Semperis, a specialist in Active Directory security now worth more than $1B, raises $125M



Active Directory – the Microsoft directory service for connecting users with network resources – is used by more than 90% of all Fortune 1000 companies and many more besides. So it’s no surprise that it’s a giant target for malicious hackers. 

That also means a lot of attention for security companies that are building tools to protect and recover AD services. 

Today, Semperis – a Hoboken, NJ, startup focused on AD protection – is announcing funding of $125 million from J. P. Morgan and Hercules Capital, money that it will be using for R&D and business development. In addition to Active Directory, these days Semperis also provides threat detection, response, recovery and related services for users of Entra ID (formerly known by the more wordy name Azure Active ID) and Okta in cases where customers are using these for some or all of their cloud services. Its customers include Lenovo, Prime Healthcare, Sanofi, United Airlines, Starbucks, Hertz and many others, covering some 100 million user identities in all. 

The funding is coming almost exactly two years since Semperis raised a $200 million Series C. 

Unlike that round, this financing is a mix of equity and debt – more on why it took debt below – and also unlike that round, TechCrunch has confirmed the valuation of the company: it’s now over $1 billion – or, in the words of Mickey Bresman, Semperis’ founder and CEO, “I have a horn.”

(The $651 million noted in PitchBook is inaccurate.)

Alongside the financing, Semperis is also adding three executives that Bresman said will be critical for it taking its next steps as a business, which he said currently looks like an IPO, but I’d say could also be M&A in the right situation, given how much consolidation we’ve been witnessing in the cybersecurity market in the last few years.

Jeff Bray is coming on as a CFO; Mike DeGaetano is joining as its chief revenue officer, and Annabel Lewis is coming on as chief legal officer and corporate secretary. All three have extensive backgrounds with some of the more successful cyber companies of the last decade. 

Semperis has been around since 2013 (with services formally launching in 2015), and Bresman says he likes to joke that the company was both too early and too late to the market. 

Early because cybersecurity simply was not as big of a deal just ten years ago, and the conversation was not really about ID management ( today that is a huge theme). Late because actually AD was launched in 1999 already being used very ubiquitously, thus laying the groundwork for the extensive hacking that would eventually grip AD-using organizations. There have been waves upon waves of attacks exploiting vulnerabilities through the Active Directory architecture. 

And despite the beating drum of cloud services (and more specifically the beating drum of the cloud services marketing machine), on premises services are still huge, and AD is the route to how many of them are used among enterprises. One of the more recent and damaging AD-exploitations was NotPetya, which has been described as one of the “most devastating” attacks in cyber history. 

Since then, of course, a number of others focused on AD have emerged. They include Palo Alto Networks, Bitsight, BigID, Wiz and many others.

One of the problems with a lot of AD attacks is that across a distributed system, breaches can be complicated, costly, and drawn out to fix. Semperis’ pitch is that it can cut that time by 90%. With downtime being typically even more costly to a business than the breach itself, bringing it down, if not avoiding it altogether, becomes a primary focus for cyber buyers.

“As CISOs shift their focus towards securing and building resiliency into their identity infrastructure, we see enormous demand for specialized hybrid AD and Entra ID protection,” said Bray in a statement.

“Semperis is a clear leader in the urgently needed area of identity system defense, with machine-learning-based attack prevention, detection, and response,” added Scott Bluestein, CEO and CIO at Hercules Capital. “Leading organizations around the world depend on Semperis to safeguard their hybrid Active Directory environment, which is foundational to the IT infrastructure and heavily targeted by attackers.”

As for why the company took debt instead of equity, Bresman simply said that the company had multiple options but it chose this one in part because it has the mix of investors on its cap table that it wants. (He didn’t say the following, but it also means that it has to give up less equity en route to an IPO.)

“Semperis, with new support from J.P. Morgan and Hercules Capital, and our existing team of world-class backers, KKR, Insight Partners, Ten Eleven Partners, Paladin, Advocate Health and others, will continue to drive innovations to disrupt cyberattacks,” said Bray. “The growth financing complements an already strong balance sheet, allowing Semperis to accelerate the investment in R&D and expand our global footprint to meet market demand.”




Source