The pandemic precipitated what is shaping up to be a permanent shift in cybersecurity spending patterns. As a direct result of hybrid work, chief information security officers have invested heavily in endpoint security, identity access management, cloud security and further hardening the network beyond headquarters.

Moreover, the need to build security into applications from the start, rather than bolting on protection as an afterthought, has led to vastly heightened awareness around DevSecOps, which integrates software development, security and information technology operations. Finally, attacking security as a data problem with automation and artificial intelligence is fueling new innovations in cybersecurity products and services and spawning well-funded, disruptive startups.

In this Breaking Analysis, we present our quarterly findings on the security sector. We’ll share the latest Enterprise Technology Research survey data, identify the companies with customer spending momentum and identify some of the market movers.

What’s the news in cybersecurity?

Nary a week goes by without more concerning news about cyberattacks. The latest focus in the headlines is Russia’s relentless attacks on critical infrastructure in the Ukraine – including banking and government websites — and weaponizing information to spread panic.

The hacker group BlackByte put the double whammy on the San Francisco 49ers, meaning they exfiltrated data and encrypted the organization’s files.

Then there was the best Super Bowl ad last Sunday, the Coinbase Global Inc.’s floating QR code. Millions of people rushed to scan the code and participate in the Coinbase BTC giveaway. This highlights yet another exposure, the willingness of individuals to click on unknown links and random QR codes. So many people read the code on their smartphones that it crashed Coinbase’s website. What does that tell you?

In other security news, Securonix Inc. raised $1 billion. This on top of Lacework Inc.’s massive $1.3 billion raise last November. Both of these companies are attacking security with data, automation and APIs that can engage machine intelligence. In its announcement, Securonix specifically mentioned the momentum from MSSPs – managed security service providers – and that’s a trend we see as increasingly gaining traction as customers are just drowning in security incidents without the staff to handle them.

Peter McKay’s company Snyk Ltd. acquired Fugue Inc., a company focused on making sure security policies are consistent throughout the software development lifecycle. It’s an example of developer-defined security where policy can be checked at the dev, deployment and production phases of software development to ensure the same policies are in place at all stages, including monitoring at runtime. Fugue, according to Crunchbase, had raised $85 million to date.

In other company news, Cisco Systems Inc. was reported to be acquiring Splunk Inc. for not much more than Splunk is worth today and talks reportedly broke down. This would be a major move in security by Cisco and underscores the pressure in the market to consolidate. Cisco would get an extremely strong customer base and through efficiencies could improve Splunk’s profitability. But it seems like the premium Cisco was willing to pay was not enough to entice the board to act — probably at least a few billion dollars shy of what it will take to get a deal done. We’ll discuss this later in the post.

Datadog Inc. blew away earnings again and the stock rose 12%. It hass pulled back now thanks to Putin, but it’s one of those companies disrupting Splunk. Datadog is less than half the size of Splunk in revenue, but its valuation is more than two-and-a-half times greater.

Finally Elastic, another Splunk disruptor, settled its trademark dispute with Amazon Web Services Inc. and there will be only one Elasticsearch in the marketplace now, removing confusion for customers and stress for Elastic.

Recent market pullbacks don’t diminish cyber’s long-term performance

Let’s take a high level look at how cyber companies have performed in the stock market over the past five years. The graph below shows the performance of the CIBR ETF. Note the March 2020 crosshairs signifying the start of the lockdown.

The trajectory of cybersecurity stocks as shown by the orange and blue lines surely steepened post Mach of 2020. And it has been down with the market lately, but the runup as, you can see, was substantial, eclipsing the trajectory of the previous year, thanks to the spending dynamics we talked about at the open.

Comparing the pandemic performance of SPLK, PANW, FTNT, OKTA, CRWD and ZS

The chart below shows data from six top companies we’ve been following closely in the space since before the pandemic. The top two rows show the benchmark S&P 500 and Nasdaq prices. The bottom rows list the specific stocks.

The remaining columns track: 1) The index price or market cap of the company just before the pandemic; 2) The same data one year later; 3) The peak value during the pandemic; 4) The current value; 5) Percentage change since pandemic peak; 6) The change from pre-pandemic prices in February 2020; 7) The pre-pandemic revenue multiple (using a trailing-12-month revenue metric); 8) The revenue multiple in August 2020, when multiples were really high; 9) Today’s TTM revenue multiple; and 10) Near-term growth rates based on recent quarterly guidance from managements.

Lots of data, but what does it tell us? First, the S&P and the Nasdaq are well up from pre-pandemic levels. And they’re off today roughly 9% and 15% respectively from their peaks during the pandemic.

Now let’s look at the companies by comparison. Splunk has been struggling. It definitely had a tailwind from the pandemic as all boats seemed to rise, but its execution has been lacking and it’s now 30% off from pre-pandemic levels. And its multiple is compressing, so perhaps Cisco thought it could pick the company up for a discount.

Turning to Palo Alto Networks Inc, we had reported on some of the challenges the company faced moving to a cloud-friendly model pre-pandemic and we said at the time we fully expected the company to rebound and that’s exactly what happened. It rode the tailwinds of the last two years, is up over 100% from its pre-COVID levels and its revenue multiple is expanding thanks to its healthy growth rates and strong execution.

Fortinet Inc. had been doing well coming into the pandemic – in fact, we had said it was executing on a cloud strategy better than Palo Alto Networks at the time. So it didn’t get as much pandemic momentum at first. But the company has been rewarded for executing well. And as you can see, with a 155% increase in valuation since just before the pandemic, it’s going more than OK for Fortinet investors.

Okta Inc. is a name that we’ve followed closely. The identity access management specialist rocketed post pandemic, but since its Auth0 acquisition the stock has pulled back. Investors are concerned about its guidance and profitability and several analysts have downgraded their price targets on Okta. Investors are also concerned with the tough comparisons year over year and the effects of the Auth0 ingestion.

We still really like the company. The Auth0 acquisition gives it a strong developer vector to complement Okta’s enterprise focus. We think the company is going hard after market presence and is willing to sacrifice short-term profitability. We actually like that posture. It’s very Frank Slootman-like. The question is: Does Okta have inherent profitability, meaning could the company, if it so chose to do so, dial down its spending and show a healthy profit?

We think yes. Okta is sticky. The company has a strong net revenue retention rate of around 120%. The company spends a lot on R&D –  well over 30% of its revenue  – and a whopping 55%-plus on go-to-market. It’s guiding a compound annual growth rate in revenue in the mid-30s over the mid- to long-term, and near-term should beat that benchmark handily.

But you can see the red highlights on Okta, and even though it’s up 59% from its pre-pandemic levels, it’s far behind its peers shown on this chart — especially CrowdStrike Holdings Inc. and Zscaler Inc., which has outperformed all its peers in this chart. The latter is somewhat less impacted by the pullback in stocks as fears of inflation, interest rates and a Russian invasion escalate. But these highfliers were bound to pull back. The question is: Can they maintain their category leadership? For the most part, we think, they can.

Yes, the security market got more crowded

Below is one of our favorite XY view charts with Net Score or spending momentum on the Y axis and Market Share or pervasiveness in the data on the horizontal axis. The red line at 40% indicates highly elevated spending levels and the chart insert shows how the data is plotted by each company.

Although the graph above is an eye chart, this shows only the companies ETR captures in its survey with more than 50 mentions. And there are many more out there which don’t get reported in the ETR spending data. So the first takeaway is this crowded market and with the private funding of startups it’s only getting more crowded.

The second point to note is there are a lot of companies above the 40% mark and plenty with respectable Net Scores just below. Third, check out SentinelOne Inc., Elastic N.V., Tanium Inc., Datadog, Netskope Inc. and Darktrace PLC. Each has under 100 Ns but they’re increasingly prominent in the survey and deserve attention — especially SentinelOne pos- IPO.

Zooming out… the market is still really crowded

The chart below shows the same XY view but filters the data on companies with more than 100 mentions in the survey.

The chart gets a bit cleaner but still pretty crowded. Auth0 leads everyone in Net Score. Okta is also up there, so that’s a very positive sign for the acquisition, despite its high price tag. CrowdStrike, SailPoint Technologies Holdings Inc., CyberArk Software Ltd., Cloudflare Inc. and Zscaler all are right up there as well.

Then the bigger companies come into focus. Palo Alto Networks is very impressive because it’s well above the 40% mark and it has a large presence. Microsoft Corp. is just ubiquitous.

The positions of Cisco and Splunk make an interesting combination. Both have respectable Net Scores and presence in the data. Al Shugart was the founder and chief executive of Seagate Technologies Inc. and a brilliant Silicon Valley icon. Asked if he’d consider buying a specific company he said:

If you want to know if I’m thinking about buying a company, ask yourself if it were free, would I take it? The answer isn’t always yes, because acquisitions can be messy.

In the case of Cisco and Splunk, we think the answer would be a definitive yes. It would expand Cisco’s portfolio and make it the leader in security with an opportunity to bring greater operating leverage to Splunk. Cisco just has to pay more if it wants the asset.

We asked our ETR colleague Erik Bradley what he thought and he weighed in with this comment:

Splunk isn’t growing the customer base, but it’s sticky. Cisco could roll Splunk into its security suite and expand its portfolio. Splunk is a leader in the security information and event management space and Cisco really is missing that piece. Yes, it makes sense at a discount.

Eight cyber firms on the move

Now we filter the data even more and look at some of the companies that have moved in the survey over the past year and a half. First we’ll go back to July 2020. The chart below shows the same two-dimensional picture isolating Auth0, Okta, SailPoint, CrowdStrike, Zscaler, CyberArk, Fortinet and Cisco.

Why are we highlighting these firms? Because they’ve made some major moves to the right and some even up in since last July and that’s what we show next.

Expanded survey presence for Auth0, Okta, SailPoint, CrowdStrike, Zscaler,  CyberArk, Fortinet and Cisco

Below is the data from the January 2022 survey. The arrow start points show the positions in July 2020 (from the previous chart). All these players have made major moves to the right. Why? Well, it’s likely a combination of strong execution and the fact that security is on the radar of every CEO, chief information officer, CISO of course, business head, board directors… everyone. The market momentum, especially for the leaders, is tremendous.

Auth0 has improved on its already high Net Score since the acquisition. Okta, for its part, is expanding its presence in the data set with solid spending momentum. With Auth0 that only improves. SailPoint is holding Net Score high while expanding its presence, as is Zscaler. CrowdStrike making moves up and to the right, and Fortinet is expanding while maintaining momentum. Cisco as well continues to be a trusted security player. Its notable decrease in momentum could, over time, be buoyed by an acquisition of Splunk.

Four-star security firms in Q1 2022: Microsoft, Palo Alto Networks, CrowdStrike and Okta

Let’s take a look at what’s become a bit of a tradition in Breaking Analysis, and look at the firms that have earned four stars.

Four-star firms are leaders in the ETR survey data that demonstrate both a large presence and elevated spending momentum. In this chart above we filter the firms (N>100) to isolate those companies with more than 100 responses. On the lefthand side, we sort by Net Score or spending velocity, and on the righthand side we sort by Shared Ns. We show the top 20 for each, and the red line shows the top 10 cutoff points.

Companies that show up in the top 10 for both spending momentum and presence in the data set earn four stars. If they show up in one and make the top 20 in another, they get two stars, and we’ve added one star as an honorable mention for those companies making the top 20 in both.

Microsoft, Palo Alto Networks, CrowdStrike and Okta make the four-star grade. Okta makes it even without Auth0, which has the No. 1 Net Score in this data set and 115 Shared N. So you can add that to Okta. The weighted average would pull Okta’s Net Score to just above CyberArk to take 4th place and its Shared N would bump Okta up to 3rd on the list.

Cisco, Splunk, Proofpoint Inc., KnowB4 Inc., Zscaler and CyberArk get two stars and you can see the honorable mentions with one star.

Now, thinking about a Cisco-Splunk combo, you’d get an entity with a Net Score in the mid 20s – not too bad – and they’d be No. 1 on the righthand side of this chart with the largest market presence in the survey, by far.

Expectations for 2022 in cyber

The trends around hybrid work, cloud migration and the attacker escalation continue to drive cybersecurity momentum and will do so indefinitely.

You’re seeing private companies getting gobs of money which really speaks to the fact that there’s no silver bullet in this market. It’s complex, chaotic and cash rich.

This idea of MSSPs on the rise will continue. About half the midsized and large organizations in the U.S. don’t have a security operations center and outsourcing to one that can be tapped on a consumption basis – as a service – just makes sense.

We see the momentum companies that we’ve highlighted over the many quarters of Breaking Analysis episodes as forming a strong base in the market, going for share and footprint and focusing on growth. They have good balance sheets and strong management teams and we think they’ll be the leading companies in the future. Zscaler, CrowdStrike, Okta, SentinelOne, CyberArk, SailPoint – over time joining the ranks of $1 billion cyber firms such as Palo Alto Networks, Fortinet — and Splunk if it doesn’t get acquired.

All that underscores the pressure for consolidation and M&A in the market. That is almost assured with the fragmentation of companies and so many well-funded new entrants fighting for escape velocity.

Keep in touch

Thanks to Stephanie Chan who researched several topics for this episode, and to Alex Myerson on production. Alex handles the podcasts and media worklflows. And special thanks to Kristen Martin and Cheryl Knight, who help us keep our community informed and get the word out.

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.

Here’s the full video analysis:

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Image: GraphicsRF