This article was originally published on Forbes on Mar 25, 2020,10:18am EDT
Cybersecurity stocks were on a roller coaster ride in 2019 months before the coronavirus took hold. Last year saw exhilarating highs and sudden drops in stocks such as Crowdstrike and Zscaler with both losing nearly fifty percent of their market cap from August to October.
These companies post solid revenue growth yet their bottom lines reveal evidence of stiff competition in the very crowded cybersecurity sector.
YCHARTS
Crowded Cybersecurity Space
In 2004, the global cybersecurity market was worth a mere $3.5 billion and grew nearly 35-fold to $120 billion by 2017. As of 2018, there were up to 200 vendors competing in each layer of cybersecurity. Primary stakeholders, such as chief information security officers (CISOs), use as many as 80 security vendors across their teams.
According to Cybersecurity Ventures, global spending on cybersecurity will exceed $1 trillion cumulatively over the five-year period of 2017 to 2021. (The 80-plus vendor per CISO certainly doesn’t hurt).
Where there is 35-fold growth, startups are sure to follow. This growth helps companies out of the IPO gate while sustaining long-term can become challenging in crowded markets.
The recent RSA conference in San Francisco, one of the last to be held before the coronavirus took hold, was a reminder of cybersecurity being a peak saturation with over thirty-six thousand attendees and hundreds of exhibitors – all for a market that is roughly equal to 1/8thof Apple’s market cap (or Google, Amazon and Microsoft’s).
Solid Top Line Growth, High SG&A Costs
In Crowdstrike’s recent earnings report last week, the company reported a fourth-quarter loss of $28.4 million, or 14 cents a share, with an adjusted loss of 2 cents a share when considering stock-based compensation and amortization of acquired assets. Revenue was up an impressive 90% in the fourth quarter at $152.1 million compared to $80.5 million in the year ago quarter. This was well above the forecast of $135.9 million to $138.6 million.
There is no question that Crowdstrike’s top line is investable. Meanwhile, the bottom line may face headwinds. SG&A expenses eat at the company’s operating expenses. Sales and Marketing last year required fifty-five percent of revenue, or $266.6 million of the $481.41 in revenue. Total SG&A expenses were at $355 million, or 73% of total revenue.
Historically, Crowdstrike spent 91% SG&A to revenue in the quarter ending October 2018 and 72% in the quarter ending October 2019.
Fierce competition in a rather small addressable market was one reason I cautioned against buying Crowdstrike at the IPO. The market size for endpoint security was at $6.4 billion in 2018 and will grow to $13.2 billion by 2022, according to Statista.
Compare this to Crowdstrike’s market cap of $11 billion today with a peak market cap of $21 billion in August of 2019. In the S-1 filing, Crowdstrike states the addressable market is $24.6 billion and will reach $29.2 billion, yet this includes modules for categories that cannot stand alone.
Zscaler Inc (NASDAQ: ZS) released its second-quarter fiscal year 2020 results on February 20, 2020. Revenue grew 36% year-over-year, which is slower than the CAGR of 56% from the fiscal year 2016 to the fiscal year 2019. The company’s full-year revenue guidance of $414-417 million, which suggests a year-over-year growth of 37% at the mid-point. This was slightly better than the median analyst estimate of $410.85 million.
Zscaler’s report also shows evidence of a crowded sector that requires outsized sales and marketing expenses of $61 million per quarter, or 61% of revenue, and total SG&A at 90% of revenue.
Cybersecurity Consolidation on the Way
Crowded markets typically evolve into consolidation as startups with more advanced R&D are acquired by larger companies who need to move quickly to protect their moat. Consolidation in the cybersecurity space will make it more challenging for nimble security vendors to compete, especially because large-cap companies with moats can offer a more intrinsic approach to problems.
VMWare’s acquisition of Carbon Black in October of 2019 for $2.1 billion is an example of consolidation. Financial analysts were cautious of the acquisition, stating, “What remains to be seen is whether VMware backed the right horse in this race.” The comment refers to the very crowded space of endpoint security, where Crowdstrike, Cylance, Symantec, McAfee, Sophos, Palo Alto Networks, and FireEye all offer endpoint protection and compete.
VMware’s moat lies in its access to 70 million virtual machines and over half a million customers, which can help Carbon Black scale very quickly. After acquiring endpoint security company Carbon Black, the combined entity is now able to offer a more complete service rather than requiring CISOs to pile up on separate tools for various endpoints.
Sign up for I/O Fund's free newsletter with gains of up to 403% – Click hereSign up for I/O Fund's free newsletter with gains of up to 403% – Click hereClick here
Following the acquisition, VMware reports a new revenue line item in its earnings reports titled “subscription and SaaS revenue” in which Carbon Black’s revenues will partly contribute. This segment reported revenues of $556 million, an increase of 52% year-over-year and faster than the group’s revenue of $3.07 billion, which grew 11% year-over-year for the 4Q of fiscal year 2020.
Akamai is similar to VMWare in that they are expanding from their core products to compete in cybersecurity. Akamai is traditionally a content-delivery network and website-acceleration company. With this level of access to the edge, where most security hacks occur, Akamai has found itself in a serendipitous position to offer competitive security products, such as protection from distributed denial of service (DDoS) and website-application security.
One of the main value propositions Akamai offers is to simply reduce vendor bloat, as the company consolidates content delivery network (CDN) needs with the adjoining website security. Notably, Akamai’s SG&A expenses are 33% of total revenue with sales and marketing at 18% of revenue.
Coronavirus Selloff Will Require Conviction
Splunk and CyberArk had reclaimed 52-week highs in February prior the coronavirus selloff. Despite having a healthy competitive lead in their respective domain, both companies could not stave off the indiscriminate selling.
Founded in 2003 with a public listing in 2012, Splunk is one of the original big data platform companies that came of age at time when big data software had a long runway. The company has since expanded to security to leverage their data software as a way to troubleshoot and scan for breaches.
Splunk Inc announced its 4Q fiscal year 2020 results on March 4, 2020 with total revenues growth of 27% year-over-year to $791 million. Software revenues grew 33% y-o-y to $617 million with average recurring revenue (ARR) up 54% year-over-year.
According to Gartner’s magic quadrant, CyberArk is the leader in privileged access management. The company listed on the public markets over five years ago, posted 90% revenue growth in 2015, and has since stabilized to a consistent 20% revenue growth. CyberArk released its 4Q and full-year 2019 results on February 12, 2020. Revenue for the 4Q rose 19% year-over-year to $129.7 million with the full-year revenue growth of 26% year-over-year to $433.9 million.
Conclusion:
The coronavirus selloff will level the playing field for cybersecurity stocks. Investors will need to evaluate if their investments can overcome the risk that too much supply inherently brings to a marketplace. Expect to see smaller vendors repeatedly challenged by large players who have millions of customers. The word “moat” is popular in the financial industry, but it’s never been more important than in a crowded field such as cybersecurity.
Just to be clear: this is not the shopping list of top stocks. That’s on the way! This is an overview of the cybersecurity industry and cybersecurity growth stocks.
RSA is a popular cybersecurity conference with around 45,000 attendees. It’s a good source of information on public companies who overlap between data, cloud and security. This particular conference has quite a few executives attend compared to other cybersecurity conferences, where developers or hackers attend.
Here is a sample list of companies that were at RSA:
I met with quite a few of these companies and want to give my premium subscribers any intel that I found this week.
This is in no particular order …
1. Cybersecurity is crowded; platform consolidation will occur …
You won’t see me recommend a cybersecurity company very often under premium analysis due to vendor saturation. I’ve been to RSA and BlackHat on and off for the past few years (since 2015) and there are so many companies that it’s nearly nauseating.
Here’s a snapshot of the cybersecurity vendor landscape from 2018:
For instance, you may have noticed that I haven’t talked much about Zscaler or Crowdstrike. This is because cybersecurity is very vendor-heavy. If you do invest in a cybersecurity company, then rely on Gartner’s Magic Quadrant to help sift through the various products. Gartner does a particularly good job with cybersecurity. Okta, for instance, is a clear leader according to Gartner.
I’m especially wary of newly public security companies because they seem to have really strong numbers coming out the gate that are hard to sustain due to the competitive landscape. This is because of the crowded market; the supply is overwhelming the demand.
An investment strategy for cybersecurity should be one of the two:
a) The company is a neutral player between Microsoft, Amazon, Google, Oracle and IBM. As multi-cloud continues to grow in popularity, and also hybrid cloud, the very best neutral player in each category should do well. This is because companies will want to avoid vendor lock-in with Microsoft, Amazon and Google. One tactic is to use a vendor who works seamlessly across all of the major cloud players.
b) Look for dominate platforms who own the data, endpoints, or servers, etcetera. Expect to see platform consolidation, which is when companies who own the data or servers acquire smaller specialist vendors.
As with many tech industry verticals, the best moat comes from having the most data. As you can see from the landscape, it is much easier for a dominate tech player to acquire a cybersecurity vendor than for a small vendor to acquire data or endpoints. We saw this with VMWare and Carbon Black last year.
Putting on the Watch List
Of the companies I met with, I think the following companies are interesting for future positions:
OKTA:
Per the first requirement above, Okta is the industry-leading neutral player for identity access management. They work seamlessly across the giant cloud competitors. Okta rates high on the product side by Gartner and in conversations with cybersecurity professionals.
My favorite catalyst for Okta is the blockchain. I believe this company will soar once blockchain is widely adopted. I will absolutely want to have a position before blockchain takes off and Okta may be one of my biggest blockchain positions.
(Remember that blockchain can assist centralized currency transactions and will overhaul the fees and costs associated with finance while lessening the burden on financial institutions to fight fraud. Do not think of blockchain only as crypto. Even governments will use centralized blockchain).
However, I’ve been less than enthusiastic about Okta in the past because I believe the company “is fundamentally weaker” than financial analysts believed when the valuation was incredibly high compared to its peers (I wrote about this in September).
The operating costs steepened as the company lowered EPS guidance from losses of $0.22 per share to losses of $0.45 to $0.49. Most importantly, the company has high sales and marketing costs at about 66% of revenue (they reached 85% of revenue in the quarter ending April 2019).
That shows the tough battle they fight in the competitive cybersecurity field. At the time, I said that Okta would need to continue to spend heavily on S&GA or R&D to maintain its leadership position. Subsequently, the company is expected to report more losses this year.
Increasing losses is not necessarily a reason to not invest. To me, it shows the battle Okta fights in basic supply and demand despite being the best IAM product on the market. Like I said, the real catalyst will be blockchain.
Takeaway: I’d like to get a good entry on Okta and hold the stock for identity access on blockchain. We will publish a PDF if/when we initiate and Knox will update on an entry.
SPLUNK:
Splunk and Elastic overlap on some customers (Elastic is more search but they do overlap). I initiated coverage on Elastic and recommended a position because one of my favorite setups is a small company eating market share as a unique pureplay with few competitors.
Although Splunk may not be as agile as Elastic right now, there are some important merits to the company’s position. The first thing to note is Splunk’s ability to successfully pivot and expand the addressable market. The company expanded to include SIEM about two years ago and security now makes up a large portion of the business.
Spunk’s three products are: data platform, analytics and security operations. Splunk fits #2 in the investment criteria due to being a company who has the data. It’s an easy transition for Splunk to expand beyond being a data platform and analytics to also help with security operations as they can offer automation rather than incident response.
Examples of customers for Splunk’s data and security operations include: monitoring for fraud in wire transfers or monitoring for patient record snooping in hospitals. SIEM is complimentary to endpoint security (Crowdstrike), network security and identity access (Okta)
Overall revenue is growing around 30-35% with software revenue growing 40-50% year-over-year. Annual recurring revenue is at 86%. This ARR is actually decent for a company as old as Splunk (founded in 2003; went public 2012) as ARR declines over time.
Takeaway: Splunk may not be the most exciting growth stock but it’s stable and steady. I don’t think there will be any major bullish or bearish surprises on the product level but it is worth keeping on the radar for the reach it has with data and now security operations.
F5 Networks:
The only reason I would recommend F5 Networks is for the potential catalyst of 5G. Otherwise, the company has been posting a slim 2-5% revenue growth year-over-year since 2015.
Regarding 5G, the company recently partnered with Rakuten to eliminate the need for coaxial or fiber cables to offer 5G in homes. Network functions virtualization (NFV) architecture reduces cost of ownership. By combining software and hardware, 5G networks can scale quickly especially in densely populated areas. This framework is also compatible with future edge computing.
AT&T plans to have 75% of their network virtualized by 2020. For F5, smaller global networks are key to growing this area of its business. Security is also baked in as AT&T states, “virtualization could be the most crucial advancement related to 5G security, for both the provider and their enterprise customers.”
Takeaway: There are competitors in NFV but F5 Networks could potentially stand out for their strength in security. Due to F5 Networks lack of growth in other areas, I would need to see more progress here before initiating — but it’s definitely something to keep on the radar as any decrease in infrastructure costs for 5G is bound to be a growth driver.
More info to consider:
SLACK:
Regarding Slack, I’ve mentioned before that we are very early to business messaging and the real use cases are yet to come. The RSA conference helped solidify an even stronger conviction in Slack as security companies discussed integrating Slack as the messaging notification system for monitoring anomalies – i.e. when an anomaly appears, the team will be notified via Slack rather than email as the response is statistically faster. This is already happening with one or two companies.
Although security companies also integrate with Microsoft Teams, it’s worth relaying that in presentations they only mention “Slack.” This is because Slack is more universal and does not force an ecosystem lock-in.
VMware and Carbon Black
I think VMware and Carbon Black may become a serious competitor to Crowdstrike. This is due to VMware having access to millions of machines and having a neutral position across the various cloud infrastructure companies. Although Crowdstrike and Carbon Black are competitive on endpoints (Crowdstrike was beating Carbon Black in the market), VMware is clearly stronger on the server level. This acquisition was completed in October.
CROWDSTRIKE:
Crowdstrike is a top-rated stock on our cloud software spreadsheet for revenue growth, even beating out Zoom Video, Datadog and Slack. The fundamentals rank high right now. With that said, I can’t quite get over the fence with Crowdstrike as a solid long-term play and have to make these tough choices sometimes especially as we have initiated on many others ranked high on revenue.
The Elastic stack includes Elasticsearch, Logstash, Beats and Kibana.
Elastic has partnered with cloud infrastructure companies, such as Microsoft Azure, Amazon AWS, Google Cloud and Alibaba Cloud. The Elastic Stack works well with Kubernetes, which is the machine learning powerhouse for containerized applications.
Elasticsearch:
Elasticsearch is the core product and search engine that allows for storing, searching and analyzing data.
Google search is built for users to query hundreds of thousands of terabytes of HTML data (or about 20 petabytes per day). In contrast, Elasticsearch is built for developers who need to design more complex application searches. For instance, Elasticsearch can forecast data center storage capacity with queries or can search customer sentiment that is determined by natural language processing.
To further illustrate, here are some examples of how Elasticsearch is used today:
Business-to-consumer:
• Pairing a passenger with an Uber driver with search
• Recommending grocery items on Instacart
• Matching online dating profiles for Tinder dates
• Processing billions of log events for Sprint to monitor outages
• Processing billions of log events for Fitbit, which has a rate of 250,000 logs per second, to enhance data discovery and validate failures
Business-to-business:
• E-trade uses Elasticsearch to identify trading anomalies across 115 terabytes of data
• Adobe uses Elasticsearch to search across both textual and non-textual formats, such as images, videos, 3D templates. This helps assist computer vision, which trains computers with ML to have a high-level understanding of non-textual items. This is done at a rate of 600 queries per second and an ingestion rate of 25,000 per second.
• Blizzard uses Elasticsearch to make sure their games are running at peak performance
• Cox Communications and TV2 use Elasticsearch to analyze billions of content delivery logs
• John Deere uses Elasticsearch to handle 18 billion documents and 11 terabytes of data storage, running 20,000 events every second. This helps to support remote management, variable rate application and field and water management.
Products such as Elastic Cloud Enterprise allows companies to run the entire stack in the cloud with a SaaS offering. The Elastic Stack is also available on-premise, or a hybrid of both. Elastic Cloud Kubernetes extends the Elastic Stack for use on cloud native technologies and containerized architectures.
Logstash and Beats:
Logstash and Beats are ingestion tools that can be put on thousands of applications to query external systems. From the examples above, John Deere is ingesting data from thousands of external sensors in the field, for instance. This helps complete the stack for the optimal use of Elasticsearch.
Ingestion can become quite technical. For instance, eBay uses Beats to break down the silos from containerized machine learning platforms, such as Docker and Kubernetes. This helps to automate application deployment and keep up with fast-evolving application lifecycles. The Beat product also has an auto-discovery feature to ingest newly discovered workloads, to collect and enrich data, and to send to the internal monitoring system.
In eBay’s case, the company built a way to tag the metadata from Beats auto-discovery so that users could access the information with familiar labels. A real-life example of this might be analyzing data from website logs, call centers and competitor website scans with the end result being a system that can the difference between skis named SALOMON QST 92 17/18, Salomon QST 92 2017-18 and Salomon QST 92 Skis 2018 – and also measure rising popularity perhaps with social media.
Kibana:
Kibana is a free, open source tool that integrates tightly with Elasticsearch.
The visualization and exploration tools include interactive charts, mapping support, pre-built aggregations and filters, plus easily accessible dashboards. Elastic allows enterprises to pull more data in for visualization purposes with products such as Elastic Cloud Enterprise or Elastic Cloud on Kubernetes.
SECTION 2: Elastic Fundamentals
A major fundamental risk for Elastic is that revenue growth may not be rewarded in 2020 as we’ve seen plenty of evidence that investors’ appetites are turning more towards profitability, which Elastic is far from reaching.
The market was not kind to Elastic in 2019. Tech growth companies with negative earnings that did not have a perfect earnings report were penalized last year. Elastic was no exception.
Analysts are projecting EPS estimate of negative -$1.35 in fiscal year 2021 compared to negative -$1.22 in fiscal year 2020 ending in April. Revenue in fiscal year 2020 ending in April is estimated at $416 million and fiscal year 2021 at $567 million. The company has $307 million in cash and $42 million in debt.
The stock has a 52-week high of $104 in July and hit a new 52-week low of $61 a month ago on December 5th. The most recent earnings report revealed a slowdown in annual billings from 53% in the year-ago quarter to 45% in the most recent quarter. The company beat on all other estimates, including revenue, EPS and net expansion rate – which is phenomenal at 130. Despite this, the billing slowdown was enough to cause a 20% drawdown on stock price following the earnings report, from $78 to $61.
The recent drawdown has resulted in Elastic trading at one of its lowest valuations yet as a public company. The stock is currently trading at 12 Forward EV/Revenue with an enterprise value of $5.03 billion. When considering revenue growth, this is an attractive valuation as Elastic is reporting 59% YoY revenue growth. Notably, revenue has decelerated from 79% YoY in early 2018 — yet has remained stable at 59% for the past three quarters.
So, the question that remains, will Elastic have an earnings surprise, which is the purpose of this report. There is an important catalyst to consider, which I’ve outlined below. I believe it’s highly probable that Elastic’s fundamentals improve in the coming year due to its entry into endpoint security.
Market Size & Competitors
Determining the market size for Elastic is challenging for a few reasons. The first is that the company does not neatly fit into a specific category. In fact, the company is absent from Gartner’s magic quadrant for Insight Engines, although Elastic is mentioned as the brains behind two products on the quadrant: Intrafind and Lucidworks. Here is what Gartner says about Elastic:
“Of the vendors most often shortlisted by the reference customers we surveyed, Elastic (Elasticsearch) appears in the top five, and Apache (Solr) in the top 10. Neither Elasticsearch nor Solr are considered insight engines — extensive development is required for them to meet the market definition. However, they do provide highly effective search engines for those seeking only search capability or wishing to undertake development. Consequently, they form a foundational layer in the stacks of a number of commercial insight engines, including two in this Magic Quadrant: Lucidworks and IntraFind.” Of the vendors most often shortlisted by the reference customers we surveyed, Elastic (Elasticsearch) appears in the top five, and Apache (Solr) in the top 10. Neither Elasticsearch nor Solr are considered insight engines — extensive development is required for them to meet the market definition. However, they do provide highly effective search engines for those seeking only search capability or wishing to undertake development. Consequently, they form a foundational layer in the stacks of a number of commercial insight engines, including two in this Magic Quadrant: Lucidworks and IntraFind.”
According to Jefferies’ analyst John DiFucci, Elastic’s addressable market is around $40 billion and could double to $71 billion by 2022. He cites the technology is only limited by the “creativity of the customers.” I agree that the limitations for Elastic’s growth will eventually lift as we are in the early stages of machine learning (ML), computer vision and natural language processing (NLP).
ML and NLP are two markets that will grow rapidly over the next decade, with Elastic a recipient. NLP will grow from $3 billion in 2017 to $43 billion in 2025 (source: Statista). Research on Global Markets estimates ML will reach $19.4 billion by 2023, at a CAGR of 48.3%. Big data analytics is quite large at $168 billion in 2018 and forecast to grow at a CAGR of 13.2% to $274 billion by 2022. Elastic sits somewhere between these three markets.
The companies listed on the Insight Engines magic quadrant are not direct competitors. Rather, I would consider Splunk the biggest competitor as their customer value proposition of providing log analytics most closely overlaps. Elastic Stack and Splunk frequently compete for customers. According to developers who work with the products, Splunk is more mature while Elastic is more flexible due to its roots in open source. Other competitors include Sumo Logic on the enterprise side and Greylog on the open source side. The Elasticsearch open source tools are also available through Amazon without the need for enterprises to upgrade through Elastic (although the more optimal experience is with Elastic Stack).
SECTION 3: Endpoint Security
The log management and analytics dashboard offered by both Splunk and Elastic has evolved into an important secondary offering for Security Information and Events Management (SIEM). In other words, because these companies monitor so many endpoints for data ingestion, the platforms are also useful for security monitoring.
By using Search Processing Language (SPL), log management systems are able to perform high-order security analysis and assessments regarding the collective state of these systems from a single interface. For instance, Elastic has been used for threat protection by organizations such as the University of Indiana to monitor hundreds of thousands of devices across students, faculty, and staff.
In October of 2019, Elastic closed the acquisition for Endgame, a leader in endpoint security for $234 million. This followed Elastic launching a Security Information and Events Management (SIEM) product in June. Endgame has enough credibility to be used by the U.S. Navy and the U.S. Air Force.
To raise the stakes, Elastic will be the first to charge for endpoint security by the amount of the data stored rather than by machine. This will allow companies to scale endpoint security more efficiently and will help Elastic compete with Splunk.
Splunk was ranked number one in SIEM by market share in 2018. The SEIM market was worth $5.3 billion in 2018 and is expected to grow at a 19.7% annual rate to reach $12.9 billion by 2023. Elastic should be able to compete very closely with Splunk due to Elastic Stack having similar capabilities of ingesting data from endpoints. Even claiming a small portion of this market should help boost Elastic’s $500 million in annual revenue.
We believe Elastic’s market entry into endpoint security along with competitive pricing will be an important catalyst for the company in the near future.
SECTION 4: Basic Technical Analysis and Closing the Gap
By Knox Ridley
Elastic (ESTC) is in a clear downtrend. After testing the all-time lows at $60.10, Elastic is bouncing back towards an important resistance price region at $67.50, highlighted with a red dotted line in the chart. If Elastic can close above this price, we will likely see a closing of the gap around $77.50, which is highlighted in yellow. This move would be about a 14% move from current prices (and about 24% from its recent bottom).
Furthermore, it’s worth noting that Elastic has taken back its 10-day Exponential Moving Average (EMA) and closed just below the 21-day EMA. The volume of this bounce is on very light volume, which is descending as the price is ascending. This means that the market is not buying this beyond just a bear market bounce, and should be factored into any buying plan.
Internals (MACD, RSI, MFI)
Looking at the internal strength of Elastic (ESTC), the MACD, Relative Strength Index (RSI), and Money Flow Index (MFI) are all telling an interesting story. First off, they are all in well-defined downtrends, which is highlighted by the dashed red lines.
The RSI and MACD are also bouncing against support while trending down, and doing so at lower levels, which looks to be coiling for a move up. We will want to see these indicators break this downtrend in unison with the price of ESTC breaking out as well to indicate a possible change in trend.
The MFI, which is basically the RSI with volume factored in, is showing a positive divergence. In other words, as the price is making lower lows, the MFI is making higher lows. This is always a great indication of fading selling, and usually indicates a shift in sentiment.
Closing above the start of this gap with high volume, and internals that are breaking out would be a key pivot that would further identify that Elastic is in a new uptrend, and not just a bear market correction.
Price Symmetry
Symmetry is a very powerful force in technical analysis. When a move in a certain direction reaches the length of prior moves, we usually see this resistance zone terminate the short-term, corrective move, and signal the continuation of the bigger trend. On the other hand, if the price can break through, it’s a strong indication that the larger trend has possibly changed.
The above chart shows the length of the last correction in the current downtrend. The price increased by about 24% before continuing the larger trend to new lows. After bottoming recently, a 24% move up from the low would coincide with closing the gap just discussed. There is a lot of overhead resistance above Elastic, and until we see ESTC break above this region with heavy volume, we can only assume that this move is a correction in a larger downtrend trend.
Elliott Wave Count
Elastic’s price structure, since its IPO, has been a series of overlapping structures. An overlapping structure, where the price retreats most of the previous move, indicates the uncertainty in the market.
The above count shows Elastic is completing a corrective, 3-wave move up, which is highlighted by the red (A), (B), (C), and then began a new, corrective 3-wave move back down. In both 3-wave trends, the C wave unfolded in a 5-wave move, which is highlighted in blue and also common in 3-wave corrections. My best count has us in the final 4th wave of the C wave, which would suggest newer lows ahead.
The alternative count has us as completing the 5th wave down, which would suggest we are in the very early stages of a renewed uptrend. I have a problem with this count due to Elliott Wave rules; however, if Elastic can close the above gap on heavy volume and close above the 100% extension, I will take that as evidence that this alternative count is in play.
How to Trade
Elastic is a high conviction idea, that may take some time to play out. The market obviously hasn’t seen the value in Elastic over the past month, hence the current trend. We do not think this will last, but how early we are is the real question. Depending on your investment style, we have 3 suggestions:
Buy now and Forget: If you want to buy your position today and hold it, a good stop would be just under $53. Below here and we are entering uncharted territory with all-time lows.
Layering in: If you prefer to layer in, the same stop above would hold. Then, if Elastic hits lower, you can layer in more in the green target region on the chart, between $58.50-$53.50. if ESTC decides to continue higher from current prices, if it closes above $74.50 on heavy volume, with the internals breaking the current downtrend, then you can put the remainder of your position in with a 25% trailing stop.
We plan to trade with the layering in approach.
Wait and See: If you prefer to wait and see, I’d target the green box in the chart between $58.50-$53.50
Another day, another headline saying Alphabet’s Google and Facebook are being investigated for allegedly breaking privacy laws and engaging in anti-trust behavior.
Google GOOG, +0.95%GOOGL, +0.98% has been the subject of three antitrust investigations conducted by the European Union, resulting in more than $8 billion in fines.
Now the company, which controls 31% of global digital ad dollars, will face the U.S. on anti-trust matters. A big question is if governments will be effective, as they may not understand how social-media and internet businesses operate.
In April 2018, Congress tried to piece together how Facebook’s FB, +2.74% platform works. It ended up being a disaster. Anyone who works in the mobile-ad industry knows that the mobile device, notorious for its massive data leakage, could be used to collect thousands of data points daily to reveal personal thoughts, behaviors and political preferences.
When Facebook CEO Mark Zuckerberg answered a question on how Facebook makes money — “We sell ads, senator” — he wasn’t fooling the ad industry. It’s well aware that Facebook sells audiences and identities, as the company’s ads would be worthless without extracting data points from the mobile device and aggregating them for targeting.
This isn’t your typical targeting of pizza (or beer) ads during football games. This targeting knows you better than you know yourself, as it monitors your actions with data science and look-alike modeling.
The only force that can stand up to the complex tracking methods used by Google and Facebook will be an opposite, yet equal, force. It will not come from governments, which think that paying for search results is the problem. Rather, the problem is the pervasive code and software that continually tracks people, which no competitor can compete with.
Turns out, there is an opposite and equal force in magnitude that has chipped away at the anti-competitive tracking that occurs in the browser with Intelligent Tracking Prevention (ITP). Yet it has not done so on the leakiest device of all: mobile. And that would be Apple AAPL, +0.85%.
Pervasive tracking is anti-competitive
Facebook and Google aren’t the only companies that track users on mobile and browsers. They simply have software and code in more places. For instance, Facebook’s software is in 32% of the top 500 app market — and up to 800,000 applications. They track billions of non-Facebook users with software that can track you whether you have navigated one of their digital properties or not.
There is no way to opt out of Facebook or Google from tracking you, as their tracking is simply everywhere. In fact, security experts, including Bruce Schneier of the Berkman Center for Internet and Society at Harvard, call such tracking outright surveillance.
The incredible depth of information those giant companies have on mobile and internet users is the “moat” that generates unprecedented cash flow in advertising. Both ad-dollar machines have inertia from the data being collected, and it doesn’t appear that the EU’s General Data Protection Regulation (GDPR), anti-trust lawsuits in Europe and the U.S., or the Cambridge Analytica scandal is going to slow those companies.
The flow of data is provided by tracking code across websites. Those include the Facebook “like” button and sign-in. It’s also done through software development kits (SDKs), such as Facebook Audience Network, which is installed in 32% of the top 500 apps on the market. Google simply acquired Android to have tracking across the majority of mobile, and then went further, acquiring AdMob in 2009. That ad network was especially popular on the Apple iPhone.
The moat that Google and Facebook have enjoyed comes from having first-party relationships with nearly every user who has a smartphone. This is called first-party data and is a loophole used to collect data even after a user is on another property where there is no relationship. For instance, Facebook uses first-party data to power ads on streaming service Hulu, but at this point, the first-party relationship does not exist with Facebook’s social network once someone is on Hulu, and this is done without explicit consent (by both Facebook and Hulu). Easy-to-navigate opt-ins are not offered, as it’s unlikely Hulu viewers, who pay for the app, would want Facebook accessing their viewing data if they had to opt-in.
Privacy issues aside, there is no way for another ad company to compete when Google and Facebook collect that much data. Other companies are copying their approach by tracking users with universal ad IDs, including leveraging Apple’s Identification for Advertisers (IDFA).
Apple’s ITP prevents browser tracking
To understand how technology can neutralize tracking, it’s important to look at Apple’s Intelligent Tracking Prevention measures, which were launched in 2017. Apple’s ITP placed a limit on how long cookies are available for third-party contexts by removing third-party cookies after 24 hours.
At first, ITP did not have an effect on Google, as users of its search service and other properties visit those sites daily and, therefore, are not considered third-parties. Some critics say ITP strengthened Google as one of few remaining options to target niche audiences.
In 2018, Apple continued to battle data collection on the Safari browser by shutting down finger printing, a method of triangulating a user’s identity through fonts, screen dimensions and plug-ins.
In March 2019, Apple announced ITP 2.1, which limited first-party cookie storage to seven days. To put that in perspective, a Google Analytics cookie, in theory, would last for up to two years. Safari can now delete it within a week.
Finally, in May 2019, Apple limited tracking to 24 hours, including Google and Facebook.
We’ve seen statistics from publishers where they get half the CPM value — cost per thousand impressions — as a result of ITP’s impact. If they can’t have good targeting, some of their sites become less worthwhile for their advertisers.
Google and Facebook are the companies most affected by ITP 2.2, which was released in May 2019. Still, the companies reported record second-quarter ad revenue — $16 billion for Facebook and $38 billion for Google.
That may be due to Apple’s Safari and Mozilla having a small share of browser activity, or it could be because Facebook and Google have daily first-party relationships with users. A third possibility is that it’s too soon to understand the effects of ITP.
Keep in mind, the browser is not nearly as powerful as the mobile device.
At the Advertising Week conference in New York last week, there was a presentation by Gadi Eliashiv of Singular titled “A World Without IDFA: The Implications for Marketers.” I caught up with him after the presentation to get more background on Apple’s Identifier for Advertisers, or IDFA, and the possibility of Apple restricting the identifier. Unlike cookies on the web, where there is a tag on the browser, mobile identifiers have much stronger tracking capabilities. The identifier belongs to the device and works across applications and devices.
Eliashiv pointed out that attribution, or the tracking of advertising’s effectiveness, will always be a reality as it’s important for advertisers to track return on investment (ROI), and this ultimately supports the mobile ecosystem for the development of new apps and features. He also thought the recent iOS 13 upgrade, which offers users the option to sign into apps via an email address that Apple generates, is a way of logging into apps and getting personalized experiences without having to give up personally identifiable information.
As Eliashiv said, if it were an easy decision, then Apple would have already made it.
Apple’s chance to make a statement
As of now, Apple has no plans to remove the IDFA, although for a company that insists it is a protector of privacy, at the very least, there should be better opt-ins. The changes made with ITP on the browser may not have had a big effect. However, the implications of Apple restricting IDFAs on iOS becomes more serious with the iPhone having a global penetration of up to 20% of smartphone sales.
Even companies that have fancier IDs, such as Trade Desk TTD, +3.04%, with its Unified ID, relies on IDFA to some extent, and any changes to IDFA would limit the ability to collect and stitch together fragments about the user.
That said, perhaps Apple should have addressed those issues before hyping its privacy efforts. As of now, Apple is enabling a lot of tracking with the IDFA, and this may not be an appropriate compromise for attribution as users are completely unaware their activity can be tracked across the entire device.
Furthermore, users don’t have any method for approving the software development kits, from Facebook’s Audience Network or Google’s AdMob.
Even with anti-trust regulations, this level of tracking will continue. That is, unless Apple steps in.
Okta is fundamentally weaker than many analysts believe, making its booming stock priced to perfection.
The company was early out of the gate for cloud-subscription IPOs in 2017, and the valuation has reaped the benefits of Wall Street’s enthusiasm for subscription models. However, a reasonable price to initiate Okta as a buy-and-hold investment is now in the rearview mirror, rendering it a momentum play. That will be important for investors when they review its earnings report for the three months through July after the stock market closes Wednesday.
Okta’s stock dropped 10% on weakening guidance for both revenue and earnings per share (EPS) in the March earnings report. The stock quickly recovered, as there was little adjustment given for lower EPS guidance.
Investors put that out of their mind, as the stock recovered with renewed momentum within a few days and has not looked back. Last quarter, Okta raised its guidance to expected losses of $0.45 to $0.49 per share, although this “improvement” is relative, as the original expectations of the full-year loss was at $0.22 per share prior to the March earnings report.
Valuation has been an ongoing worry with Okta, as the company has the highest forward price-to-sales in its category, at 27, with a current price-to-sales of 34. Compare this to Workday at 12 forward price-to-sales, Veeva Systems (which is profitable) at 22, and Twilio at 15.
There is ample evidence that, although Okta is priced to perfection, it does not need to report perfection to continue its momentum. This is one red flag for a buy-and-hold strategy at current prices, but a positive sign for momentum trading. Eventually, the market will want perfection for the price it’s paying when macro conditions warrant more discernment.
For instance, many analysts are touting the stock for positive free cash flow (FCF), although this is from operating cash efficiencies. Okta does not have positive free cash flow from positive net income, which is something financial analysts are writing out of the script entirely.
Free cash flow becomes more indicative of financial health when net income is positive; to separate the two underweights profitability, which is a mistake for buy-and-hold investors (or analysts) when evaluating the stock. Free cash flow positive is much more celebratory when net income is positive.
In fact, Okta suffered a record net loss in the fiscal first quarter that ended in April. Okta’s loss widened nearly 200% year-over-year, to $51.9 million. This led to diluted EPS of negative 46 cents, compared with negative 25 cents in the year-earlier quarter.
Lastly, Okta is no longer a debt-free company and is carrying $275 million in convertible senior notes.
Wall Street is laser-focused on Okta’s top line, and is a little blind-sided to the bottom line as free cash flow and subscription growth were the only touted highlights from last quarter’s earnings report.
Okta posted 53% year-over-year growth in subscription services to $108.5 million, while professional services revenue grew 15% to $7 million. Total calculated billings hit $158.9 million, with trailing 12-month subscriptions jumping 55% to $488.2 million.
The increase in net losses from the most recent quarter was under-reported due to subscriptions driving revenue growth of 50% year-over-year.
In the upcoming earnings report, the bar for revenue is set to less than 40%, which is an easy hurdle for a subscription cloud company that has been posting 50%-plus revenue growth for many consecutive quarters.
In Okta’s case, there are two areas I am watching more closely, as spending is substantial and executive decisions are slightly unusual.
The first is sales and marketing expenses, which are nearly two-thirds of revenue. At Workday, sales and marketing comprise 30% of revenue, Twilio is at about a third and Zoom Video Communications is at about half.
This signifies Okta needs to spend a lot to scale and maintain its footing. Selling, general and administrative (S&GA) expenses were nearly 85%, or $107 million, of $125 million in total revenue in the most recent quarter. Notably, Okta’s S&GA and research and development (R&D) exceed revenue at 114%.
The second clue is a few recent acquisitions that will hurt Okta’s financials. For instance, Okta’s $52.5 million purchase of early-stage startup Azuqua will dent operating expenses. (Early-stage startups tend to have thin margins, although exact numbers from Azuqua weren’t provided.)
There is also a recently announced $50 million venture fund. Creating venture funds is typically a positive, as companies including Twilio and Workday also have created venture funds to help incubate firms that use its product and services. However, in Okta’s case, it’s funding startups to help innovate the core product, which is concerning because Okta is not even profitable yet and is already looking for help to iterate the core product, rather than incubate to increase demand in the market.
Looking deeper, I believe Okta is throwing a lot of weight into product because the mega-cap cloud server companies are in the identity and access management (IAM) market. Okta has to provide a compelling reason to use an add-on service to Microsoft Azure, Google Cloud, Amazon’s AWS and IBM Cloud rather than use the in-house identity and access management service.
See: Beth Kindig runs a premium service that includes a forum on tech stocks where she answers questions from readers. See: Beth Kindig runs a premium service that includes a forum on tech stocks where she answers questions from readers.
Okta does have a competitive advantage due to its superior product, which is confirmed by third-party analysts Gartner and Forrester. The one issue to consider for the long term is that larger rivals are going to protect their turf. Cloud infrastructure is a revenue segment that will determine the world’s most valuable company over the next few years, and Okta has an incredible feat ahead to remain more agile and to iterate faster than opponents that have bottomless amounts of cash. On that note, Okta could make a great acquisition for one of those companies, though any prospective suitor would have to overpay.
Okta is unlikely to miss estimates on revenue as the subscription model helps protect growth, yet other line items may continue to miss or weaken. Okta has no choice but to spend heavily on its market position — either through S&GA, R&D or acquisitions — to fend off larger cloud competitors that are a one-stop shop for identity and access management, and are currently engaged in a battle for cloud infrastructure.
Overall, Okta became a fundamentally weaker company in the past two quarters, yet the stock price does not reflect this, which is why it makes a better momentum play than a buy-and-hold. Previous earnings reports prove that although priced to perfection, the company does not need to report perfection in order for the stock to claw at a higher price-to-sales ratio.
Crowdstrike is another Silicon Valley startup that recently went public with triple-digits across the board including revenue growth, net retention rate, and annual revenue-run rate, which may have you wondering, how does one tell all of these Silicon Valley IPOs apart? For the Crowdstrike IPO, as with most cybersecurity companies, competitive landscape is crucial and requires bulletproof product differentiation as security is a very crowded space. This analysis will look into the product differentiation between Crowdstrike and its competitors for endpoint security to achieve an understanding of valuation and to form a prediction of how Crowdstrike will perform as a public company. Addressable market will also be taken into consideration as endpoint security has demand limitations.
Overview of Endpoint Security
Understanding the basics around endpoint security is important as Crowdstrike’s strength resides in how the software uses artificial intelligence to detect breaches. Some of the company’s growth may also come from offering multiple cloud modules, which provides various product features for flexibility.
The primary category for Crowdstrike is endpoint security, which secures endpoints on a network, defined as end-user devices, such as mobile devices, laptops and desktop PCs, although endpoint security can also include servers in a data center and IoT devices. Endpoint security protects the corporate network from remote devices by securing the endpoints on the network. Traditionally, endpoint security consists of security software centrally managed on a server or gateway and software on the client devices. The server authenticates logins from the endpoints and updates the software when needed.
Crowdstrike’s product improves this process by aggregating the data from the endpoints across their entire customer base, while using AI and behavior pattern-matching to stop breaches. According to CrowdStrike, their Falcon product correlates more than 90 billion security events globally to prevent and detect threats. Relying on AI’s detection capabilities for security breaches and fraud is becoming a trend into the foreseeable future. For instance, I recently interviewed Mastercard’s Vice Chairman on how Mastercard uses pattern-matching to detect fraud and unusual behavior on my tech podcast, and has been successful in preventing high-loss activities such as money laundering as these behavioral patterns appear erratic to AI, and become easily detectable.
Crowdstrike had one offering until 2017 when the company launched multiple cloud modules to provide flexibility, which are all subscription-based. According to Crowdstrike, offering different subscription options has been successful with 47% of customers buying over 4 modules, per the S-1 Filing.
Crowdstrike IPO and S-1 Filing by the Numbers
Crowdstrike has grown at a blistering pace from $37 million in revenue in 2017 to $92 million in 2018 to $219 million in 2019. The numbers published for the Crowdstrike IPO show an undeniable triple-digit growth trajectory, but keep in mind, that cybersecurity is a crowded field with many players dealing in endpoint security – more on this below.
Loads of Competition:
Endpoint security is a crowded space. Not only do you have incumbents like Symantec, but you have small to mid-cap companies – both public and private. The market size for endpoint security was at $6.4 billion in 2018 and will grow to $13.2 billion by 2022, according to Statista. Meanwhile, you have more than 20 companies competing for the $7 billion slice of pie. This is the bigger concern for Crowdstrike. Investors in Crowdstrike will have to believe that crowdsourcing endpoints and scanning for breaches with AI is enough of a differentiator to pull ahead and maintain a lead.
Assuming Crowdstrike claims the entire endpoint security market, the current valuation impedes investor returns. The market cap for Crowdsrike is at $14 billion, at time of writing – or 200% of the current addressable market and over 100% of the addressable market for 2022.
This is not the addressable market in the S-1 filing, however, which is listed at $24.6 billion in 2019 and expectations to reach $29.2 billion in 2021. The addressable market that Crowdstrike claims is a bit distorted, in my opinion, as it aggregates various forms of revenue streams (which are not later broken out in the S-1 filing). For the most part, Crowdstrike is considered an endpoint security product and frequently ranks on analyst reports for this category. There is very little mention of Crowdstrike ranking in any of the other categories which are being used to stretch the addressable market, notably, threat intelligence, security and vulnerability management, IT service management software, and managed security service.
We have some indication that 47% of customers bought over 4 modules, per the S-1 Filing, but it’s unclear if these modules should fall under the endpoint security addressable market rather than under separate addressable markets as these modules cannot stand on their own. This is paramount to valuing the company (is Crowdstrike endpoint security or should it be placed under various categories) as the growth for endpoint security is too lean to have this high of a valuation.
Meanwhile, other cyber security companies such as Carbon Black, Trend Micro and Palo Alto Networks have not don’t particularly well on the public markets recently relative to other tech investments.
Carbon Black went public in 2018 in the $23 price range and is now trading at $15 due to a shift to cloud and other challenges required to keep up with competition. CarbonBlack is going through a “significant corporate transition,” consolidating its offerings into a cloud-based security platform, which confirms the competitive environment.
Trend Micro is the third-largest vendor in the Endpoint Protection Platforms (EPP) market and has a market cap of about $6.3B and has traded sideways for years between $30-$50 with a peak in September/October this year at $60 but saw a correction and resumed the $45 price.
Palo Alto Networks provided weaker guidance in the most recent earnings report and we’ve seen the price drop over the last month from $250 to $195. The company is also transitioning to the cloud and undergoing changes that impacted the recent earnings.
Conclusion
Crowdstrike’s IPO financials sparkle with triple-digit growth percentages across the board, as do many startups going public this year. However, the competitive landscape is fierce and the addressable market of $24 billion provided in the S-1 filing questionable. Perhaps the cloud modules expand the endpoint security addressable market beyond the $7 billion size, but not by much in the current calendar year as endpoint security platforms are more of a value-add than a sum of the aggregate security markets. In addition, cybersecurity is a lukewarm market compared to hotter tech industry verticals. The cloud-level AI aspect to detecting breaches is very interesting for future years, however, I am respectfully on the sidelines for now.
This is the second article in a 2-part series. The first article “Best Bet for Growth Stocks in 2019? Secular IaaS.” can be accessed here.This is the second article in a 2-part series. The first article “Best Bet for Growth Stocks in 2019? Secular IaaS.” can be accessed here.here.
One reason for Microsoft’s success with growth rates of 76% in the last two quarters is the company’s hybrid approach. This approach helps customers keep their most sensitive data on their own servers while sending workloads that have advantages as cloud apps, such as real-time data analytics, to Azure. This, in turn, has caused Amazon to chase Microsoft with recent efforts to improve its hybrid solutions.
The Department of Defense is a perfect example of an entity that would want to keep its most secure data with on-premise servers while leveraging the cloud for artificial intelligence and machine learning. Fortune 500 companies with substantial IP are another example of who would require on-premise security.
Understanding hybrid is key because it gives transparency into how companies with big budgets think and how they evaluate the cloud. Security is clearly a concern as on-premise servers continue to be in demand as a counterpart to the public and private cloud. Therefore, small to mid-cap companies which help to make the cloud more secure have room for near-term growth.
Additionally, the strengths and benefits of the public and private cloud include mining data more efficiently and improving accuracy and also productivity. Therefore, any small to mid-cap companies that assist with data insights or improved work flows will have room for near-term growth. For example, SalesForce is a major growth story that came from improving both the accuracy of sales targets and productivity of sales teams.
Below are a few of the more popular stocks in the cloud space. Although it is my belief some of these are overbought, and will have to prove themselves if we do go through a bear market, it most certainly doesn’t hurt to have them on the radar and to look for the right entry point.
Okta and Zscaler are both in cloud cybersecurity. Okta is in the identity and access management market which secures access to APIs, provides single sign-on, and prevents data breaches by protecting identity credentials through multi-factor authorization.
Zscaler is a “zero trust security architecture” that verifies identification and access. Currently, most companies use a virtual private network (VPN) as a security architecture and Zscaler improves on this by leveraging the cloud rather than physical or virtual appliances.
Risks: One of the greatest risks to these companies is the ongoing competition in cybersecurity. Cybersecurity, in general, is a hard space to create a competitive moat. In Okta’s case, the tech giants can duplicate the majority of these services. An acquisition, especially talent based, would be a good outcome for Okta. In Zscaler’s case, a competitor could come in and create a pricing war. I also noticed recently that insiders of Zscaler have been selling their stock – one at $2.1 million in stock and another at $4.5 million.
Twilio is a common household name in the San Francisco and Silicon Valley area due to a well-run developer evangelism team. This company was heavily promoted at every developer conference over the last 10 years and you can bet that most of its revenue comes from a very loyal fan base. Twilio’s cloud products are voice-based and SMS/text messaging based, as well as other communication functions through APIs. The translation here is that you can essentially make phone calls and send text messages in the cloud, for instance, like when you call or text through Lyft’s ride share app. Developer-led technologies with strong adoption and loyalty are hard for competitors to shake. In fact, it’s one of the primary key metrics I look for when making tech stock buys.
Risk: There could be a point where artificial intelligence begins to eat into Twilio’s market share. Any manual requests by users or communication done through texting, for instance, will be replaced with highly accurate voice commands. We will speak what we want rather than type what we want. Google, Amazon and Apple are quickly building this out, and the accuracy will be nearly perfect. You can read more on my analysis about the rise of AI assistants here. Twilio has clearly had amazing returns of 335%, so if you got in early, you’re high-flying right now.
My newsletter subscribers get this information first. Sign up here.My newsletter subscribers get this information first. Sign up here.here.
Slack is also a common household name in the San Francisco and Silicon Valley area, and the 8 million subscriber base in 2018 includes 50% global teams in Europe and Asia. Slack is a collaboration hub for work that lets you communicate across multiple team members without having to create long and confusing email threads. There are many productivity features such as sharing files, making calls in-app, and having separate work spaces and threads. Programmers were especially fond of Slack in the beginning and now it’s caught fire across all departments. In fact, I’m currently logged into Slack as I type this communicating with my team.
Risk:Slack filed for an IPO this week, actually. The company is choosing to do a direct listing which introduces risk as the founders and VCs don’t have to wait to cash out of the shares they sell. For obvious reasons, it’s better to have the founding team be in the same sink-or-swim boat as its stock investors (if you don’t believe your company will have returns over the next 6 months, why should I?). Direct listings for buzzy tech IPOs are relatively new, and I’m still a bit weary of them. That point aside, Slack does have serious potential for growth.
Veeva is disrupting the pharmaceutical and life sciences industries by assisting with sales and operations while meeting health industry regulations. Veeva has a history of being an outlier with no competition to speak of, and is one of the rare companies that was already profitable when it made its public offering in 2013. Today, Veeva is close to securing the fifth spot for a cloud software company to reach $1 billion in revenue. If Veeva does hit TAM, an exit strategy could be a solid acquisition for deep pocketed Walgreens, CVS or Amazon who has big ambitions to get into pharmaceuticals.
Risk: The major risk to Veeva is the current valuation and total addressable market as they are targeting a specific industry. With a PE ratio hovering around 100 and price to sales of 19, this stock is priced to perfection. Quite a few tech stocks that came of age during the bull streak (for Veeva this was 2013) may have an awakening ahead of them. If there is a good entry point, Veeva’s revenue growth will continue with analysts projecting revenue to “reach just over $2 billion by fiscal 2024.” As an individual investor, I have to make sure the first $1 billion in revenue is priced right with a fair valuation or the second billion in revenue (projected to be five years from now) won’t matter for my returns.
Workday is a cloud platform that increases productivity across HR and finance. This is done through machine learning, analytics and real-time reporting through a cloud platform. Products include financial management and human capital management. Workday is a large cap company and is ranked as the 27th largest internet company by revenue and is one of the first five cloud software companies to achieve $1 billion in revenue.
Risks: Similar to Veeva, Workday came of age during a raging bull market in 2012 and its valuations reflect this. It saw an 83% increase the day of its public filing and went on a tear in 2017/2018. The 52-week low is $107 and its current price is $186. With a price to sales ratio of 15, and no P/E ratio to speak of, I think we will see a better entry point than where it currently stands.
New car firms such as Tesla are promoting increasingly high-tech features that require a connection to the internet, which has propelled cybersecurity in connected vehicles forward as a major safety feature. Last year, Chinese security researchers from Keen Security Lab successfully managed to hack a Tesla Model S from 12 miles away. By focusing on Tesla’s on-board software, the hack targeted the car’s controller area network, or CAN bus, which connects the chips found inside the cars. In this hack, the Model S P85 and Model 75D were targeted. Tesla continued to make news in 2015 for safety concerns in cybersecurity of connected vehicles. In November 2016, security personnel from the Norwegian company Promon were able to use the Tesla’s Android app as an entry point to successfully hack the vehicle. What’s more, using the features in the app, the hackers were able to locate the vehicle, unlock it and drive away unhindered.
As GM CEO Mary Barra said in a keynote speech, “A cyber incident is a problem for every automaker in the world. It is a matter of public safety.” As Tesla, GM and many others continue to release connected vehicles, the dangers of cybersecurity are very real. In fact, more than half of the vehicles sold today are connected and vulnerable. This threat will only grow as manufacturers begin to release autonomous vehicles.
Cybersecurity in Connected Vehicles and Mobile Applications
While gaining access to, and being able to control or steal, a vehicle such as a Tesla is disturbing enough, it raises several concerns about not only cybersecurity in connected cars, but also the mobile applications that extend the features of these vehicles and others. In fact, mobile apps are quickly becoming the main target for malicious behavior. Over the last four years, there has been a 188 percent increase in the number of Android vulnerabilities and a 262 percent increase in the number of iOS vulnerabilities. In addition, according to Gartner, 75 percent of mobile apps would fail basic security tests.
Digging deeper, Veracode found that four out of five applications written in PHP, Classic ASP and ColdFusion failed at least one of the OWASP Top 10, implying that many web-based applications and websites contain security vulnerabilities. More than 80 percent of mobile apps on both the Android and iOS platform revealed cryptographic implementation issues. This attempt to protect and then doing it poorly highlights the importance of updated training and tools to aid these feature developers as they target secure and protected applications.
Recently, Android malware has become more stealth. Last year, in 2015, malware began to obfuscate code to bypass signature-based security software. Despite Google’s response to critical vulnerabilities and patches of critical issues in the Android OS, end users are still dependent on device manufacturers for these updates.
Tesla and other automobiles today can have the computing power of 20 personal computers and feature 100 million lines of programming code. While features such as web browsing, Wi-Fi access points and remote-start mobile phone apps, help to enhance the enjoyment of the vehicle, they also add more opportunities for advanced attacks. In real life, thieves are hacking keyless entry systems in the UK to steal cars, meanwhile, software recalls have doubled within the past year, and soon they will match mechanical recalls.
The mobile application industry is pushing forward a new level of interoperability that will require heightened security and privacy measures. App developers are in a position where they can reduce the number of vulnerabilities before the app ships. Auto manufacturers are also prioritizing cybersecurity in connected vehicles as a major safety feature to compete with features requiring connectivity.
This article originally appeared on Intertrust.com Intertrust.com
Read more about how Intertrust’s suite of products helps automobile manufacturers address privacy and security in the age of the connected car. connected car.