While IPOs are back and TechCrunch+’s eyes are peeled for new S-1 filings and early indications of how much public-market demand there will be for upcoming debuts, we’d be remiss to forget companies that made the opposite journey in recent years.
Case in point is SailPoint, a cybersecurity and identity management company that was taken private by Thoma Bravo in April 2022. The deal closed in mid-August of the same year.
The final earnings report that SailPoint disclosed before it was taken private detailed its Q2 2022 results, including revenue of $134.3 million (+31% year-over-year), annual recurring revenue (ARR) of $429.5 million (+47% year-over-year), and net loss of $29.4 million, worsening from a net loss of $16.7 million in the year-ago quarter. On an adjusted basis, the company’s net loss was a far smaller $2.2 million.
In the year since we last looked at the company, SailPoint told TechCrunch+ that it crossed the $600 million ARR milestone in the third quarter of 2023; the company said its SaaS revenue rose more than 50% in the first half of 2023 from a year earlier.
On the one-year anniversary of that deal, TechCrunch+ caught up with founder and CEO Mark McClain; Matt Mills, its president of worldwide field operations; and Andrew Almeida from Thoma Bravo to dig a bit into how things have gone since SailPoint was purchased.
Since the deal to take SailPoint private was announced, tech valuations have softened. Double-digit revenue multiples for software companies are now rare, instead of the norm. For SailPoint, which sold for $6.9 billion, what it may be worth today is an interesting question if it does intend to relist in the future. We also wanted to know how the company had performed since going private, what it had hoped to unlock while taking a break from the public markets, and whether Thoma Bravo is hoping for an exit.
This interview has been edited for length and clarity.
TC: Companies that are taken private often tout the ability to build away from the quarterly earnings cycle and the ability to invest on a longer timeframe. What has going private unlocked for SailPoint?
Mark McClain: We saw plenty of great market opportunity in front of us. Given how the market had not yet fully cooled off when we first started talking [with Thoma Bravo], I think we thought we would probably do a few more aggressive, larger-scale M&A types of moves.
As the market cooled and that became maybe not exactly the right playbook, we still saw a lot of reasons to partner and get out of the noise. [Going private] got all that noise off the table, and it did put us back in a position of working with folks who are very adept at helping you kind of look for ways to be [both] high growth and efficient.
That’s something we learned really well together [from] 2014 to 2018 [when Thoma invested in SailPoint]: How do we keep a hot growth engine but not do it in a way that we’re just burning lots of capital. At this stage of the company’s evolution, there was clearly an opportunity to have yet another inflection point.
How has it been in practice to keep the business efficient but still bring in enough new ARR to keep everyone happy?
Matt Mills: When I came to the company in 2019, the company was always about efficient growth, profitable growth. We made some big decisions in the end of 2019, early 2020, to really lean in hard in the go-to-market side of the house and build some capacity.
We changed a lot of our branding in January and February of 2020 to identity security. It just so happened March 13, 2020, was when everything shut down for the pandemic. Our timing was really fortunate that all the things that we thought were going to happen got accelerated with work from home.
Then companies, through the work from home [push,] really started to accelerate their digital transformation. I’ve read a number of articles where folks have indicated that maybe five to 10 times the amount of digital transformations happened in the last three or four years, maybe than the prior five. All of that fit very well with our vision and what we thought was out there from an identity security perspective.
How much of that accelerated market adoption was a demand pull-forward versus an acceleration of longer term growth rates?
Mills: If you sit here and look at what’s starting to happen in the market, we’re going through a pretty significant change. For years, we talked about “outside” in cybersecurity strategy. It was all about the firewall.
Looking at data today, depending on who you listen to, 50% to 60% to 70% of breaches today come inside out. People are starting to try to comprehend that you don’t take your eye off the outside in, the firewall, but you also have to start to pay attention to the identity side of things. SailPoint’s been at this for 17 or 18 years, and it started out focusing on the efficiencies and productivity. Those are still very, very important. But the third leg of the stool now is [that you have] to have the security component [as well].
We’re going through this process of not only growing, but [also] enabling and educating the market so that people understand the risks. And that’s really fueling our growth. I hate to say it, but the number of breaches doesn’t hurt, either. It gets people’s attention.
What about SaaS sprawl and the sheer number of digital services that people have? Has that forced more people to pay more attention to identity and identity security?
McClain: Yes, but that’s actually only one part of a multifaceted set of demand drivers. This is partly why I do believe sometimes when people look outside into our space within the security landscape: They’re a little puzzled why it’s gotten so hot. Part of it is just that awareness that breaches tend to have more of an identity centricity.
When we started, it was absolutely about employees. How do you let those in the identities? Then identities rapidly expanded to contractors and supply chain distribution, to all kinds of other humans, maybe quite a few of [whom have] never worked for you but still were part of your IT ecosystem. Now what you’ve got is this nonhuman set of identities that are just blowing up. Robotic software processes, intelligent devices. When people think about, “Oh my gosh, there’s so many identities I’m responsible for,” it’s gone way beyond their employees, to humans to nonhuman.
On the other side, we used to basically protect access to a relatively well-defined set of applications in a data center. Now it’s not just the apps. We tell people all the time, the average corporation probably puts really strong safeguards around access to their SAP system. Yet that same data gets exported out of SAP, into spreadsheets and spread all over SharePoint and Dropbox; they have no idea where all those copies of that data are.
So very quickly, people are understanding, they don’t really have a great handle on all the explosive identities they’re dealing with; they don’t really have a great handle on all the data that they care about and where it is. That’s where an identity security vendor shows up and says, “I could be a pretty strategic part of your future.”
How has SailPoint performed since it went private?
Andrew Almeida: It was tough [in] the first quarter, because Q3 of 2022 was a tough quarter for every enterprise software company, and SailPoint was not immune to that. Once we got through the tough first quarter, Q4 started to normalize [and] things started to feel a little better.
Then Q1 and Q2 of this year, it feels like things are maybe not getting back to peak levels, but certainly, we have a path to better times ahead. . . . The pressure of growing but doing it profitably, SailPoint has [flipped to material EBITDA profitability].
It’s our view that every enterprise software company can grow fast and be profitable, but it really takes a management team to buy into that, and to really believe it, because they are oftentimes conflicting ideas in the heads of leaders of enterprise software companies.
Thoma Bravo has made a number of cybersecurity purchases. We’re curious if that’s an attempt to build an internal muscle and knowledge of the market so you can make intelligent investment choices? Or if you’re hoping to take some companies that you have purchased and merge them together.
Almeida: We’d love to find a way to clone Mark and Matt, but we have no master plan to create a giant cybersecurity holding company. Our plan with SailPoint is to take them public as soon as we can, as an independent company, and re-IPO the business as a more SaaS-heavy, equally-to-higher growth business as to when they were public prior but generating a lot more cash flow.
If you’re king for a day, when do you take SailPoint back out?
McClain: We’re watching the evolution of the market. We are looking at when we think our profile and our predictability [reach] beyond the point at which we could get investors excited again, like we were able to do last time. We said, “Here’s where we are, here’s where we’re going.” The investment community responded very well to that.
The demand profile is strong. As long as we can execute well and the markets come back to anything like [they] should, probably not to the peaks we were at for some of the last five years, but just to a healthy normal. There’s a lot of trend lines that give us confidence we may be headed back there. With that kind of a backdrop, we feel pretty good that we can explore the public markets again.
(Note: This story was updated to correct a reference to SailPoint’s revenue in H1 2023. The previous version of this story referenced “ARR”, and the updated version references “SaaS revenue.”)