Sourcefire Turns Failed Deal Into an Opportunity

By Dina ElBoghdady
Washington Post Staff Writer
Tuesday, May 30, 2006

Network security firm Sourcefire Inc. enthusiastically agreed to sell itself for $225 million in October, watched the deal crumble in March, then immediately began searching for new investors -- and found them.

Not many companies bounce back after an attention-grabbing deal fails. But Columbia-based Sourcefire has secured $20 million in late-stage funding, announced its first-ever cash-flow positive quarter and started preparing to go public since its proposed sale to Check Point Software Technologies Ltd. fell through.

Check Point, of Ramat Gan, Israel, and Sourcefire agreed to withdraw the deal after a federal panel, the Committee on Foreign Investment in the United States, expressed concerns about the transaction's national security implications. Sourcefire makes software that protects against hackers and sells it to U.S. intelligence agencies and some of the country's largest companies, such as Lockheed Martin Corp. The companies and the federal panel declined to discuss details of the investigation or why the deal was scuttled.

While the deal's collapse was disappointing, it may turn out to be fortuitous, said Wayne Jackson, Sourcefire's chief executive. As the investigation into the sale dragged on, Sourcefire's revenue kept increasing, and presumably so did its value.

"By the end of it, we felt we were leaving quite a bit of money on the table," said Jackson, who joined Sourcefire in 2002, about two years after selling his firm Riverbed Technologies Inc. to Aether Systems Inc. for $1 billion. "The company's value changed quite a bit during that time, and we started to see a lot of additional potential in the company as a stand-alone entity."

Sourcefire does not disclose its revenue or income, except to say that the company is profitable and that its sales in 2005 rose 68 percent from the previous year. Analysts estimate that the company had $35 million in revenue in 2005 and that its list of customers keeps growing.

For all those reasons, Meritech Capital Partners of Palo Alto, Calif., led the most recent round of financing, which injected the largest one-time infusion of capital into Sourcefire since it was founded in 2001.

"We've looked at dozens of security companies out there, and this is one of two or three that we've decided to invest in," said Mike Gordon, Meritech's managing director. "In this sector, it's very hard to get beyond a few initial customers and develop momentum, and Sourcefire has developed that momentum."

The company has raised $53.7 million and still has about half of that in cash, Jackson said.

Sourcefire is the creation of Martin Roesch, who invented the coding program Snort in 1998 in his home in Eldersburg, Md., while juggling a day job as a software engineer. Roesch posted Snort, which "sniffs" packets of data to detect signs of network intrusion, on the Internet.

Snort is an open-source program, meaning anyone can download it free, modify it, copy it or resell it.

While allowing anyone to inspect and manipulate network security software may sound counterintuitive, it's not, said Scott Crawford, a senior analyst at Enterprise Management Associates, an information-industry research firm in Boulder, Colo.

"One of the security virtues of open source is it's open to everybody's scrutiny," Crawford said. "You can look at every line of code, and in that sense, it's inherently more trustworthy. If there's a weakness that exists, it's more probable that someone will catch it because so many eyes are looking at it."

Anyone who uses Snort for commercial purposes must publish changes made to the software or to any software they create that links to Snort, said Roesch, who is Sourcefire's chief technology officer.

It's an honor system, he said, but ignoring the rules "results in the technology equivalent of accounting fraud. Someone figures it out and blows the whistle on you and everyone who writes open-source software basically blacklists you."

So how does a firm that offers its wares free make money?

By enhancing its offering.

The free Snort basically inspects traffic for potential threats to a network, but the money-making Snort adds to the technology by enabling it to make decisions about the flow of traffic and block attacks in networks on a global scale. Those added features, particularly the prevention aspects, are what companies and intelligence agencies find useful.

"It's one thing to give away the engine for free, and it's another thing to build the car," Jackson said. "We make the whole car and make it robust and fail-proof."

Most of the company's money comes from ready-to-use hardware loaded with Snort programs that sell for $6,000 to $125,000, depending on the rate of traffic it is capable of inspecting. The equipment fits directly into the customers' network. More money comes from distributing updates of Snort's detection rules in advance of their release on the Internet.

Greg Young, an analyst at information-technology research firm Gartner Inc., said the real value of open-source Snort is that it gives Sourcefire greater foot-in-the-door recognition for selling the souped-up commercial product.

"There's a mistaken perception that Check Point was buying Sourcefire for open-source Snort," Young said. But they were really buying them for the intellectual property they have around the commercial product, he said.

© 2006 The Washington Post Company