Bigger, Faster, Stronger: The New Standard for Public Cybersecurity Companies

Babe Ruth couldn't be a professional baseball player today.

Wait, how is that possible?! How could a person who hit 714 home runs and won seven World Series championships — widely regarded as one of the greatest baseball players of all time — not cut it in the big leagues?

Babe Ruth played professional baseball from 1914 to 1935. His prime was 100 years ago. A guy like him could eat dozens of hot dogs in one sitting, chain smoke cigars, get plastered every night, and still be a superstar athlete because fortune granted him enough natural ability.

Fast forward a century, and Mike Trout is the gold standard of the modern baseball era. His training regimen is social-media-famous: 54-inch box jumps, weighted tire rolls, medicine ball sprints — you get the idea. Babe Ruth would have needed a ladder to get on top of a 54-inch box.

Athletes get bigger, faster, and stronger with every successive era. It's the same story for companies in the cybersecurity IPO pipeline, too.

General Motors, the Babe Ruth of companies in the 1920s, had an inflation-adjusted market cap of about $9.1 billion in today's dollars.¹ Two private cybersecurity companies (and seven public ones) have a higher valuation today. Palo Alto Networks alone is worth over 10x more.²

How did this happen? Part of it is evolution, and part of it is because we know how to make better athletes and companies.

Time passes. Expectations change. Methods improve. Competitors get better. The standard of performance gets higher. The game gets harder. It's a never-ending cycle of progress.

Let's talk about why benchmarking performance matters and what the current standard is for cybersecurity IPOs today.

Benchmarks are an input to better decisions

Why does it matter to know what the standard of performance is in the first place? Anyone involved with a cybersecurity company in the IPO pipeline (and public companies, too) needs to know the standard they're being measured against. Life-changing decisions get made based on these benchmarks.

It's the equivalent of knowing your draft status in sports: you need good advice and statistics to make the right decisions. A high school pitcher with a 71 mph fastball, a 5.34 ERA, and an overinflated ego shouldn't to skip college and enter the draft if their performance isn't good enough to get drafted yet.

It's personal for thousands of people in the industry. Readers of this article (maybe even you) lead, work for, or invest in later-stage cybersecurity companies. I have consulting clients who are navigating this exact situation. It's very real.

Making the right decisions can be transformative. Making the wrong ones can be catastrophic.

So, what exactly are the expectations for cybersecurity companies in the IPO pipeline? That's the billion-dollar question we're going to answer.

The first part of the equation requires zooming out to look at the entire software industry. Cybersecurity is just one part of a larger tech ecosystem. Only looking at companies in our industry is equivalent to only looking at the stats for players on your favorite baseball team. They might be the worst team in the league.³ The performance of everyone else in the league matters. Same situation here.

One source source we'll reference is the Battery Ventures State of the OpenCloud 2023 report, which shows benchmarks from three recent cohorts of software IPOs:

The other source is Jamin Ball's Clouded Judgement publication. Two articles go into immense detail about benchmarks for public SaaS companies. This table summarizes the benchmarks for all SaaS IPOs from 2018 to mid-2020:

The second part of the cybersecurity benchmarking equation is looking back at the performance of previous cybersecurity IPOs. The combination of software industry and cybersecurity-specific benchmarks gives us a pretty good idea about the market's expectations for performance.

Next, we'll take a tour of cybersecurity's IPOs through the eras and compare them to today's software industry benchmarks. And Taylor Swift. Seriously.

Eras Tour: Cybersecurity's Version

I know, I know...the Taylor Swift reference was right in front of me here. I had to do it.

Just like the stylistic evolution of Taylor's music⁴, the cybersecurity industry has had distinct economic eras — all with different expectations, metrics, and vibes.

The Battery Ventures report has a perfect definition of the recent eras in software:

Cybersecurity is a lot smaller sample size than the overall software market, so I added the Dotcom Bubble (1995-2002) and Post-Dotcom to Great Recession (2003-2009) eras to the analysis. Here's our setlist, eras and all:

So here we go — you've got your ticket to the Eras Tour (Cybersecurity's Version). Let's take the stage and jam through the eras. You can wear sparkles if you want.

Dotcom Bubble (1995-2002)

The dotcom bubble was a wild and frenetic era for tech company IPOs. Webvan (RIP) peaked at a $1.2 billion valuation, burned through a billion in capital, and went bankrupt two years later. And that's just one story.

Cybersecurity companies had much more modest debuts on public markets during this era. Check Point and Radware were our only two IPOs. Here's how they were doing at the time of IPO:

Check Point went public with $31.8 million in annual revenue. That's over $600 million under the IPO standard of today (and a shade under the revenue Palo Alto Networks earns in a single business day!).

Both companies had good margins. EBIT margin was 25%, which easily puts them among the top IPOs in today's era.

Ironically, both Check Point and Radware survived the dotcom collapse and remain on public markets today. Check Point is still one of the largest cybersecurity companies in the world. There's always room in public markets for solid companies.

Post-Dotcom to Great Recession (2003-2009)

The time between the dotcom collapse and the Great Recession is our sad, emo era. Fortinet and Commvault were the only pure cybersecurity companies that went public:

A lull in cybersecurity and tech IPOs is a bummer, but Fortinet is an excellent consolation prize. It's turned into one of the best and highest-valued cybersecurity companies today, transcending eras to become a generational company.

High-Burn / High-Growth (2012-2020)

The High-Burn / High-Growth era is better known as the ZIRP era. Nearly a decade of low interest rates caused a spike in hyperscaling and IPOs.

This was like the steroid era of baseball. Performance was inflated by ZIRP. We had a bull market. Growth companies had high valuations. High-profile breaches started reaching mainstream media. And so on.

The IPO numbers speak for themselves — 27 pure cybersecurity companies went public during this era⁵:

Metrics for this cohort were a sign of the times. Cybersecurity's ZIRP companies went public when investors valued growth more than profitability. The metrics show.

Average LTM revenue at IPO was $173 million, which is far higher than cybersecurity companies in the dotcom and post-dotcom eras. It was relatively in line with median revenue benchmarks ($193) from Clouded Judgment. However, revenue was less than half of the late ZIRP era (2018 onward) standards from Battery Ventures.

Profitability (EBIT Margin) was in line with Clouded Judgment metrics, and way below current expectations of break-even or low single digits. Blame it on sales and marketing — spend in this category was 22% higher than today's standard. Yep, steak dinners drove overall EBIT margins 29% lower.

"Faster" was the emphasis in the "Bigger, Faster, Stronger" trifecta. Grow fast and you'll get bigger and stronger later, they said. The next two eras taught us why this was an empty promise.

High-Burn / Slowing-Growth (2021-2022) and Expense Management (2023)

KnowBe4 and ForgeRock were the two large-cap cybersecurity companies that went public during the High-Burn / Slowing-Growth era of 2021-2022. Here are their metrics at IPO:

The two eras from 2021-2023 are interesting because of acquisitions and take-privates, not IPOs:

Nine (!!!) public cybersecurity companies from the High Burn / High Growth era of 2012-2020 were taken private or acquired.

Stated differently, nearly 50% of the cybersecurity companies who went public during the previous High-Burn / High-Growth era were either acquired or taken private during this High-Burn / Slowing-Growth era.

Both KnowBe4 and ForgeRock also ended up being taken private quickly. They each survived public markets for less than two years. In baseball terms, they were the Mark Prior of cybersecurity public companies — full of early promise, then gone in a flash.

There was nothing notably wrong about either company's metrics compared to IPOs from the High-Burn / High-Growth era — emphasis on the "compared to" part. They were doing fine compared to past eras, but nowhere near the new expectations the market set for burn and growth.

The game evolved. KnowBe4, ForgeRock, and nine other companies found themselves watching the game from the bench.

The Expense Management era of 2023 brought nothing but pain: just more take-privates, layoffs, and valuation hits. It's like when the Florida Marlins won the 1997 World Series with a huge payroll, then cut it to $16 million in 1998. Nobody likes expense management, but sometimes it's the best strategy.

Encore: the Low-Burn / High-Growth era

We're not ending this show with expense management, right?! BOOOOOOOOOO!!!

No way. That would be like ending a baseball game on a walk-off balk call.

It's time for the encore. Welcome to the Low-Burn / High-Growth era. It's going to have our biggest hits yet.

Here's the description of this era from the Battery Ventures graphic we saw earlier:

Once companies manage expenses, we will soon see a convergence to the long-term target of 30% operating margins. As growth returns, highly-profitable, high-growth companies will return. The era of $1B B2B software companies is here, and with >30% operating margins and efficiency built in, we will see higher quality franchises.

A practical way to translate this is: you can't control growth, but you can control expenses.⁶ This means free lunches, massage tables, and unlimited expense budgets are probably gone, or at least limited. Complain to your CFO — I'm just the messenger here.

But seriously, I've spent a lot of time working in $1B+ B2B companies with >30% operating margins. Trust me, it's great when your company is making a lot of money, profitable, and manages it well.

We don't have visibility into IPO pipeline company metrics, but our currently public cybersecurity companies are a decent stand-in:

The 13 pure cybersecurity companies on public markets today are a mixed bag.⁷ On average, we're comfortably above IPO-level expectations for total revenue, margins, and operating expenses. We're lagging on growth and net dollar retention. Valuation metrics reflect both — our 8.1x multiple is above the SaaS IPO median and below the 2023 IPO metrics.

Getting to today's standard of software industry performance means being bigger, faster, and stronger. It's about balance and temperance, not overdoing one of the three. Higher standards are painful at first, but they're better in the long-term.

Don't believe me? Let's go back to our baseball anecdote. There are more total home runs in Major League Baseball (MLB) today than there were during the steroid era.

We don't have two players (Mark McGwire and Sammy Sosa) crushing Roger Maris's 61-homer record in the same season, nor do we have Barry Bonds hitting 73.⁸ We do have remarkable league-wide production, though.

Six of the seven highest home run rates per game occurred between 2016 and 2021. During the same period, the Minnesota Twins (2019) and Atlanta Braves (2023) both set the record for home runs by a team during a single season at 307.

Baseball players in today's era have better fundamentals. They're a balance of big, fast, and strong. The right balance is why we're seeing consistently high levels of performance at a team and league level.

This baseball anecdote is exactly what the Low-Burn / High-Growth era in the cybersecurity industry is all about. We're going to see fewer hypergrowth companies getting all juiced up for big IPOs, then withering two years later.

Instead, our IPO pipeline and public markets are going to have highly scaled, profitable, and resilient companies. They're going to endure and thrive in public markets. And our entire industry is going to reach new levels of performance.

The blitzscaling and hypergrowth of the High-Burn / High-Growth era wasn't a revolution or transformation of business models — it was just an era. Durable cybersecurity companies have been built across each of the eras. The important part is to understand how to use the best of the era we're in to build the biggest, fastest, and strongest companies we can.


Acknowledgements

Thank you to the team at Battery Ventures and Jamin Ball at Clouded Judgment (Altimeter Capital) for the heavy lifting on software IPO benchmarks. This cybersecurity iteration wouldn't have been possible without building on top of their work.

Footnotes

¹Cybersecurity companies obviously didn't exist in the 1920s, so I went with one of the top companies from the industrial era instead.

²And then there are mega-caps like Apple, Microsoft, and others who have multi-trillion-dollar valuations. Palo Alto Networks just achieved its first $100 billion valuation earlier this month, so it's a little early to start talking about trillion-dollar valuations in cybersecurity. But we can dream.

³I'm a Chicago Cubs fan, so I know what it's like to cheer for the worst team in the league. (Historically speaking, but not anymore! Go Cubs Go!).

⁴Okay, "just like" Taylor Swift is a stretch. Cybersecurity's business eras also have far less appeal in pop culture. The Venn diagram of Swifties and readers of this article is probably close to zero.

⁵Including companies which are now delisted and small cap/non-traditional listings.

⁶It's fine to control expenses. Just don't overdo it. There's a great Ruth Porat (now the Chief Investment Officer at Alphabet) quote about this: "You can't cost-cut your way to greatness."

⁷Our current situation even more nuanced than the chart shows. Palo Alto Networks, Fortinet, CrowdStrike, Check Point, and Okta skew the average metrics by a lot...but that's another article.

⁸Yes, Yankees fan — I know Aaron Judge hit 61 home runs in 2022. We still get high individual numbers once in a while. The point is the entire league is more balanced, which leads to a higher total across the board.