Summary
- We evaluate the cybersecurity industry and its market leaders such as PANW, FTNT, ZS, NET, S, and CRWD, by considering the private market dynamics.
- We discuss VCs and startups, PEs and legacy software names, and public cybersecurity giants and their M&A opportunities.
- We discuss the dynamics driving the size of the cybersecurity market, and in particular, how PANW and FTNT intend to capitalise.
- We offer a high-level, qualitative way to evaluate cybersecurity vendors, conduct a valuation exercise for PANW, and navigate through the main broad areas of cybersecurity.
Intro
This article takes a high-level view of cybersecurity, mainly focusing on Palo Alto Networks and its leading technologies within cybersecurity. We also discuss SentinelOne, CrowdStrike, Fortinet, Cloudflare, Zscaler, and Check Point Software at various points. We opted to analyse the cybersecurity landscape by incorporating the dynamics of the private markets. This is important because the cybersecurity industry is a fertile breeding ground for innovative startups, and those that deploy the right mixture of PMF (Product Market Fit) and GTM (Go to Market) focus are fast becoming serious rivals to these larger public companies. Additionally, software-focused PEs continue to acquire second tier cybersecurity vendors, which we think will be beneficial to leading names over the long run.
Public Stock Overview
- PANW has the highest revenue base within the standalone public cybersecurity companies. We have a strong belief in PANW's products, vision, and execution. However, it is barely breakeven in profitability terms, which is something the market is discounting. Furthermore, because of its expansive product lines that include legacy and cutting-edge products combined together, it is time-consuming for a generalist investor to appreciate and properly price PANW's potential. As a result, even though it has high growth rates, the market gives it a valuation similar to MSFT's.
- FTNT is another one of our long-term bullish ideas in the cybersecurity space. Similar to PANW, FTNT's portfolio complexity makes it a natural discount to many other standalone names like ZS or CRWD. However, FTNT has greater emphasis on profitability, which naturally makes it a less volatile, but higher valued, stock versus PANW in the current climate.
- S experienced a heavy discount after the IPO lockup expiry and growing concerns of CRWD and MSFT killing this emerging cybersecurity star. We believe S has great technology and overall it has the upper hand over the strongest competitors, including CRWD and MSFT. Another source of the relative valuation discount is SentinelOne's deep negative profit margins. We believe this shouldn't be overly concerning due to the company's strong unit economics that will translate to healthy profitability once the company has reached a certain scale.
- CRWD to us is the second best choice to invest in endpoint security. It still has tons of room to grow and increase profitability due to its expansive EDR platform and continued founder control. However, as its revenue base grows and it is losing the leadership in the cutting-edge technology architecture compared to S, we see CRWD as a lower risk, lower reward bet versus S. That being said, CRWD should continue to be an attractive name for investors to hold with great risk-reward, especially during times of sharp discounts.
- CHKP has been left for dead, generating mid to low single-digit growth for a few years now. IBs speculated CHKP would resurge in its growth. We don't think so after conducting quite lengthy governance research.
- ZS has tons of momentum set to continue, catalysed by products such as ZIA, ZPA and ZDX, and a formidable S&M prowess. However, we expect tougher comps in the future, and the space is crowded with competitors that have better architecture and products due to last-mover advantages.
- NET is a great company, with great products, culture, founder, and execution. We would say fairly priced, however.
- Previously, OKTA used to have the same investor appreciation as NET, but unfortunately it was priced to perfection, allowing zero room for execution error. It has had major troubles with its Auth0 integration and ensuring sales execution. We agree with IBs that OKTA's discount is becoming a great opportunity, but less so in terms of timing. At present, there seems to be too much optimism at an early stage without material evidence of fundamental improvements.
- SNOW will benefit tremendously as cybersecurity is becoming a data problem. Priced to perfection, not very attractive for now.
- PLTR is a contrarian/peripheral cybersecurity player. Data is the future and PLTR has tons of room to grow as it helps enterprises securely manage their data fabric and build applications. Unfortunately, it has been overkilled by the market due to concerns over SBC and about its ability to scale.
Landscape Observations
In recent years, cybersecurity is the only subsector that has become increasingly nondiscretionary within the broader discretionary tech sector. And this is because the industry dynamics are so unique. Expanding digital sprawl makes it increasingly difficult for enterprises to defend their data and systems. Cybercriminals exploit the resulting new attack vectors to extort financial gain, with far better reward-to-risk than even cocaine trafficking in the 1990s. The most skilled bad actors can extort millions of dollars for almost negligible risk.
Enterprise vulnerability plus extreme reward-to-risk for cybercrime means that there will always be the demand for new security solutions. There are thousands of cybersecurity vendors - a few are tech giants, many are legacy names, and 100s to 1000s are startups - vying to provide these new solutions to deliver more comprehensive security for their customers. The major issue, however, is that more point solutions actually weaken the overarching defense posture. Ironically, more security means less defense.
This dichotomy perpetuates the CISO (Chief Information Security Officer) debate that has been ongoing for decades now. Should enterprises choose BoB (best of breed) point solutions or consolidate their number of vendors by choosing to depend on a single broad-based vendor? BoB is the best option to defend against a particular threat, but adding a new vendor, console, and UI weakens the enterprise's overall posture.
Source: Gartner
Some CISOs are choosing BoB while others are choosing consolidation. This is why the cybersecurity industry will remain buoyant for many years to come, and it's why we've personally had such a great time analysing private and public names in recent months.
From an investment perspective - I guess like any other tech sector - there are 1) the VCs investing in the startups, 2) software-focused PE firms acquiring companies that have an established name but have experienced a permanent slowdown in growth, and 3) the hugely successful public names that are dominating their markets and making occasional bolt-on acquisitions of BoB startups. We'll briefly discuss each of these areas next.
Startups & VCs
Our view for about one year now, is that the general SaaS market (including cybersecurity) has become so fragmented, with enterprises managing 100s of apps, that the next wave of value surely needs to come from consolidation rather than more fragmentation. There are some startups that clearly acknowledge the fragmentation. They have hence developed an expansive platform of integrated solutions from the outset, rather than focusing on being the best at a single solution and providing an API to be interoperable with other BoB solutions.
Names that have been coined for such startups include compound and platform startups. To begin with a platform mindset, it appears that such startups need to have a graph-like focus, with the centre being what the whole business is committed to. For Meta that graph is a social one, for Salesforce it is a customer one. Rippling is a good startup example here. They compete against the likes of Workday by having the employee as the central focal point of their business, and thus they provide any feature, solution, and use case that helps enterprises better manage employee-related aspects.
Wiz is probably the best example of a cybersecurity platform or compound startup. It was only founded in February 2020, and has already surpassed $100m in ARR. And the reason for their success is the entire PMF (Product Market Fit) and GTM was designed from the outset to serve the most pressing compliance needs of enterprises migrating to the cloud or expanding their footprint in the cloud.
Along with Wiz, we would say the likes of Netskope, Illumio, and Orca Security are other platform/compound security startups. Cybersecurity investors interested in IPOs, should keep these types of startups in mind, because when the business cycle turns these names may go for their IPO. They are also important to monitor if you are a Palo Alto Networks, Cloudflare, or Fortinet investor, because such compound startups have the ability to eat away at their market share.
Recently, there has been somewhat of a funding squeeze, which is likely to benefit these platform startups. In the past few years, we've seen a sharp rise in the number of startups, though compared to 2021, this larger group is now competing for a smaller pool of capital. The following chart indicates VC activity is still historically high, but the dealmaking drawdown in 2022 will favour the platform/compound names over the niche startup players.
The venture funding scene looks slightly better when narrowed down to cybersecurity, however. This research by MomentumCyber was part of their 3Q22 cybersecurity review. If you extrapolate the deal value related to financing/VC activity, and do the same for the deal count, you can see that, while cybersecurity funding remains healthy, per startup there are fewer funds apparently available. On the M&A/PE side, the opposite appears to be the case, as we'll show later.
On the whole, we consider the current startup/VC landscape rather favourable for PANW, NET, and FTNT for two reasons. Firstly, if startups are competing for fewer funds, then the industry will endure a degree of consolidation. Secondly, if startup valuations remain on the low side, then these cybersecurity giants can snap up attractive bargains when they need to indulge in some M&A.
Legacy & PE
To evaluate the cybersecurity landscape and its long-term impact on public investors, it is also useful to consider the PE activity in the industry. In 2021, STG acquired McAfee's enterprise division. They turned the network security-related assets into Skyhigh Security, which is an SSE (Secure Service Edge) player, competing against the likes of ZS, Netskope, PANW, and NET. Then, STG acquired FireEye and combined it with the remainder of McAfee's enterprise assets to create Trellix, which is marketed as an XDR vendor. STG has also acquired RSA for identity access management.
Similarly, Thoma Bravo has been acquiring legacy names in the identity space (as well as email security, e.g., Proofpoint), though it is currently unknown as to whether the strategic objective is to combine SailPoint, Ping Identity, and ForgeRock into one identity giant.
Over the long-term, this level of PE activity in cybersecurity is good news for public market leaders like PANW, FTNT, S, NET, and CRWD. Private Equity is mainly focused on operating leverage rather than innovation, meaning that the likes of Skyhigh and Trellix will likely be good enough for many enterprises but are not going to become market leaders and pioneer cutting-edge technologies. Given the rising cyberattacks, the increase in cybercriminal sophistication, and the growing enterprise complexity, customers are more likely to choose the leaders rather than second tier players.
Over the shorter-term, the above table highlights the attractive valuations of some public names. In particular, if we consider the multiples paid by Thoma Bravo during 2022, well into the market drawdown, it makes PANW, FTNT, and JAMF look like bargains. Although the attractiveness isn't as obvious, we also consider OKTA to be of great value right now.
It is clear that PEs as asset owners are willing to pay hefty premiums for legacy identity names. If you think about Warren Buffett's mantra - "I am going to buy a stock only if I can sleep nicely knowing the stock exchange will be closed for three years", then considering the relative quality of OKTA's technology and its number of customers, OKTA is a substantially better long-term bet. Thoma Bravo has bought legacy names for higher EV/S than OKTA but with lower expected growth, and in the case of ForgeRock, the EBIT margin is not that different either.
The following chart from Momentum Cyber's 3Q22 review, shows the median EV/Sales multiple across all M&A deals in the cybersecurity industry. Assuming the majority of buyers in these M&A deals are PE firms and the targets are legacy, or second tier names, then comparing PANW's EV/LTM Sales to the industry median highlights the valuation drawdown between legacy and first tier players.
Source: MomentumCyber
Further PE activity in the cybersecurity industry will likely create a clearer divide between first and second tier players. For instance, ForgeRock is probably considered to be positioned at the lower rungs of the first tier, but it's likely in due course they will become a second tier player once Thoma Bravo has optimised operations and depleted R&D resources. There are/will be many more examples like this, which over time, will establish a clear divide between second tier and first tier players like PANW, FTNT, NET, ZS, S, and CRWD.
And it's likely it will continue. Indeed, as shown in the next two charts, during 2022 PE sentiment has declined leading to a drop in fundraising. However, the subsequent chart indicates the amount of funds ready to be invested (the dry powder pool) is still near all-time highs.
$700bn of the $1.24tn global PE pot is located in the U.S. And 63% of the global PE capital has been raised since 2020. Typically, LPs commit capital for about 10 years, and typically PE firms hold portfolio companies for 5-7 years. So, by working backwards it's clear that a sizeable portion of the dry powder pool ought to be invested in 2023 and immediately thereafter. Given cybersecurity is one of the ripest subsectors for consolidation, we expect to see a significant continuation of PE activity. Again, this is really good news for long-term PANW, FTNT, NET, S, ZS, and CRWD investors.
Public Tech Giants M&A
The third area of the cybersecurity investment landscape is the public market leaders acquiring BoB startups. We think the VC and PE dynamics will actually give the public names more of the right opportunities. The higher rate environment is forcing VCs to be more selective, which combined with the SaaS fragmentation, means fewer startups are going to thrive. This is good for PANW versus its competition, but also over time it may help their selection due diligence and help them land better deals.
On the PE side, if PE firms are buying legacy names or borderline first-tier players, then, in turn, those are less likely to buy BoB startups. So, again the likes of PANW should have less M&A competition for BoB over time. And this is crucially important for cybersecurity names like PANW and CRWD because they now must rely on M&A in order to successfully adapt to the ever-changing landscape. PANW, in particular, has a very successful recipe for integrating its acquisitions, though, perhaps the prices paid have historically been at too high of a premium. If going forward the aforementioned dynamics can help them land better deals, it will be great for future shareholder value creation.
Cybersecurity TAM
Estimates for the current cybersecurity TAM range from $150bn to $200bn. About half of this TAM is for software/hardware and the other half is for services. The fragmentation means even the largest cybersecurity players, like PANW and FTNT, have low single-digit market shares. What is extra appetizing for investors is that the major cybersecurity software players are not just going after their core software TAM (c. $70bn to $100bn), they are also targeting the services TAM by developing automation technologies that replace much of services work.
PANW's CEO, Nikesh Arora, has long had a specific objective of radically reducing the unmanageable number of alerts that in-house SOCs (Security Operation Centres) and MSSPs/IRs (Managed Security Service Providers / Incident Responders) need to respond to manually. And doing so would be for the greater good of the entire industry, because the majority of the innumerable daily breaches occur because an alert was missed by someone.
Here, we whet investors' appetite some more by sharing analysis by McKinsey below. The management consultancy believes the mature-stage TAM of cybersecurity is 10x from what it is today. This may seem overly optimistic to some; however, it does corroborate with data we shared in a previous SA article. In that article we discussed Cybersecurity Ventures' estimate of $6tn in annual damage caused by cybercrime, and yet according to IDC and Canalys, the amount spent on cybersecurity software each year is only $60bn to $100bn.
Source: McKinsey
The rise of ransomware and BEC (Business Email Compromise) is leading to huge financial and reputational suffering for many enterprises. As a result, cybersecurity has recently become a board-level topic, thus receiving the attention and funding it deserves at most enterprises. This should gradually close this colossal chasm between what is being currently spent on defenses and the damage these cybercriminals cause.
With respect to PANW and FTNT, how can they best capitalise on this very large and still-growing double-digit industry? We think that PANW needs to perhaps focus more on developing an open ecosystem around itself and be even more interoperable - to embrace the industry fragmentation rather than fight it. In regards to FTNT, as it gets larger perhaps it needs to focus more on M&A and less on building everything from scratch in-house. This is a great trait, but to continue being adaptable this trait alone will not help them maintain their leadership. In fact, because of the company's focus on in-house over M&A, it has missed substantial market opportunity on the cloud side of things.
Vendor Evaluation
There are numerous ways in which to slice and dice the cybersecurity threat landscape and map this to the vendors most likely to succeed. For us, a quick way to assess the value that a vendor can bring to enterprises, is to consider these two high-level threat capabilities:
- Can they prevent the bad guys from infiltrating (e.g., next-gen firewalls, SWG, NGAV, email security, shift-left security, vulnerability management, misconfiguration management, attack surface management, OT/IoT security, and Zero Trust/least privileged tech like CIEM, etc.)?
- By how much and how quickly can they limit the blast radius when bad guys do eventually infiltrate (e.g., runtime protection for workloads running on bare metal, VMs, containers, or serverless; all of the shift-right aspects such as EDR/XDR, ITDR, microsegmentation, etc.)?
If vendors have a large scope across both of these areas, which we will abbreviate to prevent and react, then they should do well in their efforts to consolidate the market in the next few years. In the following table, we share our views on how the most prominent established (public) and emerging (private) vendors score against these two areas. Please note that this scoring is completely arbitrary and based only on our opinion after having researched these companies for the past 2-3 years.
Source: Convequity
It is probably no surprise to readers that we believe PANW is the standout player when considering both prevent and react. This is because they have cutting-edge prevention capabilities (either developed in-house or acquired) while also having a formidable security operations capability (which includes EDR/XDR). Readers may note another observation is that the players that originated in network security (PANW, FTNT, NET, ZS, CHKP) score relatively higher on the prevention side and the players originating from endpoint security (CRWD, S) score relatively high on the reaction side. Then, the next-gen pure cloud names (Wiz, Orca, Lacework, Aqua) have a balanced mixture of both prevention and reaction.
While the above scoring is not scientific, perhaps it helps investors quickly evaluate the players most likely to succeed and generate incremental shareholder value in the coming years. Additionally, the rate of change is very important in any type of long-term vendor evaluation. For instance, NET has been frequently adding new solutions to both of these cybersecurity dimensions. S has also.
Another consideration for investors is that of security convergence. Security has been merging more and more with networking, software development, data engineering, identity, and productivity, to name a few. So, the vendors that do an excellent job at helping enterprises bridge security with these areas have a great opportunity to evolve and deliver shareholder value.
For instance, the hybrid and distributed enterprise not only needs high-quality security, it also needs low latency networking - so network security vendors with capabilities in SD-WAN (e.g., PANW and FTNT) should continue to be in high demand. In software development we're seeing DevOps players like GTLB and HCP expand more into security while security vendors expand out into securing DevOps. Similarly, in the data space, SNOW is pivoting toward cybersecurity, but security names like S and PANW have created their own data lake/warehouse specialised for cybersecurity. OKTA and JAMF are two more examples of vendors that are generating value by bridging security with other areas, that is identity and productivity.
So, we think there is significant long-term alpha that investors can capture if they consider which vendors are effectively riding these security convergence trends.
Valuation Exercise for PANW
Here we update a valuation exercise we've previously shared with SA readers. We compare PANW's revenue and FCF multiples to that of an aggregate weighted revenue and FCF multiple of Check Point Software (CHKP), Zscaler (ZS), and CrowdStrike (CRWD). Comparing PANW to these three names is a great match. The majority of CHKP's business is composed of on-prem network security, the majority of ZS' business is composed of SASE (off-prem network security), and the majority of CrowdStrike's business is composed of endpoint and cloud security. PANW's business is largely made up of all these areas, which makes for a good comparison. Additionally, the revenue level and the FCF level of PANW is similar to the CHKP, ZS, and CRWD combined.
We'll begin by comparing the market caps.
Source: Convequity
The following table compares the revenue weighted TTM P/S divided by NTM growth estimate for CHKP, ZS, and CRWD, to that of PANW's. On a forward revenue basis, PANW is currently trading at half of the weighted three peer group (0.40 vs 0.83).
Source: Convequity
We conduct the same approach for the forward P/FCF multiple. The P/FCF divided by NTM growth estimate for the weighted group is 2.26, while for PANW it is 0.94. So, again, on a forward FCF basis PANW is trading at half that of the weighted three peer group.
As mentioned earlier, we believe PANW's relative discount is a result of its scope and firewall heritage. Some investors may discard the company due to the complexity of understanding its technological and market leadership across the main areas of cybersecurity. Later in the article, we'll break down the industry into network security, security operations, and cloud security, and attempt to articulate why PANW and others are growing stronger in these areas.
Cutting-edge vs Commoditised Solutions
It's important to consider vendor potential scope in order to evaluate their ability to consolidate the market. It is also important to consider where vendors are positioned within the cutting-edge versus commoditised areas of cybersecurity. In the same McKinsey research piece, we found the following chart that depicts the growth rate of patents within certain areas of security. We think it's useful as an aid to assess where the innovative spaces are likely to emerge in the next few years.
FTNT investors will be pleased to learn that they are becoming a leader in the emerging OT (Operational Technology) space. As verticals, such as manufacturing, that have been slow to modernize, begin to digitally transform, it is causing various security issues. Most issues are caused by dated appliances connecting online while running nonstandard operating systems, which don't integrate very well with endpoint security solutions. Therefore, new technologies are required to secure OT in factories, hospitals, and airports, for example. FTNT's software-defined technologies combined with its compact and affordable all-in-box (basically including every networking and security function needed), position it well to compete in the growing OT space.
Source: McKinsey
Caveat: while this chart is useful, it doesn't necessarily mean these areas of high patent growth will result in a future high TAM or high growth for associated businesses. There is a large portion of patents that become unmonetizable and there is considerable patent flushing that occurs in the industry. Nonetheless, the McKinsey chart does indicate the current focus of innovation.
The chart also shows that security operations is an area of security experiencing high patent growth. This resonates with our own research as we've found that shift-right activities are becoming increasingly critical to thwart cybercriminals from succeeding. PANW, S, and CRWD are all leaders in the SecOps space, but it seems as though PANW and S have relatively more room to innovate.
For SecOps to evolve it certainly requires innovation at the backend. The backend is where the SIEM and other log management systems reside. Many of these are dated and legacy-fied, and hence don't provide speedy ingestion or retrieval of data, which is becoming more and more crucial to combat skilled adversaries. All three players have tackled this backend data problem by acquiring cutting-edge technologies (PANW acquired Demisto, S acquired Scalyr, and CRWD acquired Humio), but PANW and S appear to have added more value to the acquisitions. For instance, PANW has transitioned Demisto into XSIAM which is an AI/ML-based automation workflow platform - it's kind of like a next-gen SOAR and next-gen data lake combined. And S has launched products like XDR Ingest and Skylight that closely integrate with Scalyr (rebranded as DataSet) to give SecOps analysts (in-house SOC or MSSPs) a programmable platform for creating highly customised detection and automation rules at massive scale. The backend innovations from both PANW and S are revolutionising SecOps for SOCs and MSSPs, and considering that services compose roughly half of the $170bn to $200bn industry, these companies have a huge runway of growth.
Cloud security is another innovative space as indicated by the growth in patents. PANW's Prisma Cloud is the most comprehensive CNAPP (Cloud-Native Application Protection Platform), but they have fierce competition from the next-gen startups such as the ones listed earlier. Endpoint names like CRWD and S are also expanding within the cloud security space - we think S, in particular, has a great opportunity to compete well in the CWP (Cloud Workload Protection) space.
It's also interesting to see that network security is experiencing ongoing innovation. Cloud security certainly takes the limelight at present, though network security is still the glue that holds an organisation's defense posture together. Gartner coined the SASE term to describe the need for the convergence of networking and security functionality for distributed enterprises - something that became urgently needed in response to the ramifications of the pandemic. Subsequently, it was narrowed down to SSE, which includes SWG, CASB, and ZTNA, which, respectively, provide protection as users connect to the internet, protection as users interact with SaaS apps, and protection as users access private data centre applications. Somewhat aligned with Gartner's Magic Quadrant for SSE, we view PANW, FTNT, ZS, NET, and Netskope as the leaders in network security.
Lastly, we're not surprised to see IAM (Identity Access Management) is experiencing a relatively lower patent growth, because it has become somewhat of a commoditised area. SSO and MFA are mature technologies, and while passwordless technology is cutting-edge, it is a niche solution that many vendors are already incorporating. However, we are surprised that adjacent identity areas like CIAM, IGA, PAM, and ITDR are not represented on the chart. CIAM is a completely blue ocean market led by OKTA, and IGA and PAM are legacy identity tools that OKTA is working on revolutionising into their cloud-native way.
ITDR (Identity Threat Detection & Response) is a niche but very important area for enterprises concerned about credential-based attacks. As security defenses have become really effective at stopping malware and unauthorised movements, bad actors are increasingly turning their attention toward looking like legitimate users. Thus, attacks involving credential theft and compromise have become all the more common. S and CRWD have both entered the ITDR space with recent acquisitions of Attivo and Preempt. And we believe this is one of the most important and innovative spaces of cybersecurity that has the potential to grow into a billion-dollar TAM.
To summarise, across network, cloud, security operations, and identity, we've attempted to highlight both the mature and nascent areas. Typically, the nascent, high-growth areas have replaced the mature technologies in an evolutionary manner, or have simply sprouted as a blue ocean type of market. We would say PANW is top-2 in network security (along with FTNT), #1 in cloud security (with close competition from Wiz and Orca), and top-3 in security operations (along with CRWD and S). And in regards to identity, PANW mainly interoperates rather than having any standalone solutions.
Source: Convequity
In the next sections we'll briefly discuss some things investors should be aware of in regards to network security, cloud security, and security operations. In our opinion, breaking the industry down into these three areas helps to get a clearer understanding.
Network Security
Expedited by the pandemic and the ensuing urgency for digital transformations, network security has fragmented into a few different directions. SASE and then SSE has received increasing demand as a way to securely connect remote employees with disparate IT resources. SD-WAN has emerged to reduce latencies and costs associated with connecting globally distributed enterprises. OT and IoT security have gained attention for helping the unmodernised verticals securely modernise. And virtual, or VM-based, firewalls have become extremely useful in cloud operations, whereby they can be deployed on commodity hardware to secure inbound connections, as well as connections between clouds.
The common denominator across these different form factors of networking and security is the firewall. The firewall is still hugely important, which is contrary to popular belief. The purpose of the firewall is to allow/deny network connections and then to secure those connections. And this is not a cutting-edge technology, but it requires ability on behalf of the vendor to transfer these firewall capabilities into the different form factors. This is why not all firewall vendors have successfully pivoted to SASE, or more specifically, FWaaS.
So, the innovation from these firewall vendors comes from them being able to collectively:
- Deliver the firewall in on-prem deployed hardware - and this form factor usually gives the highest throughput and lowest latency between office branches and data centres.
- Deliver the firewall as a virtual software form factor in the clouds - the majority of traffic has now become intra and inter cloud, where SASE and hardware are of little use.
- Deliver the firewall via SASE - heavy use of the Internet so higher latency occurs, so SD-WAN is needed to optimise the balance between fastest routes and costs. The major benefits of SASE are the removal of tedious and costly hardware/software management and securely connecting remote users.
- Interoperate with, or even integrate home-grown SD-WAN - firewalls operate at Layer 3 of the OSI reference model, so it's no surprise that they have found it relatively easy to interoperate with SD-WAN vendors. FTNT made a major step further by integrating home-grown SD-WAN into its FortiGate NGFW box.
The next diagram separates network security into the four areas we've just mentioned, and we've listed who we believe are the market leaders in descending order. From the earnings calls we listen to, it seems as though PANW, ZS, NET and Netskope are the SASE market leaders, as these names are mentioned most. However, technically we think FTNT is the best at delivering SASE. This is because they have packed all the security and networking, including home-grown SD-WAN, into one single box, which has not been done by any other vendor. And if, according to Gartner's definition, converged networking and security is one of the hallmarks of SASE, then FTNT can deliver SASE anywhere it can install a box: off-prem, on-prem, home office, etc. Thus, we have believed for a long time that FTNT is the most accommodative SASE vendor.
Convequity
As highlighted, a major innovation of network security has been adapting the firewall to the different form factors required as enterprises undergo digital transformation - SASE, cloud VM, on-prem, and OT. Other recent innovations in network security worth a more detailed mention include microsegmentation and ASM (Attack Surface Management).
To do microsegmentation, whereby, in a few clicks, you can segment a network into subnets, user groups, and applications, etc. to make it difficult for bad actors to move around the network, requires Layer 7 (of the OSI model) knowhow. The NGFWs (next-gen firewalls) of vendors such as PANW and FTNT have long had capabilities to do this level of granular network segmentation. This is certainly one reason for PANW and FTNT's market dominance in the NGFW market.
Newer, pure-play, microsegmentation players like Illumio leverage the host firewalls, built into machine operating systems, to control and secure inbound/outbound connections. Illumio is a Series F startup that has raised a total of $560m, and its last valuation in mid-2021 was $2.75bn. It is a vendor with novel technology that is riding the Zero Trust wave, plus it is very effective at thwarting ransomware. We think this is a company that cybersecurity investors should monitor, because when the economy recovers, they might begin IPO proceedings.
ASM, or even Extended ASM (EASM), is another innovative area of network security. Taking the perspective of a potential attacker, typically this software involves scanning the Internet and corporate network to see if anything belonging to an enterprise is exposed. The open-source search engine, Shodan, and various other tools, enable attackers to scan and detect vulnerable assets and systems. On average, attackers start scanning for vulnerabilities with such tools within 15 minutes of a CVE (Common Vulnerabilities and Exposures) being announced. Additionally, many systems that are dated remain unpatchable, allowing attackers ample time to conduct their reconnaissance. Thus, tools like ASM are becoming necessary to combat these cybercriminal opportunists.
TENB is a strong name in the ASM space, having leveraged and expanded out from their core competencies of vulnerability management. Axonius is a startup attracting a lot of VC attention (Accel, Lightspeed Ventures, Bessemer Ventures), raising a total of $670m through its Series E, that has specialties in ASM/EASM. However, we still think PANW, after having acquired Xpanse in 2020, has the best ASM capability. And this is largely due to the synergy generated by combining Xpanse with its wider network security and security operations portfolios.
Security Operations
To simplify the complexity of security operations, it is useful to break it down into 1) the data management backend, 2) the work that SecOps analysts do, and 3) the endpoint agent.
Convequity
We consider this a huge TAM within cybersecurity. Firstly, the majority of enterprises still have mass signature-based AV deployments, such as Symantec and McAfee. This means there is still a long runway of growth for vendors related to EPP, NGAV and EDR, and even for endpoint security leader CRWD which has reached $2bn in TTM revenue. Secondly, as mentioned earlier, there is a huge innovation space related to automating workflows for SecOps analysts. And thirdly, for those vendors willing to spend big on revamping the data backend, there is significant value they can deliver to enterprises and MSSPs.
Our opinion is that S, followed closely by PANW, have innovated the most comprehensively across the three areas of security operations. S has the autonomous agent that works right out-of-the-box, which has proved to be a determining factor in the MITRE testing rounds in recent years. S has worked hard to provide a programmable PaaS for analysts whereby they can granularly customise and deploy at massive scale. And they have made a bold bet on acquiring and integrating Scalyr (now known as DataSet) to revolutionise the data ingestion, retention, and retrieval process, that provides great value to SOCs/MSSPs. In contrast, CRWD's agent has very limited autonomy, its EDR layer is not very programmable for third-parties (like in-house SOC or MSSP), and they have revamped their backend with the Humio integration, though, in our opinion, Humio is more about cost reduction than it is for speed.
Cloud Security
The major trend in cloud security at present is the race toward CNAPP (Cloud-Native Application Protection Platform). As we showed in the earlier table, vendors making a beeline for CNAPP are attempting to incorporate as many of the individual solutions as possible. And in essence, the major innovation space is seamlessly integrating all of these solutions into a single-pane-of-glass platform.
We've recently done some deep dives into the established and emerging CNAPP players. It is a fertile ground of innovation, and there are few startups that have the technology and GTM to be potential security giants. However, it's probably no surprise by now, that we believe PANW's Prisma Cloud is the most complete CNAPP.
Cloud security started off with solutions such as first-gen CSPMs, that were very detective in nature - it was all about detecting misconfigurations, or noncompliant settings, or something untoward at runtime. Over time, the shift-left philosophy emerged, which is preventative in nature and about building security as early as possible into the software development lifecycle. More recently, there has been a focus on integrating cloud security with more shift-right activities, whereby cloud data is sent to SecOps via SIEM integrations so they can better protect their organisation.
So, cloud security can be described along a shift-left and shift-right dimension. But it can also include an abstraction dimension. This is because security in the cloud can operate at the bare metal level, within VMs, at the container level, or the serverless function level. The next diagram depicts how we view PANW's Prisma Cloud along these two dimensions.
Convequity
According to the research we've done so far, there is no other CNAPP contender that has this scope of cloud security. Indeed, PANW has made many acquisitions to complete their CNAPP, but it has still required skilled integrations and smart empowerment of the acquired founders.
This is a huge TAM and durable growth opportunity for PANW. Typically, the security allocation of an annual IT budget is 5% to 15%. According to Forrester (and many other research firms), cloud spending will reach $1tn in a few years, so if we take the mid-point of 10%, cloud security could be worth $100bn in a few years. PANW is the CNAPP leader with about $1bn revenue (an estimate), so it's clear that the growth opportunity is substantial.
Dave Vellante, of SiliconANGLE, theCube, and Wikibon, was the first to coin the term supercloud, which describes a SaaS vendor that can operate on top of multiple clouds and deliver a unified experience to enterprises and end users. In the process, such superclouds will help organisations simplify operations, speed up the time to market, and reduce costs. We believe that PANW's Prisma Cloud will be one of the first vendors to establish themselves in this category.
Cybersecurity Mesh
A Cybersecurity Mesh Architecture, or CSMA, was actually a term first coined by FTNT to market its Fabric platform, and later on Gartner began to use it to describe a comprehensive and highly interoperable cybersecurity ecosystem. After the initial buzz of SASE in 2019, and FTNT not being appreciated by Gartner for their SASE-like qualities, FTNT began pushing the CSMA terminology in an attempt to show that what they can do is so much more than SASE. The vision of CSMA is to have individual security tools share data and interoperate with one another, with outcomes including fewer blind spots and consistent policy enforcement, thus leading to better security.
Gartner explains the four key components are 1) security analytics & intelligence, 2) identity fabric, 3) consolidated policy and playbook management, and 4) consolidated dashboards.
Gartner
In the CSMA report, Gartner elaborates that enterprises can begin implementing CSMA by 1) checking out the connectivity of their existing tools, 2) evaluating emerging technologies, 3) building some of their own layers, and 4) taking the help of a consolidated security platform. Given the severe shortage in global cybersecurity talent, SecOps teams are most likely to take the quicker and easier route of getting a big head start by deploying something like FTNT or PANW.
Gartner
The issue, however, is that not even FTNT's and PANW's highly comprehensive platforms can cover every single granular use case. Therefore, they need to develop their platforms by thinking of themselves not as the CSMA, but just as the core of the CSMA, and hence make their technology super interoperable with all kinds of third-party solutions.
Fortinet
With the previously mentioned need for vendor consolidation, combined with Gartner's promotion of CSMA, the global talent shortage, and FTNT's and PANW's platform capabilities, we would not be surprised if these security giants became the CSMA core of most enterprises within the next 10 years.
In a head-to-head, FTNT's main advantage in regards to CSMA is that it has built the vast majority of its solutions in-house, and from reading prior Gartner and Forrester reports, it's clear that this has a very positive effect on the ease-of-use of its Fabric platform. One of PANW's main advantages is the investment it has made in its XSIAM (its SOAR plus next-gen SIEM or cybersecurity-focused data lake). As Gartner explains that analytics and intelligence is the foundational pillar of CSMA, XSIAM should give PANW a huge advantage to become that connective data layer for disparate third-party solutions. We expect PANW to eventually come out with their own terminology for describing this mesh architecture, now that FTNT has the marketing head start. And PANW's version will most likely be more inclusive of the cloud-native components, whereas FTNT's CSMA, as can be seen in the above diagram, is heavily tilted toward network security.
Conclusion
The current dynamics of the startup + VC and legacy + PE landscape make for a favourable environment for leading public cybersecurity stocks, such as PANW, FTNT, NET, ZS, S, and CRWD. Fewer VC funds for startups mean that fewer will emerge as future competition. Moreover, the public players will benefit from better M&A deals. And the dry powder pool available in PE is also good news for these public names, as PE firms continue to buy up second tier names and we see a bigger innovation divide.
The TAM of cybersecurity is colossal. Not only do PANW, S, and FTNT have low penetration in the $80bn-$100bn software segment, their SecOps automation efforts are going to disrupt and grab significant share of the $80bn-$100bn services segment.
Finally, a useful way to break down the cybersecurity industry is to separate it into network security, cloud security, and security operations. We would say the fourth is identity but it kind of infuses into the other areas. PANW is the outright leader in the former three areas, with tremendous durable growth outlook, and an attractive valuation of NTM EV/S of 6.7x and NTM EV/EBITDA of 27x.
For further details see:
Cybersecurity Review 2023: Our Top Picks Palo Alto Networks And Fortinet