How Private Equity Debt Left a Leading VPN Open to Chinese Hackers

Layoffs at Pulse Secure accelerated as financial pressure mounted

Laura Galante Photographer: Nicole Combeau/Bloomberg Photo by Nicole Combeau /Photographer: Nicole Combeau/Blo

Article content

(Bloomberg) — In early 2024, the agency that oversees cybersecurity for much of the US government issued a rare emergency order — disconnect your Connect Secure virtual private network software immediately. Chinese spies had hacked the code and infiltrated nearly two dozen organizations. 

Article content

The directive applied to all civilian federal agencies, but given the product’s customer base, its impact was more widely felt. The software, which is made by Ivanti Inc., was something of an industry standard across government and much of the corporate world. Clients included the US Air Force, Army, Navy and other parts of the Defense Department, the Department of State, the Federal Aviation Administration, the Federal Reserve, the National Aeronautics and Space Administration, thousands of companies and more than 2,000 banks including Wells Fargo & Co. and Deutsche Bank AG, according to federal procurement records, internal documents, interviews and the accounts of former Ivanti employees who requested anonymity because they were not authorized to disclose customer information. 

Article content

Article content

Article content

Soon after sending out their order, which instructed agencies to install an Ivanti-issued fix, staffers at the Cybersecurity and Infrastructure Security Agency discovered that the threat was also inside their own house. Two sensitive CISA databases — one containing information about personnel at chemical facilities, another assessing the vulnerabilities of critical infrastructure operators — had been compromised via the agency’s own Connect Secure software. CISA had followed all its own guidance. Ivanti’s fix had failed.

Article content

Article content

This was a breaking point for some American national security officials, who had long expressed concerns about Connect Secure VPNs. CISA subsequently published a letter with the Federal Bureau of Investigation and the national cybersecurity agencies of the UK, Canada, Australia and New Zealand warning customers of the “significant risk” associated with continuing to use the software. According to Laura Galante, then the top cyber official in the Office of the Director of National Intelligence, the government came to a simple conclusion about the technology.

Article content

Article content

“You should not be using it,” she said. “There really is no other way to put it.”

Article content

That attack, along with several others that successfully targeted the Ivanti software, illustrate how private equity’s push into the cybersecurity market ended up compromising the quality and safety of some critical VPN products, Bloomberg has found. Last year, Bloomberg reported that Citrix Systems Inc., another top VPN maker, experienced several major hacks after its private equity owners, Elliott Investment Management and Vista Equity Partners, cut most of the company’s 70-member product security team following their acquisition of the company in 2022.

Article content

Some government officials and private-sector executives are now reconsidering their approach to evaluating cybersecurity software. In addition to excising private equity-owned VPNs from their networks, some factor private equity ownership into their risk assessments of key technologies. 

Article content

Rob Leahy is the former chief information officer for NASA’s Goddard Space Flight Center. He declined to discuss NASA specifically but said the Ivanti incidents underscored concerns he has about private equity-owned cybersecurity companies. In his experience, Leahy said, private equity firms often prioritize increasing profits and paying down debt over continuous investment in product development.

Article content

“This should be part of a risk assessment when you’re looking at a product: What is the ownership structure? Are they investing in the future or are they not? Over the years, have we seen them shift dollars from investing into paying off debt? To me, that’s a big risk,” he said.

Article content

Utah-based Ivanti was created in 2017 as a rollup of two IT software firms that private investment outfit Clearlake Capital Group acquired through leveraged buyouts. Three years later, Ivanti bought a California maker of VPNs called Pulse Secure in another debt-financed acquisition. At that point, the Covid-19 pandemic had brought the economy to a standstill and the Federal Reserve had cut interest rates to zero. Private equity firms took advantage of the low borrowing costs to go on a buying binge, snapping up companies such as McAfee Corp., Proofpoint Inc. and Citrix. 

Article content

Ivanti was drawn to Pulse Secure’s extensive portfolio of government and corporate contracts for its VPNs. In the midst of the pandemic, the move looked like a safe bet: VPNs enable users to remotely access IT networks, making them an essential tool for working from home. Pulse’s sales doubled in 2020, according to people familiar with the company’s finances who requested anonymity because they weren’t authorized to disclose confidential figures.

Article content

Article content

Upon adding Pulse Secure to Ivanti’s portfolio, along with a mobile-device security company called MobileIron Inc., the company’s owners immediately loaded Ivanti with even more debt to pay for another purchase. This is a common tactic in private equity — the idea is that by rapidly increasing a company’s revenue and reducing its expenses, the business will eventually be able to handle the extra debt.

Article content

In this case, however, it backfired, according to former employees. In all, Bloomberg reviewed internal documents and interviewed 15 former Ivanti and Pulse Secure employees and more than a dozen others, including people familiar with the companies’ finances, customers, government relationships and other sensitive matters. The former employees, most of whom were on the Pulse engineering team or in senior management positions at Ivanti and who asked not to be identified discussing private information, detailed how significant pressure to cut costs resulted in Ivanti’s private equity owners firing, among others, engineers critical to maintaining Connect Secure at a time of escalating cyberattacks. 

Article content

Article content

Clearlake owns Ivanti alongside TA Associates and Charlesbank Capital Partners, which joined as equity co-investors several years after the company’s founding. All three declined to comment.

Article content

Ivanti rejects the notion that cost-cutting measures compromised the safety of its Connect Secure products, according to a statement the company provided to Bloomberg News. It added that the quality of Connect Secure has improved under Ivanti’s ownership. 

Article content

The company has made “substantial investments in people, processes and technology that have advanced the Ivanti Connect Secure (formerly Pulse Secure) product far beyond where it was when it was acquired in 2020,” according to Ivanti. The company pointed to Connect Secure software released in September as a “major advancement” of its technology, and said that the product now “benefits from many security-focused resources and processes that were not in place when Ivanti acquired Pulse five years ago.”

Article content

It denied that its ownership model negatively impacted its operations and emphasized that VPNs are always at high risk of attack.

Article content

“Today, the relentless and highly sophisticated state-sponsored attacks on edge devices are a direct result of their positioning and role within networks and the types of customers supported,”  Ivanti said in its statement. “Public or private ownership of cybersecurity companies is irrelevant.”

Article content

VPNs, the products targeted in the attacks, have been around for decades and often rely on older code. That was true of Connect Secure’s VPNs, according to the former employees, who said that Ivanti inherited software with many undiscovered flaws. Soon after Ivanti closed its acquisition of Pulse Secure, they noted, some inside the company realized that the technology was in dire need of investment.

Article content

But the financial climate was changing. With the worst of the pandemic over and inflation taking a toll, the Federal Reserve started to hike interest rates in 2022, causing payments to skyrocket across Clearlake’s businesses, which had borrowed significantly through floating-rate loans. This wasn’t unique to Clearlake — the private equity buying boom created plenty of debt that its holders are now unable to afford. But the investor’s big bets left its portfolio companies particularly exposed to rising interest rates and the subsequent crash in companies’ valuations.

Article content

Article content

Within a few years, Ivanti, saddled with $2.8 billion in debt, was slashing budgets and gutting teams across the company, including the VPN division. That left Connect Secure and its more than 20,000 customers vulnerable, according to public documents and the former employees.

Article content

Ivanti began laying off employees immediately after taking over the VPN maker in late 2020. Dismissals peaked in 2022 as interest rates skyrocketed, and have continued ever since. Over this period, three separate Chinese state-sponsored hacking campaigns exploited more than a dozen previously unknown weaknesses in Connect Secure VPNs. (China’s Ministry of Foreign Affairs didn’t respond to messages seeking comment.)

Article content

Nicholas Leiserson, who was the assistant national cyber director for cyber policy and programs under former President Joe Biden, said that while hackers have targeted a broad range of VPNs in recent years, what makes Ivanti unique is the prevalence of its Connect Secure technology and the fact that hackers have been able to find serious vulnerabilities in its VPNs year after year. He said that US officials ultimately had a “loss of faith” in Ivanti’s ability to secure its products.

Article content

Article content

“The first time you see an exploit in a particular area of a codebase, shame on you,” Leiserson said. “The second, third, fourth and fifth time, it’s shame on me.”

Article content

Cybersecurity is an arms race. Staying ahead of hackers requires constant investment, and this is especially true for makers of VPNs and other technologies that act as a barrier between private networks and the open internet. Those in the field know that hiring and retaining experienced engineers is not just an advantage, but the core of the business. The highest-paid engineers at Pulse Secure made around $300,000 per year, according to internal company documents.

Article content

Private equity firms, by contrast, typically operate with a slim margin for error, loading portfolio companies with so much debt that they’re left with little financial room to maneuver if expenses suddenly rise. Should that happen, the businesses can end up burning cash, further limiting their ability to turn things around.

Article content

Over the last decade, Chinese state-sponsored hackers have targeted water, energy and electricity systems across the US in what officials describe as an unprecedented espionage effort by Beijing. And around the world, hundreds of millions of cyberattacks take place each day, with the majority focused on data theft and extortion, according to statistics from Microsoft Corp. As a result, the field of cybersecurity is thriving. According to the most recent statistics from the advisory firm Gartner Inc., the market was expected to reach $213 billion in global revenue last year, up from $193 billion in 2024, and to continue growing more than 10% annually.

Article content

This growth has attracted the attention of private equity, which is taking an increasingly large stake in the sector. In some instances, the investments have reaped big rewards. In 2024, for instance, private equity and venture capital firm Insight Partners sold the cyber threat intelligence firm Recorded Future to Mastercard Inc. for $2.65 billion — more than three times the $780 million it paid for the company in 2019.  

Article content

From 2020 through 2025, buyout firms spent about $208 billion on more than 1,600 acquisitions and investments in cybersecurity companies globally — nearly triple the number of deals compared to the previous six-year period, according to data from PitchBook.

Article content

Some recent high-profile cybersecurity failures have been associated with makers of legacy technologies placed under private equity ownership. A 2023 report published by Alphabet Inc.’s Mandiant Inc., which tracks and responds to digital attacks, details some of the products that were infiltrated during a years-long Chinese hacking campaign. Most of them were made by private equity-owned companies, Bloomberg determined, including Citrix and Ivanti. 

Article content

Article content

Cloud Software Group Inc., which owns Citrix, didn’t respond to a request for comment. The company has previously said it inherited vulnerabilities in Citrix’s products and has since then “measurably improved our ability to proactively identify and mitigate cybersecurity threats.”

Article content

Ivanti bought Pulse Secure from another private equity firm, Siris Capital Group. Prior to that, the software was owned by Juniper Networks Inc., which was known for its popular internet routers and networking hardware. Juniper bundled its VPNs alongside these products, helping the VPNs become ubiquitous in government and across private industry. In 2014, when activist investors pressured Juniper to sell its VPN and related businesses, the sale to Siris Capital fetched $250 million. Six years later, Siris sold Pulse Secure to Ivanti for more than $500 million, according to people who were involved with the acquisition and who requested anonymity because they weren’t authorized to discuss confidential financial details. Siris declined to comment for this story.  

Article content

Pulse Secure generated an all-time high of about $300 million in sales in 2020, three people familiar with the company’s finances told Bloomberg. In the big picture, however, that was a blip. For years before the pandemic, demand for legacy VPN software like Connect Secure had been declining in favor of newer, more secure “zero-trust network access” technologies. Those products, made by Zscaler Inc., Palo Alto Networks Inc. and others, enable users to directly access specific applications and data within networks, reducing the risk of catastrophic hacks. (Pulse Secure was also developing these technologies, but the revenue they brought in was small compared with its legacy VPN software, according to former employees.) 

Article content

Article content

Phil Richards was Ivanti’s chief security officer at the time of the acquisition, and it was his job to assess Pulse Secure. He told Bloomberg that he alerted management to warnings that Microsoft and government agencies had issued the year before about Chinese hackers targeting VPN software — including products made by Pulse. Because of this, Richards said, he believed it was likely that Pulse products had issues that Siris wasn’t aware of. The deal moved ahead anyway. Ivanti declined to comment on Richards’ statement. 

Article content

At the time of Ivanti’s takeover, Pulse Secure had only a handful of product security engineers out of an engineering staff of about 300, according to the former members of Pulse’s engineering team and senior Ivanti managers, as well as a January 2021 internal staffing document reviewed by Bloomberg which identified each position in the department and the worker who occupied it. Up until the acquisition, there had only been a few recorded attacks on the software. According to cybersecurity experts, the skeleton staffing of product security engineers under Siris Capital was likely one reason why serious product vulnerabilities went unnoticed prior to the Ivanti purchase. 

Article content

The day after the acquisition closed, Ivanti revealed plans to lay off 70 Pulse employees, according to a disclosure Ivanti filed with California employment regulators, or about 11% of Pulse’s 650-person staff.

Article content

The cuts included nearly all of Pulse’s top executives and several senior engineers. The engineering department was targeted shortly after, when Ivanti eliminated vacant positions, terminated long-term contractors and began firing some of the most experienced — and best paid — members of the core team in California, who were responsible for high-level design of the VPNs and developing the next generation of technologies, according to internal documents and the former members of Pulse’s engineering team and senior Ivanti management who weren’t authorized to discuss the matter publicly. Even more employees went on to resign as a result of the ownership change, and out of concern that they might be laid off as well. Of the unfilled positions that Ivanti did eventually staff, the people said, many went to less-experienced new hires in India, where staff generally focused on lower-level product support work.

Article content

Article content

This downsizing left Ivanti exposed when an alarming discovery came to light: In February 2021, the company learned that Chinese hackers had compromised Pulse’s internal IT systems, according to Richards and three other people who were involved in the response. Those three people asked not to be identified discussing confidential information. 

Article content

The breach of Pulse’s own network, which has not been previously reported, had been in the works long before the sale was finalized. Months before, hackers had secretly installed a back door in the company’s proprietary VPN software, which Pulse used at its California data center, and gained access to the network. Mandiant reached out after the acquisition to alert Ivanti that US and European military contractors had also been hacked via those same products, according to Richards and the three others. Mandiant did not respond to a request for comment. 

Article content

Ivanti ultimately determined that 119 organizations were compromised, according to Richards and another former employee who was involved in the response. That number has not been previously reported. This was the first of at least three major hacks of the Connect Secure products since 2020.

Article content

Article content

CISA, Mandiant and Ivanti issued a coordinated statement about the incident several months later. Without revealing that Pulse’s own network had been affected, Ivanti said it had rewritten some code and worked with infected customers to fix defects in hacked Connect Secure products. The company also named a vice president of security and vowed to expand its product security team. In its statement to Bloomberg, Ivanti did not comment on the breach of Pulse’s network or the number of victims targeted in these attacks.

Article content

The coming months, Ivanti pledged after the attacks, would mark its “summer of security.”

Article content

But inside Ivanti, that message rang hollow, the former employees said. Many staffers who best understood the intricacies of the products had already resigned or been let go, according to Richards and multiple former employees who were involved in the response to the breaches and witnessed their aftermath inside the company.

Article content

Richards would soon join their ranks. Ivanti fired him after the crisis subsided, he said.

Article content

At that point, he was convinced the Connect Secure VPN had so many defects that Ivanti needed to either substantially rewrite its code or consider divesting. “I believe Ivanti did a very good job of assessing and addressing the risks as they came to light,” he said. “It just wasn’t enough.” Ivanti declined to comment on Richards’ departure from the company.

Article content

One major problem, Richards said, was that reductions to Pulse’s engineering team and related departures had diminished Ivanti’s ability to investigate software flaws and rewrite portions of the code to prevent future attacks. “Before the job cuts, all the knowledge and the wisdom was still intact at Pulse Secure,” said Richards, who decided to go public to call attention to what he sees as the problems associated with private equity’s growing role in cybersecurity.

Article content

The trend also worries Leiserson, the former assistant national cyber director. Because software makers generally ensure that they can’t be held liable if their products are hacked, he said, there is little downside for owners — whoever they may be — to slash staff and cut costs, even if that makes their software more vulnerable. “The story of Citrix and of Ivanti is one of incentives not being aligned,” Leiserson said, calling this “an enormous problem.”

Article content

“If the incentives are such that you are removing the people who best understand the code, that is a broken system,” he added.

Article content

As the pandemic receded, VPN sales started to slump. In 2021, its first year under Ivanti, revenue for the former Pulse Secure division fell by about half to roughly $150 million, according to the people familiar with the company’s finances. Still, Ivanti had weathered the fallout from the Chinese state-sponsored hacks, and ratings agencies were generally positive about its outlook. S&P Global Ratings deemed Ivanti “unaffected” by the Connect Secure breaches; its analysts wrote that the company had ample cushion to absorb the costs of responding to them. In a report published in February 2022, Fitch Ratings highlighted the firm’s more than 50,000 clients, its $86 million in cash and its five- to six-year runway before the bulk of its loans would mature.

Article content

Article content

Yet other warning signs were flashing. With $2.8 billion in debt on its balance sheet, Ivanti had less room to invest in upgrades, according to former employees. Then, in March 2022, the Federal Reserve began a rapid rate hiking cycle, which would eventually roughly double the cost of borrowing for some of Ivanti’s floating-rate debt.

Article content

Over the next two years, Ivanti grappled with the one-two punch of rising interest rates and slowing sales. Revenue decreased from just over $950 million in 2023 to about $906 million in 2024, according to people familiar with the company’s finances. The company’s annual interest payments also grew by about $100 million over that period, they said, bringing the payments to around $290 million in 2024.

Article content

Much of the decline in Ivanti’s revenue can be attributed to a change in its business model, according to the ratings agencies. In recent years, along with much of the software industry,  Ivanti has shifted from a model in which customers pay for licenses up front to one in which they pay recurring subscription fees. As a result, Ivanti now makes less when it signs up a new customer or renews an existing subscription, but stands to make more over time as fees accumulate. 

Article content

Article content

Ivanti’s owners did not give it additional equity during this transition period — one way for private equity firms to support struggling portfolio companies. Rather, financial pressures continued to mount, and Ivanti responded with layoffs, former employees said.

Article content

The most severe cuts occurred in 2022 as the shock of higher interest rates hit Ivanti’s balance sheet. The company laid off staff across departments and geographies, said former employees who were affected by or were aware of those layoffs. In the engineering department for Connect Secure VPNs and related technologies, nearly all of the core team in California was let go, and the UK branch was closed. Ivanti also shuttered or drastically downsized engineering offices across Europe, sending much of that work to India. By 2024, the former employees said, layoffs, resignations and other restructuring actions had reduced the former Pulse Secure engineering team by more than half. Ivanti continued laying off nearly all the remaining engineers in its California office through the end of that year, according to people familiar with the company’s staffing. 

Article content

Ivanti contested this account. “The article’s fundamental premise is based on purported past reductions in former Pulse engineering team headcount numbers that are completely inaccurate,” the company wrote in its statement, adding that after its acquisition of Pulse Secure it “enhanced the number and sophistication of qualified individuals” focused on software security.

Article content

In early 2024, Chinese government-backed hackers successfully breached Connect Secure VPNs again. 

Article content

CISA, the US cybersecurity agency, disclosed the news in coordination with security firms Mandiant and Volexity as well as Ivanti.  Once it discovered it was also a victim, CISA sent a letter to Congress noting that its emergency response efforts “greatly reduced exposure and interrupted the actor’s ability to exfiltrate data from the systems.” The agency ordered all Ivanti products removed from its network.

Article content

Several months after the hacks, Ivanti’s chief executive officer appeared at a security conference in San Francisco to emphasize the company’s commitment to safety. In a blog post for the event, he promised to modernize Ivanti’s network security products, make further investments and improve information-sharing with customers. “The imperative to put security first has never been greater,” Jeff Abbott wrote.

Article content

Article content

But by the end of that year, he had resigned, in what Ivanti described as a planned transition, saying he would remain on the board of directors. Ivanti declined to make Abbott available for an interview, and he did not respond to messages. Meanwhile, Ivanti continued to lose customers. 

Article content

The MITRE Corp., which runs research centers for US government agencies, removed all Connect Secure products in 2024 after it discovered that hackers had accessed one of its networks via the software, Chief Technology Officer Charles Clancy told Bloomberg. That same year, the Pentagon got rid of Connect Secure products across the military after investigators found evidence that outside actors had used the technology to breach its networks, according to an inspector general report published in June 2025. Continued use of Ivanti VPNs “put DoD networks at a greater risk of compromise,” the report stated. In statements to Bloomberg, the Navy said that it and the US Marine Corps no longer use Connect Secure, and the Federal Aviation Administration said the same.

Article content

Although the Energy Department was not hacked, the agency’s then-chief information officer Ann Dunkin told Bloomberg, its officials lost confidence in Ivanti’s ability to make promised improvements. “We can’t keep a product that is repeatedly breached in our environment,” she said. “It just introduces too much risk.” The Treasury Department also proactively removed its Connect Secure products, according to people familiar with the matter.

Article content

Article content

The Federal Reserve declined to comment, as did the State Department and Army. An Air Force spokesperson referred Bloomberg to the Pentagon inspector general report. NASA had several dozen Connect Secure VPNs on its network and discovered evidence after being contacted by CISA that some had been compromised in 2024, according to a person  involved in the agency’s response who requested anonymity because they weren’t allowed to discuss the matter publicly. The agency ordered their complete removal, apart from a small number that were being used in missions and could not be taken offline until a later date, the person said. 

Article content

A representative for NASA said a “limited number” of partner organizations still use Connect Secure VPNs to access NASA networks, and that the agency “took immediate action” to protect its systems following CISA’s emergency directive. It did not identify what those actions were. Wells Fargo and Deutsche Bank said they no longer use Ivanti products. 

Article content

Because replacing VPNs can be costly and time-consuming — and often involves putting critical services on pause — it may be too soon to calculate the full fallout of the Connect Secure hacks. An executive at one large American healthcare company, who asked that he and his employer not be named because he wasn’t authorized to speak to the press, told Bloomberg that his organization removed most of its Connect Secure VPNs after the breaches but continues to use a small number of them for its manufacturing operations, which can’t be stopped to swap out the technology. For now, the person said, the company has placed extensive security controls around the remaining VPNs and is looking to replace them at the earliest opportunity. 

Article content

Alexandre Dulaunoy runs the Computer Incident Response Center Luxembourg, which is part of the country’s national cybersecurity agency and responds to hacking attacks. In 2024, CIRCL published an advisory urging all organizations in Luxembourg to remove Connect Secure products from their networks — the first time in the center’s more-than-15-year history that it singled out a technology vendor and deemed its products unsafe.

Article content

“For us the problem was simple: we had customers in Luxembourg using the product and we saw that the company was a complete mess,” he told Bloomberg. “People were asking for information and what we decided to tell people was, ‘This company doesn’t work properly — go for another one.’”

Article content

By February 2025, Ivanti’s customer base had shrunk to 34,000 — a decline of nearly a third from its peak of about 50,000 just a few years earlier, according to a Fitch report. Its cash reserves had dwindled to $8 million, and it had drawn $76 million from a line of credit, analysts wrote.

Article content

And the month before, Connect Secure had been targeted in a third major Chinese state-led cyberattack. 

Article content

Article content

Ivanti said at that time that a “limited number” of customers were compromised before it disclosed the issue, and the full extent of the hacking campaign remains a mystery. 

Article content

One of the victims was Nominet, a UK-based tech company that helps direct traffic to more than 10 million websites using the .uk web domain. Early that year, the company detected a breach of its network via its Connect Secure software, said Paul Lewis, Nominet’s then-head of information security. The company disclosed the incident, and Lewis told Bloomberg that the company ordered all Ivanti products removed from Nominet’s network. 

Article content

Ivanti’s financial troubles came to a head several months later, when in May the company opted for what Fitch classified as a distressed debt exchange — a type of liability management exercise, an increasingly common alternative to bankruptcy in which private equity-owned firms conduct out-of-court debt restructurings with their lenders’ permission. The last few years have seen a spike in these exchanges, as higher interest rates have eroded firms’ ability to pay the interest on their debts. (In January of this year, Bloomberg reported that RSA Security, a leading name in cybersecurity, and now co-owned by Clearlake and Symphony Technology Group, was embarking on a distressed exchange that would reduce its debt and impose severe losses on some of its creditors.)

Article content

Article content

According to Moody’s Ratings, there have been 182 distressed exchanges in the last three years — up from 100 in the period prior. That’s affected hundreds of billions of dollars in loans and bonds since 2020. 

Article content

As part of the exchange transaction, Ivanti took out a new $350 million loan, which allowed it to put much-needed cash on its books while pushing its total debt to about $3.1 billion, according to people familiar with the company’s finances. Lenders were able to roll forward their debt at face value and the transaction extended the maturities on Ivanti’s existing debt to 2029, buying the company more time.

Article content

The refinancing gave Ivanti much-needed breathing room, and it has started to benefit from interest rate cuts. Yet the firm’s third-quarter results reveal that revenue has continued to slide, declining 7% compared to the prior year. Cash burn has persisted, with Ivanti’s balance sheet showing $92.5 million in cash at the end of the third quarter — a decline of about $28 million from the previous quarter, according to people familiar with the company’s finances. Ivanti owes roughly $280 million annually in interest, one of them said. 

Article content

Opting for a distressed debt exchange is a gamble. While the move does enable some companies to stave off bankruptcy and financially recover, that isn’t true for the majority of them. More than half of firms that used the exchanges between 2009 and 2022 defaulted on their debt again, according to a recent paper from Edward Altman, emeritus professor of finance at the NYU Stern School of Business, and Eric Rosenthal, a senior director at KBRA DLD. In most cases, that happened within two years.

Article content

Still, the people noted, Ivanti’s annual recurring revenue has ticked up slightly, a sign it’s slowly growing again. And the company is likely to benefit from its switch to a subscription model. But Ivanti still has a painfully large debt load to contend with. Should it fail to further increase revenue and bring down costs in the near future, it could struggle to service its debt.

Article content

Galante, the former US intelligence official, cautioned that the Ivanti breaches should raise broader questions about trends in the field. At a moment when China and various hostile governments are pouring resources into hacking VPNs, private equity investment has paradoxically resulted in money flowing away from some of the companies that secure these technologies.

Article content

When it comes to our most critical networks, she warned, “we need to rethink who we’re relying upon.”

Article content