Signal v. Noise in the RSA Innovation Sandbox

Learn about the impact of RSA Innovation Sandbox on cybersecurity startups, including winners, key observations, and industry significance.

Last updated in April 2025

This post was originally created in collaboration with Rami McCarthy. He writes a lot of great technical posts, so you should follow him and read what he writes.


The RSA Conference

Behind the headlines and hype of the RSA Conference lies one of the industry's best predictive machines. The Innovation Sandbox has become synonymous with being a launchpad for new unicorns and breakaway companies in the industry.

But not everything that glitters goes public.

For those who follow the newsletter, RSAC is a great opportunity to catch up on the latest trends in funding, innovation, and success stories within the cybersecurity industry. Return on Security closely monitors emerging funding events and helps cybersecurity professionals stay up to date with the industry.

The RSA Innovation Sandbox Overview

BSidesSF traditionally holds its event right before the RSA Conference. Last year, we had the opportunity to chat with multiple founders at the conference as they prepared to pitch at the RSA Innovation Sandbox.

This contest, originally presented as the “Innovation Station” back in 2005, identifies up to ten innovative new startups and gives them the chance to make a 3-minute pitch to a set of judges.

As of 2019, only seven finalists had closed their doors. Clearly, being a finalist can help a startup gain traction, and the group has had many successes. Phantom Cyber founder Oliver Friedrichs attributes (on The Decibel Podcast) some of that company's success to their win:

We had the unique opportunity to win the RSA Innovation Sandbox in 2016, which really propelled the company as well

Oliver Friedrichs

However, after almost 20 years and over 190 unique companies, some of whom have been finalists in more than one year of the competition, we have enough meaningful data available to answer the following question:

Is winning the RSA Innovation Sandbox a good signal?

The average Venture Capital (VC) fund works on a 7-10 year lifecycle. VCs look to return proceeds to their General Partners (GPs) on this timeline, which generally creates exit pressure on startups.

As a result, we can expect the majority of RSA Innovation Sandbox finalists (those from the first decade) to have reached this milestone. In the VC-backed startup landscape, rapid growth, fundraising, and eventual exit value are often proxies for success.

The Economic Impact

The RSA Innovation Sandbox clearly impacts companies in the competition and the wider cybersecurity ecosystem.

To illustrate the economic scale, let’s look at the 20-year history of the competition from 2005 to 2025. The finalists in the RSA Innovation Sandbox have (so far):

  • Raised funding nearly 750 times.

  • Put just shy of $17 billion of investments to work.

  • Gone public via IPO 5 times.

  • Been a part of over 95 acquisitions.

  • Exited with nearly $48 billion* in M&A value (from publicly available sources).

*Google's acquisition of Wiz makes up $32 billion of this figure should the deal go through. Fun fact: Wiz did not win the competition in their year.

Being in the sandbox seems to at least guarantee a path to high levels of funding and a strong likelihood of being acquired. What is harder to quantify are the knock-on effects of what it means to even be in the competition.

Success often begets success in the cyber world. Simply by being a finalist in the competition, these companies will have more appeal and leverage when it comes to raising future funding rounds, conveying expertise and appeal to potential customers, and bolstering future exit plans.

Just look at Talon Cyber Security, a remote browser isolation platform and winner of the 2022 RSA Innovation Sandbox competition, which was acquired by Palo Alto Networks for $625.0 million.

Even a “near success” of being in the sandbox competition but not winning still has a positive halo effect on all of the above.

Also of note, the 2024 sandbox contestants are the cohort that has received the second-lowest amount of funding to date. Only the 2007 cohort raised less money than the 2024 class. This funding dip could be, in large part, due to the fact that most companies in this cohort are younger startups compared to previous cohorts.

It’s also important to note that not every company that partakes in the sandbox competition is a newly formed startup. While the startups in the competition are still squarely in the “early stage” range, not all early-stage traction is created equally.

Some companies will have been around for a few years, while others will be approaching their 10th year. Additionally, and a more important measure for future success, some companies in the competition will already come in with a few million in ARR, a list of big-name customers, and the knowing nod of Product Market Fit signals.

This competition is as exciting as the cyber industry is competitive. Speaking of competition, let’s look at the winners.

The Winners of the RSA Innovation Sandbox Competition

This is what most people are looking for, so here is a running list of the winners for each year that the RSA Innovation Sandbox has been running.

Note that there was no Innovation Sandbox in 2008 for undisclosed reasons.

What Happens to Winners?

It’s obvious on its face that the RSA Innovation Sandbox crowns solid companies. The winners rarely “fail” (as in, shut down), consistently go on to secure future funding, get acquired, and vastly outperform the statistics (around two-thirds) on startup failure.

Three such notable companies at the time of refreshing this piece:

  • Sourcefire - went public via IPO, followed by a private equity acquisition

  • Imperva - went public via IPO, followed by a private equity acquisition

  • Talon Cyber Security - acquired by Palo Alto

IPO has been the name of the venture capital game since the beginning, as well as achieving the elusive 10- to 100x returns. Jason Lemkin from SaaStr offers a stellar explanation of the 10x rule:

Assume you have to return a liquidity event (sale or IPO) of at least 10x the amount you raise for raising venture capital to be worth it.

Jason Lemkin

IPOs and M&A Outcomes

But things have changed on the IPO front, and public markets demand more. The price of admission, the level of competition, and economic challenges have changed a lot in the last 20 years.

Looking at other cohorts of the sandbox contest, there are currently only a handful of companies that have gone on to be publicly traded:

  • Class of 2005: Sourcefire (winner) went public in 2007 and later went private

  • Class of 2006: Imperva (winner) went public in 2011 and later went private

  • Class of 2009: Yubico went public via SPAC in 2023

  • Class of 2012: Sumo Logic went public in 2020

  • Class of 2015: SentinelOne went public in 2021

Very few of the public cybersecurity companies still operating at the time of writing this post have competed in the RSA Innovation Sandbox, which is an interesting difference.

While having a successful IPO is one measure of success, it’s no longer the only measure. M&As, whether they are strategic roll-ups or private equity buyouts, are now the most common path for both winners and non-winners.

On the acquisition front, 51% of the 191 sandbox finalists were acquired between 2005 and 2025.

Taking the flip side of the M&A equation, we see a strong concentration of power. The early heavyweights in the cybersecurity and computing industry were the most aggressive in acquiring RSA Sandbox finalists and made out like bandits.

Here are the top ten leaders on the acquisition side:

This chart hasn’t changed since 2022


There was also an instance of a sandbox finalist acquiring another sandbox finalist (very meta):

  • Imperva (2006) acquired Incapsula (2010) in 2014 for an undisclosed amount.

In any event, just being in the game gives you a leg up. Being a finalist gets you into an “elite club” with a “vibe tailwind” that is more valuable than any funding round.

That may not last forever, though, as some significant changes arrived in 2025 and the industry has mixed feelings about it.

Changing of the Guard and New 2025 Rules

Let’s take a quick walk down memory lane to set the stage for the 2025 changes.

Back in March 2022, the private equity firm Crosspoint Capital Partners acquired the RSA Conference, backed by Clearlake Capital Group and Symphony Technology Group. The transaction involved purchasing a significant interest in the RSA Conference from RSA Security and making the conference an independent, standalone business.

Given the conference's enormous appeal, this move makes a lot of sense. Fast forward two years after the acquisition, however, and a new private equity playbook began to emerge.

In November 2024, Crosspoint Capital Partners announced a new rule. Starting in 2025, the top 10 finalists in the Innovation Sandbox competition must accept a $5 million investment to take part. Being selected as a finalist now automatically comes with this funding requirement.

This investment will use an uncapped Simple Agreement for Future Equity (SAFE), an instrument popularized by Y Combinator, and will include pro-rata rights and information rights. While this gives startups a lot of money and flexibility, it comes with new strings attached:

  • “Uncapped” means there is no limit on the valuation when converting a SAFE. If the company’s value rises, the investor gains accordingly.

  • The uncapped structure can dilute founders more than capped SAFEs. Capped SAFEs set a maximum conversion price. Dilution means founders own a smaller percentage of the company after new shares are issued in a new funding round.

  • Pro-rata rights allow investors to buy more shares in future funding rounds. This helps them maintain their ownership percentage as the company grows.

  • Information rights help investors get important updates, financials, and performance data, keeping them informed about the company's progress.

Carta has the best breakdown of the pros and cons of using SAFE agreements for anyone who wants to go deeper.

This mandatory investment is a controversial but predictable move for the RSA Conference. As backers of the mega security conference, it makes sense from a business perspective to tap into the huge benefits that competitors see. But it won’t be without its complications and mixed feelings.

Some founders and investors may see this as a “pay-to-play.” This might scare off startups that don’t want outside money. It also affects those who are cautious about dilution and investor rights. Some may also see this as a way to artificially prop up companies that might not have otherwise survived as long without that investment.

It’s too early to tell, but the big question now is: will other conferences, like the Black Hat Startup Spotlight Competition, follow suit?

Misc Observations

There has been a common theme among entrants to the RSA Innovation Sandbox throughout its history.

Data Protection, which encompasses various companies in data discovery, data classification, data loss prevention, and different forms of encryption and certificate management, is the top product category across all years.

Data Protection being the top product category to enter the competition makes sense because, at the end of the day, isn’t protecting data what the cyber industry is all about?

The RSA Innovation Sandbox Anti-Portfolio

Another way to assess the RSA Innovation Sandbox is to look at the finalists who did not win. Bessemer Venture Partners coined the concept of an “anti-portfolio,” publishing a list of potential investments that they passed on that later became “tremendously successful companies.”

Looking through all 191 finalists from 2005 to 2025, a dozen have already been differentiated by their success. In chronological order:

  • 2009: Compared to the 2009 winner, AlertEnterprise, Yubico has been much more successful in both continued fundraising and industry impact.

  • 2012: While Appthority was acquired, the Sandbox passed over Sumo Logic (‘20 IPO at ~$3.0B valuation), Sonatype (taken private by Vista Equity Partners in ‘19), and Dome9 Security ($200.0M acquisition in ‘18 on ~$30.0M raised).

  • 2014: Cylance rode $300M in funding to a $1.4B acquisition by BlackBerry. Compare that with RedOwl Analytics’ $54.0M outcome on the $30.0M raised.

  • 2015: Waratek hasn’t made much of a splash since their Sandbox win. Two of their cohort have become companies of note: SentinelOne went public in 2021 at a valuation of $10.9 billion, nine times their last private valuation, while Cybereason reached a $3.2 billion valuation and came close to a $5.0 billion IPO before the market changed.

  • 2017: UnifyID found an outcome in their ‘21 Prove acquisition, but undisclosed terms and Prove’s funding levels imply this wasn’t a 10x for investors. RedLock, on the other hand, was acquired by Palo Alto for $173 million despite having raised only $12 million. Alternatively, Cato Networks, although still private, has raised over half a billion dollars and is expected to go public in 2025.

  • 2020: Recent vintages have yet to show their full returns. Winner Securiti.ai recently raised a $75 million Series C round, but competitor Sqreen was acquired by Datadog for $260 million in 2021 despite having only $18 million in funding.

  • 2021: Apiiro has gotten off to a great start, raising $125 million, with reported talks of a $550 million acquisition by Palo Alto. Wiz, however, is the self-identified “fastest-growing software company ever” and has already hit $100 million in ARR, raising $300 million in 2023 at a $10 billion valuation. Wiz later went on to be acquired by Google as part of the largest cybersecurity acquisition ever in 2025.

  • 2022: Wiz hits $100M ARR in 18 months.

  • 2024: Wiz hits $500M ARR en route to its first acquisition offer from Google for $23 billion (which it later walked away from).

  • 2025: Wiz was acquired by Google for $32 billion, marking the largest-ever cybersecurity acquisition and one of the highest valuation multiples.

Closing Thoughts

Looking over the Sandbox’s legacy so far, there are a few takeaways:

  1. The winners seem to be biased toward enterprise security software, targeting big companies and their problems most acutely. These are the same class of companies that form the top leg of the K-Shaped Recovery of the Cybersecurity Industry predicted for the next year or two.

  2. The quality of the finalists is remarkable in how much their selection appears to align with startup continuity if not success.

  3. Given the failure rate of startups, remarkably few finalists have closed their doors, even over a seventeen-year history.

  4. Winners consistently secure respectable funding. This can be attributed to the credibility of a Sandbox win among VCs and potential customers, but it is likely equally correlated with the fact that the Sandbox is evaluated using the same rubric as investors and customers.

  5. After a strong start with two incredible winning companies, Sourcefire and Imperva, there is no indication that the Sandbox can consistently identify the “best in batch” if the goal is to go public.

  6. An IPO, often discussed as the North Star of a venture-funded startup, is a vanishingly rare prospect, even with the tailwinds of being in the competition or winning it.

  7. If the goal is to get acquired, there is a strong correlation between being a contestant in the sandbox competition and being a great M&A target later on down the road. The vast majority of outcomes for RSA Sandbox finalists are acquisitions.

  8. It would be interesting to assess the quality of finalist selection in the same way we have looked at the winners. Did now-public cybersecurity giants like Zscaler or Palo Alto apply in their early days? We may never know these answers.

Data Methodology and Sources

  • All data is captured at a point in time from publicly available sources.

  • All financial figures are converted to U.S. dollars (USD) upon collection.

  • Sometimes, details about deals, such as who led the round, how much money was raised, or the stage of the deal, may be updated after the issue is first published.

  • If you spot any errors, let us know, and we’ll fix them.
