Why KKR is Increasing its Investment in NetSPI

On October 5, NetSPI announced that global investment firm KKR is increasing its investment in the company with $410 million in new funding. The investment was officially completed on November 4. Upon completion, the KKR Tech Growth team and I spent time reflecting on the past year working with NetSPI and looking forward to the future of the offensive security leader. 

1. Why did you choose to invest in NetSPI? 

We believe penetration testing is an increasingly important and strategic aspect to any enterprise’s security posture. We believe NetSPI is a category-defining player in the space through their core “Resolve” technology, Pen-Testing as a Service (“PTaaS”) delivery model and innovative new software products.  

Since our initial investment 18 months ago, we have been very impressed by the performance of the company and the exceptional execution by the entire NetSPI team. The company has experienced an impressive trajectory of strong and accelerating organic growth coupled with strong unit economics and profitability. We are excited about the opportunity to continue to build upon this momentum with further investments in technology, people, geographical expansion and strategic acquisitions.

2. What makes NetSPI so compelling? 

We believe NetSPI is compelling for a number of reasons, but the NetSPI team and technology are key differentiators. 

  • The Team: We’ve been impressed by the strength and execution of the NetSPI management team, even before we made our initial investment. We had built a dialogue with Aaron Shilts well before our initial investment in early 2021 and he came highly referenced from his previous large company experience. We view Aaron as an experienced CEO who has been able to combine his large company experience with an impressive vision on how to take NetSPI to the next level. Aaron has also assembled a remarkable team of other C-suite-level or VP-level execs, many of whom have come up through the organization organically. NetSPI has taken this experience of cultivating A+ talent and built their NetSPI University training program, which we believe is one of the most comprehensive training and certification programs in offensive security and has resulted in a strong pipeline for developing top talent internally.
  • The Technology: NetSPI has continued to carve a leading position in the pen-testing space through their continuous, tech-enabled pen-testing services, underpinned by their Resolve Platform which aggregates, manages and correlates vulnerability data for pen-testers and internal security teams to discover, identify and fix vulnerabilities – reducing risk exposure at scale. This technology, coupled with their differentiated delivery model and strong reputation in the market, has created a truly differentiated offering in the market. NetSPI also recently launched an Attack Surface Management (“ASM”) software platform, which provides continuous detection and reporting of vulnerabilities across all owned assets, and is highly complementary with their core pen-testing offering.  The company has a significant pipeline of new products to come in 2023 and beyond, which should allow NetSPI to continue offering a distinguished offensive security platform.   

Combined with an excellent and growing team across the organization and innovative technology, we are excited about NetSPI’s potential as they continue to advance their products. 

3. Where do you believe there may be opportunity for NetSPI to disrupt the offensive security market? 

From a macro perspective, we believe the demand for tech‐enabled, continuous pen‐testing has increased as legacy vulnerability management platforms can often give companies a false sense of security and traditional pen-testing consultancies often lack a tech-first approach to testing and remediation. With the ever‐changing threat landscape, we believe constant and persistent testing is paramount to maintaining an optimum security posture. Given the additional compliance requirements mandating human intervention and “hands on keyboard” to complete these complex tests, along with the proliferation of zero-day vulnerabilities, we believe NetSPI’s approach to tech & services positions them to be a defining player in this emerging PTaaS category. 

4. How do you plan to support NetSPI’s continued growth? 

We are increasing our investment in NetSPI to support their continued growth. We see this as an opportunity to put more capital to work behind i) New product development; ii) Geographic expansion in EMEA and APAC; iii) Go-to-market and partnership related initiatives; and iv) Growing headcount to serve the company’s fast-growing enterprise customer base.

5. What does this acquisition mean to KKR? 

For KKR, the Tech Growth strategy is about identifying platforms – management teams, businesses, and sectors – where we can invest, seeking to build leading global enterprises. Since the beginning, we have been impressed with and excited about our strategic partnership with the management team and continued acceleration of NetSPI’s organic growth. We believe the KKR portfolio, network and value-add resources can enrich NetSPI’s existing capabilities and we are looking forward to the many opportunities ahead. 


The views expressed in each blog post may be the personal views of each author and do not necessarily reflect the views of KKR and its subsidiaries (“KKR Group”). Neither KKR Group nor the author guarantees the accuracy, adequacy or completeness of information provided in each blog post. No representation or warranty, express or implied, is made or given by or on behalf of KKR Group, the author or any other person as to the accuracy and completeness or fairness of the information contained in any blog post and no responsibility or liability is accepted for any such information. Nothing contained in each blog post constitutes investment, regulatory, legal, compliance or tax or other advice nor is it to be relied on in making an investment decision. Blog posts should not be viewed as current or past recommendations or solicitations of an offer to buy or sell any securities or to adopt any investment strategy. The blog posts may contain projections or other forward-looking statements, which are based on beliefs, assumptions and expectations that may change as a result of many possible events or factors. If a change occurs, actual results may vary materially from those expressed in the forward-looking statements. All forward-looking statements speak only as of the date such statements are made, and neither KKR Group nor each author assumes any duty to update such statements except as required by law. To the extent that any documents, presentations or other materials produced, published or otherwise distributed by KKR Group (collectively, “KKR Materials”) are referenced in any blog post, such KKR Materials should be read with careful attention to any disclaimers provided therein.
