The Tech Sales Newsletter #84: Cybersecurity in 2024
This week we will review where the cybersecurity ecosystem ended in 2024 and think through some of the key trends and opportunities as we progress into 2025. At the end of the article there are a number of early-stage companies that you should research further if you are interested in those high-risk/high-potential-reward types of opportunities.
The key takeaway
For tech sales: Cybersecurity remains the most technical and hardest-to-figure-out part of cloud infrastructure software. The winners often seem obvious in retrospect and typically there are very few of them. My recommendation remains as usual: focus on platform players, invest the time needed to get a deeper understanding of what's going on beyond the vendor's (often incoherent) marketing talk and aim to join upcoming players that you have an insider view of.
For investors: The majority of investors in cybersecurity stocks probably lost money compared to just following the S&P 500. If you are interested in the sector, you need to stay on top of the current trends and go well beyond financial metrics in order to get a chance at picking the winners. Early-stage investing "can" have higher returns, but I would advise against it if you are not an industry veteran.
A mixed year
Source: Altitude Cyber 2024 Cybersecurity Year In Review
It was an interesting year, mostly driven by the realities of customer budgets. While CISOs continued to receive increased budgets, their actual spend ended up significantly lower than what they requested. Investments moved towards cloud-native, data-oriented, AI-powered products. Acquisitions mostly involved low-growth players who are struggling with the next step. The biggest news of the year was the CrowdStrike outage, which did not exactly bring warmth and fuzziness into how the industry is perceived. Even the public markets were rather "boring", with the biggest winners being Fortinet on the investor expectation of a big appliance refresh cycle over the next two years and CyberArk for a strong displacement performance versus Okta.
Source: Altitude Cyber 2024 Cybersecurity Year In Review
While the volume and deal value of acquisitions went up compared to the lows of the bear market, we are still in a correction phase, not having regained the previous highs of '21. In practice, what that means is that while many cybersecurity companies will get acquired over the next year, we are not yet going into an aggressive "consolidation only" mode, which would drive M&A activity upwards. When (rather than if) that happens, there is no guarantee that the actual acquisitions will significantly go up in value, as companies realize that the platform players have a number of alternatives they can pick from and will aim to sell closer to what pays off the investors, rather than the employees.
Source: Altitude Cyber 2024 Cybersecurity Year In Review
The actual biggest deal of last year didn't even happen - the merger between Juniper and HPE remains on the chopping block, and even if it passes, it remains a highly unattractive value proposition for tech sales.
The HashiCorp merger was closer to a DevOps-related buy, similar to Red Hat, rather than a "cybersecurity play" per se. The most strategic of these is the CyberArk play: the company is aggressively displacing Okta and buying up market share from competitors. At this stage, it's becoming a 50/50 play for a tech sales rep - their strategy is not aimed at rewarding reps for growth, and as Identity Management remains a very saturated market, for many individuals success will depend on getting lucky with their randomly generated list of accounts.
Source: Altitude Cyber 2024 Cybersecurity Year In Review
Financing was more interesting last year, with some obvious high-growth plays. At this stage, none of these look like another Lacework, which is a positive. Wiz is likely oversaturated at this stage, and possibilities for an entry are limited.
Source: Altitude Cyber 2024 Cybersecurity Year In Review
The real winner from last year is unironically CrowdStrike, which rallied from $217 at the outage bottom to $450 by February '25, prior to the local top of the S&P 500.
This was a clean double for anybody who was paying attention and one of the few opportunities most investors will get in this market, assuming they kept their conviction under pressure. For the rest, you need to calibrate with what the alternative of just holding the S&P 500 would have brought (23.31%). If we look at it from that lens, investing in cybersecurity stocks outside of a few winners was an extremely painful experience. The good news is that the underperformers were all obvious if you paid any attention to RepVue and market dynamics.
Source: SentinelOne on RepVue
Opportunities ahead
Source: Altitude Cyber 2024 Cybersecurity Year In Review
While email security is hardly a new topic, there has been a significant tailwind in the sector following the integration of LLMs into scoping and evaluating the threat risk. Abnormal Security and Sublime Security are the two vendors with clear momentum and market potential ahead of them.
Source: Ian Thiel (Co-Founder at Sublime Security)
The big risk for both companies is whether they can keep their own networks safe. Email security vendors are among the organizations most heavily targeted by state-funded threat actors, and you only need one high-profile breach for things to go sideways.
Source: Altitude Cyber 2024 Cybersecurity Year In Review
While the shortage of talented staff has been a consistent theme that "everybody knows" in the industry, a more significant trend has emerged: cybersecurity teams are realizing that they have a significant shortage of skills and knowledge of how a cloud-native, orchestration-oriented world actually operates. To put it more simply, the technical talent today is sitting in Platform Engineering (DevOps), not in cybersecurity teams. While agentic workflows have been highlighted as critical to AI adoption (because they compensate for the shortage of human capacity), the reality is that the bigger issue is "Do our internal teams even understand what's going on?" For a lot of companies this is leading to even more outsourcing, as covered by Venture In Security:
While tech companies have been hiring security engineers and security architects, and embracing an engineering mindset to security operations, the rest of the world works differently. The industry is maturing, but the definition of this "maturity" is much more nuanced. For tech companies, large banks, and the like, maturity may indeed mean hiring technical security practitioners (security engineers, architects, detection engineers, etc.), building customized tools to solve problems unique to their organizations, and so on.
However, they represent at best 1-5% of the market. For the other 95%+ of the market, maturity means admitting that they don't have the expertise to take care of their security needs, that they will most likely never afford that expertise, and that they have no idea where to even get started. For them, the outcome of maturity will be continued delegation of security to third-party providers, which includes security products but much, much more so - security services. Huntress, Arctic Wolf, and others have realized that many years ago. I am bullish about the next generation of security providers that are going to come in the next decade, and if there is one area where in my opinion AI has the potential to make a true difference it would be the delivery of services.
The fact that the government has been going after CISOs will only accelerate the move towards outsourcing security. When security leaders are being held liable for doing their jobs, it only makes sense that more and more of them will prefer to work with third parties to delegate more of security and thus to protect themselves from personal liability.
Source: Altitude Cyber 2024 Cybersecurity Year In Review
To conclude this article with some higher-risk, higher-potential-payoff opportunities, the overview above highlights some of the players trying to position tools that specifically reduce risks related to model implementations.
Source: Software Vendor Analyst Cyber Research
If you are interested in researching this sector further, this is a good opportunity to dig deeper into Francis's work at Software Vendor Analyst Cyber Research and his most recent article on AI security.
Source: SINET16
The SINET awards were also highlighted in the report and can serve as a good overview of high-potential companies that are likely to get acquired. They typically are on the top end of solving a specific problem, but for the most part should not exist as independent companies. If you have an interest in getting on the very risky end of cybersecurity startups with a high likelihood of getting acquired - this is a strong list to research further.