December 29, 2024 57 mins

In this holiday episode special, we’re joined by Hamza Fodderwala, Executive Director at Morgan Stanley, where he leads cybersecurity equity coverage. He joined Morgan Stanley's software research team in early 2016 and leads coverage for public cybersecurity companies like Palo Alto Networks, CrowdStrike, Fortinet, SentinelOne, Okta, Zscaler, Cloudflare, Rapid7, Check Point, Qualys, Varonis and Tenable. Before Morgan Stanley, Hamza was an equity research associate at Susquehanna International Group covering the financial technology sector. Hamza graduated from New York University, with a Bachelor of Arts in Economics.


We dive into Hamza’s insights on the major customer buying patterns in cybersecurity throughout 2024 and what might shift in 2025. Hamza shares his observations on how the Generative AI boom is influencing product adoption in the industry, and whether enterprises are currently adopting AI security solutions. Additionally, we explore key trends from cybersecurity resellers, discuss what might unlock public equity markets for new IPOs, and which private cyber companies could go public next.


Our discussion covers the cybersecurity M&A landscape, highlighting over $50B in deal volume this year with companies like Juniper, Darktrace, Recorded Future, Synopsys, Venafi, and more all getting acquired. Finally, Hamza shares lessons for founders, offering advice on identifying areas ripe for disruption, navigating the venture funding landscape, and building resilience in a competitive industry.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sid Trivedi (00:04):
Welcome to Inside the Network. I'm Sid Trivedi.

Ross Haleliuk (00:08):
I am Ross Haleliuk.

Mahendra Ramsinghani (00:10):
And I am Mahendra Ramsinghani. We have
spent decades building, investing, and researching
cybersecurity companies.

Sid Trivedi (00:19):
On this podcast, we invite you to join us inside the
network, where we bring the best founders, operators, and
investors building the future of cyber.

Ross Haleliuk (00:31):
We will talk about the hard parts of the
founder journey. Launching companies, getting to product
market fit, raising capital, and scaling to an exit.

Mahendra Ramsinghani (00:42):
And, yes, we will also be talking about
epic failures.

Sid Trivedi (00:46):
But, Mahendra, we're here to make the founder
journey easier.

Mahendra Ramsinghani (00:50):
That is correct, Sid. But we cannot make
it too much easier because startups are hard. And, of
course, you already knew that.

Ross Haleliuk (00:57):
Alright, you two. Enough, let's get started with
this week's episode.

Mahendra Ramsinghani (01:06):
Before we dive into the program today, let
me share a quick word about equity analysts. They are
essentially the deep researchers of Wall Street publicly traded
stocks, providing crucial insights that help investors
make informed decisions about where to put their money. That
analysis is particularly valuable for founders,

(01:29):
especially ones who are just getting started as it helps you
to chart your own trajectory. By understanding how public markets
value technology companies, business models, and growth
strategies, start up founders can benefit and better position
their own companies for success. We're thrilled to have one of

(01:49):
the top cybersecurity analysts with us today, Hamza Fodderwala,
executive director at Morgan Stanley, where he leads the
firm's cybersecurity equity coverage.
Hamza brings deep expertise in analyzing companies that are at
the forefront of protecting our cyber digital world. Industry
leaders like Palo Alto Networks, CrowdStrike, Fortinet and many

(02:12):
more. Since joining Morgan Stanley's software team in 2016,
Hamza has established himself as a leading voice in cybersecurity
investment research. Following his earlier work in analysis at
Susquehanna International Group, Hamza holds a bachelor's degree
in economics from NYU. For all the entrepreneurs listening to

(02:32):
our program today, Hamza will share some valuable insights
into how Wall Street thinks about cybersecurity businesses,
what metrics matter most, and how successful companies have
continued to scale and create value.

Sid Trivedi (02:46):
Welcome, Hamza, to Inside the Network.

Hamza Fodderwala (02:48):
Thank you, Sid, Mahendra, and Ross for
having me.

Sid Trivedi (02:51):
We're excited to end out 2024 with you and talk a
little bit about all the trends, all the things that are
happening in the cybersecurity world. Maybe let's start with
assessing customer patterns. And as you take a look back at 2024,
what were the major customer patterns that you saw in cyber?
And how do you think this will change as we go into the new

(03:12):
year?

Hamza Fodderwala (03:12):
Yeah. It's a great question. I'd say, the
major customer buying patterns, there were there were a few. You
know, 2 really stood out. 1 is the trend towards vendor
consolidation remained, you know, very strong.
We saw this start really in in late 22, and we saw it really
permeate through 23 and 24. So if you look at from the public

(03:34):
market, right, which I cover, you look at the public
cybersecurity stocks that are the perceived consolidators, the
ones that have larger revenue scale, that have multiple
products, the Palo Alto Networks, CrowdStrike, Fortinet,
and others, they're trading at roughly 2x the valuation
multiples on EV to sales relative to the ones that are

(03:56):
the perceived point product vendors in the cybersecurity
market. So that trend continues. The average enterprise today has
over 50 different cybersecurity tools. The largest enterprises
have, you know, sometimes 2,300.
So there's definitely a a willingness to bring that down.
And the other area that started to really come up more, and I
think you're starting to see some some buying around this, is

(04:19):
around AI. Right? And specifically, security for AI.
How do we secure some of these AI models as well as AI for
security automation, which I think is gonna be a bigger theme
into next year.

Ross Haleliuk (04:29):
On the topic of AI, it is definitely the case.
The Gen AI craze remained the number one topic for everybody,
like every single event, like every single security leader is
talking about it. Have you seen customers actually adopting
those solutions? Or are we still at the stage where we are mostly
exploring where gen AI security might fit? And how do you see

(04:50):
that changing in 2025?

Hamza Fodderwala (04:52):
Yeah. Definitely. And, Ross, you've
written a lot of great things about this, by the way. Anyone
who isn't subscribed to Ross's newsletter should definitely,
shameless plug for you, Ross, but definitely should should be
on it. Look, I think it's early innings.
I think, early on when we started talking about generative
AI, we're talking about generative AI for security operations. And
a lot of that was tied to okay. How do we take a lot of this

(05:16):
redundancy, a lot of this manual labor outside of the security
operation center, outside of your SOC?
And a lot of that meant, okay, we need to replace the legacy
SIEMs, whether that be an IBM or a Splunk has had pretty dominant
market share in the space. So you're seeing companies like
Palo Alto Networks, like CrowdStrike, like Microsoft go
after this next gen SIEM, next gen security operations market.

(05:40):
And I do think that's going to drive more meaningful dollars.
You know, Palo Alto Networks talks about Cortex, which is
their next gen SIEM opportunity, their AI for security
automation, if you will, that being their next, you know,
$5,000,000,000 opportunity over time in terms of ARR. And I
think that's gonna be a a major product cycle for them,
especially since their partnership slash acquisition of

(06:02):
IBM.
Microsoft, you know, talked about Azure Sentinel, which is
their next gen SIEM being 1,500,000,000 ARR. So I do think
you're gonna see a lot more focus on AI for security
operations. You know, I should mention CrowdStrike as well with
LogScale. But I think what was interesting earlier this year at
RSA, we started to hear a lot more about okay. Hold on.

(06:23):
AI for security automation sounds great, but how do we
actually do security for AI? How do we actually enable this
technology within our organization? How do we govern
it? How do we classify what's sensitive and what's not? How do
we prevent sensitive data leakage?
And so you're seeing a lot more investment in that area. We do a
CIO survey every quarter, and the number one hurdle for

(06:44):
adopting, you know, next gen AI ML capability within an
organization is data security. Right? How do I prevent an LLM
for querying sensitive data? So I think, that is gonna be, I
think the most immediate opportunity, but the bigger
opportunity, I think, is going to be AI for security
automation.

Mahendra Ramsinghani (07:01):
No. Thank you, Hamza. When you look at the
AI and how the security operations are getting, shaped
up, it's a fascinating, trend. And Sid and I have seen a lot of
startups coming up with, you know, agentification, how agents
and, sort of this new wave of technologies can be used to
improve the SOC. But if you zoom out a little bit, a lot of

(07:24):
startups don't necessarily appreciate the role of
resellers.
And when you look at the world from your vantage point,
especially when you look at the large players, they have a very
elegant way of partnering with resellers. I mean, this is a
business of trust. The resellers play a very important role in
the last mile. Give us some insights. Help our audience
understand how the reseller side of the market is shaping up.

Hamza Fodderwala (07:44):
Yeah. It it's a great point, Mahendra. So the
average cybersecurity vendor will generate somewhere between
70 to 90% of their sales from the channel community. Now some
of that is, you know, resellers or value added resellers. Some
of that increasingly now is MSSPs, the managed security
service partners, which will oftentimes help operationalize a

(08:05):
lot of these technologies, which is really important.
And so, you know, these partners are really the last mile when it
comes to cybersecurity because it's not just about selling you,
you know, a bunch of software and then telling the customer,
okay, you figure it out. You know, you do need to have a
partner to help enable this technology and also give you
leverage from a go to market perspective. So I think, you
know, as far as the start up community is concerned, really

(08:26):
try to engage these partners early on. A lot of these, you
know, channel partners, particularly within the MSSP
community, you'll find these folks are very forward thinking.
These are folks who worked in industry themselves.
You know, they wanna partner with the cutting edge
technologies. And, the earlier you can build those
relationships, you know, the better it is. And I think, the
industry, the reseller industry, if you will, is going through a

(08:47):
bit of consolidation. So that's why it's really important to
have, you know, these MSSP capabilities, you know, be able
to add value on top of just reselling that becomes more and
more important. So their margins are under pressure.
Certainly, they're looking to offer more services on top of
just reselling. So if you're a a start up company and you've
reached a certain scale and you feel like you have a product

(09:08):
that's, you know, very much in demand, you know, partner with
these folks early on, have those discussions early on, and I
think it'll pay dividends down the line.

Mahendra Ramsinghani (09:14):
You know, you make a great point, Hamza,
about building these relationships early on. If I put
myself in the shoes of a founder, you know, they are
young. They don't have necessarily the the size and the
scale. What's your advice? What kind of thresholds do you see
in, let's say, revenues before the partners get excited?
You know, obviously, there's the side of innovation. They want
the cool new products, but they also wanna say, hey. Are you

(09:37):
stable? Are you able to serve our community and our geography
well? Do you have the infrastructure to help our teams
to sell better?
So what kind of trade offs do you see in in that dynamic?

Hamza Fodderwala (09:48):
Yeah. I mean, I'd say, generally speaking, you
start to you you start to really catch on with the channel
reseller community once you once you approach that 100,000,000 of
ARR or more. But you'd be surprised, I think, there are a
lot of smaller companies. I'm thinking of companies within the
data security and posture management space, for example,
or the application security space, right now. There's a lot

(10:10):
of interest among the channel community in those areas because
that's what their customers are asking for.
So it really depends. Right? There are some companies where
okay. If it's an established market within cybersecurity that
you feel like you have a better mouse trap in, then certainly,
you know, you wanna curate some demand. You wanna get to the,
you know, 9 figures in ARR before you really start to

(10:30):
engage the reseller community in a big way.
But I think if you have a a product that is very much
missing in the market, and I think there's a lot of white
space again in application security and data security, I
think engaging with the partner community early on even at 10,
20, 30,000,000 of ARR, which we have started to see, I think,
can pay dividends down the line as well because these are

(10:51):
technologies that oftentimes are tied to broader initiatives.
Right? So data security, for example, may be aligned with the
broader AI transformation initiative. Right? And so the
partner is coming in, the system integrator is coming in to the
to the customer and trying to help the customer deploy these
technologies, but they don't really, you know, know how to do

(11:12):
this securely.
That's why we're bringing in a data security vendor might be
helpful even if it is a subscale vendor. If they have good
backing, good investors, then they can be viewed as a
strategic partner longer term.

Ross Haleliuk (11:25):
Hamza, when you're talking about the need to
engage with the resellers and and MSSPs and so on and so
forth, how is it related to the need to engage with industry
analysts? Like, which come first? Should startups at first
start approaching Gartner and and the likes, or should they be
working on the reseller side? Or is this something that happens

(11:45):
in parallel where one side feeds feeds into the other? Like, how
are you seeing that?

Hamza Fodderwala (11:49):
Yeah. I think ultimately, if you if you have a
product that has good demand, good backing, ultimately, all
that will come. You know? And, I just think it's a matter of
inertia. Right?
So once you start to gain that momentum in terms of your
product go to market, which again, the the channel community
is a big part of. Right? Whether that's resellers, MSSPs,

(12:11):
marketplaces, which are becoming more and more important. Getting
that momentum, right, I think should be the primary focus. And
then adjacent to that, right, and over time, you'll start to
see the analyst community start to take notice and start to, you
know, mention your company in their various reports as well.

Sid Trivedi (12:28):
I wanna move things a little bit further and talk
about the public equity markets that you cover so acutely.
Between 2022 and today, we've had just 4 software IPOs. We
just had a new software IPO in ServiceTitan, which just went
public. Looks like the stock has really popped. So hopefully,
it's a sign of of more positive kind of tailwinds.

(12:49):
But what factors could help open up the public markets for new
issuances at a much larger scale? And when you look at the
different cybersecurity private cybersecurity companies that are
out there, who do you think is the most likely to go public
next?

Hamza Fodderwala (13:04):
Yeah. It's a great question. I'll try to keep
a high level rather than mentioning any specific company,
but I I would say it does feel like the public markets are open
again. If you look at, you know, the average software stock over
last year is up almost 30%. The average cybersecurity company
over last year has been up 40 to 50%.
So, you know, we're certainly seeing more appetite to invest

(13:27):
in software as well as cybersecurity. Cybersecurity has
been an area of more defensible growth. Right? So not only are
you participating in a lot of the secular tailwinds around AI,
cloud, the expansion of the attack surface area, but these
are also very resilient companies in terms of this is
their last area of your IT budget to get cut. So I think we

(13:47):
are seeing appetite for new public issuances again.
Looks like there's a general growth scarcity in the market. I
think right now, you know, if we look at 2025, I can't think of
1 company that is going to grow 30%, at least, you know, guide
to 30% initially. So I think having, you know, new companies

(14:07):
within the IPO market that are that are growing faster, that
are aligned to a lot of secular tailwinds in the market, whether
it's AI or cyber. I do think there is a growing appetite for
that. And, you know, we've had some IPOs recently, which have
done quite well in the last 6 months.
So as far as going forward, I think, you know, in general, I
think if you're a company with 250 to 500,000,000 in ARR and

(14:32):
you're growing, I think, you know, north of 30%, especially
within that cohort. Now if you get to 500,000,000 to a
1,000,000,000 of ARR, right, the growth rates become different.
I'd say you wanna be growing north of 20 in that cohort. I do
think that there's going to be demand, you know, for those
types of assets again. It's gonna be harder to bring public
those 100,000,000 plus ARR companies, right, that are more

(14:55):
subscale, that don't really have a, near term path to
profitability.
I don't think we're quite there yet. But the 250 to 500, 30%
plus type growers with a path to profitability in 12 to 18 months
time frame. I do think that there's an appetite to, invest
in those companies again because there's so much growth scarcity
in the public market again. Like, I can't think of 1 company

(15:16):
that's that's gonna guide to 30 percent revenue growth in 2025.

Sid Trivedi (15:19):
You and me both. I I agree with this point around,
you know, the lack of companies that are 30% plus growers on an
annual basis. Just more broadly on that topic, though, I mean,
the number of very, very highly valued large scale unicorn or
decacorn companies that are over a 100,000,000 of ARR that
haven't yet gone public has now really, really gotten to to a

(15:39):
large enough scale. And I'm just curious on your opinion. Do you
think that these numbers that we have figured out in the public
markets of 250,000,000 plus ARR growers and anything below that,
it's very hard to go public.
Do you think that's fair for the public markets? I mean, the
average person, the average, you know, just investor can't invest
in a whole bunch of high growth companies until they become

(16:02):
really, really scaled. I mean, this is very different to what
things were like 10 years ago, certainly what things were like
20 years ago.

Hamza Fodderwala (16:08):
And there's no shortage of capital in the
private market these days, it seems. You know, I think it's if
it's a company that is I think 250,000,000 in ARR is at the low
end, that would be harder, if you will. But if it's a company
that is disruptive, that is aligned to a a a secular theme
that isn't available right now in the public market. So if you

(16:30):
had a AI security company or a pure play vendor in the cloud
security space, for example, where maybe there isn't an
avenue to invest in the public market, that would be
interesting. Right?
But there'd have to be some scarcity value if you're at
250,000,000 plus. I think once you get to 500 to a 1,000,000,000
of ARR and you're still growing 20, 30% plus, that's where the

(16:51):
need to have that scarcity value perhaps diminishes. Right? You
can be the 2nd or third player in your category. If you're a
disruptor and you're gaining market share, most likely you
will get a multiple that is comparable or maybe a slight
premium to the peer group that's already public.
So I think 250 to 500 scarcity value would really matter.
Right? If it's something that's really unique that isn't

(17:14):
addressed by public vendors, I think you can see some appetite,
for those types of assets. But I think, outside of that, it will
be it will be tougher. That's where you do have to get to a
bigger scale, 500 to a 1,000,000,000 of ARR.

Sid Trivedi (17:26):
I guess my question is more, do you think that's
fair for the average, you know, stockholder to not have access
to those high growth players who are very much focused on the
private markets? There there isn't capital from the private
markets.

Hamza Fodderwala (17:38):
Yeah. I mean, I think if you are a company
that's in an existing category, let's just say, for example, in
in SASE, secure access service edge, which is, you know, part
of the part of the network security market, you know, there
are companies you can invest in. Right? You can invest in a
Zscaler or a Palo Alto Networks or what have you. Cloudflare
comes to mind as well.

(17:58):
Now there are a lot of great next gen SASE players in the
private market too that I think some of them, you know,
eventually will reach that scale. But I think, you know,
there are options in the public market, if you will, to invest
behind those themes that, you know, are also available in the
in the private market. I think, again, it it really depends on
the category. I think a question of fairness is a good one.

(18:19):
Right?
We want investors to have more access to the growth that we're
seeing in America, whether it be within cybersecurity or
elsewhere. But I do think there are many companies in the in the
public markets today that are investing and really align with
a lot of these themes.

Ross Haleliuk (18:32):
Hamza, this year, we saw the creation of the first
$100,000,000,000 plus market cap cybersecurity company in the
industry, that being Palo Alto Networks. And it looks like
CrowdStrike is not, not far behind. A lot has been said
during this year about the trend, of platformization or or
industry consolidation or whichever language you choose to

(18:54):
use. How much do you think that holds as you evaluate public
companies' earnings result this year and also looking into the
2025, estimates and forecasts?

Hamza Fodderwala (19:03):
Yeah. And it it's pretty amazing that, you
know, CrowdStrike still is not very far behind from that goal
despite obviously the incident that they had in mid July. So
kudos to them and and that team for doing a great job in their
response. Yeah. I think it's gonna matter a lot.
I think the fact is it's you have Palo Alto Networks, which
have announced our platformization initiative
earlier this year. And then keep in mind, CrowdStrike, after this

(19:26):
outage, also announced, you know, an effort, which they call
Falcon Flex, and now that's being broadened out into these
customer commitment packages. Effectively, both these
companies, you know, have been given a hall pass, if you will,
for the next 12 to 18 months to discount, some might say price
bomb the market. So if you're competing with a Palo Alto
Networks or CrowdStrike, it has gotten much more difficult. The

(19:49):
Street, analysts like myself have have have cut their numbers
on both these companies quite a bit to allow them to to to do
this stuff.
And so I think, if you're competing against one of these
larger scale companies that are able to discount more
aggressively now that had the scale to do so, I think it's
gonna become harder. So what that means is if you're a

(20:10):
smaller company, you know, really making sure that, you
know, one, not only you have a a great product, but you're
solving a need that these big platforms are not. Right?
They're not gonna be able to solve everything for everybody.
Right?
So a great example I can think of is with an email security.
Right? These platform players, for the most part, have not
focused on that area because the view was, well, Microsoft is

(20:31):
just gonna dominate this space. And we've seen great companies
like Abnormal, even Proofpoint, who's out there as well, you
know, come out with some great products here. Check Point even,
which recently invested in a company called Avanade a few
years ago, talked about getting to a 100,000,000 of ARR in their
email security products.
So I think, you know, making sure you have products and are
solving problems that these that these companies aren't is is

(20:52):
first and foremost. And I think also once you get to a certain
scale, having that multiproduct vision of your own. Right? You
it may not be there necessarily today, but engaging with your
customers, with your strategic partners, and and aligning them
on a future road map saying, hey. Look.
You know, we do these two things really well, or we do this one
thing really well. And we're gonna focus on doing that one

(21:14):
thing really well, but we have a broader vision here. Right? We
wanna we want you to partner with us and see where this
vision goes and, you know, see how we can deliver this
innovation to you. So I think it's about, 1, solving problems
and having a product that, you know, these other big sort of
platform vendors are not gonna be able to focus on as much.
And then 2, also engaging with your customers, engaging with

(21:37):
your strategic partners early on, having that roadmap, that
vision, and that they can see, okay, you know what? This
company is gonna be an even better version of the existing
platform players that I might be using today.

Mahendra Ramsinghani (21:48):
Speaking of platforms and
platformization, I think that's sort of the buzzword. Going back
to the earlier comment you made about consolidation, I think
that's clearly one industry trend, Hamza. Let's zoom out a
little bit. You know, in a few weeks, a new president will step
in. That changes sort of the geopolitical dynamics.

(22:08):
On one side, you have China. You have Russia. In fact, one of our
earlier guests on the podcast, Dmitry Alperovitch, has written
a fascinating book about it, which, by the way, in 2024 has
been named one of the best books on this topic. So you have this
whole geopolitical dynamic that is going to shift. Okay.
And of course, you also have Israel. What challenges do you

(22:30):
see in our our sector play out as a result of that?

Hamza Fodderwala (22:34):
Yeah. Unfortunately, the world is
going to become more challenging from a geopolitical standpoint.
Whoever is president, right, and and whoever is president, you
know, obviously, you know, president-elect Trump, we wish
them, you know, all the best in in solving these challenges.
But, you know, certainly, the world's gonna get the world has
become more dangerous from a cyber perspective and otherwise.

(22:54):
You know, I think, you know, for us, you're looking at a lot of
the enterprise security companies.
I don't think this necessarily changes anything. Right? I mean,
the fact is, you know, we're gonna continue to see growth in
ransomware attacks. Some might say that that that may even be
be peaking right now if you look at some of the more recent data.
But I think, you know, nation states are gonna continue to be
a big driver.

(23:15):
You also have cyber criminals that are gonna continue to be
big drivers of cyber demand. But I think, you know, more
domestically, you know, this, these new initiatives around the
Department of Government Efficiency or or Doge and the
willingness to reduce the size of the federal government, you
know, whatever you think about that is probably gonna have some
headwinds short term for a lot of enterprise software and

(23:38):
cybersecurity vendors. And we actually recently wrote about
this in our 2025 cybersecurity outlook. But, you know, you look
at the typical cyber security company that's public today.
Right?
And I think it probably goes through for a lot of private
vendors, but they're generating anywhere from 7 to 8% of their
revenue from the US public sector. Right? And and some of

(23:59):
the larger vendors, like a Palo Alto Networks or Tenable,
Zscaler, and others, you know, in some instances, they generate
10% plus of their revenue from the US public sector. And
federal government alone spends over $25,000,000,000 a year on,
on cybersecurity. So I think, the fact that you wanna reduce
the size of the federal government and in some

(24:20):
instances, there have been reports around, you know, should
we downsize or eliminate CISA entirely or should we, you know,
take out a $1,000,000,000,000 from the federal budget over
time?
You know, that's gonna have some impact on IT and cyber budgets,
and I think is going to be a headwind in 2025. Longer term,
right, if the government can become more efficient, use more

(24:41):
technology, perhaps it could be a tailwind. But short term, I
think, it's a headwind. And then also a big driver of of
cybersecurity demand has been, you know, a favorable regulatory
backdrop. Right?
When you think about all the recent rulings around from the
SEC around disclosing cyber breaches, around having better
cyber practices, you know, the question's gonna be with this
new administration, with the new SEC head, are we gonna see the

(25:04):
same, you know, types of regulations and and the
enforcement around these regulations going forward that
we did in recent years? So I think the fiscal backdrop, the
regulatory backdrop, there's some uncertainty there, and I
think the general the view is right now perhaps those, those
backdrops are not gonna be as accommodative for cybersecurity
spend as they have been in recent years.

Mahendra Ramsinghani (25:23):
No. You make great points there, Hamza,
both on the fiscal and the regulatory standpoint. And also
from the fact that, the ransomware angle, or call it
attacking, this continues to escalate in some ways on how the
relationships evolve. If you just take a counterpoint, you
know, this is, of course, rumored now, but Trey Stevens,

(25:45):
who is a partner at Founders Fund, has been active investor
in cybersecurity companies like Expanse that got acquired by
Palo Alto Networks. He is, I think, on the board of Anduril,
which which is a kind of a security from a different angle,
if you will.
He's rumored to be the 2nd, you know, highest ranking position
at the Pentagon undersecretary of defense. And this if this

(26:06):
happens, this could be the first time that somebody who wears a
VC hat and has been a cybersecurity investor is,
squarely in the center of, a very important role in national
security and the department of defense. Do you see new
opportunities open up as a result of, some of these
dimensions playing out?

Hamza Fodderwala (26:27):
Yeah. I think the fact that you're seeing more
folks from, you know, Silicon Valley and the technology
community get involved in public policy and and and Washington
certainly is favorable for tech longer term. And so to the
extent that, you know, you do have some folks from the cyber
VC community advising the DOD and and the president, I think

(26:47):
those are those are good things. I would say if we look at the
the cyber budget today, right, in the federal government, it's
about $25,000,000,000 annually products and services. Half of
that is DOD, you know, half of that is civilian based on the
the numbers that we have.
I'd say DOD is probably safe. Right? I think, this incoming
administration is known for wanting a strong military. It's

(27:09):
a civilian portion that you worry about. So, you know, to
the extent that you're looking at eliminating thousands of
seats at the IRS or the DHS or what have you, that means, you
know, less endpoint security, for example.
Right? Because each of those seats might be, you know, an
endpoint or a PC workstation or what have you. Or, you know, you
might not need to buy as many firewalls or SaaS seats or what

(27:32):
have you. So I I think, yes, longer term, you know, those are
all good things, and the federal government certainly has a lot
of room to modernize. I think those modernization initiatives
take a long time.
In the short term, though, if you're eliminating a lot of
these people and you're reducing the size of the organizations,
ultimately, their nest there's just not gonna need as much IT,
which means they're not gonna need as much cyber.

Mahendra Ramsinghani (27:52):
Yeah. There could be a consolidation,
obviously, just following the same trend of if you wear a
business hat, which says, hey, multiple organizations are
buying these products. How can we bring efficiencies,

Sid Trivedi (28:16):
conversation over to M&A. And you've touched a
little bit around consolidation, but we've seen a relatively
active M&A market this year with over $50,000,000,000 of
deal volume to date in cyber. And we've seen companies like
Juniper, Darktrace, Recorded Future, Synopsys, Venafi, and a
whole bunch more that have been acquired. And the year hasn't

(28:36):
even ended. You know, the the time of this recording, the
year's there's still a few more weeks to go, but it's already
that 50,000,000,000 of deal volume is already up from last
year's numbers.
So what are the valuation expectations looking like today,
and what are buyers looking for in general?

Hamza Fodderwala (28:52):
Yeah. You know, I think of the M&A
market very similar to the housing market. Right? So the
the sellers have expectations, the buyers have expectations,
and obviously, there's the cost of financing and everything
else. And so, you know, I think a big active buyer within
cybersecurity historically has been private equity, the
financial sponsors.
I'd say they've been less active in recent years just given how

(29:14):
interest rates have have really increased in the last couple of
years. So they certainly have valuation expectations that I
think if anything, you know, they're they're not willing to
pay the multiples that were in 2020 and 2021. The strategics
have been less active. I mean, certainly, we've seen some.
We've seen Cisco, Splunk, we saw CyberArk, Venafi, and those, you

(29:35):
know, buyers tend to pay higher multiples.
So, you know, based on our analysis looking at
cybersecurity transactions over the last 10 years, strategics
have on average paid about 9, 9 and a half times NTM revenue for
US cybersecurity companies whereas private equity is paid
between 6 to 7 times. So I do think, we are seeing more

(29:57):
interest from from both areas within the cybersecurity market.
I think what's what changed over last year was perhaps seller
expectations. So if you were a cybersecurity company or
enterprise software company and you realized, okay, whether
you're public or private, the market is not gonna necessarily
gonna value, you know, me at the multiple that I want them to,
right, if I go public or remain public. There are a lot of

(30:19):
investments that or a lot of transformation that has to be
done that probably isn't great to be done in the public market
view.
Right? If you're going through, you know, a major product
transformation or you're going through some sort of, you know,
M&A spree, doing that in the public market where you have to
report quarterly earnings is is somewhat difficult. So I do
think seller expectations have come down. But at the same time,

(30:41):
when you see stock markets tend to decline and, you know, even
for larger companies, if their share price is worth 30, 40%
less, well, a lot of times they, you know, they use their stock
as a currency to buy these companies. So what we've seen, I
think, is very much a buyer's market in security and software.
The big are getting bigger. Right? If you are a large cap

(31:02):
company, $20,000,000,000 plus market cap, you're still trading
in a double digit sales multiple. If you are below that,
you know, the average multiple comes down to about 6 times
sales. So the larger cap companies are the the main
driver of outperformance in enterprise software and
security.
So you still have a favor you still have a high stock, you
know, and favorable currency to buy these assets. And then if

(31:24):
you are a a smaller SMID cap company, you know, there's some
that are still trying to break the sound barrier, right, but
are having a a difficult time. So I do think we start to see
some of these companies that are 5, 7, 8, $9,000,000,000 in in
enterprise value look at saying, okay. Are we ever gonna break
that sound barrier to get to 20, 30, 40, 50,000,000,000? I think

(31:45):
most of them will realize it's much tougher than realized.
And, I think, you know, we'll eventually make that, you know,
move to perhaps get acquired by a larger vendor or look at a
private equity route. So I do think we start to see a little
bit more of that from those bigger companies. Right? So far,
the transactions predominantly have been, you know, companies
with less than $5,000,000,000 in enterprise value or a lot of
private companies that are selling for less than a

(32:07):
1,000,000,000 even, but not as much of those big companies like
the Splunks that we saw last year.

Sid Trivedi (32:11):
And just as a follow-up on that topic, you
speak to a lot of these CEOs of these public companies. Are you
hearing from them that there is some kind of they are in some
ways holding off and waiting for the new administration to come
in and then launching more active M&A strategies. Has
that been a topic of conversation or, you know, is
the card move the the the move that they are playing?

Hamza Fodderwala (32:32):
I think they all have strategies. They all
have, you know, M&A targets that they've looked at.
Certainly, this the the last administration, I don't think is
any secret, was perhaps, you know, less accommodative in
terms of, those transactions happening. And I think there's
an expectation. I mean, we'll have to see.
Obviously, we just had a new FTC appointed. We'll have to see
what what those policies are. But I do think there's a general

(32:54):
view that, you know, this new administration may be more
favorable towards, you know, that outcome.

Ross Haleliuk (32:59):
How is private equity shaping the M&A
landscape in cybersecurity today? With certain market
segments seeing a significant percentage of companies owned by
PE firms, what are some of the trends or shifts that you
anticipate as we move into 2025?

Hamza Fodderwala (33:13):
Yeah. I think, private equity has been shaping
the cyber M&A landscape in in a lot of ways in the last few
years. I mean, if you look at the identity market, you know,
Thoma Bravo has been very active there. Endpoint security, email
securities. There's certainly been a lot of, interest in
cybersecurity.
If you think about cybersecurity, these are very,
you know, durable companies. Right? They tend to be, you
know, high retention rate, very sticky, high margin at scale.

(33:37):
They tend to be very good businesses. And so I think, I
think from the PE standpoint, they do have a lot of assets
that that they acquired in the last 5 years, particularly
during that last wave during 2019 and 2022 that I think
they're looking to monetize from.
Right? Whether it's exiting vis-a-vis IPO or looking to sell them
to a larger company. So I I think that there's a there's a

(33:58):
bit of a monetization wave that's gonna happen assuming the
public markets remain open. And then I think eventually there's
gonna be some interest in looking at, you know, some cyber
assets, whether public or late stage private that, you know,
are ripe for consolidation. So I think, what we're gonna see more
from the private equity players going forward is similar to what
we, you know, did see with Thoma Bravo acquiring in the identity

(34:20):
space.
Right? They acquired 3 great companies. Some of those
companies they'll look to merge, others they'll look to keep
standalone. And, I think there's a lot of opportunity to do that
in the late stage private and public space. Right?
I mean, you know, finding maybe a public company and a private
company that have overlap, maybe neither of those are going to be
viable on a standalone basis longer term. Maybe you acquire

(34:43):
those 2 companies, combine them, and in 3 to 5 years, look to
spin spin a a bigger public company, right, that could be
more palatable for the public markets. And I think we'll see a
lot more of that, and there's a lot of opportunity for that. As
you know, there's, you know, something, what, like, 7,000
cybersecurity vendors out there and, you know, less than a 100
of them are public. And so I think, there's certainly

(35:03):
opportunities for consolidation.

Mahendra Ramsinghani (35:05):
You know, Hamza, when we look at, how
these consolidation trends are occurring, there's a very
interesting pattern that we are starting to see. And we'd love
to get your views on how the universe of acquirers is
expanding. And let's take the most recent example of, Recorded
Future, you know, a company that was acquired by Mastercard. Now

(35:26):
Mastercard and cybersecurity not necessarily go in the same
sentence, but it was interesting to, as I read and researched
this acquisition, that Mastercard was losing something
in the range of $5,000,000,000 a year on fraud. And they paid
about 2,650,000,000 for Recorded Future.
So, you know, if you just do the math in 2 years, that's that

(35:48):
could be a reasonably good recovery if it just follows that
simple logic. But the fact that a financial entity is losing so
much on fraud and then is stepping into saying, we need to
do something about cybersecurity, there's a very
interesting shift in our acquisitions marketplace. Give
us a little bit more from your vantage point on how you see
(36:09):
this, shifting.

Hamza Fodderwala (36:11):
Yeah. That was a very interesting and unique
acquisition for sure. And I think it's I think it really
comes down to, you know, 2 things. Is cybersecurity gonna
be a source of growth for, you know, companies going forward? I
think the answer to that is yes.
But then the second point is, is this gonna be synergistic to my
core business? And so, you know, in Mastercard's case, right, it

(36:33):
sort of checked both boxes. I think other companies we've seen
outside of cybersecurity make investments in the past. You
know, yes, it's a growth driver. Right?
It adds some diversification to their revenue stream, but, you
know, perhaps it's not as synergistic. Right? So we've
seen, you know, defense companies, for example, acquire
in the cybersecurity space, recently and in the past.
Sometimes it works, sometimes it doesn't. Right?

(36:55):
We've seen enterprise software companies invest in
cybersecurity companies and and, you know, those can be hit or
miss as well. So I I do think, there's gonna be that interest.
Right? But I think the key question is not just that, hey.
This is another business, you know, segment within my broader
organization that can maybe be accretive to growth in the short

(37:15):
term perhaps, but it's really around how do I integrate this
and make this synergistic to what my core offering is.
I think Mastercard answered that question with Recorded Future
again. And looking within cyber, you know, companies like Palo
Alto Networks have done a great job of this as well. You know,
making almost 20 different acquisitions in the last five
years, you know, some of those were very successful maybe a few

(37:36):
of those weren't, but the ones that really were successful were
synergistic, were easy to sort of sell into the distribution
engine, and, ultimately became much bigger businesses under
Palo Alto or, you know, CrowdStrike than they would have
been on a stand alone basis. So I think that those, you know, 2
questions are really important to ask to the extent that you

(37:57):
are looking to invest in the cybersecurity market.

Mahendra Ramsinghani (37:59):
You know, you make a great point there,
Hamza, about, when you look at how Palo Alto has
done for almost, 20 plus acquisitions over its time and
done a very good job of integrating them very well. On
the flip side, you know, the telcos have somewhat of a mixed
bag, in terms of, you know, playing this game. I mean,

(38:19):
Singapore Telecom bought Trustwave for 800,000,000. This
was almost a decade ago. And then recently, they divested
Trustwave for, like, about a 130,000,000.
So, are telcos not well suited to play this game at all, or are
there some examples that jump out at you where they've done a
very good job?

Hamza Fodderwala (38:38):
I can't think of any examples of, but, I
think, I might be wrong on that front, but, I think, I think it
goes back to that earlier point. Right? I think initially, the
telcos and I could understand why it was intuitive. Right? I
mean, hey.
You know, a lot of times telcos are involved in really being a a
channel partner for cybersecurity companies. Right?

(38:59):
Being an enabler for cybersecurity adoption and just
thinking, you know what? You know, why can't we just do this
ourselves and get a 100% of the economics? And, I think the
logic makes sense.
Right? But, again, it's is this just gonna be another business
segment within your broader organization? Right? Or is this
actually gonna be a core pillar of what you're offering? Right?
Is this gonna be your core business? Right? Is this gonna

(39:20):
be synergistic with your core business? And that question I
think is is is more important to answer than just, you know,
saying, okay. You know what?
We're gonna make this another business segment. We're gonna
throw a bunch of money at it and hope hopefully, it sells. No.
No. It really has to be, you know, core to your offering for
it to be successful because cybersecurity is hard.
Right? I mean, a lot of enterprise software companies,

(39:41):
you know, Microsoft comes to mind, which is the biggest one,
and they built a great, you know, cybersecurity business,
$25,000,000,000 plus in revenue. But, you know, even even they've
had their challenges in certain market segments. And so I think
just given how hard security is, you really have to make sure
that this is something that, you know, you think about every
single day because I can guarantee you, you know, folks

(40:02):
like George Kurtz from CrowdStrike or Nikesh Arora from
Palo Alto Networks or Jay Chaudhry from Zscaler, you know,
they're thinking about this 24/7. They're thinking about how can
they win in the market, you know, every single day.
And, if this is an afterthought for you, it's gonna be tough to
compete. That's a great way

Sid Trivedi (40:20):
to put it that, you know, cyber can't be an
afterthought, whether you're running a business or whether
you're using those cybersecurity solutions. I wanna move to the
last segment of our conversation and executives of every major
cyber incumbent vendor, and you you spoke about a few of those

(40:42):
names just now. What insights do you have for do you have for
founders on which areas are ripe for disruption and where they
should focus their time?

Hamza Fodderwala (40:51):
Yeah. It's a it's a great question because, I
mean, there's some areas that have been ripe for disruption
that you wouldn't really think are areas that people have been
focused on. So I think it kinda breaks onto 2 categories. 1 is
solving new problems, and then I think the other one is solving
existing problems that, you know, people haven't addressed

(41:12):
for a long time. So I think, the new problems would be areas like
we talked about earlier, AI security.
Right? Coming up with more modern data security,
application security products that are gonna be able to solve
this new world of securing AI and large language models
because I think, there are some bigger companies that are going

(41:32):
to certainly try to address this market, but I I think, this is
gonna be an, you know, a greenfield area that every
Fortune 500 company or, you know, small and large is trying
to figure out right now. Every company right now is
establishing AI governance boards and trying to figure out
how to securely enable this technology. And then the second
is, you know, solving existing problems that a lot of people

(41:55):
have sort of abandoned. So the one that comes to mind clearly
is, email security.
I mean, I, you know, covered Proofpoint when it was a a
public company, and the number one question you get from
investors was, okay. Well, when is Microsoft going to crush
them? And, you know, that hasn't happened. Right? But what we've
seen, if anything, in recent years is we're seeing, you know,

(42:17):
new email security companies come up.
You know, Abnormal comes to mind, which obviously recently
had a had a big raise in valuation round and is now over
200,000,000 of ARR and has done really well in that email
security market. Obviously, we still have, you know, Proofpoint
out there. In the private space, we've had other email security
companies that have raised, you know, money at at pretty, decent

(42:39):
valuations recently as well. We we saw Check Point, Fortinet
recently acquired in the email security space. So, again, this
is a existing area that people just thought was not going to be
innovated on and, you know, Microsoft is gonna take that
space over.
But I think, with AI now with, you know, the increase in
phishing attacks, attacks, we're seeing more innovation in this
market. I think another area that's been coming up more and

(43:01):
more has been this, market for cyber resilience. Right? Whether
that's backup and recovery. You know, we've seen some companies
go public around that front like a Rubrik, which has done quite
well recently, or others.
Right? So I think cyber resilience, backup and recovery,
data management, those are gonna be areas that I think are gonna
get more attention, more funding as well. So, again, newer

(43:22):
problems, newer attack surface areas that you have to secure,
whether it's, you know, AI or elsewhere, and then existing
problems that have been sort of left for dead like cyber
resilience, like email security. I didn't mention, GRC,
governance, risk, and compliance, which, you know, we're seeing a
lot more investment in. I think AI has a potential to disrupt
existing categories and create new categories.

(43:44):
So that's where I would I would focus on. Those would be sort of
the the broad umbrellas, if you will, that I would really try to
focus on if I was a if I was a founder.

Mahendra Ramsinghani (43:52):
You know, Hamza, I'm seeing a very
interesting dichotomy from my vantage point. I mean, you make
absolutely spot on observations about how AI security for AI and
AI for security is going to play a very big role. And of course,
the Proofpoint Microsoft example, in a parallel world,
people joke about Google can solve this problem. But either

(44:13):
they don't have the time or the interest. It's not a big enough
problem for them.
And you have the likes of continue to sort of take on the
email security problem. The dichotomy I'm seeing is the SMB
side of the world. You know, we have interviewed, governor
Snyder. He's the former governor of of Michigan. He's now CEO of
one of my portfolio companies called Sensei.

(44:35):
And he's squarely focused on SMB market, which is employees or
sizes that are a certain threshold below. I mean, these
are too small for the Palo Alto Networks of the world, but they
often become the vector, the attack. Like, if you look at the
Home Depot story of how this HVAC vendor, a 40 person
company, was used as an entry point into some of their point
(44:57):
of sale systems. Besides the economic rationale that this is
not a big enough market, there is too much churn, what do you
think can be done to make that side of the economic landscape
more resilient?

Hamza Fodderwala (45:09):
Yeah. It's a great question. You know, I
think, obviously, there there needs to be an education and an
investment in sort of, the channels to sell to these, you
know, market segments. So I think this is where partnering
going back to our earlier question, partnering with the
MSSPs, the managed security service partners, is is gonna be
really important. And, you know, having sort of managed, services
(45:33):
offerings yourselves, I think can also be important.
Right? Really, like, deploying that technology is one thing,
but operationalizing it is the other thing. And I think a lot
of, issues with perhaps that market, the SMB market, when you
get below a 1000 employees is they don't have the resources to
buy and deploy a bunch of these security technologies. Right?

(45:54):
Even if they had the budget to spend a 100,000 or 200,000 on
a security product, you know, them being able to use it is a
whole another different story.
So how do you reduce that cost to serve, which I think
certainly a lot of MSSPs been able to do, but also the cost to
operationalize is a big thing. And, you know, most large
organizations will have to see so. Nowadays, they might have a
head of endpoint security, a head of identity, a head of

(46:16):
owner you know, a lot of these organizations don't have a CISO.
They have 1, you know, 1 guy or gal who's the head of IT, maybe
the head of networking they might have. And then, you know,
one of those people get stuck with the security job, and it's
obviously a big task.
So I think partnering with MSSPs, having managed services,
often offerings of your own is gonna be vital if you're trying

(46:37):
to address that market. But I think, finding a way to scale
that profitably is another challenge and hopefully that's
where AI can come in. Right? If you can use the power of
generative AI to, you know, offer and solve security
problems, I think that could also be a big thing too. I'm
thinking for the MDR vendors in particular, you know, that that
could be an area where you could see, you know, an AI, SOC as a
(47:01):
service, if you will, market start to come up more and more
as we as we figure these how to operationalize these
technologies.

Sid Trivedi (47:07):
Very topical because we had Kumar Saurabh
right before you on the episode right before you. So very
topical for our listeners.

Hamza Fodderwala (47:14):
I might have gotten the idea from him. So
thank you, Kumar. Yeah. But, you know, one

Sid Trivedi (47:19):
other thing is that kind of the number one cyber
analyst on the street, you spend most of your time with these
legendary founders, like George Kurtz, like Todd McKinnon, like
Jay Chaudhry. Is there a single trait that you see amongst them?
I mean, you've probably spent hundreds of hours with each of these
individuals debating what they're doing from a strategy
perspective. Is there something that you see that you're gonna
(47:42):
say, like, this is what makes an amazing cyber founder?

Hamza Fodderwala (47:45):
Yeah. I do have to give a a shout out to
Nikesh Arora. He may not be a founder of Palo Alto Networks,
but he's definitely founder mode. I can tell you that. I
would say they're all very much locked in and they're obsessed
with, you know, solving these problems.
So, you know, I think of a a George Kurtz, right, and kind of
what he's been through in the last, 6 months, with this
(48:06):
incident that they had in mid July. You know, he was at the
forefront. He was on television the next day, took full
responsibility, didn't hide from anybody. He was at Black Hat. He
was at his conference.
He was at your event at Black Hat as well, Sid. And, you know,
this is a person that took on this challenge, a lot of
integrity and was, you know, at the forefront and, you know, is
living and breathing this stuff, you know, every day. Right? One
(48:28):
of the things that I I always find, right, whether it's, you
know, George or Nikesh or whoever, whenever you reach out to them,
you send them something, right, they get back to you right away.
So they're always on and they're very passionate about solving
these problems for their customers and ultimately winning
in the marketplace.
Right? It's a competitive space. So if you're a founder and you
believe you have the next $100,000,000,000 cybersecurity
(48:49):
company, you wanna have that self belief almost to, like, a
delusional level because certainly these these folks not
only believe they have the next 100,000,000,000 cyber companies,
which some of them have been able to achieve, but they think
they can get to 2, 300, maybe a $1,000,000,000,000 over time. So
I think, it really just comes down to passion. And I I have to
mention, obviously, Jay Chaudhry as well, you know, who is
(49:09):
working 24/7.
Right? And you just think of the, you know, where he's come
from and what he's been able to achieve. This is a person who's,
you know, sold and and started companies several times. So he's
not in it to, you know, make a quick dollar. Right?
He's he's really in it to win and and and and build a a
Zscaler into a a much larger company and a company that can
(49:29):
endure over time. And so I think, I think that's really the
the the one trait that I'll mention from the the CEOs and
founders that I'm particularly close to is is all of them, you
know, are very passionate, very hardworking, and are always
thinking around the corner almost to a paranoid, you know,
level, if you will, on how they can be disrupted. Right? So if
(49:50):
you're a small cybersecurity company and you're a founder and
you think that you can stay under the radar, maybe you can
for a little while, but I guarantee you, you know, they
will take notice at some point.

Sid Trivedi (49:58):
Yep. There are over 80 cybersecurity companies that
have reached unicorn status, and about 5 of 100 of them have
raised over $50,000,000 in venture funding. And despite
this, exits are still quite limited. What advice do you have
for founders who are raising venture capital in in 2025?

Hamza Fodderwala (50:16):
Probably a better question for you, but, so
maybe you can answer it as well. I mean, it really depends, like,
what what stage I'd say, you know, if you're an early stage
company and you're solving a problem that will be bigger down
the line, but you might not have a distribution, I would just be
thoughtful about valuation. Just remember Palo Alto Networks,
CrowdStrike, some of these larger cybersecurity companies
(50:37):
that you may wanna eventually sell to, these companies have
not made acquisitions that are above a $1,000,000,000 in
purchase price yet. And, you know, if if they eventually
will, you know, it might be something of scale, right, that
they can perhaps, you know, is is could be accretive to their
growth. So just be mindful that, you know, you might have, you
know, the best AI security product in the market, but at at
(51:00):
a certain price point, it's more economical for these larger
cyber companies to perhaps build a product on their own and
compete with the talent that you're trying to compete with as
opposed to going out and paying a $1,000,000,000 for for your
company that might be great, but it's only 10,000,000 of ARR.
And so folks like myself will probably start to question the
the prudence of that deal. So I just think be thoughtful about
(51:21):
valuation. Right? If you wanna be the next $100,000,000,000
cybersecurity company, right, then perhaps that's a different
calculus that you have to make early on. But, I just think, you
know, it really depends on on the stage and what your exit is,
but just don't take that that big valuation increase without
thinking about, you know, what your ultimate exit strategy is.

Sid Trivedi (51:41):
I couldn't have said it better myself. I think
the the factor around really be thoughtful on what is your goal,
why are you raising this capital? What's the value of
that capital? What are you gonna do with it? And is it a fair
valuation?
Just so, so important.

Mahendra Ramsinghani (51:55):
And then you have, of course, people like
Assaf at Wiz, who have, you know, what the last rumored valuation
was $12,000,000,000 or $20,000,000,000. Is that correct,
Sid?

Sid Trivedi (52:06):
Yeah. We don't know what the yeah, there's a round
going on right now. But yes, it's potentially a round.

Mahendra Ramsinghani (52:10):
It's rumored.

Sid Trivedi (52:12):
That's right.

Mahendra Ramsinghani (52:12):
So I think that when you fall into that
category, obviously, there is this now, you have only one path
forward, which is you have to go public because you essentially
price yourself out of the market that the 3 or 4 public acquirers
could have paid. And if you zoom out a little bit, Hamza, what
are some things take a look at a crystal ball. What are some
(52:35):
things we should prepare for in 2025? And we already touched on
some of these in earlier parts of our conversation about
regulatory changes that are coming. But, you know, if you
had to end on optimistic or a positive note, what are some
sound bites that come to mind?

Hamza Fodderwala (52:50):
Sound bites that come to mind of optimism. I
think, you know, in that case, just to address, you know, Wiz,
I mean, these are folks, whether it's Assaf or or, you know, and
and that whole team. Yeah. This is a team that really believes
they're gonna be the $100,000,000,000 cybersecurity
company. Right?
So the fact that they, you know, reportedly had an offer from
Google at $23,000,000,000 and and were able to walk away from
(53:13):
that, I think really shows that. So I think for them, you know,
they've been able to, obviously, raise bigger rounds and and, you
know, may grow into those valuation rounds. Certainly, the
trajectory seems to suggest that. And so more power to them.
Right?
And, we'll we'll see when they decide to make that leap into
the public markets. I think signs of optimism is look. You

(53:33):
know, technology today is about little over 40% of the S&P
500, and there's no signs of that slowing down. Every
organization in the world is trying to play more technology
within the organization with when it comes to AI, cloud, you
know, what have you. And so I think it's a great time to be in
cybersecurity because, ultimately, the more technology

(53:54):
you deploy in organization, the more AI you use, you have to
secure that.
And I think that's gonna open up new threat vectors, which is
gonna open up new opportunities. And, you know, ultimately, that
that's gonna mean, more innovation in the market. And so
I think it's exciting times. I think if you look at the public
markets right now, the macro backdrop is is certainly
favorable. There's a lot of growth scarcity.

(54:15):
I mentioned the public markets. That means that, you know, if
you're a company that is 500,000,000 of ARR, 250,000,000
of ARR you're growing fast and you have a a great product, I
think this is the time to really go out. And I'd also say, you
know, you know, great companies throughout the history of, you
know, tech and software usually are born during difficult times

(54:36):
or tested during difficult times. If I think about the
cybersecurity companies that have come up in the last, you
know, 15 or 20 years, whether that's Okta or Zscaler or
whoever. Right?
These all came up in and around the financial crisis. And so I
think, you know, there there's gonna be a a cohort of
cybersecurity and tech companies that, you know, could

(54:56):
potentially be the next 100,000,000,000,
$200,000,000,000 companies of our generation. And we've got
this massive compute cycle in AI, which is really driving
every organization, large or small, to really rethink their
technology architecture and modernize their technology
architecture. Because a lot of these folks, you know, still
haven't really fully embraced the cloud, you know? And so I

(55:19):
think this AI is really gonna be the catalyst for them to, you
know, put technology more at the forefront, which means more
dollars, for these companies.

Mahendra Ramsinghani (55:29):
On that on that note, Hamza, first of all,
I wanted to thank you not just for coming today and sharing
your insights, but I think you're one of the few analysts
that is always accessible. You have this fantastic blend of
humility with very deep research and good work that you do.

(55:50):
Obviously, your team has been named number 1 now for, what, 6
years, consistently at Morgan Stanley. So your work speaks for
itself. But most importantly, Sid, Ross, and I are serving
founders.
These are people that are just getting started. They are sort
of in a classic state where very few people care for them. And
the work that you do, the insights that you share are

(56:11):
extremely valuable for them to plan their journey. So I wanted
to say a big thank you. And, of course, as we end our year in
2024, Sid, Ross, and I also want to take this opportunity to
thank all our listeners for helping our podcast to become
number 1 in 2024 in cybersecurity.
That's self-proclaimed. Is that correct, sir? It's
self-proclaimed?

Sid Trivedi (56:32):
It's definitely self-proclaimed.

Mahendra Ramsinghani (56:35):
Well, at least we are one of the few that
is focused on cybersecurity, and we're bringing some of the
best brains, the best minds, in the industry to our founders. So
on that note, thank you, Hamza. Thank you, Sid. We'll see
you in 2025.

Sid Trivedi (56:50):
Thank you, Hamza, and thank you to our listeners.
Thank you for joining us Inside the Network.

Ross Haleliuk (56:58):
If you like this episode, please leave us a
review and share it with others.

Mahendra Ramsinghani (57:03):
If you really, really liked it and you
have some feedback for us, wrap it on a bottle of Yamazaki and
send it to me first.

Sid Trivedi (57:12):
No. Don't do that. Mahendra gets too many gifts
already. Please reach out by email or LinkedIn.