Insights from category creators and the investors who believe in them.

VC Predictions: Cybersecurity Consolidation Will Continue in 2024—But Not at the Expense of Innovation

December 7, 2023

Many of us started the year bracing for more uncertainty—and 2023 did not disappoint. From March to May, failures of three U.S. regional banks rattled financial markets, followed by Q3 reports that global venture funding reached its lowest level since 2016.

But a spate of acquisitions in Q3 paints a slightly different landscape, at least for the cybersecurity market:

Before we take a closer look at this M&A trend, it’s important to acknowledge that many of these recently acquired startups originate and have teams in Israel. While the impact of recent events in Israel are devastating on many levels, we’ve seen firsthand the perseverance and resilience of Israeli founders and entrepreneurs who are leading, building, and innovating under unprecedented conditions. We expect the country to remain a leading entrepreneurial ground in 2024 and beyond.  

What’s driving the recent M&A activity

At first glance, these recent high-profile acquisitions may not seem to make much sense from a financial perspective. For starters, many of the recently acquired startups are only a few years old. If these companies were trading in the public market, it would be challenging to justify the up to 100x ARR multiples acquirers are paying. 

So what’s fueling this seemingly counterintuitive M&A activity? 

For incumbents, several strategic opportunities emerge: 

  • Giants like Palo Alto Networks can acquire a startup’s technology, bundle it with existing tech, and upsell customers for the increased bundle—this meets demand by customers who are ready to consolidate vendors. 
  • Public investors also love to see net dollar retention (NDR). Companies such as CrowdStrike are proving their ability to drive NDR through the sale of incremental products, some of which have been acquired. In fact, about 63% of CrowdStrike customers now use more than five of the company’s modules—only a few years ago, only a single product was available.
  • The increase in competition among startups gives acquirers a larger selection of potential acquisitions to choose from, and further differentiates the acquired product in a noisy competitive landscape.

For the biggest players in cybersecurity, now is an ideal time to fill any tech gaps with an acquisition. As we’ve seen, the cycles of innovation tend to move faster in cybersecurity, and incumbents are willing to take a bet on young companies. As for startups facing macro headwinds, we see three compelling reasons to consider merging with a larger player:

  • Consolidated IT budgets are creating more challenges for startups that are trying to sell standalone products to budget-conscious Chief Information Security Officers (CISOs).
  • The funding spree of 2019-2021 gave rise to intense competition in nearly every corner of the security world. We’re often seeing 10-plus startups in categories that are proving difficult to draw budget for amid IT consolidation.
  • Founders are more willing to sell. As we predicted in mid-December 2022, cybersecurity M&A can be the beginning—not the end. Founders who are open to the M&A route may be able to fulfill their mission and vision within a larger organization, effectively continuing the entrepreneurial journey under a new umbrella.

What M&A means for cybersecurity founders

There’s a reason why there’s an old adage: “Companies get bought, not sold.” This string of high-profile cybersecurity acquisitions may lead some founders to believe the odds of getting acquired have significantly improved. If you’re a founder, the reality is not every startup is eventually going to reach a $200 million to $600 million outcome. PitchBook’s data shows 12 VC-backed cybersecurity acquisitions of more than $100 million over the last year, compared to hundreds of new companies being funded annually.

Even so, we believe three trends show great promise for entrepreneurship in this sector:

Cybersecurity will remain a unique market: Every technological advancement (like generative artificial intelligence, crypto, etc.) creates new security challenges, leading to the need for continuous innovation in cybersecurity. For the most part, security budgets don’t appear to be shrinking—in fact, many expect that expenses will increase in the coming years. Lastly, CISOs are also gaining prominence and responsibilities. It’s not uncommon for CISOs to take over IT, privacy, fraud, and other domains, increasing not just their influence but also their budgets to buy new tools.

Innovation doesn’t have to end with an acquisition: If you’re a builder, the cybersecurity market clearly has space to innovate. But not every problem within security will merit its own budget line item and lead to multibillion-dollar independent companies. As security companies race to $100 billion market caps, they’re more incentivized than ever to invest not only in innovative technologies, but also in the builders of these technologies to help scale them rather than letting acquired products stagnate.

Acquirers are still willing to pay a premium for top technology: Acquisitions have become critical, transformative tools for some of the largest cybersecurity companies in the world. Morgan Stanley recently estimated that Palo Alto’s combined ~$3 billion of acquisitions was generating $1 billion of ARR for the company, effectively transforming the firewall company into a cloud software business. For example, SOAR leader Demisto was acquired by Palo Alto Networks in 2019 for about $700 million, with an all-in price representing more than 30x forward revenue multiple. That business quickly grew to over $250 million in annual revenue for the cyber behemoth. 

As we look ahead to 2024, it’s clear that opportunity still abounds in the security landscape.  Consolidation has started and will only continue in 2024—but not at the expense of innovation. We also believe that the cybersecurity realm's distinctive attributes will continue to generate favorable outcomes. After all, cybercrime is not going anywhere, and every new technology will only increase the future spend in cybersecurity.