Cyber security start-ups fall on hard times

Becoming corporate ‘zombies’.

A wave of cyber attacks should make these heady days for US cyber security start-ups.

Instead, many in the crowded market are struggling to live up to their early promise.

In some cases, the security products they developed have been overtaken by advances in hacking, according to industry executives and venture capitalists.

In others, larger competitors have come out with similar technology and locked down customers.

“I have never seen such a fast-growing market with so many companies on the losing side,” said David Cowan, a partner at Bessemer Venture Partners, a venture capital firm that has invested in the cyber security sector.

Venture capital continues to pour into the industry, driven by the belief that there is no end in sight to cyber attacks or companies’ need to protect themselves. Yet only a handful of start-ups have successfully sold themselves or floated in the stock market in recent years.

The result is a number of these start-ups have become corporate “zombies” with little prospect of fetching a good price in an initial public offering (IPO) or becoming acquisition targets, experts said. Their early investors have been left without an easy or profitable exit.

Not only is the technology behind cyber attacks rapidly evolving, the nature of how the corporate world uses security firms is changing. To save money and trouble, some companies have consolidated their security work, using just a few large players rather than spreading business around.

Companies are also diverting money to lower-cost bug bounty firms that contract out researchers who help identify security weaknesses.

“Suddenly, we are in this situation where there are just too many vendors and too few can be sustained,” said Dave DeWalt, the former CEO of cyber security company FireEye.

“You’re starting to see companies go, ‘oh my gosh, what do I do? Can I get more capital, do I have to merge?’”

Momentum Cyber, an advisory firm focused on cyber industry mergers and acquisitions, said it tracks 2500 security companies today, almost double the number a few years ago. The firm’s co-founder, Eric McAlpine, estimates 300 cyber security start-ups launch every year.

Few of these are pulling off IPOs. What’s more, big software companies have become less willing to acquire cyber security products they believe they can develop on their own.

“The pipe dream days of selling companies at a rich price equivalent to ten times their revenue are gone,” said Tom Kellermann, chief executive of venture capital firm Strategic Cyber Ventures.

ForeScout Technologies, a provider of software that helps companies keep the devices of their employees secure, was the only US cyber security company, excluding identity management providers, to go public last year. This compares to three cyber security IPOs in 2016 and four in 2015.

ForeScout raised US$116 million in an IPO in October that valued the company at about US$800 million, down from its US$1 billion valuation in the private markets a year earlier.

Its backers, including Intel Capital and Accel Partners, had to moderate their valuation expectations for the IPO to be successful. The company is now trading at a US$1.2 billion market capitalisation.

Holding back

Many venture capital firms are sticking with the sector. Some are curbing their bets or backing smaller startups.

“Start-ups that are likely to reach between US$100 million and US$300 million in value are still offering excellent opportunities for an exit,” said Yoav Leitersdorf, whose investment firm YL Ventures was an investor in Hexadite, a security incident investigation company that announced a sale to Microsoft last June.

Some larger start-ups, such as Carbon Black, have delayed their IPOs. Founded in 2002 by former US government cyber security experts, Carbon Black, formerly known as Bit9, was a pioneer in developing tools that detect and respond to threats targeting corporate networks.

Within a few years, its market became more competitive, as rivals such as Cylance, CrowdStrike, and SentinelOne came out with similar technologies. Some larger companies, including Symantec, also developed similar products.

Carbon Black filed confidentially for an IPO in 2016, while also exploring a sale to other companies, including IBM, people familiar with the matter said. IBM did not respond to a request for comment.

The company has yet to move ahead with the IPO, stranding investments from venture capital backers such as Kleiner Perkins Caufield & Byers and Sequoia Capital. Both firms declined to comment.

A source close to Carbon Black said it is now hoping to go public this year, and that it delayed its IPO to integrate an US$100 million acquisition of a company called Confer.

Carbon Black CEO Patrick Morley declined to comment on plans around a possible IPO, or any merger discussions.

But Morley said the company has rolled out several offerings that make it more diversified than its rivals. He also predicted more consolidation in the market.

Another startup, Zscaler, which specialises in cloud security, hired investment banks to go public last year but has delayed its offering until at least March to focus on growing its revenue, according to sources. Zscaler declined to comment.

“Some have compared some cyber security companies to cockroaches,” DeWalt said.

“They can’t die, but they aren’t smoking hot either.”