Part 1 – COVID 19 Impact, Tier 2 and Tier 1 Analysis, and Valuation

My previous ICS Detection Market Update was in November, 2019. A lot has changed. Part 2 next week will include analysis of the acquirers, enterprise vendors and Tier 3. As always, huge respect for the people in these companies taking risks and working hard … TR’s “in the arena”.

COVID-19 Impact

This is the most obvious point in the market update … COVID-19 has had a big impact on the companies in the ICS Detection market. The valuation of the companies almost certainly has decreased, with 25% being a reasonable estimate. This will make raising money more costly, give potential acquirers more leverage in negotiations, and accelerate the shaking out of this market.

Revenue numbers will be lower this year and at best be shifted to future quarters. Large rollouts are being delayed or set aside. Proof of concepts, pilot installs, and other in-person sales efforts aren’t happening. Yes, pcaps can be analyzed remotely and remote demo’s can be given. It’s not a substitute. On top of this, a portion of the market has stopped spending wherever possible. Even if a company wants to spend, are the legal department, purchasing department and others able to issue the order? Likely yes, but not with the same efficiency.

The bright side is that some sectors and companies are doing ok or even benefiting from the changes in demand. And critical infrastructure is required so these utilities may be dinged but will not go out of business.

Every company in this market has a different available cash and burn rate, and almost all were in ‘grow fast’ mode. It’s not a bold prediction that some of the 20+ companies will have cash flow issues that will lead to an ungraceful exit. We have seen companies in this market needing investment approximately every two years. The buzz around ICS detection made this money readily available with a decent story. This was already starting to change pre-COVID.

And the most regrettable part is many of the competitors in this market have laid off or terminated employees. It’s likely the right business decision. Hopefully those who lost work got a good exit package, and the red hot ICS hiring market returns to at least a normal level. I do know that many companies are still hiring ICS security pro’s.

One last comment on the COVID impact. Dragos and other companies that had non-trivial recurring service revenues will have a still challenged, but more reliable revenue stream.

Tier 1

The companies in Tier 1 have not changed. The circumstances have. The predictions for these companies are my gun-at-your head must make a prediction, not high confidence.

Claroty

There is something wrong at Claroty. This level of turnover in leadership in one year doesn’t happen in a top startup with a foreseeable lucrative exit.

  • CEO: Amir Zilberstein -> Thorsten Freitag -> Phil Rugani (Interim)
  • CFO: Yaron Shalom – Udi Bar Sela
  • CSO: Dave Weinstein out
  • CMO: Patrick McBride -> Jennifer Leggio
  • COO: Yuval Tzeiri -> Phil Rugani (now Interim CEO)

Leadership on the product side is still intact, and the product continues to be competitive. Claroty still is on short lists and winning some deals. The shake-up is likely an issue with strategy and expectations. The current environment makes uncertain leadership an even larger issue.

Claroty’s next move is more difficult having already raised the market’s largest $93M. Their last round was $60M in June, 2018. With Tier 1 vendor SecurityMatters being acquired for $113M and Tier 2 vendor Indegy being acquired for $78M, both pre-COVID, the numbers are not looking good.

Prediction: Claroty will be acquired this year by Siemens, with a second choice of Schneider Electric. Both of these companies invested in the $60M Series B round.

Dragos

There has not been much change with Dragos since the last update in November. My analysis has changed though as written last February in Prediction: ICS Incident Response Services Will Be Key Criteria For ICS Detection Product Selection. Yes, Dragos will still sell product, but the real value is to have access to their analysts, threat intel feed and incident response.

The value of their incident response service grows substantially if the Dragos product is on site collecting info and awaiting on-site or off-site incident response. This would be true of any vendor as they know their product best. To date Dragos has been the most aggressive and successful by far in selling incident response servers, and most others in the market are pushing off incident response to partners who don’t have credible experience with the product. I expect more vendors to pivot to the product driving services model, especially as the sensors get integrated into the switches, and the ICS detection GUI is replaced in use by whatever the SOC has.

Dragos has two challenges. First, their asset inventory capability still lags the Tier 1 and Tier 2 vendors. This should not be a key determinant in the long run as asset inventory and detection will not be a single solution. They will be two solutions that communicate together. Today, many asset owners have money for one ICS security project and no asset inventory. They want an asset inventory, quick and easy, today, and to start down the detection path. My guess is Dragos can quickly determine if they will win a deal early on based on what is important to the asset owner. They are the most different from the other competitors.

Second, how do they get enough money to weather this COVID storm with certainty. Dragos has raised $48M to date with the last round of $37M in November 2018. At the time I questioned whether they should have raised more. Dragos made the right decision because their current valuation, even with the COVID hit, is likely higher than it was in November 2018.

Prediction: Dragos will have another funding round this summer, and then in 2021 be acquired by Crowdstrike. The company’s value is the unprecedented team of top ICS security talented. It seemed like every month they add multiple well known and respected names to the team. They cut part of this talent in response to COVID. Of all the competitors, Dragos can least afford to lose talent due to reduced revenue. Even if it made business sense it would strike at the key component of their brand — having the largest group of the best talent in detection, analysis and response. It seems sensical to add more in case COVID affects revenue for the rest of 2020 and part of 2021, so they can push off acquisition until valuations recover.

Dragos has followed the Crowdstrike strategy in many ways, has partnered with Crowdstrike, and has the co-founder on the Board. It’s easy to see how these companies fit together and how the Dragos founders and key employees could feel comfortable in Crowdstrike.

Nozomi Networks

Claroty’s loss is Nozomi’s gain. Similar to Dragos, they have not changed much since the November update. Nozomi has continued to execute on their strategy. This is a good thing. If Claroty continues to stumble then it would be a Dragos / Nozomi Top Tier, and those two solutions are quite different. The goal then will to be convince the market of which vision is better, and importantly spend time selling to those who buy into their vision.

Nozomi has not pursued providing managed services or incident response. 

Again similar to Dragos, Nozomi raised $52.5M with the last round occurring in September 2018. While they don’t have the payroll or marketing expenses that Dragos has, they were due to go for another round of funding this year or early 2021. Nozomi has let some staff go in selected markets to cut costs. What will Nozomi due if the total market revenue remains down for another quarter, two or three?

Prediction: ??? I don’t have a good answer here. Is that a problem?

Tier 2

I believe my previous Tier 2 selections are somewhat validated by the acquisition of two (Sentryo acquired by Cisco and Indegy acquired by Tenable) and rumored acquisition of a third (Microsoft to acquire CyberX). The other two companies in Tier 2 in the November ’19 update are Kaspersky and Radiflow. The ICS detection market is a small portion of Kaspersky’s business. They are being moved from Tier 2 to a new category along with the acquirers and will be discussed in Part 2.

Radiflow then will then be the only company in Tier 2, assuming the CyberX sale is real. They are in this tier in large part due the respect I have for the Singapore ST Engineering investment. Radiflow’s focus is on Europe and Asia, so I have less visibility and information then usual. However with the ST Engineering investment and RAD Group track record, the most likely case is they remain a successful mid-size company in this space and are not acquired in the next two years.

With Tier 2 emptying out and a number of potential acquirers in the market, Tier 3 will get sorted out and the best will move up to Tier 2. Tier 2 may be represented by the next companies to be acquired. (Tier 3 analysis next week)

Valuation

The information available on the SecurityMatters, Indegy and potential CyberX acquisitions provide some clues on how the market is valued. 

  • $165M for CyberX would be higher than the others, including former Tier 1 vendor Security Matters which sold for $113M.
  • The cap table and particularly the percentage ownership that remains with the founders may be key. CyberX founders have 6% of the company, based on a detailed article. SecurityMatters had 69% when it was acquired, had control of when to cash out, and walked away with meaningful money.
  • CyberX decision, again if the article is correct, is in the hands of VC’s. Is this why the price is higher and the deal has not closed? Will COVID 19 change the price? Watching closely.
  • CyberX has $47M in venture funding, very similar to Dragos and Nozomi. 
  • Indegy had raised $36M and sold for $78M. Sentryo had raised $13.5M, with no sales price given. Given previous acquisitions it is likely somewhere around $50M.

Next Week: Tier 3, Acquirers and Enterprise Vendors