When it comes to initial public offerings, the security software sector has had an unusually long dry spell. Its last IPO was in 2001, when NetScreen stepped up to the public trough. Three years later, the company was acquired by Juniper Networks ( JNPR). And those that have come close to going public -- antispam company Brightmail in 2004 and enterprise security firm Sybari in 2005, for instance -- were snapped up by Symantec ( SYMC) and Microsoft ( MSFT), respectively, at the last minute. Industry observers say the money needed to go public, the demands of the market, competition and the trend toward working with fewer vendors have all contributed to steer many private companies to stay private -- or take an easier exit by getting acquired. "The IPO market is weak, and I don't really see that changing," says Deborah Magid, director of strategic alliances and software strategy for IBM's ( IBM) venture capital group. Mergers and acquisitions in security, on the other hand, are "a very vibrant market." Big players like McAfee ( MFE) and Symantec certainly aren't shy about paying big bucks to acquire fledgling startups, as the larger companies look to fill gaps in their own businesses and add to revenue. And it's not just security-software makers doing the buying, Magid says. Technology companies are pairing security with their other offerings. Just a few weeks ago, EMC ( EMC) picked up RSA Security ( RSAS). In October, IBM bought a security firm called DataPower. The offers are generally pretty rich. "These companies are getting paid attractive enough valuations," Peter Kuper, an analyst at Morgan Stanley says. "The decision makers say, 'This is a great payout, so let's take the money and go.'" Yet despite the significant hurdles, some privately-held firms are building their companies with a firm goal of going public. Security watchers say there are a handful of contenders who may try to go for an IPO in the next 12 to 18 months.