Photo

David and Orion Hindawi at the offices of Tanium, their cybersecurity start-up, in Emeryville, Calif. Orion Hindawi said potential investors have started asking, “Do you guys actually make money?”Credit Talia Herman for The New York Times

Stories from Our Advertisers

SAN FRANCISCO — A funny thing happened to Orion Hindawi while he was raising $120 million for his cybersecurity start-up last month: Investors asked him about profits.

A year ago, Mr. Hindawi raised $90 million, followed by an additional $52 million this year from the Silicon Valley venture firm Andreessen Horowitz. Investors were willing to place a $900 million valuation on his company, called Tanium, without so much as a glance at revenue or profit margin.

This time, not so. As he made the rounds with investors like Institutional Venture Partners and T. Rowe Price, Mr. Hindawi said, he was asked to show profits and sales margins. “A lot of the funders we spoke with are starting to get really scared,” he said. “This time the questions were, ‘Is this a sustainable business? Do you guys actually make money?’”

That sudden dose of skepticism about cybersecurity start-ups, which as a group recorded record investments last year, may be a harbinger of change across the entire technology sector. With global stock markets struggling, investors may be ready to move away from the focus on growth over profits of the last few years.

If that shift proves to be more than a blip, it will represent a dramatic turnabout. Cybersecurity entrepreneurs in recent years have had an easy time raising money as breaches at the nation’s largest companies and government agencies have become front-page news.

In 2014, American venture capitalists poured $1.77 billion, a record amount, into private security start-ups, topping the previous record of $1.62 billion invested in 2000, at the height of the dot-com bubble, according to Dow Jones VentureSource.

“There was a big rush to fund cyber companies over the past 12 to 24 months,” said David Cowan, a partner at Bessemer Venture Partners. “But now there’s a sense that there are many, many out there already and a good story is not enough to attract capital anymore.”

And there are too many companies trying to do the same thing: identify “anomalous” behavior on computer networks and respond to attacks in real time, Mr. Cowan said.

“That pretty much sums up 95 percent of the companies raising money at the RSA show,” he said, referring to the giant RSA cybersecurity conference held in San Francisco in April. “If that’s what you’re promising and you think you’ve found a really sexy value proposition, guess what — it’s not that sexy when the room is full of people just like you.”

If interest from venture firms is any indication, Tanium must still be sexy. The Emeryville, Calif., company’s technology can test the millions of computers that are attached to corporate networks, ask them questions, and patch them or shut them down in seconds, if need be.

Tanium has been profitable since shortly after it started working with customers in 2012 (it was founded in 2007). Mr. Hindawi and his father, David, were not initially interested in raising venture capital, but the value Andreessen Horowitz was willing to put on their company and the business connections the venture firm could provide were too good to ignore.

Still, Mr. Hindawi said he was surprised that venture capitalists were willing to place a $900 million valuation on a young company without so much as a glance at revenue or margin.

“Up until a year ago, nobody cared that we were cash flow positive,” he said. “None of those things factored in. They basically said, ‘We don’t really care. What’s the growth rate?’”

The diligence he encountered during the company’s latest funding round was almost a relief, he said, maybe an indication that some semblance of sobriety had returned to tech funding.

But it may be just a semblance. Mr. Hindawi turned away $400 million in cash offers in the latest round. The investors who made the cut — Institutional Venture Partners, TPG Capital and T. Rowe Price — valued Tanium at $3.5 billion, nearly four times the $900 million valuation it received last year and double the $1.75 billion valuation that Andreessen Horowitz gave it last March, according to two people familiar with the deal who spoke on the condition of anonymity because the terms were confidential.

Tanium did not need the cash, Mr. Hindawi conceded, but he chose to raise money now, in part, because word that he had recently turned down an acquisition offer sent investors flocking to the company’s door — and a quarter-billion dollars in the bank would help it survive if a downturn hit.

“I never want to raise money again,” Mr. Hindawi said. “If there’s a market downturn or a ‘black swan’ occurs, I want to make sure we cross that bar.”

Saving up cash from private investors may also be wise because the public markets have not been kind to security companies lately.

So-called next-generation security companies like FireEye, the company that owns Mandiant; Palo Alto Networks; Qualys; and Splunk have all experienced sharp drops in their share prices. Qualys’s stock is down to half the $55 it traded at last May, Palo Alto Networks’ stock is down nearly 18 percent since July, Splunk’s stock is down 20 percent since July, and FireEye’s stock, which reached a high of $85.64 last year, now hovers under $40.

The slide could continue. On Tuesday, the tech-heavy Nasdaq composite index dropped 2.94 percent for the day and remains down 11 percent from its recent high, and the Dow Jones industrial average, a popular gauge of the broader market, tumbled 469.68 points, or 2.84 percent.

With the risk of a downturn growing, Tanium is not the only security start-up putting money away for a rainy day. Crowdstrike, which runs cyberthreats through a powerful cloud computing system, received $100 million from Google Ventures in July, for example.

George Kurtz, the company’s chief executive, said the investors from Google were not just throwing money around. They spent a lot of time with Crowdstrike’s customers, to understand the technology before investing.

Mr. Kurtz said he learned from the dot-com crash that it is better to give up a little ownership stake in return for investment dollars that can turn into a safety cushion if business turns bad.

“I’ve never seen a company go out of business from dilution, but I have seen companies go out of business because they didn’t raise enough money,” he said.