Cyber Defense, Sovereignty and Growth By Acquisition

volume xviii - issue 5

Palo Alto Networks and Their Acquisition String

I penned an article in September, “Cyber Growth, Building an Ecosystem”, featuring Palo Alto Networks (NASDAQ:PANW) as a proxy in cybersecurity.  Pointed out there, that an astute investor would want to know about Palo Alto’s business with the government.  Cyber Defense is a strategic mission within developed countries that lives in both the military and the intelligence communities.  The most sophisticated cyber attacks come from sovereign domains.

Some due diligence about relationships with Uncle Sam is warranted here.  There is a  tremendous advantage when a company is given an opportunity to build cutting edge technologies for the military and intelligence community.  We spend a lot of tax dollars in these branches of government.  There is a long history of game changing applications in IT that comes to us by way of government research.  Mega disruptors appear every ten years or so and often the base technologies come from the government.

Alliance with Israeli Intelligence

Palo Alto does not segment government sales in financial statements.  Nor do they divulge much about their R&D efforts.  And they certainly don’t publish information about our government’s alliances with foreign countries.  So, it’s worth a deeper dive into the history of Palo Alto, its founders, financing, and evidence of government relationships that can be parsed from evaluating their acquisitions.

Palo Alto has been acquisitive from the start, founded by Nir Zuk in 2005.  He retains the role of CTO and is a board member. Mr. Zuk served in the Israeli Defense Forces intelligence corps, Unit 8200, their SIGINT (signal intelligence) division.  Unit 8200 in the Israeli military is comparable to our National Security Agency (the NSA).

It’s not much of a stretch, given an acquisition string that includes many Unit 8200 alumni, to believe that our own national defense agencies team with Israel as a military ally and cooperate with international cybersecurity defense programs.

Israel is probably the best choice.  We engage in competing and hostile cyber activity with other parts of the developed world.  Just read the daily news to speculate about the countries we compete with and who are likely to be our cyber foes.


Cash is needed for acquisitions.  So far, Palo Alto has gone the route of public debt financing only twice.  $575m of convertible notes were issued in April 2014 that mature next year.  The notes convert at $110 per share so given current prices ($178 at this writing), it’s likely the notes will be retired in exchange for stock.  In August, another $1.5B in convertible notes was raised in a private placement.

Borrowing money for acquisitions is usually a signal that the management team believes their growth opportunities will create more shareholder wealth with debt finance than issuing common stock.  Key officers have a significant stake in their performance compensation plans with awards paid in common stock and stock options.

These new notes convert at an equivalent price of roughly $418 per share, more than a double premium over current share prices.  The notes mature in 2023.  In five years and given CEO Nikesh Arora’s growth plans, it is within reach.  Continuing the share repurchase program should also serve to concentrate equity and improve the price of the stock.

Summary of Early Acquisitions

Cash on the balance sheet as of July 31, 2018, including proceeds from the new debt is about $2.5B.  It’s clear that Palo Alto prefers acquisitions rather than organic growth, and the successful deals are vertical integrations adding certain niche cyber solutions.  Here are the early-on additions:

  • Morta Security – the first acquisition made in 2014, an automated threat protection platform with a variety of utilities beyond firewalls.  The founders and seed capital originated inside the NSA,

  • Cyvera – acquired in 2014 for $200m, a small Israeli security firm with 55 employees.  The technology blocks “zero-day” attacks introduced through endpoints.  It integrates well with Traps, the award-winning flagship offering at Palo Alto that secures fringe networks and,

  • CirroSecure – acquired in 2015, a Silicon Valley company.  The technology secures SaaS applications, like Dropbox and Google Drive, cloud versions of SalesForce and Office 365.

The total spent on acquisitions since 2015 is $675m, not including Morta and CirroSecure.  The terms with these two early acquisitions were undisclosed.

Recent Acquisitions

Here are terms of more recent deals:

LightCyber – was acquired in February 2017 for $105m cash.  The company was founded in 2011, and over the course of their four private funding rounds, raised $36.5m.  Shlomo Kramer, who has been called the “Godfather of Israeli Cybersecurity”, is an investor.  He is also a graduate of the Israeli intelligence community, and co-founded Checkpoint.

LightCyber tracks adaptable malware, a threat that morphs from its original fingerprint and can hide inside a computer network for months.  The company points out that “dwell time” from introduction to the network until attack, usually through phishing, can last on average five months.  The undetected software, that probably changed several times since infection, eventually will launch the attack suited to its original purpose, to create havoc or worse – denial of service, destruction, ransom and theft of key data.  In January LightCyber was rebranded.  Its new name at Palo Alto is “Magnifier”.

Evident.IO – of Santa Clara, CA was acquired this March for $300m cash.  Rebranded simply as “Evident”, this application focuses on securing physical infrastructure in the cloud.  This means the servers, switches, routers and firewalls that manage the cloud application.  Cloud computing today requires distributed networks.  The associated hardware and switching equipment need not be co-located in the same data center, nor on the same continent for that matter.

Evident brought along a stable list of US government customers.  They successfully raised $49.1 million in venture capital prior to acquisition, including an undisclosed amount from the CIA’s financing arm In-Q-Tel.  Evident chief executive Tim Prendergast points out that government investment allowed the company to work more closely with our military and intelligence agencies and helped align Evident’s product road map with their customers’ missions.

Secdo – incorporated in Israel with headquarters in Ra’anana (near Tel Aviv) is a new addition, following on the heels of Evident.  Terms were not disclosed.  Sources believe the Secdo deal was about $100m cash with some equity.  Secdo was founded in 2015 by Gil Barak and Shai Morag.  Both served in Unit 8200.  Secdo is an endpoint detection and response (EDR) company – the fastest growing niche of cybersecurity applications.

Endpoint detection has traditionally meant anti-virus software installed on a workstation and at the firewall.  Even though the threats still originate out in the fringes, EDR now has more to do with detection deep inside networks.  The application creates threads – strings of related events – and populates an incident report log integrated with Palo Alto’s Traps EDS.  Once an event is flagged as a potential breach, false positives are sorted out and an automatic defensive response is made within seconds.  This preempts the need for an immediate human reaction and gives the security team more time to evaluate and completely shut down the uncovered threat.

RedLock, Inc. – is the most recent transaction, closed last month for $173m in cash.  RedLock was launched in 2015 and raised $12 million while private.  RedLock addresses new international rules, the General Data Protection Regulation (GDPR), enacted by the European Union (EU) and effective last May.  GDPR requires cloud network vendors to prove they can secure their own infrastructure and protect their customers’ Personally Identifiable Information (PII).

The three largest cloud service providers, Amazon Web Services, Google Cloud and Microsoft Azure have done a decent job shoring up their networks.  GDPR as written has teeth.  The EU can impose penalties up to four percent of gross annual revenue for each instance of non-compliance leading to a breach and theft of PII.  Says RedLock founder Varun Badhwar, “We built a technology platform that’s entirely cloud-based [with a] very quick time to [create tangible] value since customers can just turn it on through API’s”.  This means that RedLock can easily link a company and its cloud application to its cloud service provider and can assure customers they are immediately GDPR compliant.


  • Palo Alto Networks is in the space of supporting US cyber defense initiatives in alliance with other countries, namely Israel.

  • It is assumed that the US and Israel devote significant budget for custom cyber defense software development.  Cybersecurity is such a large international threat that cannot be ignored.

  • A technique is used with this evaluation that probes the depth of a financial relationship between the United States and Israel in the growth of Palo Alto Networks, by means of exploring its acquisitions.

  • Of the complete list of acquisitions here, over $800m has been spent on companies with origins, operations and financing inside the US and Israeli military and intelligence agencies.  Well over half of what Palo Alto has spent on acquisitions since its inception.

Copyright © 2018 New Edge Analytics, All rights reserved