Is the cybersecurity sector shrinking? – The Armchair Trader

The cybersecurity space is beginning to show some hallmarks of the 2000 dot-com bubble but it looks like investors, particularly large-scale investors, have learned valuable lessons over the last twenty years.

As artificial intelligence dominates the top of the list of the most interesting trading themes, cybersecurity is not far behind. Be it security breaches from unpopular governments or cyber threats from oddly named hacker groups (my personal favourite: Muddled Libra. And no, I did not invent that, they are a real group), as technology becomes more sophisticated so does the need for cyber protection.

This cybersecurity market is currently valued at around $200 billion but is expected to more than double before the end of the decade.

What is similar to the dot-com bubble is an abundance of smaller to medium-sized unproven players. Previously NASDAQ-listed ZeroFox Holdings [NASDAQ:ZFOX] is a good example, which I will elaborate on later.

At the same time, the massive amount of R&D and intellectual capital invested in these companies will eventually create the future Metas, Googles, and Amazons. There are gems to be had, and large digital companies as well as tech private equity seem to be particularly good at singling them out.

Private equity vs digital company buyers

Here are a couple of examples. The aforementioned ZeroFox, a provider of external cybersecurity was listed on NASDAQ in the summer of 2022 valued at around $1.4bn. Yet less than a year later shares dropped 50% as the company remained unprofitable even as revenue increased by almost 100%.

Spring forward to April this year and ZeroFox has been sold to Texas-based technology private equity firm Haveli Investments for $350m in cash, subsequently delisting from NASDAQ. If you are wondering what Haveli will do with ZeroFox, a possible path it could take would be similar to Thoma Bravo, a Chicago-based PE firm active in enterprise software.

Thoma Bravo was involved in three of the five largest cybersecurity acquisitions in 2023. In August it completed a $2.3bn deal for identity and access management company ForgeRock and then in October its subsidiary Proofpoint bought UK-based cloud email security provider Tessian. Although the value of the deal was never disclosed, at that time Tessian was valued at around $500m. The same year Thoma Bravo sold US cybersecurity company Imperva to French aerospace and defense firm Thales for $3.6bn.

Don’t forget the digital specialists

Apart from the PE-powered merry-go-round of sales and acquisitions, the second type of M&A activity in this sector comes from large digital players buying up smaller players to expand their cybersecurity offerings.

The single biggest deal last year was digital communications giant Cisco [NASDAQ:CSCO] buying cybersecurity firm Splunk for $28 billion, the largest investment in Cisco’s history. This move was followed up in April this year by Cisco releasing HyperShield, a new security architecture product that uses AI to protect clouds, data centres, and IT environments. Splunk was not Cisco’s only target, the company is also in the process of taking over Armorblox, Oort and Lightspin.

The trend continues. According to specialty magazine Security Week, in March alone there were 27 cybersecurity-related mergers and aquistions. This constitutes a slowdown from last year when the total number of M&A deals in this sector hit 400 but industry insiders believe that as the overall financial situation picks up in the US and Europe the number of deals will increase.

It seems that cybersecurity has a long way to go before this sector is truly consolidated.