TITUS goes from bootstrapped to buyout with Blackstone

Contact: Brenon Daly

Private equity (PE) firm Blackstone Group has picked up a majority stake in TITUS, marking an unconventional bootstrapped-to-buyout exit for the 12-year-old data classification startup. Terms weren’t revealed. With the acquisition, PE shops have now purchased more cybersecurity vendors in 2017 than any year in history, according to 451 Research’s M&A KnowledgeBase (see graphic below).

The transaction comes two years after Microsoft made a similar data security move, reaching for Israel-based startup Secure Islands. (Although the price of that deal wasn’t disclosed, subscribers to the M&A KnowledgeBase can see our proprietary estimate on terms.) However, Secure Islands was a much smaller company than TITUS, both in terms of revenue and technology. Secure Islands focused primarily on extending security for Microsoft technology, specifically Office 365 and SharePoint, while TITUS has a broader technology platform. Also, according to our understanding, profitable TITUS generates more than four times the sales that Secure Islands did at the time it was acquired.

For Blackstone (in this case, through its Tactical Opportunities team), the purchase of TITUS represents a return to the information security (infosec) market, with a platform that lends itself to additional bolt-on acquisitions. (The firm used the buy-and-build strategy with infosec reseller/service provider Optiv before selling it to Kohlberg Kravis Roberts a year ago.) Once TITUS is in the portfolio, which should come before the end of the year, Blackstone could help cover the costs of buying into markets where TITUS currently partners. Specifically, markets such as data-loss prevention and archiving would be logical adjacent sectors for Blackstone-backed TITUS to look to shop in.

Cybersecurity turns into a busy bazaar

Contact: Brenon Daly

The holiday shopping season kicked off last week, and for one tech sector, it was a particularly bountiful time for picking up some companies. Information security (infosec) acquirers announced an unprecedented seven transactions during the week that started on Cyber Monday. The pace represented a dramatic acceleration from the year-to-date average of just two deals announced each week.

With last week’s flurry, the number of infosec acquisitions in 2017 has already eclipsed last year’s total, even as overall tech M&A volume this year is heading for a mid-teens percentage drop from last year, according to 451 Research’s M&A KnowledgeBase. (This year already ranks as the second-busiest year for infosec, with deal volume tracking to roughly 50% higher than the start of the decade.) Probably more important than the sheer number of transactions was who was doing the dealing:

-McAfee announced its first purchase since throwing off the shackles of full ownership of Intel last year. By all accounts, McAfee’s step back into the M&A realm with cloud security startup Skyhigh Networks came at a sky-high price.
-An infrequent acquirer, Trend Micro reached for a small application security startup based in Montreal, IMMUNIO. It is only the third acquisition the Japan-based company has done since 2011.
-Thoma Bravo continued this year’s record level of infosec M&A by private equity (PE) firms, taking Barracuda Networks private for $1.6bn. The M&A KnowledgeBase indicates that 2017 is on pace for more PE purchases in this market than any year in history, likely to come in about quadruple the number of sponsor-backed infosec deals in 2012.

Expanding the timeframe beyond just last week, we see a number of other trends this year that have contributed to strong infosec deal volume in 2017, which should continue in 2018. For starters, the industry’s largest stand-alone vendor has stepped back into the market in a big way. Symantec has inked five transactions so far in 2017, more than it has done, collectively, in the previous half-decade. Meanwhile, other infosec providers have either reemerged as buyers (Juniper acquiring Cyphort after a four-year infosec M&A hiatus) or started their own acquisition program (Qualys has announced two deals in the past four months, after printing just one transaction since the company’s founding in 1999).

Thoma Bravo goes fishing, lands a Barracuda

Contact: Brenon Daly

After four underwhelming years as a public company, Barracuda Networks will step off the NYSE in a $1.6bn take-private with Thoma Bravo. The all-cash transaction, which is expected to close within three months, is one of those rare deals that appears to fit both the buyer and the seller in equal measure. With $17bn sloshing around, private equity firm Thoma Bravo needs to put money to work and has made the information security market a favorite shopping ground, having previously taken four infosec vendors private.

For Barracuda, the proposed leveraged buyout (LBO) wraps a period of not truly finding a home on Wall Street. As a public company, Barracuda posted just one-third the return of the Nasdaq Composite over the same period. The $27.55 per share that Thoma Bravo is paying represents the highest price for Barracuda stock in two and a half years. At one point in 2015, shares of Barracuda changed hands above $40.

Part of the reason why Barracuda fell out of favor with investors is the company’s ongoing transition from an on-premises business to more of a cloud focus. The so-called ‘legacy’ revenue – much of which is tied to appliances – has been shrinking every quarter, but still represents roughly one-third of sales. Deemphasizing that business has boosted Barracuda’s operating margins, but has slowed overall revenue growth to the single digits. Going private to complete the transition to a higher-margin software business, while continuing to throw off $10-20m of free cash flow each quarter, makes sense for Barracuda.

On the other side, Thoma Bravo pays essentially a market multiple for a company that has figured out a way to turn a profit selling into the underserved SMB market. (The enterprise value of Thoma Bravo’s bid stands at $1.48bn, or 4x trailing 12-month sales at Barracuda. That roughly matches the 4.4x TTM sales/EV multiple that Thoma Bravo paid in its most recent infosec LBO, Imprivata.) Further, Thoma Bravo has some growth opportunities once it adds Barracuda to its portfolio, both in terms of products (for instance, the target’s managed security service) and markets (Barracuda still generates 70% of its revenue in the US).

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

SailPoint sets sail for land of unicorns

Contact: Brenon Daly

In what would be one of the few private equity-backed tech companies to go public, SailPoint Technologies has put in its paperwork for a $100m IPO. The identity and access management (IAM) vendor, which has been owned by buyout shop Thoma Bravo for three years, should debut on Wall Street with a valuation north of $1bn. That is, unless SailPoint gets caught up in the current M&A wave that has seen a number of big buyers pick up identity-related security firms.

SailPoint reported $75m in revenue for the first half of 2017, an increase of 32% over the same period last year. Assuming that pace holds, the Austin, Texas-based company would finish this year with about $175m in sales. Depending on the product, SailPoint sells both licenses and subscriptions to its software. Subscriptions to its cloud-based offering, IdentityNow, are outpacing on-premises software sales, and currently account for some 42% of total revenue. License sales generate 34% of overall revenue, with the remaining 24% coming from services.

Transitioning to more subscription sales will undoubtedly boost SailPoint’s valuation. (Wall Street tends to appreciate the predictability that comes with multiyear subscriptions. In the case of IdentityNow, SailPoint indicated in its prospectus that the standard contract lasts three years.) That’s not to suggest that SailPoint will get the same platinum valuation as a pure SaaS provider such as Okta. That cloud-based IAM vendor, which went public in April, currently commands a $2.75bn market cap, or 11x this year’s sales. Of course, Okta is larger than SailPoint and growing at twice the pace.

Instead, we would look to some of the recent M&A pricing in the active IAM market to inform SailPoint’s valuation. For example, we understand that SecureAuth traded at more than 6x revenue in its sale in September to buyout firm K1 Investment Management. Ping Identity – which, like SailPoint, was in transition from license sales to subscriptions – also sold for about 6x sales last year. SailPoint is substantially larger than either of these fellow IAM firms, and is growing solidly. That should garner it a premium. But even using a conservative valuation multiple of 6x sales gets SailPoint into the land of the unicorns.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

ForeScout looks ahead to Wall Street

Contact: Brenon Daly

For all the ‘next generation’ hype throughout much of the information security (infosec) market, 17-year-old ForeScout represents a bit of a throwback. For instance, ForeScout has been around twice as long as the other infosec company to make it public this year, Okta. Further, its business is primarily tied to old-line boxes, while Okta and other startups of a more-recent vintage have pushed their businesses to the cloud.

That comes through in the numbers. At ForeScout, sales of products (physical appliances, mostly) still accounts for about half of the company’s revenue. The remaining half comes from maintenance fees, with just a sliver of professional services revenue. There’s no mention in ForeScout’s IPO paperwork of ‘bookings’ or ‘billings’ or any other business metric favored by companies delivering their offering through a newer subscription model

While not flashy, ForeScout’s business model works. (There aren’t too many startups that are generating a quarter-billion dollars of revenue and increasing that by one-third every year.) ForeScout posted $167m in sales in 2016, and $91m in the first half of 2017. (Growth over that period has been consistent at roughly 33%.) Assuming that pace holds through the end of 2017, ForeScout would put up about $220m in revenue, or roughly triple the amount of sales it generated in 2014.

However, in our view, much of that performance has been more than priced into the company, which secured a $1bn valuation in the private market. That said, we also don’t imagine that ForeScout will be one of those unicorns that stumbles when it steps onto Wall Street. (Post-IPO valuations for recent offerings from Snap, Blue Apron, Cloudera and Tintri are all lingering below the level they secured from VCs.)

ForeScout likely won’t enjoy anywhere near the platinum valuation that Okta commands. (The cloud-based identity vendor currently trades at a market valuation of $2.7bn, or 11x this year’s forecast revenue of $245m.) Instead, to value ForeScout, Wall Street might look to another product-based infosec provider, Fortinet.

The two companies don’t exactly line up, either in terms of strategic focus or scale. (Fortinet generates far more revenue each quarter than ForeScout will all year, while ForeScout is growing about twice as fast as Fortinet.) Nonetheless, Wall Street currently values Fortinet at roughly 4.3x current year’s revenue. Slapping that valuation on ForeScout would get the company to a $1bn valuation, but not much higher.

451 Research subscribers can look for a full report on ForeScout’s filing later today.

No more high-rolling in infosec M&A

Contact: Brenon Daly

Casinos, which are always looking to have patrons spend more money, are notorious for making exits difficult to find. For that reason, the Mandalay Bay was the perfect setting for this week’s trade show for the information security industry, Black Hat. Why do we say that? Infosec companies — at least the big ones — are having difficulty in finding exits, too.

Not to overstretch the metaphor of the host city for Black Hat, but the infosec industry has stepped away from the high-roller tables. So far this year, just one infosec company (Okta) has made it public, while those that have headed toward the other exit haven’t enjoyed particularly rich sales. This year’s small bets are reversing the recent record run for M&A spending on infosec transactions.

Spending on overall infosec acquisitions in the first seven months of the year has put 2017 on pace for the lowest annual total in a half-decade, according to 451 Research’s M&A KnowledgeBase. This year’s paltry total of just $2.3bn in aggregate deal value means that 2017 will snap three consecutive years of increasing infosec M&A spending. Our M&A KnowledgeBase shows that in 2016, infosec buyers spent $15bn, more than any other year in history, while 2015 also came in as another strong year in 2015 with $10bn in transaction value.

To put the current dealmaking decline into perspective, consider this: The largest infosec print so far in 2017 wouldn’t even make the list of the 10 biggest infosec transactions of 2015-16. And while this year’s largest acquisition – CA’s $614m purchase of Veracode – represents a decent exit, it’s fair to say more was certainly expected from the application vulnerability startup. (Veracode had filed its IPO paperwork several months before the sale on the quiet, according to our understanding.) Similarly, this year’s second-largest VC exit saw TeleSign agree to a sale that valued it lower than its valuation in its previous funding round.

The reason why so few sizable infosec startups are looking to exit is mostly because they don’t have to exit. Thanks to ever-increasing CISO spending, venture capitalists are back writing big checks to subsidize infosec startups. And when we say ‘big checks,’ we mean the size that used to come in IPOs or the rounds that got announced during the 2014-15 boom in late-stage investing, when single rounds of $100m were announced from across the startup landscape. While those growth rounds were relatively plentiful across the IT scene two or three years ago, infosec is the only industry where the big checks are once again rolling in. In just the past three months, a half-dozen infosec startups have each raised rounds of about $100m.

The one and only exit for infosec’s unicorns

Contact: Brenon Daly

In just the past month, four different information security (infosec) startups have all pulled in single rounds of funding that typically would have only been available from an IPO. In addition to filling company coffers, however, the roughly $100m slug of capital raised by each of the quartet — CrowdStrike, Tanium, Netskope and Illumio — may also influence company strategy, at least when it comes time to seek an exit. Rather than pursue a sale of the business, which is the most likely outcome for any startup, these infosec unicorns will likely eye the door that leads to Wall Street.

In other words, when it comes to the two exit options available to these security startups, they should be modeling themselves more on Okta than on AppDynamics. The reason? Of the 17 sales of VC-backed vendors valued at more than $1bn since January 1, 2014, not a single startup has come from the infosec market, according to 451 Research’s M&A KnowledgeBase. Mandiant came close to a 10-digit exit in its early 2014 sale to FireEye, but the announced value of that deal stands at $989m. (Of course, FireEye paid for the vast majority of that in stock, which lost half of its value within four months of the transaction and has never regained its early-2014 level.)

Infosec is conspicuous by its absence among the big-ticket purchases of venture-backed companies. Virtually every other major tech sector has realized some unicorn exit, including mobility (WhatsApp, AirWatch), e-commerce (Jet.com), storage (Cleversafe), the Internet of Things (Jasper Technologies) and cloud (Virtustream). The largest sale of a VC-backed infosec firm over the past three and a half years, according to the M&A KnowledgeBase, is Trustwave’s $810m sale to Singtel in April 2015. (Although Trustwave did raise venture money, notably from FTV Capital, it hardly fits the classic definition of a startup. Instead, it is more accurately viewed as a rollup, having consolidated 16 other businesses since its founding in 1995.)

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Onapsis on the block?

Contact: Brenon Daly

Enterprise application security startup Onapsis quietly kicked off a sale process about a month ago, according to our understanding. Several sources have indicated that Onapsis, which focuses on hardening security for SAP implementations, has hired UBS to gauge interest among buyers. And while there undoubtedly will be acquisition interest in the startup, Onapsis may ultimately prove to be a bit of a tough sell. The reason? The most obvious buyers for the company don’t typically pay the type of valuations that Onapsis is thought to be asking.

In many cases, the heavy-duty SAP systems that Onapsis helps secure were implemented by one of the big consulting shops. So at least theoretically, it’s not a big leap to imagine one of these consultancies buying Onapsis and offering its platform, exclusively, to help safeguard these mission-critical systems and the data they generate. (Indeed, Onapsis already has partnerships with many of the big consulting firms, including KPMG, PWC, Accenture and others.) While that strategy may be sound, M&A always comes down to pricing. And that’s why we would think it’s probably more likely than not that eight-year-old Onapsis remains independent.

According to our understanding, Onapsis is looking to sell for roughly $200m, which would be twice the valuation of its September 2015 funding. The rumored ask works out to about 8x bookings in 2016 and 4.5x forecast bookings for this year. For a fast-growing SaaS startup, those aren’t particularly exorbitant multiples. Yet they may well price out any consulting shops, which have typically either picked up small pieces of specific infosec technology or just gobbled up security consultants. Any reach for Onapsis would require a consulting firm to pay a significantly richer price than the ‘tool’ or ‘body’ deals they have historically done.

Okta’s growth-story IPO finds an audience on Wall Street

Contact: Brenon Daly 

The unicorn parade on Wall Street continued Friday as security vendor Okta nearly doubled its private market valuation in its debut on the Nasdaq. The subscription-based identity and access management provider initially sold shares at $17 each, but investors bid them to about $24 in midday trading. With the surge, Okta is valued at some $2.4bn. (See our full preview of the offering.)

Okta becomes the third enterprise IT startup to come public so far this year, and it extends the strong performance of these new issues. It also joins the two previous IPOs – MuleSoft and Alteryx – in sporting a rather stretched valuation. Based on a market cap of $2.4bn, Okta is trading at about 15x trailing sales.

Granted, Okta’s sales are growing quickly, having nearly quadrupled in just the past two fiscal years to $160m. Still, the company is commanding quite a premium compared with fellow secure identity specialist CyberArk, which also just happens to be the last information security startup to create more than $1bn of value in its IPO. (To be clear, CyberArk, which went public in 2014, also sells identity-related products in the form of privileged identity management, but doesn’t really compete with Okta.)

Wall Street currently values CyberArk at about 8.2x trailing sales, or just slightly more than half the level that investors are handing to the freshly public Okta. Bulls would argue that Okta merits the premium given that it is growing twice as fast as CyberArk. But others might counter with a question about what that growth is costing each of the companies. Okta lost a mountainous $83m on its way to generating $160m in sales last year. In contrast, CyberArk, which has run in the black for the past four years, netted $28m from its 2016 revenue of $217m.

If nothing else, the valuation discrepancy underscores that growth is still the key metric for investors. Okta’s IPO is simply supply meeting demand, same as it ever was on Wall Street. Indeed, CyberArk has also experienced that. Shares of the company reached an all-time high – nearly 50% higher than current levels, roughly Okta’s current valuation – in 2015, when revenue was increasing north of 50%, compared with the mid-30% level now.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Mastercard makes an antifraud deal of its own 

Contact: Jordan McKee 

After December reaches by Visa and American Express for card-not-present (CNP) antifraud providers, Mastercard makes its move in this space. With the purchase of NuData Security, it gains digital identity and behavioral biometrics capabilities that will play an important role as EMV and growing transaction volumes continue to push fraud into digital channels.

A recent study of 500 US merchants by 451 Research underscored the severity of this problem, showing that 60% of respondents are experiencing an increase in fraudulent activity in their digital commerce channels compared with this time last year. This problem will only be exacerbated as the Internet of Things (IoT) spreads commerce into myriad new connected devices, increasing chargeback and data breach risks for merchants.

Given its scale and complexity, IoT presents a security threat an order of magnitude greater than anything the payments industry has previously experienced. Payment networks and their partners are increasingly being required to operate in foreign environments that differ greatly from traditional CNP channels, such as web browsers. The spread of commerce to new connected endpoints will require new technology, talent and security approaches to ensure that the integrity of the card issuance ecosystem remains intact.

While Mastercard has positioned its pickup of NuData as an IoT antifraud play – and could conceivably extend NuData’s technology into various IoT settings over time – we see near-term applicability to traditional CNP antifraud use cases. In particular, its work around digital identity and biometrics will help extend Mastercard’s security efforts from the network to the device, helping to combat the wave of fraud currently occurring in mobile and e-commerce. Terms of the deal weren’t disclosed. NuData had about 70 employees.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.