Raising capital and understanding paths to an exit: thoughts and mental models for cybersecurity startup founders
Looking at ways cybersecurity companies can exit, why most startups in the industry won't go public, and what founders need to know to achieve good outcomes for their investors and employees
Most security startups are founded by technical cybersecurity practitioners who spent their careers helping people and organizations protect their data. Many of them have experience building products, solving customer problems, and tackling complex technical challenges. I always emphasize that building a company isn’t the same as building a product, and nothing highlights this difference as well as having to think about funding, attracting investors, and giving away a part of the company in exchange for growth capital. In this piece, I discuss some of the important problems surrounding these topics. What constitutes an appropriate strategy is always subjective and highly contextual; what is important regardless of the circumstances is the ability to make sense of the complexity and choose the right approach.
Understanding the basics of fundraising
Several notes on fundraising and the VC model
There are two types of capital available to security companies:
Collaborative capital - capital that comes with people who leave the strategy & execution in the hands of the company, and look to add value by helping the team move forward. VC, individual angels, and angel networks all fall under this category. In turn, investors who provide collaborative capital can be active or passive. Passive investors write a check and leave founders to do their work, while active investors look for ways to contribute.
Controlling capital - capital that comes with people looking to exercise a much higher degree of control. An example of controlling capital is private equity (PE) firms. Most startups don’t get involved with PE until the later stages of their journey.
During their early days, security startups raise capital from individual angels or angel syndicates. At this time, it is hard to determine company valuation so most early investors put their money via a so-called simple agreement for future equity (SAFE note), which means they invest a specific amount and agree that the exact percentage of their ownership will be determined in the future when the company raises its first institutional priced round from VCs. SAFE notes have become a standard and they make the fundraising process simple and easy, allowing founders to quickly raise capital and go back to building their company instead of having to spend time and money on complex negotiations.
During every priced round, founders should expect to give away ~20% of the company ownership in exchange for cash to continue growing the startup. VC firms that issue the term sheet and lead the round typically have specific ownership targets such as 15%. This means that one VC would invest most of the capital required for the funding round, and then open a small part to its partners and to whoever else the founders would like to see back the company, including early angels from previous rounds, etc.
Although some founders assume that VCs want to take as much of their startup equity as possible, that’s not true. Good investors look to provide capital the company needs to grow, knowing that their ownership needs to be balanced against the stake founders & the team keep in the company. If the founders and employees don’t own enough to be highly motivated to make the company a success, the startup may die early and VCs lose all of their money. That is why investors’ interests are much more aligned with the founders’ interests than many realize.
The relationship between valuations, cost of capital, and exit options
Building a company requires thinking past the first order of the consequences. Fundraising, like everything else, is a mini-system: companies hit certain milestones, which drives the perceived value of the business up and enables them to raise capital. As they raise more capital, the milestones they need to hit become harder, and the cycle continues. At the earlier stages, the metrics are flexible - a startup can raise capital based on signups, interest from early adopters, count of GitHub stars, or just excitement of the VC about the team and its potential. As the company progresses through different stages, the milestones become more and more concrete until there is only one left that matters - the growth of the annual recurring revenue (ARR).
Company valuation (what the startup is worth), dilution (the percentage of the business founders are giving away to investors in exchange for growth capital), and target exit amount (return multiples the company will be expected to bring) are all linked together.
On one hand, founders are incentivized to drive the valuation as high as possible so that they can raise more capital and exchange parts of their company for as much money as they can. For example, a company raising $10 million at the $50 million post-money valuation is essentially selling 20% of the startup for $10 million; the same company raising $2 million on a $10 million valuation is also giving away 20% of the business but for only $2 million. The way the math works encourages founders to seek higher valuations so that they can “sell” parts of their company to the highest bidder.
That, however, is just one side of the coin. A company has two ways to exit - to go public (IPO), or to get acquired. For investors to be on board with an acquisition, they need to be able to make a certain level of returns. While the actual target multiples are highly dependent on the individual VC’s portfolio construction strategy, what matters for this discussion is that the more money the company raises, and the higher the valuation, the higher the exit price will have to be for investors to sign the paperwork and let the founders sell the startup.
This is exactly why raising a lot of money at high valuations only makes sense if the market is large and growing, and the founders see an opportunity to build a big platform company and go public. For those that operate in small markets and may instead be looking to get acquired, getting too expensive can make them unattractive to potential buyers. When the company starts raising at high valuations, it needs to have confidence that:
1) it will be able to put the capital to great use and continue growing,
2) it will be able to hit the metrics to get to the next stage, and
3) it can get to the revenue numbers that will enable it to go public.
Deciding how much to raise
There are no easy ways to answer the question of how much to raise and at what valuations - it depends on a multitude of factors such as the market, the type of the product the company is building, the long-term ambition of the founders, how well funded the competitors are, etc.
If there is a big opportunity to build a large platform quickly, then raising a lot of capital at a high valuation can be a good idea. Cloud security is a perfect example: it is an important problem with a tremendous total addressable market, and all the ingredients to build the product such as powerful APIs have been there for several years. If Wiz and Orca didn’t move fast to execute, someone else would. However, a tool for solving a smaller problem for a niche market segment should not take the same fundraising path, unless the founders are seeing a realistic (emphasis on realistic!) way to grow into a platform. Another way to look at it is this: if there is no clear path to a $100 million ARR (or higher), it’s often not a good idea to chase unicorn valuations and think about IPO.
In order to build a sound fundraising strategy, entrepreneurs need to have a deep understanding of the market, their customers and their willingness and ability to pay, the magnitude of the problem they are solving as well as the adjacent problem areas. Importantly, they should also have a good idea of what kind of company they are building. I’ve noticed that too many founders aren’t spending enough time to pause and think about building a company and instead, they focus all their time and attention on shipping features and products. Furthermore, I see entrepreneurs overly focused on what the market allows them to do today without thinking strategically and planning a few steps ahead. It’s important to realize that the next round (or an exit) may be happening in vastly different economic conditions, with different expectations and metrics for success.
The path to an exit depends on the type of company
Most security startups will not go public
Few people realize that what constitutes the most optimal fundraising and exit strategy isn’t simply dependent on the founder’s ambition. It is tempting to think that any company can go public if founders just keep building, but it’s not that simple.
First of all, let me state the obvious: most cybersecurity startups will never become public through an initial public offering (IPO).
Although most people think that going public means that individuals like you and I will be able to buy company shares on the stock exchange, the reality is that it’s the institutional investors - investment banks, endowment funds, pension funds, and the like who buy shares during the IPO. For them to commit capital, they need certainty: when, say, an endowment fund wants to make a high-risk bet, it invests in a VC; buying a part of the public company needs to come with a much higher degree of certainty and reasonable projections for growth. For a company to go public, it typically needs to have over $100 million in annual revenue with great year-over-year growth numbers.
Blossom Street Ventures looked at how fast companies are required to grow in order to IPO, and found that “on median, these companies grew revenue 43% from the prior year, while the average was 51%”. For example, CrowdStrike at the time of the IPO grew 110% year over year, Zscaler did 57% year over year, and Snowflake 174%. According to the same report, the median overall revenue was $168 million while the average was $286 million (that average is skewed by names like McAfee which had $2.6 billion of revenue).
It would not be an exaggeration to say that the vast majority of cybersecurity companies do not have a path to get to these metrics. The only way to do it in our industry is to build a platform - a suite of solutions that customers can use to solve a broad variety of their problems. To build a platform, a security company needs to compel customers to get as much of their data into the product to address a specific use case, and then expand the range of supported use cases by utilizing the “land and expand” strategy. Most security startups aren’t building platforms - at best, they are crafting point solutions to smaller-scale problems (many aren’t even doing that, instead focusing on building features and hoping for an acquisition).
It’s worth noting that it’s very hard for a first-time founder to entirely reimagine a whole market segment. It requires experience, proven ability to execute, and a lot of capital that someone with no past experience as a founder can have trouble raising. It is no surprise that founders of large public companies such as CrowdStrike, Zscaler, and Tenable were not first-time entrepreneurs.
The majority of VC-backed startups would be better off getting acquired before Series B
Since the vast majority of security companies don’t have a path for IPO, the only viable exit option that remains is to get acquired. Most founders know this quite well; what is missing is the understanding of nuances.
Following many observations and discussions about this topic, I think that the vast majority of security startups (over 90%) would be better off exiting before Series B. Here is why that is the case.
Common factors that impact the probability of successful exits
A good exit for a Series A startup can be anywhere between $150 and $400 million (the number depends on the previous valuation and the amount of capital raised). To get to, say, a $300 million acquisition, founders would need $5-20 million in revenue with a forward-looking path to $10-50 million. Most founders at Series B still own ~60% of the company so they would get a great payout, and so would their investors.
Many entrepreneurs think that the higher they can get their revenue, the higher the exit will be. Although logically it would make sense, both investors and acquirers think in terms of milestones, or cohorts: companies under $1 million; those between $1 and $5 million; those between $5 and $10 million; $10 and $25 million, and so on. Once a startup gets to $50-70 million ARR, buyers will be willing to pay more, but most companies get stuck in the dead zone between $5-30 million ARR as niche solutions for some customers but with no ability to get to the next stage of growth.
Although $500-600 million seems to be close to $300-400 million, exiting at a $500-600 million valuation is not twice as hard, but exponentially (think 10x) harder. This is the case for several reasons. First of all, at that stage, acquirers want to see a clear path to $100 million ARR, a figure that requires much more than product-market fit: it demands a strong, well-oiled enterprise sales strategy and a pull from the market - something that most startups fail to establish. Second, when companies are looking to execute an acquisition valued in the range of roughly $150-400 million, the decision can typically be made by the general manager. They can issue a simple press release, often without discussing the value of the transaction, and the deal is done. For the company to buy something bigger, the purchase needs to become a part of the company strategy, which implies that:
The number of people involved in making the decision is much higher.
The metrics are being scrutinized much more thoroughly.
The acquisition needs to be a part of the larger statement about new market expansion, entering new segments, etc.
The EBITDA needs to make sense so that it doesn’t negatively impact the buyer’s balance sheet.
The last part is particularly interesting. EBITDA is short for earnings before interest, taxes, depreciation, and amortization; this metric is one of the most commonly used measures of a company's financial health and ability to generate cash. Cybersecurity startups are research and development-heavy companies, and as such they require a lot of capital to grow. On the other hand, the vast majority of them don’t have a path to profitability, and the more capital they raise, the more people they hire, the further away from profitability they get. Before Series A, a typical company would not have raised too much capital, but once it gets to Series B or Series C, the picture changes. At that point, the valuation is too high, and the cap table is too big. Since most acquirers are public companies, their finances are being audited and reviewed by large numbers of market participants. Finance departments in these companies, when reviewing a potential acquisition, would often block startups that raised a lot of capital because of their EBITDA metrics. When a public company is buying a startup valued at $1 billion or more, the EBITDA becomes especially critical because it can greatly impact the corporation’s stock price. Moreover, large acquisitions attract attention and scrutiny from regulators - a factor worth keeping in mind when thinking about M&A in the industry.
The role of valuation & diversified revenue sources
Acquirers want to see the startup solve one problem really well and have a good product-market fit. The challenge is that many companies are starting to spread themselves too thin too early, entering new market segments and adding new features to justify the increasing valuation. When this happens before a company reaches $5-10 million ARR, it typically means that it failed to achieve product-market fit in one area.
As the company expands into new areas, it starts to position itself as a platform so the valuation often goes up. Many startups that end up in this situation become unacquirable:
It is no longer a point solution that is easy to understand, buy, and integrate
It is not (yet) a successful platform so the competitors don’t see it as a threat or something to buy
The ability to satisfy VC’s return objectives
The more rounds of financing the startup goes through, and the higher the valuation gets, the more VCs it starts accumulating on its cap table. The more time passes, the more likely it becomes that when the negotiation with the potential acquirer starts, they will ask for a price that the company’s investors cannot reasonably allow for. Here is a simple example: let’s say a startup raised a Series A round at a $200 million valuation, and a Series B at a $1.2 billion valuation without strong metrics and a path to revenue that would justify this valuation. If the founders have tried all they could to grow the company but failed, and they have a potential acquirer ready to offer $700 million, the VCs who previously invested at a much higher valuation may not allow the transaction to happen, encouraging founders to go to the end. However, if the Series B valuation was $500 million, then selling at $700 million would be a more acceptable option.
When the founders are early, they can give their early VCs a decent exit. At the later stages, investors who put their capital into the latest rounds will not want to sell too early, instead arguing that the founders should go on. It’s great if the company does indeed have fantastic potential (even if founders don’t realize it); if it doesn’t, then the fact that the startup isn’t able to satisfy the VC’s return objectives may send it off the cliff.
Other notes for founders about VC fundraising
Here are several other notes for founders looking to plan their fundraising strategy:
Understand the difference between cyber-focused VCs and generalist VCs, and decide which is a better option for what you are trying to do.
Do the due diligence on the potential investors. Reach out to founders from their active portfolio (not just the ones the VC firm introduces you to), as well as the founders of companies who closed their doors - it is equally important to know how the VC adds value, and how it behaves if things go south. Additionally, do some digging to understand if the firm is betting on innovation and takes risks early, or if it simply collects logos.
When structuring your round, think about both capital and value-add and remember that the two may come from different parties. For example, depending on the kind of support you’re looking for, it could be a good idea to get a big check from a big VC, and then take a small amount from an angel syndicate that will add a lot of value.
Before reaching out to VCs, have a look at their portfolio to see if they have already invested in companies that are competitive, or are likely to become competitive to your offerings.
Beware of broad generalizations and build your own understanding of reality. I sometimes hear that “VC is evil”; VCs are evil the same way banks are evil. A person who got a loan to open a factory and is now a millionaire is going to have a different experience than someone who borrowed money to take a trip around the world and is now in debt. VC money is a resource, and certainly not the best fit for everyone.
As a rule, most VCs aren’t looking to get involved in the day-to-day work of the company. If a VC has to become hands-on and participate in decisions about the operations, they have made a bad investment decision by picking founders who cannot execute.
Continued consolidation towards mega-funds leads to mega rounds. In other words, as VC funds get larger and larger, startups can access more and more cash. This is great if there is a need for this much money, and the startup can deploy it smartly, but founders should be thinking about their needs and taking what they can effectively deploy, not as much as they can get.
The big reckoning: the economic downturn, and why we may see a large number of security startups go under
Cybersecurity has long been seen as a “hot” industry. The year 2021, for instance, was a record-breaking year for security startups that raised $29.5 billion in venture capital. When the capital was cheap and readily available (VCs raised huge funds and needed to allocate capital), and when less sophisticated investors were willing to bet on cyber, many companies were getting funded even if they didn’t hit the right growth metrics. That has changed with the current economic downturn. According to Crunchbase, venture funding in cybersecurity as of Q2 2023 dropped 63% compared to the same quarter last year, to just slightly more than $1.6 billion. The dynamics in the industry have surely changed; what hasn’t changed is that:
Strong early-stage teams with compelling ideas and proof of market interest continue to get funded. The bar is certainly higher: while before, it was enough to show the back of a napkin drawing to raise a Seed round, now entrepreneurs are being selected and scrutinized much more seriously.
Later-stage companies capable of showing the right metrics don’t have issues raising capital either.
A large number of cybersecurity startups are indeed going to fail this & next year. Those that add value, solve real problems, and have viable business models will surely survive and thrive. On the other hand, companies that have been hoping for the best, couldn’t find product-market fit, and failed to communicate their value proposition to the buyers will have to go. Since investors are becoming much more critical when evaluating prospective investments, companies that received funding over the past several years but couldn’t hit the milestones to get to the next round will often be out of luck when they end up asking for bridge funding. It will be painful, but it’s the evolution that needs to happen in order to bring the industry back to where it was before the 2020-2021 boom. One of Warren Buffett's most famous quotes is: “Only when the tide goes out do you learn who has been swimming naked.” We are nearing the end of 2023, the tide is receding, and we will soon be seeing who it reveals. Mark Curphey wrote a great post about this problem titled A Security Tools Crash Is Coming; I highly recommend reading it. From the outside, it won’t always be easy to tell where the market is, who succeeds, and who fails: I anticipate there will be many fire sales positioned as “exits” where startups will get acquired for undisclosed valuations.
Public markets are waiting, so companies that were getting ready for an IPO aren’t having a great time. Snyk in particular is an interesting case study: the company’s valuation was slashed in half in secondary deals, and we are yet to see how its destiny will unfold. After their previously sky-high valuation, it's unlikely that the startup’s investors will approve any acquisition at a lower valuation, and it’s equally unlikely that the company can IPO at the numbers it envisioned before. Cybereason is in an even worse spot; it is clear that today is a bad time to go public but a good time to build. A few years from now, the economic conditions will most likely be different, so those that stayed nimble and hustled their way when the markets were bad will be in a strong position to emerge as new industry leaders.
What is almost uncanny is that this isn’t the first time we’re talking about these kinds of trends. Back in 2018, we were in a similar spot: security companies delayed their IPOs, and “start-ups have become corporate “zombies” with little prospect of fetching a good price in an initial public offering (IPO) or becoming acquisition targets” as Reuters wrote at the time.
I anticipate that for the next several years, with the push for revenue, more sustainable spending habits, and cost-effective ways to market, the VC-funded startups will start behaving more like those that don’t have as much capital:
Ensuring a clear value proposition, and finding a customer segment willing to pay
Focusing on getting to revenue quickly
Developing & implementing conservative recruitment strategies
Looking for ways to diversify revenue channels
Reducing marketing spend and ensuring high utilization of sales resources
People’s memory is short, so I strongly suspect that this focus on sustainable growth is not a long-term change but a short-term correction. Once the confidence is high, it won’t take us long to see investors take higher risks and support aggressive growth strategies.
As always, it is worth highlighting that VC funding is an instrument, not a prerequisite to building a successful cybersecurity company. If used well, it can greatly accelerate the speed of execution, make it possible for the company to hire the best talent, and innovate in areas that require solid upfront research & development (R&D) investment - something that wouldn’t often be possible without venture capital. For many great SaaS businesses, the natural ceiling of the market they are targeting may be $5-10-20 million ARR; to become a leader in their respective segment they may not necessarily need support from VCs. Additionally, access to venture capital is a way to temporarily fund the company while it figures out a path to profitability; it is not by any stretch a substitute for profitability.
Closing thoughts
Founders need to understand what kind of company they’re building before they go ahead with fundraising. Many factors go into making this decision:
How big is the problem the founders are solving? Is there a customer base that will pay hundreds of millions in annual recurring revenue (ARR)? If not, the company will probably not go public.
What path are the founders most comfortable with? Are they happy to take a chance and win big or lose big, or would they be happier to build a cash-efficient business and have a single (or a double) digit exit?
Questions are plenty, and so are the potential directions. It’s often presented as if there are two choices: going the “VC route” and either becoming a unicorn or running off the cliff, or fully bootstrapping and never raising a penny from outside investors. That isn’t the case. First, it’s possible to raise early-stage capital from angels and syndicates - those that are more comfortable making non-traditional bets because they are investing their own capital. This can give founders enough resources and time to figure out if their hypotheses are worth pursuing. If they are, they may opt to go the “play big” route (raise a lot at high valuations, grow fast, and try to get big), or they can find investors who would be comfortable with a high-growth, cash-efficient, lean company that has the potential to get acquired in a few years. For that, founders would likely need to:
Solve a real problem for real customers
Get enough large customers to show that there is a potential for growth
Raise a little, be conservative in deploying capital, and keep the valuation low to position themselves as an attractive acquisition target
For others, not raising any capital and following the path of Thinkst Canary and Wazuh, which have not taken any external capital, can be a better option.