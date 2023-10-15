Arisara_Tongdonnoi/E+ via Getty Images

CyberArk-Trying to find its secret sauce in a space with many conflicting claims

The cybersecurity space is extraordinarily complex with a multiplicity of overlapping solutions. Most growth stock investors well understand that a high growth technology portfolio needs to have a significant weighting in cybersecurity in order to achieve relative performance. At Ticker Target, the web site that this author runs, our high growth portfolio has a 20% weighting in the cybersecurity space. I imagine that many other readers looking to invest in the IT space have a similar, or even high weighting.

The question then becomes which cyber-security companies make the most sense. One size is simply not going to fit all investors. There are some very profitable security vendors whose growth trajectory is quite modest such as Check Point (CHKP). Then there are rapidly growing cybersecurity vendors such as Zscaler (ZS) whose valuation cannot be described as compressed. Many people find the investment merits of Palo Alto (PANW) which combines decent growth with high profitability to be appropriate.

CyberArk’s (NASDAQ:CYBR) valuation, while not hugely elevated is not remarkable, just looking at current numbers. But that’s the point; the company is all about how it will look in terms of growth metrics and profitability when its transition is complete. It has been a while since I last looked at CyberArk, and in reviewing some of the numbers behind the headlines, I had an aha moment. Cyber Ark shares won’t appeal to everyone, and I haven’t yet bought them in the Ticker Target portfolio, more because to do would requiring selling a position I don’t want to sell at this point.

CyberArk’s raison d’etre for its users is all about privilege. Not the kind of privilege that one might be born with, but the kind of privilege for different users in terms of their access to a particular source of data, or a particular application. An organization has many different kinds of identities that need to be secured including both human and machine. These days, in cyber-security as in much else IT, a platform approach is king, and it turns out that it can be true when it comes to securing entities as much as anything else.

CyberArk began its transition to a subscription model a couple of years ago-its current CEO came from PTC (PTC) where he had been instrumental in instrumenting a similar transition. The impacts of that transition are beginning to subside, with perpetual license revenues down to 3% of revenues last quarter, compared to 8% of revenues in the year earlier period. Reported profitability and free cash flow metrics are also showing improvements. The company actually reported a small non-GAAP profit last quarter. As is typical for a company moving to a subscription model, the growth in deferred revenues has slackened.

Because of the transition, some underlying trends can be obscured or ignored. The one metric that I focus on in these transitions is that of ARR growth which gives the best and most objective picture of the company’s sales success. The company’s ARR grew by 40% in its latest reported quarter, and the company had $49 million in net new subscription ARR on a subscription base of $451 million. That net new ARR compares to $39 million in Q1 and is the highest growth of ARR the company has ever achieved except for the seasonally influenced Q4 of 2022. In fact, it was this performance of ARR growth that has been the motivating factor for me in writing this report at this time. Subscription ARR growth 77% year on year.

The company’s new customer count increased from 200+ in Q1 to 235 this past quarter. The company’s CEO, Matt Cohen, also indicated that the company’s pipeline has continued to build at a record pace. He also talked about strong win rates-but I have never seen an IT CEO talk about weak win rates.

CyberArk’s share price performance over the last year has been relatively muted. It is up by a bit less than 20% over the last 12 months and a bit more than 27% since the start of the year. By contrast, the HACK cyber security ETF has risen by 21% over both the past year and on a YTD basis. The shares did appreciate by about 13% on the day after the company’s last earnings release and have remained at about that level since that time. While most analysts who cover the company increased their price targets, no one upgraded the shares-most analysts’ rate the shares a buy in any event.

As I write this, we are in day 5 of the war between Hamas and the Israelis. This is anything but an analysis of that conflict. However, CyberArk shares initially were down somewhat, before finishing up marginally on Monday, with a further marginal gain on Tuesday, as many IT stocks rallied. CyberArk is not headquartered in Israel. Its headquarters are in Newton, MA, a leafy suburb of Boston. But it has significant development operations and physical assets in Israel-although in the northern part of that country. The kneejerk reaction of some has been to sell shares of anything with the slightest Israeli exposure. While not universal, most companies with significant Israeli exposure have shown relative weakness so far this week, and in that regard, CyberArk shares have been no exception.

Forecasting how this conflict will develop is not the subject of this article. The pictures of the massacre of small children are too despicable for any comment I might offer. I find myself embarrassed to note that I graduated Harvard Business School. I am sure all subscribers/readers hope for a peaceful resolution as soon as possible and a return of all hostages unharmed. But this is an investment site and not a site that forecasts geopolitical developments.

My own guess is that CyberArk’s business will not be materially impacted by the conflict. At this point, I haven’t seen anything that suggests that its ability to continue to develop and release products on schedule will be upset. Almost certainly some CyberArk employees will be or have been drafted to serve in the IDF; the call-up that has been announced is of a magnitude that assures that. But the impact will not be that of shutting down development efforts, but more in the line of developing short term workarounds and redeploying some work to other development venues.

Of course some kind of apocalyptic scenario might develop, although if it does, worrying about portfolio performance might not be a primary issue for most readers, but this is the age of virtual companies, and I imagine most activities can be conducted without using some physical premise.

At the moment, investors are spooked, but less so about CyberArk then some other companies with an Israeli presence or headquarters. I can’t project how irrational, blood-thirsty terrorists might react, or the reaction of other state actors; but I think contemplating a catastrophe probably isn’t an optimal investment strategy.

Almost all cyber security companies have operations in Israel-it is one of the leading geos for the development of the most advanced cyber security solutions. It may be hard to believe, but most of the major cyber security concepts have been developed in Israel. Obviously there are apocalyptic scenarios in which this current conflict escalates out of control. But investing is about the probable and not some apocalyptic scenario that will have far more dire consequences than delaying a release of code for a week or two.

The war, inevitably, has focused some attention on the cybersecurity space. Some cybersecurity stocks have been strong performers this week. There seems to have been some failure of intelligence before the attacks were launched. I am not entirely sure if further investment in cybersecurity would have helped much, or if there was a need for the use of more AI in forecasting the potential actions of terrorists and their state actor allies. If the war further accelerates the demand for cyber security software, Cyber will benefit along with much else.

CyberArk shares are certainly not the cheapest investment in its space, but their valuation is far from nosebleed levels. Currently, the company has an enterprise value of about $7 billion based on 46.8 million outstanding shares. The share count is that forecast by the company and includes the dilution from the company’s convertible which is necessary because the company is forecasting non-GAAP profitability. The EV/S ratio based on revenues of $875 million over the next 4 quarters is a bit less than 8X based on the closing price as of 10/11/23.

As the company’s transition from an on premise revenue model to a subscription model comes to an end, growth rates and free cash flow margins are going to rise significantly. Currently, the consensus revenue growth forecast for 2024 is 24%. I think actual growth will be greater than 30%. I am estimating a free cash flow margin of 9% over the next 4 quarters. The combination of a 32% 3 year CAGR coupled with a free cash flow margin of 9% puts CyberArk’s valuation well below average. I recommend the purchase of CyberArk shares in a growth oriented portfolio.

Taking a look at the CYBR Platform: Does it have a moat and how fast can it grow as the transition winds down?

When many investors think of identity management, they tend to think first of Okta (OKTA). After all, Okta was founded to provide enterprises with identity management solutions. But identity management is not the same as privileged asset management (PAM) and larger enterprises recognize that maintaining a successful security posture requires both. Cyber offers the most complete identity security platform available and its mission is to secure all identities, including those of physical assets, from end-to-end. Sadly, cyber criminals have been able to leap over traditional endpoint security solutions that still are deployed to safeguard many enterprises.

This is not intended to be a primer on cyber security, identity management or privileged access. I am not qualified by any means to provide that level of knowledge. It is intended to highlight some of the key technologies Cyber is developing and to look at some of the demand tailwinds they have created. Cyber security is an exceptionally complicated field, even when compared to other areas of enterprise software, and AI is making it more complicated. I don’t suggest that it is necessary for readers to understand all there is to know about the nuances of the space in order to make reasonable investment decisions.

CyberArk is one of the leaders in what is known as privileged access management. The concept is about enforcing a “least privilege policy” across identities, infrastructure and applications from the endpoint to the cloud. Privileged Access is more complex than it sounds. In typical use cases there are multiple levels of privilege and these are usually quite dynamic. One route cyber criminals take is by gaining access to disused privileges-the best practice involves just-in-time provisioning which makes the technology more complicated, but also makes it harder to defeat.

Secrets Management is another significant component of the CyberArk solution. Secrets management is about securing non-human identities for applications, DevOps pipeline and cloud workloads. Part of the solution relates to securing credentials. These days, cyber criminals target acquiring credentials so they can break into applications and gain access across the software supply chain. The criminals often are able to steal access to applications and automation tools disrupting the creation of applications. The sophistication and the pervasive and organized nature of cyber-crime is probably still underestimated-and from an investment perspective this has led to resilient demand despite macro issues.

The CyberArk platform includes other required elements of access management including security for bots and for virtual agents. There are, as many readers will be aware, an increasing number of DevOps tools and cloud native applications being built by these tools. The rise of the IoT means that multiple devices need to their access confirmed before they can provide data to different clouds. All of these potential points of access need to be secured. In addition, identity management needs to be able to deal with the rise of remote workforce access, making sure that cloud workloads can only be accessed by accredited parties and that a user is protected from ransomware attacks.

These days, users are encountering “weaponized AI” assaults on their security posture. Weaponized AI is designed to defeat some of the end-point technologies that have most recently been introduced. As the criminals move to defeat some technologies, enterprises are turning a bit more to broad scale identity protection as an additional solution to secure their networks.

As I have written on other occasions regarding vendors in different areas of the IT space, the issue isn’t whether CyberArk has some unique technology that is unmatched by any other vendor. I don’t think that is actually the case. It is very rare these days in the enterprise software space for one vendor or the other to have something that is unduplicated or unduplicable. It generally comes down to being able to offer a broad platform and to the potential for vendor consolidation. I will provide some commentary about the company’s competitive position and market size in the next section.

This company has been best known because of its privileged access management technology and there are certainly other vendors including Okta who offer that as well. Offering some kind of a PAM solution is a requirement for relevance at this point. But cutting to the chase, CyberArk has seen success both because it has a broad platform in what its CEO calls a “non-negotiable requirement” and because its sales execution has improved noticeably over the past year or so.

The company has steadily innovated new solutions over the years. It spends an outsized 26% of its revenues on research and development, and that is actually less than the expense ratio for that category in the recent past. The company’s CEO, Matt Cohen, has a sales background. But this company has an executive chairman, Udi Mokady who remains active in the business. Mr. Mokady founded CyberArk more than 20 years ago and is considered by many as a thought leader and pioneer in the cyber security industry, While he doesn't have an explicit technology platform, his expertise in understanding and acting on technology trends is well documented.

CyberArk's latest SKU is Secure Browser that was introduced at the customer/sales/analyst even held in May. Secure Browser is intended to protect the security gap between consumer-based web browsers and SaaS applications. Hackers these days have become proficient in hijacking sessions, stealing cookies, and harvesting data and IP.

Of course the company has a team dedicated to integrating AI across the company’s product portfolio. Whether AI will be offered as separate product with their own SKUs, or just how the company will monetize AI is not immediately apparent at this point.

Market size and competitive trends in the space

As the linked survey indicates, the overall market size for Identity and Access management was about $16 billion last year, and is expected to achieve a CAGR of almost 13% through the end of the decade. The Privileged Identity management market has been much smaller, and the linked study shows it rising from just over $2 billion last year to about $8.5 billion over the next 5 years. Most of Cyber’s current business is in the PAM space but it obviously sells products in adjacencies that increase its TAM substantially. The company’s last investor presentation in May identified a TAM of $50 billion because the TAM for CyberArk includes what might be called vanilla identity management, cloud security, secrets management and endpoint privilege security. I try to present these surveys, not because I believe in the absolute numbers, so much, but because they do, at least at some level, present a reasonable CAGR forecast and allow me or a reader to identify which space is growing more rapidly. The PAM space is growing rapidly, and that is one reason to believe that CyberArk’s CAGR will remain elevated for the foreseeable future. Regardless of the TAM, the market size is of a magnitude that CyberArk’s growth runway is substantial and can support a hyper growth CAGR for years to come.

While CyberArk has been long known as the leader in the PAM space, it faces multiple competitors who provide both point and platform solutions. I have linked here to Gartner’s listing of competitors to Cyber in the PAM space. While both Oracle (ORCL) and IBM (IBM) are listed here as competitors, they really do not compete actively for business in this area. The one name that is familiar to me is HashiCorp (HCP) which I reviewed a few months ago. Hashi’s most significant product is Vault and that is a competitor. The survey shows that Cyber is better than Hashi at service and support. It also has a far greater market share, and has a much more extensive and developed platform when compared to Hashi.

Some readers are going to focus on comparing Okta and CyberArk. They both are identity management-Right? As the linked article suggests while they both do offer identity management as their core solution, CyberArk is considered by the author to be best for larger enterprises. That isn’t because Okta wants it that way; it just is the way the solutions work in the context of typical user priorities. CyberArk is said in this article to have attributes that make it suitable for compliance and for users who need both cloud and on premise identity protection solutions. Again, I do not suggest that I am the appropriate writer to evaluate products, but the article presents the specifics of how CyberArk’s multifactor technology protects users, applications and data.

When it comes to pricing, Okta is cheaper for smaller users, and CyberArk’s list prices are quite a bit less expensive for larger users. Okta has a privileged asset manager solution that introduced a couple of years ago. Okta has thousands of customers and it will wind up selling some significant cohort of these users their PAM product regardless of which technology ranks higher in 3rd party surveys. But based on recent data as well as this specific review, my guess is that CyberArk will wind up gaining significant share over time.

In terms of EV/S, Okta shares are cheaper-my estimate of the Okta EV/S ratio is about 6.1X while my estimate for CyberArk's EV/S is, as mentioned around 8X, reflecting both a lower CAGR estimate for Okta and its operational struggles in the recent past. My guess is that CyberArk will continue to grow somewhat faster than Okta on a percentage basis, and that this will become more evident as the impact of CyberArk’s transition to pure subscription moves into its endgame.

Okta is several times the size of CyberArk and it has taken some significant cost remediation actions that have shown up in improved estimates for non-GAAP operating margins and free cash flow generation. I think owning some kind of a position in the identity management space should be a priority for growth investors, and some investors looking to invest in larger, better known companies, will choose Okta over CyberArk. My projections show that Okta shares have an average valuation for its estimated CAGR in the 20% range, with a free cashflow margin in the mid-teens, while CyberArk has a below average valuation for its CAGR estimate in the low 30% range with a free cash flow margin rising rapidly from the 9% I estimate for the next 4 quarters. Given the ACV momentum of CyberArk last quarter, I have chosen to recommend its shares compared to those of Okta at this point-but that is more relative than absolute-Okta shares can perform well in a decent market environment.

CyberArk’s business model-improvements despite the transition to subscription

CyberArk’s operational performance has been improving consistently after reaching a nadir in the midst of the impact of its transition to a full SaaS subscription model reaches. That said, the company still gets a substantial component of its revenues from maintenance and it will be a long time before that revenue line drops significantly so that headline growth numbers will be burdened by what is essentially a boat anchor. Last quarter subscription revenues were 60% of total revenues compared to 46% of revenues in the year earlier quarter, while maintenance revenues were 37% of revenues compared to 46% of revenues in the prior year. Sequentially, subscription revenues rose from 57% to 60% of the total and they rose by 21% in absolute dollars.

Last quarter, the company’s non-GAAP gross margin was 81.4%, and that compared to 82.1% in the year earlier quarter and to 81.3% in the prior sequential quarter. There is, I believe, significant potential leverage in gross margins as subscription revenues rise substantially; most companies moving to a subscription model achieve substantial leverage at scale, and CyberArk is not likely to be an exception. Gross margins have faced a noticeable headwinds as revenue from perpetual license has fallen rapidly; non-GAAP gross margins on perpetual license revenue are 95%, while gross margins on subscription revenues are 84%.

CyberArk historically has had very high operating expense ratios since it started its transition to a subscription model, and reported revenue growth atrophied. These ratios have started to decline now, but are still elevated. There is lots of room for further improvement. Specifically, non-GAAP research and development expense was 26% of revenues last quarter compared to 28% of revenues in the prior year. Sequentially research and development expense rose about 5% while revenues rose about 9%.

Sales and marketing is the largest operating expense category. Last quarter, non-GAAP sales and marketing expense was nearly 50% compared to a bit more than 52% in the prior year. Sales and marketing expense rose by just 2% sequentially-progress, but obviously, CyberArk will not have decent margins without taking some further actions to constrain that expense ratio. Sales productivity has to be a principal component of the company’s ethos going forward.

Non-GAAP general and administrative expense was about 8% last quarter compared to 9% in the year earlier quarter. On a sequential basis, general and administrative expense rose by about 8%.

Overall, non-GAAP operating expenses were 84% of revenues last quarter, compared to almost 90% of revenues in the year earlier quarter. On a sequential basis, non-GAAP operating expenses rose 3%. Constraining opex growth, while achieving above plan revenues was just enough to produce a small level of non-GAAP EPS in the quarter.

Free cash flow was a small burn last quarter. This was mainly an artifact of the company’s transition to a SaaS revenue model. Most companies with a SaaS model have seen smaller increases in deferred revenue when compared to a perpetual model and that proved to be the case for this company-this is primarily a function of maintenance customers prepaying a year in advance; the increase in the company’s deferred revenue balance fell from $35 million to $10 million over the first half of the year, and this, in turn led to a cash burn of $5 million for the first half of the year. Based on how other companies with a SaaS model operate, my guess is that free cash flow will spike substantially during Q4 which is likely to be a seasonal highpoint for SaaS renewals. I have projected a full year free cash flow margin of 9%, and that metric should trend significantly higher in the next couple of years as the impacts of the transition lead to stronger cashflow.

CyberArk does use stock based comp. Last quarter stock based comp. was 18% of revenue, compared to 21% of revenue in the year earlier period, and to 19.5% of revenues in Q1. As I have written on many past occasions, the cost of SBC is not that which is carried in income statements. On an economic basis the cost of SBC is the dilution of existing shareholders and nothing else. Outstanding shares rose by around 2.5% year on year, and by 0.9% sequentially. The company is now projecting non-GAAP profits for both Q3 and for the full year. When this happens, the convention is for fully diluted shares to include the “as if converted” dilution from the company’s convertible debt. Based on that formula, and the most recent dilution, I am using 48.1 million outstanding shares to calculate valuation metrics.

Wrapping up-summarizing the case to own CyberArk shares

CyberArk is a somewhat lesser known in the cyber security space with a full year revenue run rate of now crossing $700 million. It is, however, a leader in the space known as privileged asset management. It is often compared to Okta-but amongst users that perception is less than might be the case than for investors. The reality is that larger enterprises, looking to maximize their security posture really need both Okta and CyberArk to handle different use cases and specific requirements.

While CyberArk is headquartered just outside of Boston, it does have extensive operations in Israel. There is no indication that the current war has materially impacted the company’s operations or will impact the flow of new products.

Like almost all IT company’s AI is having a noticeable impact on the company’s business. Cyber criminals have taken to AI with marked enthusiasm, and have been using the technology to circumvent some endpoint security offerings that rely on anomaly detection to expose potential breaches. The company is infusing AI technologies into all of its offerings with more details to be presented regarding functionality and monetization-perhaps at the time of the upcoming earnings release on 11/2. I actually think the demand tailwinds, both from the use of AI by cyber criminals, and by concerns about cyber breaches in the wake of current hostilities will have more near term impact on CyberArk's operating than new AI offerings, although over time AI will become a significant component of the technology involved in protecting privileged assets.

The company’s revenue growth has been masked to some degree by transition to a pure SaaS model, now in its final stages. The company’s current CEO has spearheaded the effort and was rewarded by his recent promotion. Results last quarter were unusually strong when looked at by new ARR generation, the most objective way to measure the performance of a SaaS vendor. ARR growth was 40% last quarter, and the product portion of ARR actually grew by 77% year on year. Headline revenues grew by 24% and the company wound up raising its full year forecast for both revenues and EPS.

The company has an extensive platform of solutions that relate to all phases of access, secrets and privilege. This has enabled the company to act as a consolidator despite its current modest size. The combination of continued significant growth, even at a headline level, coupled with some expense discipline has started to show up in profitability metrics, and the company is forecasting positive non-GAAP EPS and should continue to generate a rising level of free cash flow.

For many readers/investors, looking at historical data, CyberArk business profile probably is not sufficient to motivate a buying interest. But for me, the strong growth of ARR stood out, and while the shares went higher in the wake of the latest earnings, the move has been tempered in the last several weeks and the current valuation in no way reflects the kind of growth the company is experiencing. I think revenue growth estimates for 2024 are significantly below the company’s likely performance, and stronger revenue growth will show up in better than anticipated operating margins and free cash flow generation.

Is CyberArk a better investment than Okta? The two are often compared as they focus on cyber identity protection as their core competence. This is a case where one size doesn’t fit all-CyberArk will be of greater interest for investors looking for faster growth and more dramatic improvements in profitability metrics from a low base. Given its size, it is possible that the company might be of some interest to P/E and of substantial interest to a strategic buyer. Okta has a different set of investment attributes that likely appeal to a slightly different investor cohort.

The company will be announcing its earnings for Q3 in another 3 weeks. I wouldn’t be surprised to see another strong performance, particularly in terms of product ARR growth given the size of the backlog the CEO spoke to at the time of the last call, and the company’s improved selling motion. I believe that CyberArk shares will produce positive alpha over the coming year.