CA’s two M&A strategies come together in Veracode

Contact: Brenon Daly 

CA Technologies plucks Veracode out of the IPO pipeline, paying $614m for the application security scanning startup. The acquisition bridges the two areas where CA has been shopping recently: security and DevOps. According to 451 Research’s M&A KnowledgeBase, all 10 of CA’s transactions in the four years leading up to the Veracode purchase have brought additional technology for either software development or security, primarily related to identity and access management. Including Veracode, CA’s recent shopping spree has cost the company slightly more than $2bn.

Originally a spinoff of Symantec, Veracode raised $122m from investors over the past 11 years, including a late-stage round in September 2014 that was expected to bridge the company to the public market. Shortly afterward, it tapped J.P. Morgan Securities to lead the planned offering. (J.P. Morgan gets the print for advising Veracode on its sale.) The IPO paperwork was filed with the SEC but never publicly revealed.

As it angled toward Wall Street, however, Veracode’s revenue growth slowed a bit, according to our understanding. (Subscribers to the M&A KnowledgeBase can see our estimate of Veracode’s top line.) Also working against an IPO for Veracode has been the rather lackluster market for new tech offerings overall, compounded by a slump on Wall Street for the two previous information security vendors to come public on US exchanges, SecureWorks and Rapid7. In opting for a sale rather than an IPO, Veracode secured a valuation that essentially matches the multiple that CA paid in its similarly sized pickups of fellow infrastructure software providers Automic Software in December and Rally Software in May 2015.

Veracode has steadily expanded its customer base, more than doubling that count since 2014 to 1,400. And, based on 451 Research surveys of more than 200 information security buyers, the company still has room to move higher once its acquisition by CA closes, which is expected in Q2. In our Voice of the Enterprise: Information Security survey in late 2016, Veracode ranked only as the fourth-most-popular supplier of application scanning, trailing open source tools from Qualys and IBM.
