Is Symantec getting ready to buy Splunk?

Yesterday, Symantec CEO of Symantec, Greg Clark flexed his M&A biceps, saying that Splunk could be an attractive target at a $9+ billion valuation.

Clark definitely plans to go whale hunting to regain Symantec’s long lost security position. Symantec expects to grow 3% to 5% in 2018. Compare that to Splunk – which projects to grow upwards of 20% this year and generate $1.2 billion revenues, up from $950 million last year, and it’s not hard to see why Clark is interested.

In the second quarter 2017 results, Splunk’s revenues grew by 30% Qquarter on quarter. Analysts gushed with “congratulations on a great quarter” as Doug Merritt, CEO and David Conte, CFO fielded the calls, digging into Splunk’s security opportunities and trends. Splunk has handily kicked the backsides of all the legacy security players.

Symantec, Cisco, IBM and HP each of which were mired in their own corporate challenges. CEO transitions, acquisitions and divestitures kept them distracted. IBM’s security revenues are growing at 5%. Cisco’s security business grew 9% in FY 2017. HPE’s software revenues have been dropping by 8% to 11% in first two quarters of 2017.

While they are eating dust, Splunk has continued to grab security market share at an enviable pace. By some estimates, Splunk will pull in upwards of $400 million from its security division this year. Which is over 40% of its annual revenues.  Splunk is rapidly becoming the defacto SIEM replacement product, causing heartache for HP-ArcSight as well as IBM. But Splunk never started out to be a security company. How did it even get here?

Let’s do something – like cure cancer, or… aggregate machine data

While hunting for ideas for his third startup, Erik Swan, co-founder of Splunk started to think big: cure cancer. He most probably googled “how to cure cancer” and even confessed that he bookmarked web pages on genomics research. After all, curing cancer has so much cachet to it. But a week later, reality set in. Instead of cancer, he decided to solve a problem that’s aligned more closely to his universe.

He found that IT operations team struggled with troubleshooting – gathering and analyzing relevant data to get to the bottom of the issues was nearly impossible. Erik and his co-founder, Rob Das polled over fifty potential users over a period of nine months and found this to be a pressing problem.  People were writing all kinds of scripts.

To access data, the database administrator would often get involved. No one person had access to all the data. Each corporate silo – IT, BizDev, Ops – were doing their own thing. Analytics was another growing nightmare.  And so they started to build an engine that gobbled up machine data. Spelunking, or exploring caves is  a hobby for some. IT teams were used to digging into the caves of data to identify patterns. For the two founders, the vision was simple – all machine data within any enterprise could be gathered, stored, searched and analyzed.  Every user they polled said, they need and they’d pay for something like this. It sure sounded like a Google appliance for machine data.

As it got off the ground, the company raised around $5 million at a pre-money of $5.7 million. David Hornik of August Capital invested in the first round. Fourteen years later, he still serves on the board of the company. “As the longest standing member of the Spunk team, I recall the pitch as ‘search engine for log files’ – whatever that meant” he says.  “But this was one of the first few teams to to hit the nail on the head on several fronts – they understood the importance of gathering ever burgeoning machine data well in advance of anyone else. The ability to store this data easily and then conduct arbitrary searches on top of it blended together into a compelling opportunity.”  And Splunk did not know back then, that the security team would love such a central repository of all data. The company consumed less than $50 million in venture capital and completed its IPO, eight years later.

For the modern day Unicorn, this is an interesting challenge – can you get to an IPO on less than $50 million?

Splunk’s revenue growth (Actual & 2018 full year projections)


First the culture, then the people

Merritt joined the company when it was pulling in $348 million in revenues and worked his way up to become its CEO in 2015. His mantra for growth is simple — freedom & accountability, with a healthy dose of humility. In a day and age when CEOs often exude an air of invincibility, complete with chest-thumping braggadocios, Merritt is quite the opposite. While he establishes the overarching guidelines and framework, he often tells his team, “I am dependent on you. Please guide the way.”

Splunk’s cultural DNA — “low on politics and high on accountability” combined with intellectual rigor and  humility has become Splunk’s strong suite.  Its team stays nimble, innovative and keeps an ear close to the customer. These characteristics allow the ship to move into unchartered waters. Splunk never started off to build a security platform but rather, it evolved into one of the leading solutions of the day.

The technology stack was evolving rapidly. At one one end of the spectrum, the perimeter dissolved in cloud and mobility wave. Data storage became cheaper, unstructured data sources grew and Hadoop clusters were being evangelized. Words like Big Data popped up everywhere but very few knew what it exactly meant, or what would anyone do with all this data.

Merritt recalls, “With processing power, new schema and ability to rapidly query, the nightmarish days of data warehouse, data lakes and swamps could come to an end. Data sets and pairings can be made very rapidly to draw conclusions.” Splunk soon became of the first companies to help make sense out of the big data madness.

David Hornik of August Capital says, “There were a lot of ways Splunk could grow — the team was savvy. Even though they did not have the magic key, they studied the user engagement closely. The security use-case was a natural extension of debugging  and traffic analysis / compliance became the drivers.”

Security revenue growth has sextupled in three years

As customers gathered data, security teams started to poke around to analyze patterns and trends. The best part – everyone was working of the same repository. There were no multiple silos, hidden copies and master copies. Everyone was looking at the same dataset, yet from different angles.

By 2014, as much as 20% of Splunk’s revenues, or upwards of $50 million were coming from security markets. Splunk soon formed a Security Market Group to dig deeper. Haiyan Song came onboard as SVP of Security Markets. Previously, she had spent nine years at ArcSight, driving the product strategy of its security event and information management (SIEM) product line.

Legacy SIEMs were unable to adapt to market changes and the shift from Arcsight to Splunk was a well calculated move. Between 2014 and 2017, Splunk started to pull in as much as 40% of its revenues, or close to $350 million from security markets. That’s a 6X ~ 8X growth in three years. While there is no easy way to measure innovation, a 6X revenue growth speaks to the culture, hunger and drive of Splunk’s security team.

Show me the ROI

DJ Goldsworthy, Director of Security Operations and Threat Management at AFLAC has over a hundred team members in his infosec department. He says, “I heard about Splunk when I was trying to build a similar internal system using .net code. I tried it and in ten minutes, I could do everything I needed. I got buy-in very quickly to replace our legacy systems. Today, I can gather my security metrics and offer them to our board of directors in record time. We can manage and measure our security posture and protect our clients.”

A Chief Information Security Officer (CISO) of a publicly traded company, who uses Splunk SIEM in the Cloud says, “We monitor 12 billion events and before Splunk, we had all these data silos, time consuming reporting and manual troubleshooting. After Splunk, my dashboard has 12 billion events reduced to 140 actionable alerts. I have a great ‘helicopter’ view and much efficient use of my team’s time.”

One security executive told me that ‘thanks to the false positives, our Intrusion Detection Systems (IDS) had become somewhat of an internal joke’ so we started using Splunk. Our data had an interesting pattern. The operations and applications data clocked at 20% each, while security data was as high as 50% of the volume And our application / SaaS Data was only 5%. Splunk is now our defacto security platform.

Despite that, its largest customers are indexing less than 25% of their total data. While the average selling price is around $75,000 most people I spoke with were clear of the ROI they see.  Security analysts were moving up the productivity chain. They were doing bigger & better things. Morale and team dynamics were up and customers continue to pump in more data. One customer pumps in 10X more data from when they started, five years ago. Yet some large customers struggled with costs, which increase with volume of data ingested. The company has now developed an array of pricing options, away from volume of data even though AWS is its largest expense.

Competition from SumoLogic (which aims for an IPO),  Loggly for cloud native offerings and Log Rhythm is heating up. Open source offerings like Elk stack (Elastic Search, Kibana, Logstash) are a growing threat. Elastic (backed by Benchmark, Index, NEA) acquired Prelert for  its machine learning and Opbeat for application performance. And then there is adjacent pressure from the likes of New Relic / AppDynamics (now Cisco). All of these impact Splunk’s growth rate. For those who think Amazon will eat up Splunk, it’s unlikely to happen as long as customer’s data floats on-prem or the hybrid cloud.


Capital Raised ($m)

Year Started

Select Investors

Sumo Logic

$230 m


Accel, Greylock, Sequoia, Sapphire

Log Rhythm

$126 m


Access Ventures, Adams Street, Grotech


$47 m


Trinity Ventures, Data Collective, Cisco, True Ventures


$40 m


(IPO in 2012)

August Capital, Ignition Partners