3rd Annual Global Technology Private Company Conference

Patrick Colville: Good morning, thank you so much for joining us here today. I have Ami Luttwak from Wiz with us. I am Patrick Colville. Ahead of starting, I'm just going to read a quick disclaimer. The views expressed by employees or representatives of The Bank of Nova Scotia or its affiliates during the event are for informational and discussion purposes only and do not represent the views of The Bank of Nova Scotia or its affiliates, constitute advice of any kind or represent an endorsement, approval, recommendation or other opinion of or regarding any third party or its prospects, including, without limitation, Wiz.

So, without further ado, thank you so much for joining us today for the 2025 Scotia Private Technology Conference. I am Patrick Colville, a lead analyst on Scotiabank's Technology equity research team. We might have, halfway through this session, Jonathan Echevarria, the SVP office of the Chief Information Officer at Scotiabank join us as well, but our main event and star speaker is Ami Luttwak, co-founder and Chief Technology Officer for Wiz. Thank you so much for joining us, Ami.

Ami Luttwak: I’m very excited to be here and looking forward to the talk.

PC: So, look, Ami, I think everyone should know about Wiz but, you know, can you please just kick us off by introducing the company for those who may not be familiar?

AL:  Sure, so I'm Ami, CTO and Co-Founder for Wiz. We actually, we started in 2020, just five years ago, a few days before COVID. Our first customer meeting was in RSA [Conference] 2020. Basically, that was our last customer meeting for two years. So, I think we've been a very lucky team. We are a cloud security company, focused on trying to change completely how cloud security is done, rethinking everything we know about security and asking ourselves: In a world that everything moves so fast and developers build everything in a matter of minutes – even the marketing person can build an application – how should security look like in a year or two years from now?

PC: And I guess, you know, you've been in the enterprise security market for many, many years, and Wiz, has exploded onto the scene and had a tremendous amount of success. So, I guess I want to ask you the first principles question. So, you know, what is the state of enterprise security today, and, when you speak to CISOs from the role as Chief Technology officer, what are CISOs most worried about as of June 2025?

AL: So, the state of cloud security, is that – and again we, we definitely see that as part of being in the market – there is a, it's a huge change in perception and we need to understand when we talk about cloud security and the reality when we talk about this concept of CNAP, it's not really cloud security anymore. It's the security of what you have in the cloud. And basically, it's everything. So, I mean, think about what do you have in the cloud. You have data, you have AI, you have applications, right? And what CISOs feel – what we all feel – is that everything is moving so fast. It's actually moving faster than we've ever seen before, right? We are now inside probably the fastest technology revolution the world have ever seen and CISOs feel it, right, because they are caught in the middle between all the businesses telling them we have to use all of these new AI services, and the security is completely, I would say, they don't know what to do. Honestly, no one knows exactly how to secure this, so what do you expect every security team to do? It's a very hard position to be. You want to enable everyone to move fast, but you don't want to take risks, right? And this, they were like in the middle between two rivers that flow, you know, and it's been always like that, but now the speed is just getting crazy in both directions.

PC: And I guess, you know, public cloud is not a new thing. You know, AWS was launched in 2006, so, when we think about securing public cloud and securing the cloud, what is CNAPP today, because, originally, I think CNAPP was cloud security posture management, but to your point, Wiz is kind of rethinking cloud security. So, I guess, what are the demands within a cloud security suite that your customers or enterprises need.

AL: So, I think that's the basic question, right? Cloud is here since 2006, right? What changed now? So, what is changing is the speed, speed of innovation, speed, the number of people that actually build applications now, especially with the eye and the speed of building the applications, the speed, right? And why is the speed so fundamental? Yeah, so I like to use an analogy, right? Think about if you build the building in 2 years, right, and the inspection office comes to check the building 2 months before you have to tell them, 6 months before and they come to approve it, right? What happens if buildings get built in 2 hours, right? Every way, every approach, every tool, the basic mechanism to inspect buildings cannot work anymore. You can't come 6 months after the building doesn't exist, right?

The way you do inspection manually doesn't make any sense anymore, so the key thing about CNAPP now and the revolution in security is that we have to rethink how we operate; we have to move fast. We have to be self-service, and CNAPP now is all about how do I cover all aspects of security, not just a small portion, just vulnerabilities, just misconfigurations, just network. Or even now, we even look at code. All of those problems are connected. They're part of the building, right? If you need a tool that tells you within seconds this is your problem and you're building right now, you need a tool that understands all of the aspects of the building, and that's what CNAPP is getting to be.

First of all, a speedy self-service tool that a developer can use. Because we cannot assume a security person is going to be in the door of the building, right? We can't assume we have someone coming to review. We need to be agile, we need to be horizontal, we need to understand the entire building. So, self-service and understanding the entire building means we need the inspector now to uncover multiple aspects of security that used to be different markets, right? Why is it does it have to be one market? Because there has to be one tool. Why does it have to be one tool? Because the developer needs to answer right now, right? So, once you understand that, you understand you cannot have a window inspection and a door inspection. You need building inspection in 10 seconds, right? And that's the big change we're seeing now.

PC: I mean, you made a number of fascinating points and the go-to-market and sale to developers, I think is interesting. Let's touch on that in a little bit and just kind of wrap up the product side first. When we think about the different tools, I mean, I think your point you're making there is you need to tick all the boxes, you know, you can't just have one tool. So, do you now see customers purchasing posture management, advanced threat protection, runtime protection, shift left security, all concurrently, or is that a future state that we're not quite there yet, but that's where the direction of travel is?

AL: So, I mean that's, you know, the pendulum in security, right? There's always the discussion between the platform and multiple point solutions. The way we see it is that it's not about acquiring a suite. It's not about that. The point is this.  You're trying to secure an application; that's really what you're trying to do. The application is composed of code, it's composed of the pipeline that builds the code, and of course the cloud itself and the runtime. Historically, the application security was done in multiple, multiple tiers in multiple, multiple tools in multiple times. You had a tool looking at the code, a tool looking at the pipeline, a tool looking at the runtime, and of course the CSPN for cloud, right?

But the point is that if it's one application, and I need to look at all of those components immediately, we believe and history will tell that yes this will become a platform that covers an application, right? Now, is it currently the state? Not yet, not yet. I can tell you – I'll give you one example, okay? You currently have, if you look at the org structure, you have cloud security teams and you have application security teams. My thinking, and I do see it in some organizations, the cloud security and application security teams are starting to merge into cloud and application security teams, right? That's the first sign for this concept which says I'm trying to secure the building, right? I don't care if it's cloud posture or application posture. Why do I care? I'm the developer. I need answers.

PC: And then I guess, if we think about the market – go back to my prior point, public cloud is not new. Security of public cloud is not new either. I remember meeting the Evident.io team at RSA Conference in 2016. So, like nearly 10 years ago.

AL: Yeah, I agree.

PC: It's interesting, you know that we are where we are, that actually that there is still this multi-product adoption to happen and still education of customers.

AL: Very interesting, yeah, I asked myself that a lot of times. Like how, you know like, but think about it, organizations, org structures, it takes a lot of time to change, right? And if there is a fundamental perception in security, it can take years to change. And cloud wasn't the mainstream, even though you had Evident.io and Dome9, amazing tools 10 years ago, it still wasn't the core of the security team that was just, oh yeah, we also have clouds, so we also have this, cloud tool, right? But now it changed. In my view, what changed is that now the majority of your development is in the cloud, right? The majority of the developers are in the cloud, and now the core for how you operate should be cloud based, right? And that's what opens the way also for tools like Wiz to say, okay, wait, if now your majority of development is in cloud, maybe it's time to rethink.

PC: So, most of the audience on this call are investors. How much green space is there in the cloud security market, and I'm going to ask you, in the enterprise, maybe in the tech vertical, is tech vertical more advanced, and then I guess maybe the government vertical? Just like what is the green space, what is brownfield, and what do you think is kind of already, you know…?

AL: Yeah. So, I think majority of customers in the world today have some CSPM tool, right? So, I would say you can call it brown in the sense they have some tool, but I would call it the legacy tools, right? But in terms of what I call the unified CNAPP, right, this approach that you need one inspection for the building, right? This approach that I inspect the code and the cloud and the runtime together that's green, green, green. This is something that most companies don't have. Some of them are starting to think about this concept of cloud and upset, but that's completely green.

PC: Okay. And I was actually on the phone yesterday with an investor and we were remarking that the firewall vendors have of late talked a lot about their virtual firewall revenue, and we were kind of surprised that this is happening concurrently – you know, really explosive growth in the public cloud security market, CNAPP, but then concurrently the firewall vendors are saying, look, we've seen really good demand for virtual firewalls. Could you talk through where virtual firewalls would be applicable and then where they are clearly unapplicable in public cloud?

AL: Yeah, I think when we think about public cloud, right, we need to understand that if my entire strategy moves to securing the cloud, then everything I've done before, I need to rethink about it for cloud and that's why there's huge growth in cloud security and it's not just CNAPP; there will be huge growth in many areas. Virtual firewalls is just one example, right? And again, this is an area where you will have the cloud providers trying to provide solutions for customers, and the legacy network firewall providers will try to say, wait, it would be useful for you to use the same firewall across, and honestly the industry still doesn't know what's the right approach. It's still open for discussion.

I believe that just like CNAPP, because we are moving to multi-cloud and everyone are moving to multi-cloud, the security market, including network security, by the way, also including access security, including threat detection for cloud, right, these markets are huge because they're going to replace it out of the legacy data centre markets, right? So, I do think there is huge growth potential in network, in threat detection, in AI security, and everything is going to be on cloud.

PC: So, just to I guess, put a fine point on that. I think the audience will probably care most about enterprise and kind of mid-enterprise. So would you say that even a company that is like 80+% in public cloud will likely have some sort of firewall, virtual firewall at the point of ingress and egress?

AL: So, that's a good question. We don't know. Really, to be fully honest, we don't know the answer to this, right? The people using virtual firewalls today are mainly teams with a lot of legacy firewalls that extend their legacy firewalls to the cloud. That's currently what I see in the market, right? So, if I'm a brand-new customer, like a cloud native, cloud born company, usually I'm not using, usually I'm not using a virtual firewall. I'm used to use cloud native, right? So, it's a good question. Like we don't know the answer yet. Is it going to be also new companies because what we're seeing now, yeah, there is opportunity around native firewalls in the cloud, but it's mainly in my perspective existing customers that already have the firewall and they're just extending their knowledge. The people in their teams already know to use firewalls, you know, so they extend. I don't know yet the size of the opportunity in terms of new companies to use only cloud native firewalls and will come to a third party, and this is something the third-party network security companies have to prove, you know, to show that cloud native companies use them, not just the legacy.

PC: And, look, I think this is really fascinating. So, it's actually, can I ask you the same – because your insights, having been in the industry for a long time and as CTO of Wiz – can I ask the same question about endpoint. So, in terms of like placing an endpoint agent on a virtual machine, in an IAS environment. Does that make sense in some circumstances, or does that like…?

AL: So, yeah in my view, it doesn't make any sense to put an endpoint agent on a cloud native worker. Doesn't make any sense. I think that if, if you think about cloud when I say we have to reimagine security for cloud, it also means we have to reimagine endpoint and honestly threat detection for cloud, right? And by the way, threat detection for cloud in my view is a huge, huge market. It's bigger than the endpoint market. It's bigger, by the way, it's a huge part of the SIEM market. Because a lot of the logs from the cloud are actually a huge portion of the logs that go to the SIEM companies like, like Wiz that are cloud native companies, right, most of their logs are cloud logs in the SIEM, right? So, like the way I see it is that part of when we say we reimagine security for cloud, it's part of it is, okay, let's reimagine threat detection for cloud, obviously it's not going to be an endpoint agent. It's not going to be, and by the way, I don't think anyone thinks it's going to be an endpoint agent.

Even the endpoint companies understand that and most of them, if you look at what they're doing, they're trying to rebuild new agents just for that because I think everyone understands now that cloud security has to be built for cloud and not reuse existing tools.

PC: Okay, and your point there is that CWPP, a cloud workload protection platform, is a completely distinct category from, you know, using a traditional agent on a server, on a virtual server.

AL: I believe it is a completely, I would say the following. It used to be like that and it's going [gestures] like that, right? So basically, yeah, it's, it's, it's moving away in my view from the classic EDR to something that is much more cloud native. How do you do threat detection for a server expansion? How do you do threat detection for a container, right? What about an AI service? Well, how do you do threat detection for that, right? And the lines also it become blurry between SIEM for cloud, XDR for cloud, EDR for cloud, because maybe the suspicious activity came from an agent that is running an AI agent or maybe it's coming from a container or from a service. It doesn't actually matter for the company, for the customer, they just want solutions for the cloud security. And, by the way, it would help if this cloud security solution would understand how the developers operate and what is usually supposed to be happening in the environment. So, this is definitely not an endpoint solution. It's a cloud application security solution.

PC: Okay, and let me, let me go back to like our, you know, our core discussion point, the cloud security market and Wiz. Who do you see as Wiz's most significant competitors here? Is it, you know, Pal Alto Networks, CrowdStrike, the large cybersecurity companies that the investor audience will know? Is it Orca and best of breed companies? Is it the public cloud vendors, themselves?

AL: Yeah, so, for us no doubt that Palo Alto and CrowdStrike are the main competitors. And again, think about the market a bit differently, right? Don't think about CSPN, right? Yes, Wiz competes in CSPN, vulnerability management, CIEM, container security. Yes, all of those are just one small part of the bigger market that we are going after, which is cloud security. Cloud security contains also endpoint security for cloud, cloud logs security, right? So, the same portion of that, right? So, of course the main competition is Palo Alto and CrowdStrike, right? And they also understand that I think for all of the big security companies now, right, and we are very, very good partnership with Check Point on that. We understand that cloud security is the big market, right? All companies are trying to build dedicated solutions for that, taking legacy solutions and trying them in the cloud is not going to work and I think the industry understands that and so and we understand that and for me honestly just to be honest it's humbling that our competition is CrowdStrike and Palo Alto, but that is the case, right? Think about a company that uses CrowdStrike for all of their endpoints and uses Wiz for all of their cloud risk. And now the big question is, this customer, are they are going to deploy CrowdStrike on the cloud or Wiz in the cloud for threat detection, right? That's going to be the big – that's a big market. And we believe that the right approach is cloud native end to end, right? And that's what's going to be the interesting question in the market, you know, in the coming years. Let's see. I definitely believe that cloud native end to end is the right approach.

PC: And so I, I guess I'm not surprised you said Palo Alto Networks, it piqued my interest that you said CrowdStrike, because that one actually did surprise me a little bit more. If I had asked you the same question a year ago, you know, in mid-2024, would you give me the same answer, or do you think CrowdStrike has gotten better over that time?

AL: So, I think it's more about a bit of a growth of Wiz than changes on CrowdStrike. From the Wiz side, we as a company in 2020 started from a risk-based product that tried to change viability management, exposure analysis, identity, CSPM, secret scanning; but in the last two years, once our core cloud platform matured we're building what we call Wiz Defend, which is the threat detection tool that in our view will try to change the way cloud operates, how SOP team operates in cloud, right? So that's why for us, CrowdStrike and us are becoming a bit more competitive in the sense that we're trying to go after CWP market, right, which I believe is bigger than what we currently see in the numbers, much bigger, much, much bigger. That's why this is a green field, almost, because it contains all the cloud logs and all the cloud workloads and all of the budgets for SOC teams for doing cloud detection, right? And so what changed if you ask me from a year or two years ago is the Wiz focus on creating a platform that covers risk and threat detection, because we understand that what that's what the companies need. We believe that the layers that we have to understand, the application can allow us to build threat detection that is better than legacy.

PC: Okay, so, to paraphrase it back, your point there was it's Wiz’s maturation from being a kind of risk-based product to now being a kind of defense product that has put competition with CrowdStrike more at the forefront, that your kind of TAMs have overlapped, so to speak.

AL: Yeah, I mean, again, these are amazing companies and it's humbling just to even to say that on a call, but yes, that's correct, like threat detection, container security in cloud, right? And also now, as we said, CWP endpoint for cloud or Wiz Defense also covers cloud, right? That's correct. Like the main competitor on this kind of an opportunity on a customer, the best company today in the world to do this kind of threat detection and the most loved company today by SOC teams today is CrowdStrike, right. For sure we have huge respect to them, and I think that's why again for us – and also the for me personally – it is a humbling moment and these years have been amazing, but yeah, we believe that the ability to do threat detection in cloud depends on understanding the context of cloud which goes back to understand the developer of the code and the build pipeline and the context of the environment and not that you have experience in Windows malware.

PC: Yes, OK. And then, just zooming in Palo Alto, you call those two out, so, you know, what distinct advantages do they have, and then, maybe the kind of second part of my question is, versus both CrowdStrike and Palo Alto, why is Wiz winning? Because clearly Wiz is performing very well, but what advantages does Palo have, and then how is Wiz kind of winning versus these guys?

AL: So, Palo Alto invented the market. Palo Alto acquired the companies – you said you met Evident.io, right? And they acquired Twistlock – they invented the market, they were before we started, right? Palo Alto invented the market and were before us, and I think that allowed them also to get very good market position in leading companies, right, and they have a very complete set of solutions across network and remote access, and they moved very, very nicely from an appliance based company to a very, very holistic company, and I think that their numbers represented, right. So, the advantage of Palo Alto is that they were first. But the problem for Palo Alto, they're not a cloud native company, right? And this is an add on for their key stuff, and it's not what they focus on as a company. They focus on network and now they're trying to focus on SIEM. Cloud is not their key focus. And that's their problem also and CrowdStrike, the same. CrowdStrike is focused on the SOC, but they're very, very, very, very weak in understanding cloud. They're not a cloud born company, not a cloud native company, and they definitely didn't build everything they have around the cloud context, right?

So, I think this is basically, it's going to be a very interesting industry discussion of what is better for a company. Some companies would say for my SOC I want one tool across everything, and that's where CrowdStrike will win because CrowdStrike is deployed on the endpoint, right? Some companies will say my cloud is important to me and I want to have the best cloud platform across risk and threat detection, and that's where Wiz wins. And honestly, when you start thinking about your customers in the cloud, it is the developers and they prefer a tool that understands them, right? And Palo Alto wins especially because they have a huge suite and a lot of customers love them for their most complete offering in the market today.

PC: You touched on the partnership with Check Point, so let's just touch on that quickly. Do you mind just describing what the partnership is and what it's going to bring for the remainder of the year and onwards with Check Point.

AL: So, I think what we understand is the market is – and that's not even specific to us – that like you have CNAPP and you have network security and these markets are not colliding, okay? The expertise in CNAPP is very deep and the expertise in network security is very, very deep, right? So, customers need both. And the partnership with Check Point is basically saying, for Check Point customers, we want to give you the best solution in the market, integrating – and we're building very, very, very important and unprecedented integrations between Check Point and Wiz. So a customer uses both their Check Point protection for network and the Wiz cloud platform just gets the best of both worlds, right? And, and especially the focus, think about it.

As a Check Point customer, Check Point comes to you and tells you, we will give you the end to end solution with the best of breed. Our focus is what Check Point does best, and Wiz complements with their focus on cloud. So, I think this is a very unique moment in the industry. Usually companies don't say that, okay? That's why I think this is a customer focused decision, right, to say: yes, we actually want to bring you the best of breed; we're not going to give you just something because we want to sell you the sweets, because we care about the customers and that's why I'm excited about it.

I also think it shows you that network security and CNAPP are not merging, okay? They're not merging. They're actually two, because it's so deep. Unlike threat detection in cloud which I believe is going to become part of CNAPP, right? Network security, no. The competition and network security is with the CSPs, right? That's because they own the network and they have an advantage, so that's, I think from a, like, industry directions perspective.

PC: And if I'm a customer of Check Point now and Wiz now, can I adopt Wiz plus Check Point as of today?

AL: Yes, and more than that, what we are building now are integrations that that no one ever had across their network firewalls and their cloud security. So, think about each of the solutions can actually work together. We can see the Checkpoint configurations where they're deployed, how they impact the network, and even build actual use case where you can actively change the file configurations based on risk, right? So there's a lot of very exciting use cases we're thinking about to provide just the best use cases for customers that use both.

PC: I see we've only got 3 minutes left. I want to do a hard pivot. When I last saw you at RSA Conference, you were talking about MCP, Model Context Protocol.

AL: Yes.  

PC: I must confess I hadn't heard those three letters before RSA and then I literally came out that week hearing about it at every single meeting, so I guess, can you just talk about, maybe just very briefly, like a one liner on what MCP is, and then also why were you talking about at RSA? Like what is this MCP mean for security, what does it mean for Wiz?

AL: Yeah, so it's actually pretty simple. The way I see it is this. We talk a lot about AI all the time, right? But in reality, the product called AI agents, like a ChatGPT, okay, is a bit weird because it doesn't connect to all my stuff, right? It's just it's like a search engine, but it doesn't know anything about me. So, most of the questions I want to ask as an enterprise security person are about my tools, my environment, right? And the idea is that, okay, I have an agent. How do I connect my agent to all of my stuff, right? And Wiz is one of my tools, right? But I would love to connect all of my tools, right, maybe Wiz, maybe CrowdStrike, maybe Jira, maybe Palo Alto. The way that an AI agent can connect to your existing tools is called, the protocol is called MCP, and every tool and every enterprise tool today that wants to enable the users to use it needs to basically implement MCP. So, we see our customers now, our security teams now, creating flows that are much cooler than just summarizing emails, okay? Actual flows that say get the risk from Wiz, send it to Jira, go to GitHub, prepare the code fix, push the code fix. The only way you can do this kind of flows that are really fundamentally changing enterprises is by using MCPs to these different tools.

PC: And then, how Wiz fits in that. Is there a new product, like a separate SKU?

AL: So, first of all, the MCP of Wiz doesn't cost additional money, it's just a way for customers to consume with, right? Think of it as the interface, right? The reason we invest in that, we want to enable the security teams to use Wiz in an AI enabled way, right? Also, Wiz fits in the AI, what we call AISPF, the AI security market because we see everything in the cloud, so we don't cover all of the problems of AI, but we cover one problem which is what's going on. That's, that's what, what we can help you. Where do I have AI in my cloud environment. It doesn't answer questions like, who is uploading sensitive data to ChatGPT, but it does answer the question, where do we have AI in my company? That's where Wiz fits as a product, but the MCP for us, it's before anything product related, right? Yes, we do have a product for AI security, AI discovery, and it's part of cloud, in my view. But before that I want to enable the teams to use AI, right? To use Wiz in an AI way and that's why we're part of the MCP movement.

PC: Fantastic. I mean, this 35 minutes has whizzed past. I want to thank you. We talked about the state of the public cloud market as of June 2025. Really interesting conversation around kind of competition and the advantages of Wiz. And I thought your points just then on emerging technologies like MCP and how they're reshaping the industry were fascinating. So, thank you, Ami from Wiz, for coming to Scotiabank's 2025 Technology Conference. I really, really appreciate it.

AL: Thank you.

PC: Keep up the good work.