The reason anti-trust action has chilled M&A is because there were only four strategic buyers. Due to decades of failed anti-trust.
The other reason isn't so much weakness as much as pandemic-era valuation madness. Reasonably priced, a lot of start-ups would sell for less than their last valuation. That would seriously cut into the founders' pay-outs, which are usually based on common stock.
I can only really speak to Cybersecurity and other adjacent parts of Enterprise SaaS, and M&A activity is fairly strong in both.
The big issue is a number of startups in that space raised at very favorable terms with Growth Funds in 2019-23, which made them extremely expensive to acquire versus to either build in-house or conduct a tuck-in acquisition.
What's I've noticed is that if it costs greater than $100-150M to acquire, it's difficult to make a case for acqusition versus build in-house unless you are extremely behind and need an internal culture change (eg. Cisco and Robust Intelligence being similar in magnitude to Cisco's previous foray into SDN w/ Meraki)
Series C and below remains fairly robust ime, as we can see with Dig Security, Talon Security, Robust Intelligence, NeoSec, etc.
There have been a decent number of tuck-in acquisitions in 2024. Flow Security (CRWD) and Eureka Security (TNBL) were fairly notable.
The main open question right now is about AI Security and Safety - specifically, whether to build or buy.
Most other segments (DSPM, OT Security, Vulnerability Management, CNAPP, etc) have largely been acquired and consolidated.
The thing is, there aren't that many startups in the space left that garner mutual interest in acquisition.
It's basically bimodal now, whereby
- a number of Series B/C startups have enough cash in hand to potentially do a tuck-in for a Seed or Series A AI Safety/Security startup and as such don't want to get acquired by a larger company because they have a strategic path forward to differentiating themselves from larger players [Acquirers interested, Startups uninterested]
- a number of Series E/F companies that have raised capital at multi-billion valuations but do not have a path forward to generate revenue at those valuations (eg. Lacework valued at $9B but ARR shy of $100M) [Startups interested, Acquirers uninterested]
Most notably, the earlier stage startups are now founded by startup founders who already have a $1M-50M net worth now due to successful cybersecurity exits in the 2019-23 period (IPO or acquisition). You can see this first hand in the Israeli and Bay Area cybersecurity startup scene.
Databricks' acqusition of Tabular was absolutely strategic.
Both Databricks and Snowflake are in the process of integrating Iceberg capabilities into their own lakehouses, because the industry is consolidating towards Iceberg, especially after Clickhouse and Dremio integrated Iceberg support in 2022.
This is why Snowflake preemptively announced the Polaris Catalog right before the acqusition by Databricks was announced.
Databricks, Snowflake, Dremio, and Clickhouse are all competing for the same piece of the pie, and much like Cybersecurity in the late 2010s to early 2020s, there is a drive to "everything" platforms, and RFPs can absolutely get sank due to lack of capabilties in comparison to a vendor.
