It seems like everywhere you look in (and around) the cybersecurity industry right now, there's a billion-dollar-something event happening.
We've had seven cybersecurity-related M&A transactions over a billion dollars already this year.¹
Wiz raised a billion-dollar financing round.
Cyera became our first new unicorn since 2022.
We finally had a cybersecurity-related IPO with Rubrik going public at a $6.6 billion valuation.
There are more companies with a billion dollars of cybersecurity revenue and billion-dollar valuations than ever.
And the year isn't even half over yet.
Each of these billion-dollar events and milestones is significant by itself, but I think they're a sign of something more for the rest of the cybersecurity industry.
We're functioning in "billions" now. Billion-dollar financing rounds. Billion-dollar acquisitions. Billion-dollar revenue.²
That's a stark departure from where we've historically been. Cybersecurity didn't use to be a billion-dollar type of industry. We're more of the "cheeseburger and a beer at the neighborhood restaurant" crowd than a five-star Michelin restaurant type.
There's room for the entire spectrum of companies, of course. Plenty of smaller private companies have and will keep doing just fine at the thousands-to-millions scale. For mid-sized companies, the $130-ish million M&A exit median should remain consistent.
Cybersecurity is too big of an industry for its dynamics to change overnight.
But for cybersecurity companies who either are big or aspire to be, the new scale is going to be billions, capital B.
There's a lot to unpack here. Let me show you what I mean...right after we talk about beer.
Balance sheets and capitalization strategies have a shelf life
New Belgium Brewing started off as un-scaled as it gets. The company started as a home brewing project by Jeff Lebesch and Kim Jordan in 1991 after biking through Belgium and enjoying the beer a little too much.
Their beer was popular (and tasty), but the contrarian business model and operations changed the game in craft brewing. Breakthroughs included sustainable brewing at scale and, more famously, becoming 100% employee-owned in 2012.
They continued to expand independently, including a second east coast brewery in 2016. New Belgium was one of the most popular craft breweries and a role model for independent companies everywhere.
...until they shocked the world and sold the company to Lion Little World Beverages (Kirin Holdings) in 2019. The sale ended New Belgium's status as an independent craft brewery — and its employee stock ownership program (ESOP).
The decision came down to multiple factors, one being a tension between the cost of maintaining the ESOP and the executive team's ambitions to continue growing and scaling the brand and operations.
"Balance sheets and capitalization strategies have a shelf life," said Steve Fechheimer, the CEO of New Belgium Brewing since 2017.
Lion Little World Beverages has since merged New Belgium with Bell's Brewery, another iconic craft brewing operation. You've heard versions of this strategy before: expanding the product portfolio, operational efficiencies, and entering new markets.
Only now, their goal is to do something that's never been done before in the industry. The combined company is trying to become the leader of the U.S. craft beer market while becoming a certified B Corporation and carbon neutral by 2030.
They wouldn't have been able to do this without financial backing, stability, and other strategic moves that just weren't accessible as an employee-owned company.
This feels so, so similar to the place many cybersecurity companies are at right now.
Let's continue by talking about billion-dollar revenue scale (that's the real end game, not billion-dollar valuations), then work backwards through financing and M&A as two of the primary levers for getting there.
Billion-dollar revenue
A billion dollars of revenue has been surprisingly elusive in the tale of cybersecurity so far.
There are only eight pure-play public cybersecurity companies with $1 billion or more in annual revenue today. Even if we stretch the scope a little to include the extended cybersecurity ecosystem (hybrid companies with a material part of revenue coming from cybersecurity), the total only goes up to ~14, depending on how you classify the hybrid companies:³
It gets a little higher if you include large and mega-cap tech companies (like Microsoft or Cisco) and private companies (like PwC and Deloitte), but the number is still only around 40 companies.
No matter how you count it, there aren't very many companies who have ever hit $1 billion in cybersecurity revenue. Roughly speaking, it's something like 0.2% of companies that have ever existed.
Enough context, though — what does this mean for the industry?
As I wrote in Bigger, Faster, Stronger: The New Standard for Public Cybersecurity Companies, a billion dollars in revenue is probably the new standard for durable public companies, cybersecurity or otherwise. It's not just me — you can find people talking about this all over recent earnings calls and behind closed doors at later-stage companies.
There are ~100 (give or take) other public companies out there in the cybersecurity ecosystem with less than $1 billion in revenue, and nearly the same number of VC- and PE-backed unicorns who have expectations of scaling.
Put another way, there are five times more companies with expectations of billion-dollar revenue scale (~200 late-stage companies alone) than those who have ever achieved it (~40 at best).
I want to mention two anecdotes about the impact of revenue scale on public cybersecurity companies to help make the point.
So far, only three of the 28 formerly public cybersecurity companies who have been taken private or acquired had over $1 billion in revenue: Splunk ($4.2B), McAfee ($1.8B), and Proofpoint ($1.05B).
A common theme across companies who have been taken private by private equity firms is...you guessed it: scaling revenue to $1 billion as a private company.
On the other side of the spectrum, all seven of the "A-List" (highest performing) companies in the cybersecurity ecosystem I mentioned in Cybersecurity's Class Conundrum have over $1 billion of revenue. The average was $3.2 billion (TTM) at the end of calendar year 2023.
There is an undeniable connection between revenue scale and valuation for our public companies (SentinelOne and CyberArk⁴ are the notable exceptions). We have some great public and private companies under $1 billion in revenue, but they're all under pressure to get there.
Both of these stats are anecdotal, but they give you a rough idea about the current vibe of billion-dollar revenue scale in public markets.
So, what did these companies do to reach $1 billion in revenue? A lot of things, including raising a bunch of capital. Let's talk about that next.
Billion-dollar financing
Cyberstarts partner (and investor) Gili Raanan put it bluntly when talking about Wiz's recent $1 billion round:
"It is expensive to build important cybersecurity companies."
Yes it is, Gili. Yes. It. Is.
$1 billion is the second-largest single round raised by a cybersecurity startup after Lacework's (now both ominous and ironic) $1.3 billion Series D round in 2021. These are the only two individual venture rounds over $1 billion in cybersecurity history.
The $1.9 billion of total financing Wiz has raised is easily the highest amount of any cybersecurity startup other than Lacework:
Netskope is a distant ~$500 million behind those two. We're definitely going to see more large rounds being raised by companies in cybersecurity's IPO pipeline, but it's hard to imagine anyone surpassing Wiz.
Why? Their most recent round alone was more money than any other public cybersecurity company raised in total before IPO. And it's not even close.
SentinelOne raised a total of $696.5 million before it went public in 2021. CrowdStrike raised $481.2 million. Okta raised $230 million. Palo Alto Networks raised $65 million.
We don't have enough financial data to definitively say it costs more to build a public cybersecurity company these days (for private companies, we don't know how much capital they're spending and what's still in the bank). It's definitely accurate to say companies are raising more, though.
For Wiz and others, raising over a billion dollars of capital from financing or IPOs still isn't enough. It's tough to hit a billion dollars of annual revenue organically — especially at the growth rates both private and public market investors expect.
This is the part where M&A enters the picture. Let's talk about that next, billion-dollar style.
Billion-dollar acquisitions
The TL;DR of the entire history of cybersecurity M&A by strategic buyers (companies, not PE firms) is basically this: a relatively limited group of companies have made a handful of acquisitions at $250-400 million per deal, and usually far less.
Billion-dollar acquisitions have been incredibly rare. Rare, as in ~70 total transactions of any kind (PE or strategic) over $1 billion in the history of the cybersecurity industry.
Roughly half of the acquisitions were done by strategic buyers. With few exceptions (Okta buying Auth0 is one, and CyberArk buying Venafi is another very recent example), most of the buyers who have spent over $1 billion on an acquisition are large or mega-cap tech companies (like Cisco).
Most companies under $1 billion in revenue aren't going to be doing billion-dollar acquisitions — unless you're Wiz, who reportedly tried buying SentinelOne (valued at $4.9 billion at the time). Seriously though, $350 million and (very much) under is the typical range for subscale cybersecurity companies.
All of this is going to change, though. The frequency of billion-dollar acquisitions from strategic buyers is going to keep increasing. This is already a trend — 19 cybersecurity-related companies have been acquired by strategics for over a billion since 2020:
There were 23 cybersecurity-related transactions over $1 billion from 2010-2020. We're 4.5 years into this decade, and we're already close to even with the previous one.
Here's my less obvious prediction: we're going to see more merger-like transactions among (relative) peers to create companies with billion-dollar revenue scale.
The clues are already out there (a few are in the table above). Cohesity agreed to acquire Veritas's data protection business for $7 billion in Q1 2024.⁵ Exabeam and LogRhythm just merged in an undisclosed-but-definitely-over-a-billion sized deal. Most recently, CyberArk acquired Venafi for $1.5 billion.
The strategic drivers behind each deal were different, but the common theme is billion-dollar transactions creating billion-dollar revenue scale.
The shelf life of subscale cybersecurity companies is ending
Gokul Rajaram broke a small corner of the internet a couple months ago by highlighting some research on subscale IPOs. The punch line: companies with under $700 million ARR underperform (have negative absolute returns, on average) after going public.
The ensuing uproar led to some follow-on analysis that reached a slightly different but harder conclusion: companies can go public at subscale revenue numbers (<$500 million), but they need a compound growth rate of 50% for a clear path to $1 billion in revenue within five years.
So, either way you look at it, the current expectation for public company revenue scale is around a billion. The variable is whether you IPO or not before getting there.
Subscale IPOs without astronomical growth are basically out of the question and will be for a while. And subscale public companies without better-than-respectable growth are going to keep getting taken private until they're all gone.⁶
Wiz is an exceptionally unique case. They're executing (rewriting?) a strategy that's like smashing together the playbooks for a hypergrowth unicorn, post-IPO company, and private equity firm all at once. Wiz is our industry's grand experiment in building a billion-dollar company with intent and speed. Grab your popcorn.
For the rest of the later-stage companies in the cybersecurity industry, it's all about the strategy they take to hit $1B revenue scale. We're not going to see billion-dollar financing rounds that often, but I do think we're going to see companies in the IPO pipeline raising a total of $1 billion or more before going public. And we're going to see more mergers among relative peers to get there faster.
I'm not a hypergrowth zealot. There's a point where growth at all costs becomes too reckless, and bad things happen.
Good strategy is about being a realist, though. Kim Jordan at New Belgium Brewing is a dreamer and idealist. But she was also savvy enough to know when and why a major change in strategy was needed to hit their next level of scale.
Billion-dollar scale is different from what we're used to in cybersecurity, and it feels uncomfortable and unnatural. It's also the only way forward for our biggest companies.
Footnotes
¹Disclosed and estimated acquisitions over $1 billion in 2024 include Juniper Networks (HPE, $14B), HashiCorp (IBM, $6.4B), Darktrace (Thoma Bravo, $5B), AuditBoard (Hg, $3B+), Veritas (Cohesity, $3B), Venafi (CyberArk, $1.5B), and Exabeam-LogRhythm (undisclosed, estimated over $1B based on previous valuations).
²I intentionally avoided mentioning billion-dollar valuations here. Valuations don't mean much in the end game of becoming a company with a billion dollars in revenue.
³This count excludes large (e.g. OpenText) and mega-cap companies (e.g. Microsoft) with cybersecurity revenue as a small percentage of overall revenue. There are also privately held (likely PE-backed) companies with $1B revenue, but not many.
⁴CyberArk should be a $1B+ revenue company soon after their acquisition of Venafi officially closes.
⁵What's that, you say? Backups aren't security? I respectfully disagree. It doesn't really matter for the purpose of this discussion — the backup and data protection market is close enough to make this a reasonable comp.
⁶Or until private equity firms run out of money buying them, which is unlikely — they have more available capital than ever.