The Premise
There is a playbook in private equity that works reliably for SaaS platforms, niche insurers, and subscription media. Acquire the asset. Load it with debt. Cut headcount. Optimise for EBITDA. Harvest recurring revenue. Exit to the next buyer in 4–7 years.
That playbook breaks catastrophically when the asset is a security product embedded in the perimeter of critical national infrastructure. Because when you cut the engineering team that patches the firewall, the recurring revenue you were harvesting becomes recurring breaches. And the blast radius is not a portfolio write-down — it is the Pentagon, NASA, the Federal Reserve, and 2,000 banks.
This is not hypothetical. It happened. And the timeline is damning.
Intelligence Update: The Ivanti/Pulse Secure Timeline
Pulse Secure was, for over a decade, an industry-standard VPN product. Its client list read like a national security directory: US Air Force, Navy, Department of State, FAA, NASA, the Federal Reserve, Deutsche Bank, Wells Fargo. Over 40,000 organisations. The product sat at the network boundary — the single point where external traffic meets internal infrastructure. There is no more security-critical position in an enterprise architecture.
September 2020 — The Acquisition: Clearlake Capital, backed by co-investors TA Associates and later Charlesbank Capital Partners, acquired Pulse Secure and merged it into Ivanti Inc. The combined entity was loaded with approximately $2.8 billion in debt. Morgan Stanley, UBS, and BofA provided the financing.
December 2020 — The Cuts Begin: Immediately post-close, Ivanti cut 11% of staff. Over the following months, the engineering team responsible for maintaining Pulse Secure’s codebase was slashed by more than half. Key security developers in California and the UK were let go. Replacements hired in lower-cost markets struggled with legacy code that required deep institutional knowledge.
April 2021 — First Breach: Chinese state-sponsored hackers (tracked as UNC2630/APT5) exploited multiple vulnerabilities in Pulse Connect Secure, including a zero-day rated CVSS 10 (CVE-2021-22893). Mandiant identified 12 distinct malware families deployed through the compromised VPN appliances. DHS confirmed at least five federal agencies were breached.
January 2024 — Second Wave: CISA issued an emergency directive ordering all federal civilian agencies to disconnect Ivanti Connect Secure devices immediately. Chinese espionage group UNC5221 had been exploiting chained vulnerabilities since December 2023. Over 2,100 devices were confirmed compromised worldwide.
February 2024 — CISA Itself Falls: The agency responsible for defending US civilian cyber infrastructure confirmed that its own Ivanti systems had been breached. Two internal systems — the Infrastructure Protection Gateway and the Chemical Security Assessment Tool — were taken offline. The agency that wrote the emergency directive could not protect itself using the product it had just ordered others to disconnect.
January 2025 — Third Wave: Mandiant reported exploitation of yet another zero-day (CVE-2025-0282), a buffer overflow granting remote code execution. CISA ordered federal agencies to patch within the shortest timeline it had ever issued. Custom malware families DRYHOOK and PHASEJAM were deployed, with anti-forensics tools designed to evade detection.
May 2025 — Debt Restructuring: Ivanti reached a deal with lenders to extend maturities and raise $350 million in new debt. Its $1.7 billion term loan was trading at 70 cents on the dollar. The customer base had dropped by a third, to approximately 34,000. The financial engineering continued even as the product engineering crumbled.
The “Leveraged Perimeter” Mechanism
What happened at Ivanti is not an anomaly. It is the logical outcome of applying leveraged buyout mechanics to security-critical infrastructure. The mechanism works as follows:
Step 1 — Debt Loading: The acquirer finances the deal with 4–6x leverage. The portfolio company’s own cash flows service the debt. Every dollar of operating income is pre-allocated to interest payments, not R&D reinvestment.
Step 2 — Headcount Optimisation: To meet debt covenants, the new owners cut costs. In a security product, the highest-cost line item is the engineering team. Senior security researchers and legacy code maintainers are expensive. They get replaced, or they are not replaced at all.
Step 3 — The Patch Deficit: With a reduced engineering team, the time-to-patch for critical vulnerabilities extends. Zero-day response capability degrades. Code review cadence drops. The product accumulates what we call a security debt — the inverse of the financial debt that created it.
Step 4 — The Adversary Advantage: Nation-state actors do not wait for restructuring timelines. Chinese APT groups reverse-engineer patches within 72 hours of release. When the engineering team is half-strength and the codebase is under-maintained, the adversary has a structural advantage that no amount of debt refinancing can close.
The Result: The LBO thesis was recurring revenue from sticky enterprise contracts. The reality was recurring breaches across government and critical infrastructure. The financial return was extracted from the security budget of the Western defence perimeter.
Field Evidence: The Breach Log
The Ivanti case is the most egregious, but not the only data point. The PE-to-breach pipeline is becoming a pattern.
Date: 2021–2025 (Ongoing)
Clearlake acquired Pulse Secure in late 2020, merged it into Ivanti, and loaded the combined entity with $2.8 billion in debt. Engineering was cut by more than half. Over the next four years, Chinese state-sponsored hackers exploited the product in at least three distinct campaigns, compromising the Pentagon, NASA, FAA, the Federal Reserve, CISA itself, and thousands of private-sector organisations. CISA issued multiple emergency directives. The Pentagon, Navy, and Treasury ripped out Ivanti systems entirely.
The Lesson: When a PE firm cuts the engineering team of a product embedded in the US defence perimeter, the cost is not measured in EBITDA compression. It is measured in national security exposure. The debt was $2.8 billion. The blast radius was incalculable.
Date: February 2024
CISA published a devastating finding: Ivanti’s Integrity Checker Tool (ICT) — the product designed to detect whether the VPN had been compromised — was itself being deceived by threat actors. In lab testing, CISA demonstrated that attackers could maintain root-level persistence even after a factory reset. The tool meant to verify security was itself insecure. Ivanti disputed the findings; CISA maintained its position.
The Lesson: When the integrity checker cannot check integrity, you have entered a trust collapse. The product has become a liability masquerading as an asset. Every “clean” scan result is potentially false. This is what happens when the team that writes the detection logic has been halved to service a leveraged capital structure.
Date: February 2026
Kroll surveyed 325 PE portfolio leaders globally. The findings: 80% of firms experienced cybersecurity disruption during the hold period. Average financial impact per incident was $2.1 million. 94% suffered some form of financial consequence from cyber risk. Only 12% of smaller PE firms (<$25bn AUM) enforced mandatory cybersecurity baselines across portfolio companies, compared to 55% of larger firms. 35% of firms under $500 million AUM had no defined baseline at all.
The Lesson: The industry knows this is a problem. It has the data. It has not changed the behaviour. Because the incentive structure rewards cost reduction during the hold period, not resilience investment. Cyber is still treated as a hygiene issue, not a value-creation lever.
The Systemic Risk Dimension
The Ivanti story is not just a cybersecurity failure. It is a systemic risk event that exposes three structural problems in how critical infrastructure is governed.
Problem 1 — No Ownership Scrutiny: When Clearlake acquired Pulse Secure, no federal regulator assessed whether the new ownership structure was compatible with the product’s role in national security. There is no CFIUS-equivalent review for PE acquisitions of enterprise security vendors. The capital structure changed. The threat surface didn’t care.
Problem 2 — The Customer Cannot Exit: Enterprise VPN products are deeply embedded. Migration takes 12–18 months. Rip-and-replace costs are enormous. The Pentagon eventually did it. Most organisations cannot. They are locked into a degrading product with no exit velocity, paying maintenance fees that service someone else’s debt.
Problem 3 — The Adversary Has a Business Model: Chinese APT groups have systematically targeted PE-owned security infrastructure since 2020. The pattern is clear: identify products where engineering investment is declining, stockpile zero-days, and exploit the gap between disclosure and patch. The leveraged perimeter is not just a vulnerability — it is a targeting criterion.
Tactical Mitigation
For PE partners, risk committees, and CNI operators, the Ivanti case demands immediate reassessment.
Ownership Due Diligence on Vendors: Before renewing any enterprise security contract, assess the vendor’s capital structure. Debt-to-EBITDA above 4x on a security-critical product is a red flag. If the vendor’s engineering headcount has declined post-acquisition, escalate to the board.
The “Patch Velocity” Metric: Track time-to-patch for critical CVEs across your security vendors over 24 months. A degrading trend line is an early warning of the Leveraged Perimeter dynamic. If patch velocity is slowing while the vendor is issuing new debt, you have your answer.
Exit Readiness Scoring: For every perimeter security product, maintain a documented migration plan with a 90-day execution timeline. If you cannot replace a VPN, firewall, or endpoint product within 90 days, you are operationally captured. Treat it as a concentration risk.
PE Firms — Ringfence R&D: If you own a security product deployed in government or CNI, the engineering budget is not a discretionary cost line. It is a fiduciary obligation. The Kroll data is clear: cyber incidents during the hold period are destroying portfolio value. The cheapest mitigation is not cutting the team that writes the patches.
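One way to compute the "Patch Velocity" trend described above, as an added example that is not from this article or from any vendor it names: a least-squares slope of days-to-patch against disclosure date over the 24-month window. The vendor names, advisory records, minimum sample size and flagging threshold are all constructed assumptions.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=730)   # the 24-month lookback named in the text
MIN_POINTS = 3                 # assumption: fewer advisories give no usable trend
DEGRADING_SLOPE = 10.0         # assumption: +10 days-to-patch per year is flagged
AS_OF = date(2025, 1, 1)       # constructed review date

# Constructed sample data: (vendor, advisory id, disclosed, patched or None if open)
RECORDS = [
    ("vendor-a", "ADV-EXAMPLE-01", date(2023, 3, 1), date(2023, 3, 8)),
    ("vendor-a", "ADV-EXAMPLE-02", date(2023, 9, 1), date(2023, 9, 7)),
    ("vendor-a", "ADV-EXAMPLE-03", date(2024, 3, 1), date(2024, 3, 9)),
    ("vendor-a", "ADV-EXAMPLE-04", date(2024, 9, 1), date(2024, 9, 8)),
    ("vendor-b", "ADV-EXAMPLE-05", date(2023, 3, 1), date(2023, 3, 6)),
    ("vendor-b", "ADV-EXAMPLE-06", date(2023, 10, 1), date(2023, 10, 15)),
    ("vendor-b", "ADV-EXAMPLE-07", date(2024, 5, 1), date(2024, 6, 1)),
    ("vendor-b", "ADV-EXAMPLE-08", date(2024, 11, 1), None),  # still unpatched
    ("vendor-c", "ADV-EXAMPLE-09", date(2024, 6, 1), date(2024, 6, 4)),
]

def patch_velocity(records, vendor, as_of=AS_OF):
    """Return (slope in days-to-patch per year, verdict) for one vendor."""
    start = as_of - WINDOW
    xs, ys = [], []
    for v, _adv, disclosed, patched in records:
        if v != vendor or not (start <= disclosed <= as_of):
            continue
        # An open advisory is counted at its age so far, which is a lower bound
        # on the real time-to-patch, so the trend is never understated by it.
        end = as_of if patched is None or patched > as_of else patched
        xs.append((disclosed - start).days / 365.25)
        ys.append((end - disclosed).days)
    n = len(xs)
    if n < MIN_POINTS or len(set(xs)) < 2:
        return None, "insufficient data"
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, ("degrading" if slope > DEGRADING_SLOPE else "stable")

if __name__ == "__main__":
    for vendor in ("vendor-a", "vendor-b", "vendor-c"):
        print(vendor, patch_velocity(RECORDS, vendor))
```

Feeding it real disclosure and fix dates from vendor advisories, restricted to critical-severity entries, gives the trend line the metric calls for; a "degrading" verdict is the cue to check it against the vendor's debt issuance.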
The Verdict
The leveraged buyout model assumes that recurring revenue is durable and that cost reduction is value creation. In enterprise security, both assumptions are false. Revenue is only recurring while the product is trusted. Trust erodes when the engineering team is gutted to service debt. The result is not an underperforming portfolio company — it is an open door in the Western defence perimeter, held ajar by a capital structure designed in Santa Monica and exploited from Beijing. If your firewall vendor’s biggest line item is interest expense, you do not have a security product. You have a leveraged liability with a login page.