Anup Ghosh, founder and chief executive of Invincea, poses in his Fairfax City office in 2013. (Evy Mages for The Washington Post)

Invincea, a midsize cybersecurity firm based in Fairfax City, Va., said Wednesday morning it is being bought by Sophos, a British cybersecurity firm, in a deal that could be worth up to $120 million.

The deal keeps the 90-person firm in Fairfax City and also coincides with a spinoff of Invincea Labs, an arm of the company that holds at least 20 research and development contracts with the Department of Defense.

John Backus, a partner at the venture capital firm New Atlantic Ventures and one of Invincea’s earliest investors, said the company wasn’t looking for a buyer but jumped at the chance when Sophos offered what was seen as a good deal. Invincea would receive $100 million with a chance to collect another $20 million contingent on meeting certain business goals.

“Sophos made us a good offer and, when someone makes you a good offer, sometimes it’s hard to say no,” Backus said.

The core technologies of both companies focus on some form of “endpoint” protection designed to automatically deny hackers access. These sorts of automated fixes, like firewalls or anti-virus programs, have gone out of style lately in favor of solutions that track hackers’ movements. In recent years, Invincea has built out its own threat detection technology, but still refers to itself as a “next-generation anti-virus” company.

“I think this will be really disruptive for the industry as the others try to catch up to these combined capabilities,” Invincea founder Anup Ghosh said in an interview. “It’s not something we’ve been planning for a while, but this is the logical next step for Invincea.”

For Sophos, a company that is publicly traded on the London stock exchange, Invincea is the latest in a stream of acquisitions designed to build out a comprehensive set of corporate security fixes. Invincea’s commercial business targeting big corporate customers is expected to complement Sophos’s solutions, which are geared more toward midsize firms.

“We’re pretty excited about the outcome,” Backus said of New Atlantic Ventures’s outlook on the deal. “It’s a good price for the software business, plus we now own a big chunk of Invincea Labs, which from a revenue perspective is even bigger [than the part of the company that was sold to Sophos] and it’s profitable.”

The buyout makes Invincea the latest in a string of D.C.-area cybersecurity outfits to cash out after taking money from local investors, contributing to a small but growing software product industry here.

Tenable Network Security, which recently raised $250 million in a deal that partially bought out its founder, sells a platform designed to help corporations quickly scan for holes in their networks. Other transactions involved Mandiant and Sourcefire, which sold for $1 billion and $2.7 billion, respectively. Both cyber firms built businesses around technologies that track cyberthreats.

Buyouts like this are seen as a coup for the local technology ecosystem because the founders tend to stay and invest in new companies, and Invincea’s board is packed with local investors. In its early days, the firm benefited from taxpayer-funded seed investments through the CIT GAP Funds program. The company’s first big funding round came from New Atlantic Ventures and Grotech Ventures, both of them large venture funds based in Northern Virginia. The company went on to raise at least $45 million from larger investors, including Dell Ventures and Aeris Capital, and last year raised $10 million from ORIX Growth Capital, a private equity firm.

Local economic development boosters seem heartened by Sophos’s decision to keep the small company in Northern Virginia. Under the terms of the deal, Invincea will keep its name and remain in Fairfax City and slowly integrate its engineering team with that of Sophos.

“Everybody is staying here,” Ghosh said. “We continue to do today and tomorrow what we did yesterday.”

Read more: