Analysis · Identity

How to read an IAM services business.

Two identity services firms can show the same revenue and be completely different assets. The difference is in how the work gets delivered, not on the income statement.


Identity and access management is one of the most durable demand stories in cybersecurity, and identity services firms have been active acquisition targets for exactly that reason. But "an IAM services business" describes a wide range of quality. Two firms with matching revenue and margin can carry very different risk once you understand how each actually delivers. Here is what we look at first.

Repeatability of delivery

Is delivery productized, with accelerators, playbooks, and reusable patterns, or is every engagement a custom build that depends on a few senior people? Repeatable delivery scales and defends margin under growth. Bespoke delivery looks fine at current size and breaks when you push volume through it.

Key-person concentration

In identity work, a handful of architects often hold the hardest knowledge and the most important client relationships. Map who they are, what they touch, and what happens to the business if any of them leaves. Concentration here is the single most common gap between the reported numbers and the real risk.

Platform mix and ecosystem exposure

Which identity platforms does the firm build on, and how concentrated is revenue in one of them? Deep certification in a leading platform is an asset; total dependence on a single vendor whose partner terms or roadmap can shift is a structural risk. The ecosystem decides a lot of the defensibility.

Recurring versus project revenue

Managed services and run-state contracts carry very different quality than one-time implementation projects. A business that has converted implementations into ongoing managed relationships has a more valuable, more predictable revenue base than one living deal to deal, even at the same top line.

Why it takes an operator

None of these show up cleanly in a data room, and all of them decide whether the asset scales after close. Reading them correctly requires having built and run identity delivery, not just reviewed it. That is the lens we bring, drawn from building, scaling, and selling in exactly this market.

← Back to Insights

Considering a cyber investment?

Get an operator's read before the LOI.