Cybersecurity Startup M&A Holds Steady After Record Year

While not on the same breakneck pace of last year, M&A dealmaking involving cybersecurity startups has remained robust in 2022, even with a sputtering economy.

Last year was a record breaker for cybersecurity dealmaking, with 124 VC-backed startups getting bought, according to Crunchbase data. Although it doesn’t seem that 2022 will break that record—with only 49 announced through nearly half the year—this year is still clocking in at a healthy pace, according to those who observe the market.

Dealmaking may not set records this year, but it hasn’t fallen off a cliff, either: For comparison, all of 2020 saw 76 cybersecurity startup M&A deals.

“While we’re a bit behind the record 2021 levels, when you compare this year’s activity with … all of 2020, it paints a slightly more positive outlook,” said Dino Boukourisfounding director of San Francisco-based financial advisory firm Momentum Cyber.

Search less. Close more.

Grow your revenue with all-in-one prospecting solutions powered by the leader in private-company data.

“That being said, the public market and associated cryptocurrency corrections, coupled with the overall economic and geopolitical uncertainty has led to a slight slowdown in M&A to start the year,” he added.

Slight slowdown

Despite that slowdown, this year has already seen some big deals involving VC-backed startups, including:

  • TA Associates bought Burlington, Massachusetts-based security application company Veracode for $2.5 billion in May.
  • AMD acquired Milpitas, California-based distributed services platform Pensando for $1.9 billion in April.
  • SentinelOne bought Fremont, California-based identity detection and response firm Attivo Networks for $616.5 million in March.

That should not come as a shock to most. Cybersecurity has proven resilient in a market where threats and attack surfaces are ever expanding. Although some IT budgets are getting cut, most companies still see cybersecurity as a “must have” due to the growing number of domestic and international attacks and bad actors.

Alberto Yépezco-founder and managing director at Forgepoint Capital—which specializes in cybersecurity and infrastructure software investments and has seen four exits this year alone in security—said the M&A dealmaking market is still robust and still providing good multiples for investors.

“M&A premiums are not coming down yet because the companies getting bought right now are some of the best,” said Yépez, whose exits include Attivo Networks and, more recently, threat detection and response startup Cysiv getting bought by ForeScout.

Yépez said he is still seeing strong multiples—around 20x ARR for good startups—and thinks it should continue with strategic buyers such as Google, Microsoft and Amazon still swimming in the acquisitions waters.

Google already pulled off a huge deal in cyber when it announced it would pay $5.4 billion to buy publicly traded cyber firm Mandiant.

“I think where you will see prices fall is when private equity starts to enter the frame,” he said.

Needing cash

Prices also could start to fall if fundraising continues to slow and startups are in need of cash.

“The real question, however, is after valuations in the private markets recalibrate. Will that create a tailwind for M&A for those companies that may be encountering challenges raising capital or possibly facing a ‘down round’ if they were to raise capital?” Boukouris said.

Boukouris said while evaluating strategic alternatives, startups may start eyeing M&A as an alternative if raising money is difficult.

Still, the slowdown in fundraising has not seemed to affect cyber as much as other tech sectors, with the industry minting more than a dozen unicorns already this year.

While some fear the economic uncertainty due to inflation and higher interest rates—which causes the money to complete deals to be more expensive—could chill some M&A in the second half of the year, many who invest in cyber do not anticipate a slowdown.

“I don’t think interest rates should affect M&A too much,” Yépez said. “I think it’ll still be strong in the second half.”

Methodology

Cybersecurity is defined by the industries of network security, cloud security, cybersecurity and identity management, as according to Crunchbase data.

Further reading:

Illustration: Dom Guzman

Stay up to date with recent funding rounds, acquisitions, and more with the Crunchbase Daily.

Leave a Comment

Your email address will not be published. Required fields are marked *