Cybersecurity Software Companies: Securely in Favor

Koji Bratcher
7 min readFeb 22, 2021

In a rapidly digitalized global economy (in part, accelerated by the coronavirus pandemic), cybersecurity has become a primary concern among middle-market business leaders. This is not surprising given the media attention on high-profile data breaches and the vast number of people that are impacted by these attacks. Furthermore, companies have become even more vulnerable to security breaches with the number of people now working from home due to the coronavirus pandemic. For more information on the accelerated evolution of cybersecurity in 2020 and beyond, check out this article by Jeremy Swenson.

Intuitively, investors tend to favor companies experiencing high demand — cybersecurity software companies certainly fall into that category. In this article, I will briefly analyze the trends that seem to be driving valuations for publicly-traded cybersecurity software companies.

This article was first posted in the ValuInsights Industry Blog. Visit us for more valuation insights and resources and follow me on LinkedIn!

Important notes: This article examines potential driving factors for cybersecurity company valuations from a financial statement perspective. An actual valuation of a company requires an in-depth analysis of the business operations as well as associated risk factors that cannot always be directly considered through the data on financial statements. Also, in order to keep the length manageable, this article will focus on what I interpreted to be the primary value drivers and will not touch on every observation in the data. For a quick read on the basic concepts of risk and return and how they apply in the context of this article, please visit: What is Value? and Risk and Return in the Market Approach.

The industry constituents for this analysis are listed below. I honed in on cybersecurity companies that were traded on major U.S. exchanges for at least a year with a stock price of $1 or more, and focused on enterprise-level clientele. The effective date of this analysis is December 31, 2020.

The cybersecurity companies’ median enterprise value (“TEV”) and median revenues are summarized in Figure 1. Latest fiscal year is notated “LFY” (2019), while latest 12 months is labeled “LTM” (latest available information as of December 31, 2020). Since many of the companies in this space generate negative cash flow, I have excluded EBITDA trends in Figure 1.

Figure 1 shows a rising trend in both median revenue and enterprise values. Although revenue growth flattened in the LTM, enterprise values continued to grow. Many of the companies in this industry provide their services on a subscription basis, better known as the Software-as-a-Service (“SaaS”) business model.

To provide some brief background, SaaS companies make significant upfront investments in the development of their products or services and to create market awareness. Frequently, a lot of these costs are incurred before the company even generates any revenue. As a SaaS business goes to market and successfully acquires customers, revenue starts to grow. SaaS companies are unique (relative to more traditional business models) in that customers subscribe to services and, ideally, will continue to renew their contracts year after year. As new customers are acquired over time and added to the existing subscriber base, revenue can grow rapidly. The recurring nature of revenues tends to lend some predictability to (successful) companies in the SaaS space and is likely a key reason why the cybersecurity companies analyzed here were able to maintain revenue through 2020.

When analyzing SaaS companies, another important consideration is the relationship between revenue and expenses. The cost structure of a SaaS company tends to be comprised primarily of fixed expenses, which provides an opportunity for high levels of profitability for companies that can scale up. SaaS companies tend to trade on revenue metrics (multiples to be presented shortly) due to the expectation of major growth and, therein, the prospect of significant future returns in the form of cash flow. This analysis will be limited to the revenue reported in financial statements under Generally Accepted Accounting Principles (“GAAP”), which is a historical-looking metric. An important revenue metric that should always be considered when performing a formal business valuation of a SaaS business is its annualized run-rate. This figure is a forward-looking measurement of the current revenue-generating potential of a business based on currently subscribed customers. However, an analysis of annualized run-rates is outside the scope of this article.

Despite a flattening of the growth curve in the LTM, enterprise values grew substantially. Expectations for continued growth amid heightened interest around cybersecurity appear to be driving valuations in this space, which I will discuss later in this article. The disproportionate rise in enterprise values compared to flat revenue growth has driven multiples ever higher. This is illustrated in Figure 2.

The Growth Story

Growth often has a strong influence on how companies are valued and cybersecurity software companies are no exception, especially in the SaaS space. A comparison of median revenue growth between December 31, 2020 and the prior year is presented in Figure 3 below (note that “NFY” means next fiscal year; NFY = calendar 2020 for most companies).

In Figure 3, the revenue growth trends in 2020 (blue line) remained similar to those of 2019 (orange line). Although the industry experienced modest growth in 2020, revenues are expected to catch up in 2021 and 2022. This projection highlights the increasing relevancy of cybersecurity and why investors have had such an interest in this industry.

When plotting the projected growth in revenue against the revenue multiples observed in the publicly-traded cybersecurity software companies, I noted some interesting trends. See Figure 4 below.

The companies with the highest growth rates traded at the highest multiples and the companies with the lower growth rates appeared to trade at lower multiples. Given the disparity in growth rates in Figure 4, I also looked closer at the “low-growth” companies with growth rates of less than 20%. These companies are graphically presented in Figure 5.

Among the companies with less than 20% projected growth, revenue multiples tended to be aligned with industry growth-rate trends, but there is some dispersion in the data. This would suggest that, while growth is an important consideration, it is not the only factor impacting valuations of these companies as of December 2020.

The Size Story

Larger companies are generally perceived to have lower levels of risk relative to smaller companies. This can be due to a number of factors, including improved product or geographic diversification, deeper management teams, access to a variety of distribution channels, and better availability of capital. Figure 6 presents a comparison of size (measured by market capitalization) and LTM revenue multiples.

The size of the companies in this industry ranges widely so I took a closer look at smaller constituents (see Figure 7).

In Figure 7, there is clustering of multiples among similar-sized companies. The smallest companies traded at the lowest revenue multiples, while the largest companies of this subset traded at the highest multiples. Again, there is some dispersion among the data points, which suggest that other factors are impacting valuations.

The Profitability Story

Revenue multiples are typically heavily influenced by profitability. Higher revenue multiples are usually observed in companies with higher levels of profitability. For cybersecurity software companies, this relationship was not observed. This makes sense given the SaaS business model as explained earlier. Because the future success of SaaS businesses are dependent on their ability to scale up, it makes sense that the revenue multiples may not align with current EBITDA margins.

Tying it All Together

Qualitative factors aside, the trends observed in this article suggest that valuations of cybersecurity software companies are primarily impacted by revenue growth and size. As cyberattacks and data breaches continue to occur, these businesses are likely to benefit from greater levels of demand for their services.

I hope you found this analysis helpful. Any and all input, feedback, suggestions, and questions (including disagreements with my high-level analysis) are welcome! Thanks for reading.


SaaS companies are complex organizations with numerous value drivers. The valuation of a company requires an understanding of its risks and of the industry as a whole, and proper interpretation of capital market evidence. Helios Consulting, Inc. is a full-service valuation service provider with the experience needed to guide you through your valuation requirements.

Don’t need a full valuation but looking for a high-level assessment of how your company compares to its publicly-traded peers? ValuAnalytics, LLC provides cost-effective, expert-level valuation analytics to give you the insight you need to make better internal decisions around valuation.

For more information, please visit us at:



Koji Bratcher

Director/Principal @ Helios Consulting, Inc. ( and Founder of ValuAnalytics, LLC (