What Happens When Cybersecurity Unicorns Lose Their Horns?
Noname Security Is Reportedly Up for Sale But Will Have to Shed Its Unicorn Status
2021 might have been the Year of the Ox on the Chinese calendar, but in the world of cybersecurity, it was the year of the unicorn.
Just 10 security startups achieved a valuation of more than $1 billion - or unicorn status - prior to October 2020 and remain privately held today, according to CB Insights. And not a single cyber vendor has notched a billion-dollar valuation over the past eight months as the economic downturn intensified.
But in the 21-month stretch from October 2020 to June 2022, a whopping 48 cybersecurity startups received their unicorn horns, CB Insights found. Many of these companies received 10-figure valuations despite having limited revenue and massive losses, as investors evaluated prospects based on potential rather than performance.
Now that the financial boom has gone bust, what happens to all these unicorns from a different economic era?
What the Economic Downturn Means for Newly Minted Unicorns
Two of these boom-time unicorns have defied the laws of economic gravity as skyrocketing revenue and customer wins provided escape velocity. Cyber insurance startup Coalition increased its valuation from $3.5 billion in 2021 to $5 billion in 2022 after partnering with Allianz, while cloud security startup Wiz raised its valuation from $6 billion in 2021 to $10 billion this February after notching $100 million in ARR (see: Wiz Raises $300M on $10B Valuation to Safeguard Cloud Data).
Two unicorns kicked the valuation can down the road, issuing debt rather than doing another equity round. Security operations vendor Arctic Wolf and cloud security vendor Netskope issued $401 million in convertible notes in October 2022 and January 2023 after achieving valuations of $4.3 billion and $7.5 billion, respectively, in July 2021. The notes will convert into equity once a funding round or IPO occurs.
Thus far, only one security unicorn has publicly bitten the bullet and reduced its valuation to attract financial suitors. That occurred in December 2022, when application security vendor Snyk cut its market cap from $8.5 billion in September 2021 to $7.4 billion to land $196.5 million of Series G funding from the Qatar Investment Authority (see: Snyk Raises $196.5M Weeks After Laying Off 14% of Workforce).
But of the 58 unicorns in the cybersecurity industry today, not a single one has sacrificed its 10-figure valuation to secure a financial future - until now.
Will Noname Security's Valuation Sink Below $1 Billion?
Noname Security was the 27th and final cybersecurity vendor in 2021 to receive a valuation at or above $1 billion, which the API security startup achieved despite emerging from stealth just one year earlier and having less than $5 million in annual sales, according to Calcalist. Noname in December 2021 closed a $135 million Series C funding round led by Georgian and Lightspeed and notched a $1 billion valuation.
Less than 15 months later, Noname is reportedly on the selling block. The company is in negotiations to be acquired, Calcalist reported Tuesday, and several companies, including Akamai, have expressed interest. Both Noname and Akamai declined Information Security Media Group's request for comment.
But there's a catch.
The anticipated purchase price for Noname is only in the "hundreds of millions of dollars," Calcalist says, below the $1 billion Georgian and Lightspeed said the company was worth not too long ago. This would be the first known instance of a security startup losing unicorn status to consummate a transaction. But given how many cyber unicorns were minted in an overheated economy, it's unlikely to be the last.
How many cybersecurity unicorns should we expect to lose their horns? And with the IPO market closed for the indefinite future, how many other billion-dollar startups will exit the space through acquisition?
What's Unique About Noname's Approach to Protecting APIs
Noname Security, founded in 2020, has raised $220 million of outside funding and employs 379 people, up 26% from 300 employees in March 2022, according to LinkedIn. The firm initially focused on securing APIs in runtime environments, identifying vulnerabilities in APIs before they're pushed to production and ensuring all APIs are routed correctly, co-founder and CEO Oz Golan told ISMG in June (see: Why Adversaries Like Going After APIs - and How to Stop Them).
The company recently focused more time and investment on helping organizations secure the APIs they're consuming from outside sources such as cloud and SaaS providers, Golan said. Organizations have far less visibility into outside APIs than APIs they developed on their own, and the challenge is compounded by the encrypting of traffic, meaning companies don't know which third-party apps an API is consuming.
Golan said Noname can be deployed in any environment under any circumstances and is completely out of C band, meaning the technology is very lightweight and isn't influencing other traffic. Noname's platform covers everything from design, preproduction and testing to posture management and runtime security, which Golan says is a broader range than the company's competitors.
Going forward, a central question for Noname and other niche startups will be whether customers like purchasing emerging technologies from a pure-play vendor or as part of a broad security platform. If the latter is true, the API protection market might face rapid consolidation.
Why the Web Application and API Protection Spaces Are Converging
Gartner in September said API security has become a key part of web application firewall evaluations, and WAF companies are competing against specialized API threat protection vendors such as Noname and Salt Security (see: Akamai, Cloudflare, Imperva Top App & API Defense Gartner MQ).
Unlike the traditional web application firewall market - which is a mature, lower-growth sector - Gartner found the bot management and API threat protection markets continue to be quite dynamic. Many web application firewall vendors have introduced decent API discovery capabilities since fall 2021. Akamai's two biggest rivals in the WAF market - Cloudflare and Imperva - have doubled down on defending APIs.
Cloudflare has worked to improve its anomaly detection for API traffic, beefing up its threat intelligence capabilities and building out functionality across client-side security, Vice President of Product Patrick Donahue told ISMG. The company is using unsupervised machine learning to identify where APIs are and what's exposed to the internet and to determine if someone has taken an unusual path through an API.
Imperva, meanwhile, recognized years ago that cloud-native application development would force the web application firewall market to evolve, Vice President of Application Security Ryan Windham told ISMG. Imperva API Security debuted last year to give developers visibility into the APIs' underlying payload and to protect critical applications and infrastructure from automated attacks and API abuses.
Why API Defense Appeals to Application Security Testing Firms
As for applications, Checkmarx Chief Revenue Officer Roman Tuma believes API protection will become prevalent over both dynamic and interactive application security testing in the long run. As a result, Tuma said, Checkmarx determined it was commercially and strategically better to partner with Imperva around DAST and deliver something more cutting-edge to clients around API security in the years ahead (see: Synopsys, Checkmarx Top Gartner MQ for App Security Testing).
Also in the application security testing market, Micro Focus rolled out an API discovery capability that pulls in relevant files, enhances automation and is fully integrated with the API testing process. And testing the efficacy and security of APIs remains challenging given that many API endpoints are headless and lack a front end or interface with the application environment, Synack CEO Jay Kaplan told ISMG.
Synack has tapped into its crowdsourced testing model to conduct adversarial API penetration tests, according to Kaplan, looking not only for vulnerabilities in an ad hoc fashion but also using a checklist-driven approach to ensure the common attack vectors are covered.
Would a company such as Cloudflare, Checkmarx, Imperva or Micro Focus look to leapfrog the competition by purchasing a pure-play leader such as Noname Security? Or would Noname be more appealing to a WAF or application security company with little to no API protection capabilities that's looking to dive headfirst into the market?
Only time will tell.