And without further ado, invite our next speakers to the stage. And this time we have two people from the same company, but with a completely different angle on this whole problem.
So yeah, we know that cybersecurity must evolve. We know there is a lot of trends, consolidation, emergence of platforms and stuff like that. Who better to tell us about those trends than the people who are actually paying for it, in a sense. So please welcome Philipp and Robin. Thank you for the invitation, KuppingerCole team. I know it's departure day, it's the session after lunch. So it's not always an easy one, but please feel free to make it as interactive as possible. Maybe just a quick introduction.
My name is Philipp von Grawert, I'm Managing Director at Stephens and I lead our cybersecurity efforts in Europe. We're an investment bank, we're owned 100% by a family, the Stephens family from the US. The gentleman smiling at you is our owner and his uncle founded the firm 90 years ago. So it's a very stable long-term platform. What we do is we don't invest, but we advise. So what we typically do is on the top right, you can see we advise founders, privately owned companies, quoted companies across mostly M&A, it's our core capability.
So sell side transactions is probably 70% of our deal flow, but also buy side. We also advise on debt, so acquisition financing, refinancing, and then also on equity financing. So if companies go public in the US, we do that as well. We're on 300 investment bankers across North America and Europe, around 70 across Frankfurt and London. And Rob and I were leading the cybersecurity practice out of Europe. And across really all relevant sub-verticals, traditional security, emerging tech, threat intel and managed security. So I'll hand over to Robin for a quick intro from his end and the next page.
My name is Robin Brandenbush. I'm also part of the tech team and specifically the cybersecurity practice in our Frankfurt office. I'm a director here and together with Philipp support the activities in the cybersecurity space. And we have done all our cybersecurity mandates together in the past.
Right, let's start off with setting the scene. So we don't have to tell you too much about the cybersecurity market, but from a perspective of an investor, there are certain areas worth mentioning here.
I mean, starting off with a red ocean market, just meaning it's not a, usually most companies in that space have an incumbent vendor. That's just the nature of the market. It's mostly too important to not do anything at all, which means there is a certain price sensitivity. There's quite a lot of competition and that's how you need to differentiate yourselves against other competitors and other players, usually as a European or German company against the US, but also against Israeli companies and other vendors in the world.
What we see more and more is it's either in the middle substitution risk or cannibalization risk, just meaning big hyperscalers like AWS or Microsoft or others are often offering security features as part of their more broader offering, right? So being at cloud security, being at identity and access management solution, also sometimes DDoS or other web and network application security. And that's why, this is a usual question that investors have. How do you compete against these large platforms and what is your right to win?
And there you need to put a lot of emphasis on really pointing out why you have a right to win and a right to operate in a certain market. And platformization is the last point. It's just meaning that the end users are getting more and more fatigued by a very broad offering. So sometimes they lack cybersecurity expertise in-house and so they're happy if they can get to a vendor who is offering a broader set of features instead of going to several different vendors.
And that's why we see that there are a number of companies who are enhancing their product offering in order to upsell and gain a larger share of wallet. And that, all that results in market consolidation, both from big strategic players, but also from private equity investors who put a lot of capital in the cybersecurity market.
Yeah, I mean, moving on to cybersecurity deal activity. How many of you have been involved in corporate development M&A transactions?
Okay, quite a few actually. So it's not very technical, but just good to know. So what we see is an overall positive momentum in the market. It's been a really, we'll come onto that later in the presentation over the last few years, but we see an improving outlook for M&A.
I mean, there remains uncertainty on a macro level, as we know. It'll be an interesting 25, but, you know, interest rates have stabilized. That returns confidence to the market. It reduces the cost of debt. So that's a positive. There's a lot of investor interest in cybersecurity. There's a lot of dry powder. So private equity capital needs to be deployed. So that is just going to lead to M&A. And if you see on the chart on the bottom left, over the past few years, these are the number of deals in the blue chart at the bottom in North America and Europe in cybersecurity software.
So this year, up to Q3, so up to end of September, we've seen over 150 transactions. The variation levels come up a bit compared to last year. It's around six and a half. It's a medium enterprise value to revenue. That's how currently, that's typically how the market values cybersecurity software companies. Yeah. The other interesting thing is we've seen the return of GoPublic.
So Rubrik, which you might know, it's a data security company backed by Microsoft, raised over $700 million in April this year. And that was the first cybersecurity IPO after two years. So that's a good signal. And then on the right-hand side, you can see that these are selected cybersecurity deals of the past few months. I would highlight maybe three of them. One is the top one, which was announced a few weeks ago. And maybe just stepping back, what is the rationale for these M&A deals? We see mostly three things.
It's either buying capability, so buying technology, a technology gap, filling that gap. It's expanding geographically. And then it's also just scaling, which is important. So if you consolidate, you just have more market relevance. So Sophos and Secureworks was a good example for the technology play. It was $850 million plus transactions. Sophos is backed by Tomo Bravo. Tomo Bravo, as you might know, is the largest investor in cybersecurity worldwide.
And Secureworks basically brought together very complementary MDR and XDR solutions and enabled Sophos to expand into next-gen SIEM and OT security. So it was a tech expansion. The second one I'd highlight is also UK, North America. It's the acquisition of Defender by Quorum Cyber. Quorum Cyber is a UK-based managed security services provider. It's backed by Charles Bank. Charles Bank is, again, a private equity firm. It's actually a private equity arm of the Harvard Endowment Fund.
And they bought Defender, which is a similar profile, so that was clearly a geographic expansion into North America. And the third one I'd highlight is a bit of an odd one. It's the two Swiss flags. It's Swiss Post, who's actually been quite active in cybersecurity, which you wouldn't expect. They bought a business a few years ago called Tresorit. And then they've built a cybersecurity division and recently acquired Open Systems from another private equity firm called Ecotea. And that enabled them to expand their secure communication activities into the SaaS category.
Yeah, so you see different rationale, but definitely an increase in activity and also more and more transatlantic. And hopefully the IPO is going to set some impulse for a future IPO. Please. I was wondering, because you didn't mention or you didn't point it out, that WorkForce is also maybe a good strategy to save WorkForce? That's a good one, yeah.
So, I mean, the acquiring for talent is, I mean, there's a shortage of cybersecurity talent, as we know. So I think that's definitely another one, which is a very, very important aspect to it.
Yeah, we see that, especially in the services space there, it's definitely fighting for skilled labor, especially in SOC offerings, MDR, you know, incident response, these very high level applications. There we see it definitely.
I mean, it's another, it's a good point. Another transaction both of us advised on was a business in southern Germany called Boxcryptor. It's a cloud security business, small business. It was acquired by Dropbox and it was basically, Dropbox was a make or buy decision. They could have developed that product within probably 24 months. They decided to acquire the business in an asset deal. So they just acquired, to your point, the R&D team of 12 people and maybe 10 percent of the IP. That's it. Nothing else.
But that just, you know, they basically cut off two years of development to get that product on board. So, no, it's a very good point.
Yeah, just a few examples of what we mentioned before in terms of consolidation in the market. Philip mentioned Toma Bravo, by far the largest investor into cybersecurity. That's really one of their key investment themes.
I mean, if they like the space, they know it inside out by now. That's why they can get a very good view on certain businesses, how they are developing and if there's potential to add value and do value creation. With SharePoint, for example, they owned it, then did an IPO, then the market cap went down again. The variation was so attractive for them that they took it, delisted it, took it off the stock exchange again.
I mean, this was still some of the consequences from COVID and some other effects, general tech devaluations in the market. And so they now own it again and took it private in early 2020. Ping Identity and ForgeRock was rather surprising for the market because usually Toma Bravo has no problem owning a lot of different companies who might compete a little left and right. But here they said it makes sense for us to combine these two. Most likely, I mean, the IAM space is pretty competitive. You have Microsoft and Okta and some really large players there.
So there was a way to compete against these really big battleships in a better way. I mean, Hornet might be the best blueprint we have in Germany for a very successful buy and build story. So these acquisitions that you're seeing here, they didn't only add certain product features that the company didn't have before, like backup solutions with Altaro, some other security awareness training with IT seal. But it also helped them get better scale, get better conditions. They have a very strong or basically channel-only approach. So they were able to sell more via the existing channel.
But most importantly, it added size and scale. And under the ownership, they have three private equity investors on board. They grew from under 10 million revenue to over 120 million revenue in a few years' time. So rather amazing buy and build story. And Akamai, I mean, it's a well-known name from the U.S., also did quite a few acquisitions left and right, mostly tech tokens. The most recent one was No Name, where they paid a very strategic price. These are some examples we have for you that can move on. First question, yeah, please. I'm pretty sure they didn't acquire Valence. Sorry?
They didn't acquire Valence. Hornet?
No, not Hornet. Akamai. Valence was not acquired. They invested in Valence. We can double check that. All right. Thanks. Thanks for pointing that out. So on this slide, this goes more into detail on what investors are looking at. So on the left, these are the things where you should get a – these are more general, but these are the tick in the boxes who they get quite quickly. So the market dynamics, I mean, cybersecurity, you mentioned it before, there is a lot of regulatory dynamics in there, strong tailwinds. So the market is growing.
There are more attack vendors, the international landscape, the geopolitical market. So that's all tick in the box. So the market is there. The defensible market position is something that we mentioned before where you need to prove your right to win, and that's often where we come in as an advisor, really to make sure we are not technical people, right, but we can position businesses in the best way and take the view of an investor on the business.
And then, obviously, growth strategy and other topics are also important. On the right, these are more quantitative. So you still, especially in Germany, still see businesses with on-prem revenue when they were not developed in the cloud, often also perpetual licenses. So that's something that investors obviously don't like because it's less plannable. So the clear wish is to develop, either do a subscription or SaaS transition pretty fast or have a business that has already done that. So if that's the case, that definitely results in a better valuation.
And then you have other points like customer diversification. Has a business already diversified beyond its core market? For German companies, that's especially important to prove that you can also operate in other jurisdictions. Then we have some typical KPIs like upselling potential, retention rates, and some other things. So what you see is basically a shift in recent years from pure growth focus, right? So if the company was break-even or close to break-even, that was fine. Then they're growing at 40, 50%. Investors were more than happy with that.
But now it has changed to you have to prove that you can operate profitably and not burn too much money. Sorry. Fantastic. I'm just trying to think a little bit on the opposite way. Do you guys think there is a sweet spot on how many investors who should help them more? Because too many investors, in my mind, is like too many cooks, right? And so therefore, do you guys, what do you also say as an advisor? Hello. So basically, what you guys say as an advisor, don't take on any more investors because that will increase bureaucracy. It will increase the amount of stakeholders.
So you will probably end up doing more reporting that you would actually do work. Do you guys consider there is something like a sweet spot? It's hard to generalize, but I think it depends also on the phase of the company.
I mean, what we see very often with small companies, these initial hurdles are getting to 5 million AR, right? Typically, you've got a business angel involved, maybe a VC. Getting to 10 million AR is the next big hurdle. You might have already a small cap private equity in, and the VC and the business angel still remain in as kind of passive minority shareholders. But the small cap PE takes the lead. So you're right to the point, the cap table gets more complex.
So what we typically see then, it's a size category then, above 10 million AR and above 50 million AR, you get to a level where you've got a lot more optionality for investors. And then typically you get one lead investor in who buys out all other passive shareholders. So I think the message should be, you should only have investors on board who add value and are real sparing partners. What is not good to have a bunch of passive legacy investors who just blob up the cap table. That's a bit how I put it.
Yeah, just conscious of time. I mean, this is an interesting chart on growth. So if some of you are decision makers, maybe also about when do I sell a company or a division and you ask yourself, when's the right time? That's always a difficult question to wrestle with. And growth is just a very important factor. And with the benefit of hindsight, we can see, we've looked at data over the past few years, pre and post COVID. And we've looked at, this is a sample of more than 80 SaaS companies. So listed companies, SaaS, North America and Europe, and we've divided them.
The three lines are color coded. High growth, 25% plus growth companies, the dark blue, mid growth, 15, 25% and low growth under 15%. And you can see it's really obvious. We had a bubble during COVID. It was a clear valuation bubble. The data just really points to it. The other thing you can see is high growth are just valued much higher at around 10 times revenue compared to the low growth segment, 4.4.
I mean, that's a big discount you get for lower growth. And actually, the lower growth companies, the blue line, the light blue line is lower value than it was in the years pre COVID. So in the years 17, 18 and 19.
So yeah, it's quite interesting. And this is all NTM. So next 12 months forward looking implied valuation basis.
Yeah, I think that's, yeah, scale. I think we're short on time. So I know you're already standing, I'll run through it shortly.
Well, let's do it this way, being kind of conscious of time and that you only have limited time left. So let's just kind of combine your session with the next panel into a single discussion. So please talk about what you want to present and let our other guests just kind of join you on stage.
Yeah, I'll just continue. So this one is on scale. And it's also an analysis we did on SaaS companies. We looked at over 200 companies in North America and Europe and analyze them by market cap. So you can see the large cap guys are the ones 10 billion market cap and above, small cap one to 10 billion, mid cap one to 10 billion, small cap under 1 billion. And here it's even the discount is even higher compared to growth. You got the large cap companies at 9.4 enterprise value to revenue and the small cap at 2.1. So that's a huge discount. So why is that?
Well, investors like large companies because you just de-risk your investment. Second of all, you've got just a longer track record. You've got a larger base to also do M&A and you just garner more attention, right? So even in the small cap category, if we do the analysis, we'd see also a big gap in that in each category itself. But I think the clear message is scale is important. And that's why we will see more consolidation in the market. It's a must.
Yeah, just real quick, this is the last content slide. So, I mean, in software, investors love KPIs and they love to put numbers to everything just to get a better understanding of how well a company is performing. The rule of 40 is something we'll have heard about. So it's basically some of the organic revenue growth and the EBITDA margin. So this combined should be above 40%. And what you see here is that usually the higher you're up, it can also be a rule of 50 or a rule of 60. We see that more and more.
For example, if a company is growing at 40% and has a 20% margin, it's a rule of 60 business. That's perfect. We love that. So the more, the better. But there are also, this is not the only KPI that the people are looking at when valuing their company. There are also companies right of the rule of 40 who are trading lower than some companies on the left. And this can be different reasons, right? The tech stack can, you know, the market they are in. So investors are taking a deeper look than only looking at one KPI.
Maybe just the last point on this one, you see the best performing company, Gen, has not a great valuation compared to other companies out there. And that's basically because they're only in the B2C segment. So B2C is definitely being punished in comparison to B2B from a valuation perspective. This is only a software. Only cybersecurity software. I'd add two points on it. Go ahead first, please.
Sorry, do we have many slides left? Nope.
No, that's it. Okay. Two points and then I'll take your question. Let's just kind of transition to the panel at the moment. Thank you very much. Tons of stuff to kind of digest. Maybe you just kind of take your shirts at the panel and we already have our first question for the panel.