M&A Mania

2018 has kicked off with a flurry of M&A activity in the infosec space. There have been four deals that I'm aware of:

Barracuda acquired Phishline
Cyxtera acquired Immunity Inc
Verizon acquired Niddel
Threatcare acquired Savage Security

I wonder how many more deals will be announced between now and RSA. Either way, it looks like it could be a busy year ahead.

Threatcare secures $1.4m seed funding

Threatcare has announced a $1.4m seed round led by Moonshots Capital, with participation from Flyover Capital and Firebrand Ventures.

The Austin-based company was founded in 2014 by CEO Marcus Carey. Its flagship product, Violet, is a SaaS offering that provides continuous security validation through attack simulation.

Many security departments are repeatedly asked the same question: "are we secure?" It is a loaded question, and there is rarely a satisfactory answer.

Security assurance is an established discipline, but it is often limited in scope, either by business unit or by technology. The advantage a product like Threatcare brings is that it can provide broad assurance across multiple technologies. By simulating attacks end to end, Violet sees the forest rather than the trees: instead of getting tied down with one particular vulnerability, it can be used to assess the overall security effectiveness of an organisation. In that sense it is perhaps better thought of as a security assurance orchestration offering, tying together multiple technologies and processes.

This is an area we'll likely see rapid growth in over the coming years, as companies pause the layering of new technologies and check whether what they already have is functioning adequately.

Competition in this space is heating up, both technologically and in the funding competitors have raised: most notably SafeBreach raised $19m in mid-2016, AttackIQ raised an $8.8m Series A, and UpGuard raised a $17m Series B at the end of 2016.

Other vendors in this space include Picus Security and Cybric.


Analyst Vendor Briefings

Fuelled by a Twitter conversation, both Adrian Sanabria and Anton Chuvakin posted articles (here and here) sharing some good tips on what makes a good briefing and the common pitfalls to avoid.

As a former (recovering?) analyst, I thought it only right to jump on the bandwagon and share my thoughts on the topic.

What is a vendor briefing?

If you're not familiar with vendor briefings, they are basically sessions in which a vendor speaks to an analyst and explains what their product does, how the company is structured, its financials, and so forth. The analyst will then, depending on how the analyst firm operates, either write up a piece on the company, reference it as part of a broader piece of research, or maintain the details in their database of companies they are tracking.

Analyst tips

Both Anton and Adrian were very thorough in their advice to vendors on how to deliver a good briefing. But I’d like to shift focus and point out a few things analysts could be mindful of during such briefings.

1. You don't know everything. Yes, you speak to very smart people every day and your reports are widely read. But it's very easy to get on a high horse and think you are all-seeing and all-knowing. If that were the case, you'd have raised millions in funding and solved all technology problems by now.

2. Let the vendor make their point. You may not agree with them, but let them present their perspective and give the courtesy of hearing them out.

3. A briefing isn't a fight. It's not an argument that needs to be "won". If putting others down helps you sleep better at night, that's cool. But chill out a little; you're meant to be impartial and balanced.

4. Set expectations. Let the vendor know up front what you are hoping to get out of the call. Be open about whether you're more interested in the product, the company strategy, or the numbers. Vendors aren't mind-readers.

5. One of the most useful phrases I learnt as an analyst was, "Can you help me to understand…" It's a simple and effective line that can mean many things, such as "I don't believe you", "too many buzzwords", or "maybe you need to think this through". Whatever it means in the moment, it doesn't come across as confrontational; it puts you both on the same page, working through a problem together.

6. Be organised. Be on time, have your notes in order, and don't just blunder through the briefing. Yes, you're a busy analyst who has to do many of these a week, but a little organisation goes a long way.

7. Share your plans. Be clear about what the vendor can expect. Do you plan on covering their company? Will you include them in a larger piece of research? How frequently would you like them to keep in touch with you? All of this goes a long way towards ensuring a long and meaningful relationship.

The numbers don’t lie

If I were to add one tip for vendors to Adrian's and Anton's respective blogs, it is this: while an analyst may disagree about the effectiveness of your product, or its value, the numbers don't lie. Analysts have a lot of numbers. They spend a lot of time sizing markets and analysing competitors' growth projections and targets, so most will be able to analyse your numbers, or infer them, very quickly. Please don't try to impress by claiming huge numbers or ridiculous growth. Don't claim your TAM is your SAM or SOM.

I’ll digress and give an example of what I mean.

Say you are a producer of bottled water.

Every human needs to drink water, so the total addressable market (TAM) is around 7 billion people.

But you're restricted by geographical reach. Say you can only ship your bottled water to the whole of England; that is your serviceable available market (SAM).

However, there are other competitors in England, and there are many people who won't buy bottled water: maybe they drink tap water, boil their own water, or have their own water filters. So, in reality, you're looking at a much smaller serviceable obtainable market (SOM).

Maybe you're a vendor that secures IoT devices. Don't start your pitch by saying that your market is 22 billion devices (or whatever the estimated number of IoT devices is), because it isn't. That may be the TAM, but your SOM will be much smaller. So think about how you will convince the analyst that your product has the right strategy to get there.

In my opinion, recklessly throwing around numbers is worse than buzzword bingo. You could end up in the vapourware category of my vendor hierarchy pyramid.



Market sizing

Seeing as I've kicked the hornet's nest about numbers, I guess it's a good time to talk about market sizing. I see a lot of weird and wonderful numbers thrown about, and sometimes I'm left scratching my rapidly balding head as to how markets are sized up. Many times I'll see claims that the {small infosec segment} industry will be worth {huge} billions by 2020 according to {analyst firm}.

I have typically been drawn more towards the bottom-up approach to market sizing. It can be more time consuming, but it gives a saner answer.

It's rather simple: you take the collective revenue of the current vendors in a given market segment to get today's market size. If you know the rate at which each vendor is growing, or is predicted to grow, you can estimate how large the market will be in the future.

For example, if you take a list of security awareness providers, estimate each one's turnover (I'll save that for another post), and add it all together, maybe the answer will be $200m (as an example). So that's our market size today.

On average, the companies may be growing sales at 25% every year. Which means that, barring any major disruptions, in two years' time the market would grow to a little over $300m ($200m x 1.25 x 1.25 = $312.5m if the growth compounds).

So, if a new security awareness vendor comes onto the scene, they shouldn't claim that the market is worth $5bn because every employee in every company in the world needs training, or that they plan on growing to $500m in revenue in five years. An analyst will be justified in rolling their eyes and being skeptical.




Thales splashes out $5.7bn for Gemalto

M&A in the infosec world waited for the holiday season to go all out splashing its cash. A flurry of activity at the tail end of the year has brought considerable consolidation.

Proving that encryption and identity management are no slouch, Thales has made an eye-watering $5.7bn bid to acquire Gemalto, a few days after Atos failed in its own bid.

The merged entity will hold a near-monopoly position in encryption, key management, and HSMs. There is overlap between the two companies, and a fair amount of time will likely be spent picking apart the threads, de-duplicating services, and consolidating divisions.

While there are alternative HSM offerings in the market, the combined presence of Thales and Gemalto will eclipse all others, in both general-purpose and payment-processing HSMs.

The new company will also have a significant play in the identity-as-a-service space, although it remains to be seen whether Gemalto will be content to dominate the areas in which it already has a strong presence, or will expand its offerings into broader cloud encryption, authentication, identity, and tokenisation services.

Subject to regulatory approval, the deal is expected to close in the second half of 2018. Thales was advised by Lazard, Messier Maris & Associés, and Société Générale. Gemalto was advised by Deutsche Bank and JPMorgan.

A tale of two public companies

Infosec companies don't always get the love they deserve from the markets once they IPO, as Barracuda Networks discovered despite posting respectable, profitable growth.

PE firm Thoma Bravo stepped in, paying $27.55 per share for Barracuda in a $1.6bn deal to take it private.

The market can be unforgiving: even when a company like Barracuda is profitable, it may not be profitable 'enough'. One of the main contributing factors to the slower growth was Barracuda's shift to a more cloud-focused business model.

While the transition from legacy on-premises billing models to a subscription-based cloud model makes sense in the long run, it brings a degree of disruption, particularly in how the financial numbers are reported: subscription revenue is recognised over the life of the contract rather than up front at the point of sale, so reported revenue dips during the transition even when bookings are healthy.

From that perspective, the deal makes a lot of sense. Thoma Bravo acquires a company the market isn't fully in love with, helps it through the transition to a cloud-based model, and watches the value climb.

At the other end of the public infosec spectrum lies Proofpoint, a company that has continued to grow through acquisition, buying companies like FireLayers, Cloudmark, and most recently Weblife.io.

Weblife is a browser isolation provider and is an almost perfect fit for a company like Proofpoint, which has a broad array of security capabilities but had a blind spot around BYOD and personal use of company-issued devices. Weblife provides an answer that may appease many an enterprise wrestling with personal/corporate monitoring and segregation.

The $60m acquisition of Weblife falls within the typical purchase price range for Proofpoint. Founded in 2013, Weblife had raised $3.5m, so the deal represents a multiple of just over 17x on invested capital.

New CEO leading the Bugcrowd

Bugcrowd has announced a new CEO, Ashish Gupta, who takes the helm from founder Casey Ellis. Ellis has stepped aside to assume the role of Chairman and CTO of the firm he founded five years ago, in 2012.

The move shows a level of maturity on the part of the company, and indeed of Ellis. Startup founders often find it hard to make way for a dedicated CEO who can lead the company through the next stage of its growth. By appointing a CEO, Ellis can focus on what he is best at: the technology, the product, the game theory, and the crowd itself.

The Grugq quipped that Ellis has successfully grown the company to the point where he can now outsource the boring work. While that may not be entirely accurate, the sentiment rings true.

Bridging communities

It's also important to take a step back and examine what factors have led to the success of Bugcrowd as a company.

While its platform has certainly helped, as has funding, the real value Bugcrowd has brought to the table is its ability to bridge communities.

The word community is thrown around a lot in the security world, almost as much as the Fast and Furious franchise uses the word family. But in this case, the sentiment is true.

Vendors and security researchers have a long and well-documented strained relationship. The debate around responsible disclosure has led to more heated arguments than climate change, or the supposed link between vaccinations and autism.

On the surface, what companies like Bugcrowd offer is no different from any of the other “sharing economy” companies such as Uber or AirBnB. But that is an overly simplistic generalisation.

Companies that open bug bounty programs have a variety of needs, objectives and goals. Some will offer large cash rewards, while others can only afford a public acknowledgement and tip of the hat. Some have very strict requirements as to what is in scope, while others cast a much wider net.

In that regard, it's a bit more like internet dating: trying to match up the right couples, each with complex needs and requirements, whilst trying to ensure neither is an axe murderer in their spare time.

Inevitably, not every bug bounty will satisfy both researchers and companies, but despite that, Bugcrowd has managed to build up its brand and influence. Its marketing campaigns and its rewards to researchers have helped showcase talent and build trust.

Perhaps the biggest success of the company is that it has shone the spotlight on its researchers and participating vendors rather than on itself. Maybe that's what community is all about: highlighting the successes of others before your own.

Flashpoint, shining a light on threat intelligence from the dark web

New York-based Flashpoint was founded in 2010, and its mission has evolved into combing the dark web to provide business risk intelligence that helps organisations mitigate risk across the enterprise.

The company is headed up by CEO Josh Lefkowitz, with Evan Kohlmann and Josh Devon serving as chief innovation officer and chief operating officer respectively.

Over the course of two rounds, Flashpoint has raised a total of $15m in funding. The most recent, a Series B, closed in July 2016 and was led by Greycroft Partners.

The company has 75 employees and over 80 customers in the private and public sectors across multiple verticals. The majority of customers are in North America, with plans to expand across South America and Europe during 2017.


The Flashpoint offering is a combination of people, data, and technology, leveraged to generate business risk intelligence for its customers: from traditional threat intelligence to intelligence that aids every department across a customer's enterprise. All aspects of the offering are tailored specifically to drill into the dark web and surface relevant information. This includes multilingual analysts who are experienced in embedding themselves within dark web communities and who understand their culture and digital customs.

Flashpoint's technology assists the analysts in working around technical obstacles such as CAPTCHA solving, evading bot detection, collecting timely data, and maintaining a positive reputation within those communities.

According to Flashpoint, this combination of analysts and technology makes the analysts far more effective and allows the company to serve a multitude of customers.

The product is sold on a subscription model. Flashpoint customers receive anywhere between three and eight reports a day. Depending on the package, they also get a set number of hours every month which they can use to engage directly with analysts. Customers can also sign in to the online Flashpoint portal and run custom queries, or use the API to import and query the data in a local tool.

Breaking the Fourth Wall

Obtaining meaningful threat intelligence from the dark web, and from the wider internet, that is relevant and usable by businesses is a large task. But its specific focus on the deep and dark web, and its mix of technology and specialist staff, give Flashpoint a good foundation to build on.

Perhaps the biggest challenge Flashpoint will have is differentiating itself in an already noisy threat intelligence market. The offering differs from vendors such as FireEye (Mandiant) or CrowdStrike, which focus on nation-state actors and APTs, from vendors that focus on indicator feeds, and from those that focus primarily on the open web. An element of customer education will likely be needed to build mainstream understanding of how Flashpoint differs from, or complements, others in this space such as Digital Shadows, InsightPartners, Recorded Future, Cyveillance, and others.

In that regard, pursuing technology partnerships, as the company already does, will be key to generating more awareness of its offering and to getting its intel in front of more customers.