Going public makes $12 billion CrowdStrike an anomaly in crowded cybersecurity space where M&A is the norm. Here's why.
- CrowdStrike, the Google and Accel-backed end-point security company, went public last week, bucking the trend toward M&A that keeps most cybersecurity startups from hitting the public markets.
- Just five companies in cybersecurity valued over $100 million have gone public in IPOs since 2018, while 36 companies have gotten acquired, according to PitchBook data.
- Click here for more BI Prime stories.
CrowdStrike's initial public offering last week was a boon for early investors, but there's another reason it stood out. Most cyber companies simply don't go public. From Cylance to Demisto, a majority of sizable cyber firms have gotten scooped up before they've had a chance to hit the public markets.
"In security, even if you really want to go public, chances are somebody is going to make you an offer someone can't refuse," said Yoav Leitersdorf, founder of YL Ventures, which invests exclusively in cybersecurity companies. (CrowdStrike CEO George Kurtz serves as an advisor at YL.).
There have been 36 acquisitions in cybersecurity over $100 million since the start of 2018, and just five IPOs which raised more than $100 million during the same time period, according to PitchBook data.
With an initial market cap of $6.7 billion, CrowdStrike was valued at far more in its IPO than the two big cybersecurity IPOs in 2018. Tenable was valued at $2 billion in its IPO and Carbon Black was valued at $1.3 billion.
"Security tends to be a hype-fueled market, so it's not surprising to see such a high valuation," Jessica Lin, co-founder and general partner at the VC firm Work-Bench, said in an email. "The key here is CrowdStrike has reached a scale that most security companies don't in terms of revenue."
By Friday, CrowdStrike popped 97%, giving the Google and Accel-backed end-point security company a market cap over $12 billion by market's close, far exceeding the $3 billion valuation it got in a private funding round in 2018.
Other enterprise tech IPOs have seen comparable gains. IPO darlings Zoom and PagerDuty traded up 180% and 128% respectively on Friday from the price of their IPOs.
Palo Alto Networks's $1 billion shopping spree
For Leitersdorf, the active buying situation in cybersecurity is more than just theoretical.
Palo Alto Networks acquired Twistlock, a YL portfolio company, for $410 million at the end of May, putting an end to a trajectory that Leitersdorf thought might end with an IPO in the next two years.
The deal was signed just three weeks after Palo Alto Networks CEO Nikesh Arora first initiated acquisition talks, said Leitersdoft, whose firm owns 20% of Twistlock.
"We weren't in the market to sell it," he said. "But Nikesh was able to convince the founders and lure them with the great fit between the two companies."
Palo Alto Networks is one of the most active buyers in cybersecurity. In the year since Arora joined Palo Alto Networks as CEO, the company has spent more than $1.1 billion on acquisitions. In March, it bought security startup Demisto for $560 million, and in October 2018 it spent $173 million on RedLock.
Other active acquirers in security include Cisco, Symantec, and Check Point, as well as Microsoft and IBM. Though lower market cap companies, like the $5 billion Elastic, come in from time to time. Elastic announced its acquisition of cybersecurity startup Endgame for $234 million on June 5.
Cisco looked, but its budget is modest
One of the most active shoppers in the space is Cisco, the networking giant which spent $2.35 billion on Duo Security in August 2018 and $2.7 billion on Sourcefire in July 2013.
CrowdStrike held talks with Cisco ahead of its IPO, Bloomberg reported, though there was never an offer.
"Cisco is a huge incumbent in the space and have a focus on growing their security business," said Lin, who used to work at Cisco. "Their acquisition of Duo was a way for them to move into an adjacent security market (identity) and we wouldn't be surprised to see them make other bold, complementary acquisitions to buy into new business lines."
Though Cisco spent a record $3.7 billion on its dramatic eve of IPO acquisition of the performance management company AppDynamics in 2017, bankers in the space told Business Insider that they couldn't see Cisco paying more than that on another acquisition. CrowdStrike's valuation far exceeded what even Cisco, with its $236 billion market cap, is willing to pay, they said.
One reason Cisco keeps its checks modest, some hypothesize, is that it doesn't need to own the top player to compete in a given space to succeed.
"Cisco, they don't really compete on the strength of their technology. They compete on support and distribution," said Mark Kraynak, an investor at Aspect Ventures.
If Cisco wanted a company that does what CrowdStrike does, he said, they would probably go for a lower-cost competitor such as SentinelOne, which hit a $600 million valuation in a June funding round, or its even smaller competitor enSilo.
Kraynak, who spent more than a decade in high-level positions at cybersecurity company Imperva, estimated that the sweet spot for acquisitions across security is $350 million to $450 million.
But he stressed that companies like Palo Alto Networks and Cisco make acquisitions out of necessity - large companies rely on the emerging technology from cybersecurity startups to stay on top of their game.
"As the underlying compute changes, the existing security needs to change with it," Kraynak said."There's a need for new solutions."
- Read more:
- Sumo Logic, the startup helping Airbnb and the Pokémon Company secure their cloud software, raised $110 million in a round valuing it above $1 billion
- 7 companies looked at buying semiconductor firm Mellanox. Here's how Nvidia won the $6.9 billion deal.
- A Nasdaq executive says companies are rushing to get their IPOs out before Trump goes up for re-election
- McDonald's, Nvidia and Salesforce all want a bite of the Tel Aviv tech crop. Here's what you need to know about Israel's bustling M&A scene.