Discover more from The Cyber Why
Zombiecorns, by the numbers
How many Zombiecorns are now roaming the cybersecurity marketplace? Let's check out 2022's numbers!
This is a companion piece to Tyler’s ZOMBIELAND-themed post. This post will make a bit more sense if you go check that one out first.
While reviewing a draft of Tyler’s ZOMBIELAND post at his request, I started throwing out some numbers and stats, because that’s how my brain works. He suggested that I should maybe put together a companion piece, and here we are!
Thanks for reading The Cyber Why! Subscribe for free to receive new posts and support my work.
The cybersecurity market itself is a unicorn in some ways. It’s unique from a VC perspective, and many startup rules of thumb don’t seem to apply. For example, it’s unlikely we’ll see many 100x returns in this market, but we also don’t see many duds - especially when compared to the general B2B startup market. It’s relatively rare to see a VC-funded cybersecurity startup to simply run out of money and fail to find an exit. In fact, the last time we saw a large number of failures in the cybersecurity market was during the 2008 recession.
2023 could see a repeat of 2008, with some of the weaker categories struggling to find market fit finding themselves short of funding, sales, and an exit.
To understand why, we’ll examine the strange year we had in 2022, from unicorns to layoffs, and finally, the Zombiecorns.
Before we dive in…
While there are some dedicated cybersecurity investment firms, the majority of funding in our startup market comes from the general pool of venture capital firms, particularly in the later stages of a startup’s journey. Investors also come from a general pool once later stages begin turning into companies going public or exiting in private equity deals.
Therefore, the big market downturn that occurred in 2022 has affected cybersecurity companies at all stages of growth. As previously mentioned, security startups seem more resilient than other startup markets, but they’re not invincible, as we’ll discuss later.
It’s important to note that we don’t really know how this downturn will turn out, how long it will last or even what to call it. Most investors, especially those that experienced the Dot-com bubble first-hand think we haven’t reached bottom yet, and startups are in for an even tougher time in 2023.
The 2022 Unicorn Situation
I’m the host of the Enterprise Security Weekly podcast. Along with my co-hosts, Tyler Shields, Katie Teitler, and Sean Metcalf, we cover the security market in our news segment every week. We discuss major fundings, acquisitions, new companies, and new products. In February 2022, I decided I should start tracking security unicorns more closely, as we were seeing 2-4 new unicorns every month. Every month, I made a list of all cybersecurity unicorns and put it into a spreadsheet, to make it easier to track this trend.
We were also skeptical of some of these unicorns, with some receiving a $1B+ valuation at the same time we were hearing rumors of $5M ARR.
Overall, we saw 13 new cybersecurity unicorns added in in the first half of 2022, starting with 38 and ending with 50, between January and June. My list will vary from other lists, as many of public Unicorn lists have startups miscategorized, in my opinion.
The market felt a bit crazy and out of control in early 2022. There were companies less than 2 years old landing on the Unicorn list. Wiz was claiming $100M ARR only 18 months out of stealth. On the podcast, our production team (thanks Gus!) even created a graphic for Decacorns (a startup with a $10B+ valuation).
In June, it all abruptly stopped, and the layoffs began.
The Tides Turn
I’ve been closely following the cybersecurity market since 2013, when I became an industry analyst at 451 Research, and I can safely say that June 2022 is the most bizarre month I’ve ever seen. June announced both three new cybersecurity unicorns and 1500 employees laid off from 9 cybersecurity vendors in the same month.
While this was a weird circumstance, it’s not terribly surprising when we consider how quickly the market shifted and that raising funding takes time. The final three Unicorns we saw in June probably started raising their respective rounds long before there was any indication of a severe market change.
Rationalization aside, the market downturn sparked some real fear among investors and startups, and the layoffs began.
Yes, layoffs are bad. Layoffs days before major holidays are a really bad look. However, I feel like they’re widely misunderstood and get a bad rap, when there are actually a lot of positives around layoffs.
Layoffs imply you weren’t let go for performance reasons
They typically come with some severance (at least, they should)
Announcing you were laid off is one of the quickest ways to find a new job, apparently
Layoffs are designed to prevent a much worse situation: a business failure, which can result in everyone losing their jobs, sometimes the same day it is announced, with no severance
That latter point is the focus here, I think. While we’ve seen some other tech companies go under completely, we haven’t seen this happen to any cybersecurity startups yet. The overwhelming recommendation from folks who have operated high growth startups through tough economic times is to make a single big cut in the workforce (along with other measures to reduce burn), to reduce the chances of having to do a second cut (or a third…).
It all makes sense logically, but emotionally, people understandably get upset when they see a company laying off employees months after raising hundreds of millions of dollars on a multi-billion dollar valuation.
It’s common to see folks on social media shaming some of the most highly funded and ambitious startups for rounds of layoffs within a year of a large raise. How much they’ve raised isn’t a terribly useful metric for current or future performance. Rather, it’s more about factors outsiders can’t see, like burn rate and runway. VC-funded startups, by design, trade stability and profitability for speed.
Prior to 2020, a typical startup would raise every 18 months. Many were encouraged to burn that money by the end of the 18 month period to maximize growth and momentum in the market. By 2021, we saw the time between fundraising rounds shrink to 12, 9, or even 6 months. In the case of Island, the company raised a $115M Series B weeks after announcing a $100M Series A and coming out of stealth in early 2022. They didn’t stop there, announcing a $60M Series B extension last month.
While Island hasn’t announced layoffs, many other security unicorns with recent large raises have had to within months of their last raise. Companies like Lacework, Snyk, Devo, and Perimeter 81 aren’t doing layoffs because the money is already running out, but because they don’t know how long they’ll have to stretch it out.
Will sales suffer in 2023? Will sales cycles lengthen? By how much? Will it be possible to raise another round?
No one knows the answers to these questions, so it’s prudent to be conservative. There are plenty of examples of startups that don’t cut burn soon enough or deeply enough, or just fail to manage burn altogether.
So what does all this mean for Zombiecorns and the security market? As Tyler mentions in his post, Zombiecorns are startups that have money in the bank, might be struggling with growth, and might never raise another round. Fundraising and acquisition discussions become difficult, because past valuations are no longer relevant, now that there has been a market correction. There are no comps, and no one really seems to know what the new valuation should be, so it’s hard to agree on terms.
Is a unicorn with a $1B valuation from March now worth half that? A quarter? The only thing that’s for certain is that, as long as the startup doesn’t get a new valuation or raise a down round, they’ll continue referring to themselves as a unicorn, even though most of us suspect they’re now a Zombiecorn.
As I previously mentioned, we ended up with 50 cybersecurity unicorns by June (for context, the total number of unicorns broke 1000 in 2021). If we assume a 50% drawdown on valuations, 23 lose their horns. I lied earlier - we do have a comp. We’ve already seen the first major down round from a unicorn, and the difference in valuation wasn’t nearly as dramatic as we’ve seen in non-security markets. The difference in funding, however, was.
Just before the year wrapped up, Snyk announced a $196.5M Series G at a $7.4B valuation. That’s only a 14% reduction over the Series F valuation of $8.6B. However, the $196.5M raise is a 48% reduction over the company’s $379M Series F from September 2021.
The company has now raised over $1B in funding in three and a half years. That’s nearly $27M a month if you average it out across all 39 months. Surely that’s enough runway to avoid turning into a Zombiecorn? It’s hard to tell. Raise big, grow big - I suspect it’s all relative.
We also don’t know how this money is being used (sales & marketing? expanding into new geographies? cap table reset? founder buyout?), and there is something to be said for the danger of growth at this scale. If I’m correct, that it’s all relative, more money doesn’t necessarily mean more safety. A late stage startup with this much funding, with this high a valuation, has more limited options for an exit than an earlier stage startup.
I suspect we’ll have a much better picture a few months into 2023. We’ll have more acquisitions and funding rounds to investigate. I don’t anticipate seeing any new unicorns for a while though. In fact, the number has already shrunk from 50 to 45. Unicorns naturally fall off the list as they exit, but I don’t expect to see any come off the list due to down rounds.
How many Zombiecorns are there? Without inside information, it’s anyone’s guess, but my guess is at least half of the 50 unicorns we had earlier this year are zombies and will never realize those valuations.
In the last 6 months, we’ve seen a remarkable uptick in round extensions and vaguely named “venture rounds”. I suspect this is a strategy to raise more funds without having to announce a down round. I also suspect new valuations could threaten to rob many startups of their hard-won unicorn status.
It’s interesting to hear investors discuss this downturn, because most seem to feel that there isn’t anything particularly special or surprising about it. If we include the Dot-Com bust, this is our third such event in ~20 years, and the rules of survival outlined in Tyler’s post have served startups in previous market dips. Now for a few positive thoughts as we wrap this up.
Experienced investors say the best companies come out of a downturn - if you can make a business work in the worst-case environment, you can flourish when markets recover!
Security leaders are telling us they have too many tools, too much overhead, and want to see more consolidation. A market downturn like this one should eventually lead to a buyers market and a lot of consolidation (many of which will be Zombiecorns looking for an exit!)
What will happen when startups exit and the market recovers? A good chunk of those founders will start all over again, and we’ll likely start to see that Unicorn list start growing again.
Thanks for reading The Cyber Why! Subscribe for free to receive new posts and support my work.