Pen Test Firm NetSPI Gets $410M Boost From KKR to Fuel M&A
KKR Now Majority Owner of NetSPI as Offensive Cyber Vendor Pursues More Automation
Rising offensive security star NetSPI has received a massive follow-up investment from KKR to pursue acquisitions and expand the offensive cybersecurity vendor's technological and geographic footprint.
The Minneapolis-based penetration testing and attack surface management vendor says the private equity giant's $410 million growth investment comes on the heels of 50% organic revenue growth in 2021 and 61% year-over-year sales growth thus far in 2022. The latest investment comes just 18 months after KKR led a $90 million growth round to expand the company's security and client experience teams (see: Hatem Naguib on Charting Barracuda's New Course Under KKR).
"We're really challenging the status quo in our segment of cybersecurity," NetSPI CEO Aaron Shilts tells Information Security Media Group. "Growth is paramount, especially given the market volatility."
Automation Takes Center Stage
NetSPI was founded in 2001 and employs 400 people, up roughly 50% from a year earlier, according to Shilts. A chunk of the $410 million will be used to recapitalize Sunstone Partners, which brought Shilts in as CEO in 2017, along with an investment. Sunstone Partners is now exiting its position in NetSPI, and with its latest investment, KKR is now the majority owner of NetSPI, he says.
"It's an incredibly smart group of people with amazing credentials," Shilts says. He specifically praised KKR for connecting NetSPI with other portfolio companies and helping the company expand abroad. KKR in August bought SMB security stalwart Barracuda for a reported $4 billion and also owns Optiv, though Reuters reported KKR is looking to unload the cybersecurity service provider via IPO or $3 billion sale.
Shilts says NetSPI is open to acquiring companies with a similar culture and focus on offensive security but isn't looking to stray beyond that technologically. Specifically, Shilts says, NetSPI would be interested in companies with technology that can help automate pieces of the penetration testing and offensive security process so that employees can be focused on manually finding the most critical vulnerabilities.
"We've looked at many, and we've passed on many," says Shilts, emphasizing the company's cautious approach to M&A. NetSPI has acquired just one company in its 21-year history, purchasing Utah-based Silent Break Security in December 2020 to strengthen its network and application testing, red-teaming and adversary simulation capabilities.
Pen Testing Travels Abroad
Acquisitions could also help NetSPI expand its physical footprint in Europe, the Middle East and Africa, where Shilts says the company started building an organic presence earlier this year. Getting a stronger base of skilled talent in Europe via acquisition would be helpful as NetSPI looks to establish new client relationships in the region, he adds.
NetSPI generates less than 10% of its revenue outside North America today but is looking to get that figure to 20% a year from now by doubling down on the United Kingdom and Middle East, Shilts says. Demand has been particularly strong around the company's next-gen delivery model for attack surface management as well as its penetration testing as a service, which is NetSPI's fastest-growing offering.
NetSPI competes with everyone from large public accounting firms to small boutique consultancies in the pen testing space and has set itself apart through its approach to the intersection of technology and talent, Shilts says. Most rivals treat pen testing as a purely human-driven professional services endeavor, while NetSPI automates much of the testing process so experts can focus on very critical vulnerabilities.
From a metrics perspective, Shilts says NetSPI closely tracks figures pertaining to growth and profitability, including gross margins, EBITDA profitability, and net retention rate. Maintaining robust gross margins is important given NetSPI's focus on technology-enabled services, he says. Keeping the net retention rate above 120% will ensure NetSPI continues to thrive in serving the Fortune 500 and Global 2000, he adds.
"Market volatility notwithstanding, the need for strong solutions in offensive cyber has remained incredibly strong," Shilts says.