First Look: Palo Alto Networks
This Monday, we heard reports of a wide scale cyber attack that targeted twelve or more of America’s major airports. This comes just a month after Uber and Take-Two Interactive reported major breaches and Twitter’s former Head of Security testified in front of Congress on the social media site's lax security infrastructure. If it feels like all you’re hearing about in the news is the threat of cyber attacks, it’s because you are.
What you won’t hear on the news is the true reality and scale of the cyber attack industry, because the average attack isn’t a wide scale breach of a public company or a headline-grabbing threat to major infrastructure. The average attack might be a quick in-and-out job on your local insurance office or college or even dentist. These types of attacks aren’t sexy, but they are efficient, and hackers are taking home billions.
With the proliferation of high-end security software, one would assume that this would negate the threat somewhat. Unfortunately, this is far from the truth. Businesses are more exposed than ever: 41% of executives don’t think their security initiatives have kept up with digital transformation; only 50% of SMBs have a cybersecurity plan in place; only 43% of companies feel financially prepared to face a cyber attack in 2022.
This is all set in the background of a heightened-threat environment, with more advanced and well-funded hackers now at the forefront of clandestine technology. Positive Technologies reports that cybercriminals can now penetrate 93%of company networks, while the number of weekly attacks in 2021 grew 50% year-over-year.
The demand for cybersecurity products is obvious and well-represented in the stock market, yet I still believe the scale of adoption is still in its infancy. For that reason, today we are taking a look at one of the stalwarts of the industry: Palo Alto Networks.
The company describes itself as ‘The Zero Trust Network Security Platform that secures a world where any user can work anywhere—without restrictions. Doesn’t sound like the worst line of business to be in right now, does it?
It is one of the market leaders in network security, which demands about 20-25% of security budgets. Its network security architecture is built from software and hardware firewalls. This exciting new architecture is called SASE, or secure access service edge, which has been a growing trend in the industry and is seen as a way of delivering zero-trust networks for cloud-based technologies. A SASE architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data. This approach allows organizations to apply secure access no matter where their users, applications, or devices are located.
It’s growing fast. The number of customers who spent over $1 million on SASE in 2019 was 27; by the end of 2022, this figure had grown to 210. In fact, SASE customers grew 51% in its fiscal 2022, which ended on July 31, 2022, to over 3,500.
But that’s not all Palo Alto does, it’s also a market leader in cloud security. Its Prisma platform secures all processes that run on the cloud, while Cortex, the latest of Palo Alto’s platforms, is geared toward security operations and includes endpoint security and automated security responses. This last one is a relatively recent development and looks to be encroaching on CrowdStrike’s territory in endpoint security, but as it stands it contributes a much smaller piece of overall revenue.
Cash is King
Numbers-wise, we’re in really good shape. The company is growing revenue at 29% year-over-year, taking in $5.5 billion in its fiscal 2022. It just turned a net profit on a GAAP basis, which isn’t much to shout about for a $47 billion company until you realize that it paid out $1 billion in stock-based compensation this year. It has also promised to grow margins, deliver 25% revenue growth, and achieve GAAP profitability for its fiscal 2023.
What’s really enticing about this business, though, is the amount of cash it generates. On an adjusted basis, it had a 31% free-cash-flow margin last year, which comes in at about $1.7 billion. For 2023, this is expected to expand to 34%, which would mean free cash flow of about $2.4 billion.
That’s a piggy bank Scrooge McDuck would be proud of, but what is management doing with all of its cash?
We’ve seen a number of strategic acquisitions over the past few years, in which Palo Alto is bolting on functionality through buying up smaller competitors. This does two things: it provides an opportunity to upsell existing customers with a broader product offering, and it also negates the risk of disruption from more nimble, one-product specialists. The cybersecurity space is a very consolidative industry. This bodes well for a large company like Palo Alto with boatloads of cash flow and allows it to continue to exert its dominance.
Land and Expand
Similar to CrowdStrike, which operates in a separate area of security, Palo Alto benefits from the growing demand from Chief Information Security Officers (CISO) to consolidate their operations. Vendor fatigue is a very real issue within the industry and having to provide training and staff for a number of different systems has become inefficient. It’s estimated that large enterprises maintain between 60 and 80 separate security solutions. In bundling network security, cloud security, and security operations, Palo Alto can distinguish itself from the pack. The beauty of bundling also greatly reduces customer acquisition costs, as it can nab a customer with one product (land) and then upsell them on other offerings at little extra cost (expand).
This also insulates itself from the threat of one-product competitors. Similar to how Teams eclipsed Slack, customers are much more likely to tack on one more product than have to set up a new vendor on their system.
The CEO Nikesh Arora is very popular, with a 93% approval rating on Glassdoor. He has overseen much of the company’s acquisition strategy in his time at the helm since 2018. Interestingly, he was actually the president of Softbank from 2014 to 2016.
Competitors-wise, the network security space is populated with more old-school players like Checkpoint Software and Cisco. There is also the recently launched private entity of Trellix, made up of a merger between McAfee and Fire Eye. Palo Alto’s next generation firewalls have been unseating these industry incumbents for the last 15 years, and it shows no signs of slowing down.
Interestingly, a recent interview with CrowdStrike CEO George Kurtz saw him double down on the company's lack of interest in entering the network security market. While both companies’ platform approach means they are expanding capabilities so much that there is bound to be a crossover — as evidenced by Palo Alto’s security operations platform — for the most part, we will likely see their core competencies remain separate.
In terms of the wider macro environment, maybe it’s not the best time to be pitching a stock with a high price/sales ratio that has just turned a profit for the first time in 4 years, but I would push back on that a bit. In the CrowdStrike Stock of the Month piece, I spoke about how cybersecurity is going to fare a lot better than the rest of tech in an economic downturn, and while barely profitable on a GAAP basis, the company is actually incredibly profitable if you negate the non-cash expense of stock-based compensation.
I don’t love the stock-based compensation being that high, but I see it as a necessary evil. Talent is at a premium in the industry right now thanks to a shortage of workers, if this is what it has to do to attract and retain the right staff, so be it. It does dilute shareholder value but the company also has a buyback plan for the next year that negates this somewhat.
All in all, Palo Alto Networks has all the right assets to become a long-term compounder over the next decade. I’m a big believer that cybersecurity will be a rare bright spot throughout this economic downturn, and its enviable position at the head of the network security market will ensure that it will be one of the winners.