Photo: Philippe Huguen/AFP/Getty Images

The market for cybersecurity startups is bubbling, but more of these new firms are choosing to sell out to larger companies than to grow into major independent players.

Between the lines: As a result, the big winners in cybersecurity investing right now tend to be founders and early-stage investors rather than larger venture capital and private equity (PE) firms.

There's strong interest from private equity firms: "Every color of private equity — VC, growth, and buyout — is chasing cybersecurity," says Kristjan Kornmayer, director of M&A Advisory Services with the Chertoff Group, a global security advisory firm. "But it’s especially tough for the big buyout shops. There are not enough mature, scaled opportunities to put real money to work."

  • Private equity firms often have large minimum investment amounts, but companies "get snapped up before reaching any significant size to be of interest to private equity," Kornmayer said.
  • Some PE firms are so interested in investing in cybersecurity firms, they're lowering their minimum investment expectations to get in the game before companies get acquired. "We are seeing some funds revisit their minimum equity checks to accommodate the realities of this market’s structure," Kornmayer tells Axios.

By the numbers: In the general market, PE firms normally invest a minimum of $100 million in a company. But in the cybersecurity market, PE firms' average investment, not their minimum, is approximately $80 million, per data PitchBook shared with Axios.

Driving the market: Cybersecurity firms are often formed to quickly meet and beat new threats as they emerge, and bigger firms are prone to snatching them up to show they are prepared to meet threats better than their competitors. "On the early stage side, corporate buyers are looking to add new technology capabilities as soon as the company proves itself," Kornmayer said.

The other side: The fast pace of acquisition is also rooted in how hard it is to make a cybersecurity solution that's relevant. RSA Security CTO Dr. Zulfikar Ramzan tells Axios that cybersecurity startups often end up "stumbling":

They haven’t been able to prove out they can do a proper go-to-market...By then their investors have sort of run out of patience and steam and they say 'Okay, we’re done, let's wind it down and sell the company for whatever we can get.'
— Dr. Zulfikar Ramzan, RSA Security's CTO

The bottom line: The pace of the market doesn't appear to be slowing anytime soon.

  • The cybersecurity M&A market is active and getting more active. Already in the first half of 2018 there were 101 M&As in the cybersecurity market, which is well on track to surpass the number of M&As that took place in all of last year, 178, per Momentum Cyber, a cybersecurity advisory firm.
  • Just this year, for example, cybersecurity firm Splunk has already acquired Phantom at $350 million and VictorOps at $120 million, and Palo Alto Networks has acquired Evident.io at $300 million and Secdo at $90 million.

What's next: PE firms are still hungry to invest in cybersecurity businesses — despite having to shift their expectations. "The industry’s size and growth justify the enthusiasm. We are talking about an $87 billion market growing 12% per year — that’s not easy to find," Kornmayer said.

Go deeper

The apocalypse scenario

Illustration: Aïda Amer/Axios

Democratic lawyers are preparing to challenge any effort by President Trump to swap electors chosen by voters with electors selected by Republican-controlled legislatures. One state of particular concern: Pennsylvania, where the GOP controls the state house.

Why it matters: Trump's refusal to commit to a peaceful transfer of power, together with a widely circulated article in The Atlantic about how bad the worst-case scenarios could get, is drawing new attention to the brutal fights that could jeopardize a final outcome.

Federal judge rules Trump administration can't end census early

Census workers outside Lincoln Center in New York. Photo: Noam Galai/Getty Images

A federal judge ruled late Thursday that the Trump administration could not end the 2020 census a month early.

Why it matters: The decision states that an early end — on Sept. 30, instead of Oct. 31 — would likely produce inaccuracies and thus impact political representation and government funding around the country.

Caitlin Owens, author of Vitals
1 hour ago - Health

Where bringing students back to school is most risky

Data: Coders Against COVID; Note: Rhode Island and Puerto Rico did not meet minimum testing thresholds for analysis. Values may not add to 100% due to rounding; Cartogram: Andrew Witherspoon/Axios

Schools in Southern and Midwestern states are most at risk of coronavirus transmission, according to an analysis by Coders Against COVID that uses risk indicators developed by the Centers for Disease Control and Prevention.

The big picture: Thankfully, schools have not yet become coronavirus hotspots, the Washington Post reported this week, and rates of infection are lower than in the surrounding communities. But that doesn't mean schools are in the clear, especially heading into winter.

Get Axios AM in your inbox

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Subscription failed
Thank you for subscribing!