Cybereason

Cybereason is a cybersecurity company that provides endpoint prevention, detection, and incident response solutions. Cybereason was built to detect any suspicious activities, quarantine compromised users from the network, and help in conducting a fast, detailed and thorough investigation in the event of a breach.

Founding Date

Jan 1, 2012

Headquarters

Boston, Massachusetts

Total Funding

$851M

Stage

Series G

Employees

1001-5000


Memo

Updated

September 14, 2023


Thesis

In 2022, there were nearly 2K successful cyber breaches, 70% of which originated from endpoints. The term endpoint in this context refers to any device that can connect to a network. These include corporate laptops, desktops, phones, or servers, among other things. Endpoints have become easy targets for cybercriminals because they act as entry points to corporate systems, with 68% of corporate endpoints hit by attempted data breaches and at least one endpoint attack that compromised data and/or IT infrastructure in 2019. Additionally, 73% of all enterprise devices contain sensitive data, increasing the threat of endpoint attacks.

The risk has been exacerbated in recent years by the wide adoption of work-from-home and bring-your-own-device policies which expanded the attack surface available to hackers. Traditional antivirus solutions such as McAfee were made to detect and remove known vulnerabilities, but have struggled to contain the rapidly evolving malware attacks as cybercriminals became increasingly sophisticated. This led to the rise of modern endpoint detection and response (EDR) platforms which provide advanced threat detection capabilities, real-time remediation, and proactive hunting of potential attacks. In 2022, 44% of companies invested in endpoint security.

Cybereason is a Boston-based cybersecurity company that provides endpoint breach prevention, detection, and incident response solutions. Cybereason’s product suite creates an opportunity for it to gain market share against traditional antivirus solutions like McAfee. Considering the increasing number of endpoints, organizations are seeking ways to protect themselves from cyber-attacks. Endpoint security protects these points of entry from risky activity and malicious cyber attacks. Cybereason, among other competitors, aims to enable organizations to maintain control over the growing number and types of endpoints that cyber attackers can utilize to breach an organization.


Founding Story

Cybereason was founded in 2012 by Lior Div (CEO), Yonatan Striem Amit (CTO), and Yossi Naar (Chief Visionary Officer). Prior to founding Cybereason, Div served in the cyber and intelligence division of the Israeli Defense Force (IDF) for six years. While there, he was a member of Unit 8200, the unit responsible for collecting signal intelligence and decrypting codes (similar to the US National Security Agency).

In 2010, the joint efforts of the US and Israeli intelligence agencies were thrown into the global spotlight. The two governments were working together to launch attacks on the computer systems that ran Iran’s nuclear enrichment facilities. Prior to this, as Div has since explained, the agencies used to “run in the shadows,” but suddenly, “everyone was talking about what we were doing.”

Part of the reason was that it was the first example of “using software as a weapon to achieve military goals” to attract the global spotlight, which led Div and other cybersecurity experts to fear that the weaponization of software could extend beyond military intelligence. In 2010, Div said:

“We realized we have a lot of insight into the nature of the problem that you can't understand if you haven’t worked in something that’s equivalent to the NSA. You can’t learn this at any school.”

Since nearly everything in computer programming is hackable, Div wanted to use his IDF intelligence experience to address this issue. Therefore, Div joined forces with two of his former IDF colleagues, Yonatan Striem Amit and Yossi Naar, to begin building Cybereason in 2012. The goal of the team was to build software solutions that would proactively scan for any threats to enterprise devices and neutralize them. The founding team’s experience within the Israeli military cybersecurity unit was put to use in building an endpoint platform.

In April 2023, Cybereason announced that Lior Div was stepping down as CEO and being replaced by Softbank’s Eric Gan. The news came after a $100 million cash infusion from Softbank that cut Cybereason’s valuation by 90%.

Product

Cybereason was built to detect any suspicious activities, quarantine compromised users from the network, and help conduct a fast, detailed, and thorough investigation in the event of a breach.

Source: Cybereason

Endpoint Detection and Response (EDR)

Cybereason’s EDR product provides visibility to all endpoints, instant detection and remediation, and a threat intelligence tool that generates detailed information about the different types of malware attacks and the adversary groups trying to gain access to the organization's systems. The company claims that it uses behavioral analysis and machine learning to detect threats quickly and with a high degree of accuracy. Cybereason’s MalOp engine cross-correlates data between multiple endpoints like firewalls and SIEM, allowing security teams to identify threats quickly and more accurately than traditional EDR solutions.

Source: Cybereason

Next-Generation Antivirus (NGAV)

Cybereason offers an Anti-Virus solution that provides nine distinctive layers of protection. These include blocking unauthorized endpoints like USBs, protection against known variants of malware, analyzing documents for any embedded malicious code, and, unlike traditional anti-virus products, detecting, isolating, and eradicating zero-day or unknown malware variants.

Source: Cybereason

Ransomware Protection

Cybereason claims that its ransomware protection product utilizes artificial intelligence to predict ransomware activities on endpoints and block them before encryption takes place. The product stops any encryption-related suspicious activities, detects signs of ransomware in network drives, and in the event of an attack, recovers and restores files encrypted by attackers.

Extended Detection and Response (XDR)

Powered by Google Chronicle (GCP’s cybersecurity arm), Cybereason’s XDR solution extends protection beyond endpoints into networks, email, productivity suites, and identity management tools.

Source: Cybereason

Cybereason XDR combines its capabilities to analyze over 23 trillion security-related events per week with Google Chronicle’s ability to ingest and normalize huge volumes of data. The solution monitors for early signs of malicious activities across devices, applications, and cloud deployments and predicts the attacker's next steps to anticipate and proactively block them. It also provides security teams with a response framework including automated threat prevention and guided response on what to do in the event of an attack.

Cloud Workload Protection (CWP)

Cybereason’s CWP product provides protection for containers and workloads that reside across an organization's infrastructure. It is designed to offer broad visibility and a comprehensive view of threats across workload telemetry. Security analysts can use Cybereason CWP to execute a full suite of remediation actions with a single click.

Managed Detection and Response (MDR)

Cybereason’s MDR product offers a fully managed security operation that includes active threat hunting, detection and remediation services, and security experts that can be deployed remotely. MDR services are suitable for organizations with no security teams or expertise.

Digital Forensic and Incident Response (DFIR)

Cybereason’s DFIR product provides clients with tools to investigate incidents post-mortem. DFIR utilizes Cybereason’s defense platform to enable companies to remediate threats comprehensively and eliminate embedded threats. The product is intended to streamline investigations and uncover security gaps that attackers use to compromise the company.

Threat Hunting

Cybereason’s Threat Hunting product enables companies to proactively identify unknown attacks. The product is intended to be preventative to minimize damage and business disruption. Cybersecurity analysts utilizing the platform can perform with greater proficiency.

Market

Customer

Cybereason serves organizations of all sizes, from large and well-funded enterprises to SMB security teams interested in its managed services. The majority of its customers in 2023 were large enterprises according to one third-party source. It also caters to government agencies through its subsidiary, Cybereason Government. While the company doesn’t disclose its total customer count, in 2022 it claimed to have had customers in over 50 countries. Some of the company’s notable clients include Oracle, Guess, Capgemini SA, and Dyson.

Source: Cybereason

Market Size

The global endpoint security market was estimated to be $14.9 billion in 2022 and is expected to grow at a CAGR of 9.0% to reach $25.9 billion by 2028. This market growth is largely being driven by the increasing number of endpoints in organizations (e.g., IoT connections grew by 18% in 2022), which itself is driven by an increasing diversity of devices and the growing presence of hybrid work models. Further, growth is driven by the increasing number of cyberattacks on software supply chains. A supply chain in this context refers to anything that touches an application or plays a role in a company's software development life cycle (SDLC).

Competition

The increased endpoint security spending in recent years by both public and private sectors has attracted many players into the endpoint security space. Cybereason competes with multiple next-gen vendors including prominent names like Crowdstrike and SentinelOne, as well as adjacent players like Bitdefender, Carbon Black, and Cylance. Crowdstrike, with its Falcon platform, is considered a leader on Gartner’s Magic Quadrant while SentinelOne offers a nearly similar suite of EPP, EDR, and MDR solutions.

Source: Gartner

Cybereason’s next-gen anti-virus product also competes with legacy anti-virus companies such as McAfee and Symantec. Moreover, network security vendors, such as Palo Alto Networks, have been offering EDR solutions to their large existing customer bases, which represents a challenge for smaller players. Microsoft has also built endpoint products, and in 2021 it committed $20 billion in cybersecurity product investments through 2026.

Cybereason attempts to differentiate itself with its operations-centric approach to responding to malicious attacks. Traditionally, cybersecurity teams would receive alerts and notifications when the security tools detect suspicious activities. They would then have to manually investigate each alert and remediate it. This process is often inefficient and time-consuming, leaving more than 60% of security tickets generated each day unattended.

Cybereason claims that it collects and processes all of the attack data in real-time and visualizes, through a single click, the malicious operation from the root cause to all affected endpoints and users. According to the company, this approach enables security teams to respond to attacks swiftly and with precision. Cybereason also claims to have reduced the investigation time by up to 93% and increased monitoring efficiency to one security analyst per 200K endpoints.

Crowdstrike: Crowdstrike, founded in 2011, is a cybersecurity company that developed the Falcon platform. Like Cybereason, Crowdstrike offers products for cloud security, endpoint security, XDR, threat intelligence, and hunting. Additionally, the company offers similar services to Cybereason in incident response. According to Cybereason, detections on Crowdstrike were delayed 10% of the time, whereas Cybereason was delayed 0% of the time. In 2019, Crowdstrike announced its initial public offering at a $612 million market cap. As of September 2023, the company was trading at a market cap of around $40 billion.

SentinelOne: SentinelOne, founded in 2013, is a cybersecurity company that developed the Singularity platform. The company primarily specializes in XDR, with integrated endpoint security, cloud security, and identity protection products. According to SentinelOne, the company separates itself from competitors like Crowdstrike by not being cloud-dependent, not relying on human detection, automating remediation, and offering an out-of-box solution. Like Cybereason, SentinelOne offers MDR and threat detection services. According to Cybereason, SentinelOne relies on rollbacks for ransomware attacks and detects and prevents such attacks. In 2021, SentinelOne announced its initial public offering at a $1.2 billion market cap. As of September 2023, the company was trading at a market cap of around $5.1 billion.

Trend Micro: Trend Micro, founded in 1988, is a global cybersecurity company based in Tokyo, Japan. Trend Micro’s flagship platform, Vision One, specializes in cloud and endpoint security. Like Cybereason, the company offers products in endpoint security, cloud security, and XDR. Additionally, both companies offer managed incident services. According to IDC, Trend Micro ranked number one in market share for Worldwide Cloud Workload Security at 16%. In 2000, the company announced that it was listed on the first section of the Tokyo Stock Exchange. As of September 2023, Trend Micro was trading at a market cap of around $5.6 billion.

VMware Carbon Black: VMware, founded in 1998, is a cloud services company offering cloud infrastructure, cloud management, security, and other cloud-related products. VMware’s Carbon Black product is an endpoint protection solution. Like Cybereason, Carbon Black offers ransomware detection, managed detection and response, threat hunting, and similar cybersecurity features. However, Cybereason claims that Carbon Black’s ransomware detection product misses common attacks, that its detection is an “empty box” requiring manual inputs to respond, and that its MDR product is immature and unproven. In 2007, VMware announced its initial public offering at a market cap of $957 million. As of September 2023, VMware was trading at around $164 per share, a market cap of around $71 billion.

Microsoft: Microsoft, founded in 1975, is a corporation that sells various software products and services. Microsoft Security offers a suite of cybersecurity options for businesses and consumers. Among these various solutions is Microsoft Defender, the most direct competitor to Cybereason. Defender offers cloud security, endpoint security, XDR, managed incident response, and many other cybersecurity products. According to Cybereason, Microsoft offers subpar ransomware protection and poor MDR services, and is forcing server workloads to Azure, meaning server security is an expensive add-on license. Microsoft had its IPO in March 1986. As of September 2023, Microsoft was trading at a market cap of approximately $2.5 trillion.

Business Model

Cybereason employs a subscription-based business model, and charges organizations per endpoint (i.e., the number of devices protected). The company offers four plans: Cybereason Professional, Cybereason Business, Cybereason Enterprise, and Cybereason Ultimate. The pricing of each bundle is not disclosed publicly. Sources estimate that Cybereason starts at $50 per endpoint per month, scaling down with volume. For comparison, Falcon Enterprise is estimated to start at $15 per endpoint per month.

Source: Cybereason

Traction

Cybereason reportedly generated over $120 million ARR in 2020 and was growing its revenue by 200% per year as of November 2021. The company was named a visionary in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms and named a leader in 2022. In the MDR report conducted by Forrester, the company was named a high performer. In addition, Cybereason has partnerships with other technology companies, including security and identity management platforms such as Zscaler, Palo Alto, Okta, Netskope, and Splunk. The company does not publicly disclose the size of its customer base.

In 2021, Cybereason was recognized as a top 100 emerging privately held US company. The key reasons for inclusion in the list were the launch of the US government subsidiary, raising significant crossover funding, the acquisition of security analytics platform Empow, being listed on the CNBC 2021 Disruptor 50, debut in Gartner Magic Quadrant, recognition in the Forrester XDR Wave report, exposing an Iranian state-sponsored cyber espionage campaign, and exposing a Chinese state-sponsored cyber espionage campaign.

Cybereason confidentially filed for IPO in January 2022, which it has since scrapped. Its Series G valuation of $300 million was in stark contrast to the company’s expected $5 billion initial public offering valuation. The company had over-hired employees at high wages which caused it to cut more than 300 employees in 2022 during the economic downturn. These workforce reductions were in line with adjacent cybersecurity companies including Sophos, Lacework, and Jumio.

Valuation

Cybereason has raised a total of approximately $850 million from investors including Softbank, CRV, Spark Capital, Lockheed Martin Ventures, and Google Cloud Platform. In April 2023, the company announced a $100 million Series G led by Softbank which valued the company at approximately $300 million. The Series G shares were sold at a 90% discount to Cybereason's prior round in mid-2021 when it was valued at approximately $2.7 billion.

Key Opportunities

Global Expansion

With Japan-based Softbank as a funding partner, Cybereason announced in 2016 that it was launching a new company to deliver its product to the Japanese market. Softbank’s most recent investment in Cybereason made it the largest stakeholder in the cybersecurity company. Following the down round, Lior Div was replaced as CEO of Cybereason by Softbank’s Eric Gan. As of 2023, Cybereason had a 35% market share in Japan, and around 50% of its revenue came from outside of the United States. In a statement following his appointment, Gan stated, “I look forward to supporting Cybereason's next stage of global growth and scale.” Further, the appointment of Gan suggests that Cybereason will double down on its Japanese market growth, since Gan previously co-founded Japanese mobile company eAccess and before that served as a telecom analyst for Goldman Sachs Japan.

Extended Detection and Response Growth

The extended detection and response (XDR) market was valued at $754.8 million in 2022 and is expected to grow at a CAGR of 20.7% through 2030. The emergence of XDR is driven by the increased complexities of managing multiple integrated security solutions and the need for unified detection and response solutions for the entire ecosystem. Cybereason released its XDR product in December 2021 in partnership with Google Chronicle, the cybersecurity arm of Google Cloud, and has the opportunity to tap into the strong go-to-market strategy of Google Cloud and position itself as a leader in the nascent, but rapidly developing XDR market.

Marketing MDR services to SMBs

Rather than offering its managed detection and response solution as just an add-on to enterprises, Cybereason could package and sell it to smaller organizations that have no in-house security teams. In 2019, 68% of SMBs experienced data breaches and 43% didn’t have a cybersecurity plan in place in 2020. In 2023, the global MDR market size was valued at $3.3 billion and is expected to grow at a CAGR of 23.3% to $9.5 billion by 2028. Cybereason has the opportunity to go after the SMB market, competing against companies such as Arctic Wolf.

Key Risks

Market Confidence

Having abandoned its attempt at an IPO, laid off over 300 employees, taken a 90% discount on its most recent funding round, and replaced its founding CEO, Cybereason may have lost the confidence of key stakeholders. In October 2022, Cybereason reportedly hired JP Morgan Chase to find a buyer, and as of September 2023, has not yet found one. These factors have led to negative publicity which could impact current customer retention and its ability to close new customers.

Competition

The market for modern endpoint security solutions is crowded with Cybereason competing against well-resourced industry players like Crowdstrike, VMware, and Microsoft. New competitors from the adjacent security spaces such as Network, SIEM, and Zero-trust are also attracted to the endpoint security market and increase the competition for pure-play brands like Cybereason. Going forward, the company could struggle to compete for enterprise deals against the cybersecurity industry leaders.


Summary

Cybereason is a Boston-based cybersecurity company specializing in endpoint protection. The company passed the $100 million ARR mark in 2020 and raised over $850 million as of 2023. Further, the company has established a strong global presence with half of its revenue coming from outside of the United States. Despite solid early growth, Cybereason was susceptible to the economic downturn of 2022, canceling its planned IPO, laying off over 300 employees, and taking a 90% discount on its Series G. As a result, founder and CEO Lior Div was replaced by Softbank’s Eric Gan.

Despite its tumultuous 2022, Cybereason is looking to rebound. With the appointment of Eric Gan, the company has indicated that it will continue to expand internationally, especially in Japan, where it already held around 35% of the market as of 2023. Further, the global market for endpoint protection and XDR services is expected to grow through the decade, and Cybereason could capitalize on this market growth.

Important Disclosures

This material has been distributed solely for informational and educational purposes only and is not a solicitation or an offer to buy any security or to participate in any trading strategy. All material presented is compiled from sources believed to be reliable, but accuracy, adequacy, or completeness cannot be guaranteed, and Contrary LLC (Contrary LLC, together with its affiliates, “Contrary”) makes no representation as to its accuracy, adequacy, or completeness.

The information herein is based on Contrary beliefs, as well as certain assumptions regarding future events based on information available to Contrary on a formal and informal basis as of the date of this publication. The material may include projections or other forward-looking statements regarding future events, targets or expectations. Past performance of a company is no guarantee of future results. There is no guarantee that any opinions, forecasts, projections, risk assumptions, or commentary discussed herein will be realized. Actual experience may not reflect all of these opinions, forecasts, projections, risk assumptions, or commentary.

Contrary shall have no responsibility for: (i) determining that any opinions, forecasts, projections, risk assumptions, or commentary discussed herein is suitable for any particular reader; (ii) monitoring whether any opinions, forecasts, projections, risk assumptions, or commentary discussed herein continues to be suitable for any reader; or (iii) tailoring any opinions, forecasts, projections, risk assumptions, or commentary discussed herein to any particular reader’s objectives, guidelines, or restrictions. Receipt of this material does not, by itself, imply that Contrary has an advisory agreement, oral or otherwise, with any reader.

Contrary is registered with the Securities and Exchange Commission as an investment adviser under the Investment Advisers Act of 1940. The registration of Contrary in no way implies a certain level of skill or expertise or that the SEC has endorsed Contrary. Investment decisions for Contrary clients are made by Contrary. Please note that, although Contrary manages assets on behalf of Contrary clients, Contrary clients may take any position (whether positive or negative) with respect to the company described in this material. The information provided in this material does not represent any investment strategy that Contrary manages on behalf of, or recommends to, its clients.

Different types of investments involve varying degrees of risk, and there can be no assurance that the future performance of any specific investment, investment strategy, company or product made reference to directly or indirectly in this material, will be profitable, equal any corresponding indicated performance level(s), or be suitable for your portfolio. Due to rapidly changing market conditions and the complexity of investment decisions, supplemental information and other sources may be required to make informed investment decisions based on your individual investment objectives and suitability specifications. All expressions of opinions are subject to change without notice. Investors should seek financial advice regarding the appropriateness of investing in any security of the company discussed in this presentation.

Please see www.contrary.com/legal for additional important information.

Authors

Luqman Osman

Fellow


Spencer Stewart

Contributor


© 2024 Contrary Research · All rights reserved
