90% of the data you will ever need to know about the cybersecurity industry can be found in one place: Momentum Cyber's annual Cybersecurity Almanac. The (free!) public version is a tour de force from one of the best firms in cybersecurity.
The 2022 edition was just released on February 8th. For me, this means I drop anything I was planning to write about and immediately immerse myself in the report. It's that good.
The report has a lot of information — 130 pages, to be exact. That's a lot to consume, especially with the heavy data focus. Momentum Cyber's primary objective is to present highly relevant sets of data from the firm's proprietary cybersecurity data platform.
The best part about having a brand new treasure trove of industry data is that we get to go through it, pull out some interesting facts, remix them a bit, and talk about the most interesting themes. The purpose of this article is to dive deeper on a few interesting themes rather than summarizing the whole report.
You should definitely spend a few hours looking through the report if you're able to make the time. This article can help you get a head start, or serve as a companion to provide useful context while you're reading it.
We'll be going deeper on five specific themes:
-
Multiplying Madness: Understanding a wild year in cybersecurity and what to expect going forward.
-
Private Equity's Rocket Fuel: The impact of private equity's dramatically increased involvement in the ecosystem.
-
Venture Capital Mega-Rounds: Fundraising trends, a new paradigm of mega-rounds, and the importance of investor specialization.
-
Consolidating Professional Services: Explaining counter-intuitive activity in a mature segment within the cybersecurity ecosystem.
-
Grow Or Get Acquired: What happens to public cybersecurity companies when markets value growth over profitability.
A couple callouts before getting started:
-
Nearly all the charts and slides in this article are taken directly from Momentum Cyber's latest report. All the credit and praise for producing such valuable information should be directed their way.
-
The structure of this article deviates from the structure of Momentum Cyber's report. The report itself is logically structured around the data. It lays out the facts clearly and intentionally. Our goal here is to explore themes. It's easier to do that by deviating from the structure of the report.
Now, let's analyze some data.
Multiplying Madness
First, let's just call a spade a spade: 2021 was a wild year in cybersecurity. Several of the financial numbers in the report are mind-bending. The cyber attacks are even worse. It's madness, and the madness is multiplying.
A thought-provoking question that's relevant here is from Packy McCormick in his Compounding Crazy article on Not Boring:
Everything is moving so fast out there. What if it's just getting started?
A central theme of the Not Boring article is that high valuations and a rapid rate of change create skepticism and snark. This vibe feels doubly true in the InfoSec world, where we're paid to be skeptics and find daily evidence to reinforce our frame of mind:
Well, guess what? The InfoSec profession and cybersecurity ecosystem are subject to the same forces as the rest of the world. Neither free markets nor criminals care about our skepticism and disbelief. As Packy predicts, "the world will continue to get exponentially crazier."
Exponential growth is a theme throughout Momentum Cyber's report. If I had to capture it in one slide, it's this one:
Diving a bit deeper, here's an approximate list of the madness that happened last year. The list is roughly ordered on a scale of "more believable" to "mind-blowing." Most of the points are from the Momentum Cyber report with a few additions of my own:
-
Five cybersecurity companies went public (and more, depending on how you count them).
-
Okta acquired Auth0 for $6.5 billion, the largest transaction of the year that didn't involve a private equity firm.
-
Over 30 cybersecurity companies became unicorns (valuations over $1 billion).
-
More financial transactions were completed than ever before, with 1,042 financing deals and 286 M&A deals.
-
82 companies raised individual financing rounds over $100 million, including Lacework's $1.3 billion Series D in November 2021 that was the largest funding round in the history of cybersecurity.
-
Proofpoint was acquired by private equity firm Thoma Bravo for $12.3 billion, the largest cybersecurity acquisition ever as of April 2021.
-
Avasat was then acquired by NortonLifeLock for $8.6 billion, the third-largest cybersecurity acquisition ever as of August 2021.
-
Both transactions were quickly surpassed by a group of private equity firms, who acquired McAfee's consumer business for $14 billion. That's the current leader for largest cybersecurity acquisition of all time.
-
The U.S. military's Cyber Command unit made its first public acknowledgement of taking offensive actions.
-
A Chinese hacking group discovered vulnerabilities in Microsoft Exchange that impacted 250,000 organizations globally. The situation was so dire that the FBI just went ahead and fixed it for people.
-
REvil infected multiple companies with the Kaseya ransomware and made a demand for $70 million, the biggest ransomware attack to date.
-
A serious vulnerability was discovered with the Apache Log4j package, impacting 8% of Java artifacts and millions of organizations worldwide.
-
An entire oil pipeline was taken ransom when DarkSide compromised Colonial Pipeline, causing a halt in operations, fuel shortages, flight delays, and multiple state of emergency declarations by U.S. government officials.
2022 may have already topped the madness from 2021:
-
Just 14 days into the new year, Ukraine suffered a massive cyberattack on government websites.
-
REvil ransomware gang members were arrested around the same time.
-
Cybersecurity and the threat of further attacks continue to be an ongoing theme in the tension between Russia, Ukraine, and other world leaders.
-
U.S. lawmakers alleged the CIA is conducting mass surveillance on citizens...again.
Oh, and Securonix just raised a $1 billion round from Vista Equity Partners last week. Barely a blip on the radar these days.
You knew about a lot of these events already. However, it's interesting to look at the list all at once and in ascending order of madness. Seeing everything within this context makes the madness obvious.
So, then, why is this madness happening to us? Accelerating change. This idea comes in many forms from many intelligent people. The most famous variation is Ray Kurzweil's Law of Accelerating Returns.
Packy McCormick's article summarizes the law nicely:
The Law of Accelerating Returns states that the rate of change of progress accelerates because humans can use the technology at their disposal to progress faster than previous generations could without the technology.
In his essay on the topic, Ray Kurzweil explains the impact of the law in more specific terms:
An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense “intuitive linear” view. So we won’t experience 100 years of progress in the 21st century—it will be more like 20,000 years of progress (at today’s rate). The “returns,” such as chip speed and cost-effectiveness, also increase exponentially. There’s even exponential growth in the rate of exponential growth.
The Law of Accelerating Returns is exciting for all the reasons I discussed in What is Security? — namely, that development and progress lead to safety and security. It's simultaneously terrifying because humans can use the same technology to regress and create all kinds of chaos at an equally accelerated rate.
We'll cover a few examples of the practical impact of accelerating change within the cybersecurity ecosystem throughout the rest of this article. It's a mega-theme that explains specific instances of exponential growth and change.
Private Equity's Rocket Fuel
The rate of change accelerates when large amounts of cash are involved. That's the forte of private equity (PE) firms. Momentum Cyber's report makes the growth trend of PE involvement in cybersecurity abundantly clear. It's rocket fuel for an industry that's already growing quickly.
In 2022, the influence of PE firms in cybersecurity is everywhere. They make moves that are big enough to shape large portions of the ecosystem. Not even public companies with multi-billion dollar market caps are spared.
The Momentum Cyber report found that private equity involvement in cybersecurity M&A is increasing across deal volume and count. A side-by-side comparison of M&A activity over the past decade shows exactly how dramatic the increase of private equity involvement in cybersecurity has been:
Digging into the math behind the charts: the total count of private equity deals has gone up 10x (~1,000%), and total dollars spent has gone up 15.5x (~1,500%). The significance of this increase and private equity's involvement can't be understated. It changes the size, scale, and speed of everything.
To help understand what's going on here, we should take a quick step back to clarify the roles of private equity (PE) and venture capital (VC). Private equity and venture capital firms share an important similarity: they both invest money in companies with the expectation of generating a large return. However, the nature and timing of their investments differs.
Venture capital firms typically invest in the early stages of a company. Investments can occur before a company finds traction (typically seed or pre-seed stage), or in later rounds after some traction has been achieved (Series A, Series B, etc.). VC investments are smaller (by comparison) and more speculative (e.g. higher risk).
Private equity firms invest in later stage companies. Investments occur in late stage rounds (Series C or beyond), and often in the final rounds before an IPO. Private equity firms also buy large ownership stakes in public companies and take them private. Thoma Bravo's $12.3 billion acquisition of Proofpoint in 2021 is one example. PE investments are larger and less speculative (e.g. lower risk).
In 2021, we saw interesting examples of both pre-IPO investments and acquisitions of public companies. First, let's cover the pre-IPO investments.
Private equity firms were part of multiple deals involving existing cybersecurity unicorns:
One major investment included Lacework's $1.3 billion Series D, the largest single investment round ever for a cybersecurity company. Other companies are within range of an IPO, including several I highlighted in my two part review of cybersecurity's IPO pipeline.
We should expect to see private equity firms involved in the largest late stage funding rounds. This will likely happen more often than it has in previous years.
As we'll explore in the next section, the size of financing deals has gone up significantly. Single rounds often exceed $100 million. Most VC firms aren't built to make large investments alone. Private equity necessarily has to be involved if we're going to do rounds at this scale.
Next, let's move on to the late stage and public company PE investments. PE firms were involved in multiple mega-deals involving widely known cybersecurity companies:
These mega-deals varied in size, ranging from around $1 billion to over $14 billion. For late stage PE deals, serious money and expectations are involved.
PE firms don't invest billions of dollars to buy companies without a plan. They have a specific vision and timeline in mind for what the company is going to look like after they're done with it. These are a few specific examples from 2021:
Many of these PE-backed projects are still a work in progress. We're not flipping houses on HGTV here — these mega-deals take time to get all the pieces in place and produce a valuable company on the other end.
Here's the model: A private equity firm buys a cybersecurity company as the centerpiece, then acquires other complimentary companies to round out the platform. It's easier and faster for PE firms to make the complimentary purchases because they already have the capital and relationships to make the deals happen.
This is an example of why private equity's role in cybersecurity is important. For a company to make moves like this on their own, they would likely need to raise additional capital each time they want to make an acquisition. It's a slow process, and tech moves quickly. The risk of missing out or mis-managing the execution of a deal is high.
Private equity firms are going to continue upping the dosage of rocket fuel in cybersecurity as long as the promise and opportunity for large returns continues. As the data from Momentum Cyber shows, we're likely looking at a multi-year trend here. The effects will take a decade or more to play out.
Venture Capital Mega-Rounds
The Momentum Cyber report clearly shows that 2021 was the year of venture capital mega-rounds in cybersecurity. This slide shows an obvious growth trend in venture capital financing activity:
The most important numbers are a record $29.3 billion in total funding, the 136.2% year-over-year increase in total funding, and a 43.1% increase in total financing transactions. 2021 was a big jump in all of these categories.
The aggregated multi-year trend is impressive, but the funding amounts for individual companies is even more interesting to look at:
High growth cybersecurity startups are increasingly well-funded, with many of the largest deals in history happening in 2021. Lacework's $1.3 billion round was the largest ever. Transmit Security raised $543 million in a Series A. Snyk Raised a $530 million Series F. In total, 31 companies raised individual rounds of over $200 million.
For context, Shopify went public in 2015 after raising a total of $122.3 million across four rounds. Nearly all of that capital came from a $100 million Series C, their largest round by far.
There has also been an exponential increase in the number of companies reaching unicorn status. According to the Momentum Cyber data, only six companies reached unicorn status in 2019 and 2020. In 2021, 37 cybersecurity companies reached a unicorn valuation ($1 billion+) — a 6.2x increase.
Companies are also becoming unicorns at earlier stages of investment. In 2021, 12 companies were unicorns by their Series C round or earlier. Between 2017 and 2020, OneTrust was the only company to reach unicorn status by its Series C round. That's a massive shift in valuations.
On the flip side of the companies being funded, data about the most active investors in the ecosystem is also fascinating to look at:
It's not surprising to see mega-firms like Insight, Accel, Sequoia, and a16z on the list. Pure-play cybersecurity investors making up 1/3 of the list is much more surprising.
One way to interpret this data is that the mix of investors in a cybersecurity company matters. When capital is easier to find, strategic founders put together the right mix of investors on their cap tables. As Momentum Cyber founder Dave DeWalt said in his introduction:
Founders are looking for "real value-add" from their investors and specialization with an abundance of capital in the current market.
This trend raises important questions for both investors and cybersecurity companies raising capital:
-
Investors: what specific cybersecurity expertise and value can we bring? I've seen firms accomplish this in many ways. Sequoia's Customer Partnerships team is one good example.
-
Founders: how can I organize my cap table to include investors with industry-specific value? It's not an absolute necessity, but the trend of doing so is clear in earlier stage rounds.
As with the other trends we're discussing here, expect both individual and total venture capital rounds to keep going up. We may also see interesting developments in the specialization of investors, both at the level of venture capital firms and solo funds. Cybersecurity is now big enough for focused investors, which brings interesting opportunities.
Consolidating Professional Services
One of the most counterintuitive themes from the report is the volume of M&A activity from consulting firms. This is worth unpacking. It doesn't seem to make sense at first glance, but there's an interesting explanation for it.
First, let's define what "professional services" includes. Here's a snippet from my cybersecurity ecosystem mapping project that shows the components:
This chart from the Momentum Cyber report is where the counterintuitive trend with professional services firms starts. Three of the top ten most active buyers in 2021 were pure consulting firms (highlights mine):
Accenture and Deloitte bought more companies than anyone in the industry? Really? We're used to private equity rocket fuel transactions or companies like Okta buying Auth0. These deals get all the attention, and boring old consulting firm M&A flies under the radar.
This is where things get really confusing. In total, the amount of M&A activity in professional services is dramatically higher than every other sector (highlighted below):
Note: in the chart, Security Consulting and MSSP both fall under the umbrella of professional services. They're combined in the numbers below for better analysis.
Yet, when we look at this chart of M&A activity by dollar volume, professional services is significantly lower than other sectors:
On one hand, the activity numbers look staggering:
-
98 total M&A transactions during 2021
-
239% (2.4x) increase in total professional services M&A activity from 2020 to 2021
-
350% (3.5x) higher M&A activity than Risk and Compliance, the next highest sector
On the other hand, the dollars look ho-hum:
-
$2.354 billion total dollar volume for professional services M&A
-
$24 million average transaction value
Why is this happening? Activity is high because mature industries consolidate. Transaction volume is low because services have less leverage than software. Professional services is a mature, low-leverage industry within an otherwise growing and high-leverage cybersecurity ecosystem.
Consulting is especially mature — many large firms were around decades before computers. Cybersecurity consulting practices emerged within these large firms much later. They were joined in the market by thousands of smaller boutique firms.
I previously wrote about the challenges professional services firms have with leverage in Mandiant and the Future of Cybersecurity Services:
All the leverage in a traditional professional services business comes from labor, the oldest form of leverage there is. People alone don't scale. They have marginal costs of replication — to get more done, you need to hire and pay more people.
When leverage comes from labor, the best ways to increase it are scale and specialization. Mergers and acquisitions drive both. Large consulting firms acquire smaller ones because of specialization — new skills to layer into the existing practice. Firms also merge to create scale — more people with less overhead. That's why we're seeing high M&A activity in the Momentum Cyber report.
The M&A numbers for professional services stand out within the ecosystem because earlier stage sectors don't consolidate as frequently. They're focused on organic growth and making the overall pie bigger. Almost every other sector of the cybersecurity ecosystem is still in the growth stage (or earlier).
In growth stage companies, there are fewer transactions, but the transactions that happen are at much higher dollar amounts. High-leverage software businesses carry a premium.
As I've written previously, I also expect private equity firms to become more active participants in professional services deals:
The pace of private equity firms acquiring, consolidating, and reselling boutique cybersecurity consulting firms will accelerate.
Assuming market conditions hold, we should expect to see even more consolidation in professional services this year.
Grow Or Get Acquired
One conclusion the Momentum Cyber's report makes crystal clear is that public markets today are focused on growth over profitability. Here's a comparison of two charts to visually illustrate the point:
The left chart measures the relationship (correlation) between stock performance and revenue, regardless of profitability. The right chart measures the relationship between stock performance and profitability.
Correlation just means "how close are the dots to the line?" In the growth chart on the left, the dots are close to the line — stock performance is highly correlated to revenue. In the profitability chart on the right, the dots are not as close to the line, and some companies (SentinelOne, CrowdStrike, Okta) are significant outliers. Stock performance isn't as highly correlated to profitability.
What does the market's fixation on growth mean, then? In practical terms, it means any public cybersecurity company in Momentum Cyber's "low growth" category is fair game for an acquisition or takeover.
That's the feast or famine world we're living in right now. When public markets value revenue growth above all else, companies have to deliver and produce growth or get acquired and refactored until they can.
To demonstrate this point, let's rewind to Momentum Cyber's 2021 Cybersecurity Almanac, which analyzes data from the 2020 calendar year:
Five of the companies in the "low growth" category at this time last year were acquired by private equity firms and either taken private or restructured (highlighted in the slide above). That's 25% of the low growth companies, which is...a lot.
Fast forwarding back to 2022, it already looks as though this trend will continue or increase. Here is the same chart from Momentum Cyber's 2022 Cybersecurity Almanac, which analyzes data from the 2021 calendar year:
It's only mid-February, and multiple companies in the 2021 "low growth" category are rumored to be in M&A discussions:
-
VMWare received an unsolicited offer from a private equity firm.
-
Mandiant was rumored to be in acquisition talks.
-
Splunk received a large takeover offer.
The Mimecast deal is already done — they will go private when the transaction closes in Q1 2022. So is the merger between NortonLifeLock and Avast.
Three of the 13 remaining companies in the 2021 "low growth" category (excluding Mimecast, NortonLifeLock, and Avast) are already in M&A talks. That's 23% of the low growth companies, consistent with last year's rate. And there's still a lot of time left in 2022.
Given private equity's increased involvement in cybersecurity, expect to see continued acquisitions within the low-growth segments. This is prime territory for private equity. It's also hard to account for what private equity firms are going to do with deals from previous years. New public companies are going to get created from deals made years ago.
What 2022 Holds
As we established at the start of this analysis, 2022 likely holds continued madness. That's madness across the board, both good and bad.
The trends we highlighted in Momentum Cyber's report will be even bigger next year. The attacks and breaches probably will, too. We've got a long way to go until all of this is sorted out.
In terms of specific themes, we should expect:
-
Several of the later stage companies who have raised mega-rounds will go public.
-
Private equity firms will inject more capital into the ecosystem, buying up late stage and public cybersecurity companies in the process.
-
Venture capital rounds will get larger. Lacework's record $1.3 billion round won't stand.
-
Professional services firms will continue to consolidate, likely with the help of private equity firms.
-
Public companies who fail to satiate the growth expectations of investors will be merged or taken private.
The release of Momentum Cyber's Cybersecurity Almanac is a great time to look back on the year that was. Diving deeper into the data is insightful, and I enjoyed doing it for this report. We'll continue to follow Momentum Cyber's quarterly market reviews to periodically check in on the data and developments throughout the year.
Thank you to the Momentum Cyber team for producing this amazing report every year and sharing it with all of us. Your work and generosity are sincerely appreciated.
Thanks for reading! How did you like this article?