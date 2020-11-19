I recently took an interest in Tufin (NYSE:TUFN). Tufin appears to be a fairly obscure name that has barely surfaced on my radar. As a result, I am approaching the opportunity with the following assumptions and expectations that will be proven right or false in the course of my analysis. Given its obscurity, I expect Tufin to have:

A unique sales or distribution strategy to lock in its market positioning. This essentially turns the positioning into a moat. A robust network of MSSPs and resellers for scalability and international sales expansion. A unique set of customers and strategic relationships mostly concentrated in key verticals. Exposure to special contracts in regulated verticals. An irrational sell-off in the past, driven by unforeseen events. Low analyst coverage impacting price discovery. Possible regulatory concerns or lawsuits. Partnerships that could lead to acquisitions. A unique pricing model.

I expect this analysis to present a decent bargain opportunity that fits my robust risk-taking strategy and long-term investment horizon. If this leads to a solid conviction, I will be initiating a position.

According to the company profile, Tufin provides:

SecureTrack, which enables security administrators to define and manage a centralized security policy, minimize the attack surface, and ensure continuous compliance across the network; SecureChange that is used to assess, provision, and verify security configuration changes across physical networks and cloud platforms, while maintaining security and compliance; and SecureApp, which is used to define, manage, and monitor network connectivity for their applications. It also offers SecureCloud, a security policy automation service that provides the real-time visibility and control needed to ensure the security and compliance of hybrid cloud environments.

These capabilities make Tufin a cybersecurity company. Its focus on managing security policies is unique. This is important to note because it makes Tufin an attractive acquisition candidate by a bigger company. SecureTrack helps in policy management and continuous compliance. This is attractive because the need to stay compliant with the latest industry regulation remains one of the key reasons why enterprises increase their security budget.

Tufin also offers SecureChange, SecureApp, and SecureCloud. SecureCloud is interesting to watch. It can be a solid growth driver down the road because more companies are increasingly leveraging managed cloud services to set up their IT infrastructure.

Tufin shared the chart above in a previous earnings presentation. The chart further expands the many facets of Tufin's capabilities. These include visibility into IT assets, cleanup, analysis and design of network topologies, security automation, and touchless automation. Tufin further explained in the presentation that it has capabilities to gain visibility into on-prem and cloud environments. That significantly confirms its broad coverage of IT assets. This is important when understanding the market opportunity.

Tufin pegged its addressable market at $10.3b. The largest segment is the physical network space. This was estimated using the average compliance and automation spend for firewalls across all business segments. This is already giving a peek into Tufin's market positioning. Since it offers capabilities focusing on all business segments, safe to say there aren't many players focused on the security policy market. From my insights database developed from covering cybersecurity stocks, I found security compliance and automation capabilities to be one of the next generation bets that will drive growth and value for cybersecurity firms. This insight bodes well for Tufin if it can double down on improving its capabilities in its niche.

Tufin pegged the public cloud security orchestration opportunity at $2.9b by assuming 5% of IT spend goes to security automation. This is fair, given the efficiency and cost savings to be derived from automating security policies and processes. In reality, I expect the monetizable opportunity to be less than 5%. As a CISO, I will prioritize cloud security solutions for access and identity management, threat prevention, and detection above policy management. Therefore, the portion of my IT security budget allocated to security orchestration will be small. I expect this to be true for most companies.

Lastly, Tufin pegged the security management market opportunity for private cloud SDN orchestration at $1.2B. SDN technologies like Cisco (CSCO) ACI help with network segmentation. This jives with Tufin's Zero-Trust strategy.

So we're seeing more and more customers deploy NSX and ACI. I think NSX is a little bit more mature than ACI. So NSX is kind of standardized data center SDN with a firewall built into it. And Cisco ACI, I think people are deploying it now more than before and figuring out how to manage it and how to use it with other firewalls. For us, we're seeing more and more business coming from NSX and ACI. - Source - Q3'20 earnings

The market opportunity looks enticing. However, for Tufin's size and unique positioning, it is surprising that Tufin's revenue size is still small. As we will explore in the financials section, Tufin needs to educate its customers and invest more in its capacity to expand its monetizable TAM.

For its sales strategy, Tufin has a different model for large and mid enterprises. For large companies, it has direct, regional, and target sales reps. For the mid-market, it has inside sales teams and territorial sales teams. These are supported by a global network of over 140 channel partners. Tufin also integrates with leading network and cloud platforms, such as Check Point (NASDAQ:CHKP), Cisco, Fortinet (NASDAQ:FTNT), Palo Alto Networks (PANW), F5 Networks (NASDAQ:FFIV), Forcepoint, Juniper Networks (JNPR), VMware (VMW), AWS, Google Cloud (NASDAQ:GOOG) (NASDAQ:GOOGL), Microsoft (NASDAQ:MSFT) Azure, and Kubernetes, to provide vendor-agnostic solutions.

Tufin's customers cut across multiple verticals. Customers include Visa (NYSE:V), Bloomberg, Verizon (VZ), Pfizer (PFE), ConocoPhillips (COP), and Target (TGT).

The chart above highlights Tufin's competitive differentiation. Its leadership and track record are attractive points. I find it tough to match the deep knowledge of a company that has focused on policy management and automation for several years. This is supported by Tufin's claim that it is the first to market with security automation capabilities. Tufin also cites vendor agnosticism, cloud agnosticism, and scalability as key competitive differentials. These are attractive points. Though, they are subject to scrutiny, and the strength of these moats is significantly challenged when we consider the fact that enterprise cybersecurity companies like Palo Alto and Fortinet are increasingly investing in security automation and orchestration offerings. Regardless, I find Tufin's partnerships with top security firms to be a good move as it will increase its potential to be acquired down the road.

Tufin's growth drivers are similar to other SaaS companies. A land and expansion opportunity, underpenetrated TAM, international expansion, and a robust cloud opportunity. The cloud opportunity is the most compelling. The land and expansion opportunity is only attractive if the initial customer acquisition cost [CAC] isn't too huge. The underpenetrated TAM in the Global 2000 space is also attractive, and I rate it as an equal opportunity as international expansion. Again, CAC is the biggest concern.

The growth metrics to watch are renewals, retention, expansion, and new logos. Revenue ($25.6m) growth was flat last quarter, as Tufin was impacted by the pandemic. Product revenue in Q3 was $10 million, up 27% sequentially and down 13% y/y. Maintenance and professional services revenue grew 11% y/y to $15.6 million. Tufin observed strong renewals and moderate growth from new logos.

In Q4, Tufin is guiding for revenue of $24m - $29m and a non-GAAP operating loss of $5.9m - $1.6m. That's flattish revenue growth at the midpoint. The sequential decrease in operating income was attributed to seasonality.

Going forward, here are the factors I'm betting on as the growth story evolves:

Compliance: highly regulated verticals will continue to force companies to spend on security best practices. This is accretive to Tufin's growth.

The need to protect cloud security workloads will drive more adoption of Tufin's offerings. Tufin stated in its last earnings that it is still early days for its SecureCloud offering.

Security automation: automating security processes and policies can drive true cost savings. This was highlighted in some of the notable wins in the last quarter. Here is a compelling example:

In fact, lowering cost was one of the drivers behind a seven-figure automation deal that we closed this quarter with a large global bank, the customer with an existing SecureTrack subscription customer. They made 1,500 network policy changes per week using a manual process, which was very time consuming and expensive in terms of labor hours. In respond to the COVID environment, the Company needed to reduce costs, so we decided to add SecureChange with the goal of reducing labor hours.

Expansion opportunity from new offerings. This will be assisted by Tufin's marketplace.

International revenue. Tufin's revenue is well diversified due to the ease of internationalization of its products.

Here are the not so favorable catalysts driving my risk premium:

Pressure from competitors: this is a real concern because I've observed many security players evolving security automation and orchestration capabilities. This has a big impact on Tufin's growth and pricing power. Customer acquisition cost: while Tufin is not GAAP-profitable because expenses are concentrated in the early years of its business lifecycle, I still find the huge Opex % of revenue to be a concern, given its small revenue growth. Margins improved last quarter due to cost optimization efforts and COVID-19-related savings. The non-GAAP gross profit margin was 84% last quarter. This means further cost optimization will mostly come from SG&A and R&D expenses. Cash flows: Tufin is not cash flow positive. It is still burning cash. Operating cash flows stands at -$22m over the trailing twelve months. Though OCF improved q/q in Q3, it is yet to be seen if this is sustainable. Tufin has cash of $84.4m and a debt of $22.7m on its balance sheet. Working capital is positive; however, Tufin has to perfectly execute its cost optimization drive to avoid running out of cash. If competitors continue to add policy management capabilities to their offerings, Tufin's customer acquisition cost will grow. This is highly probable. Lawsuit: a lawsuit was highlighted in its latest annual report relating to misstatements and omissions in its IPO filing. This isn't good for its brand premium.

Conclusion

In summary, I believe the growth story is attractive. Compared to the average high growth cybersecurity company using 2021 growth estimates, Tufin is cheap. Assuming revenue of $107m in 2021, at an enterprise value of $186m, Tufin will trade at a P/S of 1.7x. The market expects 16.5% growth in 2021, and analysts have an average price target of $11.5. This is also a function of favorable y/y comps. This fact adds a lot of conviction to my bullish expectations.

Last quarter, revenue growth rebounded sequentially from the COVID-19-induced dip. I expect this trend to improve in 2021. I am aware that the growth options are capped and concentrated due to Tufin's niche strategy. This means the growth story will pan out at a steady pace.

Overall, I rate Tufin a hold. I don't see things getting worse from here. My strategy is to buy stocks with favorable risk-reward while maintaining a long-term outlook. I like it when a company has all the time in the world to improve. I also find it attractive if the adoption of the catalyst driving a stock is still being contested or if the catalyst will be adopted by the younger generation. This creates true market mispricing that can be explored. This is true for concepts like cryptocurrencies, e-commerce, and augmented reality. For Tufin, this is not the case as I expect competitors to develop policy management and automation offerings.

