Apart from the recent market turmoil, Palo Alto Networks (NASDAQ:PANW) is very mispriced due to a lack of investor understanding. We aim to lay out the cybersecurity industry dynamics that will make it one of the most lucrative industries in years to come, highlight the security areas investors should focus on, and explain why Palo Alto Networks is well positioned to prosper along the way.
Key Financial Trends
On the whole there are very few bearish points, though we’ll point out a couple:
A further note on gross margin: Assessing the direction of PANW’s gross margin once inflation and supply chain pressures subside is rather complicated. Usually, the scale economies from the cloud would drive gross margin higher but in PANW’s case there are many existing customers switching from and expanding from the higher gross margin product-based solutions to the lower gross margin SaaS-based solutions. Product revenue is still 25% of total revenue, so this transition may continue to have a negative impact on gross margin even after cost pressures ease up. Furthermore, PANW is beginning a new refresh cycle that promises more product-based market share gains but such cycles put pressure on gross margins. Though, the positive is that a significant portion of G2000 customers are only using 1 out 3 available security platforms (Network, Cloud, or SOC), so there is substantial high-quality land-and-expand revenue up for grabs which should have positive effects on gross margin and other cost items over the intermediate term.
A word on the terminal profitability: At present, Arora’s decision to keep aggressively capitalizing on the market opportunities, appear to be the right moves. In the next few years, the cybersecurity industry that is worth tens of billions of dollars, is anticipated to grow 10%-20% per annum, which offers high and durable growth for leading players. A predominant focus on increasing margins would have surely resulted in significantly less market capture over the past several quarters, and this will likely be the same going forward.
In the long-term, we think investors should consider CHKP’s profitability profile as a way to model PANW’s terminal profit margins. This comparison is useful because this is legacy vendor, despite the growth opportunities in the past 10 years, has decided to prematurely and predominantly focus on profitability at the expense of losing considerable market share, so a current CHKP margin profile could be applied to a future PANW. On a TTM basis, CHKP’s FCF margin is 55%, operating margin is 42%, and net margin is 38%, which gives investors a glimpse at how profitable PANW can be eventually, though management is going to aim for this until the growth outlook matures – so patience is key.
Based on the growth outlook and terminal FCF margin we think PANW’s intrinsic value per share should be $900+, or market cap double what it is now.
By conducting a sum-of-parts relative valuation exercise PANW looks very attractive. The quick back-of-the-envelope way to do this is to simply add up the market caps of Check Point Software (CHKP), Zscaler (ZS), and CrowdStrike (CRWD) and compare the total to PANW’s market cap. The reason we’ve selected these 3 companies is because if you were to merges these businesses then the combined entity would have a very similar profile to PANW.
If one can say that CHKP, ZS, and CRWD are at least fairly valued right now, then the upside for PANW looks to be c. 1.4x, or 40%.
Figure 1 - Back-of-the-Envelope Relative Valuation
If you want to check whether the revenue and FCF aggregate of CHKP, ZS, and CRWD is close enough to PANW’s in order for the above market cap comparison to be meaningful, then firstly take a look at the following table. As indicated by the circled figures, PANW’s TTM revenue is actually more (this will get closer again when CRWD and ZS release quarterly earnings in a few days) than the total revenue of CHKP/ZS/CRWD, but PANW’s growth-adjusted P/S [similar to the PEG factor but for revenue instead of earnings] is much lower than the revenue-weighted average of CHKP/ZS/CRWD.
Figure 2 - PANW Sum-of-Parts Relative Valuation (1)
Of course, investors shouldn’t assess relative attractiveness based on revenue multiples alone, because cash flow and profitability need to be factored in. As ultimately, FCF [free cash flow] is the main driver of DCF valuations, we will compare the FCF between CHKP/ZS/CRWD and PANW and the associated multiples.
As the table below shows, PANW’s FCF is in the same ballpark as the total FCF of CHKP/ZS/CRWD, yet PANW’s growth-adjusted P/FCF is much lower than the FCF-weighted average of CHKP/ZS/CRWD.
Figure 3 - PANW Sum-of-Parts Relative Valuation (2)
So, the relative mispricing is apparent by comparing PANW’s revenue and FCF to the total for CHKP, ZS, and CRWD and then comparing the growth-adjusted multiples. And in essence, this validates the back-of-the-envelope exercise of simply comparing PANW’s market cap to the total of CHKP/ZS/CRWD.
We think this sum-of-parts relative valuation is an eye-opener to PANW’s attractiveness, especially if you think CHKP/ZS/CRWD should be at least fairly valued right now given the recent selloff.
But why is PANW (and Fortinet (FTNT)) trading at such a discount? Well, we think possible reasons are:
A notable source of alpha is that most investors believe vendors serving on-prem security [i.e., firewalls] have no growth prospects. The reality is that enterprises need to adopt hybrid infrastructures to deliver solid security and excellent user experience. So, the likes of PANW and Fortinet – as is already showing in their product growth since 2020 – will continue to benefit from hybrid use cases.
In the next sections, we’re going to outline the cybersecurity landscape, the catalysts driving 10%-20% growth in this market already worth tens of billions of dollars, and also discuss PANW’s appeal in each area of security to help all types of corporations effectively fight cybercrime. The final section will briefly cover some of PANW’s financial metrics and the DCF valuation.
Before the pandemic, enterprises’ security postures were already weakening due to the rising popularity of workplace SaaS apps, BYOD policies, and more infrastructure shifting to the hyperscalers. Then, the pandemic arrived and forced enterprises to adopt distributed workforces and enhance online consumer experiences to compensate for the removal of in-person interaction. This necessitated enterprises to accelerate their cloud transformations in order to maintain data security and workforce productivity, and also to deliver better digital experiences for consumers.
Though, this has resulted in an abundance of IT sprawl – enterprises now have infrastructure on-prem, across multiple clouds, and even in the edge as IoT devices have become connected online. And this sprawl greatly expands the attack surface, presenting bad actors with plenty more entry points in which to target. The increase in ransomware attacks is testament to the expansion of enterprises’ digital fabric.
Figure 4 - Ransomware Attacks Have Spiked and Remain Elevated Since the Pandemic
Further exacerbating this situation, is the rampant activity of software developers as they are pushed to build increasingly sophisticated apps to outdo the competition amidst the pandemic-induced rise in digital expectations. Developers are creating in the cloud at a prolific rate but security is an afterthought, thus offering bad actors a plethora of opportunities to wreak havoc.
Then, on top of this, enterprises are increasingly becoming targets of state- or criminal group-sponsored attacks – something that has and will continue to be more frequent since the Russia-Ukraine War. Trends in automation and Cybercrime-as-a-Service, along with Russia’s retaliations, will contribute to the most advanced attacks - that were once confined to only a few unlucky large enterprises and institutions - cascading down and reaching out to a much wider section of the corporate world.
And apologies beforehand for adding even more misery, but all this challenging landscape is in the backdrop of a huge cybersecurity talent shortage - currently, there are c. 3.5 million unfilled jobs worldwide. The causes of this shortage are 1) the IT sprawl brought on by digitalization, 2) the rise in cybercrime sophistication, and 3) deep-seated structural factors within the educational system. This mismatch in labour demand and supply is generating substantial need for security vendors that provide a large degree of AI-based autonomy and automation in their software.
Before we discuss PANW’s prospects, we’ll add one more factor of misery to this bleak security landscape – the industry’s own technical debt. In the 1990s, the industry began with stateless firewalls and signature-based AV, then stateful firewalls, then NGFW [Next-Gen Firewalls], then WAF [Web Application Firewalls], then SWG [Secure Web Gateway], then vulnerabilities management, then SIEM [Security, Incident, & Event Management], then EPP [Endpoint Protection Platforms], then EDR [Endpoint Detection & Response], and then XDR that aims to blend EPP and EDR together. These things have been developed independently of each other leading to unmanageable numbers of point solutions. The end result for the high majority of companies is an overarching cybersecurity architecture that is incredibly messy without a dominant platform or architecture. Ironically, over the decades as the industry has done its best to stop cybercrime, it has simultaneously made the threat landscape worse - the wonders of hindsight.
The following diagram summarizes the catalysts that are creating the highly vulnerable enterprise environments. The security vendors that can deliver the needs inside the circle, will be industry winners over the next 5-10 years. We have high conviction that PANW will be one of these winners.
Figure 5 - High-Level Catalysts Driving the Cybersecurity Industry
The Russia-Ukraine war and rising geopolitical tensions will almost undoubtedly lead to more ransomware and other cybercrime and exacerbate the already treacherous security landscape. In this section we’ll navigate the key security areas and the main public and privately-owned [though vendors likely to do an IPO in the next couple of years] companies likely to prosper – with a particular focus on PANW.
Russia’s retaliation to its sanctions is resulting in an escalation of state-backed attacks – which means more funding going to skilled bad actors. This funding will pay for increased automation to scan for openings across the web, therefore, enterprises with global IT sprawl are the most vulnerable.
PANW has the best solution to fight this. In 2020, PANW acquired Xpanse, a startup with a ML-powered engine that scans the entire internet for organizations’ public-facing systems that are vulnerable to hackers. These vulnerabilities may be an abandoned server that’s connected to the internet, or a cloud instance that has been forgotten about, or domain registry information inadvertently presented on the internet, or an improperly decommissioned networking device. As you may infer, the number of vulnerabilities is highly correlated with the size, complexity, and age of organizations. Xpanse discovers and then maps out all of an organization’s internet-facing assets on a global scale and then devises a plan of action to reduce the attack surface.
If/when bad actors do enter a network, they’ll need to move laterally [known in the industry as east-west] searching for systems and data. The best way to prevent this is with segmentation.
Segmentation entails the partitioning of a network to prevent unnecessary lateral movement. Segmentation, or more specifically microsegmentation, gives SecOps complete visibility of all their assets and workflows, and then empowers them to quickly set policy to ensure machines/apps/workloads are only communicating with what they absolutely need to. For instance, if there is no need for Machine A to ever to connect with Server X, the pathway might as well be blocked. Blocking such unnecessary pathways right across the IT infrastructure makes it very difficult for bad actors to move around to find systems and data. And stalling their progress also gives SecOps and/or security software time to detect the threat before the hacker can cause damage.
PANW has one of the most effective microsegmentation solutions which involves tagging each and every workload with metadata such as identifiers like the associated app, its process, and its host. Therefore, each workload has a specific set of associated tags that can be used by a centralized policy controller to enforce, for example, that all workloads associated with tags A and F should not receive ingress connections coming from Server Cluster B.
This is a nascent market but holds a lot of promise given that microsegmentation appears to be the best solution to counter ransomware. Apart from PANW, we also like startup Illumio in this space. As can be seen in the following table, Illumio is currently one or two rounds behind some of the well-known high-growth SaaS stocks in recent memory; however, Illumio has raised a relatively high amount of funding. Therefore, security investors should monitor Illumio’s progression toward its IPO because it could happen within the next couple of years.
Figure 6 - Pre-IPO Funding & Revenue Estimates of High-Growth SaaS Vendors
Enterprises also need to secure north-south connections - i.e., client to the data centre or the cloud. The best way to do this amid the distributed environments is with ZTNA [Zero Trust Network Access] and SWG + CASB [Secure Web Gateway with Cloud Access Security Broker], respectively. ZTNA secures a connection between an employee and the internal application they’re accessing located in the enterprise’s private data centre – a much better way than using VPNs which connects to the network and hence gives bad actors that have compromised the connection an opportunity to access the whole network. And SWG + CASB secures connections between employees and the websites and SaaS apps they’re using.
Recently, Gartner has named the bundling of ZTNA, SWG, and CASB into one unified platform as Secure Service Edge, or SSE [which is a trimmed down version of SASE]. Since Nikesh Arora became CEO in July-18, PANW has made an impressive transition to deliver its best-in-class security performance in SaaS form – its Prisma Access platform being the embodiment of this transition.
We are surprised not to see PANW in the Leaders section, as it is our understanding that technically speaking there isn’t much difference in terms of quality between Zscaler, Netskope, and PANW. As per the commentary in the Magic Quadrant report, it appears that Gartner has penalized PANW for greater complexity. However, our take is that this is because PANW has a much wider security portfolio and doesn’t appear to have tailored their platform to align precisely with Gartner’s new definition [that is, shifting to SSE from SASE]. Hence, extracting SSE only from their vast platform may seem more complicated than using a vendor like Zscaler or Netskope that have a narrower portfolio that is pretty much completely encapsulated by the SSE term.
Figure 7 - Gartner's Magic Quadrant for SSE
Apart from PANW’s absence, we agree with Gartner’s inclusion in the Leaders section – Zscaler and Netskope. Zscaler has been very popular with investors during the past 2 years, though in our opinion, privately-owned Netskope with its origins specializing in data protection [whereas Zscaler’s roots are in threat protection] is more competitively positioned to prosper as we enter deeper into the era of big data. Furthermore, Netskope has built out a super-fast global network that we think will give them the upper hand with increasing volumes of data and 5G. Netskope has raised over $1bn over 12 rounds of VC funding, and at its latest funding round in July-21, the company was valued at $7.5bn. So, it’s likely we’ll see Netskope’s IPO in the next year or so – definitely a company for investors to monitor.
We’re also surprised that FTNT and NET are not in the SSE Magic Quadrant. Very similar to PANW, FTNT can deliver the full suite of SSE, has a great reputation in the industry, can serve cloud-only or hybrid use cases, and has the intelligent networking capability with its superior SD-WAN [Software-Defined Wide Area Network]. Furthermore, FTNT has built the majority of its portfolio in-house, meaning deployments and management are comparatively stress free. We can see the argument for not including NET because their out-of-band CASB was in beta mode at the time of Gartner’s report. However, they do have other means of securing access to SaaS apps and are the epitome of a pure as-a-Service vendor – the type that Gartner seems to favour – and can deliver the ZTNA and SWG along with intelligent networking. So, on the whole we think it's unfair that they are not included and they’ll definitely keep benefitting from SSE demand regardless. Though, following NET’s acquisition of out-of-band CASB startup, Vectrix, we expect NET to feature in Gartner’s next SSE Magic Quadrant.
Even after having all the above implemented – the attack surface reduction, the east-west segmentation, and the north-south security - some bad actors will still manage to reach some endpoints [client devices & servers]. And from there, they can implant malware, open a backdoor for easy future system access, or move around looking for valuable data ready for a ransomware attack.
There have been several evolutions in the endpoint security market during the past 30 years. The market started out with signature-based AV >>> then signature-based AV with firewall tweaks >>> then app whitelisting and sandboxing >>> then cloud-based EDR >>> then EPP with static AI AV >>> and the latest trend is XDR.
EDR consists of collating telemetry from endpoint agents into the cloud for large scale analysis of the global threat landscape and malware/suspicious behaviour detected on individual endpoints can be contained, investigated, and deleted remotely from the cloud. XDR expands the sources of telemetry to include information from network logs, SIEM systems, and any other point solution that can provide useful context for detecting threats, and applies more advanced analytics for correlating alerts to gain richer insights with reduced alert fatigue for analysts.
CRWD is widely regarded as the market leader in XDR, however, we believe PANW and S have the best approach. CRWD’s endpoint agent is very lightweight and doesn’t do any heavy local analysis of threats – instead it sends telemetry to the cloud for analysis and any threat response can be done remotely by CRWD analysts. On the contrary, PANW and S have an endpoint agent that can autonomously detect and confirm threats, and then proceed to eliminate those threats, without needing to send the telemetry to the cloud for investigation. The more sophisticated threats that evade detection by the endpoint agent will get caught by PANW’s/S’ operations in the cloud. This means that with PANW and S, the majority of threats can be eliminated within seconds whereas with CRWD’s approach it takes considerably longer to complete the detection-to-elimination process.
We surmise that this local + cloud approach is why PANW and S have outperformed CRWD in each of the 4 rounds of MITRE ATT&CK testing. The autonomy built into the agent also gives PANW and S an off-the-shelf quality – evident in their zero configuration changes in prep for the testing – which is particularly manifesting in S’ rapid triple-digit revenue growth.
Furthermore, all three are XDR vendors, though CRWD is what is described as a hybrid XDR vendor because they integrate with third-parties to ingest data sources beyond that of the agent telemetry into their XDR platform. PANW and S are considered more native XDR vendors because they integrate with other security tools within their portfolio. And PANW in particular, has the added advantage of incorporating its network analysis for richer and bigger picture insights of the threat landscape.
So, the local + cloud approach combined with the more native XDR platform, in our opinion, will help PANW and S effectively compete against CRWD in the long-term.
Adding more complexity to this treacherous security landscape outlined thus far, is the rampant developer activity in the clouds. Something called IaC [Infrastructure as Code] templates are empowering developers to quickly provision infrastructure, greatly contributing to the rapid pace of innovation. The problem, however, is that developers do not typically have a security-first mindset and now they have automation tools like IaC templates to insecurely provision infrastructure at scale. One insecure configuration at the infrastructure level can lead to thousands of security alerts which are time-consuming and difficult to troubleshoot.
Last year, PANW acquired Bridgecrew, which is a shift-left startup that specializes in building in security into IaC templates. In essence, Bridgecrew’s technology gives DevOps teams a systematic way to enforce infrastructure security standards. Adding Bridgecrew to PANW’s Prisma Cloud makes it the most comprehensive cloud security platform. PANW is now able to deliver end-to-end security for DevOps teams – right from the initial build right through to runtime – which is desperately needed in order for enterprises to continue their rapid digital innovation in a secure manner.
The need for better processes for building in security right from the beginning of DevOps workflows is apparent in the numerous breaches being reported almost on a daily basis. In 2021, the largest breaches involved hundreds of millions records and terabytes of data, often due to hackers exploiting a misconfigured AWS S3 bucket or some other infrastructure.
Figure 8 - Daily Incidents Related to Cloud Misconfigurations
The securing of IaC and cloud hosting environments more generally, is still a nascent market and there isn't a ton of competition for PANW. PANW has harmoniously stitched together a platform consisting of Best-of-Breed cloud security solutions via an aggressive M&A strategy since 2018. Usually such an aggressive M&A strategy doesn’t yield worthwhile synergy, however, PANW empowers the acquired founders to keep thinking visionary, sustain a high level of innovation, and to lead large divisions within the security giant. As a result, acquired founders are generally staying with PANW which is bringing the potential synergy to fruition. And this is evident in the growth in the Prisma Cloud customer base. Though, despite the breadth and quality of PANW’s cloud security platform, investors should also consider HCP, GTLB, and privately-owned Snyk, that is preparing for its IPO, according to reports.
Figure 9 - PANW's Prisma Cloud Growing Customer Base [fiscal year ends 31st July]
Despite all the aforementioned security software, enterprises still need an in-house or outsourced SOC [Security Operations Centre]. Software alone is insufficient to protect against attacks that are high in variety, sophistication, and dynamism. This acceptance has generated increasing demand for Managed Security Services, that consist of security professionals that hunt for and respond to threats, analyze threat intelligence, reverse engineer attacks, and improve the overall security posture for enterprises.
Many of the XDR vendors also have managed services to add further value to their software. Similar to our XDR assessment, we prefer the outlook for PANW and S more than CRWD in regards to growth in the managed services market. As previously outlined, CRWD’s security operation is more labour-intensive due to the heavy reliance on the cloud-powered EDR component. This means it is essentially a competitor to independent MSSPs [Managed Security Service Providers]. On the contrary, PANW’s and S’ operations are more of a hybrid local-cloud operation and the autonomy and capability of the endpoint agent is proving to be very enriching for the work of MSSPs. The agent being able to do most of the detection, response, and remediation, frees up MSSPs to concentrate on the more sophisticated attacks.
We would say S even has an edge over PANW in this area of security, because they’ve recently released a scripting platform for security analysts to customize detection and responses to threats and scale these rules across millions of devices. And this is manifesting in the triple-digit partner-related growth the company is currently experiencing. Though, in our opinion, PANW has the edge in providing analysts with the bigger picture view attributed to PANW’s insights into network analysis.
For the new distributed environment era, the most effective overarching security philosophy for both north-south and east-west connections is a Zero Trust Architecture [ZTA]. In the old perimeter-based, castle-and-moat corporate network layout, once a user had authenticated to the network they were trusted from then on. This wasn’t too much of an issue, however, because all connections were established after having been inspected by a firewall at the network’s perimeter.
Now the network perimeter has been almost obliterated a new security paradigm is required because remote employees want direct access to SaaS apps. That new paradigm is Zero Trust, which initiates each connection with distrust and builds up the trust via information from identity directories, device status [software version, security posture, etc.], contextual sources [location, time, etc.], and user behaviour analytics. However, all these checks add latency and can degrade the user experience and productivity.
We think PANW excels in balancing security with user experience for two reasons:
As more of the world’s population comes online, and we increase our usage of IoT, 5G, and edge compute, and enterprises implement ZTAs, vendors will need to strike the right balance of security and user experience. We think PANW’s risk policy engine built into Prisma Access and their SD-WAN technology will provide this balance better than any other vendor.
CISOs [Chief Information Security Officers] have been wanting to consolidate their enterprise’s innumerable point solutions for a while. Having a bunch of disjointed security solutions, each operating in siloes, makes it extremely difficult to manage, weakens the security posture, and makes the enterprise more vulnerable to attacks.
However, the conundrum is that CISOs want consolidation but also want the BoB individual solutions. With PANW, they can actually have their cake and eat it because of PANW’s platform breadth and BoB solutions, that are either home-grown [as is the case for their network security platform Prisma Access] or acquired [as is the case for their cloud security platform Prisma Cloud].
The success of Prisma Cloud is really something to marvel at. The platform that was released in early 2020 and has already reached $1bn+ [this is an estimate due to lack of disclosure] and is the result of Arora’s assertiveness to only acquire the BoB of the market, the founder empowerment, the infusion of PANW’s first principles understanding of security, and PANW’s prowess in sales and marketing. Arora has effectively stitched together BoB solutions into an end-to-end cloud security platform and made it highly value accretive to the business. And going forward PANW will benefit from this dichotomy of CISOs wanting both vendor consolidation and BoB.
In essence, we’ve covered all areas that enterprises need to consider in order to develop a solid security posture. From vulnerability management [reducing attack surface], to stopping east-west movement, to securing north-south connections [with SSE], to protecting endpoints, to cloud security, to managed security services, to intelligent risk-based assessments and networking, and to vendor consolidation, PANW is a leader. Below is a snippet from their FY21 investor presentation, highlighting their leadership across key security areas – much of which has been achieved by Arora’s leadership since he became CEO in 2018.
Figure 10 - Incredible Transformation in the Past Few Years
Compared to CHKP, ZS, and CRWD, which collectively match PANW’s business profile very well, PANW is significantly undervalued. The Rule of 40 and growth-adjusted EV/FCF multiples also indicate relative attractiveness. And our conservative DCF parameters also indicate a 2x to intrinsic value.
Along with FTNT, PANW is the most optimally positioned security vendor to capitalize on the cybersecurity industry’s dynamics, tailwinds, and trends outlined in this article. We think the industry outlook combined with PANW’s competitive positioning and PANW’s attractive terminal profitability potential, makes the stock a must-have in any portfolio.
Become a member of Asymmetric Tech Investments to gain the information edge required to maximize long-term returns in the tech sector. Receive 50% time-limited legacy discount - this equates to $380 per year, fixed for life. Offer ends when we reach 50 members.
This article was written by
Long-time tech investors with special interests in cybersecurity and cloud-related stocks. Recently we decided to turn our passion into an equity research business called Convequity. We combine quantitative and qualitative methods to gain a deep understanding of a company's business, products, and markets, and the stock's intrinsic valuation. Our process aids us to identify companies in-process of developing wide and sustainable moats with the promise of exceptional long-term returns.
Disclosure: I/we have a beneficial long position in the shares of PANW either through stock ownership, options, or other derivatives. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.