The pandemic precipitated what is shaping up to be a permanent shift in cyber security spending patterns. As a direct result of hybrid work, CISOs have invested heavily in endpoint security, identity access management, cloud security and further hardening the network beyond the HQ. Moreover, the need to build security into applications from the start, rather than bolting protection on as an afterthought, has led to vastly heightened awareness around DevSecOps. Finally, attacking security as a data problem with automation and AI is fueling new innovations in cyber products and services; and is spawning well-funded, disruptive startups.
In this Breaking Analysis we present our quarterly findings on the security sector. We’ll share the latest ETR survey data, identify the companies with customer spending momentum and share some of the market movers.
What’s News in Cybersecurity?
Nary a week goes by without more concerning news about cyber attacks. The latest focus in the headlines is Russia’s relentless attacks on critical infrastructure in the Ukraine– including banking, government Websites and weaponizing information to spread panic.
The hacker group BlackByte put the double whammy on the San Francisco 49ers; meaning they exfiltrated data and encrypted the organization’s files.
Then there was the best Super Bowl ad last Sunday. The Coinbase floating QR code. Millions of people rushed to scan the code and participate in the Coinbase BTC giveaway. This highlights yet another exposure, the willingness of individuals to click on unknown links and random QR codes. So many people read the code on their smartphones that it crashed Coinbase’s Website. What does that tell you?
In other security news, Securonix raised $1B. This on top of Lacework’s massive $1.3B raise last November. Both of these companies are attacking security with data, automation and APIs that can engage machine intelligence. In its announcement, Securonix specifically mentioned the momentum from MSSPs – manage security service providers – and that’s a trend we see as increasingly gaining traction as customers are just drowning in security incidents without the staff to handle them.
Peter McKay’s company Snyk acquired Fugue, a company focused on making sure security policies are consistent throughout the software development lifecycle. It’s an example of developer-defined security where policy can be checked at the dev, deployment and production phases of software development to ensure the same policies are in place at all stages; including monitoring at runtime. Fugue according to Crunchbase had raised $85M to date.
In other company news, Cisco was rumored to be acquiring Splunk for not much more than Splunk is worth today and talks reportedly broke down. This would be a major move in security by Cisco and underscores the pressure in the market to consolidate. Cisco would get an extremely strong customer base and through efficiencies could improve Splunk’s profitability. But it seems like the premium Cisco was willing to pay was not enough to entice the board to act. Probably at least a few billion dollars shy of what it will take to get a deal done. We’ll discuss this later in the post.
Datadog blew away earnings again and the stock was up 12%. It’s pulled back now thanks to Putin but it’s one of those companies disrupting Splunk. Datadog is less than half the size of Splunk revenue-wise but it’s valuation is more than two and a half times greater.
Finally Elastic, another Splunk disruptor, settled its trademark dispute with AWS and there will be only one Elasticsearch in the marketplace now, removing confusion for customers and stress for Elastic.
Recent Market Pullbacks Don’t Diminish Cyber’s Long Term Performance
Let’s take a high level look at how Cyber companies have performed in the stock market over the past five years. The graph below shows the performance of the CIBR ETF. Note the March 2020 crosshairs signifying the start of the lockdown.
The trajectory of cybersecurity stocks as shown by the orange and blue lines surely steepened post Mach of 2020. And it’s been down with the market lately but the run up as, you can see, was substantial; and eclipsed the trajectory of the previous years. Owing much of the momentum to the spending dynamics we talked about at the open.
Comparing the Pandemic Performance of SPLK, PANW, FTNT, OKTA, CRWD & ZS
The chart below shows data from six top companies we’ve been following closely in the space since before the pandemic. The top two rows show the benchmark S&P 500 and Nasdaq prices. The bottom rows list the specific stocks.
The remaining columns track: 1) The index price or market cap of the company just before the pandemic; 2) The same data one year later; 3) The peak value during the pandemic; 4) The current value; 5) Percentage change since pandemic peak; 6) The change from pre-pandemic prices in February 2020; 7) The pre-pandemic revenue multiple (using a trailing twelve month revenue metric); 8) The revenue multiple in August 2020, when multiples were really high; 9) Today’s TTM revenue multiple; and 10) Near term growth rates based on recent quarterly guidance from managements.
Lots of data but what does it tell us? First the S&P and the Nasdaq are well up from pre-pandemic levels. And they’re off today roughly 9% and 15% respectively from their peaks during the pandemic.
Now let’s look at the companies by comparison. Splunk has been struggling. It definitely had a tailwind from the pandemic as all boats seemed to rise but its execution has been lacking and it’s now 30% off from pre-pandemic levels. And its multiple is compressing so perhaps Cisco thought it could pick the company up for a discount.
Turning to Palo Alto Networks. We had reported on some of the challenges the company faced moving to a cloud-friendly model pre-pandemic and we said at the time we fully expected the company to rebound and that’s exactly what happened. It rode the tailwinds of the last two years, is up over 100% from its pre-Covid levels and its revenue multiple is expanding thanks to its healthy growth rates and strong execution.
Fortinet had been doing well coming into the pandemic– in fact we had said it was executing on a cloud strategy better than Palo Alto Networks at the time. So it didn’t get as much pandemic momentum at first. But the company has been rewarded for executing well. And as you can see, with a 155% increase in valuation since just before the pandemic it’s going more than okay for Fortinet investors.
Okta is a name that we’ve followed closely. The identity access management specialist rocketed post pandemic but since its Auth0 acquisition the stock has pulled back. Investors are concerned about its guidance and profitability and several analysts have downgraded their price targets on Okta. Investors are also concerned with the tough comparisons year over year and the effects of the Auth0 ingestion.
We still really like the company. The Auth0 acquisition gives it a strong developer vector to complement Okta’s enterprise focus. We think the company is going hard after market presence and is willing to sacrifice short term profitability. We actually like that posture. It’s very Frank Slootman-like. The question is does Okta have inherent profitability. Meaning could the company, if it so chose to do so, dial down its spending and show a healthy profit?
We think yes. Okta is sticky. The company has a strong net revenue retention rate of around 120%. The company spends a lot on R&D – well over 30% of its revenue – and a whopping 55%+ on go to market. It’s guiding revenue CAGR in the mid 30’s over the mid to long term and near term should beat that benchmark handily.
But you can see the red highlights on Okta and even though Okta is up 59% from its pre-pandemic levels it’s far behind its peers shown on this chart. Especially Crowdstrike and Zscaler, which has outperformed all its peers in this chart. The latter being somewhat less impacted by the pullback in stocks as fears of inflation, interest rates and a Russian invasion escalate. But these high fliers were bound to pull back. The question is can they maintain their category leadership. For the most part we think they can.
Yes the Security Market Get More Crowded
Below is one of our favorite XY view charts with Net Score or spending momentum on the Y axis and Market Share or pervasiveness in the data on the horizontal axis. The red line at 40% indicates highly elevated spending levels and the chart insert shows how the data is plotted by each company.
While the graph above is an eye chart, this shows only the companies ETR captures in its survey with more than 50 mentions. And there are many more out there which don’t get reported in the ETR spending data. So the first takeaway is this crowded market and with the private funding of startups it’s only getting more crowded. The second point to note is there are a lot of companies above the 40% mark and plenty with respectable Net Scores just below. Third, check out SentinelOne, Elastic, Tanium, Datadog, Netskope and Darktrace. Each has under 100 N’s but they’re increasingly prominent in the survey and deserve attention. Especially SentinelOne post IPO.
Zooming Out…the Market is Still Really Crowded
The chart below shows the same XY view but filters the data on companies with more than 100 mentions in the survey.
The chart gets a bit cleaner but still pretty crowded. Auth0 leads everyone in Net Score. Okta is also up there so that’s a very positive sign for the acquisition, despite its high price tag. Crowdstrike, SailPoint, CyberArk, Cloudflare and Zscaler all are right up there as well.
Then the bigger companies come into focus. Palo Alto Networks is very impressive because it’s well above the 40% mark and it has a large presence. Microsoft is just ubiquitous.
The position of Cisco and Splunk make an interesting combination. Both have respectable Net Scores and presence in the data. Al Shugart, was the CEO and founder of Seagate and a brilliant Silicon Valley icon. Asked if he’d consider buying a specific company he said:
If you want to know if I’m thinking about buying a company, ask yourself if it were free would I take it? The answer isn’t always yes because acquisitions can be messy. -Al Shugart
In the case of Cisco and Splunk we think the answer would be a definitive yes. It would expand Cisco’s portfolio and make it the leader in security with an opportunity to bring greater operating leverage to Splunk. Cisco just has to pay more if it wants the asset.
We asked our ETR colleague Erik Bradley what he thought and he weighed in with this comment:
Splunk isn’t growing the customer base but it’s sticky. Cisco could roll Splunk into its security suite and expand its portfolio. Splunk is a leader in the SIEM space (Security Information and Event Management) and Cisco really is missing that piece. Yes it makes sense at a discount. -Erik Bradley
Eight Cyber Firms on the Move
Now we filter the data even more and look at some of the companies that have moved in the survey over the past year and a half. First we’ll go back to July 2020. The chart below shows the same two dimensional picture isolating Auth0, Okta, SailPoint, CrowdStrike, Zscaler, CyberArk, Fortinet and Cisco.
Why are we highlighting these firms? Because they’ve made some major moves to the right and some even up in since last July and that’s what we show next.
Expanded Survey Presence for Auth0, Okta, SailPoint, CrowdStrike, Zscaler, CyberArk, Fortinet and Cisco
Below is the data from the January 2022 survey. The arrow start points show the positions in July 2020 (from the previous chart). All these players have made major moves to the right. Why? Well it’s likely a combination of strong execution and the fact that security is on the radar of every CEO, CIO, CISO of course, business head, boards of director…everyone. The market momentum, especially for the leaders, is tremendous.
Auth0 has improved on its already high Net Score since the acquisition. Okta for its part is expanding its presence in the data set with solid spending momentum. With Auth0 that only improves. SailPoint is holding Net Score high while expanding its presence as is Zscaler. CrowdStrike making moves up and to the right and Fortinet is expanding while maintaining momentum. Cisco as well continues to be a trusted security player. It’s notable decrease in momentum could, over time, be buoyed by an acquisition of Splunk.
Four Star Security Firms in Q1 2022 – Microsoft, Palo Alto Networks, CrowdStrike & Okta
Let’s take a look at what’s become a bit of a tradition in Breaking Analysis and look at the firms that have earned four stars.
Four star firms are leaders in the ETR survey data that demonstrate both a large presence and elevated spending momentum. In this chart above we filter the firms (N>100) to isolate those companies with more than 100 responses. On the left hand side we sort by Net Score or spending velocity and on the right hand side we sort by Shared N’s. We show the top 20 for each and the red line shows the top ten cutoff points.
Companies that show up in the top 10 for both spending momentum and presence in the data set earn 4 stars. If they show up in one and make the top 20 in another they get two stars and we’ve added 1 star as an honorable mention for those companies making the top 20 in both.
Microsoft, Palo Alto Networks, CrowdStrike and Okta make the 4 star grade. Okta makes it even without Auth0, which has the #1 Net Score in this data set and 115 Shared N. So you can add that to Okta. The weighted average would pull Okta’s Net Score to just above CyberArk to take 4th place and its Shared N would bump Okta up to 3rd on the list.
Cisco, Splunk, Proofpoint KnowB4, Zscaler and CyberArk get two stars and you can see the honorable mentions with one star.
Now thinking about a Cisco Splunk combo you’d get an entity with a Net Score in the mid 20’s – not too bad – and they’d be #1 on the right hand side of this chart with the largest market presence in the survey, by far.
Expectations for 2022 in Cyber
The trends around hybrid work, cloud migration and the attacker escalation continue to drive cyber security momentum and will do so indefinitely.
You’re seeing private companies getting gobs of money which really speaks to the fact that there’s no silver bullet in this market. It’s complex, chaotic and cash rich.
This idea of MSSPs on the rise will continue. About half the mid-size and large organizations in the U.S. don’t have a security operations center and outsourcing to one that can be tapped on a consumption basis – as a service – just makes sense.
We see the momentum companies that we’ve highlighted over the many quarters of Breaking Analysis episodes as forming a strong base in the market. Going for share and footprint and focusing on growth. They have good balance sheets and strong management teams and we think they’ll be the leading companies in the future. Zscaler, Crowdstrike, Okta, SentinelOne, CyberArk, SailPoint – over time joining the ranks of $1B cyber firms likes of Palo Alto Networks, Fortinet and Splunk if it doesn’t get acquired.
Which underscores the pressure for consolidation and M&A in the space. That is almost assured with the fragmentation of companies and so many well-funded new entrants fighting for escape velocity.
Keep in Touch
Thanks to Stephanie Chan who researched several topics for this episode; and Alex Myerson on production. Alex handles the podcasts and media worklflows. And special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out.
Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.
Email david.vellante@siliconangle.com | DM @dvellante on Twitter | Comment on our LinkedIn posts.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail.
Watch the full video analysis:
Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.
All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.