Recently went through the incredibly impressive Crowdstrike S-1. It was almost as good as the Zoom S-1. However, I generally believe that cybersecurity is an awesome space for VC investing but tough for public equity investors.
This belief is a function of three different factors. First, the threat landscape changes so rapidly that startups with no technical debt almost always have an advantage when it comes to addressing the newest threats from a feature perspective. This makes it difficult to build a large, dominant platformesque company that can be a $10b plus market capitalization public company. Second, per commentary from hacker(ish) friends, building a large company is even more difficult for the simple reason that hackers focus upon weaknesses in the cybersecurity companies with the largest market share — success sows the seeds of future failure. Third, pressure to contribute to open source threat databases makes it hard to build a data advantage.
The constantly changing threat landscape and critical nature of cybersecurity make it the easiest area in which to go from 0 to $1b. And it is really hard to get beyond this given above dynamics. Hence great for VC, tough from public equity perspective. I suspect cybersecurity has the by far the lowest ratio of combined public company market cap over $10b to cumulative VC funding of any industry — and might even try to quantify this at some point.
So I am really impressed that Crowdstrike will likely IPO up well over 100% from their 2018 $3.35b round, which puts them in striking distance of $10b. Marketing efficiency and net retention are improving dramatically & the ”platform” strategy is working as customers are increasingly buying multiple modules. Every single metric in the S-1 has improved over the last year.
However, important to realize that much more so than other areas of software — and due to all of the above dynamics — there are regular renewal cycles where incumbent cybersecurity companies are subjected to competitive bakeoffs and quickly ripped out if they don’t measure up to newer competitors. There isn’t the same degree of “lockin” that accompanies application software (user familiarity, etc.) or other areas of infrastructure software. So big revenue ramps are often followed by increasing churn and decreasing retention looking out 2–3 years.
Crowdstrike approaches cybersecurity via traditional ML. So it is fascinating that new security companies based entirely upon deep learning — i.e. BlueHexagon — are emerging just as Crowdstrike IPOs. Having diligenced some of these co’s (not BlueHexagon), there are real advantages to deep learning vs. the more traditional ML methods used by Crowdstrike. These companies are just releasing their solutions into the wild, which is obviously the ultimate test, but early results were very promising. Blue Hexagon is a network security company rather than an endpoint security company** but there are several endpoint security companies based entirely around deep learning. Regardless, endpoint and network security approaches often converge. Witness both spaces moving away from signature based approaches towards ML approaches and now perhaps to deep learning.
And new deep learning approaches aside, endpoint security is a very crowded space with perpetually heavy VC funding. So it will be a race to see whether the newer companies can build a salesforce/channel faster than Crowdstrike can improve their product. Will Crowdstrike be the one to “break the wheel” or will it “be queen for a time. Then comes another, younger, more beautiful, to cast you down and take all you hold dear.”
*originally published on Twitter on May 23, 2019. **Appreciate the correction on Twitter.