Photo: Philippe Huguen/AFP/Getty Images

The market for cybersecurity startups is bubbling, but more of these new firms are choosing to sell out to larger companies than to grow into major independent players.

Between the lines: As a result, the big winners in cybersecurity investing right now tend to be founders and early-stage investors rather than larger venture capital and private equity (PE) firms.

There's strong interest from private equity firms: "Every color of private equity — VC, growth, and buyout — is chasing cybersecurity," says Kristjan Kornmayer, director of M&A Advisory Services with the Chertoff Group, a global security advisory firm. "But it’s especially tough for the big buyout shops. There are not enough mature, scaled opportunities to put real money to work."

  • Private equity firms often have large minimum investment amounts, but companies "get snapped up before reaching any significant size to be of interest to private equity," Kornmayer said.
  • Some PE firms are so interested in investing in cybersecurity firms, they're lowering their minimum investment expectations to get in the game before companies get acquired. "We are seeing some funds revisit their minimum equity checks to accommodate the realities of this market’s structure," Kornmayer tells Axios.

By the numbers: In the general market, PE firms normally invest a minimum of $100 million in a company. But in the cybersecurity market, PE firms' average investment, not their minimum, is approximately $80 million, per data PitchBook shared with Axios.

Driving the market: Cybersecurity firms are often formed to quickly meet and beat new threats as they emerge, and bigger firms are prone to snatching them up to show they are prepared to meet threats better than their competitors. "On the early stage side, corporate buyers are looking to add new technology capabilities as soon as the company proves itself," Kornmayer said.

The other side: The fast pace of acquisition is also rooted in how hard it is to make a cybersecurity solution that's relevant. RSA Security CTO Dr. Zulfikar Ramzan tells Axios that cybersecurity startups often end up "stumbling":

They haven’t been able to prove out they can do a proper go-to-market...By then their investors have sort of run out of patience and steam and they say 'Okay, we’re done, let's wind it down and sell the company for whatever we can get.'
— Dr. Zulfikar Ramzan, RSA Security's CTO

The bottom line: The pace of the market doesn't appear to be slowing anytime soon.

  • The cybersecurity M&A market is active and getting more active. Already in the first half of 2018 there were 101 M&As in the cybersecurity market, which is well on track to surpass the number of M&As that took place in all of last year, 178, per Momentum Cyber, a cybersecurity advisory firm.
  • Just this year, for example, cybersecurity firm Splunk has already acquired Phantom at $350 million and VictorOps at $120 million, and Palo Alto Networks has acquired Evident.io at $300 million and Secdo at $90 million.

What's next: PE firms are still hungry to invest in cybersecurity businesses — despite having to shift their expectations. "The industry’s size and growth justify the enthusiasm. We are talking about an $87 billion market growing 12% per year — that’s not easy to find," Kornmayer said.

Go deeper

Harvard and MIT sue Trump administration over rule barring foreign students from online classes

A Harvard Law School graduate on campus before attending an online graduation ceremony on May 28. Photo: Craig F. Walker/The Boston Globe via Getty Images

Harvard and MIT on Wednesday filed a lawsuit against the Department of Homeland Security to block federal guidance that would largely bar foreign college students from taking classes if their universities move classes entirely online in the fall.

The big picture: Colleges, which often rely heavily on tuition from international students, face a unique challenge to safely get students back to class during the coronavirus pandemic. Some elite institutions, like Harvard, have already made the decision to go virtual.

Updated 59 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Eniola Odetunde/Axios

  1. Global: Total confirmed cases as of 9 a.m. ET: 11,856,991 — Total deaths: 544,871 — Total recoveries — 6,473,170Map.
  2. U.S.: Total confirmed cases as of 9 a.m. ET: 2,996,333 — Total deaths: 131,481 — Total recoveries: 936,476 — Total tested: 36,878,106Map.
  3. Public health: Deaths are rising in hotspots — Déjà vu sets in as testing issues rise and PPE dwindles.
  4. Travel: How the pandemic changed mobility habits, by state.
  5. 🎧Podcast: A misinformation "infodemic" is here.

Facebook auditors say it's failing on civil rights

Illustration: Sarah Grillo/Axios

The findings from a new civil rights audit commissioned and released by Facebook show that the tech giant repeatedly failed to address issues of hatred, bigotry and manipulation on its platform.

Why it matters: The report comes as Facebook confronts a growing advertiser boycott and criticism for prioritizing freedom of speech over limiting misinformation and protecting users targeted by hate speech.