X
102435

Rapid7 doubles down on M&A with IntSights threat intelligence buy

July 20 2021
by Scott Crawford, Brenon Daly


Introduction


The adversary's view of the target landscape rules the day for security deals once again, as Rapid7 more than doubles its M&A spending with a single transaction, picking up threat intelligence provider IntSights for $335m. Along with Microsoft's purchase last week of threat intel startup RiskIQ, the pair of prints in this sector have added what we estimate to be $1bn in total acquisition spending to what has already been a record year for cybersecurity.

Snapshot Snapshot

Acquirer

Rapid7

Target

IntSights

Subsector

Threat intelligence / security operations

Deal value

$335m in cash and stock

Date announced

July 19, 2021

Closing date

July 16, 2021

Advisers

Foros Group (Rapid7)

The 451 Take

An ongoing parade of high-profile attacks in recent months has underscored the extent to which organizations are demanding more actionable insight into malicious activity. Access to the attacker's view of opportunity – and the defender's view of attacker tactics – has galvanized security vendors across the board, driving deals and reshaping entire segments of the market, such as security operations. In that space, the rise of new approaches to threat detection and response have challenged incumbents, and brought opportunity to those able to give organizations the adversary's view from without, and actionable visibility within.

Rapid7 has capitalized on this and other trends to challenge its competitors and play a role in reshaping the nature of the security portfolio vendor. From its beginnings in vulnerability management – which remains a foundation of its Insights platform – Rapid7 has expanded into new domains. Its threat detection, response and automation offerings have given it a competitive footing against incumbents in other aspects of security operations, including recognized names in fields that are as well established as security information and event management (SIEM). With IntSights, it joins others seeking to extend actionable visibility beyond the boundaries of the enterprise. This broad concern has given rise to a number of high-value deals across a variety of segments that, for all their differences, have that outside-in view in common, to help organizations get a handle on an increasingly troubling threat landscape.

Deal details


Announcing its largest-ever acquisition, Rapid7 said it paid $335m in cash and stock for threat intelligence startup IntSights. (Rapid7 covered the purchase, which closed last Friday, with $314m in cash along with $21m in stock that went to the startup's founders.) The single deal effectively matches Rapid7's total spending on its 10 previous acquisitions over the past decade, according to 451 Research.

Based on guidance, Rapid7 is paying roughly 12x annual recurring revenue for IntSights. (Rapid7 itself trades at right around that valuation, according to S&P Capital IQ.) Further, that low double-digit multiple almost exactly matches what Microsoft paid in its even-larger bet on threat intel, which it announced a week earlier. Foros Group advised Rapid7, while IntSights did not use a banker.

Deal rationale


This year got an early start in cybersecurity thanks to the December 2020 disclosure of the far-reaching attack campaign against SolarWinds. Before 2021 was half over, additional high-profile attacks against Microsoft, Colonial Pipeline, food industry supplier JBS and others raised the value of actionable threat awareness both inside and outside organizations.

The field of threat intelligence is far from new, but within the enterprise, technologies in threat detection and response that capitalize on recognition of attacker activity have become disruptors in security operations markets. Visibility outside the business, meanwhile, has driven a range of acquisitions and organic developments alike – from sizing up the attack surface to risk-based approaches to security management on a number of fronts.

In addition to Microsoft-RiskIQ, other recent prints include Recorded Future's pickup by backer Insight Partners in mid-2019, valued at $780m (12x sales according to our estimates). In the related field of attack surface management, Palo Alto Networks paid $800m for Expanse in November 2020. A similar price and multiple was announced in June by private equity investors intending to acquire network threat detection and response provider ExtraHop, while Cisco recently picked up Kenna Security for risk-based vulnerability management (RBVM) – which helps organizations prioritize vulnerability remediation, in part through observed adversary activity targeting exposures – for undisclosed terms.

Target profile


Like many successful security ventures, New York- and Tel Aviv-based IntSights was founded by veterans of Israel's elite security services. Cofounders Guy Nizan, Gal Ben David and Alon Arvatz head the company as CEO, CTO and CPO, respectively. Like many intelligence organizations, IntSights researches both widely accessible venues such as social media, app marketplaces and websites, as well as more underground sources and attacker forums.

Where IntSights seeks to differentiate is in making this information more directly actionable for security teams. The company's Threat Command offering provides external insight as well as takedown services for threats to an organization's brand or reputation. Vulnerability Risk Analyzer aligns with the Rapid7 portfolio by augmenting the company's approach to RBVM, with insight into adversary efforts to exploit vulnerabilities. Threat Third Party offers intelligence on an organization's partners, suppliers and others.

The company's Threat Intelligence Platform (TIP) unifies its resources, while IntSights Extend integrates threat intelligence into the browser – an increasingly popular approach to aligning threat intelligence with analysts' day-to-day work. These capabilities can be further expected to augment Rapid7 initiatives such as its Project Sonar effort to analyze public networks, Project Heisenberg observation of adversary activity through global honeypots, and the recently introduced Project Doppler for attack surface analysis, which represents an outgrowth of both.

IntSights has raised $71.3m in five venture rounds to date, with investors including Blackstone, Glilot Capital Partners, Blumberg, Tola, Qumra, Wipro Ventures and ClearSky. In a call with Wall Street investors, Rapid7 indicated IntSights had 180 employees and 400 customers at the time of acquisition.

Acquirer profile


Founded in 2000 by Alan Matthews, Tas Giakouminakis and Chad Loder, Boston, Massachusetts-based Rapid7 began as a contender in the then-rising field of vulnerability management, and gained a reputation as an iconoclast through moves such as its acquisition of Metasploit, the provider of an exploit toolkit well known to penetration testers, in its very first deal in 2009.

Corey Thomas, who has been with Rapid7 since 2008, currently heads the company as chairman and CEO while Giakouminakis continues to serve as CTO. Rapid7 currently has 2,200 employees in offices around the world, and has traded publicly since 2015. According to S&P Global Market Intelligence CapitalIQ data, total annual revenue has grown from $76.9m in 2014 to $411.5m in 2020, with $434.6m reported for the previous 12 months in March 2021.

With IntSights, Rapid7 has expanded through a total of 11 acquisitions; IntSights is the company's third in 2021 alone. 451 Research includes the following:

Rapid7 Acquisitions Prior to IntSights Rapid7 Acquisitions Prior to IntSights

Announced

Target Name

Target Abstract

Total Deal Amount

October 21, 2009

Metasploit

Penetration testing development software

$1.1m

October 9, 2012

Mobilisafe Inc.

Mobile security management SaaS

$7.1m

May 4, 2015

NT OBJECTives

Web & mobile penetration testing

$6.5m

October 13, 2015

RevelOps Inc. [dba Logentries]

Log management & analytics SaaS

$68m

July 18, 2017

Komand

Security automation & orchestration SaaS

$14.8m

October 15, 2018

tCell.io Inc. [dba tCell]

Web application firewall SaaS

$14.5m

April 2, 2019

NetFort Technologies Limited

Network analysis & monitoring software

$15m

April 28, 2020

Divvy Cloud Corporation [dba DivvyCloud]

CSPM & compliance SaaS

$145m

February 1, 2021

Alcide.IO Ltd. [dba Alcide]

Kubernetes application security SaaS

$50m

April 21, 2021

Velocidex Enterprises [dba Velociraptor]

Endpoint security software

Not disclosed

451 ResearchThrough these expansions, Rapid7 has broadened its markets and its Insight portfolio, and now contends in application security, security for cloud environments, threat detection and response, security orchestration and automation, and security services. The addition of IntSights further extends this portfolio into threat intelligence and mitigation.

Competition


Rapid7's primary competitors have long revolved around vulnerability management, where its principal contenders are Qualys and Tenable. Risk-based vulnerability management has expanded that field, analyzing exposures through lenses including intelligence on actively exploited vulnerabilities, where Cisco now counts itself a competitor through its pickup of Kenna Security earlier this year.

In terms of external visibility, the number of deals across a variety of related segments raises the competitive ante on multiple fronts. Microsoft's reach last week for RiskIQ brings attributes of IntSights to the Redmond incumbent, including takedown services and third-party risk management, in addition to the external visibility and threat intelligence that complements Microsoft's internal initiatives, where Azure Sentinel as well as Microsoft's endpoint security and threat protection offerings compete with Rapid7's assets in SIEM, threat detection and response.

Other security operations (SecOps) competitors include SIEM incumbents like IBM and Splunk, the latter of which recently picked up TruSTAR to augment its threat intelligence capabilities, and Palo Alto Networks through its many intelligence and SecOps initiatives. Competitors that broaden the field of extended threat detection and response include the likes of CrowdStrike and also boast depth in threat intelligence, and VMware through its ownership of Carbon Black. The part of FireEye soon to become Mandiant competes in both security operations and threat intelligence as well as in security controls validation.