Description
Palo Alto Networks is a cybersecurity company selling proprietary hardware products with SaaS software solutions to secure organizations’ network, endpoints, and cloud. Superior product performance and breath of offering is driving market share wins in a $20B+, growing market. Our thesis is summarized below:
· Gaining Share in large, growing market
o Gartner, Forrester, and the SANS institute rank PANW as the best next generation firewall vendor
o PANW is growing 25%+ and has ~15% market in the ~$20B cybersecurity enterprise market
o 28% customer growth in most recent quarter
· Network Effects and Tipping Points, Create a Competitive Moat
o PANW’s 50K customers learn from each other in real time to automatically update their defenses. Very difficult to replicate for new entrants
o Most CTOs and CSOs do not want to own the second best market solution
o PANW is the only company with AWS Networking Competency
o Greater scale, allows increased R&D investment
§ PANW spends 2x what its peers do on R&D. Over five years that’s $1B of extra R&D
· Large Cross-Sale opportunity
o Increased penetration of current software solutions could drive $1 billion of revenue growth over the next several years
o Unattached services are run-rating $240M of sales growing 85% YoY
· Strong Recurring Revenue
o PANW does not receive sufficient credit for the recurring nature of sale
o Approximately 63% of sales generated from recurring software service and maintenance revenues, up from 40% in 2014
o Five year old cohort generates 5.1x the initial purchase implying ~100% dollar retention
· Launch of Application Framework is Material
• Launch of Application Framework or the PANW “app store” to accelerate revenue growth, market share gains, and margin expansion
• Application Framework creates important channel for M&A and capital deployment
· Attractive Valuation
• PANW trades at ~5% current FCF yield, despite 28% growth in the most recent quarter
· Strong Secular Trends
o The number of recorded breaches is growing exponentially
o “The global cyber threat landscape is becoming increasingly sophisticated. Attacks are now in their 5th generation, while 97 percent of enterprises are not prepared for these attacks and remain primarily focused on protections for 2nd or 3rd generation attacks.” CHKP CEO, Q1 2018 Conference Call
· Product Overview
o Firewall Appliances. Our appliances are designed for different performance requirements throughout an organization and are classified based on throughput, ranging from our PA-200, which is designed for enterprise remote offices, to our top-of-the-line PA-7080, which is designed for large scale data centers and service provider use. Our firewall appliances come in a physical form factor, as well as in a virtual form factor that is available for virtualization environments from companies such as VMware, Inc, Microsoft Corporation, and Amazon.com
o Panorama. Panorama is our centralized security management solution for global control of all of our appliances deployed on an end-customer’s network as a virtual appliance or a physical appliance. Panorama is used for centralized policy management, device management, software licensing and updates, centralized logging and reporting, and log storage
o Threat Prevention Subscription. This service provides the intrusion detection and prevention capabilities of our platform. Our threat prevention engine blocks vulnerability exploits, viruses, spyware, buffer overflows, denial-of-service attacks, and port scans from compromising and damaging enterprise information resources
o URL Filtering Subscription. This service provides the uniform resource locator (“URL”) filtering capabilities of our platform. The URL filtering database consists of millions of URLs across many categories and is designed to monitor and control employee web surfing activities
o WildFire Subscription. This cloud-based or appliance-based service provides protection against targeted malware and advanced persistent threats. This service provides a near real-time analysis engine for detecting previously unseen malware. Once identified, preventive measures are automatically generated and delivered to all devices that subscribe to the service. By providing this as a cloud-based service, all of our end-customers benefit from malware found on any network
o GlobalProtect Subscription. This appliance-based service provides protection for mobile users of both traditional laptop devices and mobile devices. It expands the boundaries of the physical network, effectively establishing a logical perimeter that encompasses remote laptop and mobile device users irrespective of their location
o VM-Series Subscription. VM-Series, the virtual form factor of our Next-Generation Firewall, is offered as both a perpetual license as well as a term-based subscription service. The VM-Series provides all of the same security capabilities of our hardware appliances, but as a software package that can be deployed on VMware’s ESXi, Microsoft’s Hyper-V, and Red Hat KVM hypervisors, as well as natively in Amazon’s AWS cloud and Microsoft’s Azure cloud
o Traps Endpoint Protection Subscription. This service provides protection for endpoints against cyber attacks that aim to run malicious code or exploit software vulnerabilities. Through its integration with WildFire, it is also capable of preventing cyber attacks that rely on malware
o AutoFocus Subscription. This cloud-based service provides threat intelligence capabilities to our end-customers’ security operations teams. Indicators of compromise and anomalies that occur on an end-customer’s network can be correlated with similar data that has been centrally collected by us in our Threat Intelligence Cloud from among all our participating end-customers. This offers our end-customers priority alerts, deep attack context, and high-fidelity threat intelligence across millions of malware samples and tens of billions of file artifacts
o Aperture Subscription. This cloud-based service provides content control for IT-sanctioned SaaS applications that are used to store and share end-customer’s data. It offers end-customers the capability to safely use these SaaS applications and avert risks associated with improper sharing of confidential data and risks associated with sharing of malicious content
o MineMeld is an open source application that streamlines the aggregation, enforcement and sharing of threat intelligence including aggregation and correlation of threat intelligence feeds, enforcement of new prevention controls, including IP blacklists, evaluate the value of a specific threat intelligence feed for your environment. Extract indicators from Palo Alto Networks device logs and share them with other security tools.
o Magnifier / LightCyber applies machine learning to rich network, endpoint, and cloud data, precisely detecting and preventing targeted attacks, insider abuse, and endpoint compromise
o
· Valuation
o If PANW grows top line at 25% a year and EBIT at 30%+ and the multiple stays the same, the stock should compound at 30% a year before smart capital allocation less about 3% for SBC annual dilution
I do not hold a position with the issuer such as employment, directorship, or consultancy.
I and/or others I advise hold a material investment in the issuer's securities.
Catalyst
Continued growth and execution