Another week, another multi-billion dollar acquisition in cybersecurity. You may have seen the news: SailPoint announced it's being acquired by Thoma Bravo (for a second time) for $6.9 billion on April 11, 2022.
Or maybe you didn't. Multi-billion dollar cybersecurity transactions happen all the time now. Trust me, this one is a big deal. Today, we're going to talk about why.
The news about SailPoint is important, but they're not the story here. The interesting part about the story is bigger than one company or one acquisition — it's about Thoma Bravo.
I haven't written an entire article focused on a private equity firm yet. Now is the time. Thoma Bravo's influence within cybersecurity is too important not to write about.
One of the five themes I went into detail about in Themes From Momentum Cyber's 2022 Cybersecurity Almanac was private equity's dramatically increased involvement in the cybersecurity ecosystem:
Private equity firms are going to continue upping the dosage of rocket fuel in cybersecurity as long as the promise and opportunity for large returns continues. As the data from Momentum Cyber shows, we're likely looking at a multi-year trend here. The effects will take a decade or more to play out.
Implicitly, you could have taken this statement as a prediction that Thoma Bravo was going to make some big M&A moves in 2022 and beyond. A prediction like this isn't that speculative or improbable. Thoma Bravo has been making deals for years. The scale and frequency of their deals are just now reaching a point where a lot more people take notice.
Along with Vista Equity Partners and a handful of other firms, Thoma Bravo is one of the most active private equity firms in cybersecurity, both in terms of deal volume and size. An upward trend in cybersecurity's private equity activity is inextricably tied to Thoma Bravo. So, it's worth spending time to understand the firm in more detail.
The interesting part about private equity trends in cybersecurity is speculating exactly which moves the firms are going to make. Thoma Bravo acquiring SailPoint was not something I was expecting to happen:
I should have been expecting it, though. Recent history already shows a clear trend of mega-deals, many involving Thoma Bravo. Two examples:
Thoma Bravo already acquired Proofpoint for $12.3 billion in April 2021. SailPoint wasn't even their largest cybersecurity acquisition by a long shot.
A group of private equity firms acquired McAfee's consumer business for $14 billion. That's the current leader for largest cybersecurity acquisition of all time. Go figure: Thoma Bravo was already a minority investor back in 2017.
The lesson here: we should all expect that acquisitions like this one can happen at any time. The acquisitions of SailPoint, Proofpoint, and others clearly demonstrate that any cybersecurity company under $10 billion in market cap or valuation is up for grabs. Several private equity firms have no trouble raising that much money for acquisitions if needed.
Shifting focus to Thoma Bravo, you have to admire their courage and audacity for going even bigger with their current portfolio and recent moves. This is exactly what we're going to unpack today. Topics include:
The Story of Thoma Bravo: Interesting highlights from the history of Thoma Bravo and its founders.
A New Strategy for Private Equity: The innovative strategy for Thoma Bravo's approach to deals and how it plays out in practice.
Reshaping Cybersecurity, a Timeline: Thoma Bravo's cybersecurity investments, acquisitions, and impact over time.
Possibilities for SailPoint: A specific look into the SailPoint deal and possibilities going forward.
Thoma Bravo's Audacious Future: Where all of this could be headed for Thoma Bravo.
Let's start with an epic tale of failure, fortitude, and fortune.
The Story of Thoma Bravo
Thoma Bravo is one of the most innovative companies in the cybersecurity ecosystem. I am fully aware how heretical it sounds to call a private equity firm "innovative." Hear me out.
When we think of innovative companies, our mental model is tech and products built by iconic founders and their rocket ship startups. That's accurate, and there are hundreds of examples to back it up. Cybersecurity alone has plenty of examples: CrowdStrike, Cloudflare, Okta, Ping Identity, and more.
Private equity firms traditionally get bucketed in a distant category far away from innovation along with their consulting and investment banking peers. The stereotype is often fair, but not in the case of Thoma Bravo. Thoma Bravo changed the model and scale of private equity from traditional ways of the past to the modern version you see today.
The modern incarnation of Thoma Bravo has been over 40 years in the making. It's actually a great story — one of the best business stories I've ever heard. A 2019 Forbes article about Orlando Bravo captures the story incredibly well, so we're just going to do the abridged (read: spoiler) version here.
The tale of Thoma Bravo starts with the firm's original founders, Stanley Golder and Carl Thoma, pioneering the "buy-and-build" investment strategy in the 1980s. The Forbes article describes it like this:
Thoma is a tall and mild-mannered Oklahoman whose parents were ranchers. Thoma and his partners practiced a friendlier version of the buyouts popularized by Michael Milken, preferring to buy small businesses and expand them using acquisitions.
The plot twist happens when Carl Thoma hires Orlando Bravo, a fresh MBA and JD graduate from Stanford:
Upon graduation in 1998, Bravo wasn’t offered a position there or at TPG, and he spent months cold-calling for a job. After about a hundred calls, Bravo’s résumé caught the eye of Carl Thoma, a founding partner of the Chicago-based private equity firm Golder, Thoma, Cressey, Rauner (now known as GTCR), and they hit it off.
You read that correctly: Orlando Bravo, now one of the wealthiest people on the planet, had to make over a hundred calls to find a job. "The smartest investment Chicago private-equity pioneer Carl Thoma ever made could well be when he hired Orlando Bravo," says a (paywalled) Crain's Chicago Business article in the understatement of the century.
As they say, the rest is history...sort of. Orlando Bravo's first few deals didn't go so well. From Forbes:
Bravo’s first few deals, struck before he turned 30, were disasters. He backed two website design startups, NerveWire and Eclipse Networks, just as the dot-com bubble popped.
The two lost most of the $100 million Bravo invested. “I learned I didn’t want to invest in risky things ever again,” Bravo says. “It was too painful to live through.”
By "risky things," he meant to stop doing what we now call early stage venture capital investments:
He realized his mistake was in backing startup entrepreneurs, an inherently risky move, when for the same money he could buy established companies selling niche software to loyal customers. With Thoma’s blessing, Bravo pivoted and became an expert on these arcane firms.
The "buy boring software businesses" plan started working right away, and Orlando Bravo made partner at the firm (preciously TCEP) in 2001 at age 30. Not a bad rebound from losing millions of dollars of the firm's money in his 20s.
The firm was expanding by 2005, foreshadowing a series of early hires who are now the face of Thoma Bravo:
By 2005, Bravo and Thoma had recruited three employees, Scott Crabill, Holden Spaht and Seth Boro, to focus on software applications, cybersecurity and Web infrastructure. All remain with the firm today as managing partners.
Orlando Bravo's impact on the firm was so profound that they re-incorporated the current iteration of the firm in 2008 to focus exclusively on software. That's why Orlando Bravo is a co-founder.
Beyond being a co-founder, Orlando Bravo is also a prodigy — just not in the usual way people in cybersecurity and tech think about prodigies. Most of the (well-deserved) credit goes to startup founders. Every once in a while, someone comes along in a different part of the cybersecurity ecosystem and changes everything. That's exactly what happened with Orlando Bravo and private equity.
As it turns out, having specific knowledge in a niche topic like software company operations and growth is a massively valuable thing to be good at. This probably did seem niche back in the early 2000s. Add in the magic of compounding growth, and you get Orlando Bravo circa 2022. In his own words:
The economics of software were just so powerful. It was like no other industry I had ever researched. It was just very obvious.
The innovation started with Carl Thoma's buy-and-build investment strategy. It continued with Orlando Bravo's specialization in software. Thoma Bravo's next innovation is scale. That's the topic we're headed to next.
A New Strategy for Private Equity
Before we get into the specifics about Thoma Bravo's strategy, we need to take a quick step back and talk about the relationship between private equity and the cybersecurity ecosystem.
The influence and impact of private equity firms within the ecosystem isn't well understood. People often see private equity firms as mysterious (and sometimes evil). I understand the reservations and concerns, but (in general), the fear and apprehension is more about uncertainty than legitimate cause for concern. Getting over this uncertainty starts with understanding what private equity firms do and the outcomes they seek.
The most concise way to describe the role of private equity is an explanation I've given in the past:
Here's the model: A private equity firm buys a cybersecurity company as the centerpiece, then acquires other complimentary companies to round out the platform. It's easier and faster for PE firms to make the complimentary purchases because they already have the capital and relationships to make the deals happen.
For private equity firms, a successful investment outcome is either:
Taking the company public (in many cases, a previously public company being taken public again in its refined form).
Selling the company to another company or investor for a profit.
The objective is easy to understand, yet incredibly hard to execute. Building an industry leading company is a difficult accomplishment in any shape or form — whether that's starting a business from scratch, turning around an unprofitable company, or maximizing the potential of a company that's already doing well.
Private equity firms get involved when companies are unprofitable, or when they see potential growth and value that isn't happening yet. The best private equity firms pore over the details about a company's operations, financials, market, and strategy to create profitable businesses.
Thoma Bravo's buy-and-build strategy is distinctly different from traditional private equity firm strategies. When most people think of private equity, they think of turnaround specialists: people who swoop in to save distressed businesses, lay off employees, work everyone else to the bone, and either save the business or sell it off in pieces.
Many private equity firms do specialize in turnarounds, but that's not the business Thoma Bravo is in. Their buy-and-build strategy is completely different on a philosophical level.
The core of Thoma Bravo's buy-and-build strategy is creating collaborative partnerships with good-but-not-yet-great performing companies. In their own words: "We are a passionate group of individuals who share one mission: to buy great software companies, spend time with them operationally and make them the best at what they do."
In an ironic twist of fate (we'll get to that at the end), Elon Musk's recent quote about buying Twitter actually summarizes Thoma Bravo's strategy nicely: "[COMPANY] has extraordinary potential. I will unlock it." Thoma Bravo is all about unlocking potential.
This strategy has a number of differences from turnarounds when put into practice, including two very important ones:
Companies Thoma Bravo acquires or invests in are already doing well. The Forbes article describes typical criteria as "at least $150 million in sales from repeat customers" and specialized markets.
They work with existing management teams instead of replacing them. For turnarounds, management is usually the first to go. From a recent Colossus podcast: "We work with existing management... We adapt ourselves to their culture. That is very meaningful to us."
These strategic differences completely change the profile of companies Thoma Bravo acquires and the entire dynamic of their relationship with them. The objective is to maximize wealth, not to avoid ruin.
Thoma Bravo's specialization in software is another distinct difference that's closely related to the buy-and-build strategy. Here's the summary from Forbes:
His secret? He invests only in well-established software companies, especially those with clearly discernible moats.
There's a backstory behind this that dates back to Bravo's mistakes as a young investor. Again, from Forbes:
He figured out nearly two decades ago that software and private equity were an incredible combination. Since then, Bravo has never invested elsewhere, instead honing his strategy and technique deal after deal.
He hunts for companies with novel software products...[and] looks to triple their size with better operations. By the time he strikes, he’s already mapped out an acquisition or turnaround strategy.
This quote is insightful because it surfaces two important nuances about how Thoma Bravo executes its strategy:
They start with a business strategy that's mutually agreed upon with a target company's existing management team before an acquisition takes place. There is no "we'll buy this company now and figure it out later."
Once the acquisition takes place, they're deeply involved with a company's operations. A CEO of an acquired company described it like this: "Orlando would help not only at the highest level with strategy but also when we got grunt work done."
There is a phenomenal quote from Orlando Bravo in the Forbes article that captures the essence of this philosophy:
My passion...is to move beyond the strategic, long-term pontification, and into the operational and tactical moves that make you move forward today. Economies go down, companies miss their numbers, trade stops, product issues happen and people quit. [The question is] do you have a creative approach to problem solving?
Some people are stuck . . . and some people love putting the pieces together. I just feel like every operational problem can be solved. There’s always a solution.
The combination of strategy and execution is what makes Thoma Bravo so successful and prolific. Their fingerprints are everywhere in the cybersecurity ecosystem, even if they're still invisible to many people working in the industry.
Next, we'll take a look at exactly how big of an impact Thoma Bravo has had on reshaping cybersecurity.
Reshaping Cybersecurity, a Timeline
Thoma Bravo has done more to reshape cybersecurity than (arguably) any other private equity firm. A total of 24 cybersecurity companies have passed through Thoma Bravo's portfolio, including 14 active investments today (SailPoint will become the 15th when the acquisition closes).
To illustrate the point about how active Thoma Bravo has been, here are all of the firm's cybersecurity-related flagship deals, sorted by the year Thoma Bravo entered the company:
Note: This data is somewhat incomplete and inaccurate. It was compiled based on publicly available information, which has limited data about transaction prices. It's intended to be illustrative, not authoritative.
We're missing a lot of detail since much of the transaction data is undisclosed. However, there is enough information to give you an idea of the frequency, size, and outcomes that Thoma Bravo is creating. TL;DR – they've been busy, and their portfolio companies are doing quite well.
This is already a long list of transactions, and it doesn't even include smaller add-on acquisitions for companies that are folded into the flagships. We can't go through every single company without making this a 10,000 word article, so we'll cover a few of the highlights instead.
In what should be no surprise by now, Thoma Bravo was a beneficiary in the largest cybersecurity deal ever — McAfee's $14 billion consumer and $4 billion enterprise acquisitions by two separate groups of investors in 2021.
Thoma Bravo took a minority investment stake in McAfee back in 2017 and helped guide the company through its transformation and multiple exits (along with multiple acquirers). The result you see today is McAfee's consumer business and Trellix, the combination of McAfee's enterprise business and FireEye.
Proofpoint is the largest direct acquisition Thoma Bravo has done. They acquired the then-public company in mid-2021 for $12.3 billion and took it private.
Executing their strategy for Proofpoint is a massive, multi-year project — especially alongside other large investments like SailPoint. This is an area to pay attention to.
Delinea is the result of multiple Thoma Bravo deals involving Centrify, a Privileged Access Management (PAM) focused company. Thoma Bravo acquired Centrify in 2018, spun out its Access Management business as Idaptive, and sold it to CyberArk for $70 million in 2020.
Centrify was sold to TPG Capital in 2021 and merged with Thycotic to become Delinea. This involved a lot of activity and significantly reshaped both the PAM and Access Management markets.
Veracode, a consistent market leader in Application Security, was acquired by Thoma Bravo for $950 million in 2019. The company performed exceptionally well under Thoma Bravo.
It recently announced a large growth investment round from TA Associates that values Veracode at $2.5 billion just three years later. Thoma Bravo will retain a minority stake after the investment closes.
Veracode is one of the best examples so far of the results a partnership with Thoma Bravo can bring. The company was already a market leader before it was acquired by Thoma Bravo, and the acquisition resulted in incredible execution and growth by Veracode's leadership team.
Thoma Bravo acquired Barracuda Networks as a public company in 2017 and took it private in a $1.6 billion transaction. This was a large-scale deal at the time — over $300 million larger than Thoma Bravo's 2011 acquisition of Blue Coat for $1.3 billion.
On a whirlwind day of April 12, 2022 — a day after Thoma Bravo announced it was acquiring SailPoint — they sold Barracuda to KKR for a rumored $4 billion.
Barracuda's revenue had grown to over $500 million at the time of this transaction. That's larger than many public cybersecurity companies today.
As mentioned earlier, the recent news about Thoma Bravo acquiring SailPoint is the firm's second time owning the company. Thoma Bravo's first go around with SailPoint was a 2014 acquisition from venture capital funds.
An exit came just three years later, with Thoma Bravo taking SailPoint public in 2017. This was definitely a successful exit for all as SailPoint performed well during its time as a public company.
There is a lot more to dive into with Thoma Bravo's second acquisition of SailPoint. That's where we're headed next.
Thoma Bravo's Audacious Future
In my analysis of Momentum Cyber's 2022 Cybersecurity Almanac, I made an observation about how wild things are in cybersecurity right now:
First, let's just call a spade a spade: 2021 was a wild year in cybersecurity. Several of the financial numbers in the report are mind-bending. The cyber attacks are even worse. It's madness, and the madness is multiplying.
On the private equity side, Thoma Bravo is leading the charge of accelerating change. The obvious trend in the chart of Thoma Bravo's investment history (shown earlier) is that their transactions keep getting bigger and bolder. The buy-side examples of Proofpoint and SailPoint and the sell-side examples of McAfee and Barracuda make this point abundantly clear.
Outside of cybersecurity, it was speculated that Thoma Bravo has interest in buying Twitter. You know, that Twitter — the same company Elon Musk also wants to buy. Even though it looks like this deal isn't going to happen for Thoma Bravo, the punch line still matters: you don't compete directly with Elon Musk unless you're comfortable making audacious moves.
Thoma Bravo raised three funds totaling $22.8 billion at the end of 2020. They're rumored to be raising again (paywalled, sorry) already. Forbes described the plan nicely:
...Bravo is eyeing $10 billion-plus deals and expects to begin buying entire divisions from today’s technology giants.
We've already seen the $10 billion-plus deals start to happen. They're going to continue as long as Thoma Bravo keeps up this level of success. Orlando Bravo described the opportunity in front of his firm to Forbes:
There are bigger and better companies to fix than there were ten years ago.
An important piece of context here is that Orlando Bravo was already a billionaire before the 2019 fund, joining the 2019 Forbes 400 that same year. Neither Bravo nor the firm that bears his name have much of anything left to prove.
This could be the exact reason for the audacity you're seeing today. Metaphorically, Thoma Bravo is playing with house money. The irony in saying the pressure is off for a private equity firm making deals at this scale is not lost on me. However, Thoma Bravo has a formula and track record that justify the success they've had and the audacious moves you're seeing today.
Time will tell how their current portfolio plays out and what future moves will be made. Until then, it's going to be interesting to watch the story unfold. Bravo, Thoma Bravo 👏