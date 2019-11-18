While not profitable yet, at current speed, it can continue for well over a decade before running out of cash. Leverage will kick in much sooner than that.

We think that the 3.6x 2020 EV/S multiple is too low for a market leader with these characteristics. The company has multiple large greenfield opportunities in front of it.

While not a pure SaaS play, the company nevertheless sprouts a SaaS-like business model with recurring maintenance sales, 80%+ gross margins, 30%+ revenue growth, and large up-sell revenues.

At the end of September, we took a position in Tufin Software (TUFN) for the SHU portfolio as the shares sold off quite massively:

We couldn't really come up with a convincing reason for the share crash in July and August; both the Q1 (in June) and Q2 figures (early September) seemed fine to us and both produced small beats on revenue and earnings.

In fact, as we will argue below, the company is a market leader with 30%+ revenue growth and 80% gross margins and the shares are really very reasonably priced (see below).

The objection investors could have is that the company still produces a loss and loses cash, but the obvious answer is that it can afford to, sitting on a massive amount of cash from the IPO in April this year.

With the amount of cash on the books, it can keep going for years and years, as the cash bleed is actually not large, and with 30%+ revenue growth, one can expect operational leverage to kick in well before they run out of cash, and even if not, they could take their foot off the accelerator by stopping ever increasing spending on S&M and R&D (or even reverse some of these).

That is, the company could become profitable and cash generating if and when management wishes, but there is really no need for that anytime soon, given its large cash holding and relatively small cash bleed.

What is more important to us as an investment thesis is that the company really is a market leader in network security policy and security automation. To get a general idea, here is Wikipedia:

A network security policy (NSP) is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The document itself is usually several pages long and written by a committee. A security policy goes far beyond the simple idea of "keep the bad guys out". It's a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments and more. It specifies these rules for individuals or groups of individuals throughout the company.

But the problem most organizations are facing is that networks are increasingly complex and fragmented, and as a result, managing this is becoming ever more unwieldy. What's more, it requires continuous change, which can have ramifications elsewhere in the network. What's needed is a unified approach.

This is exactly what Tufin offers (Q3CC):

We give customers the ability to increase agility without sacrificing security. Our products govern how users, systems and applications are permitted to communicate and provide policy based security automation enabling customers to reduce the time that is required to implement complex network changes from days to minutes with dramatically better security and accuracy.

And from the company website:

The award-winning Tufin Orchestration Suite is a policy-centric solution for automatically analyzing risk, designing, provisioning and auditing network security changes. Tufin reduces the attack surface and minimizes disruptions to critical applications. Its network security automation enables enterprises to implement security changes in minutes instead of days with continuous compliance and increased agility. Tufin Orchestration Suite provides multi-vendor device support for leading enterprise networks, including finance, telecom, energy and utilities, healthcare, retail, education, government, manufacturing, transportation and auditing. Tufin's Technology Alliance involves close partnership with industry leaders to provide seamless integration of the award-winning Tufin Orchestration Suite with their solutions.

The three main products of the Orchestration Suite are:

SecureApp (manage network connectivity and security policy from an application perspective)

SecureTrack (firewall management)

SecureChange (network security change automation)

And here is the whole suite, with two new products, Iris and Orca, that are cloud specific (from the September IR presentation):

Growth

There are a number of growth drivers:

Increasing network complexity

Public sector

Cloud (Orca and Iris)

International

Up-selling

Much of the market is still a greenfield opportunity.

There is competition, but Tufin excels particularly on automation (Q3CC):

And the competitive landscape has not really changed significantly right. We have our usual suspects. We have AlgoSec, pharma and Skybox and competitive deals. And most customers actually don't have an automated solution yet. So from an automation perspective which is where the growth really is, it's significantly a Greenfield opportunity and in those we win because we have superior automation capabilities. It's the depth and the breadth of automation including the scalability and the change accuracy.

The proliferation of apps, networks, firewalls (big corporations have hundreds of them), public and private clouds, virtualization solutions, access rules, data protection protocols etc. is all working in Tufin's advantage, and there are new issues constantly arriving on the scene, like software defined networks, virtual firewalls and SD-WAN initiatives, increasing the fragmentation and complexity.

The company not only constantly improves and updates its existing products (for instance by integration with the latest Cisco (NASDAQ:CSCO) ACI or VMware (NYSE:VMW) NSX network products), but also comes up with new products like Orca and Iris, both are products for the cloud.

The latter products are being rolled out generally in Q1 next year (there are a few beta customers already using them), and rather than perpetual licenses, it sells on a SaaS subscription model.

The public sector is another big greenfield opportunity for the company (Q3CC):

Tufin Orchestration Suite has recently been added to the GSA schedule 70 which will enable us to sell to the entire US federal government, as well as state and local governments... The government sector is huge, right, yet complex fragment and networks, $100 billion annual IT budgets. So it's a huge market opportunity for us that is largely untapped both in the US. So everything I mentioned up to now is US federal market. We're seeing pickup in governments everywhere. I think in many ways if you look even at politics things are becoming more polarized and from our perspective as people become more and more defensive, they need more and more security locally within their local government.

The company also partnered with reseller Network Runners whose engineers are certified with security clearances for the US federal government.

While the company's product revenues largely consist of perpetual licenses, not SaaS subscriptions, which potentially make the business model less attractive, they do generate recurring revenues:

Recurring maintenance contracts which are recurring comprise 55% of the company's revenues and generate 70.7% gross margin (in Q3) and enjoy renewal rates well into the 90s. That is, the characteristics of these recurring maintenance contracts are really SaaS like.

Its cloud products Iris and Orca will sell on a SaaS basis and are expected to take off next year.

Despite the perpetual product licenses, the company nevertheless gains a significant part of revenue from its existing customers.

On the latter (from the IPO prospectus):

The chart below shows the initial and incremental sales of perpetual and term licenses, excluding maintenance renewals, by cohort. Each colored segment represents a new customer cohort in their initial year of purchase. The pattern of a large spend in the initial year followed by consistent and incremental buying in subsequent years reflects our ability to expand the deployment of our solutions as our existing customers purchase additional products or cover additional parts of their networks.

International sales are another greenfield opportunity as for instance just 3% of revenue in Q3 came from APAC countries and 38% of revenues came from EMEA countries.

Q3 results

From the company PR:

The difference between product and maintenance and professional services is explained in the IPO prospectus:

Product Revenues. We generate product revenues from sales of our software licenses and third-party hardware to new customers and sales of additional licenses and third-party hardware to existing customers. We generate the vast majority of our revenues through sales of software with less than 5% of our revenues generated through sales of third-party hardware in 2017. We primarily sell our software through perpetual license agreements and, to a lesser extent, term-based license agreements. Beginning on January 1, 2017, we adopted ASC 606. As a result, we recognize revenues from software sold through term-based license agreements upfront, upon delivery... Maintenance and Professional Services Revenues. We generate maintenance and professional services revenues by selling maintenance contracts and, to a lesser extent, by providing professional services to our customers. Maintenance includes software updates and technical support. Our contracts with customers for software licenses include maintenance for a specified term. We recognize revenues associated with maintenance on a straight-line basis over the specified maintenance period. Professional services consist of deployment services for our products, and customization of our solutions and their integration in the customer's environment. We typically bill for professional services and training services on a fixed fee basis and recognize revenues as we perform the services.

Basically, Q3 results came in line with expectations with revenues rising 32.4% y/y.

Guidance

From the earnings PR:

Fourth Quarter 2019: Total revenue between $34 million and $38 million.

Non-GAAP operating profit between $0.0 million and $3.0 million. Full Year 2019: Total revenue between $107 million and $111 million.

Non-GAAP operating loss between $10.3 million and $13.3 million.

Margins

Data by YCharts

The graph above does not yet reflect Q3 results. Gross margin increased sequentially to 81% (but declined 2 points y/y) and non-GAAP gross margin was 82% (down from 84% a year ago). Gross margin is a little lower this year due to the increased part of professional services.

Operating expenses are still growing faster than revenues with non-GAAP operating expenses at $26.1M, up from $18M a year ago (+45%). This might seem a little worrying for investors, but the cash bleed is actually really modest compared to the cash holdings.

The growth in operating cost is in R&D rose from 26% of revenue last year to 31% of revenue in Q3, and the company will still do a little more hiring in Q3 to be able to be where it wants to be. This suggests that after Q4, leverage can set in here.

S&M decreased to 59% of revenue (from 60% last year). There was some increase in G&A (which rose from 7% of revenue last year to 12% in Q3) but this is mostly one-off, related to the IPO preparations.

Cash

While the net loss in the first nine months of the year was $20.9M, the company used just $3M in cash in operations and another $2.3M in CapEx. The difference comes from share-based compensation ($6.3M) and deferred revenue ($6.1M).

The company loses well under $10M a year in cash while it is still sitting on $122.7M, most of it from the IPO and no debt.

In this mode, it can keep at it for well over a decade before there is a threat of running out of cash. There really can be no worries here as leverage will start kicking in well before that.

Valuation

Based on the following metrics:

2019 revenue: $109M (midpoint guidance)

Market cap: $630M (36.6M outstanding shares)

Net cash: $122M

The company's 2019 EV/S is 4.7x, and if one adds 30% revenue growth for 2020, this falls back to 3.6x. We keep saying that this seems low to us.

Conclusion

We have a market leader producing 80% gross margins and 30%+ revenue growth selling for 3.6x next year's EV/S, which seems low to us. Yes, the company isn't profitable and it's losing some cash, but at this speed, it can keep doing that for well over a decade and surely operational leverage will start kicking in well before that.

The company faces huge greenfield opportunities and has just added two more with the public sector and its cloud solutions, so we see 30% revenue growth for the foreseeable future, as the ongoing digitalization of organizations and increasing complexity of networks only increase the need for the type of solutions the company is providing.

The valuation discount might be the result of the company not being a pure SaaS play, but maintenance revenues are recurring and generate "SaaS-like" 70%+ margins while it moves to a SaaS model with its newest products, and last year half of its product sales came from existing customers, so we think it is as good as a SaaS business model.

Disclosure: I am/we are long TUFN. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.