Last week ICS manufacturer Rockwell Automation bought OT security company Verve Industrial Protection for an undisclosed (non-material) price. Today I’ll cover this from the Verve and OT security company’s point of view. On Thursday I’ll have a bonus article that covers the acquisition from the Rockwell Automation and ICS manufacturer’s point of view.
First, congratulations to founder and current CPO Bob Bevis, CEO John Livingston and the whole team at Verve. It is no small accomplishment to found a company, stay in business for 30 years, and exit with an acquisition of some millions of dollars.
Market Commentary
We are seeing the trend, not unique to OT security, of the second and third tier bowing out as the top tier sorts itself out and widens the gap. It’s best to be on the front end of this trend. In 2019/2020 Microsoft bought CyberX, Cisco bought Sentryo, and Tenable bought Indegy. (Note: I don’t include Forescout buying SecurityMatters. SecurityMatters could still be considered top tier at acquisition.)
These three companies were the leaders in second tier. It was doubtful, but not impossible, that they could rally and reach top tier. It was still early in the market and raising more money at an increased valuation was still possible for them. They had choices. This let them shop for the best deal, and wisely decide it was time to cash out.
Since that time Claroty, Dragos and Nozomi, and newcomer to OT Armis, have all grown significantly in mindshare, employees, money raised, and revenue (although revenue numbers is a subject of much speculation). The gap has widened so much that it is hard to say there is a second tier. The remaining companies in the OT Detection space have to sell if their growth story fades relative to the leaders. In 2022/2023 Sabanci bought Radiflow. Honeywell bought SCADAfence. And now Rockwell Automation bought Verve.
If you are in the OT detection space and you’re not at least doubling every year to catch up, it’s time to get what you can and get out.
There are other OT security product segments that aren’t determined yet. The OT Secure Remote Access market is one example. The question is if this will remain a separate category from the more general Secure Remote Access market. The same could be asked of the OT SDN market and OT EDR market. Is there a separate OT cyber risk management market or will this be a feature of the OT Detection market? The SBOM/ Supply Chain market is still in the very early days and where the action is likely to be the next 3 years.
Verve Commentary
One of the challenges in analyzing these acquisitions is we don’t have the company’s financials nor the acquisition price. Rumors, yes. Confirmation, no. Maybe Verve was in high demand from multiple suitors and got a price they couldn’t refuse. Maybe they were running out of cash and needed to sell. Or anywhere in between.
What product segment did Verve compete in? It’s a question I was never able to answer. Their most similar competitor might be another OG, Industrial Defender. Perhaps this is due to being too early to market. Their main and first offering isn’t achieving the desired growth, so let’s create another product or product extension. And another, and another …
Verve’s solution spanned multiple product segments. This is ok, as minor product extensions to a top three position in an important and fast growing segment. Not the case with Verve.
Verve had a choice. If they were growing, albeit slowly, and were profitable, they could stay the course. Waterfall is one of the small number of examples in the OT security space that has had profitable growth over two decades. It’s in a niche market, one-way technology for OT, unlikely to draw in big name competitors. Waterfall has maintained their focus. Waterfall has been top three, actually number one, for a long time in the one-way technology for OT market.
Another example was PAS pre-sale-to-Hexagon. Their focus on extracting detailed asset inventory and security info from DCS config files was unique and profitable. They could still have a profitable company with this focus today if they didn’t sell.
Verve didn’t have this niche or dominant position. They competed across a number of increasingly competitive product segments. I’m less confident than some of my sources and peers that Verve was consistently profitable and had a likelihood of future profits. They were facing a variety of competitors, OT and OT/IT in asset inventory. The same in detection, OT SIEM and IR. The same in EDR. The same in vulnerability management. Big players with lots of resources. If they have been profitable, the path to maintaining this is hard. Even if their technical solution is strong, they lack the people and resources to compete. They would need to find a niche where the others wouldn’t want to compete.
The other challenge is Verve is 30 years old. 30 years in business is an accomplishment. It’s also hard to make dramatic changes in a 30 year company where the founder is still the CPO. They had a chance, even an advantage with their team and IP, in the go-go times from 2016 – 2020. They had a lead and were passed and left behind. To make a turn around Verve would have had to admit their strategy and implementation had failed the last ten years to capture the market opportunity. They would need an overhaul of leadership, strategy, and large parts of the company. This is so rare. It’s also undeserved. As stated at the start, creating and keeping a company in business for 30 years and selling for millions of dollars is unworthy of such an unhappy ending.
Selling Verve now makes sense. It would have been a better exit in 2019/2020. It is understandable why pre-Covid there was still a belief in Verve that they could catch up to the leaders.