Core Security flux leaves questions about direction

With change underway in Core Security’s executive and engineering ranks and its ability to drive revenue being questioned by industry watchers based on the availability of cheaper technologies from its rivals, company leaders contend that the penetration testing specialist’s future is as bright as ever and that they’re not priming it for short-term acquisition.

In mid-July, company insiders divulged that two of Core’s most visible leaders, CEO Paul Paget and Lead Product Manager Max Caceres, would soon be leaving the firm to pursue other opportunities.

Based on the high-profile departures and apparent disparity in the firm’s ability to turn a profit despite a growing customer base, some industry watchers have taken the executive change as an indication that Core, which sells software used by enterprise companies to carry out automated network penetration and end-user security testing, has hit a wall and is rapidly shifting its strategy to prepare for an eventual buyout.

In a new report published by industry analysts at 451 Group, market researchers conclude that Core’s products are under pressure from cheaper alternatives, pushing the venture-backed company to prime itself for acquisition.

Founded in 1996, Core currently claims more than 500 customers, a roughly 25 percent increase since the beginning of calendar 2007, yet the company has told its financial backers, including Pegasus Capital and Morgan Stanley Venture Partners to the tune of $4.5 million apiece, that it isn’t yet profitable based on operational expenses, according to 451 Group’s report.

Nick Selby, the 451 Group analyst who authored the research, said that Core has been discounting its products to pump up its customer base, which he tabs as the actual cause for a shortage of profits.

The strategy behind such a move, while replacing its CEO of five years, is in all likelihood aimed at positioning itself for a buyout, the analyst said.

Makers of other testing tools that directly rival Core’s — those that not only scan IT systems for vulnerabilities but also execute code to analyze just how the flaws can be exploited — charge less and, in the case of Metasploit Project, are being given out for free, forcing Core to rapidly assess its future growth plans, Selby contends.

With an understanding of the industry trends, Core’s venture backers may also be pushing for a sell-off, he said.

“We’re strongly of the opinion that Core’s tools are very effective but that the market for these products might be more limited than Core or the investors originally thought,” said Selby. “If you asked the other companies in this space if they’d be happy to have Core’s sales, they’d be ecstatic, but there’s a different set of expectations with this level of venture backing.”

Much as applications security providers SPI Dynamics and Watchfire were recently swept up by Hewlett-Packard and IBM respectively for undisclosed sums of money the analyst said that either firm could be interested in adding Core.

There is little question that automated penetration testing applications have a strong future, Selby said, but it remains unclear whether businesses will buy the tools from independent vendors or from larger services providers.

“I definitely think this is an important piece of a larger market, there’s an opportunity for customers to save money they might spend on consultants to do internal testing for security preparedness and awareness,” said Selby. “But we think that they’re angling for an acquisition, and IBM or HP could be a logical place for them to end up.”

Core executives, including Paget, flatly deny the accuracy of 451 Group’s assessments.

Rather than priming the company for a sale, Core’s leadership is undergoing the process necessary to position the firm to take advantage of significant business opportunities as a standalone, the CEO said.

While not ruling out acquisition as a possible fate for Core as it is for all VC-backed startups, Paget maintained that the executive shift is one aimed at aligning the right team for continued growth, not for an immediate sale.

Paget has agreed to remain on as the interim CEO as the talent search is carried out, and he also remains a significant shareholder in the firm, according to sources close to the company.

“We’re currently growing very fast and see an opportunity to make this a very substantive company over the next few years in terms of its role in the information security space,” Paget said. “The attacks are becoming more sophisticated, and what we’ve been preaching for years about attackers compromising corporate information has become an important topic among customers.”

“Sometimes to achieve these types of goals you have to swallow your pride and consider what might help the company best take advantage of the opportunity, and bringing onboard a new CEO was one of the moves we wanted to make to support that,” he said.

Company representatives accounted for the departure of Caceres, the outward face of the firm’s flagship Core Impact product line, as a personal matter with the lead engineer and chief marketer seeking a change of pace after spending a decade in the company.

The timing of the two announcements was coincidental, Core media officials said.

At least one of Core’s directors confirmed the plans for the pen-testing outfit to continue to go it alone.

Robert Steinkrauss, a Core board member who most recently served as Chairman and CEO of data encryption specialist Ingrian Networks, said the executive change is indeed directed at finding the individual best suited to helping the pen tester tackle its next wave of growth.

“Paul has grown the company tremendously, and it’s about to finish its best quarter ever by far, but this is about having the right CEO in place to help extend the business even further,” Steinkrauss said. “This company is in a position right now to raise additional funding and expand its channel and product capabilities; people are spending billions on security, and this is a company whose products can tell you if those investments have been worthwhile.”

However, Steinkrauss said that isn’t impossible that Core would accept the right acquisition offer.

In fact, the board member only signed on with Core in mid-June and has a personal history of leading security buyouts, having served as the chairman at Authentica when it was sold to EMC in 2006 and acting as CEO at both Xedia — sold to Lucent for $246 million in 1999 — and Raptor Systems — which was taken public in 1996 and eventually sold to Axent Technologies for $240 million in 1998.

“I would say this company probably isn’t ready for an IPO, but we feel we can take it to the next level in terms of return-on-investment for the [venture backers], and I don’t think they’re ready to sell the company,” Steinkrauss said.

Other market watchers observed that Core faces mounting competition but that the company has a loyal following among large enterprise customers that will allow it to assess all of its options over the next several years in terms of growth, investment, and potential acquisition.

The overall market for automated penetration testing — pioneered by Core — will see continued expansion over the next several years, said Dr. Chenxi Wang, analyst at Forrester Research.

“I’m not entirely sure about their market position, but technology-wise they are very solid,” Wang said. “The other tools on the market haven’t surpassed Core, but there are more choices out there now compared to only several years ago when they were one of the few products on the market.”

Wang said that Core is “absolutely” a potential target for acquisition by a larger vendor, and she agreed that IBM could be a likely suitor despite its buyout of Internet Security Systems just under one year ago, which armed Big Blue with some pen-testing products.

“Another buyer might be someone like Symantec. They’ve been trying to grow their services business for some time, and pen-testing might be something that fits their plans,” said Wang. “Pen-testing could eventually become part of the larger systems assurance business, in which a lot of large vendors want to compete.”