks === === =

===

What a difference a year makes! (Note: Vendors, put no stock in the number of equal signs in either table. They are just for visual effect; this is not a poor man’s Forrester Wave™ ranking.)

2020 WAF DDoS CDN Bot mgmt. API security
Akamai

===

=== === ===

===

Imperva

===

=== ===

===

F5 Networks

===

===

===

The obvious gap left for F5 to fill is CDN but only if the CDN space continues to show relevance for buyers in a multicloud world where Azure, GCP, AWS, and Alibaba are furiously spinning up PoPs and regions.

Internal Integration

Shape Security delivered on-premises appliances to mitigate the bot problem, and these typically sat right behind an F5 appliance that decrypted all the inbound traffic (good and bad). From an architectural perspective, integration makes sense because the adjacent Shape functionality could be absorbed into the F5 device, resulting in fewer appliances, one fewer vendor, and easier sales motions.

What It Means

For customers: The Shape team will be getting access to F5’s considerable channel and sizable sales force. This could result in many more Shape customers. As F5 has competed in the application delivery market for 20 years, a significant number of the Fortune 2000 are already F5 customers. Many of them have bot problems, whether they know it or not, and will surely be getting visits from the enlivened F5 sales teams.

For the future: Forrester VP and Research Director Amy DeMartine has said that the bot management problem will become the dominant application security challenge in the years to come. The adversaries in this space are highly motivated. F5 now has access to their solution, and its challenge will be to integrate it into its own burrito without diluting its value.