Varonis An Interesting Play On New Corporate IT Demands And Threats

| About: Varonis Systems (VRNS)
This article is now exclusive for PRO subscribers.

Summary

Varonis is looking to help enterprise IT staffs make better use of user-generated metadata, and particularly with respect to deliberate misuse of data from people inside the firewall.

Varonis is targeting larger customers and more up-selling, but the pattern of license revenue growth and margin leverage has been frustrating and inconsistent since the company's public debut.

Varonis shares seem more or less reasonably valued, but the market (and margin) opportunity is large if the company can execute better than expected.

Enterprises generate tremendous amounts of data and collecting, aggregating, interpreting, and securing it is a major set of challenges for IT departments. Varonis (NASDAQ:VRNS) is an interesting take on that reality, as well as the increasing realization that sometimes the greatest threats to a company's IT/data security come from within, as the company's platform of products is designed to collect, analyze, and help manage large amounts of user-generated unstructured data that exist within a corporate/enterprise IT environment.

Varonis shares are up about 50% over the past year, but still more than a third below their debut price, as the company has had its challenges living up to initial expectations regarding license growth and margin leverage.

Although Varonis's addressable market may well be quite large (multiple billions of dollars), operating leverage is a tricky question and competition from large established players like Symantec (NASDAQ:SYMC) and Dell, not to mention small upstarts, is unlikely to lessen from here. Taken in the context of growth software stories, Varonis isn't that expensive, though, and the tight bunching of sell-side expectations leads me to think that the shares could react strongly to surprises (good or bad).

Putting Metadata To Work

Like Splunk (NASDAQ:SPLK), Varonis is bringing new solutions to a large, complicated, and often ill-defined market opportunity. Whereas Splunk provides tools for enterprises to collect and analyze unstructured machine data (log files, and so on), Varonis is focused on providing solutions to collect and analyze the metadata that comes from user-generated unstructured data produced through emails, documents, spreadsheets, PDFs, and so on.

Using expertise in large-scale data management, storage, security/identity/access management, and other disciplines, Varonis can allow enterprises to monitor who has access to what and who has accessed what, as well as where sensitive data lies within a system (and who can/should/does access that info).

Varonis products can also help automate IT processes (like requesting/granting access), enable easier file-sharing (while keeping sensitive or proprietary data out of the cloud), simplify data movement/archiving, and monitor access and security measures. Most recently, the company has also launched DatAlert - a product that monitors a network for unauthorized or inappropriate access and use, as well as offering threat monitoring, forensics, and other tools.

While Varonis initially positioned itself as a broader-based facilitator of user-generated metadata analysis and management, the security angle has increasingly started to drive the story. Companies like Palo Alto (NYSE:PANW) and Check Point (NASDAQ:CHKP) focus on products designed to keep out, block, or detect external threats (products like firewalls, URL filtering, app controls, etc.), but sometimes the biggest threat to an enterprise is from within.

Companies like Target (NYSE:TGT), Sony (NYSE:SNE), and Home Depot (NYSE:HD), not to mention the Eric Snowden case, were examples of data security issues caused (at a basic level) by an employee, someone inside the firewall, exploiting access to material they shouldn't have had. The products that Varonis offers are designed, then, to help enterprises monitor and modify who can and does have access to specific types of data within the organization.

Like Splunk, one of the things that makes the Varonis story interesting, and a little more challenging to analyze, is that there isn't a lot of like-for-like competition. Symantec, Dell, CA (NASDAQ:CA), and others do compete to some extent in the identity/access management, but those are more limited "case by case" comparisons and nobody (yet) really competes with Varonis across the board in terms of the capabilities and functionality it can offer.

I do expect that this will change over time (IBM, Dell, Oracle (NASDAQ:ORCL), and Hewlett Packard Enterprise (NYSE:HPE) would seem like probable future rivals), and I do have some concerns that Varonis's pivot towards security will make it a little easier to pigeonhole and compete with.

Even so, for now, Varonis seems to have an edge. The company's Varonis Metadata Framework is a proprietary platform built on a single code case that powers all of its products. It allows IT departments to enable/control access, monitor and audit user-access patterns (useful for finding unusual behavior), and automates a lot of otherwise tedious and time-consuming functions. What's more, it can do this without compromising system performance.

The Path Forward

Varonis is somewhat unusual in that it's a (relatively) new software story that uses the traditional license model. Varonis uses both an internal sales force as well as channel partners and it charges an annual maintenance fee approximating 20% of license value. The company offers seven primary products, and pushing add-on sales has been a key focus from day one. About 48% of customers use two or more Varonis products, with DatAdvantage as the anchor product and Data Classification Framework the next most popular.

Pricing is based upon the number of users in a system, the number of network environments and so on. For large enterprises, the ASP for DatAdvantage can exceed $100K (versus around $25K for a smaller business), but the other products are priced at lower price points and there are multi-product discounts. The accessible market of larger enterprises is in the neighborhood of 80,000 (and likely well over 150,000 smaller enterprises), but no company gets 100% of its addressable market.

There have been attempts to quantify the market opportunity for Varonis using data from sources like Gartner and IDC regarding the market opportunities for IT security (endpoint security, vulnerability mgmt, et al), access software, file system software, and so on, but I find that to be tricky given that what Varonis offers really doesn't address all of those markets. In any case, I think an addressable market opportunity is north of $8 billion on the assumption of 30K to 40K enterprises paying up to $200K/year and over 100K paying over $25K/year is plausible.

Right now, Varonis is focused on recruiting larger companies and selling more add-on products to that customer base. The company is also spending quite a bit to expand its sales and marketing capabilities. This is not uncommon for a growth-stage software company (it is in the company's interests to stake out as much territory as possible before the inevitable competitive inroads), but it does lead to periodic worries about margin leverage. "Spend today for growth tomorrow" will often work for periods of time with software companies, but if/when license growth slows down, the questions about margin leverage get sharper.

The Opportunity

I'm expecting Varonis to generate mid-teens annualized growth for the next decade, which would still mean the company only gets around 5% market share (if $8.5 billion is a reasonable estimate of today's market size, and that market opportunity only grows at a low single-digit rate). I do believe that margin leverage will kick down the road and drive FCF margins into the high teens, but "down the road" likely means more than five years.

On a discounted cash flow basis, then, the shares appear to me to be within 5% (+/-) of fair value today. You could argue for a higher fair value on the basis of what the market has been willing to pay for various combinations of revenue growth and (expected) adjusted operating margin, but that's a volatile valuation methodology given that relatively small changes in the input assumptions can lead to big swings in the estimated fair value. At a bottom line, then, I would say that Varonis isn't really that expensive for a software growth story, provided that growth comes to pass.

One thing I would like to observe is that the spread of high/low estimates for revenue in 2017 and 2018 is narrow (less than 1% in 2017 and less than 7% in 2018). That strikes me as an unusual level of agreement for a company at this stage of development (the 2018 spreads for Oracle and Symantec are both about 5%, while that of Splunk for the year ending Jan 2019 is 24%). It's anecdotal, but my experience has been that these are situations where surprises (good or bad) tend to have a disproportionately large impact on the share price.

The Bottom Line

I do like Varonis as a play on insider threat prevention, and I would not be shocked if this company gets bought out at some point over the next couple of years. On its own, I think the standalone opportunity and growth outlook are good, but I also recognize that names like this tend to be volatile as the Street flies between elation and depression with the swings in license growth and the jerky progress toward margin leverage. I'd want a wider margin of safety to compensate for those aggravations, but the quality of the opportunity does likely merit closer due diligence from readers interested in growth software stories.

This article is part of Seeking Alpha PRO. PRO members receive exclusive access to Seeking Alpha's best ideas and professional tools to fully leverage the platform.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.