Merger and acquisition news has been a mixed bag so far in 2024. Deal volumes are down, but the values of those dwindling deals are up. Trends driving mergers and acquisitions (M&A) are a need for vendors to add AI features to their cyber arsenal, the need to streamline tool sprawl, and a push to jumpstart revenue growth.
Polled experts paint a complex picture for the 2024 M&A landscape that’s part macroeconomic hangover of the early 2020’s for Big Tech firms and a push for financial and tactical success in 2025.
The AI ‘X factor’
The big theme, most experts agree, is Big Tech companies are looking to buy cyber domain expertise around AI and data analytics. The value of AI presents twofold benefits for companies. One, it’s to acquire AI tools to become more efficient and improve decision-making. Second, AI also empowers their customers with mature AI tools, said Bob Ackerman, managing partner at AllegisCyber Capital.
Beyond the tactical implementation of AI, many large old-guard tech firms are looking to juice their bottom line with a promising AI business and adding it to their 2024 year-end balance sheet.
“For Big Tech, their core market is growing at 3% while cyber’s growth is at 12%. They want the 12% -- and they can do it by acquiring the innovators," Ackerman said.
Also driving Big Tech’s thirst for AI-related M&A deals: the promise of OpEx cost reduction. Dustin Sachs, chief technologist and senior director of programs at CyberRisk Alliance, said Big Tech wants to sell AI products to customers with staffing issues and skills gap challenges and that AI tools can augment security teams and drive operational efficiency.
“They want the business intelligence and APIs right out-of-the-box so they can go to market immediately,” said Sachs. “Big Tech wants to bypass the 12-18 month development cycle for AI, they want to say, ‘hey, we just bought this company, we can offer these AI features that allow you to make better decisions right now.”
Merger and Acquisition trends: Ups and Downs
A check of the Crunchbase numbers finds that there were 55 acquisitions of cybersecurity startups between the months of January and May 2024 totaling $6 billion. During the same time period in 2023, there were 53 acquisitions of cybersecurity startups that totaled only $852 million.
So what’s going on? Why such a big dollar number discrepancy?
For starters, look at the very large May 20 $1.54 billion deal where CyberArk acquired the hot non-human identities company Venafi. Akamai also bought API security company Noname Security on May 7 for $450 million. While it was a far cry from Noname’s peak value at around $1 billion three years ago when it became one of the first API unicorns, it was still a substantial deal.
Why are these big deals happening?
Richard Stiennon, chief research analyst at IT-Havest, said big deals occur when buyers have confidence that security spending will always even out. Therefore making an acquisition now, while valuations are low, will pay off in the long run.
“There are other reasons of course,” said Stiennon. “Palo Alto Networks claims to have purchased the SaaS customers for IBM QRadar. This is pure addition to the top line and will serve to quell investor frustration.”
Stiennon pointed out that the Crunchbase number of 55 deals through May projects to only 132 for 2024, a drastic reduction from the 250 acquisitions recorded last year, which in turn, was below the 332 in 2022.
“If valuations start to turn around and if the public markets indicate that spending on security is strong there will be a flurry of acquisitions at elevated valuations,” Stiennon explained.
“The market for cybersecurity stocks are lackluster in recent months even if they turn in good revenue growth numbers,” he said. “When the market sentiment turns to growth again (as it always does in tech) those stocks will shoot up and cause valuations for private companies to come back in line with investor expectations.”
And that suits AllegisCyber’s Ackerman just fine. He said cybersecurity went through what he calls a “risk-off” mode in 2022-2023 where investors weren't spending money.
Getting past the correction
Ackerman explains that private markets tend to run in cycles that have historically averaged around eight years and feed off the public markets. The last cycle basically ran for 14 years. With interest rates rising, Ackerman said the IPO market effectively shut down, and there was a knock-on effect for the private markets. With IPO expectations tempered, the private markets correlated down, and we saw an an across-the-board correction.
“New investments slow as investors aren’t sure how to price new financing rounds, and accordingly, valuations drop,” explained Ackerman. “On the cyber front, capital has pulled back from the market due to a largely closed IPO market. The ‘momentum’ that drove the market has cooled, and only the best teams, with the best ideas and the most reasonable business models, are able to raise capital. The investing bar is much higher today, and that is good news for investors.”
CRA’s Sachs points out that companies blew through big budgets during the pandemic years because they were in panic mode.
“They had to revamp supply chains and in some cases actually start a work-from-home program,” said Sachs. “At the start of 2024 companies were coming out of the three-year austerity period and looking to make deals again.”
Working through natural selection
Today, the cyber sector has worked through the funding pullback and companies are starting to “rationalize” their businesses and look for growth opportunities. Ackerman said now is a good time to invest in cyber because only those companies with strong fundamentals have survived the past years’ economic gauntlet.
People with domain expertise who can demonstrate that they have products that can solve specific technical challenges have fared well, say experts.
“Go back three years when capital flowing into the security market was off the hook driven by the fear-of-missing-out,” said Ackerman. “People came to realize that cyber is complicated and hard, you need domain expertise. A lot of the tourists went home, which exacerbated the rationalization of the market. So a lot of the free money coming into cyber pulled back part as part of the recalibration we went through. In many ways, the market is less speculative today, which is a good thing.”
Ackerman added Big Tech will continue to look for acquisitions in the cyber market for the rest of 2024 and into 2025.
VCs are from Mars and PEs are from Jupiter
Further defining the next 12 months of M&A rounds will be similar but divergent interests from venture capital (VC) firms and private equity (PE) investors. Experts said both (VCs and PEs) are reenergized and will continue to drive the M&A space in the months ahead.
While the goals are different - VCs tend to invest in early-stage companies adopting a shorter investment horizon, while PEs mostly focus on mature businesses with a longer investment threshold. However, both are aligned to sell for many multiples over their initial invested.
Those trends will color, but not define the months ahead when it comes to the types of companies on the receiving end of VC and PE investments.
Startups have nowhere to go but up and they tend to do it quickly and will continue to attract VCs, said Ofer Schreiber, senior partner and head of the Israel office at YL Ventures. On the other hand, growth among Big Tech companies has slowed and they are looking for emerging categories to energize their business.
All of the security analysts who talked to SC Media expect to see some more deals such as the one where an established player like Akamai acquired startup Noname. In March, high-profile cloud company Zscaler acquired data fabric company Avalor.
“So the quickest way to grow if they are missing a solution is to acquire an up-and-coming startup,” said Schreiber.
Just do the math: It’s much easier for a $10 million company to grow by 12% (growing by $1.2 million) than for a $10 billion company to grow by 12% (growing by $1.2 billion).
On the other hand, in May Palo Alto Networks made a move to acquire IBM’s QRadar’s SaaS-based security information and event management system.
From tool sprawl to consolidation
Another big trend driving the market: Schreiber said CISOs and security execs at many traditional companies like manufacturers, insurance companies and banks are often managing dozens of costly tools that require in-house resources to manage. Companies are now in the process of reining in the number of tools and streamlining associated costs.
High-profile hacks at Target, Home Depot and the federal Office of Personnel Management in the 2010s were to blame. CISOs bought as many tools as possible in a desperate attempt to get a handle on new cyber threats. Many would try anything to see if the product worked. The result was tool sprawl.
We are in midst of a tool-sprawl correction driving M&As as tool vendors are getting squeezed out of 2024 and 2025 budgets.
Schreiber said that’s driving a trend of platformization – the integration of multiple security capabilities into one platform.
“As a CISO, if I can get a single security platform from the likes of Palo Alto, Microsoft, Crowd Strike or Cisco, it’s better for me,” said Schreiber. “CISOs of large organizations with mature security programs usually have dozens of security tools from multiple vendors. Managing, configuring, integrating and orchestrating all of them is a huge challenge. There’s a case for fewer point solutions and more broad platforms from large vendors that address multiple domains in a holistic way."
So, whether it’s for data analytics or AI features, streamlining tool sprawl, or simply the need to grow at a time when growth has stalled, expect to see some interesting M&A deals during the rest of 2024.
(Editor's Note: This is part of a series of articles to feature the 15 Top Cybersecurity Trends of 2024 & 2025)