The HP cybersecurity acquisition made for a world of increasing malware threats

In this weekly series, CNBC takes a look at companies that made the inaugural Disruptor 50 list, 10 years later.

When Bromium made its debut on the inaugural CNBC Disruptor 50 list in 2013, its pitch was that fighting malware with traditional fire is a losing battle and the only way to wage and win a new war against cyber attackers is to isolate viruses rather than try to keep them out entirely.

“Disruption occurs when customers in a mature market are presented with a fundamentally different, and far more effective, way to solve a problem. Ultimately, the new markets and value networks created by disruptive products overtake and displace existing market,” Bromium CEO Gaurav Banga told CNBC at the time. “As the market embraces this innovative approach, we are able to move towards our ultimate objective — to restore trust in computing.”

For Bromium, founded in 2011 by former Citrix engineers, it was the same approach to endpoint protection that resulted in HP‘s acquisition of the company six years later. Though it was not a straight line up for the company in terms of success or market valuation. In 2016, Bromium’s valuation was nearly cut in half after a failed attempt to raise additional funding, which was also around the same time that its growth and profitability were reported to be in the single digits.

Still, analysts at the time described the move as a safe, likely inexpensive bet. No acquisition price was disclosed, but HP had been a reseller of Bromium software since 2017 (its isolation technology was used in HP Sure Click to protect endpoints from malware introduced through email attachments, infected links, web browsers, or downloadable files) and endpoint security market consolidation was occurring quickly, with other players including Carbon Black and Symantec in deals with larger tech companies. Rival Dell announced a partnership with another CNBC Disruptor, CrowdStrike, a few months before the HP deal, leading analysts to speculate that HP’s acquisition of Bromium was a move in response to the competitive threats including Dell’s newest partnership, according to a 2019 report from TechTarget.

Today, Bromium’s technology serves as part of HP’s proprietary malware protection, which is a staple of the computer giant’s cybersecurity offerings, covering products from commercial PCs to printers.

The competition has only intensified in the years since, due in large part to a new cycle of investments in cybersecurity amid increasing high-profile attacks from both nation-state actors and criminal hacking organizations with more advanced versions of malware in the category known as ransomware targeting key supply chains and infrastructure. The massive move to the cloud by companies across all sectors of the economy, further accelerated by the pandemic, also has heightened the need for a stronger suite of cyber tools from technology vendors for remote workers and operations.

As tensions between Russia and the West intensify, it’s put the cybersecurity preparedness of institutions back in the spotlight, while also highlighting cybersecurity deals like the 2019 tie-up between HP and Bromium as timely bets.

Last week, Alphabet made its second-biggest acquisition ever, a $5.4 billion deal for cybersecurity firm Mandiant. Alphabet chief financial officer Ruth Porat told Wall Street the price tag on the deal reflects the growing need to compete on cyber for its clients and against larger rivals in the cloud, Microsoft Azure and Amazon Web Services. Microsoft had reportedly been a suitor for Mandiant previous to the deal.

With cloud customers demanding more artificial intelligence and automation, Alphabet is also seeing more demand for better, faster threat detection, Google Cloud CEO Thomas Kurian said in a blog post about the deal.

Bromium founder Gaurav Banga has since founded another cybersecurity firm, Balbix, with John Chambers among his investors, who noted in a blog post earlier this month that his firm increased its investment.

Last year was a record-setter for cyber M&A, according to advisory firm Cyber Momentum, with 286 transactions totaling $77 billion, an increase of nearly 300%. There was also more than $21 billion in venture capital invested last year, an increase of roughly 145% compared to 2020, according to data compiled by Crunchbase, including the largest funding round ever for a security start-up, Lacework’s $1.3 billion in November at a valuation of $8.3 billion.

The deals are occurring in all markets, with SentinelOne’s June IPO surpassing CrowdStrike’s $6.7 billion mark in 2019 to make it the highest-valued cybersecurity IPO in history, and two of the biggest deals taking companies private – McAfee being acquired by an investment consortium for more than $14 billion in November, and Proofpoint being acquired by Thoma Bravo for $12.3 billion in April.