Network Detection & Response: Leading Cybersecurity Firms Battle Ransomware Attacks

NDR [Network Detection & Response] technology has become a ‘must have’ capability for enterprise and middle market companies to protect their data and networks and its adoption is propelling growth rates that attract strategic buyers, institutional investors, and IPO underwriters.

Tom McConnellManaging Director, Capstone Partners

The methods of safeguarding information technology (IT) systems have evolved over the past five years in response to the heightened complexity of cybercrime activity. Siloed cybersecurity efforts in prevention and protection are no longer sufficient, substantiated by the 300% increase in cybercrimes since the start of the pandemic, according to IMC Grupo.1 As the sophistication of cyber attacks increases, cybersecurity industry participants have pursued mergers and acquisitions (M&A) to bolster automated threat detection and response capabilities. As a result, 194 M&A transactions have been announced or completed in 2021 to-date, outpacing 2019 and 2020 by 57% and 53%, respectively. Private equity (PE) firms have exhibited robust buyer appetite in the industry, representing 37% of total deals year-to-date (YTD) with add-on and platform acquisitions targeting cybersecurity companies offering network-wide solutions that pinpoint irregularities and accelerate response times.

Exits through public listings have also proliferated this year, supported by a favorable pricing environment for cybersecurity providers. Notably, trading multiples in the HACK ETF reached 4.2x revenue on August 2, recording a new last-twelve-month high. In addition to traditional initial public offerings (IPOs), mergers with special purpose acquisition companies (SPACs) have been utilized by cybersecurity providers seeking to leverage patented technologies against future earnings to maximize valuations upon their market debut. The formation of NightDragon Acquisition Corporation (Nasdaq:NDAC) in March further highlights institutional interest in the space. The SPAC, launched by venture capital firm NightDragon Security, raised $300 million in an IPO to specifically target companies in the Cybersecurity industry.

If the past year has taught us anything, it's that effective security necessitates a holistic approach that encompasses the entire complexity of today’s enterprise systems, inclusive of cloud and hybrid environments. The next wave of transformation will be driven by the evolution of NDR to XDR [eXtended Detection & Response], utilizing AI-powered automation to identify and neutralize anomalous behavior behind the perimeter in real-time.

David BrinkleyManaging Director, Capstone Partners

Ransomware and Phishing Accelerate in Hybrid Work Environment

Enhancing cybersecurity hygiene across industries has become a critical priority as employees shortcut workarounds to company policies amidst remote work environments. As an example, 50% of staff do not report phishing emails, according to Security Magazine’s June Survey.2 Additionally, 67% of IT leaders predict targeted phishing emails to spike with cybercriminals exploiting organizations' gradual transition to the office. Hackers have utilized phishing emails as a means of entry into a company's IT network, planting hidden malware in regular data traffic to establish a command and control (C&C) channel which extracts and encrypts customer data, patents, and other critical systems. The monetary damages incurred to recover encrypted data have increased 57x in 2021 compared to 2015, amounting to $20 billion globally, according to Cybersecurity Ventures.3 The frequency of infiltration has also increased from an attack every two minutes in 2015 to an attack every 11 seconds in 2021, as the use of personal devices in the workplace have compromised organizations' defensibility.

Recent attacks have demonstrated the need for efficient, automated network monitoring as targets continue to suffer millions in damages. In May, leading U.S. petroleum pipeline Colonial Pipeline reportedly endured a ransomware attack as a result of a single leaked password. Though the exact point of vulnerability has not been identified, Colonial Pipeline predicted the source of the hack to be a virtual private network profile which did not require multifactor authentication.4 The Ransomware-as-a-Service (RaaS) DarkSide hacker group behind the attack demanded $5 million in exchange for the files exfiltrated from Colonial's shared internal drive. Although a portion of the ransom payment was recovered by the Department of Justice (DOJ), the attack resulted in gasoline shortages across the East Coast and will cost Colonial tens of millions of dollars to completely restore its IT systems.

Network Detection & Response Attracts Institutional Investment

To match the velocity and aggressiveness of ransomware attacks, organizations have shifted away from manual analysis and proprietary security algorithms with the adoption of network detection and response (NDR) tools, arming IT security teams with a real-time overview of network traffic. Upon implementation, NDR tools utilize sensors to detect malware infiltration and abnormal network behavior, enabling automated alert notifications when threatening anomalies are detected. The global NDR market size is forecast to annualize at 13.7% to reach $4.7 billion by 2027 from $2.1 billion in 2021, according to Precision Reports.5 As the market demand for NDR solutions continued to rise with the number of attacks, high-profile institutional investors have recognized NDR as the next pillar of cybersecurity through elevated levels of later-stage venture capital funding and PE platform acquisitions. Of note, Vectra AI secured $130 million in Series F funding led by The Blackstone Group (NYSE:BX) in April. The capital investment will allow Vectra to expedite innovations in its artificial intelligence (AI)-enabled network intrusion detection platform to address RaaS attacks at the network level. As established NDR providers reach maturity, exits through public listing have produced record post-money valuations. Cambridge-based Darktrace (LSE:DARK), provider of AI-enabled NDR solutions, raised $228.4 million through its April IPO for a post-money valuation of $2.4 billion, the highest in the pure-play NDR segment. Additionally, leading collective defense and NDR provider IronNet Cybersecurity announced its plan to merge with LGL Systems Acquisition Corp. (NYSE:DFNS) in March to be listed on the New York Stock Exchange. The total pro forma enterprise value of the combined company following the merger is expected to be $927 million, equivalent to 17.1x expected revenue in fiscal year 2022, according to IronNet’s investor presentation.6 This indicates a $1.2 billion pro forma equity value, with financing sources including $172.5 million of LGL’s Cash-in-Trust and $125 million from third party PIPE funding. The transaction is expected to close in Q3 2021, and cash proceeds upon closing will be used to accelerate IronNet’s revenue growth, expand its product portfolio, and bolster working capital to fund increasing demand. Cybersecurity companies in the eXtended Detection & Response (XDR) segment, integrating automated endpoint security with network visibility capabilities, have also utilized exits through public listing. Notably, SentinelOne filed an IPO in June for an expected offering amount of $880 million to carve out a niche presence in the XDR and Cloud Security markets.

Bain Capital Private Equity and Crosspoint Capital Partners acquired leading cloud native NDR provider ExtraHop in July for an enterprise value of $900 million. The transaction demonstrates the willingness of leading private equity firms to allocate substantial amounts of capital to build robust cybersecurity portfolios. The acquisition enables ExtraHop to further innovate its machine learning detection and response offerings for unmanaged devices to close the gap between first detection of post-compromise activity and deployment of full-scale response teams. "As the events of the last few weeks make crystal clear, cybersecurity is now a mission-critical requirement in the strategy and operations of every organization on the planet, with enormous implications for financial and reputational well-being. We believe that network detection and response is the next major cybersecurity segment and that ExtraHop has the best enterprise technology in the space,” David Humphrey, Bain Capital Private Equity Managing Director, said in a press release.7


  1. IMC Grupo, "FBI Reports 300% Increase in Reported Cybercrimes,", accessed June 21, 2021.
  2. Security Magazine, "Security Leaders Anticipate Ransomware and Phishing Uptick in a Hybrid Workplace,", accessed June 21, 2021.
  3. Cybersecurity Ventures, "Global Ransomware Damage Costs Predicted to Reach $20 billion by 2021,", accessed June 21, 2021.
  4. CNBC, "Colonial Pipeline Paid $5 Million Ransome One Day After Cyberattack CEO Tells Senate,", accessed June 21, 2021.
  5. Precision Reports, "Global Network Detection and Response (NDR) Market Size, Status and Forecast 2021-2027,", accessed July 26, 2021.
  6. IronNet Cybersecurity, “Q1 2021 Investor Presentation,” accessed July 27, 2021.
  7. ExtraHop, "ExtraHop to be Acquired by Bain Capital Private Equity and Crosspoint Capital Partners,", accessed June 22, 2021.


Related Transactions

Insights for Middle Market Leaders

Receive email updates with our proprietary data, reports, and insights as they’re published for the industries that matter to you most.