Editor’s note: This is Mergers & Money, a monthly column by Senior Reporter Chris Metinko that covers dealmaking in the enterprise tech space.
Venture capital investors aren’t just putting a record amount of money into cybersecurity startups, they are also cashing in, as evidenced by an explosion of M&A deals in the space.
Subscribe to the Crunchbase Daily
The number of M&A deals for venture-backed cybersecurity companies in the first seven months of 2021 almost equals the total amount for all of last year, per Crunchbase data. This year has already seen 77 deals — while last year saw a record total of 80.
While the dealmaking numbers alone are impressive, a look at the deals themselves seem to show a breadth and depth of interest that indicate the current run cybersecurity is on may not stop any time soon.
On top of the record number of deals, the value has also skyrocketed. While terms of many deals involving VC-backed companies are not announced, the 16 deals in which terms were announced put $11.4 billion back in investors pockets. That amount already surpasses all of what was reported last year — $5.6 billion — and even in 2018, which saw large deals such as Cisco acquiring Duo Security for $2.4 billion and Blackberry buying Cylance just before it was set to go public for $1.4 billion.
- Private equity firm TPG bought Washington, D.C.-based privileged access management company Thycotic for $1.4 billion in March.
- Bain Capital acquired Seattle-based network detection and response platform ExtraHop for $900,000 in June.
- Microsoft bought San Francisco-based digital threat management firm RiskIQ for $500,000. Just 10 days later, the Redmond, Washington-based giant would make another deal in cyber, acquiring Sunnyvale, California-based CloudKnox Security for an undisclosed amount — the company’s third cybersecurity deal this year.
Just as venture capital has flowed to a variety of subsectors of cybersecurity, M&A dealmaking has run the gamut too — from authentication to Kubernetes workload security, and threat intelligence to governance, risk management and compliance.
However, a dive into the numbers does seem to indicate a large appetite for identity management solutions, as well as cloud and network security offerings. Out of the 77 deals to date this year, 47 have involved those areas. That would seem to indicate heightened interest around security platforms that can help keep companies’ employees and networks safe in the new hybrid work environment the COVID-19 pandemic has brought.
Aside from the previously mentioned TPG and Microsoft deals, other large companies making acquisitions in the space of identity or cloud and network security this year include Palo Alto Networks, Ping Identity and Fidelis Cybersecurity.
The other takeaway when looking at the deals is the variety of buyers in the space — which may explain the prices. It is not just strategic buyers in cybersecurity acquiring venture-backed companies, but also private equity firms like TPG, Bain, The Carlyle Group and Audax Private Equity. In addition, buyers outside of cybersecurity also are looking for solutions, like consulting giants Deloitte and PwC, and large tech players not exclusively associated with security such as IBM’s Red Hat and Datadog.
On top of all the selling, venture investors also have used the public market slightly more this year to get liquidity back from earlier investments. Last year saw only two traditional IPOs in the security market, with Virginia-based company TELOS and British Columbia-based company Plurilock going public. This year has already seen Florida-based KnowBe4, U.K.-based Darktrace, and Mountain View, California-based SentinelOne all listing on major exchanges.
Others like Kirkland, Washington-based Tanium, San Francisco-based ForgeRock, Santa Clara, California-based Netskope, Sunnyvale, California-based Illumio and Atlanta-based Pindrop also could eye the public market this year.
With five months still left in the year, not only should cybersecurity shatter venture capital fundings numbers, but M&A deal making should also set new records — and IPOs should see their best year since 2016 in the sector.
Those numbers likely should not come as a surprise, as ransomware attacks have surged this year and made headlines on a weekly basis — such as the Colonial Pipeline attack discovered in May. Just late last month, the Department of Homeland Security issued a directive requiring operators of critical pipelines to upgrade their protection against cyberattacks. It was the second such directive since May.
Add on top of that the changing dynamics of the work world — with more people working from home and companies relying on the cloud to connect everyone — and it seems clear why everyone from venture capitalists to private equity and large strategics are betting big — and even bigger — on cybersecurity plays.
Cybersecurity is defined by the industries of network security, cloud security, cybersecurity and identity management, as according to Crunchbase data.
Illustration: Dom Guzman
Stay up to date with recent funding rounds, acquisitions, and more with the Crunchbase Daily.