BitSight Technologies Inc., a startup helping enterprises and government agencies assess the effectiveness of their cybersecurity efforts, today disclosed that it has raised $250 million in funding at a $2.4 billion valuation.

The funding was provided entirely by Moody’s Corp., one of the financial sector’s three major credit rating agencies. In conjunction, BitSight says it has acquired VisibleRisk Inc., another cybersecurity startup backed by Moody’s with a similar focus on helping companies measure whether their cybersecurity initiatives are effective.

BitSight provides a platform that maps out all the technology assets in an organization and determines if any of the systems contain vulnerabilities. The platform flags cloud instances with misconfigured security settings, as well as software-as-a-service applications used by employees without permission from the information technology team. In a company’s on-premises data centers, BitSight flag systems accessible through the open web, while firms with “internet of things” fleets can determine if any of their connected devices may be susceptible to cyberattacks.

The platform turns the results of vulnerability assessments into a cybersecurity rating ranging from 250 to 900. The higher the rating, the better a company’s network is protected against hacking attempts.

BitSight says its platform is used by more than 2,300 customers for a variety of purposes. Large organizations rely on the startup’s technology to scan their sprawling IT infrastructure for vulnerabilities systems that may have escaped the notice of the cybersecurity team. An enterprise carrying out an acquisition can use BitSight’s technology to evaluate the network security of the firm it’s buying and fix potential weak points. 

Some companies use BitSight to assess the cybersecurity of external organizations in their business ecosystems, such as suppliers. Companies often share sensitive business with another one as part of partnerships. With BitSight, an enterprise can evaluate the network security of the firms with which it’s sharing business data to fix vulnerabilities that may indirectly put its information at risk of a cyberattack.

VisibleRisk, the startup that BitSight has acquired in conjunction with the funding announcement, focuses on the same area. It exited stealth earlier this year with a platform that helps organizations uncover whether parts of their IT infrastructure may be vulnerable to cyberattacks.

VisibleRisk brings several capabilities to the table that will boost BitSight’s platform. One is a feature for estimating the financial impact of a potential data breach, information that can ease tasks such as setting cybersecurity budgets. The technology will enhance BitSight’s existing Financial Quantification tool for measuring the potential losses that could be caused by a cyberattack.

The technology VisibleRisk uses to measure the effectiveness of companies’ cybersecurity was another factor behind the acquisition. The startup analyzes technical data about a firm’s breach prevention systems and runs simulated hacking attempts to find weak points. VisibleRisk also takes other factors into account, including information on a company’s organizational processes for addressing breach attempts. 

“VisibleRisk’s data collection capabilities — including its proprietary, automated technical collection tools that gather internal data — complement and enhance BitSight’s external observations to deliver an enhanced view of organizational security performance,” BitSight Chief Executive Officer Steve Harvey wrote in a blog post today.

The acquisition of VisibleRisk is part of a broader growth plan that BitSight plans to pursue following its new $250 million funding round. The startup is also setting up a new Risk Solutions Division that will supply cybersecurity insights for Chief Risk Officers, other senior executives and boards of directors. Moreover, BitSight is teaming up with Moody’s to make cybersecurity risk data available through the credit rating agency’s risk assessment offerings.

“Cybersecurity was once an ‘IT problem,'” Harvey wrote. “No more. The market now recognizes the urgency of cybersecurity. It is a risk that cannot be ignored and must be evaluated and priced into every market transaction.”

BitSight has raised more than $400 million to date including the new funding round from Moody’s. The credit rating agency is now the startup’s largest investor. Its last round was a $60 million Series D in June 2018.

VisibleRisk, in turn, had raised $25 million in funding prior to the acquisition. 

Image: BitSight