Mandiant and the Future of Cybersecurity Professional Services

Exploring Mandiant's path forward after FireEye, building productized services at scale, and the future of cybersecurity professional services.
Mandiant and the Future of Cybersecurity Professional Services

FireEye relaunched as Mandiant today, making it one of a select few publicly-traded professional services firm focused exclusively on cybersecurity. Mandiant's strategy going forward is interesting on multiple levels, including the company's own prospects and the future of the broader cybersecurity professional services industry.

Mandiant announced the sale of FireEye for $1.2 billion to Symphony Technology Group (STG) on September 22, 2021. The move marked the end of a seven year relationship between FireEye and Mandiant. FireEye acquired Mandiant for $1 billion in 2014, a fateful move that eventually led to Mandiant and Founder/CEO Kevin Mandia leading and eventually divesting FireEye.

Mandiant's Dilemma

Selling FireEye seemed inevitable. Revenue and product innovation from FireEye's products stagnated for years despite massive growth from other companies within the cybersecurity ecosystem. From CRN:

FireEye’s product business has struggled for several years due to the persistence of legacy, on-premises appliance-based technology. Revenue for the company’s product business fell to $540.9 million in 2020, down 3 percent from $557.8 million a year earlier. That’s despite the surge in cybersecurity spending that accompanied the rapid shift to remote work at the onset of the COVID-19 pandemic.

I understand why FireEye's acquisition of Mandiant made sense at the time. The firms were frequently collaborating on deals. The product-services relationship was mutually beneficial. Mandiant's growing reputation and revenue made it an attractive addition to FireEye's business. Both sides likely expected to pull each other into opportunities exclusively, establishing a dominant pairing in the market.

Mandiant continued to grow and differentiate itself in breach response and threat intelligence services. Meanwhile, FireEye wasn't able to maintain its market leadership in the transition from its on-premise hardware and software business to a modern SaaS model.

Fast-moving competitors like CrowdStrike and SentinelOne took over the endpoint protection market that FireEye was pivoting towards. Gartner's Magic Quadrant for Endpoint Protection Platforms says it all:

FireEye has been relegated to a niche player in the market, far behind CrowdStrike and the other leaders and visionaries.

The disconnect in the combined strategy of FireEye and Mandiant was this: it's difficult to grow both a product (FireEye) and a services business (Mandiant) at the same time. Especially when your CEO (Kevin Mandia) started the services business.

A company with equally strong product and services businesses is not the traditional paradigm — not in cybersecurity, and not in the broader tech industry. Two models have been proven to work:

  • Product companies with subservient services businesses

  • Services companies with small or non-existent product businesses

Okta is an example of the former. Their primary business is SaaS-based identity and access management products. Their professional services business supports implementation of the products — basically serving as an extension of customer success.

Accenture is an example of the latter. Their primary business is professional services — people to deliver work, typically billed by the hour. Their revenue from software products pales in comparison to revenue from services.

FireEye's breach in late 2020 certainly didn't help, and may have accelerated the process. A major breach at a company who specializes in threat intelligence and incident response clearly raises skepticism in the market.

A $1.2 billion return for the sale of FireEye's products isn't what Mandiant had hoped for. FireEye's valuation was at a low revenue multiple. A lot of money has been spent acquiring companies to modernize FireEye's product portfolio. Unfortunately, this was probably the best Mandiant could do given the circumstances.

FireEye's future is likely a blend with STG's other recent acquisitions of RSA and McAfee's enterprise business. As private equity does, the eventual result will be a rationalized conglomeration of products from each of the companies operating under a reasonably efficient and profitable corporate entity. That's not the focus here — Mandiant's future as a standalone cybersecurity professional services company is much more interesting.

Challenges for Traditional Professional Services Firms

Mandiant's decision to remain a publicly-traded company as a professional services firm is somewhat of an anomaly, especially in cybersecurity. Most cybersecurity professional services firms are private companies — even multi-billion dollar practices like PwC, Deloitte, and EY.

Cybersecurity professional services firms are traditionally private for several reasons. A big one is their business model. Unlike SaaS companies, professional services firms have minimal recurring revenue. They have to manage their sales pipeline and grind out new project wins continuously. Reputation and scale matter, but future stability and growth have an element of inherent instability.

For much of the industry, profit margins vary widely and fluctuate based on billable rate pressures and market demand for service offerings. Highly competitive or commoditized services frequently end up in a race to the bottom: which firm can deliver the service for the lowest price?

The winners are at the margins. Large, reputable firms with strong brands and broad service offerings have incredibly robust profitability. They're some of the most reliable and resilient businesses on the planet. The other winners are firms like Mandiant: clear leaders in a specific area of expertise.

Mandiant has dominated breach investigations and threat intelligence for over a decade. They have led or participated in nearly all the high profile breaches in recent memory: Target, Sony Pictures, JP Morgan Chase, Anthem, SolarWinds, Colonial Pipeline, and more. It's hard to be more dominant than Mandiant has been within a competitive industry segment like breach response services.

The Achilles' heel and barrier to growth for professional services firms is development of software products to compliment and diversify services revenue. All the leverage in a traditional professional services business comes from labor, the oldest form of leverage there is. People alone don't scale. They have marginal costs of replication — to get more done, you need to hire and pay more people. So, that's what traditional firms do:

This is where Mandiant's strategy gets interesting. They're not immune to the limitations of labor leverage, but they're taking specific actions to increase leverage with code and media.

Mandiant is creating leveraged workers by augmenting and scaling them with tech. They're also applying specific knowledge from people in the field investigating and responding to breaches to make their tech even more leveraged. It's a mutually reinforcing cycle of product and service development with profound implications, if successful.

Mandiant's Current Status

The Mandiant of today is a perplexing case study. The company is widely recognized as the leader in large-scale breach responses and threat intelligence. They have focused on growth, investing heavily in R&D, sales, and marketing. This has created challenges with profitability, particularly compared to their traditional, privately-held peers in the professional services industry.

Mandiant is a significantly smaller company after selling FireEye. Services revenue (Mandiant Solutions) was $113.9 million in Q2, or roughly a $450-500 million business annually. For context, Mandiant's revenue is slightly higher than companies like SailPoint and CyberArk and significantly lower than large, billion-dollar cybersecurity consulting firms like Accenture, PwC, and Deloitte.

On the surface, Mandiant is a niche company. They don't offer many services compared to their larger peers. Their strategy is to be excellent at the narrow set of things they do. From Kevin Mandia in the Q2 2021 earnings call:

And right now, what I see when you have an alignment of strategy, you get a focus. The folks that will be on a go-forward basis on Mandiant will be, I think, way more productive selling things like we're No. 1 in intelligence, we're No. 1 in incident response.

We're creating a automated defense based on our No. 1 intelligence and our No. 1 breach intelligence. With focus will come better results.

Identifying the Chinese APT-1 espionage unit and the SolarWinds breach are two of the most significant accomplishments in modern cybersecurity history. This is exactly Mandiant's dilemma: the company hasn't been able to capture enough of the value they've created through research and innovation.

Mandiant has consistently struggled with profitability, losing $64.6 million in the last quarter alone. Again, from CRN:

However, from a profitability perspective, Mandiant’s operating losses barely budged, coming in at $183 million in 2020. Conversely, in the product business, FireEye recorded operating income of $27.8 million in 2020, improved from a $26.8 million operating loss in 2019.

However, the company's revenue growth is good. They reported 26% year-over-year growth in the consulting business and a 19% ARR for the subscription software/intel business. It just takes a lot of spend on R&D, sales, and marketing to make their growth happen.

The challenge with focusing on breach response services is that the size, scope and frequency of breaches is erratic and unpredictable — truly feast or famine for a service provider. In the past, Mandiant has cited volatility as a reason for missing earnings expectations:

“While our services personnel are responding to more attacks this year than prior years, the scope and scale of these attacks is simply different,” FireEye (FEYE) CEO Kevin Mandia said on a quarterly earnings call Thursday afternoon. “The average duration and size of each incident response engagement was smaller than in years past.” Rather than having to respond to attacks on “thousands and thousands and thousands” of computers, he added, “suddenly, we’re doing forensics and deep-diving [on] four machines or five machines.”

The company's thinking on the impact of volatility is clearly evolving towards adaptability. Kevin Mandia discussed a revised stance in the Q2 earnings call:

...let's just say we have world peace overnight and there's no inbound IRs, we can repurpose every one of those people, for the most part, to strategic services or red teaming and all the skills are overlapped.

So that's the good news with incident response consultants. They can play free safety and pretty much do any of the services that we have.

There is a lot of room for debate about whether this is accurate or not. I generally agree, assuming there is adequate demand and sufficient rates to support repurposing incident response people on adjacent projects. How Mandiant handles this is relevant, but it's also minutiae on the wider scale of their strategy going forward.

The interesting part of Mandiant's future strategy is building leverage with code and intel. This is where we start to get a glimpse inside the mind of Kevin Mandia, one of the leading experts in the world on breach response and threat intelligence:

I believe automation, powered by AI and machine learning technologies, is the only way organizations will be able to keep up with attacks and maintain resilience. Customers are coming to this realization as well, and momentum for Mandiant Advantage continues to build.

...

The combination of increasing threats and a growing shortage of cybersecurity skills means in-house teams are overworked, and they may lack the expertise or visibility to manage their security controls and security posture.

He's absolutely right. A practical example:

The combination of continuous threats and a shortage of cybersecurity skills is a real problem — perhaps the most significant problem we face today as cybersecurity professionals. Kevin Mandia described how Mandiant intends to address this gap in the Q1 2021 earnings call:

...a lot of people that I talked to wish they had Mandiant experts sitting in their SOC and staring at every alert.

We can't offer that. That doesn't scale. But one thing we can do is create a system that learns, it thinks, and it can do the minimization as if it was us.

The tech world has a term for this: productized services. Building systems to augment and automate human functions in a function like cybersecurity is an interesting experiment. It's also one of the largest attempts at building productized services at scale. This could have a profound impact on the professional services market for cybersecurity.

Productized Services at Scale

Productized services are an emerging trend in the creator economy and across tech. Dru Riley's coverage in Trends #0060 — Productized Services is a great starting point. From the report:

Productized services offer services at a fixed price with a clear scope and timeline.

Freelancers are like personal chefs who cook everything for everyone. Productized services are like restaurants with a menu.

Productized services are intended address the labor leverage problem faced by traditional professional services companies:

Productized services help you move from selling time to outcomes. You can build systems instead of billing hours.

The concept of productized services is based on the idea of a value ladder — a progression from low volume, high labor services to low labor, high volume products with greater leverage. Applying a model from Jack Butcher, an example of Mandiant's value ladder looks like this:

Mandiant's strategy aligns exactly to the productized services model. From Kevin Mandia:

We are also building our expertise and intelligence into the modules of the Mandiant Advantage platform to extend our expertise and reach far beyond the number of customers we can reach through services alone.

...using Mandiant Automated Defense is like having a team of Mandiant experts right there in your security operations center.

We all know that almost every single human skill over time is going to be replicated by machine intelligence, and that's what we're doing here.

Mandiant is turning low volume, high labor services (breach response and threat intelligence) into low labor, high volume products (the Mandiant Advantage SaaS platform). A specific example of how this strategy is being executed:

...we launched our ask an expert capability across our endpoint platform. And this provides customers instant access to Mandiant experts when they need immediate help.

Productized services in action at public company scale. This model has worked for independent consultants and smaller firms. The Trends.vc report highlights several success from across tech, none of which have reached the size and scale of Mandiant yet. Mandiant's attempt is one of the largest ever.

If productized services are the future of professional services, Mandiant's transformation will be leading the way. Can they pull it off? It's definitely possible. A few hints from Kevin Mandia tell us why.

First, an explanation about the complimentary and mutually reinforcing innovation cycle between Mandiant's services and solutions businesses:

The two parts of our Mandiant business, services and solutions, are interdependent and complement each other. Our consultants are technology-enabled by the Mandiant Advantage platform, allowing them to scale their productivity, and our technology is expertise-enabled with our frontline intel and experience. In combination, this allows us to deliver our expertise at scale whenever and however customers need it. Going forward, we plan to continue building on our Mandiant Advantage strategy, automating human tasks and applying machine learning to create a super analyst: a technology that thinks, learns and makes recommendations to make our customers more secure.

It's a powerful idea in theory, and harder to execute in practice. Mandiant's innovation cycle has multiple dependencies:

  • The technology has to be good enough and current enough to truly enable and scale the productivity of consultants. Consultants aren't more productive or effective if they don't use the tech.

  • Consultants have to execute on sharing their frontline expertise the product managers and engineers building the technology platform. Knowledge goes to waste if it isn't shared within the organization.

  • Product managers and engineers have to build and iterate the product quickly to codify the intel and expertise they receive from the field. Leverage doesn't happen if knowledge isn't incorporated into the product timely.

Operationalizing this model is going to be challenging. It's incredibly valuable if it works, though — especially in cybersecurity, a field that's facing an unprecedented set of global threats.

Second, some commentary from Q1 about Mandiant's competitive moat and and greenfield opportunities with Mandiant Advantage:

But at the end of the day, that's what creates the halo effect is the knowledge itself, not the event, and we just happen to be at the front row seat for it...Getting demand in Advantage, what I see there is it's greenfield. I don't believe it's ever existed where you can plug a technology in and it's like adding a thousand experts to your network.

...to make Mandiant Advantage work, here's the moat for it...you have to have a global intel capability, and we have that. We're in over 20 countries. We speak over 30 languages.

You have to own the front lines, and we have that, where we did over a thousand investigations last year. And a lot of people think, oh, investigations are tactical. They're absolutely strategic. It's how you get a front-row seat to all the threats that are circumventing the safeguards of today, so we can, with Mandiant Advantage, with our international intelligence team, and our breach intelligence that we're getting every single day, we can feed it to products that just don't learn, don't think, can adapt, too static, which is the majority of security products today because they simply don't have the knowledge and the intelligence that we have as we clean up the messes left behind from a lot of these products.

...So [for] Mandiant Advantage, the greenfield opportunity is to automate that expertise in that intel and bring it to you at machine speed.

...if you're going to test your security, you've got to do with real threats and real knowledge. You can't just be, hey, I made software that can simulate a threat. Well, where do you get the content for it? We've got the content.

When Mandiant is the first to discover a piece of threat intelligence, their knowledge is exclusive — you literally can't get it anywhere else. If their specific knowledge about threat intelligence can be quickly operationalized within a scaled technology platform and made available to every customer, it's incredibly valuable.

Third, Kevin Mandia clearly has strong conviction about their competitive advantage in threat intelligence:

...we prefer having first-hand knowledge of the intelligence that we produce.

The only way to get that firsthand intelligence is to have hundreds of responders out there on the front lines...

...90% of the time, it seems like every time I see a headline, we're on the ground responding firsthand...I'm not getting distracted by what other folks are doing.

On any given day, one company may be on the front lines with intel, other companies don't have. All I know is we were structured and it's strategically important to respond to security breaches to have the best intel. So that's what we did. And then to augment that, we have nearly 300 threat analysts that speak over 30 languages in over 25 countries.

I am confident that, that doesn't exist in the private sector anywhere else. So if somebody wants to say they're in a threat intelligence business, I'd be interested in how -- do they have a global infrastructure doing collections like we do?

Mandiant's threat intelligence unit is a heavy duty operation. This commentary starts to give you an idea about why their R&D spending is so high — it's not cheap to deploy hundreds of highly paid threat analysts globally, rapidly analyze their findings, and disseminate them to thousands of customers. Mandiant is making one of the largest attempts ever at executing a productized services strategy. Something like this can be done by governments in the public sector, but they're not bound by profits like Mandiant is in the private sector.

Finally, some commentary about the idea of placing value in outcomes:

First, nobody cares how you provide the outcome as long you provide it. Right? ...what I would want to buy, is the outcome of saying, if I've got Mandiant Automated Defense, regardless of how we deliver it, even -- whether we deliver 99% tech or 92% tech, but it'll be a lot of tech, I would just want the outcome that I feel safe, and that's what we want to provide.

Productized services are the solution to Mandiant's profitability issues. So far, they haven't been able to earn enough revenue from professional services to offset their massive spending on R&D, sales, and marketing. If they can shift their customers' mindset to focus on value and outcomes, they have a chance at capturing more profits from the value they provide.

Safety and security are things people and companies value. Value-based pricing is the way Mandiant can move beyond hourly rates — trading time for money — to subscription-based revenue with little to no marginal cost of replication.

What the Future Holds

Building a successful productized services business to address an important societal issue like cybersecurity attacks is an interesting problem to solve. In the process, Mandiant may also revolutionize the delivery model for professional services in the industry.

A shift towards productized services is bound to happen, especially in cybersecurity. Too many incentives are aligned: labor shortages, budget constraints, speed of delivery, and never-ending fear are a recipe for innovation. The question is whether Mandiant will be the company to execute this strategy and successfully capture the value.

Mandiant's productized services model has to start showing results quickly. If it doesn't, investors are going to view Mandiant as just another professional services firm with underperforming profitability.

Their transformation is high risk, high reward. If the transition doesn't work out, their failure is going to create a giant opening for opportunistic service providers to disrupt Mandiant's dominance in breach responses and threat intelligence.

I wouldn't be surprised to see Mandiant take the company private so they can step out of the public spotlight and scrutiny like other large cybersecurity consulting firms. Going private could give them the time and capital they need to build a productized services strategy at scale.

The clock has started now, and it's going to be an interesting journey to follow.

Cybersecurity Services
You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Strategy of Security.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.