This Week: short on funding, long on research and analysis – ESW #363
Only one funding announcement this week, so we dive deep into Thoma Bravo's past and present portfolio. They recently announced a sale of Venafi to Cyberark and no one is quite sure how much of a hand they had in the LogRhythm/Exabeam merger, and whether or not they sold their stake in the process.
We also have a crazy stat Ross Haleliuk spotted in Bessemer's analysis: "13 out of 14 cybersecurity companies acquired in the past year for over $100M were from Israel". Is this an anomaly? Does it just mean that Israel wasn't shy about selling when the market was down? We discuss.
A number of new product announcements continue to trickle out post-RSA.
We'll also discuss Sam Altman and OpenAI's decision to use Scarlett Johansson's voice against her will and what it could mean for deepfakes, advanced social engineering techniques, and general big tech sliminess.
Do you know what a "product glorifier" is? How about a glowstacker? You will if you check out the second-to-last story in the show notes!
Announcements
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss out on keynote speakers including Denee Defiore, CISO of United Airlines; Tucker Bryant, Entrepreneur and Former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Dive into cybersecurity with CyberRisk Alliance for exclusive insights from RSA Conference 2024. Explore executive interviews with industry leaders, uncovering visionary perspectives on threats and strategies. Delve into curated articles on trends and innovations, equipping yourself with essential knowledge for today's cyber landscape. Visit securityweekly.com/RSAC for expert guidance and inspiration in navigating cybersecurity challenges confidently.
- 1. FUNDING: SOCRadar Secures $25.2M in Funding to Combat Multibillion-Dollar Cyber Security Threats
- 2. ACQUISITIONS: CyberArk acquires Venafi for $1.54B, integrating human and machine IAM
We're overdue for a chat about Thoma Bravo. They've been a key exit point for security companies for many years. Let's talk about their past and present portfolio!
ACQUIRED, NOT EXITED
- Darktrace: Acquired for $5.3 billion in 2024.
- Ping Identity: Taken private for $2.8B in 2022 and merged with ForgeRock in 2023
- SailPoint: Taken private for $6.9B in 2022 (damn, they bought a lot of identity players!)
- Proofpoint: Acquired for $12.3 billion in 2021.
- Intel 471: Acquired for ??? in 2021. Acquired SpiderFoot and Cyborg Security.
- Sophos: Acquired for $3.9 billion in 2020.
- ConnectWise: Acquired for ??? in 2019. Acquired Continuum, ITBoost, Service Leadership, SmileBack, and Wise-Sync
- Apptio: Acquired for $1.94 billion in 2018.
- Imprivata: Taken private for $544M in 2016. Acquired Xton Technologies in 2021
ACQUIRED AND NOT SURE
- LogRhythm: Acquired for ??? in 2018 and merged with Exabeam in 2024, but not sure if Thoma Bravo exited in the process.
ACQUIRED AND EXITED
- ForgeRock: Acquired for $2.3B in 2023 and merged with Ping Identity in 2023
- Venafi: Acquired for ??? in 2020, and sold to CyberArk for $1.54B in 2024
- Exostar: Acquired for ??? in 2020 and sold to Arlington Capital Partners for ??? in 2023
- Imperva: Acquired for $2.1 billion in 2019 and sold to Thales for $3.6 billion in 2023.
- Veracode: Acquired from Broadcom for $950M in 2019 and sold to TA Associates for $2.5B in 2022.
- Delinea: Acquired as Centrify for ??? in 2018. Spins out IDaaS business as Idaptive. Sells to TPG for ??? in 2021. TPG merges Centrify with Thycotic in 2021 and rebrands as Delinea in 2022. Acquires Fastpath in 2024.
- Barracuda Networks: Acquired for $1.6B in 2018. Acquires SKOUT Cybersecurity in 2021. Sells to KKR in 2022 for ???
- Continuum: Acquired in 2017 for ??? and merged with ConnectWise in 2019
- Bomgar: Acquired for ??? from TA Associates in 2016 and sold to Francisco Partners for ??? in 2018. FP combines it with BeyondTrust and rebrands to BeyondTrust
- DigiCert: Acquired in 2015 for ??? and sold to TA Associates and Clearlake Capital for ??? in 2019.
- Blue Coat Systems: Acquired for $1.3 billion in 2012 and sold to Symantec for $4.65 billion in 2016.
- Tripwire: Acquired for ??? in 2011 and sold to Belden for $710 million in 2015.
- LANDESK: Acquired for ??? in 2010 and sold to Clearlake Capital for ??? in 2017. Clearlake combined it with HEAT Software to create Ivanti.
- SonicWall: Took private for $717M in 2010 and sold to Dell for $1.2B in 2012.
- Entrust: Acquired in 2009 for $124M and sold to Datacard for ??? in 2013.
Hungry for even more details? Check out Cole Grolmus's piece on Thoma Bravo here: https://strategyofsecurity.com/bravo-thoma-bravo/
- 3. MARKET ANALYSIS: Ross Haleliuk on LinkedIn: 13 out of 14 cybersecurity companies acquired in the past year for over $100M were from Israel.
From Ross's post:
"13 out of 14 cybersecurity companies acquired in the past year for over $100M were from Israel.
Bessemer recently published their 'Cybersecurity Trends in 2024' report. The report states that -
"Reflecting on the past year's acquisitions valued over $100 million, we observe two main trends: (1) most acquired companies had between 10 and 50 customers and were primarily targeted for their teams and products, and (2) the acquisition price for “product-only” companies has increased with a median of ~$200 million to $300 million over the past year."
One thing the report doesn't mention is that with the exception of Tessian which is based in the UK, all other startups are from Israel. Interestingly, the acquisition price for Tessian wasn't disclosed so even Bessemer ended up just putting '??' in place of one."
- 4. NEW COMPANIES: Guardz – The AI-Powered Cybersecurity and Cyberinsurance Provider
"tailored specifically for SMBs and their MSP partners"
- 5. NEW PRODUCTS: Cisco Hypershield: Reimagining Security
- 6. NEW PRODUCTS: Reveald Launches Epiphany Validation Engine to Enhance AI-Driven Cyber Resilience
I'm still getting used to CTEM instead of BAS, but I get very excited about any tech that lets defenders emulate attackers accurately, so that they can test the effectiveness of their controls.
- 7. AI ABUSE: What ScarJo v. ChatGPT Could Look Like in Court
In cybersecurity, it's important to try to anticipate what I call "abuse cases" - ways in which technology can be misused and abused, causing financial losses, reputational harm, or consumer/customer harm.
They're usually not demonstrated so explicitly by the founders of huge tech companies, but that's exactly what happened when Sam Altman decided to copy Scarlett Johansson's voice. Altman wanted to use the actress's voice for marketing, effectively reprising her role as the AI in the movie "Her".
He allegedly asked her to do some recordings for OpenAI last September, and she declined. Sam Altman found a way to use her voice anyway in an OpenAI demo, also tweeting "her" in case there was any uncertainty that the company's marketing was referencing the movie.
It's unclear if they used a voice actor soundalike, or generated her voice using AI (which seems more likely, given OpenAI's skillsets and access to AI tech), but regardless it created quite the debate when Johansson spoke out against the use of her voice without her consent.
The question now is, can they get away with it? If the answer is yes, then anyone's visual or audible likeness could simply be used for whatever by corporate entities, which doesn't seem like a great precedent to set. And can they weasel out of it by saying the likeness is a coincidence, or was unintended?
This is exactly the concern in cybersecurity: if a person's likeness can be cloned and used without consent, executives can be impersonated to pull off financial scams like BEC, or to fraudulently bypass identity verification measures that rely on voice or appearance.
Paul Graham wrote, "Though the most successful founders are usually good people, they tend to have a piratical gleam in their eye. They're not goody-two-shoes good. Morally they care about getting the big questions right but not about observing proprieties. That's why I'd use the word "naughty" rather than evil. They delight in breaking rules--but not rules that matter."
Do we think this is a rule that matters?
- 8. AI NEWS: Tech giants pledge AI safety commitments — including a ‘kill switch’ if they can’t mitigate risks
- 9. RESEARCH: A Third of CISOs Have Been Dismissed “Out of Hand” By the Board
- 10. RESEARCH: Last Week in GAI Security Research – 05/20/24
This is a great newsletter that summarizes GenAI research. I believe strongly that cybersecurity folks need to stay on top of the latest tech innovations and research, so that we can prepare ourselves and our people for What Comes Next.
There are some particularly interesting research papers in this week's edition.
- We continue to see purpose-built LLMs being trained. One paper focuses on LLMs that excel at steganalysis!
- Using LLMs to detect particular types of DDoS attacks
- SMS spam detection with explainability analysis
- Cyber activity news alerting language model (CANAL)
- and several more!
I'll never have time to read them all - maybe an LLM can help me out?
- 11. DUMPSTER FIRES: University Suspends Students for AI Tool It Gave Them $10,000 Prize to Make
This won't be the last we see of unintended consequences, or uninformed parties celebrating AI for the wrong reasons, and then shunning it, also for the wrong reasons. What a mess this school created.
- 12. TUTORIAL: Chaotic Good: Resilience Stress Tests at the Edge
Learn how to chaos engineer, from the queen of security chaos herself, Kelly Shortridge!
- 13. POST MORTEMS: A Bird’s-eye view: IcedID to Dagon Locker (The DFIR Report)
Y'all know me - I LOVE pulling actionable lessons out of threat intel or a breach post mortem. The excellent DFIR Report has a new post out, and it's worth your time to dig through. Casey Smith, over at Thinkst, dug into it and shares how to use Canaries and Canarytokens to detect the TTPs explored in the DFIR Report writeup.
- 14. ESSAYS: Glory to the Glorifier
A very fun writeup from Thinkst about how they developed a stand to display their physical canaries at conference booths. It sounds like a small thing, but it's a window into Thinkst's success and their "if we're going to do a thing, we're going to do it well" philosophy.
No, it has nothing to do with cybersecurity, but it has everything to do with what's wrong with many cybersecurity vendors out there. Most VC-funded startups optimize to delight the investor and the acquirer, but rarely the customer. The points are for hitting the finish line at [time] with [amount] of ARR. There are no points for a working product, happy customers, good customer retention, or even sustainable growth.
- 15. SQUIRREL: “The Great Data Heist” Salesforce AI Ads with Matthew McConaughey