VMware makes a bold security statement with Carbon Black buy

August 23 2019
by Fernando Montenegro, Brenon Daly, Scott Crawford


With its bid for Carbon Black, VMware is putting security front and center of its current strategy. The deal may be a headscratcher for some: What business does a virtualization and cloud-native technology vendor have with endpoint security? The answer: More than you might imagine. Whether in the network, at the endpoint, in the cloud or in the security operations center, visibility has become a high priority for information security (infosec) strategies, while more modern techniques for defense promise to improve prevention. And with encrypted network communications 'eating the world,' visibility into activity at endpoints becomes even more valuable. But is this the right move for VMware?

Snapshot Snapshot




Carbon Black


Endpoint security

Deal value


Date announced

August 22, 2019

Closing date, expected

By the end of January 2020


J.P. Morgan Securities (VMware); Morgan Stanley (Carbon Black)

The 451 Take

VMware is being very proactive in adapting to modern cloud-heavy times: It has forged strong partnerships with providers, has bought into the cloud-native movement with Heptio, and keeps diversifying into other areas, including security. Its latest reach for Carbon Black is a strong signal regarding its security intentions, but for many, it's still puzzling. In some ways, it's reminiscent of BlackBerry's pickup of Cylance – a vendor with an eclipsed brand seeking new relevance through modern endpoint security. With the advance of the hyperscalers, VMware does not have the place in the sun it once had when virtualization in the enterprise led the pack of 'new IT.'

But on a tactical level, this move makes sense. Carbon Black can be used to deliver visibility and protection across a wide swath of terrain, on traditional endpoints as well as in the cloud and more. This visibility is even more valuable with attacks that penetrate defenses and encrypted communications obscuring much that can only be evident at endpoints. Carbon Black was also hurting on the public markets, unable to achieve the liftoff that rival CrowdStrike did. Regardless, it is a well-known independent endpoint security provider, and for VMware it brings a needed endpoint security offering to complement its network-centric NSX and management-centric Workspace One products. But to succeed, VMware will have to be focused more squarely on competitors in a security market where the dynamics are often quite different from more familiar territory. Not exactly home turf.

This hasn't kept VMware from trumpeting its intentions, however. The company claims that this transaction is a 'huge step forward in security' – which appears much too hyperbolic. Its broad plans for Carbon Black will require extraordinary amounts of integration, and not just across its own portfolio. Execution will require integrating security tightly across its entire set of offerings, not just its security products. To truly realize VMware's vision of comprehensive security, however, more realistic – and actionable – integration of prevention, visibility, detection and response will have to reach across silos, multiple vendors and individual organizational interests.

Deal details

A half-decade removed from its last billion-dollar deal, VMware is paying $2.1bn in cash for Carbon Black. Terms call for the buyer to hand over $26 for each share of Carbon Black, a level the target hasn't seen since the early days of investor enthusiasm following its IPO last year. As recently as April, Carbon Black's shares had been trading at about half the takeout price. (Slowing growth had been weighing on its valuation. After increasing sales 30% in 2018, Carbon Black's growth rate so far this year has dropped to 20%.)

Figure 1

Figure 1: Infosec M&A activity 451 Research's M&A KnowledgeBase

More significantly, VMware's big purchase pushes overall infosec M&A spending so far in 2019 to the highest level of any year in 451 Research's M&A KnowledgeBase. (On its own, the deal brings to 13 the number of infosec transactions listed in our database valued at more than $2bn since 2002.) So far this year, acquirers have announced some $17.7bn worth of cybersecurity deals around the globe, topping the previous record in 2016 by about $2bn. Obviously, Broadcom's $10.7bn purchase of Symantec's enterprise business – the infosec industry's largest-ever transaction – has boosted this year's total. But even excluding that blockbuster deal, infosec M&A activity is keeping pace with the elevated totals of the past three years, with spending running at roughly $1bn per month.

Deal rationale

VMware indicates that it is buying Carbon Black as part of a drive to burnish its place as a bona fide security vendor and to fix a 'broken' security industry. The company argues that the industry is made up of several separate products, forcing organizations to spend significant efforts on integration and ongoing operations. It claims that it is uniquely positioned to secure 'any application, on any cloud, on any device' given its various compute, networking and storage options.

For Carbon Black shareholders, the transaction marks an opportunity to wrap up a relatively short but eventful period in the public markets, which saw the stock recover from dire straits throughout most of its 15-month public life. The target was already a strategic partner and had been working with VMware on supporting the AppDefense functionality on vSphere. VMware expects Carbon Black's technology to fit with the rest of its security-heavy portfolio – NSX, AppDefense, SecureState and Workspace One – and provide it with a cloud-native analytics back end for security telemetry and threat information.

The buyer anticipates that it can enhance Carbon Black's market participation in a similar way to how it bolstered endpoint management specialist AirWatch after acquiring it in 2014. It plans to do this by leveraging its broad and deep sales channels and connections with Dell and SecureWorks. The latter was one of the MSSPs that pioneered the concept of managed detection and response (MDR), initially leveraging Carbon Black. MDR is now a highly visible aspect of managed security services.

Target profile

Carbon Black was founded as Bit9 in 2002, originally as a provider of application control and whitelisting. In 2014, Bit9 bought Carbon Black, one of the early entrants in endpoint detection and response. It then adopted the Carbon Black moniker and in 2016 the company acquired endpoint-protection vendor Confer, which used a cloud-centric architecture. Carbon Black went public in May 2018 at a valuation of approximately $1.2bn.

The company's portfolio has since centered around the cloud architecture originally used by Confer, now renamed the Predictive Security Cloud (PSC), as well as the original CB Protect and CB Response products. Since centering on the PSC, Carbon Black has released additional cloud-centric products such as Threat Hunter and LiveOps, as well as a managed service called ThreatSight. It has over 5,000 customers and numerous partnerships, including with VMware.

Acquirer profile

VMware offers a broad portfolio of virtualization, networking, storage, cloud and workforce productivity offerings. The company trades publicly but Dell Technologies owns a majority stake. Its vSphere virtualization offering is nearly ubiquitous in corporate environments, and VMware has expanded its portfolio to include ancillary storage and networking capabilities in the context of modern datacenter operations. The vendor has signed partnerships with the three major cloud suppliers to deliver cloud-based versions of its technology stack, and has moved into adjacent areas such as endpoint management and cloud security. VMware's security-focused portfolio includes NSX for network security and microsegmentation, SecureState for cloud security, AppDefense for workload protection, and Workspace One for digital workspace and endpoint management.

Figure 1: VMware's recent M&A activity Figure 1: VMware's recent M&A activity

Date announced


Target abstract

August 21, 2019


Cloud-based application security SaaS

August 14, 2019

Veriflow Systems

Network verification SaaS

July 25, 2019


Mobile network and application experience management SaaS

July 18, 2019


Accelerated coprocessor virtualization SaaS

June 13, 2019

Avi Networks

ACD functionality SaaS

May 15, 2019


Infrastructure management software and SaaS

February 5, 2019


Mobile device support software

November 6, 2018


Kubernetes container management software and services

August 27, 2018

CloudHealth Technologies

Cloud BPM and BI SaaS

March 28, 2018

E8 Security

Security analytics SaaS

February 22, 2018


Hybrid cloud deployment software

February 14, 2018


Public cloud configuration management and compliance SaaS

451 Research’s M&A KnowledgeBase

Competition and outlook

VMware's foray into endpoint security means that it is entering an active market with stiff competition. The key endpoint players are CrowdStrike, still basking in the glow of its public debut, as well as Cylance (now owned by BlackBerry), Symantec (whose enterprise business was recently scooped up by Broadcom), McAfee, Trend Micro, Sophos, Cybereason, SentinelOne, Cisco and Palo Alto Networks. Elastic's Endgame, Carbonite's Webroot, FireEye and Tanium are also options for many of the same use cases that Carbon Black supports. VMware's strategy of building a broader integrated 'platform' for security is similar in tone to that of Symantec's Integrated Cyber Defense or Palo Alto Networks' Cortex message, although it does so with different components – NSX, AppDefense and Workspace ONE.

There is also increasing competition from the 'technology' providers themselves. For a cloud deployment, for example, all of them offer capabilities to do varying levels of endpoint security. Given its massive footprint in enterprise deployments, Microsoft deserves a special callout – its baseline Defender product keeps improving and can be tied to a more comprehensive offering with Defender Advanced Threat Protection.

Moving forward, this deal puts pressure on other vendors – IBM, Fortinet, Barracuda and Citrix come to mind – to consider what other endpoint specialists may be open to strategic conversations. Possible targets could include Malwarebytes, Bitdefender, enSilo, Morphisec, ESET, F-Secure or other endpoint specialists.

Once the transaction closes – expected by the end of January 2020 – Carbon Black will become VMware's Security Business Unit, led by current Carbon Black CEO Pat Morley. According to VMware, the division will be complemented with additional security resources from its teams. The acquirer expects to integrate Carbon Black's technology into its other security-focused products, as well as harness the analytics capability of Carbon Black's Predictive Security Cloud for deeper security analytics.