<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Cybersecurity Investors Anonymous]]></title><description><![CDATA[I provide cybersecurity research consulting services to institutional investors, and I'm here to teach you what I know about the cybersecurity space. This publication is geared for the investing community, rather than cybersecurity practitioners.]]></description><link>https://www.cybersecurityinvestorsanonymous.com</link><image><url>https://substackcdn.com/image/fetch/$s_!-BT_!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png</url><title>Cybersecurity Investors Anonymous</title><link>https://www.cybersecurityinvestorsanonymous.com</link></image><generator>Substack</generator><lastBuildDate>Fri, 03 Apr 2026 20:20:22 GMT</lastBuildDate><atom:link href="https://www.cybersecurityinvestorsanonymous.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Penny Eckel]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[pennyeckel@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[pennyeckel@substack.com]]></itunes:email><itunes:name><![CDATA[Penny Eckel]]></itunes:name></itunes:owner><itunes:author><![CDATA[Penny Eckel]]></itunes:author><googleplay:owner><![CDATA[pennyeckel@substack.com]]></googleplay:owner><googleplay:email><![CDATA[pennyeckel@substack.com]]></googleplay:email><googleplay:author><![CDATA[Penny Eckel]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[AI Disruption and the Software Bloodbath]]></title><description><![CDATA[How to think about 
investing in software during the AI transition]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/ai-disruption-and-the-software-bloodbath</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/ai-disruption-and-the-software-bloodbath</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Tue, 03 Feb 2026 20:52:00 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!-BT_!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The indiscriminate selling in software has been relentless, but it also presents an opportunity for investors who are willing to dive below the narrative of AI as a software business killer, into the reality of the impact.</p><p>Let&#8217;s look beyond the obvious counter-narrative points about enterprises moving more slowly, sunk cost in enterprise SaaS, retraining staff, and capital expenditure on AI infrastructure build-outs. One, because those horses have been beaten to death, and two because those things didn&#8217;t prevent companies from spending the time and money to refactor workloads for the cloud, or for cloud consulting services and development staff. For all their virtues, they have not been convincing enough points to cause investors to pause and think through the nuances of this particular situation.</p><p>The enterprise shift to the cloud taught us that when the incentives are great enough, enterprises are increasingly willing to spend resources on re-doing things. <br><br>Even though that&#8217;s the case, the transition from on-premises software to cloud-native taught us something else- there are always winners and losers. How do we tell the difference? 
</p><p>The most important way to answer that question is to consider what <em>unique</em> threats AI presents to enterprise software companies based on the users and use cases those companies serve. <br><br><strong>Three-Layer Positioning</strong><br>Let&#8217;s frame up what I consider to be the most fundamental shift with AI in its current iteration, which is its use as a new type of <em>interface</em>. </p><p>If we think of enterprise software in very simple terms, its purpose is to allow the storage of -and interaction with- a subset of an enterprise company&#8217;s <em>information</em>. We can imagine it has three layers.</p><ol><li><p>The <strong>user interface</strong> is the surface layer.<br><br>This is where we type our information into forms, where we search for information, and where information is displayed for us. It&#8217;s our interactive window into what the software is supposed to do for us.<br></p></li><li><p>The <strong>search, read, and write </strong>functions are the middle layer.<br><br>This layer handles the exchange of instructions between what the user wants to do in the user interface layer, and the information stored in the deepest (database) layer. <br></p></li><li><p>The <strong>database </strong>is the deepest layer. <br></p><p>It&#8217;s like a giant warehouse where all the information for a piece of software is stored on different shelves, and the place from which data is retrieved when a user requests it.</p></li></ol><p>You may be wondering what this has to do with AI disruption, and here is the answer: AI has the <em>potential</em> to disrupt existing software at all three layers in the future, but the most immediate disruption potential exists at the surface -the user interface layer- right now. </p><p>Remember, timing is everything. 
If enterprise companies are busy replacing software that holds the most value in its surface layers first, it gives software vendors offering deeper layer solutions more time to adjust to AI adoption and to potentially leverage it to their advantage. Therein lies our opportunity as investors.</p><p>To illustrate what I mean by surface layer user interface replacement, take the example of working with an AI chatbot like ChatGPT or Claude. You type in a question, and it serves up a (hopefully accurate) answer in the time it takes to sip your coffee. It&#8217;s much more time effective than going out to Google search and sifting through results of mixed relevance, especially as you ask the AI bot subsequent questions. It hasn&#8217;t necessarily replaced the deepest layer -the database layer- because the information is probably about the same as what you could find on your own if you wanted to work hard enough. But it&#8217;s greatly reduced the friction between you as the user and the information you&#8217;re trying to find. Even though this example is more consumer focused, for the vast majority of non-technical people making decisions about how to use AI within their organizations, this is a use case they&#8217;re thinking about.</p><p><em>NOTE:</em> As I said before, AI has the potential to disrupt the other two layers as well. It can do many things in the background without human intervention. Cybersecurity has strong examples of this. I will write about that in a separate entry in the future.</p><p>The following are some questions I use to evaluate my stance on a software company&#8217;s exposure to AI disruption based on their users, use cases, and who they&#8217;re selling to.  
</p><ol><li><p>Which software companies are most valued for their use as a user interface for working with a subset of a company&#8217;s data?</p></li><li><p>Who are the early adopters within an enterprise organization to leverage AI coding tools to improve their work experience?</p></li><li><p>Who is least likely?</p></li><li><p>Which existing software companies are best-positioned to accommodate new AI workloads, both technically, and from a business model/pricing standpoint?</p></li><li><p>What AI-driven activity might happen within a software vendor&#8217;s customer base for its earnings growth to either slow or expand?</p></li></ol><p>I&#8217;ll use some real company examples to highlight my thinking. </p><p><em>NOTE</em>: As we start talking about specific companies, I want to add a disclaimer here that this is not investment advice, and more importantly, I am not saying that companies I see as better-positioned than others will be able to actually capitalize on that opportunity, and similarly, I&#8217;m not saying that companies I view as having more exposure to AI disruption won&#8217;t figure out a way to spin it in their favor. But we have to work with what&#8217;s going on today, and I think this article would be pretty useless without some real examples of what I&#8217;m talking about. With that out of the way, let&#8217;s proceed.</p><h4>Potential Winners - Database Companies and Deepest Layer Defense </h4><p><strong>ESTC, MDB</strong></p><p>From my perspective, database companies like MongoDB <span class="cashtag-wrap" data-attrs="{&quot;symbol&quot;:&quot;$MDB&quot;}" data-component-name="CashtagToDOM"></span>  and Elastic <span class="cashtag-wrap" data-attrs="{&quot;symbol&quot;:&quot;$ESTC&quot;}" data-component-name="CashtagToDOM"></span>  are well positioned to benefit from new AI workloads. 
I worked in software for a long time in various technical roles, and there was a time in my life where I couldn&#8217;t be convinced there was a wide-spread, enterprise-scale use case where an unstructured database like MongoDB was superior, or even on par with a SQL database. But times have certainly changed, and the volume, structure, and processing of massive amounts of data has also changed. AI may finally be the nail the NoSQL database hammer was searching for all along. These database companies have also added relational data and SQL-like query capabilities to their platforms which have broadened the use cases they can effectively serve. <br><br>Widespread adoption of these databases, open source versions that allowed for early experimentation, and their scalability all set them up for success in the AI world. If a developer is working on a proof of concept for a new AI use case, nothing can slow down time-to-market faster than having to learn a new database technology. The wheel does not need to be re-invented in databases right now, the wheel everyone is focused on re-inventing is the user interface.<br><br>Perhaps equally as important is that these database companies don&#8217;t have to do much to revamp their business or pricing models to suit the influx of new data from AI workloads. Having to accommodate this change doesn&#8217;t slow them down in any way. They are already priced for data ingestion and expansion, and additional data works to their benefit. Retro-fitting a new pricing model during a technological sea change and expecting customers to get on board is no easy feat, as software vendors in other categories are likely to find out.</p><h4>Potential Losers - User Interfaces for Technical Teams </h4><p><strong>TEAM, DDOG </strong></p><p>Software vendors that offer what are essentially user interfaces for data or workflow within technical teams are in the most trouble. 
Particularly if they are very expensive or difficult to work with.</p><p>They are facing several headwinds.</p><p>Technical teams are the earliest experimenters and adopters of AI, and can easily understand its best use cases and limitations. It&#8217;s much easier for an enterprise company&#8217;s internal development team to build a replacement for some of Atlassian&#8217;s functionality, than it is for a non-technical sales and marketing team to build a replacement for the product managing their inbound leads. <br><br>If &#8220;software developers can rebuild software faster&#8221; doesn&#8217;t sound like a profound insight, I&#8217;d like to point out the obviousness of the statement is not reflected in software stock prices as they sit today. There is no differentiation happening as software names continue to get sold across the board.</p><p>Further, when a product is used by focused teams, rather than cross-organizationally, it&#8217;s easier to plan and measure a replacement. What will it cost, what will it save, how much easier will their lives be if they don&#8217;t have to use this product&#8217;s interface any longer? Much easier to sort when you don&#8217;t have to run across HR, Sales, IT, and every other team a workflow routes through to figure out the answers to those questions. The security complexity becomes more manageable as well (an entry for another day).</p><h4>Time Will Tell - Cross-Organizational User Interfaces </h4><p><strong>CRM, NOW </strong></p><p>Companies that sell to non-technical audiences, and/or are used more widely across the organization than just within technical teams are likely to fare better. Here is why.</p><p>Replacing an entire piece of enterprise software touching multiple departments across the organization is extremely disruptive to business processes and productivity. Not only that, but predicting cost and setting budget becomes much more challenging as well. 
You may be wondering why I don&#8217;t put these companies firmly in the &#8220;Potential Winners&#8221; category. I believe it&#8217;s more likely small use cases will slowly get peeled off from these vendors and simplified by AI over time, which will feel like paper cuts to companies like Salesforce and impact their growth rate, but will not create the immediate disruption exposure cross-organizationally. <br><br>A bigger challenge to these companies is going to be hanging onto seats, and worrying about how they might leverage AI to make their products less cumbersome to configure and more user friendly over time before something new and shiny comes along solidly enough to cause a real problem. I believe they have time to do it.</p><p><strong>Final thoughts</strong></p><p>The question that emerges from this framework is:<br>At what price is it safe/smart to own a software company based on its three-layer positioning and current valuation? Blood is certainly running in the streets. <br><br></p><p></p>]]></content:encoded></item><item><title><![CDATA[What are the most valuable metrics for Cybersecurity Investors?]]></title><description><![CDATA[With a focus on growth]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/what-are-the-most-valuable-metrics</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/what-are-the-most-valuable-metrics</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Thu, 07 Mar 2024 00:10:35 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A reader asked how cybersecurity investors value business metrics differently from their broader SaaS counterparts, and as an example, how ACV and CAC might mean different things to an investor in a company like 
$GTLB vs. a cybersecurity company like $ZS. </p><p>It&#8217;s a question I feel qualified to answer only partially, as I don&#8217;t have conversations with institutional public equity investors around anything except cybersecurity companies. What I can speak on is what they prioritize when it comes to valuing cybersecurity companies against each other.</p><p>I'm going to focus on the most important metrics for growth in this post using a handful of examples, though there are some cybersecurity companies like $TENB and $QLYS that trade on profitability, where FCF margin and FCF growth are the more important metrics. To answer the example question specifically, in the 6 or so years I've been doing this, CAC has not come up in my conversations with investors.</p><p>What they are all looking for is how much business a company sold and renewed in the quarter (&#8220;bookings&#8221;), and whether that is an acceleration or deceleration based on previous guidance. The trouble is the bookings metric, especially with older cybersecurity companies, is not typically provided to investors by the company. Instead, investors must do their best to approximate it. Let me explain.</p><p>There are two major business models within cybersecurity, and the rest of cybersecurity companies fall somewhere in between these two models. The first and older model is a hybrid mix of perpetual and subscription revenue like what $PANW, $FTNT, and $CHKP have. They sell perpetual licenses for their on-prem firewalls, plus recurring support and subscriptions. The second model is an almost purely subscription/recurring revenue model, with a little bit of consumption pricing mixed in ($CRWD, $S, $ZS).</p><p>The preferred metric for growth is ARR. If the company doesn't give an ARR number, then investors look at Revenue + some other way to approximate bookings, which might be cRPO or Billings. 
Sometimes a company gives an ARR number, but it doesn&#8217;t represent the majority or entirety of their revenue, so Billings will still play an important role. </p><p>This all helps determine how investors value certain metrics depending on the company&#8217;s business model. Net-new ARR is highly important for $CRWD because all of its revenue is derived from ARR. Even though they give a Billings number, it's less important because net-new ARR is a more precise indication of future business. On the other hand, $PANW, with its hybrid mix of perpetual and subscription revenue, has several revenue segments, of which &#8220;next-gen&#8221; ARR is one component. If they don't blow next-gen ARR out of the water, it might not be the end of the world if they can make up for it in other revenue segments.</p><p>At the same time, weak Billings is going to impact $PANW and $FTNT (given their hybrid revenue models) much more heavily than $CRWD due to the fact investors are still looking for ways to approximate bookings for the rest of their hybrid revenue segments. $ZS is interesting because, despite the fact their revenue is all recurring, they do not give a net-new ARR number. As a result, their Billings number is also more consequential than $CRWD's in the eyes of investors.</p><p>Nuances like this can easily be lost on an analyst trying to apply the same fundamental analysis to companies that tend to get grouped within the same sector, like $CRWD, $OKTA, $ZS, and $PANW. They may be further skewed when trying to apply that same formula to a basket of 50 SaaS stocks across a variety of sectors. These companies each have different business models that create variability in the importance of their financial metrics and how indicative those metrics are of future business.</p><p><strong>Remember This</strong><br>Everyone is trying to measure acceleration or deceleration in growth in bookings, and an analyst must use what the company gives them to do their best to approximate it. 
The most valuable metrics are the ones that help an analyst do that job. In cybersecurity, those are most often a combination of ARR/net-new ARR, cRPO, and/or Billings.</p>]]></content:encoded></item><item><title><![CDATA[Cybersecurity Thoughts - FinThreads ]]></title><description><![CDATA[Quick and dirty thoughts on Cybersecurity prior to Q423 earnings next week]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/cybersecurity-thoughts-finthreads</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/cybersecurity-thoughts-finthreads</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Fri, 02 Feb 2024 18:35:12 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>If you are on Threads, feel free to follow me over there @pennyjilleckel. I&#8217;m writing this note for the FinThreads community. Please keep in mind that I'm not in the business of calling quarters- in other words, these are intermediate term trends I&#8217;m observing and this is not investment advice. Regarding this quarter, everything in cybersecurity has run up into earnings so far, so pick your spots carefully. There may be opportunities to swoop in on a name that suffers from a post-earnings sell-off due to too-high expectations.</p><p>Over the last several quarters, the firewall market has slowed, and FTNT has already taken a beating because of it. Meanwhile, CHKP is at all-time highs and received a couple of upgrades recently.</p><p>What I can tell you about CHKP is they have a steady business and a very conservative management team. They don't grow much, but their growth doesn't slow much either. We&#8217;re talking 5% growth. 
It&#8217;s bulled up because people are looking for value in a space where we&#8217;ve seen a big run-up in valuations, and without understanding the nuances, it is relatively cheap. CHKP trades at 6.3x EV/rev(Cy24), while PANW, CRWD, ZS are all double digits, and even FTNT is trading around 8x after the beating it endured last year. Generally, I view CHKP as a safe, defensive name in the space- a nice way to participate in cybersecurity without taking on as much risk, though that will be reflected in modest returns.&nbsp;</p><p>I like FTNT as a company, but I&#8217;m not convinced the stock has been beaten down enough to tamp down high expectations. They are returning to what I believe will be sustained pre-pandemic growth levels, but investors are not ready to let go of those parabolic growth levels from 2022 and early 2023, and we&#8217;ve watched the stock creep higher in line with those expectations. I think a beat and raise are priced in, consensus is low, and it could be achievable, but it&#8217;s not a bet I&#8217;m willing to make. I think this is a slightly higher risk trade going into the call, so I&#8217;m pointing it out if that&#8217;s your style.</p><p>One that is very interesting to me is CYBR, which we&#8217;d categorize as an Identity vendor for financial industry purposes. They had a huge upward inflection in their business in late 2018 and rode that trend for a year or so. When the pandemic happened, everyone was scrambling to re-architect their networks for wfh, and CYBR didn&#8217;t do as well as vendors like ZS, FTNT, and PANW who benefited not only from the re-architecture, but also pull-forward demand of hardware based security due to supply chain constraints/concerns. 
Side note: I think the digestion of this additional capacity, combined with multiple price increases from those vendors, is what&#8217;s impacting firewall growth.&nbsp;</p><p>Returning to CYBR- now that those network security re-architecture projects are being digested, we are seeing CYBR&#8217;s business tick back up again. New cybersecurity regulations are mandating Privileged Access Management (which CYBR dominates) for high-risk orgs, which is a nice tailwind for them. CYBR is not as cheap as CHKP, but it&#8217;s growing faster and is still under a double digit EV/rev multiple for now. OKTA, which is not a direct competitor but is an Identity vendor, has continued to fumble around and create problems for itself. All other pure-play Identity vendors were acquired over the past few years, so investors who want exposure to the Identity space are buying CYBR. It&#8217;s also completed a transition from perpetual licensing to subscription, which has made its business less lumpy and more predictable. </p><p>Speaking of perpetual to subscription transitions, VRNS has been going through a painful one. They continue to trudge through it, now in their second year. They&#8217;re small and don&#8217;t get as much love as other security companies because they operate in a niche space -unstructured data security- with little competition as a point solution vendor. For this reason, it&#8217;s hard for investors to value it and triangulate its place in the market. I think it&#8217;s pretty fairly valued, but I like it better under $40. Still, if one doesn&#8217;t mind enduring the transitional pains they&#8217;re going through, there is upside potential here. I still view it as a potential acquisition target, but if I were buying it for that purpose, I would need to build a position starting closer to $30. 
You can read more about my criteria for what makes a good acquisition target <a href="https://www.cybersecurityinvestorsanonymous.com/p/what-makes-a-good-pe-acquisition">here</a>.</p><p>If, like me, you feel things in cybersecurity are getting a bit extended, these are decent companies to hold for the long term, but pick your spot based on your investment style. I&#8217;ll have more to share on the Fy reporters in a couple of weeks before their earnings start flowing in March. This feels like a year where looking for the right short in cybersecurity has more potential upside than in the last few years. I&#8217;ll share more on that when I write about the next round of reporters. Send me any questions you have on Threads.</p>]]></content:encoded></item><item><title><![CDATA[$PANW and $FTNT: Follow up - What's driving firewall growth?]]></title><description><![CDATA[I received a question from a reader of yesterday&#8217;s post asking where all these new firewalls are being deployed- in traditional datacenters or in the cloud?]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/panw-and-ftnt-follow-up-whats-driving</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/panw-and-ftnt-follow-up-whats-driving</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Wed, 12 Jul 2023 21:02:00 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I received a question from a reader of yesterday&#8217;s post asking where all these new firewalls are being deployed- in traditional datacenters or in the cloud? 
It&#8217;s a great question, and I wanted to provide an answer for others who might be interested.</p><p>There are the standard deployments in traditional datacenters and in the cloud that are kind of always going on at a steady rate. Aside from that, many companies went through network re-architecture over the pandemic to accommodate work-from-home requirements, and that drove a lot of firewall growth over the lock-down period. This was obviously only a temporary growth driver for PANW and FTNT, so how are they still growing their firewall businesses?</p><p>A bigger, more sustainable driver of growth has been all of the network segmentation that&#8217;s being driven by &#8220;<strong>Zero Trust</strong>.&#8221; Zero Trust is a concept born out of Google that represents a paradigm shift in the way a network should be architected in order to promote optimal security. I&#8217;ll circle back to this in a minute.</p><p>To illustrate this shift, imagine a medieval kingdom surrounded by a perimeter wall, with all the individual makings of a kingdom inside- a castle for the king, a blacksmith, food storage, an alehouse- you get the idea. The wall surrounding the kingdom represents a firewall. The individual makings of the kingdom all represent applications that exist inside a company&#8217;s network, a.k.a. inside the perimeter. The perimeter wall around the castle has a gate with a few guys who decide who gets to go in and out. Firewalls are a bit like that too, with rules about what traffic to allow or disallow. </p><p>Now, unlike medieval kingdoms, a company&#8217;s network often has more than one gate, which you can probably imagine makes it more difficult to keep track of who is going in and out. For many companies, one such gate was the SolarWinds ($SWI) software. 
Unfortunately, in late 2020, it was discovered that SolarWinds&#8217; network management platform, Orion, had been hacked, and that a large number of enterprise companies and government agencies were affected. Orion had access to pretty much everything on a customer&#8217;s network. It was bad.</p><p>I bring this up because everything in cybersecurity gets done faster after big hacks- they&#8217;re a catalyst for change and for making big dollar cybersecurity purchases.</p><p>The SolarWinds hack acted as one such catalyst. After the hack, many cybersecurity vendors saw an opportunity to take hold of the &#8220;Zero Trust&#8221; concept, turn it into a marketing buzzword, and start selling the heck out of it. No matter what the vendor was doing before, they were now able to help customers with Zero Trust in some form or another. The SolarWinds hack also accelerated the adoption of the Zero Trust concept across the traditional networking and security groups within the enterprise customer base simply because many of them used SolarWinds or something similar and needed to reconsider their own architecture to prevent a recurring hack of the same nature.</p><p>So what does this have to do with medieval kingdoms, and more importantly, firewall growth for PANW and FTNT?</p><p>Well, before customers started adopting the zero trust framework, their networks resembled the kingdom as I described it before- a perimeter wall surrounding all the individual makings of a kingdom, with a gate to get in or out. The trouble is, some rogue who shouldn&#8217;t be inside the perimeter wall inevitably figures out a way to get in, and once they&#8217;re in, they can move freely throughout the kingdom- stealing from the blacksmith, hassling the castle guards, terrorizing the women at the alehouse. </p><p>If we examine a customer&#8217;s network that has been re-architected using the zero trust framework, the kingdom might look different. 
It would still have the individual makings of a kingdom surrounded by a large perimeter wall, but now it also has an individual wall around the castle, and one around the alehouse and food stores, and another around the blacksmith. If a rogue who shouldn&#8217;t be inside the walls gets in, he&#8217;s suddenly met with several other walls he must find a way through before he can actually steal, hassle, or terrorize.</p><p>This concept of protecting smaller pieces inside the kingdom represents Zero Trust, which is kind of what it sounds like- don&#8217;t trust anyone or anything unless they prove who they are and why they need access&#8230; you may have gotten inside the big perimeter wall around the kingdom, but why do you need to see the blacksmith? </p><p>In my example, Zero Trust is achieved using what is called <strong>network segmentation</strong>, and the individual walls represent firewalls. If a customer really wants to do network segmentation with a purpose-built solution, they might use a Software Defined Networking (SDN) solution like VMware&#8217;s NSX or Cisco&#8217;s ACI**, but they are very expensive and come with a lot of  implementation challenges&#8230; they&#8217;re not always practical. Instead, many customers segment their networks by putting a firewall in front of each application, or in front of smaller groups of applications.</p><p>This is a big reason why PANW and FTNT have been able to grow their firewall businesses so handily- this ongoing re-architecting of the network to achieve better security. A customer decides to segment their network and suddenly, they need five firewalls instead of one. </p><p>It&#8217;s hard to say how long this network re-architecture and subsequent firewall growth will last. I&#8217;ll admit it&#8217;s gone on longer than I thought possible. 
In the meantime, PANW and FTNT investors can enjoy the growth that comes from these trends.</p><p><em>**Note: I do not cover VMW or CSCO and can&#8217;t speak to the quality of these solutions.</em></p>]]></content:encoded></item><item><title><![CDATA[$PANW and $FTNT: The Value Firewall Threat to PANW's Growth]]></title><description><![CDATA[...and some lessons learned along the way]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/panw-and-ftnt-the-value-firewall</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/panw-and-ftnt-the-value-firewall</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Tue, 11 Jul 2023 17:27:33 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>When I was first coming up to speed on the cybersecurity space back in 2017, I remember hearing a lot of talk in the investment community about how the firewall market was dying at the hands of the cloud. The narrative was that nobody was going to need hardware based appliances, and even the virtualized ones weren&#8217;t going to be helpful for customers running workloads in AWS and Azure (GCP wasn&#8217;t really on the radar at that time). I spent a lot of time working to understand why that was the case, and by and large, I came to agree with that sentiment.</p><p>Yet despite this mass migration of applications to the cloud by enterprises the world over, PANW and FTNT are two of the strongest stocks in the security space. It turns out some part of the narrative was wrong. The truly surprising thing isn&#8217;t that these two companies have managed to survive mass cloud migrations. 
It&#8217;s the fact that firewalls continue to be the biggest aspects of their businesses, and more importantly, this is where the most significant battle between these two vendors is being waged today- five years after the investment community thought firewall growth would have died off already. There is a lesson here- <strong>Don&#8217;t Trust the Narrative, Narratives Change</strong>.</p><p>For those familiar with PANW, the inclination might be to assume the investments they&#8217;ve made in acquiring and building new cloud products are fueling their growth. If we were to stop there and take it at face value - more cloud workloads equals more growth for a security company with a lot of cloud products - we&#8217;d be right, but as it turns out, actually more wrong than right because PANW is still a very firewall dependent company. Last year they grew revenue 29% YoY, but 2/3** of that growth came from their firewall business. <br><br><em>**I don&#8217;t want to suggest this is something management is trying to obfuscate in their numbers, but they have changed the way they do revenue breakouts in their reports several times over the past couple of years, and this number has been tougher to get to over time. I&#8217;m not the only investor annoyed by this, so please don&#8217;t get discouraged if you are just now diving into PANW.</em></p><p>Then you have FTNT, who has grown their Enterprise business to about 40% of revenue, from less than 20% five years ago. No easy feat for a security company starting out as an SMB and Mid-market vendor, and with few cloud products in their portfolio. </p><p>So we have on one hand, PANW, with a primarily Enterprise security business, investing heavily across product, sales, and marketing in its cloud security solutions. 
It has no real Secure SD-WAN (the convergence of security and networking) or OT security (commercial IoT) story.</p><p>On the other, we have FTNT, very focused and invested in Secure SD-WAN and OT security, with little cloud security story, and a majority SMB and Mid-market customer base (albeit with a fast growing Enterprise business).</p><p>When we look at the two businesses this way, they seem to swim in different lanes&#8230; with the exception of their core firewall business, and that is what&#8217;s so fascinating about them. There is also another lesson here- <strong>Do the Work</strong>. Without understanding this breakdown, it&#8217;s easy to miss what&#8217;s currently happening between them. They&#8217;ve not only collectively wrecked the &#8220;firewall is dead&#8221; narrative, customers are actually deciding which vendor to work with on the basis of TCO of their firewall deployments. All of the investments PANW and FTNT have made in other aspects of their businesses have certainly helped their growth, but at the end of the day, customers still need firewalls, and they&#8217;re picking the best firewalls they can get for the price. The interesting thing about the investment FTNT has made in Secure SD-WAN is that it has further increased the value proposition of FTNT&#8217;s firewall, without requiring a separate product offering. They&#8217;ve taken two products and combined them into one.</p><p>So why does this matter? </p><p>Budgets are getting tighter this year across the board. PANW and FTNT have both done multiple price increases over the past couple of years, but FTNT is still the value firewall between the two of them, and FTNT&#8217;s aforementioned growth in Enterprise business is starting to encroach upon PANW&#8217;s. It took a while, but the swim lanes are converging, and FTNT is taking share of the firewall market from PANW. 
If we were still under the impression PANW&#8217;s growth was primarily being driven by its cloud product portfolio, we may not think losing firewall share to FTNT is that material to their business, but since we&#8217;ve done the work, we now know that is not the case.</p><p>I&#8217;m not in the business of making predictions. I think given the recent run up in stock prices, FTNT and PANW are both facing very high expectations from investors this quarter, at a time when customers are taking more time to make decisions and digest current projects before making big investments in new ones. <strong>The point is really that if FTNT continues to take firewall market share from PANW, this will certainly impact PANW&#8217;s business and therefore its stock price, and I think that&#8217;s a point many investors may overlook. </strong></p><p>FTNT&#8217;s value firewall is an imminent threat for PANW, one that is more imminent than PANW management would like to admit to investors.</p><p></p><p></p><p></p>]]></content:encoded></item><item><title><![CDATA[$S: The $S Problem and Opportunity]]></title><description><![CDATA[Quick and dirty post-earnings thoughts on $S]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/s-the-s-problem-and-opportunity</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/s-the-s-problem-and-opportunity</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Fri, 02 Jun 2023 14:33:48 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>$S is down big after earnings. They revised prior revenues down $27mm. Obviously it's never good when a company revises past numbers downward. 
Apparently, their sales reps were using Salesforce in such a way that when a customer wanted to renew a contract and also buy a new upsell item, the sales reps were creating entirely new contracts that included the base product as well as the upsell item. The problem was the old contracts still existed, so they were essentially double counting some of their sales. How an auditor didn't catch this, I have no idea. </p><p>Another issue, and one I suspect had less of an impact on the downward revision, was they were annualizing consumption based revenue. Consumption revenue is not as predictable as subscription revenue. It probably wasn't a big deal when that line item was a small portion of revenue, but became an issue as revenues grew over time. </p><p>Altogether, these were a $27mm problem. On top of this, they missed and guided revenue down. Once the street can't trust a company's numbers, it's very tough to recover.</p><p>These are the current problems, and they present what I would consider to be a glaring opportunity&#8230; which is that $S is beginning to take the shape of a company that fits the profile of a perfect acquisition target. You can read a previous article on my substack that details my criteria for what makes a good acquisition target, but to summarize:</p><ul><li><p>It&#8217;s Misunderstood</p></li><li><p>It&#8217;s Cheap</p></li><li><p>It Fits the Bill</p></li><li><p>Management has to want to sell</p></li><li><p>The acquisition price needs to clear 52 week highs</p></li></ul><p>How well does $S fit the criteria? A heck of a lot better after that call last night. I&#8217;ll touch on each point. To start, it&#8217;s now <strong>misunderstood</strong> by the street because it misunderstood its own numbers to the point it had to go back and revise them. Not a good look. It&#8217;s already on its way to being hated. It&#8217;s getting <strong>cheap</strong> too, it just took $2B off its market cap after earnings. 
It <strong>fits the bill</strong> because it has an excellent endpoint solution being used by many enterprise customers and MSSP partners, and any cybersecurity platform provider without a competitive endpoint solution could benefit from adding a solid endpoint to their platform. If <strong>management doesn&#8217;t want to sell yet</strong>, just wait until the pain of a lack of faith and recovery in the stock price wears them down over time. This could take 6+ months to happen. <strong>The acquisition price needs to clear 52 week highs</strong>, and it&#8217;s currently sitting around $30 from Q2 2022, instead of the closer to $50 level it was at in Q1 2022.</p><p>$11.50 is where I plan to start buying heavily, as that's about 3x EV/ARR (FY24), which is what $SUMO got sold for, and $S is a much better company than $SUMO. I think investors are going to do the math and expect a sale at some point. If I&#8217;m going to hold something for 6 months or more, I want to make sure I have an entry price that can sustain broader market moves without sweating it too much. I do believe we&#8217;re headed for a recession and we will see multiples come in as a result.</p><p>A question I now have is how many other companies have been annualizing consumption-based revenue? 
A recession could spell trouble for them in more than one way.</p>]]></content:encoded></item><item><title><![CDATA[What makes a good PE acquisition target?]]></title><description><![CDATA[A look at recent public cybersecurity acquisitions and what they have in common]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/what-makes-a-good-pe-acquisition</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/what-makes-a-good-pe-acquisition</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Fri, 24 Mar 2023 18:42:26 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Within the past year or so, a multitude of public cybersecurity companies have been bought (mostly) by PE. So before the next one goes, I thought this would be a good time to talk about what makes a public cybersecurity company a good PE acquisition target. When I think about these characteristics, my goal is to own stocks of companies I think are going to get bought, and to start buying them at levels where I think PE might be interested in them. 
Let&#8217;s look at some recent acquisitions in the space and outline what they have in common, so you can do the same.</p><p><strong>Recent PE Acquisitions of Public Cybersecurity Companies</strong></p><p>SAIL - acquired by Thoma Bravo</p><p>PING - acquired by Thoma Bravo</p><p>FORG - acquired by Thoma Bravo</p><p>SUMO - acquired by Francisco Partners</p><p>MNDT - acquired by Google (Obviously not PE, but PE was sniffing around this one before Google acquired it, and some of its characteristics were in line with what I&#8217;d consider a good PE target, so I&#8217;m including it)</p><p><strong>Common Characteristics</strong></p><p>It&#8217;s my job as a cybersecurity research consultant for institutional investors to understand what these cybersecurity companies do, how they operate, their management teams&#8217; backgrounds, how they compete in the market, and their financial profiles. It&#8217;s also important for me to understand how analysts and investors think about the companies I research, and the reason is that I can&#8217;t present my research in a way that is helpful unless I understand what it is they want to know about a company.</p><p>After almost 6 years of doing this type of research and seeing companies get acquired over that period of time, it becomes very evident when a company on my coverage list starts looking like an acquisition target. So what are those common characteristics? Using the 5 companies above as examples, let&#8217;s take a look.</p><p><em><strong>It&#8217;s Misunderstood</strong></em></p><p>There are several reasons a company might be misunderstood by the broader investing community, and not just by retail, but by institutional investors and analysts as well. 
It might be that the company is a niche player, or competing in a niche space, or it may be that their category is too complicated or boring, that they are the only public company in their category, or that they are a small player in a very saturated market and investors don&#8217;t understand how they could possibly compete in it (this was the case for SUMO for a long time). Sometimes a company goes through a lot of change in management or strategy over a period of time, and the stock gets extremely beaten down and no one wants to own it. You might even say these stocks are hated (I would place MNDT in this category of misunderstanding). No matter the reason, companies that get bought by PE are usually misunderstood.</p><p>The first three companies in my list up above, SAIL, PING, and FORG, were all part of the Identity Governance, Management, and Federation spaces. If that sounds extremely boring to you, you&#8217;re not alone. The identity sub sector of cybersecurity isn&#8217;t sexy, and you can tell just by attending their conferences, which are not designed to be flashy, but are educational. By contrast, companies like CRWD and ZS dump a ton of money into marketing and big, fancy booths at the big security conferences. That type of promotional activity also helps their stock because the analysts walking around trying to understand what all of these companies do are naturally going to gravitate to the ones that are more interesting and fun. <em>Interesting and fun companies on the surface do not generally make good PE acquisition targets.</em></p><p>If it&#8217;s well understood, it&#8217;s probably too expensive and doesn&#8217;t need PE help anyway, which brings me to the next characteristic&#8230;</p><p><em><strong>It&#8217;s Cheap</strong></em></p><p>A lot of companies in my coverage list are way too big and expensive for PE. CRWD currently has a $30B market cap and is trading for ~10x revenue&#8230; forget it. 
We are generally looking for companies that are trading around a $5B market cap or below, which was true for all 5 of the companies in my list up above before they got bought. They should be trading for single digit multiples of revenue, and if they are down in the 2-3x revenue range, that is ideal.</p><p>There are times when a good company goes through a tough time and becomes an excellent value. OKTA is a good example of a company that went through a tough time recently, and if it had remained at the beaten up level it was trading at, I thought it would be an acquisition target. The stock traded down to around $45, which meant OKTA had a roughly $7.5B market cap (a little high for a PE target) and was trading for 3.2x forward revenue. This was a relative bargain though since the other identity companies I listed above were getting bought in the 7-10x revenue range, and OKTA is a market leader with solid growth. As you can see, the stock did not stay that low for long, as many investors understood the relative value and bought it up right away. It now trades around $83, and has a $13.25B market cap. I was buying OKTA heavily below $50. </p><p><em>Side note: This is where understanding fundamentals can have a positive impact on your trading strategy. If you want to see how I use fundamentals to inform my trading, check out my <a href="https://savvytrader.com/Penny/cybersecurity-and-cloud">SavvyTrader portfolio</a>. 
Coincidentally, OKTA was one of my first entries there.</em></p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wnat!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wnat!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 424w, https://substackcdn.com/image/fetch/$s_!wnat!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 848w, https://substackcdn.com/image/fetch/$s_!wnat!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 1272w, https://substackcdn.com/image/fetch/$s_!wnat!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wnat!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png" width="1389" height="236" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d0818033-4770-43da-97b1-2c492a1cee00_1389x236.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:236,&quot;width&quot;:1389,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:56539,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wnat!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 424w, https://substackcdn.com/image/fetch/$s_!wnat!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 848w, https://substackcdn.com/image/fetch/$s_!wnat!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 1272w, https://substackcdn.com/image/fetch/$s_!wnat!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0818033-4770-43da-97b1-2c492a1cee00_1389x236.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>You may be wondering why I thought a company as big as OKTA might be an acquisition target. Especially since I just said we&#8217;re generally looking for things under $5B in market cap. 
Well, it&#8217;s more than just the relative value of OKTA, and that brings me to the next characteristic&#8230;</p><p><em><strong>It Fits the Bill</strong></em></p><p>If you follow a space long enough, you start to notice patterns. A really obvious pattern to the cybersecurity community was that Thoma Bravo seemed to be buying up every identity company on the planet over the past couple of years. They bought SAIL, PING, and FORG just last year. The reason I thought OKTA might be a target for them as well wasn&#8217;t just because it was a relative value, but because Thoma Bravo is clearly building a large Identity portfolio and has some kind of plan in place to dominate the Identity space. For that reason, OKTA fit the bill of a company they might be interested in.</p><p>If you look at the firewall space, you&#8217;ll see that the major players (PANW, FTNT, and CHKP) have all added cloud security capabilities over the past several years, and especially for PANW, it&#8217;s become a huge part of their growth strategy. I bring this up because if you look at the portfolio companies of PE firm Francisco Partners and sort by the Security sector, you&#8217;ll see they have invested in several cloud security solutions already. Further, they own SonicWall, a mid-market firewall company. It&#8217;s easy to see how a company like SUMO, which offers a cloud observability and security platform, can fit into Francisco Partners&#8217; portfolio of security companies. (If it isn&#8217;t easy to see yet, it will be as you get to know the cybersecurity space. That&#8217;s what I intend to help with)</p><p>So what about MNDT? I think of all the traits MNDT had that made it a good PE acquisition target, this trait was the weakest. 
It made a lot more sense for Google, a company that is trying to get enterprise customers to take Google Cloud seriously from a security standpoint, to buy MNDT, which for all its weaknesses had some of the most brilliant minds in cybersecurity working for it. I was a huge believer in MNDT, and I might write a separate piece about them because I think there is a lot to learn from their journey if you are trying to better understand the space and how investors think about the companies in it.</p><p>The next point is going to sound obvious, but hear me out&#8230;</p><p><em><strong>Management has to want to sell</strong></em></p><p>Imagine you spend a decade or more building a software company. You put your blood, sweat, and tears into it. You take the company public and learn how to deal with analysts and investors breathing down your neck. Then one day you have a bad quarter or a bad analyst day and your stock takes a nose dive. It probably seems to you like an over-reaction&#8230; wouldn&#8217;t years of strong performance be enough to buy you a little slack over a rough quarter? Not so fast. The market is forward looking, and it doesn&#8217;t take much for the narrative on the street to flip and for the viability of your beloved company&#8217;s future to be called into question. Analysts are building financial models out over several years, and so any change in the numbers today or next quarter can alter those models pretty quickly and crush your valuation via your stock price.</p><p><em>The question is- can you fix it before or after that happens, and do you want to?</em></p><p>For many companies bought by PE, the answer is no. The conditions really have to be right (or wrong) for a management team to want to sell. What contributes to those conditions? 
This is going to be the most speculative part of this article, but here are some things I think contribute:</p><ul><li><p><strong>Deteriorating market conditions:</strong> Maybe spending has rotated to other areas of security and the outlook is uncertain, or maybe a recession is imminent. Uncertainty is bad for public companies, especially those who are not market leaders or are operating in sectors that are not considered a priority.</p><p></p><p>For example, SAIL offered identity governance solutions which allowed customers to automate and manage the rollout and revocation of employees&#8217; access policies. Before that, they were doing it manually, which they could theoretically do again. In a recession, will a customer buy that tool, or allocate dollars to securing endpoints? Endpoint security cannot be done manually.</p></li><li><p><strong>They&#8217;re tired: </strong>Some of these founders and management teams have just been doing it forever, and I think they are just tired. The founder of SAIL has been working in the space for 35 years, and the CEO of PING has been running the company for 21 years. </p><p></p><p>Kevin Mandia, who took over as CEO of FEYE before it became MNDT, is just a super smart guy who wants to make the world a more secure place, and he got stuck with trying to run a product company after Dave DeWalt blew up FEYE&#8217;s stock price. Kevin Mandia was a services guy, not a product guy. I think he was tired of fighting to show investors the value, and getting folded into Google will give him an opportunity to focus on what he actually cares about. 
</p><p></p><p>SUMO&#8217;s CEO didn&#8217;t found the company, and had some bad luck with timing, going public shortly before the pandemic, and having to do layoffs right as they were gaining traction going upmarket into enterprise, and then just fighting to get that company to a good place with a new management team around him.</p><p></p><p>By contrast, OKTA&#8217;s CEO founded the company and is younger and hungrier to keep going, and I think that would&#8217;ve prevented a sale to PE anyway. No way a bad quarter or two is going to convince him to sell the company for less than what he thinks it will one day be worth.</p><p></p><p>Watch management teams present at their analyst days and pay attention to the level of enthusiasm on earnings calls to get a hint about how they&#8217;re feeling.</p></li><li><p><strong>They&#8217;re distressed or going through a transition: </strong>In many cases, companies can see the writing on the wall due to internal and external factors. A PE firm might buy a company and take it private, help them through a transition, and take them public again. An example of a transition might be a company that is struggling with transitioning from a perpetual licensing model to subscription, and they may be doing that as they&#8217;re trying to get their customers moved over to a cloud-based version of their product. Maybe they are also transitioning to a new management team.</p><p></p><p>When public companies go through these types of transitions and they don&#8217;t go as smoothly as expected, it gives investors a view into the sausage being made, which can tarnish the image of a public company in an investor&#8217;s eyes. 
I think SPLK is a company whose stock price is suffering from a prolonged and muddy transition, but other characteristics do not make it a good PE target.</p></li></ul><p><em><strong>Final Rule of Thumb: The acquisition price needs to clear 52 week highs</strong></em></p><p>Investors are not likely to agree to a PE buyout of a stock that has had a temporary pullback due to a bad quarter or a broader market selloff. For example, SentinelOne ($S) is an excellent endpoint security company that currently has a market cap under $5B, and is trading for ~5.5x revenue. What PE firm wouldn&#8217;t like to own it for that price given its very high growth rate? The trouble is if you look at the stock price, its 52 week high is $41.68, and no PE firm is going to pay that much per share to acquire it. Why does the 52 week high matter? Because if you&#8217;re an investor you are expecting the stock to get back there eventually, only time can cause you to lose hope. Why would you take $20/share when it was trading at twice that less than a year ago?</p><p>Now, starting in Q4 of 2022, it started getting down into the $15/share range, which is where it&#8217;s currently trading. If the stock hasn&#8217;t rallied much from where it&#8217;s at now, then in Q4 of this year, once its 52 week high is in the $15 range instead of $41.68, I will be looking at it as a certainty for acquisition. That could be by PE or another cybersecurity platform company. I think it&#8217;s a good value at this price, but it could dip lower into the $12-13 area, where I will be a heavy buyer. Could a non-PE buyer try to swoop in now? 
Of course, but remember, management has to want to sell.</p><p><em>The companies that get bought by PE have generally been trading lower or sideways for over a year.</em></p><p><strong>Going Forward: Companies I Think Meet The Criteria</strong></p><p>Now that I&#8217;ve outlined these common characteristics of companies that make good PE acquisition targets, I&#8217;m going to be writing about some I think are shaping up to be potential targets. Recessions are the perfect time for PE to go shopping, as multiples compress and valuations become more reasonable. This means good setups for investors who know what to look for.</p>]]></content:encoded></item><item><title><![CDATA[$FTNT and $PANW: How $FTNT rose to become a serious enterprise Security Platform leader]]></title><description><![CDATA[TLDR: This is a brief history of the firewall market and security platform, and how $FTNT rose to compete directly with $PANW.]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/ftnt-and-panw-how-ftnt-rose-to-become</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/ftnt-and-panw-how-ftnt-rose-to-become</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Tue, 31 Jan 2023 20:17:53 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/2f6d90e1-6bc4-4c19-861a-d90a987762f8_707x655.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>TLDR: This is a brief history of the firewall market and security platform, and how $FTNT rose to compete directly with $PANW. If you&#8217;d like to see my active positions, I put them on my <a href="https://savvytrader.com/Penny/cybersecurity-and-cloud">Savvy Trader Profile</a>. 
You can also see my performance there.</p><h4>A (very) Brief History of Next-Gen Firewalls and Security Platforms</h4><p>Six years ago, when I started in the space, $PANW was still riding the massive wave it had created in the firewall business with its next-gen firewall capabilities. The next-gen capabilities essentially took what required 3 different hardware appliances from 3 different vendors at an enterprise level, and condensed those requirements down to a single operation on a single $PANW appliance, using what they referred to as their &#8220;single pass architecture.&#8221;</p><p>Prior to $PANW arriving on the scene, its big pure play competitor in the enterprise firewall space, $CHKP, had only offered one of those required appliances and operations. $FTNT was not considered an enterprise firewall vendor until a bit later, when they started making major inroads upmarket in 2018-2019, as firewall features approached better parity with $PANW&#8217;s and cost-conscious enterprise customers began looking for something cheaper than $PANW, but more advanced than $CHKP. </p><p>Even before $PANW&#8217;s arrival, $FTNT was in the UTM space, which was a way for mid-market companies to buy a single appliance that performed all 3 capabilities for a lower cost, but its architecture couldn&#8217;t support enterprise network traffic volumes. Single pass architecture made $PANW&#8217;s appliance more performant, and able to handle enterprise traffic volumes. When other vendors like $FEYE popped up and added things like sand-boxing, $PANW was able to easily add similar modules to its appliance and maintain its single pass capabilities. </p><p>This was really the advent of the security platform. The next step in the evolution of the security platform was all of the security vendors deciding what kind of security platforms they were going to be when they grew up. The answers were somewhat different depending on what area of security the vendor serviced (i.e. 
network security, endpoint, identity, etc.) but for this piece, I will focus on explaining what it meant for firewall vendors like $PANW and $FTNT.</p><p>**Please keep in mind that I just reduced the history of the next-gen firewall market and security platform into a few paragraphs, and that required some simplification.</p><h4>The Cloud &#8230; dun dun dun</h4><p>Sometime around 2019, while security vendors were starting to add new capabilities to their offerings, the traditional firewall market was cooling off a bit. MSFT&#8217;s Azure and AMZN&#8217;s AWS cloud platforms were taking off, and that meant fewer hardware firewalls were being bought for customers&#8217; on-prem networks. Firewall vendors were being forced to decide more quickly how they were going to grow their security platforms - and their businesses - going forward. This is where the deviation in strategy between $PANW and $FTNT really became evident.</p><p>$PANW, whose customer base is comprised almost entirely of enterprise customers, hired a new CEO and headed down the cloud security path at a rapid pace. They bought up several cloud security startups at big premiums and started integrating them into their platform. We know from looking at the stock price that focusing on cloud security has been a successful strategy for them (if you ignore the recent sell-off and zoom out to 2019). Now, even though $PANW sells all of those cloud modules, it&#8217;s important to note that 70% of their business is in what they call &#8220;Network Security.&#8221; Network Security includes hardware firewall appliances, virtual firewalls, and SASE (their $ZS competitive product). It does not include their Cloud Security or SOC Security offerings. This is important when it comes to competition, especially from $FTNT, and the impact on PANW&#8217;s overall business. Pesky $FTNT, who was once an ankle biter, is now a formidable competitor. You may be wondering; how did that happen? 
I&#8217;ve got 4 reasons for you.</p><h4>Fortinet&#8217;s Security Platform Strategy</h4><p>When forced like other security vendors to decide where to go next due to the shift to cloud, $FTNT took a different approach. It doubled down on on-prem security and network offerings. Initially, that didn&#8217;t seem like the best idea, especially to investors who were all abuzz about cloud taking over the world, but it&#8217;s actually worked out for them. Here&#8217;s how they did it:</p><ol><li><p>$FTNT integrated SD-WAN capabilities into its proprietary firewall appliances, and once customers began to understand the advantages, they were selling like hotcakes. The best part for customers was (and still is) that the SD-WAN capabilities were free with firewall appliance purchases. It&#8217;s hard to compete with free if you&#8217;re $PANW&#8230; they&#8217;ve been developing their own SD-WAN capabilities for their firewall appliances, but it hasn&#8217;t sold well. One might assume it&#8217;s because it doesn&#8217;t work well since they&#8217;ve been successful at selling pretty much everything else. They also bought a cloud SD-WAN company (CloudGenix) and added it as a module, but it&#8217;s expensive. Because of this, $PANW has not made much progress in SD-WAN.</p></li><li><p>$FTNT took an additional step with its platform strategy by building out its security offerings in the OT (Operational Tech) space. OT is all of the equipment running in hospitals, airports, utility companies, and on factory floors, like machine tools, automated pumping mechanisms, etc. That OT security business has been growing ~50% a year, granted it was off a small base, but it&#8217;s not so small anymore.</p></li><li><p>Since $FTNT worked its way up-market from servicing SMB and Mid-market customers, it has a smaller share of the enterprise, but its customer base is about 3-4 times the size of $PANW&#8217;s. 
It offers security platforms at each level, which provides additional expansion opportunities and further diversifies its business. One thing to keep in mind is that smaller companies may not fare as well in a recession, so $FTNT does have some exposure there.</p></li><li><p>$FTNT firewalls are 25-30% cheaper than PANW&#8217;s, and lately the channel partners of these companies, and subsequently their customers, are recognizing the capabilities of the firewalls as &#8220;good enough&#8221; when compared to $PANW&#8217;s. $FTNT&#8217;s price performance leadership and &#8220;good enough&#8221; firewall feature parity are very attractive to enterprise customers, especially in a recession, and extra especially when $PANW&#8217;s pricing is fast approaching a ceiling for what customers are willing to pay for it.</p></li></ol><p>This is how $FTNT is narrowing the gap between its own share of the enterprise firewall market and that of $PANW.</p><p>Both companies have done well, and it would be easy to chalk that up to a healthy firewall market, but I think these nuances are really important if you are an investor in either company going forward, especially given how different their strategies are. I&#8217;ll write a lot more about PANW and FTNT in the future, but I thought this would be a good primer if you&#8217;re coming into it with no prior knowledge about the firewall market.</p><h4>What about $CHKP?</h4><p>I didn&#8217;t spend much time on $CHKP, so you might be wondering; how does $CHKP fit into all this? Well, the profile of a $CHKP customer is they are generally slow-moving and not first adopters, or even second or third adopters of new technology. They are not rushing to the cloud right away to try new things, or making massive changes to their network architectures, and as a result, $CHKP has a really steady business. It&#8217;s not growing fast, but it&#8217;s not going anywhere fast either. 
Their management team is also quite conservative, which minimizes surprises during earnings season, but frustrates investors who feel they could be doing more to promote and market their business, and to compete with $PANW and $FTNT in other areas. $CHKP is a company I buy as a defensive name when cloud stocks are getting sold. It usually trades in a nice range, and again, there are very few surprises with this company.</p><p></p><div><hr></div><p>If you are an institutional investor and would like to subscribe to our professional research down the road, you can find me on <a href="https://www.linkedin.com/in/penny2129/">LinkedIn</a>.</p><p><strong>Disclosure:</strong>&nbsp;I am not an Investment Advisor, and the information I provide through this publication is not investment advice. Do your own research.</p><p>You can see my positions, performance, and general market commentary here:</p><p><a href="https://savvytrader.com/Penny/cybersecurity-and-cloud">Cybersecurity Portfolio on Savvy Trader</a></p><p>I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than through Substack, when the time comes). 
I have no business relationship with any company whose stock is mentioned in this article.</p>]]></content:encoded></item><item><title><![CDATA[$CRWD and $S: Fighting it out in a recession-strained Endpoint Security market]]></title><description><![CDATA[TLDR: Although I&#8217;ve been bullish on both vendors for a long time, recent news has introduced risk and reframed my thinking on both $CRWD and $S in the near term.]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/crwd-and-s-fighting-it-out-in-a-recession</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/crwd-and-s-fighting-it-out-in-a-recession</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Tue, 31 Jan 2023 19:00:50 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e93a1407-4094-4b08-b042-d5a7c1b6970d_707x655.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>TLDR: Although I&#8217;ve been bullish on both vendors for a long time, recent news has introduced risk and reframed my thinking on both $CRWD and $S in the near term.</p><p>I have been bullish on $CRWD since before they went public, when I had an opportunity to talk with a Product Manager about their architecture. I knew they were going to be disruptive, and the acquisitions of Cylance, Carbon Black, and Symantec really created an environment in which $CRWD could flourish in a saturated endpoint market. With $S, which went public more recently, I really wanted to wait and see how things played out before making any decisions about how effective they were going to be competing with $CRWD. </p><p>What I came to realize is that in a vast market with a lot of legacy players, there was plenty of room for $CRWD and $S to do well swimming in their own lanes, and I&#8217;ve been bullish on both despite the fact many analysts and investors were talking about how the newly public $S was going to encroach on $CRWD&#8217;s business. 
You can look back on $CRWD&#8217;s chart and see where the narrative started to change after $S IPO&#8217;d. As these two vendors grow their businesses, it naturally follows that they will compete more heavily as time goes on, and while that was happening to a small degree last year, now we have a catalyst for acceleration. So what is it?<br><br>The catalyst that has forced $CRWD and $S&#8217;s lanes to converge more rapidly is the fear of a recession. Gone are the days of blank check enterprise security budgets. Customers (those of CRWD and S) are going to be analyzing budgets across the board with much more scrutiny. They&#8217;re going to ask the tough questions like, &#8220;Why are you so much more expensive than X vendor?&#8221; To be honest, I wasn&#8217;t convinced recession fears were much of a catalyst for anything other than customers pausing to consider their budgets, which would only create short term demand hiccups and not actual demand destruction as far as the endpoint space was concerned. However, a <a href="https://www.crn.com/news/security/crowdstrike-poaches-two-execs-from-rival-sentinelone">headline</a> from the week before last announcing $CRWD had poached $S&#8217;s CMO and CPO (of 5 years) changed my thinking. Why?<br><br>It's important to understand that $CRWD is a market leader in its segment, and is widely considered the best of the best when it comes to endpoint security. By whom? The cybersecurity channel that resells and implements security solutions for a variety of vendors, by customers, and by investors. It&#8217;s not easy to build an excellent reputation in the channel as a new vendor, and yet, $CRWD has managed to do it in only a few years. They did it by developing a solid product, great marketing, and a winning channel program. None of those things have changed. 
It begs the question- why does a company with excellence in all three areas need to steal executive level talent from what is considered by many to be its biggest competitor? I think the answer is obvious. They have more money than $S, and they did it to handicap their competition. I can&#8217;t judge them too harshly for that, but unfortunately, I, along with other investors, am going to see this as an act of desperation. In many ways it validates the narrative that was wrong for so long about how $S was encroaching on their business. Now we know for sure that it is.</p><p>Unfortunately for $S, this is in no way a positive for them either. Going into a recession, and to the extent it actually materializes, I had been of the opinion $S had an advantage over $CRWD in that the base cost of their solution had been running about 25% cheaper than $CRWD. Some might say it doesn&#8217;t have all the bells and whistles of $CRWD&#8217;s solution, but who is buying bells and whistles in a recession anyway? Further, many channel partners are of the opinion the solutions are at enough parity to be competitive, and clearly they are or $CRWD would not be stealing talent. So what is $CRWD doing with those two new hires they stole from $S?<br><br>The ex-CMO of $S will now be in charge of Channel at $CRWD, and will help them move down market. The ex-CPO of $S will continue as CPO at $CRWD and will oversee data, identity, cloud, and endpoint. This is a good time to mention that for most cybersecurity vendors, the Channel is absolutely critical to their sales and growth initiatives. I don&#8217;t need to explain why this is bad for $S; there has never been a time where losing 2 key executives to a competitor has been a net positive for a company. The more interesting thing is how this could impact $CRWD negatively, other than the &#8220;validating the competition narrative&#8221; I outlined earlier. 
Imagine you work at $CRWD for years to develop an amazing channel program and build a highly competitive product. You&#8217;re crushing it. You&#8217;re warding off ankle biters left and right, and then suddenly the CEO you work for hires the guy you&#8217;ve been competing against for all these years and makes him your boss, rather than promoting you, or at least putting him under you. I can&#8217;t say I would be pleased about that personally, or that I would be very motivated to continue working at $CRWD. It feels a bit like they&#8217;re cutting off their nose to spite their face. In turn, $S announced several new executive hires this morning, including $CRWD&#8217;s Global VP of Product Marketing.</p><p>Anyway, it&#8217;s going to be a very interesting earnings cycle, and while there&#8217;s no way to know for certain, I&#8217;m not expecting either vendor to blow it out of the water, especially when it comes to guidance. I believe $S will experience some short term difficulties as a result of the news, but nothing they can&#8217;t recover from. We will see if $CRWD is able to successfully move down market- their growth rate (and stock price) depends on it.</p><div><hr></div><p>If you are an institutional investor and would like to subscribe to our professional research down the road, you can find me on <a href="https://www.linkedin.com/in/penny2129/">LinkedIn</a>.</p><p><strong>Disclosure:</strong>&nbsp;I am not an Investment Advisor, and the information I provide through this publication is not investment advice. Do your own research.</p><p>You can see my positions, performance, and general market commentary here:</p><p><a href="https://savvytrader.com/Penny/cybersecurity-and-cloud">Cybersecurity Portfolio on Savvy Trader</a></p><p>I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than through Substack, when the time comes). 
I have no business relationship with any company whose stock is mentioned in this article.</p>]]></content:encoded></item><item><title><![CDATA[Coming soon]]></title><description><![CDATA[This is Cybersecurity Investors Anonymous.]]></description><link>https://www.cybersecurityinvestorsanonymous.com/p/coming-soon</link><guid isPermaLink="false">https://www.cybersecurityinvestorsanonymous.com/p/coming-soon</guid><dc:creator><![CDATA[Penny Eckel]]></dc:creator><pubDate>Tue, 31 Jan 2023 18:46:43 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!-BT_!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa07c70e1-f686-4673-8df6-a2694489bd41_521x521.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This is Cybersecurity Investors Anonymous.</p>]]></content:encoded></item></channel></rss>