Wiz is a young Israeli startup that develops cloud security products. Founded in January 2020, the company’s estimated revenue is just a few million dollars. Until December 2019 Wiz founder and CEO Assaf Rappaport was head of research and development at Microsoft Israel, which he came to after selling his software-as-a-service startup Adallom to the international giant for $320 million.
This track record helped Rappaport raise $100 million for Wiz in December 2020, “when all he had was a presentation,” as an industry source said. That achievement generated a media buzz for the young startup that turned to a roar two weeks ago after Wiz announced that it had raised $130 million in a second round, at a $1.7 billion valuation post-money, in what was likely the fastest transformation of an Israeli startup into a unicorn, worth at least $1 billion.
Cybersecurity is profiting from the coronavirus pandemic, which pushed the world to shift to working from home and increased global web traffic. As a result, companies have needed to enable remote working and have quickly undergone digitization processes that also necessitate security.
Unicorns are not the exceedingly rare creatures they once were: In March, Wiz was one of four Israeli cybersecurity startups to earn this status. Orca Security, Axonius Solutions and Aqua Security were each valued at between $1 billion and $1.2 billion. As a point of comparison, in all of 2020 there were only five new unicorns in the field of cybersecurity.
Meanwhile, Armis, which passed the unicorn mark a while back, doubled its valuation over the course of a year, to $2 billion. And Bloomberg reported that Sentinel One is looking to go public on Wall Street with a shockingly high $10 billion valuation – only three months after raising money at a $3 billion valuation, and a year after the company passed the $1 billion mark. Even given the pandemic, these valuation increases are rare. The optimism about Sentinel One is partially explained by the rising share price of its main competitor, CrowdStrike, whose valuation shot up by 200% to $400 million, after revenues jumped 92% to $481 million.
Israeli cybersecurity companies raised a total of at least $1.1 billion in the first quarter of 2021, which ended Wednesday. When the official data is published, this past quarter is likely to emerge as a record-breaking quarter for the cybersecurity industry, after companies raised $2.68 billion in total for all of 2020, according to data from IVC (this statistic could still be adjusted upward due to deals for 2020 that were reported only in 2021).
Cybersecurity is becoming a more significant sector within Israel’s high-tech industry. In 2015 cybersecurity companies accounted for 10% of the total money raised by Israeli technology startups, according to IVC data. By 2016-18 their portion crept up to 16%-18%, then 22% in 2019 and 26% in 2020.
Entrepreneurs and investors in the sector say that threats are worsening due to the pandemic, but a look at major companies’ balance sheets does not show that revenues are growing all that quickly. Palo Alto Networks’ revenues grew 23% in the six-month period ending in January versus the parallel period a year earlier, but its share price nearly doubled (90%) over the course of the year. Check Point Software Technologies revenue increased 3.5%, while its share price increased 21%, and Fortinet saw revenue rise 20% and its share price jump 85%. Price-to-earnings ratios increased, as did software share prices in general.
The relatively modest growth experienced by these three publicly held companies may be because they are more veteran firms that may not be benefiting from the changing market as much as younger companies are. But it may also be a reflection of the market’s excessive optimism.
The question of whether cybersecurity valuations are in bubble territory isn’t new, and began back in 2016 as a debate within the venture capital industry. Around that time, investor Adi Shalev stated at an event, “There are too many players in the cybersecurity industry. We explicitly have a bubble. ... Customers, which are corporations, hate or very much don’t like buying niche products from a large number of small suppliers – and that’s a major problem.” Rona Segev-Gal, a founding partner of the TLV Partners venture capital fund, disagreed, saying: “Cybersecurity isn’t a bubble. Attacks and violence are shifting from the physical world to the digital world, and we currently don’t have good means of protecting ourselves. This is something real.”
The cybersecurity market is considered more mature than aspirational markets, such as autonomous cars, and its investors and entrepreneurs are more experienced and more knowledgeable about their customers, the industry and its challenges. Some cybersecurity companies are targeting markets that have emerged suddenly over the past few years, such as internet-connected vehicles. However, when it comes to organizational cybersecurity, Shalev’s point is still valid: Internal data security managers cannot handle dozens of different products from different companies.
One incident that raised the bubble question again was when YL Ventures, a seed-stage venture capital firm focusing on Israeli cybersecurity startups, sold its stake in Axonius for $270 million. YL was the company’s first investor, four years earlier, and Axonius tripled its value to $1.2 billion within one year. The decision to sell raised the question of whether the investors thought the company’s valuation was already too high. YL Ventures Managing Partner Yoav Leitersdorf, who founded the fund, claimed that wasn’t the case. He said the fund didn’t want to sell only part of its holdings and be left with a small percentage of the company but no influence over it. Leitersdorf says that while valuations are high now, those in the cybersecurity industry are still proportionate, as the companies’ sales revenues are very high. “There are some publicly-traded companies whose share-earnings ratios are detached from reality, but this isn’t the case for cybersecurity,” he told TheMarker.
Leitersdorf contends that as opposed to Axonius, which develops a broad range of products, there are dozens if not hundreds of smaller cybersecurity companies developing narrow products – “features” – with backing from “younger” investors. “There are lots of ‘tourist’ investors who entered cybersecurity because it’s a hot field,” he says. “It’s like as if I were to start investing in fish. What do I know about that?”
Arik Kleinstein of the Glilot Capital Partners firm disagrees. “It’s very hard to define what’s a ‘feature’ company. You could also describe CyberArk this way: It sells a tool to manage sensitive data permissions that many organizations want to incorporate into their years-old data security system, and it has annual sales of hundreds of millions of dollars and is valued at $5.5 billion. Should we call it a ‘feature’ company? As in the vehicle industry, you won’t find cars today that come with only seat belts and airbags; now there are other systems such as antilock braking systems that are activated in the event of a collision.”
While investments are being made at high share-earnings ratios, Kleinstein thinks they’re logical. “These companies have a good chance since they’re growing very fast, they have unusually strong teams in terms of their vision and execution capabilities, and we can help expedite this process with money,” he says. “If these companies were to lead a category within the industry, then a $1 billion valuation isn’t high. Firewall protection is already a 20-year-old technology, and it’s still needed and controlled by a few companies with billions in revenues. A mature market can have a few players, and now multiply that by 20 cybersecurity subcategories.”
Kleinstein says companies like Wiz and Orca have done a good job defining solutions in high demand. “Companies that switch over to the cloud need to know their data is properly secured. Time will tell whether these two companies’ approaches will succeed, but logically speaking at least, they seem like very interesting companies. The market is still rational. I’m not clutching my head and saying that someone will lose money for certain.”
Dror Davidoff, CEO and co-founder of cybersecurity unicorn Aqua Security, counters, “There’s a lot of hype,” adding, “There are companies raising money at unhealthy valuations, which is distorting the market.
“There’s a lot of money chasing after ideas and promises of ‘the next big thing,’ disproportionate to the companies’ results, and some of this is not smart money. I’m pretty sure the market will correct itself,” he said.
Other industry players look at what it would mean for companies to actually buy all these cybersecurity products on the market. “A data security manager who wants to protect their company buys lots of products and then needs to implement them, run them and use their data. The manager needs quality employees who may not actually want to work at that company,” says Yuval Wollman, the president of CyberProof.
Nadav Arbel, CEO of CyberHat, adds, “Cybersecurity products are becoming more and more complicated. A customer gets 800 alerts a week from 13 different systems: What are they supposed to do with all that? There are organizations with hundreds of workers but only one data security manager.”
Wollman adds, “There are companies raising $200-$300 million but still have relatively limited operations. They’re raising money at very high ratios, but they’re small fish in an ocean full of whales. Will these companies manage to maintain their growth for five to ten years alongside players like Microsoft and Amazon? I think the pricing isn’t taking this risk into account.”