Revenge Of The SaaS: Mandiant Dumps FEYE

In a cybersecurity divorce that had fewer leading indicators than the dissolution of Kim and Kanye, Mandiant has finally untangled itself from FireEye (FEYE) by selling the product portion of the firm to Symphony Technology Group (STG) for $1.2 billion. FireEye’s history as the most “almost acquired vendor” is finally over as STG takes the reins. The long and winding saga of two companies that never should’ve been put together will come to a close in Q4 of 2021.

A Culture Clash From Day One

The FireEye and Mandiant cultures never truly meshed. FireEye personnel were masters of hardware sales, while Mandiant cultivated a culture of expertise and mastery. Both groups earned their swagger, but the dream team envisioned never materialized. This misalignment was never truly rectified, and the damage was done with the post-acquisition brain drain leading to a Mandiant diaspora of launching startups, running other security companies, and leading security programs as chief information security officers. FireEye personnel exited just as quickly, doing much of the same.

When FEYE bought Mandiant, it was a cybersecurity darling that had just had a successful IPO, with a stock price that shot up 80% above its IPO debut, and instantly became one of the leading innovators in the cybersecurity space. At the time, FEYE was at the leading edge of a security renaissance, a “new vendor” with a new approach that emerged as an alternative to the antivirus-heavy security vendors of the prior decade. But all too soon, the spotlight FireEye relished turned far too intense. Financial losses, missed opportunities, and products that were good but never displaced incumbents weighed the vendor down. Mandiant gained its own fame with the release of the APT1 report and became one of a handful of go-to incident response firms, having responded to several intrusions by state-nexus actors.

FireEye Never Became The Vendor It Was Supposed To Be

FEYE’s portfolio included security hardware that sat across almost the entire technology stack, but those devices never truly displaced other controls. Firewalls still exist, and sandbox functionality became a feature of them. FEYE’s other offerings such as TAP and Helix never took over the security analytics or security orchestration, automation, and response (SOAR) space either. The company constantly searched for the dominance Mandiant enjoyed over the incident response market but ultimately never found it. While the products failed to obtain a dominant position in the market, Mandiant slowly began to reinvent itself through legacy services and software as a service (SaaS).

FireEye’s history of seeing where the markets are going well before others is perhaps the thing it should be remembered most for. In addition to snapping up Mandiant, FireEye also acquired one of the earlier cyberthreat intelligence firms — iSIGHT Partners — which joined forces with Mandiant’s team. It acquired an early SOAR player in Invotas (now Helix) and acquired Respond Software. But seeing what’s coming and acting early isn’t sufficient, and in all these cases, FireEye products never became must-haves. While, during the same time frame, the Mandiant side of the business mostly excelled, placing in several Forrester Wave™ evaluations as a Leader, FireEye security products did not fare as well in our evaluations. The relationship between the two sides of the business was never equal, and eventually, Mandiant recognized that legacy FireEye solutions were holding it back.

Mandiant Found Itself Making FireEye Products “Work” For Clients

In multiple earnings calls throughout 2020, Kevin Mandia mentioned that the company was committed to moving off a FEYE-only ecosystem of products within its services practice. The sale to STG certainly proved that to be true, so no half measures there. Mandiant was able to find momentum through SaaS offerings such as Mandiant Security Validation, Mandiant Advantage Threat Intelligence, Mandiant Managed Detection and Response, and its legacy incident response business. The security market now values the ability to integrate far higher than the ability to bundle, although combining both works, too.

Services Shedding Products Is Not The Norm

Often in M&A transactions like this, the product vendor buys the services vendor. Higher margins, more cash flow, and higher multiples puts software and SaaS companies in a better position to buy services companies than vice versa. But we’ve seen — and written about — the increasing number of companies launching with services wrapped around their own IP in managed detection and response (MDR), cybersecurity consulting, and managed security service markets. Managed SaaS or bundled solutions that include “managed platforms” are the rage and will continue to be. The economics of SaaS are compelling for vendors — and buyers — but SaaS is just a product hosted somewhere else by someone else. Security teams still use the solution. By layering a managed security service capability on top of SaaS and selling bundles, vendors and end users get the best of both worlds.

Much like FireEye’s moves into SOAR, or its more recent early move in the breach and attack space through the acquisition of Verodin (now known as Mandiant Security Validation), the company continues to make the right moves well before competitors. Just because those moves did not always pan out doesn’t mean they were bad choices, and they acted as catalysts for competitors to do the same.

STG Knows Something We Don’t — Or Thinks It Does

Whatever the reasons STG acquired McAfee, RSA, and now FireEye, each of those vendors represents a once proud security brand that found itself failing to move to the cloud and pivoting far too late to SaaS, then watching its market share disappear to competitors. The capital advantages of these acquisitions must be enormous, or the private equity firm has confidence that it can put these broken companies back together. Perhaps STG plans to create some sort of cybersecurity super group reminiscent of the Damn Yankees.

STG has either added to its collection of billion-dollar boat anchors or has set the stage for an amazing comeback story. It certainly doesn’t lack ambition. The likely outcome is a pared-down product portfolio vendor, an exciting new rebranding announcement in 18–24 months, and the IPO of an innovative security company that we all shouldn’t remember as the barely stitched-together components of McAfee, RSA, and FireEye.

Mandiant Will Benefit From Divesting Of Its Acquirer

For end user security leaders who want to see how this plays out, Mandiant seems to be in position to continue its forward momentum by streamlining itself. Mandiant struggled to sell its “controls agnostic” services while attached to the FireEye brand. That is now a solved problem. The split will also allow Mandiant to capitalize on its intelligence-driven services and grow the Managed Defense business, satisfying one of its clients’ most frequent requests in our recent Wave evaluation on the MDR space. By opening up more to monitoring and managing any vendor’s security controls, the cyberthreat intelligence teams will benefit from increased visibility into the global threat landscape. As Kevin Mandia said, this removes all bias from Mandiant.

FEYE benefits from the bank account of STG and its removal from the investor spotlight as it retools. The risk is that it gets merged and saddled with some Frankenstein creation that includes McAfee and RSA, which is unlikely to solve more problems than it creates. FireEye does shine when compared to STG’s other two big-brand cybersecurity “has-beens.” Being the best player on a bad team, however, still means that you lose most of your games. So far, PE acquisitions of cybersecurity companies has resulted in plenty of activity for investors but little, if any, innovation for end users.

In five years, we expect to see Mandiant as a highly recognizable security brand, while FireEye will likely get buried in a renamed IPO full of “synergies” … for investors.