Signal v. Noise in the RSA Innovation Sandbox
Discover RSA Innovation Sandbox's impact on cybersecurity startups, explore winner outcomes, anti-portfolio insights, and key observations to understand its industry significance.

Mike Privette
April 20th, 2023

This post is a collaboration between Rami McCarthy (@ramimacisabird) and Return on Security.
Introduction to the RSA Conference
The RSA Conference (RSAC) is coming up next week, with tens of thousands of attendees, hundreds of speakers and sponsors, and 🥳dozens of parties 🥳.
For those who follow the Security, Funded newsletter, RSAC is a great opportunity to catch the latest trends in funding, innovation, and success stories within the cybersecurity industry. Security, Funded closely monitors developing funding events and helps cybersecurity professionals keep their finger on the pulse of the industry, and will be bringing you the most important details coming out of RSAC.
RSA Innovation Sandbox Overview
BSidesSF traditionally holds its event right before RSAC. Last year, I had the opportunity to chat with multiple founders at the conference as they were getting ready to pitch at the RSA Innovation Sandbox.
This contest, originally presented as the “Innovation Station” back in 2005, identifies (up to) ten innovative new startups and gives them a chance to make a 3-minute pitch to a set of judges. Over its 17-year history, this cohort of finalists has seen 71 acquisitions and $12.31 billion in investments. As of 2019, only seven finalists had closed their doors.

Clearly, inclusion as a finalist can help a startup gain traction, and the group has many successes. Phantom Cyber founder Oliver Friedrichs attributes (on The Decibel Podcast) some of that company's success to their win:
We had the unique opportunity to win the RSA Innovation Sandbox in 2016, which really propelled the company as well
However, after 17 years and over 171 unique finalists, some of whom have been finalists in more than one year of the competition, we have meaningful data available to answer:
Is there a signal for the winner of the RSA Innovation Sandbox?
The average Venture Capital (VC) fund works on a 7-10 year lifecycle. VCs look to return proceeds to their General Partners (GPs) on this timeline, which generally creates exit pressure on startups.
As a result, we can expect the majority of RSA Innovation Sandbox finalists (those from the first decade) to have reached this milestone. In the VC-backed startup landscape, rapid growth, fundraising, and the eventual exit value are often proxies for success.
A Short Review of RSA Innovation Sandbox Winners
2005 - Sourcefire - Network security, IDS, IPS, Anti-Malware
Raised $40.5M over 6 funding events
‘13 acquired by Cisco for $2.7 billion
2006 - Imperva - WAF (Web Application Firewall)
Raised $94.4M over 8 funding events
‘11 IPO’d at $398 million
‘18 taken private by Thoma Bravo for $2.1 billion
2007 - Yoggie - consumer security appliances
‘08 raised an additional $2.8 million
‘11 acquired by CUPP
2009 - AlertEnterprise - fraud and theft prevention, enterprise access management
Raised $27 million in two additional rounds
2010 - Altor Networks - virtualized firewall
‘10 acquired by Juniper Networks for $95 million
2011 - Invincea - advanced endpoint protection
‘11 acquisition by Sophos for $100 million
2012 - Appthority - enterprise mobile threat protection
‘18 acquisition by Symantec
2013 - Remotium - bring-your-own-device security via virtualization
‘15 acquisition by Avast
2014 - RedOwl Analytics - behavioral analytics platform
Raised $30m total
‘17 acquired by Raytheon (Forcepoint) for $54 million
2015 - Waratek - Security-as-Code Application Security platform
Raised $2.57 million in 2018
2016 - Phantom - Security Orchestration Automation and Response
‘18 acquired by Splunk for $350 million
2017 - UnifyID - implicit authentication and behavioral biometrics
‘21 acquired by Prove
2018 - BigID - privacy and personal data protection
Raised $70 million in 2020 Series D at a unicorn valuation
2019 - Axonius - asset management
Raised $200 million in 2022 Series E at a $2.6 billion valuation
2020 - Securiti.ai - privacy compliance
Raised $50 million in 2020 Series B, $75 million in 2022 Series C
2021 - Apiiro - application security platform
Raised $35 million in 2020 Series A, $100 million in 2022 Series B
2022 - Talon - browser-based cybersecurity
Raised $43 million in 2022 pre-Series A funding
2023 - HiddenLayer - machine learning security
Raised $6 million in 2022 Seed, ~$32 million in 2023 venture funding
Want to dive deeper into the data? Check out this Airtable view with even more data and more ways to slice and dice:
Note: This is a live list. Let me know if you see something wrong or missing, and I can update it!
The Outcomes of RSA Innovation Sandbox Winners
Overall, it’s obvious on its face that the RSA Innovation Sandbox crowns solid companies.
Out of 17 winners, under 20% seem to have failed to return the principal invested. These winners rarely fail, consistently go on to garner future funding, and vastly outperform the statistics (~two-thirds) on startup failure.

However, in venture capital, this isn’t enough. Jason Lemkin offers a stellar explanation of the 10x rule:
assume you have to return a liquidity event (sale or IPO) of at least 10x the amount you raise for raising venture capital to be worth it
From that perspective, the Innovation Sandbox winners are a significantly more mixed bag. Of the exits, these crucial outsized returns are only apparent for Sourcefire and Imperva.
In recent years, Sandbox winners have garnered significant funding, but we will need to wait to see whether their exits justify that investment.
The RSA Innovation Sandbox Anti-Portfolio
Another angle to assess the RSA Innovation Sandbox is through those finalists that did not win. Bessemer Venture Partners coined the concept of an “anti-portfolio,” publishing a list of potential investments that they passed on that later became “tremendously successful companies.”
Looking through all 161 finalists between 2005 and 2022, a dozen are already differentiated through their success. In chronological order:
2009: Compared to the 2009 winner, AlertEnterprise, Yubico has been much more successful in both continued fundraising and industry impact.
2012: While Appthority was acquired, the Sandbox passed over Sumo Logic (‘20 IPO at ~$3b valuation), Sonatype (taken private by Vista Equity Partners in ‘19), and Dome9 Security ($125m acquisition in ‘18 on ~$30m raised).
2014: Cylance rode $300m in funding to a $1.4b acquisition by Blackberry. RedOwl Analytics’ $54m outcome on $30m raised pales in comparison.
2015: Waratek hasn’t made much of a splash since their Sandbox win. Two of their cohort have become companies of note: SentinelOne went public in ‘21 at a valuation ($10.9b) 9x their last private valuation, while Cybereason hit a $3.2b valuation and came close to a $5b IPO before the market changed.
2017: UnifyID found an outcome in their ‘21 Prove acquisition, but undisclosed terms and Prove’s funding levels imply this wasn’t a 10x for investors. RedLock, on the other hand, joined Palo Alto for $173m on only $12m raised. Alternatively, Cato Networks, while still private, has gone on to raise over half a billion dollars.
2020: Recent vintages have yet to show their full returns. Winner Securiti.ai recently raised a $75m Series C, but competitor Sqreen sold for $260m to Datadog back in 2021 on only $18m in funding.
2021: Apiiro has gotten off to a great start, raising $125m and with reported talks of a $550m Palo Alto acquisition. Wiz, however, is the (self-identified) “fastest-growing software company ever” and has already hit $100m in ARR and raised $300.0M in 2023 at a $10.0B valuation.
Misc Observations
To date, only two RSA Innovation Sandbox winners have become publicly traded companies:
Imperva (2006)
Sourcefire (2005)
Imperva, a database web application firewall (WAF) platform, was a part of the 2006 cohort of the sandbox contest in the second year of the competition. After going public in 2011, Imperva was acquired by Thoma Bravo in 2018 for $2.1B and taken private again.
Sourcefire, an intrusion detection system (IDS), was a part of the initial cohort in 2005. Sourcefire went public in 2007 and was acquired by Cisco in 2013 for $2.7B.
Looking at other cohorts of the sandbox contest, there are currently four companies that have gone on to be publicly traded:
Class of 2005: Sourcefire went public in 2007
Class of 2006: Imperva went public in 2011
Class of 2012: Sumo Logic went public in 2020
Class of 2015: SentinelOne went public in 2021
Very few public companies that are either hybrid or “pure play” cybersecurity companies have ever competed in the RSA Innovation Sandbox.
You can get a full table of all the current publicly traded cyber companies, both pure-play and hybrid, by referring four people to the newsletter.
On the acquisition front, 71 of the 171 companies, or 41% of the sandbox finalists, went on to be acquired between 2005 and 2022. This includes 9 winners of their respective sandbox years.
The early heavyweights in the cybersecurity and computing industry were the most aggressive in acquiring RSA Sandbox finalists. Here are the top ten leaders on the acquisition side:

Most acquisitions were performed by other cybersecurity companies, with only a small handful being acquired by a Venture Capital firm or Private Equity Group (PEG).

There was also one instance of a sandbox finalist acquiring another sandbox finalist (very meta):
Imperva (2006) acquired Incapsula (2010) in 2014 for an undisclosed amount.
While there is some minor geographic diversity among the finalists, the Sandbox overwhelmingly highlights American startups:

And following that finalist distribution, the same holds relatively true for the sandbox winners:

Closing Thoughts
Looking over the Sandbox’s legacy so far, there are a few takeaways:
The winners seem to be biased toward enterprise security software, targeting big companies and their problems most acutely. These are the same class of companies that form the top leg of the K-Shaped Recovery of the Cybersecurity Industry predicted for the next year or two.
The quality of the finalists is remarkable in how much their selection appears to align with startup continuity, if not success. Given the failure rate of startups, remarkably few finalists have closed their doors, even over a seventeen-year history.
Winners consistently go on to get respectable funding. This could be attributed to the credibility of a Sandbox win among VCs and potential customers, but it is likely equally correlated with the fact that the Sandbox is assessing with the same rubric as investors.
After a strong start with two incredible winning companies in Sourcefire and then Imperva, there is no indication that the Sandbox can consistently identify the “best in batch.”
The vast majority of outcomes for RSA Sandbox finalists are acquisitions, with a total of 71 acquisitions for $7.9B from 2005 to 2022. An IPO, often discussed as the North Star of a venture-funded startup, is a vanishingly rare prospect.
It would be interesting to assess the quality of finalist selection in the same way we have looked at the winners. Did now-public cybersecurity giants like Zscaler apply in their early days? What about BigID’s companions in the 2022 IPO pipeline?