I spoke with Matt Mills, SailPoint’s President, about a wide range of topics. We spent time reflecting on the journey to $1 billion ARR, then moved towards the future: authorization, business drivers, AI fear and progress, adaptive identity, application integrations, competition, and…mainframes?!

This was a candid discussion about what it takes to be an identity company serving the world’s largest customers as we enter the AI era. I hope you enjoy it as much as I did.

Note: This interview has been lightly edited for clarity.

The billion dollar milestone

Cole Grolmus: SailPoint just surpassed $1 billion ARR in its last fiscal year, so this discussion is coming at a perfect time. I'd love for you to reflect on that for a minute. It's such a significant milestone that's been building over the course of 20 years.

Matt Mills: If you haven't spent time in the startup world or these emerging markets, you might not fully appreciate the Mark McClain story: doing a startup, taking it from zero to $150-200 million, taking it public, taking it back private, and then taking it back out again. 

When you start looking at the odds, what percent of startups actually make it to a public market? It's really, really small. Then you start asking what percent actually make it to a billion dollars, and what percent of those actually have the same founder CEO for 20 years going through all of that. It's a pretty incredible story.

Breaking down our business at a billion dollars ARR: we typically do three-year contracts, so when you look at remaining purchase obligations and the size of the business, it's probably a $3 billion business. It's a big business.

I've only been here for six and a half years, so I've been here on Mark's coattails. It's a great story. 

We talked about being a billion-dollar company when I got here, but there's a ton of work by everybody that goes into it. It's a pretty nice thing for the company to rally around and celebrate. Everybody contributes because you don't get there any other way.

Authorization is having a moment

Cole Grolmus: The core thesis of an article I published recently was that authorization is about to have a moment.

As someone who's been doing this for a long time and has done several enterprise identity implementations, I think authorization (broadly) and SailPoint (specifically) are more relevant than ever, even after a 20-year run. 

What evidence or anecdotes have you seen from a customer perspective that make you believe this is happening?

Matt Mills: There are a lot of things happening that are all coming together and changing the context of what SailPoint is. 

If you go back even five years ago, we were still doing traditional identity governance. Having been in the business a while yourself, you understand that when you thought about governance originally, you were always thinking about compliance and audit. That was it.

With the acceleration of agentic AI, it's really accelerated the idea that governance is still important, but it's going to have to manifest itself very differently in this world.

We're moving to a real-time world. We've been authenticating and authorizing for a lot of years, but now it takes on a new meaning.

When you start talking about zero standing privilege, that's the operating model. But now we're talking about authorization in a different context: just in time, time-bound, purpose-bound. We're looking for immediate or real-time remediation. The permissions are revocable.

When companies are looking for a new solution, what's causing them to go down this path? A big chunk of it is still compliance, but a big chunk of it now is risk.

The conversation changes from "are we compliant?" to "is access justified right now?" Not just is it justified, but is it justified right now. 

If you listen to our CTO Chandra Gnanasambandam talk, he talks about context: When Cole is logging on, does he have access to this? 

The answer might be yes, Cole has access to that. But does he have access to it at 3:00 in the morning on an IP address I've never seen in China? I'm probably going to say no, I don't think he does right now. I'm going to poke at that and make sure he's authorized to do what he's doing, where he's doing it, when he's doing it.

Those are the things that bring this whole new perspective around authorization.

Compliance and security, not either/or

Cole Grolmus:  You probably have the broadest allocation of customer discussions of anybody at SailPoint. 

What percentage of customers are still coming in with regulation as a driver versus moving towards the risk and security end of the spectrum?

Matt Mills: I hate to say it, because the industry's been around this long, but there's a ton of regulation that we deal with already in regular business. Every time I turn around, there's another cottage industry coming up with their own level of certification or compliance regulations.

I think we're just on the cusp of a new set of regulations that are going to come at us from an AI perspective.

The auditors I talk with ask questions about when we are going to get to the point where AI agents are actually doing things on our behalf, making relevant and material decisions.

If you're going to secure your enterprise, I don't think you can do it through human hands on a keyboard. You cannot keep up. 

At some point, somebody's going to have to make a call: do we trust what's happening here? Can we put the right constructs in place that allow us to have some level of confidence? Is there enough transparency?

The bad guys don't have to deal with that. They just use the technology and wreak havoc.

There's a balance we're going to have to get to. As providers of these solutions, we're going to have to be transparent. It's going to have to be auditable. I think that's coming. It’s not that far away.

Cole Grolmus: It sounds like an "and" not an "or." The reality is we're living in a world that's more regulated and there are more risks driving security. It's actually the combination of both things that's going to be a factor.

Matt Mills: I think so. There's a little bit of a fear factor that companies are dealing with. They don't want to go too far down this path until they understand exactly what they're dealing with — not only from a regulation perspective but from a security perspective.

I don't believe applications as we know them today are going to act and behave like they did five years ago. You're going to have embedded agents in virtually every off-the-shelf software product available. 

Companies are going to say, "I don't have a choice. I'm going to have to somehow certify and regulate these agents to make sure they're doing things like they're supposed to do and not causing problems with security or having access to the wrong data."

Having your foot on the gas and the brake simultaneously

Cole Grolmus: I covered this topic in my interview with Mark McClain, and he had an interesting take on it. He described it as: “I’ve never seen this many customers with their foot on both the gas and the brake at the same time.” 

There is so much upside with both AI and agents, and it gets more incredible by the week. But once you realize what's possible, you also become way more afraid. How do you reconcile that?

Matt Mills: He says it well. He and I sit on a number of investor calls, and we get a ton of questions because the investors and analysts want to understand how fast this is going to go.

At the end of the day, it's hard to understand how quickly the update will be on these technologies. You're seeing C-suite executives saying, "We need to take advantage of these efficiencies. We need to start being able to get the benefits of this in our business."

Meanwhile, the practitioners and security experts are saying this scares the heck out of them. It scares them that we're going to have the ability to build human-like digital agents that are going to go out and work under my guidance with permissions that maybe a human is going to pass through to them.

You hear these cornerstone cases that people repeat, like the story about so-and-so who had forty-six agents running in their business that nobody knew anything about. 

I've heard that story over and over. The numbers change, but it’s the same story. Nobody knew, then it did something bad, and everybody got in trouble. I hear a ton of those stories, and they scare the living daylights out of people.

I don't think you hear enough about how people are actually using this effectively today in very pointed solutions and starting to get those benefits. People will get more comfortable with AI and agents eventually. 

One of the big accelerators for companies like us is when we can get our product out and start getting people comfortable with the level of security and transparency we can provide around agents. Then you're going to see some acceleration.

The big next step is what we call the "base agents.” Those are the vendor agents that come from the Salesforces and the Workdays of the world, delivered in the products. If you can govern those — discover them, categorize them, assign ownership to them, certify them — then you can start making progress. It's the autonomous agents that give people pause.

Are security teams ready for adaptive identity?

Cole Grolmus: Another question I asked Mark was whether security teams are ready for adaptive identity. 

The reason I asked with some consternation is that, if I put my implementer hat back on and consider what an operational identity program is like most of the time, the median implementation is just trying to keep its head above water.

There's a lot to integrate, a lot to roll out. It's hard enough to manage human identities…and then we're talking about adding agents on top of that?!

Mark's answer, which I agree with, was: "Look, I get it, but I don't think we have a choice. It's going to happen whether we want it to or not. Better to get ready for it, and better to use tools like SailPoint to enable it instead of trying to make it stop."

Matt Mills: I'm with you 100%. We acquired Savvy to help with this, which is now our Accelerated Application Management solution. It's probably our fastest-scaling product. The pipeline is going through the roof because people are now starting to understand what it does.

It's not just about discovering all your apps. It's also being able to tell you that apps use embedded agents. 

When companies realize "I have 1,000 apps, and 900 of them are using agents," it's not like you can just disable them. They are probably running your business. You can't just turn them all off.

So what do you do? You discover them. You categorize them. You assign ownership to them. You give them human owners and certify them just like any other kind of identity. That's significant.

When we look at Tier 1, Tier 2, Tier 3 connectors, the Tier 3s are probably 15-20% of your total applications. The Tier 2s were always at 20-25%. It's quite possible the Tier 2s may end up being 80-90% of all your applications now because they're all using agents.

To Mark's point, I don't think agent adoption is going to go backwards. Agents are coming down the tracks. You're going to have to deal with it as a company because agents are not going away.

Your other choice is to not manage them, not assign ownership, leave them orphaned and therefore not certified and not governed. We'd all agree this is a really bad idea.

The under-appreciated shift to managing every app

Cole Grolmus: Let's go to the topic of integrations — or in SailPoint terms, accelerated application management. This is a major product strategy shift, which I believe is underappreciated. 

Some historical context: SailPoint has historically focused on helping customers manage regulated and high-risk applications. That’s an important slice, but still only a slice of the application portfolio. 

With Savvy and accelerated application management, we're headed towards a place where customers can manage every app at some degree of depth.

Tell me more about the shift from your point of view.

Matt Mills: It's hugely underappreciated. One of the biggest challenges we have is that identity governance has gone from a back-office solution stuck somewhere down in IT operations to showing up front and center on the threat vector. Especially over the last five years, it turns out identity is the path where 80-90% of all these breaches are actually occurring. We've got to think about this differently.

We always get criticized because "these guys are only governing 10-15%, like 100 applications out of 5,000." Nobody's doing anything with the other 4,900. That's why we went out and acquired Savvy. 

I think of Savvy as a bit of posture management. It's the discovery component saying, "I'm going to go out and not only identify the applications, but keep the pulse on them — ones coming in, ones going out, and changes to them."

When you start looking at the complexity of what we're trying to solve in Tier 2 and Tier 3 apps, this is where we get a little high and mighty. Our competitors say they can do this, but they don't have the depth. 

We always say they don't have the ability to handle this complexity, and people say, "Well, what's the complexity?"

You've got thousands of identities: humans, machines, services. You've got millions of access relationships. You've got roles, groups, permissions. All of this adds complexity, especially in a large company. 

We'll go down to 30 or 40 levels deep of nested entitlements. That's not abnormal for our world. We go over 250 levels deep sometimes. 

People hear that and they're like, "That's got to be one in a million." It's not. There's a lot of complexity out there. If you don't have those levels of capability to handle the complexity in a Tier 3 fully governed auto-provisioning environment, you have no hope.

I've said this a hundred times to analysts: people can't handle the complexity that we handle. That's why we do well in the 5,000+ employee segment. Nobody there says, "Explain the complexity." They just don't. 

If somebody says, "Well, it's because of your fine-grained entitlements" — of course, but nobody wants to get under the hood because if they did, they'd really start to understand the differentiation between us and the others.

You'll hear Mark try to be humble about the Veza (ServiceNow), Zilla (CyberArk), even Okta (Identity Governance) that say, "We're coming up to enterprise." They’re really not. It's going to take more than just newer technology or newer architecture. I'm not suggesting there's not a place for them. There is. It's just not up here. Not today. Maybe down the road.

One of our customers has 50 million entitlements. My reaction when I heard that was somebody ought to get fired over there. But then we find out we've got a bunch of customers out there with 10, 20, and 30 million entitlements. It's just a fact of life in enterprises. We can sit here and debate if that's smart or not, but it's there.

This is where we get a little indignant when you've got 200+ companies out there today saying, "We do identity security." If you go to the Gartner event, if there are 200 vendor suites, they all say identity security on them. "We do identity security. We do agent security."

Maybe there are cursory-level things they can do. But to secure an agent, you've got to secure the data. You've got to take identity context, tie it with the data, and drive it into the entitlement level all the way down. It gets pretty hard.

Competitive dynamics

Cole Grolmus: Give me some thoughts on the competitive dynamics in the identity market today. Obviously there's been a lot of market activity, probably in some ways starting with SailPoint going private a few years ago. Even if you look at the last few months, it was one of the most interesting periods in the history of the identity market.

You've got a billion-dollar acquisition with ServiceNow and Veza, Saviynt raising $700 million, Palo Alto Networks closing the acquisition of CyberArk…plus all of the major product announcements and earlier stage startups raising capital. 

What are your thoughts on the competitive landscape as it stands in 2026?

Matt Mills: We're all competitive, and I think it's in our nature. If you've ever heard Mark, he talks about being humble, hungry, and proud. We try to stay humble. It's not our nature to sling mud.

When I look at this market, I segment it between what I'll call the broader market (3,000-4,000 employees and under) and the enterprise. That broader space is really noisy. That's where everybody is at. You've got Zilla, Veza, Lumos, Oasis, and others. That's where Okta lives. That's where a lot of Microsoft Entra’s customers are, too. 

They bang heads down there. We're not down there much. We've done a good job of understanding where we're differentiated and trying to stay there. 

When you look at the progress we've made over the last number of years, we now own 50% of the Fortune 500 and 26-27% of the Global 2000. We live off this thing we call our target account list. We've got a bunch of companies we've done our first line of qualifying on. They look like SailPoint customers, and we've only converted about 15% of those so far. We've got a ton of runway ahead of us.

I fight this battle all the time about people wanting to go down-market. Over time, that happens naturally. Gravity gets a hold of your company. If you don't stay up and stay relevant and continue to innovate, you get sucked into it.

Down-market is competitive, noisy, with less sophisticated buyers. When everybody says they do everything, I think it's a terrible place to be if you're trying to buy something because it's really confusing.

When you get up into the market where we really live, it's not that noisy. We see Saviynt the most. They show up everywhere because nobody wants to run a process with a single source. They want to see multiple players.

We'll get the occasional deal where somebody on the board says, "We own Microsoft, why aren't we using those guys?," and we'll get into a little bake-off with them. It doesn't really end well for them because they can't execute with the level of complexity that we can.

When we stay in our 5,000+ employee segment, we win 82-83% of the time. We have a rigorous methodology and good products that solve the problems and handle the complexity.

We'll lose some to Saviynt, to be fair. They're pretty good marketers. They realize our goal is to get high and get strategic. Their goal is the battle down in the trenches. In the trenches they can say, "I can make this do whatever you want to do." It's literally a bespoke solution — they say it's not, but that's what it is.

Time and time again, I'll read our win-loss reports and they'll say, "Oh, we lost on price." I'm like, we didn't lose on price. We lost because we ran a subpar sales campaign and got sucked into their methodology. It'll happen on occasion with Okta where somebody maybe hasn't gotten the value out of our stuff.

We just did a deal with a large enterprise customer. On an investor call, they said they heard about several big companies, including that one, who are now Okta customers. We responded and said, “We just did a deal with them. Where does this come from?” 

Okta actually does their access management, but not identity governance. If I was sitting here trying to make sense of it, they probably threw in all their other stuff in the renewal. That happens quite a bit.

What many of our competitors are continuing to do is salt the renewal with other products to keep it from going negative. They can say "hey, we just did a pretty big deal with this product" even if it’s not being used.

We compete and get challenged every day by competitors. There are things they do well. But when you look at things holistically, we continue to beat them pretty handsomely.

Cole Grolmus: A couple quick things to tidy up that thought:

First, I'd bet your ideal accounts that aren’t SailPoint customers yet are probably running legacy identity systems, right? Most of them aren’t using your current competitors. They're using Oracle, IBM, or something really old. 

That's a completely different animal from a competition standpoint. It’s not like you’ve lost those accounts — it’s that nobody has won them yet.

Also, the entitlement depth and variety of connectors is a major factor that gets an aspiring competitor out of the downmarket group and into SailPoint’s enterprise-level group. 

That's why there isn't much competition at the enterprise level. It's way different to manage a bunch of cloud apps than it is to manage my gnarly mainframe.

Matt Mills: 100%. That's something Mark always goes to. You're not going to find a Fortune 100 company that doesn't have a bunch of 40-year-old IBM stuff in it. It's not a cloud app. It's something far more sophisticated to build a connector for and manage and govern.

There's way more of that out there than you would ever imagine. There are still tens of millions of lines of COBOL. 

Believe it or not, I was an old COBOL programmer. When I hear that, it makes me smile because I potentially could have another gig in semi-retirement.

Cole Grolmus: If AI doesn't take your job first. I haven't tried writing any COBOL with Claude Code yet, so your semi-retirement gig might be safe!

This is the moment SailPoint is entering right now.

They've made it to nearly a billion dollars of ARR by managing and governing human identities over the course of 20 years. A nice business, for sure — but only a fraction of what's coming next.

It’s not a “legacy” company. It’s a company that has been patiently preparing for its time to come.

Authorization is about to have a moment. Nobody is in a better position for that than SailPoint.

Let me tell you why.

Authentication is important...but not sufficient

Something I have always found baffling is our industry's fixation on authentication.

There is a perception, especially outside the identity-deep parts of the industry, that SSO and MFA are identity security.

You authenticate, and you're good to go. Security is handled. Simple.

My quick summary of this point of view is oversimplified, of course — but you know what I mean if you've been working in or around enterprise identity programs long enough.

We've worried about authentication for a long time — making it simple and easy for people to log in to apps they need to use. We're still chipping away at other authentication-related things like MFA and passkeys.

That's all great stuff. I've written plenty about this topic.

Authentication is an important first step. But it's not the whole picture.

I don't have to tell you how important identity has become to security. 'Identity is the new perimeter.' 'Attackers aren't breaking in, they're logging in.' All of that. The case has already been made ad nauseam.

The finer point here is what it means to do something about it.

What happens after the credentials you use for authentication are compromised?

Authorization becomes a whole lot more important.

SailPoint CEO Mark McClain uses a physical security analogy that captures this well:

"Go into a New York skyscraper. You check in at the bottom floor, show your license to a security guard. Once you go past that security guard, you're authenticated. You're in the building, which is like logging in. The security guard loses track of you. He doesn't know where you go in the building, what floor you're on, what room you're trying to get into."

That's the difference between authentication and authorization. Authentication gets you into the building. Authorization determines where you can actually go and what you can do once you're inside.

Authorization is where everyone's mind is shifting — from who you are to what you can do. The 'what you can do' part is so, so important.

Here's something you can only learn from hard-won cybersecurity experience, though: managing authorization is really hard.

Managing thousands of identities is a nightmare already. The challenge gets exponentially more difficult when you do the math on how many entitlements every identity has.

The numbers I saw recently from SailPoint were staggering. I intuitively knew they managed a lot of entitlements, but I didn't realize they were at this scale across their customer base:

• 125 million identities in production
• 5 billion entitlements under management
• 35 billion SaaS account changes processed (last twelve months)

And it's going to get even harder when more than just people trying to access apps and data. Wait until it's also a bunch of non-human identities and AI agents trying to access that data, too.

It doesn't really matter if you believe agents are going to be a big deal or not. Things are difficult enough with just the regular threats we're facing.

Authorization is going to matter a lot more with or without AI agents.

That doesn't mean give up on authentication. It means we need to keep working on authentication while doubling down on authorization.

Next, let's get into a few more of the nuances with authorization and why I think this opportunity is so significant for SailPoint.

Breadth: more apps, more entitlements

Fundamentally, SailPoint manages access to apps and infrastructure — which identities get access, and what they can do once they're in there.

There's an important philosophical detail inside of this: for SailPoint's entire existence, its customers have mostly focused on managing static permissions to business applications that matter for regulatory compliance.

The implication is the time, focus, and investment on deploying SailPoint gets directed towards applications that are critical to either compliance, business operations, or both.

There's a long tail of other applications that don't get touched. Implementations historically run out of time, money, and patience by this point.

The shift that's been happening recently is the transition of IGA (broadly) and SailPoint (specifically) from being compliance-driven to being security-driven.¹

Because attacks have shifted so dramatically towards credentials, we've hit a point where visibility into all of the applications, identities, and entitlements across an organization is a must. We can't avoid this anymore.

The highly regulated app isn't always the one that gets compromised. The random SaaS app (which IT may not even know about) that has a random credential breach is just as likely. Those credentials get stolen and used to log into other high-profile systems. You know how the rest of the story goes.

This is why the collective mindset is changing. It's not just a handful of critical systems we need to tightly control. We need deep controls over the entire application portfolio with much more dynamic and granular management of authorization.

Having better coverage of the entire portfolio means you have a better understanding of the access the user has, what the risk might be, and what actions need to be taken if there's a compromise.

Let's talk about the depth part next.

Depth: not all connectivity is the same

Here's the other thing they don't tell you about integrating applications with identity platforms: not all connectivity is the same.

There's lightweight connectivity, and then there's real, in-depth connectivity. One "integration" might be worlds apart from another in terms of features and sophistication.

I've integrated thousands of different applications and...let me tell you: they come in all different shapes and sizes.

Why? Authorization and entitlements are a very slippery concept from a technical standpoint. They're difficult to integrate with because apps make it difficult.

The potential variations of how apps implement authorization are endless:

• Entitlements in APIs with varying levels of detail
• SCIM endpoints that expose some attributes but not others
• Active Directory groups that map to application permissions
• Custom authorization tables buried in proprietary databases
• Role-based access control models with nested hierarchies
• Attribute-based policies that require context to evaluate
• Mainframe security systems that predate modern standards

It's not even the variety of authorization models alone that makes this tricky — it's literally the representation of what an entitlement really is.

If you're lucky, you get details about the entitlements represented as data or fields in a database, so you have data to pull and tell what they are.

Other times, the entitlement-level details are obfuscated. You may have information about the application roles in the database, but the detailed entitlements are written in the code.

Worst case, authorization is entirely written in code, and none of it's available in the database or an API. You have limited visibility and limited ability to manage authorization.

Miraculously, SailPoint has been able to address a lot of this chaos. They wouldn't claim to have it all covered (and you shouldn't believe anyone who does).

SailPoint has been in the business of managing authorization longer than anybody. They've seen every variation you could imagine of the variety and complexity I just described.

Historically, SailPoint was selective about what level of integration they were willing to natively provide (largely based on what an application was capable of).

Their preference is very deep integration that allows customers to manage the full identity lifecycle (down to the entitlement level) and access reviews. In other words, the full treatment an enterprise IGA platform is capable of giving.

SailPoint's mindset is evolving, though. They're now taking a three-tier approach to application integration:

• Tier 1: Basic visibility – Discover all applications across the environment, even shadow IT
• Tier 2: Quick compliance connectors – Lightweight integrations for basic provisioning and access reviews
• Tier 3: Deep governance connectors – Full lifecycle management with entitlement-level control, business logic embedded in the integration, and rich context from logs and usage analytics

The combination of SailPoint's existing deep governance connectors, the progress they've made on their Atlas (SaaS) platform, and the Savvy acquisition (which brought broad, quick app discovery capabilities) has them on the path to covering the full spectrum of apps, from breadth to depth.

Authorization is always going to be difficult. What matters here is that SailPoint already manages more authorization than anybody. Now, they have the breadth of integration capabilities to handle more.

Here's the gotcha, though: everything we've talked about so far only describes the past and current state of authorization.

When you factor in persistent identity-related threats and more productive use cases like AI agents, the needs and capabilities customers require from identity platforms start to go way beyond what we've been talking about here.

These future needs are a big part of SailPoint's opportunity. Let me tell you about that next.

Beyond today's identity challenges

Once you've climbed the mountain of integrating all of your applications and deepening the level of integration you have with them, you're only at the starting line for the brave new world we're entering.

What matters next is what you do to secure all the identities and entitlements your identity platform now knows about.

To be clear, what we're about to talk about here is beyond what most enterprises have implemented, SailPoint customers or not.

But many of the specific features are already here, and they're going to become more relevant quickly.

1. Privileged access, redefined

SailPoint has a well-grounded and insightful point of view about its role in managing privileged access: the definition of privileged access is moving from developer and engineering-focused admin access to a broader realization that many other kinds of users' access is privileged, at least some of the time.

This could be access like:

• Admin access to a non-regulated application
• Business-critical access within a regulated application
• HR, payroll, and benefits access
• New vendor creation in the ERP accounts payable module
• Treasury access within the banking application
• Customer data access in the CRM

Historically, a challenging part for enterprise identity programs has been the separation of privileged access management and identity governance. It isn't as easy as it should be to identify, request, or manage privileged entitlements.

SailPoint's platform already manages a lot of privileged entitlements. The part that was missing was simply the classification of whether an entitlement was privileged or not.

Some implementations took care of this on their own through relatively trivial things like noting access as privileged in the description of an entitlement that would show up when a user was requesting that access. That's not really a feature though — it's more like a workaround.

Where we're heading (and what SailPoint announced at their Navigate conference) is that privileged access is going to have a specific meaning within SailPoint going forward.

This means being able to classify entitlements as privileged, formally request and review them, and all kinds of other details. Bigger picture, the strategy is helping to bring a paradigm that was already happening into reality.

2. Just-in-time access and the end of static privileges

SailPoint now believes static privilege is dead. Color me surprised. I never thought I'd hear a well-known identity company utter these words.

They're, right though — and credit to them for being brave enough to say it.

The typical workflow is for authorization to be given in advance and stay there. That's what "static privilege" means. The process goes something like this...

When a person starts working at a company, they're granted access to several applications based on other people similar to their job function.

Any access that's not granted right away is requested later as needed. An access request gets made, reviewed, approved or denied, and (if approved), provisioned — which sometimes takes a few days because managers have to approve.

The just-in-time access model flips this. It's our industry's solution to eliminating standing privileges.

Access is granted dynamically, right when it's needed, then revoked immediately after. No one has standing access sitting around indefinitely, which lowers the risk of access being exploited if an identity is compromised.

3. Adaptive identity

The most exciting (and, empathetically, most ambitious – but hear me out) direction we're being pulled towards is adaptive identity.

The nature of the identity lifecycle has traditionally been asynchronous:

• "We'll set your access up within a day or two."
• "We'll eventually disable your access if you leave."
• "Let's validate access is correct quarterly or annually."

A lot of this work was manual or semi-manual. SailPoint has already helped make processes more automated and efficient, especially for enterprise customers who do all of this at scale.

Things are about to move a lot faster, though.

We're heading for a world where waiting days to get access and reviewing it once a year is borderline ridiculous. We need to have much more real-time understanding of the environment.

Mark McClain explains the shift this way:

"On the positive side, you want to have identities that are very responsive and rapid so that you can quickly do things that you want to do and do them safely. On the other side, you want to just as quickly take away things or stop them or block them if they appear to be problems or anomalous or dangerous."

That's the core concept behind adaptive identity: very rapid and dynamic changes are happening with identities all the time. You can't declare an identity "secure" or access "approved" at one point in time and expect it to stay that way.

Instead, authorization decisions need to be made at runtime (when the authorization needs to be used) with context about why the access is needed and what the status of the identity is at the time. It goes from being a one-time decision to a continuous set of decisions.

If access is truly granted and revoked between uses, it means that the volume of provisioning and deprovisioning actions customers need SailPoint to manage is going to go up exponentially.

Are we really ready for this?!

Mark McClain's take on this is both nuanced and practical. He told me he's never seen a situation where customers have their foot on both the gas and the brake at the same time:

"They're trying to press the gas and go faster. 'We've got to adopt these new technologies. They're going to change everything. It's going to make us more effective, more efficient, competitive in our business.' And then the brake is just as heavy right now with people going, 'Whoa, whoa, whoa, this is risky. We don't understand it. We don't know what this is going to expose.'"

This tension is visible in the industry right now. There's a reason for it — especially with AI agents.

If you've used any of the really powerful agents, you know how they pull you into putting your foot on the gas. There's this different level of inertia you're not used to with a regular app.

They're innocent and they're addicting. They want you to do more. And their sole purpose in life is to complete work on your behalf. That's the part that makes you want to get on the gas.

But the flip side is that even the best agents go off the rails once in a while. Whenever that happens, you quickly get pulled back into reality and realize why we need guardrails on them.

SailPoint was early to market with its Agent Identity Security solution and first among the major identity companies to hit general availability. There’s even more to come, though.

This tension between wanting to move fast and not quite trusting new technology like AI yet is exactly where privileged access, just-in-time access, and adaptive identity become critical.

We may have no other choice, even if we don't feel ready yet.

Welcome to the authorization era

Authorization was always going to matter eventually. The question was when and who would be ready when the time came.

The 'when' is now.

Credential-based attacks have made it impossible to ignore what happens after authentication. AI agents are creating pressure from business and engineering counterparts to enable rapid access while maintaining control.

The old model of annual access reviews and static privileges isn't going to cut it.

The shift from compliance-driven to security-driven identity governance is happening. The shift from static privileges to adaptive authorization is coming. The shift from annual reviews to real-time decision-making is inevitable.

The 'who' is SailPoint.

Head starts matter in this business.

Customer trust at enterprise scale can't be manufactured overnight. Integration depth takes years to build. The data estate they already manage (those 5 billion entitlements) is a level of data gravity that's hard to replicate.

They've been patiently building this moat for two decades while authentication got all the attention and funding.

Authorization is about to have its moment. SailPoint has been waiting for this all along.

Footnotes

¹Compliance is always going to matter, of course. The imminent demise of access reviews, flawed or not, is greatly overstated. We're still going to be doing access reviews when I retire.

Varonis had a near miss on its Q3'25 earnings guidance and lowered revenue guidance for the full fiscal year. The result was placed squarely on the shoulders of their on-premise subscription business.

Many people will call it a stumble. I see it differently. It’s the start of a sprint towards the future.

They took this opportunity to formally announce what we've all known for a while: they're ending support for their on-premise product and only supporting the SaaS platform moving forward.

This is no surprise. They've been alluding to it all year. The only major change here was that they made the decision a formality and put a specific date on it.

I expect this was earlier than they planned or wanted to make this announcement (and several other hard decisions). Sometimes you choose the timing, and sometimes the timing chooses you.

When you rip the band-aid off, it hurts for a minute. It hurt when I was a kid. It hurts my kid now. Honestly, it still hurts me today even though I’m better at hiding the pain.

The thing you learn about ripping band-aids off as an adult is that the anticipation is worse than the burn you feel after taking it off. That's where we're at right now with this earnings report and SaaS transition.

A near miss on revenue and conservative guidance should not overshadow what is clearly the correct strategic decision for Varonis moving forward. It’s the right call for them to end support for their on-premise products and be 100% all-in on SaaS.

That's the part I want to dig into more — both why it's the right decision now and what it means for the future of Varonis.

SaaS transitions in cybersecurity

The cybersecurity industry has enough SaaS transition battle scars to see the pattern. The common thread: lengthy timelines, customer friction, and compressed margins.

Public markets don't have patience for this. Many cybersecurity companies have needed private equity air cover to finish the job.

Varonis's SaaS transition has been remarkably pain-free until this quarter. Their conversions have gone both quickly and smoothly from a metrics standpoint. They're two years ahead of their original schedule and have technically completed the SaaS transition, at least by the percentage of revenue marker they set at the beginning.

The part that makes Varonis's SaaS transition different is also one of their biggest strategic differentiators moving forward.

They’re going to finish the job and go all-in on SaaS.

No legacy products hanging around. No “we’ll let customers migrate at their own pace.” Just a clear declaration of 100% cutover by the end of next year.

The nuance and context behind this decision matters a lot here. It's worth explaining in detail why Varonis's strategy makes their SaaS transition different from others.

It's also the reason why they had to make the hard but necessary decision to announce the end of their on-premise product during this earnings report.

Accountability at scale

Varonis takes accountability for customer outcomes in a way I have rarely seen in cybersecurity, especially for a product-focused company.

Growing up on the services side of the industry at PwC, I'm very familiar with what it means to take deep accountability for customers (and have the scars to prove it).

In a services engagement, especially the long-term transformational programs that I did, client outcomes become your life. It's all-consuming in a way that's very hard to describe unless you've been there.

You wake up in the morning and go to sleep at night consumed by the massive problems you're trying to solve. You put most of your mental energy toward inching closer to the goal every single day.

Care doesn't scale, though. This mode of operation can only handle one or two clients at any given time.

The nature of services demands a different level of accountability than what most clients or industry professionals would typically expect of a product-focused company.

Product companies aren't irresponsible. They operate on a different accountability spectrum.

At one end: ship software, provide documentation, offer support tickets. At the other: own outcomes end-to-end, automate fixes, guarantee results.

Most cybersecurity product companies cluster in the first third of the range because deeper accountability hasn't historically scaled — or at least, it hasn't until now.

Varonis is betting they can move the median.

Something I have grown to admire about Varonis is the extraordinary level of ownership and accountability they aspire to take as a product company. Their find, fix, alert mantra is all-encompassing and all-consuming in a way that's rare to see in the industry.

They literally aspire for a world where their customers barely have to lift a finger to protect their data.

It's remarkable to even make or assert a statement like that in the first place (and actually mean it).

Most cybersecurity companies won't go that far. It's a completely next-level thing to actually be far down the path of doing it, but there is a ton of substance and evidence of execution that shows how Varonis is bringing their vision closer to reality.

More tactically, for Varonis and the data security market at large, that means a few things.

Finding and classifying data is table stakes.

That's the easy part, at least in theory. It's surprisingly not though, especially when you get into the larger enterprise customer segment who has a significant amount of sensitive data both on-premise and spread across multiple cloud providers, data stores, and SaaS applications.

For this kind of customer, the ideal customer profile for a data security platform, just finding cloud data isn't good enough. You have to be able to find and classify their data across every data store imaginable, including the old gnarly on-premise ones that most startups don't want to touch.

Varonis has exhaustively done this, maybe in some ways to their own detriment. They built, enhanced, and supported on-premise data stores for a long time because that's what matters to their customers. By their own admission, they were later than they should have been to the cloud, but they've caught up quickly with the SaaS product.

Basic data security posture management products aren't at a point where they're able to be accountable for even discovering and classifying every piece of data. Focusing on cloud data stores is a nice start, but enterprise CISOs need everything. Even that old filer over there. You know, the one with a bunch of credit cards sitting on it.

Things really start to get difficult when you try fixing problems.

For an enterprise security leader, there is a massive difference between finding data security issues and opening tickets for them versus automatically fixing the issues without intervention.

Tickets may work for smaller organizations with less data and modern tech stacks, but this approach to fixing does not scale at enterprise level.

If Varonis hadn't taken deep accountability for fixing the data security issues they find, they would have been at risk of going the way of the vulnerability management companies, who notoriously found vulnerabilities and left the patching and remediation to somebody else.

The fixing for Varonis goes beyond the traditional data security domain when necessary. To me, this is strategic, not overreaching.

One example: if the reason data is exposed is because of an identity-related permissions issue, Varonis believes it is their responsibility to fix the issue. The easy route would be to hand this off through a ticket or to another identity product and say "this is not my problem."

Varonis continues to double down on owning more and more of the accountability for fixing data security problems they identify, regardless of which domain the fix is in.

A more recent extension of accountability is through services.

Varonis's Managed Data Detection and Response (MDDR) service offering was a surprise to me, mainly because it is so rare for cybersecurity product companies to willfully operate a managed services business themselves. Historically, an overwhelming majority of companies outsource this to managed services partners.

I'll admit that I was a bit skeptical of this offering when Varonis first announced it, but in hindsight, this tracks with the overall accountability theme.

I don't think Varonis really cared what the financial profile of the services business was. They just felt like it was the best thing for their customers, so they did it.

The offering has performed amazingly well by almost any account (and certainly exceeded my expectations.)

I think this could even be a model for other product companies in the future. It sounds trite, but this is a tangible example of delivering outcomes, not just products. The product (the SaaS product, in particular) is certainly an enabler of the outcome, but (at least for now) you need people too.

Hard strategic decisions

Hard strategic decisions are the cost of accountability at scale.

Without strategic context, I can see how announcements like we heard yesterday seem jarring. It feels like an extreme and binary decision to end support for a product that carried the company for 20 years (and risk churning customers who aren't along for the ride).

I think the aha moment for Varonis was acknowledging how much they want to be accountable for customer outcomes, then laying the groundwork across many tactical decisions to make it happen.

This buildup has been happening for years. It just feels more real now.

Ending support for the on-premise product and going all-in on SaaS isn't about cutting costs — it's about closing the delta between the level of accountability they can take on-premise versus what can do now (and going forward) with the SaaS product.

The choice is obvious.

Varonis made it far enough in their SaaS transition to build conviction and make this call now.

Long after the drama from the earnings report cycles through the news and the stock volatility settles, it will be clear this was the right move.

The band-aid is off. The anticipation was worse than the sting. That short-term sting clears the path for what matters: accountability at scale.

Netskope just became the second cybersecurity-related IPO of 2025. The company filed its S-1 on August 22, 2025 and went public 27 days later at a $7.26 billion offering valuation.

The journey of Netskope is a remarkable one. The company was founded in 2012, raised $1.44 billion in capital, and played a defining role in shaping the market category we know as Secure Access Service Edge (SASE) today.

For Netskope, going public represents both a significant milestone and an inflection point that could alter the trajectory of the company for better or worse. Their performance over the next few quarters will set the tone going forward, as will their ability to execute and capture market share in AI Security.

Inside this analysis, you’ll find:

• The story of Netskope’s history and evolution, from its origins as a CASB pioneer to a broad SASE platform
• An assessment of Netskope’s technical capabilities across SASE, DLP, and AI Security
• Netskope’s AI strategy, future vision, and potential competitive advantages
• A financial analysis based on Netskope’s S-1 filing and evaluation of the company’s valuation metrics
• Netskope’s business strategy and competitive landscape
• A summary thesis, including the bull and bear cases for Netskope’s next chapter as a public company

Use this report to understand the evolution of Netskope’s business, its product strategy, financial performance, competitive landscape, and path forward as a public company.

Company History and Evolution

Origins as CASB pioneer

The story of Netskope is closely aligned with the story of SaaS. Without the rise of the large enterprise SaaS applications, we wouldn’t be talking about a Netskope IPO.

Salesforce started gaining enterprise adoption in the early 2000s as an early pioneer of SaaS, but one (generally unregulated) application isn’t enough to set off alarms for security leaders.

Amazon AWS launched in 2006. Their primary business is IaaS/PaaS, not SaaS — but moving infrastructure workloads to the cloud was the hook enterprises needed to start getting comfortable with SaaS.

Several of our current SaaS juggernauts started reaching enterprise-grade scale and security by the late 2000s. Microsoft Office 365 started around that time, as did Google Workspace (formerly Google Apps and G Suite). Workday (HRMS) and ServiceNow (ITSM) also brought essential enterprise functions to the cloud.

Once you've got email, docs, spreadsheets, HR, and ITSM in the cloud, the enterprise floodgates are open. SaaS started to go mainstream for enterprises in the early 2010s. Collaboration joined the party — names like Box, Dropbox, Atlassian, collaboration apps (Yammer, HipChat, Skype Enterprise, Slack), and dozens more.

Enter Netskope. The company was founded in 2012 as one of the defining Cloud Access Security Brokers (CASB) on a mission to secure SaaS apps. Network security was very different in 2012. Firewalls and VPNs were the way enterprises secured their perimeters. B2B SaaS effectively broke the architecture when cloud-first started becoming the default option for CIOs.

CISOs needed an answer for widespread SaaS adoption as core business processes and sensitive data moved out of the network and into the cloud. Netskope and CASB quickly became a major part of the solution for securing SaaS apps outside the network perimeter. Traditional Secure Web Gateways (SWG) weren’t enough (and were designed for broad traffic filtering, not deep integration and inspection for specific apps). Netskope became famous for its granular controls and data-centric visibility over a wide range of B2B SaaS applications.

The secure networking and cloud security markets moved quickly, though. The emerging CASB market Netskope helped pioneer started to converge with adjacent market segments. The race to the market we now know as Secure Access Service Edge (SASE) was on by the middle of the 2010s.

Netskope stepped up with world-class execution and financial backing to scale from its CASB roots to a multi-product platform. The company grew rapidly as SaaS became the default for new enterprise software purchases. Netskope disclosed 600% year-over-year revenue growth and 500% year-over-year customer growth in 2015, grew by 400% again by 2016, and followed it up by tripling revenue the following year. Unsurprisingly, they were a unicorn by 2018.

Their early financing rounds mirrored their growth, with $400.1 million raised across six rounds (Series A-F) between their founding date in 2012 and the end of the decade.

Transformation through market evolution

From a market perspective, buyer demand and analyst influence started driving the convergence of SWG, CASB, Zero Trust (ZTNA), SD-WAN, and NGFW. Gartner coined the term SASE in 2019 and put a name (and serious analyst clout) behind the market convergence that was already happening.

Nothing drives market change like a crisis, though — and the COVID-19 pandemic was exactly that. The rapid shift to remote work and acceleration of digital transformations pulled forward years of change into a short and intense period of time.

Combine a global pandemic with peak cybersecurity market hype for investors, and you’ve got the ingredients for IPO-level scale. Netskope was a promising company before the pandemic, but the early 2020s changed its trajectory forever.

Netskope entered the decade as a unicorn with $400.1 million in total financing. By the end of 2021, they had raised another $640 million of later-stage capital and reached a $7.5 billion valuation, one of ~15 privately held cybersecurity-related companies to reach a valuation of $5 billion or higher.

Add on a $401 million convertible note in 2023 to create some breathing room from 2021 venture round to…whenever the software IPO window opened again…and you get to a grand total of $1.44 billion in financing. That’s the third highest total ever by a cybersecurity-related company after Wiz and Lacework.

As they say, it is expensive to build important cybersecurity companies. Netskope is no exception.

To their credit, they executed. Netskope deployed their capital wisely and made a critical strategic choice: becoming a multi-product security platform instead of sticking to their core CASB market. This graphic from the S-1 is a nice visual summary of the timeline and evolution of their platform:

They expanded from CASB into SWG, ZTNA, and eventually a full SASE offering (and beyond). They also invested heavily in building their own global private network (NewEdge, not to be confused with the New Edge Labs acquisition) to support inline traffic steering and performance.

Netskope’s rapid platform expansion was driven by both organic product development and inorganic M&A. They’re one of the most low-key active acquirers in cybersecurity, with eight disclosed acquisitions (no price disclosures) and at least a couple more undisclosed deals:

Netskope could go down as one of the all-time greats for tuck-in M&A execution. Customers generally like their products, analysts consistently rate them highly in market maps, and (as the S-1 shows) they’ve performed relatively well financially. This trifecta is extraordinarily difficult to pull off.

Brand recognition challenges and market perception

Despite their rocketship growth (by pre-AI standards), valuation, capital raised, analyst rankings, and all of the other reasons companies make noise and get recognized, Netskope hasn’t yet become a household name like Wiz and a few other cybersecurity contemporaries.

Increasing awareness and brand recognition is such a big strategic priority for Netskope that co-founder and CEO Sanjay Beri has named it as a driver for going public multiple times. From the WSJ: “Our biggest focus is just awareness. We know if we get an at‑bat, in baseball terms, we have a great chance of getting on base and doing well, so when I look at going public, for me, it’s an awareness event.”

That may seem like a bizarre strategy, but you need all the brand recognition you can get when you’re directly competing against the likes of Palo Alto Networks, Fortinet, Check Point, Zscaler, and other well-known companies.

Industry analysts know and recognize them, which is a good place to start. They’re consistently recognized as a leader in various market reports by Gartner, Forrester, and IDC. Strong analyst ratings are helpful, but not sufficient, for building a successful cybersecurity company at scale.

Most cybersecurity leaders are familiar with Netskope, but familiarity doesn’t always translate to pipeline and growth. For some, Netskope is the CASB company that raised a bunch of money and fell off the radar during the economic downturn.

That’s not true, of course. Netskope is going to be one of the first ZIRP-era companies who made it through to the other side. Perception can take time to catch up with reality, though — especially in a noisy cybersecurity market where buyers are tired of hearing about Zero Trust.

Combine all of this with an outsized international customer base, and you can see why brand recognition and perception are an ongoing thing Netskope has to keep working on.

Technology and Product Analysis

Netskope is increasingly positioning itself not just as a SSE leader but as a full SASE platform. While its reputation was built on best-in-class cloud security controls such as CASB, SWG, and ZTNA, Netskope has steadily expanded its portfolio to include networking capabilities like FWaaS in 2021 and SD-WAN in 2022.

By integrating these networking and security layers into a single cloud-native fabric, Netskope delivers on the original Gartner vision of SASE, being a leader in Gartner® Magic Quadrant™ for SASE Platforms in 2024 and 2025. It is a converged platform that ensures users can securely and efficiently connect to applications, data, and services from anywhere.

The market opportunity is significant. Netskope believes its unified solution addresses a large TAM that is projected to reach $138.9 billion by 2028, growing at a 16.8% CAGR from 2024 to 2028.

The graphic below (from the S-1) shows a comprehensive overview on the Netskope One Platform, a cloud-native, converged security and networking platform that delivers a single stack rather than a patchwork of point tools.

Rather than building separate AI Security tools, Netskope has intentionally made AI and Data its two key pillars in its entire NewEdge Network, attempting to weave these ideologies into all its products. This image showcases how Netskope brings together DSPM and context-aware DLP capabilities together across its entire stack to mitigate data risks and ensure compliance.

Below is a deeper analysis on the core SASE platform as well as how Netskope is leveraging its SSE infrastructure to wedge into AI and Data Security.

Core Netskope One SSE Products

CASB: Netskope’s CASB delivers comprehensive and adaptive visibility and security controls for cloud and SaaS. Part of their CASB operates out-of-band, connecting to SaaS platforms through API integrations to monitor activity and enforce policies instead of requiring all traffic to be routed for inspection.

It provides access control, threat protection, and data protection across sanctioned and unsanctioned apps. The CASB combines out-of-band capabilities such as data and threat detection, SaaS app inventory, remediation, and event log analysis with real-time preventive enforcement for both human and non-human entities. This dual inline and out-of-band approach gives enterprises visibility into SaaS data at rest through APIs, while also enforcing inline controls on live traffic.

Netskope is the industry’s first Gen AI powered CASB, which is intended to expedite and automate the process of risk categorization for new SaaS applications. In addition, security teams can leverage self-serve risk categorization for novel SaaS applications and can use natural language queries for detailed LLM-driven risk insights of SaaS applications.

At the same time, Netskope prides itself on having a strong DLP integration, providing a high degree of data protection and compliance across all apps and users. The solution uses AI, ML, deep learning, Natural Language Processing (NLP), Convolutional Neural Networks (CNN), and trainable ML to proactively identify and protect critical data. Netskope One CASB delivers this protection using a catalog of over 3,000 data classifiers and 1,800 file types.

Compared to competitors such as Zscaler, Netskope has historically been stronger on DLP integration and granular data controls within CASB. Zscaler, by contrast, emphasizes scale, performance, and ecosystem reach, leveraging its Zero Trust Exchange to inspect all SSL and internet traffic globally with proven throughput and speed.

SWG: Netskope’s SWG is positioned as the foundation of SSE for inline web and SaaS security. It provides real-time traffic inspection, URL categorization, malware detection, SSL/TLS decryption, and deep content inspection, with threat defenses delivered consistently across all controls, including sandboxing and AI/ML-based malware detection. Unlike traditional web proxies that primarily focus on URL filtering, Netskope’s SWG decodes SaaS applications, analyzes content and context, and applies adaptive access policies. It also extends protections to cover non-web traffic, risky websites, and unmanaged remote access, consolidating functionality that previously required multiple tools.

Netskope’s SWG uses ML models for URL categorization, analyzing not just domains but page content, metadata, and visual elements to more accurately classify sites beyond traditional URL filtering. The SWG also leverages AI/ML for threat detection and anomaly detection, with models trained on cloud-scale traffic patterns to identify suspicious behaviors and cloud-enabled threats. Netskope documentation notes that SkopeAI includes behavioral anomaly detection and other adaptive learning techniques, which allow the platform to flag and respond to emerging attack vectors more effectively than static signature approaches.

While this enables the SWG to detect both known and previously unseen threats in real time, the company’s capabilities are more so an evolution of machine-learning–based classification and detection rather than as novel generative AI. Combined with its deep DLP integration and single-pass inspection architecture, Netskope’s SWG acts as a more context- and data-aware enforcement point than traditional web proxies, though independent validation of its AI advantages over competitors remains limited.

While Netskope’s SWG is formidable, Zscaler pioneered the large-scale, cloud-delivered SWG and still dominates in terms of customer base and deployment scale. Zscaler’s SWG is proven at very high throughputs and global volumes. Netskope differentiates itself with its single-pass architecture, AI-driven inspection engines, tight DLP integration, and performance SLAs tied to the NewEdge network. In fact, performance testing Netskope conducted in May 2025 demonstrated a lower latency for connections to its NewEdge network in leading cities globally than those of Palo Alto Networks and Zscaler.

However, Zscaler remains the “safe” choice for many enterprises due to its long-standing scale proof points, especially in handling massive SSL/TLS traffic. To overtake incumbents, Netskope must continue to prove that its AI-enhanced SWG can scale as reliably as Zscaler and other established players while maintaining the performance and visibility advantages promised by its architecture.

DLP: Netskope’s DLP is one of the strongest pillars of its SASE platform and sits at the heart of its “secure data everywhere” vision. Unlike point products that focus only on specific layers, Netskope extends DLP consistently across web, SaaS, IaaS, private applications, endpoints, and even email. By running through its NewEdge backbone, DLP policies are applied close to the user in real time, reducing the latency challenges that often plague intensive inspection. This convergence is intended to make DLP a unifying control plane, allowing enterprises to set a single policy for sensitive data and have it follow workloads seamlessly across all environments.

AI plays a central role in Netskope’s DLP architecture, but in a measured way. Machine learning classifiers, OCR for images and screenshots, and behavioral context enrich the platform’s ability to recognize sensitive content more accurately than traditional regex-based rules.

Netskope also extends DLP directly into generative AI workflows for monitoring prompts, preventing sensitive uploads into public models, and inspecting AI-generated outputs for inadvertent leakage. In practice, this means that employees cannot paste intellectual property into ChatGPT or accidentally exfiltrate regulated data through a Copilot response without Netskope detecting and enforcing policy. The company’s framing of this as “secure enablement of AI” reflects its intent to make AI safe to use in enterprise rather than simply blocking it altogether.

Where Netskope is most credible is in its multi-surface enforcement and unified policy fabric. Many API-only or SaaS-native DLP vendors can discover data risks after the fact, but Netskope’s inline presence means it can act immediately to block or redact risky transactions. The ability to apply the same DLP controls to SaaS traffic, private applications, and web browsing is a real differentiator, particularly for organizations that want consistent governance across hybrid work environments.

Enterprises also benefit from the operational simplicity of a single policy console and the global enforcement made possible by the NewEdge footprint.

That said, some of Netskope’s claims require context. The assertion of being the “most comprehensive and advanced cloud DLP” is ambitious given that competitors like Zscaler, Palo Alto, and Microsoft Purview offer equally broad capabilities, each with its own edge. Zscaler, for example, still leads in proven global scale and throughput for TLS/SSL inspection, which can be critical when AI data flows grow in size. Palo Alto Networks delivers deeper threat intelligence integration through Unit 42 and WildFire, something Netskope cannot match at the same breadth. Specialized data security vendors such as Varonis, Cyera, and BigID also offer exhaustive DSPM, data classification, and (primarily) out-of-band DLP for complex data estates, albeit without the dual inline and out-of-band prevention Netskope provides.

Another area to watch is how well Netskope can keep up with evolving AI risks. Current policies cover prompts, embeddings, and outputs, but threats like prompt injection, model inversion, and inference leakage are emerging quickly. Netskope’s AI is primarily machine-learning, data-driven classification rather than novel generative AI techniques.While effective today, it risks being perceived as “incremental” compared to newer AI-native players. Similarly, while the platform reduces false positives with ML, tuning remains a challenge for enterprises with highly diverse data, and blind spots may remain in legacy data stores or niche SaaS apps with weak APIs.

Looking forward, Netskope’s growth hinges on demonstrating that its AI-driven enforcement can scale as reliably as Zscaler’s and match Palo Alto Networks’ breadth of ecosystem integration. If it succeeds, Netskope is well-positioned to benefit from enterprises consolidating point products into unified SASE stacks, a trend analysts expect to accelerate as hybrid workforces and generative AI reshape network and data security priorities.

Netskope's AI Ambitions and Pillars

Netskope's three-pillar AI security framework includes:

• Data Protection: DLP, sensitive data monitoring, policy enforcement
• Threat Protection: Runtime security, supply chain protection
• Content Moderation: Filtering profanity, bias, harmful content (upcoming capability)

This represents far more than a tactical response to emerging AI risks. It's a calculated positioning for what the company envisions as the inevitable convergence of AI and enterprise infrastructure.

By anchoring data protection, threat protection, and content moderation within their existing SSE platform rather than building standalone AI security tools, Netskope is making a bet that AI will become so deeply embedded in business operations that separating "AI security" from "enterprise security" will become meaningless.

Their consolidated architecture positions them to enable enterprises to confidently embrace AI transformation at scale, transforming from a network security vendor into the foundational infrastructure that governs how organizations interact with artificial intelligence.

This isn't just about securing AI applications — it's about becoming the control plane through which all AI-human collaboration flows. If Netskope’s strategy works, they can position themselves as kingmakers in both security and determining which AI technologies enterprises can safely adopt.

Their strategic advantage lies in leveraging their existing customer relationships and nine years of API intelligence to create switching costs that would make it prohibitively expensive for enterprises to replace them. Netskope wants to embed their platform so deeply into the AI decision-making process that they become indispensable to digital transformation itself. In essence, while competitors are building point solutions for today's AI security problems, Netskope is architecting the nervous system for tomorrow's AI-native enterprise.

Architecture: How Netskope is leveraging its SSE infrastructure to wedge into AI Security

Netskope's approach to AI security builds upon their architectural leverage, using their decade-long investment in SASE infrastructure and deep packet inspection capabilities as a moat against pure-play AI security startups.

Their existing SSE platform already has a strong vantage point to monitor AI runtime behavior, intercepting every API call, JSON payload, and data exchange between users and AI applications in real-time. This positioning allows them to extend their DLP engines to understand not just what sensitive data is moving, but how it's being transformed and utilized within AI workflows.

If this strategy works, they can create a comprehensive view of AI supply chain risk that competitors would need years to replicate.

Netskope’s competitive advantage becomes particularly pronounced when examining their use case execution.

For user access security, Netskope doesn't need to build identity integrations from scratch because they already authenticate and authorize millions of users daily through their existing zero trust framework.

When protecting custom AI applications, their DLP on-demand service can instantly plug into any homegrown AI tool through APIs they've been perfecting for nearly a decade, while startups struggle to achieve enterprise-grade integration depth.

For data pipeline safeguarding, their DSPM capabilities naturally extend to protect training datasets and vector databases because they already understand data lineage and classification at scale.

Their strategic insight is recognizing that AI runtime protection and posture management aren't net-new security categories. They’re natural extensions of network security fundamentals.

While AI security startups are required to invest in building basic infrastructure capabilities, Netskope transforms existing customer deployments into AI security platforms through software updates, creating immediate time-to-value and eliminating the friction of new vendor evaluation cycles.

This architectural inheritance means they can focus their R&D entirely on AI-specific threat detection and response rather than rebuilding networking, identity, and data protection foundations.

Financial Analysis

If you want a comprehensive look into Netskope’s financials, CJ Gustafson has a full breakdown of the S1 over at Mostly Metrics. This part of the report includes the key points from CJ’s analysis in the context of Netskope’s broader strategy and market positioning.

Revenue scale and growth dynamics

Netskope’s ARR was $707M as of July 2025, growing at +33% YoY. Their TTM Revenue was $616M (as of July 2025, +31% YoY). This is real revenue they recognized, looking back over the last 12 months.

This makes them one of largest scale cybersecurity companies ever to go public, but we’re also in a period where investors value revenue scale. Netskope may have gone public years ago (with far less revenue) if the market hadn’t turned on subscale IPO candidates.

They have 4,300 customers, growing at +21% YoY. Their customer mix slants towards enterprise, with 30% of the Fortune 100 and 18% of the Global 2000. They’re not just selling to Series B CTOs. Their ICP is a public company CIO.

Netskope’s revenue scale and growth are all about large customers. They have 111 customers spending +$1M a year, representing 37% of total ARR and 32% YoY growth. There are also 1,372 customers with ARR +$100K, representing 86% of ARR and 29% YoY growth. One customer makes up ~3% of revenue.

41% of revenue comes from outside the U.S., which is unusually high for a security company still sub $1B in scale. Much of this is already routed through their global NewEdge infra — not just hyperscaler data centers. This suggests Netskope may actually be ahead of rivals in building a true global GTM. And it justifies infra spend more than initially assumed.

Netskope’s contracts are typically multi-year, priced per user, and sold top-down into large enterprises. This is a classic field sales motion, supercharged through the channel — not a PLG tool you swipe a credit card for.

Most deals are brokered by partners, not direct AEs (although reps still get paid handsomely to work with partners and usher deals over the finish line). It allows for global scale, and access to juicy multi national CIO budgets, but it distances Netskope from end-user feedback loops and pricing power.

Upsell is a big lever. Netskope’s products are modular, which means once they land with one or two services, there’s plenty of room to tack on more — like data loss prevention (DLP), zero trust access, or browser isolation.

They also charge more if you want traffic to run through their private NewEdge network — think of it like a fast lane on the highway…that you pay extra for.

Profitability roadmap and unit economics

Netskope lost $170M in the first half of FY26. That’s down from $223M the year before, which is progress, but still deep in the red.

The company managed $9M in positive operating cash flow for the first time ever right before the filed the S1. This could be real efficiency gains or some well-timed invoicing. Either way, they’ll need to prove it sticks.

Their headcount growth is keeping up with, and has historically outpaced, revenue growth. They’ve more than doubled staff over the last two years. They are very much a security company born in the 2010’s applying the field sales / cloud based / reseller / ENT SaaS playbook.

They will not be breaking any world records when it comes to “doing more with less people”. Their revenue per head is closer to Series C or D levels than that of a public company.

The path to sustained profitability travels through S&M. Looking at the last six month period, Sales and Marketing dropped from 60% of revenue to 45% YoY without a hit to growth. That’s a sign they’ve found some GTM efficiency, likely due to scale and channel leverage.

In absolute terms, Sales and Marketing costs only grew 7% year on year while GAAP revenue grew 31%. Total S&M dollars spent actually decreased when you compare the most recent 6 month period to that in the prior year.

Valuation framework and multiple analysis

Netskope last raised money in 2021 at a $7.5B valuation. They’ve pulled in $1.4B total from a deep bench of crossover names: ICONIQ, Lightspeed, Accel, Sequoia, and SoftBank.

They still had $261M in cash on the books as of July 31. So while some extra padding would be nice, this IPO wasn’t about plugging a hole. It was about giving those early investors a path to liquidity, and giving the sales team a new slide for the next QBR with [Big Bank XYZ] on it.

Netskope priced its IPO at $19.00 per share, bringing in $908.2 million in net proceeds at a $7.26 billion opening valuation. It’s fair to assume they wanted to clear that $7.5B mark. That said, a (roughly) flat round in public is still a win in this market. Especially if it buys you brand equity and a path to liquidity.

Companies that are burning money (as Netskope is) are valued using multiples of revenue, estimated to occur over the next twelve months, relative to their enterprise value.

For context, the median SaaS company is trading in the 5x forward revenue range.

Within the security sector more specifically, CheckPoint is clocking in at 6x, Fortinet at 8x, and SailPoint at 10x. Anything over 10x is historically considered a premium multiple reserved for the best companies. Palo Alto is trading at 12x, Zscaler at 15x, and and CrowdStrike, while not a direct comp, at 20x.

At 31% GAAP revenue growth, Netskope is at the high end of this range, but at the low to mid point in terms of absolute revenue as they are still sub $1B.

The biggest difference is all of these companies are profitable, or break even (Rubrik being the exception). If Netskope’s sales slow, it will make their cash burning profile even less attractive, and decrease their multiple accordingly.

Business Strategy, Competitive Landscape, and Benchmarking

Direct competitive assessment

Netskope's positioning relative to a strong set of (mostly public) competitors in the SASE market is one of the most interesting insights we get from having their financial data.

Revenue disclosures aren't perfect because SASE is just a business unit for a lot of these companies, so they don't have to disclose revenue (or any other metrics).

A few interesting data points from relevant company disclosures:

• Netskope itself disclosed $707M ARR growing at 35%. Customers include more than 30% of the Fortune 100 and 18% of the Global 2000.
• Palo Alto Networks just disclosed $1.3B SASE ARR growing at 35% YoY. They have over 6,300 SASE customers, including one-third of the Fortune 500.
• Fortinet disclosed $1.15B SASE ARR growing at 22% in its Q2'25 report. They're currently investing $2B to build their own SASE infrastructure (conceptually similar to Netskope's NewEdge network). They also made a bold prediction: "We do believe we'll be the #1 SASE player in the next few years."
• Zscaler disclosed $2.9B of total ARR in its Q3'25 report. Their product/BU revenue disclosures are hard to break out. Roughly assume most, but not all, of their ARR is from their core SSE/ZTNA business.
• HPE disclosed $1.16B of revenue (not ARR) for its Intelligent Edge business segment in Q2'25 with 45% ARR growth. This includes more than SASE, but that's a big part of it.
• Cato Networks isn't public yet, but they disclosed $250M ARR growing at 46% back in February. This disclosure is highly relevant both as one of Netskope's closest competitors and as a future IPO candidate.
• Cisco, Check Point, Broadcom, Cloudflare, Versa Networks, and other regulars in SASE/SSE-related analyst reports don't disclose revenue, but all are relevant players.

Netskope’s primary SASE market is both busy and intensely competitive, with both established and emerging companies competing to be the market leaders. It's also a big market, which is part of the reason why you see several companies putting up large revenue figures and double-digit market share.

Netskope is holding their own against the competition, both financially and strategically. They clearly feel there is enough room in the public markets for another company in this category and now is the time to take their next step.

Market positioning and security sector benchmarking

Competition is the crux of the story for Netskope, both strategically and financially. Public markets are all about comps, which means Netskope is always and forever going to get compared to companies like Zscaler, Cloudflare, and Palo Alto Networks.

Comparisons to public market superstars can be both good and bad. Netskope is hoping the comparisons are good for them post-IPO, and they could be right. Their stock has been holding at just under 20% above the IPO price, but they’re still in the early days of being a public company. They’re going to need to keep putting up Rubrik-like numbers post-IPO to maintain (let alone exceed) their valuation.

Broader cybersecurity (and related) comps matter, too — especially in terms of scale and growth rate. Even at $707 million in ARR, Netskope will be one of the smallest cybersecurity-related companies in public markets once they list. Here’s a sampling of cybersecurity-related companies and their current ARR, including Netskope:

Netskope’s current scale is well above the sub-$200 million LTM revenue scale some cybersecurity companies were going public with as recently as 2023. Many of those subscale companies have been taken private. The ones that remain are, for the most part, performing steadily (at worst) and setting the bar for the software sector (at best).

A good post-IPO outcome for Netskope would be following the path of Rubrik, SailPoint, and Varonis (CyberArk too, but excluding them after their recent acquisition announcement). If their ARR growth keeps trending up and profitability metrics keep improving, they’re going to have a home in public markets for a long time.

Recent IPO Context and Market Timing

Recent cybersecurity-related IPO performance landscape

The two best comps we have for relative IPO performance are Rubrik and SailPoint, cybersecurity-related companies who went public in late 2024 and early 2025, respectively. Both companies have been solid performers since going public. Rubrik, for its part, has been a (somewhat unexpected) darling of the software sector.

Netskope benchmarks relatively well against both companies’ financial metrics at the time of listing. Rubrik had $784 million subscription ARR at 47% growth. SailPoint had $813 million ARR at 30% growth.

Netskope’s $707 million is just below both, but close enough that most investors won’t lose sleep over it. Their 33% ARR growth isn’t astronomical, but comfortably above the cybersecurity sector median of ~20%.

Market timing

The market timing for Netskope is somewhat of a mixed bag with more good news than bad news. There's rarely a perfect time to go public. This was about as good of a time as any given the market volatility we've seen in the IPO window during the past year.

The good news is that recent cybersecurity-related IPOs have gone well. As mentioned earlier, both Rubrik and SailPoint had successful IPOs. Rubrik has had an even more successful run in the quarters following its IPO. Their stock is up 179% since opening day. SailPoint is currently down 15.9% YTD, but they’ve only had two reported quarters so far.

Cybersecurity stocks in general have performed well this year, with many scaled ($1B+ revenue or ARR) companies significantly outperforming the market. Three cybersecurity-related companies (Cloudflare, CrowdStrike, CyberArk – four if you count Palantir) are in the top ten highest EV/NTM revenue multiples for the overall software industry.

The bad news is that it's hard to live up to the standards of the top performing public cybersecurity companies. All of our sub-scale companies (less than $1B revenue) other than Varonis are down YTD. Netskope's revenue profiles as a subscale company, but their growth rate ranks among the best in cybersecurity.

The last bit of bad news for Netskope is that it's hard to follow a generational IPO like Figma, plus four other good ones in CoreWeave, Chime, Circle, and StubHub. Figma had an unbelievable debut spike and has been volatile since, but is still sitting well above its IPO price. Everyone besides StubHub had strong debuts but leveled off in the time since listing.

Paraphrasing Vanguard founder John Bogle: “In investing, you can’t time the market. You can only give it time.” Netskope is taking a long-term view here and giving themselves time to gain visibility and grow into a higher-profile public company.

Investor sentiment and reception dynamics

Reactions since Netskope's IPO filing have generally been positive to neutral with a bit of negative critique about specific metrics mixed in. Jason Lemkin (SaaStr) called Netskope’s S-1 “a really, really good one.”

It goes without saying that Netskope is not Figma (or Wiz, in cybersecurity parlance). Their IPO did not attract the same level of good karma and buzz. This felt a bit more like Rubrik or SailPoint, and that’s okay.

It's hard to directly compare Netskope to SailPoint because SailPoint spent nearly five years as a public company before being taken private and re-listing in 2025. Investors and analysts were already familiar with them and were never far out of touch during their three years as a private company under Thoma Bravo.

Rubrik was a different story. Much like Netskope, public market investors weren't very familiar with Rubrik either. This explains a lot of the pre-IPO skepticism people had about Rubrik and their good-but-not-great S-1 metrics. We all know the story since then, with Rubrik lighting up the scoreboard quarter after quarter in their time as a public company.

This was a rare feat and something that's unfair to project onto Netskope. The lesson to take from Rubrik is that it's okay to go into public markets as a lesser known company with some skepticism as long as you can perform at a high level after going public.

What's Next?

Netskope has an opportunity to be a memorable cybersecurity company and a fixture in public markets if enough goes right. They were one of the largest scale and fastest growing cybersecurity-related companies ever to hit public markets. However, the standard for public companies is much higher in 2025 than it was in the decade-plus prior when many of our current public cybersecurity companies listed.

Bull case

The bull case for Netskope hinges on the sheer size and stage of the SASE market. Whether you believe their ~$140B TAM estimate or not, it’s a directional proxy that help illustrate how large this market could be.

It's still early days for SASE adoption, especially in large enterprises with perimeter-based, firewall-heavy network architectures to modernize. There are still a lot of legacy VPNs out there. The shift to distributed and cloud-based work isn't going away. Netskope has a huge opportunity to help the world get there.

The main competitive advantage Netskope has is focus. SASE is the only thing they do. Most of their public market competitors have diversified security businesses that span beyond SASE into secure networking and other cybersecurity domains. Even Zscaler has expanded its focus into security operations in the past couple years.

Netskope has to use focus to its advantage and keep delivering a top-tier product experience while leveraging the brand uplift and capital infusion it gets from being a public company to raise its profile.

The software market is dying for high-growth stories during an extended period of muted SaaS growth rates and questions about impending AI doom for traditional SaaS companies. Netskope can outperform if it delivers sustained high growth on its path toward billion-dollar scale and beyond.

Bear case and execution risks

The bear case for Netskope is mostly about competitive pressure from larger, better-resourced players. The SASE market is basically a who's who of high-powered cybersecurity and diversified technology companies who are highly motivated to win this important market.

This brings all sorts of strategic risks for Netskope. Larger competitors have the financial flexibility to price and package Netskope out of the market, especially in the enterprise customer segment. Many security leaders view SASE as an undifferentiated product and choose to buy it as part of larger platform consolidation deals. Some large companies also choose to execute staged migrations to SASE and prefer to buy it from their existing firewall vendors.

From an execution standpoint, the standard of performance is significantly different as a public company. Several other recent cybersecurity IPOs that quickly turned into take-privates learned this the hard way. In fairness, the market's expectations changed significantly as investor preferences moved from growth at all costs to profitable, efficient growth.

The advantage Netskope has is knowing the market's expectations in advance. They know what they're getting into. Top-tier execution is easier said than done, of course. Anything less than that is going to put Netskope in the subscale/low-growth cohort of cybersecurity companies, which almost certainly means repressed public market valuation.

Critical success factors

Netskope needs a few things to go right to be sustainable as a scaled public company — and better yet, find a realistic path to a premium valuation multiple.

Other cybersecurity-related public companies have proven out the playbook for growth within a single domain. It’s worked for CyberArk, Okta, and SailPoint in identity. It’s worked for Varonis in data security. It’s worked (so far) for Rubrik in cyber resilience. Netskope needs to make it work for them in SASE.

As we've said throughout this analysis, the pattern for Netskope’s success is Rubrik. For Netskope to reach the bull case, they're going to have to execute like Rubrik — and maybe even better given the strong competitors in SASE.

A high-level abstraction of the Rubrik playbook means a handful of things when you apply it to Netskope.

First, they need to reduce their losses while sustaining (or even accelerating) growth. Netskope will enter public markets in a very similar position as Rubrik, with ~$350 million of net losses (TTM) as of their S-1.

Rubrik was actually getting more unprofitable year over year, but made dramatic improvements during their first few quarters as a public company. They're still not profitable, but industry-leading growth has been enough to make investors forgive them.

Netskope's losses have been improving sequentially across the periods disclosed in the S-1. In that sense, they're in a better starting position than Rubrik was. It's not easy to keep growth going without significant investment in sales and marketing and R&D. Netskope needs to find a way to hit Rubrik's level of performance.

Second, they need to keep expanding their platform. This is the focus thing we mentioned earlier and one of the primary advantages Netskope has over competitors as a SASE-only company. From an analyst point of view, they already have a relatively complete SASE platform and rank among the leaders in multiple market reports.

Expansion is likely to come from building on top of their existing SASE footprint and making logical extensions into other cybersecurity domains. They've given us some clues already, like their acquisition of Dasera to add Data Security Posture Management (DSPM).

Lastly, they need to share their story and articulate their vision. This is the hardest part to measure, but it’s impactful when it works.

Rubrik did an amazing job with this, going from a relatively unknown company to a much more widely recognized thought leader in just a year. All of the high-performing public companies, both cybersecurity and cybersecurity-related, are great storytellers.

Netskope has an interesting story of its own. Going public was the next big step. What they do next is going to determine if they can be a generational company.

It is expensive to build important cybersecurity companies. —Gili Raanan

How's that for a bold proclamation?!

Whether you agree or disagree with Gili Raanan and the Cyberstarts regime, this observation is spot on.

And the evidence keeps on mounting.

Raanan's full commentary was in the context of Wiz and their $1 billion Series E round last year, but it broadly applies to many other later-stage cybersecurity companies.

Even more so lately.

Earlier this month, Cyera became one of the five most highly funded companies in cybersecurity history. The $540 million Series E round they announced in June put them at $1.3 billion of total capital raised.

Less than a month later, Cato Networks announced a $359 million Series G round that put them at just over $1.1 billion in capital raised — the sixth highest total ever by a cybersecurity-related company.

This recent funding activity brought me back to Raanan's observation — and behind it, one of our industry's most important questions:

How much capital does it take for a cybersecurity company to go public?

A lot more than it used to, that's for sure. But how much, exactly?

I teamed up with Altitude Cyber to find out. We analyzed two decades of financing to give you a nearly precise answer and the supporting data to answer this exact question.

First, let's rewind the clock and taking a look at the fundraising journey of our current public companies.

Navigating M&A: What Every Security Leader Needs to Know by 1Password

Handling the security side of an M&A transaction can be just as difficult as the commercial parts. Especially when you factor in the long tail of work (and risk exposure) that happens after the deal closes.

I've been on both the security and corporate development sides of the equation several times now. I have a ton of empathy for everyone involved.

Navigating security during M&A is one of the hardest things to do in all of cybersecurity. It's a unique blend of business and technical acumen, capital, and pressure that you don't find many other places in business.

So, how do you function in such a high-stakes situation?

That's exactly what Dave Lewis, Wendy Nather, and Kane Narraway recently discussed on 1Password's Navigating M&A webinar.

The full replay is available now if you missed it live. Check it out.

How much capital did our current public companies need to go public?

None of the cybersecurity-related companies listed in public markets today required a billion dollars of capital to reach public markets.

Here's how much funding most of them (excluding several smaller cap companies) raised before going public:

The companies who went public a decade ago (or more) all raised less than $100 million total. This includes Palo Alto Networks, the first cybersecurity company to reach a $100 billion valuation.

Varonis did it with ~$30 million (give or take, might be off by a little).

CrowdStrike, Cloudflare, Tenable, Okta, and Zscaler all raised a lot of capital too, but not the massive totals we're seeing today.

SentinelOne raised $697 million on its way to being the largest cybersecurity IPO ever (by money raised and pre-market valuation).

Rubrik is the only other cybersecurity-related public company who raised over $500 million. They're one of our most recent IPOs, so this tracks with the overall trend.

And then there's SailPoint (not included in the chart above, but worth mentioning).

The company went public for the first time in 2017 with only $26.1 million in total financing, including $4.8 million in debt. For the sake of discussion, this tracks consistently with the data we have on other cybersecurity-related companies who went public in 2017 or earlier.

SailPoint was later taken private (and recapitalized) by Thoma Bravo for $6.9 billion, then went public again in Q1 2025 at a $12.8 billion valuation.

They were remarkably efficient the first time, but...guess what?! Setting themselves up to be an important cybersecurity was still expensive. The expensive part just happened the second time around with private equity sponsorship. Still a great outcome, but expensive.

We're going to see the SailPoint movie over again for an entire segment of private companies in the current IPO pipeline. Companies who went public (generally raising significant but modest amounts of capital by today's standards) were taken private, recapitalized, and are preparing to follow SailPoint's path back to public markets.

In context, you could infer Gili Raanan's observation was about high growth startups following the traditional venture-backed path to public markets. It's also going to end up applying to companies who were taken private, just with a different wrinkle of significant private equity financing to get them back to public markets for the long run.

It's still expensive to build important cybersecurity companies — regardless of whether the capital is coming from venture capital or private equity.

This has never been more true than it is for our current private companies. Let's talk about them next.

A majority of the most-funded cybersecurity companies ever are still private

Here's a telling stat about why the next generation of important cybersecurity companies is on a completely different planet financially:

Eight of the 10 (and 26 of the 30) most-funded cybersecurity companies of all time are still private.

Let that sink in.

Here's the dataset for the top 30¹:

Lacework raised the most equity funding by any company in the industry so far. You know the story.

Wiz raised $1.9 billion in total before Alphabet's (still pending) infamous $32 billion acquisition announced in March.

Netskope has raised $1.4 billion and looks to be among our top IPO candidates this year if public markets hold steady.

Cyera raised two of the largest rounds in 2024 and just added another $540 million this year.

ReliaQuest jumped into the top five with a private equity round earlier this year.

Cato Networks jumped into the top ten last month after a wild sequence of speculation and denial of a potential sale earlier in 2025.

OneTrust, Snyk, and Tanium are all later-stage companies who are holding steady after raising significant capital. They haven't disclosed raises since 2023 (or earlier).

Fireblocks is debatable as a cybersecurity-related company, but I decided to include them. They build security and governance infrastructure for Web3/cryptocurrency. No additional funding has been disclosed since a $550M round in late 2021.

Cybereason made the top ten with its Series H round this March. You know the story here, too.

The list goes on. Arctic Wolf, 1Password, and many others are promising companies in our IPO pipeline who are preparing and patiently awaiting their turn to go public.

So far, it's been a wide distribution of fortunes for our most-funded companies. Wiz had a great exit.² Lacework didn't.

The fate of the other 28 cybersecurity companies on this list (and dozens of more well-capitalized startups right behind them) is still to be determined. Some companies have grown into their massive valuations. Others look pretty even. A few may never live up to expectations.

That's the hell of it: raising massive amounts of capital alone is necessary but insufficient for achieving a large outcome.

Raising more money means raising the stakes

So, what does all of this mean for our industry?

It has never been more expensive to build important cybersecurity companies.

And, in general, it's just going to keep getting more expensive.

"Important" is relative, of course. Significant impact and good exits have been accomplished with far less capital than the companies we discussed here.

We'll see an occasional Saviynt — an IPO-track company who has been remarkably capital efficient — but examples like these are clear anomalies in a mass of data that clearly shows a pattern of rising capitalization.

But to reach the exceptionally rare pinnacle of business, a generational company who produces billions (or more) of economic value, significant capital has to be invested.

In many cases, our next wave of public companies are going to require $1 billion or more to reach public markets.

Why is this happening?

Companies are staying private longer. Competition is more intense than ever. Growth is happening faster. Lots of other reasons.

Large capital raises and massive funding totals mean something else, too:

It's more important than ever to remember that funding doesn't equal success.

As Marc Andreessen said:

Raising money is never an accomplishment in and of itself — it just raises the stakes for all the hard work you would have had to do anyway: actually building your business.

We forgot about the 'actually building your business' part for a while, but he's right.

This is exactly the stage many of the companies in our industry are at right now — actually building businesses with very high stakes.

Acknowledgements

Thank you to Dino Boukouris, John Gould, and the team at Altitude Cyber for partnering with me on the research and data analysis for this piece.

Footnotes

¹RSA Security has technically raised the most total financing (~$2B) if you include debt. We wanted to keep this analysis focused on equity funding rounds for private companies, so we excluded debt.

²Assuming the transaction closes, which still seems promising but...who knows.

...wait a minute, weren't we just doing exactly the same thing for SentinelOne?!

Yep. You can't make this stuff up.

Reports of a CyberArk acquisition surfaced before the ink was even dry on my analysis of a potential Palo Alto Networks-SentinelOne deal.

The news became official less than 24 hours later: Palo Alto Networks will acquire CyberArk for $25 billion.

There's no need to do an analysis of a theoretical deal this time. This is really happening.

I'm still shocked at how fast the deal materialized once the details became public. There's a lot to process here, both for Palo Alto Networks and the broader ecosystem.

The purpose of this article is still to analyze the case for and against the deal. It's just a different thought process knowing the deal has been announced and having the public version of Palo Alto Networks' strategic rationale to evaluate.

I'm mostly going to take the case for the deal as the rationale Palo Alto Networks provided and layer on some more context and analysis of my own. The case against the deal is based on my own judgment, discussions I've had, and points others have raised since the deal was first reported.

Here's the short of it: acquiring CyberArk is an excellent move by Palo Alto Networks from a business strategy standpoint. Emphasis business.

It makes a lot of sense commercially, and certainly a lot more sense than acquiring SentinelOne.

Whether this move is good or not for customers remains to be seen and will take years to play out.

It's going to depend a lot on whether Palo Alto Networks can expedite and improve the product integrations CyberArk already had in front of it with recent acquisitions. It's also going to depend on how effective the integrations are with Palo Alto Network's other platforms, especially Cortex and Prisma.

That's the flip side of identity market fragmentation: If Palo Alto Networks blows this up, there are hundreds of other companies who would be happy to take CyberArk's place in the market.

As Nikesh Arora might say, they still have to execute.

This is a long article. Transformative deals like this don't happen very often, so they're worth digging into when they do. Let's get into it.

The case for a deal

If Palo Alto Networks was going to do identity, they had to do it big.

Commercially, there was no way they were going to build a successful identity business if they had just picked up a bunch of small companies and tried to put them together. They needed to bootstrap their entry into the market, so a scaled acquisition made sense.

The identity market is at a completely different level of maturity compared to the situation when Palo Alto Networks built its cloud security business by stitching together smaller companies. That approach worked because the cloud security market was still forming. There essentially was no market leader to acquire.

Identity has been through multiple generations of market leaders (Sun, IBM, CA, Oracle, and others. The market has already gone through multiple phases of disruption and M&A. For the most part, we've seen it all.

Currently, we've landed with a handful of specialist identity players — some public, some owned by private equity firms. You know them: CyberArk, Okta, SailPoint, and Ping Identity. And then there's Microsoft. We'll get to that.

Palo Alto Networks had zero chance of competing with those four companies (plus Microsoft and the other incumbents who still hold material market share) by building, buying, and partnering their way to a coherent identity offering.

If there was one market where a massive deal had to be done, identity had to be it.

Accelerating platformization

Palo Alto Networks' multi-platform evolution of the last seven years has been a story for the ages.

Acquiring a scaled identity company like CyberArk and entering the identity market as a de facto market leader accelerates the platformization strategy that Palo Alto Networks has been working on for years.

It's worth reiterating the common misunderstandings around Palo Alto Networks' platformization strategy. They are not, and never have been, building a single end-all-be-all cybersecurity platform.

They have established and grown three core platforms on top of their existing NGFW/Network Security business in the Nikesh Arora era: SASE, Security Operations, and Cloud Security — collectively, their Next-Generation Security (NGS) portfolio.

For the most part, their strategy has worked. They have established a significant product portfolio and revenue traction in the NGS businesses, now over $5 billion ARR even without CyberArk.

They clearly felt like it was time to take the next step and enter the identity market.

Identity will become the fourth platform based on the details they've shared so far in the announcement.

This is a significant milestone both for Palo Alto Networks and the cybersecurity industry in general. It's the first time a company has held leading positions across all of the major cybersecurity categories.

We've never seen a company operate a footprint across this many domains. There are still open questions about whether this strategy is going to work long term and if it can be sustained. This is the furthest along the experiment has gone.

Why CyberArk?

Did the acquisition target for Palo Alto Networks' identity market entry absolutely have to be CyberArk?

No, but CyberArk was the best option they had among scaled identity companies. There just aren't that many viable targets with the right financial profile and product suite. CyberArk is a great option. I'm surprised they got it.

CyberArk has more pieces of a comprehensive workforce identity offering than most other scaled alternatives. They have PAM, SSO (albeit third or fifth in the market), and they just acquired IGA with Zilla, an early-stage company.

Any other targets Palo Alto Networks could have acquired would have required add-on acquisitions to round out the full workforce identity offering.

Okta likely isn't willing to sell at their current market cap of ~$17 billon, roughly half its all-time high (and now below CyberArk, even before the acquisition report). Todd McKinnon is still a relatively young CEO who looks committed for the long haul.

Ping Identity could have made sense, but their product portfolio doesn't have well-established IGA or PAM capabilities, even with ForgeRock. Palo Alto Networks likely didn't want to be in the customer identity business, either. They do have a directory product, which is nice — but again, directory is not the way the identity market will be won.

SailPoint just went public again and has had a successful return. They're primarily an IGA company that has acquired its way into PAM — nowhere near the depth of CyberArk there. They don't do SSO. Great company, not as great of a strategic fit for Palo Alto Networks.

There is a long tail of smaller companies in the identity market with varying shapes and sizes of a product portfolio. Some have eight and nine figures of revenue — Saviynt, RSA Security, SecureAuth, 1Password, Keeper, Veza, StrongDM, and dozens more.

Palo Alto Networks was playing an entirely different game here. The plan wasn't to do value acquisitions of different market leaders in multiple identity segments and slowly grow an identity business. The quest to win the competition against both hyperscalers and large competitors like CrowdStrike needed a transformative deal.

Product expansion

From a product standpoint, this is a completely different discussion from the SentinelOne deal in terms of product overlap. CyberArk brings a set of net new capabilities for Palo Alto Networks with a relatively minimal amount of overlap.

With CyberArk, Palo Alto gets a complete workforce identity suite: PAM, SSO, IGA, Machine Identity, Secrets Management, and more. There's almost no product overlap — just a few ITDR-related features, a secure browser most people didn't know CyberArk had, and some other minor tools.

They don't get a directory services product, but the best strategy is probably to concede that one to Microsoft. There is no viable strategy for beating Microsoft — not in security, and not in identity. Microsoft is going to be Microsoft.

I've done directory migrations, and let me tell you: they're gnarly. Even if Palo Alto Networks did gain a first-class directory product with this deal, it doesn't mean customers would buy it. Just ask Oracle how that went. Customers will change out their IGA, PAM, and SSO products many times over before they'll change directories. It's just not worth the pain.

The way to tame the Microsoft dragon is to keep it well fed with directory revenue so it doesn't get hangry and start breathing fire. Put the dragon in its directory corner, and go take the market for everything else.

Palo Alto Networks is not entering the identity market to beat Microsoft. They want to be competitive, of course — but they're savvy enough to know Microsoft isn't going anywhere. This move is about marginalizing standalone, single-platform identity companies.

Are there products out there that practitioners like using more than CyberArk? Of course. Product and usability were secondary factors at best. This was primarily driven by commercial and financial considerations.

I do have some hope that progress will be made on the product side if they apply the Cortex platformization playbook to CyberArk. While not perfect, what I've seen of the Cortex product did turn out relatively well, especially considering the breadth and scope of what they're doing.

Market convergence and timing

The first part of the "why now" thesis Palo Alto Networks outlined is interesting. As a longtime identity person, I generally share their view the market, but with some specific nuances.

I've always seen identity as a security function, although this admittedly could be a factor of working within a cybersecurity consulting practice where CISOs are the primary buyer. Either way, the evidence is clear that identity and security are converging in a way they haven't before.

I directionally agree with their overall thesis, though I would have framed the PAM expansion differently. Maybe I'm being particular as an identity person. The differences of opinion are negligible.

I'm not completely sold on the narrative that identity is fully aligned with the PAM vision and that PAM should be deployed across the entire employee base. The PAM part is what CyberArk had been saying, especially prior to machine identity, about their own growth story.

It's not so much that PAM needs to go to everybody — it's that the very definition of PAM is changing. A broad workforce identity platform is going to have aspects of PAM that are now becoming unbundled and usable by more people. Every identity needs better security, not just the special ones.

I wouldn't over-index on the PAM part, even though that alone is a good reason to be in the identity market. To me, the narrative here is offering a broad, integrated identity platform that works for various different users.

The need for platformization in identity

The second part of the "why now" thesis is the one I wholeheartedly agree with. Identity is an established market, but at the same time, there's still a lot of room for change.

As a former systems integrator who understands the pain of identity implementations, I fully subscribe to the need for convergence in identity security. Everything they said about fragmentation on a market basis is true.

Even with some consolidation that has happened recently, the enterprise market is clearly headed in the direction where converged workforce identity platforms are the way of the future. We've made a lot of progress, but it's still fair to say this is more theory than practice right now.

Okta has expanded from its SSO roots and has become a more well-rounded identity platform with SSO, PAM, IGA and many other features through a combination of organic and inorganic activity. While there are early signs of success, it's still pretty early in the journey and just starting to gain meaningful traction in the enterprise segment.

SailPoint has also become a much broader platform, especially as it retooled for its second incarnation as a public company. They still don't have SSO, and the PAM acquisition they made is nowhere near the level of scope and maturity as CyberArk.

The interesting part about platformization and identity security is that even with acquiring CyberArk, Palo Alto Networks is still not getting a fully baked platform.

CyberArk, for its part, is still more of a suite than a platform by the strict definition. They've had PAM for a long time. Their SSO product consistently ranks in the top three to five and likely has tens of millions of dollars in ARR. They recently acquired Zilla for IGA, which is still an early stage addition to the product portfolio.

There are pieces that haven't been fully integrated across PAM, SSO, Machine Identity/Secrets Management, and especially not IGA. CyberArk is close enough as is, but there's still work to be done from a product perspective.

Machine identity and AI positioning

The third "why wow" pillar about the rise of machine identity and AI agents is where things start to get a bit more speculative, especially the AI agent part. It's also the part with the highest upside if things go well.

The case for machine identity was already pretty well established by CyberArk at the time of their Venafi acquisition. This was more than just theory. The partnership had worked for a long time leading up to the acquisition. The demand was already proven to a point where it made more sense for CyberArk to own Venafi than work with them as a partner.

The deal is fresh enough that the full upside remains to be seen, but it's helpful for Palo Alto Networks to already have that acquisition in the bag and de-risk the machine identity part of the equation (to some extent).

Venafi is an established machine identity company, not some newfangled NHI startup. It's really about certificates and cert-based authentication and authorization for machines, plus management of rotation.

I know that sounds super boring, but it's the most likely solution for how enterprises are going to handle security for AI agents.

There are a lot of theories being thrown around about how AI agents should be secured. Several of them are good, and I hope we do eventually get to standards and protocols that are the ideal implementation.

Knowing how application development works in large enterprises, my guess is that identity for AI agents is going to look fairly similar to how it already looks for apps today. This means secrets, API keys, certificates, service accounts, and the like. In other words, exactly what CyberArk already does well in PAM, secrets management, and now machine identity.

Maybe the implementations will get better eventually, but this is probably how it's going to work — especially for internal-facing stuff in big enterprises.

Financial terms and valuation

It's easy to see a $25 billion headline and get sideways about how much Palo Alto Networks paid. I get it, but the price tag is at least within reason.

One of the closest comps out there is Cisco's acquisition of Splunk for $28 billion. This had a much more reasonable multiple with Splunk at around $4 billion of revenue at the time of acquisition compared to CyberArk being just over a billion.

Another comp is Alphabet's acquisition of Wiz, which is one of the highest multiples ever recorded for a cybersecurity-related acquisition.

CyberArk falls closer to the Splunk side of the multiple spectrum, arguably with more upside and momentum at the time of acquisition.

From CyberArk's point of view, they had no need to sell. I take the $25 billion as a "make me move" price where they were only willing to sell at a significant premium. That's the position they put themselves in by completing their SaaS transition, rounding out at least the beginnings of a complete workforce identity suite and generally executing well across the board.

Acquiring CyberArk is definitely on the upper bound of Palo Alto Networks' financial guardrails, but it's also important to remember that Palo Alto Networks is trading close to all-time highs.

In this particular case, a substantial portion of the deal was equity. The cash consideration was still meaningful (roughly $1.5-2 billion based on the information they disclosed), but it's still a relatively small percentage of the overall consideration.

This is Palo Alto Networks using its momentum and current market cap to its advantage.

Upselling and cross-selling

Go-to-market and revenue synergies (bleh) could go either way in terms of whether they're part of the case for or against a deal. I think they're more likely to work in favor of Palo Alto Networks, so I'm including the analysis here.

Why?

Palo Alto Networks has significantly more customers (70,000+) compared to CyberArk's 10,000. The customer profile generally matches too, with buyers of PAM being heavily regulated large enterprises in mature industries.

Palo Alto Networks has a bit broader customer base, but many of the large eight-figure deals you see them talk about in earnings releases are the typical profile of a CyberArk customer.

The pull-through is hard to know without seeing exact customer lists, but I expect it could work both ways. Palo Alto Networks will be in more companies where CyberArk doesn't currently have a footprint. The opposite is also true, especially in some larger enterprise accounts where CyberArk is already a customer but Palo Alto Networks is not.

With the scale and ambitions of Palo Alto Networks, it's hard to understate the value of gaining new customers any way they can. Acquiring CyberArk gives Palo Alto Networks a first point of entry into many new accounts with hopes of not only keeping the customers, but also adding other platforms in the future.

TAM and revenue impact

Palo Alto Networks already had one of the largest TAMs in cybersecurity with their existing platforms. Adding identity unlocks significantly more TAM, with some estimates like both Okta and CyberArk measuring the TAM for workforce identity at $50 billion, not the $29 billion Palo Alto Networks quoted from IDC in their release.

Either way, the more impactful part now is the serviceable obtainable market (SOM) it unlocks for Palo Alto Networks — and even more specifically, the accretive revenue and free cash flow it adds.

CyberArk is a billion-dollar run rate business, which is a nice way to start your foray into the identity security market. It puts Palo Alto Networks at $10 billion of revenue already and, as discussed in the SentinelOne analysis, significantly accelerates and de-stresses its path to $15 billion.

Integration strategy and future vision

I expect we're going to see Palo Alto Networks execute the playbook they followed with Cortex.

They spent significant R&D effort building out a centralized data model, refactoring and reintegrating multiple products into a much more cohesive platform and user interface.

What Palo Alto Networks has to do (okay, should do) over the next two to five years is apply the Cortex integration strategy to CyberArk and finish their product integrations across the board.

I've seen Cortex and what they did with it — integrating what they built and acquired, adding cloud security, data security, AppSec, etc. They did a great job making it look coherent on the front end.

The next level beyond integrating all of the identity parts is integrating data into Cortex for SecOps. All this identity log data is going to get fed into Cortex for much higher-fidelity logging than we're used to with identity.

If you can get really high-fidelity authentication and authorization data into Cortex, plus cloud security, application security, data security, and more — you have a much better ability to see what's going on in your environment and then drill down and triage alerts that didn't have much visibility before.

There are definite connections to the networking and SASE sides as well. You can already see other companies doing interesting things with identity, secure browsers, SASE, network security (zero trust...gasp) and lots of other things Palo Alto Networks already does.

Acquiring CyberArk is about adding identity, but the next-level strategic move here is bringing identity to other core security functions in a more comprehensive way.

AI is the bull case

Even if you completely take any upside from the agentic market and strike that from the deal, this still looks like a smart acquisition commercially.

Palo Alto Networks is entering an important new market while adding a billion dollars of ARR that's growing at a market-leading growth rate.

None of us really know how big the market for securing AI agents is going to be. The assessment of that emerging market and the upside and downside is a completely different article, so we're not going to get into that here.

In the context of this deal, whatever happens with AI agents is part of the upside. The downside is relatively limited. If you strike that part entirely from the deal or imagine a worst case scenario where AI agents are a complete dud, this still looks like a pretty good deal.

Competing in a market for human identity alone is pretty good business. There's enough validation on the traditional side of machine identity where that's a safe bet, too.

This acquisition may not be worth the full $25 billion without some AI upside, but is it still worth over $20 billion? Probably.

The case against a deal

Here's the punch line: I don't see much of a bear case at all (again, from a business strategy standpoint). This was a savvy acquisition. Expensive, but savvy.

Most of the criticism I've seen so far is people airing out grievances with Palo Alto Networks, CyberArk, or both.

If you look at this from a hardcore business strategy standpoint and take away the other incentives and biases, it's hard to argue with their rationale.

There are risks, though. Lots and lots of risks. Those are what we need to talk about.

Valuation and financial tradeoffs

The financial risk of a transaction this large is obvious. $25 billion is a lot of capital no matter what the split is between cash and equity.

This means another scaled acquisition like SentinelOne is off the table for now. In fairness, I can't think of a scaled acquisition that would have made more of a difference to Palo Alto Networks than entering the identity market.

They'll continue to make tuck-in acquisitions within their existing NGS platforms, including CyberArk, wherever they feel like it might be lacking.

Palo Alto Networks has reached a point where building from scratch is often close the same level of effort as integrating an acquisition. They don't need to buy as many companies going forward as they did in the previous seven years now that their NGS platforms are more established.

They will still make some relatively large tuck-in acquisitions like they did with Talon or Protect AI, but the burden of proof is now a little higher and their financial position is such that deals may have to clear higher financial and technical hurdles than they did in the past.

Go-to-market

If we learned anything from other large identity acquisitions this decade, it's that GTM is a huge gotcha post-acquisition.

The GTM integration between Okta and Auth0 went very sideways. Combining the orgs didn't work. As it turns out, selling a top-down workforce/customer identity platform and a bottom-up, developer-focused customer identity platform are two wildly different things.

Palo Alto Networks has to tread lightly on the GTM side of this. Selling firewalls and the NGS portfolio is not the same as selling identity. They're probably better off keeping most or all of CyberArk's GTM org in tact and doing what they can to make their lives easier.

On the customer side, the risk of churn is real — but I certainly don't expect a material part of CyberArk's customer base to churn even if they'd rather not work with Palo Alto Networks. Complaining is one thing. Switching is another.

A specific nuance about Identity, and PAM in particular, is the products are incredibly sticky. They take millions of dollars and years to implement. Changing vendors isn't like just install a different agent to move from CrowdStrike to SentinelOne on the endpoint. There are meaningful switching costs.

Most existing CyberArk customers are just going to put up with Palo Alto Networks even if they don't use or want to use any of their products across the rest of the security or IT portfolio.

If there's going to be any customer impact at all, it's more likely to be on the net new customer acquisition side. CyberArk was doing fairly well in this category, especially given the macroeconomic circumstances.

Rather than existing customers churning, the more likely impact is going to be new customers choosing to go a different direction for their PAM and workforce identity solutions. This is generally good for other companies in the workforce identity market, but that's for another discussion.

The cross-selling opportunities are the wild card here. I'm sure the Palo Alto Networks Corp Dev team and their bankers modeled this and have good assumptions around it.

I expect some level of success with cross-selling — and possibly enough to not only net out any churn or slowdown in new customer growth, but vastly exceed it.

This could be especially true if Palo Alto Networks is able to do good things on the product side and simplify the overall purchasing, financing, licensing and transaction process that many CyberArk customers complain about.

Channel relationships

Channel is another area where you could argue there is downside, or at least substantial risk.

CyberArk is the gold standard in cybersecurity for how to grow and run a partner program. They have amazing relationships with all of the GSIs as well as several other niche boutique integrators. Palo Alto Networks works with most of them anyway, but identity will be a different capacity.

We're not going to see the channel just stop working with CyberArk now that they will be owned by Palo Alto Networks. Due care has to be taken to make sure the channel relationships and model CyberArk already has in place continues to be successful.

Palo Alto Network has its own successful channel relationships, and they already work with many of the same GSIs and partners CyberArk does. Identity implementations are a different muscle, but the GTM side is still similar.

Integration and culture

Palo Alto Networks is no stranger to integrating acquisitions, now with more than 20 reps of experience. Integrating a scaled public company with $1 billion of revenue and over 4,000 employees is a lot trickier than making things work with a startup.

As we discussed earlier, I actually like their chances with the technical side of the integration over the long run. People and process are the parts that worry me.

Tough personnel decisions have to be made. This inevitably means layoffs, as we already saw with Cisco-Splunk, Proofpoint's acquisitons, and many others.

CyberArk has a specific method and culture that's worked for them over the course of 25 years. Palo Alto Networks has it own culture — one that largely mirrors the towering ambitions and personality of Nikesh Arora.

How CyberArk responds to the limelight that inevitably follows Palo Alto Networks is one of the biggest open questions about this deal.

So, what now?

Large, multi-domain cybersecurity companies have historically stayed away from the identity market.

That era appears to be over. This is an industry-altering deal.

The place to watch next is what happens with the rest of the market.

CrowdStrike, Fortinet, Check Point, Zscaler, and anyone else who wants to be a broad cybersecurity market leader is now under tremendous pressure to enter the identity market.

This acquisition also changes the game for Okta, SailPoint, Ping, Saviynt, and several other standalone identity companies. They need to finish the job of building end-to-end workforce identity platforms and find other ways to differentiate. Or, they need to sell.

The gloves are off now. Palo Alto Networks made its move, and the ripple effect across the rest of the industry is going to be just as big.

That was the multi-billion dollar question many people were talking about last week after (speculative) reports came out about a potential deal.

And now we have another one, with WSJ and Reuters reporting a potential acquisition of CyberArk (right before I was about to hit publish!).¹

I normally wait until after deals are announced to do a detailed analysis. Both the SentinelOne and CyberArk reports had so much interest and would be so consequential (if either were to materialize) that it makes sense to explore now.

Even as the CyberArk report gains steam, there are some generalized factors here that apply to either scenario.

Consider these preliminary analyses to be a thought exercise.² Even if the reports are totally unfounded and/or a deal never materializes, it's still a helpful learning experience for us to analyze transactions of this scale.

Why?

Most of the take-private activity we've seen in cybersecurity so far has been private equity firms acquiring public companies. There have been acquisitions of public companies by strategic buyers, of course. Cisco-Splunk and Sophos-Secureworks are a couple recent examples. They're far less common, though.

Disclaimers aside, here's the punch line: I wouldn't take these Palo Alto Networks/SentinelOne acquisition reports too seriously (yet). The combination of strategy and dollars for this aren't a clear "go" or "no-go."³

Let's walk through the case for and against the deal, starting with the reasons why it could happen.

The case for a deal

First off, I still think we have to consider SentinelOne as an option that's still on the table, even with qualified reports of a CyberArk acquisition.

In some ways, CyberArk makes the SentinelOne report more credible than it was on its own. There are now two signals of Palo Alto Networks having the appetite to do a transformative deal.

I agree with others that CyberArk makes a SentinelOne deal seem less likely — just that it shouldn't be written off yet either.

Neutralizing a top‑three rival in endpoint security and adding ~$1 billion of ARR is appealing, both strategically and financially.

Market leadership (commercially) in endpoint security is still just out of reach for Palo Alto Networks, despite good effort to date in building an offering and a good stretch of favorable analyst ratings.

Combine the market reality with ambitious long-term financial goals, strong financial metrics, and competitive pressure, and you can start to see why a large acquisition like SentinelOne could be on the table.

Let's dig in.

Market share consolidation

If this deal happens, market share consolidation is going to be one of the main reasons.

Even though endpoint security is one of the largest and most mature markets in cybersecurity, it's still highly fragmented. Here's a market share snapshot from IDC (via Microsoft) to give you an idea of how pervasive the fragmentation is. The snapshot is a couple years old, but we can take the numbers as directionally correct.

Microsoft (25.8%) and CrowdStrike (18.1%) control ~45% of the market, and things get choppy from there. SentinelOne had ~4% market share at the time but was growing 43.1% year over year. Palo Alto Networks had less than 4% — their exact number buried somewhere in the 32% "rest of market" slice.

Acquiring SentinelOne would get Palo Alto Networks to ~10% market share (ballpark).⁴ That's still around half the market share CrowdStrike likely has today. It's good for third place, just above established companies like Trellix, Broadcom (Symantec and Carbon Black), Sophos, and Trend Micro.

A secondary but still important point is further consolidation of the next-gen SIEM market. Adding SentinelOne's customers to the ~270 customers XSIAM already has (as of their Q3'25) clearly helps the case for acquisition.⁵

We haven't seen market share consolidation happen very often in cybersecurity. It does, but it's not our default playbook. The cybersecurity industry has mostly been a collection of emerging markets and companies.

The Thoma Bravo backed combinations of Ping-ForgeRock and Exabeam-LogRhythm are two large, recent examples. In Cybersecurity's Class Conundrum: Winner-Take-All Market Dynamics, I made a case about why we're going to see market forces cause things like consolidation.

There is already a little bit of precedent with Palo Alto Networks doing market share consolidation. Their partial acquisition of IBM's QRadar SIEM portfolio was primarily about accelerating market share for Cortex XSIAM.

Palo Alto Networks essentially acquired customer pipeline (IBM's existing QRadar customers), not tech. Their objective is to migrate QRadar customers over to XSIAM (with IBM's blessing and professional services help), not to keep them on QRadar or integrate any part of the product into Cortex.

QRadar isn't a direct comp for SentinelOne, which has both a broader and more diversified product suite. I'm just making this connection to say that market share consolidation has been a factor for Palo Alto Networks before, even with a slightly different flavor.

SentinelOne would be a bigger, bolder iteration of a similar playbook — and perhaps a necessary one for Palo Alto Networks in their quest for multi-platform market leadership in cybersecurity.

Revenue acceleration

Palo Alto Networks has an audacious long-term financial goal: $15 billion in Next-Generation Security (NGS) ARR by 2030.

They hit $5 billion of NGS ARR in Q3'25. This is impressive on its own, and it also shows how far they still have to go if they want to hit $15 billion.

This is where the math starts to impact the strategy. Hitting $15 billion by 2030 from $5 billion today implies a ~20% CAGR. It could happen on its own...but we're currently living in a world where median revenue growth for public software companies is 11%, and 20% growth puts you in the top ten.

Acquiring SentinelOne quickly adds ~$1  billion of ARR to Palo Alto Networks' NGS portfolio. The growth rate to $15 billion suddenly becomes 16-17% (napkin math, just showing what revenue acceleration looks like). Still aggressive, but a lot more doable.

So, accelerating the timeline for reaching this milestone is very appealing — assuming a reasonable acquisition price and revenue multiple.

This assumes strong growth continues (or even accelerates) post-acquisition, customer retention is high, and overlaps in product portfolios get worked out (more on this later). All big assumptions, but part of the territory in large scale acquisitions.

Scale and financial position

Palo Alto Networks is now big enough to afford larger deals. History says that billion-dollar-plus acquisitions are uncharacteristic for them. But Palo Alto Networks is a much different company in mid-2025 than they were when Nikesh Arora took over seven years ago.

As I observed in a related LinkedIn post, the reported price tag of $7 billion (or more) for SentinelOne would a atypical — 10x larger than their largest acquisition level of atypical. They have never made an acquisition over $800 million.

Here are the ten largest disclosed acquisitions they've made so far:

A commenter correctly pointed out that Palo Alto Networks has grown beyond their original M&A playbook.

In fact, you could make the case that the investment required to inorganically grow their current NGS portfolio was proportionally larger and riskier (in aggregate) than a large acquisition is now.

Over the past decade, Palo Alto Networks spent just over 11% of its weighted average market cap on acquisitions. This isn't a banking-grade calculation, but it's precise enough for comparison.

Even though the individual deal sizes were smaller, the total was a material investment relative to its size at the time. The plan worked, too. Palo Alto Networks wouldn't be today's most valuable standalone cybersecurity company without these acquisitions.

This brings us to today and the current situation with SentinelOne (or any comparably large acquisition target ...cough...CyberArk...).

Palo Alto Networks' current financial metrics can support larger acquisitions than they've done in the past. You know...like buying a public company for several billion dollars.

A few metrics to further illustrate the point: Palo Alto Networks currently has $136 billion of market cap, $2.3 billion of cash and equivalents, and essentially zero long-term debt obligations.

Enterprise value has quadrupled since 2020. They can comfortably finance a $7–8 billion purchase.

Palo Alto Networks has made plenty of acquisitions, but they haven't fully exercised their enviable financial position. This is only theoretical because they haven't chosen to exercise it.

The strategic choice is theirs to make, of course. Nobody says they have to do this deal, or any deal they don't have strategic and financial conviction.

The point is they can.

Strategic buyers make acquisitions up to ~10 % of enterprise value all the time. We just don't see deals like those very often in cybersecurity because they haven't needed to happen.

A ~$7 billion acquisition (ballkpark for SentinelOne) at their current $136 billion market cap is about 5%. A ~$20 billion acquisition (ballpark for CyberArk) is 14.7%. More of a stretch, for sure — but both within reason as a proportion of the company's current scale.

Acquiring either SentinelOne or CyberArk would be a large transaction, but it's not outside normal strategic M&A guardrails for a $130 billion company.

If the priority for Palo Alto Networks is to accelerate NGS revenue, neutralize a rival, and position itself better against large competitors, SentinelOne’s $1 B ARR at a mid-single-digit multiple is attractive...financially.

But for a deal like this, the strategic rationale have to clear a higher bar than “we can afford it.”

Factors like product overlap, cannibalization risk, and whether consolidating share in endpoint security is worth the distraction from PANW’s platform-expansion roadmap (Prisma Cloud, XSIAM, etc.). More on this later.

The financial drivers could make sense, but qualitative fit still matters.

Timing and competitive dynamics

Companies and their leaders will often downplay the role of timing and competitive dynamics in M&A decisions, but the reality is they're always a factor.

The Nikesh Arora era Palo Alto Networks is notoriously ahead of competitors on the timing of most acquisitions — Protect AI being the most recent example in a nascent market to secure AI models.

Large cybersecurity competitors aren't letting up, and several have already made large moves of their own.

Alphabet acquired Wiz for $32 billion.

CrowdStrike's valuation is $117.6 billion, up 29.2% since last year. At this point, they're past material impact from last summer's outage.

Microsoft is Microsoft. No large acquisitions, but lots of action within a well-rounded security portfolio that directly competes with most of Palo Alto Networks' NGS portfolio.

Fortinet, Check Point, and others are doing their part, too.

Competition has never been more intense on either front — both traditional competitors and hyperscalers. External pressures and urgency are higher than ever.

Timing and competition won't be the main driver, but it could be time for a big move.

We're probably at a point where organic growth and tuck-in acquisitions aren't going to move the needle enough on driving growth at scale.

Acquisitions like Talon and Protect AI still matter, of course, but they're in emerging markets that need time to grow. There are only a finite amount of these emerging market leader opportunities out there.

Palo Alto Networks is big enough where they need multiple levers to pull.

Next, let's move on and discuss the case against a deal.

The case against a deal

As a person who's been part of billion-dollar cybersecurity acquisition discussions before, I can assure you the burden of proof required to get a deal done is incredibly high.

Most of our larger companies wouldn't bat an eye at spending $50 or $100 million on a smaller company that's obviously complementary. You still have to make the case, but it's much easier to do.

For Palo Alto Networks and SentinelOne, there is a case for a deal — as we just discussed in the first half of this article. I just don't know if it's enough to overcome the relatively substantial case against the deal.

Everything basically starts and ends with overlap in product portfolios and how to rationalize the differences. Several other sub-points stem from this core issue.

Let's start at the top.

Product overlap

There is significant overlap in the product portfolios. It's hard to put an exact number on the amount of overlap without an internal data room. I'd call it something like 50-75% overlap based this high-level analysis:

Endpoint security is obviously the core product and crown jewel of SentinelOne. It's a valuable asset, for sure — but Palo Alto Networks is no slouch.

Palo Alto Networks doesn't disclose product line level revenue within the Cortex platform, so it's hard to say exactly how big their endpoint security business is commercially.

It usually ranks well in analyst reports and performs among the leaders on MITRE ATT&CK evaluations, to the extent that external benchmarks and analyst ratings matter.

As we discussed earlier, the overall endpoint security market share probably isn't where Palo Alto Networks ideally wants to be, but it's not a gaping hole in their product portfolio either.

Another nuance worth noting is that Palo Alto Networks has historically viewed endpoint security as an add-on to its Cortex platform, not as a standalone product. I don't have the data around this (and Palo Alto Networks doesn't discloses it), but I would guess the number of times where endpoint security is a standalone sale or the entry point into a new customer is somewhere between "never" and rarely.

That's not to say they don't want to lead with endpoint security, just that leading with an endpoint security product would represent a change to their go-to-market philosophy.

There is also a lot of overlap in the broader SecOps portfolio. SentinelOne has shown some traction in the next-gen SIEM market, but this directly overlaps with Cortex XSIAM.

It's a similar story for CNAPP, SOAR/hyperautomation, threat intelligence, exposure management, ITDR...you get the picture.

The only cases where there is little to no overlap are capabilities that Palo Alto Networks already has and SentinelOne doesn't.

ITDR is probably the product category where SentinelOne is the closest to bringing something net new to the table, but Palo Alto Networks does have an offering already.

Purple AI is the wildcard. SentinelOne has done some interesting things and shared anecdotes of customer traction in recent earnings calls.

Palo Alto Networks is no stranger to AI, though. They have their own unique approach with Cortex XSIAM and many other customer-facing and internal use cases across the board that Nikesh Arora has openly discussed for years.

Rationalizing this many products, agents, data repositories, and automation suites is a recipe for customer churn and channel confusion. They might decide the upside is worth the pain, but make no mistake about it: there would be a lot of pain.

Financial tradeoffs

Palo Alto Networks may be in a fortunate position where they can afford a large acquisition, but a move like this comes with tradeoffs.

Spending $7 billion or more on a single acquisition with significant overlap in the product portfolio could limit their ability to execute the playbook that's worked for them so far: multiple acquisitions of emerging market leaders.

They also limit optionality for acquiring a different company at or around SentinelOne's scale. You can see where this tradeoff matters with the CyberArk report we just heard. If I was Palo Alto Networks and had to pick between SentinelOne and CyberArk, I'm buying CyberArk 100/100 times.

A large acquisition could also limit their ability to invest in R&D. Their product teams have proven to be capable of both integrating acquired products and developing new ones within each of the three major platforms.

Inorganic growth gets a lot of attention, but Palo Alto Networks wouldn't be as successful as it is without meaningful R&D investments.

Customer perception and retention

A secondary point against the deal is how customers will receive it and whether Palo Alto Networks can retain a meaningful portion of SentinelOne's customer base. This one is harder to quantify, so I'll just describe the point anecdotally.

Here's a paraphrased comment from a CISO in the LinkedIn post I wrote about the potential deal:

Many SentinelOne customers explicitly chose SentinelOne to avoid Cortex XDR...many SentinelOne customers will switch to CrowdStrike.

There would be some amount of churn from SentinelOne customers that don't have a Palo Alto Networks footprint today (and don't want one). This isn't everyone, or even a majority, but there is an undercurrent of hard-to-explain industry contempt for Palo Alto Networks.

The churn could end up being negligible. Or, it could manifest itself in different ways, like a slowdown in net new customer additions. This alone isn't a reason not to do the deal, but it has to factor into the rationale.

Regulatory and antitrust scrutiny

Combining two industry leaders in endpoint security could attract regulatory (DOJ and EU) scrutiny, as most large deals do.

Ping and ForgeRock made it through under the previous administration. HPE's acquisition of Juniper Networks was finally settled, too.

The review of Alphabet-Wiz is still in progress and isn't predicted to close until 2026.

I'm certainly not an antitrust expert, but anecdotally it seems like Palo Alto Networks-SentinelOne should also be approved if it was to happen.

The question is how long it would take, as any major delays affect the upside of the deal. Again, not enough of a concern to prevent the deal on its own, but a factor that has to be considered.

Best Alternative to a Negotiated Agreement (BATNA)

This wouldn't be a proper case study without a BATNA! We won't drain this topic, but it's worth mentioning the alternatives for each company if a deal doesn't come together.

If Palo Alto Network believes the trajectory for Cortex (and NGS overall) is already set up for success (between organic growth and continued tuck-ins), the price premium plus integration risk could outweigh the bump in endpoint security market share.

As discussed earlier, it also leaves them the optionality to do a different large scale acquisition like CyberArk or other late-stage cybersecurity companies.

SentinelOne still has decent options too. An acquisition and take-private by private equity would follow a pattern many other public cybersecurity companies have taken in the past few years.

Continuing along as a public company is a perfectly good option, too. They are still one of the better performing pure play cybersecurity companies since they've been public. The path ahead isn't easy, but it's certainly possible.

Unlikely, but interesting to think about

In probabilistic terms, I think this acquisition is unlikely (but still possible — and even less possible with CyberArk on the table).

Even before hearing the CyberArk report, I didn't expect this acquisition would happen.

It's hard to rationalize the overlap between SentinelOne and the product portfolio Palo Alto Networks already has.

While the price is digestible for Palo Alto Networks, overlapping portfolios and integration complexity make the overall value thesis challenging.

If nothing else, a scenario like this is fascinating to think about.

And now, we get to think about another one — this time with CyberArk. More on that soon.

Acknowledgements

There are too many people to name, but I want to thank all of the commenters who shared their thoughts and opinions on the LinkedIn post I wrote about this acquisition. The discussion sharpened my point of view considerably and helped a ton with this longer-form analysis.

Footnotes

¹There are a handful of CyberArk-related comments sprinkled in for context, but most of this analysis was already written when the potential acquisition was reported. More analysis on that report soon.

²You should literally treat it like the Harvard MBA case studies people do in business school, not a credible news report.

³There are reasons why Nikesh Arora is a highly compensated CEO. Making decisions like these is one of them.

⁴Give or take, depending on factors like growth rates, attrition from the CrowdStrike incident, continued market share decay from the legacy competitors, and more.

⁵There's more to it than adding customers, though. Unlike the QRadar acquisition, most of SentinelOne's SIEM deployments are relatively new. Customers aren't going to scrap their deployments and cut over to XSIAM right away. It's way more likely they will be furious, which means retention could be hard.

Their ~$500M+ (intended) acquisition of Protect AI is nothing short of a declaration to win this emerging market before competitors get their strategy together.

This is going to be one of the headline deals for 2025. Maybe even the entire decade if everything goes right.

A deal like this is comes with a lot of questions and skepticism, though. We only see strategic buyers making $500M+ cybersecurity acquisitions a few times per year. Major cybersecurity markets get created even less frequently.

The Palo Alto Networks-Protect AI deal was an extra special blend of combustible ingredients. A dash of Palo Alto Networks, platformization, AI, and a high revenue multiple is a recipe for uproar in the cybersecurity industry.

A lot of things had to come together across the market for AI/ML Security, Protect AI, Palo Alto Networks, and more over several years to make a transaction like this possible.

Let's talk about everything that made this happen, starting with the wildest early stage market I've ever seen.

AI/ML Security is the definition of an embryonic market

AI/ML Security is a hard market for strategic buyers because there isn't a recognized pattern or product architecture to follow yet. This is still a very embryonic market — or, in Nikesh Arora's words, a "rapidly evolving market."

Financing activity in the market is a pretty good indicator for how messy and embryonic this market really is.

According to Return on Security data, financing for this market more than doubled from 2023 to 2024. Investment activity went from $181.5 million in 2023 to $369.9 million in 2024, a 96% year-over-year growth rate.

A disproportionate amount of the money went to Series A and earlier stage companies — so, basically the definition of an embryonic market.

Protect AI was one of the most well-funded pure AI/ML Security companies, with $108.5 million raised across three rounds. They raised a $60 million Series B in August 2024, which made them one of the most mature (but still relatively early stage) companies in the space.

Here's the thing, though. All of this early stage startup activity means we have terms like AI-SPM, AI Detection and Response, and MLSecOps — but most buyers don't intuitively recognize them yet. They just know they have AI problems and need a way to solve them.

Enter the DeepSeek problem.

AI/ML security got real for people quickly during one fateful week back in late January. The conversation went from, "hey, LLM scaling might be slowing down" to "oh, &@%$, this DeepSeek thing is out of control" in 0.002 seconds.

I can't think of another example where an AI app became so popular so quickly.¹

This meant security teams didn't have much time to act. We basically had to rely on tools and processes that were already implemented. There was no time to put something new in place.

The sudden rise of DeepSeek stress-tested the current state of security controls for AI in every large enterprise. Researchers discovered a few bad vulnerabilities, but (thankfully) no widespread attacks or breaches were reported.

Security for AI/ML was on our radar long before then, of course. In hindsight, DeepSeek was a wake-up call that contributed to some of the market activity we're seeing today.

Securing user inputs directly to DeepSeek (opposed to self-hosted models) is an adjacent problem to what Protect AI's product suite does. It was close enough to get business and security leaders thinking about the power and risks of both self-hosted and first-party models.

Right now, the tailwinds for the AI/ML security market are looking exponentially better than they did during our "LLMs aren't scaling" spell in Q4 2024.

Back then, I would have said we were only going to have three to five third party models that everyone was going to use (OpenAI, Anthropic, etc.). In that scenario, there is basically no need for AI/ML security (for the models themselves, I mean) outside the handful of companies building the models.

After DeepSeek (and other open source models), it seems a lot more likely that companies with enough motivation and resources are going to both host and post-train third-party models. Ambitious companies will even train their own first-party models. We already have some good examples of this in cybersecurity with Google's Sec-Gemeni v1 and Cisco's Foundation-sec-8b.

It sure looks like this trend of open source models, reinforcement learning, post-training, and model proliferation is going to continue. This is a fundamentally different world for security than big tech and AI labs controlling a majority of model development and training.

In this version of the story, security teams have to play an active role in protecting their companies' own models — not just prompts and data coming in and out of other people's models.

Training bespoke models is definitely a first world (read: enterprise and tech company) problem, but the addressable market for first-party models (and, by proxy, securing them) is probably going to be bigger than we thought a few months ago.

Let's hop back in time again and talk about how Protect AI put itself on the map with a highly counter-intuitive strategy.

Protect AI’s rapid platform build

The story of how Protect AI put itself in a position to be acquired by Palo Alto Networks is a case study for the ages in cybersecurity industry history.² There are a bunch of interesting strategic moves that the Protect AI founders made to make the company (and acquisition) of today possible.

Protect AI was one of the OG companies in AI/ML Security, founded way back in 2022 (ha) by a team of AI/ML experts with successful exits in the past.

I know 2022 doesn't seem like very long ago, but remember: ML security wasn't an obvious domain for a startup back in 2022. ChatGPT wasn't released until late November that year, and it took even longer for businesses to start adopting it at scale.³

Securing ML code at the source in Jupyter notebooks with NB Defense was even less obvious. They knew what they were doing.

They swiftly built out their "AI Radar" platform strategy from there. Next was a central console and data layer, followed by static analysis for ML models (Guardian), dynamic testing (Recon), and runtime (Layer).

They used four acquisitions to help build their product suite. This is highly atypical for a less than five-year-old company who raised just over $100 million in total.

Protect AI already did the grubby integration work, which ended up being an appealing option for Palo Alto Networks over doing this post-acquisition.

Protect AI broke all kinds of "conventional" rules to build a platform early...and rapidly. From Jupyter notebook plugin to one of the industry's leading AI/ML security platforms in three years is the definition of moving fast.

It takes two sides to make a deal happen, though. Let's talk about the trajectory of Palo Alto Networks' product strategy for AI and how it led to an acquisition.

The convergence of Palo Alto Networks’ AI strategy and Protect AI

A cynic might argue Palo Alto Networks is a mature company jumping on the AI bandwagon, but history tells a different story.

They acquired an ML-based behavioral analytics company in 2017 (LightCyber) before Nikesh Arora became CEO. This iteratively evolved into the Cortex platform we know today.

ML was embedded into their core NGFW product in 2020 (the PAN-OS 10.0 Nebula release). The rest is history.

They doubled down on AI for security after that. The launch of Cortex XSIAM in February 2022 was the beginning of the AI-powered-everything movement.

But in 2025, why would Palo Alto Networks spend half a billion or more on a company in the AI/ML Security market instead of building their own solution or piecing together a few smaller acquisitions?

They could have done either, but it would have cost them time to market. Here's an abbreviated explanation from Nikesh Arora shortly after the acquisition was announced:

What I’m most excited about is making sure that we get this AI thing right…there’s a whole new series of security challenges…I’m really excited that we’re taking a very assertive and aggressive view.

In this assertive and aggressive view, it makes a lot more sense to accelerate the roadmap and get to market faster.

Palo Alto Networks had the beginnings of AI/ML security products, but there still wasn't a ton of product overlap. So, they went for a platform instead of buying piecemeal.

Prisma AIRS is their platform of the future. They wasted no time telling the world about it after the acquisition was announced.

Give them credit for having the conviction to buy an early stage platform instead of trying to do multiple acquisitions and stitch all of this together at a cost of months or years on the roadmap.⁴

Was this the right strategic decision, though? Let's talk about a few of the counterarguments and risks I've seen since the deal was announced.

Demand, competition, moats, and more

Tom Le, the CISO at Mattel, wrote an incredibly thoughtful counter to my LinkedIn post about the transaction. I had to include and expand upon it in the full article.

The summary version of the counterargument is that Palo Alto Networks is throwing market cap (or cash — terms weren't officially disclosed) to buy an AI model protection capability with questionable demand, intense competition, a limited moat, and a risk of being subsumed into existing platforms.

How's that for a counterargument?! Valid points, for sure — and worth discussing in detail here.

Will customers buy the product, or does it have to be bundled for free?

Palo Alto Networks obviously wants to monetize the product and is betting on that happening eventually. They've shown willingness to be both patient and creative with emerging markets, which is going to be the case here.

A similar situation happened with Talon and the secure enterprise browser market. Palo Alto Networks was roundly criticized for paying $700-million-plus to acquire a promising but early stage startup in a promising but embryonic market.

They started out by giving the product away for free to existing customers. Now, it's generating a fair (and growing) amount of revenue — $30 million in total bookings as of their fiscal Q2'25 earnings report.

I'd expect a similar playbook here. They may not proactively give the product away. It could be bundled on a case-by-case basis depending on the customer and circumstances. Either way, there will be an incubation period while the product gets integrated and market demand becomes more established and predictable.

How are they going to compete with 25+ other AI startups?

If you were at RSAC, you probably saw an expo hall lined with companies selling AI guardrail/model/firewall/injection protection. As we discussed earlier, an embryonic market means a highly competitive market with everyone trying to gain traction.

This is another instance of the platformization debate. Sure, there are 25+ startups that can do flavors of AI/ML security — just like many other markets in cybersecurity.

The question becomes if you want to manage another vendor relationship...or just push the easy button and buy the AI security module from Palo Alto Networks. The answer is even easier if you're already a customer, and easier still if they're willing to let you try it for free.

I'm not saying this is the best option for every organization, nor that the however-many-other AI/ML Security startups are hosed.

A relatively complete product suite from an established company is a big deal for a lot of buyers, though — especially large enterprises who want to make this problem go away and would rather not deal with startups in the process.

Does model protection have a low barrier to entry?

This could be the case. It's hard to answer definitively without seeing the underlying economics for a bunch of private companies building in this space.

Anecdotally, the financing data says otherwise — but it's obviously questionable to conclude large amounts of capital invested mean AI/ML security is expensive to build.

Meta released several AI/ML security tools the same week the Protect AI acquisition was announced. The tools aren't a one-for-one match with everything Protect AI does, but still impressive.

You might be able to conclude tech company building and open sourcing a bunch of AI tools as a hobby means model protection isn't difficult or expensive — but this side of the case is anecdotal, too. Meta built Llama, an entire frontier model, and open sourced it. Time and money have different laws of gravity in big tech.

Regardless, we've seen this movie before. Every major cybersecurity product category has respectable free, low cost, and/or open source alternatives. Companies still pay for products. Sometimes top dollar.

A lot of factors go into making moats and creating barriers for market entry. Technical difficulty and cost are two of them. Palo Alto Networks has distribution, brand equity, and several other factors that are equally hard (or harder) to replicate.

Are licensing, fair use, and IP infringement the more complex challenge for AI?

They definitely could be. Matthew Prince at Cloudflare has talked about this exact topic on at least two recent earnings calls. From their Q4'24 report:

Cloudflare counts many of the most important AI companies as customers. We also count a huge portion of the world's content creators as our users. Being between those two puts us in an important role to help figure out the business model of the post-search web. Cloudflare sits in a unique position to help figure out how content creators are compensated, what agents are allowed where, and on what terms, and how the AI-driven web of the future will fit together. It's early days, but the conversations we're having with all the relevant parties feel foundational for the future. Watch this space, definitely exciting times.

I think he's right, at least for the open web. Internal and proprietary data is a slightly different story.

One of the biggest reasons (and advantages) sophisticated companies are going to have with using first-party models is access to their own data.

If you've worked in or around an enterprise, you know a lot of the data is trash, and too many people have access to it. But, presumably, at least some of it is highly advantageous for AI.

The fundamental difference between the Matthew Prince view of the world and enterprises is this: they own their data, dumpster fire and all.

Protecting their data and the first-party models that consume it is priority number one. Their general counsel obviously doesn't want them getting into legal issues either, but that's more about managing risk.

Cybersecurity companies like Palo Alto Networks don't care about content on the open web in the same way Cloudflare does. Their enterprise customers come first, which means helping them secure their AI/ML stack top to bottom.

Will third-party AI platforms build all this protection in natively?

They could, but they have plenty of other high priority problems to solve.

Fragmentation of models, constant one-upping on benchmarks, and...oh, protecting against severe harm are going to keep them busy enough to let the cybersecurity companies deal with the cybersecurity problems.

Companies do build security and privacy features into platforms, of course. GitHub and GitLab building things like vulnerability scans, secrets management, and more into code repositories is a recent example.

The many other cases where native security didn't happen seem like better precedent here, though.

Cloud infrastructure is the closest one I can think of in terms of magnitude. AWS, Microsoft, and Google Cloud all prioritized features and growth over security for years...which, as we just saw, produced a $32 billion company named Wiz.

Even with the relative success GitHub and GitLab have had with native security features, there was still plenty of room left for companies in AppSec, Secrets Management, and more to hit nine figures of revenue.

Uncertainty is part of the deal when you're making strategic decisions in early stage markets. As a wise cybersecurity CEO (not named Nikesh Arora) once told me, “we’re all just making bets about the future.”

Palo Alto Networks made its bet. Let's talk about what comes next for the company and the rest of the industry.

Palo Alto Networks made its move — where do we go from here?

Palo Alto Networks acquiring Protect AI puts significant pressure on their relative peer group and other market-specific competitors to respond with moves of their own.

This doesn't necessarily mean everyone is going to make similarly sized acquisitions. There is more than one way to put together a product portfolio, of course.

What changed was the timing. After the deal closes, Palo Alto Networks will have put together the most complete AI/ML Security product portfolio outside of Cisco and Robust Intelligence.

This is likely going to mark the beginning of an AI security consolidation rush. Palo Alto Networks has spoken and made their move. The clock was already ticking for everyone else, but the window to deliver just got cut in half.⁵

As for Palo Alto Networks, I expect history is going to look back on this deal as another good one by the current leadership team. They made a reasonable bet on a complimentary market with high upside while it was still relatively early.

It's not over, though. Palo Alto Networks still has to keep innovating and building on top of Protect AI — but they have demonstrated a reasonably good track record at integrating past acquisitions.

Palo Alto Networks did everything they could within their control, which is to accelerate delivery of their AI security product suite and give customers a concrete option if they want to buy into a platform.

The strategic bet behind Palo Alto Networks' platformization strategy is that the sum of the parts is better than others can offer as standalone products.

For Palo Alto Networks, this now becomes a market question: how big will the market for AI/ML Security get in the long term?

They don't have to completely and utterly dominate the AI security market for this to be a good deal.

Anything under a $1 billion acquisition price is a reasonable bet (and breakeven point) for Palo Alto Networks — especially in a market with this much upside.

Footnotes

¹I know it's fundamentally a model – I'm referring to their hosted web and mobile apps.

²This is the short, strategy-focused version. Ed Sim and the boldstart team have you covered on the full timeline.

³It's still debatable whether businesses have adopted it at scale or not yet. "Scale" is such a relative term in AI that you could easily argue we're not even close to scale today, and you'd probably be right.

⁴Also, credit to their early investors for investing in AI/ML security super early. The thesis for this market isn't totally clear even today. It definitely wasn't back in 2022 when boldstart and Acrew Capital cut the first checks for Protect AI's seed round. Evolution Equity Partners led both the A and B rounds, and everyone kept doubling down well before an outcome like this was obvious.

⁵Waiting for the market to develop or sitting it out entirely are viable strategic options, although I doubt many peers will intentionally choose to sit on the sidelines.

Tough one?!

What about FS-ISAC?

FIDO Alliance?

Let's Encrypt?

Maybe you got some of them. Questions like these are tough ones for regular civilians like me, though.

The whole funding situation with MITRE and the National Vulnerability Database (NVD) made me realize my understanding of the dependencies between federally-funded organizations is lacking.

If you've worked in cybersecurity for a while, your knowledge was probably something like mine before I did the research for this article. I knew about most of the headline organizations, have used many of their frameworks and tools, and generally suspected taxpayer dollars provided some or all of the funding.

What I didn't know turns out to be important: who and where the money comes from.

This is exactly the challenge with the current administration in the United States and its quest for government efficiency.

For the first 20 years of my career, it was fine for me to think this government-backed cybersecurity stuff just works.

I've got news for you: it does not 'just work'. There's a lot of effort, coordination, and money that makes it all go.

Many of the institutions and resources we know and love rely upon layers and layers of complex government mandates, legislation, executive orders, and (importantly) — federal funding.¹

After seeing what happened with the NVD, it sure looks like some of these things could disappear at any minute without much warning.

I want to have an opinion. Humbly, I realized the first step towards having an opinion was understanding all of this better.

This article is literally the (polished) output of the work I've been doing over the past week or so to understand the structure and intricacies of the federally funded cybersecurity, privacy, and trust ecosystem.²

Admittedly, we're crossing over from pure cybersecurity into some broader privacy, trust and safety, ICS/IoT, AI safety, and national security topics. I still think it's important to reference all of them in this context to try and paint a picture of what's relevant for people in the mainline cybersecurity industry.

This is obviously a U.S. centric view of things. That alone was a lot to bite off for this research. I'm sure other countries have similar scenarios, although this research now makes me wonder if the complexity is uniquely American.

Let me start by telling you why I care about this topic in the first place.

I'm a product of federally funded research

My first real security job was at a public policy research department in college. Some of their grants were state funded, and some were federally funded.

It wasn't a large department, especially compared to the size of some organizations we're going to discuss in this article. We had seven or low eight figures of research funding in any given academic year.

During my senior year of college, I was a research team member for a $16.5 million federal project to explore road use taxes in the United States. The project was a massive experiment in both taxation and user privacy for thousands of field study participants.

This project was a little different than the cybersecurity-specific ones we're going to be talking about in this article. I still think it's relevant because it gave me a taste of how federally funded research works.

Since then, I've assessed companies against NIST standards, audited based on PCAOB standards, implemented passkeys, and (this month!) used MITRE ATT&CK and D3FEND on a product strategy project for a consulting client.

I use the outputs of federally funded research a lot, and sometimes even without realizing it.

My first reaction to the NVD situation was, "oh $#@%, a lot more of this stuff could be going away."

Once you have that realization, a lot of important questions start coming up:

• What type of organization is MITRE in the first place?
• Where does its money come from?
• Which other organizations are like MITRE?
• Which institutions and research is the federal government funding in the first place?

And so on.

I had a partial understanding, but definitely not enough to know the ramifications if some or all of the federally backed institutions and research start disappearing.

The strategic part of this situation has very little to do with whether you politically agree or disagree with government efficiency. It's okay to voice an opinion, but that's not enough. The savvy thing to do is prepare for the worst.

The first step is knowing the blast radius, so to speak. This means mapping out the whole federally funded ecosystem of cybersecurity, privacy, and trust.³

Spoiler alert: there is a whole lot more to the ecosystem than I realized.

A high-level view of the federally funded ecosystem

Before we get into the individual entity types, examples, and what they do, I think it's helpful to see everything at once. I'm giving you the punch line before we dive off the deep end.

This is the top-down view of how power, authority, and funding for cybersecurity, privacy, and trust flows through the U.S. federal government:

Yeah, I know. There's a lot more going on here than I was aware of before putting it all in a single visual.

The important takeaway is that there is a trickle down effect for both money and authority.

Proper departments are the "parent" organizations. There are only 15 of them. Departments have policymaking, budgetary, and executive oversight authority. They receive the money and hand it out to downstream entities for execution.

Federal agencies are the operational arms that perform a particular mission or function. They can either be part of a department or operate independently. This is usually where the actual work happens, or at least gets mobilized.

Things get a lot more complicated from there. Agencies give funding to several other different entity types. Sometimes the funding is sole-sourced, and sometimes it's competitive. Sometimes it's another formal government entity, and sometimes it's not.

The dependencies and nuances keep going.

This is where the controversy starts to come in. It's a question of whether and to what extent the federal government has the authority to use and distribute funds. By extension, this brings up questions about the scope of the federal government's mission.

A core thesis of the current administration's stance on government spending is questioning whether the federal government has the authority to finance activities through administrative power instead of pure legislation.

The answer to this question sways the landscape dramatically.

Why?

A whole lot of administrative power has been used for decades to make all of this happen.

And what administrative power gives, administrative power can take away.

The A to Z of federally funded entities

This is the part where we go down the rabbit hole. It's a deep, dark, and treacherous one. You should still read it, but consider yourself warned.

We need to start at the top with a little bit more detail about federal government departments and agencies, then work our way down through the other types of federally funded entities.

Federal Government Departments

As we said earlier, federal government departments receive the money and hand it out to downstream entities for execution. Here's the surprising part: most of them are involved in funding cybersecurity, privacy, and trust institutions and research.

There are only 15 federal government departments in the United States. Eleven of them control or allocate a material portion of funding for various cybersecurity, privacy and trust activities:

As if 11 wasn't enough, two other closely related entities get honorable mention:

• Executive Office of the President (EOP): Controls major funding and policy decisions via OMB, ONCD (cyber director), and OSTP.
• Department of the Treasury / IRS: Funds trust infrastructure for identity verification and anti-fraud.

The only four departments who don't provide direct funding are the Department of the Interior (DOI), Department of Agriculture (USDA), Department of Housing and Urban Development (HUD), and the Department of Labor (DOL).

Now that we know who hands out the money, let's start talking about who does the work.

Federal Government Agencies

Agencies make everything go, regardless of whether they are part of a department or operate independently. These agencies are where the real execution happens.

There are a lot of them:

This list includes a bunch of names you've heard of (CISA, NIST, NSA, and more), plus some you haven't.

The outputs of our federal government agencies are vast. They are the driving force behind most of the activity we're going to discuss in the rest of the article. Most importantly, they are in control of funding and power.

Operators of Federally Funded Research and Development Centers (FFRDCs)

Technically speaking, MITRE is a 501(c)(3) nonprofit. This is a charitable nonprofit, the most common type of nonprofit organization in the United States.

The similarities end here.

MITRE is the operator and manager for several FFRDCs across multiple government sponsors. It exists solely to serve the federal government. It's barred from competing with commercial firms or lobbying.

Think of MITRE like a general contractor who is exclusively licensed by the government to manage certain federal research centers, but the research centers themselves are the FFRDCs.

Seems rare? Sure is.

There are very few organizations like MITRE. Only a handful of nonprofits exist to operate FFRDCs. Here are other cybersecurity-related nonprofits in the same category:

The outputs of the FFRDC operators are tricky to understand, mainly because they're so closely associated with the actual FFRDCs they operate. Their role is to, well — operate FFRDCs, which is where the actual outputs come from.

Federally Funded Research and Development Centers (FFRDCs)

Okay, it's cool that we know who operates the FFRDCs — but what are FFRDCs in the first place?

They are private-sector entities who have long-term relationships with the federal government for special R&D needs. There aren't very many FFRDCs — only 42 active ones today, and an all-time high of 74 back in 1969.

FFRDCs technically operate autonomously from both the federal government and their sponsoring organizations. They're deeply embedded and fully reliant on funding though, so it's debatable how autonomous they actually are.

It's essentially a captive relationship with the government because FFRDCs run on federal funding and aren't allowed to compete or market products and services externally.

This may sound tricky, but it's a pretty sweet deal because most of their projects and funding are sole-sourced from the government without a competitive bidding process.

In theory, FFRDCs do specialized R&D work that can't be done by the government or commercial organizations. This assumption is part of what's being questioned by the current administration: "Are you sure this can't be done by a private company?"

As it stands today, these are the FFRDCs who are closely related to cybersecurity, privacy, and trust:

They produce a lot — way too much to name here. A few examples you've heard of are the NIST special publications, the CERT Coordination Center (CERT/CC), MITRE ATT@CK and D3FEND, and (as we now know) managing the NVD.

University-Affiliated Research Centers (UARCs)

UARCs share some similarities with FFRDCs, but they're Department of Defense-flavored research centers. Unsurprisingly, they're focused on national security and defense, which sometimes crosses over into cybersecurity.

Like FFRDCs, they have long-term contracts and focus areas, but they are specifically tied to a university. Unlike FFRDCs, they get to bid for projects and grants from other agencies.

There are under 20 total UARCs. The cybersecurity-related ones are:

The outputs of UARCs are important but harder to spot. Penn State's Applied Research Lab worked on some heavy infrastructure around secure underwater communication for the Navy. Other UARCs may perform specialized research that gets factored into NIST and or other cybersecurity standards.

Federally Supported Nonprofits

Federally supported nonprofits are the more traditional organizations (typically 501(c)(3) charities or institutes) that partner with the government. Even though they're the same nonprofit entity type as FFRDC operators like MITRE, these nonprofits are not directly operating FFRDCs.

They rely heavily on federal support (grants, cooperative agreements, or designated roles) to execute cybersecurity, privacy, or digital trust missions. They are NGOs with their own governance and aren't tied to one agency.

Their work is more project-based and non-recurring, which means they have to clearly demonstrate value and seek renewal or new grants continuously.

There are a lot of federally supported non-profits, including several well-known ones. Here are a few highlights:

Many of the outputs of federally supported nonprofits are highly visible. One of the most well-known ones is CIS's Critical Security Controls. The National Cybersecurity Alliance also does work on privacy awareness and consumer education on behalf of the Federal Trade Commission (FTC).

Public-Private Collaboratives

This is where we start moving away from formal government structures. It's also where the private sector starts coming in.

Public-private collaboratives are exactly what they sound like — partnerships between the government and the private sector to work together on joint cybersecurity, privacy, and trust initiatives.

It's a shared governance model, and both parties contribute time and money. Participation is voluntary. No captive relationships here, at least not directly.

Practically, this means things like information sharing, advisory committees, task forces, joint development of frameworks, coordinated incident response, and co-investment in R&D. A few examples:

The NIST Cybersecurity Framework (CSF) is probably the most widely used and well known output from public-private collaboratives. The federal government covered most of the cost, and the private sector contributed time and expertise.

The DHS/CISA Cybersecurity Advisory Committee and Cyber Safety Review Board (CSRB) highlighted in the table were two other well-known examples. They were swiftly disbanded in January 2025.

It seems reasonable to expect that anything created by an executive order from Joe Biden is going to be put to an end. We have two examples already. There are probably more coming.

Information Sharing and Analysis Centers (ISACs) and ISAOs

ISACs and ISAOs are special-purpose collaboratives for information sharing and analysis. ISACs are industry/sector-specific, and ISAOs are more general. Bill Clinton signed off on starting these back in 1998, and they're still going strong today.

Most are still nonprofit entities, but they're funded by member companies. The government just supports them, provides some coordination, and supplies warnings and intel (like new malware campaigns the FBI discovers). They're not doing much research, just sharing relevant information.

Financial Services ISAC (FS-ISAC) is the one I've heard about the most, and there are several others:

The main output of ISACs and ISAOs is information sharing, but they also produce some targeted reports that inform regulators and policymakers.

This is the ideal model (or at least an acceptable one) from the perspective of the current administration. It also seems like a model that could happen without government involvement if needed.

Research Nonprofit Grantees and Independent R&D Organizations

...colloquially known as think tanks, independent labs, open-source projects, and university centers. These entities exist on their own but receive periodic, project-based funding from the federal government.

Their missions and objectives vary. The spectrum spans all the way from deep technical research to policy research and building community research.

Several of the organizations who fit into this category are well-known, especially the open source projects and technical standards organizations:

The DOT study I worked on in college (and mentioned at the beginning of the article) loosely fits into this bucket. It was primarily a study in road use taxation, but the research involved a study of the privacy implications resulting from the proposed methods. In this case, the output was a policy recommendation.

You've definitely heard of the FIDO Alliance, or at least an output they helped bring into reality: passkeys. Let's Encrypt is another downstream beneficiary who basically brought TLS to the masses.

National Academies Committees and Boards

The National Academies of Science, Engineering, and Medicine (MASEM) bring together their own independent expert committees to study specific issues on behalf of Congress or federal agencies.

They can exist as either an ad hoc group for a specific study, or as standing boards/forums around specific topics. Members are independent experts from academia, industry, and former government officials. Their role is purely advisory.

A few examples of cybersecurity-related committees are:

Their main outputs are studies and reports. Rigor, objectivity, and consensus are the name of the game here. They've written on all kinds of topics, including: encryption, cybercrime classification and measurement, cyber resilience, and more.

Emerging Federally Funded Initiatives

There's a lot going on in AI safety, identity, quantum security, and more that doesn't cleanly fit into the buckets we've already discussed. So, we're just going to broadly call these "emerging federally funded initiatives" until they find a home or get cut.

This group is a bit fuzzy, but here are a few examples:

The outputs here vary, but are generally similar to some of the other entity types above: research, reports, and advice for the federal government and the general public.

What isn't federally funded

Unpacking the laundry list of federally funded organizations may have left you wondering what else is out there and whether it's affected or not. Good for you if you were thinking this far ahead. It's totally reasonable.

The good news is that many of the important organizations in and around our industry are privately funded.

Obviously, public and private cybersecurity companies are neither owned nor funded by the government. Many of our public companies have relatively large federal businesses, though. This has been cause for concern on earnings reports since the election, but it's a different topic than we're talking about here.

A more comprehensive list of non-federally funded organizations is probably a social media post or article of its own. I wanted to include a few highlights just to take a few big names off the board of potential cuts:

Some of these may seem obvious, and some may not. The outputs of these organizations vary quite a bit, but the part they have in common is immaterial or no reliance at all on federal funding.

Like it or not, this is probably the model going forward. Knowing which organizations are already self-supported is a decent starting point to prove it can be done.

All of this isn't going away, but any of it could

NVD was not an isolated incident. Near-misses and actual cuts are going to keep happening.

And remember — the situation with NVD isn't even fixed. They just kicked the can down the road by 11 months.

The message was loud and clear, though: "You have 11 months to fix this before we cut off funding for good."

NVD was a wakeup call, but I don't think the sky is falling. DOGE is not going to use this article as a punch list of items for the chopping block.⁴

Several parts are legitimately essential, especially when they're directly supporting national security.

Many of the flagship programs are multiyear appropriations with advance procurement authority. They're harder to cancel, but as we're seeing, anything is possible.

Our federally funded cybersecurity institutions, research, and projects are not all going to get cut.

Some of them definitely will, though.

"Cut" is a relative term, too. The impact of a cut varies based on the situation.

One-off work that's already completed will still be available. We just won't get more of it. If MITRE ATT@CK and D3FEND eventually get cut, the frameworks are still there — but it's on us to keep working on them.

Ongoing things will just stop working until someone else maintains them. When funding for the NVD gets cut, the federal government isn't going to up and delete the database. They're just going to stop paying for the updates.

Some things seem like they could be just fine on their own. The ISACs are one good example. So is anything else that's mostly self-funded and self-organized.

A few things will disappear. The DHS/CISA Cybersecurity Advisory Committee and Cyber Safety Review Board (CSRB) committees that were already cut are just gone. They can always be reconvened, of course — but in the meantime, nothing is happening.

The real challenge is going to be the randomness. Much like tariffs, we aren't going to know what is happening or when. We're just going to get sudden announcements like the one MITRE inexplicably put out a day before their funding for CVE was supposed to end.

Acting as though something is going away tomorrow is paranoid, but coming up with a backup plan starting tomorrow is a good idea if it's mission-critical.

This situation is an opportunity, too. A lot of this federally funded stuff just works, but not all that well. I was surprised with how many Centers-For-This and Institutes-For-That existed.

There wasn't overwhelming consensus from the security community on the current state of NVD, either. Several people pointed out the questionable timing of the announcement and systemic issues with the program itself. The current system works, but there's room for improvement.

Good or bad, we're in for a turbulent year-plus. Or four. Or longer. Sacred cows will be sacrificed. There is going to be a lot of near-term pain.

I'm still hopeful we can make some good out of this.

There probably are ways our government-backed cybersecurity apparatus could run more efficiently. It very well could be holding the bag for some things the government shouldn't need to be responsible for.

It's a lot to ask of the private sector to take on work the government has operated and/or funded for years. Dismantling decades of work this quickly comes with a ton of risk.

I do know this: the resourcefulness and resilience of Americans (miraculously) never fails.

Footnotes

¹I thought James Berthoty's "I'm just a vuln" diagram was well done and exceptionally timely. You could roughly think of this research as a commercial, macro-level derivative where we try and explain the organizational structure and financial dependencies for cybersecurity related federal funding.

²I am definitely not the end-all-be-all expert here, though. Please fact check anything you're relying on and send me edits if you find anything wrong.

³This research is only about federal funding. State and Local Government funding is out of scope. So is federal spending — that is, departments and agencies buying cybersecurity products and services (which they do a lot of, too). This was a big topic on the last round of earnings calls, but it's orthogonal to this discussion.

⁴Probably not. Stranger things have happened, though.

Maybe all of tech.

Yesterday was an industry-defining day. You'll remember where you were and what you were doing the day you found out Alphabet acquired Wiz.¹

It was the day cybersecurity's future veered in a radically different direction.

As Alphabet's founders famously said in a shareholder letter 21 years ago, "Google is not a conventional company. We do not intend to become one."

It takes one to know one.

Wiz is anything but a conventional cybersecurity company — which, ironically, led Alphabet to make the most unconventional acquisition in its history.

Just like that, the spectacular rise of Wiz as an independent company appears to be over. It's changing course and continuing the ride aboard a blue, red, yellow, and green-colored rocketship.

And I have so many questions about what all of this means.

Let's start by talking about how massive this deal was in economic terms, then work our way through the strategic and competitive impact.²

Just how big of a deal was this, really?

Short answer: one of the largest deals in history across almost any measure.

This deal is basically in a class of its own — definitely in cybersecurity, and arguably across all of tech.

Alphabet is buying Wiz for one of the highest (disclosed) revenue multiples in the history of large cybersecurity M&A.

Wiz falls somewhere between a 45-65x revenue multiple based on current estimates. Their most recent public disclosure was $500 million of ARR. Sources said their current ARR is closer to $700 million. They were reportedly on track for $1 billion later this year.

This is how Wiz's multiple compares to a selection of other high-profile deals in cybersecurity:

There's only one other cybersecurity-related transaction with a relatively similar profile: Okta's acquisition of Auth0 in 2021.

I say relatively similar because Wiz's ARR is much higher than Auth0 had at the time of acquisition, among other reasons. The Okta-Auth0 deal had a 42.7x revenue multiple, which is easily the highest among large ($2.5B+) cybersecurity acquisitions that have actually closed.

But Auth0's revenue was much smaller when they were acquired. Okta was also a much smaller acquirer. They're a big company, but nowhere near the scale of Alphabet.

The story doesn't end there, though.

Alphabet's proposed acquisition price for Wiz had among the highest dollar values and revenue multiples we've ever seen in the entire software industry.

Here's a look at the most relevant comps for software M&A³:

WhatsApp is the undisputed champion of the world for billion-dollar-plus M&A revenue multiples. Meta (then Facebook) paid $17.2 billion for ~$30 million of revenue (according to PitchBook, reportedly lower in other sources). That's a ~573x revenue multiple!

It's a consumer app with a completely different business model, though. I only included this example to show how high the ceiling can go with a motivated strategic buyer.

The Adobe-Figma deal (RIP) is a more accurate comp (even though it didn't close) because it has a similar size and narrative to Alphabet-Wiz. Mainly: it costs a lot of money to buy a market-leading growth company in its prime. A 50x multiple in the case of Figma. Wiz is right around the valuation Adobe was willing to pay for Figma.

The rest of this chart looks like a hall of fame for software industry M&A — large B2B acquisitions that mostly turned out well.

Microsoft-GitHub is a good example because revenue was relatively similar at the time of purchase. GitHub is now a $1B+ business unit for Microsoft.

SAP-Qualtrics also had similar revenue scale. The acquisition didn't last, but it was still a fairly good outcome. Qualtrics was spun off as a public company and later taken private again for $12.5B.

Alphabet is paying a lot for Wiz, but deals like this aren't completely unheard of. Buying one of the top startups in cybersecurity is expensive, and paying top dollar is what it takes to make a deal like this happen.

Why is Wiz worth so much to Alphabet?

To answer why Wiz is worth $32 billion to Alphabet, we need to look at a trillion-dollar question⁴: What will it take to win the public cloud infrastructure market?

This is the problem at hand for Alphabet and Google Cloud today:

They're the number three cloud provider by market share, hovering around 10% for years at a $48 billion annual run rate. AWS is over double the size of Google Cloud. You know Alphabet doesn't like losing to Microsoft, either.

Wiz is a big part of Alphabet's answer for how they're going to beat AWS and Microsoft. Not the only part, but a big one.

This was a deeply calculated move.

Alphabet didn’t rush out to acquire a competitor. They clearly wanted Wiz.

Sure, there are other cloud security products in the market — including some built by private companies who, on the surface, would have been logical and cheaper acquisition targets.

But there really is no substitute for Wiz.

Buying Wiz is about more than just a cloud security product. It’s a brand. A mystique. A promise. A chance to reinvent Google Cloud and transform it into the cloud infrastructure market leader.

Wiz is the combined cybersecurity and cloud infrastructure market aspirations of Alphabet, all rolled into a bright and shiny $32 billion package.

You have to look way beyond Alphabet's cybersecurity acquisitions to get a true appreciation for the magnitude and strategic importance of Wiz.

Alphabet has done big deals before, with eight other acquisitions over $1 billion. The list includes one other cybersecurity company with their $5.3 billion purchase of Mandiant in 2022:

Cybersecurity is such a big priority for Alphabet that the acquisition price for Wiz is more than $3 billion more than their eight other largest acquisitions combined.

Alphabet acquired Motorola Mobility for $9.6 billion in 2011, which was a high stakes move to solidify their lead in the smartphone market and add in-house hardware manufacturing capabilities. Devices are a huge priority, and the acquisition price for Wiz is $22.4 billion (or 3.3x) higher than Alphabet paid for Motorola Mobility.

Sundar Pichai called Alphabet's shot on investing in cybersecurity years ago. Here's one example from a 2021 earnings call:

"[Cybersecurity] is definitely an area where we are seeing a lot of conversations, a lot of interest. It's our strongest product portfolio, and we are continuing to enhance our solutions...a definite source of strength, and you'll continue to see us invest here."

It's one thing to say cybersecurity is strategic. It's another to back it up with over $40 billion in cybersecurity-related acquisitions and billions more in R&D.

Alphabet has been steadily building their cybersecurity portfolio ever since, both organically and inorganically.

It's a classic Jim Collins "bullets and cannonballs" concept. Fire bullets to figure out what will work. Once you have validation, fire a cannonball (a big bet):

Alphabet has been firing bullets in cybersecurity for a few years now. They have some empirical validation with Chronicle and Mandiant. Wiz is the cannonball.

An expensive cannonball, no doubt — but well-calibrated cannonballs are the way big companies get outsized results.

The results depend on exactly how well calibrated the cannonball is.

The base case is Alphabet building a strong, relatively standalone cybersecurity business within Google Cloud. They already have a promising security operations business. Adding Wiz is rocket fuel. The base case alone could make Alphabet's cybersecurity investments look brilliant.

The bull case is Alphabet's cybersecurity business driving meaningful market adoption of Google Cloud. It's the answer to the trillion-dollar question. It's Wiz's ticket to ride.

In a trillion-dollar cloud infrastructure game, Alphabet is willing to buy a cybersecurity market leader while it's still private no matter what it costs.

Alphabet simply wasn't willing to take "no" for an answer. Not for the company they so clearly wanted.

Tuck-in acquisitions alone weren't going to get the job done. Audacious moves are part of the territory, and that’s exactly what we saw happen here.

The full answer to the trillion-dollar question is a complex, multi-part strategy, of course — but becoming the cybersecurity leader among public cloud infrastructure providers is one of the best shots Alphabet has at winning the market.⁵

Why did Wiz decide to sell this time?

As they say, everyone has a number. I'm sure their reasoning is a lot more nuanced, but price is one of the main factors that changed between last July and today.

$23 billion is a lot to begin with, but $9 billion more is a big deal. Wiz sold for 39.1% higher just by waiting this out for nine months.

Marc Andreessen was still probably pounding the table yelling at the founders not to sell (like he famously and successfully did to Mark Zuckerberg at Facebook), but the reality is this was too much money for Wiz and its other investors to turn down. He'll get over it once the wire hits a16z's bank account.

Another major factor that changed was CrowdStrike. The Wall Street Journal reported Alphabet's offer to buy Wiz on July 14, 2024 — the beginning of a fateful week in cybersecurity industry history.

CrowdStrike caused a massive IT outage five days later. Wiz declined Alphabet's offer shortly after, partly due to the opportunity presented by CrowdStrike's uncertain future during a time where their situation looked dire.

Nine months later, CrowdStrike has ostensibly put the incident behind them. They look stronger than ever as a company with no meaningful decline in financial performance from the incident.

That's not to say Wiz isn't competitive against CrowdStrike in cloud security — just that the path to victory looks a lot better without CrowdStrike.

The third major factor is the state of public markets and the IPO window. The good news is that we have an IPO window in the first place. SailPoint went public already. Wiz was at the top of the list of remaining candidates in the pipeline.

The bad news is markets have been unstable so far in 2025. The S&P 500 is down 8.6% in the past month. Ironically, the market is almost exactly where it was when this whole saga started in July 2024.

Wiz almost certainly would have been the largest cybersecurity IPO in history...but could they have topped a $32 billion valuation? I don't think so, at least not right away.

They still had the option to keep going and wait things out — but again, everyone has a number. I don't blame them for taking $32 billion to the bank now over a much longer and less certain path to...someday, maybe...topping $32 billion the hard way.

I called this cybersecurity's "Zuckerberg moment" the first time around. As it turns out, it was more like cybersecurity's Instagram moment instead — a high-profile exit with a reasonable chance at a "better together" story.

Is this acquisition going to get past regulatory approval?

Yes, I think it will. Other than CrowdStrike, a hostile regulatory environment for M&A was the other reason the Alphabet-Wiz deal fell apart the first time around.

There are still questions about the new administration's stance on M&A with the HP-Juniper acquisition being held up, but this one looks a lot different.

It’s easier to make a monopoly argument in an old-ish industry segment like secure networking and a transaction oriented around market share between large, established players.

I don’t know how a regulator could argue against there being intense competition in the cloud security market, even with Alphabet owning Wiz.

Regulatory approval certainly isn't a slam dunk. It's going to face intense scrutiny, lobbying by competitors, and probably delays. But the probable outcome is a close sometime in 2025 or early 2026.

What does this mean for Alphabet and Wiz going forward?

This could be a whole article in itself, so I'm going to focus on two things: corporate strategy and retention.

Alphabet buying Wiz means they are pot committed to seeing their cybersecurity strategy through. As wild as it sounds, that wasn't the case before acquiring Wiz. Not even after spending $4.5 billion on Mandiant.

Mandiant is a rounding error for a company like Alphabet. They can afford Wiz, but you can bet they're going to put their full resources behind making this acquisition successful once it closes.

Perhaps ironically, I suspect this means more acquisitions. Who, what, and when are a separate discussion — I'm just saying they have now proven they're willing to do whatever it takes to be a major cybersecurity player now.

Retention of Wiz's amazingly talented team is a central pillar of this strategy actually working in practice. Wiz is Wiz because they have one of the best teams ever assembled across every aspect of their business — product, engineering, GTM, you name it. The longer they can keep Wiz's execution functioning at a high level, the better this deal is going to look.

...but they're probably going to have a hard time retaining the team. Founders and key employees are easy enough — they have lockup periods, earnouts, and other incentives in deals like this. Alphabet kept the Mandiant team as long as they could, but it's been slowly trickling away across all levels.

Wiz is going to end up being one of cybersecurity's biggest and best mafias. We're probably going to see multiple successful companies founded by Wiz alumni in the next five years, and multiple more funded by the wealth this exit just created.

Builders gonna build, and there is only so much Alphabet can do about that.

What does this mean for customers?

Let me tell you what it doesn't mean: mass defection of Wiz's existing customers to competitors.

We've seen different versions of this movie before — some major event happens, FUD takes over, and lots of people speculate about mass defection of customers and the end of times for the company.

That's not going to happen, especially if Alphabet plays its cards right and successfully positions Wiz as a standalone, multi-cloud security product.

Are some customers going to have concerns about Wiz being owned by Google Cloud and churn out? Of course. Those are edge cases, not a majority.

Just because there are grumblings and paranoia about the nefarious things Alphabet might do with Wiz doesn't mean customers are going to pick up and leave. Imagine going to your CFO (after already pounding the table to buy Wiz) and saying you want a new cloud security product now because of...reasons.

Get out of my office.

The base reality for enterprises today is a multi-cloud, multi-vendor existence. If they're already using Wiz and love it, which a lot of people do, they're not going anywhere.

Back to the execution and retention points: this changes years later if Wiz can't maintain the pace and quality of execution its pre-acquistion customers expect. We're years away from that. The near-term customer impact is going to be minimal.

What does this mean for competitors?

It's a mixed bag, but Wiz being acquired is more good than bad news for competitors. Especially their pure-play cybersecurity competitors.

Wiz no longer being an independent company eliminates one of the biggest threats (the SWOT definition of threat, that is) for larger cybersecurity competitors like Palo Alto Networks and CrowdStrike. Yes, there was and will continue to be competition at the product level in cloud security. That's fine.

The big competitive win here is Wiz not becoming a large public company and continuing to grow its platform. Wiz is still going keep building its platform, but in a different, Google Cloud-oriented way than it would have as a standalone company.

The gap between the large, multi-domain cybersecurity companies and everyone else looks a whole lot wider without Wiz.

The news isn't quite as good for Google Cloud's competitors in the public cloud infrastructure market.

AWS and Microsoft have to take Google Cloud more seriously. It's not like Alphabet was totally off the radar before they bought Wiz, though. The competition is still going to be intense across multiple fronts — especially in AI, and now in cybersecurity.

But remember, Google Cloud is still sitting at number three. There's a long, arduous journey between announcing a major acquisition like Wiz and becoming the number one cloud provider.

The biggest implication I hope we'll see as an industry is AWS and Microsoft taking their cybersecurity businesses more seriously. I don't expect this will set off a major acquisition spree by either company, but it does raise the competitive bar in a meaningful way.

What does this mean for partners?

Cybersecurity partnerships have complex dynamics. The impact really depends on the type of partnership, incentives, competitive positioning, and many other factors.

One major theme I do have conviction about: we're not going to see a mass defection of partners from either Google Cloud or Wiz.

There is some risk to Wiz itself on the partner side. Roughly 50-60% of their revenue goes through marketplaces. Assuming this revenue is roughly distributed by cloud infrastructure market share, only ~10% of it is coming from Google Cloud. Having ~90% of your marketplace revenue in flux is a big risk, but it's definitely not insurmountable.

As we discussed in the last section, this move has the biggest impact on AWS and Microsoft, Google Cloud's direct competitors in the cloud infrastructure market. They're obviously going to be more paranoid and less forthcoming about product roadmaps and collaborations with Wiz.

They're not going to kick Wiz out of their marketplaces or take any other drastic action, though. They might want to, but other parties affect their decisions.

Limiting customer choice isn't a good look with regulators already scrutinizing their broader business practices. More importantly, if customers want to buy Wiz, it's foolish not to let them. AWS and Microsoft will happily take their cut of Wiz's revenue and keep their own cloud infrastructure customers happy.

Don't expect them to help out on the GTM side, though. Any boost Wiz got from AWS and Microsoft sales teams is effectively over. Alphabet obviously knew this and was willing to absorb the hit.

Most other channel and technology partners are going to start taking their Google Cloud partnerships a lot more seriously. This was already trending up, but acquiring Wiz accelerates partner effort and investment.

Large cybersecurity GSIs were already taking Google Cloud seriously based on their recent traction in the SIEM market. But, believe it or not, they weren't all that serious about Wiz yet. GSIs are deeply skeptical of startups, and it was hard to know with certainty whether Wiz was a passing fad or the next big thing in cybersecurity.

Google Cloud owning Wiz is the best possible scenario in the eyes of a GSI. They already have multi-billion dollar partnerships with Google Cloud. The acquisition gives them enough certainty that Wiz is here to stay. It slides in nicely as another large cybersecurity service offering to build under the Google Cloud alliance.

I expect status quo for most other technology partners post-acquisition. Cybersecurity already exists in a state of co-opetition, with many competing companies and products begrudgingly integrating with each other to meet shared customer needs.

The Check Point and Cisco partnerships that were recently announced are probably the most unique and impactful technology partnership changes from the acquisition.

Cisco looks like the least impacted of the two. They generally have a co-opetition relationship with Google Cloud, so they may decide to proceed as planned. But, this also increases the probability they decide to enter the CNAPP market and acquire one of Wiz's competitors.

Check Point has a bigger strategic decision on their hands — and not an ideal one for the first major partnership of the Nadav Zafrir era. They were set to migrate customers from its CloudGuard CNAPP platform to Wiz under the terms of this partnership. That may still happen, but they may also rethink their situation and take another look at build and buy scenarios to stay in the CNAPP market.

What does this mean for the industry?

Wiz exiting feels bittersweet. It's a good outcome, but I worry about the long-term implications on the industry side.

Putting one of the largest exits in the history of tech on the board is a big win for the cybersecurity industry at large. It's de facto validation for everything we've been doing and the importance of cybersecurity in the broader tech landscape.

An acquisition this large also makes it (more) okay for other large strategic buyers to pay high multiples for cybersecurity market leaders. A lot of this is driven by comps, and this completely resets the benchmark during a time where more large exits are needed.

Wiz is unique in so many ways, though. The size and scale of its exit doesn't automatically mean we're going to see other cybersecurity unicorns attracting the same level of interest and capital. It doesn't hurt, though.

On the other hand, Wiz was almost certainly going to be cybersecurity's largest ever IPO. $32 billion looks good in the near-term, but we'll never know what would have happened if Wiz had a sustained run as an independent company.

It sure looked like Wiz had a shot at reaching a $100B+ valuation someday. Now, we'll never know.

I keep wondering if cybersecurity has a glass ceiling we haven't fully recognized yet.

Early stage market leaders are being acquired early. IPOs are a meaningful milestone, but even reaching public markets is no guarantee a company will stay there.

Wiz being acquired is a visceral reminder that very few standalone cybersecurity companies are untouchable. Two, to be exact: Palo Alto Networks and CrowdStrike. Anyone else is up for grabs at any time.

Wiz might have hit the glass ceiling on the 100th floor, but it was still there.

Larger tech industry dynamics were at play here. Nothing is off limits when trillion-dollar questions are hanging over the heads of the largest and most powerful companies in the world.

Remember: cybersecurity is a pawn in a much larger game of chess.

Footnotes

¹I know, I know: Alphabet announced their intent to acquire Wiz. We'll get to the "will this actually close" question later in the article.

²I wrote this article as fast as I could. I stopped counting how many cups of coffee I drank. I'm sure I missed a lot of details and potential considerations. Please cut me some slack in the spirit of moving fast :)

³This data isn't a banker-level comp set, so don't make any serious decisions from it. I just wanted to give you some context on where the valuation for this potential deal stands against recent history.

⁴Trillion-dollar question is a favorite a16z phrase for big questions with significant industry and market impact.

⁵The other is AI, which is another trillion-dollar question. This tells us a lot about how high the stakes are for Alphabet. They're facing multiple trillion-dollar questions at the same time.

It's so good that I poured my whole month of research this February into analyzing the report.

I've either reviewed or helped produce the report five times now.² After a thousand-some hours in total, I'm dialed in on spotting subtle trends and anomalies in the data.

An added bonus for this year is our new content partnership, which gives me access to the full resources of the Altitude Cyber team for this article, social media posts, and more.

It's a rare opportunity for me to look behind the data, think about what all of it means, and tell you what we've found together.

Here are the ten most interesting insights I found and what they mean for the industry, starting with Altitude Cyber's specialty — M&A.

M&A: Activity is stable, but the mix of buyers and targets are shifting

The tale of cybersecurity M&A is "smooth sailing with strong undercurrents."

For all the choppiness on the financing side (we'll get to that), and <name your favorite reason why tech M&A has been unstable>...cybersecurity-related M&A activity has been remarkably steady in the past four years.

We've just been chugging along at ~280 deals and $50-ish billion of (disclosed) dollar volume per year.

Smooth sailing, right? Kind of, but there's a lot more to the story.

M&A hit an inflection point in 2021, then stabilized.

The multi-year cybersecurity M&A activity trend is more interesting than any single year alone. 2021 accelerated M&A activity in a big way, and it's stayed relatively high ever since:

Annual dollar volume (the total of all disclosed cybersecurity-related M&A transactions) averaged $21.5 billion per year for the five-year period from 2016 to 2020. It spiked to $80.9 billion in 2021, then settled in at a $58.5 billion per year average since then.³

The average is still at $51 billion per year without 2021, though. That's over double the average dollar volume from 2016-2020.

It's a similar story for annual deal counts (the literal count of cybersecurity-related transactions, disclosed or not):

The average count from 2016-2020 was 178 deals. We hit an inflection point, and 2021-2024 was much busier at 280 deals per year.

Sure, 2021 was peak hype for both cybersecurity and tech — but we've clearly settled into a new normal for cybersecurity M&A. We're going to see a sustained increase in both total deals and dollars spent on acquisitions.

It's smooth sailing now, but here's where the "strong undercurrents" part comes in.

Strategic buyers are more active than they've ever been.

Strategic buyers accounted for 62% of all deals in 2024 (174 total) — the highest total deal count ever recorded.

It's a subtle but significant shift. We're talking about hundreds of transactions and billions of dollars here.

Strategic buyers always have more total acquisitions per year than financial buyers (there are more of them). But since 2020, the proportion had been shifting towards private equity — until this year:

Put another way: we had a stretch where financial buyers were more active in the industry than they were historically. This was partly due to a major increase in take-private activity, and also because investors took a shine to acquiring cybersecurity companies.

Strategic buyers are back. I expect the trend to continue as valuation expectations adjust and many of the ZIRP-era companies look for reasonable exits.

There's a bigger picture interpretation of this trend that could be even more significant, though.

A macro-level shift back towards strategic buyers is one thing, but the overall mix of the strategic buyers tells us even more about the future of cybersecurity M&A.

The biggest acquisitions were made by non-cybersecurity buyers.

The current shift back towards strategics includes a growing minority of "non-traditional" buyers.

Case in point: most of the largest M&A transactions that occurred during the year were led by cybersecurity-related companies, not pure-play cybersecurity companies.

Half of the ten largest acquisitions from 2024 were made by strategics with a majority of revenue generated outside of cybersecurity. Only one of the ten largest acquisitions (CyberArk's $1.5B acquisition of Venafi) was by a pure-play cybersecurity company.⁴

Another example is the trend of financial services buyers acquiring cybersecurity-related companies. It's a multi-year trend, but Mastercard's $2.65 billion acquisition of Recorded Future was one of the largest deals of 2024.

I take these data points as signals that cybersecurity capabilities are starting to be viewed as core components of broader business strategies, not just an isolated field.

We're going to keep seeing more convergence and "hybrid" acquisitions where cybersecurity is wrapped into adjacent offerings (cloud, data analytics, payment networks, etc.).

Buyers from outside the industry aren't the only change in the mix of strategic buyers, though. We're seeing some familiar names get back into the M&A game in a big way.

Once-quiet security giants are emerging as more frequent buyers.

It's no surprise to find companies like Cisco and Palo Alto Networks among the most active strategic acquirers in the industry. What's surprising is how active some companies that aren't typically viewed as buyers have been — especially in 2024.

Perception lags reality here. Many of these "quiet" players have been steadily active for years but kept under the radar.

Companies like Zscaler, Check Point, Fortinet, and other companies are rising up the charts again:

Zscaler had a steady run of 1-2 small acquisitions per year, then made a splash with their ~$350M acquisition of Avalor in 2024.

Check Point took 2022 off from M&A, then came roaring back with Perimeter 81, Atomsec, and Cyberint for close to a billion in combined deal value.

Fortinet hadn't done a single deal since 2021 until it shocked the world with its acquisition of Lacework. It followed that deal up with two other deals for Next DLP and Perception Point in 2024, which put them in a tie with CrowdStrike at seven acquisitions over a five year period.

Throw in Rapid7 and Tenable at six acquisitions apiece, and we've got a pretty interesting mix of strategic buyers beyond the likes of Cisco and Palo Alto Networks.

The dynamics among buyers are changing, but there's also an interesting shift happening with the companies who are being acquired.

Startups are getting acquired earlier than ever before.

Does it feel like cybersecurity startups are just getting acquired younger and younger?

Don't worry, it's not just you getting old. (Okay, we might be getting old, but still...)

You're right. The data shows that early-stage startup exits are increasing:

Acquisitions of companies younger than three years old jumped from 10% to 15% of deals in 2024. Early stage acquisitions are still a minority of deals by proportion, but a 5% jump is still a big deal.

We could be seeing the beginning of a "glass ceiling" phenomenon where hot early-stage startups get acquired at massive premiums before they get a chance to grow into our next big cybersecurity companies. This starts looking even more plausible when you include the targets in the 3-5 year age range.

So, why is this happening? Lots of reasons, but here are two.

Large acquirers want novel capabilities quickly. Rather than waiting for companies to scale, they make "preemptive" acquisitions and buy them early. Avalor, Gem, Dazz, Eureka, Flow, and Oxeye were all among the leaders in emerging markets who were acquired in 2024.

The other reason is relative value. Earlier stage companies who have raised less capital than comparable later stage companies in the same market aren't as expensive to acquire. Resmo, PingSafe, Vantyr, Wib, and BreachQuest are all examples from the year.

If the story of M&A in 2024 was all about micro-level changes, the plight of financing was a hard reset. Let me tell you why.

Financing: More activity, and a shift towards safe or speculative

The best possible news about cybersecurity financing in 2024 is that both deal count and total funding are up from 2023.

I know this seems like a small win, but trust me — we needed a small win.

We were in a pretty vicious downward spiral since cybersecurity industry financing peaked in 2021. Investment levels were still well above average in mid-2022, then cratered towards the back half of the year.

There were really no meaningful signs of recovery in 2023. A tiny, tiny bit of hope returned in 2024. Any positive trend is huge, and we got it last year.

Let's talk some more about what our new reality looks like.

A reset to the pre-boom baseline.

It's (unfortunately) safe to say that cybersecurity financing has returned (regressed?!) to pre-2021 levels. Total funding in 2024 was $13.2 billion, up 40% from 2023's abysmal $9.4 billion. Deal count was also up 16%.

2024 was a much more active year, for sure. But historically, total dollar volume looked a lot more similar to 2019 (and earlier) than 2021:

An interesting quirk was total deal count, which was 24% above the average from 2017-2020 despite relatively comparable dollar volume:

But in general, the takeaway is that we're back to the pre-2021 baseline for financing.

I take this as both good and bad news.

The bad news is mostly for founders, investors, and employees who are still clinging to the hope that 2021-like financing activity (and valuations) will return. They won't — at least not any time soon.

Things got super out of hand from 2021-2022. That's an anomaly.

Bad things happen when too much capital is flowing into an industry and valuations get inflated. We've hit a point where there's no (good) way out for a material part of an entire generation of companies who are fighting to live up to their valuations.

The good news is that our current baseline is probably where we should be. Companies that have raised or will be seeking capital at post-2022 levels are (for the most part) raising at more responsible amounts and reasonable valuations.

Accepting our new baseline is the practical and mature way of looking at financing going forward. Sure, it stings — but it's a lot better than down rounds, layoffs, fire sales, and other alternatives.

That's not to say cybersecurity companies can't raise large rounds, though.

Massive financing rounds are more rare, but they're still happening.

Given our new reality in financing, it shouldn't be a surprise that the number of massive ("massive" = ~$200-million-plus for cybersecurity) financing rounds is down compared to 2021-2022 levels.

2024 did have a few, though — another small but important win.

There were ten cybersecurity-related rounds at $200 million or higher, including two $300 million rounds by Cyera alone:

Wiz’s billion-dollar round more or less overshadowed everything else, with the next largest round (Kiteworks at $466M) at less than half the size.

The story of financing in 2024 gives us a pretty good idea of how big the reset was. Here's the story in visual form:

There were way, way fewer large financing rounds in 2024 than the tail end of the ZIRP era. Wiz's billion-dollar round still stacks up against the largest rounds in history, but we're not going to see the frequency of large rounds we had in 2021 any time soon.

Why?

In 2024, companies that would have been raising $200M+ during that period did rounds in the $100 million range instead...or not at all.

Going forward, it's going to be a story of outliers. Abundant capital is available for cybersecurity companies with big momentum and clear aspirations of scale. But those are the outliers, not the norm.

Expect ten (or so) large financing rounds per year. That's about where we've been, and where we should be in a healthy and rational version of the industry.

This isn't all about large financing rounds, though. Other stages make up most of the activity — and where the activity is happening has been changing.

Early or late, not mid.

The shifts in the number of capital raises by stage in cybersecurity have been subtle, but the implications are important:

Series A funding was basically flat in 2024, and Series B funding activity was still a little bit down. Early-stage and late-stage activity are on their way back up.

Total dollar volume trends are a similar story, but the differences are even more pronounced:

Series A funding in 2024 was down almost a billion dollars compared to 2022. Series B funding was less than half of 2022.

The Series A and B crunch might seem bad, and I'm sure it feels bad for individual founders and employees at companies caught up in the crunch and struggling to raise.

If we zoom out to the industry level and beyond, we're doing okay given the circumstances.

Across the rest of tech, it's been hard to raise Series A and Series B rounds. Peter Walker at Carta is the authority on this topic.

The punch line of his team's research is graduation rates at these stages are significantly lower than the ZIRP era. Companies are taking much longer to raise rounds, and many still haven't raised them yet. Some never will.

This Altitude Cyber report didn't go all the way down the rabbit hole into graduation rates, but total capital raises and dollar volume are a decent proxy. Cybersecurity's mid-stage funding decline has been very modest compared to the crater that happened with the rest of tech.

The later stage recovery is the least surprising stage. It's a reflection of the times. As we discussed in the last section, relatively abundant capital is available — but companies have to earn it. Those who do are safe bets.

The recovery of early stage financing isn't a huge surprise to me, either. There's never a shortage of people wanting to start cybersecurity companies. We also have a healthy set of early stage investors across both industry specialists and larger agglomerators. Promising early stage companies will keep getting funded.

The investor landscape and activity levels are shifting, though. Things are starting to look different now that the industry hype is back to reasonable levels.

Which investors are staying or leaving?

Two of the most interesting observations I noticed in the entire report were how many of the most active investors from 2021-2024 dialed back their activity in 2024, and how many others ramped up activity:

I'd be careful about reading too much into this without a detailed look into the data, but it does make me curious about why all of this happened.

Here's what I mean.

Insight Partners has been the most active cybersecurity investor since 2021 with 74 total investments. They were still one of the ten most active in 2024, but their eight investments were down almost half over their five year average.

Ten Eleven, SYN Ventures, Bessemer, and Tiger Global are top ten investors (by volume) since 2021, but not in 2024.

Activity from Sequoia, Accel, and Lightspeed was all stable.

Meanwhile, Andreessen Horowitz, Index, Evolution Equity Partners, and Vertex all cracked the top ten in 2024.

Again, I wouldn't read too much into this based on positive or negative activity variances in a single year. Ten Elevan and SYN Ventures are cybersecurity industry specialists — they're not going anywhere, and they're still doing a lot of deals.

I'm very interested in what the next five years are going to look like, though.

The big question is how many investors (especially the larger agglomerators who are investing in more than cybersecurity) are going to lean in or pull back from our industry based on everything that has changed since 2021-2022.

One cybersecurity market defied all forms of reason and logic in 2024. This goes beyond just M&A or financing. Let's talk about data security.

The anomaly: data security had a moment in 2024

For the first time ever, the data security sector led all industry capital raises. Data security companies raised $2.94 billion in 2024, up 2.5x from $1.16 billion in 2023.

It wasn't just financing. M&A activity was also high, doubling from 12 transactions in 2023 to 24 in 2024.

Altitude Cyber's sector classification includes backup and recovery alongside traditional data security areas like data classification, DLP, DSPM, encryption, and other things you'd expect. As it happened, 2024 was a very active year for basically all of these areas.

Cyera alone raised $600 million. Several other DSPM companies were acquired or raised capital. The backup and recovery market had its most active year ever.

This might only be the beginning of the data security story, too.

Data security is a top priority (and concern) with AI and transformation programs, especially in larger companies. DeepSeek just stress tested the current state of security controls for AI in every large enterprise. The verdict wasn't good.

We're going to keep hearing stories like this on repeat.

We still have a long way to go on figuring out how to securely use AI. Data security is the best set of tools we have.

2024 was the year data security had a moment, but we're going to look back on this as the inflection point where its trajectory changed for good.

Settling into our new reality

If there was any doubt left about the direction our industry was heading in the post-ZIRP era, 2024 eliminated most of it.

M&A activity is stable, even with subtle shifts happening among buyers and the profile of their acquisitions.

Financing activity is down from 2021-2022 levels, and it's going to stay down for a while. This is healthy.

Abundant capital is available for our top companies who have earned the right to scale. It's still there for promising early stage companies, too.

Macro trends are as important as ever. This is never going to change. In 2024, the notable one was AI driving data security market activity. Trends like these take years to play out, so we're going to keep seeing this one in 2025 and beyond.

If I had to summarize the vibe heading into 2025 in one sentence, it's this: The cybersecurity industry is maturing.

Our adolescence is behind us. We’re entering a period of thoughtful, disciplined growth — exactly what we need to build stronger companies and a more resilient industry.

Acknowledgements

Thank you to both the Altitude Cyber and Momentum Cyber teams for years of hard work on this industry research.

Footnotes

¹Hat tip to Mike Privette at Return on Security, who writes another epic annual report on the industry. Several of the observations from my research here align with things he's already said in other ways.

²Including both the Altitude Cyber version and its predecessor, Momentum Cyber's Cybersecurity Almanac.

³One caveat for the 2024 dollar volume data: it includes HPE's $14 billion acquisition of Juniper Networks. This is a caveat for multiple reasons, one being that some people don't consider either a cybersecurity company. I'm in the "hybrid" camp here. More importantly, the deal hasn't technically closed, and depending on how the Department of Justice intervention plays out, it may never close. I think it eventually will, but the total could get skewed quite a bit if it doesn't.

⁴The other four (Darktrace-Thoma Bravo, Acronis-EQT, Auditboard-Hg, and the Synopsys software integrity carveout) were made by financial buyers.

Cybersecurity's first IPO of 2025 is a triumphant comeback story from a company that's been a towering figure in the industry for years.

That company is SailPoint, who I've been following closely for over a decade now — both directly on client implementations at PwC and covering their business in my industry research.

I have a lot to say about this S-1 filing and the broader implications of their second IPO.

First, a couple (Midwestern) spicy takes¹:

• I still question whether SailPoint needed to go private in the first place.

• This is the earliest point in the window SailPoint could have gone public again.

Wait, isn't this a contradiction?!

Kind of. Let me explain.

Before going private, SailPoint was right around the cutoff line for cybersecurity's "high growth" and "low growth" cohorts. They averaged 21% top line revenue growth from 2019 to 2021.

Decent, not spectacular — and nowhere close to the lower performing companies who were taken private.

They had real business issues to face, though. Accelerating their SaaS transition was the big one. Peers like CyberArk and Varonis have successfully pulled off this transition in public markets, but it's hard.

Partnering with Thoma Bravo again was an offer too good to refuse. The rest is history.

Fast forward to today...I thought they'd let the SaaS transformation bake a little longer and get back to profitability before going back out. Might as well finish the job since they bothered to go private in the first place.

They always felt like a lock for 2025 (or early 2026, worst case). My guess was the second half of this year, even with the rumblings of a potential IPO starting in Q4 2024.

Instead, SailPoint is all set to be cybersecurity's first IPO in 2025 — and the first pure-play cybersecurity company to go public in almost three and half years.²

It's a big moment for both SailPoint and the cybersecurity industry. Here's why, starting with SailPoint's strategic narrative.

Strategic narrative

SailPoint's timing mostly boiled down to this: they had enough proof to credibly tell the story of being a modern, SaaS-first identity security platform. The essential parts of their strategic narrative shaped up well (with some caveats).

For its part, SailPoint checked most of the boxes, even though some important ones like their SaaS transition and profitability are still a work-in-progress. They did exactly what they needed to support their new strategic narrative while maintaining their market leadership in identity governance.³

The underlying business transformation will continue, but they've likely done enough to change how the market perceives them. Package that up with a general sense of optimism about public markets, and you've got a pretty airtight case. The timing was right to go public again.

And, bigger picture — they did it without causing a major shakeup of the competitive landscape in identity security.

Let me walk you through the core parts of the narrative and show you what I mean.

A "SaaS-first" company

The first piece of SailPoint's narrative shift was becoming a "SaaS-first" company. They needed to accelerate their transition to both a subscription-based revenue model and a SaaS product. This was basically reason number one for going private.

SailPoint started with an on-premise product (IdentityIQ) back in 2005. Their first SaaS-based product (IdentityNow) launched about ten years ago and evolved into their current Identity Security Cloud offering over the course of a decade.⁴

One of the biggest knocks against SailPoint's strategy was how long the customer transition from the on-premise product to the SaaS product was taking — or if it was even going to happen at all. The leadership team was surprisingly blasé (at least in public) about the pace of transition across the company's final few earnings calls before going private.

I'd speculate that behind closed doors, they knew the transition needed to happen faster. Or, Thoma Bravo knew it needed to happen faster and was willing to finance the acceleration in exchange for a share of the upside. Or both.

Either way, SailPoint has made solid progress with accelerating their SaaS transition and, bigger picture, advancing the narrative of being a modern, SaaS-first company.

They accomplished the objective with some stellar metrics to back it up. Growing SaaS ARR at 40%+ year-over-year and overall ARR at 30%+ year-over-year are very high growth rates relative to just about any public SaaS comp you can come up with.

They've successfully converted most of their revenue to subscriptions, which includes SaaS as a subset. That's impressive given how complex migrations from on-premise to SaaS are, especially with larger customers. It's basically like implementing a completely new product.

They still have work to do, though. According to the S-1, only 60% of their total ARR is coming from SaaS.

This means SailPoint still has a lot of revenue coming from on-premise-related things, like maintenace and other subscription services. Put differently, they still have a material amount of customers using the on-premise product — and I suspect it's their largest ($1M+ ARR) enterprise customers.

Finishing the job is a non-trivial task that's fraught with risk around churn and customer dissatisfaction. Staying private doesn't make these risks go away, though. It just masks them from public consumption. I don't view this issue as a compelling reason to stay private, and SailPoint's management team clearly agrees.

I definitely buy their "new customers are starting with SaaS, and remaining customers are in the process of transitioning" part of the narrative. We should't take this to unilaterally mean all of SailPoint's remaining on-premise customers are transitioning to SaaS — just that the transition has momentum.

Anecdotally, I've heard of several large, high-profile customers who are doing SailPoint SaaS implementations right now. It's definitely happening.

There's more work to do, but SailPoint's SaaS transition slog will eventually end. Sure, seeing 80%+ of subscription revenue coming from SaaS would have been ideal — but they've laid the groundwork for completing this transition faster than ever could have as a public company.

Identity governance to identity security

The second piece of SailPoint's strategic narrative was transforming their market positioning from "legacy identity governance vendor" to "modern identity security platform".

When they went private, they were still mainly seen as an IGA vendor (albeit the market leader) in a world where both customers and investors increasingly wanted comprehensive security platforms.

SailPoint methodically addressed this perception through their SaaS transition and, more strategically, a targeted set of tuck-in acquisitions to broaden the platform:

Since going private, they added basic PAM (Osirium), non-employee access/risk management (SecZetta), and ITDR (Double Zero) for $71.8M of total fair value (not the same as the full acquisition price, but likely in the ballpark).

Add these on top of their previous acquisitions in SSPM (Intello), CIEM (Orkus) Data Security (Whitebox Security), plus others, and you've got the makings of a broader identity security platform.

Here's a quick visual to help illustrate the point (using SailPoint's graphics with my own markups). Everything highlighed in yellow or blue has been added since going private, mostly through M&A:

SailPoint had the core components of their SaaS platform in place, but they added an entirely new layer of capabilities to the stack during this period.

Many of their acquisitions are still fresh, so it's too early to tell how much of a financial impact they will have (and how soon). Independently from commercial success, they've effectively addressed the near-term narrative of being a broad(er) identity security platform.

...all without a big merger or acqusition

SailPoint landed their new strategic narrative perfectly...but the moves they didn't make tell the real story. Here's the twist: they didn't have to merge or make a major acquisition and massively shift the competitive landscape in the identity security market.

A boss move (theoretically) would have been acquiring a scaled PAM or SSO company (from the current PE-owned cohort) to compete head-on with other identity security giants like Okta, CyberArk, Ping, and Microsoft.

There are plenty of later-stage, privately held, 8-9 figure ARR identity companies SailPoint could have acquired:

Not all of these companies are viable targets, obviously — but nothing feels out of reach for Thoma Bravo right now. The point is just to illustrate how many potential options SailPoint had available if they wanted to make a big move.

And, remember: Thoma Bravo already merged Ping Identity and ForgeRock, two other identity security companies in their portfolio. Merging SailPoint with one or both of these companies would have been challenging, but it certainly wasn't out of the question.

SailPoint didn't have to do any of this. Instead, they took a more measured and pragmatic approach — and it looks like their strategy is going to work (near-term, anyway).

Doing a major acquisition would have been both risky and financially prohibitive.

Most of the major identity security companies have their own lanes, and the market is still big enough (now) for everyone to stay in the lane they've been in. SailPoint will be fine on the competition front for a while.

That's not to say they're without competition — just that there is still enough room for SailPoint to maneuver in both their core identity governance segment and the overall identity security market.

Okta's identity governance product (OIG, the part that competes directly with SailPoint) is still pretty new. It has good traction, but it's still nowhere near the scale or sophistication of SailPoint. Okta's new product will eventually become more competitive in SailPoint's core upper middle market and enterprise customer segments, but that's still years away.

Microsoft's Entra platform is strong, largely thanks to the directory service formerly known as Active Directory and growing momentum in the Single Sign-On (SSO) space. They have an identity governance product, but the overall Entra platform is more competitive with Okta than SailPoint.

Saviynt is a legitimate threat (and likely on a path to its own IPO), but it's still a much smaller company. They disclosed $150 million of ARR at the end of their 2023 fiscal year. They're winning some competitive deals, and there's still a lot of market share left between legacy product migrations and customers who decide to shop around when migrating away from SailPoint's on-premise product.

CyberArk and Ping Identity are both big, important companies in the identity security market — but they're not direct competitors with SailPoint. Current product overlap with SailPoint is minimal, especially not their core identity governance features.

More direct competition feels inevitable, but not today. SailPoint has a nice lane carved out for itself in the market by owning the larger identity governance deployments.

One other thing: they also have significant debt. A large acquisition would have been impossible without a major restructuring. About the debt part...

Financial narrative

SailPoint's IPO narrative has several critical financial topics to address, debt being one of them.

On the financial side, I'm focused on the highlights and strategic implications. CJ Gustafson's analysis on Mostly Metrics should be your first stop if you want a professional, CFO-level financial analysis of the S-1.

Through my strategic lens, the financial part of SailPoint's IPO narrative hinges on debt, profitability, margins, and the immediately adjacent impact of each. Here's my interpretation beyond the S-1 print.

Debt and R&D spend

SailPoint has a ton of debt. $1.59 billion via term loan, to be exact. They're spending over $175 million on interest alone, which is just under the $180 million they spent on all of R&D in FY'24.

There's nothing too weird going on here. It's normal for a private equity firm to use debt for partially financing the acquisition. The S-1 is clear about SailPoint's plan to use some of the proceeds to pay down the term loan, so they won't be quite this indebted for long.

Regardless of the exact amount of debt they carry post-IPO, the implications are important — especially in the context of R&D spend.

Identity security in general is a highly competitive space (despite my comments on SailPoint's lack of direct competition earlier). Both late and early stage companies are investing significant capital into improving and building out their products, which falls under R&D.

Okta alone spent $656 million on R&D in their FY'24, and $158 million in Q3'25 alone (~$20M less than SailPoint invested in an entire year). And, according to Altitude Cyber's 2024 Year In Review, identity security startups raised a total of $1.08 billion in 2024. That's on top of $1.11 billion the year before.

R&D spending isn't a direct indicator of results or product quality, but there's definitely a correlation.

SailPoint clearly demonstrated R&D efficiency by advancing their SaaS transition this far at relatively reasonable R&D costs. This is about more than a SaaS transition, though.

As a public company, SailPoint is going to have to both defend their market leadership position and (eventually) brace for head-on competition with other major players in the identity security market. They need breathing room to keep investing in R&D, which means managing debt is a top priority.

Gross margins

SailPoint's gross margins are...below average... at 67% for their FY'24. Gross margins for Morgan Stanley's security group are at 81%:

Secureworks has the lowest gross margins at 70%. They're primarily a services company that will soon be going private once their acquisition by Sophos closes.

SailPoint has things like their ongoing SaaS transition, scaling infrastructure costs, and take-private transation related expenses to blame, but profitability is going to have to improve quickly if they want to be valued like the top performing SaaS companies.

Another potential issue is more strategic. If (BIG IF, just intuition and speculation on my part) they're experiencing significant pricing pressure and discounting to retain and win customers, margins are going to keep suffering.

I don't know if this is happening, but it's possible. Like much of enterprise software, every new $1M+ ARR customer opportunity they have is a competitive bid. SailPoint also has the added challenge of not ending up in competitive bids when their customers switch from the on-premise to SaaS product.

There are a lot more nuances to the margin story, and they play out in places like profitability and customer acquisition costs.

Profitability, customer acquisition costs, and market opportunity

Profitability had become an issue when SailPoint went private, and investors probably aren't going to love their continued (although substantially reduced) losses this time around.

Context matters, though – and there are some specific nuances about the identity security market that make SailPoint's situation very reasonable.

Here's the punch line on SailPoint's profitability: they're currently spending $2.85 to acquire $1 of ARR.

That seems terrible on the surface, but identity security products like SailPoint have a very important property: they're incredibly sticky once implemented. Like, prohibitively expensive and painful to replace. That's part of the reason why SailPoint's retention metrics are outstanding (114% NRR / 97% GRR).

Their CAC payback period is ~2.85 years, which is pretty high, but really no big deal in identity security terms. They keep most customers for much, much longer than that. A decade-plus is common. SailPoint (and their channel partners) are very good at supporting and retaining customers, so the mechanics here should just keep getting better with scale.

(Somewhat) crossing back over into strategy land for a minute: I was surprised how many smaller ACV customers they have. Here's the breakdown from the S-1:

I would have guessed a much higher count of $1M+ ARR customers and a much lower count of sub-$250K accounts. This tells me two important things. Their customer base is more diversified than I thought, and they still have room to grow in the enterprise customer segment.

They're just going to keep picking off implementations from legacy competitors (Oracle, IBM, etc.) until they have to compete more broadly. SailPoint will almost certainly be over $1 billion of ARR by then.

SailPoint deserves every minute of the spotlight and glory from this milestone, but this move has broader implications for the rest of the industry. Here's why.

Industry impact

SailPoint being the first cybersecurity company to go public in 2025 is the best thing that could have possibly happened for the rest of our IPO pipeline. They did everyone else a huge favor.

It's wayyyyyy better to re-introduce a well-known company and break the ice before we start rolling out companies the market hasn't seen yet.

Even though people are optimistic, tech IPOs are still warming up from the ice age we've been in for the past ~three years.

We're still figuring out exactly how the market is going to value new companies based on their revenue scale, growth rate, profitability, and other metrics. The benchmarks so far have set a pretty high bar, especially for revenue scale.

Most of the expert predictions point to expectations relaxing and subscale (<~$500M ARR) companies being able to go out again, but all of this is still in flux.

SailPoint is the perfect dosage of excitement and familiarity.

Right now, all signs point to this being a good IPO — exactly what we needed to get the pipeline moving in 2025.

Follow this up with another strong candidate or two (Netskope?), and cybersecurity's IPO window is officially open again.

Mama said knock you outttttttttt...huuh!

Footnotes

¹Midwestern (United States) people are notorious for disliking spicy food, myself included. We prefer to keep things bland. "Midwestern spicy" means a very, very mild level of spice.

²The first traditional, mid-cap IPO for a pure-play cybersecurity company, that is. We've had a few SPACs and nano cap companies go public, but most of the industry focuses on traditional IPOs. Rubrik technically went public in 2024 (and has done well), but many people classify them as a hybrid IT/infra/security company.

³I'm leaving the obligatory AI-enabled-whatever parts of the narrative aside for now. Yes, SailPoint covered them — I just don't think AI is a core part of the narrative here, at least near-term.

⁴Intentionally or unintentionally, SailPoint has thoroughly obfuscated the exact release date of IdentityNow. "About ten years ago" is the most accurate timing from an official source, so we'll go with that.

Several of our best companies are (likely) a couple years out from going public. And, let's face it: several of the 2025 IPO candidates are going to slide into 2026.

Public markets just aren't going to have the stomach to ingest 16 cybersecurity-related companies (plus dozens of other software companies) all at once.

It's definitely still worth gazing off into the distance to see what cybersecurity's longer-term IPO pipeline looks like.¹

Companies further out in our pipeline are going to keep becoming more and more influential. It's like you're seeing the next A-list celebrities perform at a small club before most of the world knows their name.

Don't forget about the macro side of this, either. IPO windows also last more than a year. If 2025 is the de facto start of our next window, we're going to see a multi-year run.

We're going to need a multi-year run. On top of the 16 companies who are IPO candidates in 2025, at least 38 more have realistic shot at going public in 2026 or later.

I used time ranges here because making predictions multiple years out is an inexact science. As we've painfully learned, a lot can change (good or bad) in a year or two.

Just like the 2025 candidates, the distinction (and incentives) between private equity owned and venture-backed companies affects the timing. But this time, the venture-backed companies are the star of the show.

We have a lot of companies to talk about here. Let's get to it.

Venture-backed companies

There are 24 venture-backed companies in the IPO pipeline for 2026 and beyond:

This is a flat out amazing group of companies. They're our Forbes Cloud 100-winning, large round-raising, high valuation-seeking superstars. Not all of them will go public, of course — but any of them could (someday).

Part of the criteria we have to go with for venture-backed companies is what they've said about their intent to go public and the timeline. Of the 25 companies in this part of the pipeline, 14 of them have spoken publicly about IPO plans:

There are too many companies here to discuss them all, but I wanted to highlight five.

1Password

1Password is one of my favorite stories. Over nearly two decades now, they've grown from a bootstrapped company in a once-obscure market to a potential decacorn.

In total, the company has raised $920 million in capital, most recently at a $6.8 billion valuation. They launched a full identity suite earlier this year. 1Password is clearly one of our top IPO candidates and feels like a lock for 2026, if not sooner.

Abnormal Security

Abnormal Security recently targeted "being able to operate as a public company" in Q4 2025 after raising a $250 million Series D at a $5.1 billion valuation.

Taken at face value, going public in late 2025 is definitely in range — and if not, early 2026 seems like a lock if markets are ready.

Timing may also depend on when Proofpoint, a direct competitor in email security, decides to re-enter public markets.

Cribl

Cribl is a cybersecurity-related company who is part of the emerging security data fabric market. They raised $200 million at a $3.5 billion valuation earlier this year and signaled clear intent to go public in the near future.

Their potential IPO is notable for several reasons, one being the creation of a new market segment for data fabric products. This helped clear the way for several other earlier stage companies I've covered this year.

Saviynt

Saviynt has been an under-the-radar company for most of its existence, but they put themselves squarely into the IPO pipeline with a recent disclosure of $185 million in ARR.

They've raised a very low amount of capital to date — $375 million in total, which includes $205 million in debt financing. Their latest disclosed valuation is $100 million in 2018...which, needless to say, is well over 10x higher today based on revenue.

CEO and founder Sachin Nayyar also led Securonix to a billion-dollar private equity exit in 2022, then rejoined Saviynt to (presumably) do the same or better.

Some of the disclosed numbers might not add up, but judgment wins out here. They have the revenue, leadership, enterprise customers, channel parterships, and tailwinds in a stellar identity security market. This is either going to be a major strategic acquisition or a public company.

Tanium

Tanium is one of the most perplexing companies in the entire IPO pipeline. They've looked like a no-doubt IPO candidate for a long time — yet here they are, still a private company with no definite timeline for going public.

They're valued at $9 billion with over $700 million in revenue. They basically have everything they need to go public. Will it be 2025? 2026? Later? I honestly don't know.

The VC-backed part of our long-term pipeline is by far the most dynamic segment. Timelines can change quickly. Other companies will definitely join the list. This is just the view we have right now.

The private equity part of the list is a bit more systematic. Let's cover these companies next.

Private equity owned companies

There are 14 private equity owned companies in the pipeline for 2026 and beyond:

The profile of this group is a bit different than the PE-owned candidates for 2025, though.

The 2025 group is unique because it includes several formerly private companies who were already at hundreds of millions or a billion in revenue scale. It's unusual to have companies like these in private markets. They won't be for long.

The 2026 and beyond group also has some formerly public companies, but the rest are a bit more typical.

Former public companies

There are still five former public companies (Barracuda, KnowBe4, McAfee, Ping Identity/ForgeRock, and Trellix), but each had challenges that are more common for private equity to address.

KnowBe4 and Ping Identity (including ForgeRock) were both subscale companies who didn't quite have the growth or operating metrics to keep up with the top performers.

Fast forward to today: Ping Identity just announced it's closing in on $800 million of ARR (with ForgeRock's revenue). They still have some product portfolio overlap and SaaS transition hurdles to overcome, which is why they're not a 2025 candidate. 2026 or 2027 feels very realistic.

KnowBe4 is likely over $500 million in revenue, and it's not even two years into its PE holding period. If they can grow at a 20-30% rate and keep adding tuck-in acquisitions, they'll be on their way to $1 billion of revenue by the end of their holding period.

Barracuda, Trellix, and McAfee are closer to the typical private equity story, even with their atypically large scale. Here's the quick summary of their activity:

Barracuda has almost completely transitioned into a cybersecurity company. Thoma Bravo sold them to KKR in 2022. They're now two years into the KKR holding period.

Trellix is the result of a merger between FireEye and McAfee's enterprise business unit in 2022.

The standalone version we now know as McAfee is the company's remaining consumer business.

I put a 2-3 year timeline on this group of companies because of their scale. Trellix has over a billion in revenue. McAfee has two billion. It's been a long time since Barracuda disclosed revenue, but rough math says they're likely over $500 million as well.

Private companies

The nine other PE-owned companies in the pipeline all have fairly unique journeys that could eventually lead to public markets.

Acronis and Armis are growth stage companies. Both are majority-owned by private equity firms, which are functioning more like growth equity investors in this situation. These companies need more time to hit revenue scale, which may happen quickly if they can sustain their high growth rates.

BeyondTrust just disclosed $400 million in revenue and acquired Entitle. They're reasonably competitive against CyberArk, Okta, and the large identity security platforms. They're also seven years into their holding period, which means an exit could happen soon.

Fortra was founded in 1982 (!!!) and has since evolved into a cybersecurity-focused company. They casually disclosed² $800 million of revenue back in 2022, which likely means they're at or above $1 billion now. That's public company scale.

The situation with LastPass is the most tumultuous of any company in the entire IPO pipeline:

• They were acquired by LogMeIn for only $110 million back in 2015 when LogMeIn was a public company.

• LogMeIn itself (including LastPass) was acquired and taken private by Francisco Partners in 2020.

• In the midst of all this, people finally realized password management is a big market! LastPass became a valuable asset. LogMeIn's PE sponsors announced they were spinning out LastPass as a standalone company in late 2021.

• ...until multiple security issues derailed the plan.

• The separation finally completed in May 2024. LastPass is now a standalone, PE-backed company with hundreds of millions in revenue.

When 1Password (another 2026-2027, maybe even 2025 candidate) goes public, it potentially opens the door for LastPass to follow.

Optiv was ready to go out before the current economic downturn. Reuters also reported a potential sale or IPO by KKR. Depending on how you feel about passthrough VAR revenue and Optiv's business model, and cybersecurity services companies in general, Optiv could an IPO-able company in the next 2-3 years.

Veeam is another cybersecurity-related company (backup and data protection) owned by Insight Partners who has the scale to go public soon. They reported $1.5 billion in revenue in late 2024 and just closed a $2 billion secondary round with TPG in December. With Rubrik performing well and Cohesity on its way to an IPO, it seems likely that Veeam will follow in 2026 or earlier.

Four other PE-backed companies seem destined for 2028 or beyond.

Acronis was publicly considering an IPO before a majority acquisition by EQT in August 2024. This pushes their timeline out to the end of a typical PE holding period.

Armis shared IPO plans for 2024-2025 and later disclosed $200 million in ARR. They announced a $200 million growth equity round in late 2024 with a five year strategic plan.

Exabeam talked about IPO aspirations back in 2021, then merged with LogRhythm under Thoma Bravo earlier this year. The combined company is sizeable, but it's going to take a few years before they're ready.

NetSPI looks like a long shot right now, but they're an interesting company to watch. KKR did a $410 million majority recap in 2022. The company is transitioning from offensive security services to products. This might all be coming together for them at the right time.

There's a lot going on with the private equity side of our IPO pipeline, both near-term and long-term.

The implication of so much private equity activity in the industry over the past five-plus years is that the acquired companies will eventually need to exit. We may start to see this play out in 2025, but the real action is going to be in 2026 and beyond.

This is all great, but two-plus years is an eternity

It's fun to look at IPO lists, but all of this is going to take years to get sorted out.

Don't take this list too literally, though. Several of these companies will go public. Others will get acquired. A few might falter.

Two-plus years is an eternity.

Any of the 100+ cybersecurity-related companies valued at a billion or more could technically be considered IPO candidates. Life comes at you fast though — for better and worse.

Just ask anyone at Lacework, who easily would have been considered an IPO candidate 2-3 years ago. They now have the dubious distinction of being one of the most spectacular meltdowns in the history of tech.³

The flip side is also true. Cybersecurity is building large and highly-valued companies faster than ever.

There will definitely be companies we didn't talk about today that will be obvious IPO candidates in a couple years.

Like I said, two-plus years is an eternity.

For now, let's celebrate that the cybersecurity IPO pipeline is alive and well. The timeline will align when it’s ready.

Footnotes

¹Doing this is more speculative, of course. It's hard to accurately predict IPOs even one year out, let alone two or more. Some of my analysis is bound to be wrong in retrospect. Consider this a starting point that we'll adjust over time.

²As humble, understated Minnesotans do.

³Although very salvageable within the friendly confines of Fortinet. This wasn't an FTX or Theranos situation — just blitzscaling gone sideways.

It’s almost 2025 now. Zero companies from the 2022 list have gone public.

Zero.

Outside of my list, there has been a tiny bit of activity:

• One traditional IPO for a cybersecurity-related company (Rubrik in 2024)¹

• Two nano-cap IPOs on U.S. exchanges (CISO Global and HUB Security in 2023)

• Two international listings (Hanssak and Yubico in 2023)

Better than nothing...but a pure-play cybersecurity company hasn't gone public since ForgeRock over 1,000 days ago. They've since been taken private and merged into Ping Identity.

This has been the story of the past three years: dozens of companies are stuck in the IPO pipeline, and more companies have been taken private than public.

So, all of this is to say: cybersecurity has an IPO pipeline — it just hasn't been very active.

It sure looks like 2025 (and beyond) is going to be different.

Tech IPOs have slowly resumed. Valuations have reset and stabilized. The incoming administration in the United States is pro-business with a relatively hands-off track record on regulation and antitrust enforcement.

More importantly, great companies are still great companies no matter what the economic circumstances. Cybersecurity has a lot of great companies in the IPO pipeline right now.

We're going to see more IPOs in the next three years than we have in the last three. There's an outside chance we could even break some previous records. But the bar is still high.

The three year, thousand-plus day IPO drought has put us in an interesting conundrum for analyzing our IPO candidates. There are too many companies in the pipeline to reasonably cover in one article.

This analysis is focused on companies who have a reasonable probability of going public in 2025.² We'll cover the pipeline for 2026 and beyond next time.

Before we get to the companies, you should know about an interesting dynamic in the current IPO pipeline.

Private equity owns a lot of large cybersecurity companies

The flip side of all the take-private activity by private equity firms in cybersecurity is...well, they own a lot of large cybersecurity companies now.

Private equity owns five of the 16 companies I have as candidates for the 2025 IPO pipeline. They also own six other companies who could go public in the next 2-3 years. Put differently, private equity owns about a third of the ~30 companies in the near-term IPO pipeline (the next three years).

This is a lot different dynamic than our previous IPO windows. We're used to venture-backed companies bursting onto the scene as the next big thing. All of the A-list cybersecurity (+related) companies of today went public this way.³

A handful of companies have taken a detour through private equity ownership on their way to public markets. SailPoint was owned by Thoma Bravo, and Ping Identity was owned by Vista Equity Partners before each went public (the first time). Jamf was also majority-owned by Vista Equity Partners before going public in 2020.

These were all private-to-private transactions, though. Private equity firms acquired these later-stage private companies and put on the finishing touches (and provided some liquidity) before taking them public.

Our pipeline still has a few never-before-public companies in private equity holding. What's different is the number of previously public companies who were taken private.

These were large, well known companies with revenue in the hundreds of millions (or higher). They ran into challenges with things like scale, growth, profitability, leadership, and/or other major business transitions that were better to address as private companies.

Several of them are going to be ready to go public again soon. In fact, a few are probably going to be the first companies to list in 2025.

Let's move on to the companies in the IPO pipeline, and I'll tell you why.

The 2025 IPO candidates

Of the 100+ cybersecurity-related companies I've analyzed for IPO potential, 16 of them have a realistic shot at going public in 2025:

These are probably names you've heard a lot about. An IPO candidate, at least in the traditional sense, means being among the who's who of an industry. Cybersecurity is no exception, especially as the profile of our industry has gained prominence across tech and capital markets.

For this level of analysis, the relevant distinction is between PE-backed and venture-backed companies.

PE-backed companies

There are five private equity owned companies in the 2025 pipeline. Four of the five have been public before (Mimecast, Proofpoint, SailPoint, and Sophos). Kaseya is a hybrid cybersecurity company (at best), but they do enough in cybersecurity to be mentioned.

This group has been among the most active strategic M&A buyers, highlighted by Sophos buying Secureworks (a public company) for $859 million in one of the largest cybersecurity services transactions we've ever seen. Kaseya, Mimecast, Proofpoint, and SailPoint have all made smaller tuck-in acquisitions, too.

Based on recent reporting, SailPoint will likely be the first company to go out among this group. It may even be the first IPO of any company in the pipeline.

Venture-backed companies

The 11 venture-backed companies in the 2025 pipeline have all waited patiently for their IPO window to open. Four of them were candidates on my (much shorter) 2022 pipeline list.

Most have been durable companies throughout the post-2021 decline, either raising more capital or debt to extend their runway (and grow, or at least preserve, their valuations). They've made lists like the Forbes Cloud 100 Lightspeed's Cyber 60, and more.

You're not here to gawk at lists, though. You're here to dig in deeper.

There are reasons why all of these companies are near-term IPO candidates, both qualitative and quantitative. Let's talk about the qualitative side first.

The qualitative side: who has said they're going public

As much as we can try to quantify the probability a company will go public, there's a lot of judgment involved. It's unavoidable. We're dealing with private companies, which means we have limited information about their financials until they file an S-1.

This means qualitative factors carry a lot of weight. The biggest factor here is who straight up said they're going to go public (and when).

Statements like these can sometimes be posturing. A handful are dated. Intent counts for something, though.

When a founder or CEO says their company is going to go public, we should believe them (to some extent, at least). Even more so if the numbers back it up. Every company in this list has the numbers (and/or other factors ) to go with it. We'll get into the numbers side shortly.

For now, here are (relatively) concrete statements about IPO intent and timing for companies in 2025 IPO pipeline. The quotes are either directly from founders/executives, investors, or credible media sources:

Mileage varies on the degree of commitment each statement carries, but my judgment says none (or very few) of these are a stretch.

It's also worth noting who hasn't said anything. Mimecast and Sophos are the only two companies from the 2025 pipeline without any specific comments about going public again (that I could find, anyway).

Both have been public companies before. We don't need to hear them say the plan is to public again — of course it is. The bigger question is when, and the quantitative side can help us figure that part out.

This is exactly where we're heading next.

The quantitative side: revenue, valuation, financing, and incentives

A company can say they want to go public, but actually doing it is another thing. They need the numbers to back it up if they want to have a successful IPO and stay in public markets. This is where the quantitative part comes in.

Most of the companies in the 2025 IPO pipeline have strong quantitative reasons to help convince us they're a near-term candidates. Again, we're dealing with imperfect information any time we analyze private companies, but we can make the best of what we have.

The three most helpful quantitative factors are revenue estimates (better yet, disclosures), valuation and financing, and (in the case of PE-backed companies) how long their holding period has been.

Estimated revenue

As we've moved past the ZIRP era, a big shocker for pre-IPO companies has been the revenue scale required to go public. Cybersecurity IPOs from 2003-2020 had a relative average of ~$175 million in annual revenue. Dozens of companies in our current IPO pipeline have been well above this mark for years.

Profitable Efficient Growth (PEG), otherwise known as the Low-Burn/High-Growth Era, came along and raised the bar significantly. Software IPOs in 2022 and 2023 (not many, but still) averaged $788 million in revenue.

Closer to home, Rubrik had $627.9 million of total revenue when they went public in Q2'24. Their revenue scale was ~2.3x larger than the next highest traditional IPO in the history of the cybersecurity industry.

We've entered a different era. Scale matters.

The exact revenue scale range is still widely debated, partly because we don't have many software IPOs to benchmark. For this discussion, let's say $500 million is pretty safe, and $250 million or above with amazing growth is possible.

Here's where the companies in cybersecurity's 2025 IPO pipeline stand, including both revenue disclosures and estimated revenue ranges projected from publicly available information:

Five companies are at (or very close to) $1 billion or more in revenue already. The scale part is a no-brainer. We'll have to wait for the S-1 filings to see the rest of the operating metrics. Unsurprisingly, this group of companies also had the most specific statements about IPO intent and timing.

The $500-999 million revenue range also has five companies, some of which are likely on the higher end of the range. I expect growth rates for this group are also very high, and not only the blistering pace Wiz is growing at.

Druva and Snyk are likely between $250-499 million in revenue based on recent disclosures. The success of subscale IPOs is probably case-by-case at this point. Both companies have a story for their path to $1 billion, which is good enough to be considered a candidate for 2025.

Four companies are either between $100-249 million of revenue or haven't provided enough information to make a reasonable estimate. They're on the list because of tangible actions they've taken to go public. Cato Networks hired bankers. Bitdefender has started the process of listing before. Coalition's CEO said their plan is to go public after a couple other IPOs happen. Socure had a credible report of IPO plans.

Revenue scale is the best quantitative measure we have available, but other metrics matter in the broader context of incentives.

Valuation and financing

Valuation and financing are by no means direct measures of IPO readiness, but they tell us a lot about the expectations stakeholders have — especially investors.

Late stage companies backed by venture capital, and especially private equity acquisitions, all have pretty clear and reliable valuation metrics. Investors aren't just pulling numbers out of the sky for companies at this stage. Valuations are based on reliable comps, detailed financial models, and years of preparation to shape the them into IPO-ready machines.

The 2025 IPO candidates hold most of the highest valuations among all cybersecurity-related companies:

And remember, the valuations you see here are just the most recently disclosed numbers we have. Current valuations could go up or down when marked to market today.

I didn't go all the way into reconciling estimated revenue with prior valuations based on current multiples. It's safe to say most of these valuations are stable, though.

And then there's Wiz — valued at $12 billion on paper, declined a $23 billion acquisition offer from Google, and currently reported to be exploring a sale of shares at a $15-20 billion valuation.

For the venture-backed companies, total financing also matters. Companies in the 2025 IPO pipeline have raised more capital than basically any other company in the industry (except a few of the 2026-2027 candidates).

They've also raised the most total capital across the entire history of cybersecurity companies, including all of our current public companies.

OneTrust, Netskope, and Snyk have all raised over $1 billion. Arctic Wolf, Cohesity, and Wiz are not far behind at $900 million plus each.

Cato Networks, Coalition, and Socure have all raised around $700 million. They're all on the lower end of the revenue scale, all likely under $250 million. Druva has been slightly more efficient, raising $475 million to hit ~$250 million in revenue.

Bitdefender is unique, with most of their $187 million in financing coming from a single secondary round by Vitruvian Partners. They're a Romania-based company with most shares closely held by CEO Florin Talpeș.

Private equity holding period

For companies owned by private equity firms, the holding period is a decent predictor for the exit timeline. Private equity firms (very generally) hold companies for 5-7 years.

Sophos is technically the only company in the 2025 group who has hit the window of a typical PE exit. This specific group of companies is pretty unique, though.

Four of the five companies (everyone except Kaseya) were formerly public companies. They were already large companies when they were taken private (Proofpoint had over $1 billion of revenue in 2021, for example). This means they're likely to exit sooner than the typical PE holding period.

The gotcha: how many cybersecurity IPOs can public markets handle in a year?

The analysis for the 16 companies in the 2025 pipeline seems plausible.⁴ There's just one really, really big gotcha.

We've never had more than 11 cybersecurity-related companies go public in a single year.

If you've been reading Strategy of Security for a while, I don't even need to tell you what year it was.

Yeah... 2021.

The second highest year?

Nine in 2020.

(I heard that sigh. I feel you.)

Here's the distribution since the Dotcom Bubble:

Outside of 2020-2021, the annual range for cybersecurity-related listings in IPO windows hovers right around 3-4 companies per year. This includes everything from traditional IPOs to SPACs, both hybrid and pure-play.

And remember, there's an avalanche of 40+ other companies in our IPO pipeline right behind them (more on these another time).

We're going to need five record-breaking IPO years in a row to clear out the backlog.

The next IPO window is going to be a good one. We're talking about an epic, never-before-seen streak here, though. Not going to happen.

It shouldn't be surprising if any one of the companies in the 2025 IPO pipeline goes public next year — but it would be very surprising if all of them do.

Footnotes

¹Backups aren't cybersecurity. I hear you. Rubrik and HashiCorp are not cybersecurity companies by the most strict definition of the term. They are mid-cap technology companies who generate a portion of their revenue from cybersecurity products, to be very specific.

²By "reasonable probability of going public," I mean a decent chance (call it 50/50 or above) based on both qualitative and quantitative data points. All of these companies will not go public in 2025. Some companies will slide into 2026 and beyond. Some companies I have in the pipeline for 2026 and beyond could still go public in 2025. And some companies may never go public. We're playing probabilities here, so this analysis is bound to be wrong some of the time.

³Plus others like SentinelOne, which is still one of the largest pure cybersecurity IPOs in history.

⁴I hope it's plausible, anyway. I want to hear about it if you think I'm off base anywhere.

It has also been 1,126 days (as of the day this article was published) and counting since a pure-play cybersecurity company went public.²

Our companies are both going private and staying private way, wayyyy more often than the voracious pace we were cranking out public companies at back in 2021 when I (now ominously) proclaimed that cybersecurity is going public.

What's going on here? Is the entire industry going to crumble?!

No, it's not. We're just getting over the sugar high that was 2021 when too many companies (across tech, not just cybersecurity) went public. We're in the no ice cream, hire a personal trainer, get bigger/faster/stronger period of our industry's journey.

All this change and volatility is unsettling, though. I get it. I literally check my LinkedIn feed first thing every morning to see which big cybersecurity company is getting acquired today. Large acquisitions don't happen every day, of course — but it sure feels like one could happen at any moment.

We need to unpack and thoroughly demystify all of this take-private and strategic acquisition activity. It's hard to make sense of one-off events.

When you look at big picture trends and data logically, I promise you that the future of our industry will start to look a lot more promising than it does today.

We just have to wade through some yucky stuff first. Let's ease into this by talking about something fun...ICE CREAM!

Ben & Jerry's used to be a public company

I know, right?! We've all heard of Ben & Jerry's, but I definitely did not know they were a public company for 15 years. It's a super interesting business story.

Ben Cohen and Jerry Greenfield started Ben & Jerry's (I know, who would have thought they would end up being marketing geniuses) with a whopping $12,000 of financing to open an ice cream shop at a renovated gas station in 1978.

Their wacky flavors and quirky brand caught on quickly. Like, rocket ship quickly in the world of consumer brands. They went public in 1985 and expanded rapidly, hitting $58 million of revenue by the end of the decade.

By the 1990s, competition in the premium ice cream market heated up (get it?). Häagen-Dazs and others turned things from an ice cream social into, well, real businesses. Ben & Jerry's struggled with profitability, and (crucially...) the founders realized they didn't really want to manage an actual company.

Unilever acquired Ben & Jerry's in 2000 for $326 million. Instead of letting the company melt, they found a strategic buyer who could give them the scale, distribution, and professional management they needed.

Almost 25 years later, Ben & Jerry's is still recognized as the top premium ice cream brand in the world. They're generating hundreds of millions in revenue (exact figures undisclosed), still making iconic flavors, and still advocating for the social causes they care deeply about.

Does this story feel a little bit familiar? Cybersecurity is a highly competitive industry torn between the societal value of security and the inevitable need for financial stability and growth. We have a lot in common with Ben & Jerry's. Their story might give us a peek into our own future, too.

Let's get back to cybersecurity and talk about what's happening in our own industry today.

What's happening: a wicked decline in public companies

Cybersecurity is dropping public companies like it's going out of style. I mean that literally — being a public company feels like it has been out of style for more than two years now:

Before 2022, there was only one year (2010) where our total number of cybersecurity-related public companies went down. HP acquired ArcSight, and no other companies went public that year. Down one, no big deal.

Something completely different happened in 2021 and 2022. Eight cybersecurity-related companies went public on U.S. exchanges in 2021.³ This included SentinelOne, whose IPO was valued at $8.9 billion — still the most of any pure-play cybersecurity company.⁴

Our IPO momentum violently turned the opposite direction in 2022. ZeroFox (a SPAC who was quickly taken private in 2024) was the only cybersecurity-related company to go public on a U.S. exchange.

Meanwhile, eight public companies were acquired over roughly the same period. Thoma Bravo's $12.3 billion acquisition of Proofpoint kicked things off in August 2021. Seven other companies followed throughout 2022.

We're still stuck in the same rut two years later. Seven more cybersecurity-related companies on U.S. exchanges were acquired from 2023 to 2024.

This count doesn't even include IBM's pending acquisition of HashiCorp
or Thoma Bravo's completed acquisition of Darktrace (listed on the London Stock Exchange, but a big company) for $5.3 billion.

The total count of cybersecurity-related companies that are publicly traded has gone down by 21% between the 2021 peak and today. Pure-play cybersecurity companies have seen an even steeper decline, down 36% over the same period:

Several more cybersecurity-related companies that are currently public have been rumored to be considering sales:

• SolarWinds: Was reportedly exploring a sale in October 2023

• N-Able: Reportedly began exploring a sale in May 2024

• Rapid7: Started receiving pressure from an activist investor to sell in June 2024

• Tenable: Reportedly began exploring a sale in July 2024

• Trend Micro: Reportedly began exploring a sale in August 2024

• Secureworks: Dell Technologies, the majority owner, reportedly hired bankers to explore a sale in August 2024

Very speculative rumors have also come and gone about CrowdStrike acquiring Radware and (get this) Wiz acquiring SentinelOne — although the latter was summarily dispatched by SentinelOne's leadership team.

On top of the activity with public companies, both strategic buyers and private equity firms are acquiring (or trying to acquire) later stage companies from our IPO pipeline:

• Lacework: Acquired by Fortinet (at a steep valuation decline) in June 2024

• Wiz: Attempted acquisition by Alphabet (Google) in July 2024

• Exabeam: Majority ownership acquired by Thoma Bravo and merged with LogRhythm in July 2024

• Recorded Future: Acquisition by Mastercard announced in September 2024

We're at 16 pure-play cybersecurity companies listed on public markets right now. It's unlikely (but possible) the number could drop as low as 10 if the reported sales happen and the window of opportunity remains closed for companies in our IPO pipeline.

Okay, so what's happening is very clear: cybersecurity is going private. Next, let's talk about why.

Why it's happening: more strategic moves, fewer investor complaints

There is a surprising amount of consensus around why so many cybersecurity-related companies have chosen to go private: it's a lot easier to make strategic moves as a private company.⁵

Here's a sampling of quotes to illustrate the point:

• Seth Boro (Managing Partner, Thoma Bravo) on Sophos: "Sophos’ leadership team is empowered to innovate faster and respond to market opportunities more effectively in a private setting."

• Gary Steele (former Chairman and CEO, Proofpoint): "We believe that as a private company, we can be even more agile with greater flexibility to continue investing in innovation, building on our leadership position and staying ahead of threat actors."

• Andre Durand (CEO, Ping Identity): "This move allows us to focus entirely on our innovation and customer success, without the distractions that can come with being a public company."

• Seth Boro (again) on SailPoint: "...taking a step back from the public markets at the time that the company did, we think is a great decision to accelerate this move to cloud and come out the other side as a, both a high growth and high profit business."

Their public statements are intentionally broad, of course. And this is not the only reason.

There's an elephant in the room we don't like to talk about. The thing most of our companies who were acquired (especially by private equity firms) had in common was declining growth and a lack of profitability.

From the standpoint of a CEO, it's better to take the company private or sell to a strategic buyer and work on the business outside the spotlight of public markets, especially with strong acquisition offers on the table.

Most of our public companies who sold are solid companies who do several things well. We've had a couple fire sales, but those are rare exceptions.

We're mostly in the position Ben & Jerry's was in — solid companies with a few problems but lots of upside. Our companies have options, which gives them the ability to make choices strategically.

Let's talk more about the strategic options cybersecurity companies have and where they go after exiting the public markets.

Where they go: private equity and some very large strategic acquisitions

Historically, cybersecurity-related companies leave the public markets in one of two ways: an acquisition by a private equity firm, or an acquisition by a strategic acquirer.

Any other scenarios are highly unlikely. Bankruptcies have happened, but they've been limited to small micro and nano cap companies. Across the entire history of cybersecurity, one hundred percent of the 27 mid cap and above company delistings are because of private equity or strategic acquisitions.

The breakdown between the two categories is the interesting part. Private equity firms have made 19 take-private acquisitions, or 70% of the total:

Thoma Bravo alone has been behind eight of the deals, to go along with ~20 other private cybersecurity company acquisitions in their portfolio.

Strategic buyers have acquired eight public companies, or 30% of the total:

All buyers are either large or mega cap tech companies. Cisco is the only repeat strategic buyer (probably no surprise).

This PE-to-strategic ratio is probably going to continue and may slant even further towards the private equity side. There aren't many bargain rack discounts left among the cybersecurity-related public companies we have left. Buying a large public company is expensive, so the buyer universe for this type of transaction is small.

Here's the thing about private equity, though: private equity ownership is almost never a final destination for an acquired company.

Private equity is like flipping houses. They buy a company to hold it for a period of time (typically 5-7 years, but it's case-by-case), improve the business, and (ideally) sell it for a profit.

It's pretty rare to see private equity firms hold on to portfolio companies long term. This means our industry has over 20 formerly public companies who are sitting in private equity holding right now and need to find a permanent home soon.

The two best options are taking the company public again or selling it to a strategic buyer in a private transaction. Those scenarios are the real end game here.

They've happened before in cybersecurity...just not as often or at the same scale as what needs to happen with the current set of private equity backed companies.

The absolute best case scenarios are either for a healthy, growing company to go public again and stay there, or to find the right strategic buyer. This doesn't always happen, of course — but I'm hopeful it can a majority of the time.

Imperva and ForgeRock are both good examples of companies who found a good strategic fit. Thales added Imperva to its now pretty massive portfolio of cybersecurity products in December 2023. Thoma Bravo merged ForgeRock into Ping Identity in September 2023, a logical strategic choice for two portfolio companies competing against Okta, CyberArk, and Microsoft.

SailPoint looks like it's going to be an example of a successful return from private equity to the public markets. In under three years, no less. This was their plan all along, and it appears they've executed perfectly.

These examples are successful blueprints. We need high performing companies going back into the public markets and staying there, and we need companies who aren't going to make it public again to find good homes.

In fact, our future probably looks a lot like Ben & Jerry's.

How this ends: Ben & Jerry's is in our future

The company, I mean. You're not getting ice cream.

...okay, you can have ice cream if you want.

You're not my toddler, you can do whatever you feel like. You probably deserve it by the end of this article.

Seriously though, my point with the Ben & Jerry's thing is that it's okay for a company to take a step back and regroup if it needs to.

Just because a company gets taken private doesn't mean it is imminently dead. Too often, we see headlines and instinctively assume the worst.

I understand. It's a natural reaction. Let's put our logic hats on for a minute, though.

As I've said before, big cybersecurity companies don't really "die." They're just smashed into pieces and split, merged, divested, rebranded, or any other action you can take on a business without actually killing it.

Later stage cybersecurity companies with 8-9 figures of annual revenue don't fully go out of business, no matter how bad they're struggling. They've created enough value for someone to find their problems worth fixing.

Each company's situation is incredibly nuanced, especially how to fix the problems that led to being taken private. It's not going to work out for everyone — they won't all be Ben & Jerry's.

Instead, we're going to see uneven outcomes. Several companies will go public again. Others will find nice homes with strategic buyers. And the ice cream will melt on a few of them.

We just want to save as many ice cream cones as we can. The example of Ben & Jerry's selling to the right strategic buyer is a perfectly good outcome, too. Sometimes it's better not to be a standalone company. We need to be okay with this.

Any way you look at it, we're going to end up with more public companies than we have right now. There are plenty of high quality IPO candidates between the current set of private equity holdings and later stage startups.

Cybersecurity might be going private now, but we'll be back to going public again soon.

Footnotes

¹This count includes cybersecurity and hybrid companies listed on major U.S. stock exchanges. It excludes micro and nano cap companies. They skew the numbers quite a bit. The focus for this article is on our larger companies with higher valuations, although we'll mention some of the micro and nano cap companies.

²A mid-cap or higher company, that is. HashiCorp and Rubrik both went public more recently than ForgeRock, but they're technically "hybrid" companies.

³The real total was even higher: 17 companies went public in 2021, including micro and nano cap companies and all global stock exchanges. It was a wild year.

⁴As of its opening valuation, anyway. CrowdStrike opened its first day at $6.7 billion in 2019 but closed at $14 billion.

⁵Publicly disclosed consensus, that is. I understand why you might want to dismiss this as boilerplate language for press releases. There's still some truth to it though, at least at a high level. It's undeniably difficult to be a subscale public company right now.

Sounds like some 1984-level propaganda, right?!¹

In George Orwell's famous book, the statement "2 + 2 = 5" is a tool used by the Party to demonstrate its ability to bend reality. They wear down people's minds to a point where they are forced to believe something that is obviously false.

The narrative and influence in the cybersecurity industry isn't nearly as insidious, of course — but reality can get distorted sometimes in the frenzy of hype and competition.

I recently made an observation about Accenture's $9 billion cybersecurity services business unit having more revenue than any pure-play cybersecurity company in the public markets today. I made the comparison knowing it would create some discourse...and that it did.

Several readers rightly pointed out that comparing revenue (or any financial metrics) between product and services companies is a stretch. I agree, but not to a point of avoiding comparisons altogether.

It's still useful to understand the scale and magnitude of product and services businesses. Both business models are essential parts of the cybersecurity industry. More importantly, there are way more interdependencies between the two than many of us realize.

The part that was missing from my comparison was context. There's a lot of nuance behind how and why different business models work the way they do. Comparing revenue alone is only one dimension (among many) that drives the value of a business.

Comparisons like this need context in a way that's just not possible in the world of social media. This article is to explain the context and nuances.² We're going for beginner-to-intermediate level here — just enough to help you navigate the most common business models for cybersecurity companies.³

I'm partial to Warren Buffett and Charlie Munger's (RIP) old school ways of evaluating businesses. They're both principled, independent thinkers who are categorically immune to business world Doublethink. So, I'm going to channel these two kings and do an old school, Berkshire-style analysis.

Let's kick it off with one of their favorite topics: economic moats.

Economic moats

Buffett and Munger like businesses with predictable revenue and cash flows. Even better when the competitive advantages driving revenue are hard to replicate. Here is Munger's definition of a good business:

We have to have a business with a durable competitive advantage—because without that, you’re just fated to compete, and competitors will drive your returns down.

This, friends, is a moat.

In cybersecurity, you'd think the "predictable revenue" part would make product companies with subscription-based revenue more appealing. It's not quite that simple. Here's why.

Product companies

Most of the earlier stage cybersecurity companies that started in the cloud era have subscription-based pricing, which means recurring revenue. Public companies like CrowdStrike and SentinelOne also have nearly all of their revenue coming from recurring subscriptions.

Other companies who started on premise (like CyberArk and Varonis) have been on multi-year transitions from non-recurring licenses to recurring subscriptions. This cohort of companies is in varying stages of transition with varying degrees of success.

Subscriptions and recurring revenue sure sound wonderful. They are! But just because a company sells products or services by subscription doesn't mean it has the economic moat Buffett and Munger covet.

Most product categories in cybersecurity are brutally competitive. They often have 10+ companies who all offer solid products. In the eyes of a buyer, they're interchangeable.

Switching costs are real (especially in the enterprise customer segment), but rarely insurmountable. CrowdStrike blew up your Windows systems? No problem, you'll have SentinelOne up and running in a few weeks or less.

Most product companies don't have as strong of an economic moat as you'd think.

Services companies

Business models for services companies are more diverse. Managed services like MSSPs, Virtual CISOs, and other operations-focused services have a subscription-based model.

Traditional consulting, professional services, and systems integrators do not. They usually charge by the (very expensive) hour. A small project for firms like Accenture or PwC is $100,000 or more. Large systems integration projects for enterprise clients are seven figures.

Multi-million-dollar engagement fees might sound awesome, but they're non-recurring. Partners and Directors constantly sweat it out to win new projects. I was one of these people once upon a time, and trust me — chasing non-recurring projects over and over again is hard work.

Services companies may not have the cushy recurring revenue of product companies, but the big firms (and some savvy smaller ones) have incredible economic moats. Things like amazing brand recognition, global scale, and deep client relationships get these firms deeply embedded in the world's largest enterprises. Any experienced enterprise CISO will tell you they're very hard to get rid of.

The big services firms with cybersecurity practices are unique creatures, though. Smaller, cybersecurity-only services firms don't have the luxuries of brand or scale to enjoy the same type of moats.

Some have deep client relationships, which is enough to create a mini-moat on its own. The rest, unfortunately, are transactional with no economic moat at all — just another body shop to get the mundane work done.

Reinforcing economic moats

A small irony here is that the economic moats of cybersecurity product and services companies reinforce each other.

Services companies need products to generate a large portion of their revenue. Product companies need services to help sell, implement, and operate the products. There's a reason why an estimated 90% of cybersecurity product sales go through channel partners.

Interdependencies manifest themselves differently across customer segments, but they're always a factor. Enterprise environments are complex, and so are the products they implement. Mid-market and SMB customers are less complex, but many of them rely on MSPs and MSSPs to partially or fully operate their cybersecurity functions.

Economic moats are the starting point for Buffett and Munger, but there's a lot more to a good business. Next, let's talk about predictability.

Business predictability

In the old school, long-term world of Buffett and Munger, "predictability" and "recurring" are not the same thing.

Their version of predictability is measured in decades — a demonstrated history of consistent, stable cash flows year in and year out. In Buffett's words:

The best business is one that, after you buy it, you can leave it alone for ten years, and it’s still going to generate cash flow.

This hasn't happened yet in cybersecurity. It doesn't even seem within reach.

Ten years feels like ten lifetimes in our industry. Broadcom and some of the private equity buyers might give this strategy a shot, but heavy reinvestment has been the only way to remain competitive so far.

Here's why we're so unpredictable.

Product companies

Revenue for cybersecurity's product companies is relatively predictable on a near-term basis — our market leaders don't just disappear overnight, and they all have above average retention metrics. Even in cases like Okta's security incidents or CrowdStrike's global outage, market cap gets wiped out but revenue doesn't.

We don't have the kind of long-term predictability Buffett and Munger cherish, though. Not yet, anyway.

Cybersecurity is a relatively young industry on the time horizon of the industrial era. We don't have many businesses of any kind with demonstrated market leadership over decades. Companies who have reached the top haven't sustained it for long, either. Look no further than Symantec.

Pure-play cybersecurity companies like Fortinet and Check Point might be starting to reach the territory of long-term predictability. They were founded in 1993 and 2000, respectively. 30-ish years is just scratching the surface of durability.

Sprinkle in the 10+ private equity take-privates of cybersecurity-related companies in public markets since 2020, ~70 billion-dollar acquisitions (and approaching 10 just this year), and ~250 total acquisitions per year, and you get the picture about why they consider industries like ours "unpredictable."

Services companies

Services companies are a bit more boring and predictable, especially the larger ones. Deloitte (179 years), PwC (175 years), EY (175 years), and KPMG (140 years) were all founded in the 1800s (!!!).

Accenture is barely younger than me (who is also starting to get old) at 35 years. Their ill-fated parent company, Arthur Anderson, was 89 years old when it suddenly burst into flames in 2002.

Put differently, the total combined age of the public cybersecurity companies with $1B+ revenue (Palo Alto Networks, Fortinet, Gen Digital, CrowdStrike, Check Point, Okta, Zscaler, and Trend Micro) is 197 years. These newfangled product companies are infants compared to the giant ol' services firms.

They haven't had cybersecurity consulting practices since the 1800s, of course — but they're far more predictable than the raucous product side of our cybersecurity industry house. Right or wrong, the top cybersecurity services firms basically are the top firms year in and year out.

With big services firms, we're talking about incredibly resilient and reliably profitable businesses that have steadily grown and produced cash flows for literally generations. Their revenue growth might only be single digits, give or take, but it rarely goes down.

Mileage varies with predictability for smaller cybersecurity services firms. Without the scale and economic moats the larger firms have, revenue and cash flow can be a lot more unpredictable. For a consulting firm, all it takes is the loss of a big client, slowing momentum in a key partnership, or something wild like a global pandemic to put the business in a bad spot.

Outsourcing and managed services firms like MSSPs and MDR companies have more predictability than consulting firms, even on a smaller scale. They operate in long-term contracts for repeatable, non-project based operational services. Once a managed service provider learns a customer's environment, the switching costs become high. Most companies don't burn through MSSPs year after year, even if the level of service is mediocre.

Generally speaking, cybersecurity services companies are more predictable at any scale (by the Buffett/Munger definition) than product companies. Most of them don't grow to the billion-dollar scale of Accenture, Deloitte, or PwC — but it's rare to see a services firm completely strike out on projects and revenue.

Product companines need predictability

The relative predictability of cybersecurity services companies is a good thing for product companies. It's one of the things that makes channel partnerships valuable.

Successful cybersecurity services firms have (predictably) strong customer relationships. They serve fewer clients than product companies, so it's natural to have deeper relationships than product companies — no matter how slick your AE is.

Anecdotally, services companies pull product companies through into new customer opportunities more than the other way around. The ratio isn't completely imbalanced, but deep customer relationships matter. Sequence matters, too: potential buyers often look to services firms for recommendations and evaluations of cybersecurity products.

From a customer's point of view, the predictability of relationships matters. Products come and go. I saw this myself with identity products during a decade at PwC. First it was Sun Microsystems, then Oracle, then SailPoint, then ForgeRock, now Okta. The churn isn't quite that sequential, but the momentum of product companies as partners definitely comes and goes.

Incentives between product and services companies are aligned a decent amount of the time, though. Services companies need products to implement and operate, and they want to partner with product companies customers want to buy. Product companies want to leverage service provider relationships and increase their odds of winning. This interdependency works — at least for market leaders and up and coming products that service providers want to partner with.

Next, let's discuss another hallmark of the Berkshire investment philosophy: capital efficiency.

Capital efficiency

One of the core investment criteria for Buffett and Munger is capital efficiency and the ability for a company to generate high returns on invested capital. Charlie Munger, as always, is good for an epic quip:

A great business is like a great athlete — it has low body fat and lots of muscle. It doesn’t need to spend too much capital to stay competitive.

Most cybersecurity product and services companies are more like couch potatoes — or, more generously, up-and-coming athletes in the low minor leagues. They lack capital effiency, but it happens for different reasons.

Let's talk about why Warren and Charlie are disappointed in us.

Product companies

Cybersecurity's publicly traded product companies all have respectable gross margins, emphasis gross. Their operating margins are low — more like negative (on average) until a recent emphasis on demonstrating profitability. The operating margins part is what makes them struggle with capital efficiency.

We're going to have to get a little accounting-ish here to explain why the nuances between Cost of Goods Sold (COGS), gross margins, and operating margins matter for product businesses, but it's worth getting into.

SaaS and subscription-based products (so, most of our cybersecurity products today) have very low COGS. The accounting definition has some minor variances, but in general, COGS for product companies includes hosting and infrastructure, third-party licenses or APIs, and sometimes things like customer support and capitalized software development costs.

The punch line is that all of these costs are low for product companies, especially at scale. For example, it barely costs CrowdStrike anything to sell another instance of the Falcon platform. They've already built it, and the marginal cost of replication is essentially zero.

Gross margins are where the good news about capital efficiency for most product companies ends. Operating expenses are a wildly different story.

People like Buffett, Munger, and the accountants aren't letting these fancy software companies off the hook so easy.

COGS is only one part of the equation for expenses. There are tons of other operating expenses. We call them Research and Development (R&D), Sales and Marketing (S&M), and General and Administrative (G&A) in financial reporting, but these are only high level classifications.

A few practical examples of each include:

• R&D: Building and and improving software (you know, like the main function of a product company) mostly avoids COGS and goes into R&D, an operating expense.

• S&M: Expensive steak dinnahs with salespeople, booths at RSA Conference (or drone shows instead) all add up.

• G&A: Cool perks like swanky SOMA offices, ping pong tables, and less fun overhead like finance and HR are all expenses in this bucket.

When you look at a more complete picture of the business and factor in operating expenses, you start to see why capital efficiency is a struggle in the ultra-competitive world of cybersecurity products.

High margins and capital efficiency are two core economic promises of software companies, including ours in cybersecurity. Because the marginal costs of replication are low, a product company's economics get better and better as it scales. Operating expenses continuously become a lower percentage of overall revenue, and they become more and more capital efficient (read: rake money).

It's not an empty promise. This does happen, at least in the broader tech world. The "Magnificent Seven" public tech companies are all good examples, especially the ones who sell purely software. Operating margins for these seven companies are ~20%, way above the S&P 500 average of ~13.5% (today).

Cybersecurity doesn't have any companies who have reached this level of scale yet. Most of our companies have high gross margins and negative operating margins. When expenses like R&D, S&M, and G&A enter the picture, the level of investment required to keep up with the Joneses is gnarly. It's no wonder most of our public and private companies are unprofitable, even if it's technically voluntary.

Will trends like consolidation, platformization, aggregation, or plain old expense management ever get us over the high bar people like Buffett and Munger have for capital efficiency? Eventually, yes — for some companies. But it's going to take a while.

Services companies

Cost structures have a major influence on a company's capital efficiency. Basically all cybersecurity services firms have this working against them by default. People cost a lot of money to employ, and they're necessary because services are labor-intensive.

Cybersecurity people are also expensive because they're smart and specialized. You won't find seasoned cybersecurity practitioners just walking down the street. They either have to be paid a small fortune or be trained from junior, usually fresh out of college levels.

Firms like Accenture, Deloitte, and others do both. PwC trained me fresh out of college, then paid a small fortune to retain me as I became more senior. It's a vicious and necessary cycle.

All this expensive labor adds up to a bad combination for capital efficiency.

The part our services firms have going for them is the reinvestment of capital side of the equation. It costs a ton to employ dozens (or thousands) of people, but firms don't have to reinvest much capital in service offerings, sales, or marketing. Their gross margins are bad compared to product companies, but their operating margins can be decent.

Big services firms reinvest in the business like any healthy business does, but cash flows are still high and owners (partners, usually) get nice distributions every year. Accenture's operating margins hover around ~14-15%, which is respectable for any company and borderline incredible for a services company.

From an employee's standpoint, the downside of being both salaried and junior is you can get squeezed for extra time to "reinvest" in the firm. You might get a bigger bonus at the end of the year, but you're not getting paid extra for the overtime hours you work.

Sales and marketing are generally handled by senior client service people, too. They have relationships with CISOs and other senior client people, so it's weird to put an extra sales person in the mix. Directors and Partners get paid a lot, but the firm doesn't have to pay double for its sales counterparts.

Marketing happens, but it's rare. They'll sponsor Phil Mickelson or Tiger Woods once in a while, but flashy marketing campaigns are about as rare as a hole-in-one. Marketing dollars get spent on conferences, thought leadership™, and other fancy things consultants do, but it's not a huge drag on overall capital efficiency.

What cybersecurity services businesses lack in gross margins gets made up in operating margins. They don't have the promise or upside a privileged few product companies achieve at scale, but they're rarely unprofitable.

Services partners keep the product cost structures clean

One of the main interdependencies between cybersecurity's product and services companies is delivery — strategy, implementation, and operations. Building a good product is hard, but so is getting (and keeping) it up and running in a customer's environment.

Most cybersecurity product companies work with channel partners (services firms) to implement, upgrade, and operate their products. This means product companies don't have to operate a massive services business unit in-house — they just farm out the work to partners and let them take care of it.

From a financial standpoint, partnerships with services companies are a nice boost in capital efficiency for product companies. Most public cybersecurity companies offer services, but it's a single-digit percentage of overall revenue. They're not trying to compete with channel partners, and especially not large cybersecurity services practices like Accenture and PwC.

In a hypothetical world where cybersecurity services firms didn't exist, product companies would be forced to have much larger services business units. They're capable, but their capital efficiency would take a hit because of the people-intensive cost structure of services.

Services are also a different core competency than building products. It's a massive strategic distraction most of the time. Their focus is better spent on building, selling, and supporting core products.

Everything we've talked about so far culminates in one area: scalability, growth, and valuation. Welcome to the main event.

Scalability, growth, and valuation

If services companies are so essential to the cybersecurity ecosystem, why do people constantly bag on them? And why are their valuations so much lower than product companies?

Two of the biggest reasons are scalability and growth. Warren Buffett nailed the dilemma:

The problem with a consulting firm is that you can’t scale it in the same way you can scale a product company. You need more people to sell more services, and that’s hard to scale without losing control of quality.

Let's talk about why this is and how it drives valuations for both types of companies.

Product companies

Like we discussed in the last section on capital efficiency, the appeal of product companies is building a product once and selling it N number of times. This is pure, unadulterated scalability in business.

With a cybersecurity software product, you get high scalability and low incremental costs. This means growth can happen very, very quickly. Every venture capital investor's dream is to invest early in a flashy new cybersecurity company, have it hit product-market fit, and grow quickly into a massive exit.

You can't grow or scale like this with cybersecurity services companies — we'll get into that in a second.

The implication of these differences in scalability and growth rate is one of the main reasons why both public and private market investors value cybersecurity product companies at higher revenue multiples than services companies. You might get a nice return out of a services company, but the big winners in cybersecurity are product companies.

There's the catch: the big winners.

Product companies are significantly more likely to have (relatively) modest exits, get acqui-hired, or fail completely.

But when a cybersecurity company gets the formula right, they grow quickly. The average compound growth rate of our public pure-play cybersecurity companies is 19%, well above the software industry average of 14%. CrowdStrike, SentinelOne, and Zscaler are all growing over 30%, which is among the best of all public software companies.

And then there's Wiz, the fastest-growing software company ever.

Investors have noticed how well cybersecurity-related companies perform, and valuations have skyrocketed. As of this week, six of the top ten companies with the highest valuation multiples have a cybersecurity component (Palantir, CrowdStrike, Cloudflare, ServiceNow, Datadog, and CyberArk).

Valuations, both public and private, are a fickle and inexact science, of course — but ambitious investors are going to bet on our product companies over and over again.

Services companies

Buffett's quote about services businesses is spot on, but I would also add: you need more people to deliver more services, not just sell them.

Delivering quality cybersecurity services at scale is incredibly hard. Delivering quality services at all, no matter what the scale, is incredibly hard. The nature of cybersecurity makes delivery exponentially harder, especially when the business driver for a project is regulatory requirements or a security incident.

Every seasoned enterprise CISO has their own horror stories about projects that went sideways with services firm X, Y, or Z. I've seen this movie dozens of times now. The CISO gets mad, kicks out the team, swears off working with them ever again, and brings in another firm. Maybe their luck is better this time, or maybe it isn't. And the process repeats itself to infinity.

Quality is part of the reason why scaling and growing a cybersecurity services firm is so hard. Marginal cost of replication is not a thing when you're talking about people and time.

If a cybersecurity services firm wins a new project, they can't just clone a team they already have and deploy them the next day. They either have to maintain a bench of people (which is bad because unutilized people cost money without bringing in revenue) or hire more of them. Hiring takes time, and who knows about quality. Scaling is a messy process.

There's a reason why there are only five pure-play cybersecurity services companies are publicly traded, and only two have valuations over $100 million. Investors have a hard time with limitations in growth and scalability. It feels a lot more appealing to put their money into software businesses.

Big cybersecurity services firms drive growth

Cybersecurity product companies can grow quickly, but they usually don't do it on their own. It's a top-down, procurement-led world where channel partners drive a lot of sales.

Large services firms like Accenture, PwC, and Deloitte are kingmakers. Many of our current or former public companies — ones like SailPoint, CyberArk, and ForgeRock — all had their growth heavily driven by global systems integrator partnerships.

The interdependence also works the other way. Building service offerings around emerging cybersecurity products and use cases is a driver of growth for services firms. The strategic rationale for a lot of cybersecurity services M&A is picking up smaller firms who have expertise with emerging products. One example is PwC's acquisition of EagleDream, which added cloud security services for AWS.

There are multiple ways for both types of companies to grow, but channel partnerships and joint GTM efforts is a big one in cybersecurity.

We've covered a lot of mechanics and practical examples here. Let's finish by talking about what it all means.

Not better or worse, just different

If you take one thing away from the article, I hope it's this: cybersecurity's product and services companies aren't better or worse businesses. They're just different.

Sure, they have different financial and operational characteristics you might classify as "better" or "worse" based on your own view of the world. Other people may have a different view.

Some of us care about investing in or working for a company with high growth potential. Others want consistent returns and long-term stability.

Warren Buffett and Charlie Munger have their view, which is investing in "wonderful business at fair prices." (They've never invested in a cybersecurity company.)⁴

When I decided to work at PwC, I cared about a balance of economic growth, stability, and professional development. I wanted access to learn about the largest companies in the world. I also kept my job during the global financial crisis in 2007-2008. I got exactly what I wanted, which is incredibly valuable to me.

That's exactly the point. Value is derived in so many different ways and depends on so many different things.

Economic value is an important way, for sure. It's not the only way. And it's certainly not possible for cybersecurity product or services companies to create on their own.

Acknowledgements

Thank you to Prem Iyer at Palo Alto Networks for teaching me the phrase "a dollar of revenue doesn't equal a dollar of revenue," and for the spirited and respectful LinkedIn discussions on this topic.

Footnotes

¹To be explicitly clear, I'm not saying any of the positioning or investor relations companies in our industry do is as evil or serious as totalitarian political regimes or psychological warfare.

²I don't have an accounting degree, but I've taken masters-level accounting classes and spent enough time working on financial audits at a public accounting firm to have a decent grasp of this.

³If you're an equity analyst or investment banker, you can probably skip this one. My goal is to share a practical explanation of the differences in business models for people who want to understand the industry but don't work in capital markets every day.

⁴Unless you count investments in large insurance firms who issue cybersecurity insurance as a small subset of their overall coverage. Buffett doesn't like it, either.

Bloomberg and Michael Novinson at ISMG did some solid reporting to break the news that Thoma Bravo is talking with bankers to underwrite a potential IPO.

On the surface, this move seems like it's defying the odds for a normal four-to-seven year private equity holding period.

It's defying the odds of the current IPO window, too. There hasn't been a traditional IPO for a pure cybersecurity company for over 1,000 days (and counting). Current market conditions are anything but favorable, at least for anyone other than the crème de la crème of the IPO pipeline.

SailPoint is anything but typical, though. I'm not convinced they even needed to go private in the first place, but here we are.

Taking SailPoint public again quickly was always part of the plan for Thoma Bravo, as partner Andrew Almeida made very clear in an interview with TechCrunch:

Our plan with SailPoint is to take them public as soon as we can, as an independent company, and re-IPO the business as a more SaaS-heavy, equally-to-higher growth business as to when they were public prior but generating a lot more cash flow.

News of an impending IPO is exciting to anyone who (a) likes SailPoint, and (b) wants this IPO drought for our industry to end.

This is far from a done deal, but it's credible enough to do some educated speculation about what it might take for SailPoint to go public again and stay there this time.

Let's start at the top with financial metrics.

Metrics: meeting the brutal expectations of the low-burn, high-growth era

The first thing SailPoint needs is obvious but complicated: financial metrics that meet the bar of today's low-burn, high-growth era of public markets.

Obvious, because strong financial metrics always underpin a successful IPO.¹

Complicated, because the standards required for a company to go public today are significantly higher than any previous IPO window, including the first time SailPoint went public in 2017.

Here's the crux of the current situation: Thoma Bravo acquired SailPoint for $6.9 billion. A great return for Thoma Bravo would be 20% or higher. SailPoint needs to be sold or go public at $8.5 billion (give or take, ideally higher) to make this happen.

The eight-point-five-billion-dollar question is: what metrics would SailPoint need to have to be valued at $8.5 billion?

IPO metrics have been a topic of intense debate within the tech industry this year. The analysis closest to SailPoint's situation is by Jamin Ball, where he breaks down what it takes to be valued at 10x revenue. Here's the punch line for performance among software companies valued at premium multiples:

• Revenue: They all have LTM revenue over $600m, and 16 have >$1B in LTM revenue (the top 10 all have LTM revenue >$1B).

• Growth: LTM growth ranges from 11% to 42% (median of 25%).

• Free Cash Flow: All but one company are Free Cash Flow (FCF) positive with a median LTM FCF margin of 27%.

SailPoint may not need a 10x revenue multiple, but their situation is close enough for the analysis above to be a good blueprint. Let's break down SailPoint's revenue, growth, and FCF one by one.

Revenue

Can SailPoint hit $1 billion in revenue? It seems like they can, or maybe already have.

They were sitting at $495.4M of revenue (TTM), $429.5M of ARR, and 31% revenue growth as of their last public earnings report in June 2022. They disclosed $600 million of ARR in Q3 2023. SailPoint's ARR has historically been lower than top-line revenue because they're in the middle of a transition to subscription licensing, so actual revenue is likely much higher.

If we project out SailPoint's revenue since going private at 30% top-line revenue growth, they're likely approaching $1 billion in total revenue already:

A growth rate of 30% might be generous in today's "economic headwinds" world of software purchasing, but they are close to billion-dollar scale at anything over 20% growth.

Speaking of growth...

Growth

Before going private, SailPoint was right around the cutoff line for cybersecurity's "high growth" and "low growth" cohorts. They averaged 21% top line revenue growth from 2019 to 2021, their last full year as a public company:

Based on historical numbers, they're just below the median of 25% LTM growth among software companies with premium revenue multiples.

Did they get back to 25% or higher since they've been a private company? We won't know for sure until they file their S-1. They hit 27% growth in 2020, so it's been done before. Their platform is just as relevant now as it was then.

And remember, they don't necessarily need a 10x multiple to have a good outcome. If growth is at 20% (exactly where it was when they were taken private), they're still comfortably within the range of growth rates for the top 20 software companies.

If their acquisitions (more on this later) and other developments in the identity security market have helped drive revenue growth, a 10x multiple might not be so bananas after all.

Now, if only they could grow profitably...

Free Cash Flow (FCF)

One of the reasons (and probably the main financially-related reason) SailPoint was taken private was the sharp FCF decline they took between the end of 2020 and the time they delisted in mid-2022:

A sharp increase in operating expenses took the wind out of their sails², cratering FCF alongside other spending increases across stock-based compensation and capital expenditures.

They were growing, but not efficiently.

Why did this happen? A lifetime ago in 2021, I talked about how expensive product development (R&D) would get with SailPoint's strategy to continue building (and slowly transitioning customers from) its on-premise and SaaS products:

SailPoint's challenge with this approach is in product strategy. Continuing to make investments in building both an on-premise and SaaS product is expensive.

IdentityIQ and IdentityNow are essentially two separate products with minimal overlap in the codebase. This differs from competitors like ForgeRock, who run essentially the same product on-premise and in the cloud.

A multi-year transition process with no end in sight either means continuously high expenses in developing both products or dilution of progress in both.

Even though product and R&D expenses increased, they were only part of the story. As it turns out, it's prohibitively expensive to build and sell two different identity platforms. Sales and marketing expenses (as a percentage of revenue) increased by 13% from 2018 to 2020.

They were burning cash by fueling two fires at the same time.

SailPoint's expenses got out of hand for a brief period, but they're still in good shape if Thoma Bravo's private equity financial fitness bootcamp puts them back on track with pre-2021 levels.

Thoma Bravo basically confirmed this is happening already. Again from Andrew Almeida:

Then Q1 and Q2 of this year, it feels like things are maybe not getting back to peak levels, but certainly, we have a path to better times ahead. . . . The pressure of growing but doing it profitably, SailPoint has [flipped to material EBITDA profitability].

So, based on everything we just talked about, is a premium multiple possible for SailPoint?

I think it is. Difficult, but possible.

An $8.5 billion valuation (or higher) likely means an 8-9x revenue multiple. It's a premium multiple (based on the current 5.3x median for software companies), but not an impossible one.

With SailPoint, we're not talking about the need for a top ten revenue multiple in the software industry (currently 15.4x). They only need to be better than your average software company, which I'd argue SailPoint already was before going private.

Here's the thing, though. Financial metrics and revenue multiples are only part of the giant puzzle required to have a successful IPO. Again from Jamin Ball:

Revenue multiples are tricky. On one hand, they’re a great shorthand that allows us to line up 80+ software companies and evaluate them relatively with a single metric.

...

BUT, a revenue multiple is just a shorthand valuation framework. Baked into a revenue multiple are assumptions around growth, margins, market opportunity, competitive dynamics, etc. And most importantly, looking at those assumptions 5-10 years out vs today.

Market opportunity, competitive dynamics, and 5-10 year thinking aren't financial problems — they're strategy problems. We're all about strategy here, so let's talk about that next.

Narrative: a good story around their ability to win a hyper-competitive identity security market

For SailPoint to have a successful exit, they need to make investors confident they can keep up strong financial metrics and win the market opportunity for workforce identity.

Fortunately for them, the narrative right now is about as good as it's ever going to get.

There is a unique window of opportunity in the identity security market with Okta's security incidents and two major competitors (Ping and ForgeRock) being taken private and merged together.³

SailPoint is well positioned to capture the opportunity — at least in the workforce identity portion of the market.

So, what have they done to take advantage?

Under Thoma Bravo's ownership, they've acquired Privileged Access Management (PAM), third party access, and Identity Threat Detection and Response (ITDR) companies:

This matches two of Okta's moves, including their entry into the PAM and ITDR markets. It also puts SailPoint in a position to compete more directly with CyberArk in PAM.

Outside of M&A, SailPoint was also in the middle of their transition from on-premise to SaaS. This was probably the main strategic reason that drove them to go private.

Anecdotally, I've heard good momentum on SaaS adoption for new implementations. This has to be part of the narrative if they're going to go public again. SailPoint isn't going to completely shed its on-premise identity platform, but marking accelerated migration to SaaS as a W is good enough.

I'm somewhat surprised SailPoint (via Thoma Bravo or otherwise) hasn't tried add Single Sign-On (SSO) and complete the narrative of being a comprehensive workforce identity platform and fully competing with Okta.

There was some speculation about SailPoint also merging with Ping and ForgeRock, but a strategic move like this one may have been too financially risky and too jarring for customers to handle.⁴

The decision not to compete directly with Okta, Azure, CyberArk, and others in workforce SSO is a strategic insight in itself. SailPoint doesn't need to be a complete workforce identity platform. Instead, they need to avoid competition as much as they can.

Their strategy is to completely own the Identity Governance and Administration (IGA) space in the enterprise market. No company has been able to durably lead this market — not Sun Microsystems, Oracle, or anyone else who has been a market leader in the past.

SailPoint is easily in the best position to own the enterprise customer segment between the gaping void of Okta's brand new product and a slew of legacy products. There are tons of great cloud-focused IGA startups, of course — but they're still a ways off from competing directly with SailPoint in the enterprise. Savyint is the only company who comes close.

If the financial metrics were close enough to being IPO-ready, a strong strategic narrative shaping up faster than expected is what could drive Thoma Bravo to accelerate the exit timeline for SailPoint.

But does the exit have to be an IPO? I think it does. Let me tell you why.

Alternatives: No strategic buyers at a better outcome than an IPO

A second IPO for SailPoint isn't the only option, but it's the most probable. A strategic acquisition seems like a long shot.

Billion-dollar acquisitions don't happen very often in cybersecurity. We've only had ~70 total cybersecurity-related transactions of any kind (PE or strategic) over $1 billion in history. Roughly half of those acquisitions were done by strategic buyers.

And we're only talking about a $1 billion floor here. An $8 billion plus acquisition is a much higher bar to clear.

There have only been ~15 cybersecurity-related acquisitions over $5 billion in the history of the industry, and only ~5 over the $8.5 billion price I guessed it would take for SailPoint to exit.

Broadcom (VMware and Symantec), Cisco (Splunk), and Gen Digital (Avast) are the only three strategic buyers who have ever paid over $8 billion to acquire a cybersecurity company.⁵

Large and mega-cap tech companies are the only strategic buyers who can realistically absorb an acquisition of this scale. Palo Alto Networks, CrowdStrike, and the rest of the pure cybersecurity companies aren't doing this big of an acquisition — especially not in a market they've been reluctant to enter.

The buyer universe among strategics just doesn't look favorable for SailPoint:

Microsoft Entra is a relatively complete workforce identity suite. Broadcom already owns a Frankenstein of an identity suite, too.⁶ The same goes for Oracle, IBM, and Thales.

Amazon (AWS) doesn't buy many cybersecurity companies, and a product like SailPoint isn't a strategic fit for their roadmap. I expect Cisco will buy an IGA product, but likely an earlier stage company.

We're left with Alphabet (Google Cloud) and HPE as the most likely possibilities unless an unexpected buyer steps up.

Any way you look at it, there just aren't many potential buyers.

I don't see SailPoint wanting to move to another private equity firm, either. Thoma Bravo has sold portfolio companies to other PE firms before. There's too much mutual respect for something like this to happen with SailPoint.

Going public is the best option Thoma Bravo has for SailPoint if they want to control the timing of the exit.

Outcome: not if, but when

An IPO for SailPoint seems inevitable. As the old trope goes: it's not if, but when.

They're close to the financial metrics public markets currently expect for premium valuations. The strategic narrative is never going to get better than it is now. And nobody else is going to buy them.

Thoma Bravo doesn't have to do anything unnatural here, though.

The advantage of being only two years into the holding period is patience. They can afford to wait if they determine the timing, valuation, or anything else makes this the wrong time to go public.

We're running out of time for an IPO to happen in 2024, but it's still possible. Otherwise, 2025 seems likely.

The exact timing matters less than the outcome. SailPoint has already gone public and been taken private once. The next time is their last chance.

Footnotes

¹Successful traditional IPOs, anyway. Metrics are kind of out the window for SPACs, reverse mergers, and micro-cap companies who go public. They're generally operating on a smaller scale that's outside the scope of this discussion.

²See what I did there?! Let me have this one. Jokes are hard in financial analysis.

³I know, it's ironic that Thoma Bravo (the same private equity sponsor) is also responsible for this, but it's not as manipulative as it might look. They paid dearly for Ping and ForgeRock ($5.1 billion in total). Tanking both companies to help SailPoint is obviously not a good strategy.

⁴And too difficult for antitrust regulators to stomach. Thoma Bravo's acquisition of ForgeRock already got delayed because of antitrust concerns. Trying to smash three large identity portfolio companies together is probably not a good look.

⁵VMware isn't a pure-play cybersecurity company, either. I included them just to make a point, but it's hard to attribute the cybersecurity-related value of this deal.

⁶Don't you dare call this a platform. It's more like a pile of skeletons left over from CA and Symantec that a few poor enterprises still can't exorcise.

Their acquisition of Recorded Future might look surprising at first. It makes a lot more sense once you dive into the details.

The financial services and cybersecurity industries have long been converging. This acquisition is both another milestone and a preview of what's to come.

The second and third-order consequences could be even more important. This deal's unique structure gives us clues about what could happen with other later-stage companies in the industry.

Mastercard-Recorded Future is really just the beginning of the story for both financial services and the rest of cybersecurity.

To understand the future, we need to start by looking at the past. Let's talk about how much convergence has already been happening between financial services and cybersecurity.

Past: Financial services convergence was already happening

The convergence of financial services and cybersecurity has been happening for over two decades.

I'm not talking about financial services companies just spending money to buy cybersecurity products and services. They do spend tons of money on cybersecurity—but you probably knew that already.¹

The part you (and me) may not have fully realized is how many financial services companies are active strategic acquirers of cybersecurity companies.

Altitude Cyber has tracked 47 cybersecurity-related transactions by 17 unique financial services acquirers at over $10.5 billion of disclosed deal value since 2007. Here's the data (excluding Mastercard for a second):

Six transactions were over $500 million, and two were over a billion. Add a $250 million strategic investment in BitSight from Moody's into the mix, and you really start to see how strategic cybersecurity, risk, and fraud are to financial services companies.

The trend of cybersecurity-related acquisitions by financial services has been gradually picking up, with 79% of total transactions and 96% of disclosed dollar volume happening within this decade:

But no financial services company has been a more active buyer than Mastercard.² The company has been building and buying cybersecurity-related products for years. They've formally had a cybersecurity business unit since 2017. Their involvement in the industry was significant well before they made it official.

Mastercard has already added identity verification (Ekata), behavioral analytics (NuData), third-party risk (RiskRecon), external threat intelligence (Recorded Future), and more.

With Recorded Future, Mastercard now has nine total acquisitions at over $3 billion of disclosed value:

Note: emphasis "cybersecurity-related." Transactions include fraud, risk, and other adjacent things you'd expect from one of the largest financial services companies in the world.

Recorded Future is Mastercard's largest disclosed acquisition yet, cybersecurity or otherwise. This move signals they're after something bigger. It also shows us what's possible when strategic priorities fully align.

Let's move to the present and dig into the implications of Mastercard's cybersecurity strategy for Recorded Future and beyond.

Present: Why cybersecurity is strategic for Mastercard

In an incredibly open and direct post-acquisition interview with Michael Novinson at Information Security Media Group (ISMG), Mastercard EVP and Head of Security Solutions Johan Gerber clearly laid out the strategic rationale for Recorded Future and the long-term game plan for the rest of Mastercard's cybersecurity portfolio.

Gerber left no doubt about the severity of the problem Mastercard is facing:

"Being in payments, you're one of the most attacked sectors out there. Anybody who wants money will come after you."

This may sound unsurprising at first, but it's surprisingly hard to comprehend the scale of the problem.

Verizon's Data Breach Investigations Report (DBIR) has been chronicling breaches and threat actor activity for 16 years and counting. 95% (!!!) of threat actor motives in breaches are financially-related.

It's been this way for years. Nothing else comes close.

Meanwhile, for Mastercard (and the entire ecosystem of payment processors, banks, ecommerce, etc.), the volume of digital transactions just keeps growing. They're currently estimated at 30-40% of Mastercard's total transaction volume.

If all the companies in the world were mapped to a dart board, Mastercard is at the center of the bullseye.

This brings us to the problem statement. Again, from Johan Gerber:

"How do we constantly increase the level of security across payments?"

The word "constantly" is telling here. Attacks are constant. This is never going to change. Instead of being complacent, Mastercard is choosing to keep raising the bar for security...well, constantly.

Here's the part where Mastercard's strategy gets fascinating. Their interests are much broader than securing their own company and customers. Mastercard is in an incredibly unique position to create value for the entire payments ecosystem.³

The bigger opportunity here is selling sawdust. Sure, it's a bummer that Mastercard is one of the most attacked entities on Earth — but this also means they have a massive amount of both transaction data and first-party fraud data.

A portfolio of cybersecurity, risk, and fraud products makes this a feature, not a bug. Ekata and RiskRecon are good examples of how Mastercard is already using the good and bad sides of its scale to vertically integrate and sell its own sawdust.

The first part of the value chain starts with a new account. When someone wants to use an identity and open an account, Ekata verifies the identity and uses fraud data to indicate whether the attempt is real or fraudulent.

With RiskRecon, they score the entire payment ecosystem — banks, processors, and everyone connected to them — every ten days. When a serious risk gets identified, both the directly impacted party and affected third parties get notified.

Recorded Future underpins nearly every step of Mastercard's transaction and fraud prevention processes from account origination through settlement. Adding external threat intelligence on top of Mastercard's proprietary data potentially has massive upside, both internally and for customers.

The less obvious advantage is the strategic value Mastercard's fraud and transaction data gives Recorded Future. Owning the company outright allows Mastercard to share proprietary data in a way that's hard to do with a partnership alone. This creates a unique moat for both Recorded Future and Mastercard, especially with financially-related threat intelligence.

The real significance of Mastercard-Recorded Future is far beyond a single acquisition. Let me explain why.

Future: What this means for other companies the cybersecurity industry

Mastercard-Recorded Future is just one example, but good deals like this one can influence the rest of the industry in a big way. I see this as a beacon for strategic buyers, investors, and later-stage companies throughout the ecosystem.

Cybersecurity companies in the IPO pipeline

Recorded Future was a viable IPO candidate, especially by historical public market standards for cybersecurity-related companies. Maybe not the top of the heap, but definitely viable.

At ~$300-400M in revenue, they are well above the ~$175M revenue scale it took for 30 other cybersecurity-related companies to go public between 2012 and 2022.

Cybersecurity has (roughly) 20-30 other private companies sitting in the $250-500M revenue range today (including both VC and PE-backed). It's a big backlog — and we still haven't had a traditional IPO for a pure cybersecurity company since ForgeRock went public almost exactly three years ago.

Some companies in the pipeline will successfully go public, but not all 20-30 of them. This means the rest will either (a) raise capital/debt to extend their runway and scale bigger, (b) sell directly to strategic buyers, or (c) sell majority or full stakes to growth equity or private equity buyers (what Recorded Future did).

If high quality, scaled cybersecurity companies like Recorded Future are willing to be sold at a reasonable revenue multiple, we're going to see more strategic acquisitions and fewer IPOs.

Strategic buyers in cybersecurity

We could see more "non-traditional" strategic buyers like Mastercard if (a) the convergence of cybersecurity and everything keeps happening, and (b) more companies outside of cybersecurity view security as strategic.

Mastercard and Visa are two of the ~20 most valuable public companies in the world, valued at $448.9 billion and $524 billion respectively as of today.⁴ Mastercard had $7 billion in cash and cash equivalents sitting on their balance sheet as of their latest earnings report. Companies this big can make huge acquisitions look like bargain shopping at Nordstrom Rack.

As security becomes more strategically important for companies outside of cybersecurity and big tech, the pool of potential buyers capable of $1B+ acquisitions gets bigger. With over 100 VC and PE-backed companies valued at $1 billion or more (on paper), we need as many strategic buyers as we can get.

The revenue multiple for this deal looks like a reasonable ~8-9x, exactly the average of today's public market comps for cybersecurity companies (and higher than Rubrik's ~6x IPO earlier this year).

Everyone wants the 40-50x multiple Wiz almost got, but it's exceptionally rare to find a strategic buyer willing to pay that much for a scaled company. An exit at 8-9x revenue is a pretty good outcome right now, and it's a reasonable number for more strategic buyers.

Growth equity

An easy-to-overlook detail in this transaction is that Recorded Future sold a majority stake to Insight Partners for $780 million in 2019. Rather than waiting and eventually raising a gigantic early 2020's venture era round and trying to go public, they sold most of the company — a very good exit, but atypical for the times.

The blueprint for Insight Partners and Recorded Future might become a lot more common after this deal. Selling to Insight Partners was a highly strategic move, not a desperate hail mary to save the company. Christopher Ahlberg, co-founder and CEO of Recorded Future, explained at the time:

"With a single shareholder, where there is alignment, you can execute more effectively."

Recorded Future wanted a strategic partner for their next phase of growth, and they clearly got one with Insight Partners.

Comparable situations have happened in the past with similarly good results. A few examples (though not exactly the same) are Thoma Bravo with SailPoint (the first transaction), and Vista Equity Partners with both Ping Identity and JAMF.

This model works especially well in market conditions like today. It provides near-term liquidity and eventually facilitates IPOs or strategic acquisitions. Growth equity or private equity backing is going to be an appealing option for a lot of later-stage companies while subscale IPOs aren't an option.

Convergence, vertical integration, and exits

There's a lot going on here — a lot more than what meets the eye from a single transaction.

The history and accelerating trend of financial services converging with cybersecurity, risk, and fraud is worth paying attention to. As Johan Gerber says, "The lines are graying out between cyber and fraud."

Mastercard is going to keep vertically integrating components across the entire ecosystem of cybersecurity, risk, privacy, and trust as their strategic priorities become more clear.

Their cybersecurity and customer experience solutions business is well into the hundreds-of-millions in revenue once Recorded Future and its ~$300M-400M of ARR closes.⁵ Expect a constant drumbeat of strategic build, buy, and partner activity for years to come.

For the rest of the cybersecurity industry, this deal is both a victory and a poignant reminder about how hard it is to achieve a successful outcome. Sometimes, the best possible strategy is acquisition that makes perfect sense on both sides.

Acknowledgements

Thank you to Dino Boukouris, John Gould, and the team at Altitude Cyber for collaborating with me on the financial services M&A data in this article.

Footnotes

¹Remember the whole 'J.P. Morgan spends half a billion on cybersecurity' thing a few years ago?! Accurate or not, financial services as an industry spends a lot on cybersecurity.

²Although LexisNexis is close, with eight acquisitions and $1.6 billion of disclosed value.

³And monetize some of the value they create, of course. Some capabilities they build and acquire are solely for the benefit of their cardholders and/or merchants. The ideal situations are when Mastercard can both protect itself and provide value back to the rest of the ecosystem.

⁴And we thought Palo Alto Networks being valued at $100 billion+ was impressive. Okay, it's still impressive...but companies like Mastercard and Visa give us some context about how massive the financial services industry is.

⁵It seems unlikely Mastercard's cybersecurity business unit is over $1 billion in cybersecurity-related revenue yet. I could be wrong. In any case, it's a nine-figure business and well on its way to a billion.

It's happening in purchasing.

Yep, purchasing.

Cloud security and name-your-favorite-category are cool and all, but purchasing is cybersecurity's hundred billion dollar problem.¹

I lived the pain of buying and selling cybersecurity products and services for over a decade. Nobody likes buying or selling things the way we do today...yet here we are.

If you've had similar experiences in your career, you understand exactly what I'm talking about. If you haven't, let me tell you: it’s brutal.

We're at a crucible moment in time, caught between the past of top-down sales and steak dinners, reeling from the illusion of Product-Led Growth (PLG), and more discontent about buying and selling cybersecurity products and services than ever.

A shift is underway. The early signals are visible, but only to savvy observers.

That's why I'm joining Ken Yao and the team at Cyberse as an advisor. They're uniquely capable of understanding the nuances of cybersecurity purchasing and the needs of the buyers and sellers of tomorrow.

To say I'm amped to help bring a company like this into existence is an understatement.

Let me tell you the reasons why I think cybersecurity purchasing is going to change dramatically and why marketplaces are the best way to do it.

...okay, okay — I need to tell you. It's cathartic. I have a lot to say after living this pain daily for more than a decade.

Let me start by telling you a quick story about my favorite thing I've ever bought.

My gold standard for major purchases

I just bought my first Tesla a couple weeks ago. You know what else I want to be like buying a Tesla?²

Everything.

Seriously. The process of buying a Tesla is how every major purchase should work.

Every step in the process is meticulously thought out.

Test drive? Book the exact time you want online. No schmoozing with salespeople. There isn't even a key. Just get the app, head to the store, hop in, and drive.

Shopping the inventory? It's all there on their website. No clunky dealer or third party aggregators needed.

Buying the car? The purchase is basically complete before you ever set foot in the store. No need to block off three hours of your day to haggle with salespeople or sign a five foot stack of paperwork. The car costs what it costs, and you can buy it right in the app.

Anything in the process that went sideways was my fault (expired driver's license...whoops). But even when something did go wrong, their process handled it gracefully and kept on moving.

I'm not saying I never wanted to talk with a human during the purchasing process. I had questions about which home charger to choose, and it really helped to talk with someone.

But talking with someone wasn't the default. I had all the information and process available to me if I wanted to make all the decisions myself. The inventory was clear. The price was clear. The steps were clear.

What a huge difference that makes.

I have seen the future, and there's no going back. Any lesser experience than this one isn't good enough.

This is exactly the problem. Other major purchasing experiences (ahem cybersecurity products and services) aren't like Tesla.

You can barely see a product without booking a live demo. Pricing? Ha – “Talk to Sales.” Need help deciding what to buy? You’ll need a consultant for that.

Tesla isn't a marketplace, of course. The important idea here isn't explicitly a marketplace — it's a flawless purchasing process.

Cybersecurity does not have a flawless purchasing process. Far, far from it.

This critique is so widely accepted that I don't even need to say anything about it. I'm only going to because it's entertaining.

Tales of cybersecurity purchasing inside the world's largest enterprises

Let me give you a few quick examples from my own career about just how wacky cybersecurity purchasing is.

A company spent three months evaluating a secondary technology for a major strategic program in their security organization. They flew in no less than ten vendors for in-person demos, got wined and dined weekly, and basically stopped everything else they were doing. They didn't buy any of the products.

Another company repeatedly bid out phases of a multi-year project with no intent of choosing any of the other participants. They leaked our full proposal to a competitor to help make their response better. The procurement processes ran for weeks, delayed the program, got someone fired, and saved no money in the end.

Cybersecurity companies can be pretty wasteful too. One of them flew in entire sales teams multiple times to meet with us — usually for "relationship building" (nice dinners and drinks) or potential deals even the most junior team members could call out as unqualified. No deals were closed, and most of the sales team was let go.

We don't have time for these shenanigans anymore. Not during the expense management era we live in today.

I'm not saying all sales meetings (or salespeople) are bad. Face-to-face is always valuable when it's high impact.

But doing 'things that look like work' isn't going to cut it. You can have sales meetings, procurement processes, whatever — but they'd better be a good use of time.

I know this sounds cranky. That's the point. My generation of buyers is divinely discontent. Let's talk more about why.

The next generation of cybersecurity buyers is divinely discontent

My Tesla buying story is off-topic, but it's a critical insight into where cybersecurity purchasing is headed.

People like me (30 and 40-something-year-olds, now at Sr. Manager/Director/VP/CISO level) are the next generation of security leaders and buyers. Tesla is the way we want cybersecurity purchasing to work.

There's a great Jeff Bezos quote about this hard-to-nail-down sentiment. It's from Amazon's 2017 Letter to Shareholders. Bezos describes customers as "divinely discontent":

One thing I love about customers is that they are divinely discontent.

Their expectations are never static – they go up. It’s human nature. We didn’t ascend from our hunter-gatherer days by being satisfied.

People have a voracious appetite for a better way, and yesterday’s ‘wow’ quickly becomes today’s ‘ordinary’.

Divinely discontent.

Guess what? Thousands of cybersecurity buyers already have a voracious appetite for a better way. Thousands more are going to be in senior leadership positions during the next decade and beyond.³

Like it or not, we're going to get our 'better way' sooner or later. In the world of cybersecurity purchasing, marketplaces are one of the ways.

VARs are the legacy model. My generation of practitioners would rather not work with them.⁴

We don't want to deal with vendor sales or bake-offs either. A good marketplace is the right balance — just buy what you want and get started.

Millennials don't want to waste time buying things. We don't like dog-and-pony shows.

We want information, decision support, and low friction.

We want people to be available when we need them, but technology-driven workflows need to be the default option.

We want sales-assisted purchasing, not sales-led. You can buy my steak dinner after the purchase has been made.

This shift in cybersecurity purchasing behavior is playing out in plain sight. Cloud marketplaces are a big clue.

Marketplaces are already here, they're just not evenly distributed

You've probably seen a few marketplace-related announcements in passing from large cybersecurity companies:

• CrowdStrike went over $1 billion in total sales on the AWS Marketplace in October 2023.
• Okta said it's generating $175 million of annual contract value (ACV) from the AWS Marketplace during the company's Q4'24 earnings call.
• Zscaler has been winning seven-figure deals on the AWS marketplace for years.
  

Palo Alto Networks hasn't disclosed specific numbers about their cloud marketplace partnerships, but they may have given the most definitive endorsement of all:

"It’s not just where the puck is headed. It’s where the puck is now." —Prem Iyer, SVP, Global Ecosystems at Palo Alto Networks

It's easy to write announcements like these off as run-of-the-mill PR, though. I can't blame you. I did for years.

My wake-up call came when I found out PwC had quietly started selling cybersecurity services on the AWS Marketplace. I never thought this would happen when I left the firm five years ago. Like, bet my entire retirement savings, never. Good thing it wasn't a real bet.

Once I started paying attention to this marketplace trend, subtle hints started popping up everywhere. Here's another shocking example you probably haven't heard about yet.

Vendr, a YC-backed marketplace upstart, just shared this data about Wiz:

All of these numbers are surprising, but one stands out to me: mid-market buyers have an average Annual Contract Value (ACV) of $138k with Wiz.

Transacting 1% of Wiz's total revenue is pretty significant, too — that's $3.5 million annually at Wiz's most recent $350 million ARR disclosure.

The most staggering clue of all was buried deep in a random vendor webinar about Wiz: "As of today, roughly 50-60% of our revenue goes through the marketplaces."

Wiz, the fastest growing company in the history of software, is generating more than half of its revenue through marketplaces. They found a cheat code most cybersecurity companies haven't caught on to yet.

Now that our eyes are wide open, let's adjust the aperture. If we zoom out and look across the entire software industry, the marketplace numbers start to get wild. 

In a recent Canalys study, 80% of surveyed channel partners (read: product or services companies) have already seen customers buying from cloud marketplaces. Eighty percent. Today.

By 2025, they estimate cloud marketplace transaction volume will hit $45 billion with an 84% compound annual growth rate (CAGR).

It's hard to find a market in cybersecurity or all of tech with a higher growth rate. Yet we barely pay attention to this one because marketplaces aren't a typical product or service.

Forecasts aside, these anecdotes and data points can be taken as signals about willingness (if not straight-up preference) to buy and sell software and services through marketplaces. 

I think the trend is going to continue as the divinely discontented millennials inevitably assume leadership positions. We don't buy like previous generations of buyers. We’ll put up with the old way of doing things, but we’ll jump at the first chance we get for a better way. 

PLG, enterprise sales, and VARs will never go away, of course — but the better way is right in front of us: marketplaces.

There's just one problem. Cybersecurity is an infinite abyss. It's confusing to buy cybersecurity products and services on cloud marketplaces because cybersecurity itself is confusing.

Here's the part where Cyberse and cybersecurity-focused marketplaces come in.

Why we need a cybersecurity-focused marketplace

Why do we need a marketplace just for cybersecurity? Aren't cloud marketplaces good enough?

Head over to the AWS Marketplace and tell me which of the 4,621 (and counting) security products and services to buy. Go ahead. I'll wait.

Relying on a cloud marketplace for most or all of your cybersecurity purchasing is more theory than practice right now. You can buy products and services, and they'll give some information and guidance to help you — but you're mostly on your own.

Today's cloud marketplaces are the last mile of procurement. They're a centralized place you can go to execute transactions. This is a breakthrough in and of itself, but it's only a fraction of the end-to-end process for buying products and services.

There's a reason why consultants, VARs, and industry analysts are some of the most powerful players in the cybersecurity industry. Planning, buying, and implementing a full security stack is hard.

Buyers need advice and guidance to make the right decisions. They rely on third parties a lot of the time, who sometimes have misaligned incentives. Or, they just buy the "safe" product everyone else is buying. Nobody gets fired for buying IBM.

Capturing the transactional part of the value chain is important, but it's incomplete. The opportunity hiding in plain sight is to vertically integrate large parts of the value chain for a specific industry — cybersecurity, in the case of Cyberse.

Done well, a vertically integrated marketplace for a niche domain will always be more relevant and valuable than a cloud marketplace could ever be. It will also be more objective than consultants, VARs, and the smattering of decision support resources companies rely on today.

Cybersecurity is still too specialized for cloud marketplaces and technology resellers to have the domain expertise buyers truly need to make good purchasing decisions. Because of this, the marketplace needs to be semi-opinionated to help buyers architect solutions, narrow down their options, and help make sure the products and services they buy meet their objectives.

We need a single place to do market research, assess and gather requirements, discover and evaluate recommended products, and make purchases. No expensive consultants, VARs, or analyst subscriptions — just exactly what you need to buy the right cybersecurity products and services for your company.

This is exactly what Cyberse is building, and why I'm so excited about it. 

Cyberse cuts through the exceptionally loud cybersecurity marketing noise and gets straight to the point: giving you the industry knowledge and data you need to make the best decision for your needs.

Reimagining the cybersecurity purchasing process for the divinely discontent, Tesla-buying, millennial leaders-in-waiting has huge consequences. Let's finish by talking about what's at stake once this behavioral shift actually happens.

What's at stake: growing the TAM of cybersecurity

McKinsey wrote a research report that bent my brain in a way that hasn't happened in a while. The punch line: the cybersecurity industry has only reached 10% of its overall TAM yet because large portions of the market are under-served.

...wait, what?

Yeah, that caught my attention too. The article goes on to explain:

Currently available commercial solutions do not fully meet customer demands in terms of automation, pricing, services, and other capabilities.

...

This does not imply the market will reach such a size anytime soon (current growth rate is 12.4 percent annually off a base of approximately $150 billion in 2021), but rather that such a massive delta requires providers and investors to “unlock” more impact with customers by better meeting the needs of underserved segments, continuously improving technology, and reducing complexity.

Here's a visual to go along with it:

Even if you don't buy into the exact numbers (I don't, but they're only estimates), anything remotely close to this situation is astonishing.

How did this happen?!

A partial explanation: our products, services, and purchasing processes are all very enterprise-focused.

The traditional top-down sales model doesn't work for Small Business (SMB) and Mid-Market (MM) customer segments. Most cybersecurity companies can barely afford to support this model for enterprises. There's effectively zero chance of doing it profitably for smaller customer segments — and even if we most could, buyers in this segment don't have time to run enterprise-grade procurement cycles anyway.

Serving the SMB and MM customer segments is a problem we can tackle right now. As the McKinsey report shows, this alone is a big opportunity. But it's not the full story here.

What happens when the divinely discontent millennial cybersecurity leaders are the majority of buyers in cybersecurity? 

Marketplaces will become the de-facto model for how cybersecurity products and services are bought and sold.

That's why we need a cybersecurity-focused marketplace: to address both under-served market segments and the new generation of buyers in our industry.

It's a gradual, compounding transition — but it's going to be so, so impactful when the rapidly approaching inflection point hits.

Acknowledgements

Thank you to Ken Yao and the team at Cyberse for patiently hashing out multiple iterations of this thought process with me.

Also, thanks to Jonathan Cran for sharing the stat about Wiz's marketplace revenue percentage. No way I would have found this on my own.

Footnotes

¹Relatively speaking as an order of magnitude statement, not a precise estimate. I say this based on Gartner's latest Global Security and Risk Management Spending forecast and a McKinsey report we'll get to later in the article.

²I mean this literally — as in the process of buying, configuring, and operating the car, not the drama and nonsense created by Elon Musk himself. I don't condone or agree with a lot of his behavior, but I also think credit needs to be given for his inventions (and many other more decent people at Tesla).

³Statistics about millennials in the workforce and leadership positions are fuzzy, so I'm not going to cite specific data. Roughly speaking, we've been the largest generation in the workforce by percentage for several years now, but it's still a minority percentage. We'll be a majority percentage by ~2025. Leadership positions (VP+) will follow shortly after. Some of us are already in them today.

⁴Nobody really does today either, but they tolerate VARs because they make the traditional procurement process just a shade less miserable.

We've had seven cybersecurity-related M&A transactions over a billion dollars already this year.¹

Wiz raised a billion-dollar financing round.

Cyera became our first new unicorn since 2022.

We finally had a cybersecurity-related IPO with Rubrik going public at a $6.6 billion valuation.

There are more companies with a billion dollars of cybersecurity revenue and billion-dollar valuations than ever.

And the year isn't even half over yet.

Each of these billion-dollar events and milestones are significant by themselves, but I think they're a sign of something more for the rest of cybersecurity industry.

We're functioning in "billions" now. Billion-dollar financing rounds. Billion-dollar acquisitions. Billion-dollar revenue.²

That's a stark departure from where we've historically been. Cybersecurity didn't used to be a billion-dollar type of industry. We're more of the "cheeseburger and a beer at the neighborhood restaurant" crowd than a five-star Michelin restaurant type.

There's room for the entire spectrum of companies, of course. Plenty of smaller private companies have and will keep doing just fine at the thousands-to-millions scale. For mid-sized companies, the $130-ish million M&A exit median should remain consistent.

Cybersecurity is too big of an industry for its dynamics to change overnight.

But for cybersecurity companies who either are big or aspire to be, the new scale is going to be billions, capital B.

There's a lot to unpack here. Let me show you what I mean...right after we talk about beer.

Balance sheets and capitalization strategies have a shelf life

New Belgium Brewing started off as un-scaled as it gets. The company started as a home brewing project by Jeff Lebesch and Kim Jordan in 1991 after biking through Belgium and enjoying the beer a little too much.

Their beer was popular (and tasty), but the contrarian business model and operations changed the game in craft brewing. Breakthroughs included sustainable brewing at scale and, more famously, becoming 100% employee-owned in 2012.

They continued to expand independently, including a second east coast brewery in 2016. New Belgium was one of the most popular craft breweries and a role model for independent companies everywhere.

...until they shocked the world and sold the company to Lion Little World Beverages (Kirin Holdings) in 2019. The sale ended New Belgium's status as an independent craft brewery — and its employee stock ownership program (ESOP).

The decision came down to multiple factors, one being a tension between the cost of maintaining the ESOP and the executive team's ambitions to continue growing and scaling the brand and operations.

"Balance sheets and capitalization strategies have a shelf life," said Steve Fechheimer, the CEO of New Belgium Brewing since 2017.

Lion Little World Beverages has since merged New Belgium with Bell's Brewery, another iconic craft brewing operation. You've heard versions of this strategy before: expanding the product portfolio, operational efficiencies, and entering new markets.

Only now, their goal is to do something that's never been done before in the industry. The combined company is trying to become the leader of the U.S. craft beer market while becoming a certified B Corporation and carbon neutral by 2030.

They wouldn't have been able to do this without financial backing, stability, and other strategic moves that just weren't accessible as an employee-owned company.

This feels so, so similar to the place many cybersecurity companies are at right now.

Let's continue by talking about billion-dollar revenue scale (that's the real end game, not billion-dollar valuations), then work backwards through financing and M&A as two of the primary levers for getting there.

Billion-dollar revenue

A billion dollars of revenue has been surprisingly evasive in the tale of cybersecurity so far.

There are only eight pure-play public cybersecurity companies with $1 billion or more in annual revenue today. Even if we stretch the scope a little to include the extended cybersecurity ecosystem (hybrid companies with a material part of revenue coming from cybersecurity), the total only goes up to ~14, depending on how you classify the hybrid companies:³

It gets a little higher if you include large and mega-cap tech companies (like Microsoft or Cisco) and private companies (like PwC and Deloitte), but the number is still only around 40 companies.

No matter how you count it, there aren't very many companies who have ever hit $1 billion in cybersecurity revenue. Roughly speaking, it's something like 0.2% of companies that have ever existed.

Enough context, though — what does this mean for the industry?

As I wrote in Bigger, Faster, Stronger: The New Standard for Public Cybersecurity Companies, a billion dollars in revenue is probably the new standard for durable public companies, cybersecurity or otherwise. It's not just me — you can find people talking this all over recent earnings calls and behind closed doors at later stage companies.

There are ~100 (give or take) other public companies out there in the cybersecurity ecosystem with less than $1 billion in revenue, and nearly the same amount of VC and PE-backed unicorns who have expectations of scaling.

Put another way, there are five times more companies with expectations of billion-dollar revenue scale (~200 late-stage companies alone) than those who have ever achieved it (~40 at best).

I want to mention two anecdotes about the impact of revenue scale on public cybersecurity companies to help make the point.

So far, only three of the 28 formerly public cybersecurity companies who have been taken private or acquired had over $1 billion in revenue: Splunk ($4.2B), McAfee ($1.8B), and Proofpoint ($1.05B).

A common theme across companies who have been taken private by private equity firms is...you guessed it: scaling revenue to $1 billion as a private company.

On the other side of the spectrum, all seven of the "A-List" (highest performing) companies in the cybersecurity ecosystem I mentioned in Cybersecurity's Class Conundrum have over $1 billion of revenue. The average was $3.2 billion (TTM) at the end of calendar year 2023.

There is an undeniable connection between revenue scale and valuation for our public companies (SentinelOne and CyberArk⁴ are the notable exceptions). We have some great public and private companies under $1 billion in revenue, but they're all under pressure to get there.

Both of these stats are anecdotal, but they give you a rough idea about the current vibe of billion-dollar revenue scale in public markets.

So, what did these companies do to reach to $1 billion in revenue? A lot of things, including raising a bunch of capital. Let's talk about that next.

Billion-dollar financing

Cyberstarts partner (and investor) Gili Raanan put it bluntly when talking about Wiz's recent $1 billion round:

"It is expensive to build important cybersecurity companies."

Yes it is, Gili. Yes. It. Is.

$1 billion is the second largest single round raised by a cybersecurity startup after Lacework's (now both ominous and ironic) $1.3 billion Series D round in 2021. These are the only two individual venture rounds over $1 billion in cybersecurity history.

The $1.9 billion of total financing Wiz has raised is easily the highest amount of any cybersecurity startup other than Lacework:

Netskope is a distant ~$500 million behind those two. We're definitely going to see more large rounds being raised by companies in cybersecurity's IPO pipeline, but it's hard to imagine anyone surpassing Wiz.

Why? Their most recent round alone was more money than any other public cybersecurity company raised in total before IPO. And it's not even close.

SentinelOne raised a total of $696.5 million before it went public in 2021. CrowdStrike raised $481.2 million. Okta raised $230 million. Palo Alto Networks raised $65 million.

We don't have enough financial data to definitively say it costs more to build a public cybersecurity company these days (for private companies, we don't know how much capital they're spending and what's still in the bank). It's definitely accurate to say companies are raising more, though.

For Wiz and others, raising over a billion dollars of capital from financing or IPOs still isn't enough. It's tough to hit a billion dollars of annual revenue organically — especially at the growth rates both private and public market investors expect.

This is the part where M&A enters the picture. Let's talk about that next, billion-dollar style.

Billion-dollar acquisitions

The TL;DR of the entire history of cybersecurity M&A by strategic buyers (companies, not PE firms) is basically this: a relatively limited group of companies have made a handful of acquisitions at $250-400 million per deal, and usually far less.

Billion-dollar acquisitions have been incredibly rare. Rare, as in ~70 total transactions of any kind (PE or strategic) over $1 billion in the history of the cybersecurity industry.

Roughly half of the acquisitions were done by strategic buyers. With few exceptions (Okta buying Auth0 is one, and CyberArk buying Venafi is another very recent example), most of the buyers who have spent over $1 billion on an acquisition are large or mega-cap tech companies (like Cisco).

Most companies under $1 billion in revenue aren't going to be doing billion-dollar acquisitions — unless you're Wiz, who reportedly tried buying SentinelOne (valued at $4.9 billion at the time). Seriously though, $350 million and (very much) under is the typical range for subscale cybersecurity companies.

All of this is going to change, though. The frequency of billion-dollar acquisitions from strategic buyers is going to keep increasing. This is already a trend — 19 cybersecurity-related companies have been acquired by strategics for over a billion since 2020:

There were 23 cybersecurity-related transactions over $1 billion from 2010-2020. We're 4.5 years into this decade, and we're already close to even with the previous one.

Here's my less obvious prediction: we're going to see more merger-like transactions among (relative) peers to create companies with billion-dollar revenue scale.

The clues are already out there (a few are in the table above). Cohesity agreed to acquire Veritas's data protection business for $7 billion in Q1 2024.⁵ Exabeam and LogRhythm just merged in an undisclosed-but-definitely-over-a-billion sized deal. Most recently, CyberArk acquired Venafi for $1.5 billion.

The strategic drivers behind each deal were different, but the common theme is billion-dollar transactions creating billion-dollar revenue scale.

The shelf life of subscale cybersecurity companies is ending

Gokul Rajaram broke a small corner of the internet a couple months ago by highlighting some research on subscale IPOs. The punch line: companies with under $700 million ARR underperform (have negative absolute returns, on average) after going public.

The ensuing uproar led to some follow-on analysis that's a slightly different but harder conclusion: companies can go public at subscale revenue numbers (<$500 million), but they need a compound growth rate of 50% for a clear path to $1 billion in revenue within five years.

So, either way you look at it, the current expectation for public company revenue scale is around a billion. The variable is whether you IPO or not before getting there.

Subscale IPOs without astronomical growth are basically out of the question and will be for a while. And subscale public companies without better-than-respectable growth are going to keep getting taken private until they're all gone.⁶

Wiz is an exceptionally unique case. They're executing (rewriting?) a strategy that's like smashing together the playbooks for a hypergrowth unicorn, post-IPO company, and private equity firm all at once. Wiz is our industry's grand experiment in building a billion-dollar company with intent and speed. Grab your popcorn.

For the rest of the later-stage companies in the cybersecurity industry, it's all about the strategy they take to hit $1B revenue scale. We're not going to see billion-dollar financing rounds that often, but I do think we're going to see companies in the IPO pipeline raising a total of $1 billion or more before going public. And we're going to see more mergers among relative peers to get there faster.

I'm not a hypergrowth zealot. There's a point where growth at all costs becomes too reckless, and bad things happen.

Good strategy is about being a realist, though. Kim Jordan at New Belgium Brewing is a dreamer and idealist. But she was also savvy enough to know when and why a major change in strategy was needed to hit their next level of scale.

Billion-dollar scale is different, uncomfortable, and unnatural than what we're used to in cybersecurity. It's also the only way forward for our biggest companies.

Footnotes

¹Disclosed and estimated acquisitions over $1 billion in 2024 include Juniper Networks (HPE, $14B), HashiCorp (IBM, $6.4B), Darktrace (Thoma Bravo, $5B), AuditBoard (Hg, $3B+), Veritas (Cohesity, $3B), Venafi (CyberArk, $1.5B), and Exabeam-LogRhythm (undisclosed, estimated over $1B based on previous valuations).

²I intentionally avoided mentioning billion-dollar valuations here. Valuations don't mean much in the end game of becoming a company with a billion dollars in revenue.

³This count excludes large (e.g. OpenText) and mega-cap companies (e.g. Microsoft) with cybersecurity revenue as a small percentage of overall revenue. There are also privately held (likely PE-backed) companies with $1B revenue, but not many.

⁴CyberArk should be a $1B+ revenue company soon after their acquisition of Venafi officially closes.

⁵What's that, you say? Backups aren't security? I respectfully disagree. It doesn't really matter for the purpose of this discussion — the backup and data protection market is close enough to make this a reasonable comp.

⁶Or until private equity firms run out of money buying them, which is unlikely — they have more available capital than ever.

I pay close attention to Y Combinator and its cybersecurity-related companies because they're a tastemaker for the entire tech industry. Sure, we can debate industry-specific things like their level of specialization or track record of success, but you can't downplay or ignore their dominance as early stage investors across tech.

I've covered every YC batch since I started writing. This is now the sixth article in the series. Our list of companies to look at it is shorter this time, but there's still plenty to talk about.

Let's start by revisiting some longer-term investment trends across batches.

YC's cybersecurity, privacy, and trust investment trends

Y Combinator's number of investments per batch in the cybersecurity, privacy, and trust ecosystem had more than doubled since 2020...until now.¹

In YC's current era of smaller batch sizes (247, down from 402 in W22), six companies is still a healthy representation.

Garry Tan, YC's President and CEO, was also the group partner for two companies (PromptArmor and Tracecat) — a pretty disproportionate ratio for their leader.

I don't read too much into the reduction in investment this batch. They've invested in nearly 100 companies in the ecosystem over the past six years, and they have the resources to keep funding the best ones that come their way.

YC invests in a mind-bending amount of companies, though. Even though I'm saying their level of investment in cybersecurity companies is healthy, it's a low percentage of the overall batch size.

Here's what I mean:

If we (hypothetically) took away all of YC's other investments, their ~15-20 investments per year (across two batches) in cybersecurity, privacy, and trust companies still makes them one of the most active early-stage investors in our industry.

Next, let's meet the companies in the W24 batch and think through their potential opportunities and challenges.

Opportunities and challenges for the Winter 2024 batch

Alacrity

What does the company do?

Alacrity is building an account takeover prevention platform. It's a combination of identity and fraud products and techniques specifically crafted for stopping account takeovers.

Where do they fit into the cybersecurity ecosystem?

They're somewhere between Authentication and Fraud and Transaction Security. The product isn't a full-on identity or fraud platform — it's an intentional blend of the two focused on a specific (and massive) problem within both domains.

What are their challenges?

Alacrity's launch article covered the current state of the problem perfectly:

Large tech companies invest in advanced fraud solutions such as passkeys and intelligent device/session management, etc. However, most companies do not have the bandwidth or expertise to do the same.

What most companies rely on today for ATOs is SMS 2FA. Yet, we are seeing ATOs grow despite the wide adoption of SMS 2FA because codes can be socially engineered, phished, or subject to SS7 attacks.

A skeptic could argue the solutions to ATO attacks are already out there, and it's just an implementation or adoption problem. Maybe true, but could an easier-to-adopt platform increase the adoption rate and win? There were payment processors before Stripe, too — but their early advantage was being ridiculously easier to adopt.

Another adjacent challenge is the difficulty of separating ATO prevention from a company's overall customer identity infrastructure. Companies with enough traction and maturity to have large-scale ATO problems have already invested loads of time, money, or both into their customer identity stack. They're unlikely to change the entire stack just to stop ATO attacks.

This means Alacrity may eventually need to integrate with existing customer identity platforms. Competing with the likes of Okta (Auth0), Ping Identity, FusionAuth, Descope, Passage, and dozens of other well-funded customer identity platforms is an exhausting road. Making friends with them could turn potential competitors into huge advocates.

Why could this be a big company?

Stolen credentials are the reigning champion of methods criminals use to cause breaches — and has been for many years running in Verizon's DBIR reports. Solutions aren't getting implemented quickly enough, and attacks are becoming more sophisticated and persistent.

Now, companies are starting to get sued for not doing enough (in the eyes of regulators, anyway) to stop these types of attacks on consumers. Historically, companies start to take action when legal or regulatory implications get bad enough.

Alacrity can be a big company if they make ATO prevention incredibly easy and effective to implement, alongside a boost in urgency from state and federal regulators to reduce the impact of this problem.

Delve

What does the company do?

Delve automates the process of becoming HIPAA compliant and monitoring compliance on an ongoing basis. It's not just a compliance product — they literally set up compliant infrastructure for HealthTech companies to build products on.

Where do they fit into the cybersecurity ecosystem?

I'd classify Delve as a "hybrid" company across infrastructure and Governance, Risk, and Compliance (GRC). They're solving security and compliance problems (HIPAA, at least to start) with infrastructure and compliance automation features.

What are their challenges?

I could be off base here, but Delve seems easier to implement for brand new companies (or products) than existing products already built on infrastructure created long before Delve was a company. This could make switching costs hard. Re-platforming an existing app is a big ask.

HIPAA compliance is a big-but-not-massive market at ~$3 billion annually.² It's a U.S. only regulation, and the existing market includes a lot of services spend. Delve (eventually) might need to repeat their model for other types of regulations as they scale, but that's a problem for later.

Why could this be a big company?

Trends for HealthTech industry investments look just about like cybersecurity — down from 2021 and early 2022 numbers, but still strong. This means there are still plenty of potential early-stage customers (including 24 in this YC batch alone) for Delve to grow with.

The idea of building and monitoring regulation-specific infrastructure is pretty novel. If Delve becomes the go-to approach for launching companies in regulated industries, they can be a big company.

Nuanced

What does the company do?

Nuanced is an API and web app for detecting AI-generated fraud, deepfakes, and misinformation. Their current specialty is detecting AI-generated images, which is useful for all kinds of services with high volumes of user generated content.

Where do they fit into the cybersecurity ecosystem?

They're a combination of AI/ML Security and Fraud and Transaction Security. The problem is fraud, and the reason is AI.

What are their challenges?

AI-generated fraud, deepfakes, and misinformation is still an emergent problem. Most people you know (definitely not your mom) have heard of this. It's still going to take a while for the long tail of companies to realize this problem exists, let alone adopt a solution for it.

This may sound defeatist, but I also wonder if some companies are even going to try stopping AI-generated content. X (Xitter?!) is the wild west right now. Other out-of-band sites like forums, Discord channels, and Reddit just let a lot of this stuff go.

Why could this be a big company?

Some companies have to care about AI-generated content because trust and safety are important parts of their business. The scope of "have to care" is a lot wider than you'd think — everyone from dating sites to regulated industries like FinTech needs to avoid this type of behavior from malicious users.

If the problem itself multiplies exponentially (and it definitely could), companies will have to find a solution fast. What better way than a straightforward API like Nuanced? That's how they become a big company.

PromptArmor

What does the company do?

PromptArmor protects LLM applications from attacks. It's a full offering, including a product, services, and threat intelligence.

Where do they fit into the cybersecurity ecosystem?

They're an AI/ML Security company focused on securing LLMs.

What are their challenges?

Awareness of this problem space is going to take a minute. Most companies barely understand how or why to build LLM applications, let alone defend them from attacks.

Companies who are thinking about LLM security are often focused on the data loss/exfiltration part of the equation right now — things like preventing their own employees from sharing information they shouldn't. They haven't put much thought into how or why an attacker might exploit an LLM application.

Why could this be a big company?

This is an "all ships rise with the tide" situation. Generative AI sure looks like the next major technology platform, and those only come around a few times in your life.

Business and enterprise adoption of LLMs is moving faster than it has with some previous technology platforms. A majority of use cases, or at least a material share, are going to be business-focused.

A major security incident (and definitely a handful of incidents) involving LLM applications is going to get this problem on the radar of security leaders quickly. If PromptArmor can position itself as the go-to solution for securing an organization's LLM applications, it's going to be a big company.

Titan

What does the company do?

Titan helps companies manage access to data, starting with Snowflake. This includes authorization for any resource type in the data warehouse (users, roles, schemas, databases, etc.).

You could conceptually think of Titan like an Identity Governance and Administration (IGA) product but specifically for managing access to data, and implemented with infrastructure as code instead of an interface.

Where do they fit into the cybersecurity ecosystem?

It's an Authorization product built for Data Security.

What are their challenges?

It's easy to pick on access control for Snowflake as a niche market with a small TAM, but Snowflake has over 8,500 customers. Titan may (eventually) have to broaden support and add other data platforms in the future, but there's plenty of room to grow on Snowflake alone.

Managing access to data infrastructure is a complex problem, and implementing it with infrastructure as code requires sophisticated users. I'm sure the Titan team knows that and is building a product that works for them, at least for now. Someday, they might need to add an interface or other abstraction layers to make things easier for less sophisticated customers.

Why could this be a big company?

Snowflake has a $57 billion market cap and $2.8 billion of revenue growing 36% year-over-year. They're one of the ten best companies in all of tech. Building on top of them is a nice place to start.

And guess what? Managing security in Snowflake is a nightmare!

We're quickly moving past the days where access in data warehouses is a free-for-all. This is partly driven by plugging LLMs into them. Companies figured out how quickly LLMs give employees access to sensitive data if their underlying access to the data isn't tight.

Titan can be a big company if this problem rapidly increases the importance of access control in data infrastructure and they're the standard for solving it.

Tracecat

What does the company do?

Tracecat is an open source security automation platform. It's a nice one with modern features like no code, AI-assisted workflows, and local or cloud deployment options.

Where do they fit into the cybersecurity ecosystem?

They're a Security Orchestration, Automation, and Response (SOAR) product, which falls under Security Operations.

What are their challenges?

SOAR (or hyperautomation, if you want to use the fancy new term) is a busy market with lots of competition. The big security operations companies like Palo Alto Networks, CrowdStrike, Cisco (Splunk), and others all offer established SOAR products.

We've also seen a lot of M&A and financing activity lately, including Arctic Wolf's acquisition of Revelstoke, SentinelOne's acquisition of Stride, Torq's oversubscribed Series B, and so on.

Competing in this market is going to take an awesome product and then some — but the recent acquisitions and investments have made it clear the market is far from won.

Why could this be a big company?

We're entering a new era of SOAR/hyperautomation products, partly because the need for automation in security is still so acute. Who knows if or when AI is going to fully automate the SOC — probably not anytime soon. Until then, the combination of some AI and some automation is going to be what companies use to get by.

Tracecat can be a big company if they keep building an awesome product and their open source model (with a pretty reasonable entry price point) helps them find customers and grow with them.

Footnotes

¹Batch counts include companies as of Demo Day. Numbers may be off by a few because companies pivot in and out of the industry after launching.

²According to the mildly shady market research companies, anyway.

Altitude Cyber dropped its inaugural 2023 Cybersecurity Year In Review report last month. It's a data-driven deep dive into the year that was in 2023.

The last time I covered Momentum Cyber's annual industry report was back in 2022. I helped the team produce the next two as a Senior Advisor to the firm. Covering my own work seemed redundant!

Now that I'm back on the consumer side, it's time for me to show you around the next iteration of this industry research.

This time, I have a lot more experience navigating the reports and data shared in them. I also get to bend the rules, so that's exactly what I'm going to do!

I want to tell you about five themes from the report — an outlier, two growing trends, and two things that haven't changed — using a wide-angle lens across the horizon of time.

Let's start by erasing our memories about the most abnormal year our industry has ever had.

The outlier: 2021

Strategic activity is still pretty good if you forget 2021 ever happened.

In 2022, there was still a perception that everything in the cybersecurity industry (and all of tech, really) was fine. Strategic activity was going to get back to 2021 levels...any day now.

In hindsight, we were still a little euphoric from the boom loop that was 2021.

The doom loop had fully set in by 2023. All the industry chatter was about financing and M&A activity being down.

It was, but mainly compared to 2021. That's a tough benchmark. It's like comparing any other cricket player to Don Bradman, the undisputed greatest of all time.

Let's quickly step into a tangential world where 2021 never happened and see what cybersecurity's trend of strategic activity looks like.

Here are the "updated" charts for M&A:

And for financing:

...Wait, what?! The trends for both are pretty good!

Exactly.

Obviously, we can't delete 2021 in the real world, so don't stick these charts in any serious industry publication.

This "world without 2021" thought experiment helps add some perspective, though. Things don't seem as raucous as they did in 2021, but they're not as bad as they seem, either.

Next, let's talk about a couple growing trends — both related to M&A.

Growing trends: private equity and gigantic M&A transactions

Private equity buyers have been really active, and they have more money to spend than ever.

Back in 2010, private equity buyers cared more about the color of their ties than the cybersecurity industry. They did five total deals for just over a billion. That's lower than the net worth of some Managing Partners.

Boy, how times have changed. The next decade-plus was a rush of money into the industry from private equity. They're literally spending more money on acquisitions than strategic buyers now:

This wasn't from a handful of large deals, either. Private equity firms do close to half the acquisitions in cybersecurity:

Remember when I said we're going to see a record number of large acquisitions the rest of this decade (and you probably laughed at me)? Well, check this out:

Private equity firms have three times more capital available to deploy today than they did for most of the last decade.¹ And cybersecurity seems to be burning a hole in their pockets.

Our M&A transactions just keep getting bigger.

Even though cybersecurity's total M&A dollar volume and activity are down from all-time-highs, our big acquisitions are bigger than ever.

Cybersecurity is a small enough industry for M&A activity trends to get spiky from large deals. That's exactly what is happening...but the trend for deal size is clearly going up:

We didn't have a transaction over $10 billion until 2019. Now, we've had four (or five if you count Broadcom's $69 billion acquisition of VMware).

The $5-billion-plus deals that would have easily been the largest for most years of the past decade are now routine. We've had eight (and counting) since 2020.

We're probably going to see more large acquisitions in the remainder of this decade than we've seen in the entire history of cybersecurity. Why?

Two words: private equity.

Next, let's talk about a couple things that haven't changed — even after a few choppy years of activity in the industry.

What hasn't changed: strategic buyers and specialist investors

Cybersecurity's most active strategic buyers aren't slowing down (much).

The strategy for several large cybersecurity companies (and professional services firms) is to grow through acquisitions. Don't think for a minute that some little economic downturn is going to slow them down.

Our most active strategic buyers for the past three years are...well, pretty similar:

This is a pretty short list, too. I'm sure if we had access to all of the underlying data, the companies who dropped off in one or more years would still be pretty active.

The part that didn't happen was a rush of new strategic buyers (e.g. the IPO pipeline and unicorns of 2021) into the M&A market. Some people thought there were going to be fire sales. There weren't, and definitely not for our best companies.

The trend is starting to normalize a little bit now. We've seen new buyers making acquisitions and another set of companies who have raised capital and specifically said they're using it for M&A. But our most active buyers will keep being our most active buyers.

Let's finish by talking about what's happening with cybersecurity's top investors.

Cybersecurity's most active investors are still cybersecurity's most active investors.

Overall financing activity is down, but cybersecurity's most active and long-term investors are holding (HODL-ing?)² their ground. The list of active investors hasn't changed much in the past three years:

Eight of the ten most active investors are still the same.³ I wouldn't read much into Accel or Tiger Global, either — both of them are still investing in plenty of cybersecurity companies.

The investors who have pulled back either weren't investing exclusively in cybersecurity, were speculating because this was a "hot" industry, or both.

Our most active investors are as committed (and well-funded) as ever.

More than 2023

This year's Altitude Cyber report is about 2023, sure. But it's also about more than that. It's the middle of a story about an industry whose time has come.

When you're living in the moment, like all of us do most of the time, it's easy to get pulled into the highs or lows of the present.

If you've done this long enough, you know every year (or quarter, or sometimes day!) might just be an outlier.

Growing trends can be unnerving because they change the order of what we've always known. They can also be empowering if you get ahead of them and know how to act.

A few things rarely change. The people and companies who are in cybersecurity for the long run are still here. They're ready for what's next, good or bad.

And if you let yourself zoom out far enough, you'll see why there's a lot to be excited and optimistic about.

Acknowledgements

Thank you to both the Altitude Cyber and Momentum Cyber teams for years of hard work on this industry research.

Footnotes

¹This capital isn't just for cybersecurity acquisitions, but some of it is definitely heading our way.

²Not really – a bunch of data points (and intuition) still say cybersecurity is a good place to invest. Especially if you know what you're doing, and these firms do.

³This analysis just covers deal volume, not the next layer of details about round sizes or whether these were new or follow-on investments. It's still a pretty good indicator of commitment to the industry, though.

That's the part I was missing when I wrote Cybersecurity's Class Conundrum three weeks ago.

The core observation from the original piece was clear: the cybersecurity industry has a growing class divide between its companies, and the gap is only getting wider.

Okay, great. But what now?

I was still missing the punch line about why this matters and what it means.

Class divides are one of the most common outcomes in capitalism. The winner-take-all market dynamics that cause them are really common, too.

Cybersecurity just hasn't experienced many of these dynamics yet, even though our industry has been around for a little while.

When industries are at this point, one of two things usually happens.

People are totally unaware the dynamics are happening and keep doing what they're doing — which is easy to do because their effects aren't very obvious yet.

Or, people are aware of the dynamics and deny they're happening. I've seen enough renditions of the "cybersecurity is special" argument to know this belief is common.

Either scenario leads to bad outcomes, or at best sub-optimal ones. Consciously or unconsciously, they've missed a powerful force and how it's going to impact them. It's the business version of not seeing the weather forecast for a hurricane or catching the forecast but deciding to stay put.

The good outcomes come from people recognizing the dynamics early, making high-probability predictions about what will happen, and taking action. It's really hard, but doing all of this right means you, your company, or anything else you care about comes out ahead.

I think this is the point we're at right now in cybersecurity — the "not too early, not too late, but better hurry" inflection before serious market dynamics take over. We need to have a practical discussion about the effects winner-take-all market dynamics are going to have on our industry.

Let me start with a quick story about how I learned market dynamics dynamics the hard way.

Why you're reading this instead of shopping at my grocery store

In a parallel universe without strategic forces and market dynamics, I would probably be helping my extended family run a small chain of grocery stores in Iowa.

My grandpa opened our family's first independent grocery store in 1973, just one year and 70 miles apart from the first Wal-Mart in the state. The family business thrived in the 1970s and 1980s, growing to four stores across eastern Iowa and employing hundreds of people.

That's where the winner-take-all markets part comes in and bends the arc of my life dramatically.

Walmart went public in 1970. They had 38 stores at the time — ten times more than my family's modest chain of four stores, but not orders of magnitude larger in size or scale.

You know where the Walmart part of the story goes from here. They had 1,400 stores and $26 billion in revenue by the end of the 1980s. They also spent these two decades developing and refining their business model, including the most sophisticated logistics system in retail. This period was the foundation that eventually made Walmart the largest retailer in the world.

By the end of the 1980s, my family's business had...four stores. This was the same local-first, long-tail strategy that worked wonders for all kinds of retail businesses before Walmart came along.¹

Before Walmart came along. That's how stories like this happen. Everyone thinks an industry works a certain way — until it doesn't. By then, it's too late.

Market dynamics are powerful and brutal forces. Walmart was playing a winner-take-all game while everyone else was following the playbook of decades past.

I never worked in my family's grocery stores. It's fortunate I didn't. The last store was sold in 2023, ending a 50-year era of the family business at the 2nd generation. Being a 3rd generation independent grocer on the wrong end of winner-take-all dynamics is not a strategic position I'd want to be in.

Next, let's talk about how tech made the forces behind winner-take-all markets even faster and more severe than old school businesses like my family's grocery stores.

Winner-take-all markets in tech: like grocery stores, but bigger and faster

Marc Andreessen originated the current version of thinking around winner-take-all markets in the tech industry during an interview back in 2013:

In normal markets, you can have Pepsi and Coke. In technology markets, in the long run, you tend to only have one…The big companies, though, in technology tend to have 90 percent market share. So we think that generally, these are winner-take-all markets.

Generally, number one is going to get like 90 percent of the profits. Number two is going to get like 10 percent of the profits, and numbers three through 10 are going to get nothing.

You know this intuitively if you've been around tech long enough. Winner-take-all markets happen all the time in tech: search engines, social media, e-commerce, music streaming, ride sharing — on and on. The effects are pretty easy to see in retrospect.

What's harder is acknowledging the effects before they happen, especially the markets you work or invest in. This means us, cybersecurity people.

Harder still is doing something about it: things like putting your company in a position to be number one, investing in companies who are likely to be number one, and knowing when and how to change course, salvage, or bail if you're number three through 10.

Before we get into effects, let's make a quick distinction about the differences between markets and industries.

Cybersecurity isn’t winner-take-all, but its markets are

Andreessen's 90/10 profit split might be a little extreme for an entire industry, but it's been proven accurate repeatedly at the market level. Let's translate this to cybersecurity.

As I said when making my case for platformization, "There will never be a one-ring-to-rule-them-all cybersecurity platform all companies buy from a single vendor."

The concept of winner-take-all markets is the economics side of the cybersecurity platformization debate.

The same fundamental platformization idea applies for the cybersecurity industry: there will never be a winner-take-all cybersecurity company.

But at a market level, there are definitely going to be winners. Eventually. We're talking about a decades-long process here.

Let me show you what I mean:

In ecosystem terms, the entire domain of Cybersecurity, Privacy, and Trust is too large to win. It's an entire industry, not a market.

Really big markets like Security Operations might have multiple leaders because they're quasi-industries. Leaders will win the smaller markets that roll up into the large one.

Smaller markets like cloud security will have winners.² Those winners may eventually end up being acquired by mega-cap companies in larger markets — but they're still winners and still have great financial outcomes.

Now, let's talk about how a few powerful market forces are shaping the cybersecurity industry.

Revenue concentration

Cybersecurity's current market leaders are growing at a disproportionate rate.

In winner-take-all markets, the winners (and companies who are on their way to winning) grow at a much faster rate than everyone else.

In my grocery business example, it's Walmart jumping from 38 to 1,400 stores in a decade while my family's business stayed at four. "Disproportionate" barely begins to describe the difference.

Disproportionate growth happens in technology markets, too. You know, like cybersecurity:

The reason cybersecurity's top seven public companies (the "A-List" in the chart) are now worth more than the rest of the industry combined comes down to one thing: massive revenue growth. Their average growth rates have nearly doubled the rest of the industry's growth for over a decade.

"A-list" company revenue growth topped out at 46.7% in 2021 and has never been below 20%. Everyone else topped out at 27.6% back in 2011 and has only averaged over 20% growth three times in 13 years.

The same thing happens in earlier stage markets — it's just harder to spot because private companies aren't required to report financial metrics.

Revenue is concentrating among cybersecurity's market leaders.

Revenue concentration among market leaders is an immediate consequence of disproportionate growth over a long enough period of time.

Andreessen's 90-10 theory of profit concentration is faster and more pronounced in consumer technology markets. Concentration still happens in enterprise tech — it just takes longer and has a less lopsided ratio.

Revenue concentration among cybersecurity's public companies has been happening for a while:

Fortinet, our only current A-List company who was public in 2011, had only 1.6% of the total cybersecurity industry revenue reported at the time. Fast forward to 2023, and our seven A-list companies have already concentrated 23.1% of revenue.

But wait, other companies still have over 75% of the revenue?!

Remember, there are only seven A-list companies. 51 other companies are controlling the remaining 76.9% of revenue. And this is still excluding tech companies with massive cybersecurity businesses — Microsoft, Cisco, Alphabet, HPE, and others.

Ed Sim recently shared a variation of the same concept about cybersecurity revenue concentration that included Microsoft:

I'd bet the concentration would be a lot higher than 51% if we had enough data to include Cisco, Alphabet, and other large cybersecurity business units.³

Regardless of the exact percentage we're at today, cybersecurity's revenue concentration is compounding quickly (by the long, bending arc of market time horizons, anyway). Just look at what already happened in a decade and imagine how much more concentrated it's going to be in another decade or two.

Revenue concentration leads to all kinds of other effects. Let's talk about those next.

Leverage

Larger profits and higher valuations give the largest cybersecurity companies more leverage.

"Leverage" means all kinds of things — pricing, partnerships, acquisitions, and more. Once a market leader has leverage, their advantages compound even faster.

Acquisitions are an interesting example to show the effects of leverage. Cybersecurity market leaders have multiple advantages over companies who aren't market leaders — cash, equity, and post-acquisition growth.

Here's how much cash each public cybersecurity company has on hand right now:

Cybersecurity's seven A-list companies have $17.6 billion of total cash, an average of $2.9 billion per company. All but one company (Cloudflare) makes up the top six companies with the highest amount of cash on hand. Splunk is the only other company with over $2 billion of cash, which now belongs to Cisco after their acquisition closed.

Cash is just one kind of leverage. Higher valuations for A-list companies mean the value of any equity they use for acquisitions is higher than other cybersecurity companies with lower valuations. This saves cash and gives them more leverage for other acquisitions or investments. It's a self-reinforcing feedback loop.

Speaking of feedback loops...

Feedback loops

Positive feedback loops make cybersecurity's most powerful companies even more powerful.

So far, we've been talking about effects related to money. Things really get out of hand with social effects.

The Matthew effect causes success and resources to gravitate towards people and companies who already have them. Colloquially, it's "the rich get richer and the poor get poorer" adage.

Companies like CrowdStrike and Wiz are famous for being famous. People want to buy their products, buy their stock, work there, and partner with them because they're already famous.

Another example is Okta's leadership in the Gartner Magic Quadrant for Access Management. They've been in the "leaders" quadrant for seven straight years. Positive feedback loops kept them on top, even after breach after breach ripped through the news headlines.⁴

It's called a feedback loop because outputs like these become inputs, and the cycle repeats itself. This is exactly why it's hard to overtake a market leader by competing with them directly — positive feedback loops are really strong, and they get stronger with compounding.

Talent concentrates to winners, and the rest do layoffs.

Another interesting example of positive and negative feedback loops in winner-take-all markets is talent. Talent concentrates among market leaders. Talent defects (or gets laid off) from companies who aren't market leaders.

Here's a wild stat from Cloudflare to illustrate the point. In 2022, they had approximately 400,000 people apply for 1,300 positions. That's an acceptance rate of 0.3%. Admission rates for Harvard and Stanford are both around 4%. In other words, it's over 13 times harder to get a job at Cloudflare than it is to get into two of the top universities in the United States.

The same thing goes for executives. CrowdStrike famously poached SentinelOne's Chief Marketing Officer and Chief Product Officer at the same time, using their leverage to stick it to a competitor while they were (briefly) down. Then, they literally put the executives in charge of building more advantages in channel growth and new product development, two of the biggest drivers fueling CrowdStrike's massive 2024 earnings.

The relationship between negative feedback loops and layoffs works in a similar way, but in reverse. According to Layoffs.fyi data (and my own company classifications), A-List companies have laid off 881 employees since tracking began in 2020. Other public companies have laid off 3,019 employees.⁵ Private markets are even uglier, with 5,922 employees let go by 71 different companies.

Negative network effects repel talent away from companies who aren't viewed as market leaders (or potential ones).

Let's finish by talking a bit about competition.

Competition

It's harder to IPO in an established cybersecurity market.

Late-stage cybersecurity companies are having an increasingly difficult time going public in established markets with clear leaders. This trend is still nascent, but you can start to see the signals based on cybersecurity's large-cap IPOs in the last five years.

Aside from endpoint security (the market that keeps on giving, apparently), companies who have gone public in established markets haven't lasted very long:

SentinelOne's 2021 IPO is the most recent clear example of a company who went public in a well-established cybersecurity market and succeeded. There will be others in the future, but this path is becoming more rare. Look no further than Cybereason.

Companies who have gone public in "new" markets (either markets they've defined or ones without another public company) don't have an unblemished record, but they're doing better:

Leading a market is hard no matter what, but it's a shade easier when you're viewed as one-of-one.

It's also a mixed bag if we play out this trend across the late-stage companies in cybersecurity's IPO pipeline.

For example, Wiz falls into the "new markets" group as the first standalone public company in the cloud security market. Other unicorns are competing directly in markets with established public companies, which is extra difficulty on top of the already challenging conditions for IPOs.

The path to going public in cybersecurity is heading through market leadership in new markets more than it ever has before.

Cybersecurity companies who aren't viewed as market winners get taken private.

Companies outside of cybersecurity's seven A-list performers are being taken private at a staggering rate.

In Bigger, Faster, Stronger: The New Standard for Public Cybersecurity Companies, I analyzed the cybersecurity companies from various IPO eras who have since been taken private:

In the complete history of cybersecurity, we've had 117 companies of all sizes go public. As of today, 34 companies (29%) have been delisted due to acquisition or bankruptcy. The general trend among delistings is companies who haven't established themselves as a clear market leader.

The insatiable take-private trend is showing few signs of slowing down.

In the past year, we've heard rumors of Rapid7, SentinelOne, HashiCorp, and others being taken private. Rapid7 and SentinelOne both compete in established markets with strong competitors.⁶

You're either leading the market or regrouping until you can try again.

Survivorship bias causes more people to enter cybersecurity markets and lose.

This one hit me the hardest. It's the most tragic market effect by far. From Farnam Street:

Ironically, winner-take-all markets tend to perpetuate themselves by attracting more losers. When we look at founders in Silicon Valley or actors in LA, we don’t see the failures. Survivorship bias means we only see those who succeed. Attracted by the thought of winning, growing numbers of people flock to try their luck in the market. Most fail, overconfident and misled. The rewards become even more concentrated. More people are attracted and the cycle continues.

In winner-take-all markets, the success of winners causes more people to chase success and lose.

This is how we get the 8th, 9th, and 10th new company in hot cybersecurity markets. Founders and investors see success, and they can't help themselves from trying to replicate it. By the time a market is getting a ton of industry hype, it's probably too late.

You don't need to be the first mover, but cybersecurity's markets are efficient to a point where it's difficult for a multi-year, multi-million dollar head start to be overcome.

There can be only one

I'm not sure how long cybersecurity's winner-take-all market dynamics and their effects are going to take to play out. We're probably talking about a decades-long progression here, but it's inevitable.

Market dynamics like these can't be avoided. They're better to understand and accept than ignore or deny.

Cybersecurity has unique characteristics, but so does every interesting industry. Taking a contrarian stance against widely proven market forces happening in cybersecurity is an option, but probabilities are working against you.

If you're daring, you can take the bet — but do it with a clear understanding so you know which rules to bend and why.

In the end, there can be only one (NSFW).

Acknowledgements

Thank you to Logan Bartlett at Redpoint Ventures for casually dropping the timely 'there can be only one' comment in my Data Security Posture Management (DSPM) post on LinkedIn last week. It's a fitting way to end this piece.

Footnotes

¹This story isn't intended to imply the family business could or should have been Walmart, nor that anything Walmart or other large retailers did was unfair. It's just the best way I can think of to illustrate a visceral lesson in my life.

²An estimated ~$30 billion market size for cloud security isn't even small, but the point is it's much smaller than the overall infrastructure security market.

³Unfortunately, we don't. Large public tech companies aren't required to break out revenue by business units, so we have to rely on metrics they voluntary report at random time intervals. Some never volunteer to share security business unit revenue, or share it with serious questions about the math behind the calculation.

⁴Okta has been on the receiving end of negative feedback loops, too. It's definitely one of the causes behind their new customer growth stalling over the past two years.

⁵This data excludes layoffs at Cisco. They're a large, diversified technology company, so attributing layoffs to their security business unit isn't possible. The data does include Splunk since their layoffs were done before the acquisition by Cisco closed.

⁶HashiCorp is the "new market" exception here, although you could argue they compete directly enough with CyberArk to be viewed as an established market player.

In his new book Same as Ever, Morgan Housel said this about people's behavior towards limits:

Optimism and pessimism always have to overshoot what seems reasonable, because the only way to discover the limits of what’s possible is to venture a little way past those limits.

That's it. Being optimistic about platformization in cybersecurity is about testing the limits of what's possible in our industry.

Being pessimistic about a single, end-to-end cybersecurity platform is easy to do. There are all kinds of reasons platformization hasn't worked in cybersecurity. But it's a straw-man argument.

Why? There will never be a one-ring-to-rule-them-all cybersecurity platform all customers buy from a single company. The real discourse here is about something different.

Platformization is about the process of cybersecurity products moving towards platforms. It's not about the extreme ends of the spectrum. It's about the market moving towards one side of the spectrum or the other.

The question isn't, "why won't platformization work in cybersecurity?"

A better question is, "what would it take for platformization to work in cybersecurity?"

Being optimistic and unpacking the conditions required for platformization to happen in cybersecurity is harder. It's where we need to put our energy and brainpower. We need to venture a little way past our limits.

Let's start by talking about platformization in other areas of tech.

Platforms are tech's ultimate prize

If you zoom out and look at the broader tech industry, you see the same pattern play out over and over: platformization wasn't possible...until it was.

A common goal among tech's most ambitious companies has been their desire to build platforms in areas where they didn't exist before.

Apple and Microsoft built personal computing platforms.

SAP built an enterprise resource planning platform.

Epic built a healthcare platform.

Salesforce built a customer relationship management platform.

Facebook built a social networking platform.

Amazon built an infrastructure platform.

ServiceNow built an IT operations platform.

If people's lives, work, health, money, and relationships can be platformized, cybersecurity can too. We're important, but it's tough to argue we're more important than most of the domains where platforms already exist today.

Speaking of platforms in cybersecurity...

We already have platforms in cybersecurity

An important detail got lost in the fray of bantering about platformization: we already have platforms in cybersecurity.

Okta is an identity platform.

CrowdStrike is an endpoint security platform.

Zscaler is a network security platform.

Splunk is a security operations platform.

Wiz is a cloud security platform.

They're all pretty good ones, too. Not perfect, but enough to drive the buying behavior of security leaders from dozens of point products to platform companies in each of these domains.

What we don't have yet is a multi-estate platform — something that spans major domains like security operations, networks, identity, and so on. Single domains are the current limit of what's possible in cybersecurity.

Moving beyond our current limits requires thinking in relative terms, not absolute terms. Let me show you what I mean.

The spectrum of cybersecurity platformization

Thinking about platformization as an all-or-nothing thing is a trap.

Security leaders are never going to buy all of their products and services from one company. They're never going to buy from all different companies, either.

These scenarios are the extremes. Reality lies on the spectrum between them:

The way to think about this is in relative terms — where do we sit on this spectrum? More importantly, where will we sit if certain things happen?

Distributed products are the default state. Most companies can't just wake up in the morning and decide to be a platform. It takes a lot of capital, and there are stages of progression involved to get there. Platformization itself is a competitive moat.

Movement along the spectrum is where the real magic happens.

If things like cybersecurity mesh architectures gain traction, or cybersecurity companies get really good at partnering and integrating, the market gets further entrenched on the distributed end of the spectrum.

If the benefits of using cybersecurity platforms built by a single company clearly exceed their distributed alternatives, they'll push the market towards the platform end of the spectrum.

How far cybersecurity companies can bend the median is a multi-billion-dollar proposition:

The economic tilt of even a small movement towards platformization is huge.

With platforms, fewer companies control a greater percentage of overall cybersecurity spend. You don't even need to be the end-all be-all cybersecurity platform. Just nudge the needle, and you’ve won.

This dynamic and its forces are a very fluid situation, but we're never going to end up at either one of the extremes.

Lots of factors can drive movement in either direction along the spectrum. Let's look at what it would take for a meaningful movement towards cybersecurity platformization to happen.

What could work: nudging cybersecurity towards platformization

Successful platformization is so rare that it's silly to say a playbook exists. Cybersecurity has its own set of nuances and idiosyncrasies, just like every relatively large industry.

However, there are some themes we can draw from platformization in other areas of tech and what's worked (and hasn't worked) so far in cybersecurity.

Real platforms: by the technical definition, not the marketing definition.

Building actual technology platforms is the biggest factor by far that will influence the success of platformization in cybersecurity.

Yep, this means everything real platforms have, soup-to-nuts — integrated UIs, data layers, ecosystems, you name it. There aren't any non-technical shortcuts, even if you buy parts of the platform. Everything has to work.

It's disingenuous to call a bundle a platform. This strategy might work for a little while, but technology doesn't lie. Once you're exposed, it's all over. Just ask Symantec, McAfee, and CA.¹

The only way the cycle of product innovation, sales and marketing, financial incentives, and other factors we're discussing here will work is if customers actually want the product.

Product innovation has to be able to keep up with every other idea we're discussing in this section. If the product falters, nothing else works.

Obsession: cybersecurity focus, expertise, and commitment.

Building a multi-estate cybersecurity platform is going to take focus. It needs to be a singular effort. "Obsession," in a word.

I have a hard time seeing a company who isn't fully focused on cybersecurity pulling this off. Large technology companies theoretically have the resources to build a cybersecurity platform. What they lack is the focus, expertise, and commitment to make this a reality.

Expertise has been a major factor in the cybersecurity platforms we've seen so far. George Kurtz knew exactly what needed to be done differently to build an endpoint security platform when he started CrowdStrike. Todd McKinnon had a similar insight for Okta from his time at Salesforce. It's possible an industry outsider could overcome this, but platformization is hard enough as it is.

And then comes the commitment part. A shift towards platformization is probably a decade-long effort or more. It's either going to take founder-led companies or some really committed senior execs to get this done.

Right now, we're in the middle of a multi-billion-dollar experiment to find out if it's possible for large tech companies to build cybersecurity platforms. Broadcom, Cisco, Alphabet, and Microsoft are all investing heavily in their cybersecurity business units. I'd expect some level of success, but it's improbable any of these companies will end up with a cybersecurity platform that has everything it takes to work.

Technological shifts: big and small technology changes, both inside and outside of cybersecurity.

Some factors driving platformization in cybersecurity are outside the control of our industry. Technological shifts are one of them. They've been a factor for platforms in every other sector of technology. We're no exception.

I'm not sure if AI is going to be the technological shift that makes cybersecurity platformization possible or not. AI is being thrown around as the hand-wavey solution to every problem right now. It will probably be part of the reason behind platformization in cybersecurity, but don't count on it being the only reason.

The breakthroughs driving platformization in cybersecurity might be more pedantic. It's easier than ever to build integrated technology platforms in any domain because our tools and frameworks are better than ever. As this leverage compounds, it gets easier to build and scale larger pieces of software.

Things really get interesting when technological shifts combine. Wiz became the fastest-growing cybersecurity company ever because of this. Building great products quickly got easier, and they used this to relentlessly seize the opportunity to redefine how infrastructure security is done for cloud computing.

Curation: creating a cybersecurity platform through building, buying, and partnering.

The phrase "building a cybersecurity platform" is oversimplified. When we're talking about platform scale, building alone isn't enough.

Mark Zuckerberg has talked about how finding and developing engineering talent is the number one constraint holding back growth of Meta. If Mark Zuckerberg can't find enough people to build at Meta, we have no chance.

Platformization in cybersecurity will need to happen through a combination of building, buying, and partnering. There can't be no building, of course — but solving the riddle of platformization is going to take some good old fashioned dealmaking.

We all know about M&A, but acquisitions have to be executed differently this time. For platformization to work, companies need to buy the best products at the right time and... Actually. Integrate. Them.

This means having enough capital available for acquisitions, identifying companies in emerging categories early, then successfully executing the transactions before a competitor acquires them. None of this is easy to do.

I also expect we'll see white or gray labeling of components in a platform become more of a thing going forward. The incentives for moving the needle towards platformization are too high. Companies will do whatever it takes to source and integrate the best products, even if it means OEM'ing them from someone else.

Brand status: the first "luxury" cybersecurity brand.

Platforms seem to have an allure of luxury and exclusivity, at least in the early days. This isn't necessary in cybersecurity, but the broader trend is worth acknowledging.

Apple is the gold standard (no pun intended) of case studies for technology platforms. It's a luxury brand — they've literally hired luxury brand executives to run their business.

People pay more for Apple than they would for similar products if Apple didn't exist. Why? It's partly because they make amazing products. It's also because people want the status of owning an Apple product.

We're already starting to see this model replicated by a handful of leading cybersecurity platforms. If cybersecurity platforms truly can become better than distributed alternatives, owning one is going to be viewed as a luxury among big company executives.

Customer segmentation: big companies buy big cybersecurity platforms.

Building a multi-domain cybersecurity platform will likely require disciplined customer segmentation. This may seem counterintuitive at first — shouldn't platforms try to reach as many customers as possible?

Broad cybersecurity platforms for businesses of all sizes and consumers haven't worked yet. Symantec and McAfee tried this strategy with endpoint security and ended up unceremoniously separating their B2B and consumer businesses.

The enterprise customer segment is the obvious target for platformization, but it's not a straightforward answer. Enterprises have more complex problems and need more tools than consumers. This is tempting, but it also makes the challenges of platformization harder.

A cybersecurity platform for consumers or SMBs would likely have a smaller scope. A narrower focus on the product side could be an advantage in platformization, but time will tell.

Incentives: inertia is powerful, but so are the right incentives.

Lastly, platformization in cybersecurity needs the right blend of incentives.² In our industry, this means financial, social, and regulatory incentives.

The power of incentives becomes a lot more realistic if a cybersecurity company builds a platform customers really want. A great platform makes people want to buy something that they can't afford — or at least spend more money than they would before because they need to have it right now.

Customers won't stop buying point products unless (a) platforms are legitimately better, (b) they're forced to by their CFO or procurement, or (c) both.

Savvy security leaders aren't going to buy bad security products to save their company money. But they're also not going to buy commoditized products from multiple vendors. They're smart enough to recognize when a platform is advantageous and when it's not.

The bar for incentives is really high. For platformization to work, it needs to be clear that platforms provide the best possible defenses and advantages far beyond anything distributed products can offer.

Beyond our numbers and stories

Does executing all of this sound impossible? It should — that's part of the lesson here.

Platformization might be the single most difficult outcome to accomplish in technology. Just because it's difficult doesn't mean it's impossible. The only way to find out is to keep testing the limits.

Morgan Housel describes it like this:

The only way to know we’ve exhausted all potential opportunity from markets—the only way to identify the top—is to push them not only past the point where the numbers stop making sense, but beyond the stories people believe about those numbers.

Are we past the point in our industry where numbers and stories about platformization stop making sense? Maybe. We'll find out where the top is.

I don’t know which cybersecurity company is going to be the one who figures out platformization. Both numbers and stories tell us the journey has a ton of risk. Many a promising company has been destroyed in the pursuit.

Any company that figures out cybersecurity platformization is going to be worth $500-billion-plus. Anyone who doesn't is going to the private equity graveyard to be dismantled alongside the companies who tried before them.

And then the next audacious cybersecurity companies are going to keep on trying.

Acknowledgements

This article was influenced by thoughts from a broad set of people on the topic of platformization. A few specific influences are Adrian Sanabria, Eric Parizo, Francis Odum, Richard Stiennon, Tyler Shields, and our Palo Alto Networks Q2 2024 earnings webinar attendees.

Footnotes

¹Okay, "it's all over" might be dramatic. The point is companies who make this argument and get exposed lose their swagger and become B-list or C-list companies struggling to remain relevant.

²Charlie Munger would have wanted me to put incentives first, but here we are. RIP, GOAT.

Part of me says this is normal. Public markets fluctuate, often between different extremes.

But cybersecurity's current situation feels...different, or at least more nuanced.

Companies like Palo Alto Networks are were doing better than ever. They became cybersecurity's first $100 billion company (by valuation) in December 2023. (Nevermind the irrational panic-selling in the 24 hours after their Q2 2024 earnings announcement.¹)

Other companies are doing worse than ever. IronNet and Cyren both filed for bankruptcy in the last six months. Auditors for several other small-cap cybersecurity companies have raised doubts about their ability to continue operations.

And then there's everyone else. A group of ~60 public cybersecurity companies is stuck in the malaise of economic uncertainty that's been going on for two-plus years. It's a group of respectable companies that can't quite seem to break through.

This divide has bothered me for a long time. A lot of us feel this way. We recognize the circumstances but haven't quite been able to explain what's happening or how.

Mike Privette was on to something when he wrote about the K-shaped recovery of the cybersecurity industry almost a year ago: the recovery of the tech industry has been unevenly distributed, and it's the same story for cybersecurity, too.

In Bigger, Faster, Stronger: The New Standard for Public Cybersecurity Companies, I talked about cybersecurity IPOs by era and the metrics behind them. I didn't quite have a handle on this whole divide at the time, though.

So...what's going on here?!

Two weeks and 5,000+ data points later, I'm confident about one thing: Cybersecurity has a class conundrum, and the gap is only getting wider.

Let me tell you about this situation using a comparison you might not expect — celebrities.

Celebrities and cybersecurity companies have a lot in common

Even if you don't follow the latest Hollywood gossip (I sure don't), everyone can name and recognize a few A-list celebrities: Tom Hanks. Julia Roberts. Rihanna. Serena Williams. LeBron James.

You probably know more B-list and C-list celebrities than you might expect, too: T.J. Miller (I loved Silicon Valley!). Mindy Kaling. Allyson Felix. MGMT (listening to them on Spotify right now). They're all accomplished artists and athletes, but you might not recognize them walking down the street.

Reducing people and companies to status lists is shallow, but it's also human nature. We are a status-oriented species. Things like celebrity status lists can be a useful model if they're not taken too literally.

For this metaphor, I'd define classes of celebrities and cybersecurity companies something like this:

It's cleaner to use a single, objective metric like year-over-year revenue growth or market cap, but this misses nuances that are better captured with some judgment involved.

A comparison to celebrity status lists probably isn't the best way to do it either, but...whatever, this isn't Gartner.

So, let's go with it. Enough suspense already — let's reveal cybersecurity's A-list companies.

Cybersecurity's A-list companies

Cybersecurity has seven "A-list" companies, including both pure and hybrid: Cloudflare, CrowdStrike, Fortinet, Okta, Palantir, Palo Alto Networks, and Zscaler.²

A-list companies have performed spectacularly well across revenue, growth, market cap, and underlying financial metrics for a long time:

Again, this isn't to say the other public companies in cybersecurity are bad — it's not that black and white. Some of my favorite companies aren't on this list.

When you look at the data, there is a clear set of companies who have financially outperformed the rest of the cybersecurity market. Let me show you what I mean, and then we'll unpack it.

There are currently 55 pure and hybrid cybersecurity companies listed on major U.S. exchanges. I added two more (Darktrace and Trend Micro) from international exchanges because of their market cap to make 57 companies in total.³

Cybersecurity's seven A-list companies currently have a higher market cap than the remaining 50 companies combined:

This inflection point just happened in 2023. No wonder it's not being talked about very much.

Today's A-list companies were almost non-existent a decade ago. Only Fortinet and Palo Alto Networks were public in 2014. Now, the seven A-list companies are worth more than every other public company in the industry.

...uhhh, what happened?!?!

Let's rewind to 2011 and quickly step through the progression that got us to the class conundrum we're seeing today.

Remember the world in 2011?

Yeah, I needed a reminder. Here are a few highlights: Bridesmaids was a popular movie, the first season of Game of Thrones aired, and Aaron Rodgers won the Super Bowl with the Green Bay Packers. The Social Network won an Oscar, which is a funny coincidence. All of this feels like forever ago.

The cybersecurity industry of 2011 feels pretty unfamiliar, too.⁴ Breaches of Epsilon, RSA, and the Sony PlayStation Network were the major events of the year. Back then, we had 26 public companies with a total market cap of $68.2 billion:

Symantec (now Gen Digital) was on top of the world at the time, clocking an $11.5 billion market cap on $6.7 billion of annual revenue.⁵ Fortinet was just getting started as a public company.

Palo Alto Networks and several of the other A-list companies were founded, but they weren't child stars destined for greatness. They were promising private companies, but far from the superstars they are today.

Cybersecurity's rise to stardom from 2012 through 2018 set us up for the divide we're seeing today. Let me show you why.

2012 through 2019: Cybersecurity's A-list walks down the red carpet

This era is the Oscars, otherwise known as the "High Burn/High Growth" era in software industry terms.

A total of 31 pure and hybrid cybersecurity companies walked down the red carpet and went public from 2012 through 2019. The guest list included A-list companies like Palo Alto Networks (2012), Okta (2017), Zscaler (2018), CrowdStrike (2019), and Cloudflare (2019).

The industry's total market cap more than quadrupled, going from $68.2 billion to $308.6 billion in under a decade:

Everything was going right. Take-privates were hard to find. Blue Coat (2012), Infoblox (2016), Gigamon (2017), and KeyW (2019) were the only subtractions from our overflowing club of public companies.

You thought that was wild? Think again. Let's crank the volume up to 11.

2020 through 2021: The after-party

If the High Burn/High Growth era was the Oscars, 2020-2021 was the after-party. We were all having the time of our lives.

Twenty more pure and hybrid cybersecurity companies went public on top of the companies we already had.

The industry's market cap doubled over a two-year period, going from $308.6 billion at the end of 2019 to $698.2 billion by the end of 2021:

Unfortunately, this was the "High Burn/Slowing Growth" era. The whole software industry got upside down from overspending on growth. And then the D-list companies (SPACs and reverse mergers) started showing up.

It's getting late — time to go home.

2022 onward: Our growing class conundrum

The free-for-all is over. Investors are taking sides now, and it's fueling the growing divide between cybersecurity's A-list companies and everyone else.

After a market-wide blip in 2022, cybersecurity's total market cap is back to levels higher than ever in 2024:

...but remember our chart from the beginning of the article where we hit an inflection point in 2023? That's the conundrum — our seven (S-E-V-E-N!) A-list companies are driving over 80% of the industry's valuation growth this time:

You could argue the divide is because 13 cybersecurity companies have been taken private since 2022. It's definitely a factor. But look at this trend of average valuations broken down by class:

The rising stardom of cybersecurity's A-list companies started in 2019 and shows no signs of coming back to earth, even with a decline in 2022.

The A-list companies took off and soared above $10 billion average valuations. Everyone else remained flat, stuck at the sub-$10 billion valuations they've known for years.

Using market cap to measure the success of a company is like using fame to measure the success of a celebrity. Valuations and fame are fickle, but revenue doesn’t lie:⁶

Revenue growth for our A-list companies has been a hit machine, outperforming the rest of the industry for more than a decade.

Enough with the numbers — you get the idea. Cybersecurity in 2024 is fundamentally different and more polarized than ever.

I still don't know if this is just a phase or a new long-term reality we all need to operate in.

One thing I do know: the implications of our growing class conundrum are more impactful than anything we've experienced yet as an industry.

Footnotes

¹I spent an hour and a half live with Francis Odum talking about this recently.

²I'm including Okta as an A-list company based on their way-above-average performance since IPO. I get the argument they're not an A-list company right now — that's fair. The time horizon for this analysis is intentionally longer. I also have doubts Okta is going to remain down forever.

³The data also includes Splunk and ZeroFox. Both companies have pending acquisitions that have not yet closed, so they're technically still listed for now.

⁴This probably depends how experienced you are. I was barely out of college and working with Oracle identity products (rough, I know – amazing I'm still in security). I still had a lot to learn about the industry at the time.

⁵How's that for a valuation multiple?!

⁶Okay, okay — sometimes revenue does lie. Or people lie about revenue. I get it, I worked at PwC. I remember Enron. Those are edge cases, especially post-SOX.

Wait, how is that possible?! How could a person who hit 714 home runs and won seven World Series championships — widely regarded as one of the greatest baseball players of all time — not cut it in the big leagues?

Babe Ruth played professional baseball from 1914 to 1935. His prime was 100 years ago. A guy like him could eat dozens of hot dogs in one sitting, chain smoke cigars, get plastered every night, and still be a superstar athlete because fortune granted him enough natural ability.

Fast forward a century, and Mike Trout is the gold standard of the modern baseball era. His training regimen is social-media-famous: 54-inch box jumps, weighted tire rolls, medicine ball sprints — you get the idea. Babe Ruth would have needed a ladder to get on top of a 54-inch box.

Athletes get bigger, faster, and stronger with every successive era. It's the same story for companies in the cybersecurity IPO pipeline, too.

General Motors, the Babe Ruth of companies in the 1920s, had an inflation-adjusted market cap of about $9.1 billion in today's dollars.¹ Two private cybersecurity companies (and seven public ones) have a higher valuation today. Palo Alto Networks alone is worth over 10x more.²

How did this happen? Part of it is evolution, and part of it is because we know how to make better athletes and companies.

Time passes. Expectations change. Methods improve. Competitors get better. The standard of performance gets higher. The game gets harder. It's a never-ending cycle of progress.

Let's talk about why benchmarking performance matters and what the current standard is for cybersecurity IPOs today.

Benchmarks are an input to better decisions

Why does it matter to know what the standard of performance is in the first place? Anyone involved with a cybersecurity company in the IPO pipeline (and public companies, too) needs to know the standard they're being measured against. Life-changing decisions get made based on these benchmarks.

It's the equivalent of knowing your draft status in sports: you need good advice and statistics to make the right decisions. A high school pitcher with a 71 mph fastball, a 5.34 ERA, and an overinflated ego shouldn't to skip college and enter the draft if their performance isn't good enough to get drafted yet.

It's personal for thousands of people in the industry. Readers of this article (maybe even you) lead, work for, or invest in later-stage cybersecurity companies. I have consulting clients who are navigating this exact situation. It's very real.

Making the right decisions can be transformative. Making the wrong ones can be catastrophic.

So, what exactly are the expectations for cybersecurity companies in the IPO pipeline? That's the billion-dollar question we're going to answer.

The first part of the equation requires zooming out to look at the entire software industry. Cybersecurity is just one part of a larger tech ecosystem. Only looking at companies in our industry is equivalent to only looking at the stats for players on your favorite baseball team. They might be the worst team in the league.³ The performance of everyone else in the league matters. Same situation here.

One source source we'll reference is the Battery Ventures State of the OpenCloud 2023 report, which shows benchmarks from three recent cohorts of software IPOs:

The other source is Jamin Ball's Clouded Judgement publication. Two articles go into immense detail about benchmarks for public SaaS companies. This table summarizes the benchmarks for all SaaS IPOs from 2018 to mid-2020:

The second part of the cybersecurity benchmarking equation is looking back at the performance of previous cybersecurity IPOs. The combination of software industry and cybersecurity-specific benchmarks gives us a pretty good idea about the market's expectations for performance.

Next, we'll take a tour of cybersecurity's IPOs through the eras and compare them to today's software industry benchmarks. And Taylor Swift. Seriously.

Eras Tour: Cybersecurity's Version

I know, I know...the Taylor Swift reference was right in front of me here. I had to do it.

Just like the stylistic evolution of Taylor's music⁴, the cybersecurity industry has had distinct economic eras — all with different expectations, metrics, and vibes.

The Battery Ventures report has a perfect definition of the recent eras in software:

Cybersecurity is a lot smaller sample size than the overall software market, so I added the Dotcom Bubble (1995-2002) and Post-Dotcom to Great Recession (2003-2009) eras to the analysis. Here's our setlist, eras and all:

So here we go — you've got your ticket to the Eras Tour (Cybersecurity's Version). Let's take the stage and jam through the eras. You can wear sparkles if you want.

Dotcom Bubble (1995-2002)

The dotcom bubble was a wild and frenetic era for tech company IPOs. Webvan (RIP) peaked at a $1.2 billion valuation, burned through a billion in capital, and went bankrupt two years later. And that's just one story.

Cybersecurity companies had much more modest debuts on public markets during this era. Check Point and Radware were our only two IPOs. Here's how they were doing at the time of IPO:

Check Point went public with $31.8 million in annual revenue. That's over $600 million under the IPO standard of today (and a shade under the revenue Palo Alto Networks earns in a single business day!).

Both companies had good margins. EBIT margin was 25%, which easily puts them among the top IPOs in today's era.

Ironically, both Check Point and Radware survived the dotcom collapse and remain on public markets today. Check Point is still one of the largest cybersecurity companies in the world. There's always room in public markets for solid companies.

Post-Dotcom to Great Recession (2003-2009)

The time between the dotcom collapse and the Great Recession is our sad, emo era. Fortinet and Commvault were the only pure cybersecurity companies that went public:

A lull in cybersecurity and tech IPOs is a bummer, but Fortinet is an excellent consolation prize. It's turned into one of the best and highest-valued cybersecurity companies today, transcending eras to become a generational company.

High-Burn / High-Growth (2012-2020)

The High-Burn / High-Growth era is better known as the ZIRP era. Nearly a decade of low interest rates caused a spike in hyperscaling and IPOs.

This was like the steroid era of baseball. Performance was inflated by ZIRP. We had a bull market. Growth companies had high valuations. High-profile breaches started reaching mainstream media. And so on.

The IPO numbers speak for themselves — 27 pure cybersecurity companies went public during this era⁵:

Metrics for this cohort were a sign of the times. Cybersecurity's ZIRP companies went public when investors valued growth more than profitability. The metrics show.

Average LTM revenue at IPO was $173 million, which is far higher than cybersecurity companies in the dotcom and post-dotcom eras. It was relatively in line with median revenue benchmarks ($193) from Clouded Judgment. However, revenue was less than half of the late ZIRP era (2018 onward) standards from Battery Ventures.

Profitability (EBIT Margin) was in line with Clouded Judgment metrics, and way below current expectations of break-even or low single digits. Blame it on sales and marketing — spend in this category was 22% higher than today's standard. Yep, steak dinners drove overall EBIT margins 29% lower.

"Faster" was the emphasis in the "Bigger, Faster, Stronger" trifecta. Grow fast and you'll get bigger and stronger later, they said. The next two eras taught us why this was an empty promise.

High-Burn / Slowing-Growth (2021-2022) and Expense Management (2023)

KnowBe4 and ForgeRock were the two large-cap cybersecurity companies that went public during the High-Burn / Slowing-Growth era of 2021-2022. Here are their metrics at IPO:

The two eras from 2021-2023 are interesting because of acquisitions and take-privates, not IPOs:

Nine (!!!) public cybersecurity companies from the High Burn / High Growth era of 2012-2020 were taken private or acquired.

Stated differently, nearly 50% of the cybersecurity companies who went public during the previous High-Burn / High-Growth era were either acquired or taken private during this High-Burn / Slowing-Growth era.

Both KnowBe4 and ForgeRock also ended up being taken private quickly. They each survived public markets for less than two years. In baseball terms, they were the Mark Prior of cybersecurity public companies — full of early promise, then gone in a flash.

There was nothing notably wrong about either company's metrics compared to IPOs from the High-Burn / High-Growth era — emphasis on the "compared to" part. They were doing fine compared to past eras, but nowhere near the new expectations the market set for burn and growth.

The game evolved. KnowBe4, ForgeRock, and nine other companies found themselves watching the game from the bench.

The Expense Management era of 2023 brought nothing but pain: just more take-privates, layoffs, and valuation hits. It's like when the Florida Marlins won the 1997 World Series with a huge payroll, then cut it to $16 million in 1998. Nobody likes expense management, but sometimes it's the best strategy.

Encore: the Low-Burn / High-Growth era

We're not ending this show with expense management, right?! BOOOOOOOOOO!!!

No way. That would be like ending a baseball game on a walk-off balk call.

It's time for the encore. Welcome to the Low-Burn / High-Growth era. It's going to have our biggest hits yet.

Here's the description of this era from the Battery Ventures graphic we saw earlier:

Once companies manage expenses, we will soon see a convergence to the long-term target of 30% operating margins. As growth returns, highly-profitable, high-growth companies will return. The era of $1B B2B software companies is here, and with >30% operating margins and efficiency built in, we will see higher quality franchises.

A practical way to translate this is: you can't control growth, but you can control expenses.⁶ This means free lunches, massage tables, and unlimited expense budgets are probably gone, or at least limited. Complain to your CFO — I'm just the messenger here.

But seriously, I've spent a lot of time working in $1B+ B2B companies with >30% operating margins. Trust me, it's great when your company is making a lot of money, profitable, and manages it well.

We don't have visibility into IPO pipeline company metrics, but our currently public cybersecurity companies are a decent stand-in:

The 13 pure cybersecurity companies on public markets today are a mixed bag.⁷ On average, we're comfortably above IPO-level expectations for total revenue, margins, and operating expenses. We're lagging on growth and net dollar retention. Valuation metrics reflect both — our 8.1x multiple is above the SaaS IPO median and below the 2023 IPO metrics.

Getting to today's standard of software industry performance means being bigger, faster, and stronger. It's about balance and temperance, not overdoing one of the three. Higher standards are painful at first, but they're better in the long-term.

Don't believe me? Let's go back to our baseball anecdote. There are more total home runs in Major League Baseball (MLB) today than there were during the steroid era.

We don't have two players (Mark McGwire and Sammy Sosa) crushing Roger Maris's 61-homer record in the same season, nor do we have Barry Bonds hitting 73.⁸ We do have remarkable league-wide production, though.

Six of the seven highest home run rates per game occurred between 2016 and 2021. During the same period, the Minnesota Twins (2019) and Atlanta Braves (2023) both set the record for home runs by a team during a single season at 307.

Baseball players in today's era have better fundamentals. They're a balance of big, fast, and strong. The right balance is why we're seeing consistently high levels of performance at a team and league level.

This baseball anecdote is exactly what the Low-Burn / High-Growth era in the cybersecurity industry is all about. We're going to see fewer hypergrowth companies getting all juiced up for big IPOs, then withering two years later.

Instead, our IPO pipeline and public markets are going to have highly scaled, profitable, and resilient companies. They're going to endure and thrive in public markets. And our entire industry is going to reach new levels of performance.

The blitzscaling and hypergrowth of the High-Burn / High-Growth era wasn't a revolution or transformation of business models — it was just an era. Durable cybersecurity companies have been built across each of the eras. The important part is to understand how to use the best of the era we're in to build the biggest, fastest, and strongest companies we can.

Acknowledgements

Thank you to the team at Battery Ventures and Jamin Ball at Clouded Judgment (Altimeter Capital) for the heavy lifting on software IPO benchmarks. This cybersecurity iteration wouldn't have been possible without building on top of their work.

Footnotes

¹Cybersecurity companies obviously didn't exist in the 1920s, so I went with one of the top companies from the industrial era instead.

²And then there are mega-caps like Apple, Microsoft, and others who have multi-trillion-dollar valuations. Palo Alto Networks just achieved its first $100 billion valuation earlier this month, so it's a little early to start talking about trillion-dollar valuations in cybersecurity. But we can dream.

³I'm a Chicago Cubs fan, so I know what it's like to cheer for the worst team in the league. (Historically speaking, but not anymore! Go Cubs Go!).

⁴Okay, "just like" Taylor Swift is a stretch. Cybersecurity's business eras also have far less appeal in pop culture. The Venn diagram of Swifties and readers of this article is probably close to zero.

⁵Including companies which are now delisted and small cap/non-traditional listings.

⁶It's fine to control expenses. Just don't overdo it. There's a great Ruth Porat (now the Chief Investment Officer at Alphabet) quote about this: "You can't cost-cut your way to greatness."

⁷Our current situation even more nuanced than the chart shows. Palo Alto Networks, Fortinet, CrowdStrike, Check Point, and Okta skew the average metrics by a lot...but that's another article.

⁸Yes, Yankees fan — I know Aaron Judge hit 61 home runs in 2022. We still get high individual numbers once in a while. The point is the entire league is more balanced, which leads to a higher total across the board.

...

Struggling to come up with an answer? If you took a shot, how confident are you that you're right?

If you're feeling a little bit rattled right now, don't worry. The answer is wayyyyyy trickier than it seems. I struggled to answer this question myself, and I've been covering publicly traded cybersecurity companies for a while. I literally found 20 more companies while writing this paragraph.

I was planning to write a different article about public cybersecuity companies until I realized how difficult it is to come up with a list of companies in the first place. Why is it so damn hard?!

It's partly because different answers get reported all the time. Richard Stiennon's public cybersecurity stocks spreadsheet has 13 companies. Momentum Cyber tracked 38 companies as of its 2022 Cybersecurity Almanac report. Mike Privette tracks 59 companies on his Return on Security market tracker. Cybersecurity Ventures tracks 60+ companies. And all of them are right!

Back to the original question — how many publicly traded cybersecurity companies are there? The short answer: 71. I know... finally, number we can rely on! Not really...

...How do you classify pure cybersecurity companies versus hybrid ones? Do you have a minimum threshold for small-cap companies? What about companies on global stock exchanges? And weren't there just a bunch of cybersecurity companies that were taken private?

Are you starting to see what I mean about this being tricker than it seems?

The real answer to this question is: it depends. I know — how unsatisfying. Everyone wants a number we can all agree on. I regret to inform you this isn't going to happen. But trust me, the nuances are why this is a super interesting question.

Let me start by telling you a quick story about a deranged billionaire and one of the wildest estate sales of all time.

What do casinos, hotels, TV stations, ice cream, and airplanes have in common?

"I'm not a paranoid deranged millionaire. Goddamit, I'm a billionaire," the eccentric Howard Hughes once quipped about himself.

We've all heard stories about Hughes' quirks, antics, trials, and tribulations as a businessperson and celebrity. You probably haven't heard how bad of an accountant he was.

What casinos, hotels, TV stations, ice cream, and airplanes have in common is that Howard Hughes owned one or more of all of them. The stories about why he owned this large and eclectic set of assets are even more wild.

He bought several casinos in Las Vegas, including one because the rotating slipper on its sign annoyed him. He bought a hotel because management tried to kick him out after staying past his reservation. He bought a TV station so his late-night movie watching wouldn't get interrupted by commercials. He stockpiled Baskin-Robbins banana nut ice cream because he was obsessed with it. He owned a massive plane (the "Spruce Goose") that he flew one time at only 70 feet of altitude.

We haven't even talked about the companies, real estate, mining claims, art, and bank accounts Hughes also owned. He had a %&@^load of stuff, and nobody knew where all of it was. He probably didn't either.

Howard Hughes died without a will in 1976. Nobody could figure out what he owned or how to liquidate it. It took almost 15 years and millions of dollars for teams of lawyers, judges, advisors, and heirs to sort out his vast and disorganized estate.

The story of Howard Hughes and his sprawling estate is a metaphor for our industry. I would lovingly call cybersecurity a vast and disorganized estate, too.¹

We're like an industry version of Howard Hughes right now. We don't really know how many public companies we have, let alone the 3,000+ private ones.²

Cybersecurity isn't some cottage industry anymore. Our public companies have a combined valuation of over $350 billion.³ We're not paranoid, deranged millionaires. We're billionaires...oh, wait a minute.

Let's get our own estate in order with some solid numbers about cybersecurity's public companies.

The total number of public cybersecurity companies depends on how you look at it

Remember when I said there are currently 71 public cybersecurity companies at the beginning of this article? You're about to see why I'm not 100% confident about this answer.

The big question is: how do you define the cybersecurity industry? This exact question is why the reported number of public cybersecurity companies varies widely between different sources.

It all depends on how you cut the data. Here are the most logical ways to slice it.

Pure and hybrid cybersecurity companies

A never-ending industry debate is the classification of "pure" versus "hybrid" cybersecurity companies. The uncertainty is whether companies whose products and revenue are a mix of cybersecurity and other tech should be considered cybersecurity companies.⁴

I'm firmly anchored in the "yes, they are cybersecurity companies" camp. I understand how including hybrid companies can skew the numbers on the cybersecurity industry, though. Including larger companies like Cloudflare makes metrics like the overall count of companies and valuations go way up.⁵

I'm happy to make the case for why that's a good thing all day long, but the diplomatic answer is to show you the data both ways:

See what I mean about hybrid cybersecurity companies making the overall count go way up? There are 31 of them, or 43.7% of the total company count:

Even if you exclude hybrid companies, having 40 pure cybersecurity companies traded globally is still super respectable. Here's the full list of companies:

Would you have guessed the number was this high? I sure wouldn't have. And remember, the totals are down from all-time highs after 21 delistings from M&A and take-private activity since 2020.

Global stock exchanges

Right or wrong, the business side of the cybersecurity industry has a very U.S.-centric slant to it. For our purposes, this means public company counts get skewed towards major U.S. stock exchanges like Nasdaq and the New York Stock Exchange (NYSE).⁶

Here's the breakdown of companies by U.S. and non-U.S. stock exchange listings, which also includes our previous filter of pure and hybrid company types:

The count of companies is skewed towards the U.S., but much less than you might think. There are 24 companies listed on non-U.S. stock exchanges, and 17 of them are of the "pure" variety.⁷

Discovering and tracking global cybersecurity companies is sort of like excavating for dinosaur fossils — they're really hard to find. I'm certain this part of the list is still incomplete.⁸

Valuation and listing path

Two other widely debated criteria for classifying public companies are the path a company took towards listing and their valuation (or stock price).

How a company listed is contentious to the point of throwing punches, especially in the investment banking community. An era of SPACs (and their cousin, the reverse merger) in the early 2020s high-nosed the traditional IPO process and brought some questionable companies into public markets. Capital markets people don't like that, so companies on this path often get ignored.

SPACs and reverse mergers have been popular in tech but rare in cybersecurity — 79.4% of our current public companies have gone public through traditional IPOs or direct listings. We've only seen six non-traditional listings so far:

Chamath Palihapitiya hasn't played a hand in any cybersecurity SPACs yet, but the results have been similar. IronNet filed for bankruptcy in 2023 (and delisted shortly after). HUB Security's stock has lost 95% of its value. You can see why people get fired up about this topic.

Small-cap stocks are like the cousins of SPACs and reverse mergers. Professional investors generally consider companies with a stock price of $5 or lower (and/or sub-$100 million valuations) speculative. So, they're also excluded from a lot of industry counts.

In cybersecurity, there are currently 12 companies globally which are valued under $100 million:

The number is likely a bit higher because market data isn't readily available for some global exchanges.

From paranoid and deranged to calm and confident

We've done it! Our burgeoning, multi-billion-dollar cybersecurity estate is much more buttoned-up and put together now. We might not have the slicked-back hair and pressed suits of Wall Street stalwarts, but we're definitely not an enigmatic recluse like Howard Hughes anymore.

This is no time to get complacent, though. Keeping up with our public companies is an ongoing quest. Companies come and go from public markets all the time.

And remember, cybersecurity is still an up-and-coming industry! Like I said last week, it's not hard to imagine 20 or 30 more public cybersecurity companies a decade from now. This list is going to get bigger quickly whenever the tech IPO pipeline opens up again.

The next time you're asked how many public cybersecurity companies there are, you can calmly answer (with a bit of a smile): "it depends..." before confidently putting on a clinic on the nuances of the biggest companies in our industry.

Footnotes

¹Several smart people put lots of time and money into tracking industry data. It's not widely available or understood yet, though.

²In fairness, this problem isn't limited to cybersecurity. I'm more encouraged about our situation. Our industry is big enough to lose track of, but small enough to figure out.

³Based on data from Google Finance as of January 18, 2024.

⁴Classifying companies as pure or hybrid is also a judgment call without companies consistently disclosing business unit level revenue breakdowns.

⁵This definition (and data) is still excluding large, diversified technology companies like Microsoft, Cisco, Accenture, and others. These companies all have multi-billion-dollar cybersecurity business units. It's a stretch to include them in the count of companies and other metrics like valuation.

⁶Being listed on a U.S. stock exchange doesn't mean the company is also headquartered in the United States. This data analysis counts companies by stock exchange, not the location of their headquarters.

⁷It's starting to feel like we are breeding dogs or horses here — something where the purity of genetics matters.

⁸I'm still taking suggestions if you know of global public cybersecurity companies you didn't see listed in this article.

Things like...

"Valuations will get straightened out, and everyone can start raising capital again."

"Klaviyo going public will get IPOs going again."

"Our last valuation was a little high, but we can grow into our valuation over time."

...and so on. The stories we tell ourselves are how we cope with the uncomfortable reality of "economic uncertainty" that's been going on for, well, too damn long.

We're staring 2024 in the face, and the outlook is sobering. It's Dry January¹ for over 100 cybersecurity companies who are sitting on billion-dollar-plus valuations. It's %#@&ing cold and dark outside, the holidays are over, and there's nothing to do.

Okay, in business terms...here's the conundrum: IPOs are the best, if not the only, exit option for 30+ cybersecurity companies. Eighty more unicorns are right behind them wondering what their future looks like. And the market's standards for being a public company just got wayyyyyy higher.

What does all of this mean? It means it's time for us to sober up, straighten our lives out, and give 2024 everything we've got.

The never-ending party of 2021 is long gone now. It's time to get honest about where our top companies are really at heading into the new year.

Let me take you on an up-and-down ride through the financial plight of our industry. I'd normally tell you to fix a drink to calm the nerves first, but it's Dry January, so we're on our own.

Welcome to no man's land

To understand the state of cybersecurity companies, you need to understand the state of software markets in general. Enter Battery Ventures and their incredible (but brutal, at least this year) State of the OpenCloud report.

Here's the chart I haven't been able to stop thinking about for two months:

Note: This is a funnel, so the numbers are aggregated. For example, the total number of private unicorns is 1,000, not 1,000+115+50+17. Each range in the funnel shows how many companies graduated from the previous one. It's confusing at first, but useful once you figure it out.

It's a chamber of horrors for anyone who works at, invests in, buys from, or cares about software companies. There have been 95 software IPOs in the past decade. 1,000 more companies are sitting in the pipeline wondering when it's going to be their turn. That's not good.

The line "$1B is the new $100M when it comes to ARR" is the one that causes me the most panic. Why?

There are only 14 companies with over $1 billion of ARR in the entire cybersecurity industry. Private companies don't report revenue, but it's safe to say that very few of cybersecurity's private companies have $1 billion in ARR.

As if reading the report wasn't panic-inducing enough, I saw this response to some discussion about the report on X:

A stat that stuck with me after writing No Way Out: The Changing World of Cybersecurity Exits is how many companies with $1 billion-ish valuations we have in cybersecurity. If the $1-2 billion valuation range really is "no man's land in the public markets," we're entering a world of pain.

Trying to see the cybersecurity companies in this chart starts looking a lot like the blurry haze you were in during that bender back in college. Let me give you a clearer view, but without the hangover this time.

Cybersecurity's valuation funnel: billion dollar problems

Here's a cybersecurity version of the Battery Ventures chart (without the logos):

Right now, we have 113 private companies with disclosed valuations of $1 billion or higher, including both VC-backed startups and companies owned by private equity firms. Here's the bad news: 79 of them (70%) are in the "no man's land" of a $1-2 billion valuation.

The 79 companies are a mix of up-and-comers like Dragos, Expel, Island, Stytch, and Vanta, plus later-stage companies like Forcepoint, RSA Security, Veracode, and more.

Each company's individual timeline depends a lot on the timing and structure of investments. But their expectations are all the same: exit with a multi-billion-dollar outcome.

This is where things get complicated. We've had 26 companies go public at a valuation of $1 billion or more. However, our current situation is a lot different than the cybersecurity IPOs of the past three decades.

Since 2000, two cybersecurity companies went public in what's now the no man's land of $1-2 billion valuations. Five companies (CyberArk, Fortinet, Qualys, Rapid7, and Varonis) went public at valuations under $1 billion and grew into valuations of $3 billion or more as public companies.

None of this seems possible right now. We're in a more austere place in time. Only the Most Upstanding Companies™ are worthy of public markets. The rest are left to toil in private until the end of eternity — or what feels like it, anyway.

Several of the 79 companies will make it out and have good exits. And a lot of them will get sold for under half of their billion-dollar valuations. Which ones? I don't know — not beyond an informed guess, anyway. You probably don't either. This no man's land is a very uncertain place.

Next, let me walk you through the funnel and pour you a shot of good, ol' fashioned hope.

Through the funnel: from no man's land to the promised land

When we move down the funnel and past the companies in the $1 billion+ no man's land, we reach a much rosier outlook.

There are 34 cybersecurity companies that have made it beyond the $3 billion valuation threshold. This doesn't mean they have the scale, predictability, and story to make it to an IPO, but their path and probability of making it to the public markets is a lot more clear.

Let's dive into the data for each valuation range. You'll see what I mean.

$3B+ range

Nineteen cybersecurity companies are currently valued between $3-5 billion:

Other than IDEMIA, the entire set of companies owned by private equity firms used to be public companies. They ended up being taken private for a reason. Each of them needed to take a minute and work on some things outside the public eye.

Most of them will get back to public markets eventually — especially with the magic of Thoma Bravo (Sophos), Vista Equity Partners (KnowBe4), and KKR (Barracuda Networks), all firms with a long history of success in cybersecurity. All six PE-backed companies are early in their holding period, so there's no rush to sell before they have their scale, predictability, and story figured out.

The 12 VC-backed companies in this valuation range are on the fringe of cybersecurity's IPO pipeline. Acronis, Arctic Wolf, Cato Networks, Forter, Rubrik, and Socure have all shared plans to go public. The other six have raised significant capital and likely have the time and runway to grow into IPO candidates.

Companies in this range might be three or more years out from going public, but timing doesn't matter if they use it to become sustainable companies long-term.

$5B+ range

Twelve cybersecurity companies are currently valued between $5-10 billion:

Just like the $3B+ range, all three PE-backed companies were public once upon a time. Each had over $500 million in annual revenue (as of their last earnings reports) before being taken private.² Their return to public markets seems like destiny.

Seven of the nine VC-backed companies in this valuation range are basically a who's who of the cybersecurity IPO pipeline. Netskope (12), Tanium (13), Snyk (19), OneTrust (21), and 1Password (50) are all members of the Forbes Cloud 100 class of 2023. Lacework and Coalition raised three of the top 50 largest financing rounds in cybersecurity history.

As blockchain companies, the future of Fireblocks and StarkWare is up in the air — but if you know anything about cryptocurrency, you know valuations swing wildly. Hodl, I guess.

If I could make a billboard to show the world who the best private companies in cybersecurity are, most of these are on it. $5B+ is the range of rising stars.

$10B+ range

Three cybersecurity companies (or two and change, depending on how you classify Kaseya) stand alone in the bougie $10 billion+ valuation club:

Only 16 cybersecurity companies, public or private, are valued at over $10 billion. That's a higher valuation than 28 other public cybersecurity companies listed on major exchanges. With over 3,000 known cybersecurity companies, this group of 16 is in the top 0.5 percent.

Kaseya (Insight Partners, majority ownership) and Proofpoint (Thoma Bravo) are backed by private equity firms. Proofpoint was public until 2021, when it was taken private for $12.3 billion, the fourth largest acquisition ever in cybersecurity. Kaseya's future has a few more questions, but, well...they have a basketball arena named after them now.

Wiz stands alone as the only private cybersecurity company in history to be valued at over $10 billion. They're #19 on the Forbes Cloud 100, the fastest software company to ever reach $100 million in revenue, and ...you've heard the rest. One of the best articles of the past year sums it up nicely: Nobody Beats Wiz.

If you had to bet everything you own on picking which cybersecurity company is going to have a successful IPO, Wiz is it.

Sober, but good

Sobering was totally the right word for this tour through our industry. I feel surprisingly good about it, though. It's a lot like Dry January.

The first week is a downer. That's exactly how it feels for the 79 companies in the no man's land of $1 billion valuations.

The second week is when you start feeling better. The companies in the $3 billion range should be feeling a lot better than a lot of the unicorns.

The third week is when you feel like you've got this. "You've got this" is exactly what I'd say to our $5 billion companies. Most of them are going to have good exits.

The last week is when you feel superhuman. Our $10 billion companies are unstoppable.

Cybersecurity has around 30 public companies today. You don't have to squint much to see 20 or 30 more public companies a decade from now.

Whatever the number ends up being, it will feel a lot more meaningful when we can look back and say 2024 was the year that made companies in our industry great.

Now, let's pop a bottle of NA Moscato, raise a toast to everyone who's still in the game, and get back to building.

Footnotes

¹Yes, I'm doing Dry January too.

²Ping Identity and ForgeRock have over $500 million revenue combined (now under Ping Identity). Both companies were under $500 million individually before the merger.

I'm not surprised anymore. Okta has had a rough time since their first breach was announced back in March 2022. Tack on several more incidents since then, and it's easy to join the bloodthirsty mob of people counting the days until Okta's imminent demise.

I'm not an Okta apologist, but their situation isn't as dire as some people think. They're going to be fine. Maybe even better than before...eventually.

WHAT?!? How could that be possible after this many problems??!!

Let's start with a freakish comparison between Okta and the most popular tale in human history.

A Cinderella story

All great stories have an arc. We understand this implicitly because of how we feel when watching a show, reading a book, or seeing a movie. Most of us don't think about the mechanics of a story — it's just something we experience emotionally.

Kurt Vonnegut, one of the greatest storytellers of all time, turned the fuzzy, hard-to-quantify concept of story arcs into a science. In his short (and hilarious) lecture on the Shapes of Stories¹, he defined several of the most common patterns great stories follow.

One specific type of arc keeps churning out hit after hit. It's called the "Cinderella story." Here's what it looks like:

Want to see something wild?

The chart of Okta's stock price from its IPO in 2017 through today follows almost exactly the same arc:

I kid you not. It's uncanny.

The comparison is a metaphor, of course — but Okta's narrative fits the story arc in a remarkable way.

From ill-fortune to cybersecurity's debutante ball

Okta couldn't have been started under worse circumstances.

In 2008, Todd McKinnon was a mid-30s, up-and-coming exec at Salesforce with a baby daughter and recent Type 1 diabetes diagnoses. The economy was in a free fall.

Financial stability, family, and health were all working against him. He was barely able to convince his wife it was a good idea to start a company.

The company started out as Saasure, a network monitoring product. It didn't get traction. The founders quickly pivoted to cloud identity management and changed the name to Okta.

Okta's cloud access management product steadily grew beyond everyone's wildest expectations. The fairy godmothers at Andreessen Horowitz and Sequoia bestowed a total of $228 million in venture capital upon the company. Okta went public in 2017 at a $1.5 billion valuation.

As a public company, Okta continually produced steady increases in growth and valuation, peaking at an enterprise value of $41.29 billion in September 2021. It was one of the most valuable cybersecurity companies in the world.

That's the quick version of how Okta went from an ill-fated beginning to become one of the darlings of the cybersecurity debutante ball.

The story really starts to get interesting when the clock strikes midnight.

When the clock strikes midnight

Everything changed on March 22, 2022, when LAPSUS$ publicly disclosed it breached Okta through a third-party service provider.

The magic spell wore off. Their Teslas turned into pumpkins, Cotopaxi into rags. A glass Allbirds slipper was the only trace left behind.

The protagonist in Okta's real-life story is Todd McKinnon. He's not exactly in rags, but you'll never find a picture of a more exhausted CEO than this one — taken from an interview at a software industry conference the day after a breach:

We've all heard about the direct and indirect security incidents and PR debacles since then: source code breaches, Rightway Healthcare, Oktapus, MGM, support case management...okay, make it stop.

Right now, it feels like anything Okta does right gets overshadowed by something that's gone wrong.

Why? We're watching Okta's "clock strikes midnight" moment play out in real time.

They were just on top of the cybersecurity world, and now they're not. It's jarring. We're all on the edge of our seats, unsure of how the story is going to end.

What we're thinking and experiencing now is exactly how the arc of a Cinderella story goes. Something horrific happens. Things look dire. Nobody knows if the hero can recover this time.

Here's what happens after the princess vanishes from the ball and her glass slipper gets left behind.

The next Cinderella?

In the movie Cinderella, the prince launches a massive quest to find her after she disappears. Everyone in town tries on the glass slipper to see if it fits. People like the stepsisters pull all kinds of nefarious stunts to jam their foot into the slipper.

This iconic scene is...actually not so different from the time since Okta's clock struck midnight.

There's an important lesson about competition here: when given the chance, a lot of people want to make the glass slipper fit and steal the throne.

Some competitors piled on with "this wouldn't have happened if..." and all kinds of questionable tactics to make Okta look bad and get customers to switch. It's unfortunate, but they probably deserved it.

Could Okta have done a better job with security? Of course.

Did their mistakes put thousands of customers at risk? Absolutely.

Was their initial PR and incident management lacking? #%@& yes it was.

But not all security incidents are the same. Incidents happen all the time. They can also happen to anyone — even security companies. The "why" and "how" matter. Savvy security leaders know that.

Here's the reality: the glass slipper isn't going to fit for most other identity companies.

A founder-led decacorn in its prime is not going to disappear overnight. Okta has used up a lot of karma points, but the collective damage from these incidents is far from the worst we've seen as an industry.

On a practical basis, it's not easy or fiscally responsible for most customers to rip out an identity platform like Okta once it's implemented. Identity platforms are incredibly sticky, especially when they're integrated with most of an organization's apps.

For a large enterprise, "not easy" means years spent migrating the integrations for hundreds or thousands of applications to the new identity platform. "Not fiscally responsible" means millions or tens of millions in capital expenses, including a big chunk for professional services.

Security leaders are disappointed and annoyed about this repeated string of incidents involving Okta. But frustration is not enough for most of them to cut ties and move on — especially when security budgets are getting tight and dollars are better spent other ways.

Sure, they'll throw a fit and ask for discounts. They'll renew their contracts for shorter periods of time. All kinds of political stunts can happen, but very little of the noise is translating to actual customer churn.

Let's talk about why a few insightful financial metrics mean the glass slipper still fits.

The glass slipper still fits

The evidence doesn't support mass defection of customers or the major implosion some people still believe is imminent.

How do we know customers aren't churning? Okta reports customer data in their quarterly earnings reports.

Their literal count of customers² isn't dropping:

Nor are the big, $100k+ accounts people were saying would leave:

Okta's customers are not running for the hills. In fact, they have 435 more $100k+ customers since the first breach.

Revenue isn't crashing, either. Their revenue has grown 25.26% year-over-year.³ The CAGR from FY21 (before the first breach) through the end of FY24 is 39%:

By the way, they're more profitable than ever now — scheduled to clock in at a 12% (non-GAAP) operating margin at the end of this fiscal year.

They're also still a leader in the 2023 Gartner Magic Quadrant for Access Management for, oh...just the seventh straight time. They're not the clear leader this time around — mainly because of Microsoft's investments in identity and Thoma Bravo's rejuvenation of Ping and ForgeRock, not Okta's series of unfortunate events.

Growing this fast as a ~$2 billion company under any circumstances is incredibly difficult. Okta has done it in the face of a bad macroeconomic environment and a level of noise and scrutiny no cybersecurity company other than SolarWinds has ever faced.

Analyst ratings and financial metrics aren't an adequate measure for the pain and frustration Okta's customers and security practitioners feel because of the security incidents. But, they're correlated.

If customers were dumping Okta to buy other identity products, rankings, revenue, and retention metrics would be tanking by now. None of them have.

I know things still seem dire right now, but Okta's story can have a happy ending. It won't be easy, but it's possible — just like all good Cinderella stories.

Okta's story can still have a happy ending

At this point, a happy ending for Okta is definitely not destiny. It's still possible if they do all the right things.

The biggest concern CISOs and investors both have is: Are there going to be more security incidents?

Maybe. The "O" in Okta might as well be a giant bullseye for attackers right now. The fairy godmother isn't going to rescue them. It's going to take massive effort to change the narrative.

There's an Icarus story arc, too. It's a moral lesson about the dangers of hubris and overambition.

A kid escapes capture by building wings made of wax, gets overconfident and flies too close to the sun, then drowns after the wings melt.

What Is Okta doing to make sure their story has a happy ending? A few things.

They need to handle any incidents they do have perfectly. They're out of karma. CISOs are going to move from mild frustration to mutiny if Okta can't figure this out fast, so they've been working on it.

Then, go on offense: make security a clear priority and address the high-impact issues. This is exactly what Project Bedrock (the internal project name) is about. 90 days of focus isn't going to fix everything, but it's a nice start.

Right now, Okta doesn't need more products. It needs more security.

If Okta can fix its security, both in reality and perception, they're going to be fine.

Fixing security is fixing growth.

The noise will fade. The spotlight will turn elsewhere. Customers will notice the progress.

Keeping the madness at bay is the best growth strategy for Okta right now.

Why? Okta has plentyyyyyyy of products with growth potential in the pipeline. Its Identity Governance and Privileged Access Management (PAM) products have both hit General Availability (GA). Early momentum is promising — especially in a world where three of their biggest competitors were taken private and other legacy products fade into the oblivion of data centers gone by.

The stakes couldn't be higher. If Okta lives up to its Cinderella story, they're cemented on the Mount Rushmore of winners in the identity market.

Ironically, it's security that will dictate Okta's future: will it be a tale of Icarus's fall or Cinderella's fortune?

Footnotes

¹Seriously, you should watch Vonnegut's lecture. It's pithy. Totally hilarious. I promise it will be the best four minutes of your day.

²The count of total customers can get a bit muddled because of how Auth0's product-led growth (PLG) model works. Without knowing the breakdown, you could speculate Okta's core workforce platform is churning, but Auth0 nets it out by adding super tiny customers to the total count. It's possible, but this scenario seems unlikely because of Okta's strong $100k+ account growth and Net Revenue Retention (NRR) metrics post-breach.

³On a TTM basis as of Okta's Q3 FY24 earnings report. Put differently, they're still growing a lot — long after the first breach was disclosed.

—Me, a more naive person two weeks ago than I am today.

What started as "a few quick changes" turned into a long and intellectually grueling two-week project.

The result was the biggest update I've made to Strategy of Security's cybersecurity ecosystem mapping since I first published it over two years ago. A lot has changed since then, including both the industry and my own understanding of it.

This isn't your normal Strategy of Security article. It's a few things: an announcement about the updates, some observations and insights I had along the way, and an audible sigh of relief for finally being done (for now...).

One thing I want to be clear about: this is not an attempt to simplify anything about the industry — it's the opposite. My goal is to define the most comprehensive and accurate taxonomy for the business of cybersecurity as I can. The topic is complex, nuanced, and ...well, so is this mapping.

I think about the famous line from George Box a lot: "all models are wrong, some are useful." It's definitely true of this project. Only now, it's a little less wrong and a little more useful.

Let's talk about a few things I realized from obsessing about the cybersecurity ecosystem every waking hour for two straight weeks.

The big estates are clear, and more are on the way

I've been on a kick about cybersecurity estates for most of the past year. My irrational enthusiasm about this idea has now fully made its way into this cybersecurity ecosystem mapping.

The graphic is now reorganized around the four largest estates — Application Security, Identity Security, Infrastructure Security, and Security Operations. I felt good about this idea when I wrote my thoughts on cybersecurity estates a few weeks ago. I feel even better about it now.

Cybersecurity's four largest estates are clear. They're supported by both intuition and data. Most of cybersecurity's public companies and invested capital live there. Estates are also the epicenter of strategic activity in cybersecurity, and sometimes all of tech.

My mind really got bent when I realized how many other sectors are so obviously on their way to becoming massive estates. They may not have clear winners or public companies yet, but you can feel the momentum and see multiple companies on a sky high trajectory.

Let's take Governance, Risk, and Compliance as an example. It's easy to sleep on this sector because it has no rizz. But a savvy observer sees the appeal: new SEC cybersecurity disclosure rules, emerging cybersecurity and privacy regulations in the U.S. and Europe, CISO fraud charges, and more are making this market...surprisingly popular.

You could also make a case that Consumer Security and Privacy, Fraud and Transaction Security, Data Security, and Services are already estates. Each has one or more public companies, plus multiple startups valued at $1 billion or more. More importantly, these companies need to exist — they're solving some of the gnarliest problems in our industry.

The cybersecurity ecosystem is crowded, but it's still big enough for more estates. A rare few companies are even starting to transcend estates. Let's talk about that next.

A few companies are transcending estates

Here's a question I didn't consider until this year: "What happens when a company has billions of dollars in revenue and operates across multiple estates?"

We're at a point now where this question isn't just a thought experiment — it's a reality. Several companies have industry-leading products in multiple estates.

Big tech aggregators like Microsoft, Cisco, and Alphabet (Google Cloud) all have multi-billion-dollar cybersecurity businesses. They make high-stakes strategic maneuvers, like buying companies for $28 billion. They're so big that even the biggest pure cybersecurity companies are doing $1 billion in revenue through them.

Pure cybersecurity companies like CrowdStrike and Palo Alto Networks are combining multiple categories into platforms. They're generating billions in revenue and growing revenue at 20% or more. And investors have big expectations for the future — the two companies are currently valued at a combined total of $151 billion.

We're in an era of cybersecurity juggernauts. Once you understand how today's juggernauts are shaping the ecosystem, you start to notice the juggernauts of tomorrow.

The juggernauts of tomorrow are converging smaller markets

After the concepts of aggregation and platformization click in your mind, you can see little pockets of convergence happening everywhere. The juggernauts of tomorrow are building mini-platforms, combining old and new markets to own a valuable slice of the industry.

Application Security Posture Management (ASPM) is a good example. Companies are converging several types of application security testing tools (and adding a real-time component) to create end-to-end Application Security Testing platforms.

We're at a point where convergence is happening on top of convergence. Cloud-Native Application Protection Platforms (CNAPP) are really going for it — they're combining the core parts of the Cloud Security market (CSPM, CIEM, CWP, etc.) and taking over AppSec, too.

Companies who succeed at converging smaller markets to create bigger ones are going to enter the juggernaut territory of CrowdStrike and Palo Alto Networks.

This brings us to the most important lesson of all...

You never have the cybersecurity ecosystem totally figured out

I'll admit it: I was feeling prettyyyyyy good about my understanding of the ecosystem when I started these updates two weeks ago.

Now, in the last few words of a long and humbling process, I'm viscerally aware that none of us have the cybersecurity ecosystem totally figured out.

I say this with complete gratitude and excitement about the future. It's energizing to be part of an industry so dynamic. I like not having it all figured out.

Fully understanding cybersecurity is an ideal, not a realistic achievement. But it's the only motivation you need to keep trying.

Thank you to Nipun Gupta for helping me sort out the current application security landscape.

People thought the best land purchase of all time was the worst land purchase of all time for more than 20 years.

The United States, led by Secretary of State William Seward, bought Alaska from Russia for $7.2 million in 1867. Adjusted for inflation, the acquisition price was about $725 million in today's dollars. That's a steal. Nobody cared in 1867.

Both the media and the public mocked the acquisition. The New York Herald called Alaska a "sucked orange," meaning Russia had sucked the value from the land and sold the U.S. a frozen wasteland. The deal was nicknamed "Seward's Folly," a personal criticism against William Seward for leading what everyone thought was a foolish purchase.

William Seward passed away in 1872. Seward's Folly followed him to the grave. He never knew about the gold discovered at Juneau in 1880. He never knew about the oil discovered at Prudhoe Bay in 1968. He certainly didn't know his now legendary foresight was vindicated by economic benefits of a trillion dollars and counting.

What can the Alaska Purchase teach us about the strategy and upside for Cisco's acquisition of Splunk? A lot more than you'd think.

Let me tell you how Russia sold a literal gold mine.¹

Motives for selling: fur trading and SIEM are unprofitable businesses

Russia wanted to get rid of Alaska because the land was a pain to maintain and defend from the expanding British Empire. They were also broke and needed the money.

The fur trade was paying the bills. It was an okay business, but it cost them tons of money and military resources to operate. Alaska seemed like a giant, frozen, bottomless drain of cash.

The near-term pain of making their Alaska problem go away motivated Russia to sell. The deal with the United States checked too many strategic boxes to refuse. Decent cash infusion? Check. Stop fending off the British Empire? Check. Sell off a marginally profitable fur business? Check.

Is this story starting to sound familiar? It should.

Back in 2016, SIEM looked like a good market for Splunk. Here's the Gartner Magic Quadrant for SIEM from 2016:

Splunk's position in the "Leaders" quadrant was a cozy spot on the couch in front of the fireplace at a mansion in Vail. Splunk and LogRhythm were the up-and-comers, just out there chilling in the house enterprise tech players built. IBM, HPE, and Intel owned the mansion, but there was plenty of room for everyone.

Then, things got crowded. Microsoft entered the picture. Seven other startups raised $2.4 billion in capital.² Splunk and LogRhythm weren't the only up-and-comers anymore.

The three most recent Gartner Magic Quadrants for SIEM look a whole lot different than 2016:

Competition arrived, and the SIEM market became a pain to maintain and defend. Financially, the Splunk of the 2020s was a wildly unprofitable business. This chart compares Splunk's revenue and profitability (net income) over its entire time as a public company:

It tells you everything you need to know. Splunk has never (yep, never) had a profitable quarter. In January 2022, they spent $4 billion to earn $2.67 billion. Put differently, they had to spend $1.50 to earn $1. You don't need an MBA to know that spells trouble, capital T.

Cisco kicked off the beginning of the end with a failed $20 billion plus acquisition offer in February 2022.

Private equity entered the room shortly after. Silver Lake invested $1 billion in June 2022, "...eager to work with [Splunk CEO Doug Merritt] and his team to support Splunk’s next phase of growth."

Doug Merritt resigned five months later.

Pile on even more competition and the makings of a paradigm shift from SIEM towards security data lakes, and Splunk's situation starts looking a lot like the frozen wasteland of Alaska in 1867.

Could Splunk have waited things out and kept competing? Sure. This wasn't a fire sale. But, like Russia³ and Alaska, the deal with Cisco checked too many strategic boxes to refuse. Decent return for shareholders? Check. Stop fending off well-capitalized competitors? Check. Sell off a marginally profitable SIEM business? Check.

Alleviating near-term pain often motivates action more than the drudgery of waiting things out for long-term benefits that may never come. This is true in territorial expansion, in cybersecurity, and in your own life.

Russia was happy to sell 665,384 frozen square miles of land and an unprofitable fur trading business for $7.2 million. Splunk was happy to sell $4.1 billion of ARR and an unprofitable SIEM business for $28 billion. They both just needed to make the pain go away.

Next, let me tell you how a directionally correct strategy and an insatiable hunger for expansion led the United States to make the purchase.

Motives for buying: American expansionism and predictable revenue growth

The United States didn't know it was buying a literal gold mine, either. William Seward had a directionally correct hunch about resources (hand-wavey gesture... somewhere). More importantly, he had an obsession with the idea of American expansionism.

By 1867, the United States was already a prolific dealmaker. The Alaska Purchase was the country's seventh major territorial expansion. Back then, America valued expansionism like many of today's investors value growth — more is always better.

If you look at expansionism as the main strategic driver, the Alaska Purchase had very little downside risk for the United States. More land, same continent, decent price, and maybe some resources other than fur. A true "All Weather" strategy. Ray Dalio sure would be proud.

The acquisition of Splunk by Cisco and CEO Chuck Robbins is a similar story. The news was initially met with shock about the price tag, questions about Cisco's ability to execute, and mixed reviews about its potential.

Cisco has been widely criticized for years about low growth and declining innovation. The accusation of "The destructive and illogical ideology that...a company should be run to 'maximize shareholder value' continues to cripple the United States..." is an uppercut to the jaw of Cisco's leadership team.

Splunk was a solid acquisition for Cisco based on financial metrics alone. The $28 billion acquisition price was a relatively pedestrian 7x multiple on Splunk's projected revenue. Buy-side investment bankers everywhere smiled with joy.

Leaders from both companies projected the deal to be cash-flow positive in the first year. They wasted no time making good on that promise. Splunk laid off 7% of its workforce a month after the acquisition was announced.

Most importantly for Cisco, Splunk adds $4 billion of smooth, buttery, and predictable ARR to its security business. When you're a 38-year-old company with $57 billion of revenue, boring ol' predictable growth is a central part of your strategy. Nobody is calling this "Robbins' Folly."

But wait. Predictable revenue growth surely isn't what the life of a big company is all about, right?

Here's how new technology can turn an average investment into an iconic one.

Sometimes, you get lucky: gold, oil, and artificial intelligence

The potential upside of a deal isn't always obvious right away. This story has repeated itself throughout the history of tech.

Microsoft and Forethought had no clue its Project Odyssey would turn into Excel, the app that never dies.

Google and YouTube had no clue that traditional media was on the brink of The Great Unbundling.

Sequoia and WhatsApp had no clue the app was going to become the de facto SMS protocol for billions of international users.

Likewise, Russia and the United States had no clue about the gold and oil buried beneath the frozen tundra in Alaska.

So the important question is: what changed?

Technology.

Technologies for finding and extracting gold and oil were basically non-existent when the Alaska Purchase happened. Russia didn't know they were selling a gold mine because they couldn't find it. Simple as that.

The discovery of oil at Prudhoe Bay happened because of major advancements in tech. It took 100 years and a slew of breakthroughs in geological surveying, seismic testing, exploratory drilling to finally discover one of the largest oil fields in North America. On top of all that, it took an 800-mile pipeline to actually use it.

You can rag on Russia all you want for selling a gold mine. The reality is there's no way they could have found it in 1867. The technology just wasn't there yet.

Splunk could be the Alaska Purchase of tech acquisitions. Why?

Artificial intelligence. Specifically, how artificial intelligence gets applied to the security problems we've been struggling with for a long time.

Security Operations makes up a giant subset of the problems. It's one of cybersecurity's largest estates. The company that develops the best AI and ends problems like alert fatigue, SOC analyst burnout, long MTTD/MTTR cycles, and (just maybe) the holy grail of reducing breaches is going to get paid.

Palo Alto Networks and others are working towards this audacious future. But Cisco's acquisition of Splunk might be the savviest strategic move yet.

When you’re building AI models, one of the only factors that matters is how much high-quality data you can run through the algorithm to train it. Training AI to solve security problems for you is a whole different ballgame than building products and storing security logs for customers to analyze themselves.

In the context of AI, Splunk is uniquely valuable. They have access to more operational security data than just about anybody, with 790 enterprise customers paying over $1 million in annual subscription fees.⁴ Customers add petabytes of data to Splunk every year. The total amount of data stored on their platform is probably into the exabytes. Let's just bluntly summarize by saying Splunk has a $%&#-load of data.

AI completely reframes Splunk’s unprofitable business model because its upside is so high. Charging a pile of money to store SIEM data was expensive for customers and unprofitable for Splunk. Taking a loss on the cost of storage and using the data to train AI models looks like a bargain for Cisco.

Buying access to exabytes of security data is like discovering oil at Prudhoe Bay. If Cisco's hunch about Splunk’s value to AI is right, it completely validates the purchase and changes the trajectory of the company forever.

Like William Seward and the Alaska Purchase, we may not know the real outcome of Cisco and Splunk for many years. Part of Cisco’s strategy is being able to wait long enough to find out. Sometimes, you get lucky.

Footnotes

¹Technically, Russia sold a gold mine and an oil field, but this is a metaphor!

²According to Crunchbase data. This stat only includes startups listed on Gartner's Magic Quadrant. Total investments in SIEM companies who didn't make the quadrant raises the amount even higher.

³Saying this out loud so there is no ambiguity: I categorically condemn the current Russian administration's attacks on Ukraine and its behavior towards the rest of the world. Using the Alaska Purchase and the Russia of 1867 as a metaphor for this story is not meant to make or imply a connection or parallel between Splunk and Russia today.

⁴As of its Q4 2023 earnings report.

Here's the concept that changes everything:

Historically, there have been four big categories in security: cloud (evolving from networks prior), identity, email, and endpoint. In every generation, each of these categories has supported at least one really big winner.

I looooooooooove the idea of "estates." I've spent lots and lots of time studying the cybersecurity ecosystem and all the (often contorted) ways people try to classify it. Thinking about major industry sectors as estates has revolutionized the way I think about the entire ecosystem.

Why? Every time I think about this wacky yet magnificent industry we've created, my head spins. Cybersecurity is @#$%'ing complicated. Rak's cybersecurity estates are the perfect metaphor to make it feel manageable again.

Why am I so wound up about this? Understanding cybersecurity's estates is a superpower in your thinking about the industry. Remember the fight scene from The Matrix where Neo dances around the bullets in slow motion? It's like that... well, except we're doing spreadsheets and Zoom calls here.

Don't get me wrong — I love the allure of a deep dive. But strategy is an art form that requires a broader view. It's like navigating between the clarity and precision of Neo's bullet-dodging and the vast reality of The Matrix itself. You see the industry in a completely different way by knowing when to plunge into the rabbit hole of specifics and when to rise above and see the world for the simulated construct it is.

Rak's piece was written from his well-refined intuition as an investor. He gave us insights about cybersecurity estates and which ones might be coming next. He is the Oracle.

With this article, I'm channeling my inner Morpheus — offering a red pill to anyone ready to translate the enigmatic code of the cybersecurity industry into a clear vision of how it works.

After spending too much plugged into The Matrix, watching the stream of green characters fly by my screen (okay, I was just analyzing data in a spreadsheet), I realized something I'd never thought about before: cybersecurity industry leaders are converging around estates, and a few are transcending them.

Take the red pill, and I'll show you how deep the rabbit hole goes.

How to think about cybersecurity's estates

The concept of cybersecurity estates is valuable because it stops your head from spinning. I feel like Neo when he throws up from the mental shock of learning about The Matrix. It's like I'm gonna pop. The acronyms are nauseating.

Estates give you a mental model for simplifying all the complex jargon you hear every day. ZTNA, IGA, EPM, GRC, SIEM, yada yada yada — doesn't matter. Once you understand estates, you're in control of the simulation.

Don't get fixated on the exact definition of "estate." It's a metaphor. All it means is a bunch of similar companies in a sector of the industry... with one super important attribute: "...supported at least one really big winner."

To me, "one really big winner" means an estate is large enough to support one or more public companies and some later-stage startups. A really big winner is The One — an anomaly in the system and a symbol of hope.

Ready to learn the truth about our cybersecurity estates? Let's go see the Oracle.

Our current estates: the epicenter of strategic activity

Today, the cybersecurity industry has four estates: Infrastructure Security, Security Operations, Identity Security, and Application Security.

...Wait, what? So this means you don't agree with Rak's estates?!

I completely agree with him. I deviated by grouping network, endpoint, and email security into a broad "infrastructure" estate — but I definitely agree they're estates.

I also made the case for Security Operations as an estate, which is mainly a terminology difference from his Cloud Security estate. Sematics aside, the thinking here conceptually aligns with everything Rak said in his original piece.

Ready to plug in? In the iconic words of Cypher, "Buckle your seatbelt, Dorothy, because Kansas is going bye-bye."

Infrastructure Security

Infrastructure Security has 34 companies valued at $1 billion or higher.¹ Eleven companies are public, including the likes of Cloudflare, CrowdStrike, Fortinet, Zscaler, and SentinelOne. It's the Skywalker Ranch of cybersecurity estates. Let's take a tour.

Endpoint Security

If you asked most people to name the first cybersecurity estate that comes to mind, endpoint security is probably it. You could easily make the case for endpoint security being its own estate, as Rak did.

This sub-sector has five public companies — the highest concentration in any cybersecurity estate. That's not even counting tech giants like Microsoft, which sits atop Gartner's latest Magic Quadrant and holds the largest market share in this sub-sector.

Endpoint security has also been around for an eternity. In aviation terms, it's like a bomber. Early endpoint security companies like McAfee, Symantec, and Trend Micro are the B-52 Stratofortress bomber — they've been around for decades and are still widely used today.

Meanwhile, a new generation emerged and revolutionized the industry. CrowdStrike, SentinelOne, and Darktrace headline the modern endpoint security wave. They're the modern day Stealth Bomber.

With the emergence of XDR, these companies are leading the path to convergence between endpoint security and security operations.

Network Security

Network Security is going through a similar renaissance. Back in my old-school Cisco days, "network security" meant firewalls and access control lists. In 2023, Network Security and SASE are basically interchangeable.² And Network Security is back in vogue again.

This now-fashionable domain includes the likes of Palo Alto Networks, Fortinet, Zscaler, Cloudflare and Check Point. Their combined Enterprise Value (EV) exceeds $175 billion. And let's not forget about Cisco, a tech giant who just got serious about cybersecurity.

Private companies are also coming in hot. Network security also includes IPO pipeline candidates like Netskope, Illumio, and Cato Networks (fresh off its latest $238 million financing round at valuation over $3 billion).

Even more large companies are lurking in the shadows of private equity firms. Barracuda Networks, Forcepoint, Forescout, and others are all being retooled from their network security roots and expanded into massive infrastructure security platforms.

Email Security

Email Security is the estate that got away, at least for now. It used to feature two public companies until Proofpoint and Mimecast were taken private for $18 billion in total — two of the ten largest pure cybersecurity acquisitions in history.

Add two more venture-backed unicorns (Abnormal Security and Material Security) into the mix, and you've got a case for Email Security being its own estate.

Email isn't going away, so there's a good chance Email Security will rise from the ashes and reach estate status again soon.

Security Operations

Security Operations is my (slightly Luddite) take on what Rak defined as Cloud Security. From a numbers standpoint, it's easily an estate with 24 companies valued at over $1 billion. That's second only to the mega-estate of Infrastructure Security.

Palo Alto Networks and its Cortex platform is the shining star of the Security Operations estate, with $1 billion in annual bookings and an astonishing $90 billion TAM estimate. Cisco also means business after spending $28 billion on Splunk (just pocket change, right?!). I'd put the mystical Palantir in the Security Operations estate as well.

Vulnerability Management also falls into the Security Operations estate, with three public companies (Rapid7, Tenable, and Qualys) all building towards becoming broad Security Operations platforms.

Security Operations is such a large estate that it's large enough to support public companies in smaller sub-sectors. Threat Intelligence is one example, with ZeroFox going public via reverse merger in August 2022.

Kaseya, Axonius, Exabeam, and JupiterOne highlight a group of ten VC-backed companies valued at over $1 billion in this estate. It also includes a large set of PE-backed companies, including Sophos, Sumo Logic, Trellix, and others.

Identity Security

Identity Security³ has been undergoing the biggest makeover of any estate in the past two years. At this point, it's like Agent Smith in The Matrix — companies can take any form they need and magically transform from one person to another.

This sector was an obvious estate before Thoma Bravo stepped in and took three companies private. Okta and CyberArk (HashiCorp too, depending on how you classify them) remain, so Identity Security is undoubtedly still an estate.

Venture capital money has been pouring into this estate for the past five years. 1Password raised nearly $1 billion of total capital at a valuation of $6.8 billion. Transmit Security raised a $543 million Series A, the largest early-stage round in cybersecurity history.

Identity verification and password management are emerging markets within the estate. Similar to Security Operations, this estate might be large enough to support a handful of public companies in those sub-sectors.

Application Security

I agree with Rak on Application Security being the next big estate in cybersecurity. It might already be one.

Practitioners have long considered application security to be one of the most important parts of a security program. Web application attacks account for 25% of breaches analyzed in Verizon's Data Breach Investigations Report (DBIR). In day-to-day cybersecurity, Application Security is an important domain.

In the business world, the only reason Application Security wouldn't be considered an estate is not having a pure-play Application Security company in public markets. Synopsys does a lot of things, and Application Security is just one of them. But it still counts!

Snyk is still one of the top companies in cybersecurity's IPO pipeline (despite all the valuation drama). They will almost definitely IPO when the timing is right. Veracode is on its way, too, and going public is a likely exit strategy for Thoma Bravo.

Application Security could be headed for convergence with Cloud Security if the CNAPP concept works out. However, it's still too early to say if two large, emerging sectors can combine their products in a coherent way.

Transcending estates: platformization and the rise of end-to-end cybersecurity

A select group of companies is reaching a point of transcending estates. If this is The Matrix, they've realized the truth: there is no spoon.

The limitations of the cybersecurty industry — taxonomy, scale, growth, and ambition — are only mental constructs. By understanding the rules are bendable, these companies are going to do the impossible.

We're entering an era of cybersecurity platforms that span across multiple cybersecurity estates, just like Neo flying from building to building. Large cybersecurity and tech companies are augmenting their core estates with products in smaller sub-sectors, and even entire estates. This strategy has so much momentum that Nikesh Arora, CEO of Palo Alto Networks, coined a verb: platformization.

It's now possible for companies to win at multiple estates. Three examples:

• Palo Alto Networks has a collection of multi-million and billion-dollar businesses across Network Security, Security Operations, Application Security, and Cloud Security — with really big plans for the future.

• CrowdStrike turned its original next-generation antivirus into 20+ modules across Endpoint Security, Security Operations, and now Application Security.

• Cloudflare took a tiny wedge of Application Security (originally DDoS protection and a WAF) and grew it into Network Security, Email Security, Data Security, and likely more.

...Which brings us to the aggregators: the estabilshment of massive tech companies, both old and new. Aggregators are companies like Amazon, Google, Microsoft, Cisco, HPE, IBM, and Oracle.

In our metaphor, aggregators are the Agents. Their mission is to prevent any form of disruption in the simulated reality of The Matrix — that is, both the old and new worlds of data centers and cloud computing.

Aggregators have enough capital to buy an entire cybersecurity estate if it gets too close to breaking free. They'll do whatever it takes to neutralize threats and uphold the masquerade. Their strategy is effective because assimilation is a tempting option for rebel cybersecurity companies who decide acquisitions are better than continued resistance.

You made it to the end — you're unplugged from The Matrix. Now go break all the rules.

Thank you to Rak Garg and Enrique Salem at Bain Capital Ventures for sharing the idea that inspired this article.

Footnotes

¹All data used for this article is from Crunchbase with a lot of my own refinements, especially around mapping companies to estates.

²I like to keep things timeless, so Network Security it is.

³Noting for the record that this is my first time using the term "Identity Security" for describing identity. I didn't like it when Okta, SailPoint, and CyberArk started using the phrase. It's grown on me.

Close your eyes and think about the music playing. You're circling the chairs with your friends, full of anticipation about when the music is going to stop.

STOP!

You're the only one without a chair.

Do you remember the sinking feeling in your stomach? I haven't played musical chairs for over 30 years, and I still feel exactly how I felt when I was five.

We're playing a big, complex game of musical chairs right now in the cybersecurity industry. There are 82 unicorns and 36 other billion-dollar acquisitions¹ by private equity firms who are all just trying to find a chair when the music stops.

The chairs are exits. Except in this game, we don't know how many chairs there are. I know there aren't enough for all 118 companies.

The implications of this are going to create major changes in the industry. We're moving from fun and games towards a more balanced, fundamentally sound way of building companies.

Some of the changes will feel bad, just like the sinking feeling you had in your stomach when you were a kid. But a few careful, strategic changes can set us on a trajectory higher than ever before.

What happened: optimism gone wild

I started Strategy of Security in August 2021. Everything in the cybersecurity was looking good at the time — especially venture capital investing:

It's easy to be optimistic when we're sitting on top of an unprecedented bull run across the board: record venture capital financing, M&A, and public company valuations. Ahh, the good ol' days...

I used a chart with current data for a reason. August 2021 was peak optimism for people in the cybersecurity industry. We were raging. The party was turnt. Our childhood game of musical chairs turned into Lollapalooza (or a DEF CON after party — whatever you're in to). Everyone was having a blast. Nobody was worried about finding a chair when the music stopped.

Until things started looking worse as every quarter ticked by. Was the party ending?

No way! Things will go back to normal, right? Right?! Oh...

Slowly and quietly, people started to wake up. Andrew Morris broke the spell for me. He's a positive, playful, and entertaining person. A thought like this was out of character for him, so I took it seriously:

The timing and severity might vary, but his point stands. The music is going to stop soon. It's time to start looking for our chairs.

Back to reality: our situation by the numbers

Cybersecurity has 82 unicorns — companies valued by investors at $1 billion or higher. There are more unicorns in cybersecurity today than the industry's entire history of IPOs and billion-dollar strategic acquisitions combined.

The unicorns include nine companies valued at $5 billion or higher. Two of them (Wiz and Kaseya) are decacorns with valuations over $10 billion.

If a company is above a $5 billion valuation, there aren't very many ways to exit. And boy does it help to know that. There have been 10 total cybersecurity acquisitions above $5 billion by strategic buyers. Ten. Ever.

Our two decacorns ($10B+ valuation) are in completely uncharted territory. The only two strategic acquisitions in cybersecurity over $10 billion were public companies. In all of tech, there have only been 33 strategic acquisitions over $10 billion.

The only chair available for these nine companies is the exquisite luxury of a royal throne. It's basically IPO or bust for them.

If the situation with our unicorns wasn't overwhelming enough, there are also 36 more cybersecurity companies owned by private equity firms that were acquired for $1 billion or more.

Private equity acquisitions are often viewed as exits. They're not. All of these companies need to exit eventually, too. They're in a similar situation as the unicorns.

When we put everything together, the exit math doesn't add up:

We've had 64 companies achieve billion-dollar exits. We're expecting 118 more companies to do the same. And we're expecting those exits to happen soon.

It sure seems like there aren't going to be enough chairs when the music stops.

What changed: fewer IPOs, more value acquisitions, and a total reset of expectations

We’re past the point of "the market will come back" or "this will all blow over." There are too many cybersecurity companies with high valuations to exit under current (and near-term) market conditions. I know, what a party foul.

IPOs and acquisitions by strategic buyers (larger tech companies, not private equity firms) are the two "good" ways for a company to exit. We've seen major changes in both during the past year.

IPOs are like the buffet of exits — an all-you-can-eat feast for everyone involved. The buffet at our party ran out...bummer.

ForgeRock's IPO on September 16, 2021 was the last major pure-play cybersecurity company to go public. HashiCorp followed shortly after in December 2021.

Since then, only two smaller companies (ZeroFox and Yubico) have joined the ranks of public cybersecurity companies. Meanwhile, eight public cybersecurity companies have been taken private. IronNet went out of business. The party is starting to clear out.

The other important change is the focus on value acquisitions instead of mega-acquisitions by strategic buyers. Rather than pigging out at the buffet, they started bringing Sweetgreen salads to the party instead. Less fun, but probably a better decision.

There have been five total acquisitions over $1 billion by strategic buyers since the beginning of 2022. We've had a couple headliners: Google acquired Mandiant. Cisco acquired Splunk. Otherwise, strategic buyers are mostly consuming a healthy diet of value acquisitions far below the billion-dollar threshold our 118 companies need for a good exit.

The decline of both IPOs and large strategic acquisitions brings along an inevitable reset of expectations about valuations and exit paths. There's no way out for a lot of later-stage cybersecurity companies. It's a serious downer for an industry that couldn't lose just a couple years ago.

A reset is necessary for the long-term success of the industry. We're going to be better off because of this. But right now, it hurts in the pit of your stomach — the adult version of missing out on a chair and feeling humiliated in front of everyone.

Where we're heading: boring is the new fun

Will we get back to our 2021 level of fun? Yes…eventually. The problem is none of us know when "eventually" will come.

"Eventually" isn’t a good strategy. Dealing with reality is a good strategy. Right now, the reality is we’re in a tough spot.

Unlike the luck of our childhood game of musical chairs, there is strategy involved in winning the adult game. We can determine whether we get a seat or not, both as individual companies and collectively as an industry.

The music isn't actually going to stop. The idea there will be one major event where all the unicorns sell for peanuts or go out of business is an irrational fear. 118 companies aren't going to spontaneously combust and burst into flames.

The music isn't going to keep playing forever, either. Everything will play out in a parallel set of smaller events. Every company has their own timeline, circumstances, and decisions to make. Real strategy — the kind where we have to deal with pesky constraints, incentives, and trade-offs — will be more important than ever.

Some bad outcomes are inevitable. Valuations will decrease. M&A activity will go up. Investors will lose money. Layoffs will keep happening. Options won't pan out. Companies will go out of business. You've heard all of this.

What you haven't heard is how the right moves will make both companies and our industry better off. We're already starting to see some examples:

• Strategic acquisitions: Perimeter 81 is probably better off with Check Point. SASE is a brutally competitive market. It cost them a billion-dollar exit, but $490 million and an important strategic role in Check Point's future is better than getting flattened by some of the biggest and best companies in cybersecurity.

• Mergers: ForgeRock and Ping Identity are probably better off together. Combining their respectable customer identity market shares makes them a much scarier competitor for Okta.

• Metrics: Growth is always going to matter, but it's not going to be the only metric anymore. Company performance and valuations are being evaluated against a balanced set of metrics. Gravity didn't used to apply to tech. Now, it does. We're probably better off with companies who are durable businesses, not just growth machines.

Boring? Maybe. But it's a lot more fun than playing make-believe and pretending everyone can get a gold medal.

Good strategic choices like these are like redefining the rules of musical chairs. People are sharing chairs, using benches, playing their own music, and finding all kinds of other ways to bend the rules in their favor.

If we're smart — even intentional — about the long-term changes we make at an industry level, we're all going to be better off in the future.

Thank you to Andrew Smyth for discussing and sharing thoughts on this article.

Footnotes

¹Publicly disclosed investments and acquisitions, that is. Larger deals typically get disclosed, so this count is probably accurate. The overall point still stands if the count is off by a few.

I knew it wasn't possible. I had to try. I wanted to see how far I could get. My dreams were swiftly crushed.

It's not possible to go all in on passkeys. Not in 2023, anyway. The reason surprised me.

I got blinded by my own optimism from announcement after awesome announcement about passkeys in the past two years. The hype is real — we've made a ton of progress after a decade or more of hard work by the FIDO Alliance and others. We're still an eternity away from the finish line, though. Why?

The problem isn't technical — most customer identity platforms already support passkeys. It's not platform support — Apple, Google, Microsoft, their browsers, and the major password managers are all on board. It's not consumer demand, either.

The challenge is surprisingly acute: we're all stuck with passwords until a lot more companies make passkeys available for their users.

My experiment with pushing the limits of passkey adoption made it clear to me why availability is the limiting factor. Here's the story.

My terrible, horrible, no good, very bad day of implementing passkeys

I wanted to experience everything good and bad about passkeys — just like a regular person would if they tried adopting them today. Bright-eyed, ambitious, and slightly naïve Cole started with a pragmatic plan: inventory my accounts, classify them by risk level, and implement passkeys for high risk apps.

This seemed achievable. I've put in my 10,000 hours planning, designing, and executing identity implementation projects. I decided to do the same thing for myself as I would for Fortune 500 clients.

Inventorying my accounts was easy because I emphatically use a password manager. A quick export of my accounts to a spreadsheet was a perfect starting point.²

Once I had my list of accounts, I did what any former Big 4 security consultant would do —gave them a simple risk classification:

• High: The app directly holds financial information or PII.
• Medium: The app doesn't hold money or PII, but can cause significant financial, intellectual property, or reputational damage if compromised.
• Low: The app has limited impact if compromised.

My former bosses would have been so proud. Fancy Consulting Analysis™ in hand, I set off on my journey to implement passkeys.

"Great, let's enable passkeys for the high risk apps!"

[...starts working through the list...]

"Oh, $&^%."

Thinking like an enterprise cybersecurity practitioner was a mistake. I assumed high-risk apps would be more likely to support passkeys. Wrong!

The correlation between risk and passkey support is low.³ The apps I could use passkeys for were scattered across my high, medium, and low risk categories. I haven't noticed any rhyme or reason why this was the case. Adoption is random.

Success! Sort of...

After a quick regroup, I decided to work backwards from 1Password's Passkeys.directory index. This approach is easier because any app I use that's listed in the directory should have full or partial support for passkeys.

This plan worked...sort of. I found apps I use in the directory and started enabling passkeys for them. Success!

Until...I ran out of apps. Quickly.

I use 374 apps (I know, it's a lot). Seventeen support passkeys. Seventeen. This means 95% of the apps I use today don't support passkeys yet:

Here's where disappointment sets in. We talk a lot about whether consumers will adopt passkeys. That wasn't the problem here. I wanted to adopt passkeys. I would have adopted them across 100% of my apps if I could.

As a consumer, the situation is completely out of my control. There's no end in sight. That's a helpless feeling.

Where's the path forward?

If my experiment with passkeys was a marathon, I ran a mile and had to stop because the course for the remaining 25.2 miles wasn't even built yet. I didn't choose to stop because I lacked the skills or desire to finish. I had to stop because there was literally no way for me to continue.

I'm still having a hard time understanding why companies aren't racing to adopt a solution that solves so many of our problems in security. It's like we found a cure for cancer and they said, "no thanks, I'll take my chances with cancer." Security is a smaller scale than cancer, of course, but the potential impact of passkeys is profound.

For an industry that loves to argue and debate, there is very little disagreement about the need to get rid of passwords and the solution for getting rid of them. Passwords are bad. Passkeys are the solution. Why aren't we giving everyone a chance to use them?!

You know when they say "the future is here, it's just not evenly distributed"? That's exactly where we are at with passkeys. We're still a long, long way from getting rid of passwords.

The path forward is slow and tedious. More companies have to make passkeys available for their customers. There's no other solution. There is a glimmer of hope, though.

A glimmer of hope: Shopify and 1Password

If you squint your eyes and take a few small, tangible steps like I did, you can see the future of security. I promise you, it's marvelous.

When an app implements passkeys as a first-class citizen, the experience is amazing. In the epic words of Steve Jobs, "it just works."

Look no further than Shopify's Shop Pay app (the consumer version, not the e-commerce store). Seriously, try it. Go to your account page, add a passkey, and you're done.

This experience is exactly what I mean by "passkeys as a first-class citizen." You literally don't have a password. No clunky amalgamation of passwords and passkeys (...which one do I use?!) or passkeys as a second factor. The steps to enable passkeys are so clear you don't even need instructions. It. Just. Works.

Using 1Password to manage your passkeys makes the experience even more exquisite. You don't want to lose your passkeys. You don't want to create a new one for every device. And you don't want to get locked into a platform like Apple, Google, or Microsoft with no way out. Storing and syncing your passkeys in 1Password is a cheat code.

I wish Shopify and 1Password were more than a glimmer. The reality is we're still at ground zero. Let these two examples serve as a beacon of what's possible for security if other companies can get on board with passkeys. Until then, we're all stuck with passwords.

Footnotes

¹I'm using the term passkeys here instead of the FIDO2 standard name. Apple always picks the best names for stuff.

²If you don't use a password manager (or kinda-sorta use one), there's no need to worry. You can probably think of your riskiest accounts. Start there. Don't worry about the long tail of low-risk accounts.

³I didn't actually run the statistical correlation. Intuition is good enough to make the point.

One of cybersecurity's most active strategic buyers is at it again. Cisco has been buying a company every other month this year.

Their $28 billion acquisition of Splunk in September is the largest acquisition in cybersecurity history.¹ This acquisition alone is three times larger than all cybersecurity M&A activity in the first half of 2023 ($8.8 billion). It's also larger than quarterly M&A totals for the past 22 quarters (all the way back to 2018, and likely earlier).²

Cisco's cybersecurity shopping spree should come as no surprise (okay, maybe the Splunk thing was a surprise). They've had a formidable security business for years, lurking in the shadows of their dominant networking business. In the convergence of cybersecurity and everything, Cisco is the headliner.

Diving deeper into the history and strategy for Cisco and its security business is the best way to understand why these acquisitions were made and what their next moves could be. 

In Part 1 of the series, we'll take a data-driven look at Cisco's heyday through today. In Part 2, we'll evaluate where Cisco stands today (post-Splunk) and where their security business is heading.

Cisco and its security business

Understanding Cisco's security business starts with understanding Cisco's business‌ over its 38 (!!!) years as a company.

I have always felt a special connection to Cisco. The company is almost exactly as old as I am. It's a staple (alongside Apple and Microsoft) of my earliest tech memories — the work equivalent of grandma’s oatmeal cookies.

On a practical level, Cisco started my career in technology. I had the opportunity to take their Cisco Certified Networking Associate (CCNA) classes (through a junior college) while I was in high school. This gave me both a solid understanding of networking and a running start into a better life.

The Cisco of my youth was a giant and a pioneer in the technology industry. It once reigned as the most valuable company in the world back in 2000.

We're in a different era today. BGP is still around (it's always BGP...), but this isn't my high school Cisco anymore. We're witnessing a retooling of an iconic tech brand. Cybersecurity is the driving force.

Today, Cisco is the 19th largest technology company by revenue ($56.99 billion LTM) and 16th largest by valuation ($216.59 billion). Based on revenue, Cisco is much smaller than Amazon, Google, and Microsoft, and roughly the size of IBM and Oracle. 

The reporting of revenue and metrics from Cisco's security business has been fuzzy in recent years. A slide published in 2019 by a previous security leadership regime is a time capsule of metrics we haven't seen in public since:

Cisco's FY22 annual report states 7% of revenue ($3.6 billion) is driven by its End-to-End Security product category. On its Q4 FY22 earnings call, Cisco also shared the segment grew 20% during the quarter. Some cybersecurity startups don’t even grow 20% per quarter (let alone a ~$4 billion business unit).

The scale of Cisco's security business is easy to lose track of with the recent talk around Microsoft exceeding $20 billion in security revenue. Revenue for Cisco's security business unit is larger than every public cybersecurity company except Palo Alto Networks ($6.5 billion) and Fortinet ($4.7B).

The OG of strategic buyers

Cisco's voracious cybersecurity acquisition spree in 2023 might feel bizarre: "Why is a networking company buying all of these cybersecurity companies?!"

Cisco is one of the OG strategic buyers in tech. They bought their first company way back in 1991. Some people reading this weren’t even born yet!

They’re like an A-list celebrity with all the money in the world — they can buy whatever their heart desires.³ Right now, the object of their affection is cybersecurity companies.

Cisco is also one of the most prolific strategic buyers in all of tech, with 253 total acquisitions (and counting).⁴ They average nearly eight acquisitions per year. I don’t even go shopping at the mall eight times per year.

To the surprise of nobody, 206 of Cisco's 253 total acquisitions (81% of M&A activity) have been companies related to its core networking business. Over 90% of Cisco's revenue comes from networking. Acquisitions keep their bread and butter growing.

Cisco’s cybersecurity acquisitions get lost in their flurry of M&A activity. One of our industry’s best secrets is hiding in plain sight: Cisco buys more cybersecurity companies than anyone.

Nobody — not Google, IBM, Microsoft, Palo Alto Networks, Symantec, or any other company — does as many cybersecurity deals as Cisco.

Cisco has acquired 35 pure-play cybersecurity companies at a clip of 1.5 deals per year. They’ve also acquired 12 hybrid companies (ones with a cybersecurity component but not solely focused on cybersecurity). This means 19% of Cisco's acquisitions are cybersecurity-related.

Cybersecurity has been Cisco’s side hustle. It’s quickly becoming the main thing.

Starting the cybersecurity party wave

In surfing, a party wave is a massive wave big enough for everyone to ride.⁶ In cybersecurity, Cisco is usually the ringer: better than everyone expects, but never the center of attention.

Cisco's cybersecurity-related acquisitions have happened in waves (no pun intended):

The four big waves on the chart are Cisco's four largest cybersecurity acquisitions (before Splunk):

• IronPort, a manufacturer of messaging security appliances.
• Sourcefire, a network security and intrusion prevention and detection system.
• OpenDNS, a DNS-based content filtering solution.
• Duo Security, a multi-factor authentication (MFA) platform.

They've spent $1 billion on cybersecurity acquisitions (give or take) in four different years.⁵ That’s a lot. Microsoft has acquired a total of four cybersecurity companies, and none over $1 billion.

In 2023, Cisco is the cybersecurity party wave. A roaring, high-flying, attention-grabbing spectacle. Hop on board and have the ride of your life.

Cisco's $28 billion acquisition of Splunk is the mother of all waves. It’s over twice as large as their other cybersecurity-related acquisitions combined ($13.1 billion). 

All of their previous acquisitions were just a warmup. Splunk is the main event:

Cisco is investing more in cybersecurity than ever before. They’ve hit their stride in the past decade.

Including Splunk, cybersecurity makes up 72% ($39 billion) of the money Cisco has spent on acquisitions since 2013. They’re not riding the baby waves anymore. Cisco is out at Mavericks⁷ with the pros riding the biggest and most dangerous waves in the world.

The return of longtime Cisco security executive Tom Gillis in January 2023 lit a fire under the company's cybersecurity M&A efforts. The fire is now roaring with no signs of slowing down.

Buying nearly $30 billion worth of companies in a single year is a clear signal of strategic importance — "put your money where your mouth is," so to speak.

Will Cisco keep the party wave going and bring more companies on board? Or, will it flinch and get sucked into the deep, blue ocean?

Stay tuned for Part 2, where we’ll look at the treasures Cisco has collected and explore what’s possible in the future.

Footnotes

¹Depending on how you classify Broadcom's acquisition of VMWare, and whether you consider Splunk to be a pure cybersecurity company or a hybrid of security and observability. Either way, the primary strategic driver of the acquisition was Splunk's cybersecurity products and customers.

²According to Momentum Cyber data from the 1H 2023 Cybersecurity Market Review and the 2023 Cybersecurity Almanac reports.

³With a very important difference: the things Cisco buys have ROI, unlike jewelry, cars, and Prada.

⁴Cisco has made so many acquisitions that the best M&A data platforms in the world (PitchBook and CapitalIQ) both had missing data. Cisco itself didn’t even have a full list of its own acquisitions. For this analysis, I stitched together and analyzed data from all three sources. You might literally be reading the most accurate version in existence.

⁵Disclosed acquisition dollar volume in 2007 was technically $930 million, not $1 billion. I said "give or take" to give them credit. When we’re talking billions, what’s another $30 million?!

⁶I’m from the Midwest. I don’t surf. Riding a party wave sounds terrifying.

⁷Remember Apple’s Mac OS X Mavericks? They named it after one of the most dangerous places in the world to surf — Mavericks at Half Moon Bay.

I have a soft spot for early stage startups, so here I am covering YC's cybersecurity startups for the fifth time. Like the previous four, this article is a quick analysis of every company from the industry in the Summer 2023 batch:

• Accend: A co-pilot for fintechs and banks to use when performing manual Know Your Customer (KYC) reviews.
• Affinity: A compliance training platform for companies in regulated industries.
• Corgea: Third party data security for sensitive workflows.
• Greenlite: AI agents for financial crime investigations.
• Kobalt Labs: Data privacy for generative AI.
• Remy Security: AI-automated product security reviews.
• SafetyKit: Replacing human trust and safety reviewers with AI language models.
• Sero AI: AI-powered content moderation for trust and safety teams.
• Trench: An open source fraud prevention platform for marketplaces.
• Xeol: A software supply chain security platform.

This time, I'm also including a look at Y Combinator's investment trends in the industry for the past five years. I haven't been covering YC companies for quite that long (since the Summer 2021 batch), but I've been doing it long enough to identify some trends. Let's start there.

Investment trends across batches

Our (current) no good, very bad economic conditions make things difficult for early stage companies. YC companies are no exception, despite the disproportionate advantage they get from being part of the best startup accelerator the world has ever known.

We're not here to rain on the parade, though. There are positive trends for cybersecurity, privacy, and trust companies that need to be talked about. I'll cover a few here, but this really could be an entire article (someday...).

Y Combinator is investing in cybersecurity companies at double its historical rate.

In YC's current era of smaller batch sizes, ten companies from the industry is still a healthy representation. Batches across the past three years have averaged 11 cybersecurity companies — a rate more than double the 4.5 company per batch average from 2019 and 2020.

YC's consistently high investment rate is a good sign for cybersecurity companies, considering the ~40% reduction in overall batch size starting in Summer 2022. The reduction halved the number of startups from a 19 company spike in Winter 2022, but the average is still well above their historical trends.

Cybersecurity is still under 5% of YC's overall batch size.

Not to get greedy here, but an average of 11 companies per batch for the cybersecurity industry is still under 5% of the total batch size over the past five years.

A 218 company batch at Y Combinator's standard deal (TL;DR, it's $500,000 per company) means they invested just over $100 million for the entire batch. Ten cybersecurity companies is $5.5 million of the total. That's a healthy amount, but our industry has also seen over 50 seed rounds of $5 million or more in 2023 alone (according to Crunchbase data).

YC generally funds companies at the earliest possible stage, so the companies they attract are naturally seeking lower investment amounts. When capital was easier to come by, it was easier for cybersecurity companies to bypass YC and raise higher amounts of capital from early stage venture investors. Times have changed, which could mean more (or higher quality) cybersecurity companies wanting to do YC.

Funding 10 cybersecurity companies at once (and ~20ish per year across both batches) is still a lot. The most active venture capital firms in cybersecurity average 10-ish investments per year (40-50 investments in a five year period, according to the Momentum Cyber Cybersecurity Almanac for 2023). This batch is further proof that YC continues to be one of the most prolific investors in cybersecurity, at least based on quantity.

80% of companies haven't raised additional financing yet.

You'd think being part of both Y Combinator and a seemingly recession-proof and well capitalized industry like cybersecurity would help companies raise funding. The current data says otherwise.

Similar to the Winter 2023 batch, only two of the 10 companies in this batch have raised additional funding outside Y Combinator's initial investment. According to PitchBook data, Corgea raised a small, early stage round in June 2023. SafetyKit raised a seed round led by First Round Capital in August 2023. That's it so far.

Other companies in this batch will raise funding, of course. However, we're clearly in a correction period from the days where YC companies had investments from top-tier firms at premium valuations weeks before Demo Day.

Accend

What does the company do?

Accend is building an automated workflow for fintech ops and compliance teams to make regulatory reviews more efficient and accurate.

Their current product is somewhere between augmentation and automation. Parts of the compliance process are automated, like generating standard regulatory reports for Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD). Pre-defined workflows augment human reviewers to improve consistency and quality in the overall review process.

Where do they fit into the cybersecurity ecosystem?

It's a Fraud and Risk product. This category is somewhat adjacent to pure cybersecurity, but core security principles like identity and authenticity are fundamental to what the company is building.

What are their challenges?

The biggest challenge with automating high scrutiny (and high risk) processes is quality. For the product to deliver on its promises of saving time and reducing risk exposure, it needs to consistently produce better results than the humans it's (eventually) replacing.

At the company's current stage, quality is relative. Humans are still expected to review and sign off on the results. This is a totally reasonable ask. If the quality of the system-generated output is high enough most of the time, it still saves ops and compliance teams a lot of time (relative to starting from zero with no automation).

Over time, quality will get higher and results will get better. Manual reviews will get shorter and shorter, eventually reaching a point where humans are only reviewing a narrow set of exceptions and edge cases.

Why could this be a big company?

The big company version Accend is something like "the leader in compliance automation for financial services companies." Their current product is focusing on a relatively narrow set of use cases (as it should). Financial services companies have a lot of regulatory-driven paper pushing to automate. The surface area of opportunity for Accend is large.

From a growth standpoint, scaling alongside earlier stage fintech startups and (eventually) reaching enterprise financial services companies can help Accend become a big company. The model of selling to startups and scaling as they grow (as made famous by YC alums like Stripe and Brex) definitely applies here.

On the enterprise side, larger, more traditional banks will continue to do manual reviews until they need to cut costs or get hit with a large fine. Unfortunately, in banking, a lot of behavioral change is driven by regulators. One way or another, they'll eventually reach a point where they need to automate more of their compliance processes — a huge opportunity for Accend if the company can establish itself as a leader in the space.

Affinity

What does the company do?

Affinity is a training platform built for companies in regulated industries.

The product is unique because it's focused specifically on companies in regulated industries, not general security awareness training. It also manages training across multiple external parties (e.g. B2B customers), not just an internal workforce.

Where do they fit into the cybersecurity ecosystem?

Affinity is a Security Awareness company. Compliance is also a secondary driver.

What are their challenges?

Differentiation could be difficult in a relatively crowded security and awareness training market. The threat of substitutes for training content is high. In this market, it's hard to build a moat on content alone. The founders are clearly aware of this and know where to focus based on their previous experience building a buy now, pay later (BNPL) company.

Additionally, education and training isn't valued as highly by customers as flashier areas of cybersecurity. Many buyers view training as a commodity and shop for the lowest price. Affinity is trying to mitigate this by focusing on specialized training in the immediate proximity of revenue-generating business activities.

Why could this be a big company?

Positioning training close to revenue generation (on the external side) and risk reduction (on the internal side) is a unique insight. If Affinity can flip the narrative and turn compliance-driven training into a revenue driver, it can be a big company.

The market for Affinity's product is bigger than you might expect. PitchBook's analyst-curated fintech vertical currently tracks 9,455 companies. The broader market for regulated industries is even larger.

Also, don't sleep on the security awareness market. It has already yielded a (formerly) public company in KnowBe4, which was taken private by Vista Equity Partners for $4.6 billion in October 2022.

Corgea

What does the company do?

Corgea helps companies map and monitor the flow of sensitive data, including third parties. This visual is a perfect description:

Corgea isn't your DLP product of a decade ago. It's a modern approach built for cloud-first companies.

Where do they fit into the cybersecurity ecosystem?

Corgea is primarily a Data Loss/Leakage Prevention product with a (slight) slant towards third party risk. It fits into the wider data security category — one of the most interesting spaces in cybersecurity right now.

What are their challenges?

Mapping data workflows is a hard problem to solve, especially when third parties are involved. Completeness and accuracy of coverage matter. Corgrea already has over 300 out-of-the-box connectors to SaaS apps and other data sources, which is a lot for an early stage company. Keeping up with integrations can feel like a never-ending treadmill, though.

Working with larger companies (mid-market and enterprise) is challenging for data security products. Larger companies with legacy apps may not be covered yet by out-of-the-box connectors. In the data security market, enterprise is the space of large, well-funded startups like BigID and OneTrust. Corgea doesn't need to compete for enterprises right now, but it's a challenge they'll face with growth.

Why could this be a big company?

Data security is one of the most active markets in cybersecurity right now across financing, M&A, and innovation in general. This quote from my discussion with Amer Deeba, CEO and co-founder of Normalyze is the punch line:

Data security is going to be a huge category on its own with a big focus on the cloud.

DSPM is the future of data security — how to manage data from a security perspective, how to classify it, and how to secure it on an ongoing basis. It's a huge category that's going to consolidate many other cloud security tools around it.

Evidence of financial and strategic interest in data security is clear. Recent acquisitions from strategic buyers include Polar (by IBM), Laminar (by Rubrik), and recent speculation about Palo Alto Networks acquiring Dig Security. Early stage data security companies have also raised over $500 million from investors (according to Momentum Cyber research).

Greenlite

What does the company do?

Greenlite builds AI agents for fintech compliance teams. The product directly takes aim at outsourced analysts: "Greenlite can help you scale your compliance operations with AI instead of outsourced teams."

If this sounds similar to Accend, you're on the right track. Both companies are solving a similar problem — routine AML and KYC compliance tasks. The difference is in their approach. Greenlite is more agent-based, leaning on AI to execute tasks. Accend is more workflow-based, relying on defined processes to execute tasks.

It's common for Y Combinator to invest in competing companies, both within the same batch and across previous batches.

Where do they fit into the cybersecurity ecosystem?

Similar to Accend, Greenlite is a Fraud and Risk product.

What are their challenges?

Greenlite faces the same challenges as Accend, plus an additional one because of their heavy reliance on AI. The product's results are heavily dependent on the abilities and limitations of LLMs and their ecosystems of tooling. Any internally developed, domain-specific AI/ML models will also require a lot of training data to reach a high level of accuracy.

Using AI is also a huge opportunity, of course. LLMs and AI tools are improving exponentially by the day. Internal models are getting easier and easier to build. Greenlite has an opportunity to turn these challenges into insurmountable strengths with enough time and training data.

Why could this be a big company?

Greenlite's YC launch shared a damning stat from McKinsey:

Critically, the productivity of these AML teams are low. McKinsey estimated that as little as 15% of an AML investigator’s time is spent actually investigating. Manual processes, administrative tasks and limited working hours leave backlogs to grow, increasing risks of a major fine.

Compliance reviews are a necessary evil for fintech companies. They're never going away. Doing reviews well is expensive and slow. Doing them poorly is an existential business risk — no company wants to be fined or shut down by a regulator.

Making compliance reviews both fast and accurate directly unlocks customer growth (by improving customer experience) and reduces risk exposure (by catching and preventing fraud). It's the fintech equivalent of augmenting and automating the SOC, which is central to the success story of Palo Alto Networks.

Solving the problem of compliance automation is a huge opportunity. The winner will be a big company, or at worst have a nice exit.

Kobalt Labs

What does the company do?

Kobalt Labs is an API for securing sensitive data, both as an input to and output from LLMs.

Their approach is roughly similar to JumpWire and Sarus from the Winter 2022 batch, but designed specifically for LLMs and the dynamic nature of their inputs and outputs.

Where do they fit into the cybersecurity ecosystem?

Kobalt Labs is a privacy and data protection product built specifically for LLMs. You could also argue it's in the AI Security market if you view this as a standalone domain in cybersecurity.

What are their challenges?

The (still very nascent) AI security landscape is becoming more crowded by the day. The popularity of LLMs have brought lots of brainpower, capital, and new products to the security side of the space. As with every embryonic stage market, there's a lot of uncertainty, risk, and competition.

There are also the practical challenges of usage and adoption. An API-focused approach requires everyone in the company to actually use the API. Most LLMs make it easy for employees to go rogue and start using them without company (or security) approval. Even if people are using company-sanctioned LLM accounts, there are still political barriers to overcome before a security solution is universally adopted.

Why could this be a big company?

The AI attack surface is already large, rapidly evolving, and remains relatively exposed. AI companies are aware of security and privacy challenges. Both are higher priority than usual, partly in favor of gaining enterprise customers.

AI companies are well funded and have other difficult problems to solve. We're likely to see them using part of their cash reserves on acquiring AI security products that can unlock customer growth and give their platforms an advantage over competitors.

If Kobalt Labs can become the go-to solution for LLM security and data privacy, they can be a massive company.

Remy Security

What does the company do?

Remy Security uses LLMs to help security teams do product design reviews. Security design reviews are (should be?!) an early step of the overall development process — well before later stage application security testing and pentesting.

Remy Security's product augments a reviewer and helps get some basic analysis out of the way before human expertise is needed.

Where do they fit into the cybersecurity ecosystem?

Remy Security generally fits into the Security Architecture category. They're also directly related to the Application Security market, but in a different way than traditional products that deal directly with code.

What are their challenges?

Reviewing software product designs is a lot less straightforward and repetitive than the compliance reviews Accend and Greenlite are doing. The nature of product security reviews is different, and the nuances matter.

Compliance reviews under AML and KYC are required by external regulators. Product security reviews are not. They're completely optional, even though any decent security practitioner would tell you it's a good idea. The bad part about being optional is companies can skip product reviews entirely, or rubber stamp them and move on.

Similar to Greenlite, the product's heavy reliance on LLMs is subject to the limitations of LLM performance and accuracy. The Remy team makes it clear a human is expected to be involved in the review process at some point. This is exactly the right approach for an early stage product and helps keep customer expectations in check.

Why could this be a big company?

We hear "shift left" all the time (okay, too much). This is one of the first attempts at applying a security product to the design/architecture phase. Historically, design is a process-oriented phase. Building a product to help with this is a pretty revolutionary idea.

The upside is Remy's product can help increase the number of security design reviews that get done. They're using new technology to expand the market for security design reviews. And, if we're being brutally honest, that market should be a lot bigger than it is today.

If Remy can materially expand the quantity and quality of security design reviews, they can be a big company. This could also be a nice acquisition for larger, well-funded application security companies looking to broaden their platforms into new areas.

SafetyKit

What does the company do?

SafetyKit is using LLMs to augment and replace trust and safety reviewers. The product executes customer-specific workflows to identify and make decisions about content moderation.

Where do they fit into the cybersecurity ecosystem?

SafetyKit is a Trust and Safety product.

What are their challenges?

SafetyKit shares many of the same challenges as other trust and safety startups from previous batches. Content moderation is a somewhat unique challenge faced by companies with lots of user generated content once they reach scale. I summarized the challenge when writing about Cinder, a company from the Winter 2022 batch:

Finding customers at the right level of traction and scale to require more advanced trust and safety operations is potentially tricky. Small companies with seed funding or earlier are usually still seeking traction. This doesn't leave much room to focus on problems outside of growth — trust and safety being one such problem.

I also called out the variety of content moderation problems companies face:

There is also a lot of variety in this space. Trust and safety threats and problems vary by company and by industry, as do the processes for solving them.

SafetyKit does a nice job of addressing the variety by allowing customers to define their own company-specific workflows and rules. The product also provides clear reasoning about moderation decisions made by the platform (lots more detail about this in their YC launch).

Why could this be a big company?

Content moderation jobs meet all the criteria of jobs that should be automated. Here's a real example of a job posting from Upwork:

Veriswap isn't your prototypical user generated content giant like Facebook, Twitter, or Airbnb. It's a marketplace for trading sports cards (just like I used to do in person as a kid). Seems innocuous enough, but guess what?! They still need content moderation.

The opportunity for SafetyKit is to help the (growing) long tail of businesses who have user-generated content. Giants like Stripe and Airbnb (where SafetyKit's founders previously worked) aren't necessarily the ideal customer. They're on the front of the curve with the scale and resources to build their own solutions.

It doesn't make sense for companies like Veriswap to build a trust and safety platform (let alone an LLM-powered one) from the ground up. Content moderation is not their core business, as shown by the meager $5-12 hourly rate they're offering for the role above. They're better off integrating a product like SafetyKit and eliminating their entry level roles for good.

From a broader market standpoint, trust and safety has had some interesting acquisitions in the past year. Spotify acquired Kinzen in October 2022 to help address platform safety issues. ActiveFence acquired Spectrum Labs in September 2023. ActiveFence has raised over $100 million at a $500+ million valuation, according to TechCrunch. It seems likely a big company is going to emerge from this space.

Sero AI

What does the company do?

Sero AI is an AI-powered content moderation platform for trust and safety teams. This should sound familiar. Both Sero AI and SafetyKit are solving a very similar problem.

The main difference I can see between the companies is their approach to implementing AI. Sero AI focuses more on machine learning. SafetyKit uses LLMs.

Where do they fit into the cybersecurity ecosystem?

Sero AI is a Trust and Safety product.

What are their challenges?

Sero AI faces the same challenges as SafetyKit and other trust and safety startups from previous YC batches.

Why could this be a big company?

All the same opportunities for SafetyKit apply to Sero AI. The differentiator for both companies is their use of AI. Workflows matter too, but AI might end up being the difference in this market.

Trench

What does the company do?

Trench is an open source fraud prevention platform for marketplaces. The product brings together reviews for buyers, sellers, and payments — along with the services and data needed for the reviews — into a centralized decisioning point.

Where do they fit into the cybersecurity ecosystem?

Broadly speaking, Trench is a Fraud and Risk product. It's focused on the fraud side and relies heavily on identity proofing and device fingerprinting techniques to aid the verification process.

What are their challenges?

There isn't a "one best way" for ecommerce and marketplace businesses to prevent fraud. The result is a wide variety of approaches and products that solve specific use cases (or categories of them). And basically all the financial services giants are in this market.

Sift is a YC company from the Summer 2011 batch now valued at over $1 billion (from its latest financing round in 2021). Large financial services companies have fraud prevention products (via acquisition):

• American Express: Accertify (acquired in 2010 for $150 million)
• Equifax: Kount (acquired in 2021 for $640 million)
• LexisNexis: ThreatMetrix (acquired in 2018 for $817 million)
• MasterCard: Ekata (acquired in 2021 for $850 million)
• TransUnion: TruValidate (rebranded product from acquisitions of Neustar for $3.1 billion and Sontiq for $638 million in 2021)
• Visa: Cybersource (acquired in 2010 for $2 billion)

You could argue some of these products are entering "legacy" territory, which is part of the opportunity for Trench.

Why could this be a big company?

Building an open source product was a strategic decision. This statement from Trench is a contrarian point of view in the very closed source world of fraud platforms:

Fraud vendors can't solve fraud for you. Every business eventually needs to build something in-house.

Trench has a strategic advantage by taking a completely different approach and going open source. From an industry standpoint, the scale of the acquisitions (several listed earlier) by strategic buyers is massive. If Trench can become the equivalent of GitLab for fraud platforms, they can become a big company.

Xeol

What does the company do?

Xeol is a software supply chain security platform. Its main differentiator is a contextual graph that allows companies to ask specific questions about usage enforce policies.

Where do they fit into the cybersecurity ecosystem?

It's a Software Supply Chain Security company.

What are their challenges?

The supply chain security incidents we've seen this decade have attracted some of the best talent in the industry. Investors joined the party this year, and financing picked up. It's now a busy and competitive market.

Endor Labs raised a $70 million Series A last month, which is one of the largest early-stage cybersecurity funding rounds in 2023. They've raised a total of $95 million. Chainguard, FOSSA, and other startups also compete in this market.

Bigger cybersecurity companies are coming, too. Major acquisitions and convergence are happening as cloud and application security companies move towards full CNAPP platforms. For example, Snyk acquired Enso Security in June 2023 for its software supply chain features.

Why could this be a big company?

Varun Badhwar, the Founder and CEO of Endor Labs, shared a nice timeline of events that explains the ongoing series of serious software supply chain security incidents:

We're seeing a lot of new ideas, but this market is still in the early innings. If Xeol can build interesting tech, it's going to attract interest from strategic buyers looking to extend their application security platforms. If software supply chain security continues to be a serious problem, it's possible a large standalone company could emerge.

Rampant speculation took off from there, including "rumors" about CEO Nikesh Arora's impending resignation:

This bizarre sequence of events set the stage for the spectacle that was Palo Alto Networks' Q4 2023 earnings call. I've never seen anything like it in cybersecurity. The uncertainty leading up to it, followed by the unexpected and thoughtful narrative about the future of the company and the industry was quite the turn of events. Nikesh Arora even acknowledged how unique the situation became:

Our choice of Friday has definitely made us the topic de jure these past two weeks and has made for some very interesting reading of all the analyst notes.

To say this stunt (intentional or not — probably intentional) generated attention is an understatement:

Palo Alto Networks delivered in a spectacular way, just like it's been doing for the five years (and counting) of the Nikesh Arora era. Despite several bear-ish analyst estimates and (especially) the rampant speculation about doomsday scenarios, the Q4 and FY23 earnings were just fine, as were FY24 projections.

The real story is the vision Arora and team laid out for the future of Palo Alto Networks and the cybersecurity industry. It's rare for a company to articulate such a definitive point of view. It's even more rare for them to do it on a Friday afternoon earnings call. And it's exceptionally rare for the point of view to be so outstanding.

So, yes, the event was technically an earnings call — but the implications are so much deeper. Understanding Palo Alto Networks' point of view is a dynamic reflection on several of the most important themes driving the future of the industry.

Platformization as a strategic advantage

A foundational idea for everything Palo Alto Networks is doing (and wants to do) is platformization. If you're averse to buzzwords, don't be put off by the term. I'd argue they're using it in the purest sense of the word: integrating a complex set of products and features into a platform with unified data and management. The payoff is an end-to-end platform greater than the sum of its parts.

There's an important distinction between "platformization" and "consolidation." Many people in the industry, including other large cybersecurity companies, have been talking a lot about consolidation for the past few quarters. In this context, they're referring to customers consolidating the number of security vendors they work with. Vendor consolidation is about cost savings, not value.

The drivers for platformization are very different. It's barely the same thing as vendor consolidation. Platformization has little to do with cost savings. It may result in consolidating products and vendors, saving money as a byproduct. The driver is better security outcomes and value for companies who use the platform.

What does this distinction mean in practice? Consolidation ≠ platformization. Just because you're buying multiple cybersecurity products from a single company doesn't mean the products are integrated or work well together.

Platformization goes beyond consolidation. It's an intentional set of activities to integrate products and unlock value that isn't possible without the integrated platform. It's a flywheel effect — small, incremental wins (new features and modules) accumulate over time, creating increasingly better and more valuable results.

The Palo Alto Networks leadership team did a good job explaining the challenges of disparate products and making their own case for the advantages of platformization. From Nikesh Arora:

...five years ago, we had customers who had more cybersecurity vendors than they had IT vendors. And it was a customer's responsibility to take these vendors, deploy them across their infrastructure, make them work together to deliver security outcomes.

You're expecting 2,000 customers out there in the Global 2000 or possibly tens of thousands of customers having security experts trying to stitch together products made by fast growth cybersecurity companies, which are deeply technical and trying to figure out how to correlate what one vendor saw or one set of vendors is telling you versus another. It just seemed like a problem that could not be solved.

But over the last five years, you've seen that starting to stitch these together, starting to take this disparate solutions for security, trying to provide them in a common fabric has actually allowed us to deliver better security outcomes.

And we've proven that by doing that in a way, they are -- each of those pieces work in a best-of-breed fashion are leading in their own category. However, they're better together in the platform.

More from Chief Product Officer Lee Klarich:

Everything we do is integrated. It's designed to solve hard problems through integration that cannot otherwise be solved with point products. And that combination enables our platforms to be real time and enable real-time security outcomes for our customers.

You could ask, "What's wrong with point products? We've been doing that forever in cybersecurity." There's also a stigma around monolithic platforms: the individual products making up the platform aren't as good as point solutions. I thought Lee Klarich's explanation of the tension was insightful:

...prior attempts to do this generally required a tradeoff for the customer. It was the capabilities that were delivered on their attempts to do a platform where not industry leading. And so, the customer had to make a tradeoff between, worse capabilities, but in one place, or best-in-class capabilities, and that's a hard trade off in cybersecurity. That is one thing that we're not asking our customers to do. We're making sure that everything we do is industry leading on its own.

The second thing we're doing is making sure that when we integrate it, they're actually integrated together in solving hard problems that can't be solved as standalone capabilities. So, we're it's not just about consolidation, although that's a clear value. It's about delivering technical outcomes through the integration that cannot be achieved otherwise.

Building a platform with best-in-class, industry-leading capabilities is trying to have your cake and eat it, too. It's difficult to pull off and powerful if it works. Palo Alto Networks is one of the few (perhaps the only?) cybersecurity companies capable of building a best-in-class platform across multiple product domains at scale.

Klarich's second point about the value of an integrated platform is also important. There's a reason cybersecurity services is an $80 billion market (according to PANW on this earnings call). Integrating security products is difficult and expensive. Being intentional about integrating the product up front instead of leaving it to customers to figure out for themselves is a game changer, even if the drudgery of systems integration doesn't excite you.

Integration is just the beginning. Unlocking the ability to solve security problems that aren't possible without an integrated platform is revolutionary. It's not possible to detect attacks reliably, and certainly not proactively, without a common data foundation and set of detections running on top of it. This is just one example — we're all still figuring out what's possible if we have an integrated platform to start with instead of chasing our tails trying to integrate everything.

Longer term, Nikesh Arora played out the impact of platformization even further, predicting the emergence of a standard security platform in the next decade:

...in the next decade, we will see sort of a standard platform for security out there, just the way we've seen platforms in CRM or we've seen platforms in HR, as you've seen platforms and financial sort of software.

We think it's time that in the next decade, we will see a security platform in our future, which just works for our customers, and the customers are not spending time integrating multiple vendors trying to stitch their own...that's the only way we're going to get to the future that we need for real-time and AI-based security.

You have to imagine a bit, but if you're optimistic, it's clear how this vision is possible. The reason it's hard to envision a standard platform for security is because it's really hard to build. Nikesh Arora and Palo Alto Networks are doing the cybersecurity equivalent of building Singapore: re-imagining everything from the ground up and pushing the boundaries of what's possible.

Can they pull it off? Time will tell — but you have to admire the audacity of trying.

Making real-time security a reality

Real-time security underpins the idea of platformization. Nikesh Arora summarized it nicely:

The idea that as something is happening, you're able to analyze it real time, on the fly and understand it's good or bad. It is reducing the noise of security in the industry by eliminating all these super close alerts or the bad signal to noise ratio.

As an industry, we've been talking about the idea of real-time security in various shapes and forms for a long time. Concepts like adaptive authentication, continuous compliance, and plain ol' antivirus scanners are all variations of the same paradigm.

Again, don't get lost in the buzzword here — the underlying idea is important. Nikesh Arora explained it like this:

What we think lies ahead is the need for security to stop bad actors mid-flight, real-time, as it's happening... What we still aren't good at as an industry is being able to figure out unknowns and stop them before they happen.

To do that, it requires a fundamentally different way of thinking about security... And that is the idea of having stitched products that work from end to end.

For as long as cybersecurity has existed (and longer), we've been trying to close the gap between when something bad happens, when it's detected, and when it's mitigated. Formally, it's the definition of MTTD and MTTR. Nikesh Arora's prediction is a shift towards results, outcomes, and speed:

It will no longer be about putting a bunch of sensors and thinking about hygiene and security policies. It will be about how do you stop a bad act. And we'll talk more about this because today, the mean time to fix a bad act...is four to six days. That's not acceptable. This thing will have to go down to minutes and near real time.

This anecdote aligns perfectly with the shift from promise-based to evidence-based security. Declaring something as "secure" isn't good enough anymore. We have to prove it's secure and do it in real time.

The challenge with real-time security has always been "how?" As he does, Nikesh Arora took a strong point of view in answering the question:

Now we sit at a point where everybody is talking about AI. And actually, that is the solution. The solution is to make sure you ingest large amounts of data, you analyze them on the fly, and you're able to deliver superior security.

At a high level, the "how" is platformization and AI. Anyone who is even mildly technical is likely both intrigued and unsatisfied by this answer. Gonen Fink to the rescue:

We need to replace this fragmented architecture with a unified single floor architecture. We need to replace multiple products that collect data with a single data platform and silo detection tools with an AI engine that is trained on a full data center. And then automation should be natively integrated into the flow rather than being placed as an afterthought.

Here's the same idea in visual form:

Building a real-time security platform like this is a tall order. But, they're right: we do need a fundamental transformation in security operations. Palo Alto Networks is all in on building towards this future. According to Nikesh Arora, it could be within reach:

We have to make sure every platform that we have continues to grow and continues to get more and more ubiquitous with our customers, at the same time, also stitches these things together. So we believe in the next five to 10 years, we're going to see this shift, which is going to be palpable.

Getting to a point anywhere close to real-time security across a company's entire security estate is a breakthrough. Skeptics may think it's impossible. They might be right, but these are the shots you need to take when you're trying to be the first $100 billion cybersecurity company.

Convergence of cloud and application security

The convergence of cloud and application security isn't a totally new idea, but we're definitely still in the early innings. This macro-level trend underpins a large part of Palo Alto Networks' strategy. They're one of a few companies with the combination of scale and innovation required to win.

Gartner's term for the convergence of cloud and application security is Cloud-Native Application Protection Platform (CNAPP). Here's how they define it:

CNAPPs address the full life cycle protection requirements of cloud-native applications from development to production.

First, the bad news: building a full CNAPP is really hard. In practical terms, building a CNAPP means performing basically every security function across development, build (CI/CD), and production for most of the stack (apps, workloads, networking). In market terms, building a CNAPP requires combining 5-10 other markets into a single platform.

Gartner's latest Market Guide for Cloud-Native Application Protection Platforms has a graphic that explains the situation quite well:

Unsurprisingly, no company has accomplished the massive feat of building a full CNAPP yet. From Gartner:

No single vendor delivers all of the capabilities [of a full CNAPP] today. CNAPP offerings are emerging from multiple providers, often from different starting points.

Gartner doesn't do Magic Quadrants for emerging markets like CNAPP, so Palo Alto Networks is listed alongside several other companies as a "representative vendor." Among the representative vendors, Palo Alto Networks is one of the furthest along the path to offering a full CNAPP.

Here's how Palo Alto Networks described the problem space during the forward-looking session of the earnings call (from Ankur Shah):

In the code phase, there are about half a dozen different tools to scan security posture. In the infrastructure layer, you have yet another set of tools. And finally, in the run time, you have tools for cloud workload protection, network security and application security. Now this is not the right approach to solving this problem for two reasons: number one, each of those tools lack the context. So the customers have to stitch all of that together.

And the second thing is, like Lee described, there are 33 million developers and a really few security professionals who understand code and cloud. This is a battle that the security team simply can't win with this specific approach.

We believe there is a better approach. And that's the approach that we have been steadfast in executing over the last four years, and that is an integrated code-to-cloud platform approach that can help customers prevent risks, and breaches in near real time.

In Palo Alto Networks terminology, the convergence of application and cloud security is called "code-to-cloud." Modules for CNAPP and beyond fall under the Prisma Cloud product umbrella. Their "Code-to-Cloud Platform" approach is a specific example of the platformization and real-time security concepts we talked about earlier. Here's how it works:

Prisma Cloud does that today by scanning security vulnerabilities at each phase of the application life cycle and also have runtime protection to prevent breaches in runtime.

Prisma Cloud began as a cloud security platform, kicked off by the 2018 acquisitions of Evident.io and RedLock. The combination of building and buying on the application security side (including recent acquisitions of BridgeCrew and Cider) have extended Prisma Cloud into CNAPP and beyond.

How is their code-to-cloud strategy working out? On the FY23 earnings call, Nikesh Arora shared that Prisma Cloud has now surpassed $500 million ARR since its initial launch in May 2019. Zero to $500 million ARR in under five years a phenomenal growth, exceeding total ARR for several other public cybersecurity companies.

There's still a long way to go before a clear winner of the CNAPP market emerges — or if the CNAPP market fully materializes in the first place. Many of the best companies in cybersecurity are competing for this market. It's definitely one to keep an eye on.

AI's role in security operations (and beyond)

The spiciest point of view discussed on Palo Alto Networks' FY23 earnings call was the role of AI in security operations. This topic also happens to be one of the most important in our entire industry, so let's dive in.

"The human-driven SOC architecture doesn't work" could not be a more clear indicator of where Palo Alto Networks stands on the current state of things:

Here's more color commentary, straight from Nikesh Arora:

...the biggest opportunity is...security operations and automation because we think the current paradigm is broken. The current paradigm is a reactive security paradigm. It's the paradigm we say, let's hire three more million people to solve security problems.

No, I don't think that's going to solve the problem. What's going to solve the problem is: Let's collect good data. Let's analyze good data. Let's find out the anomalous behavior. Let's block it while it's happening, so our customers have a better security outcome. I think that's where we're going to be going.

...

A future that is driven by software capability, a future that's driven by software solutions with security, and a future which has integration as a key tenet with the objective of delivering a real-time autonomous security outcome. That's where we think the world is going, that's where we'd like to be, and we think we're best positioned in the industry to be able to deliver that future. Not only that, to deliver great security outcomes to our customers.

How's that for a hot take? The notion of an autonomous SOC was widely criticized when Palo Alto Networks announced their Cortex XSIAM platform in February 2022.

Taken literally, the idea of fully automated security operations could seem far-fetched. On the spectrum of beliefs about automation, I'd call myself a realist. I made the case for a framework to help guide decisions about automation in an article with Tessian shortly (and coincidentally) before Cortex XSIAM was announced:

XSIAM fits the model perfectly. It's a balance of augmentation and automation, depending on risk:

Automation is used up front to analyze more data and evaluate relevance. Lower risk incidents are triaged automatically. Higher risk or unknown incidents move up into the augmentation quadrant. They're evaluated by humans with the assistance of technology to improve the speed and accuracy of the investigation.

The combination of automation and augmentation increases coverage (a higher percentage of incidents are addressed) and greater speed (MTTR is reduced from days/months to hours). This example is a best case scenario, of course, but it's a scenario that needs to become reality far more often.

From a business standpoint, the best anecdote I can give to disprove the skeptics is, "show me the pipeline." It's the exact line a former cybersecurity practice leader at PwC used to give when bright, new ideas (often half-baked) were put in front of him. If you couldn't show a tangible pipeline of customers who wanted the potential offering, it wasn't happening.

So, Nikesh... show me the pipeline. Here's the response to this thought exercise, straight from the FY23 earnings call:

We launched XSIAM to general availability last October and set an aggressive goal of booking north of $100 million in our first year. The year is not over yet. We have closed out the year achieving $200 million in XSIAM.

This is strong validation that our outcome-based value proposition on XSIAM is resonating well with security organizations and also a sign that interest in applying AI to transform security operations is very high.

XSIAM is shaping up to be our fastest-growing offering outside our original next-generation firewall releases. XSIAM transactions are large and long term, which helped to further our goal of evolving our customer relationships from vendor to partner.

How's that for pipeline?! Perfect answer. Zero to $200 million of bookings in less than a year is nothing short of incredible. Especially while the company was continuing to build two other billion dollar businesses and a half-billion dollar business in parallel.

Why did the explosive growth of XSIAM happen? Part of it is the promise of automation. Customers are betting on potential. Revenue is one of the best proxies we have for judging progress, and cybersecurity buyers are voting with their wallets.

We're still early in the journey of transforming security operations with automation. If year one of XSIAM is a sign of what's to come, we could be in for a complete transformation of security operations.

Shifting from selling products to partnering on solutions

The biggest breakthrough shared on the call may also seem to be the most mundane: the company's shift in thinking about go-to-market and moving from selling products to partnering on solutions.

Don't let the simplicity of this transition fool you. It's incredibly difficult to execute. If successful, the implications could be more impactful than any of the flashier topics.

Here's a summary of the GTM transformation shared on the call, shared by BJ Jenkins:

Jenkins' point of view is relatively straightforward to understand. It's deceptively profound when you start thinking through the nuances of what it takes to implement and the potential impact if successful.

Most cybersecurity product companies are transactional and everything else on the "from" side of the list above. They sell products and leave it to customers to figure out how the product fits into the strategy and architecture of their respective security programs.

Good professional services firms take the opposite approach. They're strategic partners to clients, and everything else on the "to" side of the list above. They co-create the strategy and transformation journey alongside clients. As part of the strategy, they architect outcomes. Only then do they get into tactics like vendor selection, implementation roadmaps, and everything else required to deliver outcomes.

The difference in approaches is the reason revenue for large professional services firms like Accenture, PwC, Deloitte, and others is orders of magnitude larger than 99% of cybersecurity product companies. The best professional services firms are world-class at helping their customers.

There are many reasons product companies struggle to become strategic partners and focus on outcomes. One of the biggest constraints is having the scale and breadth of products to properly architect outcomes and capture enough of the value to make the effort worthwhile.

Creating a good strategy, a plan for implementing it, and executing well enough to achieve good outcomes is incredibly difficult — something that's hard to appreciate unless you've done it. The size and scope of an enterprise security initiative is often so large that a single point product is barely a blip on the radar. When you're on the side of the point product, it's challenging to be viewed as a strategic and have your voice be heard by the customer.

This is the reason it's difficult to architect outcomes if you're a point solution with a single product. Scaled, multi-product companies like Palo Alto Networks are more capable of architecting outcomes because they have dozens of products and extensive partnerships. They capture more of the value from the outcomes they help architect. It's possible because they have a lot more they can bring to the table, which means customers are more likely to view them as a strategic partner.

A visual from the Palo Alto Networks presentation does a nice job of explaining both the concept and the opportunity:

Expansion of breadth and depth ("land and expand") is the outcome every cybersecurity product company wants. Transitioning from selling products to partnering on solutions is how to get there. If Palo Alto Networks is successful, their reward is a significant financial return and a level of customer value rarely seen in the industry today.

What happens if ubiquitous platformization and real-time security outcomes become reality

If big ideas like ubiquitous platformization and real-time security become reality, it likely means several major feats in cybersecurity have all been achieved:

• An integrated cybersecurity platform with multiple category-leading products within it

• Demonstrated value and improvement of security outcomes from a unified data layer

• Meaningful progress in the breadth of coverage and rate of automation for security operations

The future of Palo Alto Networks isn't a consolidation story. It's much larger and more difficult to achieve. And the end state is far more defensible. Platformization is the long, hard road through thoughtful product strategy, integration, and application of new AI and ML superpowers to domain-specific problems.

The problem space and target customers are distinctly enterprise, at least for now. Small and mid-market business segments will likely continue stitching together point products, especially when the products already have pre-built integrations with each other.

It's possible we could see platformization play out on a smaller scale within different customer segments and product categories. You could argue companies like Okta are already doing this today in identity. Cyvatar (mid-market and SMB), Agency (businesses and individuals), and others are doing the same across different customer segments.

Real-time security is starting to happen, too. The rise of "[X] Posture Management" and "[X] Detection and Response" domains like Cloud Security Posture Management (CSPM), Identity Threat Detection and Response (IDTR), and others are leading indicators of a new wave of real-time security products.

Eventually, products like these are going to mature from nascent, emerging categories to the way everyone does security. Real-time security is inevitable — the only uncertainty is how long it will take us to get there.

What happens to Palo Alto Networks if ubiquitous platformization and real-time security outcomes become reality? They become cybersecurity's first $100 billion company.

Their FY23 earnings call was a grand public rendition of the plan to get there. The success of Palo Alto Networks over the past five years has put them in a rare position to capitalize on advantages only possible at the scale and momentum they have today. Successful or not, they've raised the bar for all of us in the cybersecurity industry.

• Leveraging services experience to build a product company: How 20 years of cybersecurity services experience created an opportunity to build a cloud incident response product.
• The role modern incident response plays in cloud security: How capabilities have evolved to address the specific risks and opportunities of today’s cloud environments.
• Tech-enabled incident response services: Discussing why Mitiga blends tech and services to change the paradigm for delivering incident response services.
• The impact of Alphabet’s acquisition of Mandiant: Perspectives from the incident response market after Alphabet’s acquisition of Mandiant.
• The future of Mitiga: Where Mitiga is headed after its $25 million Series A round in April 2023.

Note: This interview has been lightly edited for clarity.

Leveraging services experience to build a product company

Cole Grolmus: I'm curious about your time at EY and the Hacktics services business you owned before EY. You spent 20 years doing pure cybersecurity services before starting Mitiga. Connect the dots going backwards on how that duration of time informed your decision to start Mitiga.

Tal Mozes: There are a lot of different aspects to that. In 2004, my current co-founder, Ofer, I, and another co-founder started a company called Hacktics that specializes in application penetration tests. We were pioneers in the application security layer.

Later on, we automated everything we knew into a product called Seeker Security. We managed to take something that used to be only in professional services and fully automate it into a product. I'll park it there and jump to EY.

Hacktics was acquired by EY. I joined EY, and I managed the EY Americas Cybersecurity Center of Excellence for a while. Then, I relocated to the UK to build something similar.

Through that time in EY, selling a lot of professional services, I participated in some of the world's biggest incidents and incident response engagements. Some customers got infected really badly, especially after NotPetya and WannaCry in early 2017.

We worked with a lot of incident responders, and we saw them send tens of different people just to understand where the system logs were, collect those logs, and sift through them to understand what happened.

I suggested to those incident responders to automate a lot of legwork—which maybe would have taken three developers around three weeks to build. They told us their business model is time and materials based. They were not looking to be more efficient.

We had this eureka moment that incident response is a space of cybersecurity that hasn't changed since the internet was public in '94. Not because of the technology challenge, but because of the business model challenge.

You've worked for a Big Four consulting firm as well, so you know that these firms always strive to give as much value as possible to customers. And the way they deliver that value takes time. At a moment when the financial regulators are talking about the importance of resilience and encouraging companies to increase their ability to bounce back as quickly as possible, there’s potential for misalignment.

Essentially, if you’re breached, calling a professional services company that will take a time and materials approach to help you recover is misaligned with your goals. I knew at EY that I wanted to change this business model and to build something that allows customers to have a rapid and speedy recovery.

This is what started the idea for Mitiga: understanding the value customers are looking for and the problems with the business model. In professional services, the holy grail was always to sell value-based projects and not necessarily hourly-based projects.

Cole Grolmus: The bigger consulting firms have had a really hard time flipping over into value-based pricing. Maybe someday we'll be able to pull it off with incident response because that’s a company-wide issue when an incident happens.

But I'm empathetic, too. I understand why it's hard for services firms to shift out of time and materials. It's really hard when the incentives aren't quite aligned. I can understand your feeling where the only real way to tackle this problem effectively is to do it outside the firm and not within it.

Tal Mozes: Building a product is a completely different DNA than professional services. So, I had to take it out.

The role modern incident response plays in cloud security

Cole Grolmus: Could you make the distinction between what Mitiga is doing for cloud incident response versus what a Wiz, Orca, or any company in the broader cloud security space is doing with their product?

Tal Mozes: Cloud security is a big space. If we take the NIST framework of security, we have: identify, detect, protect, respond, and recover. If you go to Wiz, CASB, it's all about protecting, it's about understanding the controls, misconfigurations, and so on.

We come in when all of those fail—because unfortunately no protection system is 100% effective. Not surprisingly, cloud and SaaS breaches are rising. We’ve built a unique expertise in cloud and SaaS investigations. It’s part of the recently coined CIRA category—cloud investigation and response automation.

SaaS risk today is one of the biggest risks. It's like taking your third party risk, multiplied by your Shadow IT risk, multiplied by the application layer risk. This is where you are: SaaS, uncontrolled. Added to the infrastructure risk that you have with AWS, Azure, GCP, and the split responsibility model for security. Many people term this “shared responsibility.” But the truth for IR is that it’s really split.

We’ve built an expertise in understanding cloud forensics, and from this expertise, we’re able to offer different products and solutions. For example, we understand what kind of forensic data needs to be collected from where, how to store it, and for how long we need to store it—so we built a forensic data lake. Because we understand forensic data so well, we also understand how attacks look in cloud and SaaS environments. So, we were able to proactively build an automated threat hunting capability.

Knowing all of that, we definitely know how to respond very, very quickly to those incidents when they occur in our clients’ environments. We’re able to help our customers recover much faster than anyone else. And today, it takes us a few hours to help respond to those incidents instead of weeks and months because we already have all the data we collected in advance and we’ve verified all the data that needs to be kept is being kept.

We have a lot of automation. Our platform automates the entire process, which is something very, very different than all the other products that you have mentioned. Our approach helps you to gain visibility of your controls, configurations, and stuff that has been misconfigured.

Cole Grolmus: Rephrasing what you said in a slightly different way: instead of starting from zero when an incident occurs, you've got a Mitiga customer X percentage along the way of already having the data that they would need to investigate an incident, and the playbooks and the means for how to‌ perform an investigation. That's the starting point for a Mitiga customer, as opposed to starting from scratch and having to build that all on the fly.

Tal Mozes: We’ve learned that when it comes to the cloud, if you haven't thought about it in advance, you won't have all the telemetry you will need for a comprehensive investigation. In most cases, you won't be able to ask your cloud provider for those logs, or you will need to wait for weeks to get the data you need to start an investigation.

Even when you go to certain SaaS services like Office 365, they will only give you the last seven days of data. If you want to look at something older than that, for example, investigate a business email compromise that happened 10 months ago, they will throttle downloading the logs and it'll take you more than 24 hours to download. You'd better save it all in advance, so when you're being called to the response, you don't have to spend three weeks just collecting data. Streamline the investigation with all the automation that we have built.

You've been through big crises, you know how it is. It's not just the CISO’s office involved. There are different stakeholders taking part in incident response. You have legal and compliance involved, the PR agency, CEO, CFO, Chief Risk Manager. We enable situational awareness by showing everybody on one platform what is going on in their own language. Having an executive summary and timeline of events makes it all a lot easier and saves a lot of time and effort. More than you can imagine.

Cole Grolmus: Let’s go further into the approach that Mitiga takes from a product standpoint. On one side, the negatives of cloud security and all the risks are pretty well documented. We don't need to cover that.

What I'm curious about is the opposite of that, which is: what opportunities are now available to you from an IR perspective in cloud and SaaS that were not there in an on-premise world, back in the days when you were doing EY and other on-prem investigations?

Tal Mozes: When you go to on-prem, you won't find two environments that are the same. Each environment has a unique fingerprint. When you go to the cloud, all environments are very similar. My AWS and your AWS would be the same, and my Salesforce and your Salesforce would look the same.

That allows us to build automation and scale that you couldn't do before. It's not like we can build a Mitiga for on-prem, because you won't have one product that fits all. But in the cloud, we can do that.

One of the biggest opportunities here is to learn from the network effect. When any of our customers are being breached in their environment, it doesn't matter what they have: GCP, AWS, Slack, Okta. We will deploy a squad of engineers to investigate what had happened, but also codify the incident response for that. And once that has happened, we can execute this exact code against all of our customer environments at once and help everyone respond.

If you go to the insurance market, one of the biggest risks today in the cyber insurance market is accumulated cyber events, when everybody is being affected at the same time from something like NotPetya, WannaCry, Log4j, or whatever happens. Until today, there was no real answer to that, someone that could handle all those claims at once.

It takes our technology, or similar technology, the same amount of time to handle one or 4,000 different affected customers of the same cyber campaign. You only need to automate the response for the same breach or attack vector once. This is a huge opportunity for us.

Cole Grolmus: That's pretty fascinating from a business model perspective. The network effect gets bigger and better and stronger as the customer base grows, but also cumulatively over time as you see more incidents. Any one customer gets to benefit from every other customer and anything that's happened to them. That's a pretty big advantage.

On the flip side of that, given that you've spent so much time in on-prem, traditional incident response as well: which cloud security risks and incident response processes are completely different than on-prem? What are new things that we weren't even thinking about before that we now need to worry about?

Tal Mozes: When you go to an on-prem IR, usually the methodology is: save the hard drive, capture the memory, split it to three copies, one in the safe, one for the client, one for us to work on, and start investigating from there. Then, look for system logs, application logs if they exist, and so on.

When we're talking about the cloud, you have to think about logs by design. Logs cost money. There is a risk of not having them, and there is a financial risk of having them. And you need to understand exactly what is missing, why you should allow or enable certain logs, where you should keep them, and how to keep them.

You can't keep all those logs in your SIEM. SIEM storage can cost three, five million dollars a year. You need to know how to keep the logs, and you need to keep it for more than the 90 days that it’s usually being kept because we see that it takes over 220 days to discover that you've been breached.

Thinking about all this (we call it a forensics data posture), in advance is mandatory today. It's something that you didn't need to think about as much in the old school.

We differentiate between infrastructure, SaaS, PaaS, and "lift and shift". A lot of organizations will just move their entire infrastructure into virtualization, but it will look very similar to on-prem. Even in those aspects, we cannot keep treating it all like just another endpoint like we used to do.

There's a lot you need to understand with the cloud: how it works, what is available for you, what tools are existing, how the logs are being saved. You need to know that they are compressed and encrypted. You have different encryption providers. Every SaaS will have different APIs. Some need to be collected every two minutes and some every 24 hours.

There's a lot of new knowledge that needs to be gathered to handle this new space of incident response in the cloud. It's completely different from on-prem.

Cole Grolmus: So, it's not accurate to say: "I have a solid on-prem incident response process. I can just lift and shift that into the cloud, and it's all of a sudden going to work." It's definitely not anywhere near that easy, and there are a lot of things you need to think about.

Tal Mozes: An environment that was breached nine months ago might not even exist today. The cloud is super dynamic. If you don't keep context like: “what were the security settings at that time?” or “what were the configurations at that time?”, those environments won't be there today to investigate. You won't even know where to start.

Tech-enabled incident response services

Cole Grolmus: The tech and services combination within Mitiga is really interesting. We wrote a whole 80-page report on this with Momentum Cyber about services becoming productized, automated, and more of a blend instead of just a service or just a tech platform.

Could you take me through where you're at with Mitiga on the services and tech spectrum? Which part of the delivery of the overall solution is services, which part is tech, and where do you see that going?

Tal Mozes: The majority of what we do is tech. We will sell a subscription to our platform that has a forensic data lake, hunts, and incident response.

Where the high touch parts are is when you do investigations. We run a continuous and automated threat hunting process, and we get results. Those results could be indications of compromise or indications of attack vectors. You still need someone to look at the results to make sure there are no false positives. We're not alerting the customer and annoying them for no good reason. That can take a few hours.

When there's an incident response, we can automate‌ parts of it. If we see something for the first time, we need to deploy a team to look at the incident, investigate it, and understand what has happened. They will codify it eventually. You only have to deploy it once. Usually it takes two hours to three days, depending on the incident. You still need to have expert incident responders to understand what happened and investigate it.

The other part of it is onboarding. We need to work with our customers to explain the risk of why they need to enable a certain log, show them the risk, and show them how to do it. This is where we add people into the technical aspect.

Cole Grolmus: It's almost a self-reinforcing thing where the tech is the default mode, but there's expertise, development, and codification of knowledge around that — which makes the tech and data stronger.

Tal Mozes: Customers get people supporting them, part of that support reports back to improve the product for everybody else. For us, they're part of our R&D. For the customer, they get a fully-blown solution. By partnering with our teams they also expand their own internal knowledge and capabilities related to cloud IR.

The impact of Alphabet’s acquisition of Mandiant

Cole Grolmus: One broad industry question: how do you see the incident response market being impacted with Alphabet (Google Cloud) acquiring Mandiant?

Mandiant is a well-known player in the space, with potential changes occurring with the acquisition and potentially shifting to more of a product-based delivery model. I'm curious about your thoughts on that.

Tal Mozes: From what I'm hearing from the market, customers using multi-cloud environments don't want to have one of their cloud providers being in charge of the incident response as well.

They're still independently serving a lot of customers with hybrid environments. All of them will be hybrid, but not necessarily GCP customers. In that sense, it looks like it's staying‌ the same for now.

We do have a lot of customers calling us because they were Mandiant customers and they don't want to be using Google for their IR.

Cole Grolmus: People still have questions about what the acquisition means and are still figuring out how exactly this is going to impact their business if they’re a Mandiant customer. With such a big deal, it takes a while to truly see what the effects are going to be.

Tal Mozes: They're not building the technology to automate IR. We have this platform, and we are not interested in growing the professional services part.

IR is a very wide term. We're using it loosely. What we are doing very well is a cloud investigation.

What Mandiant is doing well is holding hands with the customer, talking with comms, with PR, with legal, and other services they can do on top of that.

The future of Mitiga

Cole Grolmus: From the outside looking in, things seem to be going really well. What’s next for you and Mitiga?

Tal Mozes: We're starting to work with many insurance providers to allow their customers to buy new insurance products. When they have a breach, they can actually use Mitiga for the IR, quantify their incident response posture, and be more resilient.

That allows companies to have lower deductibles, allows the insurance company to have lower loss ratios when there is an incident, and so on. The data that we collect from all those incidents is very important to them.

Most of the insurance companies are suffering from ‌survival bias. They only have data of customers that have been breached, but not of customers that have been attacked and not breached. We collect forensic data insights from customers that have been attacked and not breached, as well as not being attacked or attacked and breached.

Also, we are developing some more interesting products that we've been asked to build by our customers. A product we call Investigation Workbench allows our customers to do hunts for themselves on top of their data that we're collecting for them.

There's a lot of stuff on the roadmap. We'll probably launch a new platform capability every quarter. But the essence is always the same: it's expertise in cloud and SaaS investigations.

Thank you to Andrew Smyth for the introduction and Katie Levine for a detailed review and edits.

Cybersecurity hasn't been well understood by the public for long. It's hard to pinpoint exactly when this started to change. Anecdotally, awareness seems to have grown alongside the rise of large data breaches regularly sweeping across news cycles.

Broader public awareness of cybersecurity is a side effect of an industry trend that's been building for years: the convergence of cybersecurity and everything. What used to be a narrow and (relatively) isolated domain now seems to be everywhere in tech and society.

We've all noticed individual instances of this phenomenon in passing. You don't start to understand the true magnitude of it until you see how widespread the convergence has become. The qualitative and quantitive impact is even harder to grasp. Movements are easy to feel and difficult to measure.

There are a few rare occasions when you strike a chord and realize you've found a topic people are interested in. This is exactly what happened to me when I tweeted about the convergence of cybersecurity and broader tech last year:

These companies aren’t successful because they’re cybersecurity companies. They’re successful because they took something that wasn’t inherently secure and made security a core feature. A movement this profound deserves a deeper look.

Convergence with core tech markets

The convergence of cybersecurity and core tech markets is relatively intuitive. Its impact is not. The best way to understand the magnitude is to look at the breadth of domains convergence is touching, along with some relevant anecdotes and data about its impact.

Networking

The convergence of networking and cybersecurity is far along the maturity scale. What began as plan old "networking" has evolved into multiple markets — including Secure Access Service Edge (SASE), estimated by Gartner to be a $15 billion market with a 36% CAGR by 2025.

Roughly half of the SASE market is related to security:

Traditional networking companies have fully evolved and converged into major players in the cybersecurity industry. The path towards convergence is an interesting one, nicely illustrated by RBC analyst Matt Hedberg:

Cisco and Juniper Networks were early pioneers. Their core networking business (routers and switches) was more than enough to propel both companies to IPOs and establish them as icons of the technology industry.

Fast forward to today, and both companies have made a measurable impact on the cybersecurity industry. Cisco's End-to-End Security business segment now generates $4 billion in annual revenue at a 20% growth rate (as of Q4 2022). It's at the core of the company's growth strategy. From Cisco's Q4 2022 earnings call:

...we shared our strategy to help our customers connect their entire security architecture with our new platform, Cisco Security Cloud, which will be a game changer for them as they look to secure their multi-cloud environments with a single cloud-delivered security platform. This is just one part of our broader security innovation cycle. Building on the double-digit growth we saw in security this quarter, we are investing across our security business, focusing on cloud based offerings, best-in-class AI driven threat detection and end-to-end security architectures. These innovations position us well for leadership in the security market.

The impact of Juniper Networks is more derivative. As Ross Haleliuk pointed out, alumni of the company have founded some of the top companies in cybersecurity. The list includes Palo Alto Networks (the highest valuation among cybersecurity companies today), Netskope (a company in cybersecurity's IPO pipeline), Illumio, Versa Networks, and more.

Cloudflare, Fortinet, Palo Alto Networks, and Zscaler headline a newer generation of companies built from the ground up with network and security convergence in mind. These companies now have a combined $178 billion valuation. They're among the most respected public companies in both cybersecurity and all of tech.

Dev Tools

Convergence between dev tools and cybersecurity is growing by the day. DevSecOps is now common parlance among both developers and security practitioners. The impact of GitHub, GitLab, and others on driving this trend forward is immeasurable.

GitHub and GitLab began as source code repositories and have since evolved into comprehensive application development platforms. Security is one of the major components. Both companies continue to add major security features, tightening the integration between software development and security.

GitHub has added an impressive set of security features since being acquired by Microsoft, primarily under the GitHub Advanced Security banner. Features like Dependabot alerts for vulnerable packages are available to all users, while others are part of enterprise licenses. Their velocity of shipping security-related features might be more impressive than any one announcement. A quick scan through the security category of GitHub's blog shows a consistent cadence of security releases, both large and small.

Bigger picture, GitHub is one of the most successful technology industry acquisitions of all time, eclipsing $1 billion ARR in late 2022. Growth metrics haven't been shared publicly by Microsoft, but it's safe to assume their advancements in security were a major factor in enterprise growth.

For GitLab, GitHub's open source competitor, security has become a central part of their strategy. It's literally the company's main goal:

...our strategic goal is to be the leading complete DevSecOps Platform.

A deeper dive into their product vision (which is, fittingly, open source) talks about their objectives for building a converged DevSecOps platform and estimated timeline for accomplishing it:

...we expect to continue rapidly maturing our DevSecOps platform so that GitLab is able to replace any DevSecOps point solution.

To replace any DevSecOps solution will require most of our categories to be lovable, which is likely a 10 year journey. To ensure rapid progress, we have a 3-year goal to have 50% of our categories at lovable maturity by the end of 2023, and this three year product strategy articulates our current focus. Once we achieve that goal, there will still be more work to do, but having half our categories lovable will mean most DevSecOps tools are replaceable by GitLab.

GitLab's $7.64 billion market cap speaks for itself — it's one of the best technology IPOs in recent years, despite a valuation decline along with the broader tech markets. Their strategy for building a converged DevSecOps platform was the headline for the company's IPO.

The convergence story isn't all about GitHub and GitLab. Products like ngrok are classic examples of dev tools where security is a major component of the product's overall value. There are far more companies than can be mentioned here — a testament to the momentum behind convergence in this market.

Application Performance Monitoring (APM) and Observability

Log management, APM, observability, and SIEM were destined to be together. Strictly speaking, the Venn diagram for these markets isn't a perfect circle. However, the overall process of collecting performance and log data lends itself to specific use cases. Security happens to be a large one.

Splunk began as a data analytics company focused on application performance and operations. Its product portfolio had a minimal security footprint at the time of its IPO in 2012. Their $190 million acquisition of Caspidia in 2015 was a milestone for Splunk and cybersecurity — their unoffical entrance into the market. The product brought behavioral analytics to the Splunk platform, giving customers the ability to detect suspicious behavior from security logs.

Just over a decade from their IPO, Splunk now has $3.6 billion in annual revenue and is a widely recognized leader in both observability and security. Their product portfolio includes several security operations (SecOps) focused products:

They don't break out revenue by business segment, so it's unclear how much revenue is generated by their security portfolio. Specifics aside, the convergence between security, operations, and observability is clear.

In Gartner's latest Magic Quadrant for Application Performance Monitoring and Observability, 16 of the 19 companies included also have significant security product portfolios. I added red dots to the diagram for each company with security products:

My classification of "security products" is admittedly broad — only a few companies have a full SIEM, for example. However, the direction is clear: APM companies are becoming major players in cybersecurity.

Infrastructure

The convergence between infrastructure and security gained serious credibility when HashiCorp went public in December 2021. HashiCorp pioneered a new approach for building infrastructure products by focusing on workflows and domains, not tools. Their process-focused approach spans multiple domains. In their own words:

...critical processes involved in delivering applications in the cloud: infrastructure provisioning, security, networking, and application deployment.

The company (formally) started in 2012 and didn't offer a pure security product until Vault in 2015. The company doesn't disclose revenue by segment, so we don't have enough information to attribute exactly how much revenue is being generated by its security products. As I noted when writing about HashiCorp's IPO, the details don't really matter:

Even though HashiCorp only classifies two of its products as pure security offerings, all of their products support security in important ways. That's the type of future we want — one where security is an inherent part of how we build and deliver tech, not an afterthought.

HashiCorp's breakthrough is building a fully integrated infrastructure platform where security is a core part of everything. A successful IPO helps validate the trend.

Teleport is an earlier stage company (kind of—it's a unicorn) focused on infrastructure security that has the potential to follow a similar trajectory. Their product helps developers securely access cloud infrastructure without requiring passwords, tokens, or other authentication factors which are easy to compromise.

Just as dev tools and security are converging to make code more secure, infrastructure management and security are converging to do the same for cloud workloads. The success of standalone companies like HashiCorp and Teleport, along with native security features from cloud providers, is a driving force behind the migration of workloads from on-premise to cloud.

IT Service Management (ITSM)

IT Service Management (ITSM) and security have always had areas of overlap for necessities like access requests, change management, and other user-related security workflows. However, ServiceNow is pushing the traditional boundary even further. The convergence of ITSM, security operations, risk and compliance, and more into the ServiceNow platform is one of the company's main growth drivers.

ServiceNow's platform has way, way more security and GRC features (more like full-blown products at this point) than many people realize. It's a surprisingly useful aggregator of security processes and data.

Workflows for core security processes like vulnerability management, incident response, and configuration management invariably end in a ticket that someone needs to act upon and remediate (...someday, maybe). ServiceNow makes this handoff natural, both by integrating with other security tools and threat intelligence sources and by developing native features of its own. On the GRC side, it's used for risk management, business continuity management, vendor risk management, and anything else that needs a workflow for ongoing tracking and monitoring.

ITSM and its adjacent ticket-based security workflows are perfect candidates for automation and centralization. ITSM is a necessary capability for any organization with more than a few people. Operationally, it makes sense for many companies to centralize workflows (including security) instead of having workflows all over the place in domain-specific tools.

Similar to other hybrid companies, ServiceNow doesn't break out revenue by product segment in its earnings releases. However, this stat from CEO Bill McDermott in their Q4 2022 earnings call is a nice data point about the role security plays in driving growth:

Security and Risk Solutions were at 13 of the top 20 [largest deals for the period], with 9 deals over $1 million.

Strategically, it makes sense for ServiceNow and other ITSM products to accelerate the security convergence customers are asking for.

Emerging areas of convergence

The convergence of security and traditional tech markets is just the beginning. Magic is going to happen once convergence reaches the long tail of less obvious markets. This section highlights a few of the many examples where security is converging into previously uncharted territory.

Cloud Data Platforms

Cloud data platforms have recognized cybersecurity is a major set of use cases and area of opportunity. Intense competition across verticals between Snowflake, Databricks, and others has been ongoing for years.

Snowflake has developed a massive partner ecosystem across data integration, business intelligence, data science, and (you guessed it) security (red highlight mine):

Beyond basic data integrations, an entire ecosystem of cybersecurity startups have been building high growth businesses on Snowflake's platform:

The level of interdependence varies by company, but each has established itself as a significant technology partner for Snowflake. It's still unclear if these companies will remain partners or emerge as future acquisition candidates.

Both Snowflake and DataBricks made their first cybersecurity-related acquisitions in 2023. Snowflake acquired LeapYear, a data privacy platform for sharing sensitive data between parties. DataBricks acquired Okera, an AI-focused data governance and privacy platform.

Each acquisition brought a complimentary set of security features for to the data platforms — they weren't additive products focused specifically on cybersecurity. LeapYear helped add security capabilities to Snowflake's third party data rooms. Okera brought a set of AI-focused data classification and privacy capabilities to DataBricks, augmenting their rapidly growing set of use cases for LLMs and AI. I expect more acquisitions like these (security features for core data platform use cases) near-term before either company starts acquiring pure cybersecurity companies.

In addition to partnerships and acquisitions, Snowflake has been building cybersecurity-focused features into its platform. Its cybersecurity workload announcements in 2022 are a recent example, with security log ingestion and analysis as the primary focus.

We're still in the early days of convergence between cloud data platforms and cybersecurity. Cloud data platforms have definitely arrived — Snowflake is a high performing public company with a $60 billion market cap, and DataBricks is a top candidate in tech's IPO pipeline despite debates about its current valuation. A combination of factors, including the need to fuel growth and shifting markets for SIEM and XDR mean cybersecurity is going to be increasingly more important for both companies.

Human Resources

In the game of corporate politics, human resources has traditionally been one of the arch nemeses for security teams. Turf wars develop over access to people data, integrations with HR systems, and more. HR data is oxygen for workforce identity systems, which rely on timely updates about hiring, job changes, terminations, and more to manage access to corporate systems.

Rippling is bringing these worlds together by combining traditional HR functions with closely related security and IT service management processes. Rippling CEO Parker Conrad described the platform like this in an interview with Stratechery:

Rippling builds a bunch of things that historically would not have been thought of as belonging to the same system. Payroll, HRIS, a bunch of related systems around HRIS but then also identity, single sign-on user management, security services, device management, and the unifying theme is that each of these systems are reservoirs of employee data in their own right.

Convergence among this set of related processes is inevitable — especially as both leaders and employees care more about employee experience. Newer companies born in the cloud don't have time for infighting between HR and security teams. They also don't have the technical burden of displacing legacy HR systems.

For many companies, the way forward is an integrated approach like Rippling. When basic employee administration processes just work like they should, people can focus their time on solving value-creating problems on the product side.

FinTech and Fraud

Massive progress in FinTech is driving convergence between cybersecurity and fraud. It's also creating a new set of issues. People have wanted to steal money since money was invented. As the internet becomes the default mode for delivering financial services, crime follows suit.

Unsurprisingly, financial motives were overwhelmingly the top driver of breaches identified in Verizon's 2023 Data Breach Investigations Report. They were a factor in 94.6% of breaches studied in the past year, and a consistent leader for many years now.

In response, cybersecurity and fraud features are becoming a core component of FinTech product offerings. There is a whole category of companies focused on fraud. From a convergence standpoint, the interesting development is FinTech platforms building and acquiring cybersecurity and fraud products.

Stripe now has products for identity verification and fraud protection. Shopify's enterprise commerce components include fraud protection, identity, customer data management, vaulting of card data, and other security and compliance features. PayPal offers risk management and fraud features for businesses. The list goes on.

Traditional financial services companies are also making moves. Mastercard has been a particularly active buyer of cybersecurity and fraud companies. Recent acquisitions and investments include Baffin Bay Networks, Enveil, RegGenome, Bitfy, CipherTrace, and Ekata. They now offer a full suite of cybersecurity products for business customers.

FinTech companies are also a major driver of adoption for consumer security technologies. Identity includes many examples, with financial services companies nudging customers to adopt MFA long before the idea was widely accepted as good security practice.

Today, FinTech companies are one of the main drivers for passwordless authentication. Mercury is an early adopter of passkeys for MFA. Finance is one of the top categories on Passkeys.directory, a site tracking adoption of passkeys. Notable FinTech companies supporting passwords include Robinhood, PayPal, Binance, and others.

Storage and Databases

Security has historically been a secondary feature in storage and database products. We've had full disk encryption, field-level encryption, and an entire category of database security tools for years. The convergence with cybersecurity is now making these features front and center — including companies where security is the core value proposition. I went deep into this topic with Ryan Cooke, the founder and CEO of JumpWire.

A new generation of security-focused storage and database companies for developers includes Evervault, SkyFlow, Cape Privacy, JumpCloud, and more. AWS offers similar functionality natively with its Nitro Enclaves product. Approaches vary, generally falling within a range from enhancements to existing data stores to dedicated infrastructure for data storage (secure enclaves).

Privacy is also a driving factor for convergence. AI, ML, and LLMs are driving adoption for a new set of privacy-focused companies. Blyss, Zama, Ravel, Duality, Sarus, and other early stage companies are behind the advancements in this space. Homomorphic encryption is the emerging approach many of these companies are using. I analyzed Blyss and Sarus as part of my coverage for their respective Y Combinator batches.

We're in the early stages of a new wave of activity for secure storage and databases. This area is well positioned to be a beneficiary of larger tech trends like AI/ML, privacy regulations, and more — all of which have a need for security as a central part of their value proposition.

Domains

Convergence has even reached domains, of all things. Unstoppable Domains, a Web3 startup, raised a $65 million and became a unicorn with its 2022 Series A round. Let's put our Web3 skepticism aside (we're in the "emerging" section of the article, after all) and look at the practical benefits of converging domains and identity.

Unstoppable Domains is the company behind the .eth domain extension, which was seemingly everywhere in tech during the latest peak of crypto hype. Status was undoubtedly a motive, but identity-focused domains have a more practical purpose. From Matthew Gould, founder and CEO of Unstoppable Domains:

For too long, companies have controlled people’s digital identities, and Unstoppable Domains is putting that power back into the hands of people. As the digital economy becomes a larger part of our lives, it’s time for people to own their identity on the internet.

We’re thrilled to partner with Pantera and other investors who share our vision of onboarding billions of people onto Web3 through NFT domains that unlock user-owned, private, and portable identities.

One of the biggest rough edges in crypto-powered commerce is sharing wallet addresses. These long and gnarly character strings are conceptually similar to navigating the internet using only IP addresses. Nobody would use the internet this way, which is why standard DNS is a game changer.

Verifiably linking domains to identities is a massive improvement for Web3. It reduces the friction of moving money while simultaneously reducing fraud and improving security. A win-win if there ever was one. Throw in the added benefit of authentication and portable identities, and we're really on to something.

Time will tell if this approach gains traction. For now, it's an interesting example of the convergence between commerce, identity, and privacy.

National Security

The convergence of cybersecurity and national security has the highest stakes of all. The link between cybersecurity and national security isn't new, but its rising level of importance among more traditional forms of warfare definitely is.

As information warfare gains popularity among nation states and organized crime groups, multi-domain operations become critical. In the MDO model, cyber warfare is a sector of its own, cross-cutting domains like land, air, and water. On a practical level, offensive cyber operations are now part of the playbook for countries like the United States.

Palantir is the company most synonomous with the convergence between national security and cybersecurity (and technology in general). From a private sector standpoint, Palantir is almost single-handedly driving the convergence. The financial outcome was a $20 billion direct listing to the NYSE in 2020. Their market cap has nearly doubled since then (currently at $38 billion) despite steep valuation declines across the technology sector.

This convergence story has two important dynamics. Cybersecurity is a battleground of its own, which is important but now obvious. The second dynamic is the interesting one going forward: technology and AI are going to augment warfare across every domain. From Marc Andreessen's recent essay about AI:

I even think AI is going to improve warfare, when it has to happen, by reducing wartime death rates dramatically. Every war is characterized by terrible decisions made under intense pressure and with sharply limited information by very limited human leaders. Now, military commanders and political leaders will have AI advisors that will help them make much better strategic and tactical decisions, minimizing risk, error, and unnecessary bloodshed.

The future is widespread use of technology and AI for the benefit of national security. Again from Marc Andreessen:

...let’s mount major efforts to use AI for good, legitimate, defensive purposes. Let’s put AI to work in cyberdefense, in biological defense, in hunting terrorists, and in everything else that we do to keep ourselves, our communities, and our nation safe.

That's exactly what companies like Palantir are doing, and is certainly happening within nation state military branches. Progress in national security is one of the best possible outcomes of convergence.

What does all of this mean?

I'm certain there are more examples of convergence than I mentioned here, even at nearly 5,000 words. The convergence of cybersecurity and "everything" is hyperbole, but the broader point is undeniable.

Not everything needs security, of course. However, as the examples in this article demonstrate, the surface area for convergence is broader than you might expect — even if you already recognized it's happening. This means a few things.

We're likely to see more acquisitions of cybersecurity companies by strategic buyers outside the industry. Acquisitions will happen more often and at higher dollar volumes than in the past. A couple recent examples help illustrate the point.

Alphabet (Google) acquired Mandiant for $5.3 billion — its second largest acquisition of any kind, and likely more than the total value (disclosed and undisclosed) of its 11 other cybersecurity acquisitions combined. The acquisition price was high because of cybersecurity's strategic importance in driving growth for Google Cloud.

HPE's acquisition of Axis Security is a recent example of a strategic buyer outside the industry. HPE is a diversified enterprise tech company, not a pure cybersecurity company. HP's current and former entities, including both HP and HPE, have made six cybersecurity acquisitions among 46 total transactions, according to CapIQ and Momentum Cyber data. Axis Security is the company's first cybersecurity acquisition since 2019 and it second largest cybersecurity acquisition after ArcSight.

Bigger picture, convergence leads to a larger overall TAM for cybersecurity sub-sectors and the overall industry. Greater strategic importance in the broader technology sector means both expansion of existing markets and the creation of new ones.

During downturns like we're in right now, it's easy to think with a fixed mindset — things like "the cybersecurity market is stagnant, and the only way to grow is by taking market share from competitors." While partly true for mature sub-sectors of the industry, this point of view is more about industry consolidation than convergence. Convergence with other markets is one of several reasons cybersecurity is a growth market. It's about growing the pie, not reallocating the existing one.

Any market where security is an inherently valuable property is a candidate for convergence, at least to some degree. We're going to see deeper integration of security into everything. Widespread convergence may blur the lines of what the cybersecurity market even is. We can already see that happening with hybrid companies like Cloudflare, Palantir, Synopsis, and others — are they in the cybersecurity industry, or not?

The industry's periphery is becoming less clear, but in a way, that's what we've always wanted. Cybersecurity is moving from an afterthought to a fast follower, if not (gasp) a full-blown influencer.

On a micro level, we have examples like DevSecOps moving security earlier in the development lifecycle and password managers reaching mass adoption. On a macro level, security will play a role in technological shifts sooner. It took people a long time (relatively speaking, in technology terms) to realize that operating systems for PCs need to have good security. Security wasn't absent, but it also wasn't a core part of the value proposition or something buyers prioritized when making purchasing decisions. Mobile was faster. The current wave of AI is faster still. We're making progress.

A transformational shift in thinking is well underway now — one where cybersecurity is inherent to many types of businesses and a driver of growth.

I was a contributor again for this year's coverage as part of my role as a Senior Advisor to the firm's research team.

You can read the full report here — no email required:

It’s the progress we need as more data moves to the cloud. The network and access-based approaches we’ve used for securing on-premise data don’t fit the model for cloud security. More encryption is a big part of the solution.

I spoke with Ryan Cooke, the Founder and CEO of JumpWire, about what’s happening in the data encryption market. I first covered JumpWire in my analysis of Y Combinator’s Winter 2022 batch. This discussion goes deeper into both JumpWire and much broader topics around data encryption:

• Data encryption in the cloud: How the age-old problem of data security changes when data moves to the cloud.
• Emerging solutions for data encryption: Comparing new approaches to data encryption.
• How JumpWire works: A deeper dive into how JumpWire helps companies implement data encryption on their existing data architecture.
• Doing data classification and enforcement on the fly: How the approach to data security differs when you can do data classification and enforcement on the fly.
• Approaches for implementing data encryption: Things to think about and nasty ‘gotchas’ when implementing data encryption.
• Why companies implement data encryption: A quick, anecdotal exploration into why people implement data encryption.
• Why data encryption is ready for mass adoption: Overcoming some long-held fears and philosophical concerns about encryption.

I intentionally left this discussion long because (personally) I had a lot of learning to do about how data security and encryption have evolved. Some of the discussion was background knowledge for me. I decided to share it with you rather than assuming you already know everything about the topic. The sections are shorter than usual to help you skip around if you find some parts more relevant than others.

Note: This interview has been lightly edited for clarity.

Data encryption in the cloud

Cole Grolmus: Database security has been a known issue forever, or at least as long as I’ve been in security. Why isn't this a solved problem already?! What happened that left an opportunity for JumpWire to solve such a big problem?

Ryan Cooke: A big part of it is cloud. Traditional data security and data infrastructure tooling that you had in the past is not translated at all to the cloud. A firewall in your data center is very different than an AWS security group. It’s the same thing for other security categories. The technical implementation is completely different between what you would deploy in your data center versus in the cloud.

On the encryption side, TLS is great. It's encrypting bytes on your network wire. You absolutely need that when you're in the data center because anybody can look at traffic across the wire. In the cloud, you're on a virtualization plane where you don't have a network you can just snoop on. So TLS‌ is still important, but it's not providing you with the same security provisions.

In the cloud, all of your infrastructure is‌ an API. Anybody can get access to that infrastructure through the API. Now, your risk and intrusion model changes. In the security industry, we’re going through a pretty major shift in the tooling and the controls of, “okay, what are the actual threats to my data in a Postgres database sitting in Amazon versus a Postgres database sitting on a VM and a blade in a data center?”

Cole Grolmus: We had a heavy over-reliance on things like network security, firewalls, network segmentation, and other controls like that. We could get away with overcompensating on those controls to protect data when everything was on-premise. Fast forward to today, and it seems like encryption may have been the right answer all along. But we rarely did it because we didn't have to.

Ryan Cooke: Yeah, I think that's right. The way I think about it is: because you're in the cloud, you really need to bring everything up to the application level. You need to be putting controls in place between applications and APIs, not at network and storage, which is‌ a lower level part of your compute and tech stack.

We’re not reinventing encryption. We're just using encryption in a different place where there‌ is more risk for data to get lost or improperly accessed.

Emerging solutions for data encryption

Cole Grolmus: It’s an exciting time for data encryption — the most progress I’ve seen in my career, for sure. It’s difficult to keep up with the new approaches because there is so much happening all at once.

At a high level, they fall into two segments:

• Dedicated encryption infrastructure (secure enclave) you put your data into.
• An encryption layer that works with the data infrastructure you already have.

What are the reasons an engineering team would want to pick one approach over another?

Ryan Cooke: For something like PCI, secure enclaves make a ton of sense. PCI is so strongly scoped to systems that have access to PCI data, you want a narrow scope. That's a use case where you really never want to touch the data. However, there’s a whole long tail of information worth protecting that secure enclaves aren't very well built to do from an engineer’s perspective.

If you’re using a secure enclave, you end up incorporating their SDK into your application code, and your application code interacts with their SDK. From an ongoing retrieval aspect, you're talking to an API to get your data. That’s very different code than talking to your database. If you've grown up working on CRUD apps, you have a SQL interface to your database. That's‌ how you think about structuring your data.

Implementing secure enclaves often means segmenting your data. Some of your data is going to be retrieved through a proprietary API. The rest is retrieved through your database. As your data architecture starts to expand, you have to make decisions about where to put the data. You end up putting narrow pieces of data into the secure enclave. There’s a gray area where data may be sensitive or not — it depends on who you ask, or if you’ve compiled a bunch of pieces of data together, now it becomes identifiable, but independently, it’s not.

Our perspective is to make it much easier for you to put an encryption layer around your own database. That way, you don't have to pick and choose between what data is going to go in the vault and what data is going to go in your main database. You end up owning your data architecture. That’s really powerful.

As you go through different iterations of scaling your systems, some things are going to break and be hard to fix with your data infrastructure. And when you go back and revisit that, owning the infrastructure yourself is a huge advantage for engineers.

Cole Grolmus: Native database security and encryption has been around for a while. Why should engineers use a product like JumpWire or a secure enclave instead of implementing their own solution using native features?

Ryan Cooke: That’s one of the hardest points — where we are competing against “let's just build this ourselves.” It's very easy to underestimate the complexity of key management. Even with something like KMS (offered by AWS), you can get into a situation where it's extremely expensive. You're paying for every API call to decrypt the data.

What we've experienced starting down this path in prior roles, you quickly realize that key management is quite difficult — issuing and managing keys, segmenting and rotating keys, partitioning keys by customer, and more. As you start to scale up the solution, some of these use cases become really challenging to build yourself or to continue dedicating engineering resources for maintenance.

Where we see an opportunity is when there's a larger class of data that needs to be protected. Many companies don’t want a dedicated security team managing a data plane or some type of consolidated security layer in the architecture itself.

How JumpWire works

Cole Grolmus: Could you give me an explanation of how JumpWire works and why you’ve chosen to take this direction with the product?

Ryan Cooke: The product has two main components to it. It has a proxy, which we call a proxy engine or policy engine. This is a container that you deploy into your network. It implements HTTP protocols and database protocols. The proxy lives transparently between the application interfaces, whether that's an API, GraphQL, or between an application and a relational database like Postgres.

The idea is that you don't need to change anything on the application side. We're going to manage data security by inspecting requests. We're looking at data as it flows through applications, then making decisions about that data from a security and policy perspective.

We’re sitting inside your network. We're not a SaaS product — today, at least. You don't need to‌ give up all of your most sensitive data just to secure it. You can leave it in your architecture. You don't need to change anything. It gives you control.

The second piece is field-level encryption. We're helping you ‌identify the columns in your database, the properties of a JSON HTTP request, and so on that look like sensitive information. We run heuristics, modeling, and other techniques to say, “this looks like this is sensitive data.” Then, we're giving you a tool that says, “if this is sensitive data, it should be encrypted” with its own key using the approach you want to take for classification, segmentation, and things like that.

The result is if someone were to get into your database, or even internal tools that should not be exposing sensitive data, they're not going to walk away with everything. They're going to see things that are encrypted.

There are a couple different modes that we can operate encryption in. Depending on the database, sometimes ‌field-level encryption happens in the database. You can feel very confident that for any data getting inserted there, encryption happens, because we'll manage triggers and keys using native database capabilities. Or, we can encrypt it in flight as data is being passed through our proxy.

Cole Grolmus: What is a major driver for why customers decide to buy JumpWire?

Ryan Cooke: One of the things engineering leadership finds attractive about our product is their ability to give developers production database access. There are a lot of cases where a non-security incident happens, and someone needs to‌ log in and look at data in the database or inspect production systems. They’re thinking, “Every time I do that, do I open myself up to a risk of that data being compromised?”

What you end up with is a complete picture of data that needs to be treated as sensitive based on its classification. The only way to unencrypt the data is to pass it through our proxy.

From a security perspective, this gives you a very low surface area where you need to be worried about there being a compromise. You can put a lot of people and a lot of tools into your production database. We're giving a really complete level of protection across a very large surface area with a small appliance.

Doing data classification and enforcement on the fly

Ryan Cooke: SOC2 compliance was the kernel that started JumpWire. We’ve been through SOC2 readiness and audits in the past. There’s a huge gap in data classification and data handling policies that never translate into your data architecture. Unless you've‌ been very forward-looking, you lose tons of granularity about how you classify data.

With JumpWire, we're really trying to push those concepts into what's important about any piece of data. Anything that's highly confidential should be field-level encrypted. That's what our tool really unlocks. We do the discovery and data classification. We'll go to all of the schemas in the database, understand the columns being returned, and then run a data classification heuristics based on that. We automate the labeling of all your tables and columns.

Then, we're applying policies on classifications, not on a field that says “first_name.” It gives you holistic policy enforcement and control where you can be bridging your information security program to your data infrastructure in a way that really is not possible without a lot of custom built stuff.

Now, you can audit who's accessing highly confidential data instead of who's accessing social security numbers. You can start to say:

“This application is our email sending service that’s going to send email digests. So, it’s going to need PII. We expect that application to process PII. But this other customer service tool doesn’t ever need an email address. It shouldn't have access to that type of data.”

By running database connectivity through our systems, we can give you that type of control.

Cole Grolmus: This is interesting! So, you're saying that an application connecting to a database via JumpWire — that doesn't know it shouldn't have access to things like email addresses or whatever — JumpWire will block it and not return that sensitive data?

Ryan Cooke: Yeah. We're creating all these virtual proxies. You can create one proxy that says an internal application that needs confidential information can connect through this proxy, and it's going to have its own username and password. And then you have another proxy that just says, “oh, it's only an internal application, it shouldn't be reading PII.”

We're not restricting it or blocking it, but if someone does write a query in that app to pull out sensitive data like a name and email address, they're just going to get the encrypted blob back. They're not able to read it. They don't have the key to read it, so they can't decrypt it.

Cole Grolmus: Data discovery and classification and application-specific enforcement are both really important. For a second, it seemed like magic to me.

You're into a whole other product category. There are entire data security platforms that scan your data repositories, find sensitive data, classify it, etc. I don't think you're sitting here saying you’re going to replace those tools — they have a purpose. But you are saying, “in addition to that, we can actually help you enforce it.”

The enforcement part is really important because after you’ve discovered sensitive data, your security team is sitting there trying to figure out, “well, now what do I do?” JumpWire can say: “Here's all this data. We helped you find it, and we can also implement what you should do to protect it right away.”

Ryan Cooke: Yeah, that's right. Where we play is in situations where you know customer data is sitting in this database, but you don't really know all the schemas it's in. We can just automate that part for you.

Approaches for implementing data encryption

Cole Grolmus: If I was starting greenfield with a brand new application and had a loose schema in my head, that seems like the easiest time to adopt a secure enclave. It's hard to put a percentage on it, but I suspect that’s less than 10% of use cases.

I'm sure the use case you see a lot more is, “I already have an existing application.” And probably worse yet, “I already have a massive existing application that's already scaled beyond the point of no return. We're not going back to do a rewrite here.”

…And then a requirement comes in where we need to secure the data better. “Now what do I do?!” If I'm in that headspace, putting security around my existing data by adding secure data infrastructure seems a whole lot more appealing than migrating data.

Ryan Cooke: Yeah, definitely. Otherwise, it's like a six-month project, right? If you think about what teams have to do to plug in an existing vault into their microservice architecture, where they have a half a dozen databases already, it’s a lot of effort.

Cole Grolmus: Can you talk more about that? What has your experience been with customers bringing existing data architectures and infrastructure in with them?

Ryan Cooke: It's been a big area of focus for us on the product side — how we've architected and implemented our proxies to speak database protocols. There's really no impact that has to happen to your architecture other than self-hosting our proxy.

All of our customers self-host the product today. We think about the rollout in multiple stages. They're not about cycles of engineering work the customer has to do. It’s really validation that everything is working and not breaking existing code in unexpected ways.

We drop our proxy, and it starts forwarding requests to the database. What you're testing is network latency and whether there are any queries that are going to be negatively impacted by JumpWire. If that looks good, we move on to manipulating the data on the fly. So, we're not going to change the data that's been stored in the database. We're simply going to manipulate it as we see the request pass through our proxy.

Then, we create policies and do the classification work that determines which of your fields are sensitive. At that point, if things are looking good, we move to the final phase, which is to rewrite the data in your database. We have tooling that helps do that efficiently. You can run a fairly large scale data migration without impacting in production.

Once that finishes, you’re at a point where new data coming in is being stored in a secure format. Your application is expecting to get it through JumpWire in a particular format, and things run as you expect.

We put a lot of thought into how to roll out a tool and migrate an existing application stack with the least possible interruption, or potential availability faults as we can. What people are really concerned about is not just losing control of their architecture, but introducing something that really degrades the performance of their app. They don't discover that until it's in production and in front of users.

Cole Grolmus: That level of thinking matters — the amount of detail and consideration that's gone into helping people implement JumpWire in their existing data architecture. When you think about customer adoption for something like this, a massive barrier to getting started is, “OMG, how do I take all this data and not break my app to make encryption happen?”

That's got to be a non-starter for a lot of people who don't have a burning platform to implement data encryption. The fact that you can do it in a staged out way that doesn't require a big-bang cutover is really appealing.

Ryan Cooke: We really think about engineering teams. A lot of times, they're not the ones who have decided that they need to have this in their overall architecture. The reality of engineering work is that you get pushed things from others.

We want to make encryption as easy as possible for teams, where the organization has decided it’s the priority, and they're now on the hook to implement it. Do they want to spend several months out of their iteration cycles working on this problem? Or, can we solve it a lot faster so they can go back to product development?

Why companies implement data encryption

Cole Grolmus: What is the main driver of people wanting to adopt a data encryption solution?

Developers are a lot more security-conscious now, but an encryption solution this sophisticated isn’t super high on most people’s priority list. It seems more likely to be pushed down from somewhere else, as opposed to, “hey, we want to do the right thing here.”

Ryan Cooke: We actually do get a decent number of engineers coming to us saying, “I'm uncomfortable with how we're storing data.” Now, can they prioritize that into an initiative to adopt JumpWire? Unfortunately, not always.

Early in the life of a business, the goal is to build a viable product. But there are a set of engineers who are aware of security. There's an opportunity for that basic level of awareness to come to the next level — where I‌ need to have a little more consideration for data that's been stored in my database and how it's getting secured.

Cole Grolmus: I’m interested in the intrinsic versus extrinsic motivation here. Is this developers wanting to do the right thing? Or is it somebody telling them that they have to do it?

I’m sure the reality is some of both. But it’s encouraging to hear people realize that there's some data that's just not okay to have sitting in plain text and know they need to do something about it.

Ryan Cooke: It’s some of both, but mostly external. My expectations when we were starting was the motivation would be 100% external. I've been really surprised with these cases where there is some self-identification happening on the engineering side.

But you're absolutely right — the vast majority of motivation is going to come from higher levels in the organization, maybe even someone in Legal saying, “we're not we're not doing the what we should be doing to handle this data properly.”

Cole Grolmus: Motivation for adoption being driven by other people probably lends itself better to a solution like JumpWire, where they're not having to totally refactor everything. That’s my concern about companies in this category that need developers to be on board from the beginning of an app. Somebody would really have to want to do the right thing from the start.

For that business to work, it requires developers changing a behavior that’s really hard to change. JumpWire is sort of the beneficiary on the other side. The behavior that’s more likely to happen is engineering teams are going to get told down the line that they have to implement encryption. Now they’re stuck working within the data infrastructure they already have. JumpWire is a good solution for doing that.

Why data encryption is ready for mass adoption

Cole Grolmus: A lot of people are afraid of encrypting their data. They try to encrypt as little as possible because there’s this fear of “encryption is really hard.” And, “If I mess this up, I'm going to lose my data.”

The downside of bad things happening with my data that were irreversible was worse than the risk of having unencrypted data get hacked. That might be an outdated mindset.

What strikes me about companies like yours and other early stage companies who focus on encryption is that you’re making encryption less scary.

Ryan Cooke: Yeah. If you make a mistake, you can shoot yourself in the foot. When you automate and have a programmatic approach to key management, you're reducing the risk of losing a key considerably. That's the worst case scenario.

I remember when we would generate the root encryption keys, put it on a thumb drive, and put it in a safety deposit box. We were so afraid of losing the key because it’s everything. When you approach key management programmatically, it becomes a lot more predictable. We can put in guarantees in the system that's handling the encryption that those keys aren't going to get lost and that they are recoverable.

From a cost perspective, by having a system like ours where we can make decisions around whether to decrypt or not, that's going to vastly reduce the potential that you end up spending a lot on compute to decrypt swaths of data. We’re applying a policy-driven approach. It's very predictable about what is going to happen to compute needs for decrypting some quantity of data. We can demonstrate that up front.

So, those are a lot of the fears practitioners might have from a philosophy standpoint. A lot of things these days are encrypted by default. AWS made a big push on S3, where everything's now encrypted on the server side by default. Every website uses TLS. So, some of the philosophical concerns about encryption are becoming less and less concerning.

Nine cybersecurity, privacy, and trust startups were among the 282 companies unveiled at the two-day event. In YC's current era of smaller batch sizes, nine companies is still a healthy representation for the cybersecurity ecosystem. Batches across the past two years have included roughly a dozen cybersecurity companies. Numbers have remained resilient despite the recent slant towards AI/ML companies, including 60 in the Winter 2023 batch.

We'll be doing a quick analysis of each cybersecurity, privacy, and trust company in this article, just as we've done for previous batches. Companies in the Winter 2023 batch include:

• 0pass: A passwordless authentication platform for an organization's workforce.

• Blyss: A privacy-focused data warehouse built on homomorphic encryption.

• Credal: A data security product for AI apps.

• EdgeBit: A software supply chain security platform focused on prioritization.

• Escape: A GraphQL API security platform.

• Intrinsic: API-based technologies for trust and safety teams.

• Infiscal: An open source secrets manager for developers.

• Matano: An open source, cloud-native SIEM.

• Nucleus: A Know Your Business (KYB) compliance orchestration platform.

An overall observation before we get into the analysis: only one of the nine companies (Escape) has disclosed financing other than Y Combinator's investment. This is somewhat unusual for Y Combinator companies, who are generally regarded as the best of the best among early stage startups.

Each of the nine companies likely have capital raises in the works, but it's a clear departure from the earlier trend of YC companies announcing funding on or before Demo Day. I expect the timing for this batch is more reflective of the overall funding environment than the companies themselves — all of which are at or above the level of quality from previous batches. It's a trend to watch as other early stage companies are likely facing similar (or worse) situations.

0pass

What does the company do?

0pass is a passwordless authentication platform for a company's workforce. Their passwordless implementation is based on Public Key Infrastructure (PKI) and implements authentication through Windows Hello, TouchID, FaceID, and Yubikeys. The platform also provides features for managing the full lifecycle of PKI enrollment, certificate renewals, and more for end users.

Where do they fit into the cybersecurity ecosystem?

0pass is one of many early stage companies competing in the Passwordless and Multi-Factor Authentication market.

Customer segments are an important nuance of this market. 0pass is currently focused on passwordless authentication for workforce, meaning a company's internal employees and third party business partners. Their solution is not currently focused on customers — a completely different user group with a slightly different set of use cases and implementation requirements.

What are their challenges?

From an implementation standpoint, many security leaders avoid deploying hardware-based authentication solutions for non-technical users because using external devices for authentication is unnatural. The behavior of authenticating without passwords is still in the early stages of user adoption. It's going to take time for people to get on board.

At a macro level, passwordless authentication is an extremely competitive market with competition among a range of companies, from early stage to tech giants like Apple, Google, and Microsoft. Many startups are well financed — for example, Transmit Security's $543 million Series A round that was the largest Series A investment in cybersecurity history.

Why could this be a big company?

Passwordless authentication is one of the most important paradigm shifts in cybersecurity. It's a generational transition — we're not going to see many of these in our careers.

A Gartner research report predicted 30% of organizations would use at least one form of passwordless authentication by 2023, which is...still not a lot. However, it's still a positive upward trend in a massive market. As I wrote in my deep dive on 1Password, we're still in the early days of passwordless adoption. There is plenty of room in the market for more companies to succeed.

Yubico, a later stage startup that helped pioneer hardware-based authentication (Yubikeys), just announced it's going public via SPAC and disclosed impressive growth metrics. Their announcement is likely the best financial data on a pure passwordless company that's been made publicly available to date. Yubico's strong revenue, growth, and an impending public listing are all positive signals for earlier stage companies in this market.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

Blyss

What does the company do?

Blyss is building a privacy-focused data warehouse using homomorphic encryption. Their company description explains what this means with perfect clarity:

Data sent into Blyss is permanently sealed; once it enters, it's never decrypted. All analysis happens directly on the encrypted data. Regulated enterprises can use Blyss to unlock value from sensitive data without risking leaks.

Where do they fit into the cybersecurity ecosystem?

I would roughly classify Blyss as a Data Deidentification and Pseudonymity company. However, they're potentially creating a new product category that is a hybrid of security and data warehouses.

Blyss is a fascinating instance of a non-security product (data warehouse) with security and privacy (homomorphic encryption) at its core. In other words, the product is differentiated from other types of data warehouses because of the security and privacy benefits.

What are their challenges?

How much had you heard about homomorphic encryption before reading about Blyss? Probably not much — myself included.

That's the challenge: the big idea of privacy-focused data stores is still pretty new to most people. Awareness is something we're still working through, although the trend of developers embracing security is accelerating quickly. There's a risk of this being a "solution in search of a problem" situation, although homomorphic encryption is a legitimate solution for difficult problems like facial recognition, voice assistance, and smart contracts.

From an implementation standpoint, adopting an entirely new data warehouse (privacy-focused or not) is a challenge for companies who already have one or more. Many companies don't have the luxury of starting from a clean slate, so data migration is a huge obstacle. I'll be discussing more about this topic in an upcoming interview with a previous YC founder, so stay tuned.

Why could this be a big company?

Widespread adoption of a security and privacy-focused data warehouse would be a huge win for cybersecurity. There are a variety of different approaches for bringing security and privacy to data stores, and homomorphic encryption is among the most promising.

The technology is so new that there is relatively little direct competition. Zama is one example of another company making progress with open source homomorphic encryption tools. It's a very nascent market, which means Blyss has plenty of room to establish itself as the clear leader.

Bigger picture, Blyss is advancing technology that wasn't previously possible and making it something that's widely available and commercialized for engineers. The product is a massive advancement in the security and privacy of data, which means it has a chance to become a big company.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

Credal

What does the company do?

Credal protects sensitive data used with AI apps, including major providers of Large Language Models (LLMs) like ChatGPT. The product provides enterprise-grade controls over use of company data, including DLP-like tools for data exfiltration, logging, proxying, and Master Service Agreements (MSAs).

Where do they fit into the cybersecurity ecosystem?

Credal broadly fits into the Data Loss/Leakage Prevention category, albeit with a very specialized use case that could easily be considered a standalone segment. AI security is beginning to establish itself as an entirely new (and potentially massive) market within cybersecurity.

What are their challenges?

Security for LLMs isn't something many companies have on their radar yet. Slower-adopting organizations may not have tested or adopted LLMs yet. Or, if they have, they're still determining what the impact on their company could be. Even with the recent popularity of ChatGPT, it's fair to say that security for LLMs is still almost unheard of.

Longer term, the question is whether data security for AI and LLM apps is a standalone category or part of an established enterprise data security platform. A product like Credal could be a valuable acquisition target — not a challenge, but a factor that may keep them from reaching later stages of growth as a standalone company.

Why could this be a big company?

You may have heard about ChatGPT...basically everywhere on the internet in 2023. There's a brilliant quote by Paul Virilio that's useful here: "When you invent the ship, you invent the shipwreck." In this instance, LLMs like ChatGPT are the ship, and security and privacy are the shipwreck.

Multiple flavors of security issues have already occurred — including companies leaking sensitive data to ChatGPT, and ChatGPT itself leaking data between users. The explosive growth of LLMs themselves and applications built on top of them are sure to bring more security and privacy issues.

LLMs and ChatGPT were a huge topic of conversation at RSA Conference this week. Rak Garg shared a nice summarization on LinkedIn:

Everyone is aware of the risk of employees inadvertently leaking data to ChatGPT, and there's no great solution outside of domain blocking at the network layer.

Most companies, especially those based in the United States, are unlikely to go the way of Italy and issue full-blown bans of LLMs. The upside is too high, even with the potentially catastrophic downside risks.

For security teams, this means finding ways to allow employees to safely interact with AI apps and LLMs. The Cloud Security Alliance recently published an analysis of the security implications for ChatGPT — a nice starting point, but not yet a full solution. If Credal becomes the solution for companies who need to secure AI apps used by employees, it's going to be a big company.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

EdgeBit

What does the company do?

EdgeBit dynamically monitors, analyzes, and prioritizes software supply chain vulnerabilities. The product takes a unique new approach to prioritization by understanding which code is executing in your environment. The result is a live inventory of relevant vulnerabilities...instead of a laundry list of vulnerabilities you aren't sure if you need to worry about.

Where do they fit into the cybersecurity ecosystem?

EdgeBit is a Software Supply Chain Security company. Although their differentiator is focused on prioritization, their product is comprehensive enough to compete with other supply chain security companies in this market.

What are their challenges?

Starting with a narrow focus on prioritizing supply chain vulnerabilities is exactly what EdgeBit needs to do as an early stage company. However, this is both a challenge and an opportunity.

Winning prioritization could be a wedge into the broader supply chain security and vulnerability management markets, or it could make them a prized acquisition target. Acquisitions are fine, of course, but there's a chance that being too good at prioritization catches the eye of strategic acquirers hungry for buying promising early stage companies.

Competition is also a challenge, with many of the top early stage companies (and investors) focused on supply chain security. Companies that didn't start with prioritizing supply chain vulnerabilities will get to those features eventually. Does EdgeBit have enough time to establish itself before competitors catch up?

Why could this be a big company?

There is a clear trend towards vulnerability prioritization in the overall Vulnerability Management (VM) market. Large vulnerability management companies like Qualys, Rapid7, and Tenable talked extensively about vulnerability prioritization in their most recent annual earnings announcements. Vulnerability management fatigue is one of the most well-known challenges (and complaints) for security practitioners today.

Ironically, if we had to build VM again from scratch, prioritizing vulnerabilities would be one of the first features to build. Supply chain security is probably the closest thing we're going to get to a do-over. If EdgeBit's real-time prioritization approach wins out, they can become a big company.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

Escape

What does the company do?

Escape helps engineering and security teams find and fix vulnerabilities in GraphQL APIs. The product is a security testing tool that runs in CI/CD pipelines, not a scanning tool that runs after deployment in test or production environments.

The magic is in a new testing approach called feedback-driven API exploration, which progressively learns from API responses and generates increasingly relevant tests over time.

Where do they fit into the cybersecurity ecosystem?

Escape is an API Security company with a specific focus on GraphQL-flavored APIs.

What are their challenges?

Like several other cybersecurity companies in this YC batch, Escape's challenge (and opportunity) is focusing on a relatively narrow slice of a growing market — GraphQL security within API security, in this case. Competition in the overall API security market is intense, including unicorns Noname Security and Salt Security.

Beyond API security, application security platforms like Snyk and Veracode have raised significant venture capital and private equity financing, respectively. Escape is already an early member of Snyk's technology alliance program. The value they bring is undoubtedly on the radar for Snyk and others already. Their focus on GraphQL and innovative testing approach could make them an early stage acquisition target.

Why could this be a big company?

We're still in the early days of API security for traditional REST APIs. Adoption of GraphQL itself is increasing rapidly, and security desperately needs to keep up. Two stats shared by Escape in their YC launch help make the point: GraphQL is now used by 20% of developers, and 95% of GraphQL APIs have unremediated security vulnerabilities.

These are astonishing figures, even if they're only directionally correct. GraphQL is on its way to becoming the dominant architecture for APIs. An even more significant development is the rise of API-first companies. According to GGV Capital research, API-first companies have raised over $14 billion in capital, including the likes of Stripe, Plaid, Segment, and many more.

Escape is well positioned to become the leader in security for GraphQL with its team, tech, and Y Combinator backing. They'll become a big company if they can ride the wave of GraphQL growth and become the go-to platform for security.

Who are their investors?

According to PitchBook data, Escape has raised a total of $850,000 across two early stage financing rounds. In addition to Y Combinator, investors include Irregular Expressions, Frst Capital, and a handful of individual angel investors.

Intrinsic

What does the company do?

Intrinsic provides tools for trust and safety teams through a unified API. Examples of tools include image and text scanning, content policy definitions, scoring, and analytics.

Where do they fit into the cybersecurity ecosystem?

Intrinsic is a welcomed addition to the growing Trust and Safety market, which builds workflows and tools for online platforms to reduce the risk of fraud, harm, and abuse among users.

What are their challenges?

Intrinsic shares many of the challenges I wrote about when covering Cinder, a Y Combinator company from the Winter 2022 batch:

Finding customers at the right level of traction and scale to require more advanced trust and safety operations is potentially tricky. Small companies with seed funding or earlier are usually still seeking traction. This doesn't leave much room to focus on problems outside of growth — trust and safety being one such problem.

There is also a lot of variety in this space. Trust and safety threats and problems vary by company and by industry, as do the processes for solving them. Cinder offers customizable workflows for this exact reason, but managing the variety is a potentially difficult product management challenge.

Intrinsic is more focused on tools than workflows, providing a base set of technologies that can be used by engineers working within trust and safety teams to integrate features directly into products. This requires a slightly higher level of process maturity and technical sophistication in exchange for the flexibility to customize and enhance products with world-class trust and safety primitives.

Why could this be a big company?

As I discussed with Cinder, the problems addressed by trust and safety teams are massive societal problems:

Problems with abusive content, fraud, and threats were a nascent problem that only existed in the world of large social media companies. Or so we thought. We've now entered an era of misinformation, abuse, and outright information warfare that causes massive societal problems and elevates the discussion about trust and safety into the public spotlight.

For companies like Intrinsic, the seemingly narrow target market of trust and safety teams is deceiving. User Generated Content (UGC) is among the internet's most profound breakthroughs. The most common UGC examples we think of are social media and YouTube — however, the impact of UGC spans almost every vertical of tech and society, including online gaming, Esports, travel, commerce, and more.

A recently published academic study in the Journal of Advertising measures the effectiveness of UGC and traditional media for customer acquisition and retention, concluding UGC is more effective for acquiring customers. Studies like this are one of many signals we intuitively understand as people in the tech industry: UGC is both profoundly important and dangerous when misused.

Now, the dangers of online misinformation and abuse are widely understood. Along with the looming possibility of social media regulation and growing support for outright bans of platforms like TikTok, it's clear we are on the brink of entering a new phase of governing content on the internet. If Intrinsic can establish itself as a foundational platform for trust and safety, it can become one of the most important companies for this inevitable next phase.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

Infiscal

What does the company do?

Infiscal is an open source platform for managing developer secrets. "Secrets" include a specific subset of credentials like API keys, service account passwords, certificates, and more. The product includes several developer-focused features like injection into local dev environments, synchronization across teams, secrets rotation, versioning, and more.

Where do they fit into the cybersecurity ecosystem?

Infiscal is a secrets management platform, which is a subset of the overall Privileged Access Management (PAM) market.

What are their challenges?

As a major category within PAM, secrets management is a relatively established product category in cybersecurity with strong market leaders.

CyberArk is a high performing public company, and their Conjur product has been a successful add-on to their core PAM product for enterprise customers. HashiCorp IPO'ed in late 2021. Vault, an open source secrets manager, is one of the company's core products. 1Password, a later stage startup, is also in this market with its Secrets Automation product.

Beyond traditional competitors, secrets management is becoming a native feature in code repositories like GitHub and GitLab and cloud platforms like AWS, Azure, and Google Cloud Platform (GCP).

Despite the volume of established companies competing in this market, problems with secrets management are far from solved. It's too early to declare this market has been won, which could leave a window of opportunity for Infiscal.

Why could this be a big company?

Any time a cybersecurity company shows success by growing through bottom-up adoption and winning over developers, you need to pay attention. Infiscal's open source repository already has 5,743 starts on GitHub and 64 contributors (as of today). Their YC launch also stated 220+ community members in their private Slack. Those are impressive numbers for a very young company.

Adoption and maturity of secrets management among engineering teams is still relatively early stage. A 1Password report on the topic includes all kinds of interesting statistics. I wrote about secrets management in a previous article about security for developers:

In a 2021 1Password survey, 80% of IT/DevOps organizations admitted to not managing their secrets well. That's...not great. It's also a more pervasive problem than you'd think. In the same survey, 65% of companies reported having over 500 secrets, and 18% have more than they can count.

Products that are relentlessly focused on making it easier for developers to securely use and manage secrets are going to rise to the top. Like HashiCorp, Infiscal needs to keep winning over developers. Their open source model makes it easy for engineering teams to adopt the product and eventually upgrade to paid plans. Developers are a difficult but valuable audience. If Infiscal can continue the rate of traction they're already gaining with developers, they're going to be a big company.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

Matano

What does the company do?

Matano is building an open source, cloud-first Security Information and Event Management (SIEM) platform. The product ingests security log data from sources like SaaS, network, endpoints, and more and allows companies to analyze and build detection rules on top of the aggregated data.

Where do they fit into the cybersecurity ecosystem?

Matano is an open source Security Information and Event Management (SIEM) platform.

What are their challenges?

It's counterintuitive to be building a SIEM product alongside companies like Splunk, a public company with $3.65 billion in revenue for its most recent fiscal year, Google's Cloud's market entry via its acquisition of Siemplify, Sumo Logic, a recently acquired Francisco Partners portfolio company, Panther, one of the most promising cybersecurity unicorns, and more.

Direct competition aside, larger questions loom about the future of the SIEM market due to the rise of XDR platforms from Palo Alto Networks, CrowdStrike, SentinelOne, and others. Competing anywhere near the vicinity of SIEM, XDR, and the ultra-powerful companies in these markets is challenging.

Why could this be a big company?

Jack Naglieri, the Founder and CEO of Panther, describes his own experiences as an engineer building a custom cloud-native SIEM internally at Airbnb. He also discusses the temptation (and pitfalls) for security teams to build their own SIEM on this episode of the Business of Cyber. His commentary is relevant background for the problem Matano is trying to solve. TL;DR: some companies insist on buiding their own SIEM, and they shouldn't.

The critical market insight for Matano is exactly that: a lot of companies still want to build their own SIEM (or SIEM-equivalent platforms for security log analysis). This segment of the market is bigger than it might sound, especially with the rise of security engineering and plenty of born-in-the-cloud technology companies. Matano can be a big company if it can appeal to people in this market segment as a better alternative than building a SIEM from scratch.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

Nucleus

What does the company do?

Nucleus is an orchestration service for Know Your Business (KYB) compliance — a U.S. federal government requirement for institutions like banks, fintech companies, securities brokers, and other financial institutions to verify the identity of business customers and reduce the risk of fraud and money laundering.

The product is conceptually similar to AiPrise, a YC company from the Summer 2022 batch who focuses on orchestration for Know Your Customer (KYC) compliance — a similar regulation for individuals. A nuance I explained while covering AiPrise also applies to Nucleus:

The "integration and orchestration" part is an important distinction — it doesn't do the verifications. There are plenty of good products that do this already. [The] problem space is how to manage the identity verification providers — an adjacent but tricky challenge.

What the product does may sound complex if you don't spend much time dealing with financial regulations. If that's the case, a quick demo of the product is better than words.

Where do they fit into the cybersecurity ecosystem?

Nucleus generally fits into Identity Proofing, with the nuance I pointed out earlier about managing but not doing the validation. The product focuses on validating the identities of businesses, not individual people or the employees who work for a business.

What are their challenges?

Similar to AiPrise, Nucleus faces the challenges that come with competing in a market that's perceived to be niche:

Managing multiple identity verification and KYC providers is somewhat of a niche. The pain is most commonly felt by fintech companies. Many investors would question if the problem space and market is big enough to become a large company.

Niche markets and specific problems like this are YC's bread and butter, though. What seems like an obscure problem is often bigger than people expect. Solving a niche problem well also unlocks adjacent opportunities in broader domains (Fraud and Transaction Security, in this case).

Competition is also somewhat of a challenge. For example, Middesk is a Series B company in this space that's backed by top venture capital firms like Accel, Sequoia, Insight Partners, and more.

Why could this be a big company?

During a period of time where cost savings are the top priority, companies will be looking for ways to spend less on essential but non-core activities like regulatory compliance. Nucleus states that its product can reduce manual KYB operations time by 60%. Anywhere close to that is a massive amount of savings for financial institutions who devote substantial resources to KYB.

User experience matters, too. Customers don't want to wait days or weeks to get started while they wait for their business to be verified. They don't want to answer pointless compliance questions, either. If Nucleus can help financial institutions both save money on KYB compliance and improve customer experience in a meaningful way, they can become a large company.

Who are their investors?

According to PitchBook data, Y Combinator's $500,000 SAFE note is the only investment disclosed to date.

The strategy for each company is expansion into other adjacent product categories to broaden their platform and consolidate other standalone vendors. Each is executing their strategy in a slightly different way with varying levels of (early) success. We'll cover some of the nuances as we break down the earnings for each company.

From Qualys's annual earnings press release:

Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced financial results for the fourth quarter and full year ended December 31, 2022. For the quarter, the Company reported revenues of $130.8 million, net income under United States Generally Accepted Accounting Principles (GAAP) of $28.3 million, non-GAAP net income of $38.9 million, Adjusted EBITDA of $55.1 million, GAAP net income per diluted share of $0.74, and non-GAAP net income per diluted share of $1.01. For the full year ended December 31, 2022, the Company reported revenues of $489.7 million, GAAP net income of $108.0 million, non-GAAP net income of $146.5 million, Adjusted EBITDA of $218.6 million, GAAP net income per diluted share of $2.74, and non-GAAP net income per diluted share of $3.72.

"We are pleased to report another quarter of strong revenue growth, profitability, and cash flow generation," said Sumedh Thakar, president and CEO. "In 2022, we continued to innovate, introducing new applications as well as enhancing existing applications, to further strengthen our market position in the cybersecurity space. As validated by the 2022 SC Awards having named Qualys' Vulnerability Management, Detection and Response as the Best Vulnerability Management solution, we believe that our natively integrated platform that is detecting, remediating, and reducing cyber risk brings a highly differentiated value proposition to organizations and positions us well for durable profitable growth."

Qualys's recent financial performance has been much better than the overall tone of the earnings call. Their financial performance is nicely summarized in a chart from their investor deck, which compares Rule of 40 calculations across peers in both cybersecurity and SaaS:

Qualys maintained this level of financial performance despite being (in their own words) focused on investments in R&D and sales and marketing. From CFO Joo Mi Kim:

2022 was another notable year of product innovation for Qualys as we continued our product leadership while growing revenues by 19%, maintaining our gross margin at 81% despite inflationary pressures, and generating EBITDA margin of 45%. While our profit margin was well-above our industry peers, 2022 was a year of investment for Qualys with both R&D and sales and marketing growing faster than revenues.

I summarized the strategy behind their investments during a previous analysis of their earnings:

Qualys is at an interesting juncture as a company. They have long been known for vulnerability management, dating all the way back to their beginnings in 2000 when they became the first SaaS-based vulnerability management platform. They're a market leader in vulnerability management, but the company has struggled with growth relative to top performing cybersecurity companies...

Qualys is a notable exception among public cybersecurity companies because they're profitable at the expense of growth. To increase growth, they are now pursuing a broader platform strategy with product consolidation as its primary value proposition.

Just over a year later, their platform strategy is starting to shape up. The company is still a work in progress (one of the major themes from the annual earnings call), but there's a lot to learn from their transformation.

Enterprise buyers want consolidation and quantifiable outcomes.

Add Qualys to the list of cybersecurity companies with consolidation as a major theme on the earnings call. In the words of CEO Sumedh Thakar:

I’ve met with over a hundred CISOs over the past few months, and their message is clear; they are looking to pivot to a platform-based solution to solve their complex security problems.

They went as far as publishing a slide showing exactly which vendors and categories their cloud platform can consolidate:

Their roadmap for consolidation is more illustrative than reality at this point. Outside of Qualys's core vulnerability management capabilities, other areas of the platform are still maturing. For example, their endpoint security product isn't yet mentioned or included in Gartner's latest Magic Quadrant for Endpoint Protection Platforms. However, this visual is a clear demonstration of the company's vision and strategy.

Signs of progress are starting to show. Sumedh Thakar discussed customer perception of their platform and strong growth in large accounts:

As more and more customers are beginning to perceive Qualys as a leading security platform they can leverage to solve their complex and difficult security problems, we are growing increasingly confident in our ability to drive growth and gain market share.

This is evidenced by the continued growth in our large customer spend, with customers spending $500,000 or more with us growing to 116 in Q4 up 27%, from a year ago.

This theme is consistent with several other large cybersecurity companies. However, Qualys's large account growth comes with a tradeoff: they're struggling with mid-market and SMB customer segments. More on this later.

Sumedh Thakar shared one of the most insightful perspectives I've seen on consolidation during this year's earnings calls:

...everybody is talking about security budgets and the layers being added and the scrutiny, but really it's a question of the spend that you're putting in security is that giving you meaningful outcomes from a risk reduction perspective and that's really the question that's being asked.

If we're going to spend this money, are we getting a risk reduction? And that's where the TruRisk that we introduced last year and the enhancement that we have done now, it has resonated well with the CISOs, because now we're able to give them risk score and they're able to actually tie the spend that they're doing to bring that risk score down and really able to quantify how that investment is making sense.

...

So it's not just the projects in security you're executing, but what is the outcome that you are bringing? And I think that's kind of what's resonating with our customers.

Risk quantification (and the topic of measurement, more broadly) has always been a tricky subject in cybersecurity. In difficult economic periods, business leaders want their CISOs to measure and quantify spend and outcomes. There's no way around it, even though it's difficult to do in this profession.

Qualys is facing challenges with economic uncertainty, especially in mid-market and SMB.

Qualys's leadership team talked a lot about the impact economic uncertainty had on the company during Q4 2022. Their assessment and 2023 guidance couldn't have been more blunt. From Joo Mi Kim:

Q4 was a tough quarter for us. As Sumedh mentioned, it was lower-than-expected bookings performance. And what we've assumed in the 2023 guidance is that that condition continues.

Their specific challenges seem to lie in mid-market (SME) and small business (SMB) sales. Another pointed analysis from Joo Mi Kim:

...where we've seen the lack of growth and the inefficiency if you will is on the SME and SMB space, where if you take a look at as an example, customers who spent less than $20,000 with us, the count really didn't grow that much and that's been a drag on our business. That's where we're really focused on right now with the new product and packaging, we knew that there was friction.

The company seems to be caught in the middle of top-down enterprise sales and bottom-up adoption with Product-Led Growth (PLG). Two anecdotes show the tension. First, operating expenses skyrocketed in Q4 because of spend on sales and marketing:

Operating expenses in Q4 increased by 25% to $58.4 million, primarily driven by the growth in sales and marketing investments including higher headcount and related costs as well as spend on trade shows.

However, Sumedh Thakar mentioned product-led growth and alignment of product marketing multiple times on the call:

...aligning product marketing, product management, product market being and driving more product-led growth, we believe we can use our platform itself as a way to create more opportunities for our sellers to show the value prop much more quickly.

In cybersecurity, it's hard (but not impossible) to have both top-down and bottom-up adoption. Companies like Cloudflare (discussed in Part 1), HashiCorp, and others have done it with varying degrees of success. Qualys is aiming to be one of the rare companies that has both sides of the growth equation working.

Qualys is well positioned for vulnerability management in hybrid environments.

Qualys introduced TotalCloud in October 2022, officially marking their entry into the hot Cloud-Native Application Protection Platform (CNAPP) market. The launch was partly fueled by the company's Blue Hexagon acquisition in October 2022.

Sumedh Thakar gave some commentary about both on the earnings call:

Additionally, TotalCloud, which is our cloud-native risk management solution for public clouds, is now GA, and since our acquisition of Blue Hexagon in October, we’ve already added a new Cloud Detection and Response module to our TotalCloud solution.

As organizations increasingly prioritize moving workloads to hybrid and multi-cloud environments, we view this new ML/AI-based technology for zero-day threat hunting and response as another strong competitive differentiator in a rapidly evolving market.

For all the hype about cloud security and the well-funded companies in this market, a practical problem remains: large enterprises are going to have material amounts of on-premise infrastructure for a long time. We're probably talking decades.

That's a tough dilemma for both security leaders and product companies during this long and unpredictable period of transition. Cloud security products aren't built for on-premise environments. Yet security leaders need to keep both types of environments secure.

Enter Qualys — a company originally built for on-premise infrastructure, yet early enough and agile enough to adapt their vulnerability management product into a SaaS offering. Sumedh Thakar shared several interesting comments about how enterprises with hybrid environments are behaving:

...customers are looking for flexibility moving workloads from on-prem into cloud multi-cloud and back...

...feedback has been very positive because of the comprehensiveness of the scanning capability that we bring and sort of just focusing on a snapshot-only scan or agent-only scan, we're giving them the most flexible options.

Our large enterprises are excited about it instead of looking at cloud-only security solutions that only give them visibility near the cloud. Most companies applications have or hybrid some of it is in cloud some of it is in on-prem, and they want to see the overall risk...

Even with the buzz and large financing rounds in cloud security, Qualys has an important role to play as an established leader in vulnerability management and adjacent domains.

“Rapid7 ended the year with revenue, operating profit, and free cash flow that exceeded our targeted ranges. Amidst an evolving economic landscape, we see customers continuing to expand their wallet share around our leading Insight platform, with ARR per customer growing double-digits from the prior year,” said Corey Thomas, Chairman and CEO of Rapid7.

Rapid7 is delivering solid financial results despite being a company in transition from its well-known vulnerabilty management product to a multi-product Security Operations company. A quick summary of revenue growth from CFO Tim Adams:

Full year revenue of $685 million grew 28% over the prior year and exceeded the high end of our guidance range.

The company's strong FY22 performance was somewhat overshadowed by rumors of an acquisition. Let's get straight to that.

Rapid7's leadership team didn't comment on acquisition rumors...but let's discuss them anyway.

The most significant news about Rapid7's annual earnings was barely discussed on the earnings call. On February 1st, Reuters reported the company is exploring a take-private sale. Investors liked the idea — Rapid7's stock price jumped 31% on the day the news surfaced:

Comments on the rumored acquisition was the first question out of the gates for the analyst Q&A portion of the call. Unsurprisingly, CEO Corey Thomas wasn't able to address the question directly, but his commentary gave some important context:

...we have a pretty massive opportunity in front of us, and we’re executing well against this. In that context, it’s not a shocker that people will talk about us, because we have both a good opportunity, and we’re well positioned to actually capture that opportunity in the broader market. That said, we just have a policy [of not commenting] on numerous speculation and we’re going to continue that.

In this current phase of large cybersecurity take-privates, these are the exact criteria private equity buyers are looking for. Rapid7 isn't financially performing on the level of the very highest performers in cybersecurity, but it's a quality company with well-established assets in vulnerability management and pentesting to build from.

Moving beyond the earnings call and into speculation about what a take-private sale might look like, two analysts provided important commentary about the deal structure. First, from Matt Hedberg at RBC:

While we wouldn't expect RPD to go for a multiple as high as that of SAIL, given its SaaS mix-shift, strategic pivot away from VM to DevSecOps and positive margins, for reference, 8.0x EV/NTM revenue would imply ~$90 per share.

Next, from Fatima Boolani at Citi:

RPD's inferior financial profile/end-market dynamics vs. recent cyber M&A does cast the 8-9x EV/S transaction precedents as a high watermark, in our view, but we think the rest of the aforementioned ingredients at work do offer credible reasons for a potential transaction outcome.

Both analysts are pointing out that the deciding factor for an acquisition would likely boil down to the valuation and underlying factors that drive the multiple. The 8-9x EV/NTM multiple referenced by both analysts implies the acquisition price could be well over $10 billion.

We've seen transactions of that size happen recently. Proofpoint's acquisition by Thoma Bravo is a good comparison in terms of company size. Revenue as of the company's 2020 fiscal year (its last full year of reporting as a public company) was $1.05 billion — compared to the $685 million in revenue just reported by Rapid7 for its 2022 fiscal year. Thoma Bravo paid $12.3 billion for Proofpoint.

Several factors have to align for a deal of this size to materialize, so it's hard to predict what will happen with Rapid7 in 2023. This is definitely the headline to monitor, though.

Rapid7's focus for consolidation is on increasing ARR per customer.

Like many other public cybersecurity companies, Rapid7 is executing its own strategy for building a multi-product portfolio to drive vender consolidation among its customers. They took a slightly different approach to explain their strategy. It's worth a quick look.

Rapid7's leadership team believes there is a lot of upside for ARR growth at existing customers:

The graphic illustrates that the path towards ARR growth is through vendor consolidation. For Rapid7, this means extending beyond their traditional entry point of vulnerability management to upsell additional products in their platform.

On the earnings call, Corey Thomas explained their strategy and clarified how vulnerability management — the product Rapid7 is most well known for — fits into the company's broader product strategy:

Our strategy is pretty straightforward. As we are taking a cloud-first because that’s what strategic assets are as we go forward, and a holistic risk view and a holistic threat view of the environment.

In that context, vulnerability management is strategic. We have people working on that. We have teams who are dedicated to it. But it is a feature and component of our platform.

We are a SecOps cloud-first company that actually offers vulnerability management as a part of our platform that allows people to have the visibility that they need to manage our overall security. As part of that overall strategy, it is just a part of our offering included in the price point.

Proactively driving consolidation is important enough that the company's sales metrics are weighted towards increasing ARR per customer over adding new customers, at least for the near term. Again from Corey Thomas:

...we have an increased focus with our consolidation offerings on our installed base across the company...

...we do expect internally to see a much heavier weighting towards ARR per customer versus new customer adds because we have a pretty good installed base is actually looking to actually consolidate that we have great relationships with, and is looking to be oriented towards the future that’s actually more cloud-based.

...

We’ll add customers in the future. But right now, we’re heavily focused on ARR per customer.

While this may sound like a conservative "protect the base" strategy, it's probably the best thing for the company to do as it transforms its product portfolio and, you guessed it, navigates an uncertain econoy in 2023.

More concerns about the economy in 2023, but from a customer point of view.

Add Rapid7 to the long list of company leaders with concerns about the economy in 2023. We don't need to keep discussing that.

The insightful part about Corey Thomas's commentary was how he articulated the mindset of a customer and how they're thinking about the impact to their organizations:

Customers continue to face an evolving and complex threat landscape and there remains broad-based executive and board level support for cybersecurity projects. Despite this fundamental demand, the ability to obtain incremental budgets for these projects has gotten more difficult in the current environment.

As a result, CISOs are being forced to scrutinize and prioritize our budgets, driving longer deal cycles and more uncertainty around deal timing as contracts take longer to push through procurement. This dynamic is exacerbated by the increasing size of our deal opportunities as we gain traction as a platform consolidator.

Despite a challenging budget environment, we're seeing certain tailwinds gain traction. Constrained security budgets are accelerating customers' focus on security vendor consolidation with greater value being placed on the efficiency and impact of integrated platform technology in a fragmented IT landscape.

So, budgets are generally stable, but not increasing. And buyers are heavily scrutinizing and prioritizing every dollar they spend.

Further complicating the problem, security has some domain-specific challenges with wage inflation and manual processes:

...what we actually see is...every organization is trying to figure out how to get a handle on spending. It really comes down to sort of like two big things. As you said, security is one of the bigger wage inflationary areas. So they’re actually trying to figure out how to actually think about managing the fact that they've got a lot of overhead and an expensive talent market, so how to manage that. And there’s lots of actually security tools that require a lot of manual interaction.

We actually tackle both of those, which is why we believe that we actually have lots of leverage over the mid and the long-term is from a core platform perspective, we built a broad platform, but we have the core capabilities that mostly we have a heavy automation focus that’s really focused on driving the productivity of our customers and security operations across vulnerability management, across cloud security and a cost detection and response.

It's an interesting conundrum that partially explains the cybersecurity industry's (relative) level of durability so far during the economic downturn.

From Tenable's annual earnings press release:

Tenable Holdings, Inc. (“Tenable”) (Nasdaq: TENB), the Exposure Management company, today announced financial results for the quarter and year ended December 31, 2022.

“We are very pleased with our Q4 results as we exceeded our expectations on the top and bottom line,” said Amit Yoran, Chairman and CEO of Tenable. “We are seeing incredible traction with Tenable One, which helps customers understand and reduce risk across the interconnected attack surface. Product innovation, coupled with continued focus on financial performance, including strong free cash flow generation, position us well in this fluid market.”

Tenable is in an interesting place as a company — now well into their transition from the company's founders to the next generation of leadership. They're also firmly established as a multi-product company that has successfully built upon its vulnerability management roots (with Nessus) and is now seeing early financial results on an integrated security platform.

In many ways, Tenable is the precursor to HashiCorp in our industry — a company with strong open source roots (Nessus, in the case of Tenable), that grows through bottom-up adoption, and successfully builds a company around the open source offering.

All of this adds up to the positive momentum the company talked about on its 2022 annual earnings call. Their Tenable One platform offering is working, and the company's financial and competitive landscape is seeing positive changes as a result.

Tenable is one of the few companies who had a good Q4 and is optimistic about 2023.

Tenable turned in strong financial performance for its 2022 fiscal year with full year revenue of $683.2 million, a 26% year-over-year increase. In the current economic environment, they'll get some scrutiny from analysts for a $92.2 million net loss on the year. I'd rationalize it by saying they're in a position to take market share and need to sustain growth-level investments longer than companies in other less competitive markets.

Their 2022 results speak for themselves — Tenable is one of the only companies with strong momentum and (relative) optimism heading into 2023. Look no further than Q4. From CEO Amit Yoran:

Additionally, we had another strong quarter with large deals as we added 140 net new six-figure customers, which is a record for us and is up 40% year-over-year.

Even more importantly, the number of six-figure deals accelerated throughout the year, further validating our corporate strategy and demonstration of the momentum we are building.

And more specifics from CFO Steve Vintz:

Underpinning our better than expected topline results is strong customer demand. Specifically, we added 571 new enterprise platform customers and 140 net new six-figure customers in Q4. While both metrics are exceptional, large deals, in particular, grew 40% year-over-year.

How did they do it? By executing a strategy of channel partnerships and layering on multiple products beyond their core vulnerability management offering — long before it was needed. From Steve Vintz:

The takeaway here is the investments we've made over the years to build a vast ecosystem of partners and extend our global reach allow us to effectively serve customers of all sizes in most major markets for traditional VM or increasingly for unified risk and exposure management.

When turbulent economic conditions hit, it's too late to jumpstart growth strategies like channel partnerships and product portfolio expansion. Both of these take time to develop, and Tenable was fortunate and intelligent enough to start both at the right time.

For Tenable, this adds up to confident CFO and lots of optimism about 2023:

...we're delighted with our results for the quarter, which gives us a lot of confidence heading into 2023. We're beating the top and bottom-line, added hundreds of new customers and closed a record number of large deals in one of the most highly dynamic markets we see in many years.

Tenable One's early success is driving the strategy and narrative around vendor consolidation.

Every cybersecurity company has talked about vendor consolidation in annual earnings calls, but Tenable has one of the most concrete and data-driven narratives around their story. There are several factors in play that span product strategy, a paradigm shift in vulnerability management, and macroeconomic conditions.

First, a few comments on product strategy and positioning from Amit Yoran:

As the market leader in vulnerability management, we're seeing great demand in the market, including new customer acquisition, renewals, and expansions. Our years of leadership in VM has put Tenable in a great position to target bigger, more strategic deals as customers continue to move beyond traditional VM to understand and reduce their cyber risk. We believe this thesis is driving the acceleration of six-figure deals.

Every security practitioner knows about Nessus and Tenable. They walk into any company or opportunity with instant credibility in their core vulnerability management market. That's a great start, but the trend Yoran mentioned about customers moving from traditional VM to broader cyber risk management is what's important going forward.

Another way to think about this mindset shift is the idea of preventative security — identifying vulnerabilities earlier in their lifecycle, often before a CVE is even created. He went on to explain this paradigm shift, why it's hard, and how Tenable is positioned to win:

Operationalizing preventative security has been an objective in the market for a long time. It's really hard to do and it requires a deep understanding of vulnerabilities, context and prioritization. It's our long history of understanding exposures at a very deep level that uniquely positions us to deliver on this objective.

[Customers] can look at a more complete understanding of cyber exposure, a more complete perspective of risk, a much more compelling set of analytics, including attack path analytics and asset inventory types of things, which they haven't historically gotten with the vulnerability management program.

We're still in the early days of this paradigm shift, but it's an important one. The companies (public, startups, or otherwise) who lead the transition from traditional VM to proactive, risk-based exposure management are going to thrive.

Finally, Tenable has a logical story behind market conditions and how consolidation benefits them. What stands out to me is how much more specific they were about exactly how they drive vendor consolidation. From Amit Yoran:

...by [customers] increasing their Tenable One spend to cover not only traditional VM, but also look at a cloud-based assets or also looking at their identity, we can offer them some volume-based pricing, which ends up being much more attractive than going to one vendor for VM, going to another vendor for external attack surface management, going to another vendor for cloud security. So, we're seeing great leverage in go-to-market function, and it really has been resonating with customers. We expect that trend to continue, if not accelerate.

There was no complaining about budgets or delayed sales cycles. Yoran's point of view is that budgets are there if you can demonstrate the value and benefits of consolidation:

So, customer budgets are there. I think to the extent that we can become a cost-effective vendor consolidation platform play for them. There's a lot of interest, a lot of strategic dialogue around that. And I think customers are very excited about some of the newer analytics that we've introduced with Tenable One.

All three of these factors add up to Yoran being confident about the future of Tenable One and the impact it will have on the company in 2023:

So, we look forward to updating you during the course of the year, but I feel like Tenable One looks like it will continue to play a larger and larger factor throughout the year and going into next year.

Tenable's competition is shifting from traditional vulnerability management companies to broader security platforms.

A less obvious theme from Tenable's annual earnings discussion was the changing dynamics around their competition. At a high level:

• There is some uncertainty around Tenable's traditional competitors in the vulnerability management market.
• Other large cybersecurity companies are building vulnerability management products, bringing new competition to Tenable's core market.
• Tenable is continuously broadening its product portfolio with Tenable One, igniting new competitions in markets outside of vulnerability management.

First, the existing vulnerability management market. Amit Yoran was asked about Tenable's competition and the acquisition rumors surrounding Rapid7. He wasn't able to comment directly, unsurprisingly, but did offer this:

Yes, I mean, obviously, we wouldn't speculate about that, but I feel really good about the competitive environment. We are pretty consistent saying that we have exceptionally strong win rates especially in this market against our primary competitors. That remains -- those win rates remain exceptionally strong.

And while we don't have a specific update to that, I'd say anecdotally, continues to climb in the sales team feels exceptionally confident going into any VM opportunity, but those are really ours to lose. And candidly, they feel like Tenable One gives them a very significant value differentiated capability to talk about as well.

This is anecdotal, and obviously unsurprising to hear such confidence coming from a CEO, but interesting nonetheless during a time where a lot of other leaders aren't feeling confident or optimistic.

An analyst asked about increased competition from other large cybersecurity companies starting to offer vulnerability management products. Amit Yoran summarily dispatched them:

Yes, there's been a lot of vendors over the course of years, making a lot of noise about VM going back four, five-plus years, Tanium, CrowdStrike, Microsoft others. And what I would tell you is they make noise. We see them for a quarter or two and then very quickly their sales team understand that their products are inferior and they start gravitating to their core markets and candidly, where their companies are investing much more aggressively in logging, SEIM, and elsewhere.

So, especially in a product like VM where independent audit is an important function and where we feel like we've got a quantitatively and qualitatively differentiated product and experience and understanding the enterprise. We almost never see those larger IT vendors participating and certainly never see them beyond a first phase of competition.

This is hilarious commentary for an earnings call. Banter aside, Tenable clearly doesn't view this type of competition as a serious threat. I don't take this as being overly dismissive, either — just that Tenable's leadership team is aware of their market leadership position.

Finally, Amit Yoran discussed competition and market opportunities in two new markets — Identity Threat Detection and Response (IDTR) (Note: My words for the market, not his.) and Operational Technology (OT). Here's what Amit Yoran said about IDTR:

Active Directory is a trick and mess to deploy in any large environment and almost impossible to keep clean when you look at the number of pieces of software and the complexity of Active Directory, the number of pieces of software we should modify as they get installed into an enterprise environments.

So, having a solution -- and most organizations don't have a solution in this area. The security teams know it's a big problem. They maybe do a consultant and an annual audit or assessment of their Active Directory environments, which is clearly not enough.

So, we feel like there's tremendous market opportunity. The sales team has a lot of confidence in the Active Directory product and bringing it into customers. We had a great quarter with Active Directory in Q4. So, excited about the potential, both in 2023 as well as Active Directory playing an increasingly large role in Tenable One and some of the analytics that we're unlocking with Active Directory and identities.

The overview of the problem is absolutely correct — every large organization struggles with securing and maintaining their Active Directory domains. I also agree about the market opportunity.

The interesting part about competition is that ITDR (Identity Protection, in CrowdStrike terminology) is that it brings Tenable into competition with non-tranditional competitors. CrowdStrike and SentinelOne are both heavily invested in this space, as I discussed in detail during my review of both companies' annual earnings last year.

There are also several well-funded startups competing in this space, including Authomize, Oort, Semperis, Spera, and more. The strategic question is whether security leaders want to buy these products from security platform companies like Tenable and others or standalone companies.

Finally, Amit Yoran described new competition in OT like this:

In terms of competitive dynamics and competitive landscape, I'd say we're predominantly competing against just a small number, two or three private pure-play-focused vendors in the OT space. We feel like our technology is compelling and really leads the market when it comes to looking at the converged IT/OT environment.

So, if you look at a factory floor today or if you look at pipeline operations or other OT environments, they are exclusively OT. They have a bunch of IT systems, IT control systems in those factory floors as well. And so we're, I think, unique in our ability to deliver incredible insight for overall risk of facility, which would include both OT and IT, and we think it's a significant competitive advantage for us.

There is a similar theme here: when security leaders are buying OT security products, do they want to buy it as part of a platform, or from a pure-play company in the space? Time will tell, but it's interesting to think about now.

Overall, it's an exciting time for Tenable, especially as they head into 2023 with a lot of positive momentum and traction in new product categories.

Enter Kunal Agarwal, the founder and CEO of dope.security. He and the team at dope.security are re-imagining the SWG using a “fly direct” model built for today’s remote first, cloud-based world.

I spoke with Kunal before their recent Series A announcement. We covered several topics, including:

• The making of dope.security: How the experiences gained from a decade at large cybersecurity product companies led to dope.security.
• The tech behind fly direct: Why the fly direct architecture is a breakthrough for SWG.
• Cybersecurity marketing, but make it dope: An approach to marketing that’s both authentic and clear.
• The future of dope.security: Where all of this is headed for the company and our industry.

Note: This interview has been lightly edited for clarity.

The making of dope.security

Cole Grolmus: Your background is super relevant to the dope.security story. You worked for Symantec and Forcepoint, two large product companies, both in the SWG product domain and adjacent domains in their product portfolio. I definitely would like to hear about the connection between what you learned there and the reasons you decided to start dope.security.

Kunal Agarwal: My background has always been in hacking since a very young age. After university, I moved to Symantec, and then to Forcepoint for almost 10 years between the two companies. I started out as an engineer and then moved into product management.

Moving from a large cybersecurity company into a startup is unusual, right? I didn't really have any specific need to do that. But really, what made this whole thing come together? It was the day to day customer experience. You cannot imagine the amount of people that would be complaining on a regular basis about Forcepoint's web proxy capability. The same thing happened at Symantec. Every single day.

Rehan Jalil, the CEO of a company called Securiti.ai, came in and said, "If you were not going to do some random big company, what would you do?" And I was like, this is the most mainstream problem that exists today. Every single company out there has this issue because they all use a capability like this. And we can fix it. Because right now, there's an architectural change. There's a terrible user experience. I mean, this is ripe for disruption. Rehan said, "That sounds great Kunal. Go do it!"

It's a scary thought, right? But this whole company has been born from the experience of that, and just kind of making changes and saying, "hey, maybe we could do it better ourselves."

Cole Grolmus: I definitely think that's the best way to do it — being well grounded in experience and knowing what you're getting into. And having the expertise to actually be able to do it is something that's really important.

Kunal Agarwal: I work a lot with musicians. There are two types of musicians. There's career musicians that are gonna go in, and that's their life and blood, and they're gonna crush it. And then there are tourist musicians who happen to have a decent voice that go into a studio, record a voice and do one single. Which one are you? Are you the person that's going to be in this day in and day out, no matter if we were making a living or not making a living?

That is what the people in dope.security are. We are so passionate about this. We want to make it good. We're not just people that stumble into this just because we want a stint and tour around saying, "Oh, how in cybersecurity today?" These are people that have done this for their whole lives.

It's not saying that you have to be a hacker to be able to do this stuff and that you have to do black hat hacking like myself to do this. But you should have the energy. This is something I really, really, really enjoy doing. And I would not be doing anything else but this. That is the underscore of dope.security.

The tech behind fly direct

Cole Grolmus: Can you talk about the serious advantages of fly direct as compared to the old SWG architecture? To me, that's the clear benefit of what's going on here and something that's radically different from a tech perspective.

Kunal Agarwal: It's like taking a flight. If you're flying from Minneapolis to San Francisco, would you stop over in New York? No. That's the answer.

When every single person who's at a company accesses the internet today, they stop over. You access the internet, it goes to a data center, and from there, it's processed, decrypted. And then it goes to its destination, which could be anything from YouTube, to Gmail, to Office 365, to pretty much anything on the internet.

The fly direct architecture is: why stop over if you could fly direct? We actually implemented those capabilities into the device itself rather than in some remote data center.

There are a few big challenges we used to see with these stopover approaches which just don't exist with the fly direct approach. You have a huge reliability challenge when data centers are having a problem. Maybe your internet is getting blocked to that data center. It could just be a performance problem where it's slow and not working correctly. Or it could be a privacy problem where you're decrypting everything in a data center.

If you take those three together, it's a pretty awful experience. With fly direct, we make it a much better architecture, and then we wrap it in a beautiful user experience. That is the heart of what dope.security is.

Cole Grolmus: I suspect this is one of those things that sounds simple because you explained it in a really elegant way, but it's deceptively hard to execute.

If you're not thinking critically, you sit there and listen to the explanation you just gave and start to wonder things like: "Well, why hasn't this been done before? Oh, this can't be that hard to build. Why don't Forcepoint and others build this instead?

Unpack that a little bit for me. What makes this actually hard to do?

Kunal Agarwal: Think about 20 years ago. You'd be sitting in an office, and in your office, there would be a back room with a mini data center in the closet. You'd have a proxy, a secure web gateway, and that SWG would take all the traffic from all the devices in the office and then only send it out if it's acceptable. So it's very close to the user.

When Zscaler, Symantec, Forcepoint, and all these other companies came about, they all said, "Well, what if we hosted that proxy for you so you didn't have to install it in everyone's environment?"

And then the evolution came where your laptop is actually moving in and out of the office. "So what if we give you some software agent that reroutes the internet, no matter where you are, to our data center for protection?"

If you think about, it's a very big company mentality. It's, "Hey, we're not able to just fix the problem. We need to make a patch or an enhancement to the existing infrastructure to actually allow for people that are outside the office to be secure." It makes perfect sense, then 10 or 15 years later, it doesn't really make that much sense. It's 2023. These products were built in 2010 or 2011.

Cole Grolmus: From a technical perspective, what all of a sudden made it possible to build a SWG that works on-device?

Kunal Agarwal: The first part of it is the willpower. If you went back a couple of years ago when I raised the first round of funding, and you asked everyone, "Hey, what do you think of this?", probably 60 percent of people would say this is not possible. That is half of it: so many people out there think this is not possible.

What they don't realize is that our software is 50 to 100 megabytes of RAM max. My browser uses gigabytes. That's because it's doing tons and tons more processing than SSL decryption, re-encryption, and some regex's for for security purposes — block this URL, inject this, that kind of stuff.

It's actually not just that so many people have said "no" and that's why it was never done. The architecture from the past was like a Titanic ship. It's going in a direction, and you can't shift it at all. You can't change it.

That's the genesis for dope.security: we're able to do something because we wanted to do it and we knew it was possible. So we built it.

Cole Grolmus: Among the people who were in the "this isn't possible" camp, did you ever get anybody to substantiate why it wasn't possible? Or, was it more of the overall inertia where people feel like a SWG is what it is and needs to be routed through some central proxy?

Kunal Agarwal: No. We quickly started to see that there was an old school mentality, which is like, "The CFO is gonna hate the name dope.security. It's too colloquial, etc." "Oh, and it'll never work on a device. It's not powerful enough and, and, and, and, and..."

Then, there's the shift to the new thinkers, the creative people that are thinking, "look, why isn't this possible?" At some point, people said that machine learning couldn't be done on an endpoint protection platform or EDR software on the device. These things are possible. They just have to be rethought.

And they can't be done by companies that have existed for 10 or 20 years, because they can't let go of all their existing investment and all the infrastructure around the world. You can't let go of that overnight. For them, there isn't even value in doing something like this.

In fact, we used to think about doing this at Symantec many times. Even one of our board members will always tell you they thought of it at Symantec, but it was not possible due to bureaucracy. There's too much infrastructure around what's being built. It's not possible just go in and say, "take this out, build it from scratch, and make it modern."

Cole Grolmus: I want to make sure we don't lose a technical point that you touched on. I could definitely see technical skeptics saying, "Doing all of this client side is going to impact the performance on my clients. And I already have enough agents running on there, yada yada yada."

I'm sure you run into this objection at least once in a while. Talk about that a little bit. Is that problem even true? Or, how were you able to engineer this in a way that runs efficiently client-side?

Kunal Agarwal: Your viewpoint of practitioner versus enthusiast is completely in this spectrum here. A practitioner will quickly realize that "Hey, I already have an agent on my system. So I'm just replacing it with a nice, beautiful, natural one." You're not taking up more room on the block. You're just renovating the old house renovated with a nice, new, beautiful house.

It's the enthusiast that gets confused, right? The person that heard at some point, "Oh, people don't like agents anymore" and this and that. Yeah, but you're not looking at it from a practitioner perspective, you're looking at from an enthusiast perspective, where you're just reading about things.

It's like when you hear from people, "Yeah, and you can take all these things and it all work together and it's gonna be great, and that's the platform pitch, and we're all integrated together!" That's not the way the world works, unfortunately, and that I have always believed is missing from cybersecurity.

As a person in a company, whether you are an engineer, or a leader or The Supreme Leader, it doesn't matter. You must know how your capabilities and products work. I've worked with CEOs and vice presidents who have never even used their product. I've even worked with product managers who have never used their product before. They cannot set it up.

At dope.security, everyone, from your engineer, to your QA, to your marketing, to your sales person, have all used the product and they can show it to you right now.

Cybersecurity marketing, but make it dope

Cole Grolmus: What led you to call the company dope.security? It's a really unique name — maybe a turn-off for some people, and I'm sure other people love it. I think it's awesome. I was just curious how you decided on it.

Kunal Agarwal: The name has been in my head for years and years, all the way back to Symantec. I would be chatting with my bosses at the time and just saying this name. It was just a pipe dream at the time. It took something that you get really passionate about — not just something that works really well, but also something that can be a very successful business.

Ultimately, I want the reaction that you had when you went website and you're like, "damn, that website is dope." And I'm not saying this in a different way — this is exactly what we see from pretty much anyone in the company.

All of us look at something, we see it, we feel it and then we put our signature on it when it goes out there into the world. And we say, "that's dope because we stand behind it.”

Cole Grolmus: The vibe of your marketing and brand is clearly a lot different than your plain old cybersecurity marketing site. I would even include a lot of the new marketing sites from other startups.

What gave you the confidence to be able to do that instead of being afraid it might turn a bunch of people off and work against you?

Kunal Agarwal: The first thing that people see when they see dope.security is think, "Oh dope, that's too crazy a word for us." We want people to like take one level deeper and ask, "why do they call it dope.security?" It's because this is a labor of love. The company, the product, all of us at the company.

The average age of the company is 40 or 50 years — we worked ages in big cybersecurity companies. We were the people that would probably get laid off because we were working really hard on a product that just wasn't the main line stuff. Products that were built on a direction by some executive who really didn't understand the product and had never even seen the product, never used the product.

That is why we call it dope.security. When you look at the website, the words are very, very specific. We do SSL inspection. We do URL categorization. We do cloud application control. We do this all from a cloud-based console.

It's very, very, very clear because that's what we wanted. We wanted those product requirements. We wanted those visions of the company. We wanted everything to be clear so we could go in and crush it, add our beauty, add our designs, add our passion and energy into the product.

Why is it dope.security? Because our vision is to give the customer, the person, the user, the viewer, a first class experience.

The future of dope.security

Cole Grolmus: Where is all of this going? You're starting with a SWG — that's something you knew really well. You have a lot of product management experience at senior levels and other domains. SWG just happens to be part of SASE, which is a very popular, big, and highly valued domain. You've got some room to maneuver here. What's the plan?

Kunal Agarwal: First off, Secure Web Gateway can directly replace any existing Secure Web Gateway that's out there. There is no if, ands, or buts — we will replace it.

The second part of that is enhancing it with what I consider as two parts of CASB. One is really making the shadow IT nature and the inline control nature come through in the product. Such as, for example, being able to actually identify all the personal emails that are being used in your organization and the content that's been uploaded to those Google Drives. That is not possible, very easily, today. It's extremely difficult to get up and running.

After the CASB part, there's also the API controls which says, "here's all the applications that have been connected into your GitHub, your Google your 365," or "here's all the files that are externally shared, that have PII in them," that kind of stuff.

And last, but not least, is what we call private access. The grand finale, which is the private access, is ultimately a fly direct private access the same way we have a fly direct Secure Web Gateway.

If you FaceTime audio me right now, it'll connect from your phone to my phone, and then it's done. Data does not flow through Apple servers. Similarly, your endpoint can directly connect behind a firewall through NAT traversal to a connector, and we will have a fly direct capability on the private access at the same time.

Thank you to Shomik Ghosh and Boldstart Ventures for the introduction that made this interview possible.

At a macro level, what's changed with annual earnings in cybersecurity is take-private transactions. Ten companies have been taken private by private equity firms or strategic buyers since this time last year:

With only two new public companies (via SPACs) during the same period, the number of take-privates represents a relatively large contraction for the industry's public companies.

That's not necessarily a bad thing — Thoma Bravo, Vista Equity Partners, and Turn/River are good owners for the companies that were taken private. It's often better to refactor a company for long-term success outside the pressures and scrutiny that come with being a public company. This trend is likely to play out over 3-5 years (or more) with additional companies being taken private and (eventually) companies re-emerging from their private equity owners as public companies again.

One last overall point before going into individual companies: why are public companies worth paying attention to? There are several reasons, but one of the main ones is that public cybersecurity companies are an indicator of the health of all companies in the industry.

Large cybersecurity companies are one of the main strategic acquirors ("strategics") of earlier stage companies. If strategics aren't doing well, their performance impacts the entire ecosystem. M&A and financing are directly impacted, and things like hiring, partnerships, product development, and more are second order consequences.

Now that we've covered the macro-level discussion points, let's get into the annual earnings announcements.

From Cloudflare's Q4 earnings press release:

Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced financial results for its fourth quarter and fiscal year ended December 31, 2022.

"In the fourth quarter, we delivered record operating profit, operating margin, and free cash flow. We also surpassed more than 2,000 large customers paying us over $100,000 per year and signed a record number of deals greater than $500,000," said Matthew Prince, co-founder & CEO of Cloudflare. "During economic slowdowns, we believe that it's important to show discipline and optimize for efficiency. We have our hands on the levers of our business and a full-throttle innovation engine that is the envy of the industry. There's no better time to outpace the competition and continue to deliver products on our customers' ‘must-have’ list.”

The story of Cloudflare's annual earnings call was humility and conservatism. Credit to their leadership team for reading the room and adjusting their tone — especially considering the high-flying spectacle that is a typical Cloudflare event or earnings call.

It's unusual to hear public companies talk so candidly about areas of improvement. That's exactly what Cloudflare did for both marketing and sales and public sector growth.

Cloudflare is a "hybrid" networking and cybersecurity company, but it's clear in the earnings call how important cybersecurity is to their business and strategy. They're too important not to cover alongside other pure cybersecurity companies.

Cloudflare is benefiting from convergence and vendor consolidation.

For all the generalized chatter we hear about convergence and vendor consolidation in cybersecurity, its important to look at specific and current instances as they play out. Cloudflare is one of the best case studies because it sits squarely in the middle of both convergence and vendor consolidation.

Before we get too deep into analyzing this, there's an important distinction to make about convergence and consolidation: they're related, but they're not the same thing. These terms are often muddled together, and knowing the difference matters.

Convergence is a macro-level phenomenon where entire product categories or industries overlap or merge entirely. It's driven by innovation and market forces beyond any single company.

Consolidation is the result of things like M&A (on the industry side) and vendor consolidation (among buyers on the practitioner/operator side), among other reasons. I wrote an intro about cybersecurity consolidation in the context of aggregation if you want to go deep down the rabbit hole.

Lately, we've been hearing a lot about vendor consolidation as cybersecurity buyers try to reduce and manage spend during uncertain economic times. There are examples all over the place in this set of earnings announcements from February. We'll kick off the examples with Cloudflare.

From CEO Matthew Prince:

A European financial services company signed a five-year $1.8 million deal, replacing a dozen different security and network vendors with Cloudflare...They wanted to consolidate and simplify their numerous point solutions into a single pane of glass solution.

Displacing 12 (!!!) different vendors in one shot is an impressive sales feat. Situations like this don't happen without a powerful strategic driver. In this case, consolidation of network security functions was that driver. Implicitly, cost savings were the motivating factor. In the case of Cloudflare, it's likely the company also wanted to move forward towards a modern cloud platform and away from legacy products.

This is obviously a cherry-picked example, but it's a good one if you want to see what vendor consolidation looks like at customers. There are countless other examples that didn't get highlighted in earnings calls, and potentially an acceleration of similar instances as enterprises continue to manage the economic downturn at a tactical level.

At the level of financial statements, large customer growth is a partial indicator of consolidation. Matthew Prince summarized Cloudflare's large customer growth on the earnings call:

We added 134 large customers, those who pay us over $100,000 per year, and now have 2,042 large customers, including 33% of the Fortune 500. Revenue from large customers grew 56% year-over-year, and they now contribute 63% of our total revenue.

A trend throughout the entire set of earnings calls we're discussing is growth in large customer segments. While not a direct indicator of consolidation, it's definitely a causal relationship. Increased consumption (e.g. existing customers using more of Cloudflare's services) is one component of the growth — that's normal and expected. Consumption alone doesn't get you to 56% year-over-year growth. Vendor consolidation is likely a contributing factor.

They're starting to pull the profitability lever.

Matthew Prince started the call talking about discipline and efficiency:

We achieved a record operating profit of $16.8 million, representing an operating margin of over 6%.

While we continue to invest to capture the huge market ahead of us, we believe that during economic slowdowns, like the one we're in the midst of, it's important to show discipline and optimize for efficiency. We have our hands on the levers of our business and are adjusting them based on the macroeconomic conditions.

If you've followed Cloudflare long enough, you know this isn't Matthew Prince's normal tone. Prince is excitable and upbeat, especially about Cloudflare's growth. Unsurprisingly, growth was the theme of my analysis of Cloudflare earnings last year. They're still growing at a nice clip, but the shift towards profitability late in the year is the interesting part about this year's earnings.

This feels like Cloudflare showing the market they're capable of profitability if they want. Put differently, they're not a growth machine running amok. As Matthew Prince said, they "have [their] hands on the levers of the business" and can make adjustments as needed.

The $16.8 million operating profit (non-GAAP accounting — they technically still had a $50.7 million loss under GAAP) isn't much, but the statement it makes about Cloudflare's ability to be profitable is far more valuable.

At a macro level, Cloudflare's lack of optimism about the economy should be cause for concern. From CFO Thomas Seifert:

In our guidance, we have not factored in any improvement in the macroeconomic environment or from our go-to-market initiatives. Specifically, despite a notable improvement in our pipeline exiting 2022 as compared to with the first half of the year, we have assumed the increase in sales cycle, which we observed in the second half of last year, continues in 2023 and have, therefore, incorporated close rates below recent historical lows.

...the important takeaway in the guidance that we put forward is that we did not assume any help from the macroeconomic environment. We did not plan that things would get better.

When a company that's almost optimistic to a fault is saying things like this about their guidance for all of 2023, it's alarming. The tone is partly conjecture, of course — their job is to manage the expectations of analysts and investors, so conservatism is expected. We're just not used to seeing this level of conservatism from a company wired for innovation and growth.

Enterprise sales and public sector expansion are huge opportunities for improvement.

Enterprise sales and public sector expansion are where the unexpected candor part came in. Matthew Prince was brutally honest about his company's marketing and sales efforts:

While our innovation engine is the best in the industry and has unlocked $125 billion total addressable market we have ahead of us, if we're honest with ourselves, our go-to-market organization hasn't yet been fully optimized.

As our product become more complicated and we are selling to larger and larger customers, it's increasingly clear that we need to step up our game in marketing and sales. I introduced Marc Boroditsky who joined last quarter to lead our sales organization. Last week, he briefed me and Michelle on his first 100 days. My initial reaction, if I'm honest, was embarrassment over some of the basic things we should have been doing better. But my second reaction was excitement as there are so many opportunities for us to improve.

For me, the interesting part is Cloudflare's dichotomy between being highly successful at product-led growth (PLG) and simultaneously being embarassed (in Prince's words) about sales. Cloudflare is one of the few cybersecurity companies who has reached a stage where this problem exists in the first place.

There are only a handful of cybersecurity companies with significant PLG (or bottom-up adoption) from consumers and/or developers, while also having a growing presence in sales-driven mid-market and enterprise companies. HashiCorp and 1Password are a couple others that come to mind, but this PLG-to-enterprise transition in cybersecurity is a relatively unique challenge.

I agree with Prince's optimism about the opportunity for improvement. Cloudflare's growth is so consistently good that most people wouldn't bother to notice the sales side could be doing better. They look committed to being great at both, as emphasized by Matthew Prince here:

We’ve been leaders on the product and engineering side. Now we're focusing on becoming a leader in the go-to-market side as well.

Opportunities for public sector growth are a similar reason for optimism. On the call, Prince shared that Cloudflare is now FedRAMP certified:

I'm happy to report that after our longer than expected wait at the proverbial DMV, we officially received Cloudflare’s FedRAMP certification.

FedRAMP certification itself isn't earth-shattering news, but the possibilities now that it's been attained are interesting. Matthew Prince shared a breakout of Cloudflare's public sector revenue prior to the certification:

...the public sector space is only 3% of our revenue today, so we believe it's only the beginning of what we'll be doing in the future.

That's a low percentage, especially compared to Cloudflare's traditional network security competitors. Another (adjacent, but relevant) peer-level comparison is CrowdStrike, which typically reports around 25% of revenue from public sector customers.

The early results are promising. Matthew Prince reported a nice win for the .gov registry:

We were awarded the $7.2 million, five-year deal to operate the .gov registry. We were awarded the contract because of our modern infrastructure, technical prowess, relentless innovation and proven ability to defend against the largest cyber attacks. Every e-mail sent to the White House, every agency's webpage and most of the other ways the U.S. government connects to the Internet now depend on Cloudflare and our network.

Not too shabby of a start for an area of Cloudflare's business that should become much more important going forward.

From Check Point's annual earnings press release:

Check Point® Software Technologies Ltd.](https://www.checkpoint.com/) (NASDAQ: CHKP), today announced its financial results for the fourth quarter and full year ended December 31, 2022.

“We delivered solid fourth quarter and 2022 full year financial results despite a volatile year-end macro-environment. Revenue and non-GAAP earnings per share came in at the top end of our projections,” said Gil Shwed, Founder & CEO of Check Point Software Technologies. “We continued building the future of cyber security with the prevention-first Infinity architecture and realized triple-digit growth in Infinity revenues. Building on this success we are driving security innovation with a focus on the 3Cs of the Best Security – a Comprehensive set of technologies that address the key attack vectors; a Consolidated set of solutions with a unified management portal, with Collaborative security technologies – to prevent the next cyber-attack.”

Check Point is in a state of transition. They've been a consistently profitable company since before the current economic downturn. However, they're facing challenges with growth, drawing the inevitable comparisons to other high growth competitors.

On the annual earnings call, these factors amounted to analyst concerns about growth, concerns about the economy, and a glimmer of hope about M&A. Like many companies, it appears tough times are ahead, but Check Point has been through this before.

Analysts are concerned about Check Point's growth.

Analysts didn't hide their concerns about Check Point's growth. This was a clear theme from the earnings call, which drew pointed questions and comments.

From Joseph Gallo at Jefferies:

...what is needed to explicitly grow double digits? Is it products? I saw you lean more into SD-WAN or is it go to market?

And from Keith Bachman at BMO Capital Markets:

Your competitor Fortinet gave guidance kind of mid-teens for product revenue growth...I'm just wondering, you talk about the strength of your product and whatnot and the efficacy of it, and yet you're still under growing one of your major competitors.

They're concerned because Check Point ranked among the lower growth cybersecurity companies at 5.7% (LTM) revenue growth in (calendar year) 2022:

As a result, Check Point's leadership team had some tough questions to answer about their plans for growth in (let's face it) an economic environment that's making growth difficult.

CEO Gil Shwed's main focus is on expanding their sales organization:

I think what's needed is mainly go to market. When we see -- when we engage with customers, when we deliver our message to the customer, to the CSOs, to the CIOs, they love the message, and they expand the usage.

...which was lacking, by his own admission:

...our potential and opportunity is reaching more customers, engaging more. And I think we are working very, very hard internally to achieve it. I think we have what it takes, but we need to get our act together on that.

Bigger picture, Shwed signaled Check Point's plan to stick with good old fashioned profitability:

...we do want to invest. Our goal is to grow. Our goal is to do what's right, and I think our margins are very rich. So my focus is not on -- again, I've always been proud and I'm still proud to be a profitable company and don't intend to change that.

I'm sure some analysts and investors weren't satisfied with these responses. The reality is that it's hard to answer questions about growth in the midst of an economic downturn. The most sensible strategy is for Check Point to hang on to the profitability it already has.

I don't expect low growth will make Check Point a take-private acqusition target. Their history of profitability is a positive. The company's $15B+ market cap would also make them a large transaction. That said, anything is possible in 2023, and we've seen acquisitions of this size recently.

Check Point is cautiously optimistic about M&A...

Check Point isn't widely thought of as a prolific strategic buyer in cybersecurity, but past and future M&A was an interesting topic on the earnings call. The company has been more active in recent years. From Gil Shwed:

...we made many acquisitions. If you look, we've made I think like 18 acquisitions over the history of Check Point. Over the last three, four years, I think made like six or seven.

According to Momentum Cyber data, Check Point has made seven acquisitions since 2018:

Application security, cloud security, infrastructure security, and messaging security have been their focus. Three of four acquisitions have been under $100 million, except for Avanan in 2021.

In the context of growth, Shwed spoke openly about how well their Avanan acquisition is performing:

...we had three "rockets." One was the e-mail rocket based on acquisition we did, which actually grows very, very fast. I don't know, we didn't mention it much today, but the e-mail aspects, that acquisition is very successful, and it's contributing a lot to our growth.

...

The one that's growing very fast and the one that we are very happy with is the Harmony e-mail, doing extremely well, reaching -- meets all the expectation from an important acquisition like that, integrates well with the rest of our technology like our anti-malware engine is used in that product. Their anti-phishing engine is used in many, many of our other technologies, everything that I said about centralizing this threat cloud brain is working well.

That's the type of value Check Point wants out of a larger acquisition: fast growth and integration with other parts of their product portfolio.

His commentary about future M&A is exactly where many strategic buyers are at right now — interested in acquisitions, but holding tight to see if valuations will decline further:

On the private market, I think we will see some opportunities in the future. I'm not sure that the valuation reached the level that we need to reach yet. Some -- we do get once in a while a call from a company that we think is interesting and reached this point of time that it may be interesting.

He also left open the possibility of a larger acquisition:

So, it's not that we are not active on the M&A frame. But I think in the future, there's definitely an opportunity that we will do more. And by the way, that is a good reason to keep some cash, especially if we will find something more transformative, and then not that I'm underestimating spending a few hundred million dollars on a company is also a big bet and a big investment. But maybe we'll find something even bigger, and then it's good to have some cash to fund that.

A larger acquisition would satiate many of the analysts and investors who are focused on Check Point's limited growth. However, the message was clear that Check Point is seeking value acquisitions and will do so with fiscal discipline. So, don't expect a buying spree to ignite growth.

...but also has concerns about the economy.

In a recurring theme across earnings calls, Check Point's leadership team expressed their concerns about the economy and the impact it's having on their business. In the case of Check Point, you could dismiss this as conjecture from a company struggling with growth. However, it's worth noting that the same concerns are being shared by nearly every cybersecurity company (and beyond).

Gil Shwed highlighted Q4 2022 in particular as a challenging period for the company:

Q4 was a little bit different, and we did face some challenges towards year-end. Projects were postponed. Customers didn't have the budget flash, which usually expect in Q4. Despite that, again, the numbers that we have are very, very good, but I just want us to know that it's not business as usual and that -- and even though we have good numbers and good forecast for next year, I think we need to be a little bit cautious more than usual.

Like several other CEOs, he believes consolidation could work in Check Point's favor:

I think, by the way, in the mid- and long range, it can play to Check Point's strength because in times like that, people look for consolidation. In times like that, people look for strong vendors. And I think that can very much play into our strength of providing the best security.

I'm not sure that competitors like Cloudflare, Zscaler, Palo Alto Networks, Fortinet, or other SASE companies would agree, but we're all inherently biased. We'll see how consolidation plays out in this space.

Finally, speaking on behalf of all of us, Shwed commisserated about the current economy:

But I can do without the bad about the economy. And right now, I think it's nothing to do with network security or anything like that. It's clearly the more of the macro economy that's behaves a little bit different in the last quarter.

It's a trying time for Check Point, but the company has been around and made it through challenging times before.

From CyberArk's annual earnings press release:

CyberArk (NASDAQ: CYBR), the global leader in Identity Security, today announced strong financial results for the fourth quarter and full year ended December 31, 2022.

“Our results in the fourth quarter and full year 2022 demonstrate the durability of demand for our solutions and strong execution,” said Udi Mokady, CyberArk Chairman and CEO. “Our subscription bookings mix reached a new record of 90 percent in the fourth quarter, well above the mix assumed in our guidance framework. The higher mix drove our Annual Recurring Revenue to $570 million, an increase of 45 percent year over year and significantly above our guidance, but also negatively impacted our recognized revenue in the quarter. We also once again set a record for net new Total ARR and Subscription ARR in the fourth quarter compared to the third quarter 2022."

CyberArk is doing exceptionally well in a tumultuous period where other cybersecurity companies (and direct competitors) are facing challenges. Their financial performance is sneaky good — "sneaky" because they've been in a period of transition in their revenue model that's making their revenue growth apper lower than it is (more on that soon). Analysts were using terms like "defy gravity" on the earnings call.

The company's annual earnings announcement was one of the most eventful among all cybersecurity companies. Why? CyberArk's co-founder and CEO, Udi Mokady, announced he is transitioning into an Executive Chair role. That's clearly the headline here, so let's get into it.

CyberArk will have a new CEO in 2023.

Here's the news, straight from Udi Mokady:

We entered 2023 with a more durable, more resilient and highly visible business model. CyberArk is in a position of strength well on our way to our $1 billion ARR target, and we have already reset our sights well beyond that. Because of this execution, as we are gearing up for 2023, we recognized that CyberArk was in the best possible position to make the executive changes we announced this morning. In early April, I will move into the Executive Chair role and Matt Cohen, our Chief Operating Officer, will become our CEO. Matt is an incredible leader, and I can't imagine a better person to be the next CEO of CyberArk.

As a long time follower (and implementation partner) of CyberArk, I was a bit rattled when I heard the announcement. Udi Mokady is an icon in cybersecurity — right along with a rare and special group of founder-CEOs who were with their companies on Day 1 and remained as CEO long after going public. Any time one of these people steps down, it's a big deal.

However, CyberArk's leadership team has clearly thought this transition through. Throughout the call, it was made clear that Udi Mokady will remain actively involved with the company, and that incoming CEO Matt Cohen is sticking with their strategy because it's working:

While my role with CyberArk is changing as Executive Chair, I'll stay very active, working with Matt and the management team...It is very important to me that we get this right and that we have a smooth transition, continuity of leadership and that we don't skip a beat in our execution.

Cohen faces the difficult challenge of replacing an icon. He said all the right things:

...when you look at what has worked so well for Udi and I is that we do share a similar view on the market, on the importance of culture and the importance of the teams that we've built here. And we've been so kind of intricately linked from a standpoint of coming up with the strategy that we have today. So I think what I promise to the team and to Udi really is a continuation of the great momentum that we have. We feel like we've never been in a better position in a better place.

And we have a special opportunity here in the market and a group of special people here at the company. And so I'm kind of excited to continue the spirit, as you said, of where we've been and to bring it forward for the years ahead.

...

We don't need to pivot to a new strategy. We need to go and execute or continue to execute against the current strategy to go get that opportunity.

The company's leadership transition is clearly something to follow as it plays out across the upcoming quarters and year. There's never an ideal time to replace a person like Udi Mokady, but doing so from a position of strength is probably the best place.

They're one of the only companies who feels confident about their performance in the current economy.

In a rare departure from nearly every other cybersecurity leadership team during this earnings season, CyberArk is feeling good about how they're doing in the current economy and their prospects going forward. From Udi Mokady:

...we wanted to comment on the macro environment. While Identity Security remains top priority, more approvals continue to be required in deals, consistent with what we saw in prior quarters. The demand trends, deal progression, win rates, renewal rates and sales cycles remain healthy across the board, which we see in our strong ARR growth.

The big question behind CyberArk's strong performance and optimism is "why?" I thought Udi Mokady did a great job explaining the drivers behind their current success:

Privileged Access Management is one of the few critical security layers that really make a difference in enterprise security. I would categorize it in one of the few that are on the must have side of enterprise buying decisions. And no matter how you dissect every attack that's in the news, there's -- that point of no return is when they elevated privileges, moved laterally, captured identities. And CyberArk captures both the human and machine identities in our PAM platform and in our Identity Security platform.

And today, it's become clear that Identity is not just the new perimeter. Identity is the attack surface. And so it's one of the few things that enterprises do today. And of course, we pioneered the space. We're a market leader in the space. And the flip side of it is also executing on that opportunity that we created through our best-in-class go-to-market team, our channels and of course, delivering great solutions, all of these years. And I would say that the team is executing and firing all cylinders against a growing opportunity.

Cybersecurity budgets appear to be remaining stable, but not all categories within them remain equal. Mokady's observation about PAM being "on the must have side of enterprise buying decisions" is absolutely correct.

For CyberArk, that's a great position to be in. It's also a great position to build from — a reliable foothold into growth for other areas of their product portfolio during a time when companies on less stable ground are just hanging on.

They're so confident about their position that CFO Josh Siegel even shared they might be able to grow even faster:

...if we look at our win rates, our pipeline and in the macro, we actually believe we can grow faster than that...I'd say we're actually really confident in the underlying demand environment, and we have the pipeline to actually support a faster growth than in the ARR side.

You don't hear a CFO say things like that unless the company truly believes they can do it. The takeaway is that CyberArk is in an enviable position, and they're a company to watch as we navigate uncertain economic times.

Their transition to SaaS and subscription-based revenue has gone very well.

I started talking about CyberArk's SaaS transition and move to subscription-based revenue back in 2021. At the time, I acknowledged how difficult of a journey it was for a PAM product to move to the cloud From CyberArk and the New Paradigm for Privileged Access:

Privileged Access Management (PAM) is going to be one of the last cybersecurity services companies move to the cloud. Many security leaders (enterprises in particular) are reluctant to move their most sensitive credentials out of their own data centers. Privileged accounts and their credentials are the holy grail for attackers. If the vault the credentials are stored in is compromised, it's game over.

...while also agreeing with their strategy on SaaS and subscriptions:

This approach is unsurprising, and completely the right strategy. In CyberArk's case, transitioning to SaaS is even more of a sensitive topic given the nature of their business and their flagship PAM product.

Looking at where CyberArk is at on this journey at the end of their 2022 fiscal year, it's hard to imagine how this could have gone any better for them. I would not have predicted CyberArk to make (arguably) the most successful transition, while peers like SailPoint, ForgeRock, and Ping Identity continue to work through similar challenges — now as private PE-backed companies.

Three charts from CyberArk's investor presentation show exactly how dramatic the transformation to subscription revenue has been. First, subscriptions are driving total revenue growth. In FY22, 88% of new licenses sold are subscriptions:

There is no going back at this point — customers have clearly been willing to transition to subscription-based licensing. With 88% of new bookings via subscription, the revenue mix will continue to shift in favor of subscriptions.

Second, the breakdown of recurring revenue improved significantly in FY22:

Revenue from perpetual licenses is down $66m year-over-year, exactly as you'd want to see during the transition to subscriptions.

More importantly, SaaS revenue is up $97 million year-over-year. This is impressive because it shows customers are adopting their SaaS product, not just transitioning on-premise implementations to subscription licenses. In a perfect world for CyberArk, a majority of their implementations (and revenue) would be coming from SaaS. They're well on their way.

Third, the transition to subscriptions is making top line revenue growth look less impressive than it is:

TL;DR, this is due to differences in revenue recognition for software subscriptions versus term-based licenses. We're not going to unpack that here — just know that's the reason for the obscure "headwinds" they mention.

If you're only looking at the headlines, CyberArk's revenue growth looks decent but relatively pedestrian. When you factor in the headwinds, 27% topline growth puts the company among the very best in cybersecurity.

From Fortinet's annual earnings press release:

Fortinet® (Nasdaq: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, today announced financial results for the fourth quarter and full year ended December 31, 2022.

“Total revenue grew 32% in 2022 and year-over-year to $4.42 billion, and we generated GAAP net income of $857.3 million. This marks the 14th consecutive year that we have been GAAP profitable, including every year since our 2009 IPO. Cash flow from operations was $1.73 billion and free cash flow was a Fortinet record of $1.45 billion for the year,” said Ken Xie, Founder, Chairman and Chief Executive Officer.

In a period of time where profitability is valued by investors more than growth, Foritinet's streak of GAAP profitability (net income) looks even more remarkable. Fourteen consecutive years of profitability is unheard of in cybersecurity — yet here they are, just doing what Fortinet does: consistently churning out profits and growth at scale.

Investors have rewarded them accordingly. As of January 31, 2023, Fortinet had the second highest market cap ($40.89 billion) among all pure cybersecurity companies in public markets:

As you might expect, their strategic drivers are remarkably consistent with past years — highlighted by convergence and consolidation and growth through R&D. Their competition with Palo Alto Networks, Zscaler, and others in the network security market — and especially SASE, where their strategy is most actively playing out.

Fortinet is benefiting from convergence and vendor consolidation.

As a multi-product networking and SASE company, Fortinet is another example of a company that believes it's positioned to benefit from vendor consolidation. Fortinet CEO Ken Xie cited consolidation as one of the main drivers of revenue growth in FY22:

For the full-year, revenue growth accelerated to 33%. We continue to gain market share in the service security industry with customers increasingly recognizing how Fortinet integrate and a single platform approach to security delivers along total cost of ownership and a greater return on investment than competing solutions.

Here's what vendor consolidation looks like for the company — in this case, an example where it played out nicely in their favor. From CFO Keith Jensen:

If we look at a few of our large deals of the year, let's start with a competitive upsell deal. Fortinet displaced a 11 different vendors by consolidating the customer's network security functions on our Security Fabric. This worldwide wholesaler previously purchased secure SD-WAN and FortiProxy.

On a broader basis, what's good for Fortinet — a multi-product company with an established network security platform — is bad for other cybersecurity companies. In this example, 11 other vendors are now gone or saw their footprints reduced by the hand of a consolidated technology platform fueled by cost savings. The displaced vendors likely include a mix of point products and other platforms, neither of which could match the maturity and cost efficiency of Fortinet.

On the topic of convergence, Keith Jensen discussed another nice example with security and networking:

There's been an explosion of devices that must be connected to the cloud, data center and edge compute. As a result, the infrastructure has expanded to support secure connectivity via distributed firewalls, it is no longer feasible to overlay security on top of networking in the data center. They must be deployed as a converged solution.

The convergence of security and networking is a part of the broader trend that's easier to recognize. Convergence in these two domains is much more mature than others, with examples like Fortinet, Palo Alto Networks, Zscaler, and other large companies. They started with networking and followed the path of convergence to become full on cybersecurity companies.

Looking forward, Fortinet is making big predictions about convergence and consolidation. From CEO Ken Xie:

As networking and security continue to converge and consolidate, we believe we are well positioned to achieve our 2025 building target of $10 billion.

Justifying revenue growth with convergence and consolidation is a clear tell that Fortinet (and others) should believe these are real themes that are shaping cybersecurity markets.

Fortinet's growth strategy is to build new products, not buy them.

Two slides in Fortinet's investor presentation tell us almost everything we need to know about their growth strategy around products. The company is heavily invested in R&D and internal product development, spending very little on M&A. These slides are a direct shot at Palo Alto Networks, a company notorious for M&A.

The first slide is a comparison about product revenue growth and overall growth on an LTM (last twelve months) basis:

Fortinet's product revenue is growing faster than Palo Alto Networks — perhaps a lagging indicator of Fortinet's long-term approach to product strategy playing out.

Total revenue growth between Fortinet and Palo Alto Networks is similar at 29% and 27%, respectively. The punch line here isn't the direct growth comparison — it's the comparison of two very different growth strategies. Fortinet's revenue is growing at the same pace as Palo Alto Networks despite Fortinet spending less than 1/10th the amount of capital on M&A as Palo Alto Networks.

The second slide zooms in on Fortinet's build vs. buy strategy, highlighting investments in R&D and share repurchases over the past five years:

You read that correctly — Fortinet invests in R&D over M&A at a 90/10 ratio. An important side note to their R&D spend is that they've invested this much while remaining profitable, unlike some other cybersecurity companies with high R&D spend.

A specific example of this strategy playing out is Ken Xie's response to an analyst question about the SD-WAN and OT markets:

So advantage much huge compared to other competitors, quite some mostly come from acquisition. And at the same time, they don't have the ASIC help to increase speed, lower the cost and the power consumption. So that's why we feel we're keeping growing above the market, so above the market growth rate. There's a different research about how the market is growing. But I do agree it's a fast-growing market compared to the cybersecurity space and there will be a lot of potential going forward.

Fortinet is deeply committed to their long-term product innovation strategy, as we'll see next in the highly competitive SASE market. While they could be opportunistic with reduced valuations, don't expect any major M&A activity out of Fortinet.

Fortinet is taking an integrated and long-term approach to SASE.

Secure Access Service Edge (SASE) is the market where the intense competition among network security heavyweights is currently playing out. Three of the four most highly valued (pure) cybersecurity companies — Palo Alto Networks, Fortinet, and Zscaler, plus (hybrid) Cloudflare — have SASE offerings. Game on.

SASE is a massive topic, so we'll focus on Fortinet's strategy here. From Ken Xie on the annual earnings call:

Our strategy...in the last few years is: first, we want to have a SASE integrated in the same system, the same OS, including all the SD-WAN or the SASE function. So making SASE can be more easily broader deploy and also working with service provider to leverage their infrastructure to offer a SASE. So it's a little bit different than some of the SASE players right now in the market. So we do believe this is highly integrated the single system as will be more efficient and same time will be more secure.

...we believe long-term leverage...will be much more efficient than the profit model compared to some of the SASE solution or player kind of losing money, which will be difficult to last long. So that's what we will keep investing in this area. And also, we want to be a long-term player in this space and also we'll be keeping internal innovation R&D and keeping driving this space.

Fortinet is all about integration across its proprietary hardware and software. They're committed to this approach (even at the expense of speed and time to market) because they believe quality and value will win out in the long term.

Xie's comment about "some of the SASE solutions or players losing money" and how that will be "difficult to last long" is prescient. Fortinet has clearly demonstrated the ability to compete while remaining profitable as a company. With public markets placing an increased emphasis on profitability over growth (and no end in sight), Fortinet has a lot to gain from being positioned to outlast the competition.

I had the opportunity to speak with Ron Nissim, the co-founder and CEO of Entitle, shortly before the Cloud IGA company emerged from stealth. We covered a wide range of topics during our discussion, including:

• Building a Cloud IGA product from the ground up: What the Entitle team has learned from customers and the advantages of building from the ground up in today’s cloud-based world.

• How Entitle works: What Entitle does and how the team chose where to start within the massive surface area of Cloud IGA.

• Product strategy: The conundrum of starting with provisioning or governance, just-in-time provisioning, and the advantages of being cloud-first.

• Convergence of IGA and PAM: Observations about the convergence of use cases between IGA and Privileged Access Management (PAM).

• Transitioning from on-premise to cloud: How IGA products can bridge the gap during the transition from on-premise to cloud.

Note: This interview has been lightly edited for clarity.

The journey towards building Entitle

Cole Grolmus: Could you give me some background on Entitle — what you've built up to this point and how you decided to build it? I'm also curious what you believe are the big differentiators versus both the well-established identity products on the markets, and also among the new generation of competitors.

Ron Nissim: Permission management is still one of the biggest risks to organizations, even though IGA solutions have been around for decades. When we asked companies what their biggest problems are, the first thing that we heard from all the security people we spoke with was governance — knowing who has access to what, how do I know who has access, is it still relevant, and so on.

We spoke not only with security professionals but also with IT and DevOps. They also spoke about permission management, but from a different side of, "how do employees get permissions to begin with when someone joins the company?", "how do I know what they what they get when someone changes positions?", "how do I know they should be getting versus what should be taken away?" We realized the whole operational side of things was very, very manual even in the most forward thinking companies.

We identified three types of companies: the big enterprises of the world that had SailPoint or other traditional IGA products for provisioning and governance, very large cloud companies, and smaller cloud companies. Cloud companies almost didn't look at traditional IGA products as a viable alternative. We spoke with a few who ran proof of concepts, figured out that wasn't working for them, and then developed their own internal solution. A lot of big cloud companies developed internal solutions for Cloud IGA — companies that were cloud resource intensive and got to the size where they could hire a 20 person team and develop an access management solution.

Smaller cloud companies are the SaaS companies that we all know and love, but they're smaller in size than very large cloud companies (around 1,000 employees). They haven't reached the size where they wanted to develop their own solution. They were doing very manual processes. When the process is manual, it has a lot of direct challenges for the business with how long it takes people to be efficient and getting access to what they need. For many companies, 30% of tickets to the IT department are access requests, which is a huge burden on both the business and DevOps.

The real interesting part was because processes were manual, downstream security teams had no auditability. When you get your access by calling up your friend and it and saying, "hey, I need access to Salesforce," no one knows how you got access to Salesforce. That's what gave light to a bunch of new identity governance companies and compliance automation tools, which are very focused on the visibility side.

Our "aha" moment was when we realized the real problem was not governance. The real problem is how it's done to begin with, and because it's done in such a manual fashion, governance is very, very hard. We realized if we automate the way that employees get access, a business will be more efficient because employees have access and they're not waiting around. IT teams will be more efficient because they're not processing access requests. And security teams will have auditability because everybody knows who's getting access and what they're getting.

How Entitle works

Cole Grolmus: Could you give an overview of how Entitle works and some of the core aspects of the product?

Ron Nissim: The solution itself has four core aspects. The first part is self-service, which is what we call front end agnostic because you can attach it to whatever employees are used to using — Slack, Teams, ServiceNow, JIRA, whatever.

The second part is the policy engine. We have a no code workflow where security teams can define what that flow would look like in different cases. Based off the risk profile, they can identify who should be signing off on what. A concrete example that's really popular to start with: create a policy for someone who's on call with pager duty. If this person requests access for less than six hours, they get it automatically, even if it's super sensitive because they're probably firefighting. If they're not on call, then they have to go through the approval of the Head of Engineering unless it doesn't include PII. In that case, they could get access just with the approval of their direct manager. The idea is to enable companies to strike the balance between being bureaucratic enough in places that are really sensitive, but enabling people to get what they need and being able to audit that in retrospect.

The third part is API fulfillment. This is a big part of what we bring to the table, as opposed to the traditional IGA products, because we're very much focused on cloud resources. It's a very self-service installation. IGA tools are historically renowned for being bought through consulting agencies and having multi year projects with a ton of professional services hours. One of the huge powers of what we're doing is because everyone uses AWS, everyone uses Salesforce, everyone uses this bulk of 100, 200, or 300 applications, which we've already pre-researched. We come out of the box with what should be the 80% to 90% of what you need. Within a day, you already have Entitle configured to provision to all your different core applications.

The fourth part is governance. Governance is a byproduct of good provisioning. So once we're the ones that are giving and taking away access, then knowing who had access, when they had that access, why they have the access, should it still exist, have they changed roles since, so on and so forth — that's the easy part. The next step is very, very trivial, as opposed to the provisioning aspect.

To give a concrete example, a customer that we're at right now already bought one of our startup competitors. Their GRC team bought them for access reviews. And now they're trying to upsell into provisioning, and it's a completely new sales process. It's a different buyer. They're starting from scratch. We have just as strong of a case as they do — they don't have an edge because they're already installed because it's a completely different business unit. The other way around, this is not the case. If Entitle were installed in a company and provisioning permissions inside that company, then opening a user for the GRC team is really easy. That's why starting from provisioning is the much more interesting case long term.

There's a logical case for why to start from governance instead of provisioning. The biggest case is because Fortune 500 companies need governance. They're very compliance-driven. But when you speak with companies that are more agile, they're much more focused on what best serves security than what ticks the box from a compliance perspective.

Starting with provisioning versus governance

Cole Grolmus: The philosophy about whether to build the product starting with provisioning or governance is interesting. There is a grand experiment going on right now among the early-stage, cloud-first IGA companies.

If you're starting with governance, you're accepting the mess of entitlements that is there in a company's environment. You're almost intentionally, saying: "We're not going to proactively intervene in that mess. We're just going to visualize all of it through our governance tool and then fix the problem through access reviews."

Starting on the on the provisioning side, you're more deeply ingrained operationally and intervening with the problem early in the provisioning process. You're hoping that governance will be easier later on because you've done a better job with the management side of it.

It will be interesting to see which approach ends up being more effective, or even if this set of problems gets solved at all in this round of companies. In some ways, this space seems like one of the existential problems of security that may never be completely fixed. I hope it does, though.

Ron Nissim: You're completely right about this being a grand experiment. There's a lot that's still to be determined. It's on us as ‌vendors to figure out what customers want and what's going to work.

Customers need to have both provisioning and governance. But the question is: what do you do really well, and what do you do just good enough? Compliance is where customers want to be just good enough. They don't need a kick-ass product. They need something good enough to get them through their audit.

From a provisioning perspective, there are real business implications — from people not having permissions in time to people getting stuck without the access they need. That's why we believe provisioning is the more interesting place to focus on.

Cole Grolmus: There are a lot of ways the provisioning side of it can go wrong. You can definitely see the impact when that happens.

What happens in governance is a recertification doesn't get done on time, the scope of it is wrong, or something else isn't quite right about it. Even if you get a control deficiency in an audit, there's usually still time to make the control operational again. There's some margin for error.

If you do something wrong with provisioning, de-provisioning, etc. — even if it's one person — sometimes that person is the wrong person, and you get a call from the CEO. The stakes are definitely higher when you're managing access.

Ron Nissim: That's the hardest part of Entitle. We have to earn our customers' trust. And that is a very big challenge. There are a lot of things, even from a security perspective, that we've done to help enable trust.

We need we need admin privileges to all the systems we manage so that we can edit permissions. Governance tools don't need that. They just need visibility and read-only permissions. That's a harder challenge to solve, but if we solve it, then we'll be number one. That's how we've been looking at it.

Cole Grolmus: From an early stage founder's point of view, provisioning is riskier because there is more to build from an integration standpoint. It's also harder to convince your potential customers to trust you and let your product have the privileges it needs to do its job.

Provisioning is a steeper mountain to climb, but it's also an important barrier to entry. That problem is not unique to you. Anybody else that's entering the market now also has to solve the same challenges.

So, it's really a question of who has the perseverance and the runway and all of the attributes that it takes to climb that metaphorical mountain and make it work. That's probably who's going to win this time.

Customer demand for just-in-time provisioning

Cole Grolmus: IGA has such a massive surface area of problems. Where did you decide to start? Did you make any adjustments based on early feedback from customers?

Ron Nissim: We started with the change management aspects. So, when an employee needs access to something they don't have and put in a ticket. That's a fairly easy place to start, and we took it from there.

What customers took us towards was just-in-time access. What we said is we're automating the way that employees get access and take away that access when it's no longer needed. But what customers heard was: if you're making it really easy for employees to get access, I can now feel comfortable taking away that access. Whereas beforehand I felt uncomfortable taking access because I knew the burden would be very high in getting it back.

Just-in-time access has become almost ubiquitously the first use case with customers. We start with a few core applications and provide temporary access to those sensitive resources. That could be databases, production environments, admin roles in Okta, admin roles in Salesforce, or specific areas which are very sensitive.

Cole Grolmus: It's interesting and surprising to me to hear you say that just-in-time provisioning came up a lot with customers and that you ended up deciding to focus on it from a product perspective.

The reason it's interesting to me is because just-in-time provisioning has been talked about for a long time. I remember presentations from ten years ago with people talking about temporal and just-in-time access. But the secret was that it never worked. It was a better idea on paper than it‌ was in practice.

What about your tech stack, or the tech stack of your customers, that has now made it possible to do just-in-time access?

Ron Nissim: The reason we ended up focusing on just-in-time is, when I put myself in our customers' shoes, a lot of these companies are at the beginning of the process of thinking about their identity and Cloud IGA infrastructure. Or maybe not at the very beginning — the beginning is you buy Okta — but what's the next step?

If you're in the CISO's shoes and decide you need to do Cloud IGA, where do you start? I start with my most sensitive resources. I start with Okta admin, Salesforce admin, super sensitive databases, and critical infrastructure. In all of those places, there often isn't a need for someone to have access to those resources all the time.

I believe that's why, from a priorities perspective, it makes sense for customers to start with just-in-time access — because it's very easy to show quick value. Within a week of using Entitle, there are no constant admins in all the applications that are critical to you. It's powerful to see that kind of success very quickly. Onboarding and off-boarding is important, and it's good to know you have a tool for that. But it's hard to see well-defined success, so that's why I think our customers ended up pulling us in that direction. You want to start with your crown jewels.

What has changed over the last five to 10 years is a couple things. First of all, systems now have APIs which enable configuration from the outside. For CyberArk to manage access to databases, they had to sanitize your query. You put the query into CyberArk, it looked at the query, and then determined you're accessing a table that you shouldn't be accessing. StrongDM and a lot of these other solutions had to be met in the middle from a networking perspective to be able to control ‌what you get access to.

All these solutions now have awesome APIs that enable us to control access from the outside. It's as if there are a lot of faucets and we're the ones opening and closing all the different faucets based off the configuration. You want access to that table? No problem. We'll edit your user. Now you can access that table. You want it for only three hours? After three hours, we'll go in and remove the setting inside that database that enables you to get access to that table.

The second thing I wanted to mention is that authentication to these systems is becoming a solved problem. I don't think it's fully solved. Five years from now, it will be a solved problem, whereas five years back, Teleport didn't exist. A lot of other startups have solved authentication to more complex cloud infrastructures. Before that, the only way you could solve authentication was with a jump server.

Now, a lot of companies have some sort of authentication mechanism for servers, databases, and SaaS applications. SSO is becoming standard, whereas 5-10 years ago, a lot of companies didn't buy SSO. Now, you can't start a company without buying SSO very, very early on.

Once authentication has become a solved problem, then being able to discuss the more fine grained access management inside the applications becomes more interesting. It's now possible to look at problems like, "Who is Cole inside a lot of these different applications?" It's a hard question.

Those are the two things that have changed over the last five or so years that have enabled a more clear focus on permission management.

Building an IGA product for the cloud

Cole Grolmus: I have a follow-up question, and I'm trying to get at something abstract. What you described earlier are factors external to your product — progress in the technology environment that now makes things like just-in-time provisioning possible. Is there anything within Entitle itself that also makes it possible?

The reason I'm asking is because changes to external factors are good for everybody. That's good for SailPoint. That's good for any of your competitors. What is it that's differentiated about the Entitle that lets you win because of these changes in technology?

Ron Nissim: First of all, what's interesting about our company and how we build things, we're a team of security engineers. Everyone in the company is or was a security engineer. So, we've been tackling this from a security-centric approach in a world where traditional IGA is very governance and bureaucracy- driven. Bringing that fresh approach has enabled us to make a lot of interesting decisions and how we should be building the product in terms of recommendations, understanding what's relevant, what's good from security perspective, and what's just adding more bureaucracy and friction to the system.

We've been investing a lot of time researching different applications and understanding how permissions should be provisioned inside every application. A lot of times, companies will come to us and say things like, "We don't know how to manage access in Kubernetes. You tell us what we should be doing." We come with that expertise. We know what should be done and how it should be done.

The second part is because we've researched these applications very well, and on the other side, we know the organizations very well because we're integrated with the HRIS, the identity provider, and all these other systems, we can now recommend what permissions are relevant and irrelevant. I like to draw similarities to what Amazon does when they say people who bought this usually also bought that when you're buying things.

It's very similar from a permissions perspective. How can you cluster together permissions that are often that often come together that are similar from a business or a risk perspective? For example, what does it matter if you have access to the PII database that sits in Ireland on AWS or that sits in Iowa on AWS? It's the same database, so from a risk perspective, it doesn't matter if you're getting access to one or the other.

That's something Entitle can tell you. It will tell you, this is actually the same permission, so you can get access to both of these. It shouldn't be another step. It shouldn't be another process. What that enables is a consolidation between business enablement and security.

Cole Grolmus: It's interesting to hear about the advantages of building a product greenfield versus being an already established company in this space. The way you would manage access to Kubernetes or cloud environments is fundamentally different than how you would manage access to some on-prem Active Directory environments.

The IGA product tends to reflect the environment that it's managing, in some ways. Or, even more abstractly, the philosophy of the people who are doing the management. What's going to end up benefiting new companies like Entitle is that you're starting with a fresh approach to IGA in a new world of cloud infrastructure. That is going to make the product more advanced and kick off some of the cruft that used to be there from the old days of on-prem.

Convergence of IGA and PAM

Ron Nissim: Another topic that I'm really keen to hear your thoughts on as someone that's been in this space for a while: I have a theory that IGA and PAM are converging in the cloud; that PAM in the cloud has become very API-centric, and that vaults are becoming commoditized.

What's essentially been happening to us is that we've been solving a lot of CyberArk use cases. We used to compare ourselves often to SailPoint. I'm starting to realize that people find SailPoint synonymous with governance more than they do with provisioning. And a lot of the provisioning aspect of who has access to different resources is often covered by some sort of jump server, like a temporary access management solution.

A big benefit of being in the cloud is you don't have to be man in the middle from a networking perspective. To give you access to MongoDB, you don't need to connect to us so that we can connect you to MongoDB. We will go to MongoDB, create a connection string, and send it to you. Your connection is done directly to MongoDB. And because everything's logged, we can take the logs and give them to you. We can provide a lot of the things that customers need from PAM, like just-in-time, temporary access management.

Cole Grolmus: The convergence of IGA and PAM is definitely ‌something I see and believe, too. I've felt like they were inevitably going to converge in some way, shape, or form, for a while now.

There were so many reasons it was going to happen, or it will eventually happen. Some of it is operational — a lot of the things that you're saying, and the way that people are engaging with technology, how architecture has changed, and other factors that just necessitate them to be tightly integrated. If you also look at the business end of the industry with large private equity firms buying identity companies, it's going to make sense economically to have some of the IGA and PAM companies under the same umbrella.

The challenge is going to be — at least for ‌established companies with products that were built separately — I don't know if they're ever going to be able to truly integrate the products in a way that really works. That's a really hard challenge to take products that are years, if not decades old, and get them to work well together in an acceptable way that's better than just a light integration. I don't know if that's going to be possible.

Not that it's easy to build a company, either. At least you get to start with a fresh approach from a product perspective and build it in a way where the product is incorporating some of the PAM use cases you and your customers feel are really important and putting them together from the start. It's a more natural and organic integration from a product perspective right from the beginning, instead of having to piece that together later.

Both of those approaches are hard, but I wonder if the companies that had a chance to like start greenfield are going to end up being more effective eventually.

Ron Nissim: Yeah, that's a benefit of starting from scratch and a new technological environment — you don't have to deal with all the legacy stuff. It's not that we're not supporting IBM mainframes. That's just not the place where we're 10x better. You have your proprietary stuff, you have your on-prem stuff, you have that solved because it's a problem that's 30 years old. The new problem is your SaaS, your infrastructure — those are things that are changing rapidly. Those are the new things to your environment. What do you do there?

I met with a Fortune 100 company not too long ago. I really appreciated them because he was super brutal. He said, "Wait, I don't get it. I have SailPoint, CyberArk, and a bunch of internal scripts. What do you what do you replace for me, and what do you sit beside?" My response was, "I'm willing to bet that SailPoint and CyberArk cover your old on-prem corporate applications, but all of your cloud infrastructure stuff, your databases, your SaaS applications you've bought, those are either untouched, or you've developed internal scripts that cover those." He said, "That's exactly right. We've built an internal system that does self-service for these." That's what Entitle replaces and improves. And that's a theme I'm seeing repeat itself.

From a go-to-market perspective, there are two types of companies that like Entitle. One is companies that are "born in the cloud." They don't have to be born in the cloud, but they have to be cloud resource intensive. That's their core business. And then you have really large companies that maybe have SailPoint, maybe they have IBM mainframes. They have all these other traditional applications, but they have a cloud environment that's been untouched. We want to partner with them to be able to solve for that aspect. The hope is that over time, as more and more of their workload moves to the cloud, we will be the natural partner.

Managing permissions during the transition from on-premise to cloud

Cole Grolmus: Supporting cloud versus on-premise is a really interesting conundrum. Especially the latter category of companies who have some on-prem workloads and legacy apps, some cloud apps, and an increasingly growing cloud.

If I were to put myself in the shoes of a Fortune 500 CISO that's in charge of identity, what do I do?! I've already spent all this money to implement SailPoint, CyberArk, or their equivalents, and that's taken care of my on-prem infrastructure and maybe some of my very common cloud infrastructure. But I don't know if they're going to get to my cloud infrastructure from a product perspective. They may not keep pace ‌with where you're starting — with a focus on the cloud. It's going to take them a long time to get those integrations taken care of and adapt the product to be able to have full coverage of both on-premise and cloud applications. That's hard.

From your end, it's also hard because you can come in and help cover my cloud applications, but you're never going to touch my mainframe. So, what do I do? As a CISO, I'm stuck in this hell where I have to have both old and new IGA and PAM products. That's probably just going to be ‌reality for a while.

Ron Nissim: There are two things that need to happen. First, one of the biggest challenges in IGA is that every person in the company has some sort of interface with the IGA tool, which just makes it so much more complicated.

So, in that meantime when larger companies need both a Cloud IGA tool and a traditional IGA tool for on-premise access, we're working on creating a unified front end to the end employee so that they don't feel that they're working with two systems. I put in a request in JIRA or ServiceNow, and that's routed to either Entitle or another tool automatically. That way, users don't have to know, "For this, I go to Entitle, and for that I go somewhere else."

The second part is that, at some point, we'll have to acquire an on-premise product to join the Entitle family.

Cole Grolmus: So the point where you think this conundrum is going to get resolved is convergence from a business perspective, as opposed to established companies building out all the cloud integrations, or in your case, building out mainframe integrations.

Ron Nissim: There's going to be a point where we'll have to do that. It's just that on the mainframe, we don't plan to be 10x better. We want to be good enough. Where we want to be 10x better is in the cloud environment.

Cole Grolmus: That makes sense. For clarity, I know that I'm talking about things that are way down the road and problems that are not anywhere near your near-term vicinity as an early stage founder. This part of the discussion was more about the long-term vision of the market and how it ends up playing out.

Identity is such a hard market because these are legitimately hard problems that we're talking about here. Probably some of the hardest in security. People who don't understand identity look at these problems and say, "Oh, of course you should build an IGA platform that covers mainframes, on-prem, Active Directory, and cloud." That's really hard to do. It would probably take a billion dollars of capital and a decade to build.

I think what we do in this messy middle period is fascinating. That's why I called it a renaissance. I feel like we're getting new ideas and fresh energy back into this problem domain that had waned for a little while. It felt like progress had become stagnant in a way that made you think the current state was as good as we could do. In the last two or three years, there's been this renewal of new people who want to tackle this problem, who are really serious about it, and actually have a chance to do it.

Thank you to Liz Safran and the team at Montner for helping to make this interview possible.

There has never been a more exciting time for this sector of the market. Google Cloud’s $5.4 billion acquisition of Mandiant, one of two public cybersecurity companies with significant services revenue, was a signature move that will impact the entire industry for years to come. This special report focuses on the impact of this deal on the industry and what to expect next.

Key Report Discussion Topics

• The impact of Google Cloud’s $5.4B acquisition of Mandiant, along with the impact of this landmark deal on the industry and what to expect next
• The convergence of next-generation cybersecurity services
• Analysis of key players in the cybersecurity services market by sector
• Breakdown of emerging trends in the cybersecurity services landscape
• Special contributions from Charlie Thomas (Deepwatch CEO), Aaron Sandeen (Securin CEO), Michael Aiello (Secureworks CTO), and Dave DeWalt (NightDragon Founder)

You can read the full 80 page report here — no email required:

I first wrote about Agency in my article on Y Combinator's Winter 2022 batch. I was excited about them then — here's what I wrote at the time:

Agency is one of my favorite companies from this batch. I backed that statement up with my money — I like this company so much that I bought a plan for myself.

I'm even more excited now that I've had the unique opportunity to study the company and the problems they're solving in detail. I hope you enjoy the report.

Overview

Our work and personal lives have become one and the same. Attackers are seeking increasingly devious ways to exploit companies, including attacks on the personal accounts and devices of individual employees and business partners. People are now targeted as individuals because of their work lives. It’s time for cybersecurity to adapt to this new reality.

Managed security and privacy for individuals is an emerging paradigm for addressing this reality and keeping people’s digital lives secure. Forward-thinking companies and sophisticated individuals are turning to cybersecurity experts to help them defend personal devices and accounts. A new generation of personal services now makes enterprise-level cybersecurity accessible to individuals.

Agency commissioned Strategy of Security to explore the intersection of personal and enterprise cybersecurity and new approaches for managing the new wave of attacks. The analysis found vast differences in the tactics and rigor taken by organizations to keep their people secure at work compared to individuals at home. The traditional “you’re on your own” model for managing the security and privacy of individuals isn’t working. It’s time for a better approach.

Organizations that offer managed security and privacy services for employees’ digital lives — or forward-thinking individuals who subscribe on their own — are taking a proactive stance. They’re more prepared and resilient against attacks that impact their personal lives. They also prevent attacks from crossing over into their work lives. This is a security model built for the future.

Key Findings

The traditional model for personal digital security isn’t working anymore.

Over-reliance on one-off countermeasures like antivirus are leaving people exposed to new kinds of threats. The “go it alone” approach we’ve taken towards security in the past isn’t enough to keep us safe. It’s not how security is done in enterprises. In the future, it won’t be how security is done for individuals, either.

The individual threat model matters, and it’s converging with the enterprise threat model.

Just like company systems, individuals also face risks and threats on the internet. Acknowledging a personal threat model exists at all is a new concept. Worse, it’s quickly becoming a central part of enterprise threat models as personal security incidents escalate into enterprise security breaches.

Managed security and privacy for individuals can reduce the impact of security incidents on people and the companies they work for.

The best way to reduce the risk of personal cybersecurity incidents impacting a company is to proactively manage them. It’s not as straightforward as protecting company assets, though — many people don’t want their employers to have access to their personal devices and accounts. Managed security and privacy for individuals balances the risks faced by companies while respecting the fundamental right to privacy for individual employees.

The deal has closed, and Google is talking now. After a barrage of articles, interviews, and a full-on conference (Google Next) this month, now feels like an opportune time to revisit the topic, tie up any loose ends in my analysis, and highlight any areas that remain undetermined.

The purpose of today's article isn't to keep score on what I got right or wrong. Google's acquisition of Mandiant is a big and evolving topic in cybersecurity. It's important to stay on top of the evolution and how it impacts strategy — both directly to Google and Mandiant, as well as the second order consequences to others within the industry.

There's no need to revisit every section of the original article. Some of it was context and background that's still a good read if you're trying to get your mind around this acquisition. Today, we're going to focus on specific (and interesting) topics based on the new information we have.

A quick note: this article has a few more long block quotes than usual. I did that to save you from having to jump back and forth between this article and the original analysis. For newer readers, it's also enough background for this article to be useful even if you haven't had time to read the original one yet.

On to the updated analysis.

What’s Going To Happen to Mandiant?

When the acquisition was announced in March 2022, a lot of big and existential questions came up. I summarized the sense of uncertainty like this:

Big picture, an acquisition changes the equation for Mandiant in a different way than going private and remaining an independent company. There is more uncertainty about what the future holds for Mandiant as we know it and how the company fits within the vast Alphabet (Google) empire. People have a lot of questions and concerns about what's going to happen next.

Questions about where and how Mandiant was going to fit within Google Cloud were valid, especially at the time. They're still valid now, but we'll get to that in detail later.

I felt some uneasiness when I first heard the acquisition news, but I quickly realized this was something Google was going to put its full resources behind:

Right on cue, the skeptics started talking about how Mandiant is (eventually) going to end up in Google's notorious product graveyard after the news was announced. There are a lot of valid questions surrounding the acquisition, but this isn't one of them. Mandiant is absolutely not headed for Google's product graveyard.

...

Alphabet employs some of the smartest people on the planet. They are absolutely not going to make a multi-billion dollar acquisition without a plan for making it successful. We should expect Alphabet to make the same level of commitment for Mandiant.

Google (Alphabet) and Mandiant kept us wondering for over six months. It was essentially radio silence from both companies as the acquisition completed diligence, regulatory review, and closing. That's par for the course with large acquisitions like this.

However, concerns about Mandiant being dismantled were summarily dismissed in the wave of post-acquisition media appearances:

...and also the important little details like employee swag:

The employee swag part might not seem like an important detail, but it's more symbolic than you might think. If Google was playing lip service with keeping the Mandiant brand, you'd see a media blitz and no employee appreciation or perks behind the scenes. The fact that Google went as far as customizing swag for 2,000+ Mandiant team members is a small indicator about the importance they're placing on integration and retention.

Why was keeping the Mandiant brand a no-brainer? Instant credibility. From Kyle Alspach in Protocol:

In the world of incident-response services, which provide investigation and remediation after a breach, Mandiant is the marquee name. Without a doubt, linking up Google Cloud’s security business with Mandiant “adds a level of credibility” with customers, said Benny Henderson, cloud practice manager at IT services provider World Wide Technology.

The Google Cloud leadership team was definitive about continuing to use the Mandiant brand going forward. This shows the respect, value, and power of the brand Mandiant has developed. Mandiant's annual revenue is less than 1% of Alphabet's annual revenue, yet the intangible value of Mandiant's brand was worth keeping.

What About Mandiant's Professional Services?

Aside from what Google Cloud would do with Mandiant in general, the elephant in the room was the fate of Mandiant's professional services business:

Perhaps the biggest open question about Alphabet's acquisition of Mandiant is what will happen with their well-known professional services business. It's a valid question with the potential for significant impact depending on what Alphabet decides to do.

The starting point couldn't be further apart. As I quipped in the original article, Alphabet literally calls Google's products "services" in earnings reports. It's no stretch to question whether a company with product so deeply engrained into its DNA has the long-term appetite for cybersecurity professional services.

Productized services was the direction Mandiant was headed as a company when they divested FireEye — long before Google came around. Once Google entered the picture, the mutual alignment with moving away from pure services was obvious:

Google's idea of "services = products" seems to align well with Kevin Mandia's recent "we're not a services company" declaration...except that professional services makes up roughly half of Mandiant's annual revenue. It's even more nuanced than that, though — mainly because the other half of Mandiant's business also includes services sold via subscriptions. Mandiant is a professional services business that's actively trying not to be. And Google would be glad to help with that.

I may have taken this prediction a little too far by floating the idea that Google could end Mandiant's consulting business entirely:

In the long run, subscription-based services revenue is likely to be much more appealing to Google than one-off, non-recurring professional services projects. I wouldn't be surprised if Google ends Mandiant's consulting business entirely. That statement may sound heretical, but it's definitely in the realm of possibility.

Recent public comments have made it clear that's not going to happen. From Jeff Reed, VP of Product for Cloud Security in CRN:

Mandiant is a step function in terms of capabilities, both from a security operations perspective and the product side, but also the incident response and the consulting capabilities.

Also, the relationships that they have throughout the world with both enterprises and government institutions is really amazing.

However, my observation about subscription-based revenue being more appealing looks pretty accurate. I specifically called out the value of Mandiant's threat intelligence business:

Within the recurring, subscription-based services, Mandiant's Threat Intelligence and Managed/Automated Defense services should both be highly appealing to Google and its Google Cloud customers. Especially the world-famous threat intelligence services.

...

At an abstract level, threat intelligence is information. And great threat intelligence is highly valuable information. It's also notoriously difficult to organize and make universally accessible and useful — exactly the part Google specializes in.

...

The same concept applies for threat intelligence. Combined with tech, it gives customers information about cybersecurity threats. Mandiant is the best at sourcing this information. Google is the best at providing it. The combination is potentially a winning strategy.

That's exactly where this is headed with Google. From Jeff Reed in CRN:

We know that Mandiant had excellent threat intelligence, so it’s about how do we bring that threat intel on Chronicle as soon as possible? They do a bunch of things in a proactive perspective, so how do we do that now [at Google]?

My takeaway for Mandiant's professional service is "let's wait and see." The Google Cloud team clearly isn't going to abolish services on Day 1. Reading between the lines, their commentary implies some of Mandiant's services and subscription offerings are more valuable than others.

What happens to specific service offerings within Mandiant depends a lot on how much autonomy they retain. If Mandiant is truly a standalone business operating within Google Cloud, there's a higher probability they will continue offering their full range of services. If Mandiant gets partly or wholly integrated into Google Cloud, I expect we'll see the core incident response and threat intelligence service maintained and non-core services retired.

How Will Mandiant Advantage Fit Into Google Cloud?

The fate of Mandiant Advantage is complicated. Google Cloud's portfolio of security products — Chronicle, in particular — has a checkered past. They're at an interesting crossroads with the re-vitalization of Chronicle, acquisition of Siemplify, and the addition of the Mandiant Advantage platform.

The death of Google Chronicle was greatly exaggerated — or, so it appears in hindsight. Mandiant's data and technology platform is clearly being viewed as a breath of fresh air into the current iteration living within Google Cloud.

The Chronicle project has had its share of issues, no doubt. The vision has shifted from the astronomical moonshot expectations Chronicle was born into nearly seven years ago within X. From former Chronicle CEO Stephen Gillett:

We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find. We are building our intelligence and analytics platform to solve this problem.

The announcement went on to (ominously) predict:

We know this mission is going to take years, but we’re committed to seeing it through.

The first part was right — Chronicle's mission is going to take years. The second part, not so much. As lofty internal projects often go, the project's leadership stepped down as the formerly standalone company was acquired and folded into Google Cloud.

Five years later, Google Cloud is still holding up the commitment of seeing it through. As Chronicle Co-Founder and Chief Security Officer Mike Wiacek wrote when announcing his departure:

Chronicle is in good hands with the brilliant folks at GCP, and I hope to see amazing things continue to happen. I may not be a custodian of it anymore, but I sincerely want to see it thrive! We had only just started to scratch the surface of what could be, and the future potential is so very high.

He also left a clue that's much more clear in hindsight:

What’s next? Well, that’s easy, “Second star to the right, and straight on ‘til morning.”

"Second star to the right, and straight on ‘til morning" is a quote from Peter Pan about finding Neverland. In this story, it translates to keeping a sense of curiosity and pursuing your dreams. For Wiacek, that meant founding Stairwell — a startup that, in some ways, is the spiritual successor of Chronicle's original vision.

With the acquisition of Mandiant, Chronicle itself is undergoing a major transformation. This month at Google Next, the next iteration of Chronicle was unveiled. Google summarized both the current and planned changes in their announcement:

Chronicle Security Operations brings together the capabilities that many security teams depend on to more quickly identify threats and rapidly respond to them. It unifies Chronicle’s security information and event management (SIEM) tech, with the security orchestration, automation, and response (SOAR) solutions from our Siemplify acquisition and threat intelligence from Google Cloud. The recently-completed Mandiant acquisition will add even more incident and exposure management and threat intelligence capabilities in the future.

Moving forward, all security operations software will come under the Chronicle brand. The Siemplify brand will be replaced with Chronicle SOAR, and security analytics capabilities of the suite will be named Chronicle SIEM.

A couple things stand out:

• This answers the question about where the $500 million Siemplify acquisition fits into Google Cloud's product equation.

• The announcement itself was more about the future than the present. It made clear that any of Mandiant's tech and data that Google chooses to keep will be part of the Chronicle brand and platform.

From a product and engineering standpoint, it's too early to expect much (or any) of Mandiant's threat intelligence data or the Mandiant Advantage platform to be integrated. There's a lot of product planning and rationalization to do.

Jeff Reed outlined the initial planning and rationalization to CRN:

Think of the security operations space and what we’ve done with Chronicle. We’ve been focused on the analytics, the SIEM [Security Information and Event Management] market, we acquired Siemplify and integrated orchestration, automation and response to that.

What Mandiant adds is capabilities like validation and attack service mitigation. Chronicle in that world is more of a reactive defense—so looking for data, trying to find what might be going on in your environment, threat hunting and all that.

...

One of the big things we’re talking about is how we’re bringing those capabilities together with what we’re doing with Chronicle and the SecOps [security operations] space.

So you’re going to see a set of new offerings come out over the coming quarters that are tying together what we’re doing in Chronicle with what Mandiant has done in validation, attack surface mitigation and threat intelligence.

Google has already given us an early glimpse. Part of the Mandiant Advantage automated defense platform has been branded "Breach Analytics for Chronicle." Re-platforming other Mandiant tools is also underway. From Jeff Reed via CRN:

Another good example is the Mandiant incident response teams are rebasing the tools that they use when they’re called in to investigate a breach, so it runs on top of Chronicle.

Consider these examples a placeholder for now — I'm sure there will be many more changes and, eventually, a lot more clarity to come.

Mandiant's Threat Intelligence

Mandiant's threat intelligence offering turned out to be a far more important part of the deal than I originally discussed. I raised the question about whether it would continue at all:

A topic the information security community is particularly interested in is whether Mandiant's public research and threat intelligence information sharing is going to continue.

Financially, it's a valid question — threat intelligence and public research is expensive to maintain. Along with incident response services, threat intelligence is Mandiant's bread and butter. Strategically, it makes a lot more sense for Google to invest in growing and integrating Mandiant's threat intelligence than doing away with it.

The Google Cloud leadership team has had nothing but high praise for Mandiant's threat intelligence. From Jeff Reed:

They also bring amazing threat intelligence. They are there in the world’s worst breaches. So they have some of the absolute freshest threat intelligence that we’ll also complement.

As it turns out, integrating Mandiant's threat intelligence is one of the first major areas of investment for Google Cloud. Again from Jeff Reed:

"...threat intelligence integration, their proactive controls and bringing those together—that is already off and running."

Unsurprisingly, these comments and priorities are slanted towards Mandiant's paid threat intelligence offerings; however, it's safe to assume the public research and reporting is likely to continue as well.

Antitrust? Nah.

At the time of the acquisition, many people (including me) pointed out the potential antitrust implications:

First, it's not completely certain this deal is actually going to close. There is already speculation and demands for the transaction to be struck down because of antitrust. Alphabet is already facing significant antitrust scrutiny from regulators. Tech regulation in general is en vogue with governments across the globe.

From the outside, antitrust seems to have been a non-issue for Alphabet with this acquisition. The real headline was how quickly the United States Department of Justice (DOJ) came to a favorable decision and put investor concerns to rest.

The DOJ did conduct a probe starting in April. It was effectively over by mid-July after the DOJ granted an early termination of the waiting period for the transaction.

I didn't try to predict the timeline, but I did expect this deal would eventually be approved and move forward:

Antitrust is a fluid topic, and I'm certainly not an antitrust lawyer. However, it seems unlikely this acquisition is going to be blocked. Despite the likely drama and rhetoric, reasonableness should enter the picture at some point in the process. The case against this being an antitrust concern is relatively strong.

Ironically, there was a lot of post-acquisition discussion about how the deal could help create competition. As Google Cloud CISO Phil Venables told Axios:

There's a little bit of a sigh of relief that there is going to be some competition to the other company [Microsoft] that typically serves government.

Longer term, I expect the deal actually will create competition — just not exactly how Google's leadership team is predicting. There is already an emerging class of technology-enabled companies in Managed Detection and Response (MDR), Incident Response, Threat Intelligence, and other areas of the cybersecurity ecosystem where Mandiant operates.

Mandiant’s Future Within Google Cloud

After my original analysis, I felt pretty optimistic about Mandiant's chances of success within Google:

...I feel a lot more positive and optimistic about the combined future of Mandiant and Google. The new Mandiant may have been a mirage, but I'm hopeful the best parts of their vision can still be carried out — and maybe even improved and accelerated — under Google.

I still feel that way now — even more so with commentary and details that have emerged in the past month.

This acquisition is clearly a priority for Alphabet. From Phil Venables via Axios:

It's not this kind of little acquisition. It's this big part of our ongoing security transformation in terms of building a much bigger security business.

Alphabet takes big acquisitions seriously. If the historical track record of other large acquisitions is an indicator, that's great news for Mandiant.

If we zoom out and look at the vision behind Mandiant's productized services model, it's exactly what Google is world class at — information. From Jeff Reed in CRN:

...we at Google love trying to solve really hard problems. In a place like security operations, it’s based on Google’s expertise in large data, search and analytics.

So that really works well in the sense that we are able to ingest and index amazing amounts of data.

We can search them with other tools—which would take others minutes or sometimes hours—in less than a second.

So that’s just something that we’re just really good at from my core engineering technology perspective. We’ve applied that expertise to the security operations.

Both of those are really based on things that Google broadly is uniquely capable of.

Google's decision to put its full resources behind security operations is a big deal. As I previously discussed in An Intro to Consolidation and Aggregation in Cybersecurity, cloud providers like Google Cloud are driving aggregation in the industry:

Cybersecurity companies aren't the ones doing the aggregating; they are being aggregated. Aggregators (cloud providers) are modularizing suppliers (cybersecurity product companies) and using control of customer demand (businesses using their cloud services) to control distribution of products and services (via marketplaces).

When aggregators enter the picture, existing demand and distribution models can change entirely. Operating at the scale of an aggregator makes new things possible, usually in favor of the aggregator (Google Cloud, in this example). Here's one example, again from Jeff Reed in CRN:

...we’re able to take these amazing economies of scale around [the fact that] we produce our own security chips at Google, we custom-build hardware to reduce the number of peripherals, we are able to do things that any single organization is not going to have because of our large IT budget.

But because we’re servicing tens of thousands of customers and our own Alphabet stuff, we can make these additional investments in security that wouldn’t make sense for anybody else. It makes sense for us.

It's still too early to tell all of the possibilities that will be unlocked for Google by owning Mandiant. Similarly, we can't know for sure what every downstream impact will be on the rest of the industry, positive or negative.

Most of the challenges that come with acquisitions are still likely to happen here: mistakes will be made, people will move on to new opportunities, and some of the lofty expectations and goals may not be achieved. However, it can still be a huge success for both companies, even if everything doesn't go quite as planned.

The Summer 2022 batch was intentionally smaller than Y Combinator's recent batches. This is no surprise — YC warned everyone batch sizes were being reduced by 40% back in August. The surprise was this: the Summer 2022 batch still included 13 companies in cybersecurity, privacy, or trust. That's consistent with the Winter 2022 batch, which included 12 companies.

Companies in the Summer 2022 batch that are in (or around) the domains of cybersecurity, privacy, and trust include:

• AccessOwl: Provisioning and management of access to SaaS applications for a company's workforce.

• Allero: Code scanning in CI/CD pipelines to perform security, code quality, and compliance checks before deployment.

• AiPrise: Integration and orchestration of identity verification and Know Your Customer (KYC) checks across multiple providers.

• Ballerine: An identity and risk management platform that allows companies to automate workflows for customer onboarding, transaction monitoring, credit underwriting, and more.

• Chainsight: An API for Web3 background checks.

• Conversion Pattern: Tracking for user analytics and measurement of ad spend without cookies.

• Derisk: Cryptographic key custody software that secures cryptocurrency assets for businesses.

• Notebook Labs: Decentralized, anonymous, and verifiable identity for Web3.

• Oneleet: Pentesting services delivered through a combination of AI and human expertise.

• Openline: An open source customer data and orchestration platform.

• Overwatch: Detection and management of business risks that could impact an enterprise company's operations, supply chain, or reputation.

• Slauth.io: A platform that secures access to cloud infrastructure.

• TrueBiz: Background checks for businesses.

Admittedly, 13 companies is a bit of a stretch. Eight of these companies operate at the intersection of cybersecurity and adjacent domains (fraud and risk, for example).

Hybrid cybersecurity companies are big these days — look no further than Cloudflare or the host of cybersecurity startups building on Snowflake. Hybrid companies absolutely should not be dismissed because they aren't "pure" cybersecurity companies. So, we'll include the hybrid companies here.

On to the analysis of the 13 cybersecurity, privacy, and trust companies in YC's Summer 2022 batch.

AccessOwl

What does the company do?

AccessOwl orchestrates provisioning and management of access to SaaS applications for a company's workforce. The product's interface is Slack-first, which allows people to request and approve access directly within Slack.

Where do they fit into the cybersecurity ecosystem?

Provisioning, deprovisioning, and management of access are clearly features of an Identity Governance and Administration (IGA) platform. AccessOwl is focused on SaaS applications, a narrow but important slice of the market.

What are their challenges?

The IGA market is incredibly competitive, both among incumbents and earlier stage startups. SailPoint, ForgeRock, and Oracle are all market leaders with growing businesses. SailPoint received a Thoma Bravo-powered jolt of energy earlier this year.

Financing and M&A activity in IGA has been one of the busiest segments in the cybersecurity ecosystem. BalkanID, Clear Skye, Frontegg, Opal, Pathlock, and Zilla have all raised large rounds in 2022.

Why could this be a big company?

IGA is a wide open market right now. The value of IGA products to mid-sized companies through enterprises has been clearly established — to a point where SailPoint was worth $6.9 billion to Thoma Bravo. Any product that stands out and gains traction in this market has the potential to be a big company.

Allero

What does the company do?

Allero scans code in CI/CD pipelines to perform security, code quality, and compliance checks before deployment. It's a CLI-based tool for use by developers.

The company's value proposition is to "ensure only compliant code makes it to production." It's counter-intuitive to think that preventing software from reaching production is valuable, but that's definitely the case here.

Where do they fit into the cybersecurity ecosystem?

Allero fits broadly into Application Security. I would argue it also intersects with Governance, Risk, and Compliance (GRC).

The product focuses on the quality and adherence of code to standards — not the code-level vulnerabilities tools like Snyk are after. Allero is somewhat of a meta-layer: it can be configured to check if Snyk security scans are part of the CI/CD pipeline.

What are their challenges?

Inertia and apathy are probably bigger challenges for Allero than any competitive product. Organizations are still embracing the idea of developer-friendly application security. Unfortunately, it's going to take more time for this to catch on.

This is a challenge with long-term upside — it's going to happen eventually. I'd even call it existential: the least capable development shops will have to either get with the program or go out of business. Nobody knows how long it will take for the revolution to happen, but it will.

Why could this be a big company?

Many developers and engineering leaders are hard-wired to ship code fast. This often means shortcutting or bypassing security, code quality, or compliance. It's unlikely for code to be rolled back once it's deployed, which is a recipe for disaster if non-compliant code keeps finding its way into production.

Allero is a neutral, automated voice of reason: its job is to stop bad things from happening. Expectations are codified into Allero's configuration — the rules are the rules. That's a big deal because no human judgment is involved, and the rules are automatically and consistently enforced.

Everything Allero does have been a huge and recent problems in cybersecurity, including many of the trends and topics I discussed in What Developers Need to Know About the Strategy of Security. Protecting the CI/CD pipeline and the code that flows through has to get better, and Allero could be one of the companies leading the way.

AiPrise

What does the company do?

AiPrise integrates and orchestrates identity verification and Know Your Customer (KYC) checks across multiple providers.

The "integration and orchestration" part is an important distinction — it doesn't do the verifications. There are plenty of good products that do this already. AiPrise's problem space is how to manage the identity verification providers — an adjacent but tricky challenge.

Where do they fit into the cybersecurity ecosystem?

AiPrise generally fits into Identity Proofing, with the nuance I pointed out earlier about managing but not doing the validation.

What are their challenges?

Managing multiple identity verification and KYC providers is somewhat of a niche. The pain is most commonly felt by fintech companies. Many investors would question if the problem space and market is big enough to become a large company.

Niche markets and specific problems like this are YC's bread and butter, though. What seems like an obscure problem is often bigger than people expect. Solving a niche problem well also unlocks adjacent opportunities in broader domains (Fraud and Transaction Security, in this case).

Why could this be a big company?

Having a meta-layer to manage the identity verification mess is incredibly valuable for companies operating in multiple geographies. Nobody wants to integrate and maintain multiple identity verification platforms. With AiPrise, you don't have to.

Companies like Segment have proven the value and potential scale of integration and orchestration products. AiPrise could follow in similar footsteps. Segment proved orchestration for customer data and analytics was a deceptively large problem, and AiPrise could do the same for identity verifications.

Ballerine

What does the company do?

Ballerine is an identity and risk management platform that allows companies to automate workflows for customer onboarding, transaction monitoring, credit underwriting, and more.

This is one of the hybrid companies I referred to in the article's intro. The product has clear elements of cybersecurity, but it also extends well into financial services.

Where do they fit into the cybersecurity ecosystem?

A product like Ballerine spans multiple categories of the cybersecurity ecosystem, including Customer Identity (CIAM) and Fraud and Risk.

What are their challenges?

Larger financial institutions are the potential customers who feel problems with customer onboarding, transaction monitoring, and fraud acutely. Unfortunately, they're often the slowest to adopt new technology to help solve the problem. They've been forced to build their own solutions, and the result is usually a legacy technology stack that's ready to fall apart from the slightest change.

Modernization and (gasp) digital transformation is coming, though. The problems Ballerine solves are part of financial services companies' core operations, which puts new technologies higher up on the priority list when modernization finally comes around.

Why could this be a big company?

Thankfully, Ballerine can capitalize on the revolution in fintech and neobanks while it waits for larger institutions to come around. There are plenty of companies building their identity and fraud stacks from the ground up. It makes a lot more sense for them to work with a company like Ballerine than build the stack on their own.

An open and extensible platform like Ballerine might also be the antidote to skepticism from larger financial institutions. The best retort to "...but we're special" scenarios from enterprises is to let them build whatever they need on their own. Ballerine makes that possible.

In the adjacent market for digital identity, ForgeRock has proven it's possible to win over a meaningful portion of a market with an open, extensible platform. Ballerine could do the same for the intersection of identity, risk management, and fraud.

Chainsight

What does the company do?

Chainsight is an API for Web3 (a.k.a. blockchain or cryptocurrency) background checks. The company uses a direct comparison that's helpful: "Checkr for Web3."

Where do they fit into the cybersecurity ecosystem?

The company fits into my broadly defined Blockchain and Web3 domain of the cybersecurity ecosystem. They could also be grouped with traditional companies in the Background Screening market.

What are their challenges?

Mostly macro: where Web3 is headed is still very much in flux. We're currently sitting in the middle of yet another crypto crash. Competition among early stage companies and protocols is intense — all the usual traits of an industry at the embryonic stage of its lifecycle.

The good news for Chainsight is that background checks are among the foundational set of services needed for Web3. It's a relatively safe bet that wherever Web3 ends up going, background checks are going to be needed.

Why could this be a big company?

Web3 fraud and scams are rampant. The problem has become a serious headwind for Web3 users, companies, and protocols. Help is desperately needed.

Chainsight isn't another "build something that exists in Web2, but now on blockchain?!" type of company. Yes, background checking services have conceptually existed for a long time. Web3 brings a different set of challenges and use cases that require a new solution.

Why is a new solution needed? Web3 has a lot of data and assets to monitor for background checks to work. According to Chainsight, the company currently monitors over 300,000 dApps and tokens, over 100 million phishing sites, and labels 25 billion blockchain transactions.

Paradigm-altering technology shifts create spaces of opportunity for new products and companies. That's exactly what Chainsight is taking advantage of in a space with massive upside.

Conversion Pattern

What does the company do?

Conversion Pattern helps companies track user analytics and measure ad spend without cookies.

"...wait, what? Why is this company on the list?!," you might ask. It's another hybrid company that crosses over into cybersecurity and privacy to solve a business problem.

Digital identity is at the core of Conversion Pattern's product, including a unique identifier for visitors and an identity resolution engine to help correlate activity across multiple sessions and devices.

Where do they fit into the cybersecurity ecosystem?

The company fits broadly into Identity Graphing and Resolution. They're really a user analytics company that happens to intersect with digital identity and privacy to solve problems for their customers.

What are their challenges?

Changes to third-party tracking and user privacy are dynamic. Requirements (and underlying tech) are evolving rapidly. The discourse is part technical, and part political. This makes for a messy situation.

Anything Conversion Pattern builds could be partially or completely wiped out by the whims of powerful companies like Apple and Google. That's also an opportunity, of course — being the company who helps other companies navigate the turmoil is incredibly valuable.

Why could this be a big company?

The end of third-party tracking is an existential crisis for marketers. Without cookies, new solutions are needed to help businesses understand their customers and measure ad spend.

It's unrealistic to expect this type of measurement for eCommerce and digital ad spend will go away just because Apple killed third-party tracking. Once people are given something, it's hard to take it away — especially when it's directly related to a company's revenue and profitability.

If the market decides Conversion Pattern is the best solution for balancing third-party tracking with the user privacy requirements of device manufacturers, they can become a big company.

Derisk

What does the company do?

Derisk builds cryptographic key custody software that secures cryptocurrency assets for businesses. Their product uses multi-party computation (MPC) to secure keys among multiple parties without anyone knowing the full key.

It's a new solution to the "not your keys, not your coin" dilemma in cryptocurrency that has found the spotlight recently. TL;DR – if a company holding digital assets implodes, there's no guarantee its users will be able to get their assets back because they technically don't hold the private keys needed to access them. That's a problem in a lightly regulated industry like cryptocurrency — the FDIC isn't there to save you.

Where do they fit into the cybersecurity ecosystem?

Like Chainsight, Derisk fits into my broadly defined Blockchain and Web3 domain. The company is also a new-generation entrant into the Public Key Infrastructure market with a specific focus on Web3.

What are their challenges?

One of the biggest challenges for Derisk is convincing cryptocurrency asset custodians it's safe to use a product from a startup to secure their private keys. Ironically, building on MPC helps address this problem because its core design principle is that nobody has to trust anyone else.

The other macro-level challenges are value capture and defensibility. Products built on top of open protocols (an entire sub-field of cryptography, in this case) often struggle to capture the value they create. It can also be challenging to build a defensible moat when part of the core IP is open and available for competitors to copy.

Why could this be a big company?

Derisk is a real life instance of the cryptocurrency "centralization vs. decentralization" debate where the decentralized solution could (objectively) be the best solution. MPC is great because it's both secure and redundant by design — excellent benefits when we're talking about securing digital assets with monetary value.

In the case of managing the private keys that protect cryptocurrencies, many people shouldn't be at either end of the trust spectrum: wholly trusting third parties or relying on ourselves to protect our digital assets. The best answer might be in the middle — spreading some, but not all, trust among a few parties and enforcing it with distributed computation.

Notebook Labs

What does the company do?

Notebook Labs is building decentralized, anonymous, and verifiable identity for Web3. The company calls it "KYC for crypto," which loosely means it's doing identity proofing.

This might sound similar to Chainsight, but the nuances are important. Notebook is an on-chain store of verified identity information (a smart contract). It's integrated with an NPM package versus an API for Chainsight. Bigger picture, Notebook also seems to be building towards a fully self-soverign identity store, not just an identity proofing service.

Side Note: They also use AiPrise, another company we discussed earlier, for identity proofing during user onboarding.

Where do they fit into the cybersecurity ecosystem?

Notebook is another company that maps to the Blockchain and Web3 domain. They're also similar to an Identity Wallet, although technically implemented as a smart contract.

What are their challenges?

Web3 identity is an extremely competitive segment. Multiple other companies, including several funded by YC (Spruce and Magic, for example) are building in and around the same identity wallet vicinity.

Why could this be a big company?

Identity for is one of the biggest opportunities up for grabs in Web3. Several attempts have been made, and new companies keep getting better and better.

Balancing verifiable identity with user privacy and decentralization is a tricky thing to do. It's also the right thing to do. Notebook can be a big company if it pulls this off.

Oneleet

What does the company do?

Oneleet is a pentesting service delivered through a combination of AI and human expertise. The platform includes tools to execute and manage the pentest, plus a marketplace of talent to guide, validate, and report the results.

Where do they fit into the cybersecurity ecosystem?

The company sits at the intersection of Penetration Testing, Professional Services, and Crowdsourcing. It's part technology platform and part professional services marketplace.

What are their challenges?

Forward-thinking professional services firms have caught on to the idea of productized penetration testing services. Companies like Bishop Fox, NetSPI, Praetorian, Synack, and more have all raised significant capital to address this exact problem.

The challenge is also an opportunity for Oneleet. Companies that began as traditional professional services firms have to deal with organizational and culture change to bend their offerings into productized services. Oneleet is one of the first companies with the opportunity to build a productized service from the ground up.

Why could this be a big company?

The productization of cybersecurity services is one of my favorite topics (more on this soon...hint hint). Naturally, I'm excited about what Oneleet is doing.

I talked extensively about this topic when analyzing Mandiant's shift towards productized services. Substitute Oneleet for Mandiant, and it's exactly the reason they could become a big company:

Building a successful productized services business to address an important societal issue like cybersecurity attacks is an interesting problem to solve. In the process, Mandiant may also revolutionize the delivery model for professional services in the industry.

A shift towards productized services is bound to happen, especially in cybersecurity. Too many incentives are aligned for this not to happen: labor shortages, budget constraints, speed of delivery, and never-ending fear are a recipe for innovation. The question is whether Mandiant will be the company to execute this strategy and successfully capture the value.

Bigger picture, the company describes itself as "your security department as a service." That obviously means a lot more than pentesting. The ceiling here is high. Anyone who accomplishes this will become a massive company in the process.

Openline

What does the company do?

Openline is an open source customer data and orchestration platform. It takes customer data and interactions from multiple sources to personalize experiences and automate support.

Like Conversion Pattern, you might be wondering why this company made the list. Same reason: digital identity is at the core of the product. From their YC company profile:

Third-party tracking and analytics tools do not work in the current world of GDPR, HIPAA, CCPA, ad blockers, and cookie deprecation. We allow you to get the most comprehensive view of your customers without sending personal identifying and/or usage data to third parties.

Identity and privacy are enablers for everything else Openline does.

Where do they fit into the cybersecurity ecosystem?

Openline fits broadly into Identity Graphing and Resolution. More broadly, they're a customer data platform.

What are their challenges?

Competition. Cliché, I know. Customer data platforms is a competitive space in tech. The The Forrester New Wave™: B2B Standalone CDPs, Q4 2021 report evaluated 14 companies. That's a lot of companies already, and newer startups haven't made the list yet.

Competition alone isn't cause for concern, though. The market for customer data platforms is an emerging one (hence the "New Wave" terminology by Forrester). Companies and buyers are still sorting out the features they value most.

Why could this be a big company?

The macro-level shift is clear: companies are moving away from building and maintaining their own customer data platforms. Combine this trend with ripple effects from privacy regulations and Apple's ban of third-party tracking cookies, and you've got an important problem space that needs solutions.

Openline's open source platform could be a major advantage over competitors with proprietary platforms. Open source companies in adjacent markets (ForgeRock, GitLab, and HashiCorp, to name a few) have proven this model can be successful to the point of becoming a public company.

Overwatch

What does the company do?

Overwatch helps large enterprises detect and manage business risks that could impact their operations, supply chain, or reputation.

Where do they fit into the cybersecurity ecosystem?

The company sits at the intersection of Enterprise Risk Management and Risk Ratings. An important nuance is that Overwatch's risk profiling is mostly outward-facing. That is, it's focused on external risks that could impact a company, not internal risks within the company itself.

What are their challenges?

The problems they're solving are huge, gnarly ones. That's a challenge in the best possible way — exactly the type high potential early stage startups should be going after.

The difficulty with solving hard problems is that they're sometimes too hard to move the needle. Finding and surfacing relevant business risks among a sea of global activity is challenging.

The product has to do a great job of justifying continued spend — too many false negatives or false positives could cause enterprise buyers to lose trust and revert to old ways.

Why could this be a big company?

Third party risk is a huge problem for every enterprise company. Entire departments are dedicated to monitoring, managing, and auditing partners, suppliers, territories, and more.

However, their approach is typically reactive and narrow in scope (think vendor risk assessment questionnaires and the like). This behavior is partly a relic of legacy thinking, and partly because advanced tech didn't exist to monitor risk on a global scale. Overwatch can be a big company because it changes the game completely.

The company already has amazing customers (Stripe and Goldman Sachs were mentioned publicly) for an early stage startup. They will undoubtedly draw the attention of many more companies who want to be proactive about managing enterprise risk.

The three-person founding team deserves special mention, too — their backgrounds are incredible. A company like Overwatch can't be started by just anyone. Subjects like geopolitics, global supply chain risks, financial crimes, and others are highly specialized. This looks like a unique team solving a unique problem at a unique time in the world.

Slauth.io

What does the company do?

Slauth.io secures access to cloud infrastructure. The product scans IAM configurations for each of the three large cloud infrastructure providers, generates a map of access, identifies potential vulnerabilities, and recommends remediation actions.

Where do they fit into the cybersecurity ecosystem?

The product maps to Cloud Infrastructure Entitlements Management (CIEM) within Cloud Security.

For clarity, Slauth.io isn't an authentication service like Okta or Ping. It's focused on analyzing and identifying issues with access control, not performing the day-to-day authentication or authorization of users.

What are their challenges?

Cloud Infrastructure Entitlements Management is dangerously close to the broader Cloud Security Posture Management (CSPM) market that awesome companies like Wiz, Orca, and more are well on their way to owning. It's an open question whether access control is a standalone problem or a subset of the problems CSPM platforms monitor and remediate.

Why could this be a big company?

Access to cloud infrastructure is one of the top security weaknesses and causes of cloud-related breaches. Unit 42 at Palo Alto Networks went deep into this subject if you're interested in the data behind it.

Two identity protection companies (Attivo and Preempt, conceptually similar products) had nice exits in the past year (to SentinelOne and CrowdStrike, respectively). This category is gaining visibility as an important capability beyond core IAM systems.

An effective solution to cloud infrastructure access is a strategic acquisition target at minimum, and potentially an even larger company.

TrueBiz

What does the company do?

TrueBiz performs background checks for businesses. Traditionally, this is both a lengthy and laborious requirement that financial institutions are required to perform when doing business with corporate entities due to Know Your Business (KYB) legislation. TrueBiz automates away the paper pushing and makes the verification process both faster and easier.

Where do they fit into the cybersecurity ecosystem?

The company maps to Background Screening with a specific focus on businesses, not individuals.

What are their challenges?

Large financial institutions are typically slow to adopt new technologies, so it might be a while before TrueBiz can make a dent in a meaningful number of enterprise accounts.

Like Ballerine, the good news for TrueBiz is there are plenty of emerging fintech startups that would be glad to use their service for KYB while building a stack from the ground up.

Why could this be a big company?

Tech for performing business background checks is lagging behind its consumer counterparts. The potential for financial institutions to eliminate manual processes and headcount is a powerful incentive, too. If TrueBiz can build a product that is legitimately better than other products, it can become a big company.

The state of public markets has completely changed since I wrote a two part series about cybersecurity's IPO pipeline this January...which now seems like forever ago. It's time to revisit this topic and take a look at where things stand now.

Spoiler alert: it's gloomy out there. This isn't going to be the upbeat, full of excitement type of piece you're used to reading here lately. It's important to talk about what's happening, though — even if the news isn't good right now.

In this article, we're going to cover:

• Overall Market Conditions: Analysis of overall market conditions and impact to publicly traded cybersecurity companies.

• 2022 Cybersecurity IPOs: Recapping the one cybersecurity IPO (via SPAC) so far this year.

• IPO Pipeline Developments: Checking back in with companies in the IPO pipeline, including recent comments and events (financing, layoffs, etc.).

• Emerging Candidates: Highlighting companies who have emerged as IPO candidates that weren't included in the original series I wrote in January.

• What to Expect: Where we go from here and what to expect as the U.S. economy teeters on the edge of a recession.

We're going to start our melancholy little tour by looking at the overall condition of public markets. That's where the current challenges start for companies in the cybersecurity IPO pipeline.

Overall Market Conditions

As of July 31, 2022, valuations for public cybersecurity companies have fallen roughly 20% in the past year. The decline of cybersecurity company valuations is almost exactly in line with the overall market decline.