One of the most elite reports on the business of cybersecurity is back — just wearing a different jersey this time.
Altitude Cyber dropped its inaugural 2023 Cybersecurity Year In Review report last month. It's a data-driven deep dive into the year that was in 2023.
The last time I covered Momentum Cyber's annual industry report was back in 2022. I helped the team produce the next two as a Senior Advisor to the firm. Covering my own work seemed redundant!
Now that I'm back on the consumer side, it's time for me to show you around the next iteration of this industry research.
This time, I have a lot more experience navigating the reports and data shared in them. I also get to bend the rules, so that's exactly what I'm going to do!
I want to tell you about five themes from the report — an outlier, two growing trends, and two things that haven't changed — using a wide-angle lens across the horizon of time.
Let's start by erasing our memories about the most abnormal year our industry has ever had.
The outlier: 2021
Strategic activity is still pretty good if you forget 2021 ever happened.
In 2022, there was still a perception that everything in the cybersecurity industry (and all of tech, really) was fine. Strategic activity was going to get back to 2021 levels...any day now.
In hindsight, we were still a little euphoric from the boom loop that was 2021.
The doom loop had fully set in by 2023. All the industry chatter was about financing and M&A activity being down.
It was, but mainly compared to 2021. That's a tough benchmark. It's like comparing any other cricket player to Don Bradman, the undisputed greatest of all time.
Let's quickly step into a tangential world where 2021 never happened and see what cybersecurity's trend of strategic activity looks like.
Here are the "updated" charts for M&A:
And for financing:
...Wait, what?! The trends for both are pretty good!
Exactly.
Obviously, we can't delete 2021 in the real world, so don't stick these charts in any serious industry publication.
This "world without 2021" thought experiment helps add some perspective, though. Things don't seem as raucous as they did in 2021, but they're not as bad as they seem, either.
Next, let's talk about a couple growing trends — both related to M&A.
Growing trends: private equity and gigantic M&A transactions
Private equity buyers have been really active, and they have more money to spend than ever.
Back in 2010, private equity buyers cared more about the color of their ties than the cybersecurity industry. They did five total deals for just over a billion. That's lower than the net worth of some Managing Partners.
Boy, how times have changed. The next decade-plus was a rush of money into the industry from private equity. They're literally spending more money on acquisitions than strategic buyers now:
This wasn't from a handful of large deals, either. Private equity firms do close to half the acquisitions in cybersecurity:
Remember when I said we're going to see a record number of large acquisitions the rest of this decade (and you probably laughed at me)? Well, check this out:
Private equity firms have three times more capital available to deploy today than they did for most of the last decade.¹ And cybersecurity seems to be burning a hole in their pockets.
Our M&A transactions just keep getting bigger.
Even though cybersecurity's total M&A dollar volume and activity are down from all-time-highs, our big acquisitions are bigger than ever.
Cybersecurity is a small enough industry for M&A activity trends to get spiky from large deals. That's exactly what is happening...but the trend for deal size is clearly going up:
We didn't have a transaction over $10 billion until 2019. Now, we've had four (or five if you count Broadcom's $69 billion acquisition of VMware).
The $5-billion-plus deals that would have easily been the largest for most years of the past decade are now routine. We've had eight (and counting) since 2020.
We're probably going to see more large acquisitions in the remainder of this decade than we've seen in the entire history of cybersecurity. Why?
Two words: private equity.
Next, let's talk about a couple things that haven't changed — even after a few choppy years of activity in the industry.
What hasn't changed: strategic buyers and specialist investors
Cybersecurity's most active strategic buyers aren't slowing down (much).
The strategy for several large cybersecurity companies (and professional services firms) is to grow through acquisitions. Don't think for a minute that some little economic downturn is going to slow them down.
Our most active strategic buyers for the past three years are...well, pretty similar:
This is a pretty short list, too. I'm sure if we had access to all of the underlying data, the companies who dropped off in one or more years would still be pretty active.
The part that didn't happen was a rush of new strategic buyers (e.g. the IPO pipeline and unicorns of 2021) into the M&A market. Some people thought there were going to be fire sales. There weren't, and definitely not for our best companies.
The trend is starting to normalize a little bit now. We've seen new buyers making acquisitions and another set of companies who have raised capital and specifically said they're using it for M&A. But our most active buyers will keep being our most active buyers.
Let's finish by talking about what's happening with cybersecurity's top investors.
Cybersecurity's most active investors are still cybersecurity's most active investors.
Overall financing activity is down, but cybersecurity's most active and long-term investors are holding (HODL-ing?)² their ground. The list of active investors hasn't changed much in the past three years:
Eight of the ten most active investors are still the same.³ I wouldn't read much into Accel or Tiger Global, either — both of them are still investing in plenty of cybersecurity companies.
The investors who have pulled back either weren't investing exclusively in cybersecurity, were speculating because this was a "hot" industry, or both.
Our most active investors are as committed (and well-funded) as ever.
More than 2023
This year's Altitude Cyber report is about 2023, sure. But it's also about more than that. It's the middle of a story about an industry whose time has come.
When you're living in the moment, like all of us do most of the time, it's easy to get pulled into the highs or lows of the present.
If you've done this long enough, you know every year (or quarter, or sometimes day!) might just be an outlier.
Growing trends can be unnerving because they change the order of what we've always known. They can also be empowering if you get ahead of them and know how to act.
A few things rarely change. The people and companies who are in cybersecurity for the long run are still here. They're ready for what's next, good or bad.
And if you let yourself zoom out far enough, you'll see why there's a lot to be excited and optimistic about.
Acknowledgements
Thank you to both the Altitude Cyber and Momentum Cyber teams for years of hard work on this industry research.
Footnotes
¹This capital isn't just for cybersecurity acquisitions, but some of it is definitely heading our way.
²Not really – a bunch of data points (and intuition) still say cybersecurity is a good place to invest. Especially if you know what you're doing, and these firms do.
³This analysis just covers deal volume, not the next layer of details about round sizes or whether these were new or follow-on investments. It's still a pretty good indicator of commitment to the industry, though.