Magenta Buyer: The Blocking Position Playbook

Welcome to the 173rd Pari Passu newsletter.

In today’s edition, we’re turning to Magenta Buyer, the legal entity behind Trellix and Skyhigh security and the $5.2bn product of a 2021 cybersecurity rollup by Symphony Technology Partners. The platform, which combined McAfee’s enterprise security franchise and FireEye’s threat detection business, was meant to build a differentiated platform in the rapidly evolving cybersecurity market. However, aggressive financial engineering left little margin for error, and as both businesses faced intense competitive pressure and were forced to adapt to a cloud-oriented cybersecurity environment, the company would be forced into one of the most interesting LMEs of 2024. 

In August 2024, Magenta Buyer and participating lenders launched a coercive hybrid dropdown / “double-dip plus”. Beyond its complex structure, this LME is a fascinating example of how a sophisticated creditor can influence the course of negotiations. 

In this writeup, we’ll walk through the two business models and formation of Magenta Buyer, before detailing the various headwinds leading to its distress. We’ll then detail the extensive pre-process leading up to its LME, before diving into the different exchange economics, heavily influenced by Elliott Management’s outsized control over the capital structure. We’ll also provide a returns estimation and recovery analysis, detailing the massive shift in value that occurred, before concluding with key takeaways.

We’ve been working on this piece for weeks, and it couldn't be more timely as the software leveraged loan market crumbles beneath us. Let’s dive in!

Recent LME Editions: MRP Solutions, Selecta, City Brewing, Oregon Tool, Better Health, Quest

Magenta Buyer LLC is the legal entity that owns two prominent cybersecurity businesses: Trellix and Skyhigh Security. Before we dive into the genesis of Magenta Buyer, it’s important to understand the business models of both Trellix and Skyhigh. 

Trellix is an enterprise cybersecurity vendor focused on protecting organizations against malware, ransomware, and other digital threats. The company’s core business revolves around endpoint security, which is software that protects individual devices (laptops, servers, mobile phones, etc.) that connect to corporate networks. If an employee opens a malicious email attachment or visits a compromised website, endpoint security software is the first line of defense, detecting and blocking the threat before it can spread. 

Trellix’s primary differentiator is its Extended Detection and Response (XDR) platform, which represents the next evolution of traditional endpoint security [1]. While basic endpoint tools protect individual devices in isolation, XDR platforms aggregate an organization’s security data to identify coordinated attack patterns that might evade single-point detection. To provide an easy analogy, traditional endpoint security is like having a Ring doorbell for each endpoint, while XDR is like having a central monitoring room. 

Trellix’s technology combines the capabilities of two legacy cybersecurity franchises [1]. The first is McAfee, founded in 1987 as one of the first antivirus software companies, and has built a dominant position in endpoint protection for three decades. The second is FireEye, founded in 2004, which became known for its threat detection and incident response capabilities. We’ll dive further into how Trellix was formed in the next section, but it's important to understand that the company has inherited legacy infrastructure and customer relationships. 

Today, Trellix has integrated artificial intelligence throughout its platform, notably through Trellix Wise, a generative AI engine introduced in 2024 that automates the triage of security alerts [1]. Large corporate security teams typically face thousands of security alerts every day, creating a tedious operational burden, especially for low-level alerts. Trellix claims its AI can handle 100% of Level-1 (routine, lower-priority) alerts, which frees IT to focus on more sophisticated threats [1]. 

Despite these capabilities, Trellix faces intense competition from newer cloud-native competitors, such as CrowdStrike and SentinelOne, which have built their platforms for modern cloud environments rather than adapting legacy on-premise software. Microsoft is also a major competitor, as it can bundle security features with existing software subscriptions. For context on scale, in 2023, Trellix held 5.8% of the endpoint security market, with $734mm in endpoint revenue [1]. 

Skyhigh Security is an enterprise cybersecurity vendor focused on protecting data as it moves between corporate networks and cloud applications. The company’s primary offering centers on Security Service Edge (SSE), a framework for securing access to the internet, cloud services, and private applications [1]. As enterprises have shifted from on-premises software to cloud-based tools such as Salesforce, Microsoft 365, and Slack, SSE has emerged as the security architecture for managing this environment. 

Skyhigh’s business model relies on its data-centric approach to SSE, particularly via its Cloud Access Security Broker (CASB) technology, which has been labeled as “best-in-class” [1]. A CASB acts as an intermediary between a company’s employees and the cloud services they access by enforcing security policies and monitoring for risky behavior. For example, if an employee attempts to upload sensitive customer data to an unauthorized file-sharing service, the CASB can block the transfer and alert the security team. CASB can be thought of as a checkpoint that inspects all traffic entering or leaving through cloud gateways. 

Skyhigh’s technology traces back to Skyhigh Networks, founded in 2011 as a pioneer in CASB solutions during the early wave of enterprise cloud migration [1]. McAfee acquired Skyhigh Networks in January 2018 to enhance its cloud security capabilities [1].  As we mentioned with Trellix above, we’ll dive further into Skyhigh’s corporate history shortly. Like Trellix, Skyhigh benefits from legacy customer relationships, but its technology is more recent and cloud-native. 

Today, Skyhigh has expanded its cloud-security platform beyond CASB to include Secure Web Gateway (SWG), Zero-Trust Network Access (ZTNA), and Data Loss Prevention (DLP) capabilities all under the same roof [1]. Unlike Trellix, Skyhigh operates in a higher-growth market and has shown stronger momentum. However, the company also faces intense competition from companies like Zscaler, Netskope, and Palo Alto Networks. 

The story of Magenta Buyer begins with Symphony Technology Group (STG), a Palo Alto, California-based private equity firm focused on software and tech-enabled services. In July 2021, STG looked to execute on a consolidation strategy in the enterprise cybersecurity market, beginning with the $4bn acquisition of McAfee’s enterprise business. Earlier that year, McAfee had split its consumer and enterprise divisions, with the latter division focusing on endpoint security, data protection, and cloud security. As a reminder, by this point, McAfee’s enterprise business had already acquired and integrated Skyhigh Networks. At the time of the acquisition, McAfee’s enterprise unit served 86 Fortune 100 firms and reported $1.3bn in revenue [4]. 

STG funded the McAfee acquisition with a $2.25bn first-lien term loan and a $575mm second-lien term loan, equating to $2.825bn of acquisition debt, and an LTV of ~71%. Prior to the carve-out, McAfee was a publicly traded company. However, as the company went public in October 2020, there are insufficient quarterly financials to derive an accurate LTM Segment EBITDA. Therefore, 2020 EBITDA will provide a close proxy. In 2020, McAfee’s enterprise division reported adjusted EBITDA of $335mm and revenue of $1.35bn, equating to a 25% margin [3]. Applying this same margin to the $1.3bn of LTM revenue at the time of the acquisition yields $325mm of adjusted EBITDA, which we will use as our transaction estimate, resulting in an implied valuation range of 12.0-13.0x EBITDA. Considering $2.825bn of debt at acquisition, this implies entry leverage of 8.0x-9.0x. 

Just three months later, in October 2021, STG acquired FireEye’s product business for $1.2bn. As we noted above, FireEye had built a reputation for its threat detection and incident response capabilities. It had also been popularized by its uncovering of the 2020 SolarWinds breach, which compromised numerous U.S. government agencies. Importantly, STG only acquired the products division, which included FireEye’s software offerings. The consulting and threat intelligence division, FireEye’s professional services business model, was retained by FireEye and later acquired by Google in 2022. STG viewed FireEye Products as “an undermanaged asset with significant growth potential hindered by a historical lack of strategic focus” [4]. The acquisition and subsequent merger were intended to create a differentiated platform capable of addressing all areas of endpoint security. FireEye also brought with it over 4,500 customers, including 17 G20 governments and 19 of the top 20 U.S. financial institutions [4]. 

STG funded the FireEye acquisition with a $925mm add-on to its 1L TL and a $175mm add-on to its 2L TL, resulting in an LTV of ~92% [10]. While FireEye was publicly traded prior to the acquisition, it did not separately break out the financials of its products division. However, we know that following this acquisition, Magenta’s pro forma leverage remained around 9.0x [4]. With $3.925bn of total debt, pro forma adjusted EBITDA would be around $440mm. Subtracting McAfee’s $325mm implies $115mm of adjusted EBITDA attributable to the FireEye acquisition. This estimate implies a valuation multiple of 10.0x-11.0x. Additionally, given $540mm of product division revenue, this implies an EBITDA margin of 21%. Pro forma revenue and EBITDA margin, therefore, equate to $1.84bn and 24%.  

This combined $5.2bn investment created a powerful cybersecurity platform that offers both endpoint and cloud security. However, rather than branding both business models under one name, STG decided to keep the two business models separate. The cloud security business, formerly known as Skyhigh Networks, was carved out of McAfee’s enterprise division and rebranded as Skyhigh Security. McAfee’s and FireEye’s endpoint security products were combined to create a comprehensive XDR platform known today as Trellix. 

The most striking detail of the two acquisitions above is the amount of leverage used. Given our estimates above and market consensus, entry leverage sat at ~9.0x EBITDA. However, STG justified this high initial leverage by targeting up to $230mm in potential synergies, stemming entirely from cost management and the integration of the pro forma entity. If the company were to achieve this goal, $670mm of pro forma EBITDA would bring leverage down to 5.9x, a theoretically much more manageable figure. As it stood following the acquisition, while Magenta Buyer had a strong recurring revenue base and high retention, the company’s PF EBITDA margins in the low-20% range lagged cybersecurity software peers. This margin deficit resulted from both companies’ legacy infrastructure, which had been built around on-premise systems and required higher ongoing support costs. Therefore, Magenta Buyer’s success and ability to service its debt load would be centered around cost cuts, rather than revenue growth. 

Throughout much of 2022, Magenta Buyer appeared to be successfully executing on its integration strategy. Trellix, which accounted for 88% of revenue at the time, saw topline growth remain flat. However, Skyhigh, which we noted above, sits in a faster-growing vertical, grew at nearly 10%, with 86% recurring revenue [5]. Since Skyhigh accounted for such a small share of the overall revenue mix, we estimate that total revenue grew in the low single digits, to approximately $1.9bn. However, the company was on track to reach $200mm in synergies by early 2023, which, if executed, would deliver a meaningful 46% increase in EBITDA [5]. 

However, the market optimism surrounding STG’s consolidation was short-lived. A combination of aggressive financial engineering, integration challenges, and a deteriorating market position would push the company into distress within three years of its formation. 

In late 2022, just over a year after closing the FireEye acquisition, STG executed a controversial financial maneuver. Magenta Buyer raised a $415mm incremental first lien term loan, due 2028, with just $50mm of proceeds going to the balance sheet and the rest for a dividend to STG [5]. To put this in perspective, STG was extracting nearly $400mm in cash from a business that was burning cash, mid-integration, and already levered at nearly 9.0x post-acquisition. The close of this transaction brought the company’s cash balance to $300mm, and with full revolver availability, liquidity was not an issue yet. However, with the incremental 1L TL priced at a flat 12.00% rate, its issuance immediately added $50mm in annual interest expense, partially offsetting the cash-positive impact of the pursued cost synergies while adding no real value to the enterprise. Using the interest build below, which assumes an average 2022 SOFR of 1.75%, we derive $339mm of run-rate cash interest expense following the dividend recap, consuming 77% of EBITDA, a substantial debt burden that would only grow larger. 

Around the same time, under new ownership, Magenta Buyer was transitioning from longer-dated contracts to Annual Contract Value (ACV) subscriptions [5]. This switch was strategic, as ACV contracts became the industry standard for software, enabling annual repricing and upselling to customers, as well as reducing customer lock-in concerns. While potentially beneficial in the long run, this posed an enormous working capital burden in the near term. Customers who had previously paid 2-3 years upfront now paid annually, and deferred revenue balances dwindled. Notably, this was projected to use up $300mm in cash over the transition period, presenting another burden on the company’s ability to service its growing debt load [5]. 

At the end of 2022, Fitch reported leverage of 6.2x, inclusive of the incremental 1L TL, implying adjusted EBITDA of $700mm [6]. Assuming very modest topline growth to $1.9bn, this equates to a 2022 EBITDA margin of 38%, a notable improvement from prior to the buyout, reflecting initial success in STG’s integrations. On paper, this $700mm figure implies that STG had effectively reached its full $230mm synergy target, as it represents a $260mm increase from the estimated $440mm pro forma EBITDA at acquisition.

However, during 2022, Magenta Buyer still burned $181mm of cash, which seems odd given the EBITDA figure above. With approximately $300mm of interest expense and $150mm of working capital cash outflows, our estimates indicate upwards of $400mm in addbacks for restructuring and integration-related cash expenses in 2022. These addbacks were likely related to consulting/advisory fees and system migration costs, as the company underwent a massive effort to consolidate two pieces of legacy infrastructure. While these costs are associated with integration and one-time in nature, hence the addback to adjusted EBITDA, they still represent meaningful cash outflows.

Beyond the initial liquidity pressures of the dividend recap and ACV transitions, Magenta Buyer faced mounting competitive pressure in both of its markets during the years following its transaction. 

In endpoint security, Trellix continued to be squeezed by its cloud-native competitors, which had built their platforms for modern cloud environments. Companies like CrowdStrike and SentinelOne continued to gain market share from traditional vendors, while Microsoft also emerged as a major competitor. While Trellix’s XDR platform was capable, it was constrained by the legacy architectures of McAfee and FireEye, which had not yet been fully unified.

While Skyhigh Security operated in a higher-growth market, it faced its own challenges. As with endpoint security, the SSE market was increasingly dominated by larger competitors, including Zscaler, Netskope, and Palo Alto Networks. While Skyhigh’s CASB technology remained well-regarded, it simply lacked the scale and resources of its larger competitors. 

This increased competition resulted in an 11% YoY decline in total revenue in Q3 2023 [6]. Trellix, which accounted for the majority of revenue, fell 12%, while Skyhigh revenues declined 4%. Additionally, recurring revenue, which accounted for 80% of total revenue, declined by 6%. For an investment predicated on customer retention and cost-cutting, these revenues were troubling, as they would continue to shrink the margin for error in STG’s broader integration efforts. 

Magenta Buyer faced another massive headwind: the Federal Reserve’s aggressive rate hikes from 2022 to 2024. When Magenta Buyer’s original debt was issued in mid-2021, SOFR was near zero, making 8.0x-9.0x entry leverage slightly more manageable. However, as rates rose, the company’s interest expense ballooned to nearly $475mm vs $339mm earlier, a $136mm or 40% increase. Additionally, since the acquisition, interest expense has increased by $186mm to $289mm, a 64% increase. 

By late 2023, Magenta Buyer’s liquidity was becoming a serious concern for lenders. The company had burned $257mm in cash for the LTM ending Q3 2023. Reportedly, this period featured an additional $199mm in integration-related addbacks [6]. Additionally, total liquidity fell to just $198mm [6]. As a result, at current cash burn rates, the company had less than a year of runway. The broader market took notice, as the company’s debt fell to deeply distressed levels, with the 1L TL trading in the high 60s and the 2L TL trading in the mid-30s. In Fitch’s late-2023 ratings downgrade to CCC, the agency bluntly stated that “In 2024, the company will require help from its sponsor to remedy the liquidity situation” [6]. The figure below illustrates our estimates of Magenta Buyer’s deteriorating liquidity position.