"Don’t call it a comeback, I been here for years." —LL Cool J, Mama Said Knock You Out
Cybersecurity's first IPO of 2025 is a triumphant comeback story from a company that's been a towering figure in the industry for years.
That company is SailPoint, who I've been following closely for over a decade now — both directly on client implementations at PwC and covering their business in my industry research.
I have a lot to say about this S-1 filing and the broader implications of their second IPO.
First, a couple (Midwestern) spicy takes¹:
- I still question whether SailPoint needed to go private in the first place.
- This is the earliest point in the window SailPoint could have gone public again.
Wait, isn't this a contradiction?!
Kind of. Let me explain.
Before going private, SailPoint was right around the cutoff line for cybersecurity's "high growth" and "low growth" cohorts. They averaged 21% top line revenue growth from 2019 to 2021.
Decent, not spectacular — and nowhere close to the lower performing companies who were taken private.
They had real business issues to face, though. Accelerating their SaaS transition was the big one. Peers like CyberArk and Varonis have successfully pulled off this transition in public markets, but it's hard.
Partnering with Thoma Bravo again was an offer too good to refuse. The rest is history.
Fast forward to today...I thought they'd let the SaaS transformation bake a little longer and get back to profitability before going back out. Might as well finish the job since they bothered to go private in the first place.
They always felt like a lock for 2025 (or early 2026, worst case). My guess was the second half of this year, even with the rumblings of a potential IPO starting in Q4 2024.
Instead, SailPoint is all set to be cybersecurity's first IPO in 2025 — and the first pure-play cybersecurity company to go public in almost three and a half years.²
It's a big moment for both SailPoint and the cybersecurity industry. Here's why, starting with SailPoint's strategic narrative.
Strategic narrative
SailPoint's timing mostly boiled down to this: they had enough proof to credibly tell the story of being a modern, SaaS-first identity security platform. The essential parts of their strategic narrative shaped up well (with some caveats).
For its part, SailPoint checked most of the boxes, even though some important ones like their SaaS transition and profitability are still a work-in-progress. They did exactly what they needed to support their new strategic narrative while maintaining their market leadership in identity governance.³
The underlying business transformation will continue, but they've likely done enough to change how the market perceives them. Package that up with a general sense of optimism about public markets, and you've got a pretty airtight case. The timing was right to go public again.
And, bigger picture — they did it without causing a major shakeup of the competitive landscape in identity security.
Let me walk you through the core parts of the narrative and show you what I mean.
A "SaaS-first" company
The first piece of SailPoint's narrative shift was becoming a "SaaS-first" company. They needed to accelerate their transition to both a subscription-based revenue model and a SaaS product. This was basically reason number one for going private.
SailPoint started with an on-premise product (IdentityIQ) back in 2005. Their first SaaS-based product (IdentityNow) launched about ten years ago and evolved into their current Identity Security Cloud offering over the course of a decade.⁴
One of the biggest knocks against SailPoint's strategy was how long the customer transition from the on-premise product to the SaaS product was taking — or if it was even going to happen at all. The leadership team was surprisingly blasé (at least in public) about the pace of transition across the company's final few earnings calls before going private.
I'd speculate that behind closed doors, they knew the transition needed to happen faster. Or, Thoma Bravo knew it needed to happen faster and was willing to finance the acceleration in exchange for a share of the upside. Or both.
Either way, SailPoint has made solid progress with accelerating their SaaS transition and, bigger picture, advancing the narrative of being a modern, SaaS-first company.
They accomplished the objective with some stellar metrics to back it up. Growing SaaS ARR at 40%+ year-over-year and overall ARR at 30%+ year-over-year are very high growth rates relative to just about any public SaaS comp you can come up with.
They've successfully converted most of their revenue to subscriptions, which includes SaaS as a subset. That's impressive given how complex migrations from on-premise to SaaS are, especially with larger customers. It's basically like implementing a completely new product.
They still have work to do, though. According to the S-1, only 60% of their total ARR is coming from SaaS.
This means SailPoint still has a lot of revenue coming from on-premise-related things, like maintenance and other subscription services. Put differently, they still have a material amount of customers using the on-premise product — and I suspect it's their largest ($1M+ ARR) enterprise customers.
Finishing the job is a non-trivial task that's fraught with risk around churn and customer dissatisfaction. Staying private doesn't make these risks go away, though. It just masks them from public consumption. I don't view this issue as a compelling reason to stay private, and SailPoint's management team clearly agrees.
I definitely buy their "new customers are starting with SaaS, and remaining customers are in the process of transitioning" part of the narrative. We shouldn't take this to unilaterally mean all of SailPoint's remaining on-premise customers are transitioning to SaaS — just that the transition has momentum.
Anecdotally, I've heard of several large, high-profile customers who are doing SailPoint SaaS implementations right now. It's definitely happening.
There's more work to do, but SailPoint's SaaS transition slog will eventually end. Sure, seeing 80%+ of subscription revenue coming from SaaS would have been ideal — but they've laid the groundwork for completing this transition faster than they ever could have as a public company.
Identity governance to identity security
The second piece of SailPoint's strategic narrative was transforming their market positioning from "legacy identity governance vendor" to "modern identity security platform".
When they went private, they were still mainly seen as an IGA vendor (albeit the market leader) in a world where both customers and investors increasingly wanted comprehensive security platforms.
SailPoint methodically addressed this perception through their SaaS transition and, more strategically, a targeted set of tuck-in acquisitions to broaden the platform:
Since going private, they added basic PAM (Osirium), non-employee access/risk management (SecZetta), and ITDR (Double Zero) for $71.8M of total fair value (not the same as the full acquisition price, but likely in the ballpark).
Add these on top of their previous acquisitions in SSPM (Intello), CIEM (Orkus), Data Security (Whitebox Security), plus others, and you've got the makings of a broader identity security platform.
Here's a quick visual to help illustrate the point (using SailPoint's graphics with my own markups). Everything highlighted in yellow or blue has been added since going private, mostly through M&A:
SailPoint had the core components of their SaaS platform in place, but they added an entirely new layer of capabilities to the stack during this period.
Many of their acquisitions are still fresh, so it's too early to tell how much of a financial impact they will have (and how soon). Independently from commercial success, they've effectively addressed the near-term narrative of being a broad(er) identity security platform.
...all without a big merger or acquisition
SailPoint landed their new strategic narrative perfectly...but the moves they didn't make tell the real story. Here's the twist: they didn't have to merge or make a major acquisition and massively shift the competitive landscape in the identity security market.
A boss move (theoretically) would have been acquiring a scaled PAM or SSO company (from the current PE-owned cohort) to compete head-on with other identity security giants like Okta, CyberArk, Ping, and Microsoft.
There are plenty of later-stage, privately held, 8-9 figure ARR identity companies SailPoint could have acquired:
Not all of these companies are viable targets, obviously — but nothing feels out of reach for Thoma Bravo right now. The point is just to illustrate how many potential options SailPoint had available if they wanted to make a big move.
And, remember: Thoma Bravo already merged Ping Identity and ForgeRock, two other identity security companies in their portfolio. Merging SailPoint with one or both of these companies would have been challenging, but it certainly wasn't out of the question.
SailPoint didn't have to do any of this. Instead, they took a more measured and pragmatic approach — and it looks like their strategy is going to work (near-term, anyway).
Doing a major acquisition would have been both risky and financially prohibitive.
Most of the major identity security companies have their own lanes, and the market is still big enough (now) for everyone to stay in the lane they've been in. SailPoint will be fine on the competition front for a while.
That's not to say they're without competition — just that there is still enough room for SailPoint to maneuver in both their core identity governance segment and the overall identity security market.
Okta's identity governance product (OIG, the part that competes directly with SailPoint) is still pretty new. It has good traction, but it's still nowhere near the scale or sophistication of SailPoint. Okta's new product will eventually become more competitive in SailPoint's core upper middle market and enterprise customer segments, but that's still years away.
Microsoft's Entra platform is strong, largely thanks to the directory service formerly known as Active Directory and growing momentum in the Single Sign-On (SSO) space. They have an identity governance product, but the overall Entra platform is more competitive with Okta than SailPoint.
Saviynt is a legitimate threat (and likely on a path to its own IPO), but it's still a much smaller company. They disclosed $150 million of ARR at the end of their 2023 fiscal year. They're winning some competitive deals, and there's still a lot of market share left between legacy product migrations and customers who decide to shop around when migrating away from SailPoint's on-premise product.
CyberArk and Ping Identity are both big, important companies in the identity security market — but they're not direct competitors with SailPoint. Current product overlap with SailPoint is minimal, especially in core identity governance features.
More direct competition feels inevitable, but not today. SailPoint has a nice lane carved out for itself in the market by owning the larger identity governance deployments.
One other thing: they also have significant debt. A large acquisition would have been impossible without a major restructuring. About the debt part...
Financial narrative
SailPoint's IPO narrative has several critical financial topics to address, debt being one of them.
On the financial side, I'm focused on the highlights and strategic implications. CJ Gustafson's analysis on Mostly Metrics should be your first stop if you want a professional, CFO-level financial analysis of the S-1.
Through my strategic lens, the financial part of SailPoint's IPO narrative hinges on debt, profitability, margins, and the immediately adjacent impact of each. Here's my interpretation beyond the S-1 print.
Debt and R&D spend
SailPoint has a ton of debt. $1.59 billion via term loan, to be exact. They're spending over $175 million on interest alone, which is just under the $180 million they spent on all of R&D in FY'24.
There's nothing too weird going on here. It's normal for a private equity firm to use debt for partially financing the acquisition. The S-1 is clear about SailPoint's plan to use some of the proceeds to pay down the term loan, so they won't be quite this indebted for long.
Regardless of the exact amount of debt they carry post-IPO, the implications are important — especially in the context of R&D spend.
Identity security in general is a highly competitive space (despite my comments on SailPoint's lack of direct competition earlier). Both late and early stage companies are investing significant capital into improving and building out their products, which falls under R&D.
Okta alone spent $656 million on R&D in their FY'24, and $158 million in Q3'25 alone (~$20M less than SailPoint invested in an entire year). And, according to Altitude Cyber's 2024 Year In Review, identity security startups raised a total of $1.08 billion in 2024. That's on top of $1.11 billion the year before.
R&D spending isn't a direct indicator of results or product quality, but there's definitely a correlation.
SailPoint clearly demonstrated R&D efficiency by advancing their SaaS transition this far at relatively reasonable R&D costs. This is about more than a SaaS transition, though.
As a public company, SailPoint is going to have to both defend their market leadership position and (eventually) brace for head-on competition with other major players in the identity security market. They need breathing room to keep investing in R&D, which means managing debt is a top priority.
Gross margins
SailPoint's gross margins are...below average... at 67% for their FY'24. Gross margins for Morgan Stanley's security group are at 81%:
Secureworks has the lowest gross margins at 70%. They're primarily a services company that will soon be going private once their acquisition by Sophos closes.
SailPoint has things like their ongoing SaaS transition, scaling infrastructure costs, and take-private transaction-related expenses to blame, but profitability is going to have to improve quickly if they want to be valued like the top performing SaaS companies.
Another potential issue is more strategic. If (BIG IF, just intuition and speculation on my part) they're experiencing significant pricing pressure and discounting to retain and win customers, margins are going to keep suffering.
I don't know if this is happening, but it's possible. Like much of enterprise software, every new $1M+ ARR customer opportunity they have is a competitive bid. SailPoint also has the added challenge of not ending up in competitive bids when their customers switch from the on-premise to SaaS product.
There are a lot more nuances to the margin story, and they play out in places like profitability and customer acquisition costs.
Profitability, customer acquisition costs, and market opportunity
Profitability had become an issue when SailPoint went private, and investors probably aren't going to love their continued (although substantially reduced) losses this time around.
Context matters, though – and there are some specific nuances about the identity security market that make SailPoint's situation very reasonable.
Here's the punch line on SailPoint's profitability: they're currently spending $2.85 to acquire $1 of ARR.
That seems terrible on the surface, but identity security products like SailPoint have a very important property: they're incredibly sticky once implemented. Like, prohibitively expensive and painful to replace. That's part of the reason why SailPoint's retention metrics are outstanding (114% NRR / 97% GRR).
Their CAC payback period is ~2.85 years, which is pretty high, but really no big deal in identity security terms. They keep most customers for much, much longer than that. A decade-plus is common. SailPoint (and their channel partners) are very good at supporting and retaining customers, so the mechanics here should just keep getting better with scale.
(Somewhat) crossing back over into strategy land for a minute: I was surprised how many smaller ACV customers they have. Here's the breakdown from the S-1:
I would have guessed a much higher count of $1M+ ARR customers and a much lower count of sub-$250K accounts. This tells me two important things. Their customer base is more diversified than I thought, and they still have room to grow in the enterprise customer segment.
They're just going to keep picking off implementations from legacy competitors (Oracle, IBM, etc.) until they have to compete more broadly. SailPoint will almost certainly be over $1 billion of ARR by then.
SailPoint deserves every minute of the spotlight and glory from this milestone, but this move has broader implications for the rest of the industry. Here's why.
Industry impact
SailPoint being the first cybersecurity company to go public in 2025 is the best thing that could have possibly happened for the rest of our IPO pipeline. They did everyone else a huge favor.
It's wayyyyyy better to re-introduce a well-known company and break the ice before we start rolling out companies the market hasn't seen yet.
Even though people are optimistic, tech IPOs are still warming up from the ice age we've been in for the past ~three years.
We're still figuring out exactly how the market is going to value new companies based on their revenue scale, growth rate, profitability, and other metrics. The benchmarks so far have set a pretty high bar, especially for revenue scale.
Most of the expert predictions point to expectations relaxing and subscale (<~$500M ARR) companies being able to go out again, but all of this is still in flux.
SailPoint is the perfect dosage of excitement and familiarity.
Right now, all signs point to this being a good IPO — exactly what we needed to get the pipeline moving in 2025.
Follow this up with another strong candidate or two (Netskope?), and cybersecurity's IPO window is officially open again.
Mama said knock you outttttttttt...huuh!
Footnotes
¹Midwestern (United States) people are notorious for disliking spicy food, myself included. We prefer to keep things bland. "Midwestern spicy" means a very, very mild level of spice.
²The first traditional, mid-cap IPO for a pure-play cybersecurity company, that is. We've had a few SPACs and nano cap companies go public, but most of the industry focuses on traditional IPOs. Rubrik technically went public in 2024 (and has done well), but many people classify them as a hybrid IT/infra/security company.
³I'm leaving the obligatory AI-enabled-whatever parts of the narrative aside for now. Yes, SailPoint covered them — I just don't think AI is a core part of the narrative here, at least near-term.
⁴Intentionally or unintentionally, SailPoint has thoroughly obfuscated the exact release date of IdentityNow. "About ten years ago" is the most accurate timing from an official source, so we'll go with that.