Cyber Defense, Sovereignty and Growth By Acquisition

volume xviii - issue 5

Palo Alto Networks and Their Acquisition String

I penned an article in September, “Cyber Growth, Building an Ecosystem”, featuring Palo Alto Networks (NASDAQ:PANW) as a proxy in cybersecurity.  Pointed out there, that an astute investor would want to know about Palo Alto’s business with the government.  Cyber Defense is a strategic mission within developed countries that lives in both the military and the intelligence communities.  The most sophisticated cyber attacks come from sovereign domains.

Some due diligence about relationships with Uncle Sam is warranted here.  There is a  tremendous advantage when a company is given an opportunity to build cutting edge technologies for the military and intelligence community.  We spend a lot of tax dollars in these branches of government.  There is a long history of game changing applications in IT that comes to us by way of government research.  Mega disruptors appear every ten years or so and often the base technologies come from the government.

Alliance with Israeli Intelligence

Palo Alto does not segment government sales in financial statements.  Nor do they divulge much about their R&D efforts.  And they certainly don’t publish information about our government’s alliances with foreign countries.  So, it’s worth a deeper dive into the history of Palo Alto, its founders, financing, and evidence of government relationships that can be parsed from evaluating their acquisitions.

Palo Alto has been acquisitive from the start, founded by Nir Zuk in 2005.  He retains the role of CTO and is a board member. Mr. Zuk served in the Israeli Defense Forces intelligence corps, Unit 8200, their SIGINT (signal intelligence) division.  Unit 8200 in the Israeli military is comparable to our National Security Agency (the NSA).

It’s not much of a stretch, given an acquisition string that includes many Unit 8200 alumni, to believe that our own national defense agencies team with Israel as a military ally and cooperate with international cybersecurity defense programs.

Israel is probably the best choice.  We engage in competing and hostile cyber activity with other parts of the developed world.  Just read the daily news to speculate about the countries we compete with and who are likely to be our cyber foes.


Cash is needed for acquisitions.  So far, Palo Alto has gone the route of public debt financing only twice.  $575m of convertible notes were issued in April 2014 that mature next year.  The notes convert at $110 per share so given current prices ($178 at this writing), it’s likely the notes will be retired in exchange for stock.  In August, another $1.5B in convertible notes was raised in a private placement.

Borrowing money for acquisitions is usually a signal that the management team believes their growth opportunities will create more shareholder wealth with debt finance than issuing common stock.  Key officers have a significant stake in their performance compensation plans with awards paid in common stock and stock options.

These new notes convert at an equivalent price of roughly $418 per share, more than a double premium over current share prices.  The notes mature in 2023.  In five years and given CEO Nikesh Arora’s growth plans, it is within reach.  Continuing the share repurchase program should also serve to concentrate equity and improve the price of the stock.

Summary of Early Acquisitions

Cash on the balance sheet as of July 31, 2018, including proceeds from the new debt is about $2.5B.  It’s clear that Palo Alto prefers acquisitions rather than organic growth, and the successful deals are vertical integrations adding certain niche cyber solutions.  Here are the early-on additions:

  • Morta Security – the first acquisition made in 2014, an automated threat protection platform with a variety of utilities beyond firewalls.  The founders and seed capital originated inside the NSA,

  • Cyvera – acquired in 2014 for $200m, a small Israeli security firm with 55 employees.  The technology blocks “zero-day” attacks introduced through endpoints.  It integrates well with Traps, the award-winning flagship offering at Palo Alto that secures fringe networks and,

  • CirroSecure – acquired in 2015, a Silicon Valley company.  The technology secures SaaS applications, like Dropbox and Google Drive, cloud versions of SalesForce and Office 365.

The total spent on acquisitions since 2015 is $675m, not including Morta and CirroSecure.  The terms with these two early acquisitions were undisclosed.

Recent Acquisitions

Here are terms of more recent deals:

LightCyber – was acquired in February 2017 for $105m cash.  The company was founded in 2011, and over the course of their four private funding rounds, raised $36.5m.  Shlomo Kramer, who has been called the “Godfather of Israeli Cybersecurity”, is an investor.  He is also a graduate of the Israeli intelligence community, and co-founded Checkpoint.

LightCyber tracks adaptable malware, a threat that morphs from its original fingerprint and can hide inside a computer network for months.  The company points out that “dwell time” from introduction to the network until attack, usually through phishing, can last on average five months.  The undetected software, that probably changed several times since infection, eventually will launch the attack suited to its original purpose, to create havoc or worse – denial of service, destruction, ransom and theft of key data.  In January LightCyber was rebranded.  Its new name at Palo Alto is “Magnifier”.

Evident.IO – of Santa Clara, CA was acquired this March for $300m cash.  Rebranded simply as “Evident”, this application focuses on securing physical infrastructure in the cloud.  This means the servers, switches, routers and firewalls that manage the cloud application.  Cloud computing today requires distributed networks.  The associated hardware and switching equipment need not be co-located in the same data center, nor on the same continent for that matter.

Evident brought along a stable list of US government customers.  They successfully raised $49.1 million in venture capital prior to acquisition, including an undisclosed amount from the CIA’s financing arm In-Q-Tel.  Evident chief executive Tim Prendergast points out that government investment allowed the company to work more closely with our military and intelligence agencies and helped align Evident’s product road map with their customers’ missions.

Secdo – incorporated in Israel with headquarters in Ra’anana (near Tel Aviv) is a new addition, following on the heels of Evident.  Terms were not disclosed.  Sources believe the Secdo deal was about $100m cash with some equity.  Secdo was founded in 2015 by Gil Barak and Shai Morag.  Both served in Unit 8200.  Secdo is an endpoint detection and response (EDR) company – the fastest growing niche of cybersecurity applications.

Endpoint detection has traditionally meant anti-virus software installed on a workstation and at the firewall.  Even though the threats still originate out in the fringes, EDR now has more to do with detection deep inside networks.  The application creates threads – strings of related events – and populates an incident report log integrated with Palo Alto’s Traps EDS.  Once an event is flagged as a potential breach, false positives are sorted out and an automatic defensive response is made within seconds.  This preempts the need for an immediate human reaction and gives the security team more time to evaluate and completely shut down the uncovered threat.

RedLock, Inc. – is the most recent transaction, closed last month for $173m in cash.  RedLock was launched in 2015 and raised $12 million while private.  RedLock addresses new international rules, the General Data Protection Regulation (GDPR), enacted by the European Union (EU) and effective last May.  GDPR requires cloud network vendors to prove they can secure their own infrastructure and protect their customers’ Personally Identifiable Information (PII).

The three largest cloud service providers, Amazon Web Services, Google Cloud and Microsoft Azure have done a decent job shoring up their networks.  GDPR as written has teeth.  The EU can impose penalties up to four percent of gross annual revenue for each instance of non-compliance leading to a breach and theft of PII.  Says RedLock founder Varun Badhwar, “We built a technology platform that’s entirely cloud-based [with a] very quick time to [create tangible] value since customers can just turn it on through API’s”.  This means that RedLock can easily link a company and its cloud application to its cloud service provider and can assure customers they are immediately GDPR compliant.


  • Palo Alto Networks is in the space of supporting US cyber defense initiatives in alliance with other countries, namely Israel.

  • It is assumed that the US and Israel devote significant budget for custom cyber defense software development.  Cybersecurity is such a large international threat that cannot be ignored.

  • A technique is used with this evaluation that probes the depth of a financial relationship between the United States and Israel in the growth of Palo Alto Networks, by means of exploring its acquisitions.

  • Of the complete list of acquisitions here, over $800m has been spent on companies with origins, operations and financing inside the US and Israeli military and intelligence agencies.  Well over half of what Palo Alto has spent on acquisitions since its inception.

Copyright © 2018 New Edge Analytics, All rights reserved

Cyber Growth, Building an Ecosystem

volume xviii - issue 4

Please see the companion article, NextGen Firewalls and the Cyber Business Cycle, on the New Edge Analytics website. New Edge considers Palo Alto Networks as a proxy for the cybersecurity industry and gives the company a Gold Performance rating.

Palo Alto Networks (NASDAQ:PANW) needs a strategy to maintain double-digit growth in a consolidating cybersecurity industry. New CEO Nikesh Arora has thrown down the gauntlet and challenged the company to grow the business 2 to 3 times current revenue. Doing the CAGR math, this means 15% to 25% annual growth over the next five years.

Investors need to look for success in developing an ecosystem. One that attracts the best talent in the industry, fills out the key industry segments by acquisition, and all at a time when it will become more important to avoid paying too much for the assets. I count human capital, particularly cyber programmers, informally as assets to the corporation. You simply need to hire the best hackers. Such developments won’t show up in quarterly earnings reports.

While 20% to 30% revenue growth has been the norm for PANW since they went public, firewall sales have slowed. The business of firewalls is midway through a technology refresh cycle that began in early 2017. When firewall replacements among Palo Alto’s customers and competitive wins are complete, it could be another three to five years before the next buying cycle returns for hardware.

The size of the market for all cybersecurity solutions in 2017 was about $138 billion in sales. There is a lot of very bullish sentiment out there, particularly among industry consultants. But Wall Street and CEO’s in the cybersecurity industry agree that a likely annual growth rate going forward is 8% to 10%. Taking the high side of the range, this makes a planning number for size of the market about $200 billion by 2021.

Palo Alto’s refresh product line falls in their Next Generation Firewall group among a bevy of cyber solutions. There are two offerings: VM-Series and GlobalProtect. PANW cites a competitive advantage with their NextGen firewalls. They have 54,000 and counting customers, and recent competitive wins versus Cisco, Checkpoint and Symantec.

When PANW went public in 2012, annual revenue was $225.1 million. For the fiscal year ending July 31, 2018, revenue was $2.3 billion. PANW stock trades at 10x fiscal 2018 revenue and is in the low end of a valuation range between 6- and 20-times trailing revenue using the price-to-sales ratio for guidance about valuation. Maintaining these growth rates requires scaling.

Mr. Arora was hired in part for his tenure at Google as Chief Business Officer, where he served in key strategic roles with the company from 2004 to 2014. Sales grew from $3.2 billion to $65.7 billion in that timeframe. He served as President and Chief Operating Officer at SoftBank between 2014 and 2016 and was widely thought to succeed CEO Masayoshi Son, until Son decided to stay on for at least five more years.

Palo Alto went live with Application Framework in August. This is the third iteration of attempts to create an open source software development platform for cyber coders that integrates with their firewalls. They absolutely must make it work this time. Growth in the industry is shifting to software subscriptions – cloud revenue – and Application Framework needs to be the catalyst at Palo Alto Networks.

Develop an ecosystem. Therein, lies the opportunity, and the risk.

Smooth Integration and Economics Required

By recent estimates, over 80% of security breaches happen in the application layer, so application security testing is the current buzz. If PANW can incorporate solutions to address the application threats and integrate the software with their Next Generation Firewalls, they should be successful in developing an industry leadership reputation.

Application Framework creates sticky relationships. Developers and their customers become dependent on PANW because they have already bought the firewalls. New Application Framework customers include Microsoft, ServiceNow, ProofPoint, Phantom, and Splunk. So there appears to be a market and Palo Alto is assumed to have pedigree. PANW promotes that AF will make it easier and less expensive to integrate software solutions with their firewalls.

The economics for developers in private cybersecurity companies include cheap access to next generation firewall technology, bloom on the rose from association with Palo Alto, and access to private equity and partnerships with the best cyber companies in the industry. It is difficult to hang a value on Application Framework because sales due to the platform are not broken out with revenue and expenses in financial reports. Contribution to sales, net income and a higher valuation are strategic initiatives and depend on the performance of the ecosystem.

Investors should look for an ecosystem and consider these variables:

  • Can new software go straight to a SaaS model,

  • Can the opportunities and financial incentives attract the best cyber programmers,

  • Can engineers’ compensation with acquisitions be applied to COGS,

  • Can new customers be acquired without adding salespeople,

  • Can key acquisitions be made at fair prices,

  • Can any premium paid be absorbed without increasing operating expenses,

  • Is there enough cash on hand and plentiful VC funding to incubate startups?

Employee compensation is the largest chunk of operating expenses. Silicon Valley reports non-GAAP net operating income/loss where the stock compensation expense is stripped out. Because of this, PANW has shown a non-GAAP net operating profit the last four years. In 2018 operating margin was 14% of sales. But financial statements must be adjusted for GAAP requirements and include share compensation as an expense, which creates a net loss and negative 6% operating margin for 2018. It’s notable that the negative operating margin is narrowing and half the amount in 2015.

The obvious attractions for software engineers are stock signing bonuses and compensation plans that include a large percentage of pay in the form of incentive stock options. This has been the Silicon Valley model for decades. Palo Alto has one of the largest percentage share compensation plans for employees in Silicon Valley. The only way to measure whether PANW is attracting the best talent is to ask around. Talk with the millennial engineers at the company, among PANW competitors and the FANG crowd. Who are the cyber rock stars and where do they work? This is a soft metric but may be the most important. Trade journals and local papers might have some good insight.

Qualification of Risks

PANW is publicly concerned with attracting large enterprise customers where they compete with Cisco and Juniper Networks, others that have a strong switch/routing platform with firewalls in the product mix. Probably the biggest risk, is the acquisition of a major competitor by a behemoth network equipment manufacturer who has an installed base among the largest enterprise customers and the government. Cisco buying Fortinet comes to mind as a possibility.

Virtually all PANW revenue is generated through resellers and channel partners – which would be a valuation risk if Arora and the board decide that PANW is for sale. With recent private cyber deals, the channel partner sales are stripped out of revenue when figuring the multiple. PANW as currently structured gives up a measure of control by relying on channel partners to build the business.

Next. ASC Rule 606, Revenue from Contracts with Customers, is an accounting standard published in 2014 and required for revenue measurement this year. PANW has chosen the full retrospective method, which will be in place for the fiscal year beginning August 1, 2018. Adjustments will be included in the 2018 annual report when published, for prior accounting periods. This has an effect of boosting revenue in the year adopted, but less predictable figures in forward years.

There is much greater forgiveness charging employee compensation expenses to Cost of Goods Sold (COGS) in a software subscription model, where gross margin is many times a whopping 80%. And here is where accounting meets strategy. R&D software development is charged as an operating expense and can easily create a loss, particularly with the GAAP numbers. Via thoughtful acquisitions, if a new software-only cyber solution company is brought into the fold, it would be hoped that the bulk of the R&D effort was completed while the company was still private.

A Good Strategy for Scaling

Arora has spent his first three months as CEO with key customers, the management team, outside experts and integrators. When asked about generalizing Application Framework, he points out that customers want better integration in a market that has become fragmented. IT managers want to manage the cost and level of effort needed to incorporate solutions that work.

About $500 million was spent on acquisitions between 2015 and 2018. Goodwill and intangibles increased from $216 million to $664 million – so about $450 million in that period. It doesn’t seem that they are overpaying for new technology and new customers in the last three acquisitions. All three solutions are applied to segments in the industry that don’t overlap, and they are all software-based.

Total debt in April 2018 was $540 million and reflects the remaining obligation on convertible senior notes due for repayment or conversion by 2019. $1.5 billion of new capital was raised with convertible notes offered through a private placement and completed in August. Cash on the balance sheet for the fiscal year ending July 31, 2018, including proceeds from the convertible underwriting, is $2.5 billion. It’s likely this money in part is raised to finance more acquisitions tied into Application Framework.

Palo Alto already has in place a $20 million venture fund in association with Greylock Partners and Sequoia Ventures. One could reasonably assume that Arora can pick up the phone and call a partner at SoftBank given a deal that makes sense – would love to see his Rolodex! One could also make a case that all this access to capital and the Silicon Valley elite makes Palo Alto look like a private equity fund. An interesting point of view.

Guidance for Investors

Foremost, understand that the thesis by CEO decree is 15% to 25% per annum revenue growth in a business that is now widely forecasted to improve at a more modest 8% to 10%, which is about the compound annual growth rate for the S&P 500. Look for evidence in quarterly reports that the company is on that “fifteen to twenty-five” trajectory in their year-over-year statistics.

Look at the quarterly SEC filings, the 10-Q, for the income statement, under “Total Revenue”, and calculate the percentage of total revenue that is reported as “Subscriptions and Support”. This metric should be increasing annually. Reviewing this data quarterly might be too granular but it’s worth checking out. Per the most recent 10-K (page 41) the ratio is 61.7% so about two-thirds of total. “Product” listed under Total Revenue makes up the other third.

PANW doesn’t itemize their sales or discuss software development efforts with the US Government in reports. An astute investor would like to know more about this. Remember the soft data example about success with hiring the best hackers. Information about US Government installed firewalls, agencies participating with Application Framework, and cyber software R&D efforts, would be useful but hard to find.

The notion of ecosystem is about creating a community so that the best and brightest talent in the industry will seek to join the Application Framework platform. PANW will hopefully establish themselves as the go-to employer/partner due to pedigree of the new CEO, an installed base of firewalls, and access to billions of dollars in capital. The best acquisitions are going to win large swaths of enterprise customers, delivering to them SaaS solutions that integrate with firewalls.

Don’t be alarmed by a mega-deal that includes a competitor acquired by someone like Cisco. There is plenty of room in the market among the larger players, and PANW may in fact have the best solutions for cyber software and firewalls, for now and going forward if AF succeeds. Cisco makes switches and routers.

Decide as an investor how much you personally are willing to pay based on a multiple of sales. The price-to-sales ratio is currently 10x. The range has been 6x to 20x. With negative earnings, a price-earnings ratio has no meaning. It would be great if Palo Alto soon reports a quarterly profit on a GAAP-adjusted basis. Eventually everyone must grow up.

A broad NASDAQ selloff, or a selloff more specific to IT, isn’t farfetched in the next twelve months. This bull market has had a relatively normal cyclical rotation and IT is due to slow down. It’s ok to buy the dips if you are on board with the opportunities discussed here. Finally, growth and momentum investors will tell you that the fundamentals are bunk but, in the end, it pays to be able to make a buy or sell decision understanding both technical and fundamental characteristics of a stock. This is one of those truths that cannot easily be taught. Palo Alto is a great story. Tech stocks are volatile.

Copyright © 2018 New Edge Analytics, All rights reserved

NextGen Firewalls and the Cyber Business Cycle

volume xviii - issue 3

Firewall companies are midway through a technology refresh cycle that began in early 2017.  This is common in the IT sector.  All businesses go through growth cycles when sales are robust, and then fade a little.  Those who make it through a full cycle emerge with stronger product platforms and services.  The new technology achievements in cyber worthy of attention live in what is called a Next Generation Firewall (NGFW).  New Edge Analytics believes these new and updated features are a good proxy for the direction of the cybersecurity industry as a whole.

Cyber is a fragmented and consolidating industry and a big spend for IT departments.  Sales and order growth are likely to slow down in the next twelve months after the bulk of the new firewall hardware and related apps are installed.  Now is a good time to benchmark the new features.  Despite a plethora of cyber solutions and the thousands of companies working in the space, those companies that make the firewalls and have an application framework to peer with third-party software developers have the upper hand.

Palo Alto Networks (NASDAQ: PANW) is a New Edge Gold Performance company.  A gold performer is a company whose metrics are cream of the crop, with better financial performance than 90% of its peers over the past 26-weeks (half a year).  Gold Performance is a ranking that NEA awards based on data from financial reports and computer models, aggressive growth in sales and earnings, price and volume trading patterns of the stock, news releases and comments from the management team.

PANW has the financial depth to do it all – an application firewall, central and distributed controls for security equipment, encryption with a VPN (virtual private network) interface, traditional packet and port analysis, and endpoint management.  Cloud security at PANW is only a five-year-old effort.  They must adapt quickly to build market share to address increasing competition from Amazon Web Services, Microsoft Azure and Google Cloud.

The basics of how firewalls manage computer viruses and malware have been the same for over thirty years.  There have been lots of new risks and improvements.  A Next Generation Firewall goes beyond port and protocol inspection that denies or allows traffic through the firewall based on permissions.  The developing model takes the same idea and looks for misbehavior in the operating system and application layers.

A computer application has its own unique fingerprint so to speak. Applications have predictable behavior; how they use the CPU, how they manage resources like DRAM and storage, how they make program calls to the operating system.  Threat analysis also considers how the algorithms work, how the application communicates with other servers, network management and other cyber applications.

Threats also have their own signatures and are becoming a lot more complex.  Some of the most dangerous can live undetected inside a network for an extended period before exploiting a vulnerability and creating havoc.  Operating directly on databases and applications, these threats as a group are called ‘malicious code’.

Malicious code searches for a path to hack and disable an application or steal database records.  Of the most formidable challenges ahead, is the ability to detect and manage threats enabled with Artificial Intelligence.  AI-enabled malware has the disturbing ability to repeatedly morph into another difficult if not impossible to track piece of harmful code that remains hidden inside the network.

In the business of cyber, the ability to find, analyze and shut down malicious code can be grouped according to techniques.  Vulnerability assessment, dynamic firewall, threat mitigation, threat detection, and incident response are the most common classifications.  Leading edge solutions in these categories are the industry fundamentals that management and investors must understand as the business of cyber continues to mature.

The Palo Alto Networks Application Framework, beyond the ability to manage all of Palo Alto’s own hardware and cyber applications, allows integration with software made by third parties.  PANW will be rolling out Application Framework over the next twelve months, it was discussed extensively in their last earnings conference call in June.

Rapidly becoming a threat, and maybe the most vexing problem to challenge cyber defense programmers, are thugs (a personification) that penetrate the network through endpoints; mobile devices, sensors and IoT actuators for automated factories and connected cars.  The list in a world of IoT is possibly endless.  Microsoft, Amazon and Google are keen to build endpoint defense and working on it now.  Palo Alto is addressing the endpoint race with their Traps Advanced Endpoint Protection.

Rather than a piecemeal approach to traditional antivirus protection, Traps AEP provides its own application framework to manage viruses and malicious code, particularly those threats introduced by endpoint devices.  NSS Labs published its 2018 Advanced Endpoint Protection (AEP) Group Test  in April, an independent evaluation of twenty endpoint cyber solution vendors and announced the results at RSA 2018.  The findings placed Traps AEP 4.1 at the top of the list. Traps AEP 5.0 was released in March.

A final bit about the economic cycle and a consolidating industry:  M&A in this space will be vibrant over the next 24 months.  Stick to looking for companies who make network routers, switches and firewalls as the buyers.  Stick to evaluating the main categories of cyber solutions.  A good solution by a small company with paying customers still will need a parent or a peer to grow.

Avoid giving much attention to companies who claim to have a – unique and independent solution – to a cyber threat, other than in one or more of the categories mentioned here.  The classifications for threat management are clear by now and they are going to live in hyper-programmable firewalls with portable cyber application development platforms.

Copyright © 2018 New Edge Analytics, All rights reserved.