Even in a year where few cybersecurity startups had problems raising money, a record number of venture-backed companies also saw exits through acquisition in 2021.
According to Crunchbase numbers, 129 venture-backed companies were acquired by private equity or strategics this year—shattering last year’s record 79 deals. Those deals were consummated even as more than $20 billion was poured into cybersecurity startups by venture and institutional investors.
Some of the highlights included:
- Identity management platform Okta bought Bellevue, Washington-based fellow identity and access management platform Auth0 in a $6.5 billion stock deal in March.
- Private equity firm TPG bought Washington, D.C.-based privileged access management company Thycotic for $1.4 billion in March.
- Bain Capital acquired Seattle-based network detection and response platform ExtraHop for $900,000 in June.
Who’s buying what?
Those three deals possibly best illustrate the cybersecurity sector as a whole in that there is no one feature, tool or platform driving the vast amounts of money and interest the sector is seeing. Those three deals include a diverse set of security features—identity management, privileged access and governance features, and a network security platform.
Search less. Close more.
Grow your revenue with all-in-one prospecting solutions powered by the leader in private-company data.
The other interesting aspect is who is buying. Fifteen strategics or investment firms made multiple buys of venture-backed cybersecurity companies this year. Interested parties ranged from private equity firms like TPG, to consulting firms like Deloitte, to those more closely associated with cybersecurity such as Fortinet and Rapid7.
Two companies, however, did make a trio of deals this year. Microsoft bought Maryland-based IoT security firm ReFirm Labs in June for an undisclosed amount. The tech giant then made two deals the following month, acquiring San Francisco-based digital threat management firm RiskIQ for $500,000, followed by picking up Sunnyvale, California-based CloudKnox Security for an undisclosed amount.
Francisco Partners-owned Forcepoint also acquired three VC-backed cyber firms this year. In May, the Texas-based company bought Los Gatos, California-based Cyberinc, which focuses on internet cyberattacks. Forcepoint then bought U.K.-based network security firm Deep-Secure in June, and Campbell, California-based security service edge provider BitGlass in October. Terms were not announced for any of those deals.
The fact M&A took off this year in cybersecurity probably should not shock anyone. The year was marked with cyberattack after cyberattack, from the Colonial Pipeline attack discovered in May to the more recent concern of a critical flaw found in the Java-based software known as “Log4j,” which companies use to configure their applications.
That does not even mention the fact that many of us are now working from home—or possibly both home and the office—thus creating a wider attack surface that companies must protect and secure as more of them and their workers move to the cloud.
While no one would think dealmaking in cyber is slowing down, it is interesting to note that through mid-December, there were only 19 M&A deals involving venture-backed companies in the fourth quarter. That number is down significantly from 47 deals in the previous quarter.
Is that a harbinger of what 2022 may hold? Or were acquirers exhausted after such a robust third quarter? Time will tell, although with the amount of cash the sector is flush with, it is hard to imagine 2022 not being a new record year for dealmaking.
Cybersecurity is defined by the industries of network security, cloud security, cybersecurity and identity management, as according to Crunchbase data.
Illustration: Dom Guzman
Stay up to date with recent funding rounds, acquisitions, and more with the Crunchbase Daily.