Home / Uncategorized / Lessons from cybersecurity exits – TechCrunch

Lessons from cybersecurity exits – TechCrunch

Dear F0und3r:

What a month this has been for cybersecurity! One unicorn IPO and two great acquisitions – Zscaler’s nice debut on wall side road,  a $300 million acquisition of Evident.io through Palo Alto Networks and a $350 million acquisition of Phantom Cyber through Splunk has gotten all people excited.

Word in the street is that during every of the ones exits, the founders took domestic ~30% to 40% of the proceeds. Which isn’t unhealthy for ~ four /five years of labor. They can in spite of everything come up with the money for to shop for two bed room properties in Silicon Valley.

Evident.IO Investment Rounds and Return estimates


Select Investors

Round Size




Estimated Returns / Multiple of Invested Capital

Sep 2013

True Ventures



$6.75 m



Nov 2014

Bain Capital

$nine.eight m


$28.zero m



Apr 2016


$15.7 m

$35.zero m

$50.7 m



Feb 2017


$22.zero m

$73.6 m




My math isn’t that excellent however seems like even some VCs made a tight go back. Back of the envelope scribbles point out that True Ventures scored an estimated ~44X more than one on its seed funding. Others like Bain snagged a ~10X at the A spherical funding and Venrock which led the Series B spherical took domestic ~6X.

We see a an identical development with Phantom Cyber, which were given obtained through Splunk for $350 million. A little bit hen advised me that they’d reserving within the vary of $10 million. But ahead of all of us get too self-congratulatory, we could ask – why did those firms promote at $300 million to $350 million when everybody within the valley needs to trip a unicorn? Clearly, finances like GV, Bain and Kleiner will have fueled extra rounds to make unicorns out of Evident.io and Phantom Cyber.

Phantom Cyber Investment Rounds and Return estimates


Select Investors

Round Size




Estimated Returns / Multiple of Invested Capital

April 2015

Foundation Capital


$eight.three m

$11.04 m



Sep 2015



$26.7 m

$33.2 m



Jan 2017



$83.zero m

$96.five m



(Data Source: Pitchbook)

Some of the board contributors may have peeked on the go out information accumulated through the hardworking analysts at Momentum Cyber, a cybersecurity advisory company. Look at safety go out traits from 2010-2017. You may realize that ~68% of safety exits have been beneath $100 million. And up to 85% of exits happen beneath $300 million.

Agreed that there are only a few outstanding safety CEO’s like Jay Chaudhry who grew up in a Himalayan village, and led ZScaler to an IPO. This was once Jay’s 5th startup and he saved over 25.five% of the proceeds, with some other 28.three% owned through his agree with. TPG Growth owned not up to 10%. After all, he himself funded a considerable a part of the corporate (which raised a complete of $110 million).  But now not everyone seems to be as pushed, a success and it’s alright to promote if the go out numbers are significant. Remember what that bard of avon as soon as stated:

For I will have to inform you pleasant to your ear,

Sell when you’ll be able to; you don’t seem to be for all markets.

(Shakespeare, As you Like It, Act three, Scene V)

(68% of safety exits happen beneath $100 million. M & A Data from 2010-2017. Source: Momentum Cyber)

My good friend Dino Boukouris, a director at Momentum Cyber, provides some sage recommendation to all founders who’re smitten through unicorns. “Before a founder raises their next round, I would reflect on the market’s ability to purchase companies. The exit data says it all. As you raise more capital, your exit value goes up, timing gets stretched and the number of buyers who can afford you drops.” Dino has some degree, you notice. As we inflate valuations, your paintings, my pricey CEO, turns into a lot tougher.

If you don’t imagine Dino, let’s have a look at some other contemporary go out, PhishMe, which was once obtained through a personal fairness consortium for $400 million. That’s a pleasant quantity, right kind? At the primary glance, you’ll realize that the dilution and monetary go back patterns are very similar to that of Phantom. Except that PhishMe took 7 years and fed on $58 million of capital, whilst Phantom took three years and fed on $22.7 million. Timing and capital potency topic up to go out worth. It’s now not simply the go out worth ~ however how lengthy and what sort of. Back to my guy, Dino who will gently remind you that for the 175 M & A transactions in 2017, the median worth was once $68 milion. Read that ultimate sentence once more — very slowly. $68 million. Ouch!

PhishMe Investment Rounds


Round measurement

Select Investors

Pre-money Valuation



Returns / Multiple of Invested Capital

July 2012



$10 m

12.five m



March 2015

$13 m


$61 m

$74 m

13 %


July 2016

$42.five m


$155 m

197 m



(Data Source: Pitchbook)

Two years in the past  in Cockroaches as opposed to Unicorns – The Golden Age of Cybersecurity Startups cybersecurity founders have been prompt to keep away from the unicorn hubris. Numerous bystanders, your ego incorporated, will cheer you as you get upper valuations. But aren’t all of us rational human beings, all the time making information based totally choices?

Marc Andreessen will remind you that his easiest good friend, Jim Barksdale, as soon as stated “If we have data, let’s look at data. If all we have are opinions, let’s go with mine.”   Since 2012, my VC buddies have funded 1242 cybersecurity firms, making an investment a whopping $17.8bn. But leader data safety officials say that they don’t want 1242 safety merchandise. One exhausted CISO advised me they get fifteen to seventeen chilly calls an afternoon. They cover away from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, each with Bain Capital are celebrating the a success sale of Evident.io. They identified that the founders — Tim Prendergast and Justin Lundy had lived the general public cloud safety drawback of their earlier lives at Adobe. “Such deep domain expertise allowed them to gain credibility in the market. It’s not easy to earn the trust of their customers. But given their strong engineering team, they were able to build an “easy to deploy” answer that would scale to consumers with 1000s of AWS / Azure accounts. Customers have been extra prepared to be reference-able, given this aligned courting.”

(Source: Momentum Cyber)

You, my pricey CEO, will have to take a web page from that playbook. Because Jake Flomenberg, Partner at Accel Partners says, “CISOs are suffering from indigestion. They are looking to rationalize toolsets and add very selectively. New layer X for new threat vector Y is an increasingly tough sell.” According to Cack Wilhelm Partner at Accomplice, “Security analysts have alert fatigue, and CISOs have vendor fatigue.”  You are a type of perhaps, wouldn’t you compromise?

Besides indigestion and fatigue, the CISO roles have transform hard. William Lin, Principal at Trident Capital Cyber, a $300m fund identified that “the role of CISO has bifurcated into managing risk akin to an auditor and at the same time, managing complex engineering and technology environments.”  So naturally, they’re managing their time extra cautiously and now not taking a look ahead to assembly yet one more startup.

Erik Bloch, Director of Security Products at Gross salesForce says that whilst he helps to keep an open thoughts and is prepared to have a look at leading edge startups, it takes him weeks to prepare calls with the best folks, and months to scope a POC. And let’s now not disregard the mountain of paperworks and felony agreements. “It’s great to say you have a Fortune 100 as an early customer, but just be warned that it’ll be a long, hard road to get there, so plan appropriately” he identified.

So, my pricey founder, as the street will get tougher, investment slows down. Look at 2017 —  regardless of all the ones giant hacks, Series A investment dropped through 25% in 2017. Clearly, lots of our seed funded firms don’t seem to be handing over the ones Fortune 100 POC milestones. And are not able to lift a Series A.  Weep, if we will have to, however allow us to remind ourselves that out level answers don’t seem to be that spectacular to the CISOs.

All the founders I do know are seeking to lift a formulaic $8m Series A on $40m pre. But now not each startup that wishes eight on 40 merits it. Revenues and enlargement price, the ones old fashioned metrics topic greater than ever. And some traders search for the standard of your consumers.  Aaron Jacobson of NEA, a multi-billion buck project fund says, ”A key worth motive force is a thought-leader CISO as a buyer. This is continuously a excellent indicator of worth advent.“


Expected Revenue Run Rate

Estd. Round Size



Up to $2m

Series A

$1.5m to $three m

$5m to $8m

Early VC

$five m to $eight m

$15m to $25m

Late Stage VC

$6m to $10m

$30m to $50m

When markets get crowded and all startups sound the similar, traders search high quality, or transfer to later phases.  They like to look neatly confirmed firms, that experience solved numerous fundamental issues. And eradicated riskier hindrances. Like product-market are compatible, pricing and go-to-market problems. Naturally, the later level valuations are emerging sooner. Money is chasing high quality, enlargement and returns.

Median Post-Money Valuation through level for cybersecurity firms (Source: Pitchbook)

The safety IPOs be offering a sobering view. This is an extended adventure, now not for the faint of middle. Okta moved rapid, fed on ~4X extra capital as in comparison to Sailpoint and delivered nice returns.


Year Founded

Years to IPO

Total Capital raised previous to IPO

Revenues (2017)

Post Money of ultimate spherical previous to IPO

Market Cap at IPO





$176 m

$1.05 bn

$three.6 bn




$231 m

$160 m

$1.18 bn

$2.1 bn




$159 m

$220 m

$1.zero bn

$806 mn




$54.7 m

$186 m


$1.1 bn

Security IPOs (Source: Momentum Cyber, Pitchbook)

Innovating with go-to-market methods

In the close to time period,  the massive problem for you, pricey safety founder, is promoting in an over crowded marketplace. If I have been you, I’d keep in mind that innovation will have to now not be limited to simply generation, however can prolong into gross sales and advertising and marketing. We lack creativity in the case of advertising and marketing – ask Kelly Shortridge of Security ScoreCard. She will have to get some roughly BlackHat award for growing this godforsaken Infosec Startup Bingo. If you in finding any startup dealer that makes use of most of these phrases, and wins this bingo, please DM me ~ I can promptly shave my head in disgrace. We were given right here as a result of we don’t possess easy advertising and marketing muscular tissues. We reproduction every different whilst our consumers roll their eyes after we pitch them.

Sid Trivedi of Omidyar Technology Ventures needs to paintings with the developer focussed startups. He says, “Look at companies like Auth0. The sales efficiency on developer-focused platforms is tremendous. You can go to a CISO, CIO or CTO and point out that X number of developers are paying to use my technology. Here are their names, why don’t you talk to them? And then, let’s discuss an enterprise license for the full company?” That method works like magic. Overwhelming majority of the device IPOs like Twilio, Mulesoft, SendGrid are developer platforms.”

If you cross top-down in a rush, you’ll be able to crash and burn. I’m conscious about an impatient safety dealer who used government degree power at a Fortune 50 corporate. They kicked their approach into the POC. And were given kicked out through the infosec crew. The furios infosec crew destroyed the seller in a technical review. I used to be advised that the product was once purposeful however the dealer’s impatience and political gymnastics killed the deal. Let us now not disregard easy fact: time and again CISOs flip to their subordinates for recommendation and decision-making, so don’t simply promote to the highest. Nor forget about the remainder of the folks within the room.

With extra noise, the patrons freeze. Margins shrink. Revenues and enlargement slows down. Which approach it’s tougher to get on your milestones ahead of your subsequent spherical. Running out of money isn’t a laugh. Nor is a down spherical, layoffs and such. So whilst that is more straightforward stated than executed, please lift much less and do extra. And possibly, simply possibly, you’ll be able to stay 40% of a $350 million go out.

If you may have questions or existential dilemmas, you’ll be able to all the time in finding me, speaking to a pleasant VC in South Park.  Or I’m all the time round in a relied on safe international of Signal.

Stay secure at that annual safety stampede referred to as RSA.



PS: Let’s now not disregard to specific our gratitude to these analysts at Momentum Cyber and Pitchbook for painstakingly monitoring each funding, inspecting and presenting significant information. They assist us have a look at the wooded area, and make our adventure more straightforward. Send them a thank-you tweet, some wine, goodies, vegetation or home-baked cookies.

About admin

Check Also

Artificial intelligence must be ‘for common just right’

Image copyright Getty Images Ethics must be on the centre of the improvement of synthetic …

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: