"Ultimately, the reason why the consolidation is occurring is people have to remain competitive in a very, very crowded market right now," Thomas says. Larger security companies are stuck on creating new offerings, and they look to the startup community to help them fill the gaps. He points to a "lack of innovation" in larger endpoint players, including McAfee and Symantec, and he believes their goal will likely be to grow through acquisition of smaller companies.
The stream of M&A is constant and telling: VMware agreed to buy Carbon Black, HP recently agreed to acquire Bromium, BlackBerry picked up Cylance, and Thoma Bravo snapped up Sophos. "There are probably too many vendors coming at this market in different ways, so a degree of simplification is in order," says Rik Turner, principal analyst at Ovum, of the ongoing activity.
Some of these deals could hold clues for where the future of the market is headed. VMware, for example, could boost the appeal of its infrastructure platform if it promises to integrate security; both Firstbrook and Thomas agree the deal could accelerate growth for the company. Elastic's acquisition of Endgame is another deal bringing security into a non-security business.
But it poses an important question, Firstbrook notes: What if others – Kubernetes, Red Hat, Google – did the same thing? Companies buying operating system technology will find security already built in, and they could choose to enable that directly rather than buy a separate product. He thinks we can expect these types of acquisitions to continue into the future.
This is also why Microsoft is a company to watch, he adds. "They're the biggest threat to all of these vendors because they're built right into the OS and they're proving a good product now," Firstbrook says.
Still, the security landscape is littered with acquisitions of security companies that didn't work, Pescatore says. There is a belief that baking in security can overcome obstacles, but "the big issue is one thing we've proven: it's really, really hard for the infrastructure to protect itself," he says. Microsoft integrated security into Windows, for example, but Windows still has vulnerabilities.
Not every endpoint security startup will be acquired by a security company. Some will move into an adjacent business, like the Internet of Things (IoT) and operation tech (OT) security; others will be bought by OS or hardware vendors. Firstbrook anticipates we'll see some rolled into other technology vendors.
Thomas says he thinks the industry will also see the private equity community get more involved. Thoma Bravo, for example, has developed expertise in buying security firms: Barracuda, Veracode, Imperva, McAfee, and LogRhythm are among its investments. It's not just the big players jumping into the acquisition game – private investment firms have joined as well.
"Essentially, the best private equity guys are taking companies private to relieve them from the pressure of Wall Street, allowing them to grow in private and then potentially go public again at a later date," Turner says.