Eden Prairie, MN
Nick Schneider
Arctic Wolf
Arctic Wolf is a cybersecurity company that provides an end-to-end platform for threat monitoring.





As networks have evolved beyond traditional network perimeters, enterprises have realized a need to manage a rapidly growing attack surface with a greater number of devices and applications.

Cybersecurity initiatives tend to lag digital transformation initiatives. Secular tailwinds driving recent growth include enterprise workloads migrating to cloud, the increasing sophistication of cyber attacks, greater adoption of zero trust architectures, security budget expansion, initiatives to secure more distributed networks, and more consolidation.

The security space has a fast disruption cycle, which makes it complex and crowded. The Red Queen hypothesis applies here, as hackers are also becoming more sophisticated at a fast pace. Continued focus on innovation is a necessary but not sufficient condition to win the space.

So far we have seen three types of winners emerging: (1) innovative platform vendors who expand into adjacent tools, excel in cross-sell and demonstrate strong net dollar retention, e.g. CrowdStrike; (2) mega-caps who excel in enterprise sales, e.g. Microsoft; (3) best-in-class solutions that get acquired by traditional vendors to boost their next-gen product suites.

Endpoint security

Endpoint security is one of the most important subsegments within security and the top spending priority for CIOs. Endpoint security protects devices such as laptops and phones, which may become potential gateways for hackers.

Gartner estimates endpoint security to be a $6.4B market, with an 8% CAGR. Endpoint platforms such as CrowdStrike and SentinelOne saw high double-digit growth in 2020.

Two growth drivers are (1) higher numbers of mobile devices from the shift to remote working; (2) next-gen platforms gaining market share from traditional endpoint protection systems.

Traditional signature-based antivirus systems lack efficacy against increasingly sophisticated cyber-attacks. Enterprise customers increasingly favour advanced AI/ML-based detection and response technologies to detect malicious activities.

The risk here is the difficulty of sustaining growth as endpoint growth decelerates post-COVID and as competition from new vendors at lower price points ramps up, making market share gains more challenging.

Identity and access management

Identity and access management refers to a continuous process of managing the identities and privileges of users in an organization.

With increasing complexity in enterprise working environments (on-premise or cloud-based workloads, BYOD, SaaS applications, etc.), compromised credentials can serve as an entry point for hackers to breach an organization’s security system.

Gartner classifies IAM into the following four sub-segments:

Access management tools provide authentication, SSO, session management and authorization for applications. Leading players include: Okta, Microsoft, OneLogin, RSA, SecureAuth, Ping Identity.

Identity governance and administration (“IGA”) tools manage the digital identities of an organisation’s employees, customers and suppliers to ensure that the right users have access to the correct data for legitimate business reasons. Leading players include Okta, SailPoint, Saviynt, Oracle, Microsoft, IBM, One Identity.

Privileged access management. Leading players include Thycotic, CyberArk, Centrify, BeyondTrust, ManageEngine, Broadcom.

User authentication. Leading players include Duo Security, Microsoft, NortonLifeLock (Symantec), Imprivata, Okta, Centrify.

Gartner estimates that IAM will reach $14B by 2023, with a CAGR of 9%. IAM is an initial component of Zero Trust Network Access (“ZTNA”) adoption, so growing interest in Zero Trust can drive meaningful demand for IAM. Recent growth drivers also include remote working and stricter compliance and regulatory requirements.

Vulnerability assessment

Vulnerability assessment tools help companies to assess how well their organisations are protected against threats and remediate potential vulnerabilities.

Growth: Gartner projects that the vulnerability assessment market will grow at a low double-digit rate over the next couple of years, to $1.8B by 2022. The VA market is also fragmented. IDC data suggests that Qualys, Rapid7 and Tenable comprise approx. 25% of the VA market. Beyond Security, Alert Logic, Tripwire, Balbix and Arctic Wolf Networks are smaller players in this segment.


Security information and event management (“SIEM”) solutions collect, store and correlate security incidents from endpoints, servers and network devices. Anomalous events are flagged to provide greater visibility into an organisation’s security posture.

SIEM technology analyses data in the cloud using AI/ML and behavioural pattern matching. Because the threat graph looks for correlation across the entire dataset, it can detect threats and stop security breaches in ways that on-premise legacy security solutions find hard to replicate.

Growth: The SIEM market is estimated to surpass $6B by 2023, with a CAGR of 13%. Growth in this segment is mainly driven by organisations’ need to detect threats and respond to incidents in real time. The market was dominated by Splunk, IBM and Micro Focus, which owned 50% of the market in 2018.


The overall security industry remains relatively fragmented, with north of 3,000 companies in the space.

Network and endpoint security markets remain the largest segments. Endpoint markets are undergoing significant disruption as legacy incumbents face disruption from cloud-native new entrants. Remote working accelerated adoption; the top four enterprise security spending priorities are endpoint, identity, vulnerability assessment (“VA”), and security information and event management (“SIEM”).


Endpoint security

The endpoint security market is relatively fragmented. The market is still dominated by traditional signature-based vendors. Legacy vendors, e.g. NortonLifeLock (formerly Symantec), Trend Micro and McAfee, account for c.45% of the market. Nevertheless, vendors with next-gen endpoint detection and response (“EDR”) and AI/ML capabilities are taking share.


Identity and access management

Barriers to entry tend to be high in IAM because high investment is required upfront to create a comprehensive platform that integrates seamlessly with different IT systems.

In addition, the switching costs for identity solutions tend to be high since they require extensive integration to provide full coverage of digital identities.

Therefore, deployment can be sticky, which could drive pricing power for vendors. IAM is also a focus of large platform vendors, e.g. Cisco acquired Duo Security and Allstate acquired InfoArmor. Microsoft is also expanding into this space with Azure Active Directory, which offers authentication, access management and governance solutions.

Point solution vs. platform

A growing distinction between vendors is whether they are point solutions or platform providers. For example, Tenable has remained largely focused on the VA space, partnering with other vendors for network access control, as the company views these complementary functions as commodities.

In contrast, Qualys has shifted its focus towards expanding its platform to encompass adjacent functions (e.g. cloud container security, web application firewalls, etc.); Rapid7 has extended its capabilities beyond vulnerability management to offer SIEM solutions.

As vendors become more mature, they tend to move into adjacent markets to expand TAM, drive more growth and become more platform-oriented solutions. There is an increasing convergence across subsegments, particularly as vendors in vulnerability assessment, SIEM, and endpoint security extend into adjacent markets.

Security data analytics makes SIEM compatible with other security needs, such that SIEM can provide natural portfolio expansion opportunities. E.g. Splunk, Elastic and Rapid7 moved into SIEM from tangential markets; existing SIEM vendors can also expand into adjacent security segments, e.g. Elastic acquired Endgame to enter endpoint security; Secureworks began offering threat detection and response, combining SIEM and endpoint detection and response (“EDR”) capabilities.

The ability to cross-sell into a large installed base and expand from a point solution to a platform could be an important driver for growth. Gartner recently reported that the average enterprise has ~75 security solutions and that almost half of enterprises want to consolidate security vendors in the next 2–3 years.

Key Questions

Key questions for management:

Product: Where do you sit in the value chain? Where do you sit in the network? Do you have agents that you deploy throughout the network? How can we think about the architecture?

Expansion: How many different products do you have on your platform? How do you think about your roadmap, product expansion and market share gain?

Growth: What are the most prevalent verticals across your platform? What technology and sales effort can you leverage across your customer base?


This report is for information purposes only and is not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. Nothing in this report constitutes investment, legal, accounting or tax advice or a representation that any investment or strategy is suitable or appropriate to your individual circumstances or otherwise constitutes a personal trade recommendation to you.

This research report has been prepared solely by Sacra and should not be considered a product of any person or entity that makes such report available, if any.

Information and opinions presented in the sections of the report were obtained or derived from sources Sacra believes are reliable, but Sacra makes no representation as to their accuracy or completeness. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a determination at its original date of publication by Sacra and are subject to change without notice.

Sacra accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that liability arises under specific statutes or regulations applicable to Sacra. Sacra may have issued, and may in the future issue, other reports that are inconsistent with, and reach different conclusions from, the information presented in this report. Those reports reflect different assumptions, views and analytical methods of the analysts who prepared them and Sacra is under no obligation to ensure that such other reports are brought to the attention of any recipient of this report.

All rights reserved. All material presented in this report, unless specifically indicated otherwise is under copyright to Sacra. Sacra reserves any and all intellectual property rights in the report. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of Sacra. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any report is strictly prohibited. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of Sacra. Any unauthorized duplication, redistribution or disclosure of this report will result in prosecution.