Active Directory is the Microsoft directory service that connects users and network resources and is used by over 90% of the Fortune 1000. So it's no surprise that Active Directory is a huge target for malicious hackers.
This also means a lot of attention for security companies building tools to protect and restore AD services.
Today, Semperis, a Hoboken, NJ startup focused on AD protection, announced that it has raised $125 million in funding from JP Morgan and Hercules Capital. The funding will be used for research and development and business development. In addition to Active Directory, Semperis recently also offered threat detection, response, recovery, and related services for Entra ID (previously known by the longer name Azure Active ID) and Okta customers, if the customer uses these services for some or all of their cloud services. The company's customers include Lenovo, Prime Healthcare, Sanofi, United Airlines, Starbucks, Hertz, and many others, covering a total of approximately 100 million user identities.
The funding comes nearly two years after Semperis raised $200 million in Series C funding.
Unlike that round, this funding is a combination of equity and debt. We'll explain why we took on debt later. And unlike that round, TechCrunch has seen the company's valuation, which is now over $1 billion. In the words of Semperis founder and CEO Mickey Bresman, “I have horns.”
(The $651 million figure listed in PitchBook is inaccurate.)
In addition to the funding, Semperis has also hired three executives, which Bressman said will be important for the company's next steps as a business. While an IPO is on the cards now, Bressman said the move could be an M&A deal if the circumstances are right, given the increasing consolidation in the cybersecurity market over the past few years.
Jeff Bray will join as CFO, Mike DeGaetano as Chief Revenue Officer and Annabelle Lewis as Chief Legal Officer and Corporate Secretary. All three bring extensive experience from some of the most successful cyber companies of the past decade.
Semperis has been around since 2013 (it officially launched in 2015), and Bresman says he likes to joke that the company entered the market too early and too late at the same time.
Early because cybersecurity wasn't as big an issue 10 years ago and the conversation wasn't about identity management (as it is today). Late because AD was released in 1999 and was already in very widespread use, laying the groundwork for the massive hacks that eventually hit organizations that use AD. Attack after attack has emerged that exploits vulnerabilities in the Active Directory architecture.
Despite the frenzy of cloud services (or more specifically, the cloud services marketing machine), on-premise services remain big, and AD determines how much on-premise services are used across businesses. One of the most recent and damaging exploits of AD was NotPetya, which has been called one of the “most devastating” attacks in cyber history.
Of course, since then, many AD-focused companies have emerged, including Palo Alto Networks, Bitsight, BigID, and Wiz.
One of the problems with many AD attacks is that across distributed systems, breaches are complex, costly and time-consuming to remediate. Semperis' pitch is that it can reduce that time by 90%. Downtime is typically even more costly to businesses than the breach itself, so eliminating, if not avoiding, downtime is a primary focus for cyber buyers.
“As CISOs shift their focus to securing their identity infrastructure and building resilience, we're seeing a huge increase in demand for specialized hybrid AD and Entra identity protection,” Bray said in a statement.
“Semperis is the clear leader in the much-needed field of identity systems defense with machine learning-based attack prevention, detection and response,” added Scott Bluestein, CEO and CIO of Hercules Capital. “Leading organizations around the world rely on Semperis to protect their hybrid Active Directory environments, which are the foundation of their IT infrastructure and highly vulnerable to attackers.”
When asked why the company took out debt instead of equity, Bressman said the company had several options, but one of the reasons for this choice was that it had the investor mix it wanted on its cap table (though he didn't mention that this also meant the company would have less equity to give up in preparation for the IPO).
“With new backing from JP Morgan and Hercules Capital, and our existing team of world-class backers including KKR, Insight Partners, Ten Eleven Partners, Paladin and Advocate Health, Semperis will continue to drive innovation to stop cyber attacks,” Bray said. “The growth capital complements our already strong balance sheet and will enable Semperis to accelerate investments in research and development and expand our global footprint to meet market demand.”