Thomas Bravo Makes Nearly $1BN Bet On SaaS Security Company Veracode

Thoma Bravo, the Chicago, Illinois-based private equity firm and veteran software security investor, is making a big bet on application security testing, paying $950 million in cash to acquire Veracode, which operates a software as a service platform that helps security professionals and software developers identify and fix defects in software applications.

Become a Subscriber

Please purchase a subscription to continue reading this article.

Subscribe Now

The firm is acquiring Veracode from Broadcom, the San Jose, California-based semiconductor company. It just completed its $18.9 billion acquisition of CA Technologies, which acquired Veracode for $614 million in March of 2017.

“Software security is one of the most consequential issues facing companies as they look to compete in the digital economy,”  said Sam King, current Senior Vice President and General Manager of Veracode in a press release announcing the deal in early November. King will become the CEO of Veracode following the close of the transaction. “Partnering with Thoma Bravo, a proven security software investor, is expected to extend our market reach and further fuel our innovation so that we can offer the broadest software security platform and empower us to accelerate growth — all to allow us to transform the way companies achieve their software security goals.”

The acquisition on the part of Thoma Bravo comes at a time when securing software, many of which resides in the cloud is becoming critical for an economy that is increasingly digital. As companies bring more of their critical operations to the cloud, SaaS companies have to make sure everything is protected from hackers. After all, one data breach could put their business out of operation or hurt their reputation greatly. Spotting and rectifying the flaws has also increased in complexity as organizations amass even more data.

According to Veracode’s most recent state of security report, more than 85% of all applications have one or more vulnerabilities with more than 13% owning at least one critical severity flaw. More than 70% of all flaws remain in place one month after discovery with close to 55% still remaining after three months. Veracode found that one in four high and very high severity flaws aren’t addressed within 290 days of discovery.  

With Veracode’s platform, customers get a scalable way to manage security risks across all of its applications. The platform relies on a broad array of security testing and threat mitigation techniques to change how companies build and buy software by integrating security into the software development lifecycles.

“In today’s digital economy practically every company is turning into a software company through their own digital transformation. As these companies continue to build complex applications, many of which contain sensitive data, the applications themselves increasingly become the target of more sophisticated and omnipresent cyber-attacks,” said Chip Virnig, a partner at Thoma Bravo. “As such, applications need to be built with security in mind day one, and we see a significant, growing market opportunity for Veracode’s product offerings.”

Thoma Bravo is no stranger to cybersecurity investments and acquisitions. To date, the PE firm has completed more than 30 acquisitions of enterprise security companies including high profile players such as Barracuda Networks, BlueCoat Systems, SonicWall and Entrust. Business Insider reported in early November that the PE firm has approached Symantec about acquiring it. Citing people familiar with the matter, Business Insider cautioned talks may not result in Thoma Bravo acquiring a leading U.S. cybersecurity firm which has been in the crosshairs of activist investors.