10 biggest cybersecurity M&A deals of 2019

2019 was another big year for mergers and acquisitions (M&A) in the cybersecurity industry. According to Momentum Cyber, more than 150 deals totaling more than $23 billion in value took place this year. Four billion-dollar deals have occurred in the security space this year, the same as in 2018.

Technology M&A advisory firm Hampleton Partners’ latest report shows that 30% of all deals were for security services providers, with identity and access management (22%), network and endpoint security (15%), and anti-malware (11%) rounding out the top four.

Here are the ten largest cybersecurity M&A deals from 2019 and an early look at what to expect in 2020

1. Broadcom buys Symantec’s enterprise security business for $10.7 billion

Broadcom, which spent $18.9 billion buying CA Technologies in 2018, this year acquired Symantec’s enterprise security business for $10.7 billion — by far the year’s largest acquisition in the security market.

Broadcom CEO Hock Tan has said he plans for the company to focus on Global 2000 organizations as small- to medium-sized businesses (SMBs) are less “sticky.” Symantec retained its consumer-facing brands including LifeLock and Norton and has rebranded to NortonLifeLock.

“Broadcom is functioning less as a strategic product provider and more as a financial investor. This isn’t a product-synergy move,” explains Henrik Jeberg, director at Hampleton Partners. “Rather, Broadcom sees Symantec’s struggles in a growth market as an opportunity to optimize returns on an underperforming asset. Reducing costs and improving sales are only the tactical part of the challenge. Strategically, the Symantec of tomorrow will have to make hard choices to embrace, on the one hand, a future defined by cloud and cloud-native technologies, and internet of things (IoT).”

2. Thales completes its acquisition of Gemalto for $5.4 billion

First announced in late 2017, the acquisition for the digital security provider could only be completed this year after Thales had offloaded hardware security module company nCipher to Entrust. Gemalto will be renamed Digital Identity and Security (DIS) and will be one of Thales’s seven global divisions.

3. Francisco Partners and Evergreen Coast Capital Corporation buy LogMeIn for $4.3 billion

One of many private equity deals in the list, PE firms Francisco Partners and Evergreen announced in late December that they had acquired collaboration software provider LogMeIn for $4.3 billion. Included in the deal was password manager LastPass, which LogMeIn bought for $110 million in 2015.

“We believe our partnership with Francisco Partners and Evergreen will help put us in a position to deliver the operational benefits needed to achieve sustained growth over the long term,” LogMeIn CEO Bill Wagner said in a statement.

Fransisco Partner’s CEO Dipanjan Deb added that the deal ‘builds on the strength of the firm’s infrastructure and security software franchise’ which currently includes Quest, One Identity, BeyondTrust, SonicWall and WatchGuard.

4. Thoma Bravo buys Sophos for $3.9 billion

Following a busy 2018, spending a collective $4.75 billion acquiring Imperva, Barracuda Networks and Veracode, Thoma Bravo slowed its pace in 2019, acquiring UK-based Sophos for $3.9 billion.

“The acquisition will put Sophos — a company that until now primarily targeted the mid-market segment — on the fast lane towards developing next-gen cybersecurity solutions for the enterprise,” says Jeberg.

Sophos itself had been busy in 2019, snapping up San Francisco-based cloud security startup Avid Secure, endpoint security platform DarkBytes, and MDR provider Rook Security.

This, along with Insight Venture Partners buying Recorded Future (more on that below) and Sonatype, continues the recent trend of private investment firms seeing a lot of value — or at least profit potential — in the cybersecurity space. Hampleton Partners reports that nearly 13% of security M&A deals in 2019 were by private equity firms, a higher proportion than any other year this decade.

“Sophos will be the tenth cybersecurity/identity and access management company to join Thoma Bravo’s ranks in the last three years, the beginning of which started with the McAfee acquisition in 2017. In 2018, it acquired Barracuda Networks, a company noted for its network and cloud security prowess, and therefore a direct competitor of Sophos.

5. VMware buys Carbon Black for $2.1 billion

Virtualization giant VMware has been slowly increasing its security product portfolio over the last few years, but with the $2.1 billion acquisition of cloud-based endpoint protection provider Carbon Black, the company has become a full-blown security provider. The company has said Carbon Black will “form the nucleus” of VMware’s security offerings going forward.

“In purchasing the agent-based endpoint security vendor, VMware is looking to expand its visibility across IT systems,” says Jeberg. “That’s already a key aspect of security and one that will likely become more important as communication becomes increasingly encrypted and endpoints become increasingly varied.”

VMware also bought Intrinsic, a San Francisco-based security start-up focusing on serverless computing in 2019.

6. OpenText buys Carbonite for $1.42 billion, and Carbonite buys Webroot for $618 million

In February, cloud backup and recovery firm Carbonite acquired endpoint security and threat intelligence provider Webroot for $618.5 million in an effort to unify data protection and cyber security technologies. By November, Canadian information management company OpenText announced it had acquired Carbonite for $1.42 billion to build on its current security portfolio and appeal more to the SMB market.

“This acquisition will further strengthen OpenText as a leader in cloud platforms, complete endpoint security and protection,” said CEO and CTO Mark Barrenechea, “and will open a new route to connect with customers.”

“Carbonite ranks among the largest cloud backup vendors, with a focus on the SMB and prosumer markets,” says Jeberg. “This deal should enable OpenText to leverage Carbonite’s existing offerings and go-to-market channel, while potentially helping the buyer integrate data backup and endpoint-protection capabilities into its existing security offering.”

7. F5 buys Shape Security for $1 billion

An acquisition announced very late in the year, Seattle-based F5 revealed that it was buying Santa Clara startup Shape Security for $1 billion in cash. Shape provides a number of solutions around application security and fraud prevention.

“Shape’s machine learning and AI-powered capabilities will scale and extend F5’s broad portfolio of application services,” said F5 President and CEO, François Locoh-Donou, “and expand our ability to optimize and protect customers’ applications in an increasingly complex multi-cloud world.”

8. Jacobs Engineering Group buys KeyW Corp for $815 million

American technical professional services firm announced in April it was acquiring KeyW, a professional engineering services provider, for $815 million. KeyW’s cyber-services including “offensive cyber operations,” risk assessment, penetration testing, network hardening and training courses. Jacobs said it planned to integrate of KeyW into its aerospace, technology and nuclear business to expand its offerings around intelligence, cyber and counterterrorism

9. Insight Venture Partners buys Recorded Future for $780 million

Continuing the previous year’s heavy spending by investment firms in the security space, Insight Venture Partners bought threat intelligence provider Recorded Future for $780 million in May 2019. “Recorded generates information to help customers better understand the external cyber threats they are facing. It’s easy to see where a company like that could have value in today’s world,” explains Hampleton’s Jeberg.

Cybersecurity is one of the key fields of interest for Insight, with Insight partner Teddie Wardi previously saying the company believes “it is possible to build giant companies in this sector.”

Insight Venture Partners has a large portfolio of security companies including ownership or investment in Tenable, OneTrust, Thycotic, Darktrace and SentinalOne. According to Insight, the two companies will “leverage Insight’s deep experience and internal consulting arm, Insight Onsite, to further its technical and product vision through a range of growth-oriented activities.

10. Orange buys SecureLink for $577 million

Following AT&T’s acquisition of AlienVault for around $600 million last year, 2019 saw another telco making major moves into the security consulting space with Orange buying Dutch managed security services provider SecureLink for just over half a billion Euros. This, along with the company’s purchase of the UK’s SecureData in February, has made the company a large player in the European security consulting space almost overnight.

“Telecos have been diversifying beyond core ISP business for a while, especially Orange which has had a string of business services acquisitions recently,” explains Jeberg. “I believe there are two interacting major forces in play: First the more commoditized the raw data transport becomes, the more the push for differentiating moves. Second is that cybersecurity will be not only a differentiating factor from a marketing standpoint, it is simply a need for telcos to provide a safe mode of transport.”

Other notable cybersecurity acquisitions

Most of the big security firms made deals in 2019 in what Jeberg describes as “smaller, tuck-in acquisitions” that boost their overall security offerings:

• Palo Alto bought Demisto for $560 million and PureSec for $410 million.
• Fortinet bought California-based endpoint security provider enSilo.
• Trend Micro spent $70 million on Australian cloud security startup Cloud Conformity.
• McAfee bought container security startup NanoSec.
• FireEye acquired security instrumentation vendor Verodin.
• Check Point bought web application and API startup ForceNock.
• Proofpoint spent close to $400 million in 2019 — $225 million on ObserveIT to extend its data loss prevention offering and $120 million for zero-trust access provider Meta Networks.

In the telecom space, NTT Security, Dimension Data and NTT Communications were folded into a new technology services banner of NTT Ltd. (NTT also bought application security provider WhiteHat Security but plans to keep it as a standalone business.) Comcast announced it acquired Virginia-based BlueVector.

Two private firms bought groups of smaller security companies and rolled their capabilities into new firms. Australian private equity firm BGH Capital launched a new cyber consulting firm called CyberCX after acquiring 12 Australian MSSPs – Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co., Phriendly Phishing, Sense of Security, Shearwater, TSS and YellIT – and rolling them into one company.

Investment firm Sunstone Partners completed a triple acquisition of Terra Verde Security, TruShield Security Solutions and Sword and Shield Enterprise Security and then combined the three to create a new managed cybersecurity services entity called Avertium. “Avertium will focus its comprehensive expertise on supporting mid-to-large enterprises, making it one of the largest managed cybersecurity services companies focused on this market,” says Jeberg.

HP Inc. bought endpoint security start-up Bromium and has said it plans to combine its virtualization-based security technology into HP’s Sure Sense, Sure View and Sure Start products.

Cisco announced it had acquired operational technology (OT) cybersecurity firm Sentryo for an undisclosed amount.

While not an acquisition, Alphabet’s security “moonshot” company Chronicle was folded into Google Cloud. While some viewed it as another product failure for the company, Jeberg thinks that the move makes strategic sense for Google Cloud, which he says has been “bulking up its team as of late” most recently by acquiring the data analytics company Looker.

Cyber M&A in 2020

2019 was one of, if not the outright, busiest and most valuable years on record for cybersecurity M&A activity. Hampleton Partners predicts that acquisitions will continue at a high level as incumbents battle to complete the “single pane of glass” promise. Jeberg acknowledges that the rapid consolidation of many startups into existing large companies has its pros and cons for CISOs.

“The move towards suites with broad, if not all-encompassing, functionality makes it easier to acquire and maintain the necessary bits and pieces to secure your environment and manage cyber risk,” says Jeberg. “However, it reintroduces the classic suite vs. best-of-breed discussion. CISOs will be married to one vendor, and it will be more difficult to pick and choose the best-suited individual components to satisfy their particular risk profile.”

The largest deals of 2020 so far have been:

• Insight Partners buys Veeam for $5 billion
• Symphony Technology Group buys RSA for $2.075 billion
• Advent International buys Forescout for $1.4 billion
• Hellman & Friedman buys Checkmarx from Insight Partners for $1.15 billion
• Insight Partners buys Armis for $1.1 billion
• LexisNexis Risk Solutions buys Emailage for a reported $480 million
• Palo Alto Buys CloudGenix for $420 million
• LexisNexis Risk Solutions buys NortonLifeLock’s ID Analytics Business for $375 million
• WatchGuard Technologies buys Panda Security for a reported €250 million [~$286.5 million]
• Palo Alto buys The Crypsis Group for $265 million
• Investcorp Technology Partners buys Avira for $180 million
• Microsoft buys CyberX for a reported $165 million
• Rapid7 buys Divvy Cloud for $145 million

Here’s a list of disclosed cybersecurity M&A deals in 2020:

August 24: Palo Alto Networks announced it would acquire incident response and digital forensics consulting firm The Crypsis Group from ZP Group for $265 million. Palo Alto said it plans to integrate The Crypsis Group’s processes and technology into its Cortex XDR platform.

August 24: Kaseya announced it had acquired phishing protection provider Graphus for an undisclosed amount.

August 13: Healthcare cybersecurity firm MedCrypt Inc. bought MedISAO, a provider of cybersecurity information sharing for the medical device industry.

August 6: LogPoint announced it had acquired SAP security solution agileSI from Orange Cyberdefense for an undisclosed fee.

July 30: In its second deal of the year, Mimecast acquired eTorch Inc, the owner of messaging security provider MessageControl. 

July 29: Qualys announced that it had bought the software assets of Spell Security to bring endpoint behavior detection and additional telemetry to the Qualys Cloud Platform.

July 20: Fortinet acquired cloud security company OPAQ Networks. Fortinet plans to combine its Security Fabric product with OPAQ’s Zero Trust Network Access solution.

July 16: Acronis bought DLP provider DeviceLock. Acronis said it will integrate DeviceLock’s technology into the Acronis Cyber Platform while keeping the company wholly-owned subsidiary and continuing support for DeviceLock DLP.

July 14: Managed security services provider CyberCX acquired Basis Networks.

July 10: Datapath announced it had bought MSP Bright Bear Technology Solutions.

July 9: Herjavec Group revealed it had bought UK Identity Management firm Securience.

July 1: VMware announced it had bought disaster recovery firm Datrium for an undisclosed amount.

June 30: OneTrust acquired data discovery firm Integris Software.

June 24: Atos bought Managed Detection and Response firm Paladion for an undisclosed fee.

June 23: Siemens Digital Industries (DI) acquired UltraSoC, a Cambridge, UK-based System on Chip security startup. Siemens plans to integrate UltraSoC’s technology into the Xcelerator portfolio as part of Mentor’s Tessent software product suite.

June 22: Microsoft announced it had bought CyberX, a specialist IIoT and OT security firm for a reported $165 million. 

June 15: IBM bought Spanugo, a cloud security firm serving the financial services sector. Spanugo will be rolled into IBM’s financial services public cloud to assist clients’ compliance efforts.

June 11: GitLab announced a double acquisition in application security testing firm Peach Tech and continuous fuzz testing solution Fuzzit.

June 4: VMware announced it had bought LastLine and planned to incorporate its malware detection capabilities into Carbon Black’s Threat Analysis Unit and the VMware NSX team.

June 2: Thoma Bravo acquired secure business partner management firm Exostar.  

June 2: Thycotic announced it had bought privileged access management provider Onion ID for an undisclosed amount.

May 28: Zscaler announced its second acquisition of the year in application authentication startup Edgewise Networks.

May 21: Information archiving firm Smarsh announced it had bought Entreda, a cyber-risk and compliance specialist in the wealth management industry. Entreda will continue to operate as a stand-alone, wholly-owned subsidiary.

May 21: Open Systems acquired Azure security specialist Born in the Cloud for an undisclosed amount.

May 20: Singaporean startup Responsible Cyber bought digital identity specialist Secucial for $7 million.

May 14: Venafi announced it had acquired UK-based Kubernetes training and services provider Jetstack. 

May 13: Code quality and security firm SonarSource announced it had bought static application security testing startup RIPS Technologies.

May 13:CyberArk acquired Identity as a Service provider Idaptive in a deal worth $70 million.

May 13: VMWare revealed it has bought Octarine, a security platform for Kubernetes applications, for an undisclosed fee. Octarine technology will be embedded into the VMware Carbon Black Cloud.

May 7: Under-fire video app Zoom announced it had bought end-to-end encryption messaging and file-sharing startup Keybase for an undisclosed fee and plans to offer end-to-end encrypted meeting mode to all paid accounts in the future.

April 28: Rapid7 announced it had acquired cloud security posture management company Divvy Cloud for around $145 million.

April 21: Terahash, a provider of password cracking software and appliances, acquired the L0phtCrack password auditing software. The company plans to integrate L0phtCrack with its own Hashstack software.

April 16: SOAR startup Swimlane acquired incident response firm Syncurity Corporation for an undisclosed amount.

April 16: Auriga revealed it had bought the Lookwise Device Manager business unit from European MSSP S21sec. Terms were not disclosed.

April 9: Private equity firm Investcorp Technology Partners acquired Germany antivirus company Avira for $180 million.

April 9: Zscaler announced it had bought Cloudneeti for an undisclosed fee. Cloudneeti’s cloud misconfiguration detection and remediation technology will be integrated into Zscaler’s Cloud Security platform.

April 7: Accenture acquired US cybersecurity startup Revolutionary Security, its third security purchase of the year. Terms were not disclosed.

March 31: In its first acquisition of the year, Palo Alto announced it was buying SD-WAN provider CloudGenix for $420 million. The company plans to integrate CloudGenix’s cloud-managed SD-WAN products into its Prisma Access package.

March 16: Hellman & Friedman bought Checkmarx from Insight Partners for $1.15 billion.

March 16: Deloitte acquired Australian security consulting firm Zimbani for an undisclosed fee.

March 12: Auth0 announced its first acquisition in Apility.io, an API-security startup that identifies blacklisted IP addresses, domains, and email addresses. Terms were not disclosed.

March 11: SOC service provider OutSOC made its first acquisition in SIEMPlexus Technology. Terms were not disclosed.

March 9: WatchGuard Technologies announced it would acquire Spanish endpoint security firm Panda Security. The two companies have said they will consolidate security services under the single WatchGuard brand. Terms were not disclosed but Panda was reportedly valued at around €250 million [~$286.5 million].

March 6: Accenture revealed it had bought UK cybersecurity consultancy firm Context Information Security from Babcock International Group for an undisclosed amount.

February 24: McAfee announced it had bought browser isolation startup Light Point Security. Terms were not disclosed but Light Point will be integrated into Secure Web Gateway and MVISION UCE products.

February 24: German cybersecurity firm Utimaco GmbH acquired cryptographic key management firm Geobridge Corporation for an undisclosed price.

February 20: In its first acquisition, Nominet announced it had bought Boston-based network security startup CyGlass for an undisclosed amount.

February 18: Private equity firm Symphony Technology Group announced it had acquired RSA from Dell Technologies for $2.075 billion. The all-cash deal includes RSA Archer, RSA NetWitness Platform, RSA SecurID, RSA Fraud and Risk Intelligence, and the RSA Conference.

February 11: Behavioral biometrics company BioCatch acquired biometric authentication platform provider AimBrain.

February 6: Private equity firms Advent International and Crosspoint Capital acquired for $1.9 billion. This price was later lowered to $1.43 billion.

February 5: Relx subsidiary LexisNexis Risk Solutions announced it had bought fraud prevention and identity verification startup Emailage for a reported $480 million and will become a part of the company’s Business Services group.

February 5: Insurance broker Aon reported it has acquired incident response firm Cytelligence Inc.

February 3: HPE bought zero-trust identity startup Scytale for an undisclosed amount.

February 3: SafeSwiss Secure Communication AG announced it acquired end-to-end encrypted email provider Secure Swiss Data.

January 30: Quantum communication startup Qubitekk bought the Quantum Key Distribution (QKD) patent portfolio of British defense company QinetiQ.

January 30: Avast announced it was winding down its Jumpshot Inc subsidiary after the company was found to be selling user data. 

January 22: Cyber insurance provider Coalition acquired internet scanning and threat intelligence; startup BinaryEdge. The terms were not disclosed. BinaryEdge’s technology will be integrated into Coalition’s cyber risk management platform.

January 21: FireEye revealed it had bought cloud security startup Cloudvisory for an undisclosed amount. The deal will see FireEye add cloud workload security capabilities to its Helix solution.

January 15: PE firm Skyview Capital announced it had acquired Fidelis Cybersecurity for an undisclosed fee. 

January 14: Deloitte acquired Kuala Lumpur-based cybersecurity advisory firm SecurePath. The company will be rolled into Deloitte’s Risk Advisory practice in Malaysia.

January 14: Wind River bought Star Lab, an embedded security startup specializing in Linux. Terms of the deal were not revealed but Star Lab will become a wholly-owned subsidiary.

January 14: Cellebrite announced its acquisition of Californian digital forensics provider BlackBag Technologies for $33 million.

January 14: LexisNexis Risk Solutions bought NortonLifeLock’s ID Analytics Business for $375 million. The company will become part of the LexisNexis Risk Solutions Business Services group.

January 13: LogicMonitor acquired Swedish IT infrastructure monitoring startup Unomaly for an undisclosed amount.

January 10: New York City-based risk consulting firm Kroll announced it had bought RP Digital Security, a Singapore-headquartered cyber forensics services provider. The company will join Kroll’s Asia Pacific Cyber Risk practice.

January 9: Synopsys acquired application testing startup Tinfoil Security for an undisclosed amount and plans to integrate its API testing capabilities into the Polaris platform.

January 9: Insight Partners made its second billion-dollar acquisition in a week in a $5 billion deal to acquire backup and disaster recovery company Veeam.

January 8: Industrial automation provider Rockwell Automation acquired Israeli OT cybersecurity services provider Avnet Data Security for an undisclosed amount.

January 7: Cloudflare announced it had bought browser isolation startup S2. The company said it expects to add S2’s technology to its Cloudflare Gateway product.

January 7: Accenture agreed to acquire Symantec’s Cyber Security Services business from Broadcom for an undisclosed amount.

January 7: Private equity investment firm Insight Partners made the first major cybersecurity deal of 2020 just a week into the new year, buying IoT security firm Armis for $1.1 Billion.

January 6: Mimecast acquired Sagasec, a startup that protects against phishing and fraud attacks, for an undisclosed amount thought to be around $40 million.