Even if cybersecurity remains a top IT priority for most organizations (along with AI, obviously) and, accordingly, keeps growing fast, two events affecting two of the largest cybersecurity vendors have weighed down on investor sentiment this year: Palo Alto’s aggressive pricing policy, fueling concerns about the company’s short-term outlook and potential industry-wide discounting initiatives; and, more recently, CrowdStrike’s massive IT outage and its repercussions on its commercial momentum. Quarterly earnings from both companies suggest that these concerns were overblown.
Palo Alto surprised most investors earlier this year when it announced a strategic shift towards a “platformization” of its product offering. In other words, the company sought to entice its customers to switch away from security vendors offering single solutions and to subscribe to Palo Alto’s all-in-one solution. To gain traction, Palo Alto decided to pursue an aggressive commercial policy, offering free use of its Cortex platform to customers until they transition away from rival offerings.
While we consider that cybersecurity firms have indeed no choice but to offer comprehensive platforms as customer enterprises demand packaged solutions to reduce costs and complexity, we wondered if Palo Alto’s initiative would not spark short-term disruption in the cybersecurity landscape, with the company’s main rivals potentially following suit and introducing their own incentives to retain customers, sparking growth and margin pressures across the industry.
Recent earnings from most cyber vendors (Fortinet, CyberArk, Cloudflare, SentinelOne…) reassured on both the top and bottom lines and Palo Alto, whose financials were the most at risk, also surprised on the upside on various metrics (Q4 billings +11% vs. guidance of 9-10%, Next-Gen Security ARR up +43%) as its platformization strategy appears to be successful with multiple 8-figure deals signed in FQ4. Importantly, Palo Alto’s EBIT margin continued it upward trajectory (to the high twenties) in FY24 and is expected to continue to do so in FY25, showing little impact from its new pricing policy.
Turning to CrowdStrike, just weeks after the massive IT outage that hit millions of computer systems, company’s earnings were widely expected to gauge the impact on the vendor’s reputation and commercial momentum. While CrowdStrike adjusted downwards its expectations for the second part of the year, the revision was not that significant (FY growth guidance reduced to 27.5% from 30.5% and EBIT margin to 20% from 22.5%) and the company shared several encouraging signs.
Notably, CrowStrike’s quarterly Net New ARR grew 11%, 10% above consensus, despite $60M slipped deals and the long-term ARR target was pushed out by one year but reiterated. Management also highlighted several 8-figure deals that closed post the outage, giving confidence that the reputation damage will be limited.
The precedent with identity & access management specialist Okta is telling and tends to confirm that reputation damage can be well contained and short-lived in the cyber industry, contrary to general perception. After suffering a massive breach in late 2023, Okta was back on its feet just one quarter later.
In conclusion, the outlook is becoming clearer for the cybersecurity industry, both at the top line and margin levels. This, combined with likely continued M&A activity, should support valuations going forward.