Palo Alto Networks: High Expectations May Be Difficult To Fulfill (NASDAQ:PANW)

Palo Alto Networks (NASDAQ:PANW) offers a broad platform of competitive security solutions. The transition from products to cloud delivered subscription services is progressing well, and this has been reflected in the share price. I argued several years ago that Palo Alto was an attractive investment opportunity as software growth was not really being priced into the stock at the time. I am more neutral on the stock now as investors may be over extrapolating recent success. Palo Alto is currently having a large amount of success due in part to the size of their distribution footprint relative to peers. With budgets becoming tighter and competition increasing, Palo Alto’s growth could be threatened going forward.

Firewall

Palo Alto started as a next generation firewall company, rapidly finding success (29% market share) despite being a late entrant to the market. Firewalls inspect traffic for things like malware, bad URLs and bad DNSs. Next-generation firewalls combine traditional firewall functionality with other network device filtering functions. They perform a deeper inspection and improve the filtering of network traffic that is dependent on the packet contents.

While this market has been Palo Alto’s traditional strength, a shift in preferred network security architectures provided Palo Alto with an opportunity to focus on software. Traffic can either be inspected with a hardware firewall, a software firewall or a SASE product. Software has a lower total cost of ownership and provides greater security, as updates can be simultaneously rolled out. In use cases where low-latency and high-bandwidth are important, like data centers, hardware firewalls may still be preferable. While the expectation is that the importance of hardware firewalls will decline over time, the transition of data and applications to the cloud has been providing a tailwind, as there is now more traffic to inspect.

Palo Alto’s legacy business may suffer from the shift to SASE, but they also have 62,000 firewall customers who they can target with software solutions. Palo Alto’s non-NGS business could be criticized for performing poorly, but this should be viewed as part of a successful business transition.

The firewall market has been hot in recent times due to strong demand and supply chain issues leading to price rises and pre-ordering. Supply issues are now moderating and deals are also receiving more scrutiny. It is fairly easy for customers to delay firewall purchasing decisions, and hence this is likely to be the most vulnerable part of Palo Alto’s business in a downturn. Long-term Palo Alto expect this part of their business to grow 5-8% annually.

Zscaler (ZS) has suggested that firewalls are an outdated approach to network security that will fade in time and that the market is currently being driven by buyer inertia. Cloudflare’s (NET) CEO is also quite negative regarding the prospects of the hardware business, believing that growth is being artificially inflated by a combination of:

• Tax changes that have incentivized CapEx
• Increased demand due to COVID and the growth of remote workers
• Supply chain issues that have possibly led to overordering

Zscaler and Cloudflare can hardly be considered unbiased observers, but the rise of cloud-based solutions along with fading tailwinds could lead to a period of poor performance for hardware sales once backlogs are consumed.

Prisma Cloud

Cloud security has a lot of aspects, providing a large market that can only be addressed with a fairly diverse range of solutions. Organizations must secure development, deployment and production processes and an average enterprise has around 100 third-party tools that they utilize, creating significant supply chain risk.

Palo Alto has been moving aggressively to address cloud security use cases through a combination of internal development and acquisitions. Palo Alto has offered workload protection and CNAPP for a while and recently introduced a cloud core security module with infrastructure as code scanning.

Palo Alto acquired Bridgecrew in 2021 for approximately 156 million USD in cash. The acquisition helps Palo Alto deliver shift left security and enables Prisma Cloud to deliver security across the application lifecycle. Shift left refers to DevOps teams ensuring application security as early as possible in the development lifecycle. Bridgecrew is now fully integrated and is being used by 65% of Palo Alto’s customers, and this potentially highlights why Palo Alto has had success in recent years. Acquisitions have allowed Palo Alto to rapidly expand their capabilities, and Palo Alto’s large customer base and salesforce ensure new products expand quickly.

Palo Alto acquired Cider Security in 2022 for approximately 195 million USD cash. Cider is a leader in application security and software supply chain security and should be complimentary to Bridgewater and Palo Alto’s recently announced Software Composition Analysis capabilities. Cider enables the visualization of a customers’ application development and deployment environment. Customers can analyze their tools, identify risks and work out how to remediate issues.

Prisma Cloud delivers security to more than 2,000 customers and half of Palo Alto’s Prisma Cloud customers are using 2 or more modules, and nearly 20% are using 4 or more modules. Growth continues to be robust, with credit consumption growing 55% YoY in Q1. Palo Alto believe that Prisma Cloud is going to be a 1 billion USD business in the next 12 to 18 months.

In the next five to eight years Palo Alto expects there to be 1 trillion USD of public cloud being consumed annually and based on their own public cloud consumption and public cloud security usage, that 5-7.5% of cloud spend should be directed towards security. This implies that 50-75 billion USD should be spent on cloud security in the next 5 to 8 years. The current market is only 2 billion USD, proving a huge opportunity for a company with competitive solutions and a large salesforce.

Cortex

Cortex is Palo Alto’s suite of AI driven solutions targeted at SOCs. It includes XDR, XPANSE, XSOAR and XSIAM. Extended security intelligence and automation management (XSIAM) moves XDR in the direction of SIEM. XSIAM is focused on acquiring data and running machine learning models on it to find and remediate problems, and seeks to automate SOC operations.

XSOAR is a “security orchestration, automation and response (SOAR) platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle”.

XDR platforms may take a closed, open or hybrid approach. Palo Alto is taking a closed approach, attempting to provide the EDR capabilities and all other detection services used to provide context. Open XDR attempts to use the XDR platform as a common layer across existing security tools. CrowdStrike (CRWD) and SentinelOne (S) are taking a hybrid approach where they provide EDR capabilities and some detection services, but also support a tightly integrated ecosystems of partners.

Cortex is another area of strength for Palo Alto, achieving greater than 50% YoY customer growth in Q4. This is a competitive market that is led by CrowdStrike, but Palo Alto has suggested the market is becoming less competitive, as it is consolidating towards a 3-4 player market. Technical evaluations suggest that Palo Alto has a competitive product, which supported by their large salesforce, should result in continued growth.

Prisma SASE

Functionally, the five main pillars of SASE are SD-WAN, firewall-as-a-service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA). Palo Alto’s SASE products include Prisma Access and Prisma SD-WAN. Prisma Access is Palo Alto’s zero trust solution, which protects application traffic and secures both access and data.

SASE is part of a broader trend towards platform solutions that consolidate vendors. The number of customers consolidating on a single vendor for cloud-delivered SWG, CASB, ZTNA, and FWaaS is expected to rise from less than 5% in 2020 to 30% in 2024. It is also expected that by 2025 70% of organizations will choose an SSE provider instead of a dedicated ZTNA vendor, up from 20% in 2021.

Palo Alto believes that there are only really 2.5 true SASE vendors currently in the market. This is somewhat dismissive though, as a number of vendors are able to offer SASE solutions through a combination of internal products and partnerships.

Some vendors, like Zscaler and Netskope, have built out their own networks, but Palo Alto is leveraging the networks of the hyperscalers. Maintaining a global network introduces a large fixed cost, but is likely to be less expensive at scale and also potentially provides performance advantages. Utilizing hyperscaler networks can provide redundancy and also lowers the barrier to entry. SASE is both a security and networking offering, which raises the question of whether companies can succeed without building their own networks. Zscaler has suggested that relying on the hyperscalers becomes excessively expensive at scale.

Zscaler is quite dismissive of Palo Alto’s solution, indicating that amongst larger and more sophisticated buyers Palo Alto isn’t a competitor. This seems to be based on a belief that Palo Alto has the wrong architecture and hence doesn’t have a competitive product. Firewall companies are more likely to be involved in deals with smaller customers though where Zscaler has had a limited presence in the past.

A significant portion of Palo Alto’s current success is likely coming from their existing customer relationships and the ability to rapidly introduce new products to this customer base. In Q1 only approximately 30% of new Prisma SASE customers were new to Palo Alto, which indicates that new customer wins are only responsible for a portion of growth. Palo Alto still has a significant growth runway within their existing customer base though as firewall customers outnumber SASE customers by 15x. SASE continues to represent Palo Alto’s largest pipeline.

Palo Alto believe that they are involved in approximately 60% of SASE deals, but aspire to hit 100%, and hope to be able to win half of these deals. SASE deals can range anywhere from 15-30 million USD and Palo Alto believe the market opportunity is 8-10 billion USD and growing double digits annually. On a like-for-like basis, SASE deals are generally 2-3x times larger than firewall deals, depending on customer requirements.

Financial Analysis

Cybersecurity has remained resilient compared to most subsectors of technology, but there has been a dip in performance at the margins. Palo Alto’s smaller customers have been more impacted than large organizations, and the slowdown has varied significantly across sectors, with technology, CPG and some parts of retail feeling the impact the most.

For Palo Alto, this is taking shape in the form of deals elongating or being structured to ramp over time. There is also now more discussion around payment terms and discounts, which contributes to the lengthening of deal cycles. In response to this softness, Palo Alto has increased their sales efforts and continue to hire aggressively.

Palo Alto is also using the large amount of cash on their balance sheet to finance customers. This is another advantage that Palo Alto has: a larger and more mature security vendor, but it also raises questions about the extent to which they are winning deals based solely on the merits of their products.

Palo Alto’s NGS solutions are expected to grow 40-43% this year and are now really driving the company’s performance. This type of growth at Palo Alto’s scale is impressive, regardless of circumstances, but it is not clear it is equivalent to companies like Crowdstrike and Zscaler. Palo Alto has a broader set of products, and hence on a comparable basis they are likely growing significantly slower at the same size. Palo Alto are also leveraging a much larger salesforce and to a large extent, selling into an existing customer base.

The number of job openings mentioning Palo Alto in the job requirements appear to be more reflective of a waning products business than a growing software business. This could be indicative of Palo Alto primarily gaining traction within their existing customer base rather than attracting new customers.

Palo Alto’s gross margins are also somewhat questionable given the nature of their business. The deterioration in product margins is understandable given recent supply chain issues. Elevated costs are primarily related to expediting orders for certain parts rather than high component costs and Palo Alto believe these pressures will ease in the next 6-9 months.

Subscription margins are well below companies like Crowdstrike and Zscaler, although the cause is not really clear. Some of this may be related to pricing and product mix, but Zscaler has also suggested that relying on hyperscalers significantly cuts into margins at scale.

Despite softening gross profit margins, Palo Alto is making progress towards operating profitability and believes they can sustain 20% operating profit margins with growth in excess of 20%. The uncertain macro environment is also leading Palo Alto to increase its focus on costs, which should yield margin improvements in 2023.

Palo Alto’s operating expenses are showing the trends that would be expected from a relatively mature organization that is executing well. The burden of sales and marketing and general and administrative expenses are declining, even though growth remains robust. R&D expenses continue to be high, but this has been necessary for Palo Alto to build out a comprehensive portfolio of solutions. With the burden of R&D expenses now beginning to fall, and Palo Alto shifting focus to costs, margins should begin to improve more rapidly.

Salesforce productivity is also likely to improve once macro headwinds begin to fade. Like many companies, Palo Alto has faced high attrition rates recently, leading to higher costs and lower productivity. A more modest hiring rate should also result in productivity improvements as a larger proportion of sales reps will be mature.

Job openings at Palo Alto declined significantly in late 2022, which could be a sign of deterioration in market conditions or may be due to management prioritizing profits over growth. Similar trends have been observed across peer companies, and hence this does not appear to be a Palo Alto specific issue.

Valuation

Palo Alto’s valuation hasn’t compressed much so far as the company’s performance has been consistent. As a result, any stumble could cause a significant rerating. The stock isn’t particularly expensive given the company’s prospects, but in the current market there are better opportunities.

Analysts are projecting Palo Alto’s revenue growth to stay fairly constant going forward, whereas growth for companies like Crowdstrike and Zscaler is expected to deteriorate meaningfully. There is clearly a discrepancy here, with either expected growth fading too fast for Zscaler and CrowdStrike or not fading fast enough for Palo Alto. This difference in expectations is likely largely responsible for Palo Alto’s current valuation.

Conclusion

While Palo Alto is not necessarily overvalued, it is no longer obviously undervalued. Unlike security peers, analysts are yet to project a meaningful deceleration in growth for Palo Alto, which could make the stock vulnerable to downgrades. Palo Alto has a large market opportunity and continues to execute, but the company is not immune to the macro environment or competitive pressures.