Congrats, though we've not interacted much here, you feel like a neighbor... so it feels great to see... and I've learned a LOT from your posts, like never typing the letters A, E, S in consecutive order, for starters. : )
First, congratulations. I did notice though a change in your comment tone from some time ago. (Unfortunately I can't recall exactly when and there is no easy way to draw up comments on HN from "x" days ago; you have to go through page by page.) I'm wondering though if it coincides with this (or maybe another deal) going down. Meaning either the stress or elation of this or another potential transaction altered your writing.
You actually can do this using HNSearch and the by: keyword. If you ever do find some inflection point at which I become/became even more annoying, shoot me an email.
There was a point about 12-18 months ago where you stopped explaining yourself each time and made more appeals to authority (your own) on crypto issues. Admittedly, you were right, and these were all things which you'd explained in detail before, and on which the academic and practical communities have pretty much reached a consensus.
This inflection point is almost certainly not unique to you, though since you're probably one of the first to discuss it in this way, you should probably name it so we can all start identifying it in ourselves and other founders :)
We're continuing as an independent business; the two biggest changes are (1) we're hiring more people than our original plan, and (2) we get to work directly with our friends and rivals at iSEC, who were bought by NCC 2 years ago.
(2) is a big deal --- there are so many smart people doing what we do at NCC companies that we expect research time to get way more productive; also, iSEC and NGS/NCC (the UK "us") have different research focuses, like Android and 3G to our crypto and trading protocols. Black Hat next year should be fun. (there are crypto people at iSEC; I'm sleep deprived and on an airplane)
Yeah I'd reckon with the depth and breadth of talent across the testing business now, it should be really cool. I hope they make the internal information sharing/collaboration piece a priority.
My flight out got cancelled, so my celebratory meal was "Marriott room service Caesar salad".
Apropos nothing: I do not understand why anyone in 2012 flies United. And while I understand why someone might order a Marriott room service Caesar salad, I do not recommend it.
SWUs for international flights. Especially if you buy them on eBay for $200. A cheap coach international fare + a $200 SWU puts you in United Business, which is sometimes better than best-carrier coach. (honestly, I'd prefer CX Economy to UA business on most routes, but UA wins for SFO-IAD-KWI.)
United business between Edinburgh and Newark means seats that fold down into beds and was entirely worth the US$480 I paid to upgrade my flight home last month.
They also have a monopoly on direct flights to the US from Edinburgh, which is another reason someone might end up on a United flight.
Not in our case; we're a wholly-owned subsidiary, but not integrated with our parent company. Our sibling company on the west coast, iSEC Partners, has been operating independently under NCC for several years.
We work a little bit like small record labels.
The changes that will happen include "we're hiring more people" and "we get to share research with sibling companies".
This is an interesting purchase as Matasano is a services company that has some of the smartest people in infosec. For those not in the field, Thomas, Dave and Jeremy are well known and highly respected.
Many acquisitions are to get the talent but I can't remember another one where it's so apparent. The problem is that talent is mobile and $13m for a few super-smart people who leave after a year is expensive.
There is no such thing as a non-talent acquisition in consulting. We're not going anywhere; like iSEC before us, we continue to run independently as Matasano.
So have they acquired you solely for your (current & expected) revenue, or will you bring other wider benefits to the group? Will you just be producing profits for them, or are you planning any kind of interplay with other group companies?
I used to work for a company NCC Group bought a few years ago and I heard Rob Cotton say the same thing...
Things got interesting really fast after our friends in Manchester bought us - changing what computers we use (on the desktop and server), changing email, etc, etc.
I'm one of the founders of iSEC (acquired by NCC in Oct 2010) and I can confirm that we've had a lot more freedom than anybody actually expected. There should be a lot more collaboration between iSEC and Matasano as Tom pointed out, but they don't have to fear the NCC borg assimilating them just yet.
From my understanding of the NGS buyout (which preceded the great NGS exodus) it was on different terms to the SecureTest buyout.
Also SecureTest and NGS were very different creatures. The phrase 'herding cats' was never so much an understatement as it was from what I've been told about life at NGS.
It's also a bit more difficult to bring that level of control into a company outside of the UK. I'm sure there'll be an eventual absorption into the NCC cube (more likely co-absorption of iSEC and Matasano into one entity if previous activities are considered) but I imagine there'll be a fair level of autonomy as long as the founders stick around.
Also I still chuckle about the SAP implementation. We offered to test it years back but for some reason NCC weren't up for it.
It was apparent with NGS too, who were (are) one of the most highly regarded pen testing companies here in the UK. Having worked with many of the leading ones I can say NGS was always at the top of the list, helped not only by their talent but also small size which made them flexible and adaptable. After the acquisition I noticed this changed and a number of the guys I'd worked with left. So it is probably good that Matasano is staying Matasano but with the ability to draw on the collective resources of all the other teams.
I wouldn't say that NGS were the most highly regarded by anyone but themselves. They had a lot of technical expertise in various areas but terrible account and product lifecycle management. Still, there were some extremely smart people there (and I'm sure there still are, you just don't hear from them as NGS).
It almost feels like a personal win here (not in SV, "more experienced guy", networking background etc.)... also shows you can be obnoxious and right at the same time.
[Off topic] I really like the name "matasano", it means bad doctor in informal Spanish. Matasano = matar (kill) + sano (healthy), literally means the doctor who kills the healthy patients.
We like the name too! We picked it after giving up on naming the company (we had chosen "Aperture Security" only to find a week later that it had already been taken) and consulting a "list of plant names" for cool-sounding plants.
We hired a (very smart) Argentine national friend of ours who immediately made us aware of the connotation. We were somewhat unhappy for about 500 milliseconds, and then immediately very very happy.
How come only ~1.3x annualized revenue (the press release said: Year to 30 June 2012, Matasano revenue was $5.0m)? That seems like a very low multiplier -- are consulting companies treated differently from product companies in this regard?
Services companies, of which consulting companies are a subset, typically receive 1.5x to 2x multiples. [n.b. Your math does not match my math.] Why is this less than product companies get? That's less because consulting companies are a bad place to be and more because successful products are an awesome place to be.
It is totally reasonable to have a product company do $7 million of revenue on, say, $2 million of costs. (Let's see: four devs, two sales guys, one marketing, two founders... throw in overhead and we're there.) An acquiring company might have an easy, obvious path to turning that into $70 million of revenue on $5 million of costs. (For example: "We change essentially nothing about your company. We hawk your product to our customer base, using our sales guys, who 6 weeks ago only uttered your name if a customer brought it up, to disparage you. This makes us a mountain of money.")
A services company, on the other hand, might have $7 million revenue on $4 million in costs (16 consultants, 1 business manager, 2 founders). The most straightforward pathway to take this business from $7 million to $70 million is to add 144 consultants. They cost ~$40 million a year. This would be a radically less attractive proposition if it were even possible, but if hiring 144 consultants was easy, you wouldn't have to buy a company to find only 16 of them.
Also, with a dev company you're buying some capital (software) plus renting access to brains. With a consulting company, you're renting access to brains. In all circumstances, brains can move. Software rarely decides to do that spontaneously.
Edit to elaborate: The above is not a strike against doing consulting, by the way. Thomas, for example, has frequently mentioned on HN two true, salient facts: a) almost all products fail miserably and b) the principals at a consulting company beat BigCo salaries approximately the second they call themselves "principals at a consulting company", which is very much not the case at most product companies.
What keeps me building product each day after billing 8 hours of consulting time is that consulting profit is a linear function of time * employees but I can't make more time and I don't want to manage a bunch of consultants.
More congratulations for tptacek, I'm significantly less stupid for his comments and wish him all the best.
It's weird, just today I was thinking about what it would be like to work at a company like Matasano instead of being the paranoid security guy on every web app project I'm hired for.
I've had a look at the requirements and I'm not really up to scratch, additionally I've spent the last five years trying to get out of full-time employment. If I were looking for a day job and was able to relocate to the states, I would totally spend a few months training up on the required skills and send my details over.
tptacek is one of the few names on HN I recognize during my short time here (not to mention he posts a lot!), so needless to say it's pretty awesome to see this happened to him/her.
Besides being very happy for you, I'm now very happy for myself, for listening to your advice during the last half-year of starting my own consulting business.
Your very generous and open comments about everything to do with running a consulting business were, and are, a constant source of help and encouragement.
So congratulations, and I hope you have a lot of fun with your new friends at sibling companies! Much deserved!
Split how many ways? (and maybe there is equity split beyond the top 3?) I personally would be quite happy with $5-10mm, but to net that, I presume he'd have to sell the company in the $40mm+ range. Nice that they did it this year before cap gains go up, though.
HN always seems so fixated on the big payout. tptacek, the other founders, and employees have also just taken their baby to the next level in so many ways. Getting acquired doesn't have to be the end-game.
There's a not-always-unjustified perception in the SV startup scene that it is the end-game, at least of a particular run, because so many startups' products are shuttered by the acquirer. So it better be a big enough payout that you're satisfied with that cashout.
But it looks like this is a quite different kind of acquisition, where they'll basically be doing the same job as before, just under a new umbrella, so it's not really cashing out and shutting down the old business at all.
I'll add yet another "Congratulations, Thomas." Not only have your posts enlightened me with answers about security, more importantly they have taught me to ask questions about security practices. Thank you. This WIN was well-deserved.