The U.S. cybersecurity industry has seen a decline in venture capital investments recently, but Boston-area security startups are having a good week.
On Tuesday, Boston-based ObserveIT said it recently pulled in a Series B investment led by Bain Capital Ventures. The Boston Business Journal reported the initial amount was $16 million, but that number could grow. On Thursday, Boston-based Empow announced a $10 million Series B funding round backed by Ascent Venture Partners and others. And today, Boston-based Onapsis said it closed a $31 million Series C investment led by private equity firm LLR Partners, alongside return backers .406 Ventures, Evolution Equity Partners, and Arsenal Venture Partners.
Elsewhere this week, Herndon, VA-based security firm Expel closed a $20 million Series B investment led by Scale Venture Partners, and Karamba Security, which is based in Israel and the Detroit area, raised $10 million from Western Technology Investment.
The new investments come amid a dip in cybersecurity venture investments nationwide. In the first quarter of 2018, the number of U.S. cybersecurity venture capital deals—and the amount of money invested in those deals—declined for the third consecutive quarter, according to data from the MoneyTree Report produced by PricewaterhouseCoopers and CB Insights. U.S. security companies raised $528 million across 51 deals in the first quarter, down from $831 million invested in 54 deals in the previous quarter, and a far cry from the recent quarterly peak of $1.3 billion invested in 60 deals in the second quarter of 2017, according to the MoneyTree Report.
Maria Cirino, co-founder and managing partner of Boston-based .406 Ventures, categorizes the funding drop-off as a correction of record investment activity in cybersecurity over the past few years.
“We saw many more companies get funded than in the previous few years, as well as companies raising huge sums at multiples that far surpassed what would be considered ‘normal’ range for their size and stage,” Cirino wrote in a statement e-mailed to Xconomy.
She attributed much of the activity to inexperienced cybersecurity investors entering the market as it began to “heat up.” These cyber “tourists” didn’t understand the sector “at its base level,” and they placed bets on “shiny objects” and “point solutions,” she claimed. (Point solutions refer to products that solve a single problem or a narrow set of problems for customers, as opposed to a more desirable “platform” that can address a wide array of issues.) Because of this, the green investors have struggled to generate good returns, she argued.
“I believe the drop-off you’ve seen in the past three quarters is a result of this natural attrition of the tourist investors, and not endemic to the category as a whole,” she wrote in the statement.
The feedback that Onapsis CEO and co-founder Mariano Nunez (pictured above) has been getting from investors lately is there are too many cybersecurity companies “attacking the same problem with slightly different solutions,” and it’s difficult for investors to discern the most promising startups amid all the noise, he wrote in an e-mail to Xconomy. Many security investors are now pushing past the hype and “looking deeper” at businesses’ underlying financial performance, which makes it harder for some companies to raise money, especially at later stages, Nunez said.
His company was in a good spot, with strong demand from investors who wanted in on its latest venture capital round, Nunez said. “But I know first-hand that some other companies have unfortunately struggled lately and had to rethink their strategy,” he added.
Meanwhile, Cirino said, large corporations and other major buyers of security products have been “inundated with point solutions for over a decade now” and “can no longer manage this complex web of security solutions.”
“They’re starting to shift their focus to buying security platforms that are extensible and can continue to layer on advanced features and greater capabilities over time,” Cirino said. “Smart startups like Onapsis here locally, for example, saw that coming.”
Nine-year-old Onapsis helps businesses secure their most critical applications, such as enterprise resource planning (ERP) systems developed by SAP and Oracle. Customers use the company’s software to protect and manage sensitive data about employees and clients, finances, manufacturing processes, intellectual property, and so on.
Historically, most of Onapsis’s customers were concerned about insider threats to these crucial systems, Nunez said in the e-mail. (His company helps them address that through user activity monitoring and prevention tools, he added.) But with the shift to cloud-based servers and the proliferation of mobile and connected devices, the “attack surface” is growing larger and customers are increasingly worried about external threats—“mainly nation-state actors, unethical competitors, and cybercriminal organizations,” Nunez said. Onapsis’s software aims to defend customers through automated vulnerability and compliance checks, threat detection and response tools, and other capabilities.
“An interesting aspect is that most of the threats we see are not really advanced,” Nunez said. Hackers “are exploiting old, well-known—but hard-to-fix—ERP vulnerabilities and mis-configurations, which fall through the cracks between the traditional ERP administration and the information security teams.”
Nunez declined to share Onapsis’s revenue figures or whether the company—which has raised a total of $62 million from investors—is profitable. (It probably isn’t, since it plans to use the new cash to up its spending on sales, marketing, customer service, product development, and other areas.) A spokeswoman said more than 200 of the largest corporations use Onapsis’s products, including
