Palo Alto isn’t going to buy everyone: the anatomy of cybersecurity startup exits
Many discussions about exits in security end with “Palo Alto is just going to buy them”. And yet, the reality of startup exits is much more complex.
Making sense of the M&A landscape is hard, and the main reason for that is the absence of reliable data about companies that get acquired, and those that end up going out of business. Most capital raises are accompanied by press releases and loud announcements where founders boast which VCs led the round, which notable investors, angels, or syndicates joined, and frequently, what the company valuation was. The same isn’t true for exits: many startups get acquired for an “undisclosed amount”, and those that go out of business, usually fade away quietly, without any announcements.
Since the data is usually hard to come by, a large percentage of this piece will be based on observations rather than only hard numbers. However, despite the information vacuum, the discussion about cybersecurity startup exits is long overdue.
This article is co-authored with my friend Mike Privette of Return on Security. Mike’s work helps people save hours of research with a weekly review of the cybersecurity market and the economics behind it in 5 minutes. I highly recommend you subscribe to Return on Security.
Let’s get the obvious out of the way
99.9% of cybersecurity startups won’t go public
Another harsh truth is that most cybersecurity startups will never become public through an initial public offering (IPO).
As Venture in Security has previously discussed, “Although most people think that going public means that individuals like you and us will be able to buy company shares on the stock exchange, the reality is that it’s the institutional investors - investment banks, endowment funds, pension funds, and the like who buy shares during the IPO. For them to commit capital, they need certainty: when, say, an endowment fund wants to make a high-risk bet, it invests in a VC; buying a part of the public company needs to come with a much higher degree of certainty and reasonable projections for growth. For a company to go public, it typically needs to have over $100-150 million in annual revenue with great year-over-year growth numbers.
Blossom Street Ventures looked at how fast are companies required to grow in order to IPO, and found that “on median, these companies grew revenue 43% from the prior year, while the average was 51%”. For example, CrowdStrike at the time of the IPO grew 110% year over year, Zscaler did 57% year over year, and Snowflake - 174%. According to the same report, the median overall revenue was $168 million while the average was $286 million (that average is skewed by names like McAfee, which had $2.6 billion of revenue).”
Times have also changed dramatically since heavyweights like CrowdStrike and Palo Alto went public, with distinct eras marking changes in technology and investing approaches.
You can see all the public cybersecurity companies, which era they fit into, and more here.
What allowed a company to go for an IPO in the “High-Burn / High-Growth” period of 2012 to 2020 will no longer work in the “Expense Management” era we live in today. $250-$500 million ARR is the new $100-$150 million ARR to go public. This shift was a direct result of the global interest rate hike and market corrections in late 2022, which is detailed in the Return on Security 2022 Annual Report.
It would not be an exaggeration to say that the vast majority of cybersecurity companies do not have a path to get to these metrics, and therefore they need to look for other ways to get an exit.
Palo Alto isn’t going to buy everyone who doesn’t IPO
We often see startup founders and industry observers speculating that Palo Alto would buy any company. If history is at least somehow a predictor of future events, it’s apparent to us that most people who share such wishful thinking are mistaken. A quick look shows that historically, Palo Alto Networks only acquired startups based in the Bay Area, or those with Israeli founders (with HQs in Tel Aviv or New York). One exception in the company’s decade-long history of acquisitions was its purchase of the Crypsis Group, a service company based in Virginia. Palo Alto is very strategic about the ability to integrate the startups it buys in a technical/product sense, but also in a location/culture sense.
Palo Alto has also been pretty specific and transparent about their criteria for acquisitions. Here's how Nikesh Arora described their plans for M&A on one of the company’s earnings calls: "We have successfully acquired companies that are early leaders in adjacent and emerging cybersecurity markets. Many times, these are markets in which we've had an early organic effort, but we see external innovation that can significantly accelerate our time to market. We target companies that have achieved product market fit with teams that can accelerate their innovation inside Palo Alto Networks. Revenue is not a focus for us, but we do ensure that we have a solid plan to accelerate the trajectory of our business."
In short, the company generally buys emerging leaders at an early stage in categories where they need to get to market faster than they can from building on their own. Naturally, since Palo Alto offices are in Israel and California, it makes sense that they would try to expand within their existing home bases as much as possible. There is little to suggest that that's going to change soon. Hopeful companies outside of California or those with no strong ties to Israel might need to dream about other acquirers.
With these two assumptions out of the way, let’s discuss the interesting aspects of the cybersecurity startup exit.
Most startup acquisitions aren’t as great as many think
Many people think that an acquisition automatically means that the startup has succeeded in solving the problem and accumulating happy customers, that buyers recognize the value of the product, and that founders, employees, and investors will get paid. That could not be further away from the truth.
In the startup world, we have learned to position failures as successes. We don’t think it’s necessarily wrong: after all, when people put in a lot of work for many years, they want to celebrate the outcomes, even if these outcomes fall short of their own, customers’, and investors’ expectations. The trouble is that to outsiders, successes and failures often look the same.
The harsh reality is that most acquisitions that are being celebrated and positioned on social media as success aren’t that. Many of these transactions are fire sales and acqui-hiring where neither founders nor investors and most certainly not the employees will see any money.
When it comes to the numbers, the positive story of a merger or acquisition can often be different from what the press release might say.
The Role of Undisclosed Transactions
There are many nuances about what makes an M&A successful, but there is one easy shortcut to spot those that aren’t: look for acquisitions for an “undisclosed amount.”
Based on data from Return on Security, there were 648 transactions in cybersecurity exits between 2022 and the end of Q2 2024. Undisclosed transactions are the norm.
More than 85% of transactions were private during this timeframe, limiting the industry’s ability to analyze the quality of outcomes. This is by design most of the time because economics are not always positive, and many factors determine what a founder or investor gets out of a transaction. Until disclosure norms improve, we are left guessing based on a small, possibly unrepresentative, share of deals.
Undisclosed deals can mean one of several things:
The exit price is low, so the company founders and investors insist on not disclosing the amount. This usually enables them to maintain the perception of success. In this case, the buyer doesn’t necessarily care whether or not the deal amount is public, so the secrecy is driven by the founder and investor side.
It’s a fire sale, so everyone involved, including the acquirer, will want to maintain secrecy and not disclose how much they paid for the failed company’s assets.
Expectations vs. Reality
What funding a company raises is one set of expectations that either do or do not come true. M&A transactions are a clearinghouse function that acts as an intermediary in the market. Acquisition prices are based in part on performance, in part on the future potential of an available market, and in part on a company's intrinsic momentum and goodwill.
While most of the data does not have either acquisition or funding data publicly available, we can use a bit of math to help us better understand the available data.
To do this, we’ll introduce a view that helps us understand the value of an exit.
Exit Value Percentage (EVP) Formula
This formula calculates a percentage-based difference between the amount of funding a company has raised and the amount of money they are later acquired for. While not an exact science, this can give you a quick understanding of the return on investment (ROI) at the company level. This formula can help you quickly assess whether or not a company's expectations or the promise of future success was met.
If this is a positive number, you can quickly assess that, in general, expectations were met. If this is a negative number, you can see that a company and its investors (and likely its customers) did not have a great outcome.
Looking at a few high-profile M&A transactions, we can see the formula in action:
If this analysis tells us anything, it’s that Private Equity firms are the real winners in the cyber M&A landscape, not founders.
Companies with good exits often have less traction than many realize
Bessemer’s “Cybersecurity trends in 2024” states: “Reflecting on the past year's acquisitions valued over $100 million, we observe two main trends: (1) most acquired companies had between 10 and 50 customers and were primarily targeted for their teams and products, and (2) the acquisition price for “product-only” companies has increased with a median of ~$200 million to $300 million over the past year.”
That’s right - many of the companies acquired at $100 million or more have 10-20 customers. What’s also interesting is their revenue. Obviously, there is no publicly available data but there are rumors - so investors and competitors usually have a decent idea of the revenue for the companies being acquired. Many of the companies exiting for over $100 million or more have $1-5 million in annual recurring revenue (ARR), and some even under a million.
Getting acquired for $100-300 million in cybersecurity is a great achievement. It usually means that entrepreneurs are great at understanding customer pain points, building products that solve them, and selling to early adopters. Sometimes these kinds of transactions involve luck, and more often than not, they are not a sign that founders are great at building and scaling large-scale, sustainable businesses. Everything considered, it’s hard to argue that cybersecurity startup acquisitions are signs of great success.
Financial outcomes of acquisitions
Looking again at the publicly available data, we see a normal distribution starting to emerge. More than half of the transactions are in the $100 million to $250 million range, with 23% in the $10M to $100M range, 15% in the $100M to $250M range, and 14% in the $250M to $500M range.
At the higher end of the spectrum, we see a “fat tail” emerge with large outliers. Deals exceeding $500 million made up 30% of disclosed data, with 23% of those deals between $1 billion and greater than $10 billion.
While the available data suggests a concentration in the $10-250M range with a long tail of larger exits, we can't be sure this reflects the full exit landscape. The 85% of undisclosed deals could completely change the true distribution.
It’s worth briefly noting another fact that Bessemer’s report made obvious: with the exception of Tessian, which is based in the UK, all other past year's acquisitions valued over $100 million are from Israel. Interestingly, the acquisition price for Tessian wasn't disclosed, so even Bessemer ended up just putting “??” in place of one.
Source: Bessemer’s “Cybersecurity trends in 2024”
An acquisition doesn’t mean a payday for anyone involved
Another common misconception is the idea that an acquisition means a payday for investors, founders, and employees. That could not be further away from the truth as every situation is unique, and therefore so are the financial outcomes for everyone involved. For example,
If the company is being acqui-hired (think fire sale to recover some money), investors may receive pennies on the dollar, and founders and employees would get nothing.
If the company is not financially successful and is being acquired at a price lower than the last valuation round, VCs may exercise their liquidation preferences (assuming they’d have secured them during fundraising) so that they can recover their original investment, or a few times that. Founders will get paid second, and there may not be much money left for the stock owned by employees.
If the company is acquired for cash, then things are simpler. Most acquisitions for an undisclosed amount aren’t that. Instead, founders and employees trade their stock for the stock in the acquiring company. If the acquiring company is also private, there is no way to know what the final financial outcome will look like.
Many of the acquisitions do not result in immediate payday, and most are unlikely to make a meaningful impact on people’s personal wealth. There are so many factors that impact the outcome that it’s never possible to tell from the outside who made and who lost the money in any specific M&A transaction. Liquidation preferences, the amount of capital the startup raised, the type of acquisition, whether it’s cash, stock, or a mix of the two, and the types of shares different groups of stockholders own are just some of the things that have to be factored in, but there are many more.
Services businesses lead the way
More than 50% of the time, when it comes to M&A in the cybersecurity industry, it’s one service-based business buying another. Most commonly, we see Managed Security Services Provider (MSSP) or Professional Services businesses buying one another.
Venture capital is often wary of services-based companies, as they do not have the same revenue makeup or consistency that product-based companies can have. These types of businesses are notorious for not being “venture-scale.”
Yet, services make up the majority of sales in the industry. According to a report from Accenture and Gartner, Accenture had the highest revenue for Security Professional Services at $3.76 billion and for Managed Security Services at $2.23 billion in 2023.
Even the acquisitions that are financially successful often end up killing the product
As Harvard Business Review points out, “According to most studies, between 70 and 90 percent of acquisitions fail. Most explanations for this depressing number emphasize problems with integrating the two parties involved”.
Cybersecurity acquisitions are not an exception to this rule. Inadequate integration between the buyer’s platform and the acquired product, clashes between cultures, values, and norms, and other issues can cause the M&A deal to fail to deliver shareholder value. Plenty of great cybersecurity products ended up getting killed following the acquisition. Different founders react to this differently: for some, it’s totally fine as by then they would have cashed out and likely be long gone from the company that bought their startup, while others feel resentment and sadness that the product they spent many years building got axed.
Closing thoughts
Startups are hard. We have met plenty of intelligent, hard-working, and visionary founders who were doing all the right things and still failed. Others seemed to have all the cards stacked against them, yet they succeeded because of luck, chance, a reversal of some market trend, or something else.
Aspiring and early-stage entrepreneurs and market insiders need to stay realistic about the M&As everyone is celebrating. Not everything with a press release is a success, and not every high-dollar transaction results in great outcomes for the customers, founders, investors, employees, and the industry as a whole.
From personal experience, I have not seen a case in cybersecurity when an acquisition of a startup made the product better for customers. IMHO the reason is simply different incentives: for a startup to succeed, it needs to differentiate, needs to be better (at least in certain areas) than the competition, it needs to listen to customers; when it is bought, it is often that a buyer simply needs a “check box” that their (most likely much bigger) product has capabilities similar to the startup product. It is OK if these capabilities are average and mediocre if it is not a main feature set of the product. That results in the slow death of the original startup product and at best an average feature in the buyer's product.