Security VC hit nearly $30B in 2021, with startups rapidly going from ‘zero to billions’

Venture capital funding for cybersecurity companies in 2021 surged to nearly $30 billion, more than doubling the tally from the previous year — and ultimately outpacing both 2020 and 2019 put together, according to data from security-focused advisory firm Momentum Cyber.

Security companies raised a total haul of $29.3 billion in venture funding last year — compared to $12.4 billion in 2020, which was the previous record, the firm said in its Cybersecurity Almanac 2022. In 2019, the VC tally for security companies was $9.7 billion, Momentum Cyber said.

The VC funding growth was just one of many record stats for the security industry in 2021 — a year that included a string of high-profile cyberattacks, along with massive security challenges for many businesses resulting from continued remote work and accelerated digital transformation.

“When the threat environment elevates almost exponentially from the prior period, what happens right after that? Massive customer spending,” said Dave DeWalt, founder and chairman at Momentum Cyber, and founder and managing director at venture firm NightDragon. “And what happens right after that? Massive investment spending.”

‘Supercycle’

DeWalt, who previously served as CEO of major cybersecurity companies including FireEye and McAfee, said he’s seen “cyber supercycles” occur in security in the past — and that we’re undoubtedly in another one right now.

However, this one is on a different scale — judging by the many record highs for the industry last year:

• The total number of VC deals for security was 1,043 (versus 728 in 2020)
• 30 privately held security companies achieved $1 billion “unicorn” valuations (compared to six in 2020)
• 83 cybersecurity funding deals surpassed $100 million
• Total security M&A reached $77.5 billion in value
• 14 M&A deals in security were valued at greater than $1 billion
• Five cybersecurity companies completed IPOs

In a nutshell, we’re currently living in a “golden age of cyber,” DeWalt said in an interview.

One of the major dynamics that’s changed in the market is that “cyber is now a boardroom conversation,” said Bob Ackerman, founder and managing director at venture firm AllegisCyber Capital, in an interview.

The SolarWinds breach at the end of 2020 was followed by 2021’s series of ransomware incidents, including attacks against fuel pipeline operator Colonial Pipeline, meat processing firm JBS Foods, and IT management software firm Kaseya — all of which had repercussions far beyond their corporate walls.

Meanwhile, critical vulnerabilities were another major theme of security in 2021 that served to raise awareness even further. Those included flaws affecting Microsoft Exchange and the widely used Apache Log4j logging software.

The innovation coming from security startups, of course, was pivotal to enabling the 2021 record highs as well, DeWalt and Ackerman said.

In the current security environment, “virtually 100% of the innovation in cyber takes place in private companies,” Ackerman said. “The cycle of innovation in cyber is accelerated — and frankly, most public companies cannot innovate at that velocity because the threats change so quickly. And so from an investor’s perspective, the private side of the equation is the place to be.”

Unicorn stampede

The fact that 30 cybersecurity companies achieved billion-dollar valuations in 2021 is notable on its own — but on top of that, some new unicorns got there in just a few years. For instance, cloud security startup Wiz, which raised a $250 million round in October at a valuation of $6 billion, was only founded in 2020. And cloud protection firm Orca Security — which raised a $550 million round in October at a $1.8 billion valuation—was founded in 2019.

Other security companies, with just a few more years under their belt than that, achieved valuations last year that are typically reserved for publicly traded companies. Software development security firm Snyk announced $530 million in funding in September that valued the company at $8.5 billion, while cloud security firm Lacework raised a $1.3 billion round in November that brought a valuation of $8.3 billion. Both companies were founded in 2015.

Still, this type of trajectory for the most innovative security companies is not necessarily the exception now — and can actually be seen as the “new norm,” DeWalt said.

“Watching companies go from zero to billions in market value in short periods of time is here because of the TAM—the total addressable market,” he said. “You can just see massive, multi-billion dollar segments happening practically overnight.”

In the past, within security, “it took much longer to grow those TAM sizes,” DeWalt said. “Now, there are opportunities for companies to go zero to billions in market value — and revenue — in much quicker windows.”

Key segments

In terms of security segments that received the most funding in 2021, cloud security led the way with a total of $4.3 billion in funding, according to Momentum Cyber. Identity and access management companies raised $3.5 billion in funding during the year, while endpoint security companies raised $3.1 billion. Here’s the full list of funding by security segment, via Momentum Cyber:

• Cloud security — $4.3 billion
• Identity and access management — $3.5 billion
• Endpoint security — $3.1 billion
• Risk and compliance — $2.7 billion
• Data security — $2.5 billion
• Network and infrastructure security — $2.4 billion
• Fraud and transaction security — $2.3 billion
• Blockchain security — $1.8 billion
• Application security — $1.8 billion
• IoT security — $1.7 billion

Looking ahead, DeWalt said he doesn’t see any indication that this is a bubble that is soon, or inevitably, going to burst. Many of these security companies are building real businesses—and addressing real threats that aren’t going away, he said.

“What’s different than the dotcoms, with the world of security, is that the antagonizers are the governments—and the governments sponsoring [hacker] groups,” DeWalt said. “Why are we watching companies grow into billions of market value and revenues? It’s because the threat is persistent. And that’s why I think [these companies are] real, and this is here to stay.”