Sendmail, Sensory Networks & PacketLoop - Pondering Interesting Transactions

Sendmail - Watch this space 

ProofPoint - who are serial acquirers in the cyber-security industry - acquired Sendmail for about $23 Million in cash, paying a revenue multiple of something like 10, and a profit multiple of n/a since by the sounds of the announcement, Sendmail as a commercial enterprise has been losing money pretty consistently.  

"For the fourth quarter of 2013, Proofpoint expects Sendmail to have an immaterial impact on revenue while widening the company's non-GAAP net loss by approximately $2 million or $0.06 per share, as the company takes on the costs associated with this new team and begins to build a recurring revenue stream."  (
"Sendmail brings a global community of open source users and a compelling set of enterprise customers, but little in the way of near-term recurring revenue due to their legacy business model built around the sale of appliances and perpetual licenses."  (

So why are they buying it?  It seems the strategy is primarily about supply chain protection and/or integration:

"Noting that ProofPoint's enterprise protection solution is built on Sendmail's MTA, ProofPoint CEO Gary Steele said, "Acquiring Sendmail gives Proofpoint ownership of this definitive industry-standard technology...""  (

Although the opportunity could well also be larger than that.  There is certainly precedent for taking a semi-open-source software product and surrounding it with commercial services and support (with Snort/Sourcefire and Nessus/Tenable being two prime examples in the cyber-security industry) and creating significant value in the process.  Key to success will be ensuring the community continues to participate in the open source project, and see that the overarching commercial organisation that is now supervising them, is an organisation whose values they align to.  That ProofPoint has already started reaching out the community (eg is a positive start to that relationship.


Sensory Networks - A mixed result

 The same day as the Sendmail transaction, it was announced that Intel is acquiring Australian cyber-security tech company Sensory Networks for $21.5 Million (  Intel is listed on the Sensory website as a partner, so as with the Sendmail acquisition, it could simply be case from Intel's perspective of protecting the supply chain.


I have a soft spot for Sensory Networks as it was on Matt Barrie's recommendation that a number of our earliest team members at SIFT were recruited, and without exception they turned out to be some of the best and brightest minds in security that I have had the privilege to work with.  That being said, early media reports of the Sensory Networks sale really wanted to be able to present it as a success story, but that became progressively more difficult when additional context was added to the deal and the company.  

Like the fact Sensory had raised about USD $30M in venture capital to get to this point.  Like the fact Sensory was not a 'start-up', but had been running since 2003.  Like the fact Sensory started life as a hardware company (and by all accounts was excellent at it, from an engineering standpoint) and in 2009 changed tack to be software focused.  And the fact that at the date of the transaction the company had only five (5) employees.

Does anyone actually make any money in a deal like this?  It's an interesting question, and the answer is... It depends.

It depends on a few things, like:

  • The terms under which the venture capitalists invested
  • The degree to which the early shareholders were diluted in the various funding rounds
  • The importance of the remaining key employees and their ability to renegotiate equity plans over time
  • Other technical things like whether it's an asset sale or a share sale, and what the balance sheet of the company looks like

The first of those is probably the most significant.  Essentially, a venture capitalist is likely to get 'Preferred Stock' rather than 'Common Stock'.  One of the benefits of this preferred stock is that it will generally have 'liquidation preferences' attached to it.  At the simplest level, the 'preference' referred to in the name of the stock, is that it gets paid before the common stock.  There are a few different approaches to preferred stock (broadly known as 'Straight Preferred', 'Participating Preferred', or 'Partially Participating Preferred' -, but the crux of the issue is the same... basically, if you've got preferred stock, you will generally get back the cash you put in, prior to the common stockholders getting anything.  And if you put in $30M, and the company sells for $20M, that means there is zero left for anyone holding non-preferred shares.

Now to be clear, I don't have inside information on any of these transactions, and don't know what the terms were in any of the agreements.  It's likely that the share register at Sensory changed a great many times over the years as funds were raised, investors came and went, founders departed, the employee share scheme ebbed and flowed (since it is in everyone's interests to ensure the key team members remain motivated and incentivised to make the company succeed), and perhaps at the end a few people were holding enough of the right shares to do reasonably well after years of hard work... But it's also possible that nobody did.

My intention here is simply to highlight the fact that for aspiring tech entrepreneurs out there who heard the figure "$21.5 Million" and thought "Pay Day! I'm starting a company!", life often isn't that simple.  While it's fairly self-evident that a company going bust doesn't make the founders rich, it's less self-evident that a company being sold for an eight-figure sum, also may not make the founders a fortune.

I do hope that the team who worked so hard, for so long, to build the technology and the business of Sensory, did reasonably well out of this.  Looking to build an engineering-heavy cyber-security hardware company in Australia in the early 2000s was ambitious and courageous, and they contributed significantly to the cyber-security talent pool that we now have.


PacketLoop - The next generation

A month before the Sensory Networks and Sendmail transactions, it was announced that Arbor Networks ( acquired PacketLoop ( - see for official press release.  While both innovative cyber-security technology companies, in many ways, PacketLoop is the antithesis of the Sensory Networks story.  It was started in 2011 and sold just 2 years later, and as far as I know, was bootstrapped throughout that period, without external venture capital involvement (although I could be wrong in that assumption).     


For those who are new to the industry, it is worth noting that the PacketLoop team have experience in this area - their previous cyber-security consulting firm ThinkSecure was sold to Infoplex in 2007 (  

The great thing about this transaction from my perspective, is that PacketLoop is genuinely innovative, IP-driven, and Australian.  The company has focused on research and development, and getting the product right before taking it hard to market.  The attraction of PacketLoop to Arbor can only have been the IP - while I'm sure they have some clients and revenue, an acquisition at this early stage of the company's genesis is about getting access to the technology.  And that is really exciting, a great credit to Scott Crane, Michael Baker and others involved, and also is a really powerful message to others that it can be done.

The financial details of the deal haven't been made public and I don't know what they are, but I hope the founders and others have done well out of it, and I am also very confident that the deal would have been structured to provide significant incentive to stay and build the company further with Arbor's support and backing - which is great for the industry, the technology, and for cyber-security research and development in Australia. 

Security Company Earnings Reports - Nuggets of Gold (Part 2)

I received some great feedback on my thoughts on the highlights of the Symantec, Checkpoint and Fortinet earnings calls, so through popular demand have continued working my way through security company earnings calls.  In this edition, one of the newer and sexier market players: Sourcefire

Of course, IT security is to 'sexy' what Eddie "the Eagle" Edwards was to ski jumping, so I still wouldn't necessarily be opening with your latest 'penetration testing' gag at the bar later tonight.  Unless the bar happens to be hosting a Star Trek party, in which case, make hay while the sun shines.

Anyway, on with the review.



"Revenue for the first quarter of 2013 came in at $56.2 million, an increase of 21% over the year-ago period."

That's why they're the sexy ones.  21% year-on-year growth.

"21% was below our expectation."

Wow, expectations were high.  But then, when your PE Ratio is 339 (, I guess that's what happens to expectations.

"Our U.S. Commercial and International business revenue grew a combined 37% over the same period last year."

Great numbers.  Unsustainable, but good to get them when you can.

"We believe our U.S. Federal business was impacted by funding uncertainties related to sequestration and the continuing resolution that wasn't approved until March 26, resulting in a year-over-year decline of 36%."

OK, should have seen that coming.  Good news first, then the bad news.  A 36% year-over-year decline is huge.  (For those who don't immediately recognise that a 36% loss is much worse than a 37% gain is good, remember that to get back that 36% loss, will require in excess of a 50% gain.)

"This approach starts by first acknowledging that there are 3 distinct phases of security from a defender's point of view. You have heard us refer to this as the attack continuum: a before, during and after phases of an attack."

Which sounds eerily similar to 'Protect, Detect and React' which we've been saying for decades.  Old wine, new bottles.

"Our cybersecurity solutions... address the full attack continuum across all attack sectors and respond at any time, all the time in realtime... This is in contrast to traditional security layers that only operate at a point in time... They have no capability versus a threat later in time."

I think I need to re-read Stephen Hawkings' A Brief History of Time to understand this.  Any time, all the time, in real time, not at a point in time, but definitely later in time.  Got it.  On a serious note, it is interesting to see how the amount of investment being poured in to solutions aimed at detecting pre-existing breaches in an environment; effectively acknowledging the fact that organisations simply cannot prevent the breaches from occurring. 

"Our [Advanced Malware Protection] solution [FireAMP] has capabilities and scope that will have the competition playing catch-up for years"

From what I've seen and read, I think FireAMP is indeed going to be a powerful tool in the security business.  As with all the latest-and-greatest technologies, however, the question will be whether anyone in Australia has the capability to implement it, configure it correctly, and manage/monitor it the way it is intended.  Otherwise it will be the next very expensive paperweight to hit our desks.

"As we continue to scale our International operations, we will benefit from the tax structure implemented last year and believe we can drive our long-term effective tax rate below 30%."

Seems pretty conservative.  Apple have managed to get theirs down to under 2%, with a "Dutch Sandwich" and some Catch-22-esque workmanship resulting in some of Apple's legal entities not being resident anywhere.  

"We don't traditionally break out our International business. I can tell you that it was strong across the board. We added 40 resellers in Q1 and a little bit more than half of them were International. In fact, half of them were in Asia-Pacific. That business is really starting to pick up for us."

Obviously Asia-Pacific is a lot broader than just Australia, but it's interesting to see how many companies are reporting strong demand and growth from this region.  It certainly matches the demand and growth in the domestic information security services sector, and I continue to believe that the services market in particular is growing faster than the supply-side can keep up with.

A question from the floor:

"And regarding the balance sheet, could you give us some color around the trends in deferred revenue? It was flattish quarter-to-quarter. Any color on that?"  

Boom!  Two uses of the buzzword-of-the-moment 'color' in one go!  I am still yet to hear it used at all in Australia, but maybe I'm moving in the wrong circles.  It can only be a matter of time.

In response to a question about which companies the FireAMP product competes with (this is long, but worth reading):

"In terms of who we compete with, there are a number of players in kind of the advanced network space that are out there, and a lot of people who claim they're out there as well. I think you look at the core anti-virus guys, a lot of them will say they're dealing with events now, where you look at newcomers, they're a bunch of startups out there. You have guys like FireEye as well. They're all kind of swirling around the problem right now looking for a solution. I would say that relative to any of them that are out there right now, there are -- some companies are taking a purely network-based approach, some are taking a purely end-point-based approach. Many of them -- well, very few of them consider the totality of networks endpoints, mobile devices and virtual environments. And of all the companies that are out there really, we're the only guys who consider them all. We use one unified detection infrastructure to analyze everything that comes in. We operate on a continuous capability model using streaming telemetry from the devices that we're connected to. And what that means effectively, if you look that this versus any of them that are out there, they all operate in what we call a point in time. They're presented with a piece of data. They make the decision either good or bad, and if they're wrong, they completely miss it and have no opportunity to go back there and do something about it again. We have continuous capability where we can see all the time, in realtime, not just the structure of advanced malware, but also its operations and behavior. And really, at the end of the day, we believe we're a disruptive player in this space because we're one of the first movers and we have a fully scoped solution that addresses the entire problem set that is out there."

A good summary of their positioning and how they see the market.  If FireEye is being included as a competitor, I assume RSA NetWitness, Solera Networks, Australian start-ups like Packetloop, and US-based companies that as far as I know haven't made it to our shores such as Damballa and Invincea should be included in there too.  It's becoming a crowded market and logically will consolidate pretty heavily over the next 1 - 2 years (noting that Blue Coat recently bought Solera Networks; and of course RSA reasonably recently bought NetWitness).  

For those in the IT security professional services industry, providing implementation, configuration, support and management around these 'next generation' tools is a huge opportunity.  While not all the products and vendors in this space will continue to be here in a few years' time, the amount of venture capital being thrown at this part of the market should guarantee short term viability at least.