FireEye: Does The Sandbox Dominance End In 2017?

About: FireEye, Inc. (FEYE)


2017 is a make or break year for FireEye.

Management is firing on all cylinders to revive the growth story.

Can they complete the turnaround in the face of mounting competition?

In a bearish survey meant to gauge the sales performance of top security vendors heading into 2017, FireEye (NASDAQ:FEYE) stumbled badly: a series of channel checks by Piper Jaffray left unpromising forecasts for the advanced security vendor.

In the survey:

Resellers said demand for FireEye has gotten worse and they are no longer leading with FireEye products for advanced threat protection. Most believe advanced threat protection is just a feature on a larger platform, though we would argue that FireEye has assembled a larger platform of integrated products. The company now has virtual/subscription-based versions of their products, including their flagship NX-series. We believe the new head of sales Bill Robbins has a lot of work ahead of him re-engaging key channel partners.

FireEye accounted for over half of the advanced malware industry revenue in 2015. As the pioneer of the greenfield malware sandbox niche, FireEye was poised to disrupt the cyber security space by taking market share from network security vendors with its combination of best-of-breed security offerings. This offering, which has at its heart a malware sandboxing technology for detecting advanced security threats before they find their way into a network, has been well received as a gold standard technology for combating sophisticated cyber-attacks.

However, after years of declining revenue growth, it is increasingly clear that FireEye might be losing out on the competitive fronts to the network security vendors it would have replaced.

The counterargument has always been that the persistence of security breaches is proof that network security boxes don't work. Yet, if 2016 is anything to go by, giants like Palo Alto (NYSE:PANW) and Fortinet (NASDAQ:FTNT) have continued to gain market share in a heavily fragmented industry.

These giant leaps have come as a result of a bundling strategy which network security vendors have mostly adopted. What does this entail?

Simply put, a network security vendor that senses it may be disrupted innovates via horizontal integration. It does so by acquiring substitute products capable of eroding its market share.

For the average network security vendor offering a next-generation firewall, these substitutes include malware sandboxes, threat intelligence feeds, network analytics tools and a combination of other security products which, when knitted together, can give network vendors a run for their money.

At the heart of this disruption is the malware sandbox technology. This innovation caused a roar in the security landscape. A look at the advanced-threat-related M&A that has happened since FireEye's grand entrance makes it clear that the competitive dynamics have been fierce.

This advanced threat solution has been morphed into Cisco (NASDAQ:CSCO) Firepower to provide a robust APT solution.

Palo Alto built WildFire (a cloud-based malware analysis platform) to provide advanced threat solutions.

This deal provides advanced threat protection for Symantec's (NASDAQ:SYMC) enterprise customers. It leverages Blue Coat's web security strength via the Blue Coat proxy, SSL and malware scanning via its sandboxing technology.

While Symantec already has capabilities in web security via its SSL certificate, this deal provides more innovative capabilities by merging the web security capabilities of both parties.

Check Point (NASDAQ:CHKP) has SandBlast. The solution boasts the capability to detect zero-day exploits with a sandbox engine for threat emulation and extraction at the CPU level.

  • Fortinet developed FortiSandbox

FortiSandbox provides proactive detection and mitigation with threat intelligence.

What is left of FireEye's USP?

FireEye has boasted the best combination of advanced security technology, from detection to response.

They have what is arguably the best malware sandbox and threat detection solution, coupled with the proprietary ML/AI-based MVX engine. This has been orchestrated to provide maximum protection at the lowest TCO. To back it up, they have the incident response pros from Mandiant, who blend human and machine intelligence to provide end-to-end security assessment and remediation of any network, no matter how complicated.

While the human element cannot be overlooked, Mandiant professional services has brought in little revenue to FireEye. This implies two things:

  1. Either the market is not growing fast enough or
  2. FireEye is losing market share to competitors.

The second hypothesis holds true.

This is obvious, as recent market share gains by competitors who are growing subscription revenue at a faster rate indicate that the malware-sandbox greenfield, which FireEye created, might be too fragile to stand alone.

Rather, what we have is a scenario in which network vendors have been able to innovate the technology while providing it as an add-on to their product offering.


Source: Check Point

Nearly all top security vendors boast solutions capable of detecting zero-day exploits. A zero-day is an advanced threat that is yet to be exploited. This means no malware signature has been developed to detect it. This explains the small difference in security effectiveness in the NSS chart.

In the NSS test performed on network security devices, FireEye lost out to a number of competitors, largely on network throughput. One reason high network throughput matters is that it keeps a network device from failing during denial-of-service attacks, when a network is bombarded with malicious traffic.

The introduction of Helix is poised to further reduce the total cost of ownership. However, the Piper Jaffray survey indicates an increasing lack of faith in FEYE's product offerings, largely driven by its inability to compete on network throughput.


While FireEye remains undervalued compared to its peers, this has been a result of the dearth of growth that has overshadowed the firm. I believe most of the negatives have been priced into the stock.

The last ongoing concern remains the small standalone competitors like Proofpoint (NASDAQ:PFPT), who keep gnawing at FireEye for the little that is left to salvage. Keeping its current customers is one thing; gaining new ones is another.

With a new head of sales, the bet is no longer on product viability. Rather, it is left to management to convince clients that FireEye is in it for the long run and that its USP remains as intact and valid as ever.

Also, the gains from the cost cutting measures have to be fully recognized. If these can be achieved, the turnaround will form a solid base for the business model to rest on, as more competitive sharks dominate the security landscape.

I reiterate my hold rating with a PT of $16 driven by the potential of a buyout in the near future.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.
