The cyber breach of Colonial Pipeline Co. that caused gas panics in parts of the eastern U.S. underscores the need to vigilantly maintain — and invest in — defenses against sophisticated hackers.

The hack also provides a timely backdrop for Thoma Bravo LP’s $12.3 billion purchase of ProofPoint Inc. (PFPT). Proofpoint is Thoma Bravo’s largest deal and marks the the largest privatization ever in cyberdefense, a field that has attracted such prominent investors as Silver Lake Partners LP, Vista Equity Partners LLC, Bain Capital and KKR & Co. (KKR).

“We love the cybersecurity market,” Thoma Bravo managing partner Seth Boro said in a written response to a query. Boro leads Thoma Bravo’s infrastructure software and cybersecurity efforts, with support from partner Chip Virnig.

“It represents the largest and highest growth TAM [total addressable market] in all of enterprise software and is the most dynamic and complicated market segment,” Boro said of the cybersecurity business. “The complexities around cyber are why we believe the market hasn’t historically been addressed by PE.”

The San Francisco- and Chicago-based sponsor, founded in 2008, has made prominent tech investments throughout software and technology. Major deals in the past year include the purchase of RealPage Inc., which valued the real estate data analytics company at $10.2 billion, and the sale of mortgage software company Ellie Mae Inc. to Intercontinental Exchange Inc. (ICE) for $11 billion. The firm has invested in security for more than a decade and made a series of cybersecurity investments exceeding $1 billion that includes Proofpoint, Sophos Group plc, Imperva Inc., Barracuda Networks Inc. and Blue Coat Systems Inc.

While Proofpoint offers a range of security and compliance services, the Sunnyvale, Calif., company made its name in email security.

For all of the sophistication of corporate networks and defenses, age-old vulnerabilities of human nature and the forbidden fruit of email attachments are the root of many corporate attacks. “People are the new perimeter,” Proofpoint CEO Gary Steele told investors during the company’s fourth-quarter earnings call in February. The company has branched out into compliance, archiving and other niches.

Going private makes sense for Proofpoint, D.A. Davidson & Co. analyst Andy Nowinski said.

Thoma Bravo is paying $176 per share, for a 34% premium to the closing share price before the announcement. The payout comes to a little more than eight times sales, Nowinski noted, while fellow cybersecurity company CrowdStrike Holdings Inc. (CRWD) trades at about 23 times sales.

Proofpoint’s revenue growth has decelerated to about 15%, Nowinski said, while most vendors are growing at 20% or more, and CrowdStrike is expanding its annualized recurring revenue at about 80%. Meanwhile, the analyst said Proofpoint’s operating margin is basically flat at 14% to 15, based on the outlook for fiscal 2021.

“When companies start to see a big deceleration in growth rate, to just the lower mid-teens, you have to give investors some sort of margin expansion to keep them interested in the stock,” Nowinski said.

By taking the company private, Nowinski suggested, Thoma Bravo can build up revenue growth without pressure to simultaneously boost operating margins. “Over the next two years, I think you’ll see Thoma Bravo making more acquisitions for Proofpoint and building out their portfolio to get the growth rate higher,” the analyst said. “Then, when they emerge with a high growth rate, then they can start to show hopefully some positive operating leverage as well.”

Thoma Bravo’s investment in Blue Coat illustrates the firm’s experience in building up portfolio companies.

Thoma Bravo and Ontario Teachers’ Pension Plan took Blue Coat private through a 2011 transaction that valued the Sunnyvale, Calif., web and network security company at $1.3 billion. The deal was Thoma Bravo’s first $1 billion-plus acquisition in the sector and only its second take private valued at more than $1 billion at the time.

After the buyout, Blue Coat expanded from on-premises services into a high-growth cloud franchise.

As the case study shows, Thoma Bravo backed a series of acquisitions to build up Blue Coat’s security platform before selling the portfolio company to Bain Capital for $2.4 billion in 2015. The follow-ons included fellow web security provider Crossbeam Systems Inc.; the division of Netronome Systems Inc. that inspects internet traffic for threats and data leaks; analytics and forensics company Solera Networks Inc.; and anti-malware software developer Norman Shark.

Since Thoma Bravo’s exit, Blue Coat has been party to cybersecurity consolidation. Bain sold Blue Coat to Silver Lake-backed Symantec Corp. for $4.65 billion in 2016. Symantec later sold its enterprise business for $10.7 billion in 2019 to Hock Tan’s acquisitive chipmaker Broadcom Inc. (AVGO), which itself has been compared to a private equity firm because of its acquisition strategy. Symantec has since rebranded as NortonLifelock Inc. (NLOK).

In a sense, Blue Coat set the table for subsequent Thoma Bravo security acquisitions such as Sophos, Imperva, Barracuda Networks, Proofpoint and Broadcom’s Veracode Inc.

The 2014 purchase of SailPoint Technologies Inc., meanwhile, was comparatively small but stands out because of the increase in the value of the business, which authenticates the identities of users of clients’ systems.

Thoma Bravo paid $318 million for the Austin, Texas, security company, according to SailPoint’s 2017 IPO prospectus.

Following Thoma Bravo’s purchase, SailPoint bolted on Whitebox Security Ltd. in July 2015 for $16 million. Thoma Bravo took the company public in 2017 as SailPoint Technologies Holdings Inc. (SAIL) through an offering that raised $240 million and valued the company at $1.2 billion at the close of its first day of trading. SailPoint’s market cap currently exceeds $4 billion.

Cybersecurity has been elevated beyond IT departments to a major concern for boards and a subject for ESG policies.

While pandemic lockdowns have shown the resilience of enterprise software systems that allowed staffers to work from home, they have opened new avenues for hackers.

“The risk of targeted attacks from criminal groups, foreign intelligence services and other bad actors has only increased with the mass shift to remote work arrangements, embrace of cloud-based operations and increased reliance on virtual commerce spurred by the pandemic,” Wachtell, Lipton, Rosen & Katz attorneys John Savarese, Sarah Eddy, Sabastian Niles and Jeohn Salone Favors said in a May 11 note on cybersecurity oversight.

Recent breaches suggest the threat is not abating.

“You have an underlying growth driver that will never go away — hacking activity,” D.A. Davidson’s Nowinski said. “You have to continually patch holes with best-in-class security solutions, or there are going to be severe consequences, as we can see with Colonial Pipeline.”

Meanwhile, Thoma Bravo has plenty of dry powder. In October, the firm announced the closing of three funds that collectively included $22.8 billion in capital commitments. The $17.8 billion Thoma Bravo Fund XIV makes large equity investments and is the firm’s richest flagship fund ever. The $3.9 billion Thoma Bravo Discover Fund III makes middle-market equity investments, and the $1.1 billion Thoma Bravo Explore Fund targets lower-middle-market equity investments. Kirkland & Ellis LLP advised the firm on the fundraisings.

Cybersecurity is apparently still on the sponsor’s list.

“We have invested a significant amount of time in the cybersecurity space, allowing us to develop more conviction in some of these categories than our peers, and we are just getting started,” Thoma Bravo’s Boro said.

This story first appeared as part of The Dealmaker Quarterly.