knowledge centre

VMware’s cyber-security offering will be strengthened by the purchase of Carbon Black

Igor Babić Analyst

"The acquisition of Carbon Black will provide VMware with a strong cyber-security foundation to build on."

Listen to or download the associated podcast

VMware announced the acquisition of Carbon Black for USD2.1 billion on 22 August 2019. Carbon Black is a vendor of cloud-native endpoint security solutions, and most of its customers are large enterprises (including around a third of the Fortune 100). Its main competitors include Crowdstrike, Cybereason, Cylance and Tanium, as well as larger vendors such as McAfee, Palo Alto Networks and Symantec.

This deal is part of VMware’s broader strategy to provide software to build, run, manage, connect and protect any application across any cloud and on any device. It follows acquisitions of four security start-ups: Intrinsic (which provides software for securing serverless workloads) and Veriflow (which focuses on network monitoring and verification) earlier in 2019, and E8 Security (a user and entity behaviour analytics specialist) and CloudCoreo (which focuses on cloud platform configuration) in 2018.

The acquisition of Carbon Black is the second-largest ever made by VMware in terms of cost (the company has executed 17 acquisitions since the beginning of 2017). VMware hopes that its wide distribution network and business reach (as well as those of Dell, its majority shareholder, and Secureworks, another subsidiary of Dell) will accelerate the adoption of Carbon Black’s products. It also plans to embed Carbon Black’s technology into its current products more deeply (a number of Carbon Black’s products already integrate with VMware’s).

Carbon Black will provide VMware with a strong cyber-security foundation

VMware has cyber-security capabilities, but it has never established itself as a security vendor. The company only launched its first pure-play security product, AppDefense, in August 2017 and it has developed a deep relationship with Carbon Black since then. It initially partnered with Carbon Black to give AppDefense customers access to Carbon Black’s Predictive Security Cloud platform, and VMware later made Carbon Black’s technology available with a number of its products. The two firms also jointly developed a cloud and data centre security solution, CB Defense for VMware.

Acquisitions have been central to VMware’s efforts to expand its portfolio of software for application development (for example, Bitnami, Heptio and Pivotal), management (for example, CloudHealth) and security across all major cloud platforms. VMware has increased the pace at which it is acquiring companies since 2017 (Figure 1). Carbon Black is by far the company’s largest security acquisition, and the only one of a publicly traded security vendor. In July 2019, VMware’s CEO stated that acquisitions will continue to be a major strategic driver of revenue growth for the company.

Figure 1: VMware’s acquisitions, beginning of 2017 to August 2019 (* denotes security vendors)

Source: Analysys Mason, 2019


VMware’s acquisition of Carbon Black is a logical continuation of the close relationship that the companies have had since 2017. VMware’s strategy recognises that a strong cyber-security presence is required in order to be a technology leader in the multi-cloud, hybrid cloud environment, and as such, the company decided to acquire a well-established security specialist to address its shortcomings in this area. Choosing one that it has partnered with extensively in the past de-risks the acquisition, and is likely to make the integration less complex.

VMware expects to turn Carbon Black into a profitable business within the first year following the acquisition. Various synergy benefits on both the product (such as bolstering VMware’s current solutions with Carbon Black’s technology) and sales (such as selling Carbon Black’s products using VMware’s and Dell’s extensive partner ecosystem) side should help to achieve this aim. VMware is also in the process of forming a new security business unit which the CEO of Carbon Black is expected to head and in which Carbon Black will be a central element. VMware also plans to redirect some of its existing assets to this unit.

Carbon Black’s revenue has been growing steadily, but profitability has been problematic

Carbon Black’s revenue grew by 30.4% year-on-year in 2018; this was one of the higher revenue growth rates recorded by security vendors in 2018. However, this growth was achieved from a relatively small base and the rate was not significantly different to that for other similarly sized vendors (such as CyberArk, Qualys and Rapid7). Losses remained high, despite the strong revenue growth (net losses were consistently equivalent to more than 30% of revenue; see Figure 2). This depressed the share price, which fell as low as USD12 (around half the April 2018 IPO price) in December 2018, before recovering from June 2019 onwards (partly due to rumours of a sale).

Figure 2: Carbon Black’s quarterly revenue and net losses as a percentage of revenue, 2017–2Q 2019

Source: Analysys Mason, 2019


The deal is likely to benefit both sides, but its success might depend on how autonomous Carbon Black remains

The acquisition of Carbon Black will allow VMware to better position itself as a provider of security services, and will strengthen its current offerings. It will also give Carbon Black access to more funds and an increased number of channels to market.

This acquisition is likely to be welcomed by VMware’s current customers, who will be able to purchase more of the services that they use from a single vendor. On the VMware earnings call during which the acquisition was announced, the company’s CEO said that “the current cyber-security industry is simply broken,” and talked about how the model of buying different solutions separately is not working for businesses. VMware aims to allow businesses to reduce their security costs, while ultimately using security as a tactic to support its core business. This will make VMware very different from standalone security vendors, and could prompt the company’s competitors to further their security-related efforts, potentially through acquisitions.

The deal might not be as well-received by Carbon Black’s customers that are not using or do not plan to use VMware. However, this might not be of much of a concern for VMware given that it purchased Carbon Black primarily for its technology, rather than its customer base. What remains uncertain is whether Carbon Black’s team will be able to continue to innovate as it did prior to the acquisition, or whether it will be limited in doing so by VMware’s plans to embed Carbon Black’s existing technology into VMware’s core products.