Omdia view


Content delivery network (CDN) Fastly has announced the $775 million acquisition of application security vendor Signal Sciences. Fastly already offers a range of security services, but Signal Sciences will bolster its portfolio. Omdia sees Fastly joining the CDNs that lead with, or at least feature prominently, their AppSec capabilities.

Signal Sciences anchors a broader Fastly secure offering

Founded in 2011 and listed on NYSE since 2019, Fastly is a challenger in the CDN market, with revenue still under $100 million and going up against the likes of Akamai, Cloudflare, and Limelight. To be more precise, while it started out in web acceleration and content delivery, in recent years it has pivoted to become an edge CDN, that is, a provider of cloud services from multiple (hundreds of) mini data centers instead of a handful of big ones as in the traditional communications service provider (CSP) model.

Signal Sciences has a total of 265 customers, of which 60 are in the enterprise category, and 70% will be new to Fastly, according to the acquirer. The list includes Duo Security (a division of Cisco), Datadog, Under Armour, Twilio, SendGrid, Splunk, and DoorDash. Underscoring the rationale for the acquisition, Fastly plans to make Signal Sciences the core of a new security offering called [email protected], which it sees as complementing, as well as integrating with, its [email protected] offering.

As for its technology, Signal Sciences nowadays leads with its web application firewall (WAF) offering, labeling it a “next-gen” WAF because of its ability to block rather than merely monitor, a stage old-school WAFs often failed to graduate beyond, it argues. In earlier times (the company was founded in 2014) more attention was paid to its runtime application self-protection (RASP) technology.

After initial promise, RASP failed to fly

RASP puts an agent on the server (physical or virtual) or, in the case of a mobile app, on the device on which an application runs in order to monitor its operation and detect any anomalous behavior indicative of compromise, at which point it can take remedial action. Hence the “runtime” in its name, and the suggestion that RASP could be more effective, and efficient, than network-based security.

Despite its early promise, however, RASP struggled to gain large-scale adoption: it was overly compute-intensive, could often add latency to the application’s performance, and was prone to delivering too many false positives. A couple of the early entrants in the market were acquired in 2018 (Imperva bought Prevoty and Rapid7 purchased tCell), and the remaining players, like Signal Sciences, began to focus on other capabilities, particularly in WAF. The vendor currently offers WAF, protection from account takeover (ATO), API security, bot management, distributed denial-of-service (DDoS) mitigation, rate limiting, RASP, and security for serverless environments, with RASP well down its list.

Meanwhile Fastly’s security services span WAF, DDoS mitigation, bot management, TLS encryption and compliance, so while there is some overlap, the CDN clearly thought the new customers and additional capabilities made it worth the hefty price tag. Having gone public in April last year, it could presumably afford the $200 million in cash, with the remainder in stock, that it paid for Signal Sciences and felt this was a good time to make such a move.

Security is a natural extension business for CDNs

Fastly is moving into the ranks of CDNs that tout their security capabilities. The sector’s 800lb gorilla Akamai really started this process in the middle of the 2010s with its KONA DDoS protection service, initially focused on the big Wall Street banks that had been hit by the Operation Ababil attacks in 2012/13. Since then it has expanded into all the areas, such as bot, API, and WAF, that Fastly will now be able to offer with its security services. Security is now Akamai’s fastest-growing business and the one on which it pins its hopes of further expansion.

Cloudflare is perhaps an even more glaring example of this trend. Without a huge business in rich media, it can almost be thought of as a security company that delivers its services via a CDN, and it clearly leads with security as its primary value proposition for enterprise customers.

Fastly will now need not only to launch its broader security portfolio and raise its profile in a busy market but also to articulate how its expertise in supporting edge computing makes its security offerings particularly relevant and advantageous compared with what else is on the market.



Rik Turner, Principal Analyst, Cybersecurity
