💰 Security, Funded #93 - Earnings Ups & Downs, Slow Funds, Big Bucks, and Amazon vs HIPAA

A review of cybersecurity funding and industry news from the week of May 8th, 2023, from Mike Privette.

Hey there,

Happy Monday, and I hope you had a great weekend!

Trying something new with a rundown of the entire issue:

🎯 The Rundown

  • Rapid7 and CyberArk's contrasting Q1 earnings

  • Potential threats to HIPAA protections with Amazon Clinic

  • Slow funding and advice for raising capital

  • $1.04B raised across 13 companies; $870.0M in M&A

  • Reflections on recent cybersecurity events

  • Importance of privacy in the age of AI

  • Defense in depth in cybersecurity

Onward to this week's issue.

🗣Sponsor

Don’t waste time on security scavenger hunts. With pre-mapped controls and over 75 integrations to your tech stack, Drata automates the compliance process. Drata supports 14 frameworks, including SOC2, ISO 27001, HIPAA, and GDPR, so your team can scale security without duplicating work. Best of all, you get real-time visibility into your risk levels with powerful dashboards and alerts.

Have to see it to believe it?

🔮 Earnings Reports 🆕

A section for notable earnings reports from public cybersecurity companies, be they “pure play” or hybrid companies:

  • Rapid7 ($RPD) - Rapid7 had a mild earnings report, and analysts gave them the business by lowering their price targets for its public stock. The team cited continued macroeconomic headwinds and a platform consolidation play that is not yet living up to the hype as the reasons for a lower-than-expected quarter.

  • CyberArk ($CYBR) - CyberArk crushed its earnings and saw a 42% YoY growth in Q1 2023. Demand from financial services increased, contrary to what other cyber players have been saying, and expanding privileged access management (PAM) use cases drove a successful quarter. CyberArk is also one of the very few public cyber companies to raise their annual revenue guidance, whereas most companies are still playing it conservatively.

The takeaway: While broader cybersecurity product consolidations are unlikely to ever happen, capability consolidation at the IAM/PAM layer is actually very likely at the right price point. Identity security offerings of SSO, MFA, PAM, etc., are common stock. The strength, however, relies on what other security ecosystem integrations are possible, and there will naturally only be a few players in this space.

A concerning but predictable trend: Be prepared for every cyber company to say how the rise in the use of generative AI by attackers is the reason you need to buy their product offerings 🙄. Stay frosty out there, potential buyers, and think through these claims from first principles for your own threat models at your own company.

🛞 Industry News Roundup

  • Don’t use Amazon Clinic unless you want to waive your HIPAA protections (more)

  • Merck’s Insurers On the Hook in $1.4 Billion NotPetya Attack (more)

  • FBI says it has sabotaged hacking tool created by elite Russian spies (more)

📅 YTD Funding

A rolling 12-week chart to compare funding each week between 2022 and 2023.

If you throw out the mega post-IPO debt round (see details below), you can see just how slow new funding from outside investors has gotten. For the folks modeling at home (and I know there are at least 10's of you, and I'm not the only crazy one 😅), I kept in the debt round for consistency's sake. Removing that round from the data shows that both companies and investors alike are being more thoughtful with capital deployment.

The best way to raise capital at these times? Good, old-fashioned sales. Sell so much that you don't need funding, and investors' dollars will come flooding your door.

💰 Funding Summary

  • 13 companies raised $1.04B across 11 unique product categories

  • 4 companies were acquired or had a merger event across 3 unique product categories for $870.0M

🧩 Funding By Product Category

  • $1.0B for Business Continuity Planning (BCP) / Disaster Recovery across 1 deal

  • $15.5M for Fraud and Financial Crime Protection across 3 deals

  • $14.0M for Data Security Posture Management (DSPM) across 1 deal

  • $6.2M for Software Supply Chain Security across 1 deal

  • $3.0M for Cybersecurity Education & Training across 1 deal

  • $2.7M for Data Privacy across 1 deal

  • $654.4K for Quantum Security across 1 deal

  • $50.0K for Attack Surface Management (ASM) across 1 deal

  • An undisclosed amount for Security Orchestration and Automated Response (SOAR) across 1 deal

  • An undisclosed amount for Secure Collaboration and Messaging across 1 deal

  • An undisclosed amount for Password Management across 1 deal

🏢 Funding By Company

🌎 Funding By Country

  • $1.02B for United States across 8 deals 🇺🇸

  • $12.5M for Netherlands across 1 deal 🇳🇱

  • $6.9M for Canada across 2 deals 🇨🇦

  • $50.0K for India across 1 deal 🇮🇳

  • An undisclosed amount for South Africa across 1 deal 🇿🇦

🤝 Mergers & Acquisitions

  • Absolute Software, a Canada-based suite of secure remote access and endpoint solutions, was acquired by Crosspoint Capital Partners for $870.0M. (more)

  • La Jolla Logic, a United States-based professional services firm focused on national defense and cybersecurity, was acquired by Boecore for an undisclosed amount. (more)

  • Netsecure Sweden AB, a Sweden-based professional services company focused on vulnerability and red team assessments, was acquired by Integrity360 for an undisclosed amount. (more)

  • OneComply, a Canada-based governance, risk, and compliance platform for the gaming industry, was acquired by GeoComply for an undisclosed amount. (more)

📚 Great Reads

  • Deconstructing a Cybersecurity Event - Dragos, the industrial control systems (ICS) cybersecurity company, had an attempted breach and extortion scheme run against them by a known cybercriminal group. Dragos breaks down what happened.

  • The Security Auditing Manifesto: Shared Values for Effective Security and Compliance Management - Learn how adopting a collaborative approach that values transparency, shared understanding, and continuous improvement can help organizations build stronger security partnerships, reduce friction, and better manage real risks to the business while effectively addressing compliance requirements.

  • Why more transparency around cyber attacks is a good thing for everyone - Eleanor Fairford, Deputy Director of Incident Management at the NCSC, and Mihaela Jembei, Director of Regulatory Cyber at the Information Commissioner’s Office (ICO), reflect on why it’s so concerning when cyber attacks go unreported – and look at some of the misconceptions about how organisations respond to them.

🗣Sponsor

Track, measure, and prove privacy program success!

Privacy is complicated and expensive, meaning it’s ready for a serious shakeup. Chief Privacy Officers and CISOs are at the center of this complexity, surrounded by evolving regulatory requirements and a growing network of internal partners because privacy is truly cross-functional. No single team can manage it alone. PrivacyCode brings everyone together by translating legal requirements into tangible tasks for developers and product teams. Finally, everyone gets privacy requirements in their respective context with metrics their teams actually care about!

🧪 Labs

It’s called defense in depth, sweaty, look it up 😤👊

Y’all just use 1 data blocker for safe USB charging?

Why not use 20 and hope you have enough layers to protect yourself, just like enterprise security services! pic.twitter.com/luwlp4zzCq

— MG (@_MG_) May 11, 2023

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Security, Funded is brought to you by Return on Security.

🤝 Want to partner with Security, Funded? Learn more here.

🐝 If you run a newsletter, I can't recommend Beehiiv enough.
