Palo Alto Networks (PANW) is acquiring a new cybersecurity company. This article explores how the acquisition fits into the big picture. I start by giving an overview of the evolving cybersecurity space. I also explore the growth opportunity and growth trend. Finally, I explain the impact of this acquisition on Palo's financials, valuation, and competitive positioning.

Background

Earlier in the year, I penned a private report on the evolving cybersecurity landscape. After drawing a framework for the report, I immediately realized that protecting cyberspace is more of an art than a science. As a result, I expect all stakeholders will continue to play big and strategic roles in ensuring cybersecurity best practices. Innovating in cybersecurity is mostly about anticipating human errors that lead to cyber-attacks while providing proactive solutions or quick responses where applicable. This makes the assignment a tough one for all parties.

And Nir got excited about the data they were collecting because it's a hard technical problem to go collect data from everything in the world and monitor 10% of the Internet traffic on a daily basis on multiple times a day. - Source: Palo Alto

Palo Alto recently proposed to acquire Expanse, a leader in attack surface management. With Expanse, Palo Alto can actively scan for insights across the globe. These insights will be merged with insights from Cortex (endpoint, network, cloud) to provide continuous monitoring of the attack surface. Cortex is a robust security operations solution provided by Palo Alto Networks.

Source: Palo Alto

The chart above shows how multiple data repositories connect to Cortex Data Lake. Going forward, Expanse will also send data to the data lake.

Expanse has three products.

Expander

Expander provides a complete and accurate inventory of an organization's internet assets throughout the world. No agents, sensors, custom configuration, or deployment are required. Readers will recall that attackers don't use agents either. With Expander, Palo Alto is attempting to beat attackers at their own game. I expect a lot of honeypots when the game starts. In a carefully orchestrated nation-state attack, honeypots and self-replicating malware can be leveraged to keep a system like Expander busy. This is my biggest concern. From a cost optimization standpoint, I wonder if it isn't best to leave that task to Chronicle, a cloud SIEM offered by Google (GOOGL) (GOOG), one of the biggest hyperscalers in the world.

Link

Link allows comprehensive visibility and management of suppliers and internet assets to proactively identify cybersecurity exposures, policy violations, or misconfigurations across a company's supply chain. The big deal about Link is that organizations can monitor the attack surface of their suppliers. This is a task that is tough to achieve.

Behavior

Behavior helps to continuously analyze suspicious traffic patterns and exposed services anywhere in the world. Behavior significantly improves Palo Alto's XDR capabilities. Readers will recall that players like Qualys (QLYS) and Microsoft (NASDAQ:MSFT) are now at parity with Palo Alto in XDR.

Expanse was founded 8 years ago by experts in data science, distributed systems, and cybersecurity. Palo Alto claimed that Expanse makes 10 trillion decisions every day. Palo Alto highlighted how tough and challenging scanning a significant portion of the internet can get without the right strategy. This highlights the enviable skills of the founders.

The difference between Expanse and vulnerability scanners like Qualys, Tenable (TENB), and Rapid7 (RPD) is that Expanse scans data not necessarily owned by the customer. With Expanse, getting more insights across the globe is a real game changer. Expanse also helps Palo Alto in the following ways:

1. Data in disconnected lakes

With Expanse, Palo Alto can consolidate more signals into Cortex. This means all the hidden cloud workloads and IT assets emitting signals in an organization will send insights into one central data lake. This will improve Palo Alto's XDR (extended detection and response) strategy and overall endpoint security offering.

2. Aligns with Cortex vision

Readers will recall that Palo Alto has stopped the back and forth with Zscaler (ZS) about the best way to perform cloud access security. It's obvious Palo Alto is laser-focused on innovating for its customers. This acquisition will draw Palo Alto a step closer to achieving its vision.

3. Cross-sell opportunity

Palo Alto has 1600 of the Global 2000 customers. This means the opportunity will sway towards large customers. That solidifies the ARR/Customer potential. This makes the cross-sell opportunity attractive. As the CISO of a Fortune 500 company, I will be highly interested in Expanse. Like I highlighted at the beginning of the article, the attack surface has become really complex. The complexity is best understood if we can picture athletes participating in perpetual Olympic games in stadia across the globe. The chaos is unimaginable.

4. XSOAR (extended security orchestration, automation, and response)

The addition of Expanse also improves Palo Alto's security automation capabilities. By centralizing more feeds into one lake, Palo Alto can reduce the number of false alerts generated by network devices. I believe XSOAR remains a competitive point of difference.

5. The acquisition of Crypsis

Earlier in the year, Palo Alto completed the acquisition of The Crypsis Group. The Crypsis Group is a leading incident response, risk management, and digital forensics consulting firm. As Expanse alerts on potential cyber threats, The Crypsis team will swing into action.

6. Prisma Cloud 2.0

Source: Palo Alto

The release of Prisma Cloud 2.0 highlights Palo Alto's data security strategy. This is a part of its effort to evolve a compelling go-to-market strategy.

Prisma Cloud 2.0 has data loss prevention, web application security, API security, and identity and access management capabilities.

Readers will find more insights by comparing the positioning statement in the 2019 annual report to the updated positioning statement in the 2020 annual report. The updated statement provides more clarity into Palo Alto's next-generation bets, and readers will find that most of these bets operate with data and insights. With the addition of the new updates to Prisma, Palo Alto significantly improves its protection of the internal attack surface.

Source: Palo Alto

The Expanse acquisition will close for $670m (cash and stock) and $130m in replacement equity awards. Expanse is expected to generate $67m in ARR in FY'21. When combined with Palo Alto, this will reach $73m. It is growing revenue at above 100%, and it is averaging ARR of $650k/customer. Expanse has about 50 customers. Expanse also has a solid presence in the government vertical.

Palo Alto has generated strong cash flow margins in recent quarters. This has been boosted by share-based compensation (a non-cash expense), which has diluted EPS. The debt-to-equity ratio doesn't provide many insights because Palo Alto is investing in new growth options. The important number to focus on is the incremental ARR growth opportunity and how the acquisition solidifies Palo Alto's competitive moat.

I believe Expanse is a game changer. Beyond endpoint security, Expanse can also help develop solutions in IT Ops. Use cases include M&A network redesign, attack surface reduction, asset inventory, supply chain management, and cloud governance.

Expanse is solid innovation, and I am surprised the market barely reacted to the news of the acquisition. It currently protects customers like Allergan, PayPal (NASDAQ:PYPL), Accenture (ACN), and Lockheed Martin (LMT). These are exactly the kind of customers I expect Expanse to court. I was excited when I read one of the case studies provided by Expanse. It correlated strongly with my thoughts about protecting the security space. Tenable is the only company that I recently came across with an agentless scanner. In Tenable's case, it will leverage commands from AWS. I believe this is entirely different.

Finally, I don't see this acquisition as a threat to CrowdStrike (OTC:CRWD). CrowdStrike is so good at what it does; it is hard to yank it out of your architecture because you found something exciting. I believe this acquisition is mostly going to be geared towards cross-selling existing customers. In terms of synergies and returns, my concern is in the cost of running a system that can scan 10% of the internet. That's a lot of cloud resource consumption. I am not worried about efficacy or the percent of the internet that can be covered. During the call, analysts asked questions about covering the dark web. The dark web is a big movie theater where cybercriminals watch the internet. I don't think Palo Alto should be watching the dark web. I think the important surface area is the suppliers' side and everything that leads to the corporate network. If adversaries run honeypots, and they flag Palo Alto, it goes both ways. Palo Alto also flags its security analysts (Crypsis), which is exactly why this acquisition was made in the first place.

I think Palo Alto can easily achieve sustainable high double-digit ARR growth from Expanse on a combination of mostly cross-sell and expansion from Cortex to joint customers. I also believe Palo Alto can easily achieve double-digit margins, given that it has most of the endpoint security assets it needs.

With the current growth rate of Expanse coupled with the cross-sell potential, I believe Palo Alto is on to something big.

