Sendmail, Sensory Networks & PacketLoop - Pondering Interesting Transactions

Sendmail - Watch this space 

ProofPoint - who are serial acquirers in the cyber-security industry - acquired Sendmail for about $23 Million in cash, paying a revenue multiple of something like 10, and a profit multiple of n/a since by the sounds of the announcement, Sendmail as a commercial enterprise has been losing money pretty consistently.  

sendmail.png
"For the fourth quarter of 2013, Proofpoint expects Sendmail to have an immaterial impact on revenue while widening the company's non-GAAP net loss by approximately $2 million or $0.06 per share, as the company takes on the costs associated with this new team and begins to build a recurring revenue stream."  (http://finance.yahoo.com/news/proofpoint-inc-acquires-sendmail-inc-201000890.html)
"Sendmail brings a global community of open source users and a compelling set of enterprise customers, but little in the way of near-term recurring revenue due to their legacy business model built around the sale of appliances and perpetual licenses."  (http://finance.yahoo.com/news/proofpoint-inc-acquires-sendmail-inc-201000890.html)

So why are they buying it?  It seems the strategy is primarily about supply chain protection and/or integration:

"Noting that ProofPoint's enterprise protection solution is built on Sendmail's MTA, ProofPoint CEO Gary Steele said, "Acquiring Sendmail gives Proofpoint ownership of this definitive industry-standard technology...""  (http://www.fool.com/investing/general/2013/10/01/proofpoint-makes-another-acquisition.aspx)

Although the opportunity could well also be larger than that.  There is certainly precedent for taking a semi-open-source software product and surrounding it with commercial services and support (with Snort/Sourcefire and Nessus/Tenable being two prime examples in the cyber-security industry) and creating significant value in the process.  Key to success will be ensuring the community continues to participate in the open source project, and see that the overarching commercial organisation that is now supervising them, is an organisation whose values they align to.  That ProofPoint has already started reaching out the community (eg http://www.sendmail.com/sm/open_source/community_letter/) is a positive start to that relationship.

 

Sensory Networks - A mixed result

 The same day as the Sendmail transaction, it was announced that Intel is acquiring Australian cyber-security tech company Sensory Networks for $21.5 Million (http://www.smh.com.au/it-pro/business-it/intel-to-acquire-australian-tech-company-sensory-networks-for-21-million-20131001-hv1un.html).  Intel is listed on the Sensory website as a partner, so as with the Sendmail acquisition, it could simply be case from Intel's perspective of protecting the supply chain.

sensory.png

I have a soft spot for Sensory Networks as it was on Matt Barrie's recommendation that a number of our earliest team members at SIFT were recruited, and without exception they turned out to be some of the best and brightest minds in security that I have had the privilege to work with.  That being said, early media reports of the Sensory Networks sale really wanted to be able to present it as a success story, but that became progressively more difficult when additional context was added to the deal and the company.  

Like the fact Sensory had raised about USD $30M in venture capital to get to this point.  Like the fact Sensory was not a 'start-up', but had been running since 2003.  Like the fact Sensory started life as a hardware company (and by all accounts was excellent at it, from an engineering standpoint) and in 2009 changed tack to be software focused.  And the fact that at the date of the transaction the company had only five (5) employees.

Does anyone actually make any money in a deal like this?  It's an interesting question, and the answer is... It depends.

It depends on a few things, like:

  • The terms under which the venture capitalists invested
  • The degree to which the early shareholders were diluted in the various funding rounds
  • The importance of the remaining key employees and their ability to renegotiate equity plans over time
  • Other technical things like whether it's an asset sale or a share sale, and what the balance sheet of the company looks like

The first of those is probably the most significant.  Essentially, a venture capitalist is likely to get 'Preferred Stock' rather than 'Common Stock'.  One of the benefits of this preferred stock is that it will generally have 'liquidation preferences' attached to it.  At the simplest level, the 'preference' referred to in the name of the stock, is that it gets paid before the common stock.  There are a few different approaches to preferred stock (broadly known as 'Straight Preferred', 'Participating Preferred', or 'Partially Participating Preferred' - http://venturebeat.com/2010/08/16/beware-the-trappings-of-liquidation-preference/), but the crux of the issue is the same... basically, if you've got preferred stock, you will generally get back the cash you put in, prior to the common stockholders getting anything.  And if you put in $30M, and the company sells for $20M, that means there is zero left for anyone holding non-preferred shares.

Now to be clear, I don't have inside information on any of these transactions, and don't know what the terms were in any of the agreements.  It's likely that the share register at Sensory changed a great many times over the years as funds were raised, investors came and went, founders departed, the employee share scheme ebbed and flowed (since it is in everyone's interests to ensure the key team members remain motivated and incentivised to make the company succeed), and perhaps at the end a few people were holding enough of the right shares to do reasonably well after years of hard work... But it's also possible that nobody did.

My intention here is simply to highlight the fact that for aspiring tech entrepreneurs out there who heard the figure "$21.5 Million" and thought "Pay Day! I'm starting a company!", life often isn't that simple.  While it's fairly self-evident that a company going bust doesn't make the founders rich, it's less self-evident that a company being sold for an eight-figure sum, also may not make the founders a fortune.

I do hope that the team who worked so hard, for so long, to build the technology and the business of Sensory, did reasonably well out of this.  Looking to build an engineering-heavy cyber-security hardware company in Australia in the early 2000s was ambitious and courageous, and they contributed significantly to the cyber-security talent pool that we now have.

 

PacketLoop - The next generation

A month before the Sensory Networks and Sendmail transactions, it was announced that Arbor Networks (www.arbornetworks.com) acquired PacketLoop (www.packetloop.com) - see http://www.arbornetworks.com/recent-in-the-news/4983-news-packetloop for official press release.  While both innovative cyber-security technology companies, in many ways, PacketLoop is the antithesis of the Sensory Networks story.  It was started in 2011 and sold just 2 years later, and as far as I know, was bootstrapped throughout that period, without external venture capital involvement (although I could be wrong in that assumption).     

packetloop.png

For those who are new to the industry, it is worth noting that the PacketLoop team have experience in this area - their previous cyber-security consulting firm ThinkSecure was sold to Infoplex in 2007 (http://www.computerworld.com.au/article/188385/infoplex_acquires_thinksecure_/).  

The great thing about this transaction from my perspective, is that PacketLoop is genuinely innovative, IP-driven, and Australian.  The company has focused on research and development, and getting the product right before taking it hard to market.  The attraction of PacketLoop to Arbor can only have been the IP - while I'm sure they have some clients and revenue, an acquisition at this early stage of the company's genesis is about getting access to the technology.  And that is really exciting, a great credit to Scott Crane, Michael Baker and others involved, and also is a really powerful message to others that it can be done.

The financial details of the deal haven't been made public and I don't know what they are, but I hope the founders and others have done well out of it, and I am also very confident that the deal would have been structured to provide significant incentive to stay and build the company further with Arbor's support and backing - which is great for the industry, the technology, and for cyber-security research and development in Australia. 

Transaction Analysis - Cyber-Security M&A

With a handful of recent transactions (eg NTT acquiring Solutionary; and Malwarebytes acquiring ZeroVulnerabilityLabs), we have just gone over the 650 transaction level in our database of cyber-security industry M&A.  Given that, I thought it was about time for another post teasing out some of the trends and intelligence that this data set has to offer.

Geographic - Transaction Size

The average transaction size, 2004-2013, for cyber-security companies with the following US / non-US transaction profile is as follows:

  • Non-US Buyer / Non-US Seller         $ 93 Million
  • Non-US Buyer / US Seller               $ 198 Million
  • US Buyer / Non-US Seller               $ 295 Million
  • US Buyer / US Seller                      $ 420 Million

So the more 'US' you can get into your transaction, the bigger the number tends to get.  If you have a cyber-security product and want to maximise the return, heading to the US and getting venture capital funding is probably still your best option.

Buyer Industry Sector & Influence on Multiples

We have worked through the transaction data and categorised the buyers into one of a few groups: 

  • Defence industry
  • IT industry
  • Cyber-security industry
  • Professional services
  • Private equity / venture capital
  • Other

A couple of interesting observations from the transaction data, when analysed in this context:

  • Defence industry buyers pay the lowest revenue multiples, slightly below the private equity / venture capital community.  Realistically, this is likely to be more of a reflection of the difference in acquisition targets between the buyer groups, with the defence industry focused on services-intensive companies, and many of the other groups (eg the IT industry, and the cyber-security industry) are completing lots of acquisitions of product-led companies.
  • Cyber-security companies pay the largest multiples, by a significant margin.  The average profit multiple paid by the IT industry, the defence industry, and the private equity / venture capital community, varies by less than 10%.  The average cyber-security company-led acquisition multiple is over 6 times higher.  As per the above, this is primarily a function of the types of companies being acquired, with many cyber-security company-led transactions being of relatively early stage product companies, with significant R&D and sales and marketing expenses, but a relatively low base of revenue and profit, resulting in extremely high multiples.

This again demonstrates the importance of understanding the market, and particularly of the market as it pertains to your company.  The types of companies being acquired, and the level of maturity of those companies, varies significantly between buyer groups, and the prices paid vary accordingly.  

Outlying Transaction Valuations & Effect

While this blog isn't intended to be a tutorial on maths terminology, I'll just briefly revisit the distinction between the 'mean' (commonly called the 'average') and the 'median'.  The mean is calculated by simply summing all of a set of numbers together and dividing by the number of numbers.  

eg:  1, 1, 2, 2, 9

Gives a total of 15, and 5 numbers, so a mean of 3.

The flaw with using a 'mean' is that while it may be true to say the 'average' of that set of numbers is 3, the fact is also that 80% of the numbers are below the average, since it is skewed upwards by the larger number at the end.  Means are susceptible to being skewed by outliers.

The 'median' is basically just the value of the middle number when the numbers are arranged in order.  In this case, the median is 2.  What that number says is that 50% of the data is equal to or less than that number; and 50% of the data is equal to or greater than that number.  Generally speaking, that's going to be a more useful number.

How big a difference can this really make?  Let's take the example of transactions with a Cyber Security company as the acquirer.  The multiples data looks like this:

security company data.png

Obviously a profit multiple of 38.49 is nothing to be sneezed at, but 117.08 as an average profit multiple is pretty crazy.  How is it possible that the averages could be that high?  Transactions like this:

These transactions skew the averages up rapidly, particularly in an environment where not every transaction has data available.  (ie, if price data was available for all 650 transactions, it would have much less of an impact; but with price data only available for maybe 10% of transactions, and the rest being 'not disclosed', it can have a big influence).

Multiples by Year - There's Really No Bubble

The average revenue multiple from 2004 until 2006, was a shade over 14.

The average revenue multiple from 2007 until 2009, was a shade under 3.

The average revenue multiple from 2010 until mid-2013, was almost exactly 3.

Profit multiple data similarly hasn't changed markedly over the period 2007 to mid-2013. 

In other words, back in the early days of cyber security, there were fewer transactions being completed, but the ones that did complete tended to be for high valuations - for example, Juniper's acquisition of NetScreen (https://www.networkworld.com/edge/news/2004/0209juniscreen.html) and Symantec's acquisition of Brightmail (see above).  

 

transactions-by-year.png

There are now many more transactions, but the valuations have remained steady.   That's not a bubble - that's just a healthy market with strong demand for valuable companies.

 

Want to maximise your sale price? Build a product

When you run a cyber-security consulting firm, servicing hundreds of clients, and delivering thousands of projects over the course of many years, you get a pretty good idea of the problems that organisations are experiencing, as well as the problems you are experiencing, and would like to have solved.  From that position, invariably a discussion occurs within the leadership of the company, about whether or not to stay 'pure' as a consulting firm - and do what you know well, recruiting, delivering, and tracking utilisation - or reallocate some of the brainpower in your consulting team towards research & development and more specifically towards the development of some kind of 'product' that will solve the problems you have identified.

The obvious attraction is that products are (often) scalable.  People are not.

Part of the consideration in deciding whether to make this investment, is the expected return at the point of 'exit', particularly, the likely valuation differential that could be commanded at the point of a trade sale.  Having analysed the data for over 600 cyber-security industry transactions completed in the last decade, this is what that premium looks like:

Comparative valuation multiples - software, hardware & consulting led cyber-security businesses, 2004-2013

comparative-valuations.png

So what does the data tell us?

Breaking the organisations into consulting-led, software-led, and hardware-led categories (noting that not enough managed services company data is available for this category to stand alone), and comparing valuation multiples for revenue and profit, with consulting-led firms normalised for each category to '100%', we get the following differentials:

  • Compared to consulting-led firms, hardware-led firms have sold for revenue multiples between 3%-45% higher.
  • Compared to consulting-led firms, software-led firms have sold for revenue multiples between 101%-177% higher.
  • Compared to consulting-led firms, software-led firms have sold for profit multiples between 69%-109% higher.
  • (Insufficient comparative profit multiple data is available for the hardware firms so isn't included)

To put those figures in perspective, if your consulting-led cyber-security business is expected to sell for a revenue multiple of about 2 or a profit multiple of 6, a software-led cyber-security business next door will likely sell for a revenue multiple of between 3 and 5.4, or a profit multiple of between 10.1 and 12.5.  That is a significant difference.

In other words, if you have both consulting and software parts to your business, when valuing the business, it is likely that $1 of profit from your in-house developed software, is worth twice as much as $1 of profit from your consulting business.

Of course, this isn't without its exceptions.  Just looking at listed companies, it's easy enough to find cases of services-driven firms being valued more highly than product-driven firms.  As an example:

PE-mature.png

(Of course, I do acknowledge the significant growth of Checkpoint and Symantec in the services area of their businesses, and particularly Symantec with regard to managed services.  But I would be pretty confident that investors see them significantly as product companies first.)

But then those are all very mature businesses and realistically are well past the point of 'explosive growth'.  When you look at the younger crop of cyber-security product companies, you get some pretty crazy numbers:

PE-fastgrowth.png

To give some perspective on what a P/E of 319 means... Sourcefire's income (profit) for the last 12 month reporting period was a tad over $5 million.  Their current market capitalisation is $1.57 Billion.

But these companies have massive growth potential (Sourcefire has been growing revenue at 25-35% a year), and are also obvious acquisition targets for the more established firms in the market.  The enormous market capitalisations reflect this growth profile and the fact that investors are comfortable the companies will find a way to provide a return to shareholders.

It is also important to recognise, however, that building a successful product business is significantly more difficult than building a consulting practice, and the likelihood of a 'moderate' success is much lower.  In other words, building a consulting practice, it is reasonably easy to run a small team, build up a client base, and operate at a healthy level of profitability for as long as you are willing to continue driving the business.  Building a product business, this type of viability-without-being-the-market-leader is harder to come by, and success is much more likely to be all or nothing.  So while the payoff may be higher, the likelihood of getting a payoff at all is most likely lower.

Also of importance to consider is that the 'buyer universe' changes significantly when your consulting firm starts building a product-led business unit.  Companies that previously may have been interested suitors, may not want the R&D or support and maintenance expenditure necessary for an ongoing product-led operation.  

Ultimately, there are many ways to build a valuable company that will appeal to a sufficient number of potential buyers to achieve a healthy exit for the founders.  What is important, is understanding where the value is within your business, and how to stitch it together into a coherent story to maximise value during the sale process.