Orca Security this month moved into API security with its first-ever acquisition: RapidSec, an Israeli cybersecurity startup that protects web applications from client-side attacks.
The companies did not disclose the financial terms of the deal. RapidSec raised $500,000 in a pre-seed funding round in 2020.
The acquisition comes on the heels of Orca’s $550 million extended Series C round, which boosted its valuation to about $1.8 billion. “And there might be others in the future,” Orca Security CEO Avi Shua told SDxCentral.
“The main parameter for us when we look at M&A is the ability to have a real integration into the platform,” he said. “It’s very easy to buy companies. It’s extremely hard to integrate them in a way that’s valuable for the customers.”
Shua wouldn’t provide any more details about which kinds of security technology and startups would make attractive acquisition targets. “But we are in active pursuit for such opportunities,” he added.
RapidSec built agent-based software that detects web-application misconfigurations and deviations from best practices. Orca plans to integrate these web services and API security technologies into its agentless cloud security platform, Shua said.
“So unlike the current agent-based deployment that they have, we will integrate it to our SideScanning capability so our customers will enjoy dramatically better security in this area,” he said.
Orca’s SideScanning technology is its secret sauce. It provides visibility and protection across cloud workloads and assets without installing any agents. And unlike agents, SideScanning doesn’t inherit the permissions of the workloads it scans. So, for example, Orca can scan a cloud environment that’s running a banking system without permission to access the customer data.
Orca Expects More API Security M&A
API calls represent the majority of web traffic. A frequently cited Akamai study puts it at 83%. For this reason, VMware’s security chief Tom Gillis calls APIs “the future of networking,” and this makes API security an increasingly important tool in protecting corporate data and systems.
That is also why VMware bought Mesh7 last year and used its technology to build its new API security capabilities. Other large vendors, including Cisco, have said this technology ranks high on their list of acquisition targets, and companies that provide API security, including Salt Security and Traceable, have raised millions of dollars in venture funding.
Shua said he expects to see more market consolidation as standalone API security vendors ultimately become part of a larger cloud-security stack. He compares it to the next-generation firewall market 12 years ago with its established firewall vendors and point solutions providing individual components such as intrusion detection and prevention, sandboxing, and web filtering.
“At the time, each of the point solutions claimed there is a reason to buy a dedicated solution,” Shua said. “If you look retroactively, all of them died a horrible death.”
Customers prefer consolidated platforms, he added. “Customers cannot afford to use that many solutions,” Shua said. “They’re looking for platforms that share data, that provide context, and they believe that API security will converge into the area of the more comprehensive cloud security platform.”
“If you buy a point solution database security tool, it will tell you the API is insecure,” he continued. “The identity and access management tool will tell you that it’s overly assigned privilege, and maybe a posture management tool will tell you if the surface is exposed. And you need to connect the dots yourself to understand that you have a critical attack vector — that there is an insecure API exposed to the internet that exposes access to all of your data.”
Customers don’t have the time or the human resources to sift through all of these alerts, Shua said. “But when you do it in one platform, the platform can connect the dots by itself to provide a higher level of insights.”
Shua doesn’t expect standalone API security startups to all be acquired in the next year. “But I believe that within a few years these markets are going to be converged.”