Like so many other startup sectors, cybersecurity is often a game of mergers and acquisitions. So who has got the biggest appetite?
Matt Suiche, a French hacker and cybersecurity entrepreneur, recently parsed the numbers to determine which companies lead the pack in terms of purchases. Suiche’s post on Medium used data sourced from Crunchbase, a site that tracks venture capital and other deals.
“I wrote some scripts to parse the data and extract what I wanted,” he told Fortune. “Since my main focus is security, I thought, Let’s have a look at the market.”
Get Data Sheet, Fortune’s technology newsletter.
With two dozen cybersecurity acquisitions under its belt, Cisco (CSCO) put its rivals to shame. Some of the networking giant’s recent buys included the cloud software security startup CloudLock for about $293 million last month, the network monitoring firm Lancope for more than $453 million in October, and the Internet security company for $635 million OpenDNS about a year ago.
The aging antivirus software firm Symantec (SYMC) was the runner-up with 15 purchases, most recently picking up the cybersecurity firm Blue Coat for $4.65 billion in what could be considered a reverse acquisition. Others that placed prominently on the acquisition leaderboard included Microsoft (MSFT), (IBM), EMC (EMC), and McAfee (brought onboard by Intel (INTC) for nearly $8 billion in 2010).
The chart below, which draws from Suiche’s own, lays out the top 10 acquirers. Rounding out the bottom were Singtel’s Trustwave, Google (GOOG), Blackberry (BBRY), and the Universal Protection Service.
“We often hear names but with no real data validation ,” Suiche wrote in his post. “Well, there is no more room for speculation, here is the chart you wanted to see.”
It’s difficult to place a price tag on the acquisitions because companies rarely disclose the value of deals amounting to less than $100 million, as Suiche explained. In fact, he sold one of his own security startups, CloudVolumes, to VMware (VMW) for an undisclosed sum in 2014. Most recently, he founded the Dubai-based memory forensics firm Comae Technologies (née MoonSols).
Another finding: the overwhelming majority of cybersecurity startups are founded in and acquired within the United States. Given the better odds for U.S.-based businesses, why the move to the Middle East?
Suiche said he expects that more people will move out from the Bay Area, as he did, after gaining some experience in the high-rent locale to go start businesses abroad. “I think we’ll start to see a shift in where companies are being founded,” he posited. “That’s why I did the article now, to be able to compare in two years or so.”
“A lot of startups in London are already asking Berlin to relocate,” Suiche added, mentioning one unintended consequence of Britain’s recent decision to leave the European Union.
View Suiche’s Medium post for an expanded list of about 50 acquirers. Other companies that ranked include Oracle (OCLCF) (5 cybersecurity acquisitions), Raytheon (RTN) (5), and Hewlett-Packard (HPQ) (3).
Asheem Chandna, a partner at the venture capital firm Greylock Partners, recently told Fortune that he expects “a steady clip of M&A” in the area of cybersecurity over the next couple of years. Indeed, Chandna added that he believes the best exit strategy for the vast majority of cybersecurity startups is to sell because most of them, in his view, do not meet the criteria to succeed as standalone companies in the public markets.
Get to know the likeliest bidders, above.