Cybersecurity M&A Update – July 2024

Strong Deal Flow Signals Comeback for Cybersecurity M&A

Mergers and acquisitions (M&A) in the Cybersecurity M&A market have experienced a significant recovery in volume through year-to-date (YTD) 2024. Following full-year 2023, which saw a 18.8% year-over-year (YOY) decline in Cybersecurity transactions, M&A activity to-date has risen 13.6% YOY. This resurgence in dealmaking has stemmed from both a rising rate of critical cyberattacks and continued integration of artificial intelligence (AI) and machine learning (ML) technology into the product suites of sector players. The April 2024 initial public offering (IPO) of Rubrik (NYSE:RBRK), a provider of cyber resiliency and cloud data protection, has characterized the strength of these two sector trends. Despite operating at a net loss of $277.8 million and $327.5 million in its fiscal years (FY) 2023 and 2024, respectively, Rubrik went public on April 24 at $32 per share, according to its IPO prospectus.¹ Additionally, the company raised $752 million through its public offering while trading at $38.6 per share on its first day, 21% above the initial listing price. Rubrik’s public valuation was driven by its unique positioning among data storage providers, as one of the few providers that offers protection and backup against ransomware attacks. Cybercrime incidents involving ransomware attacks have risen by 13% over the past five years with an average cost to the victim of $1.9 million per incident, according to Astra.² Rubrik’s AI/ML threat monitoring engine analyzes emerging ransomware threats, creating a wholistic platform of cyber resiliency. Although Rubrik operated at a net loss during its FY 2024 and had $482.5 million in sales and marketing costs, the company grew its subscription-based annual recurring revenue (AAR) by 47% YOY to $784.0 million in its FY 2024. At the intersection of AI/ML integrated technology and increased demand for cybercrime protection, Rubrik’s successful IPO in the face of lagging earnings has provided an optimistic outlook for the health of the sector.

Cybersecurity transaction activity continues to rebound from the lows of 2022 and 2023 as AI driven innovation to address unrelenting, sophisticated attacks drive increased cyber budgets. These underlying fundamentals create a solid foundation for higher volumes of mergers and acquisitions going forward.

Tom McConnellManaging Director, Capstone Partners

Cybersecurity Market Sees Resurgent M&A Activity Through Year-to-Date

Cybersecurity M&A has performed well through YTD 2024 reaching 226 announced or completed transactions, outpacing the prior year period by 13.6%. Demand tailwinds have helped revitalize the dealmaking environment, as persistent cyberattack threats have proliferated in recent years. This has had a positive effect on consolidation at the higher-end of the deal value spectrum. Sector M&A deals exceeding $1 billion in enterprise value have risen YOY to ten transactions through YTD 2024. In comparison, there were only three deals exceeding $1 billion in YTD 2023, seven in YTD 2022, and nine in YTD 2021. Optimistic sentiment about demand in the Cybersecurity market has also contributed to strong public company valuations. Notably, Check Point Software (Nasdaq:CHKP) and CyberArk Software (Nasdaq:CYBR) have both seen double-digit growth in their stock prices through YTD. Additionally, Everbridge (Nasdaq:EVBG) saw its stock price rise over 40% in 2024 before Thoma Bravo completed its acquisition to take the company private (February, $1.5 billion, 3.4x EV/Revenue).

Despite accounting for only 12.4% of total transactions through YTD 2024, private equity platform acquisitions have comprised half of all Cybersecurity deals exceeding $1 billion in enterprise value during the same period. While debt financing costs since Q1 2022 have stifled leveraged buyouts, private equity buyers traditionally active in the Cybersecurity sector have continued to pursue consolidation. Capstone has noticed that a number of sponsor-led platform deals in the Cybersecurity space through YTD have been all-cash acquisitions. Private equity firms have been able to selectively finance large-scale acquisitions in attractive sectors using cash, due to the $1.6 trillion in dry powder that financial buyers have amassed globally, according to PitchBook.³ Notably, Thoma Bravo, has announced two multi-billion-dollar, all-cash take-private deals in the Cybersecurity sector through YTD. These included the announced acquisitions of Everbridge (Nasdaq:EVBG) (February, $1.5 billion, 3.4x EV/Revenue) and Darktrace (LSE:DARK) (April, $5.2 billion, 8.5x EV/Revenue). This trend has carried over from 2023 where massive take-private deals of enterprise software companies, such as Vista Equity Partners’ acquisition of EngageSmart (October 2023, $3.5 billion, 9.7x EV/Revenue), helped to prop up the volume and value of private equity activity. Although interest rates have placed downward pressure on financial buyer activity, large take-private deals have continued to signal the Cybersecurity sector as an attractive area of investment for sponsors.

Venture Capital Funding Rises Year-Over-Year, Lags Historical Precedent

Venture capital (VC) funding for cybersecurity companies has been comparatively robust through YTD 2024, rising 97.4% YOY to $7.5 billion. Deal volume has also increased, rising 21.2% YOY to 446 VC funding transactions. Although multitudes higher than the previous year in both volume and value, VC funding in the Cybersecurity space has lagged behind historical precedents. Cybersecurity VC deal volume through YTD 2022 reached 717 transactions, while YTD 2021 saw 606 VC fundraising transactions.

Funding volume through YTD 2024 has been driven by both the practical applications of, and the future growth potential for, AI technology in cybersecurity programs. While AI has been hailed as a driver of growth in a variety of technology-based sectors, AI has been involved in the Cybersecurity space since the late 1990’s and early 2000’s with the introduction of Intrusion Detection Systems (IDS). These IDS programs use anomaly detection as the basis of their protection by establishing baseline behaviors in a system and flagging deviations as potential threats. This can be seen as an early adoption of ML, a subset of AI, which functions in the same way by learning normal behaviors within a network and then identifying abnormal activity. While AI in cybersecurity programs has evolved significantly since the turn of the century, the underlying fundamentals of cybersecurity technology have enabled the use of current AI technology as an enhancement, rather than a reimagining, of cybersecurity capabilities.

VC Funding Drives M&A Among Buyers and Sellers

AI adoption has drawn significant investment interest from VC groups with deep pockets that can sustain the capital needed for long-term product development. Even as VC funding has dried up in other areas of the broader Enterprise Technology space, VC funding in the Cybersecurity sector has rebounded. This is also expected to have larger implications for Cybersecurity M&A, as the IPO market has been volatile since 2022 with 36 IPOs in Q1 2024, a 64.4% decline compared to Q1 2021, according to KPMG.⁴ VC investors with a need to return capital to their limited partners (LPs) may decide that a strategic acquisition provides a more reliable exit opportunity than the IPO market. Several key VC funding deals and VC-backed M&A transactions in the Cybersecurity sector through YTD 2024 are highlighted below.

• Wiz Raises $1 Billion in Series E Funding (May 2024) – New York-based Wiz, a cloud security developer, raised $1 billion in Series E funding (May) co-led by Andreessen Horowitz, Lightspeed Venture Partners, and Thrive Capital, placing the company’s post-raise valuation at $12 billion. This latest funding round makes Wiz one of the most highly valued start-ups in the Cybersecurity sector and gives the company a capital outlay for its inorganic growth initiatives. Founded in 2020, Wiz has raised a total of $1.6 billion since its inception with the intention of going public in the future. The April 2024 Series E funding round offers Wiz room to pursue an all-cash inorganic growth strategy that does not dilute the company’s equity and maximizes its return for a future IPO. “We see two kinds of opportunities in the market right now. There are ex-unicorns, startups with valuations greater than $1 billion that have failed to grow as expected and are exploring options beyond an IPO, and also exciting, younger startups, superstars with a great trajectory ahead of them. We have an opportunity now to combine forces with both of these,” said Wiz CEO Assaf Rappaport, in a press release.⁵ Through YTD 2024, Wiz has already acquired threat detection provider Gem Security (March 2024, $350 million), and looks to be an active buyer in the sector moving forward.

• Apex Security Raises $7 Million in Seed Funding (May 2024) – Apex Security, a developer of cybersecurity tools for use with AI, raised $7 million in seed funding from Sequioa Capital, Index Ventures, and Sam Altman, CEO of OpenAI (May 2024). Apex offers specific visibility into a company’s AI-integrated operations while enabling companies to mitigate exposure to cyberattacks. The company uses AI to fight AI-enabled cyberattack threats, an increasingly prominent trend in the sector which has been seeing elevated VC interest. “As companies start using AI and large language models, they expose themselves to new risks, including data leaks, privacy, intellectual property breaches, or dedicated AI attacks. Apex is focused on resolving this particular dilemma,” said Shardul Shah, Partner at Index Ventures, in a press release.⁶
• Vista Equity Partners-backed KnowBe4 Announces Acquisition of Egress Software Technologies (April 2024, Undisclosed) – KnowBe4, a portfolio company of Vista Equity Partners, announced its intent to acquire Egress Software Technologies in April 2024 for an undisclosed sum. Egress, an AI-powered email security provider, had received Series A venture funding from Albion Capital Group (February 2014, $3.7 million) and Series C funding from Albion Capital and FTV Management (December 2018, $40 million). Kyle Griswold, Partner at FTV Management, joined Egress’ board following FTV’s 2018 investment in the company. KnowBe4 plans to use the acquisition of Egress to provide a single platform that offers both AI-based email security and preventative training. Both KnowBe4 and Egress have won awards in the Cybersecurity space this year. KnowBe4 was recognized as a Top Software winner by G2, while Egress’ AI-powered Automated Abuse Mailbox received the Security Innovation of the Year award from Computing Security Excellence Awards, according to a press release.⁷ This transaction highlights a growing interest in M&A as an alternative exit strategy for VC-backed companies that have reached maturation.
• Insane Cyber Raises $4.7 Million in Seed Funding (February 2024) – Insane Cyber, a developer of industrial cybersecurity solutions, received $4.7 million in seed funding from Paladin Capital in February. This funding transaction represents Paladin Capital’s fifth VC investment in the Cybersecurity space since the beginning of 2023, deploying $150 million in total capital investments during the same period. Paladin has been active in the Cybersecurity sector fundraising environment, with two VC funds dedicated to cybersecurity investing including the Paladin Cyber Fund (Opened 2014, $146.7 million) and the Paladin Cyber Fund II (Opened 2019, $372.3 million). Insane Cyber expects to use the newly secured funds to further develop its proprietary Valkyrie and Cygent Flyaway Kit platforms, while expanding its market reach.

To discuss increasing demand for AI-integrated products, provide an update on your business, or learn about Capstone's wide range of advisory services and Cybersecurity M&A knowledge, please contact us.

Joe Collins, Analyst, was the lead Market Intelligence contributor to this article.

Endnotes

1. Securities and Exchange Commission, “Form S-1 Rubrik Inc.,” https://www.sec.gov/Archives/edgar/data/1943896/000119312524083525/d359771ds1.htm, accessed May 30, 2024.

2. Astra, “100+ Ransomware Attack Statistics 2024: Trends & Cost,” https://www.getastra.com/blog/security-audit/ransomware-attack-statistics/, accessed May 30, 2024.

3. PitchBook, “2023 Annual Global Private Market Fundraising Report,” https://files.pitchbook.com/website/files/pdf/2023_Annual_Global_Private_Market_Fundraising_Report.pdf, accessed May 30, 2024.

4. KPMG, “IPO Insights Q1 2024,” https://kpmg.com/us/en/articles/2024/ipo-insights-q1-2024.html, accessed May 30, 2024.

5. TechCrunch, “Wiz raises $1B at a $12B valuation to expand its cloud security platform through acquisitions,” https://techcrunch.com/2024/05/07/wiz-raises-1b-at-12b-valuation-expanding-through-acquisitions/, accessed May 30, 2024.

6. Cyverse Capital, “Apex Security Emerges From Stealth With $7M to Secure AI Adoption,” https://cyversecapital.com/f/apex-security-emerges-from-stealth-with-7m-to-secure-ai-adoption, accessed May 30, 2024.

7. KnowBe4, “KnowBe4 to Acquire Egress,” https://www.knowbe4.com/press/knowbe4-to-acquire-egress, accessed May 30, 2024.