Thoughts on the Cylance and Arctic Wolf Acquisition
It could make sense, but honestly not sure what to think
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I was in the middle of writing another blog post about AI and security, specifically about startups that are developing AI SOC analysts. But then, I saw the news of Arctic Wolf acquiring Cylance for 160M, and I decided to pivot and write about the acquisition instead, especially as the presses are “hot.”
I haven’t heard the Cylance name in quite a while, and I thought they had faded into the darkness and just held onto some legacy customers who got a good deal because they were already Blackberry endpoint customers.
Blackberry acquired it for 1.4B in 2018 to complement their own endpoint and embedded OS businesses. At the time, I was a bit confused, but I also didn’t have a forum to express my thoughts as I do now — that is, my blog was primarily focused on security research rather than business happenings in the security world. Maybe, they thought that Cylance would boost their endpoint product and help with their embedded security business because it was at the peak of the IoT security hype. IoT is just another form of endpoint at the endpoint.
Anyway, regardless, it seems that Blackberry no longer wanted to run this business, and it didn’t turn out to be as complementary as it seemed. I’ve talked in the past about how security is a hard business. Although it has high margins and is a large market, it can be costly if you don’t know what you’re doing. It’s a high-risk, high-reward business. Companies have managed to expand greatly by going into security, such as Cloudflare and Akamai, but many businesses have also failed to take off, such as Fastly in the same space.
In my opinion, private equity firms might have the right idea to consolidate and reduce the GTM costs by selling multiple products under one umbrella. GTM costs are especially high in security because it’s competitive. It’s even more competitive in the endpoint market, so you have a competitive space in an already competitive market, which makes creating profits hard.
It seemed like this was the case for Cylance. It lost $51 million last year, and it seems like it was dragging down other more profitable parts of Blackberry’s cybersecurity business. Cylance wasn’t getting close to producing a profit and was causing more harm than good. This isn’t surprising given the competitiveness of the endpoint market with Crowdstrike, SentinelOne, and Microsoft having large market shares.
Anyway, I digress. This post isn’t about why security businesses are hard, but it does show why Blackberry was eager to sell off Cylance, especially given the high price tag of the acquisition. It also seems that shareholders agree that it was time to divest Cylance even at a loss to prevent further loss — the stock skyrocketed 15 percent after the announcement.
The question now is: what does Arctic Wolf get out of Cylance?
What are Cylance and Arctic Wolf?
Before we discuss more about the acquisition, let’s talk about what Cylance and Arctic Wolf are.
Cylance is an endpoint detection and response company that was acquired by Blackberry in 2018. Its main competitors are Crowdstrike, SentinelOne, and Microsoft EDR. I wrote more about this endpoint space when I discussed how Crowdstrike would fail. The main difference is that Cylance had AI capabilities focused more on prevention than detection and response. It turned out that was not a great position in the market as customers wanted more detection and response to issues, which also led Crowdstrike to better pair with its high-quality professional services.
Pramod Gosavi, who is very active on LinkedIn regarding security and more recently AI trends, provides a concise differentiation between Cylance and Crowdstrike, and why Crowdstrike ultimately won out.
I don’t agree with everything Pramod states in general, but in this case, he’s right—Cylance’s endpoint protection was no better than signatures. It was more reactive than proactive, especially since endpoints are usually the start of most attack chains.
So, what’s Arctic Wolf? Arctic Wolf is one of the two major managed detection and response (MDR) vendors. (The other vendor is Expel, which I’m a big fan of.) They allow companies to outsource their detection and response functionality, at least the basic/Tier 1, to an external party. This concept has been around for years with MSSPs handling most of this work, but they’ve managed to build a product, not just a set of services. They’ve also made it attractive for larger companies to outsource their detection and response as well as SOC functions because these take a while to build, mature, and produce value. Instead of multiple months or even years, a customer can have basic SOC functionality out of the box. Arctic Wolf is mostly in environments that are hybrid or have some on-premise presence, whereas Expel does better with customers who are solely in the cloud.
I write more about this and the market in a previous post.
Why does Arctic Wolf want to acquire Cylance?
Here’s the formal statement from the press release by the CEO Nick Schneider:
By incorporating Cylance’s endpoint security capabilities into our open-XDR Aurora platform, we will be addressing a rampant need for a truly unified, effective security operations that delivers better outcomes for customers. We believe we will be able to rapidly eliminate alert fatigue, reduce total risk exposure, and help customers unlock further value with our warranty and insurability programs.
Honestly, this statement doesn’t say anything of substance, but also it’s not surprising. They currently support multiple endpoint vendors, so those endpoint vendors are wondering what their relationship will be like. The big vendors, such as Crowdstrike and SentinelOne, will be fine, but it’s not clear how much support the smaller ones will continue to receive. So, it’s good that they didn’t go into how much Cylance would enhance the platform at the risk of offending their partnerships and potentially losing business to Expel or another competitor.
Also, it’s not clear how Cylance makes the platform better other than providing the traditional security platform package deal, i.e. it’ll be cheaper to buy Cylance and Arctic Wolf if you don’t have an EDR or aren’t happy with your EDR. However, based on the press release, the integration strategy isn’t fully clear. A more generous reading is that the CEO, Nick, isn’t technical and more focused on sales, so he might be trying to keep the mystery around the benefits until a bigger announcement.
In my opinion, there are a few reasons that they might acquire Cylance.
The first and somewhat obvious reason is that Arctic Wolf is looking to go IPO, but it needs to have a diversified business with good revenue. Going IPO with just the MDR product is likely a “one trick” pony, and security companies that don’t have an obvious platform tend to struggle in the public markets.
Second, Cylance was a cheap asset that had some obvious synergies to the business. It’s hard to get a brand like Cylance for such a low price, especially since most security acquisitions with minimal product market fit are selling for much higher multiples. Just look at all the recent acquisitions by Palo Alto Networks. Arctic Wolf can augment Cylance with MDR features similar to Crowdstrike’s offering. It’s not clear if they will sell Cylance as a standalone product, but they could do that to bolster their top line. (It won’t be good for their bottom line, but maybe they can get rid of some expensive GTM functions. Selling Cylance is also a more natural fit for Arctic Wolf, especially since they can bundle it if companies don’t have it or have an existing but subpar product.)
Third, it’s about talent and technology. Arctic Wolf has an agent for their on-premise customers to detect potential issues. Cylance had a good agent as well as AI, and this could help improve Arctic Wolf’s agent technology. I haven’t tried it myself, but Cylance was known for having a pretty solid AI product and a well-functioning agent. These technologies, especially, could also boost capabilities in their MDR and potentially lower operational costs, increasing margins.
Finally, Arctic Wolf will have similar capabilities (and more) compared to Crowdstrike. They are not looking to be seen as just an MDR company, but it seems that they are guiding toward companies buying their core XDR, especially if a company wants to have some customization and isn’t fully ready for an MDR. On the side, they could take a Crowdstrike approach and sell Cylance + their XDR while offering MDR as an upsell.
It might be a combination of all these reasons. In my opinion, Arctic Wolf can capture the market of those who can’t afford the top-of-the-line products, such as Crowdstrike, and is looking to target middle-market companies looking for value from bundles where they can also have some customization. This will also likely put some pressure on companies like SentinelOne, which have similar offerings but lack a good MDR story.
I’m still unsure if Cylance is a good acquisition, but as Warren Buffett said, “Price is what you pay. Value is what you get.” Since they were able to acquire Cylance so cheaply, it might be able to provide outsized value for Arctic Wolf. It’s hard to pass up a good deal, but we’ll see how that works out!