Earnings: February 2022 Recap

February is the busiest month of the year for annual earnings releases by public cybersecurity companies. Thirteen cybersecurity companies made their annual earnings announcements this month. We've got some catching up to do!

This article is a quick recap of four companies: Cloudflare, Fortinet, Mandiant, and Qualys. We're not going to have space to go super deep on all of them without ending up with a 10,000 word article. However, the depth is enough to pull out interesting insights about each company. We'll also cover some principles (like the "Rule of 40") that apply to the broader market.

The focus is a little more on financials than pure strategy. While I don't aspire to be a finance writer, it's an important part of understanding the business and strategy of cybersecurity. Going deeper into finance once in a while is good for all of us.

Why does the financial health of cybersecurity companies matter? As a practitioner (and definitely as an investor!), you want to work with companies who are financially healthy. That's not to say you definitely should avoid working with companies who aren't, but you need to understand the impact it's likely to have on you.

If a company is in good shape financially, they can invest in innovation, provide good service, and do all of the other beneficial things that come with positive momentum. On the flip side, companies who aren't risk acquisition, management changes, and the bad things that come from a lack of momentum.

Financial health — especially demonstrated over a longer period of time — is usually indicative of the quality and value a company provides. People vote with their money, and the law of averages tends to normalize results over time. Good marketing, hype cycles, one-hit wonder products, and other tactics can boost short-term performance. This rarely lasts without a sustainable foundation.

The companies you want to buy from, partner with, build on top of — or any other business interest you might have — are the companies that can deliver reliable long-term financial performance and growth. That's the strategy we're after. It's the reason we spend time looking at earnings, growth, and overall financial performance here.

On to the earnings.

From Cloudflare's earnings press release:

• Fourth quarter revenue totaled $193.6 million, representing an increase of 54% year-over-year; fiscal year 2021 revenue totaled $656.4 million, representing an increase of 52% year-over-year

• Record dollar-based net retention of 125%, representing an increase of 600 basis points year-over-year, driven by continued strength from large enterprise customers

• Achieved record operating cash flow and positive free cash flow for the fourth quarter; operating cash flow was $40.6 million, or 21% of total revenue, and free cash flow was $8.6 million, or 4% of total revenue

I haven't written about Cloudflare in a meaningful way yet. Their 2021 earnings release is a great place to start. Put briefly, these results are fantastic.

As I wrote about in Cybersecurity is Going Public, Cloudflare is what I called a "hybrid" cybersecurity company:

Some companies are "hybrids" — a combination of two or more traditional industries. This type of company is debatably part of the cohort of public cybersecurity companies. Opinions vary, sometimes based on financial data, and sometimes based on perception and beliefs.

They are a combination of networking and security with significant product offerings and percentages of revenue coming from both. Most industry analysts and investors classify Cloudflare as a cybersecurity company. And, as we'll discuss later, their recent actions validate this stance.

The Q4 and 2021 annual earnings call was upbeat from the beginning — CEO Matthew Prince even opened it up with a quote from Bill and Ted's Excellent Adventure. Ignoring the stock price fluctuations, the financial results all look great. Revenue growth of 52% year-over-year and gross margins of 79% are the two most impressive stats.

Don't worry about Cloudflare's losses and profitability. As long as they keep racking up 50%+ revenue growth year after year (as they have done for the last five), all is well.

The textbook way to explain why is the "Rule of 40". The rule is a financially precise (and responsible) way of managing the tension between investments in growth and company profitability. TL;DR, the difference between growth and losses should be a maximum of 40%.

Matthew Prince explained this concept in a fun way during the earnings call:

The story I told them was to imagine every year you saw your neighbor shoveling money into a machine. A year later, a lot more money came out. Year after year, the money kept piling up and getting shoveled back in.

If, one year, you look at your window and didn’t see your neighbor shoveling all the money back into the machine you would worry, what’s wrong with the machine?

To be clear, there is nothing wrong with our machine. We will continue to shovel money back in to drive innovation and reach new customers as long as we can achieve exceptional growth.

Cloudflare's money-making machine is working perfectly. In 2021, their operating loss was 21.2% of total revenue. This investment generated a 54% increase in revenue.

The Rule of 40 guideline would say a ~20% increase in revenue is good (mirroring the ~20% operating loss for a 40% difference between the two). For Cloudflare, if the rule hypothetically states 20% growth is good, an actual result of 54% growth is spectacular.

Visually, the five year growth trend looks like this — the magic of compounding in action:

Source: Cloudflare, Inc. 2021 Q4 Earnings Call Presentation

Cloudflare's long-term financial model is a perfect case study for what all of the newer public cybersecurity companies want to do:

Source: Cloudflare, Inc. 2021 Q4 Earnings Call Presentation

The imprecise timing of the "Long-Term Model" isn't important to understand the concept. The idea behind investing in long-term growth is:

  • Expenses like Sales and Marketing and G&A become a lower percentage of revenue over time as revenue growth compounds and the business scales.

  • Research and Development remains relatively stable because new home-grown products generate additional revenue.

  • Profitability (operating margin) goes up as revenue grows and expenses remain stable or decrease.

That's how great companies get built. Most growth companies try to achieve this model. Not all of them reach it. Cloudflare is well on its way.

Outside of the earnings, Cloudflare is already off to a fast start in 2022. They are clearly widening their presence in security with two acquisitions already in 2022. They're clearly committed to cybersecurity as a major driver of growth, which is why they're important to follow and understand.

I will be taking you a lot deeper into Cloudflare this year given the company's importance and impact on the cybersecurity ecossytem, so stay tuned.

From Nasdaq:

Fortinet Inc. FTNT delivered fourth-quarter 2021 non-GAAP earnings per share (EPS) of $1.23, beating the Zacks Consensus Estimate of $1.14.

Moreover, revenues of $963.6 million topped the consensus mark of $962.8 million and increased 28.8% year over year.

Strategic investments in developing powerful products and services, efforts to expand into the adjacent addressable markets and boost the firm’s global sales force aided Fortinet’s quarterly performance.

FTNT stock has gained 89.2% in the last 12 months while the Security Market industry declined 29.7% over the same time frame.

Fortinet is a steady and consistent cybersecurity industry leader that doesn't get the same level of hype as companies like Zscaler and CrowdStrike. It's easy to lose sight of this when the market focuses on short-term gains and the newest IPOs.

However, the results speak for themselves. Fortinet is currently the highest valued cybersecurity company based on market cap:

Source: CompaniesMarketCap.com – Largest IT security companies by market cap (February 22, 2022)

It's also one of a relatively small number of cybersecurity companies to increase its share price in the past year — up 81.79% as of last week:

Source: Seeking Alpha (February 22, 2022)

By comparison, CrowdStrike, Okta, and SentinelOne are all down over 25% in the past year as public markets for tech companies have taken a hit.

One of the most impressive stats about Fortinet (and bigger picture than the current year's earnings) is the overall growth of the stock since its IPO. Richard Stiennon published a helpful analysis of returns since IPO for cybersecurity companies last week. Fortinet has generated an annual return of 298.24% in its 11 years as a public company. In practical terms, $1,000 invested at the time of their IPO is worth $33,806 today. That's a fantastic return in a period just over 10 years.

From a strategy perspective, Fortinet has done an impressive job navigating the evolution in technology for their part of the ecosystem. Fortinet's original product (circa 2002) was a hardware firewall. Networking has changed a lot since then, especially looking at today's hype around Zero Trust and perimiterless security. Many companies haven't been as successful making the transition. So far, Fortinet has thrived.

To put "thrived" in perspective, let's talk about the consistency of Fortinet's profitability. They have been profitable every year since their IPO in 2009. That's 13 straight years, for those keeping score. A lot of companies can't string together 13 straight quarters of profitability, let alone years. In today's era of loss-fueled hypergrowth companies, Fortinet stands out for its textbook approach to profitability, operating margins, and steady growth.

Right on brand, their Q4 2021 financial results presentation is impressively boring...in the best way possible. The company's financials are remarkably healthy. I read a lot of these investor presentations. The usual profile is a long set of entertaining slides about strategy and possibilities, followed by financials with heavy losses. There are exactly zero entertaining slides in Fortinet's deck — just straight up financial prowess.

Revenue growth was 29%. Growth has been over 20% for four consecutive years. That puts Fortinet squarely into Momentum Cyber's "high growth" category of cybersecurity companies. And remember, that growth happened at $3.3 billion in revenue in 2021. It's a lot harder to grow 20%+ at $3 billion than it is under $1 billion because the scale is much bigger.

For context, 29% revenue growth for Fortinet is an increase of $748 million dollars in revenue from 2020 to 2021. Zscaler's total revenue for its 2021 fiscal year (reported in September 2021) was $673 million. So, Fortinet grew its existing business by more than the size of Zscaler's entire company this year. This example is somewhat contrived (and unfair to Zscaler) since Zscaler hasn't existed as long (the compounding growth hasn't caught up yet!). You get the idea, though — Fortinet is growing rapidly at a large scale.

Their margins are great for any business, let alone a hardware business. Gross margin was 77.5% and operating margin was 26.2%. Margins on their FortiGate hardware business are equally impressive: 77.3% combined for product and services revenue. You might expect lower margins for a business with heavy reliance on hardware products. That's not the case here.

As for Fortinet's strategy: don't believe any of the Zero Trust maxis who tell you hardware firewalls and networking are dead. Fortinet's product revenue grew 37% in 2021 — "product," meaning hardware revenue. That 37% growth also happened in the face of devastating global supply chain challenges for technology manufacturers. Fortinet is one of the only companies in the industry who could have pulled this off.

If you're into business strategy, Fortinet is a great company that more people should be excited about. Rote consistency of execution and financial performance doesn't get the headlines, but Fortinet is worth your attention.

From Mandiant's earnings press release:

• Revenue from continuing operations increased 21 percent from the fourth quarter of 2020

• Annualized recurring revenue for continuing operations increased 23 percent from the end of the fourth quarter of 2020 to $279 million

• Deferred revenue increased 44 percent from the end of the fourth quarter of 2020 to $410 million

• Repurchased $200 million of common stock in the fourth quarter under Board-approved stock repurchase program

However, Mandiant's 2021 earnings (which were good, btw!) were overshadowed by rumors of acquisition talks with Microsoft. Excitement around the potential acquisition, not the earnings, caused an 18% spike in the stock price.

Founder and CEO Kevin Mandia declined to comment (naturally) on the rumored acquisition during the earnings. Stoking the flames in the middle of a deal is both a risky move and a good way to kill a deal. However, he later offered this perspective to CRN:

"We run this company like it’s ours forever, and that’s what we’re going to do."

Let's quickly rewind a few months to the announcement of Mandiant divesting FireEye. At the time, I was concerned about Mandiant potentially having a short timeline for transformation:

Mandiant's productized services model has to start showing results quickly. If it doesn't, investors are going to view Mandiant as just another professional services firm with underperforming profitability.

Unfortunately, the underperforming profitability looks like it will continue until at least 2023. Mandiant's full 2021 financial statements haven't been released yet, but operating margins for Q4 2021 were announced as negative 17% on the earnings call. Their operating margin forecast for 2022 was negative 13% to negative 15%.

Mandiant leadership has been open and honest about the timeline for continued losses — this news wasn't new as of the Q4 earnings call. They're doing all they can. However, as a public company, they're in a vulnerable position until their balance between profitability and growth gets fixed.

The fixing starts with perception. This iteration of Mandiant isn't the Mandiant of old. Here's one example: do you still think Mandiant is in the professional services business? Think again. From Kevin Mandia:

"We're not a services company. We don't wake up every day and go, let's maximize services."

Mandia's dismissal of perceptions that Mandiant is a professional services business couldn't have been more clear. The shift in perception is important from a strategy perspective, and also for managing investor expectations.

As we discussed with Cloudflare, software businesses get more forgiveness about operating losses from investors. CrowdStrike is one of many examples — annual operating losses averaging over $100 million for the past five years. Forgiveness happens because losses are caused by aggressive investments in growth, which (if achieved) pay off in large and sustained profits later (another example of the Cloudflare "Long-Term Model" concept). This is one of the reasons why the perception about what type of business Mandiant is matters.

Either Mandiant is fooling themselves, or they're deeply committed to productized services. I would bet on the latter. It's the more difficult and risky option, but it's also the best strategy for Mandiant to thrive as a standalone company.

Despite the acquisition rumors, I continue to hope that Mandiant gets the opportunity to build its future vision. I still feel the same way about this statement I made in Mandiant and the Future of Cybersecurity Services:

Building a successful productized services business to address an important societal issue like cybersecurity attacks is an interesting problem to solve. In the process, Mandiant may also revolutionize the delivery model for professional services in the industry.

Disrupting or losing Mandiant's threat intelligence and incident response services in 2022 would be an incredible disservice. We can't afford to lose one of our best assets while the private sector defends itself against unprecedented foreign cybersecurity threats.

From Nasdaq:

Qualys...posted revenues of $109.78 million for the quarter ended December 2021...This compares to year-ago revenues of $94.8 million. The company has topped consensus revenue estimates four times over the last four quarters.

Q4 2021 was an interesting time for Qualys as a company who specializes in vulnerability management. When the vulnerabilities in Apache Log4j were discovered in December, companies of all sizes were scrambling to manage and patch their systems. Qualys was at the center of this flurry of activity.

CEO Sumedh Thakar addressed the topic on the Q4 earnings call:

Recent high-profile ransomware attacks and critical vulnerabilities like Log4Shell have highlighted organizations need for a scalable vulnerability management solution like Qualys VMDR that not only accurately detects these vulnerabilities but also helps reduce exposure time with integrated asset discovery and remediation capabilities.

His assessment isn't hyperbole — what he said is exactly right. Qualys proves its value when critical, systemic, and widely impactful vulnerabilities like Log4Shell happen. Smart companies always want to be as good as they can at patching and vulnerability remediation.

As we discussed in Q3, consolidation of security tools was a key theme again — clearly a central part of Qualys's strategy to advance beyond their vulnerability management origins. I was skeptical of this strategy when discussing Qualys's Q3 results, but I became more optimistic that a bundling strategy is possible after looking deeper into CrowdStrike's strategy.

Another interesting topic to highlight is Qualys's plan to shift sales from top-down to bottom-up. Sumedh Thakar described the vision for this transition on the earnings call:

Our goal is to remove friction for customers while making product expansion simple and hassle-free. A customer, who may currently only use VMDR, should be able to adopt all of our other applications with the click of a button.

This is interesting because you normally don't see bottom-up adoption done in reverse. Companies traditionally start with bottom-up adoption and add top-down enterprise sales over time as they reach larger customers. Qualys started with top-down adoption and is now trying to undo it, or at least create a better balance. The reasoning makes sense; we'll see if it works in practice.

On the earnings call, Qualys announced their new eXtended Detection and Response (XDR) product has now reached general availability. As Sumedh Thakar said, the market is still in the early innings. As I discussed previously when covering CrowdStrike's XDR strategy, companies entering the XDR market typically have existing Endpoint Detection and Response (EDR) or SIEM products. Qualys is coming out of left field (continuing the baseball metaphor) by entering the market from their position as a vulnerability management leader. The product does have some early traction, though, so it will be interesting to follow their entry into XDR in 2022.

Revenue grew 13% in 2021. The quarter-by-quarter trend was slightly upward with 16% growth in Q4. This level of growth isn't spectacular, especially compared to the likes of Cloudflare and CrowdStrike. They're firmly entrenched in the "low growth" category of Momentum Cyber's industry analysis.

However, Qualys has at least remained profitable as a company. Their situation would be looking dire if they were losing money and growing at only 13% (remember the Rule of 40 we discussed with Cloudflare?). Progress is being made, and there are some positive signs to be excited about. 2022 is going to be an important year for Qualys and their new management team.

Earnings, Earnings, Earnings

February is the busiest month of earnings announcements because it's when most 12/31 year end companies finalize their financial statements and file. However, there are still several important companies with 1/31 year ends (or later) coming up soon.

In March, I'm planning to cover a couple cohorts of companies who release earnings around the same time:

  • Identity and Access Management (IAM) companies (Ping Identity, SailPoint, ForgeRock, and Okta) all announce annual earnings around the beginning of March.

  • Endpoint Detection and Response (EDR) companies CrowdStrike and SentinelOne release their annual earnings later in March.

Both market segments are interesting to talk about. We'll spend some time on those before taking a break from earnings for a while.

Finally, if you have any specific questions about earnings for the companies discussed in this article (or others that I didn't), feel free to DM me on Twitter. I consumed a lot more information than I was able to cover in this article, so I'm always happy to talk about it.


Thanks for reading! How did you like this article?

LovedGreatGoodMehBad