Congratulations, another high tech unicorn, ForeScout Technologies, was born this year. The birth was without any complications, after the firm raised $76 million to reach a company value of $1 billion. The proud parents, the six founders who have been together for 16 years, are in fine health. The unicorn’s midwife was the private investment management company Wellington Management; and all the company’s previous investors participated, too.
The rare and legendary animal has bestowed its name to privately owned high-tech startups that have reached billion-dollar valuations. For example, Waze received its unicorn status when Google bought it for approximately $1.3 billion in 2013. But as opposed to Waze’s high pre-sale profile in the media, ForeScout is still relatively unknown despite being far from a brand new company.
Why has ForeScout flown under the radar so far, even as its value climbed into the hundreds of millions of dollars? Possibly because it is not an apps company, like Waze, but a cyber (or network security) firm; and maybe because its customers are large banks, medical institutions and national governments.
As opposed to many startups, ForeScout was not founded by a group of young, motivated post-army graduates, and certainly not in a garage. “When we founded the company we already had a critical mass of gray hair,” says Doron Shikmoni, one of the six entrepreneurs behind ForeScout.
Hezy Yeshurun, chairman and another cofounder, explains: “Sixteen years ago a young man named Oded Comay had a truly brilliant idea. Today, many firms are following his idea of creating a deception for someone who had already succeeded in penetrating your network, on the assumption that a determined attacker will always succeed in penetrating the network. What Comay invented is still one of the features, a good feature in our comprehensive product.”
Today, cofounder Comay is CTO. Yeshurun gives the names of a few startups in the cyber industry that specialize in deceiving attackers and creating a smokescreen of data, such as Cymmetria, Illusive Networks and Trapx Security.
“As opposed to 12-year-olds who program from age three, and I really am not underestimating them, we are at the other end of the spectrum. When we founded the company we were 40 to 50,” says Shikmoni.
“Oded was the technology guru of the Tel Aviv University network and the [Inter-University Computation Center],” says Yeshurun. “Doron was the information security expert, and I was a university professor who worked on computer models of the brain, but also very active in the high tech scene. ForeScout was the fourth company I was a partner in establishing.”
Privately, Shikmoni is one of the most outspoken voices against Israel’s new biometric database of information on citizens.
ForeScout was founded in 2000, an especially bad year for new startups. “The very first investor was an angel named Benny Bergman, who had a fund named BCS, which no longer exists,” said Yeshurun. “We had prior connections. I picked up the phone and told him we were building something new, and he answered: ‘You have $1.5 million, now tell me what you are building.’”
In addition to the difficulties that the Dot-com bubble burst caused, ForeScout started working in the organizational software field, one in which it can take 10 or even 15 years to take off, says Yeshurun. “It is a sector in which you compete with the entire world, where sales processes last at least a year, which demands a large support network on the ground. It is not uploading an application to the App Store, with all due respect to those companies. It is work with organizations that put you through ruthless testing.”
Yeshrun acknowledges this field requires a lot of money to take off. “The investments in semiconductors and organizational software reach tens of millions of shekels, and even $100 or $200 million. We were lucky we had exceptional investors,” he says. “After Bergman, the Pitango [Venture Capital] and Accel [Partners] funds joined, who were some of the largest venture capital funds in the world. They have in their portfolios another company [whose name] begins with ‘F,’ Facebook. All the original investors in the company joined in all of the additional fund raising rounds.”
The long-term support from the funds is not to be taken for granted in today’s rapidly shifting high-tech world. Such funds were to see a return on investment within eight to ten years, while ForeScout has been going for 16. Long-term relations is the key to success, says Rami Kalish, the managing partner and cofounder of Pitango, who is a member of ForeScout’s board.
“These are guys who were mature entrepreneurs back in 2001. They came with a very interesting idea for cyber security even before these terms even existed – and to tell the truth, the market arrived a few years after they did,” says Kalish. “That is why it took time, but if you want to issue at a billion dollars, a company needs to reach sales of $150-200 million and show growth, and that takes time. Sometimes there are opportunities for quick exits, and we are not against quick exits, but as an investor it is preferable to have a mix in the portfolio.”
Every young entrepreneur knows they have to adopt the mantra: “We are not here to make an exit, we want to build a large company, a billion dollar company.” Mostly they are lying. But Forescout really did it: So far the company has raised $150 million, including the latest round of $76 million, which awarded it a $1 billion price tag.
ForeScout employs 600 people, 150 of whom work in its Tel Aviv development center and the rest in Europe and the United States. In 2015, sales were about $125 million, a 50% rise over the previous year. The firm has some 2,000 paying customers in 60 countries. It took years of patience, consistency, focus and hard work to get there, say the founders – time after time.
As for profitability, Yeshurun says: “Profitability is something under our control, and depends only on how much money we want to invest in growth.” Until 2009 they were a “classic startup who asked for money from its parents,” he says. But from 2009 through 2014 they did not need any outside funding. Only when revenues are high enough, and depending on market conditions, does Forescout plan to have an IPO.
At the end of 2013 the company considered a Nasdaq IPO at a $400 million valuation. Reports last August spoke of a $500 million IPO. If the latest fund raising round reflects the company’s true value, then they were wise to wait. They even went on a road show, which is where they met Wellington, says Yeshurun. But an IPO is not the goal, rather a means for raising funds with certain advantages, such as transparency, he says. Raising money privately is not a replacement for an IPO, but the time has to be right with a mature business model and the ability to provide accurate financial forecasts, says Yeshurun.
In some ways, ForeScout reminds us of the story of another Israeli cyber firm, CyberArk, which is a year older than ForeScout and had its IPO in 2014. It now trades on the Nasdaq with a market cap of $1.4 billion. At the recent Cybertech – Security Conference in Tel Aviv, CyberArk CEO Udi Moakdy said that success happened overnight, but was 15 years along the way.
So what does ForeScout actually do?
Shikmoni explains: “The first thing we do is to see and know immediately how many endpoint [devices] the organizational network has. We recently met with a network manager at a large company and asked him how many endpoints he had on the network. He answered, and was off by only 200,000. We put sensors on the network that know how to listen to raw information and discover every endpoint device that connects to the network, without installing anything on [the device].”
This means ForeScout is prepared for the Internet of Things, as well as for the “Bring Your Own Device” era, in which every employee brings their own personal and private computing devices, such as smart phones, to work and connects them to the company network. This is considered one of the greatest challenges for IT and information security professionals.
ForeScout’s technology identifies not only computers on the network, but also devices such as IP cameras, network printers and any other nonstandard device, as well as phones, laptops or tablets.
The company does a great deal of business with the health sector and hospitals, which contain large numbers of computerized devices, such as MRI and ultrasound machines. Most of these devices are “closed,” which means anti-virus or other security software cannot be installed on them. So how can one ensure they are not being used as a back door to penetrate the organization’s network? ForeScout knows how to identify such components and impose a security policy.
After mapping the network and devices, ForeScout provides an authentication and authorization engine. The security manager builds a list of conditions for using the product, which are in fact the organizations’ security policy, says Yeshurun. For example, if a certain computer does not have the latest anti-virus updates, it will be disconnected from the network immediately, or a polite warning can be sent to the user to update. “It is possible to define a huge range of conditions that take into account location, time and many other variables,” he says.
The security manager still needs to do this work manually, admits Yeshurun. But once the initial definitions are completed, the manager has a powerful tool in his hands. “The problem in the world of security lies in its being organized into separate assemblages – firewall, anti-virus and such – and there is no across-the-board connection between security products,” he says. Using terms of modern warfare, the product allows a closed circle of intelligence and action with all the tools on the network in order to isolate and minimize damage, and to neutralize the attack, he says. ForeScout does not replace any other security products. It just connects them – a sort of control center, the glue that holds the security system together, says Yeshurun. A sort of App Store for cyber security.