Part 1 looks at some of the major changes in the competitors focused primarily on the ICS detection market since the May update. Part 2 comes out next Tuesday and will map out where the competitors stand relative to each other and be a major change to the Tiers approach in the May update. I will do a LinkedIn Live next Wednesday, December 16, at noon EST to answer any questions on the analysis.

BOOM … $110M

The Dragos team had a decisive advantage in US-based ICS security talent since the start. With Rob Lee leading the way, Dragos has been a PR and branding juggernaut. Now add to this a C Round of $110M, and they are also in the dominant financial resource position.

I had made an easy prediction in May that Dragos was going to raise another round, and there were rumblings all summer that it was a done deal waiting to be announced. Perhaps the round got bigger and bigger, or perhaps they were waiting for a better valuation with the Covid vaccine becoming a reality. In any event, $110M is by far the largest OT security round to date and makes quite a statement.

The investors are betting on the belief there will be a large OT security market. This fall I moderated a panel of VCs where Bob Ackerman of AllegisCyber Capital said he believed there would be multiple multi-billion dollar companies in the OT security space.

No one has highly accurate numbers on the size of the OT security market today. My estimate is it is less than $1B and may be closer to $500M. There are not a lot of data points. We know from the Hexagon press release that PAS 2020 revenue was expected to be $41M, and a big chunk of PAS revenue is alarm management. So if PAS, a successful established vendor, has $25M in OT security revenue, it would take two or three companies at 10x PAS revenue to get close to a $1B market size.

Rob Lee has been consistent, including in a call last week, in his assertion that he does not want Dragos to be acquired. (I will note that the founder of Slack and many other founders have said the same thing with as much conviction. It does not mean they are being dishonest. Things can change quickly. I’m not ready to give up on my prediction that Dragos will be acquired by Crowdstrike in 2021.) Rob believes there is a place for a large OT security company, and he wants to retain control so they are not forced to sell out. It is likely that the deal still leaves Rob and the founding team with enough control to prevent this. I don’t claim any expertise in valuation, but Dragos is certainly valued by the C Round investors at over $500M post money. Maybe well over that amount.

——

Leading the funding / finance area is important, but not determinative. Ask Claroty, who had a big lead in this area after raising $60M in June of 2018.

I asked Rob what he was going to do with the money. Much of it will be spent on expanding the market presence and improving the existing customers’ success with the Dragos platform. Dragos’ greatest success is in the US, and there are other opportunities out there.

On the product front, Dragos had a major upgrade that improved their ability to create an asset inventory after losing deals because of a serious deficiency in this area. While I agree that asset inventory doesn’t belong in a detection and response product, much of the market has one pile of money and likes / believes the argument that one product can do asset inventory and detection.

I’ve talked with a few asset owners post upgrade that have done bake-offs where they provide the same traffic to each vendor, and evaluate the asset inventories they create. Dragos, while improved, still did not match up to Nozomi and Claroty in the asset inventory area. Not excelling in one aspect is not a major issue unless that is the top issue for the customer.

The Rest Of Top Tier and Second Tier

I was rough on Claroty in May’s analysis due to the heavy executive turnover. The team has been stable since May with the exception of Yaniv Vardi joining Claroty in July as CEO, replacing the interim CEO. 

The comment I keep hearing is “we don’t see Claroty that much anymore” or just their name not being mentioned when I ask who the major competitors are. The positive spin on this could be the management team has brought focus to the company and they are being more selective. The negative spin is they either have been forced to cut back due to funding or personnel limitations. Whatever the reason, there has been a pullback in multiple markets.

My May prediction of Claroty being acquired by Siemens, not Siemens-Energy, or Schneider Electric this year is looking grim. Claroty is 2+ years since their last round of funding. Something needs to happen. The Dragos $110M only raises the pressure.

Claroty is still in the game though. They have the best asset inventory capability, slightly edging Nozomi, and their research group continues to put out quality and quantity of work. It’s not the product or technical team that is holding Claroty back.

A few things have become clear with Nozomi:

  1. They are the leading ICS detection vendor in Europe.
  2. They see partnerships as an important vehicle. Just last month they announced Honeywell and Yokogawa will be using their product for managed security services. And they have been gathering small “strategic investments” from large asset owners such as Telefonica and Dubai’s DEWA.
  3. Similar to Claroty, Nozomi needs to raise money in a D round or be acquired.

I still don’t have a prediction for what lies in Nozomi’s future.

The Future? OT Security Rundle

After reading Ben Thompson on bundling and unbundling for years, I’ve been trying to figure out if a bundle will be in the future for OT security. Then Scott Galloway coined the term “Rundle” for a recurring revenue bundle, and I believe that will be the future for some of the winners in this market. 

The most obvious rundle includes an ICS detection software subscription, ICS monitoring services, level 2 and 3 SOC support, and an incident response retainer. A CISO who purchases this rundle, at a significantly reduced price compared to the sum of the services, can make the case they have addressed the detect and respond functions of the Cybersecurity Framework for OT. And the vendor is now an integral part of the ICS security program and painful to pull out.

It also addresses a major problem in this ICS detection market. Asset owners buy the products, make immediate use of the asset inventory, and are often overwhelmed by the detection data deluge. Pass that problem onto someone else.

We see movement in this direction with the vendors adding the pieces they are missing. Nozomi announced their Vantage managed service in October, but is missing incident response. Incident response is key to this rundle because if I’m an asset owner, I want the people that know the most about ICS and the most about the system with forensic data in on the incident response.

Claroty is relying on partners for these services, for now. Dragos could offer this rundle now and likely has customers that are buying some or all of this rundle from them.

The downside to this bundling, I’ve been told, is that the venture community doesn’t value services revenue at the same multiple as software subscription revenue. It’s similar to not wanting to be called a services company. At some point either the revenue is needed or the asset owners aren’t happy with buying a product they can’t handle.

Risk Metrics and IEC 62443 Compliance

Asset owners are asking for cyber asset and zone risk metrics, and the competitors large and small either have them or are working on them as I covered in a recent article.

The other area where demand is driving features is measuring IEC 62443 compliance. This can also support the risk metrics. As an example, Radiflow’s compliance process requires the asset owner to enter information, not relying solely on passively or actively obtained data, and this information can better inform the risk metrics.

Rise Again of Niche Competitors

In May, we saw Tier 2 largely cleared out by acquisitions. This provided an opportunity for the Tier 3 vendors to move up. While I don’t think the tiers are the best way to look at the market anymore, as you will see in Part 2, many of the vendors focused on ICS detection not named Dragos, Claroty or Nozomi are finding wins in niches.

Most of the products are good and have value for an asset owner. So a niche competitor who has a close relationship with the buyer, is willing to spend more time with the customer, be more flexible on demos and pilot pricing, customize their solution, or just knows that niche better will win some deals. 

Rhebo’s winning of projects in Germany is an example of this. Radiflow’s success in Singapore is another. The niche could also be sector based. A competitor could choose to focus on maritime or wastewater and have success. 

Companies like SCADAfence, Otorio, Industrial Defender and others could be viable small businesses for years, and they could set themselves up to be acquired by someone who wants the technology rather than the business.

On Tuesday … Part 2 – The Market Splits

—–

Caveats: As always, full respect for those in the companies trying to start and grow a business. They are, as TR said, the people in the arena.

Some additional company information will be in Part 2 where it made more sense, primarily acquired companies and vendors not exclusively in the ICS detection market.