More cybersecurity consolidation coming your way, with bigger players picking up startups that will help them bolt on tech to meet the ever-expanding attack surface for enterprises as they move more activity into the cloud. In the latest development, CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion in a cash and share deal.
Specifically, CyberArk will pay $1 billion in cash and approximately $540 million in shares. Shareholders in both companies have approved the deal, they say, and it’s expected to close in the second half of 2024.
Venafi has since 2020 been majority-owned by Thoma Bravo, whose controlling investment in 2020 valued the business at $1.15 billion. In other words, Venafi’s selling price today represents a moderate increase.
The news confirms rumors that had been circulating of a deal between the two companies over the last few days.
CyberArk’s interest in Venafi comes at a time when security teams are trying to get a better and more holistic understanding of the threat landscape and attack surface of their organizations.
In today’s market that is an extremely complex question to answer thanks to the growth of mobile technology, cloud services and distributed working.
In essence, all of these have led to an explosion of computing endpoints (which include not just the many devices that people might use to connect to a network, but also any other device on the network where data is being consumed or stored). The rule of thumb is that there are 40 “machines” for every human on an enterprise network. All this has led to a major surge of business for companies focusing on identity security. Some recent big funding rounds for startups in the same area include rounds for Oasis Security and Silverfort.
Venafi’s tech focuses on securing and understanding the data flow between those machines.
It’s described as a specialist in PKI and certificate management, and CyberArk says that Venafi’s solutions will expand CyberArk’s total addressable market by $10 billion (to a total of $60 billion).
“This acquisition marks a pivotal milestone for CyberArk, enabling us to further our vision to secure every identity – human and machine – with the right level of privilege controls,” said Matt Cohen, CEO, CyberArk, in a statement. “By combining forces with Venafi, we are expanding our abilities to secure machine identities in a cloud-first, GenAI, post-quantum world. Our integrated technologies, capabilities and expertise will address the needs of global enterprises and empower Chief Information Security Officers to defend against increasingly sophisticated attacks that leverage human and machine identities as part of the attack chain.”
The acquisition also underscores some themes playing out among cybersecurity companies at the moment around consolidation.
Some (not all) companies that raised money several years ago at higher valuations are finding those valuations under major pressure at the moment as they variously fail to grow ARR, reach profitability, and approach what looks like the predictable end of their runway.
Those companies are now looking for an exit, and sometimes that will come at a price far below their last valuations. (Cases in point from recent weeks: Akamai acquired Noname Security for $450 million, less than half its last valuation; Wiz tried to acquire Lacework, last valued at $8.3 billion, for just over $150 million, returning around $800 million in cash Lacework still has in the bank to investors: that deal appears to have fallen through.)
On the other hand, a select few cybersecurity businesses are seeing significant growth right now and are essentially being earmarked as the consolidators. Wiz raised $1 billion a couple of weeks ago, specifically to fuel an acquisition spree. And clearly CyberArk, which is publicly traded and has a current market cap of over $10 billion, is another in this category.
The consolidation trend is playing out amongst even those that are being consolidated. In May 2020 Venafi acquired Jetstack to bring Kubernetes expertise into its fold. Just a day before that, CyberArk acquired Idaptive.