It’s been over five years now since the OT Asset Inventory and Detection market sorted itself out. The top tier has changed little. The increased acceptance of cloud-based solutions has helped Armis join original top tier vendors Claroty, Dragos, and Nozomi. There still are a number of vendors in the bottom tier who can focus on a sector, geography, and offer extreme attention and customization to stay in business. If they stay small, they can even be profitable.
The big change that occurred ~5 years ago is most of the middle tier got acquired.
- Forescout acquired SecurityMatters in 2018
- Tenable acquired Indegy in 2019
- Cisco acquired Sentryo in 2019
- Microsoft acquired CyberX in 2020
These exits were all success stories for the founders and investors. Not home runs, but solid singles mostly with maybe one Texas Leaguer. The best exit was the first, Security Matters. Not because of the $113M price, but because the founders got almost all of that money.
How did the acquirers fare with their purchases? Not as well, which is typical for acquisitions.
Microsoft has done the best, primarily because their goal was not to acquire a product or customer base. In fact, CyberX customers have moved on as expected. Microsoft wanted the OT protocol code and related IP plus the development team to speed improvements of their Azure IIoT offerings. Microsoft could have done this cheaper, but not faster than this acquisition. Given the size and importance of Azure … Verdict: Successful acquisition.
The other three acquirers were looking to add OT capabilities to their IT product lines. Tenable was the most promising of the three. They had and have a large installed base of enterprise/IT customers who have OT that is the reason the companies are in business. Hypothesis: add OT capabilities to the product and have a credible solution for the entire company. Tenable hired ex-INL, DHS, ISA Marty Edwards and got instant credibility. More competent OT security talent was brought on board. It looked promising.
The problem was the product seemed to languish. The integration was lacking. And the OT story not well presented. Why? I don’t know. I do know they let go of Marty and most of the OT security talent last summer. They haven’t been sponsoring or showing up at industry events or creating OT security content since summer 2024. Verdict: Failed acquisition.
Cisco is well known for their failed security company acquisitions. Buy a company. Market the new solution. Channel can’t or won’t move it. Solution gets discontinued. The Sentryo acquisition made technical sense. Cisco could provide the sensor as a low cost / no cost container in their network infrastructure equipment and charge for the management application.
The problem is, like other security acquisitions, the channel can’t or won’t sell it. When I participate in an RFP for an asset owner I ask do they use Cisco (or Fortinet or Tenable). If the answer is yes, they get included in the RFP. What I don’t do is go through my contacts with those companies. I let the asset owner work with their normal sales and support channels, see what they offer and how they perform. The answer in my admittedly limited experiences is quite poorly.
The channel partner doesn’t know the product, doesn’t bring in the right resources to help, and surprisingly has been the most expensive solution. This product, like many previous Cisco security acquisitions, is a grain of sand in the beach of Cisco offerings. Current verdict: Failed Acquisition
What could change? Splunk’s OT Security add-on has been promising from V1.0 given the Splunk deployed base. It is a path to the unified IT/OT SOC. Most OT asset inventory and detection solutions can send data to Splunk, and it’s not in their interest to do this unless the customer demands it. Every second the asset owned diverts from the OT product to Splunk reduces the value of the OT security product.
If Cisco hasn’t given up on Cyber Vision, they should focus on making the switch container version of the product so low cost and so simple that it’s a no-brainer to add, and then send the data directly to Splunk. Low cost and existing systems can overcome being a lesser product. Old timers will remember the dent the relatively very low cost Cisco’s PIX firewall gave the firewall market leader Checkpoint.
Forescout made the first major acquisition in this space by acquiring former top tier vendor SecurityMatters. The verdict on this is tougher. Their market cap was $1.45B the day before the SecurityMatters acquisition announcement and 14 months later they were acquired and taken private for $1.9B. Did SecurityMatters help the story that led to the acquisition? If yes, then it would be a successful acquisition.
Forescout is rarely competing with Claroty/Dragos/Nozomi. They do go head to head with Armis a bit more. As a long term development of the market position they bought in SecurityMatters it would be a failure. Like others outside the top tier, it will take something to shake up what has been a consistent strata in this product segment. They could be more successful in markets that are less visible to the OT world. Verdict: You tell me.
Two more recent acquisitions in this space:
- Honeywell acquired SCADAfence in 2023
- Rockwell Automation acquired Verve in 2023 (not a pure play competitor)
These were smart exits by the founding team. Unless they were happy focusing on being a smaller, profitable niche company they were in trouble.
What is unclear is how OT product security offerings will work in very large ICS vendors. Microsoft showed the way. Take the IP and talent and use it to improve the core ICS offering by integrating and adding security. I’m skeptical selling add on security solutions is a viable business for two reasons. First, their market is practically limited to their own ICS customers (so why not integrate it in those ICS). Second, they have the Cisco problem that it is a blip of sales / profit for the company.
Using these products and capabilities as part of a managed service is more likely to succeed. It has a number of problems, fox watching hen house being the biggest. And yet the relationship between these vendors and customers and integrators is often strong enough to overcome these reservations.
Forced prediction: I’d say these product offerings will fade away. Losing support during tough times when a tight focus is mandated. Still this is a low confidence prediction. There are a number of paths to success for these acquisitions.