Get rich or die trying

by Brenon Daly

As we saw in this week’s offering from Ping Identity, there’s virtually no middle ground for IPOs from the information security (infosec) market. More than any other tech segment, infosec prices its chosen few at astronomical heights, while relegating the rest to a far more earthbound valuation.

Broadly speaking, on a price-to-trailing-sales multiple, infosec IPOs inevitably come to market at either a high-single-digit valuation or at greater than 20x. Nothing in between. None of those deals that price at twice the low end, but half the high end. As a result, when we survey the IPO valuation landscape, we see a very unusual distribution: cybersecurity tends to stack up in two camel-like humps rather than a conventional bell shape.

According to our analysis, Ping is the ninth debutant from the infosec market on US exchanges in the past two years. (See our full preview on Pings offering.) The identity and access management vendor created some $1.6bn in (undiluted) market value in its IPO. That works out to about 7.5x its trailing sales of $215m through midyear.

Ping’s price-to-sales valuation slots right next to the current trading multiples of other recent infosec IPOs such as Tufin Software Technologies (6x), Tenable (7x) and SailPoint Technologies (7x). (SailPoint, like Ping, came public from a private equity portfolio, after being acquired for a fraction of its current valuation.) Similarly, Carbon Black, which came public last year, is being erased from the Nasdaq by VMware in a deal that gives the endpoint security provider a terminal value of 9x trailing sales.

Further out on the histogram of trading multiples, there are the vertiginous valuations of Okta (25x), which came public in 2017, as well as last year’s entrant Zscaler (20x). Both of those are bargains compared with CrowdStrike, which listed three months ago and currently trades at twice the multiple of either of the other highfliers.

Of course, valuation is always relative. Even as some of infosec’s recent debutants look longingly up at the market caps and multiples of others in the industry, there are whole sectors of IT that would gladly take the valuation of a ‘left behind’ infosec vendor like Ping. For a great number of tech startups, even the lowliest infosec valuation would be a trade up.

Figure 1: Infosec IPO valuations

Infosec’s valuation inflation

by Brenon Daly

Acquirers looking to go shopping in the information security (infosec) market had better bring a big bankroll. Valuations are stretched well beyond the going rates for deals in virtually any other IT sector. For instance, a solid-but-unexceptional 20% grower that commands a double-digit multiple in infosec (like Carbon Black) would almost certainly drop into the high single digits in any other industry. And even an infosec vendor that’s shrinking and faces the real possibility of being terminally disrupted (hello, Symantec) still manages to trade for an above-market valuation.

To highlight the recent valuation inflation in the infosec M&A market, consider a pair of $2bn-plus deals that are separated by just a half-decade but clearly belong to different eras nonetheless: Cisco Systems mid-2013 acquisition of SourceFire and VMware’s just-announced purchase of Carbon Black. (Subscribers to 451 Research’s Market Insight Service can see a full report on the latter transaction on our website today.)

Although the two security firms sell into different segments of the markets, both SourceFire and Carbon Black had a similar scale (revenue north of $200m) and similar exits (selling to strategic buyers for double-digit valuations in $2bn-plus deals). While all of those metrics line up very closely, a closer look at the companies shows that SourceFire, at least on paper, had a far more valuable business:

Carbon Black, which is losing $15-20m per quarter, is growing at just 20%.

SourceFire was growing at a mid-30% rate, while also turning a profit.

We highlight the valuation gulf between the two transactions because, in many ways, it exemplifies a recurring complaint we hear about the infosec market from both investors and acquirers: A dollar just doesn’t buy nearly as much right now as it once did.

Cofense removes the Red Threat

by Brenon Daly

 

After a long and torturous process, email security startup Cofense has landed where it appeared headed pretty much the whole time: deeper in the portfolio of existing investor BlackRock. The private equity firm, which picked up roughly one-quarter of Cofense in a recap of the company in early 2018, added the 43% stake that had been held by a Russian investment firm. But it wasn’t an easy deal.

BlackRock’s transition from minority investor to majority owner of Cofense only came after some highly unusual – and highly disruptive – regulatory scrutiny from a secretive US national security agency. A few months after the deal was announced last year, the Washington DC-based Committee on Foreign Investment in the US (CFIUS) began pushing for the Russian investor, Pamplona Capital, to be removed from the syndicate. The reason? Perceived threats to national security.

Under scrutiny from CFIUS, business at Cofense stalled. Customers didn’t want to be buying from a potentially insecure security vendor. (Is the Kremlin reading your email?) Cofense’s growth rate, which had topped 40%, fell to about half that level, according to our understanding. The company had to do some layoffs due to the slowdown.

As growth tailed off, valuation followed suit. Although the exact price couldn’t be learned that BlackRock paid Pamplona for its stake, the transaction is understood to value Cofense at less than the $400m the two buyout shops paid for the company a year and a half ago. For comparison, rival email security provider KnowBe4 raised money this summer at a valuation of more than $1bn.

Still, with the removal of the Red Threat, Cofense at least has the opportunity to get back to business. And a fair amount of business is available. Our surveys of information security buyers and users continually show, broadly, that phishing and the related concern of user behavior is the top-ranked security ‘pain point’ facing organizations. That’s the good news for the company. The bad news: Cofense didn’t even make it into the top-five most-popular vendors for security awareness training, according to the 451 ResearchVoice of the Enterprise: Information Security, Workloads & Key Projects 2019.

Figure 1: Security awareness vendors

A rare trip into rarified air

by Brenon Daly

Symantec’s blockbuster $10.7bn divestiture of its enterprise security business to Broadcom marks a rare trip into rarified air for the information security (infosec) M&A market. Through the first seven-plus months of 2019, 451 Researchs M&A KnowledgeBase shows not a single deal in the segment valued at more than $1bn.

Obviously, the unusual carve-up of Big Yellow blows past that threshold. But setting aside this transaction, which we would very much describe as a one-time deal, a couple of trends are playing out in the infosec market that may make it tough to see many more of those three-comma deals coming for the rest of 2019. We suspect that this year’s total will end up looking up at the three separate billion-dollar transactions we tallied last year.

Helping to keep a lid on deals at the top end of the infosec sector right now are factors including:

Several of the industry’s largest vendors appear unlikely to pursue big-ticket transactions. In some cases, that’s due to internal upheaval (e.g., Symantec, which has announced five billion-dollar acquisitions in the past 15 years). In other cases, it’s due to a likely period of digestion (e.g., Palo Alto Networks, which has dropped $1.6bn in a half-dozen high-valuation deals over the past 18 months).

After only recently starting to print big purchases, private equity firms have slowed their activity at the top end of the market. That move down-market comes after buyout shops have been behind significant infosec take-privates in the past two years, including Barracuda and Imperva.

And most notably, VC dollars have replaced M&A dollars in the ‘unicorn universe.’ In just the past four months, Auth0, SentinelOne, Cybereason and Sumo Logic have all landed funding rounds that value the infosec startups at more than $1bn, according to the premium version of 451 Research’s Private Company Database.

As long as startups only have to give up a portion of their equity to VCs (rather than full ownership to an acquirer), funding will likely be the option of choice for popular infosec startups. Of course, taking money now at such an elevated level assumes that billion-dollar buyers will return at some point to provide big exits. That may well be the case, but it’s a pretty high-stakes gamble nonetheless.

Broadcom broadens into security

by Brenon Daly

What began last summer as a head-scratching novelty has now become a consistent strategy at chipmaker-turned-software vendor Broadcom. A year after the semiconductor giant inked the second-largest software acquisition in history, Broadcom has made a big splash in information security (infosec), paying $10.7bn for Symantec’s enterprise security business.

Although the transaction is ‘just’ an asset purchase, it nonetheless stands as the largest infosec acquisition in history, according to 451 Research’s M&A KnowledgeBase. Another way to look at it: Broadcom’s massive bet on Symantec basically equals a full year’s worth of M&A spending for the entire infosec market. (The M&A KnowledgeBase shows annual spending across the infosec sector over the past two decades has ranged widely from $2bn to $28bn, depending on blockbuster deals.)

By virtually any measure, Broadcom is paying up for Symantec’s castoff business. Divestitures, particularly those involving low- or no-growth businesses, invariably garner a discount to broad-market M&A multiples. Depending on the segment and the assets, divestitures can get done at 1-2x sales, or half the prevailing prices in outright acquisitions.

At a purchase price of more than $10bn, Broadcom is valuing the enterprise security division at 4.5x sales. (In the most-recent fiscal year, Symantec’s enterprise group posted sales of $2.4bn, a level that hasn’t really changed in three years.) That’s even slightly richer than the 4.3x that Broadcom paid in its landmark acquisition last summer of CA Technologies.

The most-significant portion of Symantec falling into the portfolio of a financially minded consolidator comes after a prolonged slump at Big Yellow, which has served – not entirely fairly – as a company caught on the wrong side of disruption. As one indicator, consider that its stock price has basically been stuck in place for the past half-decade. During that same period, other business-focused security vendors have emerged and created somewhere in the neighborhood of $100bn – or 10x the terminal value of Symantec’s enterprise business – in both the public and private markets. We’ll have a full report on this transaction for subscribers to 451 Research’s Market Insight service later today.

What might have been (and what may still be) for Symantec

by Brenon Daly

If not for a last-minute snag in talks to sell itself, Symantec would be headed to this week’s Black Hat not as the single-largest vendor in the information security (infosec) market, but as a subsidiary. Negotiations with chip giant Broadcom reportedly broke down over price (what else?), meaning Big Yellow will be unattached and unchaperoned as the hacker’s ball opens in the desert. We wonder, though, how many more industry confabs will Symantec be attending in its current standing?

A public company for 30 years, Symantec generates almost $5bn of sales each year. Part of the difficulty for Symantec right now is embedded in those two facts about the company. Symantec isn’t moving any closer to the $5bn. In fact, in its most-recent fiscal year it actually slipped further away, as Big Yellow got a little smaller in 2018. Declining revenue doesn’t do much for Wall Street investors.

That’s particularly true in infosec, where budgets across the board are fat and getting fatter. A stunning 87% of IT professionals told 451 Research’s Voice of the Enterprise (VotE): Information Security, Budgets & Outlook 2019 that their companies will have more money to spend on security this year than they did last year. On average, respondents to our VotE survey said their security budgets are up 22%, an enviable bump compared with GDP-like growth rates for overall IT budgets.

And yet, Symantec hasn’t been able to enjoy much of the bountiful budgets. That led to the abrupt departure of the company’s chief executive earlier this year, with an interim CEO still leading the industry giant. Symantec’s new chief, who cut his teeth in the semiconductor industry, has a reputation as a straight-talking operator, and he serves a board of directors that tips far more toward finance than technology. Fully half of Symantec’s 12 board members, including virtually all of the directors added in the previous three years, are out-and-out financial professionals.

Given the composition of Symantec’s board and executives, reports of a sale to a financially focused operator such as Broadcom shouldn’t have surprised anyone. (At least not after the chipmaker-turned-enterprise-software-provider shelled out $19bn for CA Technologies, a diversified software vendor that nonetheless shares a similar financial profile and vintage as Symantec.) Although Broadcom wasn’t able to consolidate the infosec giant, the reported negotiations did give a useful glimpse into the most likely outcome for Symantec: a full sale to a financial firm.

The company currently garners an enterprise value of about $16bn, or roughly 3.3 trailing sales. Even with an acquisition premium, Symantec’s LBO valuation would likely be slightly below the prevailing multiple of 4.1x trailing sales in take-privates announced so far this year on US exchanges, according to 451 Researchs M&A KnowledgeBase. Looking specifically at the infosec market, our data shows buyout firm Thoma Bravo has paid 4-5.5x trailing sales in its three purchases of publicly traded security companies in the past three years.

Source: 451 Research’s Voice of the Enterprise: Macroeconomic outlook – Business Trends Q2 2019

Dual tracks: A singular path to infosec riches

by Brenon Daly

Fittingly enough, there are two main types of ‘dual tracks.’ In most cases, dual track refers to a company simultaneously pursuing both the two exits available to startups, M&A and IPO. By keeping one foot on both roads to an exit, an in-demand startup can cultivate new sources of capital on Wall Street while, at the same time, pressuring any acquirer to effectively outbid the public market. Assuming the laws of economics hold, when supply remains constant, any additional demand invariably boosts pricing.

There is also a smaller-scale version of that process, which happens at a level below Wall Street. In a ‘dual track lite,’ a startup also explores an outright sale and a capital raise at the same time. But in this case, the funding comes once again from private-market sources, such as VCs, rather than the public market.

Of course, to be able to effectively – and profitably – dual-track, a startup needs strong interest from the demand side, from both potential backers and potential buyers. And right now, no other segment of the enterprise IT market has more dollars available from both investors and acquirers than the information security (infosec) market.

When it comes to M&A, the 451 Research M&A KnowledgeBase shows acquirers pay two to three times higher valuations in infosec deals than they do in the overall broad market. (Since 2017, our data shows the prevailing multiple in infosec transaction at nearly 6x trailing sales.) And for those security startups pursuing the other track (funding), there is an unprecedented amount of money available from VCs. In just the past month, for instance, we’ve seen big-money fundings for infosec startups, including:

$120m for SentinelOne. (Subscribers to the premium of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for SentinelOne revenue from 2016-19.)

$100m for Auth0. (Subscribers to the premium of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Auth0 revenue from 2016-18.)

$100m for Vectra Networks. (Subscribers to the premium of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Vectra revenue from 2016-19.)

But this flood of VC money has skewed the dual track, highlighting just how inflated funding valuations have gotten recently. Consider the two different outcomes, separated by less than three years, for a pair of rival firms. At the end of May, Dashlane raised $110m. We would note that’s exactly the same amount of money that rival password manager LastPass got when it sold the whole company to LogMeIn in October 2015. All in, Dashlane’s funding valuation was roughly 5x richer than the terminal value of LastPass, according to our understanding.

Instant gratification in CrowdStrike’s IPO

by Brenon Daly

Other recent high-flying debutants in the information security (infosec) market have had to take some time to grow into their multi-unicorn status on Wall Street. Not so for CrowdStrike. The endpoint security vendor smashed all pricing expectations on its way to creating a stunning $12bn of initial market value in its IPO.

To put that number into perspective, CrowdStrike’s valuation is roughly equivalent to the M&A spending across the entire infosec market for any given year, according to 451 Research’s M&A KnowledgeBase. Or, sticking to comparisons in the IPO market, CrowdStrike’s debut market cap is twice the initial value created in IPOs by two other recent fast-growing cloud security startups:

Okta came public in April 2017 at a valuation of $2.4bn, and now commands a $14.5bn market cap.

Zscaler came public in March 2018 at a valuation of $3.7bn, and now commands a $10bn market cap.

In its most recent fiscal year, CrowdStrike posted revenue of $250m. Revenue more than doubled last year, helped in part by an astonishingly high dollar-based retention rate of roughly 140%. Although not yet profitable, the company showed some leverage in its model by holding its net loss at the same level over the past two years, even as it doubled revenue.

In the IPO, Wall Street is valuing CrowdStrike at nearly 50 times trailing sales. That’s a heady multiple, significantly eclipsing the current mid-30x price-to-sales multiples for both Okta and Zscaler.

CrowdStrike is, however, still looking up at the current trading multiple of Zoom Video Communications. Zoom shares have tacked on roughly 50% since debuting in April, giving the profitable and fast-growing videoconferencing startup a price-to-sales multiple of nearly 70x. If CrowdStrike could replicate Zoom’s trading in the aftermarket, the infosec startup would be tracking to nearly the same astronomical trading multiple later this summer.

A change of guard in the infosec market

by Brenon Daly

After an uncharacteristic half-year absence from the top end of the information security (infosec) market, a private equity (PE) shop has now put up the largest print in the bustling sector so far this year. Insight Venture Partners built on an earlier investment in Recorded Future to take a controlling stake in the threat intelligence startup in a deal valued at $780m.

Other than that, however, most of this year’s activity has been coming from newly resurgent strategic acquirers. In fact, except for Insight’s reach for Recorded Future, strategic acquirers account for all of the 10 largest infosec transactions listed in 451 Research’s M&A KnowledgeBase so far in 2019.

Already this year, Palo Alto Networks has announced three acquisitions totaling a cool $1bn in aggregate spending, Sophos has doubled up on deals, and FireEye has shelled out a quarter-billion dollars in its largest single purchase in a half-decade. Other infosec M&A mainstays such as Symantec, Akamai and Proofpoint have also been heard from this year, with all of them inking $100m+ acquisitions.

The key to many of these corporate deals getting done is that buyers are paying up. That’s particularly true for Palo Alto, which has made a practice of paying hundreds of millions of dollars for startups that measure their revenue in the tens of millions of dollars. But FireEye and Symantec have also paid double-digit valuations this year.

As strategic acquirers stretch on valuation, they have been able to elbow PE buyers aside. According to the M&A KnowledgeBase, buyout firms are behind just one of every five infosec transactions so far in 2019, down from at least one of four deals in each of the previous three years. Further, our data indicates that PE shops’ slumping market share of only 21% in infosec M&A so far in 2019 is a full 10 percentage points lower than their share of the overall tech M&A market.

Playing small ball in the big leagues

by Brenon Daly

Over the past two years, no single IT sector has put forward more highly valued IPOs than information security (infosec). Spurred by ever-increasing spending by CISOs, startups across the cybersecurity landscape are either big or getting big fast. As they graduate up to Wall Street, growth-hungry investors have lavished rich, double-digit valuations on infosec startups.

So what, then, to make of the recent IPO filing by Tufin Software Technologies? The security policy management vendor is heading to the NYSE on the back of a year where it did less than $100m in sales. And its growth rate, while a solid 30% in 2018, barely matches the pace of some of the recent infosec debutants, even as they put up more than three times more sales.

And then, there’s the crucial consideration of how – and when – Tufin generates those sales. In the current era of cloud-delivered software, Tufin sells its product in the conventional model of software licenses, plus maintenance and professional services. Further, those sales are heavily back-end-loaded, with a make-or-break Q4 providing about 34% of total revenue for the company.

It’s worth noting that all five of the other infosec providers to come public since the start of 2017 derive at least a portion of their sales from subscriptions, with the two richest valuations being given to the full cloud-based vendors. (Zscaler trades at an astronomical 34x trailing sales, while Okta garners 23x trailing sales.) Subscription revenue tends to be more predictable than lumpy sales of licenses, particularly when the average price tag of just the software – as it is in some cases at Tufin – climbs above $200,000.

That’s not to say that Tufin doesn’t have the opportunity for growth in front of it. In its prospectus, the company cites a 451 Research Voice of the Enterprise survey of 550 IT buyers and users in 2018 that shows that 83% of the respondents do not currently run any security automation and orchestration technologies at their company. Yet, encouragingly for Tufin and other vendors, more than half of the respondents (54%) plan to have it in place by 2020.

In addition to Tufin, we suspect that at least one other company will likely be paying very close attention to the upcoming IPO. Rival Skybox Security, which we understand is roughly the same size as Tufin, is thought to be tracking to an offering of its own. The difference being, as we heard it, that Skybox is targeting a debut in 2020, when it will be north of $100m in sales.