A Brief Introduction

This is a slightly longer note than we usually produce and for that we both apologize and hope you find it useful. We're all busy and we all like to cut to the chase. But we ourselves went through something of an education process with SailPoint (NYSE:SAIL) and we wanted to share that with you. The education came courtesy of one of our own subscribers, an IT professional familiar with the products in this category and with a deep understanding of why he thinks SAIL can prosper going forward. Now, as everyone knows, a hot product is interesting as regards a stock's prospects but it is far from the whole story. Being numbers bores, what caught our attention was the combination of (1) hot product, (2) unremarkable recognized revenue growth, (3) unchallenging valuation multiple, (4) what appears to be a strong swell of growth happening below the waterline and (5) a stock chart that appears to indicate that a break to the upside is possible. So in short, what we think we have here is a relatively underappreciated stock that can start to move up meaningfully. We're pretty excited about it in fact. And we don't get excited about much.

Let's turn first to product, for this part of the story matters.

What Is Identity Governance?

The market for access management has been small and untested for many years - mainly due to the lack of need. The solution has been simple and cheap historically. Things started to change as the cloud delivery model became increasingly mainstream. Okta, Inc (OKTA), a key player in this market, has taken off since its IPO which surprised many - ourselves included! - who had been longtime software investors and saw no particular urgency for new solutions in this field. Indeed in the market at large, and in enterprise IT teams, there has been a belief that tools and systems around this industry are a luxury rather than a necessity. That appears to be no longer the case - as access methods proliferate and the enterprise IT stack itself fragments, these tools are becoming essential.

Active Directory Isn't The Whole Answer

In recent years the dominant form of access management tool has been Active Directory ("AD"), a Microsoft (MSFT) system. Any access requirements not compatible with AD are typically handled separately; examples of these would be physical access to an executive floor or, potentially, network firewall policies.

Active Directory is offered as a feature within the Windows Server operating system - organizations use it to control most access rights within their organization such as PC settings, deployment of scripts, creation/removal of system objects, and to create containers to segregate access between groups of objects. These "objects" can be anything such as an HR department (users) or Dallas Branch Printers (devices). The benefit of using AD is that a change (policy) only needs to be applied once and it affects everything in the container or scope. This setup worked well in the traditional architecture of the pre-"Zero Trust" era. In the days when users would for the most part badge themselves to their desks and offices you knew with relative confidence that the person logging in to the device was who they said they were. In the new Zero Trust model where that same user could be logging in from an unsecured cafe Wi-Fi network 1,000 miles away, that philosophy doesn’t work. In addition, the underlying protocols upon which AD relies have some security issues when it comes to functioning over the public internet.

SailPoint And The “Zero Trust” Framework

Before we turn to SAIL particularly, let's go through a few use case scenarios - as you will see the complexity involved is significant.

Scenario 1: John Smith was just hired as an HR administrator. On his first day of work he needs to be able to physically access the 3rd floor at the Dallas branch and also various random offices & meeting rooms he will be visiting. He also will need to access branches at headquarters a few times a month. On his computer John needs to be able to use the dedicated folders his department uses to store applicant information. There are also a variety of email boxes his department uses, and a few fileshare drives dedicated to HR. John also will need to use several private chat channels from Slack (NYSE:WORK) to collaborate with both his coworkers and several third parties his organization uses. This access setup is considered onboarding.

Scenario 2: Two years later John decides that he would like to transfer to a more technical role and moves to the IT department based in Florida. He now requires administrator access to his laptop and to be able to also administrate the PCs that are at the Florida branches (but only the Florida branches). The IT department has its own third party vendors he will need to collaborate with. His account also needs new computer programs and tools, and the IT department also has its own mailboxes and fileshare drives. His access has completely changed. This type of workflow is known as transferring and is often where the most mistakes are made.

Scenario 3: 12 months later John is curious after not getting a raise and gets caught looking up salaries from his previous role. He is promptly terminated. Now the IT department needs to disable his email, the physical security department needs to remove his badge access, the phone dept needs to remove his office phone and voicemail account. This type of workflow is known as offboarding.

As you picture these example scenarios (which in fact are overly simplistic and only include a fraction of an average user's access rights) it’s safe to conclude that there is a lot of cost to be saved by automating access control workflow. The problem is that each type of system uses its own containers (or groups) to distinguish and manage access. Each department also likely differs in authentication protocol, since some are more modern and managed in the cloud, others use on-premises AD, and some don’t use any - and that's all within the same corporation! The complexity can be endless and things can get out of hand quickly trying to keep up. It requires a tremendous amount of manual work across the enterprise just to maintain. Tracking and consolidated reporting is not possible under any sensible level of resource allocation.

SailPoint assists with this problem in many different ways. Here are three of the larger use cases from what we understand of the platform.

The first use is that SailPoint will combine all these different systems' containers into a single container often called a package. Depending on the complexity of the organization's environment it is common for these packages to be arranged into various groups themselves referred to as catalogs. SailPoint also stores each access request across the various systems individually (such as access to the loading dock back door) to assist with exceptions not included in a base package.
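To make the package idea concrete against the three John Smith scenarios, here is an added example (not SailPoint's code or API): it plans the grants and revocations for an onboarding, a transfer or an offboarding from a package catalog. The package names, entitlement names and the `plan_transition` helper are all hypothetical.

```python
# Constructed catalog: package -> entitlements spread over separate systems.
# Every name here is hypothetical, modelled on the scenarios above.
PACKAGES = {
    "hr-admin-dallas": {
        ("badge", "dallas-floor-3"),
        ("fileshare", "hr-applicants"),
        ("mail", "hr-shared-mailbox"),
        ("slack", "hr-private-channels"),
    },
    "it-admin-florida": {
        ("badge", "florida-branches"),
        ("ad", "florida-pc-admins"),
        ("mail", "it-shared-mailbox"),
        ("slack", "it-vendor-channels"),
    },
}


def plan_transition(held, old_role, new_role, exceptions=frozenset()):
    """Return (grant, revoke, unexplained) for a joiner, mover or leaver.

    held        entitlements the user has right now, across all systems
    old_role    package being left (None when onboarding)
    new_role    package being joined (None when offboarding)
    exceptions  individually approved requests that stay valid after the change
    """
    held = set(held)
    old = set(PACKAGES[old_role]) if old_role else set()
    target = set()
    if new_role:
        # A leaver keeps nothing, so exceptions only count when there is a new role.
        target = set(PACKAGES[new_role]) | set(exceptions)
    grant = target - held
    revoke = held - target
    # Held access that neither the old package nor an approved exception
    # accounts for: it is still revoked, and reported for review.
    unexplained = revoke - old - set(exceptions)
    return grant, revoke, unexplained
```

On a transfer the revoke set matters as much as the grant set: anything left over from the old package is access the new role does not need.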

A second use is with reporting and compliance. SAIL tracks and reports the access of every user or device and can integrate into various security products to assist with insider attacks or compliance reporting. The vast majority of “hacks” are from current or former employees.

A third use is that it will create flows for access approval. An organization's IAM department designs and enforces access but it's up to each resource owner to either approve or deny the access request. These flows can get very complex. A simple one would be to have a manager approve and then the resource owner to also approve. Once both approvals are complete the access is granted automatically (in most cases). A more complex setup can include 'signals'. An example of this would be that access to resource A can only be granted if access to resource B and C has not already been granted. A 'signal' can be almost anything such as the requestor's device type, his/her location, his/her track record of phishing tests, etc. As you can see this can get very complex but can also be extremely powerful to prevent breaches if designed correctly. There is also the concept of JIT (just in time access) where the access is only granted on a one-time basis and only then if the requestor is eligible.
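The approval flow just described can be sketched as a small policy evaluator. This is an added example, not SailPoint's code or API: the policy layout, signal names, thresholds and the `evaluate` function are hypothetical, and it assumes that holding either resource B or resource C blocks resource A.

```python
from dataclasses import dataclass, field

# Constructed policy; resource names, signal keys and limits are hypothetical.
POLICY = {
    "resource-A": {
        "owner": "alice",
        "conflicts_with": {"resource-B", "resource-C"},  # assumed: either one blocks A
        "allowed_devices": {"managed-laptop"},
        "max_failed_phishing_tests": 1,
        "jit_only": True,  # just-in-time: a one-time grant
    },
}


@dataclass
class Request:
    requestor: str
    manager: str
    resource: str
    held: set       # resources the requestor already has
    signals: dict   # e.g. device type, phishing-test record
    approvals: set = field(default_factory=set)


def evaluate(req, policy=POLICY):
    """Return (decision, reasons): 'deny', 'pending', 'grant' or 'grant-once'."""
    rule = policy.get(req.resource)
    if rule is None:
        return "deny", ["no policy for resource"]  # default deny
    reasons = []
    conflict = rule["conflicts_with"] & req.held
    if conflict:
        reasons.append("conflicting access held: " + ", ".join(sorted(conflict)))
    if req.signals.get("device") not in rule["allowed_devices"]:
        reasons.append("device not allowed")
    # A missing signal counts as failing the check (fail closed).
    failed = req.signals.get("failed_phishing_tests", float("inf"))
    if failed > rule["max_failed_phishing_tests"]:
        reasons.append("phishing test record")
    if reasons:
        return "deny", reasons  # signals are checked before approvers are asked
    needed = {req.manager, rule["owner"]}
    if req.requestor in needed:
        return "deny", ["requestor cannot approve own request"]
    missing = needed - req.approvals
    if missing:
        return "pending", ["awaiting: " + ", ".join(sorted(missing))]
    return ("grant-once" if rule["jit_only"] else "grant"), []
```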

The fourth feature of SailPoint is that it creates a user friendly GUI that allows the requestor (the end user) to use access like an online shopping cart. This feature takes much of the burden off the IT dept and limits confusion due to the coordination that has already been automated.

Now, the bearish real-world argument against using SailPoint and products similar to theirs is the amount of manual work involved in the design and implementation - and this is correct insofar as the most difficult part of IAM is the initial design piece. It will take a significant amount of time and coordination with all parts of the business. Without a design or proper understanding of the organization's systems and how they interact, governance tools are useless. Similar to the big data and application performance monitoring markets, much of the success relies on the work put in on the design. Like many large-scale enterprise software products, this leads to a lot of professional services work, by the vendor themselves in addition to their consulting partner providers.

There is, of course, product competition. Chiefly, Okta and Microsoft have elements of SAIL's solution and each has announced an intention to keep building out its offerings. For now though, we believe SAIL has a lead which it can keep.

Financials

Let's take a look at SAIL financials. To get excited you have to look a little below the waterline.

Firstly, here are the numbers as reported, up to and including Q4 2020. (The company reports its Q1 on May 10 after the close.)

Meh

These numbers are fine but not all that exciting in our view. We would, in short, describe them thus: meh.

Accounting profit and cashflow margins are increasing, and that's always good to see; cash balances are following suit, nice; and you can point to increases in the TTM revenue growth rate in the last four quarters, so the flywheel looks to be speeding up. But now look at the quarterly revenue vs. the same quarter in the prior year. Q3 and Q4 2020 weren't pretty - material reductions in the growth rate each time. In software we really want to invest in those names showing accelerating growth. The TTM indicator is a lagging, slow-burn indicator, whereas the quarterly number is as close to real time as you can get as an outsider. And since there are so many hot growth names around, putting capital to work solely due to increasing margins isn't so compelling a pitch.

The next place we look in company numbers is deferred revenue - that's the prepaid but yet to be recognized revenue that a company has on its books. You'll find deferred revenue as a balance sheet liability item. Liability because it represents the amount of value the company 'owes' to its customers by way of product or service yet to be delivered, and because it matches the cash asset that the customer has already paid the company for the privilege. At SAIL we see declining growth in deferred revenue. So that's not so exciting either.

Still Meh

We said above that just because a company has a great product, even one that is very much in vogue at the moment, is no kind of investment case. To put money to work, we want to see great numbers at the company and/or great sentiment about the stock.

Let's go deeper into the numbers. Let's look at 'Remaining Performance Obligation' (RPO). This is a measure which you won't find in companies' earnings releases for the most part. (ServiceNow (NOW) did just include it in theirs, that said, so perhaps this will change). Usually you have to wait for the 10-Q or 10-K to be published a little later than the earnings report. So you can't always make short term trades on earnings day based on this indicator; but it's worth waiting for because it can change your perspective on a stock.

RPO is the total book of contracted revenue that a company has signed up, but has yet to be recognized. The element of RPO which has been prepaid by customers will show up in that deferred revenue number above. But usually - especially in software or services companies - RPO is a much larger number than deferred revenue, and we think it's a more meaningful measure as a result. Here's what SAIL's RPO balance has been in the last couple years.

Not Meh

Now this is exciting. Well, we find it exciting. But even before this whole pandemic thingummy, we didn't get out much. So it might not excite you. But - look at the acceleration! 33%-34%-44%-50%-51% vs prior year quarter in the last 5 quarters! That's not meh. That's great.

Bringing It All Back Home

So let's see if we can piece together what is happening here. From the product story we can say that customers are likely getting more needy of the solution SAIL offers. More complex network environment, more complex working environment, more difficult access control requirements, too hard to do manually, MSFT Active Directory lacks sufficient security, have to look for a specialist. Those specialists are OKTA and SAIL. OK. So, duly worried, customer traipses over to SAIL offices, places order. RPO up. The deferred revenue performance tells us that customers don't prepay as much as they used to, presumably a policy decision by SAIL to just get business in the door and don't sweat as much about prepaid revenue now that they are cash generative. Recognized revenue growth is yet to accelerate in reaction to RPO growth because, as we know from the product story, this stuff takes a long time to design and implement, so the sales cycle is long, the implementation time longer, and the time to revenue is long as a result.

So our working thesis here is: that below-the-waterline growth in RPO is going to bubble up into actual recognized growth, an acceleration in fact. This is merely a thesis right now, not a fact. But if the thesis is right, we will see recognized revenue growth start to accelerate in the coming quarters, dragging up TTM recognized revenue growth further, and with it we should see continued progress in profit and cash generation (because the revenue sat waiting in RPO has already been sold - it doesn't require new sales costs to achieve). And taking all that into account, our best judgment is that this is a Stock Which Could Go Up.

A Little Coloring-In To Start The Week

The fundamentals of SAIL, particularly that RPO analysis, suggest to us that long term this is a going-up stock. We aren't fool enough to believe that fundamentals drive stocks. But we do think that revenue growth coming out of nowhere can surprise the market and that can drive up sentiment and that can drive up stocks. And so long term we think there's a good chance of this at SAIL. Which is why we own the name in staff personal accounts.

But as much as we love numbers, we love charts more.

If you run a basic Fibonacci 'retracement' analysis on SAIL - if the method is unfamiliar to you, worry not, it sounds grander than it is - (1) Trading View does it all for you these days and therefore (2) it's just a little voodoo that you too can do - you can see that if you look at the runup from the March 2020 lows to the February 2021 peak, the stock did respect a number of those magical Fib levels as support and resistance, and so, market memory being what it is, it's possible that it does so again.

So if you are interested in SAIL and want to time your trades, you might consider that the stock looks like it could find support at $44, then $38, then $32 should the market and/or the stock itself continue to weaken. Equally, $52 and $64 might offer resistance for a time.

In Conclusion

We can't tell you what to do here. Only you know your own mind and your own brokerage account. But we're always happy to share what we're doing. In staff accounts we own SAIL with a long-term, multi-year outlook in mind and whilst that RPO balance is moving up like it is, and absent any kind of market meltdown, we plan to add at support levels should they be plumbed. If the story changes, our approach will change, for this is a stock relationship not a real relationship. We can love the stock all we like, but it still won't know who we are, so we don't plan to get all crazy-obsessive on the idea if it doesn't return our calls. We also like to trim holdings every now and then. Buy-and-hold-forever is a great story if you are an asset manager and want people to give-you-their-money-forever, but since stocks do in fact sometimes go down, we like to take a little profit when we can. And in SAIL's case we're looking to those resistance levels as opportunities to do so.

Apologies once again for the lengthy tome here. We're excited about the stock and wanted to share it with you. Any questions, hit us up in comments to this article. We'll always respond.

Cestrian Capital Research, Inc - 3 May 2021