In the past 12 months, the endpoint security market has seen a flurry of activity impacting four of the top 10 market leaders: 

  • BlackBerry announced its intent to acquire Cylance (November, 2018) 

  • CrowdStrike launched its IPO (June, 2019) 

  • Broadcom announced its intent to acquire Symantec Enterprise division (August, 2019) 

  • VMware announced its intent to acquire Carbon Black (August, 2019) 

Meanwhile, endpoint startup SentinelOne has just completed its series round D of funding which raised US$120 million. Furthermore, recent reports speculate McAfee has hired underwriters to pursue an IPO, bringing the current market leader back into the public domain following its acquisition and subsequent divestiture from Intel. Its owners are likely to be keen to capitalize on recent interest in the sector.

At surface-level, it is difficult to see why the endpoint security market is appealing to investors and acquisitive technology companies. Cybersecurity is one of the most attractive parts of the broader technology industry, yet few would characterize endpoint security as the vanguard of this sector. The market has long been led by two vendors, McAfee and Symantec, and despite competitors being quick to label their technologies obsolete, they have yet to be displaced from the summit. The sector also faces notable challenges:

  • The PC market is largely flat: PC protection has long been key to the revenue models for these companies and with an underlying stagnant sector the fight for market share becomes much more intense. The opportunity to deploy endpoint security on smart phones never manifested the same degree of revenue opportunity, but even this sector is seeing total unit growth start to level out.
  • Microsoft now offers a compelling endpoint solution: Windows Defender, as part of Windows 10 OS, represents a major threat to PC-centric endpoint security vendors. When Windows Defender is active, third-party anti-malware engines cannot be enabled, limiting their functionality to other features and raising the overall validity of having them deployed at all.
  • The endpoint security market remains incredibly fragmented: In 2018, McAfee led with just 16.5% market share, when assessing end-user spend. The barriers to entry are low, enabling a constant influx of new vendors with ideas of how to tackle cyberthreats. It is also a sector that is not dominated by US-based companies, unlike many other corners of technology. Leading vendors include Trend Micro (Japan headquartered), Kaspersky (Russia), Sophos (UK), ESET (Slovakia), F-Secure (Finland), Bitdefender (Romania) and Panda Security (Spain). The ability for new entrants to emerge from anywhere makes it difficult for any one vendor to establish global dominance in this space.

Virtualization and cloud expand the opportunities for endpoint security 

Yet there is optimism for endpoint security as highlighted by CrowdStrike’s successful IPO and the recent acquisitions in this sector. Despite all the innovations happening elsewhere in the cybersecurity arena, endpoint remains one of the most vulnerable parts of an organizations’ IT environment, and the value of endpoint security software is generally understood and accepted by businesses.

The definition of ‘endpoint’ is also rapidly expanding with the increasing use of virtual compute nodes in cloud environments. Each of these virtual endpoints requires protection and is the core reason VMware is acquiring Carbon Black. This market opportunity will expand as more businesses turn to public cloud platforms such as AWS and Microsoft Azure (both of which offer marketplaces for cybersecurity solutions to deploy on virtual endpoints). The adoption of container-based technologies and IoT creates another vector for endpoint security vendors to build solutions around.

This fact has not been lost on network security vendors. The two market leaders, Cisco and Palo Alto Networks, have significantly increased their focus on the endpoint space with their respective solutions: AMP and Traps. Palo Alto Networks also recently acquired Zingbox to cover IoT. Despite their established positions in cybersecurity via the firewall business, neither has been able to establish a strong footing in the endpoint security environment. It is a long-running enigma of the cybersecurity market that no vendor has been able to equivocally position themselves as a leader in both network and endpoint security.

What’s next for the endpoint security market vendors? 

Securing virtual endpoints will be the higher-value battleground and this is where VMware has made a significant stake. Cisco needs to respond to VMware’s acquisition of Carbon Black. VMware has spent the last decade building a portfolio of software solutions in the fields of networking, WAN and now security. With this expansive category of software-defined infrastructure solutions, VMware is Cisco’s largest threat.

Cisco may evaluate options to augment its security portfolio, which is still hardware dominant (its battle with Palo Alto Networks in the firewall market is too margin-rich a business to slack on). It is one of the few security vendors that has the financial might to take on a ‘major’ acquisition. But in the endpoint market there are few attractive options left. Crowdstrike is too expensive following its successful IPO and a sensitive political climate means Cisco is unlikely to pursue a foreign cybersecurity firm, ruling out Bitdefender, ESET and certainly Kaspersky. Vendors like McAfee and Malwarebytes have large consumer businesses that do not fit with Cisco’s core competency. That leaves SentinelOne which looks appealing at a glance. It is still an early-stage company with an interesting software platform which fits the profile of typical Cisco targets. SentinelOne has also forged some compelling partnerships in the industry from a technology integration standpoint and in its go-to-market (Pax8, a cloud-focused distributor with a big focus on security, is a recently signed partnership). Cisco could benefit from having a software security play that is run as a separate unit, similar to how it has managed its successful Meraki business.

Trend Micro needs to ask itself some tough questions. It has been very successful in forging an ecosystem play and was the first endpoint security vendor to build solutions specifically for VMware hypervisor environments. VMware’s acquisition of Carbon Black though is a stark reminder that partners can quickly turn to competitors. Trend Micro has built a strong relationship with AWS, but it would be wise to accelerate relationships with Microsoft and Google to reduce its reliance on any one ecosystem to drive growth. All three platforms are creating opportunities for growth, though AWS has done a superior job of integrating with the software ecosystem.

Symantec’s competitors will be on watch to see if it becomes vulnerable or stronger, and while there is little history to assess, the circumstances point to the former. The reason is Broadcom has also just completed its acquisition of CA Technologies and will now undergo a process of integrating CA and Symantec. Its stated plan is to target the Global 2000 accounts which creates significant opportunities for the rest of the industry to tackle Symantec’s installed base in everything below that threshold. Meanwhile, Broadcom has the undesirable task of managing three sets of infrastructures, cultures, brands, product lines and business models. It has also indicated it plans to cut costs, both across non-core product lines and generally across sales and marketing. So the advice for the rest of the industry is simple: go after Symantec’s partners and customers.

Receiving updates

Receive our latest PRs on emerging, enterprise and mobile tech delivered straight to your inbox.