Core Security flux leaves questions about direction

With change underway in Core Security's executive and engineering ranks and its ability to drive revenue being questioned by industry watchers based on the availability of cheaper technologies from its rivals, company leaders contend that the penetration testing specialist's future is as bright as ever and that they're not priming it for short-term acquisition.

In mid-July, company insiders divulged that two of Core's most visible leaders, CEO Paul Paget and Lead Product Manager Max Caceres, would soon be leaving the firm to pursue other opportunities.

Based on the high-profile departures and apparent disparity in the firm's ability to turn a profit despite a growing customer base, some industry watchers have taken the executive change as an indication that Core, which sells software used by enterprise companies to carry out automated network penetration and end-user security testing, has hit a wall and is rapidly shifting its strategy to prepare for an eventual buyout.

In a new report published by industry analysts at 451 Group, market researchers conclude that Core's products are under pressure from cheaper alternatives, pushing the venture-backed company to prime itself for acquisition.

Founded in 1996, Core currently claims more than 500 customers, a roughly 25 percent increase since the beginning of calendar 2007, yet the company has told its financial backers, including Pegasus Capital and Morgan Stanley Venture Partners to the tune of $4.5 million apiece, that it isn't yet profitable based on operational expenses, according to 451 Group's report.

Nick Selby, the 451 Group analyst who authored the research, said that Core has been discounting its products to pump up its customer base, which he tabs as the actual cause for a shortage of profits.

The strategy behind such a move, while replacing its CEO of five years, is in all likelihood aimed at positioning itself for a buyout, the analyst said.

Makers of other testing tools that directly rival Core's -- those that not only scan IT systems for vulnerabilities but also execute code to analyze just how the flaws can be exploited -- charge less and, in the case of Metasploit Project, are being given out for free, forcing Core to rapidly assess its future growth plans, Selby contends.

With an understanding of the industry trends, Core's venture backers may also be pushing for a sell-off, he said.

"We're strongly of the opinion that Core's tools are very effective but that the market for these products might be more limited than Core or the investors originally thought," said Selby. "If you asked the other companies in this space if they'd be happy to have Core's sales, they'd be ecstatic, but there's a different set of expectations with this level of venture backing."

Much as applications security providers SPI Dynamics and Watchfire were recently swept up by Hewlett-Packard and IBM respectively for undisclosed sums of money the analyst said that either firm could be interested in adding Core.

There is little question that automated penetration testing applications have a strong future, Selby said, but it remains unclear whether businesses will buy the tools from independent vendors or from larger services providers.