Is Q1 the one for IBM?

Contact: Brenon Daly, Andrew Hay

Despite posturing for a public market debut for some time, we understand that Q1 Labs may instead be headed for a trade sale. IBM is reportedly set to acquire the fast-growing ESIM vendor in a deal to be announced this week. The price for Q1, which recorded sales of some $60m over the past four quarters, couldn’t be learned. Goldman Sachs was in line to be lead underwriter for the IPO but instead will get the print, according to our understanding.

Assuming it closes, the deal would come almost exactly a year after ESIM kingpin ArcSight sold to Hewlett-Packard. (In that process, we gather that IBM was a bidder for ArcSight through the late rounds, as was EMC. McAfee was interested as well but was priced out relatively early on.) HP paid roughly 8 times trailing sales for ArcSight. Slapping that same multiple on Q1 values the Waltham, Massachusetts-based company at nearly a half-billion dollars. IBM had paid a similar multiple for Netezza and BigFix and only a slightly lower one in its most recent significant security acquisition, Guardium.

Rumors about a possible sale of Q1 have swirled for a number of years, with suitors ranging from Cisco to Oracle to McAfee. However, the most consistent name attached to Q1 has been its largest OEM partner, Juniper Networks. Indeed, sources indicated earlier this year that Juniper was considering an acquisition but a wide gap emerged over the valuation. Apparently, Juniper was offering about $300m, while Q1 was holding out for a number significantly higher than that.

What lies ahead for independent ESIM vendors?

Contact: Thejeswi Venkatesh, Ben Kolada

Hewlett-Packard recently announced the availability of ArcSight Express 3.0, an upgraded version of the product it acquired last year. In light of this release, we note that independent ESIM vendors aren’t resting on their laurels, either. They continue to develop, innovate and position themselves as potential IPO/acquisition candidates. Competition is already fierce among ESIM players, with each trying to expand their addressable markets, but with HP, Attachmate and Sophos adding ESIM offerings to their portfolios, rivals might look to add to their own to compete effectively.

In a recent report, my colleague Andrew Hay notes that there are several potential acquirers and targets. The list of takeout candidates continues to include Q1 Labs, although there have been M&A rumors around the company for a decade. Q1 Labs is also primping itself for an IPO, but we wouldn’t be surprised if it became the latest target in the growing line of dual-track acquisitions announced so far this year. Given its enviable revenue growth (Q1 Labs reported that its revenue grew 75% in 2010), we expect that Q1 Labs would catch a valuation similar to ArcSight. HP picked up that Cupertino, California-based security provider in September 2010 in a deal valued at nearly 8 times trailing sales. Beyond Q1 Labs, we could point to NitroSecurity, which was allegedly in talks with McAfee earlier this year. We’d also note that McAfee lost out on the ArcSight assets, and could look to NitroSecurity as an alternative.

Confab-ulous M&A at two cloud companies

Contact: Brenon Daly

Two of the most richly valued tech companies are each hosting annual get-togethers this week, and M&A is figuring into both of the confabs. VMware opened VMworld in Las Vegas on Monday, while salesforce.com followed a day later with Dreamforce in San Francisco. As these companies were getting ready to open the doors for the events, both announced that they had done acquisitions – with both deals coming in the security market.

VMware reached for PacketMotion, a startup that was able to capture who’s doing what on a network and whether they should be doing that at all. VMware indicated that the acquisition should allow its customers to automate security and compliance policies. For its part, salesforce.com added encryption vendor Navajo Systems. While terms weren’t announced on either transaction, we suspect that the price tags for both startups were in the low tens of millions of dollars. On the other side, we’d note that, collectively, VMware and salesforce.com are valued at north of $50bn.

Part of the tremendously rich valuation that both VMware and salesforce.com enjoy can be chalked up to the fact that each company is the corporate representative of one of two key components of the whole cloud computing model: VMware for virtualization and salesforce.com for on-demand delivery of software and, more recently, infrastructure.

So it’s no surprise that these cloud stalwarts both recognized the need to shore up their cloud offerings by going out and buying security startups. After all, security remains probably the most important concern for broader adoption of cloud computing. In a recent survey, our sister organization ChangeWave Research asked both IT purchasers and users at companies to rate the security of current cloud offerings on a scale of 1 (very unsecure) to 10 (very secure). The median response was a distinctly middling 5.6. As a point of reference, the rating for cloud security was actually lower than the median rating for the reliability of cloud offerings, even after several high-profile outages at Amazon Web Services so far this year.

Maybe M&A for McAfee?

Contact: Brenon Daly, Andrew Hay

With the ink barely dry on the M&A papers of SolarWinds’ purchase of TriGeo, we understand that another deal in the enterprise security information management (ESIM) market may be already in the works. Several industry sources have indicated that McAfee and NitroSecurity are thought to be close to an agreement that would give Intel’s subsidiary a solid ESIM offering.

McAfee has been looking in this market for some time. We gather that the company lobbed a bid (thought to be in the neighborhood of $600m) for ESIM kingpin ArcSight before that company went public in February 2008. More recently, we weren’t surprised to hear that McAfee was in the process early for ArcSight last summer but got outbid by Hewlett-Packard, which ended up paying $1.65bn, or a steep 8 times trailing revenue for ArcSight.

If the acquisition indeed comes together, NitroSecurity would make a great deal of sense for McAfee. NitroSecurity, which we understand is running at about $40m in revenue, sells big-ticket installations to enterprises and the federal government – a market that McAfee clearly wants to be in. (NitroSecurity is also one of the few security vendors that has been able to crack into the industrial control system market, which gives the company a shot at lucrative contracts securing some of the nation’s critical infrastructure.)

The only other ESIM provider of size that might also give McAfee a comparable presence in the enterprise market would be Q1 Labs. However, that firm has a deep relationship with Juniper Networks, which is its single largest OEM partner. Nonetheless, Q1 has ascribed itself a fairly rich valuation, according to sources. The market may well soon have its vote on that, as Q1 recently indicated that it is looking toward an IPO.

Different exits at different prices

Contact: Brenon Daly

Imperva’s pending IPO offers a fairly intriguing counterpoint to the trade sale of rival Guardium nearly two years ago. In 2009, both companies would have been rather similarly sized (basically, $35-40m) and posting roughly comparable growth rates.

Rather than continue as a stand-alone vendor, however, Guardium took a relatively rich bid from IBM for what we understand was about $232m, or about 6 times trailing sales. For a deal that was announced in November 2009, when the overall market was only starting to recover from the credit crisis, Guardium’s valuation looked positively platinum. (It was even more shiny when we consider that the Boston-based company raised just $21m in venture backing.)

But now with Imperva’s IPO, we may well get to see what Guardium might have been worth if it had opted for the other exit. (Obviously, there are a lot of flaws built into standing Imperva as a proxy for Guardium, and doing so glosses over the impact of time and risk on the return. But, arguably, it’s still a useful exercise.)

Nonetheless, assuming that Imperva can garner roughly the same trailing valuation that Guardium got in its sale, that would imply an initial valuation of about $330m – or roughly $100m more than its rival’s clearing price. That $330m would work out to about 4.5x this year’s expected revenue, which seems like a reasonable starting point for Imperva when it does hit the NYSE. (See our special report on Imperva’s offering.)

Imperva impervious to consolidation

Contact: Brenon Daly

The next exit for a database security vendor appears likely to be an IPO. Word is Imperva has picked Goldman Sachs and Deutsche Bank Securities to lead its offering, with a prospectus likely to be filed in the next few weeks. The Redwood City, California-based company is thought to be running at roughly $60m in revenue.

If Imperva does indeed go public, the IPO would cap a run of a half-dozen deals in a sector that has seen purchases by some of the biggest technology providers on the planet. Among the companies that have bought their way into the database security market over the past two years are Oracle, IBM and McAfee. That’s not to say those big players have been paying big prices.

With the exception of Guardium’s sale in November 2009 to IBM, which we valued at $232m, the other transactions have been modest ones. And the most recent deal has been less than modest: BeyondTrust likely paid only a few million dollars for Lumigent last week. In fact, as we tally the aggregate value of all M&A in the database-monitoring space, we suspect that the total bill will be less than the value Imperva creates in its IPO.

BeyondTrust buys beyond its core market

Contact: Brenon Daly

Announcing its first acquisition since the September 2009 combination that created the current company, BeyondTrust recently picked up the assets of Lumigent. The deal adds Lumigent’s database monitoring to BeyondTrust’s core privileged identity management platform, so the purchase is a fairly logical step into an adjacent market. Terms weren’t disclosed, but we would guess that Lumigent didn’t sell for much more than the $4m of revenue that it generated last year. The company had been struggling in part because of a strategic misstep two years ago to go into the market for application governance, risk and compliance.

BeyondTrust paid for the Lumigent acquisition from its own treasury, even though it does have Insight Venture Partners as a backer. And the company is not done buying. We understand that it is likely to announce another two acquisitions this year. BeyondTrust can afford to do deals because it generates a fair amount of cash, running at a 35% EBITDA margin. The company recorded revenue of some $40m last year, up from $32m in 2009. Assuming those transactions go through, we gather that roughly half of the growth at BeyondTrust for 2011 would come organically, with the remaining half coming through M&A.

Updata secures a bargain from CA

Contact: Brenon Daly

When CA Technologies ‘partnered’ with Indian outsourcing firm HCL Technologies to try to offload its security business in November 2007, we termed the move a ‘kind-of, sort-of’ divestiture that was unlikely to fit well with either party. Three and a half years later, the full divestiture is finally done: CA sold it to Updata Partners last week. Although terms weren’t disclosed, we understand that Updata is paying only about $10m for the business, a price that reflects just how much the division had suffered under the joint venture. The roughly $50m in sales at the unit is less than half the level it was at the time of the CA-HCL accord.

The fact that CA got any money for its security assets surprised some. We hear from several participants that at least one bidder put forward a ‘cashless’ offer, offering to take the unit off of CA’s hands for only the assumption of liabilities. (We gather that there was some interest in the business from a few of the larger, privately held security vendors, while from the financial world, both Platinum Equity and Symphony Technology Group were rumored to be bidders.) However, the deal was a very complicated one, not least because there were some questions about the revenue sharing with HCL.

The split ownership, exacerbated by uneven commitments from the two sides, meant that the security business itself was rather starved, particularly for sales and marketing support. (It didn’t help that the division focused on consumers and small businesses, while its corporate parent, CA, targets enterprises. CA will continue to sell enterprise security offerings, which are primarily its identity and access management software.) Out from under the untenable ownership structure, the security unit will likely enjoy renewed focus and resources from its soon-to-be owners at Updata as the buyout firm tries, first, to stabilize the business and then ultimately get it growing again. The deal should close next month.

Tripwire pulls the plug on its IPO

Contact: Brenon Daly

Almost exactly a year after Tripwire formally filed its IPO paperwork, the security vendor has opted for the other exit, a trade sale. Thoma Bravo, a buyout shop with a number of other security and management companies in its portfolio, expects to close the acquisition of Portland, Oregon-based Tripwire this month. Terms weren’t disclosed but we understand that Thoma Bravo is paying about $225m. The decision by Tripwire to sell isn’t a surprise, any more than the fact that a buyout shop is its new owner.

If it had gone ahead with its IPO, we suspect that Tripwire would have had a rough go of it as a public company. Wall Street looks for growth, and while Tripwire has put up steady growth, it hasn’t been explosive growth or particularly valuable growth, at least in the eyes of portfolio managers. In 2010, Tripwire bumped up its overall top line 16% to $86m, primarily driven by increases in maintenance revenue and, to a lesser degree, consulting work. Collectively, those lines of business, which now represent more than half of Tripwire’s total revenue, rose 25% in 2010 – three times the rather anemic growth rate of 8% in license sales. (License sales actually flatlined in both the third and fourth quarters of 2010.)

The lagging license sales certainly wouldn’t have helped the company attract interest from strategic buyers. We noted earlier that nearly four years ago Tripwire came very close to selling to BMC. Since it filed its prospectus, we’ve heard that both Quest Software and CA Technologies looked at Tripwire. Still, in our view, Tripwire has a financial profile that should fit well inside a PE portfolio: some 6,000 customers; seven consecutive years of revenue and operating income growth; a rock-steady – and growing – maintenance stream of about $40m; and roughly $10m in cash flow per year.

EMC bolsters security portfolio with NetWitness

Contact: Brenon Daly, Josh Corman

Announcing its first deal in almost five months, EMC moved to bolster its security management portfolio by picking up fast-growing NetWitness. The purchase adds the rich network data and powerful analysis capabilities of the NetWitness NextGen platform, which is a bit like a TiVo for network traffic – capturing, indexing and storing massive amounts of network traffic. From a financial point of view, it is EMC’s first significant security acquisition since buying RSA Security in mid-2006.

In fact, we would estimate that the price of NetWitness tops EMC’s spending, collectively, on the four bolt-on acquisitions it has made to RSA since the $2.1bn deal. According to our understanding, NetWitness more than doubled revenue to about $45m in 2010. Given the growth rate and premium customer list NetWitness had assembled, we have no trouble believing market speculation that EMC paid $450-500m for NetWitness. A double-digit multiple isn’t out of whack for a fast-growing startup that has strategic value to EMC. We understand, for instance, that last summer EMC paid just shy of $400m for Greenplum, a data-warehousing startup that was clipping along at just under $30m in sales.