VMware's acquisition of Carbon Black - podcast
In this podcast, we hear from Igor Babić, the lead analyst of our Cyber Security research programme. Igor discusses VMware's recently announced acquisition of Carbon Black and how this fits with VMware's broader strategy.
Listen to or download the podcast
On 22 August 2019, VMware announced the acquisition of Carbon Black for USD2.1 billion.
Carbon Black is a vendor of cloud-native endpoint security solutions, and most of its customers are large enterprises (including around a third of the Fortune 100). Its main competitors include Crowdstrike, Cybereason, Cylance and Tanium, as well as larger vendors such as McAfee, Palo Alto Networks and Symantec.
This deal is part of VMware’s broader strategy to provide software to build, run, manage, connect and protect any application across any cloud and on any device. It follows acquisitions of four security start-ups: Intrinsic (which provides software for securing serverless workloads) and Veriflow (which focuses on network monitoring and verification) earlier in 2019, and E8 Security (a user and entity behaviour analytics specialist) and CloudCoreo (which focuses on cloud platform configuration) in 2018.
The acquisition of Carbon Black is the second-largest ever made by VMware (and VMware has executed 17 acquisitions since the beginning of 2017).
The company hopes that its wide distribution network and business reach (as well as those of Dell, VMware’s majority shareholder, and Secureworks, which is another subsidiary of Dell) will accelerate the adoption of Carbon Black’s products. It also plans to embed Carbon Black’s technology into its current products more deeply (a number of Carbon Black’s products already integrate with VMware’s).
VMware has cyber-security capabilities, but it has never established itself as a security vendor. The company launched its first pure-play security product, AppDefense, in August 2017 and it has developed a deep relationship with Carbon Black since then. It initially partnered with Carbon Black to give AppDefense customers access to Carbon Black’s Predictive Security Cloud platform, and VMware later made Carbon Black’s technology available with a number of its products. The two firms also jointly developed a cloud and data centre security solution, CB Defense for VMware.
Acquisitions have been central to VMware’s efforts to expand its portfolio of software for application development (for example, Bitnami, Heptio and Pivotal), management (for example, CloudHealth) and security across all major cloud platforms.
VMware has increased the pace at which it is acquiring companies since 2017 (it acquired three companies in 2017, five in 2018 and nine so far in 2019). Carbon Black is by far the company’s largest security acquisition, and the only one of a publicly traded security vendor. In an interview in July 2019, VMware’s CEO stated that acquisitions will continue to be a major driver of revenue growth for the company.
VMware’s acquisition of Carbon Black represents a logical continuation of the close relationship that the companies have had since 2017. VMware’s strategy recognises that a strong cyber-security presence is required in order to be a technology leader in the multi-cloud, hybrid cloud environment, and the company decided to acquire a well-established security specialist to address its shortcomings in this area. Choosing one that it has partnered with extensively in the past de-risks the acquisition, and is likely to make integration less complex.
VMware expects to turn Carbon Black into a profitable business within the first year following the acquisition.
Various synergy benefits on both the product side (such as bolstering VMware’s current solutions with Carbon Black’s technology) and the sales side (such as selling Carbon Black’s products using VMware’s and Dell’s extensive partner ecosystem) should help to achieve this aim.
VMware is also in the process of forming a new security business unit which the CEO of Carbon Black is expected to head and in which Carbon Black will be a central element. VMware also plans to redirect some of its existing assets to this unit.
Looking at Carbon Black’s financials, we can see that its revenue has been growing steadily, but that its profitability has been problematic. The company’s revenue grew by 30.4% year-on-year in 2018; this was one of the higher revenue growth rates recorded by security vendors in 2018. However, this growth was achieved from a relatively small base and the rate was not significantly different to that for other similarly sized vendors (such as CyberArk, Qualys and Rapid7).
Despite the strong revenue growth, Carbon Black’s losses remained high (quarterly net losses were consistently equivalent to more than 30% of quarterly revenue). This depressed the share price, which fell as low as USD12 in December 2018 (this is around half the April 2018 IPO price). The share price recovered from June 2019 onwards, partly due to rumours of a sale.
All things considered, this deal is likely to benefit both VMware and Carbon Black, but its success might depend on how autonomous Carbon Black remains.
The acquisition will allow VMware to better position itself as a provider of security services, and will strengthen its current offerings. It will also give Carbon Black access to more funds and an increased number of channels to market.
The acquisition is likely to be welcomed by VMware’s current customers, who will be able to purchase more of the services that they use from a single vendor. On the VMware earnings call during which the acquisition was announced, the company’s CEO said that “the current cyber-security industry is simply broken,” and talked about how the model of buying different solutions separately is not working for businesses.
VMware aims to allow businesses to reduce their security costs, while ultimately using security as a tactic to support its core business. This will make VMware very different from standalone security vendors, and could prompt the company’s competitors to further their security-related efforts, potentially through acquisitions.
The deal might not be as well-received by Carbon Black’s customers that are not using or do not plan to use VMware. However, this might not be much of a concern for VMware given that it purchased Carbon Black primarily for its technology, rather than its customer base.
What remains uncertain is whether Carbon Black’s team will be able to continue to innovate as it did prior to the acquisition, or whether it will be limited in doing so by VMware’s plans to embed Carbon Black’s existing technology into VMware’s core products.