The ESTC Endgame Acquisition

Here’s some relevant info on the just announced ESTC acquisition of endpoint security software firm Endgame.

What is endpoint security?

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of laptops, tablets, mobile phones and other wireless devices to corporate networks creates attack paths for security threats.[1][2] Endpoint security attempts to ensure that such devices follow a definite level of compliance to standards.

Remember that Elasticsearch has Beats.
Beats is the platform for single-purpose data shippers. They send data from hundreds or thousands of machines and systems to Logstash or Elasticsearch.

We have also started to see our Beats agents being used more and more beyond just as server-side machines, and being installed on endpoints of many kinds, including workstations. Endgame’s endpoint product is purpose-built to run on a variety of endpoints, such as Windows, Mac, Linux, and Solaris devices, and using Beats will form a foundation to ship endpoint data into Elasticsearch.…

See the fit there?

The Endpoint platform is currently based on Elasticsearch. Also from that blog.

We have known about Endgame and its endpoint product for quite some time. The product embeds Elasticsearch as its main data store for its alerts and investigation workflows, and is considered one of the best endpoint solutions out there today.

The deal is reported as $234M in all stock issuance. What is Elastic getting for that?

“Endgame had been working on growing its annual recurring revenue, which it said in materials sent to investors earlier this year was about $21.8 million in 2018, up from just $3.6 million in 2016. It had been aiming for $39 million in revenue for 2019, according to those materials.”…

Endgame expects $39M in revenues for 2019 up from $21.8M in 2018. That comes in at 79% yoy growth. At $234 price tag that represents a forward P/S of 6! And growth of 79%! For the revenue add-in alone that is very attractive.

Endgame gets very high reviews. Here’s the Gartner insights with a stellar 4.9/5. Note there are only 15 reviews, they are a fairly small company after all.

“The product itself is best-in-class”…

What does Elastic plan to do with Endgame and the Elasticsearch stack? From Shay during Q&A.

“But then we’re also moving up, and you should expect us to see over the next year a more curated experience when it comes to the SIEM product and the SIEM market and are starting to release a concrete product in that space. I’m also excited about the – I’ll mention it again. I’m excited about the endpoint market and our Endgame opportunity.

We’ve been developing the ability to shift some security events obviously not at the scale of what the Endgame product has into the Elastic stack because we know once you put all of this type of information in a search engine, you really empower security researchers and security users across the world. And to be honest, you bring security capabilities to dev ops and ops people out there. So we’re excited about doing that. And when you really look at these two markets, you start to see that they’re really – they work wonderfully together, and it’s a compounding effect that you can give to any type of security user out there by merging together SIEM and endpoint.

And that’s our goal moving forward with this acquisition, is to be able to provide the best product to market and asking tough questions like why do you have two products? Or single-user experience that any security user out there deserves.”

It appears the roadmap is to develop a more concrete combined SIEM/endpoint security platform for the entire digital stack.

Very interesting.



Nice post Darth, thanks!
I noticed this similar blog yesterday, from Endgame side of house:

What I find most interesting is the sales motion here.
There are a ton of endpoint security companies, from legacy hardware like Cisco, PANW, Forcepoint, Trend Micro, and upcoming IPO Crowdstrike, etc etc…

So my first thought was similar to when Nutanix started broadening their product base so rapidly, and I worried their sales teams would lose some of that laser focus on HCI that was core to their growth.

But in Elastic’s case, they focus on the “bottom up” approach and their Users drive/create use cases. I have pointed out that they tend to say “use case” a ton of times in their CC, about 30 times in each of the past two ER CC’s.

From that Endgame blog:
“Endgame would gain an ability to get our endpoint technology into the hands of dev ops, security practitioners, and IT users throughout the world, and Elastic would gain access to endpoint telemetry in the market in order to enhance a security use-case their users were already embracing.”

So this is approaching endpoint security, imo, from a much different angle than I traditionally see in IT sales. Often IT (hardware side) is in charge of creating/procuring the infrastructure (on-prem or in cloud) needed to run the apps/workloads demanded by the business and developers and DB admins, etc… So if the dev ops folks are already looking at and familiar with Elastic solutions and then take it a step further with the Endgame software, it basically cuts out a step in the sales cycle, and when Cisco or whoever looks to push Endpoint Security with the IT contacts in charge of either Security or Personal Systems (or sometimes the Network team) they will be told there is no need.

The “other wireless devices” category could be interesting too…and is basically IoT in my mind. If you have thousands of sensors deployed in factories or field or wherever, and you want immediate/actionable data regarding alerts or security issues, etc… and you want to also secure that environment at the same time, then Elastic could provide the whole package.

Without digging into it too much, this is how I read it at a high-level.
I like the move, but I still want to hear/see more about Enterprise search and other use cases outside of endpoint, but due to the Endgame acquisition being so fresh, that is probably where the PR focus will be for a bit.

Elastic is/was also at BoA/Merrill Lynch Tech Conf today:



Thanks Dreamer,

Very insightful, with the comparison to Nutanix. They simultaneously launched, what, like 8 products or so.

Where I think the difference is: with Elastic they are focusing on one platform, what was known as the Elastic Stack: Elasticsearch, Logstash, Kibana, and Beats. And leveraging those core features to different use cases as you point out, all based on that core offering. And like you point out, the development of those use cases is largely done by the users and community. And then Elastic works to embed those developments into the core product or bolt on some capabilities like with Endgame.

So they’re already using the stack with minimal changes to enter the security and SIEM markets because that core offering is so good naturally at doing those use cases.

It’s not that they’re building a separate and new product/offering; it’s that they’re taking the same product and configuring it to leverage the Stack’s core competencies to do new things or do things it’s already doing better.

Reminds me more of what SMAR is doing with accelerators. Taking the same platform that was a simple Smartsheet project management tool yesterday and using existing technology inside the platform to turn it into a GDPR “operational framework to consistently and effectively manage, demonstrate, and report on processes for ongoing GDPR compliance.” In a turnkey solution.

Thanks for your insight there.



Darth, Dreamer… great insight and discussions… thanks for sharing.

When I read Darth’s post, I was thinking precisely SMAR’s connector strategy and also TWLO’s call center product (I forget the name)… rather than NTNX’ wide reach portfolio.

I still remember Dreamer’s excellent post on NTNX and how its portfolio became a burden on the sales team rather than a benefit. I have seen this in my industry and I can relate to it.

SMAR, ESTC, SQ, SHOP and TWLO have demonstrated a much, much more focused and successful approach in portfolio expansion and that’s why they continue to deliver really strong top line growth.


Fantastic recap of the acquisition, Darth - many thanks. Extra bonus with the great discussion thread afterwards. Must read by ESTC owners.

This is circling around what I was getting at at the end of my recent deep dive and why I was surprised and excited by the potential. ESTC is starting to acquire enterprise-focused SaaS companies being built on their platform. This in turn gives them massive OPTIONALITY, as ESTC can continue to do what MDB does (make a database, and make a lot of money selling support and cloud hosting of it) PLUS gets to make highly-focused services off it. This is a highly unique circumstance they find themselves in; I’m not sure I’ve seen this combination before, and it is a direction that MDB can’t really enter. They are not only a database provider and cloud hosting service, but ESTC is now wrapping up and spinning off enterprise-focused SaaS services built on their system. It started with Search-as-a-Service but is now taking a sharp turn into Security-as-a-Service offerings.

It is NO SURPRISE they took this tack. The two main tracks at their developer conference over the past 2 years have been using Elastic Stack for 1) Infrastructure monitoring and 2) Security and SIEM. They have bolted on many products around monitoring (Beats, Logstash) over their history, but none around security – any security stack had to be “hand-built” on Elastic Stack. And many many people are doing so.

There were two tidbits that caught my eye:

  • CEO: “you should expect us to see over the next year a more curated experience when it comes to the SIEM product and the SIEM market and are starting to release a concrete product in that space”

  • PR that Dreamer posted: “together, we will bring to market a holistic security product that combines endpoint and SIEM”

[SEIM = Security Event Information Management, a system for tracking and correlating disparate events from network, system and device logs to generate real-time alerts.]

So with Endgame, they are gaining an endpoint protection product that is sold as a SaaS service to enterprises for network security – but gave us a glimpse that that is just the beginning. It seems that endpoint protection will be just a piece of the ultimate platform they plan on releasing as a SIEM SECaaS service.

I expect this foray into enterprise SaaS services to continue, and with this move into SECaaS, possibly with other services that may be acquired, all rolled up into a SIEM service.

long ESTC


Thanks for the insight, Muji. Your statement of “ESTC is now wrapping up and spinning off enterprise-focused SaaS services built on their system” is quite eye opening.

If we pursue that line of thinking, it is possible that we see potential for ESTC expanding rapidly in multiple areas simultaneously… of course either diluting current shareholders or taking on debt… but that’s ok as long as they can do so successfully.

Clearly, building on the Elastic platform and getting a focused team would help them get product development right. Next I am wondering how that would play out on the sales side. We have learned from NTNX that just expanding the portfolio doesn’t get you too far.

I am not sure if the SIEM sales cycle would benefit from ESTC’s classic “get the developers through open source” approach.

So, I have a question, probably for Dreamer but also for anyone else knowledgeable in the field.

From a perspective of approaching sales and closing deals, do you think the Endgame acquisition aligns well with ESTC? Or would it change, and how? What probability of success would you assign to it?


Also just read another excellent post of Muji’s…

That triggered another question in my head to consider.
If ESTC’s strategy is expanding into different curated solutions based on their platform, would it discourage their potential customers, as they will see ESTC as their future competition? Of course, startups will like this potential to get acquired but established players won’t.

And what other potential areas can ESTC expand into?

This is very interesting and ESTC management certainly seems very aggressive and savvy, just not sure if they are pursuing a viable strategy or one that will backfire.

Based on what Muji describes, this situation is not similar to SMAR’s connector strategy… it is more complex than that… especially if ESTC can expand into more than one space like SIEM.

BTW - for those interested, ESTC is seeing some selling pressure now in the middle of tremendous pull for SaaS / cloud stock… presumably because all insiders can now sell at the end of the lock-up period.

May be a good time to buy for long term holders…

Ethan & Muji’s write-ups have certainly increased my interest but I am not ready to buy, nor do I have cash to spare to buy… will continue to evaluate this one.


Great discussion on this acquisition. Just wanted to note that my company uses Endgame. We were hit with a crippling ransomware attack last year that took us months to recover from. For a month or so, we didn’t even know what our revenues were. We were just selling blindly. Only cell phones worked for business right after the attack. Any company “land line” was down. Customers couldn’t get in touch with us and we lost a good amount of business though we have no idea how much.

Endgame was what was installed on our laptops. So far so good. This doesn’t add anything to the equation, but just letting you know my anecdote. I believe it was installed at our parent company as well, so that likely isn’t a terribly small sale as the company has somewhere around $5B in revenues. We are private so I don’t really know exactly.

Just thought I’d share. We hired a consultant to handle our problems and they recommended Endgame. I have no idea what we pay for the service unfortunately.