Signal v. Noise in the RSA Innovation Sandbox

Discover RSA Innovation Sandbox's impact on cybersecurity startups, explore winner outcomes, anti-portfolio insights, and key observations to understand its industry significance.

This post is a collaboration between Rami McCarthy (@ramimacisabird) and Return on Security.

Introduction to the RSA Conference

The RSA Conference (RSAC) is coming up next week, with tens of thousands of attendees, hundreds of speakers and sponsors, and 🥳 dozens of parties 🥳.

For those who follow along with the newsletter, RSAC is a great opportunity to catch the latest trends in funding, innovation, and success stories within the cybersecurity industry. Return on Security closely monitors developing funding events and helps cybersecurity professionals keep their finger on the pulse of the industry, so you should sign up here.

RSA Innovation Sandbox Overview

BSidesSF traditionally holds its event right before RSAC. Last year, I had the opportunity to chat with multiple founders at the conference as they were getting ready to pitch at the RSA Innovation Sandbox.

This contest, originally presented as the “Innovation Station” back in 2005, identifies (up to) ten innovative new startups and gives them a chance to make a 3-minute pitch to a set of judges. Over its 17-year history, this cohort of finalists has seen 71 acquisitions and $12.31 billion in investments. 

Clearly, inclusion as a finalist can help a startup gain traction, and the group has many successes. Phantom Cyber founder Oliver Friedrichs attributes (on The Decibel Podcast) some of that company's success to their win:

We had the unique opportunity to win the RSA Innovation Sandbox in 2016, which really propelled the company as well

However, after 17 years and over 171 unique finalists, some of whom have been finalists in more than one year of the competition, we have meaningful data available to answer:

Is there a signal for the winner of the RSA Innovation Sandbox?

The average Venture Capital (VC) fund works on a 7-10 year lifecycle. VCs look to return proceeds to their General Partners (GPs) on this timeline, which generally creates exit pressure on startups.

As a result, we can expect the majority of RSA Innovation Sandbox finalists (those from the first decade) to have reached this milestone. In the VC-backed startup landscape, rapid growth, fundraising, and eventual exit value are often proxies for success.

A Short Review of RSA Innovation Sandbox Winners

2005 - Sourcefire - Network security, IDS, IPS, Anti-Malware
Raised $40.5M over 6 funding events
‘13 acquired by Cisco for $2.7 billion

2006 - Imperva - WAF (Web Application Firewall)
Raised $94.4M over 8 funding events
‘11 IPO’d at $398 million
‘18 taken private by Thoma Bravo for $2.1 billion

2007 - Yoggie - consumer security appliances
‘08 raised an additional $2.8 million
‘11 acquired by CUPP

2009 - AlertEnterprise - fraud and theft prevention, enterprise access management 
Raised $27 million in two additional rounds

2010 - Altor Networks - virtualized firewall
‘10 acquisition by Juniper Networks for $95 million

2011 - Invincea - advanced endpoint protection
‘11 acquired by Sophos for $100 million

2012 - Appthority - enterprise mobile threat protection
‘18 acquisition by Symantec

2013 - Remotium - bring-your-own-device security via virtualization
‘15 acquisition by Avast

2014 - RedOwl Analytics - behavioral analytics platform
Raised $30m total
‘17 acquired by Raytheon (Forcepoint) for $54 million

2015 - Waratek - Security-as-Code Application Security platform
Raised $2.57 million in 2018

2016 - Phantom - Security Orchestration Automation and Response
‘18 acquired by Splunk for $350 million

2017 - UnifyID - implicit authentication and behavioral biometrics
‘21 acquired by Prove

2018 - BigID - privacy and personal data protection
Raised $70 million in 2020 Series D at a unicorn valuation

2019 - Axonius - asset management
Raised $200 million in 2022 Series E at a $2.6 billion valuation

2020 - Securiti.ai - privacy compliance
Raised $50 million in 2020 Series B, $75 million in 2022 Series C 

2021 - Apiiro - application security platform
Raised $35 million in 2020 Series A, $100 million in 2022 Series B

2022 - Talon - browser-based cybersecurity
Raised $43 million in 2022 pre-Series A funding

2023 - HiddenLayer - machine learning security
Raised $6 million in 2022 Seed, ~$32 million in 2023 venture funding

Want to dive deeper into the data? Check out this Airtable view with even more data and more ways to slice and dice:

Note: This is a live list. If you see something wrong or missing, let me know, and I can update it!

The Outcomes of RSA Innovation Sandbox Winners

Overall, it’s obvious on its face that the RSA Innovation Sandbox crowns solid companies.

Out of 17 winners, under 20% seem to have failed to return the principal invested. These winners rarely fail, consistently go on to garner future funding, and vastly outperform the statistics (~two-thirds) on startup failure.

However, in venture capital, this isn’t enough. Jason Lemkin offers a stellar explanation of the 10x rule:

Assume you have to return a liquidity event (sale or IPO) of at least 10x the amount you raise for raising venture capital to be worth it.

From that perspective, the Innovation Sandbox winners are a significantly more mixed bag. Of the exits, these crucial outsized returns are only apparent for Sourcefire and Imperva.

In recent years, Sandbox winners have garnered significant funding, but we will need to wait to see whether their exits justify that investment.

The RSA Innovation Sandbox Anti-Portfolio

Another way to assess the RSA Innovation Sandbox is through the finalists who did not win. Bessemer Venture Partners coined the concept of an “anti-portfolio,” publishing a list of potential investments that they passed on that later became “tremendously successful companies.”

Looking through all 161 finalists between 2005 and 2022, a dozen are already differentiated through their success. In chronological order:

2009: Compared to the 2009 winner, AlertEnterprise, Yubico has been much more successful in both continued fundraising and industry impact.

2012: While Appthority was acquired, the Sandbox passed over Sumo Logic (‘20 IPO at ~$3b valuation), Sonatype (taken private by Vista Equity Partners in ‘19), and Dome9 Security ($125m acquisition in ‘18 on ~$30m raised).

2014: Cylance rode $300m in funding to a $1.4b acquisition by Blackberry. RedOwl Analytics’ $54m outcome on $30m raised pales in comparison.

2015: Waratek hasn’t made much of a splash since their Sandbox win. Two of their cohort have become companies of note: SentinelOne went public in ‘21 at a valuation ($10.9b) 9x their last private valuation, while Cybereason hit a $3.2b valuation and came close to a $5b IPO before the market changed.

2017: UnifyID found an outcome in their ‘21 Prove acquisition, but undisclosed terms and Prove’s funding levels imply this wasn’t a 10x for investors. RedLock, on the other hand, joined Palo Alto for $173m on only $12m raised. Alternatively, Cato Networks, while still private, has gone on to raise over half a billion dollars.

2020: Recent vintages have yet to show their full returns. Winner Securiti.ai recently raised a $75m Series C, but competitor Sqreen sold for $260m to Datadog back in 2021 on only $18m in funding.

2021: Apiiro has gotten off to a great start, raising $125m and with reported talks of a $550m Palo Alto acquisition. Wiz, however, is the (self-identified) “fastest-growing software company ever” and has already hit $100m in ARR and raised $300.0M in 2023 at a $10.0B valuation.

Misc Observations

To date, only two RSA Innovation Sandbox winners have become publicly traded companies:

  • Imperva (2006)

  • Sourcefire (2005)

Imperva, a database web application firewall (WAF) platform, was a part of the 2006 cohort of the sandbox contest in the second year of the competition. After going public in 2011, Imperva was acquired by Thoma Bravo in 2018 for $2.1B and taken private again.

Sourcefire, an intrusion detection system (IDS), was a part of the initial cohort in 2005. Sourcefire went public in 2007 and was acquired by Cisco in 2013 for $2.7B.

Looking at other cohorts of the sandbox contest, there are currently four companies that have gone on to be publicly traded:

Very few public companies that are either hybrid or “pure play” cybersecurity companies have ever competed in the RSA Innovation Sandbox.


On the acquisition front, 71 of the 171 companies, or 41% of the sandbox finalists, went on to be acquired between 2005 and 2022. This includes 9 winners of their respective sandbox years.

The early heavyweights in the cybersecurity and computing industry were the most aggressive in acquiring RSA Sandbox finalists. Here are the top ten leaders on the acquisition side:

Most acquisitions were performed by other cybersecurity companies, with only a small handful being acquired by a Venture Capital firm or Private Equity Group (PEG).

There was also one instance of a sandbox finalist acquiring another sandbox finalist (very meta):

  • Imperva (2006) acquired Incapsula (2010) in 2014 for an undisclosed amount.

While there is some minor geographic diversity among the finalists, the Sandbox overwhelmingly highlights American startups:

And following that finalist distribution, the same holds relatively true for the sandbox winners:

Closing Thoughts

Looking over the Sandbox’s legacy so far, there are a few takeaways:

  1. The winners seem to be biased toward enterprise security software, targeting big companies and their problems most acutely. These are the same class of companies that form the top leg of the K-Shaped Recovery of the Cybersecurity Industry predicted for the next year or two.

  2. The quality of the finalists is remarkable in how much their selection appears to align with startup continuity if not success.

  3. Given the failure rate of startups, remarkably few finalists have closed their doors, even over a seventeen-year history.

  4. Winners consistently go on to get respectable funding. This could be attributed to the credibility of a Sandbox win among VCs and potential customers, but it is likely equally correlated with the fact that the Sandbox is assessing with the same rubric as investors.

  5. After a strong start with two incredible winning companies in Sourcefire and then Imperva, there is no indication that the Sandbox can consistently identify the “best in batch.”

  6. The vast majority of outcomes for RSA Sandbox finalists are acquisitions, with a total of 71 acquisitions for $7.9B from 2005 to 2022. An IPO, often discussed as the North Star of a venture-funded startup, is a vanishingly rare prospect.

  7. It would be interesting to assess the quality of finalist selection in the same way we have looked at the winners. Did now-public cybersecurity giants like Zscaler apply in their early days? What about BigID’s companions in the 2022 IPO pipeline?
