Yesterday’s tech stock rout was not evenly distributed; some companies and technology sectors fared better than others. The same can be said about tech sectors in 2022 more generally. For example, the basket of cloud stocks that we track was off 45% year to date before the open today, while cybersecurity index funds ($IHAK, $CIBR, etc.) are off around 20% apiece, a far smaller decline.
Cybersecurity stocks have given back some gains this year; they are not immune from market repricing. But at the same time, the cohort is taking on less water.
The Exchange explores startups, markets and money.
Read it every morning on TechCrunch+ or get The Exchange newsletter every Saturday.
We’re curious if the generally more durable cybersecurity public equities are translating into more stable venture capital patterns as well. More simply, is cybersecurity venture capital deal activity holding up better than other sectors this deep into Q3? We’ve pulled a sheaf of data to help us understand just that.
During the early quarters of the COVID-19 pandemic, the world learned that software companies’ products were not the first to be cut from corporate budgets. But with some large tech shops telling their investors that they are seeing some macroeconomy-related impacts on their business, are we entering a new, changed and worsened period for tech sales? Let’s answer the question through the lens of cybersecurity.
The good news
CrowdStrike had a good run-up to the public markets, pricing its shares above its target range. Once public, the good news kept coming, with CrowdStrike seeing its shares rapidly appreciate after its 2019 listing. Things went so well that TechCrunch caught up with its CEO to learn more about how the cybersecurity company had managed its debut.
Priced at $34 per share initially, CrowdStrike saw its value appreciate to a peak of $298.48 in the last year; today it trades for a slimmer $176.34 per share but still a firm multiple of its initial IPO price. How is the company able to hold onto so much of its valuation appreciation? Really good results, more or less.
In its most recent quarter, for example, CrowStrike beat revenue and profit expectations. And it provided what CNBC called “strong guidance for the third quarter and full year.” CrowdStrike’s CEO was clear on why it was putting up solid numbers:
Moving to our markets, the competitive environment remains favorable and our win rates remain consistent. We continue to see strong demand even as organizations responded to macroeconomic conditions. For CrowdStrike, this primarily manifested in the form of increased levels of required approvals on some deals as companies evaluated investment priorities, which can extend the time it takes to close deals. However, cybersecurity is not a discretionary line item.
Cybersecurity is a priority for CIOs, CEOs and CFOs and boards of directors, and our value proposition resonates strongly with these stakeholders. Deals committed to close in the quarter did close in the quarter, and we entered Q3 with a record pipeline.
This contrasts with what we heard from Hashicorp yesterday after its own earnings — that it was seeing real impacts from a slowing economy.
Sounds good, yeah? So what was the market reaction to all the above? CrowdStrike lost value. Indeed, its share price fell from the mid-$190s at the start of the week to $175.43 in pre-market trading this morning.
Surprised that we’re seeing the company shed value when its earnings were so well received? Welcome to 2022; get used to it.
We need a bit more context to understand the market reaction to CrowdStrike’s earnings. If you zoom out to the year-to-date time frame, CrowdStrike has traded mostly in the mid- to high $100s range, with some spikes into the $200s that didn’t seem to last. The market is more or less maintaining a valuation range for CrowdStrike, despite its growth. That means that CrowdStrike, like other companies, is seeing its revenue multiples contract as time goes along. But unlike other tech companies, it is not doing so at the cost of a huge fraction of its value.
Sure, the cybersecurity company would be happier if it was gaining value regularly, especially after reporting results that were better than expectations. But some other companies managed to best trailing result estimates and were censured by investors. CrowdStrike’s somewhat choppy trading this year is actually pretty damn good in comparison.
Recall up top that we noted that cybersecurity stocks more generally are also down this year, like other tech stocks. Just not as much.
It appears that cybersecurity companies are faring a bit better than their larger grouping — tech, in general — which matters for their backers. But is similar sentiment also showing up in venture capital data?
The bad news
Cybersecurity may be mandatory for buyers, but the same doesn’t apply to venture capitalists. When it comes to investing in cybersecurity startups, the data shows that things have really slowed in recent quarters.
What is and what isn’t a cybersecurity startup is open to debate, so the two sources we have at hand don’t exactly overlap in how they measure activity in Q3 and previous quarters.
Indeed, PitchBook presumably tends to take a broader view than Crunchbase, as its estimates of money flowing into cybersec have been consistently higher for 2022. But what’s relevant here is that both datasets are both moving in the same direction: down.
Cybersecurity startups have raised at least $10.15 billion in venture funding since the beginning of the year, Crunchbase data shows. PitchBook’s $12.55 billion tally is superior, but both agree that Q1 saw more capital being deployed and more deals getting closed than in following quarters — $4.85 billion across 222 deals according to the former and $5.62 billion across 271 deals for the latter.
Investment into cybersecurity startups declined both in dollar volume and deal volume in Q2, to $4.06 billion and 186 per Crunchbase; or, according to PitchBook, to $5.24 billion and 233 deals. However, things really changed in Q3. Of course, the caveat is that this quarter isn’t over yet. And even if it were, recent data is often more incomplete because deals aren’t always disclosed immediately. But this time, the decline is sharp enough that lag and missing data can’t be the only explanation.
Crunchbase and PitchBook reported that deal count was on track to be halved in Q3 compared to the first two quarters of the year, while funding also plummeted. Crunchbase only found 85 cybersecurity deals in Q3 for a total amount of $1.35 billion. PitchBook is slightly more optimistic, saying that 122 cybersecurity startups raised funding in Q3, for a total of $1.69 billion — but again, its previous tallies were higher than Crunchbase’s. This means that no matter the source, Q3 2022 is on pace to lag far behind what we saw in the first half of the year when it comes to cybersecurity venture capital events.
Pulling from another source, Momentum Cyber’s 1H 2022 Cybersecurity Market Review, we also know that the first six months of the year hadn’t exactly broken records. By its count, cybersecurity financing activity was never higher in any quarter before or after Q4 2021, when cybersecurity startups collectively raised $8.9 billion across 241 deals.
This decline in funding leaves us with a paradox: If cybersecurity spending is somewhat recession proof, why aren’t VCs betting harder on the sector? Well, CrowdStrike’s CEO gave us a partial answer: Some buyers are pondering more before signing cybersecurity contracts, and that’s usually not a good thing for new entrants who have less pedigree and less cash flow to deal with longer sales cycles.
As a result, we might see cybersecurity startups take the M&A route — and we will definitely be looking out for consolidation signs in the upcoming months.