The Darktrace Acquisition: What is Darktrace and How Big is Thoma Bravo’s Upside?
Thoma Bravo acquired the fast-growing cybersecurity player Darktrace on October 1st, 2024, for a sum of $5.3 billion. Darktrace was publicly traded on the London Stock Exchange and IPO’d in April 2021 at a valuation of $2.4 billion. In just over three years since its IPO, Darktrace has doubled its revenue and achieved profitability on a non-adjusted EBITDA basis in FY2022. It’s been an up-and-to-the-right story for the company, so what is Darktrace and why would Thoma Bravo want to buy it?
![](https://framerusercontent.com/images/6kqTi0Sq0H80tjbQGOpZW8Q5pI.png)
While Darktrace offers individual products like email and endpoint protection, it's more accurately described as a platform company. Ultimately, the vision is to onboard the customer onto any Darktrace product and then cross-sell them onto others. To understand why this model is so lucrative for Darktrace, one must understand the core synergies that lie in the Darktrace platform. The key differentiator between Darktrace and other cybersecurity products is its ability to detect novel threats that the world has never seen before.
The core technological concept that is underneath this capability is unsupervised machine learning. Let’s take the simple example of e-mail protection. Let’s say you’re a top executive at a big tech company in San Francisco, California, and you usually check your email for the first time at around 8:15AM every day. Somehow, a hacker from Lithuania obtained the password to your email and is attempting to gain access in order to look at this quarter’s upcoming earnings presentation beforehand. At 3AM Pacific Time, the Lithuanian hacker types your email address into the login page, and then types in the correct password; he hits enter in hopes of gaining access to that wonderful earnings deck. “Access Denied” is the next thing he sees, your email is immediately quarantined from additional logons, and you’ll have to work it out with IT when you wake up. Your big tech company smartly uses Darktrace, which was the software that denied the hacker access and quarantined your email temporarily. If the log-in credentials were all correct, how did Darktrace know to invalidate the log-in attempt?
Darktrace has built an individual “pattern-of-life” for you and knows that you live in San Francisco and always check your inbox for the first time of the day at around 8:15 AM. That is why, when a log-in attempt came in at 3 AM from Lithuania, the software knew it was likely a hacker and not you. Darktrace sees the threat without needing any prior record of it. This differs from the traditional cybersecurity approach of using an IDS (Intrusion Detection System).
An IDS works by matching known malicious signatures against real-time information. In the same example, if there had been a previous, manually identified incident with the same Lithuanian hacker, the hacker’s IP address would have been entered into an IDS for future reference. The second time around, when the same hacker tries a malicious act on your company, the cybersecurity software will see activity from his IP address in real time, check whether it matches a known signature in the IDS, and then deny him access. In reality, security threats and signatures are far more sophisticated and covert than this example suggests. Darktrace identifies threats based on events that are atypical with respect to your usual habits, whereas an IDS-based system identifies threats based on a known signature. The theoretical advantage of Darktrace over an IDS is that Darktrace can identify the threat the first time around. If a genius hacker discovers a new vulnerability in your system, an IDS wouldn’t be able to catch it until the threat is manually identified, whereas Darktrace would be able to automatically recognize anomalous behavior and catch the threat the first time around.
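The contrast described above between a signature lookup and a per-user “pattern-of-life” baseline, as an added example that is not from the original article and is not Darktrace's algorithm. The login records, IP addresses (documentation ranges), scoring formula and threshold are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data (not real logs): (user, country, local hour of first login).
HISTORY = [("exec", "US", h) for h in
           (8.25, 8.0, 8.5, 8.3, 8.1, 8.4, 8.2, 7.9, 8.6, 8.25)]
KNOWN_BAD_IPS = {"203.0.113.7"}  # stands in for a manually entered signature

def signature_match(event):
    """Signature-style check: flags only sources already on the blocklist."""
    return event["ip"] in KNOWN_BAD_IPS

def build_baseline(history, user):
    """Learn a per-user profile from past logins alone (no labelled attacks)."""
    rows = [(country, hour) for u, country, hour in history if u == user]
    angles = [2 * math.pi * hour / 24 for _, hour in rows]
    s = sum(math.sin(a) for a in angles) / len(angles)
    c = sum(math.cos(a) for a in angles) / len(angles)
    # Circular mean and spread, so 23:50 and 00:10 count as close together.
    mean_hour = (math.atan2(s, c) % (2 * math.pi)) * 24 / (2 * math.pi)
    r = min(math.hypot(s, c), 1.0)
    std_hours = math.sqrt(max(0.0, -2 * math.log(r))) * 24 / (2 * math.pi)
    return {"mean_hour": mean_hour,
            "std_hours": max(std_hours, 0.25),  # floor avoids a zero spread
            "countries": Counter(country for country, _ in rows),
            "n": len(rows)}

def anomaly_score(baseline, event):
    """Higher means less like this user's history (time deviation + country surprise)."""
    diff = abs(event["hour"] - baseline["mean_hour"]) % 24
    diff = min(diff, 24 - diff)                  # wrap-around distance in hours
    z = diff / baseline["std_hours"]
    # Laplace-smoothed probability of this country given the user's history.
    p = (baseline["countries"][event["country"]] + 1) / (baseline["n"] + 2)
    return z - math.log(p)

def is_anomalous(baseline, event, threshold=6.0):  # threshold is an assumed value
    return anomaly_score(baseline, event) > threshold

BASELINE = build_baseline(HISTORY, "exec")
NORMAL = {"user": "exec", "ip": "192.0.2.10", "country": "US", "hour": 8.4}
FIRST_ATTACK = {"user": "exec", "ip": "198.51.100.23", "country": "LT", "hour": 3.0}
REPEAT_ATTACK = {"user": "exec", "ip": "203.0.113.7", "country": "LT", "hour": 3.0}

if __name__ == "__main__":
    for name, ev in (("normal", NORMAL), ("first", FIRST_ATTACK), ("repeat", REPEAT_ATTACK)):
        print(name, signature_match(ev), round(anomaly_score(BASELINE, ev), 2))
```

The first-time login from an unlisted address passes the signature check but scores far above the baseline threshold, while the blocklist only helps once the address has already been recorded.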
This is the value proposition for Darktrace: changing cybersecurity from being reactive to proactive. To be candid, this approach of behavioral analysis is no longer novel and is being employed by cybersecurity rivals like CrowdStrike and Splunk. Each company employs different techniques, and their results can vary widely based on how good their behavioral analysis models are. But cyber is such a hot space that even the companies that aren’t the market leaders are still seeing massive growth. A rising tide lifts all boats, and Darktrace appears to be one of those boats.
Though there are certain differences in capability between Darktrace and its competitors, buying cybersecurity software is still like buying a black box. There is a good chance you don’t know the exact performance of each option until you implement it, and implementing every option isn’t realistic. This is exactly what is encouraging Darktrace to push hard on a platform approach. Acquiring a customer is expensive, and is random to some extent. Did your sales guy wine and dine him/her? Was he/she college roommates with someone who works at a competitor? There are plenty of variables you can’t control as a cybersecurity company, and the black box nature of the industry amplifies this problem further, as decision makers have less proven information with which to make calculated decisions. Because winning a customer is so difficult, the company’s aim is to make the most of each customer it wins.
![](https://framerusercontent.com/images/EnkznNG1Lzj4gaeTobIjhFmiGaA.png)
Darktrace operates on basic platform economics. Let’s say you own one Darktrace product, network protection, and your corporation realizes it needs endpoint protection in an increasingly dangerous world. For context, Check Point estimates that global cyber attacks are up 75% just in the past year. In that case, the marginal cost of entry is extremely low when you compare adding a Darktrace product versus entering into an agreement with a new platform. You already have all your system information and events flowing through Darktrace to hydrate the network protection product, so adding endpoint protection with Darktrace is minimal effort. No need to retrain your SOC (security operations center) on a different platform, and no need to set up an entirely new environment. The hardest part is getting a new customer’s foot in the door; after that, you can enjoy the effects of operating leverage on each successive cross-sell.
![](https://framerusercontent.com/images/I1t7I8oUwPFLKEkmzS9zoZbkmU.png)
This aligns with Thoma Bravo's likely strategy in acquiring Darktrace. If the firm can utilize the switching cost moat Darktrace has entrenched its users in, cross-sell them even further, and find ways to boost operational efficiency, the 43x EV/EBITDA multiple it paid for the company will be well worth it. Here’s a look at just how powerful Darktrace’s operating leverage is. For reference, the last TTM EBITDA figure released was $125 million, average incremental EBITDA margin has been 64% across the past 3 years, and the EV/EBITDA multiple paid was 43x.
It’s safe to say that there is massive EBITDA growth potential for the company, and it honestly seems like Thoma Bravo might have an easy one on their hands. Even though the LBO tacked on an additional $2.3 billion in debt to the company, Darktrace should have absolutely no problem servicing it. We can also estimate Thoma Bravo’s exit using some back-of-the-envelope math. After 5 years, the company will conservatively have $500 million in EBITDA. Assuming an 18x EV/EBITDA exit multiple, Thoma Bravo will be able to exit Darktrace at around $8 billion when including a net debt adjustment. The LBO was structured with $2.3 billion in debt and $3 billion in cash from Thoma Bravo, which means that the firm would have turned a 167% profit over 5 years, representing a 21.67% IRR on the investment. These numbers are undoubtedly great, and considering the momentum behind both Darktrace and cybersecurity right now, it is hard to imagine a world where Thoma Bravo doesn’t perform well on this purchase.