Rak Garg wrote Security's Fifth Estate: Predictions for 2023 nine months ago, and I can't stop thinking about it. I'm not kidding — it probably crosses my mind every day.
Here's the concept that changes everything:
Historically, there have been four big categories in security: cloud (evolving from networks prior), identity, email, and endpoint. In every generation, each of these categories has supported at least one really big winner.
I looooooooooove the idea of "estates." I've spent lots and lots of time studying the cybersecurity ecosystem and all the (often contorted) ways people try to classify it. Thinking about major industry sectors as estates has revolutionized the way I think about the entire ecosystem.
Why? Every time I think about this wacky yet magnificent industry we've created, my head spins. Cybersecurity is @#$%'ing complicated. Rak's cybersecurity estates are the perfect metaphor to make it feel manageable again.
Why am I so wound up about this? Understanding cybersecurity's estates is a superpower in your thinking about the industry. Remember the fight scene from The Matrix where Neo dances around the bullets in slow motion? It's like that... well, except we're doing spreadsheets and Zoom calls here.
Don't get me wrong — I love the allure of a deep dive. But strategy is an art form that requires a broader view. It's like navigating between the clarity and precision of Neo's bullet-dodging and the vast reality of The Matrix itself. You see the industry in a completely different way by knowing when to plunge into the rabbit hole of specifics and when to rise above and see the world for the simulated construct it is.
Rak's piece was written from his well-refined intuition as an investor. He gave us insights about cybersecurity estates and which ones might be coming next. He is the Oracle.
With this article, I'm channeling my inner Morpheus — offering a red pill to anyone ready to translate the enigmatic code of the cybersecurity industry into a clear vision of how it works.
After spending too much plugged into The Matrix, watching the stream of green characters fly by my screen (okay, I was just analyzing data in a spreadsheet), I realized something I'd never thought about before: cybersecurity industry leaders are converging around estates, and a few are transcending them.
Take the red pill, and I'll show you how deep the rabbit hole goes.
How to think about cybersecurity's estates
The concept of cybersecurity estates is valuable because it stops your head from spinning. I feel like Neo when he throws up from the mental shock of learning about The Matrix. It's like I'm gonna pop. The acronyms are nauseating.
Estates give you a mental model for simplifying all the complex jargon you hear every day. ZTNA, IGA, EPM, GRC, SIEM, yada yada yada — doesn't matter. Once you understand estates, you're in control of the simulation.
Don't get fixated on the exact definition of "estate." It's a metaphor. All it means is a bunch of similar companies in a sector of the industry... with one super important attribute: "...supported at least one really big winner."
To me, "one really big winner" means an estate is large enough to support one or more public companies and some later-stage startups. A really big winner is The One — an anomaly in the system and a symbol of hope.
Ready to learn the truth about our cybersecurity estates? Let's go see the Oracle.
Our current estates: the epicenter of strategic activity
Today, the cybersecurity industry has four estates: Infrastructure Security, Security Operations, Identity Security, and Application Security.
...Wait, what? So this means you don't agree with Rak's estates?!
I completely agree with him. I deviated by grouping network, endpoint, and email security into a broad "infrastructure" estate — but I definitely agree they're estates.
I also made the case for Security Operations as an estate, which is mainly a terminology difference from his Cloud Security estate. Sematics aside, the thinking here conceptually aligns with everything Rak said in his original piece.
Ready to plug in? In the iconic words of Cypher, "Buckle your seatbelt, Dorothy, because Kansas is going bye-bye."
Infrastructure Security has 34 companies valued at $1 billion or higher.¹ Eleven companies are public, including the likes of Cloudflare, CrowdStrike, Fortinet, Zscaler, and SentinelOne. It's the Skywalker Ranch of cybersecurity estates. Let's take a tour.
If you asked most people to name the first cybersecurity estate that comes to mind, endpoint security is probably it. You could easily make the case for endpoint security being its own estate, as Rak did.
This sub-sector has five public companies — the highest concentration in any cybersecurity estate. That's not even counting tech giants like Microsoft, which sits atop Gartner's latest Magic Quadrant and holds the largest market share in this sub-sector.
Endpoint security has also been around for an eternity. In aviation terms, it's like a bomber. Early endpoint security companies like McAfee, Symantec, and Trend Micro are the B-52 Stratofortress bomber — they've been around for decades and are still widely used today.
Meanwhile, a new generation emerged and revolutionized the industry. CrowdStrike, SentinelOne, and Darktrace headline the modern endpoint security wave. They're the modern day Stealth Bomber.
With the emergence of XDR, these companies are leading the path to convergence between endpoint security and security operations.
Network Security is going through a similar renaissance. Back in my old-school Cisco days, "network security" meant firewalls and access control lists. In 2023, Network Security and SASE are basically interchangeable.² And Network Security is back in vogue again.
This now-fashionable domain includes the likes of Palo Alto Networks, Fortinet, Zscaler, Cloudflare and Check Point. Their combined Enterprise Value (EV) exceeds $175 billion. And let's not forget about Cisco, a tech giant who just got serious about cybersecurity.
Private companies are also coming in hot. Network security also includes IPO pipeline candidates like Netskope, Illumio, and Cato Networks (fresh off its latest $238 million financing round at valuation over $3 billion).
Even more large companies are lurking in the shadows of private equity firms. Barracuda Networks, Forcepoint, Forescout, and others are all being retooled from their network security roots and expanded into massive infrastructure security platforms.
Email Security is the estate that got away, at least for now. It used to feature two public companies until Proofpoint and Mimecast were taken private for $18 billion in total — two of the ten largest pure cybersecurity acquisitions in history.
Add two more venture-backed unicorns (Abnormal Security and Material Security) into the mix, and you've got a case for Email Security being its own estate.
Email isn't going away, so there's a good chance Email Security will rise from the ashes and reach estate status again soon.
Security Operations is my (slightly Luddite) take on what Rak defined as Cloud Security. From a numbers standpoint, it's easily an estate with 24 companies valued at over $1 billion. That's second only to the mega-estate of Infrastructure Security.
Palo Alto Networks and its Cortex platform is the shining star of the Security Operations estate, with $1 billion in annual bookings and an astonishing $90 billion TAM estimate. Cisco also means business after spending $28 billion on Splunk (just pocket change, right?!). I'd put the mystical Palantir in the Security Operations estate as well.
Vulnerability Management also falls into the Security Operations estate, with three public companies (Rapid7, Tenable, and Qualys) all building towards becoming broad Security Operations platforms.
Security Operations is such a large estate that it's large enough to support public companies in smaller sub-sectors. Threat Intelligence is one example, with ZeroFox going public via reverse merger in August 2022.
Kaseya, Axonius, Exabeam, and JupiterOne highlight a group of ten VC-backed companies valued at over $1 billion in this estate. It also includes a large set of PE-backed companies, including Sophos, Sumo Logic, Trellix, and others.
Identity Security³ has been undergoing the biggest makeover of any estate in the past two years. At this point, it's like Agent Smith in The Matrix — companies can take any form they need and magically transform from one person to another.
This sector was an obvious estate before Thoma Bravo stepped in and took three companies private. Okta and CyberArk (HashiCorp too, depending on how you classify them) remain, so Identity Security is undoubtedly still an estate.
Venture capital money has been pouring into this estate for the past five years. 1Password raised nearly $1 billion of total capital at a valuation of $6.8 billion. Transmit Security raised a $543 million Series A, the largest early-stage round in cybersecurity history.
Identity verification and password management are emerging markets within the estate. Similar to Security Operations, this estate might be large enough to support a handful of public companies in those sub-sectors.
I agree with Rak on Application Security being the next big estate in cybersecurity. It might already be one.
Practitioners have long considered application security to be one of the most important parts of a security program. Web application attacks account for 25% of breaches analyzed in Verizon's Data Breach Investigations Report (DBIR). In day-to-day cybersecurity, Application Security is an important domain.
In the business world, the only reason Application Security wouldn't be considered an estate is not having a pure-play Application Security company in public markets. Synopsys does a lot of things, and Application Security is just one of them. But it still counts!
Snyk is still one of the top companies in cybersecurity's IPO pipeline (despite all the valuation drama). They will almost definitely IPO when the timing is right. Veracode is on its way, too, and going public is a likely exit strategy for Thoma Bravo.
Application Security could be headed for convergence with Cloud Security if the CNAPP concept works out. However, it's still too early to say if two large, emerging sectors can combine their products in a coherent way.
Transcending estates: platformization and the rise of end-to-end cybersecurity
A select group of companies is reaching a point of transcending estates. If this is The Matrix, they've realized the truth: there is no spoon.
The limitations of the cybersecurty industry — taxonomy, scale, growth, and ambition — are only mental constructs. By understanding the rules are bendable, these companies are going to do the impossible.
We're entering an era of cybersecurity platforms that span across multiple cybersecurity estates, just like Neo flying from building to building. Large cybersecurity and tech companies are augmenting their core estates with products in smaller sub-sectors, and even entire estates. This strategy has so much momentum that Nikesh Arora, CEO of Palo Alto Networks, coined a verb: platformization.
It's now possible for companies to win at multiple estates. Three examples:
Palo Alto Networks has a collection of multi-million and billion-dollar businesses across Network Security, Security Operations, Application Security, and Cloud Security — with really big plans for the future.
CrowdStrike turned its original next-generation antivirus into 20+ modules across Endpoint Security, Security Operations, and now Application Security.
Cloudflare took a tiny wedge of Application Security (originally DDoS protection and a WAF) and grew it into Network Security, Email Security, Data Security, and likely more.
...Which brings us to the aggregators: the estabilshment of massive tech companies, both old and new. Aggregators are companies like Amazon, Google, Microsoft, Cisco, HPE, IBM, and Oracle.
In our metaphor, aggregators are the Agents. Their mission is to prevent any form of disruption in the simulated reality of The Matrix — that is, both the old and new worlds of data centers and cloud computing.
Aggregators have enough capital to buy an entire cybersecurity estate if it gets too close to breaking free. They'll do whatever it takes to neutralize threats and uphold the masquerade. Their strategy is effective because assimilation is a tempting option for rebel cybersecurity companies who decide acquisitions are better than continued resistance.
You made it to the end — you're unplugged from The Matrix. Now go break all the rules.
¹All data used for this article is from Crunchbase with a lot of my own refinements, especially around mapping companies to estates.
²I like to keep things timeless, so Network Security it is.
³Noting for the record that this is my first time using the term "Identity Security" for describing identity. I didn't like it when Okta, SailPoint, and CyberArk started using the phrase. It's grown on me.