🔒Cybersecurity's Golden Decade: A Deep Dive into Private Market Investing📈
A Comprehensive Analysis of Cybersecurity Investment Trends Over the Past Decade
Welcome to issue #13 of Indiscrete Musings
I write about the world of Cloud Computing and Venture Capital and will most likely fall off the path from time to time. You can expect a bi-weekly to monthly update on specific sectors with Cloud Computing or uncuffed thoughts on the somewhat opaque world that is Venture Capital. I’ll be mostly wrong and sometimes right. Views my own.
In my short time as a venture investor, I’ve held on to the belief that an immune and resilient sector to invest in has always been cybersecurity. In part, it’s a mature market with several mature branches of different types of cyber (e.g., MDR, WAF). So, as an early-stage investor, the viewpoint has been: Cybersecurity budgets aren’t a new concept; there are existing bad actors and attack mediums that require solutions today, and essentially, many sophisticated enterprises will often use 1-3 providers for redundancy to solve the same issue whether it be DNS spoofing or simplistic volumetric DDoS attacks. It is simple enough to underwrite and partner with cyber founders with the understanding that, on average and risk-adjusted, one will generate a return—which is impressive, especially when we consider the amount of randomness within the earliest stages of building a company and/or investing in one.
Putting my investor hat on—and fully realizing the maturity of the cybersecurity market—my belief that cybersecurity is a healthy sector to invest in to generate returns for Limited Partners (LPs) has been pegged to the notion that at the Seed (or even Series A) stage, one can imagine netting a >3x (net) minimum cash-on-cash return given the acquisitiveness that exists in the market. In this post, I decided to question my basic assumptions by looking at the cybersecurity investment trends relative to SaaS over the past decade. Excited to dive in!
***A quick note on the data: I pulled and analyzed data starting from 2013 to 2024, including all venture-backed cybersecurity companies founded in North America and Israel. I categorized SaaS as B2B software with no consumer-oriented sectors involved—you’ll find a large dispersion when comparing the two, considering the overarching coverage of “SaaS.”
Relative and Absolute Deal Volume
The past ten years have been transformative for private market investing, specifically in SaaS, which peaked at 20,000 deals in 2021. In stark contrast, the cybersecurity sector presented a more stable landscape, with deal volumes showing less volatility and a steadier growth pattern, reflecting its entrenched status across a broader range of sectors.
However, following the 2021 peak, SaaS deal volumes experienced a notable downturn, with a YoY decline of nearly 30%, signaling a market recalibration. The two-year moving averages further illustrate this trend, with the SaaS average demonstrating a delayed decline post-2021, suggesting a market correction after a period of intense activity. Meanwhile, cybersecurity’s moving average continued its slow but steady upward climb, indicating sustained, albeit more conservative, growth. These trends underscore a shift in investment focus from quantity to quality within SaaS. It’s also entirely plausible that the 2021 peak was a part of the drunken zero-interest-rate phenomenon (ZIRP) that led to the expansion of deal activity from privates to publics.
When comparing cybersecurity and SaaS, there has undoubtedly been a dynamic interplay over the last decade. Notably, a dramatic peak in SaaS investment is observed in 2021, soaring to nearly $700 billion, dwarfing the cybersecurity investments for the same year.
In contrast, the cybersecurity sector has shown less volatility in dollar investment over the years but has experienced a slight decline in the latter part of the decade. The relative stability of cybersecurity investments could suggest a mature, saturated market where investors are making calculated, consistent bets on established sectors of security with entrenched distribution. However, the decline points to a potential shift in technological focus or an indication of market consolidation, where fewer, more prominent players begin to dominate the landscape.
The overall trend for SaaS investment reveals sharp fluctuations year over year, with notable dips following the peaks of 2021 and 2023. This could imply a cycle of reaction and correction in the SaaS market, where large investments follow significant industry events or technological advancements, which are then moderated as the market absorbs the impact and recalibrates its investment strategy. The peaks and troughs could also be indicative of a sector that is still finding its equilibrium, with investor confidence waxing and waning in response to finding real intrinsic value.
Cybersecurity Deal Volume
The chart above represents a stark divergence beginning around 2016 when capital invested in cybersecurity began to significantly outpace the deal count. Notably, in 2021, the sector witnessed a monumental spike in capital investment (not surprising, re: ZIRP), reaching $111.4B, despite a deal count of 1,549, which, interestingly, did not peak concurrently. This suggests that while fewer deals were made, each deal was, on average, more significant, indicating consolidation in the market, with potentially more extensive and mature cybersecurity enterprises absorbing the majority of investments.
The subsequent years, particularly 2022 and 2023, show a continued increase in capital investment, with 2023 peaking at $124.4B alongside a declining deal count, which has dropped to just 545. This sizable reduction in deal count by nearly two-thirds from the 2020 figures, juxtaposed with the continued rise in investment, underscores a trend towards more significant, more concentrated investments into fewer deals. This points to a focus on scaling proven cybersecurity platforms that are more capital-intensive but also potentially more lucrative as they relate to unseating existing security solutions or plowing capital into distribution.
Relative Valuation Compared to B2B SaaS for Seed and Series A
Over the past decade, the valuations (post-money) for cybersecurity and SaaS startups have seen remarkable shifts. As of late 2024, the average post-money valuation for cybersecurity start-ups is approximately $50M, representing a remarkable increase in the last ten years. I’d expect this to average out to ‘21 and ‘22 levels, considering how early we are into the year and the number of relative reported financings that are accounted for in the data.
The SaaS sector presents a different picture. Starting from a median valuation of nearly $30 million in 2024, there was a less precipitous fall to just under $20 million by 2014—a decline of about one-third. The chart indicates a pivotal year in 2018, when SaaS valuations took a notable dip, descending below the trend line.
Both sectors show exponential decay in their valuation trends, but the rate of decline is steeper for cybersecurity. For instance, from 2021 to 2022, the SaaS sector's median valuation dropped from around $30 million to $20 million—a one-third decline in just one year. Meanwhile, cybersecurity valuations in the same period show a gentler slope, hinting at more resilient investor confidence. The cybersecurity sector's more volatile trend line might be a response to several variables such as capital needed to raise, R&D spend, or, generally, macro concerns such as rates and geopolitical issues.
What continues to stand out at the early stages—Seed and Series A—is that valuations for cybersecurity startups tend to be higher than those of their B2B SaaS peers. Taken as a whole, cybersecurity startups may look “expensive,” but of course, price is an indicator of value, and knowing when to pay up is dictated by thinking through the exit assumptions and scenarios, which we’ll touch on later. Entry valuations are overrated; exit multiples are underrated.
Cybersecurity Early-Stage Valuations
Initially, in 2015, there was a close correlation between median post-money valuation and median deal size, indicating a balanced investment environment. However, as we move through the years, the relationship between these two metrics starts to fluctuate, demonstrating cyber’s evolving nature.
From 2015 to 2018, there was a general decline in both median post-money valuation and median deal size, with a notable dip in 2017. This could suggest a period of market correction or investor caution, possibly in response to economic factors or a reassessment of the value and potential return on investment in startups. The median deal size decreases from just above $6 million to around $4 million. In comparison, the median post-money valuation drops from approximately $70 million to nearly $60 million, reflecting a more conservative approach to valuation and dealmaking.
Nevertheless, from 2019 onwards, the trend reverses, with median post-money valuations beginning to rise while median deal sizes remain relatively flat or continue to decrease until 2022. This divergence could be attributed to a market that's rewarding companies with proven businesses, including cyber companies with increased potential for scalability. Even as the number of deals decreases or stagnates, investors may be placing larger bets on fewer, more promising ventures.
The years 2023 and 2024 show a dramatic upswing in median post-money valuations, with 2024 reaching upwards of $100 million despite median deal sizes not experiencing the same growth rate. This sharp increase in valuations, decoupled from deal sizes, could indicate a market that is highly optimistic about the future earnings potential of startups or one that has experienced a few outlier deals that have significantly raised the median valuations. It may also reflect the entry of late-stage companies with larger valuations affecting the median or a series of highly successful funding rounds for companies with disruptive technologies.
Relative and Absolute Exit Activity
In the early part of the decade, both sectors experienced moderate M&A (merger and acquisition) activity, but by 2021, SaaS M&A deals peaked dramatically, reaching close to 1,000 deals (more significant dispersion). This surge likely reflects a period of intense industry consolidation.
Following the 2021 peak, there is a sharp decline in SaaS M&A activity, with the number of deals dropping by more than half to under 500 by 2023. This decline might indicate a market that has undergone significant consolidation, resulting in fewer independent targets for acquisition. Alternatively, it may suggest a maturation of the sector, where major players have been established, reducing the need for further consolidation.
Cybersecurity M&A activity, on the other hand, shows a different pattern. The deal count has remained relatively stable over the decade, with a slight uptrend in the latter years, peaking at around 200 deals in 2021. The steadiness in the cybersecurity sector could be attributed to the continuous innovation and expansion of cloud-based solutions across various industries, driving ongoing interest in strategic acquisitions to complement existing offerings or enter new markets.
The two-year moving averages provide a smoothed perspective on the trend lines, confirming the spike in SaaS M&A activity around 2021 and a more even, less volatile trend for cybersecurity. The divergence of the two sectors' M&A activity post-2021, with cybersecurity maintaining a consistent level and SaaS experiencing a notable drop, could be indicative of differing market dynamics. SaaS may be transitioning from a growth phase characterized by acquisitions to one focused on organic growth and operational scaling. At the same time, cybersecurity remains in an expansionary phase with steady M&A as companies seek to broaden their platforms and capabilities.
IPO activity reached its zenith in 2021 with over 80 deals, a stark contrast to the single-digit figures seen in the preceding and following years for SaaS. By 2023, the drop to fewer than 10 SaaS IPOs could be a reaction to market oversaturation post-2021 or could indicate a cyclical cooling-off period. For example, the SaaS IPO count shows a decline from over 80 in 2021 to approximately 20 in 2022 and further down to less than ~19 by 2023.
The cybersecurity sector shows a different trajectory, with a more gradual and steady path of IPOs. The increase to around 12 IPOs by 2018 suggests a period of robust growth and investor confidence in the scalability of cybersecurity business models and market penetration. If you also look forward a few years, you see modest growth with an uptick in 2022 IPOs as reflected by the trendline. When examining the two-year moving averages, we see that for SaaS, the average peaks in 2021 and then begins a downward trend, mirroring the actual deal count. In contrast, the cybersecurity sector's moving average peaks slightly later, around 2022, and then follows a gentler downward slope, indicating a more tempered reaction to market changes.
Cybersecurity Exits Over Time
IPOs exhibit a relatively flat trend with slight variations year over year, never surpassing the 20 mark. This indicates that while going public is a consistent exit strategy, it’s not the predominant choice for most cybersecurity companies. For instance, in 2021, when M&A activities spiked, IPOs remained steady, suggesting that the market conditions that year—perhaps influenced by global economic uncertainty—favored private exit strategies over public listings.
Buyouts show a modest increase in 2019 and 2021, with counts hovering around the 60s, which may reflect periods when private equity interest in these sectors increased, possibly due to the availability of companies at valuations that were attractive for buyout strategies. However, by 2023, we notice a decline in buyouts to levels similar to those in 2015. This could suggest a market retraction or a shift in investor strategy towards other forms of investment or exit.
The absence of significant peaks in IPOs throughout the period, contrasted with the fluctuations in M&A and buyout activities, offers a narrative about the evolving preferences for exits. The data indicates that market players are favoring private consolidation over public markets for exits, possibly due to the perceived risks or the regulatory complexities associated with IPOs over time and favorable market terms, not just during periods of correction, reinforcing the acquisitiveness that exists within cybersecurity.
Embracing the Inevitable
The pie chart illustrates the proportion of various exit strategies for cybersecurity startups. It’s no surprise that M&A dominates the chart, accounting for 72% of the exits, signifying that it is the most preferred exit strategy. Simply put, 2,376 cybersecurity startups have been created within North America and Israel in the last ten years. Out of the 2,376, a large portion (1,713) were acquired, representing the 72% chunk. Only 173 (7%) of all cybersecurity companies formed in the last ten years went public. Assuming the same trends hold with nominal variance, this implies that ~17 cybersecurity companies created each year could become standalone, independent companies with a strong IPO candidacy. Inversely—applying the same logic—there are approximately 171 cybersecurity companies formed each year that will likely be acquired. As an investor seeking exits and, ultimately, focused on returning capital back to LPs, cyber remains a resilient industry to continue to invest in. Of course, you can expect dispersion in the returns via M&A, but returns are, well, returns.
I, for one, am a fervent believer in security, not only because it’s lucrative from an investing standpoint but also because, often, security is at the forefront of protecting nation-states from everyday citizens. It impacts us all without us even knowing it. And unlike many software industries, cybersecurity is at the core of protecting not only our enterprises but also our most crucial governments. I originally started this post testing my assumptions that by focusing on investing in cybersecurity, I could generate returns (risk-adjusted) over a long duration. As the data suggests, it is possible to have my cake and eat it, too.
As always, if you think I’m dead wrong and/or missing any critical heuristics to my thinking, please don’t hesitate to reach out—so I can further stretch and refine my assumptions in the space. If you are building anything in security at the earliest stages, I’d love to chat with you! Feel free to drop me a note at zain [at] ridge.vc or a line on Twitter @MrRazzi17. Big thanks to Francis for the edits, thoughts, and general comments on the piece!