Okta Ventures’ Austin Arensberg says cybersecurity startups need a new strategy from series B onwards if they want a profitable exit.
Cybersecurity startups aren’t struggling to get funding, but founders are finding it increasingly tricky to exit, according to Austin Arensberg, head of identity management software producer Okta’s corporate VC arm.
Cybersecurity is one of the key components in the Okta Ventures investment portfolio, and is also one of the few investment sectors that hasn’t seen much of a decrease in investment levels following the covid era boom of 2021 and 2022.
That is partly because startups in markets like Israel are getting better at translating their technology into marketable software products, Arensberg says. There is also an increasing number of startups emerging to address new threats created by artificial intelligence.
But there is now a problem with exits. Relatively few cybersecurity companies have so far made it to the public markets, where it is still difficult for tech startups to float. That means exits tend to come through acquisitions. But the valuations of growth stage cybersecurity startups have climbed too high for potential buyers.
“In 2021 and 2022 when rounds were really highly valued, the stock market was also highly valued,” explains Arensberg. “That allowed for some sort of exit environment because the overvalued public companies could buy the overvalued private companies.
“Today, the public stock markets have come back to reasonable 10-year norms. They’ve contracted. But the private marketplace either has legacy valuations from 2021 or they’re new AI startups that are also getting inflated valuations.”
The other issue is that there are too many cybersecurity startups addressing similar issues. Achieving a good valuation may be relatively straightforward when you’re fundraising, but when it comes to exit time you’re competing against multiple rivals, making it trickier to get a good price.
“In every single category in security, you have three to five relevant competitors at similar stages.”
“In every single category in security, you have three to five relevant competitors at similar stages,” Arensberg says. “What that means is the corporate development teams in those public companies, the potential acquirers, have options.
“So, even the best company in a particular category might not get bought. It may be the smaller one that gets bought, because the corporate development team believes it has the integration capacity to bring on that company and help build it.”
There have been few cybersecurity acquisitions above $500m, says Arensberg. A good company can get enough interest from investors to raise the money they want without diluting the shares so much. But then the valuation jumps over $500m and an exit becomes harder.
For instance, he says, a really hot cybersecurity startup might raise $200m for a series B round and that’s great. But now it needs to sell for $600m to clear a profit for investors and a $300m exit isn’t attractive anymore.
Portfolio companies should be getting an acquisition offer when they’re raising series B funding.
That’s why Arensberg tells startups series B is the most important round. He thinks portfolio companies should be gauging interest from corporate development teams and even getting an acquisition offer when they’re raising series B funding. That way you have an apple-to-apple comparison: the valuation of your next round versus the size of a potential acquisition, and you can price the rounds accordingly.
High valuations have also led to more interest in seed and series A stage rounds, because these are the only ones seen as offering a good return.
“What we’re seeing is highly competitive first rounds – inception rounds – because in order to achieve venture returns at an 8x to 10x profile, you need to be operating at seed,” he says.
“That would allow your $500m exit to potentially have a 10x outcome for the VCs backing you. And so, we’re seeing second-time cybersecurity founders being able to raise $10m, $20m, $30m, even up to $50m for their very first round of financing.”
AI expands the “blast radius” of cyber attacks
There are many factors in cybersecurity’s resilience, but the largest is simply that threats are expanding, with AI at the tip of the spear.
The AI threat has two sides. Hackers use AI to enhance their attacks, for example by using it to generate a million different variants of SMS-based phishing. But, says Arensberg (below), the wider danger is that companies using AI agents drastically increases the range of places they’re vulnerable.
“The potential blast radius for a human is relatively limited, simply by the amount of activities I can command at any one point in time,” he explains. You have permissions attached to your name and position but there are only so many things you can do or times you sign on during the course of the day.
“As an AI agent, essentially a robot that is operating within the SaaS environment, my blast radius can be much bigger because I can be logging into Salesforce 15,000 times a day to gather information,” he explains. “So, we have to completely think of the almost superhuman capabilities of these agents to have access to tools and assets [at a level] that we never thought would be like a normal scaled access point. The dangers are much greater.”
On the other side, AI is also giving cybersecurity startups greater capabilities to fight off attacks.
“If you look at something like a security operation command or control [centre], you can have an agent that understands every single threat that has been published by the government in the past week,” he says. “And then when it finds a threat inside your environment, it can contextualise that information and provide it in a very simple format to a security engineer to allow them to take action on that threat.”
Organisations are also more likely to be facing off attacks from sophisticated criminal operations using AI technologies like deepfakes and voice replication to launch identity-focused attacks on individuals. The attackers often go beyond criminal gangs.
“Some of these threat actors are state actors, so they could have tens of thousands of employees trying to refine a particular type of attack,” Arensberg says. “It is very difficult and asymmetric to be able to counter that, and they can operate at scale with a cost structure that is completely different to the average corporation. A lot of security companies are looking at some of the new attacks.”
Protection from these threats crosses into identity verification, which is Okta’s speciality. Arensberg cites recent cases of businesses unwittingly leaving themselves open to attacks by remotely hiring employees who turned out to be North Korean hackers. That’s why Okta Ventures’ portfolio includes Oyster, creator of a secure cross-border hiring and employment platform.
Cybersecurity has become a strategic bet for most CVC funds. Businesses from energy companies to hospitals and car manufacturers all have cybersecurity startups in their portfolio because they are vulnerable to attacks.
But Arensberg has a word of caution for startups developing cybersecurity platforms centred on AI — and those investing in them. Make sure the technology provides a lasting edge, otherwise it may soon be yesterday’s news.
“The standard of capabilities keeps on rising so fast that a lot of startups that think they may have a particular angle will find that actually, that’s available for everyone,” Arensberg says. “Commodification is the common theme that we ask ourselves and the investment committee: whether or not the startup using some of this new tooling has an edge or whether some of the larger models will make their work irrelevant.
“A common complaint is that something is like a wrapper for ChatGPT. And so if everybody has these tools, what does that mean for a startup’s prospects at growth stage? You really have to be very thoughtful about what your edge is and be able to execute on it.”