Active Directory, Microsoft’s directory service for connecting users to network resources, is used by more than 90% of all Fortune 1000 companies and many others. So it’s no surprise that it’s a huge target for malicious hackers.
This also means a lot of caution for security companies that build tools to protect and recover Active Directory (AD) services. On Thursday, Semperis, a Hoboken, New Jersey startup focused on AD protection, said it has raised $125 million from JP Morgan and Hercules Capital and will use it for R&D and business development.
In addition to Active Directory, Semperis also provides detection, response, recovery and related services for Entra ID (formerly Azure Active ID) and Okta users. Its customers include Lenovo, Prime Healthcare, Sanofi, United Airlines, Starbucks, Hertz and many others, covering a total of approximately 100 million user identities.
The funding comes nearly two years since Semperis raised a $200 million Series C.
Unlike that round, this funding is a mix of equity and debt, and TechCrunch confirmed the company’s valuation: It’s now worth more than $1 billion. Or, in the words of Mickey Bresman, founder and CEO of Semperis, “I’ve got a horn.”
Along with the funding, Semperis is also adding three executives who Bresman said will be critical to the company’s next steps as a business, which he said is currently looking like an IPO. I’d say it could also be M&A in the right situation, given the great consolidation we’ve seen in the cybersecurity market in recent years.
Jeff Bray comes in as CFO. Mike DeGaetano joins as Chief Revenue Officer and Annabel Lewis joins as Chief Legal Officer and Corporate Secretary. All three have extensive backgrounds with some of the most successful cyber companies of the last decade.
Semperis has been around since 2013 (it started offering services in 2015), and Bresman says he likes to joke that the company was too early and too late to the market.
It feels like it was early because cybersecurity just wasn’t that big of a deal just 10 years ago, and the conversation wasn’t really about identity management (which is a huge topic today). And he believes it was also too late because AD actually came out in 1999 and is already in use everywhere, setting the stage for the widespread hacking that would eventually catch the companies using it. There have been waves of attacks exploiting vulnerabilities through the architecture of Active Directory.
And despite the incredible drumbeat of cloud services, on-premises services are still huge, and AD is how many of them are used in enterprises. One of the most recent and damaging AD exploits was NotPetya, which is described as one of the “most devastating” attacks in cyber history.
Since then, of course, a number of other AD-focused companies have emerged. They include Palo Alto Networks, Bitsight, BigID, Wiz and more.
One of the problems with many AD attacks is that in a distributed system, breaches can be complex, expensive and difficult to resolve. Semperis’ pitch is that it can reduce that time by 90%. As downtime is typically even more costly to a business than the breach itself, reducing that downtime, if not avoiding it entirely, is becoming a primary focus for cyber buyers.
“As CISOs shift their focus toward securing and building resiliency into their identity infrastructure, we’re seeing tremendous demand for specialized hybrid AD and Entra ID protection,” Bray said in a statement.
“Semperis is a clear leader in the urgently needed area of identity system defense, with machine learning-based attack prevention, detection and response,” added Scott Bluestein, CEO and CIO of Hercules Capital. “Leading organizations around the world depend on Semperis to protect their hybrid Active Directory environment, which is fundamental to their IT infrastructure and highly targeted by attackers.”
As for why the company took debt instead of equity, Bresman simply said the company had multiple options, but chose this one in part because it has the mix of investors at the capitalization table it wants. (He didn’t say as much, but it also means he has to give up less equity on the way to an IPO.)
“Semperis, with new backing from JP Morgan and Hercules Capital, and our existing team of world-class backers KKR, Insight Partners, Ten Eleven Ventures, Paladin, Advocate Health and others, will continue to drive innovation to disrupt cyberattacks,” Bray said. “The growth funding complements an already strong balance sheet, allowing Semperis to accelerate R&D investment and expand our global footprint to meet market demand.”