Endpoint Detection & Response (EDR) , Endpoint Security , Next-Generation Technologies & Secure Development

Why Cybereason Went From IPO Candidate to Seeking a Buyer

Stiff Competition, Muddled Go-to-Market Strategy Put Cybereason on Path to Selling Michael Novinson (MichaelNovinson) • October 24, 2022

What a difference a year makes.

Cybereason was riding high in 2021, notching a $3.3 billion valuation and raising $325 million from the likes of Google Cloud and former U.S. Treasury Secretary Steve Mnuchin's private equity firm, PitchBook and VentureBeat reported. The company grew from just 500 workers in spring 2020 to 1,100 staff in November 2021 and increased its U.S. business by 200%, CEO Lior Div told Forbes in 2021.

Strategy of Security named Cybereason as one of the security vendors most likely to go public in 2022, and the company confidentially filed for a U.S. initial public offering in January 2022 that would have valued it at more than $5 billion, Reuters reported at the time.

Cybereason's fortunes have changed dramatically since then.

The company laid off 10% of its employees in June and acknowledged that "the tech IPO market has essentially closed," which put Cybereason on a very different path than its top EDR rivals. SentinelOne - which went public last year - employed 1,415 people in April and has increased its headcount by 24% since then; Cybereason employed 1,363 people in April but its headcount has dropped 17% since then (see: Cybereason Lays Off 10% of Staff Months After Raising $325M).

Now, Cybereason has abandoned its IPO plans altogether and hired JPMorgan Chase to find a buyer for the company, The Information reported Friday, citing the company's current valuation at $2.5 billion. A Cybereason spokesperson told Information Security Media Group the company doesn't comment on market rumors.

Why is Cybereason no longer poised to make it to the IPO Promised Land? An unfavorable competitive environment and a muddled go-to-market strategy provide some clues.

Looking Up at the Competition

Cybereason was one of many startups to emerge in the 2000s and early 2010s to take on weaknesses in Symantec's and McAfee's antivirus products with an approach that's predictive and signatureless and that goes beyond prevention. Of the six endpoint detection and response startups from this era, only Cybereason remains venture-backed; the other five have either gone public or been sold to larger technology companies.

Carbon Black, Cylance and Endgame cashed in their chips in 2019 and were sold to VMware, BlackBerry and Elastic, respectively, for a combined $3.7 billion. That same year, CrowdStrike went public at a then-industry record $6.6 billion valuation. Then in June 2021, SentinelOne burst into the public market with the biggest cybersecurity IPO of all time, raising $1.2 billion on a record-breaking $10 billion valuation.

Cybereason is the middle child of the next-gen EDR vendors - founded a year after CrowdStrike and a year before SentinelOne. The company raised its first nine-figure funding round two years after CrowdStrike and two years before SentinelOne. But SentinelOne went public during the 2021 economic boom while Cybereason decided to hold off for one more year.

The visibility associated with being a publicly traded firm had its perks. CrowdStrike grew its corporate endpoint security business by 67.9% in 2021 to $1.3 billion, while SentinelOne delivered 112.2% growth to $187.1 million, according to IDC. In contrast, Cybereason recorded a far more modest 45.4% growth rate in 2021, and SentinelOne surpassed the company from a revenue perspective, IDC found.

Cybereason was recently generating around $160 million in annual recurring revenue, up just 33% from $120 million in ARR as of the end of 2020, The Information reported. In contrast, CrowdStrike's ARR jumped 59% on a year-over-year basis to $2.14 billion as of July 31, 2022, while SentinelOne's increased 122% to $438.6 million during the same time frame.

Analysts don't regard Cybereason's technology as highly as they do its direct competitors. CrowdStrike and Microsoft led Gartner's endpoint protection platforms Magic Quadrant by a country mile, while SentinelOne rounded out the leaders quadrant alongside Trend Micro, McAfee - now Trellix, and Sophos. Cybereason was listed as a visionary with execution ability trailing Carbon Black, Cisco and Symantec.

Similarly, Forrester last year named both CrowdStrike and SentinelOne as strong performers in extended detection and response, while Cybereason was rated in the third tier as a contender due to the weaknesses of its current XDR offering.

Go-to-Market Leadership in Flux

CrowdStrike and SentinelOne each have a distinct and well-defined go-to-market strategy. CrowdStrike has pursued deep partnerships with technology vendors such as Amazon Web Services as well as large systems integrators and has managed detection and response firms such as EY and eSentire. CrowdStrike also taps into direct selling relationships for 19% of its business, much of which involves large enterprises.

SentinelOne, meanwhile, derives more than 20% of its business from nontraditional channels such as MSSPs, incident response firms and MDR providers, leveraging relationships with companies such as Pax8, ConnectWise, N-able and AT&T. Many of SentinelOne’s top-tier MSSP partnerships are exclusive, meaning these companies have forgone relationships with competitors such as CrowdStrike or Cybereason.

Cybereason's go-to-market strategy, however, has been more muddled. The company historically focused on large enterprise customers and served many directly, but in 2020 vowed to sell exclusively through channel partners. Cybereason made a big splash in 2021 when it recruited Check Point channel leader Abigail Maines and Fortinet veteran Stephen Tallent to run traditional channels and MSSPs, respectively.

Twenty months later, neither executive still works for Cybereason. Tallent left the company in June 2022 - the same month layoffs were disclosed - to become Stellar Cyber's global vice president of service providers, and Maines left in September to become HiddenLayer's chief revenue officer. And the person who initially managed the two executives - Eric Appel - left in June 2021 to lead sales for browser isolation startup Island.

Since Cybereason disclosed its layoffs in June, Asia-Pacific Regional Vice President Leslie Wong, Vice President of North America Enterprise Sales Chad Boyer, Vice President of Cloud Engineering Shahaf Azriely, and Vice President of Global Customer Success Adrian Beck have left the company, according to LinkedIn.

Where Might Cybereason End Up?

A number of financial and strategic entities could kick the tires on acquiring Cybereason.

Any analysis of potential buyers must start with Thoma Bravo given how much the private equity firm has spent on security M&A since the economic downturn. Just this year, Thoma Bravo has committed $12 billion to buying SailPoint, Ping Identity and ForgeRock. But Thoma Bravo's interest in cybersecurity goes beyond identity; the private equity firm today owns Proofpoint, Sophos, LogRhythm and Imperva.

From take-private deals to venture funding rounds, Vista Equity Partners has also been active in security recently. The company led a $100 million Series E round for secure web gateway vendor Menlo Security in November 2020 and a $1 billion growth investment for SIEM vendor Securonix in February 2022. Vista capped it off by agreeing to take awareness training vendor KnowBe4 private at a $4.6 billion valuation.

In the strategic realm, one possible acquirer might be Google Cloud, given the public cloud giant's $50 million investment in Cybereason in October 2021 and its desire to match Microsoft's capabilities. The firm's $5.4 billion Mandiant buy gave Google threat intelligence capabilities on par with Microsoft, and purchasing Cybereason would allow Google to have an offering that rivals Microsoft Defender for Endpoint.

Who will step forward and actually express an interest in buying Cybereason? Only time will tell.