Discover more from Tech Investments
Palo Alto Networks, the consolidator in cybersecurity
Projected IRR: 13%
Cybersecurity should be an attractive area for investing purposes:
This is a high growth industry where customers are planning to increase spending the most according to surveys.
While the industry is still relatively fragmented, over time there is room for consolidation both in terms of large scale M&A and smaller bolt-on acquisitions.
Palo Alto has sort of become the gorilla of the industry, leaving aside king kong Microsoft which is a beast of its own, and should be in a strong position to drive future performance:
The company has been building out and integrating their platforms over the last 5 years, investments that should bear fruits in terms of sales execution going forward.
The breadth of Palo Alto’s offering should give them a data advantage in the training of AI models, allowing customers to handle an increasing amount of security events with automation. Palo Alto’s new automated XSIAM product sounds promising here. Demand should be high, as most customers are facing an overload of security threats, resulting in slow response times and leaving them vulnerable for large data theft.
Large customers prefer software solutions being able to run in hybrid environments, i.e. the combination of private datacenters and the public cloud, and Palo Alto’s portfolio is well positioned for this.
Do me a favor and hit the subscribe button. Subscriptions let me know you are interested in research like this, which is a good motivation to publish more of the analysis I’m carrying out. Special thanks to the 470 subscribers so far!
Palo Alto is comprised of three platforms targeting different workloads. Strata provides network security, Prisma addresses cloud security, and Cortex manages the security operations center (SOC). Over the years, smaller bolt-on acquisitions were integrated into each of these, expanding the offering with innovative cybersecurity tech.
The key product within Strata are next-generation firewalls (NGFWs). A NGFW provides deeper insights and control into network traffic compared to traditional firewalls. All network traffic has to flow through this firewall, stopping both malware and malicious actors. This product can both be delivered as a physical hardware device, to install at your own premises or private data center, or it can be delivered over the cloud. Ten percent of Palo Alto’s revenues are still hardware devices. However, as this business is only growing at low to mid single digits, it will continue to fall as a proportion of the mix over time. Strata also provides threat detection and a user interface to manage and monitor the network. There is a long list of other capabilities so I’m probably not doing it fully justice here.
The main goal of the Prisma platform is to secure all of an organization’s services running in the cloud. The way this typically works is that you install an agent each time you spin up a virtual machine (VM) in the cloud. The agent protects the VM from potential threats and communicates with Prisma for monitoring and possible remediation purposes. Another module scans the cloud network to verify all devices and services connected to it.notes that Palo Alto was able to attract a lot of engineering talent from Google in this area, as CEO Nikesh Arora previously was part of the C-suite at Google.
You might know Nikesh Arora better from his two years at SoftBank, where the plan was for him to take over from the rather flamboyant CEO Masayoshi Son, ‘Masa’. Alas, Masa decided he wanted to go on for another decade and subsequently Arora made the move to Palo Alto. There is a good interview with him on the Grit podcast to learn more about his management style, as well as his times at Google and Palo Alto.
The hottest product currently in cloud security is SASE (Secure Access Service Edge) and Palo Alto’s product here is called Prisma Access. Traditionally, organizations would backhaul remote user traffic over a virtual private network (VPN) to its data center to have it go through a firewall, after which the user could access the company’s apps. However with the rise of both cloud services and employees working from home, there was a strong need for a faster solution i.e. with less latency. With SASE, these firewall checks can happen directly in the cloud, strongly reducing the distances your bytes have to travel. Palo Alto was a bit late to this party but they now have a top three product in this field, more on this later.
The Cortex platform is the security operations center (SOC), aiming to detect and respond to all threats an organization is facing. Palo Alto mentioned at its ‘21 capital markets day that the typical organization is faced with 11,000 security alerts per day, of which only a fifth are handled by automated tools. This overload in alerts results in them being investigated only after four days on average. By this time, all of your data might have been stolen. Palo Alto estimates that around a quarter of alerts are not being scrutinized at all.
To deal with this problem, the company recently announced their XSIAM solution, built into the Cortex platform. At the Morgan Stanley conference, Arora explained this module as follows: “Most enterprises have about 30 to 40 security vendors. They collect data from these and then try and cross-correlate it. It doesn't work like that. You need a single source of truth. So what we did internally is we took our business, where we had 67,000 alerts across 200 vendors. We've replaced all of that with 1 endpoint from ourselves. We cross-correlated the data, and we took our mean time to respond from 27 days to under one minute by using AI. That's the product we put in the market 4 months ago called XSIAM. That concept will be the disruptive event in security in the next 5 years. If there’s a ransomware attack, from the point in time they attack a company until the time they've extracted petabytes of data, can be 14 hours. So you have to be able to stop the threat in less than 14 hours. Today, the mean time to respond for most companies in days, which means everybody is susceptible. And another big problem is that there's a massive shortage of labor in cybersecurity. I've read over 3 million worker shortage.”
Zscaler mentioned at their ‘21 capital markets day how endpoint protection systems such as CrowdStrike communicate with their cloud platform to double check suspicious files. So Palo Alto’s approach of having all this data available within one company to build an AI system on top of this sounds like a logical approach. Zscaler is more of a pure play on cloud security with a strong SASE product and I’ll probably review this company in the coming months.
Training AI models is all about having the data available. The algorithms used in training can fairly easily be written by a talented engineer. Due to Palo Alto’s size and the breadth of its products, this can give them a clear edge in data availability. Arora made the following comments:
“In an enterprise, 85% of the security data is between the endpoint of the firewall. We've got 61,000 firewall customers and we've got 4,500 endpoint customers. So in a lot of cases, we have 85% of security data that should exist in the company. Our ability to cross-correlate those two data streams and reduce the number of alerts and amount of noise will eventually allow us to get customers to a place where they can start blocking threats in real time. In a typical day, we analyze nearly 750 million new, unique telemetry objects worldwide. Our AI models analyze this data. And every day, we see 1.5 million new attacks that we had never been seen before. We take these insights and add them to all the other things we already know about, and we use them to block 8.6 billion attacks across our customer base daily. We process over 3.5 petabytes of data a day across the customer state. From here, we apply approximately 1,000 AI models to detect attacks. We then leverage automation to accelerate investigation response. We are seeing early indications that customers are able to see reductions in mean time to respond from days or weeks down to hours or minutes just like we did.”
Also endpoint security is a key part of Cortex. Endpoint security is basically an agent installed on every device of an organization to protect it from malware and hackers. The agent is in communication with the cloud platform for monitoring purposes. This set-up can for example prevent phishing attempts, which are still the most common way to get inside a corporation’s systems. So if an employee attempts to run a malicious file he has received over email called ‘danger-malware.exe’, or perhaps a more subtle name, the installed agent can block execution of this file.
Cybersecurity can be a confusing field as every new software capability which gets added might get defined as a new industry with its own new acronym. So you end up with something like this then:
This might easily turn investors off. However, I do think over time, especially when growth matures, the smaller unprofitable players will get washed out, or alternatively get cobbled up by some larger players or private equity.
The main driver for this trend is the desire by customers to consolidate software solutions. During phases when innovation in the field is moving rapidly, there is a need to have the best solution in each area. However, as competition narrows the gap over time and the pace of innovation slows down, the desire shifts to having more and more solutions available on one platform. These cycles have been occurring regularly in the world of software, i.e. the best of breed solutions battling it out with the best suite. A classic example is WordPerfect, the dominant word processor from the eighties going toe to toe with newcomer Microsoft Office during the nineties. The suite won, and the suite often wins..
We might now be entering a phase of a consolidation within the cybersecurity industry. Gartner wrote already in 2021: “The trend continues for security and risk management leaders to seek security vendor and product consolidation to manage risk and improve security operations productivity.”
And this is getting translated into results, Arora: “When we look at purchases of our platforms amongst the Forbes Global 2000, we see now that 53% of our customers have bought a product in all 3 platforms of Strata, Prisma and Cortex, up from 48% a year ago, and 33% three years ago. Most of our competitors continue to provide only point products, while customer demand continues to shift towards the platform approach. When I came to Palo Alto, the largest deal was $28 million. Last quarter, we did a $75 million deal. So customers are buying more things from us. Our $5 million deals are growing, our $10 million deals, our $1 million deals. So I feel comfortable that we're seeding the market with $1 million deals, and we're driving customers to bigger and bigger purchases and consolidation as we spend more time with them.”
Since Arora arrived at Palo Alto, the company has been picking up the number of bolt-on acquisitions to build out their platform. Wikipedia provides a complete overview:
Another trend which should benefit Palo Alto is that the large majority of enterprises today are running their operations in a hybrid environment, meaning that part of the workload is running in private datacenters, with on top of that workloads being diverted to the public cloud such as AWS. Palo Alto’s platforms are able to run in this multitude of environments.
The key reason for this set-up is that private datacenters are cheaper for continuous and predictable workloads. The public cloud on the other hand is suitable if your workloads tend to spike at certain hours of the day, or if your organization is growing dramatically and you need the flexibility in scaling up in a rapid manner.
Palo Alto estimates their total addressable market (TAM) to be growing at an attractive CAGR of 14%. Within this, cloud security is growing at 30%, the security operations center at 15%, and network security is the most mature area with a 9% CAGR. The current TAM is around $90 billion which would give the company a market share of around 7.5%. Clearly this market is still fragmented although Palo Alto is becoming a sizeable player.
Let’s go through how Palo Alto is positioned according to the consultants.
In firewalls, both Forrester and Gartner see Palo Alto as a leader. Palo Alto is number one both in terms of strategy and offering. Check Point and Fortinet are the two key competitors in this area.
In software defined wide area network (SD-WAN), Gartner sees as three leaders Fortinet, Cisco and VMware, whereas Palo Alto is seen as having a strong strategy but needs to improve its execution. SD-WANs are basically software tools which allow you to manage wide area networks, which are used to connect an organization’s locations in different geographies. Palo Alto is fairly new to this area, having acquired CloudGenix in 2021. So as they have been integrating this capability there should be room to translate this in sales execution going forward.
In zero trust network access, Forrester scores Palo Alto as number one, before Zscaler and VMware. Zero trust means that digital transactions continuously get verified whether they are coming from trusted users or not. So it’s not like once an actor has gained access to the network, he can roam around freely. At every step there are checks implemented to detect intruders. All of Palo Alto’s products are designed with zero trust in mind.
In secure service edge (SSE), referred to as SASE above and which is currently the highest growth area within cybersecurity, Gartner ranks Palo Alto’s platform as number three, just behind Netskope and Zscaler. Palo Alto disclosed on their Q3 call that they are growing at a 50% rate in this area.did a large amount of detailed work in SASE and rates Cloudflare as number one in terms of product and technology, followed by Netskope. Zscaler and Palo Alto score best in sales execution.
In endpoint detection and response (EDR), the leaders are CrowdStrike and Microsoft. Forrester rates Palo Alto as a strong performer. Over time there should be scope here to move into the top right corner.
My impression on the above EDR market is that the barriers to entry aren’t really high. Both Palo Alto and Elastic seem to have built a capable product in a reasonably short timeframe and can now leverage their respective platforms and sales forces to cross-sell their solution here. I believe also Datadog might be looking to enter this market. As such I’m more cautious on CrowdStrike and SentinelOne which seem to be somewhat darlings in the investment community, but are faced with a market where strong competitors are entering. That being said, this remains a high growth market so those companies should continue to generate comfortable growth, although the rising level of competition gives more risk of not being able to meet forecasted revenues. This has been the case already for SentinelOne.
This chart is somewhat hard to read, but KuppingerCole rates Palo Alto as the leader in SOAR (Security Orchestration Automation and Response).
Overall, having gone through these, clearly Palo Alto has a strong offering. Typically the company’s platforms are rated as amongst the best solutions in the markets where they are competing.
Unit 8200 and Palo Alto’s roots
Like many other cybersecurity companies with Check Point being the most notable example, Palo Alto was founded by a former member of Israel’s military unit 8200, known for signal intelligence, code decryption and hacking. Founder Nir Zuk’s key idea was that firewalls were overly simplistic which led to his development of the next generation firewall. In contrast to traditional firewalls, which at the time relied on simple rules such as port numbers and protocol to block traffic, next generation firewalls would inspect all layers of the network stack and be able to block threats independently of port numbers or protocols being used. Later he successfully made these products available over the cloud and Palo Alto started building out its platform(s) to become a one-stop shop for cybersecurity.
Zuk, who’s still the company’s CTO, is probably the most entertaining figure in cybersecurity, driving around with license plates which read ‘checkpoint killer’ while being dressed in colorful t-shirts. He recently made some comments on a podcast that he’s in the process of killing Zscaler now, like other ‘proxy companies’ in the past.
In another recent interview he spoke about his vision for the industry:
“The reasons why software consolidation is important: for security teams it's cheaper, easier to deploy and easier to manage. But I think there are even more important reasons that are true today. The first one is that security works better when you don't have a split brain. When you have one brain for everything, it just works better and it's more secure. The second reason, if you believe that AI is going to run security operations. Well AI needs data. You're going to see data coming from a single vendor set of products: network, endpoint, cloud and so on, and you're going to see the processing coming from the same vendor. The only way to run cyber security operations is AI, and AI needs the right data. This will drive vendor consolidation. I don't know of any other vendor that's delivering this complete package of security of network, endpoint, cloud and so on as well as the central processing of the data. In five years, those customers that have gone through consolidation are going to have a cyber security infrastructure that is being run by machines. And they're going to be able to detect and stop attacks as they happen with a very very small mean time to detect and mean time to respond. They're going to be safe and those that haven't gone through consolidation, those that keep buying point products that don't talk to each other and are running their security operations with a seam, are going to be, I don't want to use bad words.”
Financials - share price at date of analysis is $212, ticker ‘PANW’ on the Nasdaq
Palo Alto has become the gorilla in the cybersecurity room. Not only is the company the largest revenue generator, but they are still achieving high growth rates. Mature software companies tend to trade at around 5x sales, although the better quality ones can trade well above that, and others in more competitive industries can trade well below. Overall, 8x NTM Sales looks far from excessive for a quality company which should have a long runway for growth and which can benefit from consolidation in the space. The company is also heavily outspending others in terms of R&D. Stock based compensation is high, but at around 15% of revenues now it’s much lower than at Crowdstrike, Zscaler and SentinelOne.
Looking at how the company could expand geographically, currently 64% of revenues are coming from the US, so I expect there to be plenty of room for growth in both Europe and Asia.
There is also still a lot of cross-selling potential within the existing client base. As already discussed, only around 53% of Palo Alto’s customers are on the company’s three platforms already. And within these, there are typically a variety of modules which can be sold as add-ons.
Below are Wall Street’s estimates for the coming years. The company has started generating a lot of cash and over the last four years the board has been approving on an annual basis share buyback programs, totalling $3.3 billion in total. Palo Alto currently has an attractive free cash flow (FCF) yield of 4% while growing the top line north of 20%. Dilution from share based compensation (SBC) can be offset by share buybacks, as FCF is much larger than SBC. The company is guiding for margins to improve going forward as over the last handful of years they’ve been investing in their next gen products. They are now expecting to translate these investments into sales execution.
Let’s have a crack at the possible IRR (internal rate of return) we can make in this stock. If I put revenues for the year ending in July ‘25 on 7.5x next twelve months’ revenues, modelling in a 3% dilution per annum, and taking into account the possibility of a 4% share buy back program per year, this gives an IRR of 13% over the coming 13 months, not bad at all. The way to think about an IRR in a simple way is to see it as an annualized return.
If Palo Alto can keep growing well, the 7-8x next twelve months’ sales should be able to hold. After all, around 7x is roughly the average multiple the company has been trading at during the last decade. Under that scenario, the share price could compound at roughly the top line growth rate for the coming years.
If you enjoy research like this, hit the like button and subscribe. Also, share a link to the research on social media with a positive comment, it will help the publication to grow.
Disclaimer - This article doesn’t constitute investment advice. While I’ve aimed to use accurate and reliable information in writing this, it cannot be guaranteed that all information used is of such nature. The shares’ future performance remains uncertain. The views expressed in this article may change over time without giving notice. Please speak to a financial adviser who can take into account your personal risk profile before making any investment.