Date: 2021-04-16

I am maintaining a positive stance on Intrusion's (NASDAQ:INTZ) business profile due to the following reasons:

1. A clear and well-defined positioning statement backed by the capabilities to drive innovation in the coming quarters. I am mostly attracted to the advanced persistent threat capabilities and Intrusion's potential to expand its network security offerings.

2. There is clear evidence that Intrusion has a valid product strategy built around its data analytics technology. There are peers with a similar business model to confirm the validity of Intrusion's product offerings and product roadmap.

3. Intrusion's improved sales and marketing team means it has the capabilities to address most of the concerns raised by bears in recent quarters. These include the pending patent for Intrusion Shield, security certifications, and the need to participate in third-party product reviews.

4. Combining its valid positioning, product strategy and the improved sales team, if Intrusion proves its critics wrong in the coming earnings season, I expect volatility to subside.

This thesis reiterates my net positive stance after considering a blend of positive and negative developments since my previous coverage. These include:

1. Positive updates about the market's adoption of Intrusion Shield. These updates align with my expectations of the business outlook, which anticipates continued sales expansion and marketing to drive product visibility.

2. My outlook also factors in the points highlighted in a recent short report. After a careful study of the report, I have updated some of the mutual concerns shared in the risk section of this analysis.

3. I am also slightly comforted by management's response to the short report. I remain slightly worried about my inability to get quick updates to some of the risk concerns shared in this article after reaching out to Intrusion's Investor Relations team. Regardless, I remain positive about getting favourable updates.

Valid Positioning Statement

In its IPO press release, Intrusion provided an overview of its positioning statement.

The positioning statement covers three important capabilities.

1. Entity identification

2. High-speed data mining

3. Advanced persistent threat detection

Investors will note that Intrusion isn’t calling itself a cloud security company. This means Intrusion isn't competing with cloud security players like Zscaler (ZS) and CrowdStrike (CRWD).

Cloud security in this context mostly applies to the protection of cloud assets and cloud processes. For example, if you set up a virtual network on AWS or spin up virtual machines and containers, Intrusion can't protect any of that. Noting these points, we know that Intrusion's total addressable market doesn't include the market for protecting cloud resources, assets, processes, networks, and apps.

Intrusion is also not claiming to be a provider of next-generation network security offerings. This is the turf of network security and SD-WAN providers like Palo Alto Networks (PANW), Check Point Software (CHKP), and Fortinet (FTNT).

It is important to highlight these points for investors assuming Intrusion has offerings to disrupt the cybersecurity space given its modest cash position and assets relative to bigger cybersecurity companies.

Let’s review the top capabilities.

Entity identification

This is a basic capability required of cybersecurity platforms. It typically covers the identification of endpoints such as servers, laptops, containers, and devices. To protect endpoints and networks, it is important to identify the resources residing within and/or beyond the network. This capability is mostly offered by endpoint/network security providers. Some call it asset discovery. In some cases, it extends to asset mapping, classification, and risk scoring.

This capability is a category-parity offering. This means we can't expect it to be a huge revenue driver. However, in some instances in which a company can map and identify its suppliers' assets, such innovation can be hugely rewarded. This is particularly important given the recent Sunburst hack. The hack is a supply-chain attack that infiltrated networks via the third-party tools of its victims. In response to the huge danger that supply-chain hacks can pose, players like Palo Alto Networks have invested in technologies that can map assets beyond a company's network and resources. Palo Alto recently paid $670m for Expanse to acquire this capability.

The reason for highlighting the table above is to help investors appreciate the importance of the asset discovery process. The table highlights some of the patents owned by Expanse, which Palo Alto recently acquired.

I have been skeptical of the monetization of asset discovery capabilities in my recent articles. This was detailed in my previous report on Qualys (QLYS).

Here is a link to the patent page on USPTO for the network asset discovery patent highlighted in the table above.

Link

Here are some interesting points from the patent page:

In some embodiments, a network asset or attribute suggester determines network assets or attributes based at least in part on a WHOIS service.

In some embodiments, a network asset or attribute suggester determines network assets or attributes based at least in part on DNS information.

In some embodiments, a network asset or attribute suggester determines network assets or attributes based on certificate information or cryptographic information.

In some embodiments, a network asset or attribute suggester determines network assets or attributes based on autonomous system number information.

These highlights show that the assets bought by Palo Alto Networks include intellectual property that relies on publicly available asset databases to map the internet. Innovating around these databases makes sense to improve an organization's data collection and security analytics process. As I alluded to earlier, it isn't about mapping assets or collecting data; it is about performing the process efficiently.

The push to squeeze water out of stone birthed data analytics technologies like SIEM (security information and event management), SOAR (security orchestration, automation and response), and XDR (extended detection and response) as the market is constantly innovating to build efficient and reliable data collection and analytics solutions.

If top players like Palo Alto Networks can rely on these publicly available databases for asset discovery, this means Intrusion's product strategy built around its TraceCop product can be validated.

High-speed data mining

This capability covers the analysis of data traversing a network. While TraceCop is the database, Savant is the network analysis solution that helps with data mining.

Whereas Savant remains positioned as a network reconnaissance and attack analysis tool for forensic analysts in the DoD and Federal Government and security aware corporations. Looking forward, Shield customers will have an option to bring all of the Savant real-time visibility, analysis, reporting, and forensic retention capabilities to their networks in addition to the enhanced network traffic protection offered by Shield. Source: Intrusion

The excerpt above highlights the difference between Shield and Savant. Savant is positioned to collect and analyze data to extract intelligence. Shield is positioned to act on the data extracted by Savant. The two shouldn't be confused.

Advanced persistent threat detection

This is the compelling part of the positioning statement.

APTs were popularized by the famous FireEye (Mandiant) report highlighting how a state-sponsored hacking team successfully infiltrated the networks of over 100 US organizations.

Due to their virulent nature, only the most sophisticated cybersecurity companies can prevent APT attacks. Preventing APT attacks requires the deployment of a lot of network resources and intelligence. This is where Intrusion TraceCop helps.

I noted in my previous coverage that positioning itself as an APT player is a good move by Intrusion. However, I was a bit disappointed by its omission in the analysis by Radicati of the top APT players. I expect the world to witness more APT attacks as more organizations migrate their resources to the web. I believe this trend bodes well for the future adoption of Intrusion Shield.

Improved Product Strategy

The recent release of Intrusion Shield improved its prospects to sell into the enterprise market and expand its market presence beyond the US market. The press release noted that Shield could:

Monitor all incoming and outgoing traffic

Alert on cybersecurity threats

Neutralize threats

Protect against supply-chain attacks (Sunburst hack)

Consider the claim that Intrusion Shield can prevent the Sunburst hack. Intrusion's plausible argument here is that since the Sunburst hack could get past firewalls and other network security rules and devices, there is a need to adopt a multi-layered approach (defense in depth) to cybersecurity. This claim is correct since Intrusion claims to inspect network traffic.

The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Source: FireEye

FireEye's explanation of the Sunburst hack confirmed my assumption that the Sunburst hack totally evaded every device and configuration designed to kill it. This further validates Intrusion's defense-in-depth argument. This means no network traffic analyzer was able to identify the illegal activity carried out by the Sunburst hack. Scenarios like this level the playing field for cybersecurity players.

The closest thing we have to a third-party assessment verifying the efficacy of Intrusion's offerings is a product innovation award by ASIS. ASIS International is regarded as the world's largest membership organization for security management professionals.

While the award doesn't suffice in the long term, it is encouraging to know that Intrusion is being recognized by cybersecurity thought leaders.

The improved product strategy is further supported by recent updates, which highlight the growing traction of Shield. These include:

The protection of over 50,000 seats (almost 8x the company’s original Q1 goal)

The hiring of a new Chief Sales Officer, Darryl Athans, to drive continued growth

The signing of over 30 channel partners, including resellers in Australia and Mexico

These updates are encouraging, though the revenue update from Shield is modest relative to recent multiple expansion. Also, it is important to wait for the upcoming earnings report to confirm Intrusion's true strength beyond the US market, given its huge exposure to a handful of US government customers.

Expanded Sales and Marketing Team

We will be leveraging the powerful Value-Added Reseller channel as well as the Managed Security Service Providers channel. Source: Intrusion

Intrusion highlighted its need to expand its leadership team after its IPO. Intrusion has since filled most of the key roles. This means Intrusion has more talent to educate the market on the importance of its products. I expect the expanded sales and marketing teams to accelerate the achievement of key initiatives, including:

Expanded IP protection for Intrusion Shield

More visibility for Intrusion's capabilities, including third-party assessments and security tests.

Valuation

Given these clarifications relative to recent bearish prints, here are my updates to the valuation profile.

Positioning: can potentially address the APT market and some network security functions. Currently unranked in assessments of top APT players.

Market Size: Expecting coverage to remain limited to the US market in the short term. Significant tests and certifications required to penetrate the enterprise market. The current TAM is significantly modest relative to an APT player like FireEye.

Growth: encouraging signs of decent adoption of Intrusion Shield using a recent update of 50,000 seats (almost 8x the company’s original Q1 goal).

Revenue prints are still modest relative to recent multiple expansion.

Liquidity: Sufficient to boost the visibility of Intrusion Shield as a niche player. Intrusion shouldn't be compared to bigger cybersecurity players like Palo Alto Networks.

Momentum: Expecting current correction to be drawn out given growing market skepticism, growing short interest, and heightened sensitivity towards an earnings miss.

Risk Concerns That Might Precipitate More Volatility

Earnings disappointment

Given the huge doubts about the adoption of Intrusion's offerings, an earnings miss will lead to more price correction. The market is already anticipating this scenario, given the recent price action. The lack of a specific revenue estimate also makes it difficult to develop a convincing growth projection.

Short interest has also been on the rise, which means the margin of error is small when Intrusion releases the current quarter's earnings result.

Security certification

A recent short report highlighted that Intrusion doesn't have any security certification. I find this to be the most compelling bear argument. I doubt this claim is true for the following reasons.

1. Intrusion has been in existence for a long period. It is almost impossible to operate without the right security certifications for such a long period while serving US government customers. Also, the latest annual report highlighted several points that Intrusion has worked with notable US organizations. Here are some interesting notes from the latest annual report:

Customers. Our end-user customers include U.S. federal government, state and local government entities, large and diversified conglomerates and manufacturing entities.

Savant uses several original patents to uniquely characterize and record all network flows. Savant is a network reconnaissance and attack analysis tool used by forensic analysts in the DoD, Federal Government and corporations with in-house threat research teams.

Sales to U.S. government customers accounted for 86.3% of our revenues for the year ended December 31, 2020, compared to 87.4% of our revenue in 2019. Source: Annual Report

2. I reached out to Intrusion to confirm the status of its security certifications. I was informed that an update would be provided to me. I am still anticipating an update from Intrusion.

Third-party tests

The lack of third-party reviews will continue to add a lot of credibility to the bear case. Until a reputable third-party platform publishes a detailed report on Intrusion's offerings, there will be doubts about Intrusion's plans to land enterprise customers.

Patents for Shield

In addition, we have received two patents, and we are in the process of applying for patents for our Shield family of solutions. We have also entered into non-disclosure agreements with our suppliers, resellers, and certain customers to limit access to and disclosure of proprietary information. Source: Annual Report

Intrusion is yet to publish any update on a successful patent application for Intrusion Shield.

Conclusion

The recent short report highlights a lot of loopholes to be filled as Intrusion scales its business. Some of these loopholes have serious consequences for Intrusion's valuation if they aren't filled on time. Most of these loopholes have been highlighted in the risk section of this analysis. Regardless, I remain positive due to Intrusion's clear product and sales strategies. If Intrusion can prove its critics wrong, we can continue to track the growth story.