Sendmail, Sensory Networks & PacketLoop - Pondering Interesting Transactions

Sendmail - Watch this space 

ProofPoint - who are serial acquirers in the cyber-security industry - acquired Sendmail for about $23 Million in cash, paying a revenue multiple of something like 10, and a profit multiple of n/a since by the sounds of the announcement, Sendmail as a commercial enterprise has been losing money pretty consistently.  

sendmail.png
"For the fourth quarter of 2013, Proofpoint expects Sendmail to have an immaterial impact on revenue while widening the company's non-GAAP net loss by approximately $2 million or $0.06 per share, as the company takes on the costs associated with this new team and begins to build a recurring revenue stream."  (http://finance.yahoo.com/news/proofpoint-inc-acquires-sendmail-inc-201000890.html)
"Sendmail brings a global community of open source users and a compelling set of enterprise customers, but little in the way of near-term recurring revenue due to their legacy business model built around the sale of appliances and perpetual licenses."  (http://finance.yahoo.com/news/proofpoint-inc-acquires-sendmail-inc-201000890.html)

So why are they buying it?  It seems the strategy is primarily about supply chain protection and/or integration:

"Noting that ProofPoint's enterprise protection solution is built on Sendmail's MTA, ProofPoint CEO Gary Steele said, "Acquiring Sendmail gives Proofpoint ownership of this definitive industry-standard technology...""  (http://www.fool.com/investing/general/2013/10/01/proofpoint-makes-another-acquisition.aspx)

Although the opportunity could well also be larger than that.  There is certainly precedent for taking a semi-open-source software product and surrounding it with commercial services and support (with Snort/Sourcefire and Nessus/Tenable being two prime examples in the cyber-security industry) and creating significant value in the process.  Key to success will be ensuring the community continues to participate in the open source project, and see that the overarching commercial organisation that is now supervising them, is an organisation whose values they align to.  That ProofPoint has already started reaching out the community (eg http://www.sendmail.com/sm/open_source/community_letter/) is a positive start to that relationship.

 

Sensory Networks - A mixed result

 The same day as the Sendmail transaction, it was announced that Intel is acquiring Australian cyber-security tech company Sensory Networks for $21.5 Million (http://www.smh.com.au/it-pro/business-it/intel-to-acquire-australian-tech-company-sensory-networks-for-21-million-20131001-hv1un.html).  Intel is listed on the Sensory website as a partner, so as with the Sendmail acquisition, it could simply be case from Intel's perspective of protecting the supply chain.

sensory.png

I have a soft spot for Sensory Networks as it was on Matt Barrie's recommendation that a number of our earliest team members at SIFT were recruited, and without exception they turned out to be some of the best and brightest minds in security that I have had the privilege to work with.  That being said, early media reports of the Sensory Networks sale really wanted to be able to present it as a success story, but that became progressively more difficult when additional context was added to the deal and the company.  

Like the fact Sensory had raised about USD $30M in venture capital to get to this point.  Like the fact Sensory was not a 'start-up', but had been running since 2003.  Like the fact Sensory started life as a hardware company (and by all accounts was excellent at it, from an engineering standpoint) and in 2009 changed tack to be software focused.  And the fact that at the date of the transaction the company had only five (5) employees.

Does anyone actually make any money in a deal like this?  It's an interesting question, and the answer is... It depends.

It depends on a few things, like:

  • The terms under which the venture capitalists invested
  • The degree to which the early shareholders were diluted in the various funding rounds
  • The importance of the remaining key employees and their ability to renegotiate equity plans over time
  • Other technical things like whether it's an asset sale or a share sale, and what the balance sheet of the company looks like

The first of those is probably the most significant.  Essentially, a venture capitalist is likely to get 'Preferred Stock' rather than 'Common Stock'.  One of the benefits of this preferred stock is that it will generally have 'liquidation preferences' attached to it.  At the simplest level, the 'preference' referred to in the name of the stock, is that it gets paid before the common stock.  There are a few different approaches to preferred stock (broadly known as 'Straight Preferred', 'Participating Preferred', or 'Partially Participating Preferred' - http://venturebeat.com/2010/08/16/beware-the-trappings-of-liquidation-preference/), but the crux of the issue is the same... basically, if you've got preferred stock, you will generally get back the cash you put in, prior to the common stockholders getting anything.  And if you put in $30M, and the company sells for $20M, that means there is zero left for anyone holding non-preferred shares.

Now to be clear, I don't have inside information on any of these transactions, and don't know what the terms were in any of the agreements.  It's likely that the share register at Sensory changed a great many times over the years as funds were raised, investors came and went, founders departed, the employee share scheme ebbed and flowed (since it is in everyone's interests to ensure the key team members remain motivated and incentivised to make the company succeed), and perhaps at the end a few people were holding enough of the right shares to do reasonably well after years of hard work... But it's also possible that nobody did.

My intention here is simply to highlight the fact that for aspiring tech entrepreneurs out there who heard the figure "$21.5 Million" and thought "Pay Day! I'm starting a company!", life often isn't that simple.  While it's fairly self-evident that a company going bust doesn't make the founders rich, it's less self-evident that a company being sold for an eight-figure sum, also may not make the founders a fortune.

I do hope that the team who worked so hard, for so long, to build the technology and the business of Sensory, did reasonably well out of this.  Looking to build an engineering-heavy cyber-security hardware company in Australia in the early 2000s was ambitious and courageous, and they contributed significantly to the cyber-security talent pool that we now have.

 

PacketLoop - The next generation

A month before the Sensory Networks and Sendmail transactions, it was announced that Arbor Networks (www.arbornetworks.com) acquired PacketLoop (www.packetloop.com) - see http://www.arbornetworks.com/recent-in-the-news/4983-news-packetloop for official press release.  While both innovative cyber-security technology companies, in many ways, PacketLoop is the antithesis of the Sensory Networks story.  It was started in 2011 and sold just 2 years later, and as far as I know, was bootstrapped throughout that period, without external venture capital involvement (although I could be wrong in that assumption).     

packetloop.png

For those who are new to the industry, it is worth noting that the PacketLoop team have experience in this area - their previous cyber-security consulting firm ThinkSecure was sold to Infoplex in 2007 (http://www.computerworld.com.au/article/188385/infoplex_acquires_thinksecure_/).  

The great thing about this transaction from my perspective, is that PacketLoop is genuinely innovative, IP-driven, and Australian.  The company has focused on research and development, and getting the product right before taking it hard to market.  The attraction of PacketLoop to Arbor can only have been the IP - while I'm sure they have some clients and revenue, an acquisition at this early stage of the company's genesis is about getting access to the technology.  And that is really exciting, a great credit to Scott Crane, Michael Baker and others involved, and also is a really powerful message to others that it can be done.

The financial details of the deal haven't been made public and I don't know what they are, but I hope the founders and others have done well out of it, and I am also very confident that the deal would have been structured to provide significant incentive to stay and build the company further with Arbor's support and backing - which is great for the industry, the technology, and for cyber-security research and development in Australia. 

Transaction Analysis - Cyber-Security M&A

With a handful of recent transactions (eg NTT acquiring Solutionary; and Malwarebytes acquiring ZeroVulnerabilityLabs), we have just gone over the 650 transaction level in our database of cyber-security industry M&A.  Given that, I thought it was about time for another post teasing out some of the trends and intelligence that this data set has to offer.

Geographic - Transaction Size

The average transaction size, 2004-2013, for cyber-security companies with the following US / non-US transaction profile is as follows:

  • Non-US Buyer / Non-US Seller         $ 93 Million
  • Non-US Buyer / US Seller               $ 198 Million
  • US Buyer / Non-US Seller               $ 295 Million
  • US Buyer / US Seller                      $ 420 Million

So the more 'US' you can get into your transaction, the bigger the number tends to get.  If you have a cyber-security product and want to maximise the return, heading to the US and getting venture capital funding is probably still your best option.

Buyer Industry Sector & Influence on Multiples

We have worked through the transaction data and categorised the buyers into one of a few groups: 

  • Defence industry
  • IT industry
  • Cyber-security industry
  • Professional services
  • Private equity / venture capital
  • Other

A couple of interesting observations from the transaction data, when analysed in this context:

  • Defence industry buyers pay the lowest revenue multiples, slightly below the private equity / venture capital community.  Realistically, this is likely to be more of a reflection of the difference in acquisition targets between the buyer groups, with the defence industry focused on services-intensive companies, and many of the other groups (eg the IT industry, and the cyber-security industry) are completing lots of acquisitions of product-led companies.
  • Cyber-security companies pay the largest multiples, by a significant margin.  The average profit multiple paid by the IT industry, the defence industry, and the private equity / venture capital community, varies by less than 10%.  The average cyber-security company-led acquisition multiple is over 6 times higher.  As per the above, this is primarily a function of the types of companies being acquired, with many cyber-security company-led transactions being of relatively early stage product companies, with significant R&D and sales and marketing expenses, but a relatively low base of revenue and profit, resulting in extremely high multiples.

This again demonstrates the importance of understanding the market, and particularly of the market as it pertains to your company.  The types of companies being acquired, and the level of maturity of those companies, varies significantly between buyer groups, and the prices paid vary accordingly.  

Outlying Transaction Valuations & Effect

While this blog isn't intended to be a tutorial on maths terminology, I'll just briefly revisit the distinction between the 'mean' (commonly called the 'average') and the 'median'.  The mean is calculated by simply summing all of a set of numbers together and dividing by the number of numbers.  

eg:  1, 1, 2, 2, 9

Gives a total of 15, and 5 numbers, so a mean of 3.

The flaw with using a 'mean' is that while it may be true to say the 'average' of that set of numbers is 3, the fact is also that 80% of the numbers are below the average, since it is skewed upwards by the larger number at the end.  Means are susceptible to being skewed by outliers.

The 'median' is basically just the value of the middle number when the numbers are arranged in order.  In this case, the median is 2.  What that number says is that 50% of the data is equal to or less than that number; and 50% of the data is equal to or greater than that number.  Generally speaking, that's going to be a more useful number.

How big a difference can this really make?  Let's take the example of transactions with a Cyber Security company as the acquirer.  The multiples data looks like this:

security company data.png

Obviously a profit multiple of 38.49 is nothing to be sneezed at, but 117.08 as an average profit multiple is pretty crazy.  How is it possible that the averages could be that high?  Transactions like this:

These transactions skew the averages up rapidly, particularly in an environment where not every transaction has data available.  (ie, if price data was available for all 650 transactions, it would have much less of an impact; but with price data only available for maybe 10% of transactions, and the rest being 'not disclosed', it can have a big influence).

Multiples by Year - There's Really No Bubble

The average revenue multiple from 2004 until 2006, was a shade over 14.

The average revenue multiple from 2007 until 2009, was a shade under 3.

The average revenue multiple from 2010 until mid-2013, was almost exactly 3.

Profit multiple data similarly hasn't changed markedly over the period 2007 to mid-2013. 

In other words, back in the early days of cyber security, there were fewer transactions being completed, but the ones that did complete tended to be for high valuations - for example, Juniper's acquisition of NetScreen (https://www.networkworld.com/edge/news/2004/0209juniscreen.html) and Symantec's acquisition of Brightmail (see above).  

 

transactions-by-year.png

There are now many more transactions, but the valuations have remained steady.   That's not a bubble - that's just a healthy market with strong demand for valuable companies.

 

Cyber-Security Transactions - Buyer Analysis (or "who is buying all these cyber-security companies?")

At Delling Advisory, we believe that we can provide the best advisory services to our IT security industry clients, through having an unsurpassed understanding of the market, both from first-hand experience having started, built and run IT security companies, as well as from access to unique data and analytics.  

This year, we have collated the data on about 650 cyber-security related transactions around the world, dating back to 2004.  A significant amount of work has been completed to categorise each transaction based on the 'company type' of the acquiring firm, as well as the security-related services that the acquiring firm previously provided and that the target firm provided (professional services / hardware / software / managed services), the country of origin of the acquirer and target, as well as the financial details of the transaction where that information is available (either publicly or via our industry contacts).  An early version of this data set is graphically represented in the map at the start of this post - blue being the acquirer and yellow being the target of the acquisition.

Over the next few weeks, we will start presenting snapshots of this information, to provide a high-level picture of the trends and directions that have taken shape over the last decade, with respect to the cyber-security market.  Obviously there is a significant amount of proprietary data that we have compiled through this process, and we use this information in our advisory roles to better understand and communicate the state of the market, as well as valuation trends and trends in the 'buyer universe'.

To get started, a couple of initial data sets.

Q. Who is buying all these cyber-security companies?

In short, many different companies (and 'company types') are acquiring cyber-security companies.  The defence industry has been in the media for the last few years as one of the most significant buying groups, but back to 2004 they only account for about 12% of all transactions.  Just taking the years 2010 to 2012, when transaction volume was highest in the defence sector, those firms still only accounted for about 18% of transactions (since although their transaction volume went up significantly, so did everyone else's).

The most prevalent acquirers of cyber-security companies are now (and have been every year since 2004), other cyber-security companies, and other IT companies seeking to expand their security-related offerings.

(As an aside, I'm sure people will wonder what 'other' contains.  'Other' contains a mix of companies buying capability to build into their own products, or for diversification.  Some example transactions in the 'other' bucket:

The heavy acquirers - as can be seen from the transaction map at the start of this post, have tended to be companies such as Cisco, McAfee, Oracle, CA Technologies, Symantec, IBM, Microsoft, EMC Corporation and Dell - although the defence primes Raytheon and BAE Systems have also made a dent.

Q. Are transaction volumes sky-rocketing?

Not really.  There are certainly many more cyber-security related transactions now than there were in 2004... but there are many more cyber-security businesses now than there were in 2004.  In broad terms, from 2009 onwards, transaction volume has been about 50% higher than in the period 2006 to 2008.

Cyber-security has become very important to a lot of companies, very quickly.  As a result, and given the difficulties in recruiting cyber-security professionals, adding this capability by acquisition continues to be very attractive.