Most Successful Cybersecurity VCs: The Top Firms. (Part III)

In Part I I’ve written about perception of great VCs, and in Part II I showed some data on actual meaningful exits with outcomes greater than $500m over the past ten years. Meaningful exits often take 9 to 11 years to materialize (e.g. FireEye was founded in February 2004 with IPO in September 2013; Forescout was founded in April 2000 with IPO in October 2017). These are long journeys. I wanted to know in how many IT Security and Cybersecurity companies the top firms invested since 2001.

Limitations of Analysis

One problem with using publicly available data (versus actual fund performance insights my firm has) is that we cannot deduct if these were not only great exits but also great deals for the individual investors. Selecting great firms with exit valuations greater than $500M are only a limited proxy for selecting great deals with great returns. These sums might not be easily comparable with each other. Some venture firms might have had exposure to the same startup, but:

  • One at an early stage, the other at a late stage
  • Both at the same stage, but one with a an unsubstantial small amount, the other with a large ownership stake
  • Both at the same stage, but one did not follow-on in subsequent transactions and got diluted
  • One as part of a round, the other in a secondary transaction of same round at a discount
  • One before a recap, the other after

The result could be a bit like Startup-Unicorn-Logo-Collecting, without any indication of actual performance. However, assume that the firms acted as experienced institutional investors and would have minimized such effects. In lieu of disclosing actual distributions and performances, we use this exposure as a rough proxy.

Disclaimer: Past performance is not an indication for future success and returns.

TopFirms.png

The gray bar is the total number of IT Security and Cybersecurity investments made since 2001, to see what the success rate of these firms is so far.

Concentration of Success

  • There were a total number of 200 (!) individual or institutional  investors with exposure to exits with valuations larger than $500M at exit.
  • A total of 23 investors had exposure to 2 exits. We selected to show both Trinity and KPCB as they (a) had very different exposure with less overlap of other firms, and (b) Ted Schlein has a good track record in IT Security investing with exits before 01/01/2008 and we were curious how that would turn out.
  • Sequoia, Meritech, and KPCB together backed 56% of all meaningful exits. The three firms together had exposure to 78% of the total $$ amount of all meaningful exits in the past 10 years together.
  • Greylock had 100% overlap with Sequoia in it’s exposure to 5 of the 25 large outcomes (SkyHigh, Okta, OpenDNS, Aruba, Palo Alto Networks). Greylock invested in Aruba stock in December 2008 after it had gone public but from its venture fund, with liquidity in July 2013.

Partnerships Dynamics

Some of these firms shared the investments between a variety of general partners, others were concentrated on one specific partner. Some of them might be affected by generational changes. Here are three examples:

Partnerships

“Hit Rates” of Venture Firms

It’s not quite fair to calculate the hit rate when some firms like Wing Venture Partners just started to invest; or others started to massively increase their exposure in cybersecurity investments after 2012. Meaningful exits often take 9 to 11 years to materialize (e.g. FireEye was founded in February 2004 with IPO in September 2013; Forescout was founded in April 2000 with IPO in October 2017). Most of the firms above are early-stage investors, Firms with portfolios younger than five years might have more potential in their portfolio, and a “hit rate” is definitely less meaningful. Here are the six firms that have made more than 40% of their total number of investments since 2001 in the past five years.

LessThan5Years

I hope that sheds some light on VC firms that had some outstanding performance over the past ten years in IT Security and Cybersecurity.

Thoughts? Opinions? Comments? Corrections?