Semperis, a specialist in Active Directory security now worth more than $1B, raises $125M

Active Directory, the Microsoft directory service for connecting users with network resources, is used by more than 90% of all Fortune 1000 companies and many more besides. So it’s no surprise that it’s a giant target for malicious hackers. 

That also means a lot of attention for the security companies that are building tools to protect and recover Active Directory (AD) services. On Thursday, Semperis, a Hoboken, New Jersey, startup focused on AD protection, said it had raised $125 million from J.P. Morgan and Hercules Capital, and will be using it for R&D and business development.

In addition to Active Directory, Semperis also provides threat detection, response, recovery and related services for users of Entra ID (formerly known as Azure Active ID) and Okta. Its customers include Lenovo, Prime Healthcare, Sanofi, United Airlines, Starbucks, Hertz and many others, covering some 100 million user identities in all. 

The funding has come almost exactly two years since Semperis raised a $200 million Series C. 

Unlike that round, this financing is a mix of equity and debt, and TechCrunch has confirmed the valuation of the company: It’s now worth over $1 billion. Or, in the words of Mickey Bresman, Semperis’ founder and CEO, “I have a horn.”

Alongside the financing, Semperis is also adding three executives that Bresman said will be critical for the company’s next steps as a business, which, he said, currently looks like an IPO. I’d say they could also be M&A in the right situation, given how much consolidation we’ve been witnessing in the cybersecurity market in the last few years.

Jeff Bray is coming on as a CFO; Mike DeGaetano is joining as its chief revenue officer, and Annabel Lewis is coming on as chief legal officer and corporate secretary. All three have extensive backgrounds with some of the more successful cyber companies of the last decade. 

Semperis has been around since 2013 (it started offering services in 2015), and Bresman says he likes to joke that the company was both too early and too late to the market. 

He feels it was early because cybersecurity simply was not as big of a deal just 10 years ago, and the conversation was not really about ID management (which is a huge theme today). And he thinks it was also late because actually AD was launched in 1999 and already being used ubiquitously, thus laying the groundwork for the extensive hacking that would eventually grip companies that use it. There have been waves upon waves of attacks exploiting vulnerabilities through the Active Directory architecture. 

And despite the beating drum of cloud services, on-premises services are still huge, and AD is how many of them are used at enterprises. One of the more recent and damaging AD-exploitations was NotPetya, which has been described as one of the “most devastating” attacks in cyber history. 

Since then, of course, a number of other companies focused on AD have emerged. They include Palo Alto Networks, Bitsight, BigID, Wiz and many others.

One of the problems with a lot of AD attacks is that across a distributed system, breaches can be complicated, costly and drawn out to fix. Semperis’ pitch is that it can cut that time by 90%. With downtime being typically even more costly to a business than the breach itself, lowering that downtime, if not avoiding it altogether, becomes a primary focus for cyber buyers.

“As CISOs shift their focus towards securing and building resiliency into their identity infrastructure, we see enormous demand for specialized hybrid AD and Entra ID protection,” said Bray in a statement.

“Semperis is a clear leader in the urgently needed area of identity system defense, with machine-learning-based attack prevention, detection and response,” added Scott Bluestein, CEO and CIO at Hercules Capital. “Leading organizations around the world depend on Semperis to safeguard their hybrid Active Directory environment, which is foundational to the IT infrastructure and heavily targeted by attackers.”

As for why the company took debt instead of equity, Bresman simply said that the company had multiple options, but it chose this one in part because it has the mix of investors on its cap table that it wants. (He didn’t say the following, but it also means that it has to give up less equity en route to an IPO.)

“Semperis, with new support from J.P. Morgan and Hercules Capital, and our existing team of world-class backers, KKR, Insight Partners, Ten Eleven Ventures, Paladin, Advocate Health and others, will continue to drive innovations to disrupt cyberattacks,” said Bray. “The growth financing complements an already strong balance sheet, allowing Semperis to accelerate the investment in R&D and expand our global footprint to meet market demand.”


Leave a Reply

Your email address will not be published. Required fields are marked *