The shortlist of Boston-area tech companies on deck for an initial public offering got shorter after Monday’s announcement that Veracode has agreed to be sold to CA Technologies for $614 million in cash.
The 11-year-old Veracode, which helps businesses secure and test their software applications, had raised around $150 million in venture capital, according to a spokeswoman. The company seemed like it was on an IPO path for the past couple of years. “It very much was an option,” says Veracode CEO Bob Brennan (pictured above).
But the IPO market, particularly for tech companies, is “tepid” right now, Brennan says. His Burlington, MA-based firm sold to CA Technologies (NASDAQ: [[ticker:CA]]) for a higher price than the valuation that Veracode estimated it would have received in the public markets, he says.
Plus, there are “constraints you have to live in as a newly public company that don’t allow you to fully invest in the opportunity,” he says.
Joining forces with New York-based CA Technologies, which provides a range of software products and services, should give Veracode access to more resources and customers. Veracode has about 550 employees and 1,400 customers, Brennan says. By our rough math, based on CA’s financial projections, Veracode’s annual revenue is about $100 million. Meanwhile, CA employs around 11,000 people, has thousands of customers, generates over $4 billion in annual revenue, and has about $1 billion in annual operating cash flow.
With CA Technologies, “we’re able to cast a much longer shadow than we would’ve been able to cast on our own,” Brennan says. “This [deal], as a strategic alternative, towered above all others.”
For the Boston tech scene, the Veracode sale means one of the stalwarts of the local cybersecurity cluster is no longer independent. It also intensifies the spotlight on Carbon Black, another longstanding local security-tech firm (formerly known as Bit9), which is seen as a potential IPO candidate or acquisition target.
Veracode and CA had conversations over the past two years, but they didn’t begin having serious deal discussions until last fall, Brennan says. He says the outcome was “very strong for our investors on a money on money” basis.
He didn’t comment specifically on whether the deal was a good financial return for employees. But there are no plans to lay off Veracode employees post-acquisition, according to Brennan and Mordecai Rosen, general manager of CA’s cybersecurity business.
“This is all about growth,” Brennan says. There have been “zero conversations around cost synergies.” Brennan will stay on with the company and will have a general manager title, he says.
CA Technologies was founded in 1976 as Computer Associates International. It went public in 1981. The company helps medium-sized businesses and large enterprises develop, test, deploy, and manage apps. It also offers a variety of cybersecurity products and services in areas such as authentication and identity management, privileged access management, securing mainframes, and securing application programming interfaces, according to CA’s website.
Rosen says the addition of Veracode gives CA new capabilities that “bridge” its security offerings with its “DevOps portfolio”—the tools and services for software development and IT operations.
Both companies believe “that security itself has to be inserted into the software development lifecycle and pushed way left toward the developer,” Rosen says. Veracode gives CA the “human beings and tech that allow us to take a leadership position there.”
What Rosen means is that the volume of software applications is exploding, and the process of developing and deploying apps and websites is getting faster. Companies are updating their applications constantly, sometimes several times a day. These apps and updates are a prime target for hackers, and businesses are realizing they need to put in more safeguards and check for vulnerabilities earlier in the development process, Rosen says. “That’s the only way to secure software at this scale,” he adds.
That’s where Veracode comes in. It hunts for vulnerabilities by scanning customers’ software throughout the development lifecycle. Veracode created a way to do this by analyzing the software’s binary code, not the source code, in order to alleviate customers’ concerns about potential theft of proprietary technology. The goal is to catch software flaws early, when it’s cheaper to fix them—and before hackers get a chance to inflict damage.
“That’s what every organization who’s developing applications is pursuing aggressively,” Rosen says. “We’re incredibly excited about this acquisition.”
