Consolidation is here in cybersecurity, as bigger players in the space pick up startups that will help them grapple with the ever-expanding attack surface for enterprises as they move more activity into the cloud. In the latest development, CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion.
CyberArk will pay $1 billion in cash and approximately $540 million in shares. Shareholders in both companies have approved the deal, which is expected to close in the second half of 2024, the companies said.
Venafi is majority-owned by Thoma Bravo, and was valued at $1.15 billion when the private equity firm bought its controlling stake in 2020. In other words, Venafi’s selling price today represents a moderate increase since 2020.
The news confirms rumors of a deal between the two companies that had been doing the rounds over the last few days.
CyberArk’s interest in Venafi comes at a time when security teams are trying to get a better and more holistic understanding of the threat landscape and attack surface of their organizations. In today’s market, that is an extremely complex puzzle to solve thanks to the growth of mobile technology, cloud services and distributed working.
In essence, all of these have led to an explosion of computing endpoints, which include not just the many devices that people might use to connect to a network, but any other device on the network where data is being processed or stored. The rule of thumb is that there are 40 “machines” for every human on an enterprise network. All this has led to a major surge of business for companies that focus on identity security. Some startups in the space have raised large amounts of money too — Oasis Security and Silverfort are good examples.
Venafi’s tech focuses on securing and understanding the flow of data between those machines.
The startup is described as a specialist in PKI and certificate management, and CyberArk says that the deal will expand its own total addressable market by $10 billion (to a total of $60 billion).
“This acquisition marks a pivotal milestone for CyberArk, enabling us to further our vision to secure every identity – human and machine – with the right level of privilege controls,” said Matt Cohen, CEO of CyberArk, in a statement. “By combining forces with Venafi, we are expanding our abilities to secure machine identities in a cloud-first, GenAI, post-quantum world. Our integrated technologies, capabilities and expertise will address the needs of global enterprises and empower Chief Information Security Officers to defend against increasingly sophisticated attacks that leverage human and machine identities as part of the attack chain.”
The acquisition also underscores some themes playing out among cybersecurity companies around consolidation.
Some companies that raised money several years ago at higher valuations are finding those valuations under pressure as they, variously, fail to grow ARR or reach profitability, and approach the predictable end of their runways.
Those companies are now looking for an exit, and sometimes that comes at a price far below their last valuations. For example, in recent weeks: Akamai acquired Noname Security for $450 million, less than half its last valuation; and Wiz tried to acquire Lacework, last valued at $8.3 billion, for just over $150 million, returning around $800 million in cash Lacework had in the bank to investors — that deal has fallen through.
On the other hand, a select few cybersecurity businesses are seeing significant growth right now, and are being earmarked as the consolidators. Wiz raised $1 billion a couple of weeks ago to fuel an acquisition spree, and CyberArk, which has a market cap of over $10 billion, is clearly another in this category.
The consolidation trend is playing out amongst even those being acquired. In May 2020, Venafi acquired Jetstack to bring Kubernetes expertise into its fold. Just a day before that, CyberArk had acquired Idaptive.