Cybersecurity's 2022 IPO Pipeline (Part 1)

There could be more cybersecurity IPOs in 2022 than any previous year. Even with notable companies like SentinelOne, ForgeRock, and HashiCorp going public in 2021, the IPO pipeline is still full of stellar companies.

As I've previously written about, 2021 was already a big year for cybersecurity IPOs. Barring any significant macroeconomic changes, expect the momentum to continue this year.

I've divided up the analysis into a two part series. This week, we're going to take a look at the first six of twelve total cybersecurity companies that have the potential to go public in the upcoming year. We'll look at the remaining six companies next week.

Some are more likely than others. Regardless of timing, it's interesting to look at the up-and-coming companies that are going to become even more influential in the years to come.

What does the company do?

Appgate is known as a Zero Trust company. Their products include networking (software-defined perimeter) and risk-based authentication — both of the core tenets for a Zero Trust Architecture (ZTA).

Their products have received good industry recognition. Appgate was recognized as a Leader by Forrester in both the The Forrester New Wave™ Zero Trust Network Access, Q3 2021 and The Forrester Wave™ Zero Trust eXtended Ecosystem, Q3 2020 reports.

Appgate is relatively new as a standalone company. It was originally the security business within Cyxtera Technologies, a global data center platform. Appgate and its products were spun off as a separate company in November 2019.

Where do they fit into the cybersecurity ecosystem?

Appgate fits broadly into both Network Security and Adaptive Authentication. Note: Admittedly, the categories related to Zero Trust could be better defined in the next iteration of the ecosystem mapping.

Their Software Defined Perimeter (SDP) product is relatively unique and fits nicely into an emerging category for Zero Trust networking.

Appgate's Risk-Based Authentication (RBA) product has a bit more competition. Larger authentication platforms like Okta, ForgeRock, and Ping Identity all have a well-defined set of adaptive authentication features within the product. Specific functionality varies, but making authentication and authorization decisions based on risk is a standard feature.

How much money have they raised?

Appgate has raised an estimated $50 million, according to Momentum Cyber. The company's funding is not widely disclosed, in part because of their atypical path.

Since Appgate originated as a spinoff from an existing company, they didn't need a lot of outside capital to grow. The spinoff was done with the intention of filing for IPO within a relatively short period of time. As a result, the company didn't need additional funding before going public.

What is their most recent valuation?

Appgate was valued at $1 billion at the time of their reverse merger announcement in February 2021.

Have they stated an intention to go public?

Correction: Appgate officially became a public company as of October 2021 following their merger with Newtown Lane marketing. The transaction occurred via a reverse merger, not a SPAC. This section has been updated with revised details and timelines.

Appgate completed a reverse merger with the Newtown Lane Marketing company in October 2021, an important prerequisite step for uplisting to stock exchanges like Nasdaq or the New York Stock Exchange (NYSE). It's currently trading on the OTC Bulletin Board under the stock symbol APGT.

Appgate's leadership has been clear about their intent to uplist — likely as soon as Q1:

Appgate intends to seek to uplist to Nasdaq or the New York Stock Exchange as soon as possible following satisfaction of applicable listing requirements, which is expected to occur during the first quarter of 2022.

Even though the company is already public, uplisting to Nasdaq or the NYSE is an important accomplishment.

What is the bull case for an IPO?

This assessment from Barry Field, Appgate’s CEO, is pretty accurate:

"The legacy methods of security, such as VPNs and firewalls, are no longer effective in keeping companies and networks secure. Today’s threat landscape is forcing executives to rethink how they secure their businesses, their data and their users. Grounded in the principles of Zero Trust, Appgate’s industry-recognized solutions are replacing outdated, easily compromised traditional network security."

Zero Trust has lots of momentum right now. It makes sense for Appgate to capitalize on it since they're well positioned as a leader in the emerging space.

What is the bear case for an IPO?

The bear case for Appgate is more long term. The hype cycle for Zero Trust could eventually fade. Then what?

Appgate's identity as a company is inextricably tied to Zero Trust. The association is working in their favor right now. If Zero Trust is a fad and not a movement, that spells trouble for a public company.

Additionally, reverse mergers and SPACs are relatively new concepts for cybersecurity. So far, companies that have gone public via SPAC haven't performed as well as traditional IPOs or direct listings. That could change as SPACs become more accepted within the industry and firms like NightDragon join the mix.

What is the most likely outcome?

Appgate will go forward as planned to uplist in early 2022. Regulatory delays could push back the uplisting to later in the year, but it's almost certain they'll be trading on one of the two major U.S. exchanges this year.

What does the company do?

BigID became famous for helping companies manage new data privacy regulations. When companies were scrambling to comply with new privacy regulations like GDPR and CCPA, BigID saved the day — especially with data discovery. Enterprises didn't know where all their sensitive data was, and BigID helped them find it.

The product is more of an end-to-end privacy and data governance platform now that the company has grown. It now has solutions for discovery, privacy management, data protection, and governance. The platform was highly rated in The Forrester Wave: Privacy Management Software, Q4 2021.

Where do they fit into the cybersecurity ecosystem?

At its core, BigID is a Data Discovery and Classification product. As noted earlier, it's become more of a platform spanning multiple areas of Privacy and Data Protection.

How much money have they raised?

According to TechCrunch, BigID has raised over $200 million as of their last funding round in April 2021.

What is their most recent valuation?

The same article set BigID's valuation at $1.25 billion based on the new round of funding.

Have they stated an intention to go public?

BigID hasn't said much yet about going public. Based on comments from co-founder Nimrod Vax in December 2020, they appear content to take their time.

Vax explained how they didn't need capital but raised anyway because of the favorable terms:

"BigID doesn’t need the cash and most of the capital has yet to be used. However, the offers we received were just too attractive to turn down, they allow us to accelerate growth and establish our leadership in both product and sales."

With the current funding, their focus is on growth and product expansion rather than going public:

"We continue to focus on customer growth in addition to our development and marketing processes. In the coming year, we are targeting the expansion of our service offering and customer variety. Solutions at scale for both small and large, for developers, and for small business units in enterprises."

What is the bull case for an IPO?

BigID has essentially won their segment of the market already. The main questions that remain are how much of the adjacent Privacy and Data Protection ecosystem they can capture and exactly how big the company can get.

Better yet, data privacy regulations aren't going away. If anything, we'll see more of them in the next decade or sooner. That's exceptionally good news for BigID.

They've already done well enough to become a unicorn of IPO scale. With increased privacy regulations, they have a growth engine that can propel them into continued growth and success as a public company.

What is the bear case for an IPO?

The best reason for BigID not to IPO isn't really a bear case — it's just old fashioned patience. They're doing well and, according to their co-founder, don't need the capital they recently raised.

This likely means they have everything they need to continue growing rapidly and further develop their products. They could IPO this year if they want to, but why rush if a later IPO would make them a more successful public company in the long run?

What is the most likely outcome?

The most likely outcome this year is no IPO and continued focus on steady growth.

If the opportunity for growth and expansion merits additional fundraising, don't be surprised if BigID raises more money. Likewise, don't be surprised if they make acquisitions to expedite their growth.

This IPO seems more likely in 2023 or beyond, but it's something to keep an eye on.

What does the company do?

Cybereason is an Endpoint Detection and Response (EDR) platform that's making a move into the emerging eXtended Detection and Response (XDR) market. It's a brutal market because they're competing head on with fan favorites like CrowdStrike and SentinelOne.

Cybereason's platform hasn't done especially well in recent analyst ratings. It's ranked as a Visionary in Garner's latest Magic Quadrant for Endpoint Protection, well behind the Leaders category. Likewise, their XDR product is rated in the third tier as a Contender in The Forrester New Wave: Extended Detection And Response (XDR) Providers, Q4 2021.

Where do they fit into the cybersecurity ecosystem?

Cybereason's platform fits squarely into the Endpoint Detection and Response (EDR) market segment. They've also joined the fray in the emerging XDR segment.

How much money have they raised?

The company has raised $713.6 million, per Crunchbase. Their most recent funding round was a $275 million Series F in July 2021.

What is their most recent valuation?

Cybereason's valuation was reported to be $3.1 billion by TechCrunch and Crunchbase as of their last funding round.

Have they stated an intention to go public?

Lior Div, Cybereason's co-founder and CEO, has specifically targeted 2022 as their IPO year. From an interview in July 2021:

"We’re focusing on building a major company that secures the world’s biggest enterprises, and going public is a crucial milestone along the journey. We will aim for it in the coming year."

What is the bull case for an IPO?

The bull case for Cybereason is to take advantage of the high valuations of peers in the EDR market and grab their share. Companies in the EDR market have done exceptionally well in their IPOs. From my earlier Cybersecurity is Going Public article:

SentinelOne became the largest cybersecurity IPO in history earlier in 2021. The company went public at a valuation of nearly $11 billion. A notable trend is that SentinalOne's IPO nearly doubled the previous mark — CrowdStrike set the previous record for largest cybersecurity IPO at a $6.7 billion valuation in 2019.

Cybereason's revenue is relatively strong, reported at over $120 million (ARR) at the end of 2020. Assuming the usual high growth rate for cybersecurity companies at this stage, revenue is likely much higher now. If the timing, growth, and core metrics are all in place, why not go for it?

What is the bear case for an IPO?

CrowdStrike and SentinelOne are two of the hottest companies in cybersecurity right now. They're direct competitors for Cybereason.

The market might not be ready yet for another publicly traded EDR company — especially given how much we heard about CrowdStrike and SentinelOne last year.

Even if they do IPO, they still have to perform if they're going to be successful as a public company. It's hard to live up to the standards of their competitors, but that's also a known issue — Cybereason has been competing in this market for a long time.

What is the most likely outcome?

All the ingredients are in place for an IPO in 2022.

What does the company do?

Exabeam is a security operations company that has built a cloud analytics platform. They were made famous by their User Entity Behavior Analytics (UEBA) product and have since expanded into Security Information and Event Management (SIEM), and more.

Their SIEM product did exceptionally well in the 2021 Gartner Magic Quadrant for SIEM. It was the highest rated product in the Leaders category.

Where do they fit into the cybersecurity ecosystem?

Exabeam has grown into a platform that maps most closely to User Entity Behavior Analytics (UEBA) and Security Information and Event Management (SIEM). They're also considered an Analytics product within the Security Operations domain.

How much money have they raised?

The company has raised $390 million according to Crunchbase. Their latest round of funding was a $200 million Series F in June 2021.

What is their most recent valuation?

Exabeam's valuation was $2.4 billion as of their latest funding in June 2021.

Have they stated an intention to go public?

Exabeam's new CEO, Michael DeCesare, talked generally about an IPO in a June 2021 interview:

An IPO “is still on the table,” and DeCesare said he believes Exabeam “will be quite successful in the public market,” but it’s not a top priority.

What is the bull case for an IPO?

Exabeam's platform is strong in multiple product categories. The broader Security Operations ecosystem is critically important to cybersecurity. Exabeam is the leader of a new generation of analytics-focused tech in the space.

Like CrowdStrike, Exabeam wants to bundle cybersecurity. From DeCesare:

“We have a chance to be to cyber what ServiceNow is to the services market — the unification, the ability to create a CMDB and sit on top of your service system, your ticketing systems — that’s the real estate we occupy.”

Being the ServiceNow of cybersecurity is a lofty but achievable goal in the long run. Having an exceptional analytics product is a strong foundation for expanding into other areas (unsurprisingly, XDR is a target for Exabeam). They have a good chance at becoming a very large and very successful company.

What is the bear case for an IPO?

Similar to BigID, their biggest reason for holding off on an IPO might be time to further grow and mature.

Exabeam is a new entrant into the XDR market. Their XDR product wasn't yet included in Forrester's first New Wave for Extended Detection And Response (XDR) Providers report. That likely means the product was too new and incomplete to qualify for evaluation.

The biggest long term issue for Exabeam is the progress of the XDR market. If SIEM truly has lost and XDR is the way of the future, that could spell trouble for Exabeam. However, Exabeam isn't the legacy SIEM products of old. It's leading a new generation of SecOps analytics products. The company should be resilient enough to be valuable even if XDR does rise to prominence.

What is the most likely outcome?

Like BigID, the most likely outcome seems to be patience. Don't expect an IPO until 2023 or beyond.

What does the company do?

Illumio is known for its Zero Trust networking and segmentation product. The company has been recognized as a leader in Zero Trust.

Honors include the top ranking in the Leader category by Forrester in The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020.

Where do they fit into the cybersecurity ecosystem?

Illumio's core product maps to the Micro-Segmentation category within Cloud Security.

How much money have they raised?

The company has raised over $550 million, according to TechCrunch. Their most recent round of funding was a $225 million Series F in June 2021.

What is their most recent valuation?

Illumio was valued at $2.75 billion as of their most recent funding round.

Have they stated an intention to go public?

Founder Andrew Rubin has broadly stated an IPO is the plan but hasn't provided specific details about when. From TechCrunch:

"If we do our job right, and if we make our customers successful, I’d like to think that would be part of our journey."

What is the bull case for an IPO?

Zero Trust is a big movement, and Illumio is recognized as a leader by Forrester. That's impressive because they're rated ahead of much larger competitors, including multiple public companies.

The current valuation is high and momentum is on their side. Appgate is almost definitely going public. Their IPO could provide confidence for Illumio to move forward this year if all goes well.

What is the bear case for an IPO?

Like its Zero Trust peer Appgate, Illumio's fate is tied to the rise or fall of Zero Trust. If Zero Trust falls out of favor with industry practitioners, Illumio may not have enough other options to fall back on.

Illumio is well known for its Illumio Core product. Currently, the company has two other products: one for cloud security, and one for endpoint security. Both are tough and competitive markets. Additional traction in these markets, along with further product diversification, might be needed before an IPO is practical.

What is the most likely outcome?

It's a tough call. The more probable outcome seems to be staying private for another year. However, if the economy remains stable and other cybersecurity IPOs go well, don't be surprised to see Illumio go public in 2022.

What does the company do?

Lacework has built a comprehensive cloud security platform. The platform has a broad set of modules spanning cloud configuration management, policy compliance, workload protection, threat detection and response, and more.

Analyst ratings are a moving target in cloud security, so it's difficult to benchmark Lacemark that way. Anecdotally, they were named a 2018 Gartner Cool Vendor in Cloud Security by Gartner shortly after the company was founded.

Where do they fit into the cybersecurity ecosystem?

Lacework's platform fits broadly into the Cloud Security domain with functionality in both Container and Workload Protection and Management and Compliance.

How much money have they raised?

The company has raised $1.9 billion, according to Crunchbase. Their $1.3 billion Series D in November 2021 was the largest funding round in the history of cybersecurity.

On one hand, raising the largest funding round ever is eye opening. On the other hand, $1.3 billion is a lot to raise at one time. That's more than some public companies have raised in total. For example, CrowdStrike (only?!) raised $481M in funding over seven rounds before its IPO.

What is their most recent valuation?

Lacework was valued at a somewhat astonishing $8.3 billion as of their most recent funding round.

Have they stated an intention to go public?

Lacework co-CEO David Hatfield spoke broadly about an IPO with no specific timeline in an interview with Reuters:

"There are a lot of different options for companies like ours, (including) a direct listing or an IPO, and we are considering those options, but nothing actively."

What is the bull case for an IPO?

The fact that Lacework raised the largest amount of funding ever for a cybersecurity company is an important signal. Since we don't know the full details of their growth, revenue, and overall financials, we can only speculate that investors loved what they saw.

The bull case for Lacework is best summarized by this quote from Franklin Templeton Vice President Matt Cioppa:

"Lacework has built something that's powerful and unique, positioning it to be one of this generation's most important cybersecurity companies."

The potential to become one of the most important cybersecurity companies is praise that shouldn't be taken lightly. Especially given how important companies in this generation actually are.

What is the bear case for an IPO?

Headlines are great, but there's also risk that comes with raising such a large amount of funding at a high valuation. Expectations are high, and Lacework has to keep performing.

There isn't much of a bear case, though. As the Momentum Cyber team put it, "public markets today are focused on growth." As long as Lacework continues to grow, they will do just fine as a public company.

What is the most likely outcome?

An IPO this year seems inevitable. They likely don't need to go public given the amount of capital they raised. However, their momentum and valuation are both great. It almost seems silly not to IPO when everything is in their favor.

Next Week: Part 2

Next week, we'll finish looking at the remainder of the cybersecurity IPO pipeline for 2022. The upcoming list includes Netskope, Pindrop, Qomplx, Snyk, Tanium, and Transmit Security.

If you're curious about other companies or know of any that should be on this list, don't hesitate to send an email or DM me on Twitter.