The Mirage of Mandiant

New Mandiant, we hardly knew ye. Only 155 days after the company sold FireEye and re-branded to Mandiant, they're being acquired by Google for $5.4 billion.

The acquisition has been a widely discussed topic within the information security community since it was announced. Mandiant is one of the most visible and respected companies in the cybersecurity ecosystem. News like this hits differently.

Big picture, an acquisition changes the equation for Mandiant in a different way than going private and remaining an independent company. There is more uncertainty about what the future holds for Mandiant as we know it and how the company fits within the vast Alphabet (Google) empire. People have a lot of questions and concerns about what's going to happen next.

Admittedly, I have had a lot of the same questions running through my mind since the news broke. I have covered Mandiant a lot in the short amount of time I've been writing this publication — possibly more than any other company, although I'm not keeping score.

I decided to take my time and think through a rational analysis rather than rushing to offer a quick opinion. Now that I've done this, I feel a lot more positive and optimistic about the combined future of Mandiant and Google. The new Mandiant may have been a mirage, but I'm hopeful the best parts of their vision can still be carried out — and maybe even improved and accelerated — under Google.

To summarize my general line of thinking: I don't believe there was a singular reason behind this acquisition. With large, complex deals like this, there are usually a multitude of reasons. Human nature tries to boil complex subjects down to a simple explanation. Rather than making that mistake here, we're going to explore the nuances.

In this article, we're going to logically step through:

  • What happened with Mandiant

  • How the significance of Mandiant changes at the scale of Google

  • Why Mandiant isn't headed for Google's graveyard

  • What the acquisition means for Mandiant and Alphabet

  • What the acquisition means for the cybersecurity ecosystem

First, a couple important caveats:

  • This analysis was done completely through publicly available information. I didn't speak with anyone at Mandiant or Google directly. It's analysis, not reporting.

  • A lot of this article is my own speculation, which is bound to be wrong. There is still value in speculation — just take it with a grain of salt.

Also, semantics:

  • When using "Alphabet," I'm referring to the top-level company that owns Google.

  • When using "Google," I'm referring to the business unit within Alphabet that Google Cloud is a part of.

  • I mention "Google Cloud" or "Google Cloud Platform" specifically when referring to the business unit and cloud service.

Caveats aside, let's start breaking down what's happening here.

What Happened With Mandiant?

There is a lot to unpack with this acquisition, so I'm going to summarize what happened in the relatively recent period of time as concisely as possible. This article is about the impact and the future, so I only want to focus on the parts of the past that provide relevant context about what led to the acquisition. If you're interested in a deeper analysis of Mandiant and FireEye, I wrote about it in Mandiant and the Future of Cybersecurity Services.

In a word, the problem with Mandiant as an independent company was profitability. This blunt assessment isn't meant to sound like cold-blooded capitalism. It's more of an objective observation and, in hindsight, a lesson to learn from.

Looking at Mandiant's operating income (a good way to measure profitability from regular operations) for the past decade is telling. The company had substantial operating losses every year during this period — an average of $297.3 million per year.

Most of this data includes FireEye, but the divestiture didn't make a huge difference. Mandiant still wasn't profitable in the quarters after the sale, and their leadership team was clear that investors should not expect profitability until at least 2023. Unfortunately, they had a pattern of losses that investors couldn't stomach.

Anecdotally, Mandiant created far more value than it captured. I made this observation in my October 2021 article about Mandiant's post-FireEye strategy:

Identifying the Chinese APT-1 espionage unit and the SolarWinds breach are two of the most significant accomplishments in modern cybersecurity history. This is exactly Mandiant's dilemma: the company hasn't been able to capture enough of the value they've created through research and innovation.

Highly visible accomplishments like these — plus the day-to-day engagement Mandiant has with the information security community — are the reasons people in the community get emotional about the work Mandiant does. We feel attachment with the brand, regardless of whether we work directly with them or not.

At the time of Mandiant's re-launch in late 2021, I was super excited about the idea of building productized services at scale and the impact Mandiant's strategy could have on professional services in cybersecurity. I wanted the new Mandiant to work.

Admittedly, this was an optimistic take on how their strategy could work. Their success was improbable. Deep down, I knew that — more than I was comfortable writing about at the time. For the strategy to work, I knew that Mandiant needed to start showing results quickly:

Mandiant's productized services model has to start showing results quickly. If it doesn't, investors are going to view Mandiant as just another professional services firm with underperforming profitability.

In a follow-up article that included Mandiant's FY21 earnings, I expanded on the timeline for their transformation and how they could buy more time by changing perception:

...as a public company, they're in a vulnerable position until their balance between profitability and growth gets fixed.

The fixing starts with perception. This iteration of Mandiant isn't the Mandiant of old. Here's one example: do you still think Mandiant is in the professional services business? Think again. From Kevin Mandia:

"We're not a services company. We don't wake up every day and go, let's maximize services."

Mandia's dismissal of perceptions that Mandiant is a professional services business couldn't have been more clear. The shift in perception is important from a strategy perspective, and also for managing investor expectations.

These now sound like famous last words — ominously published less than two weeks before Mandiant was acquired by Alphabet. However, there are still a lot of reasons to be optimistic.

The acquisition creates a new set of opportunities that weren't available to Mandiant as a public company under the microscope and scrutiny of investors. At a macro level, the main opportunity is for Mandiant to execute their strategy (or Google's modified version of it) within the towering shadow of Alphabet's financial empire. Let's talk more about that.

Significance Changes at Scale

For Mandiant, the best medicine for curing over a decade of losses is the financial stability Alphabet can provide. Financially, this acquisition is completely insignificant for Alphabet. This insignificance is a very good thing for Mandiant.

An important caveat: I say "insignificant" purely from a financial perspective. Mandiant is an incredibly important and meaningful company for both Google and the cybersecurity ecosystem. There is a ton of qualitative, non-financial significance in this transaction — we'll get to that later. First, we need to set the stage with the financial part of the deal. Which...is insignificant. Here's why.

Alphabet is one of the most reliable and profitable companies in the world. They earned over $200 billion in annual revenue for the first time in FY21 — $257 billion at a 41% year-over-year growth rate (!!!), to be exact. Their operating income for FY21 was $78.7 billion. By comparison, Mandiant's total FY21 revenue was $483.5 million. In other words, Mandiant's total revenue is less than 1% of Alphabet's operating profit alone.

Alphabet operates on a completely different size and scale than Mandiant did as a public company. The sheer magnitude of Alphabet obfuscates any near-term profitability struggles that Mandiant has. To give you an idea of what I mean, consider this (from The Verge):

The company doesn’t typically break out numbers for devices like its Pixel phones, Nest smart home products, or the Android operating system, instead including them in “Google other” under “Google Services.”

You read that correctly. A large segment of Google's mobile operation — you know, the one with the largest mobile operating system market share in the world — isn't large enough to merit a detailed breakdown in Alphabet's earnings releases. That's partly due to some creativity in how business units are financially bundled within Google, but the broader point stands: Alphabet can afford to make investments in growth, and nobody will bat an eye.

Alphabet's Google Cloud business does get mentioned in earnings releases. It actually operates at a loss — $890 million on $5.54 billion in revenue for FY21. Nobody cares about the loss because of how wildly profitable the rest of Alphabet is. And guess what? Nobody is going to care about the loss once Mandiant joins the Google Cloud umbrella sometime in 2022.

Sure, Alphabet paying $5.4 billion for Mandiant sounds like a lot...until you realize they had $140 billion of cash in the bank at the time of the acquisition. $5.4 billion is a measly 3.8% of Alphabet's cash.

An analogy for comparison: this acquisition is like you spending $3,800 on a nice TV when you have $100,000 in cash sitting in your savings account. This analogy is actually oversimplified — it's that, plus having a $750k salary, a house and cars that are fully paid off, college savings for your kids, and maxed out retirement accounts. You get the point. Alphabet bought something they can afford.

Why does financial stability and the relative insignificance that comes with scale matter for Mandiant? Time. They need time to build the product and services vision without quarterly scrutiny from investors. I made this quasi-prediction when writing about Mandiant's post-FireEye strategy:

I wouldn't be surprised to see Mandiant take the company private so they can step out of the public spotlight and scrutiny like other large cybersecurity consulting firms. Going private could give them the time and capital they need to build a productized services strategy at scale.

Going private was one viable option for buying time. I didn't mention it in the earlier article, but being acquired by a large company like Alphabet was another viable option. This acquisition gives Mandiant a similar set of options — including time and capital — albeit with the very real tradeoff of independence.

Forgoing independence to operate under the control of Alphabet's management team has consequences across every aspect of Mandiant's business. These consequences can be both good and bad. Next, we're going to explore the implications across Mandiant's products and services.

The Myth of Google's Graveyard

Right on cue, the skeptics started talking about how Mandiant is (eventually) going to end up in Google's notorious product graveyard after the news was announced. There are a lot of valid questions surrounding the acquisition, but this isn't one of them. Mandiant is absolutely not headed for Google's product graveyard.

Debunking this myth requires some evidence, so let's start with the data. Here is a sorted list of the largest companies Alphabet has acquired, cut off roughly at the $500 million mark:

Source: Wikipedia

All of the companies on this list are still part of Alphabet's product portfolio in some shape or form — some in very significant ways. As with all acquisitions, mileage varies on returns. YouTube, for example, was an obvious steal at $1.65 billion. Even though others may not be breakout successes, no company on this list was a complete dud that went straight to the graveyard.

Mandiant is the second largest acquisition Alphabet has ever made — well behind Motorola Mobility and well ahead of Nest and AdSense. As a headline, Mandiant being Alphabet's second largest acquisition ever seems significant. Alphabet doesn't make many large acquisitions, though. Especially not for a company with as much revenue and cash in the bank as they have.

By comparison, Oracle has paid over $5 billion for six companies, including $28.3 billion for Cerner alone in December 2021. And, as we discussed in Themes From Momentum Cyber's 2022 Cybersecurity Almanac, private equity firms are making multi-billion dollar acquisitions of cybersecurity companies at an impressive rate.

So, why don't Alphabet's high value acquisitions end up in the graveyard? There is a big difference between "toy apps we bought for peanuts to experiment with" and "serious company we paid hundreds of millions or billions for." Mandiant is a proven business with world class capabilities in multiple areas. Their situation is not the same as a social app Google cooked up internally or an acqui-hire they spent a few million on.

Alphabet employs some of the smartest people on the planet. They are absolutely not going to make a multi-billion dollar acquisition without a plan for making it successful. We should expect Alphabet to make the same level of commitment for Mandiant.

However, there is still a lot of gray area between "Alphabet isn't going to kill Mandiant" and "Mandiant will continue to operate unchanged." We should definitely be expecting changes, some of which could be significant. We'll explore some of those possible changes next.

What This Means for Mandiant

The transition to the new reality of Mandiant living under the Google Cloud umbrella is going to take some time. We may not see any obvious changes for a while, but now is a good time to make some educated guesses. We'll start with Mandiant.

Professional Services

Perhaps the biggest open question about Alphabet's acquisition of Mandiant is what will happen with their well-known professional services business. It's a valid question with the potential for significant impact depending on what Alphabet decides to do.

Hacker News commenter ocdtrekkie had a nice, punchy summary of the dilemma in a discussion about the acquisition:

...it's very unlikely Google wants to be in the incident response consulting space: Google entirely hates any line of business that can't be automated into a smooth profit paste. Flying security professionals out to clients isn't in their DNA.

Alphabet, and Google in particular, is definitively a product company. They have minimal professional services revenue — it's not even a line item in their 10-K. The only mention of professional services in the filing is about Alphabet's expenses for hiring external consultants.

Alphabet's definition of "services" is literally the exact opposite of what Mandiant does. At Alphabet, the word "services" means "products." Google Services is one of two major business segments (ironically, Google Cloud is the other one). Their Google Services segment holds all the core products we traditionally associate with Google: Android, Chrome, Gmail, Maps, Photos, YouTube, etc.

Google's idea of "services = products" seems to align well with Kevin Mandia's recent "we're not a services company" declaration...except that professional services makes up roughly half of Mandiant's annual revenue. It's even more nuanced than that, though — mainly because the other half of Mandiant's business also includes services sold via subscriptions. Mandiant is a professional services business that's actively trying not to be. And Google would be glad to help with that.

Now that the ideological divide is clear, what happens with Mandiant's professional services? Multiple actions are likely to be taken with varying levels of impact to Mandiant's existing business model. Google is going to do what benefits Google — that's part of the tradeoff for being acquired.

In the long run, subscription-based services revenue is likely to be much more appealing to Google than one-off, non-recurring professional services projects. I wouldn't be surprised if Google ends Mandiant's consulting business entirely. That statement may sound heretical, but it's definitely in the realm of possibility.

Within the recurring, subscription-based services, Mandiant's Threat Intelligence and Managed/Automated Defense services should both be highly appealing to Google and its Google Cloud customers. Especially the world-famous threat intelligence services.

Threat intelligence aligns a lot better with the DNA of Google than you might expect. Remember Google's mission:

Our mission is to organize the world’s information and make it universally accessible and useful.

At an abstract level, threat intelligence is information. And great threat intelligence is highly valuable information. It's also notoriously difficult to organize and make universally accessible and useful — exactly the part Google specializes in.

The distinction is important but nuanced. Google isn't just a pure tech company — they're an information company at the core. Search is tech that gives you results. YouTube is tech that gives you videos. Gmail is tech that gives you emails. Maps is tech that gives you directions. Flights is tech that gives you flight details. AdSense is tech that shows people ads...and so on.

This differs from pure tech like, say, a database platform (MongoDB, for example). MongoDB builds the tech, but they don't care what information you use their database to store and retrieve. Google does, at least for its core products (services?!). Every product has an objective.

The same concept applies for threat intelligence. Combined with tech, it gives customers information about cybersecurity threats. Mandiant is the best at sourcing this information. Google is the best at providing it. The combination is potentially a winning strategy.

Operating Mandiant's threat intelligence unit under the Google Cloud umbrella can potentially solve many of the difficult challenges Mandiant had with sustaining this expensive capability. I previously described the challenges like this:

Mandiant's threat intelligence unit is a heavy duty operation. This commentary starts to give you an idea about why their R&D spending is so high — it's not cheap to deploy hundreds of highly paid threat analysts globally, rapidly analyze their findings, and disseminate them to thousands of customers. Mandiant is making one of the largest attempts ever at executing a productized services strategy. Something like this can be done by governments in the public sector, but they're not bound by profits like Mandiant is in the private sector.

The last line is particularly interesting, partly because a company like Alphabet is an obvious exception. It's accurate to say that governments aren't bound by profits like public companies are. However, highly profitable companies like Alphabet can also defy gravity: their scale and profitability allows them to make investments in loss leaders like global threat intelligence, and nobody questions them.

The return on investment part gets interesting at cloud scale. Alphabet doesn't release specific figures about the number of Google Cloud customers. However, we do know it generates $5.54 billion in annual revenue, growing at a ~45% clip. That's the type of scale that makes it sustainable to invest in threat intelligence.

Information products (like threat intelligence) have essentially zero marginal costs of replication. Selling the information to more customers distributes the cost of research to produce it. In the case of Google Cloud, selling threat intelligence to the however-many-thousands of customers Google Cloud has as part of their cloud subscription is super appealing.

Mandiant Advantage Platform

Mandiant Advantage is the technology platform that powers Kevin Mandia's big idea for productized services. The platform was assembled primarily through smaller acquisitions to compliment homegrown products. Much of the new Mandiant's recent work (and R&D spend) was integrating the acquired technology and building new features and products on top of it.

The time and effort Mandiant invested in building and integrating the platform may have factored in to Alphabet's acquisition rationale, but probably not in a significant way. Alphabet — a world class tech company — didn't acquire Mandiant for their tech. What happens with Mandiant Advantage is a big question mark.

Alphabet is fully capable of building products. They already have built several security products within Google Cloud. And they just acquired Siemplify for its security orchestration, automation and response (SOAR) features.

There isn't a ton of overlap between Google Cloud's existing security products and Mandiant Advantage — which Google obviously thought about before the acquisition. So, there's a reasonable chance the technology behind Mandiant advantage could become a permanent part of Google Cloud.

However, Mandiant Advantage as-is will probably go away and be folded into the existing portfolio of security products in Google Cloud (sans Mandiant branding). Most people aren't going to sweat the downside. Mandiant Advantage is new, and people are endeared towards Mandiant for different reasons.

The upside is much better: the big idea behind Mandiant Advantage (using technology to augment and scale human threat analysts) now has the entirety of Google Cloud's products at its disposal. Integrating and maximizing Mandiant's use of all the products will take time. Gaining customer adoption will, too. However, this is potentially a massive step forward in both tech and customer adoption — albeit in a different, Google-flavored form.

Addressing the elephant in the room: it's definitely not out of the question that Google decides to throw out the entire Mandiant Advantage platform or rebuild it over time. That's the advantage Google has as a product division and the disadvantage Mandiant has by selling their company. Immediate disassembly or disposal of Mandiant advantage seems unlikely, though.

Whatever Google Cloud leadership decides to do from a product perspective, I don't think it matters in terms of the overall productized services offering. Mandiant's core competencies of incident response and threat intelligence services were built long before the company attempted to productize them with Mandiant Advantage. That is to say, the competency depends more on people than technology. Mandiant's technology was a secondary part of the acquisition — icing on the cake, so to speak.

Longer term, the upside is that Google can potentially help realize Kevin Mandia's productized services vision faster. Tech was the limiting factor in Mandiant's strategy as an independent company. The vision for what they wanted to build with Mandiant Advantage is awesome, but it's also somewhat unprecedented. It's going to take a lot of time and energy to build. Better to undertake the journey with a world-class product company like Google.

Public Research and Threat Intelligence

A topic the information security community is particularly interested in is whether Mandiant's public research and threat intelligence information sharing is going to continue.

As discussed earlier, Mandiant has gained a lot of its fame from publishing freely available research about high profile threats and attacks. Taking that away from the community is a huge disservice — hence the concerns.

It's hard to say for certain, but I expect their public research will continue in some shape or form after the acquisition. It may happen under the Google brand, though — mainly because of the attention groundbreaking research receives. The same viral effect that carried Mandiant to prominence is also a nice uplift for Google Cloud as it seeks to increase credibility in security (and yet another intangible reason why this deal was worth $5.4 billion).

At a mission level, Google's about website literally places cybersecurity alongside increasing economic opportunity as a strategic priority for the company:

As Google does, this vision is obviously grandiose. You don't say something like this unless you mean it, though. Acquiring Mandiant is a bold statement to prove that you mean it.

Google also has a relatively good track record of its own for publishing security research and contributing to the community. They recently summarized their contributions nicely in a recent press release:

We’ve published over 160 academic research papers on computer security, privacy, and abuse prevention, and we warn other software companies of weaknesses in their systems. And dedicated teams like our Threat Analysis Group work to counter government-backed hacking and attacks against Google and our users, making the internet safer for everyone.

In the same press release, the company also announced $10 billion in cybersecurity program investments:

That’s why today, we are announcing that we will invest $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security.

The nature of the investments was vague, but you shouldn't take this as "Mandiant was $5 billion out of that $10 billion." The $10 billion is likely for investments above and beyond Google's core business and products — generally for the betterment of the community, not Google directly.

It's hard to say exactly how Mandiant's public contributions will change after the acquisition closes, but it seems safe to assume they will continue. The intent behind Google's contribution to cybersecurity is definitely there, along with some tangible evidence of action to back it up.

What This Means for Alphabet

Acquiring Mandiant is a big deal for Alphabet, despite how much I minimized the financial impact of the acquisition. Much of the value Mandiant brings is either intangible or a second-order effect.

Alphabet gains a large (and hard to quantify) amount of goodwill that comes from Mandiant's brand and credibility alone. Reputation matters, but they also gain Mandiant's core technical competencies — a valuable addition to the Google Cloud Platform.

Acquiring Mandiant also keeps Alphabet's competitors from gaining the same advantages. Unlike other technology-focused acquisitions, Mandiant is one of one — there isn't really another company with the same combination of skills and brand.

Beyond these high-level benefits, there are a few specific areas of impact for Alphabet that are worth diving into deeper.

Antitrust Implications

First, it's not completely certain this deal is actually going to close. There is already speculation and demands for the transaction to be struck down because of antitrust. Alphabet is already facing significant antitrust scrutiny from regulators. Tech regulation in general is en vogue with governments across the globe.

Even with the point I made earlier about this deal being financially insignificant, most regulators aren't going to read past the "Alphabet's second biggest acquisition ever" headline. The Mandiant acquisition is just another drop in the overflowing bucket of evidence antitrust regulators are compiling against Alphabet.

If this deal gets delayed or struck down, the cause won't be Mandiant in isolation. The cause will be the aggregated set of concerns with Alphabet — primarily its advertising business.

Antitrust is a fluid topic, and I'm certainly not an antitrust lawyer. However, it seems unlikely this acquisition is going to be blocked. Despite the likely drama and rhetoric, reasonableness should enter the picture at some point in the process. The case against this being an antitrust concern is relatively strong:

  • Google Cloud is the third largest cloud provider, far from a monopoly in isolation from the remainder of Alphabet.

  • Mandiant is a leader in cybersecurity professional services, particularly incident response and breach investigations. However, their competitive position isn't a monopoly.

  • Mandiant's technology assets (the Mandiant Advantage platform) exist in an extremely competitive market, namely XDR.

  • Amazon AWS and Microsoft Azure both have competitive security offerings, as do hundreds of private companies within the broader cybersecurity ecosystem.

  • The size of this transaction is small and makes an immaterial impact on Alphabet's revenue.

We'll see how the antitrust situation plays out as the deal moves through the closing process in the coming weeks and months.

Google Cloud Risk Protection Program

In March 2021, Google Cloud announced their new Risk Protection Program — a wildly innovative model (relatively speaking) for managing and distributing security risks for customers. This program reshapes the paradigm for cloud risk management in a way that only a select few companies like Alphabet could achieve.

Here's the big idea:

  • Customers who use Google Cloud and enroll in the Risk Protection Program can get a purpose-built cyber insurance program for everything they run in Google Cloud.

  • In exchange, Google takes shared responsibility for securing the customer's cloud environment and optimizing security and compliance over time.

  • Security posture gets measured and reported to the insurance providers, who then have better data (and more comfort) to model risk as they underwrite policies.

This model solves a lot of problems:

  • Some major insurers have stopped offering cyber insurance because it's too risky. Having data about a company's security posture (and Google's expertise for improving it) makes the risk more palatable.

  • Companies want to move to the cloud but defer, partly because cloud security is hard and skills are scarce. Getting help from Google to secure cloud workloads is super appealing.

  • Alphabet wants to increase Google Cloud market share. The Risk Protection Program incentivizes customers to move as many workloads as possible on to Google Cloud. Anything outside of Google Cloud isn't covered under the insurance policy.

Mandiant fits into this equation nicely. If Google is on the hook for keeping customers in the Risk Protection Program secure, it sure helps to have people like Mandiant around to do it.

If there is any room for Mandiant's consulting business to stick around under the Google Cloud umbrella, this is it. The Risk Protection Program is only in "preview" mode right now, so the number of customers using it is presumably limited. If the model catches on and reaches general availability, Mandiant's former consulting practice will have a lot of work to stay busy with.

Market Share for Google Cloud

For Alphabet, one of the primary success criteria for this deal is "does it make our Google Cloud revenue go up?". The revenue Mandiant earns directly is secondary compared to its overall contribution to the Google Cloud bottom line.

Compound growth gets wild in situations like Google Cloud. $5.5 billion in revenue isn't astonishing, but a ~45% growth rate is. Mix in the cash infusion from Alphabet's other profitable businesses, and you've got rocket fuel for growth.

The part where Mandiant comes in is helping Google Cloud maintain or increase the growth rate. That's where the indirect contribution part comes in — adding Mandiant's ~$400 million in annual revenue to Google Cloud's bottom line doesn't matter as much as the uplift Mandiant gives everything else in Google Cloud.

Here's a quick thought experiment to demonstrate the point: if Google Cloud continues growing at 45% annually, its revenue in 2025 would be $24.3 billion. That's a $7.5 billion increase from 2024 and an $18.8 billion increase from the $5.5 billion in revenue reported for 2021. Accelerating the growth rate by just 5% (to 50% year-over-year) creates an even more dramatic effect: $27.8 billion in revenue by 2025, a $22.3 billion increase from 2021.

This example is a lot of finance speak, but it gives you an idea about why growth rates and maintaining or accelerating compound growth matters. Spending $5.4 billion on Mandiant looks pretty appealing if it helps you increase revenue by $18-20 billion in five years, and even more in the long term.

Tactically, security is a major factor in capturing the remainder of the cloud computing market. Any on-premise workloads that can easily be moved to cloud already have. The low-hanging fruit is essentially gone. And it's probably staying on whatever cloud it's on now. The workloads that are still on-premise have reasons for not moving — security being one of them.

The best way for Google Cloud to grow its revenue isn't to take existing customers away from other cloud providers. It's to win more of the remaining workloads that remain on-premise. Alphabet CEO Sundar Pichai views security (and Mandiant, by proxy) as a key to unlocking it. From Alphabet's Q2 2021 earnings call:

[Security] is definitely an area where we are seeing a lot of conversations, a lot of interest. It's our strongest product portfolio, and we are continuing to enhance our solutions, be it integrating Chronicle, BeyondCorp and all the product components we have there. So a definite source of strength and you'll continue to see us invest here.

Acquiring Mandiant is one such investment. Expect to see more as Alphabet makes this vision a reality and a growth driver for Google Cloud.

What This Means for the Cybersecurity Ecosystem

There is a lot to grok with the direct impact to Mandiant and Alphabet alone, but we're not done quite yet. The acquisition creates ripples in the rest of the cybersecurity ecosystem. Let's finish by looking at a few of them.

Incident Response Services

First, the big micro-level question: what happens to the market for incident response services now that Alphabet is acquiring Mandiant? It's unclear if or to what extent Mandiant is going to continue providing professional services under Google Cloud, especially long term.

Mandiant has been the market leader for incident response services for more than a decade. The acquisition creates a potentially significant disruption (or opportunity, depending on where you sit) in the market.

I wrote this when previously writing about Mandiant's transformation after selling FireEye:

Their transformation is high risk, high reward. If the transition doesn't work out, their failure is going to create a giant opening for opportunistic service providers to disrupt Mandiant's dominance in breach responses and threat intelligence.

This prediction is more relevant than ever, especially in breach response. The window of opportunity is now wide open for professional services firms to fill the void that (I fear) Mandiant will inevitably leave behind.

It's possible that incident response services are becoming commoditized. Competitors have been building out service offerings for years. Mandiant is well known for incident response, but they're not the only show in town.

Regardless of how big or small of a void Mandiant leaves in the incident response market, there won't be one single firm that replaces them. The more likely outcome is multiple firms (large and small) divide up market share. New market leaders may emerge, but there probably won't be another Mandiant.

Professional Services and Public Markets

Losing Mandiant as a publicly traded cybersecurity professional services company is a pretty strong vote against the viability of such companies in public markets. The somewhat grim conclusion might be this: professional services companies in cybersecurity don't make for good public companies.

SecureWorks is now the only cybersecurity professional services company traded on U.S. stock exchanges. Everyone else, from big to small, is private. I detailed some of the reasons why when breaking down challenges for traditional professional services firms:

Cybersecurity professional services firms are traditionally private for several reasons. A big one is their business model. Unlike SaaS companies, professional services firms have minimal recurring revenue. They have to manage their sales pipeline and grind out new project wins continuously. Reputation and scale matter, but future stability and growth have an element of inherent instability.

It's not out of the question that another cybersecurity-focused professional services firm could go public. Consolidation of professional services companies is a major theme in the industry, which I wrote about in detail while analyzing Momentum Cyber's 2022 Cybersecurity Almanac.

If other candidates emerge to go public, they're either going to come from consolidation or a subscription-based business model, a la Arctic Wolf's Managed Detection and Response (MDR) solutions. Arctic Wolf is probably the closest quasi-services company in the IPO pipeline. Otherwise, I would expect to see the consolidation activity happening in transactions between private companies.

Consolidation of Security Under Cloud Providers

Finally, the big picture: it's very possible we could see a run of security company acquisitions by cloud providers.

Security is one of the biggest barriers remaining for any organizations who still maintain on-premise data centers. Cloud providers know that and have the capital to fix it. Alphabet has made their intentions clear. Amazon and Microsoft are on the same page about security, too.

Given the scale and growth rate of cloud providers, it's possible they could aggregate a meaningful portion of the cybersecurity ecosystem, with acceleration starting this year. As this acquisition demonstrates, nothing is off limits — not even public companies. Things get can get really interesting and wild in a hurry when the aggregators start aggregating.

In the story of Alphabet and Mandiant, the biggest lesson of all might be that aggregation is coming for the cybersecurity ecosystem. That's a topic for a future article. For now, it's been interesting to think about the strategic implications of this acquisition and what it could mean going forward.


Thanks for reading! How did you like this article?

LovedGreatGoodMehBad