Signal v. Noise in the RSA Innovation Sandbox

Discover RSA Innovation Sandbox's impact on cybersecurity startups, explore winner outcomes, anti-portfolio insights, and key observations to understand its industry significance.

This post is a collaboration between Rami McCarthy (@ramimacisabird) and Return on Security.

Introduction to the RSA Conference

The RSA Conference (RSAC) is coming up next week, with tens of thousands of attendees, hundreds of speakers and sponsors, and 🥳 dozens of parties 🥳.

For those who follow along with the newsletter, RSAC is a great opportunity to catch the latest trends in funding, innovation, and success stories within the cybersecurity industry. Return on Security closely monitors developing funding events and helps cybersecurity professionals keep their finger on the pulse of the industry, so you should sign up here

The Winners

This is what most people are looking for, so here is a running list of the winners for each year that the RSA Innovation Sandbox has been running.

RSA Innovation Sandbox Overview

BSidesSF traditionally holds its event right before RSAC. Last year, I had the opportunity to chat with multiple founders at the conference as they were getting ready to pitch at the RSA Innovation Sandbox.

This contest, originally presented as the “Innovation Station” back in 2005, identifies (up to) ten innovative new startups and gives them a chance to make a 3-minute pitch to a set of judges.

Updated for 2024

Clearly, inclusion as a finalist can help a startup gain traction, and the group has many successes. Phantom Cyber founder Oliver Friedrichs attributes (on The Decibel Podcast) some of that company's success to their win:

We had the unique opportunity to win the RSA Innovation Sandbox in 2016, which really propelled the company as well

However, after 18 years and over 181 unique companies, some of whom have been finalists in more than one year of the competition, we have meaningful data available to answer:

Is there a useful signal for the winner of the RSA Innovation Sandbox?

The average Venture Capital (VC) fund works on a 7-10 year lifecycle. VCs look to return proceeds to their General Partners (GPs) on this timeline, which generally creates exit pressure on startups.

As a result, we can expect the majority of RSA Innovation Sandbox finalists (those from the first decade) to have reached this milestone. In the VC-backed startup landscape, rapid growth, fundraising, and eventual exit value are often proxies for success.

The Economic Impact

There is no denying the economic impact that the RSA Innovation Sandbox has for both the companies competing and the broader cybersecurity ecosystem at large.

Over its 18-year history between 2005 to 2023, the cohort of finalists that have made up the RSA Innovation Sandbox:

  • Have been a part of more than 80 acquisitions

  • Have been funded nearly 700 times

  • Have raised just shy of $15 billion in investments

  • Have exited with nearly $15 billion in M&A transactions

Being in the sandbox seems to at least guarantee a path to high levels of funding and a strong likelihood of being acquired. What is harder to quantify are the knock-on effects of what it means to even be in the competition.

Success often begets success in the cyber world. Simply by being a finalist in the competition, these companies will have more appeal and leverage when it comes to raising future funding rounds, conveying expertise and appeal to potential customers, and bolstering future exit plans.

Just look at Talon Cyber Security, a remote browser isolation platform and winner of the 2022 RSA Innovation Sandbox competition, which was acquired by Palo Alto Networks for $625.0 million. (more)

Even a “near success,” being in the sandbox competition but not being a winner, still has a positive halo effect for all of the above.

Also of note, the 2024 sandbox contestants are the cohort that has received the second-lowest amount of funding to date. Only the 2007 cohort raised less money than the 2024 class. This funding dip could be, in large part, due to the fact that most of the companies in this cohort are younger startups compared to previous cohorts.

It’s also important to note that not every company that partakes in the sandbox competition is a newly formed startup. While the startups in the competition are still squarely in the “early stage” range, not all early-stage traction is created equally.

Some companies will have been around for a few years, while others will be approaching 10 years. Additionally, and a more important measure for future success, some companies in the competition will already come in with a few million in ARR, a list of big-name customers, and the knowing nod of Product Market Fit signals.

This competition is as exciting as the cyber industry is competitive.

The Outcomes of RSA Innovation Sandbox Winners

Overall, it’s obvious on its face that the RSA Innovation Sandbox crowns solid companies.

Out of 18 winners to date, under 20% seem to have failed to return the principal invested. These winners rarely fail, consistently go on to garner future funding, and vastly outperform the statistics (~two-thirds) on startup failure.

However, in venture capital, this isn’t enough. Jason Lemkin offers a stellar explanation of the 10x rule:

Assume you have to return a liquidity event (sale or IPO) of at least 10x the amount you raise for raising venture capital to be worth it.

From that perspective, the Innovation Sandbox winners are a significantly more mixed bag. Of the exits, these crucial outsized returns are only apparent for Sourcefire and Imperva.

In recent years, Sandbox winners have garnered significant funding, but we will need to wait to see whether their exits justify that investment.

Misc Observations

There is a common theme among entrants to the RSA Innovation Sandbox over its history.

Data Protection, which includes many different types of companies in data discovery, data classification, data loss prevention, and various forms of encryption and certificate management, is the top product category across all years.

Data Protection being the top product category to enter the competition makes sense because, at the end of the day, isn’t protecting data what the cyber industry is all about?

Looking at the winners describes a different story, however. Mobile Device Security and Endpoint Protection tie for first place with the winners, with a 14-way tie for all the remaining categories. Of which, Data Protection holds only one win in 2020 from Securiti.

To date, only two RSA Innovation Sandbox winners have become publicly traded companies:

  • Imperva (2006)

  • Sourcefire (2005)

Looking at other cohorts of the sandbox contest, there are currently only a handful of companies that have gone on to be publicly traded:

  • Class of 2005: Sourcefire went public in 2007 and later went private

  • Class of 2006: Imperva went public in 2011 and later went private

  • Class of 2009: Yubico went public via SPAC in 2023

  • Class of 2012: Sumo Logic went public in 2020

  • Class of 2015: SentinelOne went public in 2021

Very few of the public cybersecurity companies around today have ever competed in the RSA Innovation Sandbox. You can get a full table of all the current publicly traded cyber companies from around the world, both pure-play and hybrid, here:

On the acquisition front, 81 of the 181 companies, or 45% of the sandbox finalists, went on to be acquired between 2005 and 2022. This includes 11 winners of their respective sandbox years.

The early heavyweights in the cybersecurity and computing industry were the most aggressive in acquiring RSA Sandbox finalists. Here are the top ten leaders on the acquisition side:

This chart hasn’t changed since 2022

How things probably felt in retrospect:

The good ole days

There was also one instance of a sandbox finalist acquiring another sandbox finalist (very meta):

  • Imperva (2006) acquired Incapsula (2010) in 2014 for an undisclosed amount.

While there is some minor geographic diversity among the finalists, the Sandbox overwhelmingly highlights American startups:

And following that finalist distribution, the same holds relatively true for the sandbox winners:

The RSA Innovation Sandbox Anti-Portfolio

Another way to assess the RSA Innovation Sandbox is through the finalists who did not win. Bessemer Venture Partners coined the concept of an “anti-portfolio,” publishing a list of potential investments that they passed on that later became “tremendously successful companies.”

Looking through all 161 finalists between 2005 to 2022, a dozen are already differentiated through their success. In chronological order:

2009: Compared to the 2009 winner, AlertEnterprise, Yubico has been much more successful in both continued fundraising and industry impact.

2012: While Appthority was acquired, the Sandbox passed over Sumo Logic (‘20 IPO at ~$3b valuation), Sonatype (taken private by Vista Equity Partners in ‘19), and Dome9 Security ($125m acquisition in ‘18 on ~$30m raised).

2014: Cylance rode $300m in funding to a $1.4b acquisition by Blackberry. RedOwl Analytics’ $54m outcome on $30m raised pales in comparison.

2015: Waratek hasn’t made much of a splash since their Sandbox win. Two of their cohort have become companies of note: SentinelOne went public in ‘21 at a valuation ($10.9b) 9x their last private valuation, while CyberReason hit a $3.2b valuation and came close to a $5b IPO before the market changed.

2017: UnifyID found an outcome in their ‘21 Prove acquisition, but undisclosed terms and Prove’s funding levels imply this wasn’t a 10x for investors. RedLock, on the other hand, joined Palo Alto for $173m on only $12m raised. Alternatively, Cato Networks, while still private, has gone on to raise over half a billion dollars.

2020: Recent vintages have yet to show their full returns. Winner recently raised a $75m Series C, but competitor Sqreen sold for $260m to Datadog back in 2021 on only $18m in funding.

2021: Apiiro has gotten off to a great start, raising $125m and with reported talks of a $550m Palo Alto acquisition. Wiz, however, is the (self-identified) “fastest-growing software company ever” and has already hit $100m in ARR and raised $300.0M in 2023 at a $10.0B valuation.

Closing Thoughts

Looking over the Sandbox’s legacy so far, there are a few takeaways:

  1. The winners seem to be biased toward enterprise security software, targeting big companies and their problems most acutely. These are the same class of companies that form the top leg of the K-Shaped Recovery of the Cybersecurity Industry predicted for the next year or two.

  2. The quality of the finalists is remarkable in how much their selection appears to align with startup continuity, if not success.

  3. Given the failure rate of startups, remarkably few finalists have closed their doors, even over a seventeen-year history.

  4. Winners consistently go on to get respectable funding. This could be attributed to the credibility of a Sandbox win among VCs and potential customers, but it is likely equally correlated with the fact that the Sandbox is assessing with the same rubric as investors and customers.

  5. After a strong start with two incredible winning companies in Sourcefire and then Imperva, there is no indication that the Sandbox can consistently identify the “best in batch” if the goal is to go IPO.

  6. If the goal is to get acquired, there is a strong correlation between being a contestant in the sandbox competition and being a great M&A target later on down the road. The vast majority of outcomes for RSA Sandbox finalists are acquisitions. An IPO, often discussed as the North Star of a venture-funded startup, is a vanishingly rare prospect.

  7. It would be interesting to assess the quality of finalist selection in the same way we have looked at the winners. Did now-public Cybersecurity giants like ZScaler apply in their early days?

Data Methodology and Sources

  • All of the data is captured point-in-time from publicly available sources.

  • All financial figures are converted to U.S. dollars (USD) when collected.

  • Company country locations are pulled from publicly available sources.

  • Companies are categorized using our own system at Return on Security, and we write all of the company descriptions.

  • Sometimes, the details about deals, like who led the round, how much money was raised, or the deal stage, might get updated after the issue is first published.

  • If you spot any errors, let us know, and we’ll fix them.

About Return on Security

Return on Security is all about breaking down the cybersecurity industry for you with expert analysis, hard facts, and real-life stories. The goal? To keep security pros, entrepreneurs, and investors ahead in a fast-moving field. Read more about the “Why” here.

Feel free to borrow any data, charts, or advice you find here. Just make sure to give a shoutout to Return on Security when you do.

Thank you for reading. If you liked this analysis, please share it with your friends, colleagues, and anyone interested in the cybersecurity market.

Follow me on LinkedIn or Twitter to never miss Return on Security updates.

Join the conversation

or to participate.