As Cyberattacks Surge, Security Start-Ups Reap the Rewards

SAN FRANCISCO — As cyberattacks proliferated this year, Sanjay Beri, the chief executive of Netskope, a cloud security start-up, got a phone call. Then an email. Then more messages.

All were from venture capitalists who wanted to invest in his company. Given the ransomware attacks and nation-state hacks that were making headlines, they told him, companies that made security products had a bigger market and mission than before.

“We weren’t looking for capital,” said Mr. Beri, who founded Netskope in 2012, but the cyberattacks “definitely increased their interest.”

After bids from seven investors, Netskope raised $300 million this month at a valuation of $7.5 billion, up from a $2.8 billion valuation last year. It was one of the year’s largest cybersecurity funding rounds, but not the maximum that Netskope could have attained.

“We could have raised $1 billion in capital,” Mr. Beri said.

Recent cyberattacks around the world have taken down operations at gasoline pipelineshospitals and grocery chains and potentially compromised some intelligence agencies. But they have been a bonanza for one group: cybersecurity start-ups.

Investors have poured more than $12.2 billion into start-ups that sell products and services such as cloud security, identify verification and privacy protection so far this year. That exceeds the $10.4 billion that cybersecurity companies raised in all of 2020 and is more than double the $4.8 billion raised in 2016, according to the research firm PitchBook, which tracks funding. Since 2019, the rise in cybersecurity funding has outpaced the increase in overall venture funding.

The surge follows a slew of high-profile ransomware attacks, including against Colonial Pipeline, the software maker Kaseya and the meat processor JBS. When President Biden met with President Vladimir V. Putin of Russia last month, cyberattacks perpetrated by Russians were high on the diplomatic agenda. This month, the Biden administration and its allies also formally accused China of conducting hacks.

The breaches have fueled concerns among companies and governments, leading to increased spending on security products. Worldwide spending on information security and related services is expected to reach $150 billion this year, up 12 percent from a year ago, according to the research company Gartner.

“Before we got to this point, we as security teams were having to go and fight for every penny we could get, and now it’s the exact opposite,” said John Turner, an information security manager at LendingTree, the online lending marketplace. Executives, he said, are asking: “Are we protected? What do you need?”

All of this is set to drive business for cybersecurity companies, creating a potential windfall that has excited investors. The average valuation of cybersecurity companies raising funds this year has more than doubled to $524.1 million from $221.8 million in 2020, according to PitchBook.

“In close to two decades as a V.C., I’ve never seen valuations so escalated,” said Asheem Chandna, a venture capitalist at Greylock Partners, who has invested in security companies such as Palo Alto Networks.

The money is flooding into start-ups that are tackling hackers in new ways. Traditionally, security systems at companies relied on the idea of securing a perimeter. That meant companies installed firewalls and other software to protect access to their corporate network.

But over the past several years, a shift to cloud computing has rendered the perimeter and the reliance on corporate networks obsolete. Employees now get access to applications over the internet, rather than through a data center operated by their employer. That has opened the door to start-ups that focus on cloud-based security and identity verification.

“Don’t build higher fences — have really good ID cards,” said Jason Crabtree, chief executive of Qomplx, a risk analytics start-up that provides identity verification software and is in the process of going public.

The funding frenzy has built for months. The pandemic provided momentum when companies shifted to remote work, which required securing those remote access systems, investors and executives said.

On a Friday evening in October, Mr. Chandna, the Greylock venture capitalist, introduced the chief executive of an email security company he had invested in, Abnormal Security, to another investor, he said. That investor, Venky Ganesan of Menlo Ventures, who had been pursuing a meeting with the chief executive, Evan Reiser, for months, immediately emailed Mr. Reiser to invite him to dinner that night.

Mr. Reiser drove, he said, from San Francisco to Mr. Ganesan’s home in Atherton, Calif., about 30 miles away. By the end of the weekend, Abnormal had signed a deal to raise $50 million at a $600 million valuation, putting its total funding at $74 million. Menlo’s $40 million check was the firm’s largest investment ever.

“As shotgun weddings go, it’s as shotgun as you can get,” Mr. Ganesan said.

Since then, the ransomware attacks have given the funding wave a further boost.

In January, Lacework, a cloud security start-up in San Jose, Calif., garnered $525 million in funding. Investors reached out because of Lacework’s products, which use artificial intelligence to identify threats, said Andy Byron, the company’s chief resource officer. In total, Lacework has raised $625 million since it was founded in 2015.

Mike Speiser, a venture capitalist at Sutter Hill Ventures, which led Lacework’s January financing, had no problem getting other investors to participate, he said.

“I called the five people that I thought were the best investors and asked them if they were interested. They were all interested, and within 48 hours we had a deal,” Mr. Speiser said. “One hundred percent of the people I called said they wanted in. We could have raised well over $1 billion.”

Business has boomed for Lacework because of “the combination of all of these ransomware and nation-state attacks, together with people moving to the cloud so aggressively,” said David Hatfield, who joined the start-up in February as chief executive.

Other security start-ups have also benefited. Orca, a cloud security start-up, raised $210 million in March. Trulioo, a company that makes sure users are who they say they are when they join a platform, collected $394 million last month.

Security start-ups are also being acquired for large sums or are going public. Last month, SentinelOne went public with a market capitalization of over $10 billion, the highest-valued cybersecurity public offering. In May, Auth0, an identity verification company, was bought by Okta, another security company, for $6.5 billion.

Mr. Beri of Netskope said that with cybersecurity threats mounting, the funding boom was likely to continue.

“Many investors are not security savvy,” he said. “But when your next-door neighbors go, ‘Hey, what’s up with this ransomware stuff,’ then you know that it’s reached public consciousness. From an investor’s perspective, when something hits the average person’s mind, they realize: ‘Wow. This is here to stay.’”