Palo Alto (PANW) & CrowdStrike (CRWD) – PANW Earnings Review & CRWD/Cybersecurity Implications – February 24, 2024

Palo Alto (PANW) & CrowdStrike (CRWD) – PANW Earnings Review & CRWD/Cybersecurity Implications – February 24, 2024

Palo Alto is a cyber security company competing across endpoint, cloud and network use cases. Most of its platform is made up of integrated M&A while it competes with pretty much everyone besides identity brokers in the space. The network security suite is called Strata; the endpoint security suite is called Cortex; the cloud security suite is called Prisma.

Demand

Palo Alto missed billings guidance by 0.4%. It met revenue estimates and met its same revenue guidance.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases

Profitability

• Beat EBIT (operating income) estimates by 10.6%.
• Beat free cash flow (FCF) estimates by 3.7%.
• Beat $1.30 earnings per share (EPS) estimates & beat its same guidance by $0.16 each.
  • GAAP net income for Q2 2024 excludes a one-time, $1.5 billion tax benefit. EPS rose 39% Y/Y without this tax help.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases

Balance Sheet

• $3.3 billion in cash & equivalents.
• $3.6 billion in long term investments.
• $1.82 billion in convertible senior notes. No traditional debt.
• Diluted share count rose by 8.9% Y/Y. This must slow down.

Annual Guidance & Valuation

For Palo Alto’s fiscal year (FY) 2024, it lowered billings guidance by 5.6%. I’ll explain the reasoning for this in the next section. It also lowered revenue guidance by 2.4%, which missed estimates by 2.6%. Conversely, it raised EBIT margin guidance by 50 bps, which beat estimates by 45 bps. Finally, it slightly raised EPS guidance to $5.50, which met estimates. 

Palo Alto now expects to fall short of the 3 year demand targets it set just 6 months ago. It still expects to meet the profit targets.

The firm trades for 47x FY 2024 EPS and 28x FY 2024 FCF. EPS is expected to grow by 24.2% Y/Y while FCF is expected to grow by 16.7% Y/Y.

Call & Release Highlights

Platformization:

The theme of 2023 software earnings was the power of the platform (i.e. multiple integrated services). As I’ve discussed repeatedly, software vendors able to displace more point solutions, drive better product cohesion, deliver superior efficacy and lower cost are standing out. ServiceNow was a great example from this current season. This quarter told us that Palo Alto has more work to do in its journey of turning Cortex + Prisma + Strata into a unified, interoperable platform. Palo Alto is changing its go-to-market approach to accelerate what it calls “platformization.” This simply refers to cross-selling more of its products to clients to displace other vendors. Customers of more than 1 of its 3 platforms deliver a a 5x value boost while users of all 3 generate a 40x value boost. Cross-selling is deeply positive for Palo Alto’s business, so it’s getting more intentional about driving that trend.

Up until this quarter, it had been assuming that customers will “platformize” at their own pace. It was basically waiting for competing contracts to expire before trying to cross-sell (why?). Now, Palo Alto will get more aggressive by pursuing those customers before expiration to tee them up for more expedient up-selling. As part of this, it will offer things like free trials to signed future customers until contracts with other vendors expire. That, it thinks, will allow it to deliver proof-of-concept and easier platformization upon contract extension. This also means Palto Alto will “share in the customer’s platformization risk” via forgoing revenue for a period of time. Ideally, this wouldn’t be necessary and it could deliver that proof of concept as part of its request for proposal (RFP) responses. I guess that’s not feasible. This change will lead to billings weakness over the next 12-18 months, with growth expected to accelerate afterwards as comps normalize.

Weakness in the product/hardware revenue bucket intensified the billings guidance weakness. Palo Alto cited “competitors rolling back price increases” and participating in “rogue pricing behavior.” I’m confident that leadership was talking about Fortinet, as it told us this behavior was coming mainly from legacy vendors on the product side (so probably firewalls). This “rogueness” is yet another reason why Palo Alto wants to drive platformization. It thinks cross-selling the rest of its product suite within network security separates it from Fortinet and others. 

Leadership talked about “spending fatigue” within cybersecurity as companies push back against adding more products without realizing a positive return on investment (ROI). Platform-powered vendor consolidation is how to deliver the positive ROI they’re increasingly demanding.

“Despite many demand drivers, we’re beginning to notice customers face spending fatigue in cybersecurity. This is new. Adding incremental point products is not driving better outcomes. There’s more focus on ROI from more clients.” – Founder/CEO Nikesh Arora

These were 2 of the 3 reasons why billings guidance was so disappointing.

Public Sector Weakness:

Public sector weakness was the 3rd material source of the billings guidance shortfall. Palo Alto is struggling to close important U.S. federal government contracts. This started in Q1 and worsened this quarter. It thinks this trend will continue in Q3 and Q4. CEO Nikesh Arora blamed this on a miscalculated revenue ramp from a large program. It fully staffed up for this business, which didn’t “materialize at the pace or spending levels expected.” Arora told us that updated guidance takes a “very cautious” approach to how this program will ramp going forward. Hopefully that means PANW is gearing up for an easy quarter of under promise, over deliver.

Billings for this current quarter were in line despite these headwinds. That was related to “having to make up the billings number with shipping some non-product backlog,” per the team.

Next-Gen Thriving:

Next-Gen Security (NGS) annual recurring revenue (ARR) was the standout for Palo Alto this quarter. It doesn’t expect the go-to-market change to impact growth here all that much. It reiterated the NGS portion of its 3 year targets offered last August and didn’t cite any macro or selling headwinds for this category. It also guided to annual NGS growth of 34.5% this year. It sees NGS growing significantly as a % of total revenue; that will boost recurring revenue above 90% of total over time.

Within Network, its secure access service edge (SASE) next-gen product grew by 50%+ for the 5th straight quarter. Next-gen cloud security also enjoyed its highest new contract volume in over a year with 3+ module customers rising 60% Y/Y. 30% of its new SASE customers are brand new to the company, which shows this product becoming a solid lead gen for new clients along with being a compelling up-sell candidate.

SASE combines network security tools (like URL filtering and data loss prevention) to prevent unauthorized access, network abuse and to promote broad hygiene visibility. It’s a large chunk of its “Zero Trust” offering. Zero Trust means requiring more consistent verification after a device or user enters an environment. This ensures a bad actor cannot breach the most vulnerable piece of a tech stack and move throughout it unchecked thereafter. Zero Trust is an imperative aspect of its platformization approach within network to win vs. legacy firewall players (who lack an effective Zero Trust approach). 

In endpoint, Extended Security Intelligence and Automation Management (XSIAM) was a large driver of the biggest contracts secured during the period. XSIAM users within Cortex deliver 5x higher lifetime value to PANW vs. non-users. XSIAM is similar to CrowdStrike’s and SentinelOne’s extended detection and response (XDR) products. It infuses 3rd party data sources (beyond the endpoint) into the endpoint protection process to uplevel security and aid remediation. XSIAM bookings overall again neared $100 million for the period.

NGS powered 36% spending growth Y/Y within its 10 largest customers. It also facilitated 22% Y/Y remaining performance obligation (RPO) growth. The legacy pieces of this model are struggling; the disruptive piece of this model is working.

AI:

Palo Alto is in alpha or beta testing for its planned GenAI products. When I heard that, all I could think was “what took you so long?” CrowdStrike is already gearing up to directly monetize its Charlotte AI security assistant. ServiceNow has already debuted assistants and its Vancouver platform. CloudFlare has already debuted compelling updates to its Workers AI platform. SentinelOne is already monetizing GenAI tools too. Palo Alto should be going faster here. It has the scaled 1st party data source, the talent and the balance sheet to carve its niche within this monstrous opportunity. So, go faster.

It sees a couple of opportunities in GenAI. All of them center around demand for cloud-based app, traffic and data security proliferating. This proliferation will naturally prop up demand for products like Palo Alto’s. It also has copilots in beta testing to automate mundane and tedious security tasks.

Take & Implications for CrowdStrike & Other Cybersecurity Disruptors

This was a good quarter and a poor guide. The excuses used to explain the shortfall create new and significant execution uncertainty for Palo Alto. The company has been a remarkably consistent performer for years, and this broke that trend. One quarter shouldn’t be enough to ruin an investment case for bulls, but if I were a shareholder, this would be on a somewhat tighter leash going forward.

With that said, I think these struggles are more specific to Palo Alto rather than evidence of broader sector weakness for the disruptors in the space. I’ll frame this conversation around CrowdStrike, but I think the same idea applies to SentinelOne and also Cloudflare and Zscaler despite those two being in network security where the aforementioned discounting is occurring. So why am I not yet concerned?

First, the federal market weakness is specific to Palo Alto. The challenges that began to creep up last quarter were not at all felt by CrowdStrike. CrowdStrike, conversely, talked up robust public sector activity as contributing to its positive results. 

Next, the pricing pressures hurting Palo Alto are not within Next-Gen Security. NGS performed very well. The call made it clear that this is being felt within hardware and firewall-based revenue. Cloudflare told us nothing about pricing pressures hurting its network security business a couple of weeks ago. Fortinet has been the fundamental straggler talking about difficult market conditions. I’m confident that’s where the “rogue pricing” and competitive headwinds are coming from. That is irrelevant for CrowdStrike and the others I’ve mentioned.

Furthermore, if PANW is skating to where the puck is going by pushing to build a more cohesive platform, it’s skating to CrowdStrike. CrowdStrike routinely displaces 10+ point solutions thanks to its end-to-end cloud and endpoint security platform (called Falcon). Macro headwinds have been a tailwind for CrowdStrike’s market share gains. Why? Because of the superior value that it provides and the heightened need to seek out strong investment returns when the backdrop sours. Hints can be frequently found in the long list of Microsoft, SentinelOne and Palo Alto displacements it secures year after year and its soaring market share. 

Falcon operates under one interface, one light-weight agent and with all-but-endless 3rd party integrations. This means customers can basically have whatever they want in the Falcon ecosystem. CrowdStrike IS the overarching platform in these categories outside of network security. It then frequently works with Zscaler on the network security side to conjoin product suites in big deals and emulate Palo Alto’s 3-pronged platform.

But wait, there’s more. Palo Alto cited a pressing need to improve managed breach remediation for customers. CrowdStrike’s aggregate product bucket enjoys what most see as a material tech lead vs. the field in remediation. That lead is perhaps the largest in managed detection and response (MDR) where CrowdStrike meshes its massive data set, Falcon Threat Graph and world-class threat hunters to remove the headache from client cleanups. That’s an important pillar in Palo Alto’s platformization push, and CrowdStrike is (in my view) well ahead there.

All of the cited factors result in CrowdStrike’s unmatched recipe for growth, scale, margin, leverage and market opportunity. That’s the financial byproduct of its product suite. CrowdStrike the company is a gem and the Palo Alto report does nothing to change my subjective view there. Still, CRWD expensive! Some would say very expensive. The numbers should be very good when it reports next month. The stock could easily shrug off the positive data and healthily digest recently explosive gains. Regardless, I do not expect the results to change anything about my point of view.