Corporate venture capital and cybersecurity: why Okta, CrowdStrike, CyberArk and others invest in cybersecurity startups
A deep dive into the past & present of the corporate venture capital (CVC) world
A brief take on the history of corporate venture capital
In 2003, Harvard Business School published a case study about Intel Capital, developed by David B. Yoffie, Barbara J. Mack, Adriana Boden, and Lee Rand. In that case, revised in 2007, the authors provide an in-depth analysis of Intel Capital and its recipes for success. It highlights that early on in the company’s history, Intel executives realized that to succeed in the microprocessor (and later, PC) markets, they needed to invest in building an ecosystem of interconnected products and services, not simply push home-bred technological innovation forward. The corporate venture arm of Intel (precursor of Intel Capital) was launched in 1991 after it became apparent that the practice where separate business units would manage their own investments needed more centralized control. In the mid-90s, Intel started looking at the ecosystem as a whole and making investments in companies complementary to their own offerings.
From the 1980s to the early 2000s, we see what can be described as a traditional corporate venture capital period. This era is characterized by the crystallization of corporate venture investing, and the establishment of the four core motivations for investing described in the case study from Harvard Business Review - ecosystem development, market development, gap-filling technologies, and “eyes and ears” opportunities. By the late 2000s, corporate VCs were following a well-tested playbook.
On July 10, 2008, Apple officially launched its App Store; the first software development kit was released earlier, in February of the same year. At Apple's iPhone Roadmap event on March 6, 2008, Kleiner Perkins announced iFund following the thought process that as new forms of software distribution are emerging (distributing apps to consumers), it is wise to get behind the new trend and fund the ecosystem powering it.
Kleiner Perkins iFund was the first step in the long series of events that established API connectivity and ecosystems as one of the main value drivers for corporate venture arms.
The company that solidified ecosystem thinking and operationalized it in corporate investing is Salesforce. Marc Benioff understood the value of building an API-powered ecosystem which became the primary focus of the Salesforce Ventures launched in 2009. The Salesforce venture arm started by investing in system integrators - service (not product) companies that were helping enterprises implement the Salesforce suite of products. This focus on enabling the adoption of its core products has proven to be a very smart move. Then, it expanded to support the Salesforce marketplace, enabling third parties to integrate their products into the CRM and extend the power of Salesforce’s in-house offerings. Striving to capitalize on API connectivity, Salesforce Ventures was very active in the early and mid-2010s.
In parallel with the Salesforce Ventures’ activity, the venture landscape started to evolve: Y Combinator, launched in 2005, gained traction with its notion of founder-friendly capital, check sizes were dropping, and seed-stage funds started to emerge. Corporate venture funds started to realize that they can invest before Series B, going a bit earlier, putting in less capital, and asking for fewer restrictions. The notion of becoming more founder-friendly has led to corporate venture capital firms (CVCs) rethinking how the rounds are structured, whether restrictions such as rights of first refusal are truly necessary, and if having the board seat should be a requirement for them to invest. In many ways, it can be said that the early and mid-2010s were a renaissance in CVC’s approach to investing. Salesforce Ventures has played an instrumental role in this evolution.
The next move that solidified the importance of the ecosystem for corporate venture funds came with the establishment of Slack Fund in 2016 (notably over three years before Slack went public in 2019). Slack was explicit in saying “we are a platform” and had its original intent around investing in Slack bots. The idea was as follows: to establish Slack as a platform, the company needed to encourage others not simply to integrate their products with Slack, but build on top of Slack. Slack Fund took a unique path, writing small checks (as low as $250,000-$300,000), investing in startups building on top of Slack, and doing it quickly and flexibly, via tools like SAFE, and with founder interests in mind. This strategy enabled Slack Fund to build a large portfolio in a short amount of time.
Motivations leading companies to establish a venture arm
For cybersecurity companies to continue growing, they need to ensure the existence of strong ecosystems: standards, organizations, businesses, and technologies that support or amplify the value of their offerings. This includes investments in companies that solidify a specific approach to security and put a stand-alone product into the center of an ecosystem. For example, Falcon Fund’s investment in Tines, a no-code automation platform, is likely driven by its desire to make it easier for security teams to embed CrowdStrike deep into their operations, thereby greatly increasing the switching costs.
The concept of the ecosystem has expanded to include marketplaces. Ecosystems powered by API connectivity are arguably one of the most important motivators driving corporate venture capital (CVC) investments today, trumping the need to preserve capital and other factors. It is worth noting, however, that not all companies investing in startups have API interconnectivity, and not every product developed by large enterprises can be integrated with other players in the ecosystem.
Market development is the second common motivator that drives CVC's investment decisions. This includes investments in companies with the potential to act as resellers and distributors of the core technology (say, security service providers), as well as those that can influence distribution and shape demand trends in emerging market segments. This second category is more nuanced and requires careful planning and a deep understanding of the market forces. The idea is that, for example, by investing in companies using AI and machine learning, a venture fund can grow the adoption of AI and ML, thus driving the demand for data security.
The gap-filling technologies as an investment driver stem from the fact that companies cannot solve all problems themselves. This is especially the case in cybersecurity where deep domain expertise is often required to tackle smaller yet impactful use cases. Cybersecurity demands the ability to integrate a multitude of tools, and most cybersecurity firms have an "app store" or integration directory. By investing in JumpCloud (directory-as-a-service platform), Automox (IT operations platform for patch and endpoint management), and Hubble (digital asset management platform), to name a few, CrowdStrike made a choice to bring external players instead of building these capabilities themselves.
The least frequent motivator for CVC investments is the so-called eyes and ears on new technologies - investments in potentially industry-reshaping opportunities that may offer a significant upside but are risky and far outside of the CVC’s zone of comfort. An example, in my opinion, would be Xerox Ventures’ investment in LimaCharlie (disclosure: I lead product at LimaCharlie).
Types of CVCs investing in cybersecurity
There are many ways to categorize corporate venture funds that invest in cybersecurity. When I think about corporate venture capital and cybersecurity, I see broadly three types of CVCs investing in the space:
CVCs run by cybersecurity firms
CVCs run by firms handling a lot of data and/or recognizing the need to build cybersecurity deep into their ecosystem
CVCs run by companies for whom cybersecurity isn’t a big area of focus
Note that at the core, motivators driving investments in cybersecurity are no different than those of SaaS in general. Whether we are talking about HubSpot Ventures, Atlassian Ventures, Okta Ventures, or CrowdStrike Falcon Fund - they all share the same mentality of platform and ecosystem play. The categorization provided here is intended to describe in a more detailed way the different types of CVCs investing in cybersecurity startups.
Venture funds run by cybersecurity firms
The biggest motivator for investment for the companies in this category is the need to grow their ecosystem of security products and solutions complementing the core product offerings.
Starting in 2019, we have seen a rise in corporate venture funds run by cybersecurity companies. In April 2019, Okta launched Okta Ventures - a $50 million fund. In August 2019, CrowdStrike announced the launch of Falcon Fund, a $20 million early-stage fund in partnership with Accel. Then, after the pandemic hit and companies were adjusting to a new normal, the CVC launch spree was paused until 2022. In May 2022, CyberArk announced the launch of CyberArk Ventures – a $30 million global fund designed to support cybersecurity innovation. As recently as September 2022, SentinelOne launched S Ventures - a $100M fund to invest in enterprise cybersecurity startups. It’s worth noting that in 2017, Palo Alto Networks also announced a $20 million security venture fund, but there is no publicly available information about the fund or any of the investments they were able to make since inception. Chad Kinzelberg, senior vice president of Business and Corporate Development at Palo Alto Networks at the time of the announcement, appears to have left the company in 2018.
Companies in this category commonly have a marketplace of solutions that offer a broad range of security capabilities. It’s interesting to observe the intersection between portfolio companies of the CVCs and integrations listed on their marketplaces:
CrowdStrike Falcon Fund lists 14 portfolio companies; 5 of them are already integrated into CrowdStrike Marketplace: Tines, ThreatWarrior, Talon, Sixgill, and DoControl.
Three out of four companies listed in the portfolio of the newly established S Ventures are already listed as SentinelOne marketplace partners with joint solution briefs: Torq, Armorblox, and Noetic Cyber.
One of the three CyberArk portfolio companies - Zero Networks - is already on the CyberArk marketplace.
Okta Ventures lists a large portfolio of 24 companies as of the time of writing; of those, 12 are available on the Okta integrations marketplace: Cerby, Crosschq, Adaptive Shield, Drata, Immuta, TripleBlind, Kandji, Openpath, VNDLY, Productiv, and DataGrail.
While becoming a part of the established company’s marketplace can be an important enabler for tapping into an established customer base, it is far from being the only (or even main) value proposition of the CVC (I will be discussing it later).
CVCs run by firms handling a lot of data and/or recognizing the need to build cybersecurity deep into their ecosystem
CVCs run by firms handling a lot of data and/or recognizing the need to build cybersecurity deep into their ecosystem also invest in cybersecurity companies, although cybersecurity is just a part of their portfolio (10-50%). Their main focus is generally broader than security.
Two broad kinds of companies I would categorize in this bucket are:
Large enterprises with a broad focus and a strong foothold in security such as Microsoft and their M12 Ventures
Companies handling a lot of data and recognizing that securing data is critical for their operations such as Snowflake, Databricks, and Splunk
I have previously looked at portfolios of the 29 corporate venture funds and their cybersecurity-focused investments. Since Snowflake, Databricks, and Splunk are not covered in the above, here is a brief look at these:
Databricks Ventures has invested in Hunters SOC Platform among its 8 portfolio companies. Databricks CVC invests in the future of data, analytics, and AI.
Snowflake Ventures “are meant to foster Data Cloud innovation through investing in companies that demonstrate a commitment to mobilizing data”. The venture arm of Snowflake invested in Hunters, Lacework, Material Security, Panther, and Securonix among the 27 companies in its portfolio.
Splunk Ventures has 11 companies in its current portfolio; 5 are focused on security - BigID, Acalvio, Ermetic, JupiterOne, and Orca Security. This is a substantially larger proportion of security companies compared to other CVCs in this category, largely associated with Splunk trying to be a leading player in the cybersecurity space.
CVCs run by companies for whom cybersecurity isn’t a big area of focus
In this last category, I would put all other corporate venture funds that are not run by security companies, and that do not see security as core to what the CVC’s parent company does. Instead, they either recognize that cybersecurity is something they should be looking at, or want to diversify their broader focus. There are many examples of firms that fit this bill. A long tail of CVCs focused on a broad range of areas (fintech, telecom, etc.) have at least one cybersecurity company in their portfolio.
The new model of corporate venture capital
There was a time when corporate venture capital firms needed an impressive office on Sand Hill Road, a large team with a CFO and legal counsel, and an executive admin. Today’s CVCs are lean: often 1-2 partners who make investments and build bridges with the corporate side, an associate, and an ability to leverage roughly 3-10% of the time of people already handling finance, legal, technical strategy and other critical functions of the CVC’s parent firm. The fund sizes are smaller, and most of the funds are evergreen (able to receive capital as needed, and not limited to the fund size initially announced). It can be said that doing corporate venture has been demystified with simple, straightforward models that can be adopted by enterprises with little to no modifications.
Every CVC has its operating practices: some write large checks (such as Snowflake) and take board seats (such as M12); most corporate venture funds want the startup to have at least one or two enterprise customers to see a path where they can work together. The terms have become very founder-friendly (it’s extremely rare to see anyone requesting a right of first refusal, as an example). SaaS corporate investors are hyper-networked: it’s a small space, so people working in one CVC would commonly help their colleagues from other firms with advice, sharing experiences, and making new ideas happen.
It is interesting to see when in their lifecycle companies establish venture arms. Splunk went public in 2012 and launched Splunk Ventures 7 years later, in 2019. CyberArk went public in 2014 and started CyberArk Ventures 8 years later. Okta went public in 2017 and launched the CVC in 2019. CrowdStrike went public in June 2019 and only two months later announced the establishment of the CVC. SentinelOne went public in June 2021 and established a CVC just over a year later. Databricks, on the other hand, launched its CVC - Databricks Ventures - in 2021, ahead of the planned IPO which has been delayed. The sample size isn’t large enough to make judgments with a high degree of certainty, but it is easy to observe that while it used to take companies close to a decade after going public to launch a corporate venture arm, in recent years that time has shortened to a year or two. In some cases, the establishment of a CVC happens even before the company is public. While one of the reasons this is happening is the need to strategically allocate capital, the primary driver is the need to grow the ecosystem of products and solutions that integrate and complement the main product offering.
Working with CVCs: startup founder guide
As capital has become a commodity, it is how corporate ventures differentiate that matters. Arguably, differentiation comes from the value they can add post-investment, which leads us to the next topic: working with CVCs.
The strongest value propositions of CVCs are an established customer base and distribution channels with the ability for two-way referrals, global brand recognition, and technical know-how. Some of the value-adds that can be offered by corporate venture funds include:
Enhanced exposure within the marketplace and the ecosystem of companies and technologies that are deeply embedded into the enterprise's core product offering. Being featured on the integrations marketplace of a large vendor such as CrowdStrike, Okta, or SentinelOne, can be a powerful boost for the startup generating brand awareness and demand for their product. It is, however, worth noting that this alone will most likely not make or break the business - while useful, it will by no means replace the startup’s need to look for independent ways to grow.
A potential to broaden the reach and increase adoption by building co-marketing partnerships with the enterprise. Startups that receive investment from a CVC can often get the CVC’s parent company to become a paying customer. While the deployment size may not be large, the marketing materials (customer logos, case studies, and video testimonials) can be invaluable. This is especially true in cybersecurity, which heavily relies on trust and an ability to secure validation from well-known brands.
Access to insights, guidance, and knowledge base from the network of mentors from the enterprise around sales and go-to-market strategy, positioning, product, engineering, and finance, to name a few. Some CVCs provide startups with access to resources such as recruiting, marketing, and technology advice, while others organize webinars, workshops, and AMA sessions for portfolio companies that cover anything from finance and operations to roadmap planning.
Industry connections. Aside from potentially helping with the go-to-market and customer introductions, corporate venture funds can connect startups to industry analysts, security leaders from their networks, media, and potential technical or channel partners. It is important to ask for examples of what the CVC has done for their portfolio companies before, not what could be possible. While many things may be possible in theory, in practice not every corporate venture arm has developed systems and built relationships to navigate the complex decision-making structure of the enterprise and make things happen.
Exclusive insight into the product roadmap of CVC’s parent company. This is not a default value proposition and it is not something all CVCs can offer, but it can be incredibly useful if the startup heavily relies on the enterprise product.
Founders must understand what the corporate venture is actually capable of doing, not what they would like to do. The CVC needs to have the right relationships with the right people in the enterprise to move things forward. Signing a two-way referral agreement will not do much unless there is someone capable of putting a system in place and designing the right incentive structure so that account executives in the CVC’s enterprise know about the startup, have all the necessary sales enablement materials, and most importantly - can get compensated for selling the partner’s product. There needs to also be a way and a willingness to measure success (such as tracking how many times the product is mentioned in the sales calls and what amount of revenue comes from the referral). Even a simple task of creating a marketing testimonial should have an owner - there is someone who will be on the video, someone who will finance its production, someone in charge of filming and editing, as well as getting the sign-off from the PR team in the enterprise.
In a large company, things do not simply “happen” by having the CVC pass the deal to the partnerships team, hence not every corporate venture that promises stuff can deliver on it. It’s the founder’s job to ask the right questions and do their own due diligence to check what the CVC has done in the past to make the right decision.
Most founders tend to be somewhat short-sighted when getting investments from corporate VCs, thinking “we got their logo as a customer and a marketing testimonial, so that’s great”. This mindset prevents them from getting the value that CVCs could offer in other areas - around technological expertise, industry insights, and a strong network of partners, to name a few.
Every corporate venture fund has its area of focus, as well as nuances around the way it operates. The best ways to understand these intricacies are to read the press coverage, analyze its portfolio companies, and talk to the founders of these companies. Some CVCs, such as Intel Capital, lead rounds; others, such as Samsung Ventures, do co-investments into later-stage companies with a clear product-market fit, while Samsung NEXT, also a fund run by Samsung, does fast-paced, high-risk early-stage (pre-seed to Series A) investments. Not all corporate venture funds take seats on the boards (this varies with their approach), but many do become board observers.
It is important that founders interested in getting funding from a CVC look for someone they can approach, someone willing to get their hands dirty and help where possible, and not someone who puts a bunch of restrictions and has a bunch of unreasonable requirements. Founders who pay attention to how the conversation with the corporate VC flows at the beginning of the relationship, what questions they ask, and what requirements they present, can often make good assumptions about what the experience could look like post-closing.
Some founders assume that getting funded by the CVC sets the stage for the potential acquisition. While it could happen, there are so many variables that impact the M&A decision-making that it would be very unreasonable to think that a CVC would invest in a startup to accelerate a potential future acquisition. More importantly, the market will look different a few years after funding, and the startup’s competitors may be in a better position to get acquired. Another company may become a market leader, or the opposite - a competitor might be faltering so it makes sense to buy it at a low price point.
With the rise of new forms of financing in recent years, founders of cybersecurity companies have many options when it comes to raising capital. Corporate venture capital is one of the funding sources to consider, as it often comes with additional value and resources only available to large enterprises.
Corporate venture capital, similarly to traditional VC, is now seen as an undifferentiated product. As more and more sources of capital are emerging, CVCs will need to start placing even more emphasis on portfolio support and look for ways to define their value proposition by leveraging even more enterprise resources. No corporate venture fund will make or break the success of the company - the startup will be successful if it has the right team, the ability to execute, the right product, and an ability to learn fast. However, the investors should have a meaningful impact on the company's future.
Thank you to several people from corporate venture funds who have shared their experiences as I was working on this piece, including Clarence Hinton, Chief Strategy Officer of CyberArk. Opinions and conclusions are my own.
Really interesting analysis, Ross. Thanks. One potential addition could be CrowdStrike setting up its second Falcon Fund in the past year at $100m. And the hybrid VC types such as AllegisCyber with Datatribe. Could it be possible to republish on Global Corporate Venturing as an op-ed by you?