Why aren’t venture capitalists flocking to fund cybersecurity startups?

On the back of pretty strong earnings reports and valuations, public cybersecurity companies are outperforming the broader technology segment. Yet, funding for cybersecurity startups has flatlined.

The Exchange explores startups, markets and money.

Read it every morning on TechCrunch+ or get The Exchange newsletter every Saturday.

It’s an interesting issue that is worth taking a moment to consider. This morning, let’s look at how cybersecurity companies have performed, as well as a number of datasets regarding Q1 2023 venture capital investment to understand why investments have been tepid in this sector despite stellar results from the companies.

Sounds good? To work!

How to make a lot of money in the technology game

If you want to earn truckloads of cash selling software today, I wouldn’t recommend making an API to connect a blockchain to the e-sports world. Both of those sectors are struggling after a period of overinvestment and hype, though I hope both rise again: The former because it would be entertaining in a business context, and the latter because I am a huge nerd who is patiently waiting for a Starcraft revival.

No, if you wanted to make a lot of money in the technology game today, you would build and sell cybersecurity products.

The evidence is clear. Cybersecurity is chugging along quite smoothly, even as the largest tech companies muddle along and Zoom figures out how to grow again after one of the most impressive runs in corporate history.

Here’s a bit of data for your delectation:

  • Palo Alto Networks reported better profit and revenue than analysts had expected, and investors are happy about it, with shares up 7.9% this morning. The company’s report reads like a victory lap: Revenue increased by 24% while total billings rose 26%. Its remaining performance obligations climbed 35%, leading to a 61% improvement in operating income and a 68% rise in free cash flow. All that helped its adjusted earnings per share increase 83%, moving the company into the realm of GAAP profitability. In today’s economy!
  • Zscaler won’t report earnings until June 1, but it’s already telling investors to expect a show. Zscaler is expecting Q3 revenue to land between $415 million and $419 million, above its previous forecast of $396 million to $398 million. That’s not a small change — the midpoint of the new forecasted range works out to around 45% growth.
  • Over at CrowdStrike, investors expect the company to report revenue of $677.4 million in the quarter ended April 2023, up from $487.8 million a year earlier. That’s roughly 39% growth.

We also have other examples, but I think the ones above make it clear that public cybersecurity companies are doing quite well for themselves.

Investors are paying attention. If you sort the Bessemer cloud index by revenue multiple, you will find CrowdStrike, Cloudflare, Zscaler and SentinelOne toward the top. So if you want a revenue multiple in the double digits, cybersecurity will lead you in that direction.

How to make less money in the technology game

Given clear market demand and impressive results from mature cybersecurity companies, are venture capitalists pouring capital into cybersecurity startups? Nope.

As Crunchbase News reported recently regarding Q1 2023 venture totals:

Venture-backed startups in cybersecurity saw nearly $2.7 billion in the first quarter of the year, per Crunchbase data. That is a slight uptick from the $2.4 billion in the final quarter of last year, although it represents a 58% drop from the $6.5 billion such startups saw in Q1 2022.

The best thing we can say about cybersecurity VC investment in Q1 2023 is that it matches what we saw in Q3 2022 and is better than what Crunchbase counted in Q4 2022. So things are not terrible, even if they’re far from outstanding.

A report by startup accelerator and investor DataTribe also covered how the cybersecurity startup sector struggled to find much to crow about in Q1 2023 (emphasis added):

The first quarter of 2023 marks the close of a grim quarter for most founders raising venture capital. U.S. Cybersecurity deal activity in the quarter was at or near decade lows from seed (21 in Q1 2023 vs. 20 in Q1 2015) to Series E. Year-over-year, cybersecurity seed deal volume was down 56% (from 48 to 21) and down 50% (42 to 21) from the previous quarter. The broader U.S. Venture Capital ecosystem marked similar low points, albeit with a sharper decline than what we observed in cybersecurity. Valuations remain compressed at all stages except seed, with the notable exception being the $300M Series D raised by Wiz at a 54x revenue multiple and a $10 billion pre-money valuation.

DataTribe went on to note that some early-stage cybersecurity valuations are above prior norms, mirroring what we have seen in the larger seed-stage segment. But that’s about it when it comes to good news.

So, what’s going on? There are a few possible answers to this conundrum. In no particular order:

  • A startup die-off is limiting the number of companies that are going to make it through the venture slowdown, therefore constraining the amount of capital that can be put to work efficiently. Per DataTribe, “the number of cybersecurity companies reported as ‘Out of Business’ in Q1 2023 is well above historical norms and nearing an all-time high,” so this could be a factor.
  • A lot of cybersecurity startups are growing quickly enough that they don’t need capital at this time. A good way to fund a business is through gross profit, and strong growth could be helping limit these startups’ need for outside capital.

That’s all I got. Given that valuations are down across the board, today’s cybersecurity equity prices have been dramatically depressed, even if they remain more expensive than other tech subcategories.

You would think that VCs would be swooping in to buy shares on the cheap. And yet.