Last year was record-breaking for the cybersecurity market. Data from Momentum Cyber, a financial advisory firm for the security industry, showed that cybersecurity startups raised a “record-shattering” $29.5 billion in venture capital in 2021, more than doubling the $12 billion raised in 2020, while a record number — including Dragos and Noname Security — were minted as unicorns.
The past few months have started to paint a different picture for the industry, which has managed to successfully navigate the pandemic, geopolitical conflict, and — so far — the looming economic storm.
While it at first appeared that cybersecurity startups were immune to the mass layoffs impacting almost every startup sector, from healthcare to enterprise SaaS, that is no longer the case. IronNet laid off 17% of its employees, Lacework axed a fifth of its staff, Cybereason laid off 100 workers, and OneTrust cut 25% of its entire workforce, for example.
“I know this news is surprising, especially as you heard last month that the business is on track with record quarters and increasing customer demand,” OneTrust CEO Kabir Barday said in an email to employees. “However, capital markets sentiment shifted to a more balanced approach between growth and profitability, and at this time, we have decided the best course of action is to reorganize to position OneTrust for continued long-term success.”
New data shows that H1 numbers are down across financing and M&A, too. Momentum tracked $12.5 billion of volume across 531 deals in the first six months of 2022, down from the $12.6 billion raised in 2021. And while M&A activity has remained “steady,” Momentum recorded an 11% drop in deals toward the tail end of 1H.
Cyber foundry DataTribe has also published a report containing data on early-stage cyber deal activity in the U.S. for the second quarter of 2022. The company found that seed deal volume decreased by nearly 20% year on year, while Series A deals declined by 43%.
The company reported that median seed deal valuations dropped 33% from $18 million in Q1 to $12 million in Q2, while Series A funding saw a 10% decline in median valuation in Q2 from $45 million to $40.5 million.
These are by no means figures that indicate that investment in cybersecurity is slowing to a crawl. In the last few months alone, we have seen startups raising mega-rounds and reaching unicorn status: Cyber insurance startup Coalition recently closed a mega $250 million Series F investment that took its valuation to $5 billion, Axonius raised $100 million at a $1.2 billion valuation, and Island — just weeks after launching — raised $115 million in a Series B round valuing the company at $1.3 billion.
However, the Q2 metrics do show that pace of funding in the cybersecurity space is noticeably slower — and continuing to decelerate. So while the cybersecurity funding bubble hasn’t burst, it’s starting to deflate.
Market “malaise”
Alex Doll, founder and managing member of Ten Eleven Ventures, told TechCrunch that it’s clear the “macro climate has shifted and the inflation-led ‘malaise’ in the market” is beginning to have an impact.
“Valuations peaked a while ago and have been healthily corrected to align with more sustainable investment levels,” said Doll, who recently backed IoT security startup Ordr and zero trust network access company Axis Security.
“Early-stage investing has not changed too much, although round sizes might edge downward to more normalized levels. Late-stage, high-quality companies on IPO paths may not be as highly valued as last year but are still great, high-quality companies.”
Doll warned that the middle ground between these two ends of the investment spectrum was most “unhinged” during the pandemic.
“At the height of the market, all growth companies in each cyber subsector were priced as if they were the market leader, and this cannot be true. Only one company is winning in a market at a given time or phase of the market,” he said. “Many investors who were not deep in cybersecurity expertise did a lot of investing in the ‘hot’ cybersecurity sector but had difficulty pricing the specific market competitive dynamics.”
Deepak Jeevankumar, managing director at Dell Technologies Capital, also believes that cyber valuations “surely peaked” in early 2021 as interest in funding cybersecurity startups ignited as a result of the pandemic-fueled explosion in cyber threats.
“Cyber spending will be resilient with F500 customers but valuations for cyber startups will not see the same resiliency,” he told TechCrunch, noting that areas that are “over-funding” include threat analytics, managed security service provider, endpoint security and software supply chain security. “This is the dichotomy that startups will have to navigate.”
Megan Reynolds, an investor at Crane Venture Partners, added: “Valuations peaked and fell across the board. It’s harder and harder for new products in existing crowded spaces to penetrate.
“Security operations has been a huge growth area but is already seeing saturation here. SOC analysts are becoming overwhelmed with a fragmented landscape of tools, and we expect there will be consolidation driven by companies in the data infrastructure layer.”
Cybersecurity remains “anti-fragile”
Despite a slowdown in financing and an apparent over-investment in certain cybersecurity subsectors, investors don’t expect doom and gloom for the cybersecurity market going forward.
“Many more great companies will be formed and built within the cybersecurity sector,” Doll said. “Despite the macro environment, cyber is still a massive problem, and the demand side created by threats is not dissipating. Companies are still underinvested in cyber — on average, only about 6% of all IT spend.
“Overall, cyber is still an attractive place to be — we think one of the most resilient, even ‘anti-fragile,’ parts of the economy. The long-term trends for cyber spending are not even close to peaking.”
According to Momentum, there are a number of subsectors to watch throughout the second half of 2022, including identity and access management, risk and compliance, attack surface management, and products that secure the increasing number of threats targeting industrial control systems and operational technology.
Cloud security, too, is likely to continue growing despite a slowdown in other areas of the industry as organizations accelerate digital transformation projects in the face of widespread remote and hybrid working.
“Probably the biggest area of opportunity is in cloud security. Industries are wholesale moving their code to the cloud creating a huge, fast-growing attack surface, but most cloud security companies are still focused on last-gen vulnerabilities,” Jeevankumar tells TechCrunch. “Other areas that may be under-invested are log analysis platforms that can deal with 100x more volume than current platforms, email security and API security.”
Kerry Baldwin, a managing partner at IQ Capital, told TechCrunch that asset management — the process of identifying the IT assets that your organization owns and the potential security risks or gaps that affect each one — is another area that’s likely to buck the downward trend.
“Larger organizations are painfully realizing that they don’t have complete visibility and, therefore, control over their infrastructure, particularly what is exposed over the internet. This gap has been exacerbated by cloud adoption, the proliferation of connected devices, including specialized IoT/OT or software-defined assets, and more recently the obvious challenges posed by remote work,” she said.
While the next 12 months will arguably be an easier ride for some startups than others, Jeevankumar said that all companies planning to raise should look for capital from investors with a proven track record of investing in cyber for at least a decade. “Venture tourists lack the kind of seasoned experience critical during turbulent times,” he said.
“Avoid operating your company solely on venture debt. Founders should aim to have 18 to 24 months runway, at a minimum, not including venture debt. To get there, one thing to consider is adopting a sales strategy that provides discounts to customers who can pay for your solutions in advance — think deals that are paid two to three years ahead,” he added.
“Those at the seed stage should take extra dilution and decrease the amount of equity ownership now to give themselves more runway for the coming years.”
Isabelle O’Keeffe, partner and head of Origination at Sure Valley Ventures, also has some words of wisdom for cyber startups: “Most of the same advice applies across the board — careful cash flow management, scenario planning, staying close to the customer to adjust to their budgets and plans if needed. Seeking advice from your current investors and leveraging their experience.
“For companies in a position where they don’t need to raise capital, they should keep an eye on burn and continue to build out product and technology and focus on validating existing product portfolio. They should also be looking at timings around new product development and release in line with cash burn, customer appetite and ability to fundraise.”