In a year of high-profile attacks, Microsoft grabs RiskIQ to expand threat and exposure visibility

July 13 2021
by Scott Crawford, Brenon Daly


A parade of highly visible cyberattacks has driven home to acquirers and investors alike the need for more effective visibility into – and response to – today's threats. These factors have contributed to the stratospheric valuation of security plays in recent months, with our data showing the prevailing price-to-sales multiple soaring into the double digits. Microsoft is the latest willing to pay up to meet today's realities, reaching for RiskIQ to complement the extensive visibility it offers its customers within their organizations with a similar approach to visibility from the outside.

Snapshot

Threat intelligence / Attack surface management

Deal value


Date announced

July 12, 2021


None disclosed

The 451 Take

RiskIQ hits a lot of high notes that have captured the attention of the cybersecurity market this year. High-profile attacks often affect not only a single organization's exposures, but also its relationships with other entities across networks, as well as across business partnerships, technology supply chains, and other interactions. RiskIQ's technology and expertise focus on these exposures and relationships – with visibility collected from public networks and exposures evident outside and beyond an organization – giving it distinctive footing across vulnerabilities and exposures, attack surface management, threat intelligence, response, and more.

All of these are areas of keen interest to Microsoft, which has become a high-value target in its own right given the pervasive adoption of its properties throughout businesses worldwide, as well as its own leading role in cybersecurity, which it recently emphasized. The tech giant can already offer enterprises a substantial 'inside out' view of their security derived from its own extensive assets. RiskIQ complements this view with an array of 'outside in' datasets that give visibility into an organization's exposure as seen externally. This view represents a valuable asset that could further extend the impact of any acquirer – including some of Microsoft's most significant rivals in all of the segments in which RiskIQ plays. This deal thus not only represents a strategic enhancement of Microsoft's security portfolio, but also is a move that takes RiskIQ's potential off the table for those competitors.

Deal details

While terms of the transaction were not disclosed, several market sources have indicated that Microsoft paid a low-double-digit price/sales multiple for RiskIQ. Assuming that is correct, the valuation would line up very consistently with other related transactions as well as broader multiples in the infosec M&A market.

Figure 1: Median Price/Sales Valuation For Infosec Acquisitions. Source: 451 Research

In terms of precedent acquisitions, Palo Alto Networks paid $800m for attack surface management startup Expanse in December 2020. According to our understanding, Expanse was only slightly smaller than RiskIQ at the time of its exit. Nonetheless, the deal stands as Palo Alto's largest purchase. (Assuming RiskIQ garnered a similar price, that transaction would be the largest infosec acquisition for Microsoft listed in the M&A KnowledgeBase.)

Similarly, threat intel vendor Recorded Future was valued at $780m (or 12x sales, according to our estimates) in its sale to existing backer Insight Partners in mid-2019. And last month, private equity investors paid a similar price and multiple for network threat detection and response provider ExtraHop, which is a kind of close cousin to RiskIQ. The rich prints have pushed the median multiple for infosec acquisitions to a stunning 11x so far this year, which our data indicates is about twice the level of the broader tech M&A market.

Deal rationale

If 2020 hadn't been shock enough on multiple fronts, 2021 made its own mark early on in the realm of cybersecurity. The adversary campaign against SolarWinds, first announced late last year, continued to make itself felt into 2021 as its implications radiated out across those relying on the initial victim's offerings and beyond. Attacks against Colonial Pipeline and food industry supplier JBS highlighted exposures of society's critical dependencies beyond technology alone.

Microsoft has not been immune from these threats, with its Exchange family targeted early this year, and implications for multiple assets across the company's widely adopted estate evident in everything from ransomware to attacks on the IT supply chain. Microsoft's threats don't end with cyber-adversaries, however. Its direct rivals in security would love to have a greater piece of the $10bn security pie that the vendor touted earlier this year.

RiskIQ speaks to many of these issues across the board, with an emphasis on the view external parties have of an organization and its assets that factor into threat and exposure intelligence. The company's datasets, its distinctive technology for graphing relationships and identifying exposures across networks (along with their implications for any one organization), and its threat intelligence into the ways adversaries target those exposures together represent a combination of functionality that all of these issues bring to the fore.

It touches on segments that include attack surface management as well as threat intelligence, vulnerability and exposure management, incident response and containment, and more. This deal should thus further augment Microsoft's own portfolio in these areas, complementing assets particularly in security operations and threat intelligence – from Azure Sentinel to the Microsoft Defender family and beyond – and introducing new capabilities in cyber-risk management and threat mitigation.

Target profile

Founded in 2009, San Francisco-based RiskIQ leverages automation to gather a variety of datasets that offer visibility into vulnerabilities and exposures across networks worldwide, and reveal those of highest interest to an individual organization. Its proprietary technology leverages a global network of proxies and a 'virtual user' concept to obtain this visibility, with threat analysis functionality to correlate exposures with observed threats. RiskIQ's acquisition in 2015 of PassiveTotal gave it access to several of these datasets such as DNS and WHOIS data, digital certificate information, and other findings that help organizations optimize scarce resources to correlate observables and counter cyberthreats.

In 2017, the vendor reached for Maccabim to enhance its ability to mitigate brand threats, including threat takedown and dispute resolution. Today, RiskIQ's portfolio provides visibility into an organization's attack surface, vulnerabilities and exposures, adversaries and threat infrastructures, third parties and digital suppliers, and integrates this insight into security operations.

Founders Chris Kiernan, David Pon and Elias Manousos remain with the company, which Manousos currently leads as CEO. RiskIQ has raised $83m in funding to date, most recently in a $15m series D round led by National Grid Partners in June 2020. Additional investors include Summit Partners, Battery Ventures, Georgian Partners and Mass Mutual Ventures.

Acquirer profile

Ever since the launch of its Trustworthy Computing Initiative in 2002, Microsoft has played a unique role in security, and has invested in expanding that role. The company currently claims over $10bn in trailing 12-month security revenue across a wide variety of assets, including those focused primarily on the security market as well as those playing a leading role in securing enterprise IT assets at multiple levels. Its unique profile as a supplier of endpoint IT systems, productivity and business applications, and development resources, and as a cloud hyperscaler, gives it a distinctive footprint in the security sector, where it is viewed as dominant among enterprise practitioners in areas such as endpoint security, as reflected in a 451 Research survey.

Figure 2: Main Endpoint Vendors Used by Enterprises. Source: 451 Research 2020

With Microsoft's assertion of dominance across multiple cybersecurity technology areas, its competitive field has become as broad as the security market itself, but with rivalry focused among strategic contenders in both traditional and emerging segments. As the above-referenced data point suggests, the company has already staked a leadership claim in areas such as endpoint security – but as that field evolves, it is now embracing key aspects of threat detection and response where players such as CrowdStrike have gained momentum not only on the basis of threat and adversary research and intelligence, but also due to agent functionality that helps protect both traditional and more modern endpoints, such as cloud workloads.

In security operations, Microsoft has challenged incumbents in realms such as security information and event management via Azure Sentinel and other offerings. As noted, these assets give organizations an inside-out view of their security posture – RiskIQ complements this with the outside-in view of its datasets to offer security teams (and now, Microsoft) more comprehensive telemetry across the threat landscape.

Microsoft may be more challenged in domains such as network security, but in this arena, cloud technologies have become the more recent battleground, where vendors from Palo Alto Networks to incumbents such as Cisco and IBM continue to invest. Palo Alto in particular raised the stakes against RiskIQ with the acquisition of Expanse last year for attack surface management.

Meanwhile, other recognized names such as FireEye's Mandiant are now carving out their futures on the basis of their own approach to outside-in visibility, threat intelligence and automation. Mandiant recently announced its planned separation from FireEye's security products business, and will emphasize its Mandiant Advantage portfolio in areas such as threat and adversary research and intelligence, and continuous automated security controls validation punctuated by its purchase of Verodin in 2019 and pickup of extended threat detection and response specialist Respond Software 18 months later.