RSA Security: Identity Crisis

Welcome to the 182nd Pari Passu newsletter.

RSA Security is one of the oldest names in cybersecurity, founded more than 40 years ago by the three cryptographers who invented public-key encryption. Over its corporate history, RSA played a critical role in shaping today’s internet, has passed through EMC and Dell, and was carved out in 2020 by a PE consortium led by Symphony Technology Group for $2.075bn. Over the next four years, RSA’s sponsors fundamentally changed the course of the business, executing a business model overhaul and multiple divestitures. However, plans for RSA began to unravel amidst a capital structure that was much too large for the existing business. This situation is particularly relevant in today’s environment, as the software credit market has become a focal point of discussion in early 2026. 

In January 2026, RSA launched a consensual uptier exchange that raised $135mm of new money, extended maturities, and captured a substantial amount of discount. By LME standards, RSA’s transaction was quite successful, but it also exposed the flaws that led the company to where it sits today. 

In today’s writeup, we’ll start by overviewing RSA’s business model, including its current core identity and access management and fraud prevention units. From there, we’ll detail its extensive corporate history up to a Clearlake-led recapitalization in 2021. We’ll then walk through the path to distress, which looks quite similar to many other 2021-vintage software LBOs, before finally breaking down the 2026 LME and what it means for RSA’s future.

Few cybersecurity companies carry the legacy of RSA Security. The company was founded in 1982 by Ron Rivest, Adi Shamir, and Leonard Adleman (hence the name “RSA”). These three cryptographers were behind the RSA public-key encryption system that supports modern internet security. Put simply, RSA works by using a public key that anyone can use to encrypt a message, and a private key that only the recipient holds to decrypt it, allowing sensitive information to be transmitted securely over open networks. While we’ll detail RSA’s corporate history later, it’s important to understand that over the past four decades, RSA has grown into an expansive enterprise security conglomerate through a series of mergers and acquisitions. By 2020, RSA housed several distinct business lines: SecurID (identity and access management), Archer (governance, risk, and compliance), NetWitness (threat detection), and Outseer (fraud prevention). 

However, that version of RSA no longer exists. Between 2021 and 2025, RSA’s owners sold off most of its business units. What remains today operates under the parent entity, Redstone Buyer LLC, as “RSA Group”, and includes RSA (formerly known as SecurID) and Outseer. Together, these two segments generated $458mm in annual revenue as of 2025, close to half of the ~$840mm generated by the larger consolidated enterprise in 2020. We’ll examine each of its two current segments. 

RSA: Identity and Access Management: 

To understand what RSA's core business does, it helps to understand what identity and access management actually is. Every time an employee logs into a corporate network, cloud application, or VPN, an IAM system works behind the scenes, verifying that the person is who they claim to be and that they're authorized to access what they're requesting. At its simplest, IAM is the digital equivalent of a building's security desk, checking IDs, issuing badges, and making sure people only enter the floors they're cleared for.

RSA's flagship product is RSA ID Plus, a cloud and hybrid IAM platform that provides multi-factor authentication (MFA), single sign-on, and passwordless login capabilities. It is built on the legacy SecurID suite, which is the hardware-token product line that made RSA a leader in enterprise security for three decades. If you've ever used a small key fob that generates a new six-digit code every sixty seconds to log into a corporate system, there's a good chance it was an RSA SecurID token. The company also operates an identity governance platform that automates tasks like provisioning new employee accounts and certifying who has access to what.

RSA appeals to customers in heavily regulated environments where a security failure is catastrophic. The company protects 70% of Fortune 100 financial services firms, over 90% of U.S. federal agencies, and 67 national governments worldwide [1]. For these customers, compliance certification is a top priority, and switching costs are high. RSA’s platforms carry an array of government certifications and are built to satisfy various mandates, including its Federal Risk and Authorization Management Program (FedRAMP) authorization [1]. For the most sensitive applications, RSA offers sovereign deployment options that let clients run the full IAM platform in private cloud or completely offline environments, which newer, cloud-native competitors struggle to match. The key differentiator is RSA’s hybrid architecture. Most modern IAM providers are built cloud-first, meaning their services effectively stop working if internet connectivity is disrupted. RSA’s platform includes native failover mechanisms that keep the localized authentication service running during cloud outages. For sensitive clients, this is a meaningful selling point. 

Outseer: Fraud and Risk Intelligence:

If we imagine the RSA IAM business as verifying who’s knocking on the door, Outseer focuses on watching what happens once they’re inside, specifically within digital banking and payment environments. The platform monitors online banking sessions and uses behavioral analytics to flag suspicious activity [1]. In plain English, when a bank customer initiates an online transfer, Outseer evaluates whether the device, location, and behavior pattern match that customer’s history before deciding whether to approve, challenge, or block the transaction. The company covers over 450mm accounts and roughly $5tn in annual transaction volume, primarily across major financial institutions [1]. 

Historically, both businesses have experienced strong tailwinds in an increasingly online post-COVID world, driven by the growing need for enhanced security in identity management and fraud prevention applications. However, RSA, as a pure-play IAM company, has faced increasing competition from giants like Microsoft and Palo Alto Networks, which are bundling IAM capabilities into broader enterprise security suites. Not only are these competitors expanding capabilities, but they are also significantly larger and better capitalized, allowing them to continue investing amidst a changing software environment, a big advantage relative to a more highly levered sponsor-backed platform like RSA. 

These competitive pressures are playing out against a backdrop of recent turmoil in the enterprise software sector. In early 2026, software stocks experienced their sharpest correction in years, with big names like Salesforce and Adobe down nearly 30% as of late March. The driver of this downturn is the growing fear that agentic AI tools are automating the workflows that traditional software products were built to manage. This threatens the per-seat licensing model that has supported SaaS economics for decades. While still uncertain, the possibility that enterprises could consolidate multiple software tools into fewer AI-driven solutions has created an overhang on valuations, leading investors to reassess the durability of SaaS companies’ recurring revenue models. Whether this represents a genuine disruption or an overdue valuation correction remains up for debate. Regardless, even if RSA’s government and financial services niche is more insulated from AI displacement, the sector-wide repricing of software assets makes any future refinancing or sale process materially harder. Importantly, RSA’s restructuring was not driven by this 2026 selloff and was likely negotiated prior, meaning that in hindsight, RSA may have benefitted from executing its transaction before software sentiment deteriorated further.

As we mentioned above, RSA Data Security was founded in 1982 by Ron Rivest, Adi Shamir, and Leonard Adleman, three MIT cryptographers who had invented the RSA public-key encryption algorithm five years earlier. The algorithm was a landmark in computer science, providing the first commercially viable method for two parties to communicate securely without sharing a secret key in advance, and the company was created to commercialize it. RSA licensed its encryption libraries to the emerging technology industry, embedding its code into products built by Lotus, Motorola, Apple, Novell, and eventually Microsoft [2]. In 1989, RSA’s software was adopted as the encryption standard for the nascent Internet, and the following year the U.S. Department of Defense began licensing it over objections from the NSA, which viewed strong commercial encryption as a threat to its surveillance capabilities. 

Throughout the 1990s and early 2000s, RSA’s growth was powered by both the explosion of the commercial internet and the company’s willingness to fight publicly for strong encryption. The company waged a high-profile campaign against the Clinton administration’s Clipper Chip, a government-backed encryption system with a built-in backdoor for law enforcement, and ultimately killed the initiative. RSA’s role in “The Crypto Wars” cemented its reputation as the industry’s most trusted name in security. In 1996, RSA was acquired by Security Dynamics Technologies, the firm that manufactured the SecurID hardware authentication token, in a stock deal valued at roughly $250mm. The deal combined RSA’s encryption expertise with SecurID’s physical access control technology, and by 1999, the combined entity adopted the shortened RSA Security name. The company went on an acquisition spree over the next several years, adding digital certificate, smart card, biometric, and identity management capabilities through a string of deals [2].

In September 2006, EMC Corporation, the then dominant player in enterprise data storage, acquired RSA Security for approximately $2.1bn in cash, representing more than an 8x increase in valuation over the prior decade. EMC’s logic was that as data volumes exploded and compliance requirements tightened, securing data would become as important as storing it. RSA became EMC’s dedicated security division, and under the EMC umbrella, the company continued to expand, building a portfolio that included NetWitness, Archer, and the fraud prevention tools that would eventually become Outseer. 

The EMC years were not without turbulence, though. In March 2011, RSA suffered one of the most consequential cybersecurity breaches in history when attackers, later attributed to a Chinese People’s Liberation Army unit, penetrated RSA’s network through a spear-phishing email and stole the seed database for SecurID tokens [3]. Those seeds are the cryptographic keys that make each hardware token unique; with them, an attacker could clone any token in existence. The stolen data was later used to target defense contractors, including Lockheed Martin, forcing a scramble across the U.S. defense industrial base to replace compromised tokens. The breach cost EMC $66mm in direct remediation expenses, but the reputational damage for a name that had been synonymous with trust was harder to quantify. 

In 2016, Dell Technologies completed its landmark $67 billion acquisition of EMC, and RSA became part of the Dell family as a subsidiary of Dell EMC Infrastructure Solutions Group. The deal was driven by Dell's ambitions in cloud computing, as RSA's security capabilities were seen as complementary to Dell's hardware and managed services offerings. However, within the massive Dell-EMC integration, RSA was a relatively small unit, and the security business never became a strategic priority for Dell the way storage and cloud infrastructure were. By 2020, Dell had concluded that RSA was worth more to someone else than as an internal division, and in February of that year, Dell announced its intention to sell [1].

In September 2020, a private equity consortium led by Symphony Technology Group (STG), alongside Ontario Teachers' Pension Plan Board and AlpInvest Partners, completed the acquisition of RSA from Dell for approximately $2.075bn. The deal was financed with significant leverage, including a $1.05bn 1L term loan due 2027, $300mm 2L term loan due 2028, and $75mm RCF commitment, with $1.35bn in funded debt representing an LTV of 65%. Moody’s estimated pro forma leverage at an aggressive 8.7x, implying roughly $155mm in LTM adj. EBITDA. Using this EBITDA estimate, the $2.075bn purchase price valued RSA at roughly 13.4x. The thesis was likely similar to many other aggressive 2021-vintage software LBOs: by carving out RSA from EMC, STG could cut legacy costs and drive leverage down toward a more sustainable amount within 12-18 months. However, as we’ve learned from many past writeups, this is much easier said than done. 

Shortly after, in August 2021, Clearlake Capital made a strategic equity investment to become an equal partner alongside STG. The recapitalization that accompanied Clearlake's entry added meaningful incremental debt. Additionally, the recap was not a growth investment, but instead was used to fund a distribution to existing shareholders, less than a year after entry. At the time of Clearlake’s investment, sources indicated that RSA was valued at nearly $3.3bn, a more than 50% increase from the $2.075 acquisition price just one year prior. RSA issued a new $175mm RCF due 2026, a $1.55bn 1L TL due 2028, and a $450mm 2L TL due 2029, using the proceeds to repay all $1.35bn of existing debt. The transaction immediately increased the company’s funded debt load from $1.35bn to $2bn. However, despite the increase in debt, leverage remained in the 8x range, implying adj. EBITDA of ~$250mm [5], a 61% increase from the 2020 transaction, implying the meaningful realization of the cost reductions we mentioned above. Given a valuation of nearly $3.3bn, this equates to an EBITDA multiple of roughly 13x, which is broadly in line with STG’s buyout the year prior. When giving full-year credit for these reductions and accounting for one-time transaction costs, Moody’s estimated adjusted leverage at 6.5x, implying a run-rate EBITDA of nearly $350mm. At this point, RSA still owned all of its business units, including SecurID, Archer, NetWitness, and Outseer. 

Less than a year after the Clearlake recap, cracks began appearing in RSA’s sponsors’ acquisition thesis. While carving out four independent business units from Dell would allow RSA to shed legacy costs, it would also entail its own cash burden. The stand-up costs, or costs of building an entirely new corporate infrastructure, proved much larger than expected as RSA incurred finance, HR, IT, legal, and go-to-market costs for SecurID, Outseer, NetWitness, and Archer simultaneously. By the first half of fiscal 2023 (ending January 2023), these stand-up costs had driven the company into significant negative free cash flow. RSA bridged the cash gap by drawing down its RCF and using proceeds from the sale of its RSA Conference (RSAC) entity. By December 2022, the company had drawn $100mm of its RCF over the 18 months following the recap [6]. While the proceeds from the RSAC sale weren’t disclosed, we can assume RSA’s cash burn stemming from stand-up costs meaningfully exceeded the $100mm implied by the RCF.

Beyond stand-up costs, another headwind RSA faced was the pivot from a perpetual licensing model to a subscription-based model. We’ve covered this dynamic in a few of our software writeups, such as Magenta Buyer or Quest. As a reminder, a perpetual license grants the right to the software indefinitely for a one-time fee, which frontloads the revenue from acquiring new customers. A subscription model, which is increasingly common among SaaS companies today, focuses on annual recurring revenue (ARR), with customers paying an annual/monthly fee for access to the software and any support services/updates. Subscription-based models mitigate customer lock-in concerns associated with perpetual licenses or longer-term contracts and create opportunities to upsell during renewal periods. However, the issue with this pivot stems from its stress on near-term economics. New customers, rather than paying an upfront fee, simply pay the annual cost of the subscription, a much smaller cash inflow, placing a significant burden on a business already struggling to generate positive FCF. 

In June 2023, RSA sold Archer, its governance, risk, and compliance business, which was arguably the company’s best-performing unit at the time, to Cinven. While Archer’s own EBITDA wasn’t broken out, the segment was generating $220m in revenue, and the deal valued the business favorably at $1.38bn, or roughly 6.3x revenue [8]. RSA’s consolidated margins were in the low 20% range, and given Archer’s position as a higher-quality, more stable asset, it likely carried mid-20% margins, implying EBITDA of roughly $50-$60mm and an implied purchase multiple near 25x. For context, Archer comprised roughly 30% of RSA’s total $715mm in FY 2023 revenue [7]. Perhaps the most controversial part of the sale was the distribution of proceeds.