There has been a slew of earnings announcements in the past two weeks as companies end Q3 and move into the final quarter of 2021. All of the public cybersecurity companies are doing well — some very well. It's a good time to be a publicly-traded cybersecurity company. And more companies will be joining the party soon.
Earnings calls are one of the best ways to get a peek into a company's strategy. Looking at a group of companies in aggregate is interesting because it gives us some insights into developments across the entire cybersecurity ecosystem.
I wanted to spend some time doing a roundup of a few specific companies and trends: Mandiant, SailPoint, and Qualys for this article. I've written about Mandiant in the past. Coverage for SailPoint and Qualys is new.
This quarter is the first major grouping of earnings announcements since I started writing (we were at the tail end of Q2 when I wrote my first article). Bigger picture, I will continue expanding coverage and analysis of cybersecurity companies and their strategies.
I plan to analyze both private and public companies, similar to how I've written about companies like Okta, Tessian and more. There's a bit of runway required to reach widespread coverage, but I expect the results will be worth the time once I get there.
On to the updates.
Mandiant
It's an interesting time for Mandiant — there's a lot going on with the company. Given the amount of activity, this is a longer update.
From Seeking Alpha:
Mandiant (NASDAQ:MNDT) shares fell more than 3%, Friday, as investors had a mixed response to the cybersecurity company's first quarterly results since it was spun off from FireEye in October.
On Thursday, Mandiant (MNDT) said its third quarter adjusted pre-spinoff earnings were 6 cents a share, on revenue of $122 million, compared to a profit of 11 cents a share, on $100 million in revenue in the same period a year ago. Wall Street analysts were looking for the company to earn 6 cents a share on $120.2 million.
Kevin Mandia made one thing explicitly clear on the Q3 earnings call: expect volatility for a year or more until the post-divestiture activity from FireEye settles down. In his exact words:
We felt very confident saying that we are going to be operating margin positive from a non-GAAP perspective in 2023 because there are significant Mandiant re-launch costs that happened in Q4 and carried through 2023. So there's a little bit more noise in 2022. But 2023, we feel very good that you will start seeing pretty significant leverage each and every quarter going forward.
For investors, that's going to mean inconsistency in their financials and stock price for the next year or so. For anyone taking a longer-term outlook, these are totally reasonable expectations and part of a much bigger and exciting business strategy.
Post-FireEye revenue growth
The new Mandiant is growing at a rapid rate — especially for a company with substantial revenue from professional services. Total revenue for Q3 increased 22% year-over-year to $122 million. Annual recurring revenue (ARR) grew 26% year-over-year to $264 million.
Anything over 20% growth is great for a public cybersecurity company. Both the growth and the total amount of ARR are especially great for a professional services focused company like Mandiant. Traditional professional services firms have essentially no recurring revenue — they have to win it year over year, project after project.
Mandiant also won several projects greater than $1 million. Wins included a specific example of their productized services strategy. From Kevin Mandia:
Mandiant deals greater than $1 million grew 79% year-over-year from 14 deals a year ago to 25 deals this past quarter. The total value of these deals greater than $1 million almost doubled, growing from $24 million to $47 million year-over-year.
As an example of these larger deals, we added a new Fortune 50 customer, who in addition to our incident response expertise, asked us to help transform their security program through a "powered by Mandiant" approach that leverages our full suite of intelligence, validation, and the Mandiant Advantage platform.
The Fortune 50 security program transformation example is more important than your average citation for a customer win. This demonstrates progress towards fixing one major problem: consistency of revenue outside of up-and-down incident response services. It's also a quick win for their vision of professional services enabled by technology. As I've previously written, quick results like this are desperately needed:
Mandiant's productized services model has to start showing results quickly. If it doesn't, investors are going to view Mandiant as just another professional services firm with underperforming profitability.
Mandiant Advantage platform expansion
Mandiant announced several big plans for additional features on their Mandiant Advantage SaaS platform. The first announcement was the addition of active breach and intel monitoring:
We plan to launch active breach and intel monitoring in the first quarter of 2022. This capability enables visibility into Mandiant threat intelligence in real time. It is the functional equivalent of collaborating with our incident responders in the field, proactively checking our customers' environment with the most up-to-date intelligence available as we respond to new and novel cyber attacks.
The idea of building "the functional equivalent of collaborating with our incident responders in the field" is exactly in line with the productized services theme I've been so excited about.
The second announcement was the addition of attack surface management, driven by the acquisition of Intrigue:
Intrigue allows Mandiant to deliver attack surface management (or ASM) as another module in the Mandiant Advantage platform. ASM identifies how organizations could be compromised by identifying applications that are visible, vulnerable and exploitable, and we point that out. We have already derived significant value in our services business from this capability, and we plan to integrate attack surface management into the Mandiant Advantage platform in the first quarter of 2022.
Attack surface management is important because it's a layer deeper than pure asset management. Knowing your asset inventory is still important, but the ability to understand what could be exploited and how is valuable. As Kevin Mandia stated, it's also a driver of add-on services — someone has to prioritize and fix the vulnerabilities.
A deeper dive into the vision for the Mandiant Advantage platform is another article for another time. For now, it's encouraging to see the progress with additional platform capabilities and cohesion with professional services.
Professional services growth and opportunities
Mandiant's professional services are extremely profitable. Like, 2x or more the industry average. Margins in Q3 were 51%, which is relatively consistent with prior quarters. They're also growing at a rapid pace across both incident response and proactive consulting engagements. From Kevin Mandia:
We had a record third quarter for Mandiant consulting revenue at $61.7 million, representing 20% year-over-year growth while growing deferred revenue to $113.1 million.
While we continue to respond to very prominent and well publicized security breaches globally, we also continue to maintain a healthy balance across our services portfolio, scheduling proactive and strategic services well into 2022. Our security transformation practice grew revenues approximately 40% year-over-year.
When you're investing a ton of money in building a SaaS platform, it sure helps to have this kind of profitability in professional services to draw from. Better yet, the investments in the SaaS platform are mutually reinforcing: they create even more services revenue and higher margins.
The longer-term opportunity is productized services. Mandiant seems to understand this opportunity more than anyone else. From Kevin Mandia:
We believe we are uniquely positioned to address an enormous market need. We intend to continue automating Mandiant expertise to create a scalable, more effective platform for the next generation of security operations. I believe we are at the onset of the convergence of security automation, managed services, XDR and security consulting. And this convergence is necessary to help deliver the outcome organizations want. They want a comprehensive, effective and efficient security program that instills confidence that the organization is secure from the latest cyber threats.
...
We are building towards technology enabled services as well, where you get more leverage from the consultants. What that means is, as our consultants use the platform more and more to deliver things like Ransomware assessments or as we learn to scale managed defense with other products through our own platform, you get to see the margins increase, gross margin will get better. And at the same timeframe you just see more leverage there and more scalability. We can deliver things quicker and faster, which leads to growth.
The machinery to do this is being built as we speak, and it's already starting to work.
Partnerships
Finally, a quick word on partnerships. It was interesting to hear Mandiant's leadership team speak so bluntly about how badly FireEye handcuffed their ability to create and sustain partnerships. Kevin Mandia summarized the problem like this:
We were surrounded as FireEye. We were email security, network security, we had a SIEM, we had an endpoint. We had services, managed services, intel, we were in every single business and it made it very hard to have frictionless partners. So we have a very aligned strategic operations group to get leverage from partnerships that, historically, we haven't had.
With FireEye, they were basically competing with everyone and couldn't form partnerships. This approach works great if you're a closed ecosystem with industry-leading products in nearly every product category you operate in. FireEye was certainly not that, so the strategy didn't work.
Now that Mandiant is more conflict-free, the phone for partnerships has already started ringing:
I can't emphasize how important Mandiant being vendor agnostic is. It literally allows us... we are getting inbound calls to partner for the first time since about 2015. So now we've got leverage from partners that is possible.
This might not seem significant, but partnerships are one of the main channels for growth in the cybersecurity industry. I wrote about ForgeRock's potential over-reliance on partnerships in ForgeRock's IPO, Identity Crisis, and Path Forward:
At this point, ForgeRock is essentially locked into its partner-driven distribution model. Put differently, much of their future growth is beholden to others. The company doesn't have many options other than to accept the risk and try to keep its partners happy and engaged. Top-down sales models work — they're just more complicated and tumultuous when powerful third parties are involved.
Under FireEye, Mandiant was in exactly the opposite situation. Nobody wanted to partner with them, so all of their sales had to be driven organically. For Kevin Mandia to flat out say they got no inbound calls for partnerships since 2015 is an incredible anecdote about how difficult their situation was. Under-reliance on partners is not a recipe for success, either — as Kevin Mandia made blatantly clear.
Mandiant still has a lot of work to do to build a partnerships program from the ground up. A balanced mix of sales-driven and partner-driven growth is the path forward. The progress so far is encouraging.
SailPoint
I have been wanting to write about SailPoint for quite a while. Now seems like a great time to start — Q3 was all sunshine and roses for them.
From Seeking Alpha:
SailPoint Technologies (NYSE:SAIL) up 12% after yesterday's third quarter results beat top and bottom-line estimates.
Total revenue grew 17% year-over-year to $110.1M, above the consensus of $103.9M. The company broke even in the quarter, above the $0.07 loss expected by analysts.
SailPoint is one of the pillar companies among the current group of publicly-traded cybersecurity companies. This quarter showed exactly why. Their overall revenue growth was solid, but the fundamentals are even better. Most importantly, they're successfully transitioning to a subscription-based revenue model with a balance of product investments in their on-premise and SaaS offerings.
Transition to subscription-based pricing
SailPoint's transition to subscription-based pricing is important for both customers and the company itself. For most customers, subscription pricing is a better model than multi-year licensing contracts because they don't have to pay the entire license up front. For SailPoint, it means more predictable revenue and essentially indefinite contract lengths.
SailPoint's CEO, Mark McClain, explained more about where the company is in the transition:
Our transition to a subscription-based business model, which we outlined at our analyst day earlier this year, has happened well ahead of our initial expectations. In Q3, 87% of the total new bookings came from our subscription-based offerings, up from 82% last quarter and 72% in Q1. This accelerated timeline has been driven by two key factors: incredibly strong growth in demand for our SaaS platform, and customers' desire to procure our other products on a subscription basis. Our transition to a subscription model is, in our view, largely complete.
For SailPoint, perpetual licenses are essentially a thing of the past:
We ended the third quarter with $179 million of ARR from our subscription-based offerings, which represents an 81% year-over-year increase. Our subscription ARR consists of $132 million from SaaS and approximately $47 million from recurring term licenses.
With over $110 million of total revenue this quarter, less than 10% came from perpetual licenses. This further highlights that our transition to a subscription revenue model is, in our view, largely complete. While we expect to see the occasional new perpetual license transaction and ongoing expansion deals for current customers, our entire team's principal focus is on selling SaaS and term licenses.
Subscriptions are primarily measured in ARR, and 81% growth in that category means they're well on their way. Bigger picture, the transition in pricing model is an indicator for the company's overall shift to a SaaS mentality.
Transition to being "SaaS-first"
Companies like SailPoint, which were built and grew exclusively on on-premise software, often stumble when crossing the chasm from their legacy on-premise products to SaaS solutions. It appears that SailPoint is going to be an exception — one of the few companies to successfully navigate the transition and remain a market leader on the other side.
On the earnings call, they talked about "leading with SaaS":
That's the motion. The principal motion of the sales force today is to lead with SaaS, and we're doing that, and it's having great success, and that's demonstrated by the numbers you saw in the release today.
Shifting the mindset of the sales organization is a good start. More importantly, customers need to be in the mindset of buying SaaS. Mark McClain gave some good historical context on this topic:
We talked to the market 15 years ago, when we got this company started... it was just very clear that those high-end customers were not really interested in getting this product delivered as a SaaS offering. That has shifted. I think their preference has shifted to a kind of a SaaS-first expectation; their confidence in the kind of bulletproof nature of the security environments of the cloud providers like Amazon and Azure and Google is just very high. And so I think they trust and believe this is, in fact, a very secure way to manage it, and they get that SaaS is just a really, really smart way to do this, to continue to allow them and us to extend the product quickly and easily over time.
For SailPoint, this mindset shift to SaaS is important because they've been building their IdentityNow SaaS offering for years. They were prepared for this transition and made the appropriate investments in product.
Migrating customers from on-premise to SaaS
Even though the licensing model transition was relatively fast, the transition of customers from SailPoint's on-premise IdentityIQ product to its cloud-based IdentityNow product is happening slowly. Their strategy is clearly to let customers make the transition at their own pace, at least for the time being. From Mark McClain:
We really do want to reinforce that we're not pressing people to make this move, where we're going to increasingly think we'll hear more about their interest in it from some subset of our base. But as Cam said, there is pressure on those customers to migrate, but we do anticipate seeing a little more uptick over -- starting more next year and probably increasing, frankly, in the next few years, but still with a large IQ base probably for quite a long time in front of us.
This is probably a good business strategy given SailPoint's focus on long-term customer relationships. The nature of Identity and Access Governance (IAG) tends to be long-term usage — once the product is implemented, it's prohibitively expensive to replace. Customers remain customers for years, and possibly decades.
SailPoint's challenge with this approach is in product strategy. Continuing to make investments in building both an on-premise and SaaS product is expensive. From Cam McMartin:
And quite frankly, the fact that we continue to make investments in the IdentityIQ product portfolio, to enrich and extend the value prop there. So in both ways, that this will be a multi-year transition process.
In their case, IdentityIQ and IdentityNow are essentially two separate products with minimal overlap in the codebase. This differs from competitors like ForgeRock, who run essentially the same product on-premise and in the cloud.
A multi-year transition process with no end in sight either means continuously high expenses in developing both products or dilution of progress in both. This conundrum is more a reflection of the market than a fault of SailPoint: a significant portion of companies aren't ready to run their IAG solution in the cloud yet.
Opportunities for replacing legacy IAM solutions
Being stuck in the middle of the IAG market's on-premise to cloud conundrum isn't great news in the near term, but there is a lot of longer-term upside. Mark McClain explained exactly how far there is to go and how much opportunity remains:
I think we're in the first third of the game in terms of the amount of legacy, particularly legacy implementations in these larger enterprises, that is still yet to be turned over. And so we're pretty bullish on the number of places we think we can still take the solution in the Fortune Global 5000 around the world. I think there's a lot of installed identity products out there still from the legacy players.
Continuing the metaphor, SailPoint reached the point of being a public company with $400m in annual revenue in the first third of the game alone. They still have lots of room to grow. Even better, the COVID-19 pandemic has accelerated people's understanding of the importance of identity to a security program:
In general, this is more like a sea change of people just recognizing that identity is a vector they weren't as focused on managing well in their enterprises, and that only got exposed and highlighted a bit through the early stages of the pandemic.
...
It's just a level of awareness that so many of the bad things that happen are related to some level of compromised identity. And that's just driving a lot of focus in this area.
This trend is great news for SailPoint and any other company in the broader access control portion of the cybersecurity ecosystem.
Qualys
Qualys is one of the more mature public companies in cybersecurity, having IPO'ed nearly 10 years ago in 2012. The company's stock and overall growth have struggled in the past year — it's down 25% from all-time highs. However, positive trends in their strategy are starting to show.
From NASDAQ:
Qualys, which belongs to the Zacks Security industry, posted revenues of $104.93 million for the quarter ended September 2021, surpassing the Zacks Consensus Estimate by 0.77%. This compares to year-ago revenues of $93.07 million. The company has topped consensus revenue estimates four times over the last four quarters.
Qualys shares have added about 2.5% since the beginning of the year versus the S&P 500's gain of 23.3%.
Qualys is at an interesting juncture as a company. They have long been known for vulnerability management, dating all the way back to their beginnings in 2000 when they became the first SaaS-based vulnerability management platform. They're a market leader in vulnerability management, but the company has struggled with growth relative to top performing cybersecurity companies — just a 13.97% compound revenue growth rate over the past three years.
Qualys is a notable exception among public cybersecurity companies because they're profitable at the expense of growth. To increase growth, they are now pursuing a broader platform strategy with product consolidation as its primary value proposition.
Consolidation of security tools
Qualys is using its strong position as a leader in vulnerability management to implement a broader platform strategy. Vulnerability management is a solid foundation for expansion into other adjacent product categories because it's established and ubiquitous — every company needs to do vulnerability management, and Qualys is the tool of choice for many.
Qualys's goal with the Qualys Cloud Platform is to be at the center of a company's end-to-end security program with integrated "apps" that cover multiple needs. Their marketing headline is an accurate depiction of this strategy: "One Platform. One Agent. One View."
They believe this strategy is starting to show proof of results. From CEO Sumedh Thakar:
We believe that these new wins and expansions illustrate that when customers are ready to re-architect and consolidate their security stack, Qualys is the best cloud-native, multi-solution platform to meet their needs.
Qualys's broader thesis is that companies want to consolidate their security tools and use a centralized platform. Sumedh Thakar went into additional details about what Qualys is seeing and hearing from their customers:
What we see right now is new customers, when they are coming to us, are in the mental state where they really are looking to re-architect their security solution and look for a new vendor. And so when they see that Qualys is providing not only just a list of vulnerabilities, but the ability to patch, the ability to have asset inventory, the ability to have File Integrity Monitoring and other capabilities, policy compliance built in, that's why we see that our top new customers this quarter, as we said also last quarter, right off the bat when they buy something from Qualys, they're not just buying VMDR, they're buying other capabilities, including patch management, as well as file integrity monitoring and other solutions right off the bat. So we see that desire to consolidate, with the fact that our platform actually provides that in a seamless and easy manner. A combination of that is what we see in our conversations with customers.
The vendor fatigue is real — nobody would question the sentiment companies feel about too many vendors or the pain of integrating products. Qualys's strategy to try and address the problem is a logical one. It's also a tall order to execute successfully.
I remain skeptical about the monolithic, one-platform-to-rule-them-all product strategy in cybersecurity, at least in the near term:
The risk with this strategy is dilution: average or below-average products in multiple product categories. Market leadership in few to none.
Qualys already has market leadership in vulnerability management, so it will be interesting to see the progress they can make with their centralized platform strategy.
Entering the XDR market
Like seemingly everyone these days, Qualys is entering the XDR market. The interesting part isn't the news — it's their strategy for differentiating the XDR product from others in the market. Sumedh Thakar described their approach for differentiation like this:
Where we differentiate ourselves is in the approach that, with the Qualys platform deployed, as you see, so many solutions already consolidated on the platform, a customer who has the current Qualys capabilities already is getting all the telemetry needed... So the amount of additional information needed for correlation from third party products is limited to firewalls and a few other solutions like that.
The deployment and the value that a customer can get by being in their existing Qualys account and enabling this XDR capability, and then being able to bring in third party data, we believe is going to be very differentiating in the market, where typical XDR solutions require a lot of time to get them deployed and get them working, and a lot of professional services are required.
Qualys's strategy for entering the XDR market is a specific instance of the centralized platform strategy in practice. If a customer is using multiple apps within the Qualys Cloud Platform, they already have most of the data an XDR product needs to function. A few additional integrations might be required, but the total integration effort nets out to less because of the centralized platform. That's a pretty compelling value proposition.
Again, an interesting strategy to watch — especially in an emerging market like XDR where value propositions vary widely and remain somewhat unclear.