Not wrong, just early?

by Brenon Daly

Call it a case of mistaken identity in the identity security market. In our exclusive report last week that BeyondTrust was nearing a sale, we speculated that One Identity would be the buyer for the often-in-play company. Instead, Bomgar has announced the purchase of BeyondTrust.

We regret missing the mark, which can be an occupational hazard while working in the opaque regions of the information economy. (Subscribers to 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Bomgar’s acquisition of BeyondTrust by clicking here.)

In our defense, however, we were close. We had the correct family (private equity firm Francisco Partners) albeit the wrong sibling (Francisco-owned One Identity rather than Francisco-owned Bomgar). And, for the record, we have heard from numerous sources that One Identity and BeyondTrust have held in-depth M&A discussions ever since Francisco carved the software business out of Dell, which included the assets that became One Identity.

And while we didn’t necessarily get the right buyer for BeyondTrust right now, it may be a bit academic as far as Francisco is concerned. Longer term, we could well imagine that the PE shop will ultimately combine Bomgar, which it bought in April, with One Identity.

Buyout firms often consolidate holdings as a way to cut expenses and boost all-important cash flow. Admittedly, we’re speculating again. But there’s a lot of financial sense to making the move. If that does come to pass, then we like to think we weren’t wrong about the buyer for BeyondTrust, just early.

For now, though, 451 Research subscribers can look for our full report on Bomgar’s pickup of BeyondTrust on our site later today.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Snapping up smarts

by Brenon Daly

Having gotten a little richer in its mid-March IPO, Zscaler is now looking to get a little smarter with some M&A. In its first-ever acquisition, the cloud security vendor has reached for TrustPath, a startup that Zscaler plans to use to help speed and sharpen its analysis of the billions of transactions that flow over its platform each day. Not much is known about TrustPath, which is still operating in stealth mode.

Zscaler’s inaugural print continues the trend of information security (infosec) providers emerging as some of the busiest buyers of machine learning (ML) startups, a market that itself is pretty busy. In fact, for the past two years, tech investment bankers we have surveyed have forecast ML to be the single biggest driver for M&A in each of the coming years, ahead of other notable themes such as the Internet of Things and cloud computing.

More importantly, that sentiment is coming through in the actual deal flow. According to 451 Research’s M&A KnowledgeBase, the number of overall ML transactions is on pace to top 120 deals in 2018, three times the number announced just in 2015. Infosec is playing a key role in the record number of ML transactions, with Zscaler joining Amazon Web Services, Splunk and even PayPal in the parade of recent security-focused ML acquirers.

Collectively, infosec buyers are punching well above their weight in the emerging field of ML M&A. Look at it this way: Infosec accounts for roughly 15% of total ML deals in the M&A KnowledgeBase, despite security acquisitions making up less than 5% of all tech transactions we record in any given year.

The main reason for infosec’s outsized role in the ML market is that there’s actually business to be done there. In fact, in a recent survey by 451 Research’s Voice of the Enterprise: AI & Machine Learning, Adoption, Drivers and Stakeholders 2018, infosec emerged as the second-highest rated use case for ML, trailing only ‘business analytics.’ Importantly, the rankings in our survey came from folks who actually have ML technology up and running or are nearly there. With that kind of demand from customers, it’s no wonder infosec suppliers are leading the charge in snapping up smarts.

A safe bet to get rich

by Brenon Daly

Playing defense can be a lucrative strategy. Along with the record deal volume in the information security (infosec) market this year, valuations across the fast-growing sector have surged to their highest level. Already in 2018, 451 Research’s M&A KnowledgeBase lists eight transactions that have gone off at price-to-sales multiples of more than 10x, based on disclosed or estimated terms.

These double-digit valuations have helped to push the multiple across the entire infosec market to new heights, twice as rich as virtually all other major IT sectors. According to the M&A KnowledgeBase, acquirers have been paying 8.1x trailing sales for the infosec companies they have picked up so far this year.

For comparison, the next-richest segment (infrastructure software) checks in at 6.6x trailing sales. One sign of how inflated that market has become is the surprisingly rich valuation of infrastructure software titan CA Technologies. Broadcom is paying the highest price for CA shares since the internet bubble collapsed. The deal values CA at 4.5x sales, roughly a turn higher than other large software vendors that aren’t really growing. Additionally, Salesforce paid more than 20x trailing sales for MuleSoft in March.

More broadly, valuations in the 10 other IT sectors we track in the M&A KnowledgeBase are all less than half the median valuation in infosec. For instance, application software transactions this year are going off at 3.4x trailing sales, which is roughly consistent with the two previous years.

Of course, as in any small market, a few richly valued deals can skew the overall valuation for the sector. (The number of infosec prints each year is only about one-tenth the number of application software transactions in any given year.) And the infosec market has seen an unusually large number of big prices paid for very early-stage startups. Deals such as Palo Alto Networks-Evident.io and Splunk-Phantom Cyber are certainly pushing the median multiple higher. But even outside those outliers, acquirers are having to reach deeper than ever before to secure the security providers they want to buy.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Infosec hits the exits

BY Brenon Daly

At Black Hat last year, we half-cleverly noted how information security (infosec) vendors should feel right at home in Mandalay Bay, since exits were hard to find in both the infosec industry and the casino itself. Now, as the annual security conference gets set to open this weekend, it’s a much different picture. The exit door has been thrown wide open, with an unprecedented level of both IPOs and M&A in the cybersecurity market.

Start with IPOs. At this point last year, only one cybersecurity provider had made it public (Okta). As the conference gets set to open this weekend, three infosec startups have already debuted on Wall Street this year (Zscaler, Carbon Black and Tenable). Collectively, this year’s trio of new listings has created $9bn of market value, more than 10 times the amount of venture backing they raised altogether.

More significantly, the long-expected wave of consolidation in the overpopulated infosec market is beginning to take shape. For instance, 451 Research’s M&A KnowledgeBase lists 18 infosec acquisitions in July, which matches the highest-ever monthly total for the sector. Last month’s acceleration continues the already-strong dealmaking activity posted earlier this year, putting 2018 on track for the most infosec transactions in any year in history. This year’s unprecedented rate of M&A activity is being driven by an ever-increasing number of buyers that have been attracted to the fast-growing market.

Subscribers to 451 Research can look for a full report on the exit environment for infosec companies on our site early next week.

Managing an exit for Alert Logic?

The field is tilted against companies trying to secure their information: they face an ever-growing number of attackers, but a shortage of defenders. To get around this imbalance, an increasing number of vendors are looking to hand off at least some of their security to other firms, which can manage headaches and heartaches that come with process. The offerings, which can range from single products all the way to broader portfolios from managed security service providers (MSSPs), have found buyers among thinly stretched CISOs. A recent survey of security professionals by 451 Research’s Voice of the Enterprise showed MSSPs ranking the second-highest increase in spending over the next year.

Against this backdrop of overall growth in the market, it’s worth noting that – unlike other areas of the information security (infosec) market – there haven’t been any significant prints recently, at least not among the pure MSSPs. According to 451 Research’s M&A KnowledgeBase, the most recent deal for a substantial MSSP came more than three years ago, when SingTel paid $810m for Trustwave. Since then, most of the M&A activity around hosted security has come from infosec vendors looking to acquire people and technology so they can offer their own product as a managed service. (For instance, earlier this month, CounterTack bought GoSecure, an 80-person startup that provides managed detection and response services.)

That could be changing. Long-rumored to be an acquisition candidate, Alert Logic would likely be the next blockbuster print in the spectrum of vendors that offer security as a service. This brings up a distinction not always clear in this space. Alert Logic is recognized by many as a provider of security SaaS, but the boundaries between that and managed security services keep getting blurrier, as traditional MSSPs move from one direction to reinforce managed services with hosted technologies, and from the other, security SaaS vendors augment their offerings with managed services. Alert Logic is among the poster children for the latter. (That approach also shows up in Alert Logic’s financials. According to our understanding, the company operates with gross margins of roughly 70%, much higher than a pure MSSP.)

Alert Logic has more than quadrupled revenue since it was recapitalized by private equity (PE) firm Welsh Carson Anderson & Stowe (WCAS) nearly five years ago. (Subscribers to the M&A KnowledgeBase can see our proprietary estimate of terms on that deal.) In addition to nearing the logical end of a holding period inside a PE portfolio, Alert Logic has also seen two top executives replaced this year. If it does trade, we estimate that Alert Logic’s price would be roughly double the amount WCAS paid, putting the transaction among the largest security services acquisitions.

http://the451group.com/images/upload/VotE_mid-2018_spending_increases.JPG

TITUS goes from bootstrapped to buyout with Blackstone

Contact: Brenon Daly

Private equity (PE) firm Blackstone Group has picked up a majority stake in TITUS, marking an unconventional bootstrapped-to-buyout exit for the 12-year-old data classification startup. Terms weren’t revealed. With the acquisition, PE shops have now purchased more cybersecurity vendors in 2017 than any year in history, according to 451 Research’s M&A KnowledgeBase (see graphic below).

The transaction comes two years after Microsoft made a similar data security move, reaching for Israel-based startup Secure Islands. (Although the price of that deal wasn’t disclosed, subscribers to the M&A KnowledgeBase can see our proprietary estimate on terms.) However, Secure Islands was a much smaller company than TITUS, both in terms of revenue and technology. Secure Islands focused primarily on extending security for Microsoft technology, specifically Office 365 and SharePoint, while TITUS has a broader technology platform. Also, according to our understanding, profitable TITUS generates more than four times the sales that Secure Islands did at the time it was acquired.

For Blackstone (in this case, through its Tactical Opportunities team), the purchase of TITUS represents a return to the information security (infosec) market, with a platform that lends itself to additional bolt-on acquisitions. (The firm used the buy-and-build strategy with infosec reseller/service provider Optiv before selling it to Kohlberg Kravis Roberts a year ago.) Once TITUS is in the portfolio, which should come before the end of the year, Blackstone could help cover the costs of buying into markets where TITUS currently partners. Specifically, markets such as data-loss prevention and archiving would be logical adjacent sectors for Blackstone-backed TITUS to look to shop in.

Cybersecurity turns into a busy bazaar

Contact: Brenon Daly

The holiday shopping season kicked off last week, and for one tech sector, it was a particularly bountiful time for picking up some companies. Information security (infosec) acquirers announced an unprecedented seven transactions during the week that started on Cyber Monday. The pace represented a dramatic acceleration from the year-to-date average of just two deals announced each week.

With last week’s flurry, the number of infosec acquisitions in 2017 has already eclipsed last year’s total, even as overall tech M&A volume this year is heading for a mid-teens percentage drop from last year, according to 451 Research’s M&A KnowledgeBase. (This year already ranks as the second-busiest year for infosec, with deal volume tracking to roughly 50% higher than the start of the decade.) Probably more important than the sheer number of transactions was who was doing the dealing:

-McAfee announced its first purchase since throwing off the shackles of full ownership of Intel last year. By all accounts, McAfee’s step back into the M&A realm with cloud security startup Skyhigh Networks came at a sky-high price.
-An infrequent acquirer, Trend Micro reached for a small application security startup based in Montreal, IMMUNIO. It is only the third acquisition the Japan-based company has done since 2011.
-Thoma Bravo continued this year’s record level of infosec M&A by private equity (PE) firms, taking Barracuda Networks private for $1.6bn. The M&A KnowledgeBase indicates that 2017 is on pace for more PE purchases in this market than any year in history, likely to come in about quadruple the number of sponsor-backed infosec deals in 2012.

Expanding the timeframe beyond just last week, we see a number of other trends this year that have contributed to strong infosec deal volume in 2017, which should continue in 2018. For starters, the industry’s largest stand-alone vendor has stepped back into the market in a big way. Symantec has inked five transactions so far in 2017, more than it has done, collectively, in the previous half-decade. Meanwhile, other infosec providers have either reemerged as buyers (Juniper acquiring Cyphort after a four-year infosec M&A hiatus) or started their own acquisition program (Qualys has announced two deals in the past four months, after printing just one transaction since the company’s founding in 1999).

Thoma Bravo goes fishing, lands a Barracuda

Contact: Brenon Daly

After four underwhelming years as a public company, Barracuda Networks will step off the NYSE in a $1.6bn take-private with Thoma Bravo. The all-cash transaction, which is expected to close within three months, is one of those rare deals that appears to fit both the buyer and the seller in equal measure. With $17bn sloshing around, private equity firm Thoma Bravo needs to put money to work and has made the information security market a favorite shopping ground, having previously taken four infosec vendors private.

For Barracuda, the proposed leveraged buyout (LBO) wraps a period of not truly finding a home on Wall Street. As a public company, Barracuda posted just one-third the return of the Nasdaq Composite over the same period. The $27.55 per share that Thoma Bravo is paying represents the highest price for Barracuda stock in two and a half years. At one point in 2015, shares of Barracuda changed hands above $40.

Part of the reason why Barracuda fell out of favor with investors is the company’s ongoing transition from an on-premises business to more of a cloud focus. The so-called ‘legacy’ revenue – much of which is tied to appliances – has been shrinking every quarter, but still represents roughly one-third of sales. Deemphasizing that business has boosted Barracuda’s operating margins, but has slowed overall revenue growth to the single digits. Going private to complete the transition to a higher-margin software business, while continuing to throw off $10-20m of free cash flow each quarter, makes sense for Barracuda.

On the other side, Thoma Bravo pays essentially a market multiple for a company that has figured out a way to turn a profit selling into the underserved SMB market. (The enterprise value of Thoma Bravo’s bid stands at $1.48bn, or 4x trailing 12-month sales at Barracuda. That roughly matches the 4.4x TTM sales/EV multiple that Thoma Bravo paid in its most recent infosec LBO, Imprivata.) Further, Thoma Bravo has some growth opportunities once it adds Barracuda to its portfolio, both in terms of products (for instance, the target’s managed security service) and markets (Barracuda still generates 70% of its revenue in the US).

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

SailPoint sets sail for land of unicorns

Contact: Brenon Daly

In what would be one of the few private equity-backed tech companies to go public, SailPoint Technologies has put in its paperwork for a $100m IPO. The identity and access management (IAM) vendor, which has been owned by buyout shop Thoma Bravo for three years, should debut on Wall Street with a valuation north of $1bn. That is, unless SailPoint gets caught up in the current M&A wave that has seen a number of big buyers pick up identity-related security firms.

SailPoint reported $75m in revenue for the first half of 2017, an increase of 32% over the same period last year. Assuming that pace holds, the Austin, Texas-based company would finish this year with about $175m in sales. Depending on the product, SailPoint sells both licenses and subscriptions to its software. Subscriptions to its cloud-based offering, IdentityNow, are outpacing on-premises software sales, and currently account for some 42% of total revenue. License sales generate 34% of overall revenue, with the remaining 24% coming from services.

Transitioning to more subscription sales will undoubtedly boost SailPoint’s valuation. (Wall Street tends to appreciate the predictability that comes with multiyear subscriptions. In the case of IdentityNow, SailPoint indicated in its prospectus that the standard contract lasts three years.) That’s not to suggest that SailPoint will get the same platinum valuation as a pure SaaS provider such as Okta. That cloud-based IAM vendor, which went public in April, currently commands a $2.75bn market cap, or 11x this year’s sales. Of course, Okta is larger than SailPoint and growing at twice the pace.

Instead, we would look to some of the recent M&A pricing in the active IAM market to inform SailPoint’s valuation. For example, we understand that SecureAuth traded at more than 6x revenue in its sale in September to buyout firm K1 Investment Management. Ping Identity – which, like SailPoint, was in transition from license sales to subscriptions – also sold for about 6x sales last year. SailPoint is substantially larger than either of these fellow IAM firms, and is growing solidly. That should garner it a premium. But even using a conservative valuation multiple of 6x sales gets SailPoint into the land of the unicorns.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

ForeScout looks ahead to Wall Street

Contact: Brenon Daly

For all the ‘next generation’ hype throughout much of the information security (infosec) market, 17-year-old ForeScout represents a bit of a throwback. For instance, ForeScout has been around twice as long as the other infosec company to make it public this year, Okta. Further, its business is primarily tied to old-line boxes, while Okta and other startups of a more-recent vintage have pushed their businesses to the cloud.

That comes through in the numbers. At ForeScout, sales of products (physical appliances, mostly) still accounts for about half of the company’s revenue. The remaining half comes from maintenance fees, with just a sliver of professional services revenue. There’s no mention in ForeScout’s IPO paperwork of ‘bookings’ or ‘billings’ or any other business metric favored by companies delivering their offering through a newer subscription model

While not flashy, ForeScout’s business model works. (There aren’t too many startups that are generating a quarter-billion dollars of revenue and increasing that by one-third every year.) ForeScout posted $167m in sales in 2016, and $91m in the first half of 2017. (Growth over that period has been consistent at roughly 33%.) Assuming that pace holds through the end of 2017, ForeScout would put up about $220m in revenue, or roughly triple the amount of sales it generated in 2014.

However, in our view, much of that performance has been more than priced into the company, which secured a $1bn valuation in the private market. That said, we also don’t imagine that ForeScout will be one of those unicorns that stumbles when it steps onto Wall Street. (Post-IPO valuations for recent offerings from Snap, Blue Apron, Cloudera and Tintri are all lingering below the level they secured from VCs.)

ForeScout likely won’t enjoy anywhere near the platinum valuation that Okta commands. (The cloud-based identity vendor currently trades at a market valuation of $2.7bn, or 11x this year’s forecast revenue of $245m.) Instead, to value ForeScout, Wall Street might look to another product-based infosec provider, Fortinet.

The two companies don’t exactly line up, either in terms of strategic focus or scale. (Fortinet generates far more revenue each quarter than ForeScout will all year, while ForeScout is growing about twice as fast as Fortinet.) Nonetheless, Wall Street currently values Fortinet at roughly 4.3x current year’s revenue. Slapping that valuation on ForeScout would get the company to a $1bn valuation, but not much higher.

451 Research subscribers can look for a full report on ForeScout’s filing later today.