SAN FRANCISCO (Reuters) – A wave of cyber attacks by criminals, spies and hacker activists should make these heady days for US cyber security startups.
Instead, many in the crowded market are struggling to live up to their early promise. In some cases, the security products they developed have been overtaken by advances in cyber hacking, according to industry executives and venture capitalists. In others, larger competitors have come out with similar technology and locked down customers.
“I have never seen such a fast-growing market with so many companies on the losing side,” said David Cowan, a partner at Bessemer Venture Partners, a venture capital firm that has invested in the cyber security sector.
Venture capital continues to pour into the industry, driven by the belief that there is no end in sight to cyber attacks or companies’ need to protect themselves. Yet only a handful of startups have successfully sold themselves or floated in the stock market in recent years.
The result is a number of these start-ups have become corporate “zombies” with little prospect of fetching a good price in an IPO or becoming acquisition targets, experts said. Their early investors have been left without an easy or profitable exit.
Not only is the technology behind cyber attacks rapidly evolving, the nature of how the corporate world uses security firms is changing. To save money and trouble, some companies have consolidated their security work, using just a few large players rather than spreading business around.
Companies are also diverting money to lower-cost “bug bounty” firms that contract out researchers who help identify security weaknesses.
“Suddenly, we are in this situation where there are just too many vendors and too few can be sustained,” said Dave DeWalt, the former CEO of cyber security company FireEye.
“You’re starting to see companies go, ‘Oh my gosh, what do I do? Can I get more capital, do I have to merge?'” DeWalt said.
Momentum Cyber, an advisory firm focused on cyber industry mergers and acquisitions, said it tracks 2,500 security companies today, almost double the number a few years ago. The firm’s co-founder, Eric McAlpine, estimates 300 cyber security startups launch every year.
Few of these are pulling off IPOs. What’s more, big software companies have become less willing to acquire cyber security products they believe they can develop on their own.
“The pipe dream days of selling companies at a rich price equivalent to ten times their revenue are gone,” said Tom Kellermann, chief executive of venture capital firm Strategic Cyber Ventures.
ForeScout Technologies, a provider of software that helps companies keep the devices of their employees secure, was the only US cyber security company, excluding identity management providers, to go public last year. This compares to three cyber security IPOs in 2016 and four in 2015.
ForeScout raised $116 million in an IPO in October that valued the company at about $800 million, down from its $1 billion valuation in the private markets a year earlier. ForeScout’s backers, including Intel Capital and Accel Partners, had to moderate their valuation expectations for the IPO to be successful. The company is now trading at a $1.2 billion market capitalization.
To be sure, many venture capital firms are sticking with the sector. Some are curbing their bets or backing smaller startups.
“Startups that are likely to reach between $100 million and $300 million in value are still offering excellent opportunities for an exit,” said Yoav Leitersdorf, whose investment firm YL Ventures was an investor in Hexadite, a cyber security incident investigation company that announced a sale to Microsoft last June.
Some larger startups, such as Carbon Black, have delayed their IPOs. Founded in 2002 by former US government cyber security experts, Carbon Black, formerly known as Bit9, was a pioneer in developing tools that detect and respond to threats targeting corporate networks.
Within a few years, its market became more competitive, as rivals such as Cylance, CrowdStrike, and SentinelOne came out with similar technologies. Some larger companies, including Symantec, also developed similar products.
Carbon Black filed confidentially for an IPO in 2016, while also exploring a sale to other companies, including IBM, people familiar with the matter said. IBM did not respond to a request for comment.
The Boston-area company has yet to move ahead with the IPO, stranding investments from venture capital backers such as Kleiner Perkins Caufield & Byers and Sequoia Capital. Both firms declined to comment.
A source close to Carbon Black said it is now hoping to go public this year, and that it delayed its IPO to integrate an $100 million acquisition of a company called Confer.
Carbon Black CEO Patrick Morley, in an interview, declined to comment on plans around a possible IPO, or any merger discussions.
But Morley said the company has rolled out several cyber security offerings that make it more diversified than its rivals. He also predicted more consolidation in the market.
Another startup, Zscaler, which specializes in cloud security, hired investment banks to go public last year but has delayed its offering until at least March to focus on growing its revenue, according to sources. Zscaler declined to comment.
“Some have compared some cyber security companies to cockroaches,” DeWalt said. “They can’t die, but they aren’t smoking hot either.”
(Reporting by Liana B. Baker in San Francisco; Additional reporting by Joseph Menn in San Francisco; Editing by Greg Roumeliotis and Paul Thomasch)