News was released yesterday, 21/10/21, that Invicti security had received an injection of $635m to further expand their global takeover of the DAST market.

Invicti Security is a vendor that we know well and is renowned in the dynamic application security testing (DAST) market.

They are predominantly a channel focused vendor which has seen massive growth in the past few years with their utilisation of distribution and channel partners.

Without knowing the equity share given for the investment, we are unable to determine the current valuation but a rough guess would put them above the $1b valuation.

How did they get there?

Invicti is made up of two brands, Acunetix and Netsparker. Acunetix was formed in 2004 in Malta by Nick Galea, who now heads up 3CX from Cyprus. 3CX is another channel focused vendor in the unified communications space.

It’s taken them 17 years to get to where they are today, so one thing we can suggest is that it’s been a marathon as opposed to a sprint.

Acunetix was the first to market with a commercial DAST scanner, but it certainly wasn’t the first DAST scanner available. OWASP ZAP, an open source DAST scanner, was available the year before this and was, and still is, available under an Apache 2.0 licence that allows anybody to take the source code and create a commercial product from it.

Being the first to do this gave them an advantage against everyone else that has done the same since as they have had the time to build on what they have.

It was only in 2018 that they got their first round of VC funding from Turn River Capital, a US-based VC company that has other security vendors such as Endpoint Protector within its portfolio.

Prior to this period, they had a mature channel in place, albeit a messy one with around 7 different stages of partnership and margins scattered all over the place.

In 2019, they switched to a more coherent 2-tier distribution model and reverted to a simple structure with 3 tiers which allowed for simpler management of channel partners.

Having covered the globe with distributors who can support the recruitment of channel partners and increase in territories, they advanced quickly by taking over regions for their sector that they didn’t previously have.

China was a big focal point with the introduction of the distributor called 51 Component based in mainland China who made it possible to transact into this elusive territory.

Having an on-premise version of the software gave them the advantage of selling into China as China won’t generally use anything that is hosted outside of China.

Working with mid scale distributors gave them the attention that they needed on the ground in regions that were deemed difficult to penetrate.

The game changer for this vendor was the switch in channel structure and a focus on entering markets that they didn’t have already.

The office was spun up in the US to concentrate on the US channel as well as enterprise sales, although they still had distribution in place in the US and Canada.

Competitors in the space

Competition in the DAST space comes from several different vendors. First are the original DAST vendors, which include Rapid7, Qualys and to some extent Tenable, who also have DAST offerings on top of their network scanning technologies. These vendors specialise in application and network security, with all of them offering some form of network scanning and web app scanning.

Then we have the larger software vendors who have a web app scanner that isn’t their primary focus. These vendors include Synopsys, Micro Focus and HP.

Another source of competition is the new players in the market who have sprung up post 2017 by taking ZAP or other open source technologies and re-skinning them, hosting them in a data centre and offering them as SaaS solutions. There are too many to name here but we can name at least one for every major country. We know of them in the UK, Ireland, Sweden, France, Netherlands, Germany, Portugal, Russia and plenty in the US!

The problem with all of these new players coming to market is that they will find it difficult to move the channel partners away from the leading vendors in the space unless something drastic happens. The more the new players focus on their partners and not only their bottom line, the more market share they will capture.

The vast majority of vendors in the space are channel-focused vendors. Many of them sell through distribution and resellers as well as having MSP programs.

As the newer players in the market try to sell through channel, are they left with only the partners that are no longer being worked by the larger vendors?

What we see is that the local level competitors from the countries mentioned above struggle to break out of their own territories because of the presence of the major players through their existing partnerships in all countries.

It’s not unheard of that partners switch from one allegiance to another one but something has to happen in order for that switch over to occur.

A prime example is when Rapid7 put most of their distribution in the hands of ArrowECS and removed the mid scale distributors that they worked with. This presented the opportunity to onboard all of those distributors at Acunetix and capture the partners that were being worked by those distributors, effectively shifting the market.

Where to next?

With an investment of $635m and going with a conservative valuation of $1b+, this puts them outside of the scope for acquisition for a lot of the players who would typically acquire a vendor of this kind.

Could this mean that they are aiming to float on the stock exchange?

Could they be looking to be acquired by one of the big 5?

What I can say is that competition is hotting up in this space and the space is evolving.
