The Washington PostDemocracy Dies in Darkness

D.C.-area cybertech companies persuade West Coast investors to head east

Washington-area cybertech firms are attracting the attention of West Coast investors. (Chris Ratcliffe/Bloomberg News)

The Washington area is rarely thought of as a hotbed for technology companies. The region’s biggest firms have generally gravitated toward the quiet, stable business of government contracting, while start-ups tend to move elsewhere in search of growth capital.

The area’s cybersecurity companies, however, are proving to be an exception to the rule.

A handful of recent “exits” — start-up lingo for taking a company public or otherwise cashing out — are beginning to show investors that the area’s crowded cybersecurity industry can yield returns.

Tenable Network Security, a Columbia, Md.-based cybersecurity firm that helps large organizations spot network vulnerabilities, recently filed for its initial public offering after raising more than $300 million from investors. In a separate deal in late February, a company called Phishme was bought by private equity giants BlackRock and Pamplona Capital in a deal that valued it at $400 million.

All of that activity is persuading some well-known Silicon Valley investors to head east in search of opportunity.

Social SafeGuard, a Charlottesville-based start-up, recently disclosed that it has raised $11 million in new funding from a pair of West Coast funds. The first, Allegis Cyber, is a Palo Alto, Calif.-based venture fund known for investing in companies that utilize talent and know-how from the region’s spy agencies. The other is NightDragon Security, a fund set up by Dave DeWalt, who ran cybersecurity giant FireEye as chief executive for four years.

That investment followed a $20 million one led by Scale Venture Partners, another Silicon Valley-based fund, in a Herndon-based company called Expel. Expel is headed by Dave Merkel, who was a top executive at AOL before becoming chief technologist at Mandiant, a cybersecurity company that was bought by FireEye for close to $1 billion.

It’s much easier to raise money when you’ve already sold a $1 billion company

They are riding a wave that has been building for years. Cybersecurity companies in the District, Maryland and Virginia struck 47 deals with venture investors in 2017 compared with just 15 in 2011, according to an internal analysis by Paladin Capital, a D.C.-based venture capital firm. There have already been 24 such deals in the first half of 2018, suggesting the trend will continue.

All of that extra capital, combined with new federal cybersecurity spending from defense and intelligence agencies, has spawned hundreds of new companies in the D.C. area. A 2017 survey by Amplifier Ventures and the Kogod School of Business at American University found a whopping 858 D.C.-area companies engaged in cybersecurity work.

Departing NSA veterans catch the eye of Silicon Valley investors

Their business is more than just protecting IT networks.

Bethesda-based Quantum Xchange, for example, wants to build futuristic fiber-optic cables between Washington and Boston, using a novel encryption method it says will be able to resist not-yet-developed code-crackers based on the laws of quantum mechanics. The company has raised $10 million for the effort.

Another is Social SafeGuard, which helps companies including Johnson & Johnson, Sun Life Financial and McAfee track their social media presence, which includes spotting accounts that have been commandeered by hackers. Some companies use its service to find fake social media accounts set up by hackers to spoof their way into corporate networks. Some projects involve tracking down accounts set up to impersonate corporate executives, for example.

In other cases, Social SafeGuard’s corporate customers are surveilling their own employees to make sure they don’t leak proprietary information or do anything improper online. Executives say the company gathers the data from more than 50 “digital and social channels” including Facebook and Twitter, all of it with employees’ consent.

“If you’re a CEO of a well-known company, chances are there are hundreds of people spoofing you. In addition to that, you have lots of employees getting in trouble for saying and doing things on social media,” said Spencer Tall, managing partner at Allegis Capital.

Social Safeguard “tracks it all,” he said. “You can monitor what key employees are doing on an individual basis.”

They’re on the lookout for malware that can kill

In January, the company partnered with anti-virus giant McAfee to identify what it called a “targeted campaign to spread pro-Pakistan and pro-Turkey propaganda,” in which former TV news anchor Greta Van Susteren’s account was temporarily taken over and used to send direct messages to President Trump, who follows her on Twitter.

Social SafeGuard is still small, but the performance of other D.C.-area cyberfirms sets a high bar. Events of the 2016 U.S. presidential election may have added fuel to the fire, too.

“With the election in 2016, everyone became aware of the inherent risks of digital channels,” said Otavio Freire, the chief technology officer at Social SafeGuard.