Dry January: The Sobering State of Public Markets for Cybersecurity Companies

Being a cybersecurity unicorn feels like a never-ending Dry January right now. It's not as bad as it sounds, I promise.
2023 was the year people in the cybersecurity industry thought everything was going to get better, and it didn't.

Things like...

"Valuations will get straightened out, and everyone can start raising capital again."

"Klaviyo going public will get IPOs going again."

"Our last valuation was a little high, but we can grow into our valuation over time."

...and so on. The stories we tell ourselves are how we cope with the uncomfortable reality of "economic uncertainty" that's been going on for, well, too damn long.

We're staring 2024 in the face, and the outlook is sobering. It's Dry January¹ for over 100 cybersecurity companies who are sitting on billion-dollar-plus valuations. It's %#@&ing cold and dark outside, the holidays are over, and there's nothing to do.

Okay, in business terms...here's the conundrum: IPOs are the best, if not the only, exit option for 30+ cybersecurity companies. Eighty more unicorns are right behind them wondering what their future looks like. And the market's standards for being a public company just got wayyyyyy higher.

What does all of this mean? It means it's time for us to sober up, straighten our lives out, and give 2024 everything we've got.

The never-ending party of 2021 is long gone now. It's time to get honest about where our top companies are really at heading into the new year.

Let me take you on an up-and-down ride through the financial plight of our industry. I'd normally tell you to fix a drink to calm the nerves first, but it's Dry January, so we're on our own.

Welcome to no man's land

To understand the state of cybersecurity companies, you need to understand the state of software markets in general. Enter Battery Ventures and their incredible (but brutal, at least this year) State of the OpenCloud report.

Here's the chart I haven't been able to stop thinking about for two months:

Source: Battery Ventures - State of the OpenCloud report

Note: This is a funnel, so the numbers are aggregated. For example, the total number of private unicorns is 1,000, not 1,000+115+50+17. Each range in the funnel shows how many companies graduated from the previous one. It's confusing at first, but useful once you figure it out.

It's a chamber of horrors for anyone who works at, invests in, buys from, or cares about software companies. There have been 95 software IPOs in the past decade. 1,000 more companies are sitting in the pipeline wondering when it's going to be their turn. That's not good.

The line "$1B is the new $100M when it comes to ARR" is the one that causes me the most panic. Why?

There are only 14 companies with over $1 billion of ARR in the entire cybersecurity industry. Private companies don't report revenue, but it's safe to say that very few of cybersecurity's private companies have $1 billion in ARR.

As if reading the report wasn't panic-inducing enough, I saw this response to some discussion about the report on X:

A stat that stuck with me after writing No Way Out: The Changing World of Cybersecurity Exits is how many companies with $1 billion-ish valuations we have in cybersecurity. If the $1-2 billion valuation range really is "no man's land in the public markets," we're entering a world of pain.

Trying to see the cybersecurity companies in this chart starts looking a lot like the blurry haze you were in during that bender back in college. Let me give you a clearer view, but without the hangover this time.

Cybersecurity's valuation funnel: billion dollar problems

Here's a cybersecurity version of the Battery Ventures chart (without the logos):

Right now, we have 113 private companies with disclosed valuations of $1 billion or higher, including both VC-backed startups and companies owned by private equity firms. Here's the bad news: 79 of them (70%) are in the "no man's land" of a $1-2 billion valuation.

The 79 companies are a mix of up-and-comers like Dragos, Expel, Island, Stytch, and Vanta, plus later-stage companies like Forcepoint, RSA Security, Veracode, and more.

Each company's individual timeline depends a lot on the timing and structure of investments. But their expectations are all the same: exit with a multi-billion-dollar outcome.

This is where things get complicated. We've had 26 companies go public at a valuation of $1 billion or more. However, our current situation is a lot different than the cybersecurity IPOs of the past three decades.

Since 2000, two cybersecurity companies went public in what's now the no man's land of $1-2 billion valuations. Five companies (CyberArk, Fortinet, Qualys, Rapid7, and Varonis) went public at valuations under $1 billion and grew into valuations of $3 billion or more as public companies.

None of this seems possible right now. We're in a more austere place in time. Only the Most Upstanding Companies™ are worthy of public markets. The rest are left to toil in private until the end of eternity — or what feels like it, anyway.

Several of the 79 companies will make it out and have good exits. And a lot of them will get sold for under half of their billion-dollar valuations. Which ones? I don't know — not beyond an informed guess, anyway. You probably don't either. This no man's land is a very uncertain place.

Next, let me walk you through the funnel and pour you a shot of good, ol' fashioned hope.

Through the funnel: from no man's land to the promised land

When we move down the funnel and past the companies in the $1 billion+ no man's land, we reach a much rosier outlook.

There are 34 cybersecurity companies that have made it beyond the $3 billion valuation threshold. This doesn't mean they have the scale, predictability, and story to make it to an IPO, but their path to the public markets, and their probability of making it there, are a lot clearer.

Let's dive into the data for each valuation range. You'll see what I mean.

$3B+ range

Nineteen cybersecurity companies are currently valued between $3-5 billion:

Other than IDEMIA, the entire set of companies owned by private equity firms used to be public companies. They ended up being taken private for a reason. Each of them needed to take a minute and work on some things outside the public eye.

Most of them will get back to public markets eventually — especially with the magic of Thoma Bravo (Sophos), Vista Equity Partners (KnowBe4), and KKR (Barracuda Networks), all firms with a long history of success in cybersecurity. All six PE-backed companies are early in their holding period, so there's no rush to sell before they have their scale, predictability, and story figured out.

The 12 VC-backed companies in this valuation range are on the fringe of cybersecurity's IPO pipeline. Acronis, Arctic Wolf, Cato Networks, Forter, Rubrik, and Socure have all shared plans to go public. The other six have raised significant capital and likely have the time and runway to grow into IPO candidates.

Companies in this range might be three or more years out from going public, but timing doesn't matter if they use it to become sustainable companies long-term.

$5B+ range

Twelve cybersecurity companies are currently valued between $5-10 billion:

Just like the $3B+ range, all three PE-backed companies were public once upon a time. Each had over $500 million in annual revenue (as of their last earnings reports) before being taken private.² Their return to public markets seems like destiny.

Seven of the nine VC-backed companies in this valuation range are basically a who's who of the cybersecurity IPO pipeline. Netskope (12), Tanium (13), Snyk (19), OneTrust (21), and 1Password (50) are all members of the Forbes Cloud 100 class of 2023. Lacework and Coalition raised three of the top 50 largest financing rounds in cybersecurity history.

As blockchain companies, the future of Fireblocks and StarkWare is up in the air — but if you know anything about cryptocurrency, you know valuations swing wildly. Hodl, I guess.

If I could make a billboard to show the world who the best private companies in cybersecurity are, most of these are on it. $5B+ is the range of rising stars.

$10B+ range

Three cybersecurity companies (or two and change, depending on how you classify Kaseya) stand alone in the bougie $10 billion+ valuation club:

Only 16 cybersecurity companies, public or private, are valued at over $10 billion. That's a higher valuation than 28 other public cybersecurity companies listed on major exchanges. With over 3,000 known cybersecurity companies, this group of 16 is in the top 0.5 percent.

Kaseya (Insight Partners, majority ownership) and Proofpoint (Thoma Bravo) are backed by private equity firms. Proofpoint was public until 2021, when it was taken private for $12.3 billion, the fourth largest acquisition ever in cybersecurity. Kaseya's future has a few more questions, but, well...they have a basketball arena named after them now.

Wiz stands alone as the only private cybersecurity company in history to be valued at over $10 billion. They're #19 on the Forbes Cloud 100, the fastest software company to ever reach $100 million in revenue, and ...you've heard the rest. One of the best articles of the past year sums it up nicely: Nobody Beats Wiz.

If you had to bet everything you own on picking which cybersecurity company is going to have a successful IPO, Wiz is it.

Sober, but good

Sobering was totally the right word for this tour through our industry. I feel surprisingly good about it, though. It's a lot like Dry January.

The first week is a downer. That's exactly how it feels for the 79 companies in the no man's land of $1 billion valuations.

The second week is when you start feeling better. The companies in the $3 billion range should be feeling a lot better than a lot of the unicorns.

The third week is when you feel like you've got this. "You've got this" is exactly what I'd say to our $5 billion companies. Most of them are going to have good exits.

The last week is when you feel superhuman. Our $10 billion companies are unstoppable.

Cybersecurity has around 30 public companies today. You don't have to squint much to see 20 or 30 more public companies a decade from now.

Whatever the number ends up being, it will feel a lot more meaningful when we can look back and say 2024 was the year that made companies in our industry great.

Now, let's pop a bottle of NA Moscato, raise a toast to everyone who's still in the game, and get back to building.


Footnotes

¹Yes, I'm doing Dry January too.

²Ping Identity and ForgeRock have over $500 million revenue combined (now under Ping Identity). Both companies were under $500 million individually before the merger.
