Life comes at you fast in cybersecurity. That's certainly true for the later stage companies who had their sights set on going public in 2022.
The state of public markets has completely changed since I wrote a two part series about cybersecurity's IPO pipeline this January...which now seems like forever ago. It's time to revisit this topic and take a look at where things stand now.
Spoiler alert: it's gloomy out there. This isn't going to be the upbeat, full of excitement type of piece you're used to reading here lately. It's important to talk about what's happening, though — even if the news isn't good right now.
In this article, we're going to cover:
Overall Market Conditions: Analysis of overall market conditions and impact to publicly traded cybersecurity companies.
2022 Cybersecurity IPOs: Recapping the one cybersecurity IPO (via SPAC) so far this year.
IPO Pipeline Developments: Checking back in with companies in the IPO pipeline, including recent comments and events (financing, layoffs, etc.).
Emerging Candidates: Highlighting companies who have emerged as IPO candidates that weren't included in the original series I wrote in January.
What to Expect: Where we go from here and what to expect as the U.S. economy teeters on the edge of a recession.
We're going to start our melancholy little tour by looking at the overall condition of public markets. That's where the current challenges start for companies in the cybersecurity IPO pipeline.
Overall Market Conditions
As of July 31, 2022, valuations for public cybersecurity companies have fallen roughly 20% in the past year. The decline of cybersecurity company valuations is almost exactly in line with the overall market decline.
This chart from Momentum Cyber's monthly snapshot for July 2022 slices the downward trends in a few different ways:
A notable observation about this chart is the steeper decline of high growth cybersecurity companies compared to other benchmarks. Why have high growth companies been impacted more (especially recently)? One reason is hype.
I have previously talked about hype, including some now ominous comments from my Cybersecurity Is Going Public article:
The entire public cybersecurity market is hyped. It's hard to quantify "hype" precisely. Generally speaking, it's a combination of growth, revenue, and momentum.
Zooming in further, this table from Momentum Cyber's mid-year report shows the decline in the ratio of Enterprise Value (EV) to estimated revenue — another way of illustrating the decline in valuations for individual companies:
When previously discussing hype, I highlighted four companies in particular:
...in an already hyped market, there are four very hyped public cybersecurity companies — Cloudflare, CrowdStrike, Zscaler, and Okta.
Sure enough, these companies have had the largest year-over-year declines in multiples. In the chart above, declines for Okta, Crowdstrike, and Zscaler were all over 50%. As of today, Cloudflare's valuation has declined 56.3% in the past year (Note: not included in the table above as a hybrid networking and cybersecurity company). Okta suffered a 74% decline due to an untimely combination of a data breach and unfavorable market conditions.
In Cybersecurity Is Going Public, I also talked about the fickle behavior of markets. It's worth mentioning again here:
Hype is mostly a good thing, so take this data as a positive indicator overall for cybersecurity companies. Markets and hype cycles are fickle, though. If the market leaders start to miss their (admittedly high) expectations consistently, it could impact perception of the entire market. For now, all is well, especially for companies who are growing at a high rate.
Despite the valuation declines for hyped companies, there's something important to remember: they're still performing really well!
Jason Lemkin recently wrote a SaaStr article about the impact of reduced liquidity (in other words, what happens when public company valuations are down). The article noted something counter-intuitive — valuations are down, but SaaS revenue is still growing faster than ever:
At this point, any founder in SaaS should know the public markets have fallen 50% or so from the peaks of 2021. It’s profoundly frustrating as SaaS revenue growth hasn’t fallen. The best in SaaS are growing faster than ever, even past $1B or more in ARR. And yet, they are still worth half of what they were just a few months ago.
The "It’s profoundly frustrating as SaaS revenue growth hasn’t fallen" part is exactly the situation a lot of cybersecurity companies are in. Here's a quick sampling of public company earnings data to illustrate the point:
Palo Alto Networks crushed Q4 earnings guidance, grew billings 44% YoY, and issued strong guidance for the upcoming fiscal year.
Cloudflare raised 2022 sales guidance to $968M-$972M and reported a 53.9% YoY increase in revenue for Q2.
The impact of valuation declines hits companies in different ways, though. High profile acquisitions and rumors of more by private equity firms and strategic buyers have generated headlines in the past month:
Ping Identity was acquired by Thoma Bravo.
Darktrace confirmed preliminary acquisition talks with Thoma Bravo.
Whew... that's a lot to handle. For me, the important takeaway is that financial performance and valuations for public cybersecurity companies have held up relatively well given the circumstances.
We're not going to be in this quasi-downturn mess forever. Valuations will increase again. IPOs will eventually resume.
Next, we'll take a quick look at the broader trend in tech IPOs and the cybersecurity IPO that (technically) did happen.
2022 Cybersecurity IPOs
It's been a rough year for tech IPOs in general, as Flexport founder Ryan Petersen summarized in a recent tweet:
Metaphorically, it's like we were driving 100 mph and slammed the brakes to a complete halt. Now, the Ferrari is just sitting here idling and burning up premium gasoline at $4.60/gallon.
Shortly after the tweet above, ZeroFox went public on Nasdaq via SPAC on August 4, 2022. SPACs are still a non-traditional way for companies to go public, but it still counts!
ZeroFox going public is a relatively significant win for the industry: it's the first pure threat intelligence company to go public. Other public companies (CrowdStrike, for example) have significant threat intelligence offerings, among many other products and services. ZeroFox is unique because threat intelligence is their primary focus (for now).
That's it. There are no other IPOs to speak of in the first half of the year. It's very possible there won't be any more by the end of the year. So it goes...
Now that we've covered the one and only IPO, it's time for a deeper dive into the companies still in the IPO pipeline.
IPO Pipeline Developments
First, a caveat for all companies in the IPO pipeline: any of them are candidates to be acquired by private equity firms at any time (Thoma Bravo, for example).
If SailPoint, Ping Identity, and other public companies with half a billion or more in revenue can be acquired, so can anyone in the IPO pipeline. We may not see any acquisitions, but it's always possible.
Caveats aside, let's look at the pipeline company-by-company.
BigID has been clear about their intention to remain patient about going public — even before the current economic downturn. Repeating a quote from my IPO pipeline coverage in January from co-founder Nimrod Vax:
"BigID doesn’t need the cash and most of the capital has yet to be used. However, the offers we received were just too attractive to turn down, they allow us to accelerate growth and establish our leadership in both product and sales."
True to form, there have been no major developments on the IPO front for BigID. They haven't had any layoffs, raised any capital, or said a peep about going public. Note: Really starting my coverage with a bang here, right?!
In times like these, no news is probably good news. BigID appears to be in a great position. They raised extra capital at a favorable valuation long before the downturn started. It means they can ride out the freeze in IPOs and make a move when they're ready. This should result in a strong IPO once it eventually happens.
Cybereason is where the IPO pipeline developments really start. It's been a gut-wrenching journey for them, unfortunately.
They raised a $355 million Series F round at a $2.37 billion valuation in July 2021. Everything was peachy at the time, and their leadership team was candid and clear about their intentions to IPO in 2022. Cybereason confidentially filed for an IPO in January 2022 — right before things got rocky.
Instead of proceeding as planned with an IPO in the second half of 2022, they had to reprioritize profitability over growth. The practical implication of this strategic shift was laying off 10% of their workforce. The company's messaging was a bit more somber, too:
As the bullish tech market conditions have turned and the tech IPO market has essentially closed, companies like us must now exercise more strict financial discipline and prioritize profitably over top line growth.
It's not all bad, though. The statement continues by highlighting strong growth and reinforcing eventual plans for an IPO:
Our market traction remains strong as we continue to build a company that matters with long-term objectives in mind and plans for a tremendous outcome when the markets – and we – are ready.
Despite the setbacks, Cybereason is still likely to be one of the first cybersecurity companies to IPO once activity resumes. It might not happen at exactly the valuation they'd hoped for when filing in January 2022, but going public feels inevitable.
Exabeam is in the "wait patiently" camp of IPO pipeline candidates. There are no major developments to report. They've had no layoffs, no fundraising, and no commentary on an IPO. In fact, they're hiring — CEO Michael DeCesare even tried to recruit Tesla employees on LinkedIn.
DeCesare heavily implied before the downturn that an IPO would happen but that it wasn't a top priority. If an IPO wasn't a top priority then, it definitely isn't now.
The interesting part about Exabeam is revisiting this statement from DeCesare:
“We have a chance to be to cyber what ServiceNow is to the services market — the unification, the ability to create a CMDB and sit on top of your service system, your ticketing systems — that’s the real estate we occupy.”
Looking at it in the context of today, it means acquisitions and product expansion. Exabeam has only acquired one company to date (SkyFormation in 2019). However, decreased valuations create opportunities to acquire companies at favorable prices.
Exabeam has raised a total of $393 million, which is enough to make some smaller acquisitions before they IPO. Don't expect an IPO soon, but Exabeam could become an active strategic buyer in the near-term.
Illumio is another "wait patiently" company, but this time we have updates! CEO and co-founder Andrew Rubin gave some fairly detailed commentary in March 2022. This quote says it all:
"I don’t have to worry about day in and day out what is the right date for that to happen. Because there’s no market pressure and there’s no funding pressure, and those are usually the two things that would drive an answer of we’re gonna do it this week or next week or next quarter."
I also thought this quote was insightful, particularly the prediction that microsegmentation is a big enough category in tech to have a public company:
"I think that journey is playing itself out. Even though the segmentation category is still in its early stage, there is zero doubt in my mind that whoever emerges in that space as the category and market leader will become and be a public company."
Aside from commentary, there isn't much business-related news with Illumio — no layoffs or funding. Again, no news is probably good news.
Of all the companies in the cybersecurity IPO pipeline, Lacework has probably received the highest amount of negative press. They suffered an unfortunate combination of circumstances — a massive $1.3 billion funding event in 2021, aggressive hiring and growth, and subsequent layoffs:
Despite the drama that ensued from the broader tech world, Lacework still appears to be in a good position. Sure, a 20% workforce cut stings — but they still raised $1.3 billion in capital under favorable conditions. Assuming they're able to responsibly invest and prolong this money, they'll recover well on the other side of the downturn.
Netskope is content to wait things out on an IPO. Here's a good quote from CEO and founder Sanjay Beri in 2021:
"We frankly weren’t looking for capital, and we feel that we could have been public now. But this will help us to grow fast as a private company and invest in R&D. Our next move, though, will be an IPO."
Based on publicly available information, I agree with the "could have been public now" assessment. Netskope's post-money valuation as of their Series H round in July 2021 was $7.5 billion, among the highest of private cybersecurity companies.
Time will tell if it's a good thing Netskope remained a private company instead of going public last year. Regret is definitely possible — it may take years for markets to return to 2021 levels. Regardless, Netskope is likely to be one of the first cybersecurity IPOs once activity resumes.
Pindrop is in an interesting position. They've historically been in the "wait patiently" group of companies, with one important twist: they haven't raised any capital since 2018.
Most other companies in the IPO pipeline raised large rounds in 2021. 3+ years is a long time for a high growth company to go without raising capital. Either they're a highly profitable business, or they're in a tricky spot with raising capital or going public at a lower valuation than they'd like.
I said this about the bear case for Pindrop's IPO when covering the company in January:
Contact center platforms like Talkdesk are growing quickly (Talkdesk is currently valued at $10 billion). These platforms already have or will develop authentication features to include natively. The question for Pindrop is whether voice-based security is a standalone product or a feature within larger contact center platforms.
Looking at this strategic dilemma in the context of today's economic environment and duration since fundraising, it's fair to say Pindrop could be an acquisition target. That's purely speculation on my part — just an observation that several of the common ingredients for an acquisition are present.
That said, Pindrop has been hiring high profile executives, including Marc Diouane as President and Chief Operating Officer. This comment doesn't sound like a person who's there to help sell the company:
"Joining Pindrop was an easy decision for me. Voice is a critical part of the fabric of everyday human computer interactions. The widespread use of voice will only accelerate with new applications opportunities. Pindrop is clearly the leader and best positioned to benefit from this trend. I am beyond excited to get started and help Pindrop grow."
We'll see what happens here. Another financing round or an acquisition seems more probable in 2022 than an IPO.
QOMPLX was on a treacherous path towards an IPO well before the current market conditions. Here's a quick recap of their previous attempt to go public via SPAC from late 2021:
QOMPLX announced a SPAC in March 2021. As SPACs do, the intent was to take the merged company public that year. They even acquired two companies to round out the company's product portfolio.
By August, the SPAC merger was off. The chairman of the SPAC company stated "market conditions" as the reason the plans were scrapped.
This was a curious answer since, well, a bunch of other cybersecurity companies managed to go public in 2021 under the same "market conditions." Intuitively, it seems likely there were more factors in play.
There have been very few updates on the IPO front since. No layoffs have been publicly announced. They raised a small $200,000 financing round from Martinson Ventures in January 2022. The size of the round seems curious for a company that has raised a total of $102 million.
Given the timing of ZeroFox's recent SPAC, I wouldn't be surprised to see QOMPLX try again with a different partner. They could also be an acquisition candidate (again, my speculation). Both seem more likely than an additional round of substantial financing.
Snyk still looks like one of the top candidates to go public once market conditions improve. The big news since I covered Snyk in January is they've hired Morgan Stanley and Goldman Sachs in preparation for an IPO, as reported by Reuters.
The article included a brief comment about timing:
The timing of the IPO is uncertain given the market volatility fueled by Russia's attack on Ukraine, the sources said. Snyk aspires to double its valuation from its last funding round, the sources added.
The timing uncertainty is no surprise given everything we've discussed in this article. Doubling their valuation is somewhat of a surprise — especially considering it was $7.92 billion pre-money as of their Series F round in September 2021.
Hiring investment bankers is the headline news, but Snyk has also had minor fundraising and layoff events since January:
According to PitchBook, they raised an undisclosed amount from existing investors in January 2022.
They also announced restructuring and layoffs in June. Changes spanned across product, engineering, and sales that impacted around 5% of their workforce.
Based on the internal memo they shared publicly, the changes appeared to be more about evolving their organizational structure than cost cutting. There was also one important tidbit from an IPO perspective:
"We’ve accelerated our plans by a full year to become free cash flow positive in 2024."
With public markets currently prioritizing profitability, accelerating plans by a year is a big deal. Snyk may not end up going public in 2022, but this announcement sets them up well to be a public company in 2023.
Tanium's path towards an IPO is one of the most mysterious among the companies in the cybersecurity IPO pipeline. Recent articles have questioned whether the company will ever go public at all despite solid revenue and growth disclosures.
The company hasn't raised capital since its $150 million Series G round in May 2021. Layoffs have been reported, including their Chief Marketing Officer and senior product marketing team members.
Tanium's three strategic options appear to be:
Remain Private: Continue operating as a private company indefinitely, which CEO Orion Hindawi has previously stated he's perfectly content to do.
Private Equity Acquisition: Get acquired by a private equity firm. In the era of Thoma Bravo and other large scale private equity acquisitions, anything is possible.
Go Public: IPO when market conditions and valuations are stable enough for a public exit.
Remaining private is the most probable option for Tanium, especially given Hindawi's statements about being content as a private company. I also don't see Tanium's founders as the type of people who would want to work with a private equity firm. Going that route seems unlikely unless they have no other choice.
Transmit Security is another member of the "wait patiently" club. Technically, they are still a Series A stage company. Albeit, the largest Series A round ever in cybersecurity...which comes with certain expectations. Co-founder Mickey Boodaei has been clear the company has no planned date for an IPO, even though that's the intended outcome.
They haven't needed capital since raising $543 million in June 2021. Layoffs were reported in July that affected 7% of the workforce (27 people). Similar to Snyk, they appear to be an organizational change and not a reaction to market conditions.
We already knew Transmit Security was at an earlier stage of the IPO pipeline than several other cybersecurity companies. Current market conditions don't change that trajectory. I expect Transmit Security to keep building and growing as a private company in 2022 and 2023.
A couple companies have emerged as IPO candidates and probably should have been mentioned in my January 2022 coverage. We're going to talk about them briefly here and get them on the radar for future coverage.
Arctic Wolf is a Managed Detection and Response (MDR) company that recently raised a $150 million Series F round at a valuation of $4.3 billion. The company's leadership team has been open about their plans to IPO. President and CEO Nick Schneider told SDxCentral in January 2022:
"We’ve been pretty public that our intent is to go public this year. We’ll do it when the market is right and when the company’s right."
By February, plans had already cooled off a bit. From SC Magazine:
"We’re continuously evaluating what we would do from a financing perspective, but at this point we’re not commenting on financing plans. I just can’t comment on timing. We’ll continue to look at different avenues for financing. One option is an IPO, but there are other options we can consider and we’ll make that known when we get to that point in time."
They're certainly not alone in having their IPO plans derailed. The intent is clearly there, so expect plans to resume once markets improve.
In February 2022, Reuters reported that private equity firm KKR is exploring options for taking Optiv public:
Buyout firm KKR & Co Inc (KKR.N) is exploring a sale or an initial public offering for Optiv Security Inc, a U.S. cybersecurity solutions distributor and consultant it controls at a valuation of more than $3 billion, including debt, according to people familiar with the matter.
The article reported Optiv's annual revenue at $650 million, which is in the range of several other publicly traded cybersecurity companies.
If KKR decides to take Optiv public, they would become the second (or third, depending on when Arctic Wolf goes public) public cybersecurity company that earns most of their revenue from professional services. The only other company is SecureWorks.
KKR has owned Optiv for five years — a typical, but not mandatory — timeline for PE firms to exit holdings. An IPO definitely seems like the probable option here, but KKR may elect to hold longer than planned to get more favorable market conditions.
What to Expect
Despite spending 4,000 words analyzing and making predictions about companies in the cybersecurity IPO pipeline, I have no idea what's actually going to happen — at least not with precise accuracy. I'm just a person with a keyboard looking at the same information as everyone else.
In trying to make sense of it all, a few things I've read have resonated with me. That's the perspective I wanted to share here.
The big question is: how long will this downturn last? I found this stat from a recent Lytical Ventures report interesting:
Since World War II, there have been twelve recessions, lasting 10.3 months on average. The ‘Great Recession’ of 2008, allegedly the perfect storm of recessions, lasted eighteen months. The most recent recession, in February 2020, lasted only two months. Data suggests that the average length of recessions is shortening.
Recessions are a dire topic, but data like this is encouraging. As a person old enough to live through a couple, recessions feel like an eternity. From a long term perspective, 10.3 months isn't that bad. We'll get through it.
Regardless of the exact duration, there are a couple downstream implications of an economic downturn. One is the impact of valuations for pre-IPO companies. This ultimately drives the timing of when IPOs will start happening again. Jason Lemkin gave some perspective on this topic in a recent Twitter reply:
That's the big question for companies in the cybersecurity IPO pipeline — what valuation are they willing to live with? Companies who need additional financing may be forced to take lower valuations if an IPO is the only option. Other companies in the "wait patiently" club can wait until valuations return to a point they're comfortable with.
The other implication is that liquidity flows downhill. Low liquidity in public markets affects strategic buyers and limits their ability to acquire earlier stage companies. This is especially limiting in transactions involving equity. Later stage private companies are in the most difficult position, but the second and third order consequences can affect earlier stage companies.
Bad news aside, there are some flashes of positivity for the current set of companies in cybersecurity's IPO pipeline. Let's hope we're in for a short downturn and the IPO freeze comes to an end.