FireEye puts the capital market to work in Mandiant deal

Contact: Brenon Daly

A little more than three months after going public, FireEye is handing some $883m of that newly minted equity – along with $107m in cash – to acquire Mandiant. We would note this is one of the few times in the past decade that a high-flying debutant has used its IPO to pull off a transaction like this. In fact, most of the other fast-growing enterprise tech companies that have gone public in the past two years and trade at double-digit valuations have done only small tuck-ins (Splunk, ServiceNow) or stayed out of the M&A market altogether (Workday, Tableau Software). And that’s despite having boatloads of cash and richly valued shares thanks to their offerings.

And to be clear, this equity-heavy acquisition wouldn’t have been possible without an IPO, or at the very least, privately held FireEye would almost certainly have had to give up far more of the company if it wanted to acquire Mandiant. (As it is, FireEye is only giving up 13% of the company, but will add about 40% to its revenue this year.) Recall that when FireEye raised a round almost exactly a year ago, the company was valued at slightly more than $1.1bn, according to our understanding. The company is now worth more than $6bn on the Nasdaq.

Based on total consideration of $990m, the deal stands as the eighth-largest infosec transaction. (The largest deal in the sector, of course, is well known to many of many FireEye executives, a number of whom came over from McAfee after its $7.7bn sale to Intel.) Although FireEye is handing over nearly $1bn for Mandiant, by many measures it is getting a bargain. For starters, there’s the currency it is using. FireEye will cover approximately 90% of the purchase of the startup with its own richly valued equity. At a market capitalization of $6.2bn, FireEye is valued at almost 40 times expected 2013 revenue of $157m. (For those who prefer non-GAAP financials, that works out to 25 times projected 2013 billings of $245m.)

The unusual acquisition certainly found solid support on Wall Street. Investors bid FireEye stock up more than 20% to the highest point of its short history. Shares of FireEye, which first traded in the mid-$30s in September, topped $50 in mid-Friday trading. We’ll have a full report on the transaction on the 451 Research website later today.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Blue Coat plays in sandbox with Norman Shark

Contact: Scott Denne Wendy Nather

After coming up empty in its efforts to secure funding, Norman Shark opts for an acquisition by Blue Coat. Many venture capitalists question whether sandboxing technology, which isolates suspicious code before it can execute on an endpoint, can sustain a large independent business, especially in a market where they’ll run up against FireEye’s freewheeling sales and marketing spending.

Fellow sandboxing vendor Invincea was able to pull together a $16m series C funding round this week, an effort that took up most of this year. Bromium had better luck with its $40m series C round, which we understand came with a $380m valuation.

We gather that Norman Shark anticipated revenue of $5m in 2012 while it was seeking capital for the business, though it’s not clear if it met or surpassed that goal. The purchase of the 50-person company is likely far smaller than Blue Coat’s recent acquisitions of Solera Networks (451 M&A KnowledgeBase subscribers can click here for our estimated valuation on that deal) and Crossbeam Systems (click here for estimate). We’d also note that this transaction is the second sandboxing acquisition announced this week, after Invincea said Monday that it had scooped up Sandboxie sometime earlier this year.

Broadly speaking, there’s demand among security providers to add new ‘advanced malware detection’ capabilities, which include sandboxing and behavioral analysis, as a way to compensate for what antivirus is missing. FireEye raised awareness of this new breed by going public in September, though malware analysis M&A activity had been going on for a while.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Trustwave’s latest deals bring revenue, not just product

Contact: Scott Denne

Trustwave picks up Application Security Inc in a $25m stock deal that highlights the acquirer’s shifting M&A strategy since its aborted IPO attempt two years ago. With this transaction, like the purchase of M86 Security before it, Trustwave is grabbing a business with significant revenue, not just interesting products to roll into its MSSP division.

Like Trustwave, Application Security targets customers under pressure to comply with industry regulations like HIPAA and PCI, so pairing the two businesses together should create upsell opportunities. Application Security made a name for itself in the database security sector, but its growth was hindered by the small size of the market and aging investors with limited capacity to add to the company’s coffers – only one of its four venture investors has raised a fund since 2003 and its most recent round came in 2006.

Though smaller than anti-malware vendor M86, which Trustwave bought early last year (see our estimate of that deal here ), Application Security built a business that, we understand, reliably generated $20-25m in annual revenue, though little growth in the past few years. Still, that revenue will give about a 10% boost to Trustwave’s top line and strengthen its position for a potential IPO.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Barracuda sets up for an IPO that should go swimmingly

Contact: Brenon Daly

The holdout is over for Barracuda Networks. After a decade of steady expansion behind closed doors, the closely held information security (infosec) vendor is now set to step onto the public market. And it will be a big step by a big company: At about a quarter-billion dollars in revenue this fiscal year, Barracuda is roughly twice as large as other infosec firms that have come public recently.

Barracuda shipped its first product – a firewall – back in 2003. It has used a half-dozen or so acquisitions since 2006 to move into other infosec markets, as well as expand into storage. The company’s core security business represents about two-thirds of overall revenue, with the remaining revenue coming from its faster-growing storage business. It sells primarily to SMBs, having rung up some 150,000 customers.

Barracuda’s planned offering comes at time when Wall Street is particularly bullish on infosec IPOs. Most notably, FireEye doubled in its debut last month on its way to creating almost $5bn in market value. That’s a head-spinning valuation for a company that will do about $150m in sales this year.

But we wouldn’t necessarily hold out FireEye, with its triple-digit growth rates and enterprise focus, as a comparable offering to Barracuda. Instead, we might look back to the IPO four years ago from another appliance-based, multiproduct infosec provider, Fortinet.

Although that company is about twice as big as Barracuda, it is growing at just half the rate of Barracuda. Currently trading at about the midpoint of its 52-week range, Fortinet is valued at roughly $3.5bn, or about 6x this year’s sales. Putting that multiple on Barracuda, we come up with a rough valuation of about $1.5bn for the company. That’s probably a baseline valuation for Barracuda as it hits the market.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Experian’s $310m reach for 41st Parameter continues high multiples in antifraud

Contact: Scott Denne

In spending $310m to purchase antifraud vendor 41st Parameter, Experian is paying a healthy 14.1x trailing 12-month revenue. It’s the latest in a recent string of high-value deals in the fraud-protection market, but even at that multiple it’s the lowest of the three recent transactions in this sector. In August, IBM spent an estimated $900m on Trusteer, valuing the company at 25.7x revenue. That doesn’t come close to the multiple that F5 Networks paid for Versafe last month. (Subscribers can click on the following links for more details on the Trusteer and Versafe acquisitions.)

Part of the reason for the high valuations is the trend toward rising valuations of security firms in general as security grabs an increasing portion of IT budgets. Another reason is a maturation of the market, especially the device-identification end of antifraud where 41st Parameter plays. That company and its competitors have been around for about a decade and are now starting to hit their stride: 41st Parameter had roughly $22m in trailing 12-month revenue at the time of its sale, while rivals Iovation and ThreatMetrix have nearly identical revenue as 41st Parameter.

Annual value-to-revenue multiples on security deals

Year Median multiple
2013 5.25
2012 2
2011 3.6
2010 3.5

Source: The 451 M&A KnowledgeBase

Now that those companies have proven that there’s a real business in helping banks, retailers and other businesses identify fraudulent transactions, we’d expect to see more deals happen in this space. 41st Parameter and its peers have had acquisition interest from a variety of vendors – not just traditional security providers, but also banking technology businesses and cloud services companies. This type of technology fits into the product portfolio of any company that enables businesses to connect with consumers.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Arbor reaches Down Under for network analytics startup

Contact: Brenon Daly

Three years after Arbor Networks sold itself to Danaher, the security company has announced its first transaction as part of the technology conglomerate. Arbor has picked up Packetloop, a bootstrapped, five-employee startup based in Sydney, Australia, that specializes in network security monitoring and analytics.

The addition of Packetloop takes Arbor far beyond its core offering and market, which, historically, has been selling DDoS detection products to service providers. While service providers still account for a majority of the company’s revenue, sales to enterprises now represent 40% of total revenue, and are growing faster than the service providers business.

The deal also fits into a growing trend of existing security vendors looking to add capabilities around data analytics and visualization, rather than using M&A strictly as a way to step into new infosec markets. Just last week, for instance, Click Security reached for fellow startup VisibleRisk, while earlier this summer, Proofpoint added an in-memory threat-scoring startup called Abaca Technology.

Even old-line Blue Coat Systems caught the trend, paying an uncharacteristically rich multiple for Solera Networks. In fact, much of the network forensic capabilities that Packetloop offers are directly competitive with Solera, which was acquired just three months ago in what we understand was a highly competitive process.

Welsh Carson cleans up cap table for IPO-bound Alert Logic

Contact: Brenon Daly

In its first major move into IT security, buyout firm Welsh, Carson, Anderson & Stowe has acquired a majority stake in SaaS security vendor Alert Logic. The deal substantially cleans up the capital table at 11-year-old Alert Logic, which has drawn backing from six firms since its series A in 2005, including at least two shops that are designated as early-stage investors. As is typical for these late-stage growth investments by private equity (PE) firms, we would expect the next major capital event for Alert Logic to be an IPO.

Closer at hand, having a single, deep-pocketed owner should help Alert Logic take on its next opportunity for growth: international expansion. Currently only about 230, or 10%, of Alert Logic’s total customers are outside its home US market. The Houston-based company doesn’t have any direct sales outside the US.

International expansion for cloud-based companies like Alert Logic can be expensive because not only do they have to hire sales and marketing staff, they may also have to open in-country datacenters, depending on data residency laws. With $20bn in total capital, Welsh Carson can write those checks. (While Welsh Carson doesn’t currently hold any information security vendors in its portfolio, we would note that the PE firm is well-versed in the service-provider market, where Alert Logic does the majority of its business. The PE shop has put money into both Savvis and Peak 10.)

Alert Logic’s streamlined ownership also should help smooth the way for an IPO, although an offering may not come until 2015. The company finished 2012 with GAAP revenue of $30m and will likely bump that to nearly $45m in 2013. Assuming that growth rate roughly holds, Alert Logic could do $60-65m in sales in 2014. (Keep in mind, too, that Alert Logic is a subscription business, so revenue lags bookings.)

The two most-recent SaaS security providers to debut (Proofpoint and Qualys) both went public when their quarterly sales hit approximately $25m. (Proofpoint went public in April 2012, while Qualys followed suit last September. The two companies have market caps of $1bn and $600m, respectively.) However, we would note that although Alert Logic is smaller, it is growing twice as fast as Qualys and about half again as fast Proofpoint. Alert Logic has been clipping along at a 40-45% growth rate, compared with 20% at Qualys and 30% at Proofpoint.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

IBM puts its antifraud faith in Trusteer

Contact: Tejas Venkatesh

In its first security deal in two years, IBM reaches for financial antifraud and endpoint integrity software provider Trusteer. According to The 451 M&A KnowledgeBase, this is the highest-valued (on a price/sales basis) security acquisition for IBM, and should help further its already strong presence in the financial services vertical.

Terms of the transaction were not disclosed, but our sources corroborated the reported $800-1bn price range that IBM paid for the seven-year-old company. Using the midpoint of that range and our own verified revenue estimates gives the target a valuation far north of any of Big Blue’s other security deals. (Subscribers to the KnowledgeBase can view our estimates, including last year’s, trailing 12-month and projected revenue, here.)

Trusteer is known for providing lightweight fraud-prevention technology that scales en masse and provides an unobtrusive user experience. Having made its mark in the banking sector for end users, Trusteer recently launched an enterprise product in its foray into that market. From Trusteer’s perspective, having IBM as a parent will further accelerate its product’s adoption in the enterprise segment.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Where might FireEye be casting its eye for M&A?

Contact: Brenon Daly

When business is booming, who has time to shop? We were wondering that as we skimmed the prospectus for FireEye, an ‘advanced threat protection’ vendor that has doubled revenue so far this year. As we noted in our full report on the company’s planned IPO, FireEye has only really had its product out for three years, but is likely to put up about $150m in sales in 2013.

That’s astonishing growth, a testament to the company’s calculated effort to expand as quickly as possible. In the prospectus, FireEye notes that 375 employees – a full 40% of its entire payroll – work in sales. (That goes some distance toward explaining how FireEye has spent more just on sales and marketing than it has brought in as revenue so far this year.)

With all of the focus on – and enviable results from – organic growth, it’s no wonder inorganic growth has yet to figure into FireEye’s business. In that way, it’s basically following the practice of other high-flying companies that have come public – the companies that will serve as ‘comps’ for FireEye.

Neither Workday nor Splunk nor Tableau has been active in M&A, despite having the windfall of an IPO and richly valued equity to use in deals. Only ServiceNow has done a deal, and that was just a $13m purchase announced last month, a full year after it went public. (For those with a longer view, we would note that salesforce.com didn’t ink its first acquisition until almost two years after its IPO in mid-2004.)

Nonetheless, my colleague Wendy Nather has penciled out a few possible targets should FireEye want to go shopping. (And the company may need to use M&A, if just for customer perception. As she notes, threat intelligence and sandboxing at the network layer are not going to be considered a complete solution for handling malware attacks in the future.) We have a few thoughts around possible markets (think endpoints) and even a few specifics that may figure into FireEye’s future M&A plans in our full report.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

A red-hot IPO expected from FireEye

Contact: Brenon Daly

The next billion-dollar tech IPO is moving closer to the public market. FireEye has revealed its paperwork for an offering that’s sure to draw bullish interest from investors willing to put money into an early-stage company that’s still in hyper-growth mode. The cybersecurity vendor, which only really began shipping product in 2010, is putting up eye-popping growth rates but is also spending heavily to get them.

For instance, FireEye doubled sales in the first half of 2013 to $62m. Granted, that’s coming off a small revenue base, but it’s still an astonishing rate compared with the overall information security (infosec) market. In a survey by TheInfoPro, a service of 451 Research, more than half (52%) of infosec buyers forecasted their 2013 budgets would be the same (44%) or even lower (8%) compared with 2012. (Among the remaining roughly 48% who projected a larger infosec budget this year, most indicated it would be only a single-digit percentage higher.)

To post its enviable growth, FireEye has been spending heavily. In fact, so far this year, the company has spent more on sales and marketing costs than it has taken in as revenue. That’s appropriate (though clearly not sustainable) for a company growing in the triple digits that sees a vast opportunity in front of it.

Nonetheless, we would note that it is significantly higher than the two most-recent infosec providers that have come to market. Sales and marketing spending at both Palo Alto Networks and Imperva ranges between 50-60% of revenue. (We don’t consider Qualys, which came public last September, a fitting comp for FireEye because it is a subscription-based business rather than a product-based business like FireEye, Imperva or Palo Alto.)

Of course, we don’t expect the red ink at FireEye to deter many public market investors. Both Palo Alto and Imperva don’t turn a profit, even though they are growing at much slower rates than FireEye. (Palo Alto is increasing its top line at about a 60% rate, while Imperva is roughly half that level.) And yet, Wall Street has bid up both of the recent infosec IPOs to double-digit price-to-sales valuations. Collectively, those offerings have created $4.8bn of market value.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.