In fewer than six years, Sucuri went from a team trying to decide when the founders should go full time, to a team of more than one hundred people, and an acquisition deal in their hands from one of the world's largest web hosts.
The company was founded in 2009, but it wasn't until January of 2012 that Tony Perez, Daniel Cid, and Dre Armeda were all full time on Sucuri, and business was booming, thanks in no small part to an incredibly nasty vulnerability in the TimThumb WordPress imaging script.
The TimThumb vulnerability would go on to show its face for years, and still does today every now and then, though most WAFs (web application firewalls) and hosts now have automated ways to block the attack vector.
At the time, a lot of sites were getting hacked, and Sucuri was new on the security and site cleanup scene — as a group of founders with WordPress agency experience — ready to help folks get their sites cleaned and back on track.
The growth just kept coming. They developed a team with a reputation for discovering, disclosing, and helping to fix vulnerabilities — some being exploited in the wild, as well as plenty that existed but had not yet been exploited.
Today, Sucuri has twenty-four-hour support and site cleanup staff distributed all over the world, an engineering team, a widely used WAF product, their popular malware scanner, and partnerships with many companies to use and resell their products and services.
Stakeholders and funding
They have raised at least one round of funding, though they have decided to not discuss their financials with the acquisition news. They are in all likelihood a profitable company, though I cannot confirm it directly.
Their one public funding round was from Turn/River, a private equity firm that specializes in growth capital and offering founder liquidity. Turn/River managing partner Dominic Ang has been on Sucuri's board since November, 2013, likely as a result of the deal. I doubt that round was designed to provide runway to an unprofitable company as much as to allow for added growth or to manage partner equity issues.
Sucuri CEO Dre Armeda left the company in May of 2014, a surprise move, and after a summer break, spent about two years at WebDevStudios, before going back to Sucuri to lead business development in the early fall of 2016.
I did not receive direct confirmation from Sucuri about who holds what positions, but according to people I spoke to with knowledge of the matter, Dre's initial break from Sucuri was a complete one, and the lion's share of equity today is held by Tony and Daniel, minus whatever may have been given for the private equity investment or used for employee stock options.
Transition to GoDaddy
Dre will continue in his role directing Sucuri partnerships through the transition. He said he will “most definitely be staying onboard with GoDaddy,” and that he's very excited about the future.
Tony will be the Vice President of Product and Daniel will be the Vice President of Engineering for Sucuri. Tony told me, “We will both be running Sucuri, which will continue as its own entity (similar to MediaTemple).”
Tony also told me that the entire Sucuri team is moving over to GoDaddy. He is most excited for, “the opportunity to scale our product and technology. This is what most technologists dream of.” Due to the expanded audience and data set to work with for their WAF and other products, he says, “our technology and network will only get better from here.”
They fully intend to keep their research arm together, though I'm sure it will include more information sharing with the broader GoDaddy organization. Tony says these arms of Sucuri, “are a staple of what we do and who we are, and what GoDaddy is investing in. This is a good thing for all the communities we support.”
GoDaddy has had an active partnership with SiteLock for security scanning, WAF, and similar services to what Sucuri provides, and those agreements are still in place. Based on talking to members of GoDaddy and SiteLock's teams, it appears there is much still for them to figure out going forward.
A crossed web of data and partnerships
Security companies like Sucuri, SiteLock, or CloudFlare have many partnerships in place that give them access to data about hosting and other types of companies. Now that Sucuri will be part of the GoDaddy family of brands, it will surely impact current partnerships — at least in the long term.
SiteLock recently added new products to their agreement with GoDaddy, and was actively working with various stakeholders on implementation. SiteLock has something like 7 million websites they monitor, and at least “several hundred thousand” of those were through the GoDaddy partnership. This deal is a medium-term blow to SiteLock — though it doesn't change much in the short term, and definitely has potential upside in the longer term.
Sucuri also recently secured a deal with SiteGround to do all their site scanning; and they've long worked with WP Engine, amongst other players in the market. While Sucuri may well want to continue those partnerships, it will surely make it more complicated for the partners themselves — to decide what kind of data they are willing to share with a competitor. Jason Cohen of WP Engine tells me they are, “already in active conversations about how to navigate that [their partnership] under new ownership,” and that they are happy for the Sucuri team.
A degree of apprehension and concern is something I've been able to confirm with some of their current partners, as well as others in the hosting space. And while SiteLock has upstream stakeholder ties with EIG, through Unitedweb, there's clearly more separation than GoDaddy's direct interest in Sucuri, and some of Sucuri's partners may choose to go with SiteLock.
Sidenote: If you really want a picture of how complicated investment ties get, also know that Unitedweb has ties with KKR (right there in their portfolio!) — a company that took on a massive stake in GoDaddy as part of the deal that included Bob Parsons becoming chairman of the company, rather than CEO. So at least in one direction, GoDaddy and EIG, two rivals, have common investors. You've got to love it.
I'm sure Sucuri would like to maintain the equivalent of a Chinese wall internally to reassure partners that their information is safe. However, that may be a bit naive, considering the primary value of Sucuri to GoDaddy isn't the monetary significance of their partnerships, but many other elements.
It's very possible that GoDaddy and Sucuri both want to maintain Sucuri in its current state, as a provider to others — while GoDaddy also gets the many benefits of owning Sucuri outright. I just don't know that it will be that easy.
Of course, all of this is in reference to Sucuri's business to business relationships, not business to consumer. All of their business to consumer stuff should stay the same, and will likely improve with more money and momentum behind them with GoDaddy.
The value of a company in an acquisition
Conveniently enough, Jason Cohen — CTO and co-founder of WP Engine — recently wrote a blog post that helps put an acquisition like this in context, about why big companies purchase small companies. I'm not saying Sucuri is small, but in context to GoDaddy it still applies well. In it, he describes how it's not about revenue or the value of the product, but about how it helps the larger company execute a strategy.
Apologies to Jason that I'm just going to drop a big quote from the piece. He lays out the questions a big company wants to answer in executing a new strategy:
“How can we de-risk the unknowns?”
“How can we accelerate the plan?”
“How can we become #1 or #2 in a new market?”
As a concrete example, suppose the product strategy included creating a new, complementary product that can be up-sold to existing customers, and that is unique in their existing market. One option is to build the new product in-house; this could take two years and millions of dollars.
(Startups shouldn’t act smug about this. Even for startups, it takes years for a new product to become good enough to demand many millions of dollars in revenue.)
Another option is to buy a startup that already built a decent product, which might take 6 months to integrate, accelerating the overall execution of the strategy by 18 months. Even if this costs more than 2 years of in-house assembly, it’s still worth it, due to accelerating revenue growth due to up-sales and market-differentiation.
This acquirer doesn’t care about the financials of the startup.
GoDaddy hosts more than 10 million websites. Even without Sucuri's partnerships, they would have a huge swath of websites and information to continue to improve their product. They can choose whether to integrate the product as a free value-add to customers, or to upsell them Sucuri's services to add to their ARPU (Average revenue per user) — a key metric.
If GoDaddy can improve their baseline numbers and never sell Sucuri products and services to any other business, that is fine, and perfectly logical, especially for a public company!
GoDaddy's view and putting this acquisition in context
GoDaddy is a public company now, meaning we have some insight into their financials and motivations.
One motivation is certainly Sucuri's brand. Sucuri has made a name for itself, and just as with ManageWP, the loyal customers of that brand may change their view on GoDaddy. Also like ManageWP, the pushback from a vocal minority is significant, but overall bringing in another reputable company is helpful for GoDaddy's broader push into the WordPress market. In Sucuri's case, that extends beyond just WordPress to the broader web security space.
Additionally, GoDaddy needs to be able to offer security services. A WAF, site scanning, and other things Sucuri provides are expected by many customers these days, and owning a company that does this stuff outright is just as good as, or better than, having to constantly deal with costly partnerships.
And while the partnership with SiteLock was active, it seems SiteLock and GoDaddy viewed it in different ways. The deal was expensive for GoDaddy — to the point that they could not include it for all customers while maintaining a low price point.
GoDaddy frequently spends money to expand the services they can provide to customers — whether as upsells or standalone products. Two examples are the 2013 acquisition of Ronin, which is integrated inside GoDaddy as an online bookkeeping solution, and the 2014 acquisition of Mad Mimi, which is integrated as GoDaddy email marketing.
This is a playbook they've used before. Integrated products with standalone versions allow them to use resources for common goals, and either include or bundle products in various plans to increase revenues with existing customers.
GoDaddy nearly reached profitability in 2016. They made over $2.1 billion in revenue, a 12.5% increase year over year. It's also double what they reported when KKR and Silver Lake purchased it in mid-2011. But more importantly, their net losses were only $21.9 million — basically nothing at that scale.
A company like GoDaddy will make moves in many directions to shore up their product, be able to offer more products to their customers, and improve their bottom line. In recent years, the strategy from GoDaddy has not been to squeeze every penny by reducing costs, but to strategically invest to improve their product, which had taken a reputation hit in more ways than one.
The purchase of Sucuri is one acquisition in line with that strategy. In 2016, they reported $118.5 million related to acquisitions, an increase from $61.8 million in 2015. It will be much more this year, as they are finalizing their purchase of HEG next quarter — a deal that will increase their customer base by more than 10%, better establish them in Europe, and included refinancing a $1.1 billion loan into a $2.5 billion loan.
GoDaddy is the largest company with an active presence in the WordPress space. They are one of the primary places new website owners or small business owners go to for web services. It is natural and expected for them to invest heavily in WordPress — both directly and via acquisitions — as a quality WordPress experience for their customers is important for them to retain those customers, and prevent them from going to the real competitors, which are hosted solutions.
Expect more to come in 2017, and beyond. The WordPress market will continue to consolidate.