Carbon Black (NASDAQ:CBLK), a cybersecurity company that has been private since 2003, has submitted its S-1 filing ahead of a near-term IPO. The VC-backed company has been a well-known name in cybersecurity for many years, and its IPO - to be led by Morgan Stanley (MS) and JPMorgan (JPM) - has already drawn early headlines in the markets.
To date, 2018 has already been a hot year for IPOs - and for equities in general. Volatility has given equity trading desks a spurt of new life after several quarters of stagnation, with big banks reporting huge upswings in equity trading revenues for Q1. The same volatility, as suggested in the Wall Street Journal, has prodded more and more companies into going public this year before the IPO window closes.
Looking at the massive success of software IPOs this year so far, it's a small wonder that more are waiting at the gates. Zscaler (ZS) was the first to go public this year in March, followed closely by Dropbox (DBX); last week brought us Zuora (ZUO), an ERP platform. All three are trading up 40% or more relative to their IPO prices. April will further bring us Pivotal Software (PVTL), a company owned by Dell, and Smartsheet (SMAR) and DocuSign (DOCU) are expected to follow.
Now there's Carbon Black. Arguably, Carbon Black has the best comparison in fellow security company Zscaler, which shot up 106% on its first trading day to $32.50, well above its IPO price of $16. Shares have since come down somewhat to the $27 handle, but it's still a healthy gain for IPO investors. Given that Zscaler is the closest indication this year of how Carbon Black will perform, it wouldn't be surprising to see Carbon Black's deal oversubscribed and see similar strong performance.
Especially in the wake of Facebook's (FB) Cambridge privacy scandal and the high-profile leak of 5 million credit cards from Saks Fifth Avenue, cybersecurity is a top-of-mind topic in 2018. It's too early to tell whether Carbon Black will be a buy right out of the gate - its pricing range is still TBD and the opening price usually shoots up way above the IPO price anyway - but there's a lot of information from Carbon Black's filings that we can digest now.
Top backers offer a patina of quality
Though Carbon Black has maintained a relatively low profile since its founding in 2003, it has attracted a swath of Tier 1 venture capitalists. Its private valuation has been reported, but with revenues of $162.0 million in FY17 (which we'll discuss shortly) at a ~40% growth rate, Carbon Black is likely to notch a "unicorn" valuation well in excess of $1 billion in its IPO. Zscaler, after all, traded at above 20x forward revenues on its opening day.
The chart below, courtesy of Crunchbase, details Carbon Black's funding history:
Figure 1. Carbon Black funding timeline
Source: Crunchbase
The company has raised a total of $191.7 million, and its lead investors include such Silicon Valley icons as Sequoia Capital, Kleiner Perkins Caufield & Byers, and Founders Circle - some of the top VCs in the valley. The patina of quality offered by Carbon Black's top-notch investors adds another element of desirability in the offering.
As listed in the company's S-1 filing, Sequoia and KPCB own 10% and 9% of the company, respectively:
Figure 2. Carbon Black VC ownership
Source: Carbon Black S-1 filing
Emerging vendor in the popular endpoint security market
Carbon Black describes itself as a "leading provider of next-generation endpoint security solutions." Endpoint security refers to protecting the physical device "endpoints" that are connected to highly sensitive networks - this includes smartphones, laptops, and any other device that is connected to a corporate network.
In its own words, Carbon Black believes endpoints to be highly appealing targets for cyberattackers because:
Endpoints are the primary focus of attacks because they store valuable data that attackers seek to steal; perform critical operations that attackers seek to disrupt; and are the interface where attackers can target humans through email, social engineering and other tactics. Endpoints are the physical and virtual locations where sensitive data resides and include desktops, laptops, servers, virtual machines, cloud workloads (services running on cloud servers), fixed-function devices such as ATMs, point of sale systems, and control and data systems for power plants and other industrial assets."
Carbon Black has been recognized by Gartner, a leading software industry research firm, as a "Visionary" in its annual Gartner Magic Quadrant for Endpoint Protection rankings. One potential caveat to Carbon Black's narrative - endpoint security is an extremely competitive space, and there are plenty of vendors with their own spin on the product. Gartner lists Symantec (SYMC), a large security company with a broad portfolio of cybersecurity offerings and with ~$4 billion in annual revenues, as the Leader in the space - followed closely by the UK-based Sophos and the Japan-based Trend Micro.
Nevertheless, Carbon Black has amassed a large base of 3,700 customers, with 33% penetration into the Fortune 100. Its customer count grew 49% y/y in 2017 from 2,500 in 2016. Approximately 1,600 of these customers deploy Carbon Black in the cloud (that is, on a hosted basis). And as is the mode with software companies in today's market, Carbon Black is primarily a subscription-based company, with recurring revenues making up 88% of its revenue base.
Perhaps moreso than other software companies, Carbon Black also relies heavily on its channel partners and resellers for its growth. Third-party firms accounted for more than 300 of the company's new customers in 2017, according to the IPO document.
Carbon Black estimates its market potential for its core endpoint security products at $6.5 billion, while its opportunities in the broader cybersecurity space are much larger:
Source: Carbon Black S-1 filing
Its flagship offering is called the Cb Predictive Security Cloud, which can replace legacy antivirus software and use predictive analytics to sift through endpoint data to protect against malware and ransomware.
Financial overview
And of course, the most meaty part of Carbon Black's filings: its financials. Here's a look at the company's results for the past three years:
Figure 3. Carbon Black financials
Source: Carbon Black S-1 filing
Revenues grew 39% y/y to $162.0 million, putting Carbon Black at a decent size relative to its fellow software IPO hopefuls (though, next to cybersecurity giants like Symantec and Palo Alto Networks (PANW), Carbon Black is still just a drop in the pond). Still, ~40% revenue growth is a tremendous growth rate, especially when considering that the company has a higher mix of recurring revenues (88%, as previously discussed) than most technology companies.
Carbon Black's subscription revenues saw even more robust growth in FY17, growing 42% y/y to $149.3 million. Note also that with Carbon Black's sky-high 92% subscription gross margin, nearly ever dollar of incremental revenues - whether from new business or expansion bookings - flows through to the bottom line. Total gross margin in FY17, after factoring the small amount of contribution from services which are essentially performed at cost, was 78% - still an above-average margin.
In terms of growth opportunities - note that Carbon Black generally prices its products on a per-seat, per-endpoint basis. Pricing is customized for specific enterprises, but software review boards have noted that pricing tends to start at $30 per endpoint, per year, with some commentators noting this as fairly expensive. When you consider the fact that typical companies have tens of thousands of employees - each with one or more devices - this can add up to a fairly large annual fee for Carbon Black if its customers grow their usage.
ARR (annualized recurring revenue) in FY17 was $174.2 million, up 40% y/y. ARR is larger than Carbon Black's recognized revenues in FY17 because it gives credit to the annualized billings potential of the current installed base for the coming year. This is a huge mass of revenues that Carbon Black doesn't have to chase again in FY18.
Billings also saw huge growth 48% y/y in FY18, as shown in the chart below. As billings captures Carbon Black's revenue "backlog" in the future as well as in the present, it's arguably the more important long-term metric to watch than revenues:
Figure 4. Carbon Black billings and key metrics
Source: Carbon Black S-1
On the bottom-line front, though Carbon Black focuses on channel sales, it still spends a hefty portion (66%) of its revenues on sales and marketing. Its GAAP operating margin was -34% in FY17, a five-point improvement from -39% in FY16. Note also that the company is pushing ahead toward free cash flow breakeven:
Source: Carbon Black S-1
With an FCF margin of just -8% in FY17, Carbon Black can't be more than one fiscal year away from full-year FCF profitability, provided its margins continue to improve.
Key takeaways
With the runaway success of Zscaler's IPO last month, the pending IPO of a well-funded cybersecurity company like Carbon Black will be an exciting one to watch. The company's sales model sets it up for huge expansion as customers add users and devices, and its 48% y/y growth in billings, an acceleration over 46% growth in FY16, points to tremendous results in FY18 as well.
The key in the equation for investors, of course, is Carbon Black's eventual valuation. If the company rises to Zscaler's enormous revenue multiples, it would be better to back off than to buy in. More to come as the more of the offering details become known.
