A reader asked how cybersecurity investors value business metrics differently from their broader SaaS counterparts, and as an example, how ACV and CAC might mean different things to an investor in a company like $GTLB vs. a cybersecurity company like $ZS.
It’s a question I feel qualified to answer only partially, as I don’t have conversations with institutional public equity investors around anything except cybersecurity companies. What I can speak on is what they prioritize when it comes to valuing cybersecurity companies against each other.
I'm going to focus on the most important metrics for growth in this post using a handful of examples, though there are some cybersecurity companies like $TENB and $QLYS that trade on profitability, where FCF margin and FCF growth are the more important metrics. To answer the example question specifically, in the 6 or so years I've been doing this, CAC has not come up in my conversations with investors.
What they are all looking for is how much business a company sold and renewed in the quarter (“bookings”), and whether that is an acceleration or deceleration based on previous guidance. The trouble is the bookings metric, especially with older cybersecurity companies, is not typically provided to investors by the company. Instead, investors must do their best to approximate it. Let me explain.
There are two major business models within cybersecurity, and the rest of the cybersecurity companies fall somewhere in between them. The first and older model is a hybrid mix of perpetual and subscription revenue like what $PANW, $FTNT, and $CHKP have. They sell perpetual licenses for their on-prem firewalls, plus recurring support and subscriptions. The second model is an almost purely subscription/recurring revenue model, with a little bit of consumption pricing mixed in ($CRWD, $S, $ZS).
The preferred metric for growth is ARR. If the company doesn't give an ARR number, then investors look at Revenue + some other way to approximate bookings, which might be cRPO or Billings. Sometimes a company gives an ARR number, but it doesn’t represent the majority or entirety of their revenue, so Billings will still play an important role.
This all helps determine how investors value certain metrics depending on the company’s business model. Net-new ARR is highly important for $CRWD because all of its revenue is derived from ARR. Even though they give a Billings number, it's less important because net-new ARR is a more precise indication of future business. On the other hand, $PANW, with its hybrid mix of perpetual and subscription revenue, has several revenue segments, of which “next-gen” ARR is one component. If they don't blow next-gen ARR out of the water, it might not be the end of the world if they can make up for it in other revenue segments.
At the same time, weak Billings is going to impact $PANW and $FTNT (given their hybrid revenue models) much more heavily than $CRWD because investors are still looking for ways to approximate bookings for the rest of their hybrid revenue segments. $ZS is interesting because, despite the fact that their revenue is all recurring, they do not give a net-new ARR number. As a result, their Billings number is also more consequential than $CRWD's in the eyes of investors.
Nuances like this can easily be lost on an analyst trying to apply the same fundamental analysis to companies that tend to get grouped within the same sector, like $CRWD, $OKTA, $ZS, and $PANW. They may be further skewed when trying to apply that same formula to a basket of 50 SaaS stocks across a variety of sectors. These companies each have different business models that create variability in the importance of their financial metrics and how indicative those metrics are of future business.
Remember This
Everyone is trying to measure acceleration or deceleration in growth in bookings, and an analyst must use what the company gives them to do their best to approximate it. The most valuable metrics are the ones that help an analyst do that job. In cybersecurity, those are most often a combination of ARR/net-new ARR, cRPO, and/or Billings.