Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
For those who missed it last week, I’m going to write a series on why certain great security companies will fail. Last week, I discussed how Crowdstrike fails. If anyone wants to cover any specific companies, let me know!
Many VCs want to invest in companies with large outcomes, namely $10B+. This is especially common with the “top VCs.” The reason for this is that they need large outcomes to provide meaningful returns on their large funds. However, that’s not the focus of this newsletter. Historically, investments in cybersecurity companies have been light because the number of $10B+ companies has been limited. Yet, the public market has recently shown this not to be true with the likes of Palo Alto Networks, Zscaler, Crowdstrike, Splunk, Cloudflare, etc. In fact, many companies like Akamai, Fastly, etc. have been adding security to their business to boost their valuations, margins, and multiples. Even companies like Google (with the acquisition of Mandiant) are getting into the security business, and private equity firms like Thoma Bravo and Vista run some of the biggest and most profitable security companies.
There is no longer any doubt that cybersecurity is a great business with a growing market and increasing enterprise budgets. The question is: how do you build a big business in security? There are a lot of problems to solve in cybersecurity, and the problems are not getting better. They are, perhaps, getting worse! However, singular problems rarely lead to large $10B+ companies unless every company has a need to buy that product, e.g. email security and endpoint security. Even those companies realize that they need a broader product line to justify their valuations or else suffer from plateauing growth. Most companies, such as Zscaler and Palo Alto Networks, don’t have this luxury and have had to sell multiple products on their platform in order to accomplish this.
Many people talk about platforms, but how do platform “plays” or companies emerge? There has to be a theme that allows them to build the platform. Let’s look at the data space. For example, dbt Labs (my company) is at the center of the modern data stack by being the transformation layer between raw data and business intelligence. There are a lot of potential products in the transformation layer. Similarly, Looker is a great platform for verticalized business intelligence applications.
How does this apply to cybersecurity though? What is the best way to think of “platform potential” in security?
The vast majority of use cases in security boil down to access management and visibility. The question for a platform is whether having a certain grouping of telemetry substantially improves the ability to detect suspicious/malicious activity by providing additional context. For example, having all information about the network is helpful, especially in a zero-trust environment.
Useful Cybersecurity Telemetry
Here is a list of what I believe are the key groupings of telemetry; I’ll discuss each in more detail below. Of course, some of these sections will have some overlap.
Network
Code
Identity
Security-related data
Another way to think about this is that the telemetry data will be a core part of the platform and make it easy to build verticalization applications, which would be the products of the company.
Network
This is especially relevant as companies move toward a zero-trust model. What I think about here is network ingress and egress. It definitely makes sense to have WAFs and SWGs be on one platform since one product monitors ingress and the other product monitors egress. Also, email and external/SaaS applications play a role here too as they are another avenue for data to enter and exit a company’s network. VPNs also have a role to play here for companies that still want to use VPNs. Finally, there’s the management of service-to-service communication, i.e. services talking to each other internally.
Cloudflare has the most comprehensive platform here, with products (Access and Gateway) that provide zero-trust access. They also have WAF and email security products. Zscaler and Netskope are also building platforms with this telemetry, but they focus primarily on SWG and VPN-like access.
Code
Application security tools have historically dominated this area. Interestingly, it’s been a fragmented market with SAST, DAST, etc. Various tools targeted segments, but it was hard to consolidate them. However, with the cloud and the adoption of agile, this has changed. Almost everything is in code now, even infrastructure with Terraform! This created an opportunity for the consolidation of various AppSec tools. Enter Snyk. In my opinion, Snyk realized that the code surface area was going to explode, especially with the advent of the cloud and DevOps. There’s still a lot of surface area to cover here. However, Snyk has managed to consolidate various AppSec tools in cloud-focused companies. There is still plenty of room since Snyk does mainly scanning. There’s room for more “targeted” tools, such as those that don’t just monitor for general vulnerabilities but allow developers to set custom rules for vulnerabilities, like Semgrep.
Identity
This one is fairly obvious. Every company needs a single source of truth for identity. For a long time, this was Active Directory (AD), which managed endpoints as the entry into corporate perimeters. However, with the rise of cloud and SaaS, this is increasingly Okta’s playing field. Many new tech companies start with mostly SaaS apps and probably never end up setting up AD until much later (if at all). Usually, Okta’s AD offering is more than enough. Interestingly, new players have been making bigger plays in this space focused primarily on GTM changes.
Traditionally, Okta has sold to IT and IT security, but new players like Teleport, StrongDM, etc. are helping companies manage developer access as companies realize that the IT team doesn’t have good context into managing access to cloud environments. In fact, most IT teams don’t want to deal with this as it’s usually mission-critical and complex. Teleport, etc. have been making strides in a cloud-focused GTM, and this might cause some trouble for Okta if they start bleeding into IT use cases. At the very least, it will take away some pricing power and market power from Okta.
However, I do believe that given the size of the identity space, there can be multiple winners with different GTM motions, especially since it’s hard for one company to run or maintain several different GTM motions.
Data
The main reasons for aggregating this data are visibility and incident response. There has been and will continue to be a need to aggregate telemetry from all security tools so that security has the best context of what’s going on in the environment. This is the best way to avoid false positives (and negatives) around security incidents or malicious activity. SIEM has been a major compliance play here, and it’s actually one of the few “useful” compliance requirements. Splunk has dominated this space, but new players have entered, such as Datadog and XDR players (e.g. Crowdstrike) that use endpoint data as a launching point or core part of their telemetry. Datadog collects general application and infrastructure telemetry that might be useful, especially in cloud-focused applications and environments.
The platform value here is the ability to build verticalization applications on top of this data. However, we haven’t seen many of these, given that people have never wanted to pay for verticalization applications on top of Splunk, etc., but I believe this will change as the modern data stack makes some of this easier and can bring more value. Tools like Snowflake will be substantially cheaper and have better ecosystems to encourage such applications. We are already seeing larger companies use data warehouses to handle large amounts of security event data and process it better, creating more opportunities for better applications. I personally believe that the adoption of the modern data stack mentality in security might be one of the biggest cybersecurity industry disruptors in the upcoming decade. Security tools will no longer sit in silos but will be built on top of these data warehouses, creating better feedback loops for analytics.
Conclusion
My final question is whether I missed any major telemetry grouping or potential platform play. I believe that there’s still plenty of room for disruption and innovation in these spaces, especially in the data space, that can lead to $10B+ company outcomes. I am excited to see how the space evolves and how organizations adopt these trends.