Top 9 cybersecurity M&A deals of 2018 and 2019 (so far)

2018 was a busy year for mergers and acquisitions in the cybersecurity industry. Here's why the M&A market is so hot and what to expect in 2019.

big data merger and acquisition big business smb
Thinkstock

As the market for cybersecurity products and services grows, so does the value of the companies that provide them. This is reflected in the number of mergers and acquisitions of cybersecurity firms that took place in 2018. Technology M&A advisory firm Hampleton Partners reports that more than 140 cybersecurity deals occurred in 2018, and at least nine of them were worth $500 million or more. Four deals were worth more than a billion dollars.

“Cybersecurity basically is everywhere in the tech industry today,” says Hampleton Partners Director Axel Brill. “Everything is connected today, it really cries for more security in those in all areas.”

Identity and access management (IAM), network security and financial/transaction cybersecurity were the three largest areas of activity. “IAM is gaining increasing attention as we move more and more towards a zero-trust world and the notion of perimeters continues to fade,” says Dino Boukouris, director at cybersecurity M&A advisory firm Momentum Cyber. “Cloud infrastructure security heated up significantly as the lift and shift to hybrid cloud infrastructure rapidly accelerated.”

Here are the nine largest cybersecurity M&A deals from 2018 and an early look at what to expect in 2019.

1. Cisco buys Duo Security for $2.35 billion

As the market for cybersecurity products and services grows, so does the value of the companies that provide them. This is reflected in the number of mergers and acquisitions of cybersecurity firms that took place in 2018. Technology M&A advisory firm Hampleton Partners reports that more than 140 cybersecurity deals occurred in 2018, and at least nine of them were worth $500 million or more. Four deals were worth more than a billion dollars.

“Cybersecurity basically is everywhere in the tech industry today,” says Hampleton Partners Director Axel Brill. “Everything is connected today, it really cries for more security in those in all areas.”

Identity and access management (IAM), network security and financial/transaction cybersecurity were the three largest areas of activity. “IAM is gaining increasing attention as we move more and more towards a zero-trust world and the notion of perimeters continues to fade,” says Dino Boukouris, director at cybersecurity M&A advisory firm Momentum Cyber. “Cloud infrastructure security heated up significantly as the lift and shift to hybrid cloud infrastructure rapidly accelerated.”

Here are the nine largest cybersecurity M&A deals from 2018 and an early look at what to expect in 2019.

1. Cisco buys Duo Security for $2.35 billion

Networking giant Cisco’s $2.35 billion purchase of zero-trust security provider Duo Security was the largest security acquisition of 2018, and evidence of the growing realization that the need for all encompassing cloud security is a pressing issue. In an earnings call just after the acquisition, Cisco CEO Chuck Robbins said the Duo buy was about “expanding the company’s portfolio for the multi-cloud world. Duo’s SaaS delivered solution will expand our cloud security capabilities to help enable any user on any device to securely connect to any application on any network,” he said.

It’s report, Hampleton Partners said that Cisco saw a user-friendly dual authentication solution as a growth opportunity in a time when the threat of security breaches through weak user passwords continues to grow. “Cisco was actually struggling with security for their devices mainly being based on password security,” says Hampleton Partners’ Brill. “Duo can help making access to Cisco devices more secure and at the same time easier to access.”

2, 3 and 5. Thoma Bravo buys Imperva for $2.1 billion, Barracuda Networks for $1.6 billion and Veracode for $950 million

One of the most active companies in the cybersecurity space in 2018 was private equity firm Thoma Bravo, which spent a collective $4.75 billion on three acquisitions. The biggest was its purchase of application and data security provider Imperva for $2.1 billion, followed by network security company Barracuda Networks for $1.6 billion. The company also bought Veracode, which provides application security testing services, for $950 million from CA Technologies shortly after its surprise acquisition by Broadcom.

Thoma Bravo has recently built up a considerable collection of cybersecurity companies that runs the gamut of the security stack. Its portfolio now includes McAfee (which also acquired Skyhigh Networks early in 2018), LogRhythm, Centrify, Digicert and healthcare-security specialist Imprivata.

“The overall security area is pretty scattered and there is not one clear leader,” says Brill. “For a company like Thoma Bravo, the strategy could be to just build that one biggest company in cybersecurity. We think that it really makes sense for those big financial buyers to put together some of the leading companies from different sectors and build the market-leading company in that space.”

“If you can actually offer your clients a comprehensive portfolio including software development, software testing and software security, from one single software product, combined with artificial intelligence,” says Brill, “it could be a very, very good selling point because nobody else has that currently.”

However, investment firms can be equally likely to sell a company if the right offer is presented. Thoma Bravo sold Bomgar off to fellow investment company Francisco Partners in April 2018, while Bomgar made three acquisitions of its own in 2018: BeyondTrust, Avecto and Lieberman Software Corp.

4. Blackberry buys Cylance for $1.4 billion

Blackberry is in the midst of a transition from its mobile phone roots to a provider of internet of things security. The phone aspect is long gone, and what remains is a mishmash of messaging apps, device management services, a largely car-focused operating system, and security offerings that overall is making a profit.

To further its security chops Blackberry acquired endpoint security startup Cylance for $1.4 billion in November 2018. The company said it plans to integrate Cylance’s anti-malware technology into its Spark platform in order to make it “indispensable to realizing the enterprise of things.”

Given the generally vulnerable state of the IoT space, this could be a smart long term move for an ailing tech giant. “This is the largest deal for Blackberry to date,” says Momentum Cyber’s Boukouris, “and continues a significant shift for Blackberry going from mobile devices to enterprise software and services, and now with a strong focus on Cybersecurity.”

6. Relx Group buys ThreatMetrix for $817 million

January 2018 saw analytics company Relx Group acquire digital identity platform ThreatMetrix for $817 million. The San Jose, California, startup was founded in 2005. Its product analyzes connections among devices and users and combines this with threat intelligence and behavioral analytics to identify risky or fraudulent actions. Post-acquisition, the company now sits under the parent company’s Risk & Business Analytics unit.

7. Allstate buys InfoArmor for $525 million

Insurance provider Allstate acquired identity protection startup InfoArmor for just over $500 million in August. Allstate said at the time it plans to use InfoArmor’s technology, which trawls the dark web for evidence that a customer’s identity has been stolen, as an offering in its supplemental insurance and employee benefits services.

8. BlackRock and Pamplona Capital buy PhishMe (now Cofense) for $400 million

Phishing is one of the oldest tricks in the cybercriminal playbook, yet it continues to be highly effective. Given the ever-evolving techniques around phishing, technology dedicated to email security and preventing phishing is likely going to continue to be a high priority area for companies for a while to come.

February 2018 saw more private equity firms make a stake in the security space with BlackRock and Pamplona Capital Management paying a combined $400 million to acquire anti-phishing startup PhishMe. They have since renamed the company to Cofense. According to Hampleton Partners, more than a quarter of the largest 40 global cybersecurity transactions since 2016 were made by private equity buyers.

“Private equity continues to play a larger role in the cybersecurity industry overall,” says Thomas McConnell, managing director at investment banking advisors Capstone Headwaters. “Clearly, Thoma Bravo is a leader in the sector, but many other firms are making a significant push in the sector as well. Vista Equity has taken stakes in ReturnPath, Datto, Forecepoint, Infoblox, SecureLink and PING Identity. The increasing amount of private equity investment in the sector signals the gradual maturation and eventual consolidation of the industry. Unlike venture capital, private equity generally seeks stable, cash flowing companies which can support debt on the balance sheet.”

9. Splunk buys Phantom Cyber for $350 million

Acting as an organization’s security information and event management (SIEM) system is a common use case for big data startup Splunk. Given the ever-increasing amount of information being fed to security analysts is sitting in security operation centers (SOCs), being able to do something with that data is often more of an issue than collecting it.

Splunk paid $350 million for security orchestration company Phantom Cyber to bring more automation into dealing with security events and incidents. “The combination of Splunk’s machine data platform with Phantom’s SOAR technology will accelerate a new age of analytics-driven security and expand Splunk’s vision as the security nerve center for SOCs around the world,” said Splunk CEO Doug Merritt.

Other notable cybersecurity acquisitions

Though it didn’t break the bank on any single acquisition, Palo Alto Networks was busy in 2018. The Santa Clara-based cybersecurity provider spent $563 million on three purchases; cloud security startups Evident.io and RedLock, which both help with configuration and policy for public cloud instances, and Israeli endpoint security specialist Secdo.

Telecoms providers have long sought to be more than merely the dumb pipes through which other companies provide services and make large amounts of money. In the last few years, for example, Verizon has bought mapping startups, telematics and fleet management companies, Yahoo and AOL in an effort to cover all bases and keep up with the big technology companies.

AT&T acquired San Mateo-based security management company AlienVault for an undisclosed fee (though the company has since admitted it was around $600 million) in mid-2018, giving the telecoms firm a more complete security offering to complement its cybersecurity consulting services. French telco Orange acquiring UK-based managed security services provider SecureData in early 2019 is a similar move.

Cybersecurity M&A outlook for 2019

Aside from Orange’s acquisition of SecureData and Carbonite acquiring Webroot, 2019 has been fairly quiet for cybersecurity M&A. Just a handful of relatively small or undisclosed deals have been made, with Thales completing its previously-announced acquisition of Gemalto and Broadcom's acquisition of Symantec's Enterprise Security Busines, and VMware's purchase of Carbon Black the only billion-dollar acquisitions so far.

The largest deals of 2019 so far are:

  • Broadcom buys Symantec's Enterprise Security Business for $10.7 Billion
  • Thales completes its acquisition of Gemalto for $5.4 billion
  • Thoma Bravo buys Sophos for $3.9 billion [still to be confirmed].
  • VMware buys Carbon Black for $2.1 billion.
  • OpenText Buys Carbonite for $1.42 billion.
  • Insight Venture Partners buys Recorded Future for $780 million
  • Cabonite buys Webroot for $618 million
  • Orange buys SecureLink for $577 million
  • Palo Alto buys Demist for $560 million
  • Palo Alto buys PureSec for $410 million
  • GBG buys IDology for $300 million
  • Zix buys Appriver for $275 million

“2019 will pick up speed in terms of transactions in the cybersecurity space very quickly,” says Brill. He says that specialist areas such as autonomous and connected cars, IoT and manufacturing, and healthcare security will be areas of high activity in the coming year, especially with larger companies acquiring specialist startups. “Those big companies are really investing into their IT security and cybersecurity product portfolio because they can actually sell that to so many different companies in different industries, they can really leverage that on an extreme level.”

Momentum Cyber’s Boukouris agrees that IoT security will be a hot area for 2019, while the continued push for hybrid cloud will mean more demand for cloud-agnostic solutions to address security, data protection, and compliance. “Third-party and software supply chain will continue to emerge as critical new threat vectors posing some of the biggest cybersecurity threats across all industries,” he says, “while security service providers will continue to increase their market share as more organizations elect to use MSSPs to alleviate vendor fatigue and the growing cyber skills shortage.”

Capstone Headwaters’ McConnell believes GDPR and similar privacy legislations will also be an area of interest for companies. “Looking ahead to 2019, compliance should continue to play an ever-expanding role in cybersecurity. The growth in the demand for cybersecurity audit and compliance services should help drive further transaction activity in the sector.”

While it’s a risk for CSOs that smaller, innovative startups will be acquired by the larger incumbents and their product will disappear, the benefit is more features in a larger player and a larger customer base. “Normally a very active and well-developed market is something which is good for the user,” says Hampleton’s Brill. “What does it mean for the CSO? They're always better off buying from the bigger companies, of course, and that's what they normally do. Every time something is hot, that leads to consolidation and then you have bigger players integrating those products in their portfolios. You know the old saying 'nobody was ever fired for buying IBM' And that is partly true still.”

Here’s a list of all disclosed cybersecurity mergers and acquisitions in 2019.

  • November 12: Aqua Security acquired CloudSpoit, which offers tools for monitoring configurations of cloud services.
  • November 11: OpenText bought data backup and protection firm Carbonite for $1.42 billion.
  • November 4: Sumo Logic announced the acquisition of autonomous SOC tool JASK. 
  • November 2: Proofpoint revealed its intent to acquire ObserveIT for $225 million to extend its Data Loss Prevention offering.
  • October 28: Fortinet made its first acquisition of the year in California-based endpoint security provider enSilo.
  • October 21: Trend Micro announced it had acquired Australian cloud security startup Cloud Conformity for around $70 million.
  • October 3: Outpost24 revealed it had bought Pwnie Express, a threat detection provider for Bluetooth, wireless and IoT devices. 
  • October 1: ReliaQuest announced it had acquired Threatcare to provide more detailed and integrated threat simulations.
  • September 30: KnowBe4 made its third acquisition of the year in security awareness training media company Twist and Shout.
  • September 20: HP Inc. revealed it had bought endpoint security start-up Bromium and plans to combine it's virtualization-based security technology into HP's Sure Sense, Sure View and Sure Start products.
  • September 18: Microsoft-owned Github announced it had acquired code-scanning startup Semmle.
  • September 5: Palo Alto revealed its fourth acquisition of the year with IoT security specialist Zingbox for $75 million.
  • August 22: VMware followed up its Intrinsic announcement by revealing it had acquired Carbon Black for $2.1 billion to expand its protection capabilities further into the cloud.
  • August 21: VMware announced it had bought Intrinsic, a San Francisco-based security start-up focusing on serverless computing as part of its expansion into public and hybrid cloud.
  • August 20: Web and application security firm PerimeterX announced it had bought client-side malware protection company PageSeal.
  • August 12: McAfee made its first acquisition of the year with NanoSec in the hopes of improving the container security capabilities of its MVISION Cloud and MVISION Server Protection products.
  • August 8: Broadcom -- which spent $18.9 billion buying CA Technologies in 2018 and then offloaded Veracode announced it had acquired Symantec's Enterprise Security Business for $10.7 Billion. Symantec retained its consumer-facing brands including LifeLock and Norton. 
  • August 1: Everbridge revealed it had acquired threat intelligence firm NC4.
  • July 31: Apple-focused security company Jamf announced it had bought Digita Security, which provides endpoint protection solutions for Macs. 
  • July 29: Microsoft revealed it had snapped up data access control startup BlueTalon in order to provide centralized data governance at scale for its Azure platform.
  • July 10: Houston based merchant bank Braes Capital, announced it had bought Siege Technologies, a cyber R&D firm specializing in the federal market. Braes says this is part of a move into protecting critical infrastructure.
  • July 2: Exabeam made its first acquisition in the shape of SkyFormation, an Israeli cloud application security company which provides cloud logs to feed into SIEMs.
  • July 1: NTT Security, Dimension Data, NTT Communications were all folded into a new technology services banner of NTT Ltd.
  • July 1: Digital identity provider Signicat bought Norwegian electronic signature specialist, Idfy.
  • June 27: Chronicle, Alphabet's security 'moonshot' company, will be folded into Google Cloud. 
  • June 26: Accenture acquired BCT Solutions, an Australian company providing security services to government agencies focused on defense, national security, and Public Safety
  • June 17: Accenture revealed the purchase of Deja vu Security, which provides consulting services around secure design and testing of software and internet of things (IoT) technologies.
  • June 6: Cisco announced it had acquired operational technology (OT) cybersecurity firm Sentryo for an undisclosed amount.
  • June 6: Elastic announced it acquired endpoint security startup Endgame for 
    $234 million to expand the SIEM capabilities of its ElasticSearch product.
  • June 4: Imperva revealed it plans to acquire Distil Networks to expand its malicious bot detection and mitigation capabilities. 
  • June 3: UK based Sophos made its third deal of the year with the purchase of managed detection and response (MDR) service provider Rook Security for an undisclosed amount.
  • May 30: Investment firm Sunstone Partners completed a triple acquisition of  Terra Verde Security, TruShield Security Solutions and Sword & Shield Enterprise Security. The three companies were combined to create a new managed cybersecurity services entity, Avertium.
  • May 30: Investment firm Insight Venture Partners increased its stake in Recorded Future to acquire the whole company for $780 million.
  • May 29: Continuing 2018's trend, Palo Alto made its second and third acquisitions of the year after it announced deals for both Twistlock and PureSec,  startups specializing in container and serverless security respectively.
  • May 29: FireEye announced it had acquired security validation vendor Verodin for $250 million. The company claims the purchase will help automate security effectiveness testing. 
  • Data storage company NetApp revealed it had bought data protection startup Cognigo for $70 million.
  • May 21: Security awareness training startup KnnowBe4 acquired CLTRe, a Norwegian provider of security assessment tools. 
  • May 9: Certificate Authority firm Sectigo (previously Comodo CA) revealed it had bought IoT device security company Icon Labs and expand its IoT security platform to provide companies with purpose-built 3rd party IoT certificates.
  • May 7: Following on from its acquisition of SecureData in February, Orange announced it had bought Netherlands-based third-party remote access software firm SecureLink for $577 million.
  • May 7: Proofpoint revealed it had spent $120 million to acquire Meta Networks and plans to incorporate its zero-trust network access technology into the firm's cloud access security broker (CASB) and web isolation product lines.
  • May 6: IT infrastructure management firm Kaseya snapped up ID Agent, which offers services around dark web monitoring, phishing simulation, IAM and patch management.
  • April 24: European IP firm Zacco announced it had bought Indian cybersecurity research and consultancy provider Lakhshya Cybersecurity Labs.
  • April 2: Thales completes its acquisition of Gemalto for 4.8 billion euros ($5.4 billion), making it one of the largest disclosed security acquisitions of recent years. First announced in late 2017, the acquisition for the digital security provider could only be completed after Thales had offloaded hardware security module company nCipher.
  • April 2: Rapid7 announced a deal to buy network traffic visibility and analytics provider NetFort, plans to integrate monitoring capabilities into its Insight cloud solution.
  • March 28: Following its acquisition of AlienVault, AT&T rolled its security divisions into one standalone business unit, AT&T Cybersecurity.
  • March 18: ISC security firm Dragos acquired rival firm NexDefense and then releases its ICS security assessment tools for free.
  • March 11: Privacy management software provider OneTrust bought privacy and security regulatory research platform to help customers achieve compliance with privacy and security laws and frameworks.
  • March 5: NTT Security acquired application security provider, WhiteHat Security. Will continue as a wholly-owned subsidiary
  • Marth 4: Comcast announced it acquired Virginia-based BlueVector for an undisclosed amount from private equity firm LLR Partners.
  • February 24: KnowBe4 acquired Brazilian phishing attacks and security awareness training platform El Pescador.
  • February 22: Entrust acquired hardware security module provider nCipher from Thales in order for the French defense giant to complete its acquisition of Gemalto.
  • February 19 Palo Alto, one of 2018’s most active security companies in the M&A space, acquired Security Orchestration, Automation and Response (SOAR) firm Demist for $560 million.
  • February 15: Micro Focus announced a deal for Canadian security analytics firm Interset for an undisclosed fee.
  • February 14: The founders of NSO Group, an Israel-based provider of spyware to governments, re-acquired the company from private equity firm Francisco Partners.
  • February 12: Symantec acquires Israeli zero-trust cloud security startup Luminate Security.
  • February 12: Qualys announced it was buying the software assets of application management company Adya.
  • February 11: GBG acquired IDology for $300 million. The UK-based identity management company plans to integrate Atlanta-based IDology’s identity verification and fraud prevention services into its own product and expand its footprint in the US.
  • February 8: Backup provider Carbonite acquired endpoint protection provider Webroot for $618 million in an effort to merge the two areas into one offering.
  • February 4: Risk management company ACL bought GRC solution provider Rsam.
  • February 1: French telecoms giant Orange bought UK cybersecurity firm SecureData to enhance its CyberDefense security consulting business.
  • January 17: Email and mobile security companies Zix announced it had bought AppRiver, a provider of cloud-based email and Internet security services including spam filters, encryption, archiving, and Microsoft Exchange hosting, for $275 million.
  • January 16: Boston-based ERP security company Onapsis announced it had acquired Virtual Forge, a German startup focused on SAP application security.
  • January 14: DDoS protection company Radware acquired ShieldSquare in order to boost its cloud security chops and beef up its anti-bot traffic capabilities.
  • January 14: Check Point Software bought Web Application and API startup ForceNock and plans to roll up its machine learning, behavioral and reputation-based security engines the Infinity product’s architecture.
  • January 8: UK security firm Sophos snapped up San Francisco-based cloud security startup Avid Secure and endpoint security platform DarkBytes.
  • January 7: Akamai bought Identity and Access Management provider Janrain and plans to integrate the company into its Intelligent Edge Platform.
Related: