Yuval Krigel
The massive valuations and funding rounds of 2021 left some room for optimism around the state of the Israeli cybersecurity industry in 2022, instilling a sense of security in Q1 of the new year. While other sectors began to feel the shifting tides of the market as the year progressed, capital continued to freely flow into cybersecurity, further reinforcing the belief that it is a persistently resilient outlier in tech, immune to market instabilities and unable to be shocked into a downturn.
After closing the book on 2022 this week, it is safe to say that this optimism was somewhat misguided. With hindsight, 2021 can be categorized as an anomaly that sent the industry into a tailspin, with bloated valuations exceeding actual revenue and funding rounds scaling at what many warned was an unhealthy pace. The repercussions of this spiral are evident in our 2022 analysis of funding and M&A data for the Israeli cybersecurity ecosystem.
In 2022, overall funding for Israeli cybersecurity startups fell by a dramatic 64%, from $8.84 billion in 2021 to $3.22 billion this year, and the number of funding rounds decreased from 135 in 2021 to 94. When compared to overall funding in 2020 ($2.75 billion over 109 funding rounds), it seems that 2021 was a blip on the radar, and that the industry is returning to where it left off in 2020.
Early stage gets the funding
Our data indicate that the majority of capital that did flow into cybersecurity this year poured directly into one very distinct area: seed rounds of early-stage cybersecurity startups. The average 2022 seed round actually shattered the 2021 record ($7 million), reaching a whopping $9 million. In total, seed funding rose by 65% this year, from $233 million in 2021 to $384 million in 2022.
This striking amount of capital, dedicated to the earliest stages of company building, demonstrates ongoing investor confidence in the cybersecurity industry’s potential to innovate and build solutions for increasingly acute threats.
Furthermore, it indicates the difficulty in raising Series A rounds this year, as investors’ thresholds for these rounds grew in light of the economic crisis. While the number of Series A rounds remained almost unchanged since 2021 (30 rounds last year and 24 rounds in 2022), investors preferred to support the seed rounds of startups that will grow sustainably and cautiously from the get-go.
“Investors understand that seed funding has a clear baseline, as the costs of building a company have not decreased,” says Iren Reznikov, director of Corporate Development and Ventures at Sentinel One. “They know that building a company from the ground up and ensuring that it reaches its Series A round with maximum maturity while hitting all of its benchmarks, costs money. At the same time, investors expect founding teams to set clear goals for reaching their Series A and strive to reach product-market fit at an early stage by engaging with prospective customers faster.”
This confidence is shared by cybersecurity founders, who, despite this year’s market volatility, still believe in the potential to build something meaningful for enterprise protection and business continuity. “Early-stage startups are best poised to respond to the changing needs of a fiscally constrained market,” says Slavik Markovich, co-founder and CEO of Descope, a stealth startup building a service for application developers in the authentication space.
“A tight economy is usually accompanied by increased fraud and cyber attacks. User adoption and conversion have become even more critical in this market, with businesses looking for solutions that reduce friction for their end customers in order to prevent any sources of churn. Founding teams at early-stage companies that focus on solving these problems will continue to attract investor interest.”
Return of the cyberveterans
While 2022’s soaring seed rounds underscore investor confidence that this is a prime time to build new companies, the number of cybersecurity startups dropped from 58 new companies in 2021 to only 47 in 2022. This slight decline can be attributed to rising table stakes and an increasingly saturated cyber market. It is also possible that this year’s mega-seed rounds, as well as the return of veteran founders, intimidate new startups from exiting stealth.
One-third of new startups launched this year were founded by serial entrepreneurs (an increase from last year’s 22%) including seasoned professionals who have been active in the cybersecurity sector for many years. Their successful track records are likely why investors feel comfortable with writing such large checks in this economy, along with the founders’ belief that the industry still has significant untapped problems to address, disrupt and build category-leading companies to resolve.
By contrast, first-time founders are doubling down on ideation for longer periods of time and finding it challenging to discover a clear angle and edge in such a saturated market. It is becoming increasingly difficult to zero in on untapped spaces, resulting in fewer new companies overall. In order to compete, many first-timers are seeking out investors with domain expertise for assistance with ideation, feedback, early exposure to customers and advisors and early GTM.
Stunted growth and unremarkable exits
While 2021’s data showed a polarized funding environment with massive seed and late-stage rounds, this year’s data shows growth stages taking a monumental hit. It is interesting to note that 1,035 IPOs took place last year across all sectors, but 2022 only saw 173 — the lowest number of IPOs in the U.S. stock market since 2016.
A similar trend plagued growth stages in the Israeli cybersecurity space. Series B rounds decreased by 30% this year, and funding rounds from Series C onward plummeted by almost 80% from last year, dipping from $6.46 billion in 2021 to $1.47 billion this year — an even lower figure than the total for growth rounds in 2020 ($1.63 billion).
Raising growth-stage funding is known to be challenging in the best of circumstances and demands substantial resources, effort and a strong balance sheet. Investors have been extremely cautious about taking part in large follow-on rounds in such an unstable market and have required more assurance around their founders’ ability to reach benchmarks and show strong business results. Both investors and founders prefer to wait out the economic crisis and postpone any follow-on funding rounds until the market recovers and valuations decrease.
2021 was rife with extraordinary growth rounds that propelled many startups to unprecedented heights. In 2022, this meteoric growth burned out quickly for several of these giants, as their valuations and funding did not necessarily match actual business performance. This forced founders to reassess their runway, spending and headcount in 2022, leading to painful layoffs. Consider cyber unicorn Snyk’s $196 million Series G funding round that took place right on the heels of laying off 16% of their workforce this year.
This latest injection of capital is considered a down round, based on a decreased valuation of $7.4 billion compared to 2021’s valuation of $8.5 billion. Nonetheless, though this clearly demonstrates how even 2021’s superstars took a blow this year, securing such a sizable round in this economic environment is still an impressive feat.
Other notable 2022 funding rounds: Island raised $225 million in two funding rounds this year (A, B); Axonius raised a $200 million Series E round; Pentera raised a $150 million Series C round; Salt Security raised a $140 million Series D round; Talon raised a $100 million Series A round, and Perimeter81 raised a $100 million Series C round. It should be noted, however, that four out of these six rounds were raised during the first quarter of 2022, and only one was raised in the third quarter of this year. This is a clear indication that, although impressive, these rounds were ultimately powered by capital from 2021’s cybersecurity bonanza.
This year’s economic instability also impacted M&A transactions, with only 16 acquisitions in 2022, compared to 35 in 2021. The average sum of acquisitions also decreased from $201 million last year to $139 million, indicating that larger vendors may also be reassessing their finances. Savvy corporate development executives understand that if they hold out for a few more quarters, they may be able to acquire startups that interest them for a considerably lower price.
Notable exits that broke the mold this year include Siemplify, which was acquired by Google for a reported $500 million; Cider Security, which was acquired by Palo Alto Networks for $300 million; Illusive Networks, which was acquired by Proofpoint; and CyberMDX, which was acquired by Forescout Technologies for a reported $80 million. We anticipate that the number of M&A deals in cybersecurity will increase in 2023 as the ramifications of 2022 begin to sink in and startups that have burned through their capital and are struggling to secure follow-on funding will look for the nearest exit.
Taming the unicorn
In direct correlation with the decline in growth funding, there has also been a decrease in the number of new unicorns this year. After last year’s phenomenal record of nine new unicorns, only five startups became unicorns in 2022, which is the exact number of new unicorns in 2020. This year’s unicorns include Island, Pentera, CHEQ, Salt Security and Perimeter 81. Interestingly, much like this year’s few exceptional funding rounds, three out of these five were announced in the first quarter of 2022 and were likely a spillover from 2021’s record-breaking funding rounds and valuations. Our data also shows that the time it took startups to become unicorns increased by 30% from four years in 2021 to 5.2 this year. Once again, this is the exact same number of years it took in 2020.
2022’s hot spaces
A consistent trend since 2020 has been the market’s interest in application security. For the third year in a row, funding rounds focused on software supply chain security solutions. Organizations are increasingly relying on open source software to do so, putting them at risk as illustrated by the SolarWinds breach and the Log4Shell vulnerability. Concerns regarding this attack vector grew, and efforts to mitigate supply chain risks became the focus of President Joe Biden’s executive order requiring software vendors contracting with the U.S. Federal Government to provide a software bill of materials (SBOM) — an inventory of all software components.
“Security professionals are going back to the root causes of their risk and understand that their supply chain is an easy target for malicious actors,” says Lior Levy, co-founder and CEO of Cycode, a leading software supply chain security solution focusing on securing all phases of the software development life cycle (SDLC). “Connecting the dots between anomalies in the SDLC has become a critical component of an organization’s security posture in the past few years, in light of the rise in attacks targeting the software supply chain. As long as this attack surface continues to expand, we’ll see an increasing number of startups in this space.” Top-tier performers in application security that raised funding rounds this year include Jit ($38.5 million in seed and Series A rounds) and Ox Security ($34 million in seed and Series A rounds).
Identity and access management was another extremely popular space this year, specifically for new startups founded in 2022. As the number of identities grows with ongoing migration to the cloud and an increasingly distributed work environment, controlling user access and securing digital identities has become paramount. Attackers leverage poor identity management and identity theft through compromised credentials, phishing or purchase on the dark web in order to abuse privileges and access organizational assets.
Demand for IAM solutions will continue to grow as rising compliance constraints and regulations concerning identity and access generate demand for better governance. Several sizable seed rounds were raised in this space this year, but all of these startups are still in stealth mode — indicating that we can anticipate an explosion of IAM solutions in 2023.
Job security is jeopardized
The 2022 macro environment harshly impacted growth expectations for some of 2021’s funding superstars, and as the economy slowed down, so did their ability to sustain hypergrowth over time. Last year’s unicorns raised massive amounts of capital and burned much of it in order to sustain this growth, but doing so in a harsh economic climate is hardly sustainable. Expansive layoffs ensued, afflicting some of the largest security vendors that rose to success in the past two years. It is safe to say that as the economy continues to falter, we can expect significant layoffs to continue — and perhaps even increase — in 2023 as capital begins to run dry.
It is important to remember, however, that cybersecurity remains a critical business need that drives demand for cybersecurity experts in technical fields. Startups that strive for longevity and market domination in the coming years cannot afford to let go of their core technical teams, even when budgets are constrained. This demand will continue to rise and create job opportunities for top-tier cyber professionals, as will the attacks that necessitate a strong cybersecurity industry in the future.
2023 forecast
We believe that the industry has learned an important lesson in 2022 and will move at a more responsible pace next year, ensuring that startups back their valuations with ARR and market traction, support their budgets with solid strategies and drive growth in a sustainable fashion. In many cases, growth-stage startups that burned through their capital in the last two years will be forced to raise new capital in 2023 or seek alternatives in the form of potential buyers. This reality may lead to an increase in growth rounds next year, though with more unfavorable terms for founders, employees and existing investors. Other solutions that are growing in popularity in order to allow founders to extend their runway for as long as possible and refrain from raising capital at lower valuations include raising SAFE (simple agreement for future equity) rounds, debt financing rounds and other creative solutions.
Overall, 2022 was a sobering year for the cybersecurity industry and finding a soft landing from the highs of 2021 will still take some time. While we do not anticipate the industry’s full recovery in 2023, it is important to remember that as the industry licks its wounds, attackers will continue to explore more sophisticated methods of exploiting vulnerabilities. This is especially likely as economic and geopolitical circumstances continue to pile on a multitude of challenges and difficulties for global businesses.
Cybersecurity, therefore, will remain an essential part of the business budget, and we anticipate continued innovation, ground-breaking tech and the birth of new cybersecurity startups in 2023, as well as investors willing to fund them. The industry would do well to chalk up 2021’s wild numbers to a market anomaly and treat 2023 as the year of recovery, realignment and resilience in the cyber realm.
*Cycode is a YL Ventures portfolio company.
Comment