Here’s a depressing story about how private equity deals can quietly destroy the security infrastructure that millions of people depend on. Bloomberg just reported that Chinese hackers breached Pulse Secure, a VPN subsidiary of Ivanti, way back in February 2021. The kicker? A backdoor they planted in the software gave them access to 119 other organizations using the same product.
That’s not even the worst part.
When Cost-Cutting Becomes a Security Liability
The real culprit here wasn’t sophisticated hacking tradecraft. It was Clearlake Capital Group’s acquisition of Ivanti in 2017, followed by aggressive rounds of layoffs and cost-cutting that hit particularly hard in 2022. Bloomberg’s reporting suggests that cutting experienced employees who understood the company’s products and their security architecture left massive blind spots.
Think about that for a second. You’re running security infrastructure for government agencies and major corporations, but you’ve just fired the people who actually understood how it all worked.
Mandiant, the cybersecurity firm now owned by Google, knew about the breaches. They even alerted Ivanti that European and U.S. military contractors had been compromised. But here we are, years later, and the public is just finding out about it.
This Pattern Keeps Repeating
What happened at Ivanti isn’t unique. Citrix, a rival provider of remote access tools, went through similar chaos after Elliott Investment Management and Vista Equity Partners bought it in 2022. Post-acquisition layoffs, followed by a cascade of cybersecurity incidents and critical flaws. It’s starting to feel like a playbook.
The difference is that Ivanti’s problems didn’t stop in 2021. In early 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to disconnect their Ivanti VPN appliances within 48 hours because hackers were actively exploiting unknown vulnerabilities. That’s the kind of emergency that makes you realize something is seriously broken.
Last year, Ivanti warned customers about another critical flaw in its Connect Secure product. Hackers were using it to compromise corporate networks. At what point does a company’s technology become a liability instead of a solution?
The business Case for Investing in Security
This is where the private equity math falls apart. Sure, you can cut costs and boost short-term profits by trimming the fat. But when you fire security engineers and product experts to hit quarterly targets, you’re not really saving money. You’re just pushing the cost forward, and it comes back as customer lawsuits, regulatory fines, and destroyed reputation.
Companies dependent on Ivanti’s VPN products didn’t just lose access to critical infrastructure. They lost trust. And once that’s gone, it’s nearly impossible to get back.
The frustrating part is that nobody at Ivanti or Mandiant responded to Bloomberg’s requests for comment. No explanation. No apology. Just silence while the details of what went wrong slowly leak out to the public.
Government agencies use these tools to protect sensitive operations. Military contractors rely on them for national security. When a private equity firm decides that institutional knowledge is an unnecessary expense, the consequences ripple far beyond one company’s balance sheet.
Maybe the real question isn’t whether Ivanti’s leadership team failed. It’s whether private equity acquisition is simply incompatible with managing critical infrastructure that millions of people depend on.
