It's been a minute since we've talked about cybersecurity's IPO pipeline. There's a good explanation: our 2022 IPO pipeline did not go as planned.
It’s almost 2025 now. Zero companies from the 2022 list have gone public.
Zero.
Outside of my list, there has been a tiny bit of activity:
-
One traditional IPO for a cybersecurity-related company (Rubrik in 2024)¹
-
Two nano-cap IPOs on U.S. exchanges (CISO Global and HUB Security in 2023)
-
Two international listings (Hanssak and Yubico in 2023)
Better than nothing...but a pure-play cybersecurity company hasn't gone public since ForgeRock over 1,000 days ago. They've since been taken private and merged into Ping Identity.
This has been the story of the past three years: dozens of companies are stuck in the IPO pipeline, and more companies have been taken private than public.
So, all of this is to say: cybersecurity has an IPO pipeline — it just hasn't been very active.
It sure looks like 2025 (and beyond) is going to be different.
Tech IPOs have slowly resumed. Valuations have reset and stabilized. The incoming administration in the United States is pro-business with a relatively hands-off track record on regulation and antitrust enforcement.
More importantly, great companies are still great companies no matter what the economic circumstances. Cybersecurity has a lot of great companies in the IPO pipeline right now.
We're going to see more IPOs in the next three years than we have in the last three. There's an outside chance we could even break some previous records. But the bar is still high.
The three year, thousand-plus day IPO drought has put us in an interesting conundrum for analyzing our IPO candidates. There are too many companies in the pipeline to reasonably cover in one article.
This analysis is focused on companies who have a reasonable probability of going public in 2025.² We'll cover the pipeline for 2026 and beyond next time.
Before we get to the companies, you should know about an interesting dynamic in the current IPO pipeline.
Private equity owns a lot of large cybersecurity companies
The flip side of all the take-private activity by private equity firms in cybersecurity is...well, they own a lot of large cybersecurity companies now.
Private equity owns five of the 16 companies I have as candidates for the 2025 IPO pipeline. They also own six other companies who could go public in the next 2-3 years. Put differently, private equity owns about a third of the ~30 companies in the near-term IPO pipeline (the next three years).
This is a lot different dynamic than our previous IPO windows. We're used to venture-backed companies bursting onto the scene as the next big thing. All of the A-list cybersecurity (+related) companies of today went public this way.³
A handful of companies have taken a detour through private equity ownership on their way to public markets. SailPoint was owned by Thoma Bravo, and Ping Identity was owned by Vista Equity Partners before each went public (the first time). Jamf was also majority-owned by Vista Equity Partners before going public in 2020.
These were all private-to-private transactions, though. Private equity firms acquired these later-stage private companies and put on the finishing touches (and provided some liquidity) before taking them public.
Our pipeline still has a few never-before-public companies in private equity holding. What's different is the number of previously public companies who were taken private.
These were large, well known companies with revenue in the hundreds of millions (or higher). They ran into challenges with things like scale, growth, profitability, leadership, and/or other major business transitions that were better to address as private companies.
Several of them are going to be ready to go public again soon. In fact, a few are probably going to be the first companies to list in 2025.
Let's move on to the companies in the IPO pipeline, and I'll tell you why.
The 2025 IPO candidates
Of the 100+ cybersecurity-related companies I've analyzed for IPO potential, 16 of them have a realistic shot at going public in 2025:
These are probably names you've heard a lot about. An IPO candidate, at least in the traditional sense, means being among the who's who of an industry. Cybersecurity is no exception, especially as the profile of our industry has gained prominence across tech and capital markets.
For this level of analysis, the relevant distinction is between PE-backed and venture-backed companies.
PE-backed companies
There are five private equity owned companies in the 2025 pipeline. Four of the five have been public before (Mimecast, Proofpoint, SailPoint, and Sophos). Kaseya is a hybrid cybersecurity company (at best), but they do enough in cybersecurity to be mentioned.
This group has been among the most active strategic M&A buyers, highlighted by Sophos buying Secureworks (a public company) for $859 million in one of the largest cybersecurity services transactions we've ever seen. Kaseya, Mimecast, Proofpoint, and SailPoint have all made smaller tuck-in acquisitions, too.
Based on recent reporting, SailPoint will likely be the first company to go out among this group. It may even be the first IPO of any company in the pipeline.
Venture-backed companies
The 11 venture-backed companies in the 2025 pipeline have all waited patiently for their IPO window to open. Four of them were candidates on my (much shorter) 2022 pipeline list.
Most have been durable companies throughout the post-2021 decline, either raising more capital or debt to extend their runway (and grow, or at least preserve, their valuations). They've made lists like the Forbes Cloud 100 Lightspeed's Cyber 60, and more.
You're not here to gawk at lists, though. You're here to dig in deeper.
There are reasons why all of these companies are near-term IPO candidates, both qualitative and quantitative. Let's talk about the qualitative side first.
The qualitative side: who has said they're going public
As much as we can try to quantify the probability a company will go public, there's a lot of judgment involved. It's unavoidable. We're dealing with private companies, which means we have limited information about their financials until they file an S-1.
This means qualitative factors carry a lot of weight. The biggest factor here is who straight up said they're going to go public (and when).
Statements like these can sometimes be posturing. A handful are dated. Intent counts for something, though.
When a founder or CEO says their company is going to go public, we should believe them (to some extent, at least). Even more so if the numbers back it up. Every company in this list has the numbers (and/or other factors ) to go with it. We'll get into the numbers side shortly.
For now, here are (relatively) concrete statements about IPO intent and timing for companies in 2025 IPO pipeline. The quotes are either directly from founders/executives, investors, or credible media sources:
Mileage varies on the degree of commitment each statement carries, but my judgment says none (or very few) of these are a stretch.
It's also worth noting who hasn't said anything. Mimecast and Sophos are the only two companies from the 2025 pipeline without any specific comments about going public again (that I could find, anyway).
Both have been public companies before. We don't need to hear them say the plan is to public again — of course it is. The bigger question is when, and the quantitative side can help us figure that part out.
This is exactly where we're heading next.
The quantitative side: revenue, valuation, financing, and incentives
A company can say they want to go public, but actually doing it is another thing. They need the numbers to back it up if they want to have a successful IPO and stay in public markets. This is where the quantitative part comes in.
Most of the companies in the 2025 IPO pipeline have strong quantitative reasons to help convince us they're a near-term candidates. Again, we're dealing with imperfect information any time we analyze private companies, but we can make the best of what we have.
The three most helpful quantitative factors are revenue estimates (better yet, disclosures), valuation and financing, and (in the case of PE-backed companies) how long their holding period has been.
Estimated revenue
As we've moved past the ZIRP era, a big shocker for pre-IPO companies has been the revenue scale required to go public. Cybersecurity IPOs from 2003-2020 had a relative average of ~$175 million in annual revenue. Dozens of companies in our current IPO pipeline have been well above this mark for years.
Profitable Efficient Growth (PEG), otherwise known as the Low-Burn/High-Growth Era, came along and raised the bar significantly. Software IPOs in 2022 and 2023 (not many, but still) averaged $788 million in revenue.
Closer to home, Rubrik had $627.9 million of total revenue when they went public in Q2'24. Their revenue scale was ~2.3x larger than the next highest traditional IPO in the history of the cybersecurity industry.
We've entered a different era. Scale matters.
The exact revenue scale range is still widely debated, partly because we don't have many software IPOs to benchmark. For this discussion, let's say $500 million is pretty safe, and $250 million or above with amazing growth is possible.
Here's where the companies in cybersecurity's 2025 IPO pipeline stand, including both revenue disclosures and estimated revenue ranges projected from publicly available information:
Five companies are at (or very close to) $1 billion or more in revenue already. The scale part is a no-brainer. We'll have to wait for the S-1 filings to see the rest of the operating metrics. Unsurprisingly, this group of companies also had the most specific statements about IPO intent and timing.
The $500-999 million revenue range also has five companies, some of which are likely on the higher end of the range. I expect growth rates for this group are also very high, and not only the blistering pace Wiz is growing at.
Druva and Snyk are likely between $250-499 million in revenue based on recent disclosures. The success of subscale IPOs is probably case-by-case at this point. Both companies have a story for their path to $1 billion, which is good enough to be considered a candidate for 2025.
Four companies are either between $100-249 million of revenue or haven't provided enough information to make a reasonable estimate. They're on the list because of tangible actions they've taken to go public. Cato Networks hired bankers. Bitdefender has started the process of listing before. Coalition's CEO said their plan is to go public after a couple other IPOs happen. Socure had a credible report of IPO plans.
Revenue scale is the best quantitative measure we have available, but other metrics matter in the broader context of incentives.
Valuation and financing
Valuation and financing are by no means direct measures of IPO readiness, but they tell us a lot about the expectations stakeholders have — especially investors.
Late stage companies backed by venture capital, and especially private equity acquisitions, all have pretty clear and reliable valuation metrics. Investors aren't just pulling numbers out of the sky for companies at this stage. Valuations are based on reliable comps, detailed financial models, and years of preparation to shape the them into IPO-ready machines.
The 2025 IPO candidates hold most of the highest valuations among all cybersecurity-related companies:
And remember, the valuations you see here are just the most recently disclosed numbers we have. Current valuations could go up or down when marked to market today.
I didn't go all the way into reconciling estimated revenue with prior valuations based on current multiples. It's safe to say most of these valuations are stable, though.
And then there's Wiz — valued at $12 billion on paper, declined a $23 billion acquisition offer from Google, and currently reported to be exploring a sale of shares at a $15-20 billion valuation.
For the venture-backed companies, total financing also matters. Companies in the 2025 IPO pipeline have raised more capital than basically any other company in the industry (except a few of the 2026-2027 candidates).
They've also raised the most total capital across the entire history of cybersecurity companies, including all of our current public companies.
OneTrust, Netskope, and Snyk have all raised over $1 billion. Arctic Wolf, Cohesity, and Wiz are not far behind at $900 million plus each.
Cato Networks, Coalition, and Socure have all raised around $700 million. They're all on the lower end of the revenue scale, all likely under $250 million. Druva has been slightly more efficient, raising $475 million to hit ~$250 million in revenue.
Bitdefender is unique, with most of their $187 million in financing coming from a single secondary round by Vitruvian Partners. They're a Romania-based company with most shares closely held by CEO Florin Talpeș.
Private equity holding period
For companies owned by private equity firms, the holding period is a decent predictor for the exit timeline. Private equity firms (very generally) hold companies for 5-7 years.
Sophos is technically the only company in the 2025 group who has hit the window of a typical PE exit. This specific group of companies is pretty unique, though.
Four of the five companies (everyone except Kaseya) were formerly public companies. They were already large companies when they were taken private (Proofpoint had over $1 billion of revenue in 2021, for example). This means they're likely to exit sooner than the typical PE holding period.
The gotcha: how many cybersecurity IPOs can public markets handle in a year?
The analysis for the 16 companies in the 2025 pipeline seems plausible.⁴ There's just one really, really big gotcha.
We've never had more than 11 cybersecurity-related companies go public in a single year.
If you've been reading Strategy of Security for a while, I don't even need to tell you what year it was.
Yeah... 2021.
The second highest year?
Nine in 2020.
(I heard that sigh. I feel you.)
Here's the distribution since the Dotcom Bubble:
Outside of 2020-2021, the annual range for cybersecurity-related listings in IPO windows hovers right around 3-4 companies per year. This includes everything from traditional IPOs to SPACs, both hybrid and pure-play.
And remember, there's an avalanche of 40+ other companies in our IPO pipeline right behind them (more on these another time).
We're going to need five record-breaking IPO years in a row to clear out the backlog.
The next IPO window is going to be a good one. We're talking about an epic, never-before-seen streak here, though. Not going to happen.
It shouldn't be surprising if any one of the companies in the 2025 IPO pipeline goes public next year — but it would be very surprising if all of them do.
Footnotes
¹Backups aren't cybersecurity. I hear you. Rubrik and HashiCorp are not cybersecurity companies by the most strict definition of the term. They are mid-cap technology companies who generate a portion of their revenue from cybersecurity products, to be very specific.
²By "reasonable probability of going public," I mean a decent chance (call it 50/50 or above) based on both qualitative and quantitative data points. All of these companies will not go public in 2025. Some companies will slide into 2026 and beyond. Some companies I have in the pipeline for 2026 and beyond could still go public in 2025. And some companies may never go public. We're playing probabilities here, so this analysis is bound to be wrong some of the time.
³Plus others like SentinelOne, which is still one of the largest pure cybersecurity IPOs in history.
⁴I hope it's plausible, anyway. I want to hear about it if you think I'm off base anywhere.