Thoma Bravo took SailPoint private just over two years ago, and there are already rumors about plans to go public again.
Bloomberg and Michael Novinson at ISMG did some solid reporting to break the news that Thoma Bravo is talking with bankers to underwrite a potential IPO.
On the surface, this move seems like it's defying the odds for a normal four-to-seven year private equity holding period.
It's defying the odds of the current IPO window, too. There hasn't been a traditional IPO for a pure cybersecurity company for over 1,000 days (and counting). Current market conditions are anything but favorable, at least for anyone other than the crème de la crème of the IPO pipeline.
SailPoint is anything but typical, though. I'm not convinced they even needed to go private in the first place, but here we are.
Taking SailPoint public again quickly was always part of the plan for Thoma Bravo, as partner Andrew Almeida made very clear in an interview with TechCrunch:
Our plan with SailPoint is to take them public as soon as we can, as an independent company, and re-IPO the business as a more SaaS-heavy, equally-to-higher growth business as to when they were public prior but generating a lot more cash flow.
News of an impending IPO is exciting to anyone who (a) likes SailPoint, and (b) wants this IPO drought for our industry to end.
This is far from a done deal, but it's credible enough to do some educated speculation about what it might take for SailPoint to go public again and stay there this time.
Let's start at the top with financial metrics.
Metrics: meeting the brutal expectations of the low-burn, high-growth era
The first thing SailPoint needs is obvious but complicated: financial metrics that meet the bar of today's low-burn, high-growth era of public markets.
Obvious, because strong financial metrics always underpin a successful IPO.¹
Complicated, because the standards required for a company to go public today are significantly higher than any previous IPO window, including the first time SailPoint went public in 2017.
Here's the crux of the current situation: Thoma Bravo acquired SailPoint for $6.9 billion. A great return for Thoma Bravo would be 20% or higher. SailPoint needs to be sold or go public at $8.5 billion (give or take, ideally higher) to make this happen.
The eight-point-five-billion-dollar question is: what metrics would SailPoint need to have to be valued at $8.5 billion?
IPO metrics have been a topic of intense debate within the tech industry this year. The analysis closest to SailPoint's situation is by Jamin Ball, where he breaks down what it takes to be valued at 10x revenue. Here's the punch line for performance among software companies valued at premium multiples:
-
Revenue: They all have LTM revenue over $600m, and 16 have >$1B in LTM revenue (the top 10 all have LTM revenue >$1B).
-
Growth: LTM growth ranges from 11% to 42% (median of 25%).
-
Free Cash Flow: All but one company are Free Cash Flow (FCF) positive with a median LTM FCF margin of 27%.
SailPoint may not need a 10x revenue multiple, but their situation is close enough for the analysis above to be a good blueprint. Let's break down SailPoint's revenue, growth, and FCF one by one.
Revenue
Can SailPoint hit $1 billion in revenue? It seems like they can, or maybe already have.
They were sitting at $495.4M of revenue (TTM), $429.5M of ARR, and 31% revenue growth as of their last public earnings report in June 2022. They disclosed $600 million of ARR in Q3 2023. SailPoint's ARR has historically been lower than top-line revenue because they're in the middle of a transition to subscription licensing, so actual revenue is likely much higher.
If we project out SailPoint's revenue since going private at 30% top-line revenue growth, they're likely approaching $1 billion in total revenue already:
A growth rate of 30% might be generous in today's "economic headwinds" world of software purchasing, but they are close to billion-dollar scale at anything over 20% growth.
Speaking of growth...
Growth
Before going private, SailPoint was right around the cutoff line for cybersecurity's "high growth" and "low growth" cohorts. They averaged 21% top line revenue growth from 2019 to 2021, their last full year as a public company:
Based on historical numbers, they're just below the median of 25% LTM growth among software companies with premium revenue multiples.
Did they get back to 25% or higher since they've been a private company? We won't know for sure until they file their S-1. They hit 27% growth in 2020, so it's been done before. Their platform is just as relevant now as it was then.
And remember, they don't necessarily need a 10x multiple to have a good outcome. If growth is at 20% (exactly where it was when they were taken private), they're still comfortably within the range of growth rates for the top 20 software companies.
If their acquisitions (more on this later) and other developments in the identity security market have helped drive revenue growth, a 10x multiple might not be so bananas after all.
Now, if only they could grow profitably...
Free Cash Flow (FCF)
One of the reasons (and probably the main financially-related reason) SailPoint was taken private was the sharp FCF decline they took between the end of 2020 and the time they delisted in mid-2022:
A sharp increase in operating expenses took the wind out of their sails², cratering FCF alongside other spending increases across stock-based compensation and capital expenditures.
They were growing, but not efficiently.
Why did this happen? A lifetime ago in 2021, I talked about how expensive product development (R&D) would get with SailPoint's strategy to continue building (and slowly transitioning customers from) its on-premise and SaaS products:
SailPoint's challenge with this approach is in product strategy. Continuing to make investments in building both an on-premise and SaaS product is expensive.
IdentityIQ and IdentityNow are essentially two separate products with minimal overlap in the codebase. This differs from competitors like ForgeRock, who run essentially the same product on-premise and in the cloud.
A multi-year transition process with no end in sight either means continuously high expenses in developing both products or dilution of progress in both.
Even though product and R&D expenses increased, they were only part of the story. As it turns out, it's prohibitively expensive to build and sell two different identity platforms. Sales and marketing expenses (as a percentage of revenue) increased by 13% from 2018 to 2020.
They were burning cash by fueling two fires at the same time.
SailPoint's expenses got out of hand for a brief period, but they're still in good shape if Thoma Bravo's private equity financial fitness bootcamp puts them back on track with pre-2021 levels.
Thoma Bravo basically confirmed this is happening already. Again from Andrew Almeida:
Then Q1 and Q2 of this year, it feels like things are maybe not getting back to peak levels, but certainly, we have a path to better times ahead. . . . The pressure of growing but doing it profitably, SailPoint has [flipped to material EBITDA profitability].
So, based on everything we just talked about, is a premium multiple possible for SailPoint?
I think it is. Difficult, but possible.
An $8.5 billion valuation (or higher) likely means an 8-9x revenue multiple. It's a premium multiple (based on the current 5.3x median for software companies), but not an impossible one.
With SailPoint, we're not talking about the need for a top ten revenue multiple in the software industry (currently 15.4x). They only need to be better than your average software company, which I'd argue SailPoint already was before going private.
Here's the thing, though. Financial metrics and revenue multiples are only part of the giant puzzle required to have a successful IPO. Again from Jamin Ball:
Revenue multiples are tricky. On one hand, they’re a great shorthand that allows us to line up 80+ software companies and evaluate them relatively with a single metric.
...
BUT, a revenue multiple is just a shorthand valuation framework. Baked into a revenue multiple are assumptions around growth, margins, market opportunity, competitive dynamics, etc. And most importantly, looking at those assumptions 5-10 years out vs today.
Market opportunity, competitive dynamics, and 5-10 year thinking aren't financial problems — they're strategy problems. We're all about strategy here, so let's talk about that next.
Narrative: a good story around their ability to win a hyper-competitive identity security market
For SailPoint to have a successful exit, they need to make investors confident they can keep up strong financial metrics and win the market opportunity for workforce identity.
Fortunately for them, the narrative right now is about as good as it's ever going to get.
There is a unique window of opportunity in the identity security market with Okta's security incidents and two major competitors (Ping and ForgeRock) being taken private and merged together.³
SailPoint is well positioned to capture the opportunity — at least in the workforce identity portion of the market.
So, what have they done to take advantage?
Under Thoma Bravo's ownership, they've acquired Privileged Access Management (PAM), third party access, and Identity Threat Detection and Response (ITDR) companies:
This matches two of Okta's moves, including their entry into the PAM and ITDR markets. It also puts SailPoint in a position to compete more directly with CyberArk in PAM.
Outside of M&A, SailPoint was also in the middle of their transition from on-premise to SaaS. This was probably the main strategic reason that drove them to go private.
Anecdotally, I've heard good momentum on SaaS adoption for new implementations. This has to be part of the narrative if they're going to go public again. SailPoint isn't going to completely shed its on-premise identity platform, but marking accelerated migration to SaaS as a W is good enough.
I'm somewhat surprised SailPoint (via Thoma Bravo or otherwise) hasn't tried add Single Sign-On (SSO) and complete the narrative of being a comprehensive workforce identity platform and fully competing with Okta.
There was some speculation about SailPoint also merging with Ping and ForgeRock, but a strategic move like this one may have been too financially risky and too jarring for customers to handle.⁴
The decision not to compete directly with Okta, Azure, CyberArk, and others in workforce SSO is a strategic insight in itself. SailPoint doesn't need to be a complete workforce identity platform. Instead, they need to avoid competition as much as they can.
Their strategy is to completely own the Identity Governance and Administration (IGA) space in the enterprise market. No company has been able to durably lead this market — not Sun Microsystems, Oracle, or anyone else who has been a market leader in the past.
SailPoint is easily in the best position to own the enterprise customer segment between the gaping void of Okta's brand new product and a slew of legacy products. There are tons of great cloud-focused IGA startups, of course — but they're still a ways off from competing directly with SailPoint in the enterprise. Savyint is the only company who comes close.
If the financial metrics were close enough to being IPO-ready, a strong strategic narrative shaping up faster than expected is what could drive Thoma Bravo to accelerate the exit timeline for SailPoint.
But does the exit have to be an IPO? I think it does. Let me tell you why.
Alternatives: No strategic buyers at a better outcome than an IPO
A second IPO for SailPoint isn't the only option, but it's the most probable. A strategic acquisition seems like a long shot.
Billion-dollar acquisitions don't happen very often in cybersecurity. We've only had ~70 total cybersecurity-related transactions of any kind (PE or strategic) over $1 billion in history. Roughly half of those acquisitions were done by strategic buyers.
And we're only talking about a $1 billion floor here. An $8 billion plus acquisition is a much higher bar to clear.
There have only been ~15 cybersecurity-related acquisitions over $5 billion in the history of the industry, and only ~5 over the $8.5 billion price I guessed it would take for SailPoint to exit.
Broadcom (VMware and Symantec), Cisco (Splunk), and Gen Digital (Avast) are the only three strategic buyers who have ever paid over $8 billion to acquire a cybersecurity company.⁵
Large and mega-cap tech companies are the only strategic buyers who can realistically absorb an acquisition of this scale. Palo Alto Networks, CrowdStrike, and the rest of the pure cybersecurity companies aren't doing this big of an acquisition — especially not in a market they've been reluctant to enter.
The buyer universe among strategics just doesn't look favorable for SailPoint:
Microsoft Entra is a relatively complete workforce identity suite. Broadcom already owns a Frankenstein of an identity suite, too.⁶ The same goes for Oracle, IBM, and Thales.
Amazon (AWS) doesn't buy many cybersecurity companies, and a product like SailPoint isn't a strategic fit for their roadmap. I expect Cisco will buy an IGA product, but likely an earlier stage company.
We're left with Alphabet (Google Cloud) and HPE as the most likely possibilities unless an unexpected buyer steps up.
Any way you look at it, there just aren't many potential buyers.
I don't see SailPoint wanting to move to another private equity firm, either. Thoma Bravo has sold portfolio companies to other PE firms before. There's too much mutual respect for something like this to happen with SailPoint.
Going public is the best option Thoma Bravo has for SailPoint if they want to control the timing of the exit.
Outcome: not if, but when
An IPO for SailPoint seems inevitable. As the old trope goes: it's not if, but when.
They're close to the financial metrics public markets currently expect for premium valuations. The strategic narrative is never going to get better than it is now. And nobody else is going to buy them.
Thoma Bravo doesn't have to do anything unnatural here, though.
The advantage of being only two years into the holding period is patience. They can afford to wait if they determine the timing, valuation, or anything else makes this the wrong time to go public.
We're running out of time for an IPO to happen in 2024, but it's still possible. Otherwise, 2025 seems likely.
The exact timing matters less than the outcome. SailPoint has already gone public and been taken private once. The next time is their last chance.
Footnotes
¹Successful traditional IPOs, anyway. Metrics are kind of out the window for SPACs, reverse mergers, and micro-cap companies who go public. They're generally operating on a smaller scale that's outside the scope of this discussion.
²See what I did there?! Let me have this one. Jokes are hard in financial analysis.
³I know, it's ironic that Thoma Bravo (the same private equity sponsor) is also responsible for this, but it's not as manipulative as it might look. They paid dearly for Ping and ForgeRock ($5.1 billion in total). Tanking both companies to help SailPoint is obviously not a good strategy.
⁴And too difficult for antitrust regulators to stomach. Thoma Bravo's acquisition of ForgeRock already got delayed because of antitrust concerns. Trying to smash three large identity portfolio companies together is probably not a good look.
⁵VMware isn't a pure-play cybersecurity company, either. I included them just to make a point, but it's hard to attribute the cybersecurity-related value of this deal.
⁶Don't you dare call this a platform. It's more like a pile of skeletons left over from CA and Symantec that a few poor enterprises still can't exorcise.