Cybersecurity Is Going Private

Cybersecurity companies are going private at a shocking rate. We've lost 12 public companies since 2022, including nine pure-play cybersecurity companies.¹

It has also been 1,126 days (as of the day this article was published) and counting since a pure-play cybersecurity company went public.²

Our companies are both going private and staying private way, wayyyy more often than the voracious pace we were cranking out public companies at back in 2021 when I (now ominously) proclaimed that cybersecurity is going public.

What's going on here? Is the entire industry going to crumble?!

No, it's not. We're just getting over the sugar high that was 2021 when too many companies (across tech, not just cybersecurity) went public. We're in the no ice cream, hire a personal trainer, get bigger/faster/stronger period of our industry's journey.

All this change and volatility is unsettling, though. I get it. I literally check my LinkedIn feed first thing every morning to see which big cybersecurity company is getting acquired today. Large acquisitions don't happen every day, of course — but it sure feels like one could happen at any moment.

We need to unpack and thoroughly demystify all of this take-private and strategic acquisition activity. It's hard to make sense of one-off events.

When you look at big picture trends and data logically, I promise you that the future of our industry will start to look a lot more promising than it does today.

We just have to wade through some yucky stuff first. Let's ease into this by talking about something fun...ICE CREAM!

Ben & Jerry's used to be a public company

I know, right?! We've all heard of Ben & Jerry's, but I definitely did not know they were a public company for 15 years. It's a super interesting business story.

Ben Cohen and Jerry Greenfield started Ben & Jerry's (I know, who would have thought they would end up being marketing geniuses) with a whopping $12,000 of financing to open an ice cream shop at a renovated gas station in 1978.

Their wacky flavors and quirky brand caught on quickly. Like, rocket ship quickly in the world of consumer brands. They went public in 1985 and expanded rapidly, hitting $58 million of revenue by the end of the decade.

By the 1990s, competition in the premium ice cream market heated up (get it?). Häagen-Dazs and others turned things from an ice cream social into, well, real businesses. Ben & Jerry's struggled with profitability, and (crucially...) the founders realized they didn't really want to manage an actual company.

Unilever acquired Ben & Jerry's in 2000 for $326 million. Instead of letting the company melt, they found a strategic buyer who could give them the scale, distribution, and professional management they needed.

Almost 25 years later, Ben & Jerry's is still recognized as the top premium ice cream brand in the world. They're generating hundreds of millions in revenue (exact figures undisclosed), still making iconic flavors, and still advocating for the social causes they care deeply about.

Does this story feel a little bit familiar? Cybersecurity is a highly competitive industry torn between the societal value of security and the inevitable need for financial stability and growth. We have a lot in common with Ben & Jerry's. Their story might give us a peek into our own future, too.

Let's get back to cybersecurity and talk about what's happening in our own industry today.

What's happening: a wicked decline in public companies

Cybersecurity is dropping public companies like it's going out of style. I mean that literally — being a public company feels like it has been out of style for more than two years now:

Before 2022, there was only one year (2010) where our total number of cybersecurity-related public companies went down. HP acquired ArcSight, and no other companies went public that year. Down one, no big deal.

Something completely different happened in 2021 and 2022. Eight cybersecurity-related companies went public on U.S. exchanges in 2021.³ This included SentinelOne, whose IPO was valued at $8.9 billion — still the most of any pure-play cybersecurity company.⁴

Our IPO momentum violently turned the opposite direction in 2022. ZeroFox (a SPAC who was quickly taken private in 2024) was the only cybersecurity-related company to go public on a U.S. exchange.

Meanwhile, eight public companies were acquired over roughly the same period. Thoma Bravo's $12.3 billion acquisition of Proofpoint kicked things off in August 2021. Seven other companies followed throughout 2022.

We're still stuck in the same rut two years later. Seven more cybersecurity-related companies on U.S. exchanges were acquired from 2023 to 2024.

This count doesn't even include IBM's pending acquisition of HashiCorp
or Thoma Bravo's completed acquisition of Darktrace (listed on the London Stock Exchange, but a big company) for $5.3 billion.

The total count of cybersecurity-related companies that are publicly traded has gone down by 21% between the 2021 peak and today. Pure-play cybersecurity companies have seen an even steeper decline, down 36% over the same period:

Several more cybersecurity-related companies that are currently public have been rumored to be considering sales:

• SolarWinds: Was reportedly exploring a sale in October 2023

• N-Able: Reportedly began exploring a sale in May 2024

• Rapid7: Started receiving pressure from an activist investor to sell in June 2024

• Tenable: Reportedly began exploring a sale in July 2024

• Trend Micro: Reportedly began exploring a sale in August 2024

• Secureworks: Dell Technologies, the majority owner, reportedly hired bankers to explore a sale in August 2024

Very speculative rumors have also come and gone about CrowdStrike acquiring Radware and (get this) Wiz acquiring SentinelOne — although the latter was summarily dispatched by SentinelOne's leadership team.

On top of the activity with public companies, both strategic buyers and private equity firms are acquiring (or trying to acquire) later stage companies from our IPO pipeline:

• Lacework: Acquired by Fortinet (at a steep valuation decline) in June 2024

• Wiz: Attempted acquisition by Alphabet (Google) in July 2024

• Exabeam: Majority ownership acquired by Thoma Bravo and merged with LogRhythm in July 2024

• Recorded Future: Acquisition by Mastercard announced in September 2024

We're at 16 pure-play cybersecurity companies listed on public markets right now. It's unlikely (but possible) the number could drop as low as 10 if the reported sales happen and the window of opportunity remains closed for companies in our IPO pipeline.

Okay, so what's happening is very clear: cybersecurity is going private. Next, let's talk about why.

Why it's happening: more strategic moves, fewer investor complaints

There is a surprising amount of consensus around why so many cybersecurity-related companies have chosen to go private: it's a lot easier to make strategic moves as a private company.⁵

Here's a sampling of quotes to illustrate the point:

• Seth Boro (Managing Partner, Thoma Bravo) on Sophos: "Sophos’ leadership team is empowered to innovate faster and respond to market opportunities more effectively in a private setting."

• Gary Steele (former Chairman and CEO, Proofpoint): "We believe that as a private company, we can be even more agile with greater flexibility to continue investing in innovation, building on our leadership position and staying ahead of threat actors."

• Andre Durand (CEO, Ping Identity): "This move allows us to focus entirely on our innovation and customer success, without the distractions that can come with being a public company."

• Seth Boro (again) on SailPoint: "...taking a step back from the public markets at the time that the company did, we think is a great decision to accelerate this move to cloud and come out the other side as a, both a high growth and high profit business."

Their public statements are intentionally broad, of course. And this is not the only reason.

There's an elephant in the room we don't like to talk about. The thing most of our companies who were acquired (especially by private equity firms) had in common was declining growth and a lack of profitability.

From the standpoint of a CEO, it's better to take the company private or sell to a strategic buyer and work on the business outside the spotlight of public markets, especially with strong acquisition offers on the table.

Most of our public companies who sold are solid companies who do several things well. We've had a couple fire sales, but those are rare exceptions.

We're mostly in the position Ben & Jerry's was in — solid companies with a few problems but lots of upside. Our companies have options, which gives them the ability to make choices strategically.

Let's talk more about the strategic options cybersecurity companies have and where they go after exiting the public markets.

Where they go: private equity and some very large strategic acquisitions

Historically, cybersecurity-related companies leave the public markets in one of two ways: an acquisition by a private equity firm, or an acquisition by a strategic acquirer.

Any other scenarios are highly unlikely. Bankruptcies have happened, but they've been limited to small micro and nano cap companies. Across the entire history of cybersecurity, one hundred percent of the 27 mid cap and above company delistings are because of private equity or strategic acquisitions.

The breakdown between the two categories is the interesting part. Private equity firms have made 19 take-private acquisitions, or 70% of the total:

Thoma Bravo alone has been behind eight of the deals, to go along with ~20 other private cybersecurity company acquisitions in their portfolio.

Strategic buyers have acquired eight public companies, or 30% of the total:

All buyers are either large or mega cap tech companies. Cisco is the only repeat strategic buyer (probably no surprise).

This PE-to-strategic ratio is probably going to continue and may slant even further towards the private equity side. There aren't many bargain rack discounts left among the cybersecurity-related public companies we have left. Buying a large public company is expensive, so the buyer universe for this type of transaction is small.

Here's the thing about private equity, though: private equity ownership is almost never a final destination for an acquired company.

Private equity is like flipping houses. They buy a company to hold it for a period of time (typically 5-7 years, but it's case-by-case), improve the business, and (ideally) sell it for a profit.

It's pretty rare to see private equity firms hold on to portfolio companies long term. This means our industry has over 20 formerly public companies who are sitting in private equity holding right now and need to find a permanent home soon.

The two best options are taking the company public again or selling it to a strategic buyer in a private transaction. Those scenarios are the real end game here.

They've happened before in cybersecurity...just not as often or at the same scale as what needs to happen with the current set of private equity backed companies.

The absolute best case scenarios are either for a healthy, growing company to go public again and stay there, or to find the right strategic buyer. This doesn't always happen, of course — but I'm hopeful it can a majority of the time.

Imperva and ForgeRock are both good examples of companies who found a good strategic fit. Thales added Imperva to its now pretty massive portfolio of cybersecurity products in December 2023. Thoma Bravo merged ForgeRock into Ping Identity in September 2023, a logical strategic choice for two portfolio companies competing against Okta, CyberArk, and Microsoft.

SailPoint looks like it's going to be an example of a successful return from private equity to the public markets. In under three years, no less. This was their plan all along, and it appears they've executed perfectly.

These examples are successful blueprints. We need high performing companies going back into the public markets and staying there, and we need companies who aren't going to make it public again to find good homes.

In fact, our future probably looks a lot like Ben & Jerry's.

How this ends: Ben & Jerry's is in our future

The company, I mean. You're not getting ice cream.

...okay, you can have ice cream if you want.

You're not my toddler, you can do whatever you feel like. You probably deserve it by the end of this article.

Seriously though, my point with the Ben & Jerry's thing is that it's okay for a company to take a step back and regroup if it needs to.

Just because a company gets taken private doesn't mean it is imminently dead. Too often, we see headlines and instinctively assume the worst.

I understand. It's a natural reaction. Let's put our logic hats on for a minute, though.

As I've said before, big cybersecurity companies don't really "die." They're just smashed into pieces and split, merged, divested, rebranded, or any other action you can take on a business without actually killing it.

Later stage cybersecurity companies with 8-9 figures of annual revenue don't fully go out of business, no matter how bad they're struggling. They've created enough value for someone to find their problems worth fixing.

Each company's situation is incredibly nuanced, especially how to fix the problems that led to being taken private. It's not going to work out for everyone — they won't all be Ben & Jerry's.

Instead, we're going to see uneven outcomes. Several companies will go public again. Others will find nice homes with strategic buyers. And the ice cream will melt on a few of them.

We just want to save as many ice cream cones as we can. The example of Ben & Jerry's selling to the right strategic buyer is a perfectly good outcome, too. Sometimes it's better not to be a standalone company. We need to be okay with this.

Any way you look at it, we're going to end up with more public companies than we have right now. There are plenty of high quality IPO candidates between the current set of private equity holdings and later stage startups.

Cybersecurity might be going private now, but we'll be back to going public again soon.

Footnotes

¹This count includes cybersecurity and hybrid companies listed on major U.S. stock exchanges. It excludes micro and nano cap companies. They skew the numbers quite a bit. The focus for this article is on our larger companies with higher valuations, although we'll mention some of the micro and nano cap companies.

²A mid-cap or higher company, that is. HashiCorp and Rubrik both went public more recently than ForgeRock, but they're technically "hybrid" companies.

³The real total was even higher: 17 companies went public in 2021, including micro and nano cap companies and all global stock exchanges. It was a wild year.

⁴As of its opening valuation, anyway. CrowdStrike opened its first day at $6.7 billion in 2019 but closed at $14 billion.

⁵Publicly disclosed consensus, that is. I understand why you might want to dismiss this as boilerplate language for press releases. There's still some truth to it though, at least at a high level. It's undeniably difficult to be a subscale public company right now.