Quick, how many publicly traded cybersecurity companies are there? Take a guess. I’ll wait.
…
Struggling to come up with an answer? If you took a shot, how confident are you that you're right?
If you're feeling a little bit rattled right now, don't worry. The answer is wayyyyyy trickier than it seems. I struggled to answer this question myself, and I've been covering publicly traded cybersecurity companies for a while. I literally found 20 more companies while writing this paragraph.
I was planning to write a different article about public cybersecuity companies until I realized how difficult it is to come up with a list of companies in the first place. Why is it so damn hard?!
It's partly because different answers get reported all the time. Richard Stiennon's public cybersecurity stocks spreadsheet has 13 companies. Momentum Cyber tracked 38 companies as of its 2022 Cybersecurity Almanac report. Cybersecurity Ventures tracks 60+ companies. And all of them are right!
Back to the original question — how many publicly traded cybersecurity companies are there? The short answer: 71. I know… finally, number we can rely on! Not really…
…How do you classify pure cybersecurity companies versus hybrid ones? Do you have a minimum threshold for small-cap companies? What about companies on global stock exchanges? And weren't there just a bunch of cybersecurity companies that were taken private?
Are you starting to see what I mean about this being tricker than it seems?
The real answer to this question is: it depends. I know — how unsatisfying. Everyone wants a number we can all agree on. I regret to inform you this isn't going to happen. But trust me, the nuances are why this is a super interesting question.
Let me start by telling you a quick story about a deranged billionaire and one of the wildest estate sales of all time.
"I'm not a paranoid deranged millionaire. Goddamit, I'm a billionaire," the eccentric Howard Hughes once quipped about himself.
We've all heard stories about Hughes' quirks, antics, trials, and tribulations as a businessperson and celebrity. You probably haven't heard how bad of an accountant he was.
What casinos, hotels, TV stations, ice cream, and airplanes have in common is that Howard Hughes owned one or more of all of them. The stories about why he owned this large and eclectic set of assets are even more wild.
He bought several casinos in Las Vegas, including one because the rotating slipper on its sign annoyed him. He bought a hotel because management tried to kick him out after staying past his reservation. He bought a TV station so his late-night movie watching wouldn't get interrupted by commercials. He stockpiled Baskin-Robbins banana nut ice cream because he was obsessed with it. He owned a massive plane (the "Spruce Goose") that he flew one time at only 70 feet of altitude.
We haven't even talked about the companies, real estate, mining claims, art, and bank accounts Hughes also owned. He had a %&@^load of stuff, and nobody knew where all of it was. He probably didn't either.
Howard Hughes died without a will in 1976. Nobody could figure out what he owned or how to liquidate it. It took almost 15 years and millions of dollars for teams of lawyers, judges, advisors, and heirs to sort out his vast and disorganized estate.
The story of Howard Hughes and his sprawling estate is a metaphor for our industry. I would lovingly call cybersecurity a vast and disorganized estate, too.¹
We're like an industry version of Howard Hughes right now. We don't really know how many public companies we have, let alone the 3,000+ private ones.²
Cybersecurity isn't some cottage industry anymore. Our public companies have a combined valuation of over $350 billion.³ We're not paranoid, deranged millionaires. We're billionaires…oh, wait a minute.
Let's get our own estate in order with some solid numbers about cybersecurity's public companies.
Remember when I said there are currently 71 public cybersecurity companies at the beginning of this article? You're about to see why I'm not 100% confident about this answer.
The big question is: how do you define the cybersecurity industry? This exact question is why the reported number of public cybersecurity companies varies widely between different sources.
It all depends on how you cut the data. Here are the most logical ways to slice it.
A never-ending industry debate is the classification of "pure" versus "hybrid" cybersecurity companies. The uncertainty is whether companies whose products and revenue are a mix of cybersecurity and other tech should be considered cybersecurity companies.⁴
I'm firmly anchored in the "yes, they are cybersecurity companies" camp. I understand how including hybrid companies can skew the numbers on the cybersecurity industry, though. Including larger companies like Cloudflare makes metrics like the overall count of companies and valuations go way up.⁵
I'm happy to make the case for why that's a good thing all day long, but the diplomatic answer is to show you the data both ways:
See what I mean about hybrid cybersecurity companies making the overall count go way up? There are 31 of them, or 43.7% of the total company count:
Even if you exclude hybrid companies, having 40 pure cybersecurity companies traded globally is still super respectable. Here's the full list of companies:
Would you have guessed the number was this high? I sure wouldn't have. And remember, the totals are down from all-time highs after 21 delistings from M&A and take-private activity since 2020.
Right or wrong, the business side of the cybersecurity industry has a very U.S.-centric slant to it. For our purposes, this means public company counts get skewed towards major U.S. stock exchanges like Nasdaq and the New York Stock Exchange (NYSE).⁶
Here's the breakdown of companies by U.S. and non-U.S. stock exchange listings, which also includes our previous filter of pure and hybrid company types:
The count of companies is skewed towards the U.S., but much less than you might think. There are 24 companies listed on non-U.S. stock exchanges, and 17 of them are of the "pure" variety.⁷
Discovering and tracking global cybersecurity companies is sort of like excavating for dinosaur fossils — they're really hard to find. I'm certain this part of the list is still incomplete.⁸
Two other widely debated criteria for classifying public companies are the path a company took towards listing and their valuation (or stock price).
How a company listed is contentious to the point of throwing punches, especially in the investment banking community. An era of SPACs (and their cousin, the reverse merger) in the early 2020s high-nosed the traditional IPO process and brought some questionable companies into public markets. Capital markets people don't like that, so companies on this path often get ignored.
SPACs and reverse mergers have been popular in tech but rare in cybersecurity — 79.4% of our current public companies have gone public through traditional IPOs or direct listings. We've only seen six non-traditional listings so far:
Chamath Palihapitiya hasn't played a hand in any cybersecurity SPACs yet, but the results have been similar. IronNet filed for bankruptcy in 2023 (and delisted shortly after). HUB Security's stock has lost 95% of its value. You can see why people get fired up about this topic.
Small-cap stocks are like the cousins of SPACs and reverse mergers. Professional investors generally consider companies with a stock price of $5 or lower (and/or sub-$100 million valuations) speculative. So, they're also excluded from a lot of industry counts.
In cybersecurity, there are currently 12 companies globally which are valued under $100 million:
The number is likely a bit higher because market data isn't readily available for some global exchanges.
We've done it! Our burgeoning, multi-billion-dollar cybersecurity estate is much more buttoned-up and put together now. We might not have the slicked-back hair and pressed suits of Wall Street stalwarts, but we're definitely not an enigmatic recluse like Howard Hughes anymore.
This is no time to get complacent, though. Keeping up with our public companies is an ongoing quest. Companies come and go from public markets all the time.
And remember, cybersecurity is still an up-and-coming industry! Like I said last week, it's not hard to imagine 20 or 30 more public cybersecurity companies a decade from now. This list is going to get bigger quickly whenever the tech IPO pipeline opens up again.
The next time you're asked how many public cybersecurity companies there are, you can calmly answer (with a bit of a smile): "it depends…" before confidently putting on a clinic on the nuances of the biggest companies in our industry.
¹Several smart people put lots of time and money into tracking industry data. It's not widely available or understood yet, though.
²In fairness, this problem isn't limited to cybersecurity. I'm more encouraged about our situation. Our industry is big enough to lose track of, but small enough to figure out.
³Based on data from Google Finance as of January 18, 2024.
⁴Classifying companies as pure or hybrid is also a judgment call without companies consistently disclosing business unit level revenue breakdowns.
⁵This definition (and data) is still excluding large, diversified technology companies like Microsoft, Cisco, Accenture, and others. These companies all have multi-billion-dollar cybersecurity business units. It's a stretch to include them in the count of companies and other metrics like valuation.
⁶Being listed on a U.S. stock exchange doesn't mean the company is also headquartered in the United States. This data analysis counts companies by stock exchange, not the location of their headquarters.
⁷It's starting to feel like we are breeding dogs or horses here — something where the purity of genetics matters.
⁸I'm still taking suggestions if you know of global public cybersecurity companies you didn't see listed in this article.
*** This is a Security Bloggers Network syndicated blog from Strategy of Security authored by Cole Grolmus. Read the original post at: https://strategyofsecurity.com/demystifying-cybersecuritys-public-companies/