Cybersecurity Investment Market: Here’s to the Resilient Ones

By Anastasia Komissarova – Deputy CEO at Group-IB

I guess we all agree that AI is the hottest segment today – 90% of all discussions in VC / Tech are around AI, mega-rounds, extreme multiples. 3-4 years ago, the very same discussions were about cybersecurity.

Cyber was and still is one of the most well-funded tech segments  – in 2021 alone cybersecurity companies received an unprecedent amount of $21.8 bn (just $8.7 bn in 2023 though). 2021-2022 were the days of crazy valuations and 10x+ EV/Revenue multiples. Basically, it didn’t even matter if you were profitable or even planning to be profitable – if you were good in marketing, had a nice pitch and could sell fear well, the money was yours.

It all changed in 2023. The cost of funds, global instability, new technological shifts led to cooling of investors’ appetite for risk and thus raised quite existential questions for cybersecurity players. 

At the same time cyber threats continue to grow worldwide. In latest Hi-Tech Crime Trends 2023/2024 Group-IB disclosed 74% yoy growth in data leaks, 70% yoy increase in zero-day exploits for sale, 30% reduction of average price of corporate access etc. 

However fear is not selling that well anymore – we start seeing a certain level of fatigue from constant growth of cybersecurity expenses on the customers’ side. New siloed solutions arise every day and CISOs receive hundreds of pitches per month. But is just another EDR a gamechanger for the customer? Or are businesses more interested in receiving a holistic proposal covering most of the key attack vectors? 

If the latter is true (which it is) it could only mean one thing – limited growth opportunities for mono-product vendors. Limited growth of revenue means higher increase of cash burn rate.  Since in most cases such companies got used to accessibility of external financing, which is now gone, we shall be prepared for a new wave of M&As in cybersecurity or for some companies going out of business.

It’s also true that some 5 years ago founders of cybersecurity shops facing doubts about next round valuations could have used another goldmine of tech companies – Initial public offering (IPO). In the past if you were growing fast and generating some $50 mn in annual recurring revenue (ARR) – you were a great IPO target. Most of cybersecurity companies became publicly traded unicorns with ARR around $100 mn. Today it’s also not an option. With current 4-5x EV/Revenue multiples, you need to have a solid ARR of at least $250 mn to be able to have a moderately successful IPO.

So, let’s recap that now:

• • Growing fatigue level of executives in B2B segment limits growth opportunities for niche cybersecurity players
• • Private capital became less available, investor’s now look not only how cool the tech is but how sustainable the business model is.
• • Public markets’ requirements are toughening: only companies that reach significant revenue levels can be viewed as attractive IPO targets.

Some might feel that such shifts limit innovative potential and set higher barriers for entering the market. But I am feeling quite positive as it means the game is becoming more fair and more mature. It’s not just about those who burn cash on marketing and customers acquisition or spend more time in the Valley but more about those who know how to invest smartly and do more with less. I believe everyone will win from such shift in investment perspective:

• • Businesses will be getting better solutions as vendors will focus more on quality of the product than on marketing.
• • Start-ups will learn better financial discipline and healthier growth strategies.
• • Scale-ups will focus on building billion-dollar-revenue companies rather than on billion-dollar valuations.
• • Investors that do choose to invest into cybersecurity shops matching the new criteria even now will generate higher returns as their funds will be used more efficiently.

Cybersecurity has already become an existential part of each company’s strategy and it will preserve its place for years to come. Social significance of cybersecurity issues is crucial: from loss of privacy and advanced disinformation to artificial intelligence abuse. And this shall constantly drive the level of responsibility of cybersecurity companies. Tightening financial requirements, higher maturity of spending decisions from customers and investors will lead to more sustainable growth, higher resilience of cybersecurity companies and thus more probability to minimize cyber threats in the future.