Analysis: Public Cybersecurity Companies

Over the last week, Crowdstrike’s IPO has taken the public markets by storm. At one-point, Crowdstrike was the second highest valued public cybersecurity company after Palo Alto Networks. Across the five largest standalone cybersecurity companies, today Crowdstrike is the smallest and spends the most on expenses as a percentage of revenue. We also analyzed the financial metrics of 40 public cybersecurity companies to understand how Crowdstrike stacks up. Overall, Crowdstrike’s revenue is growing the fastest YoY (110%) and is trading at the highest EV/ LTM Rev multiple (56.3x). But it has a below average gross margin; S&M %, R&D %, and G&A % spend in the top decile; and the lowest operating margin among the cohort.

Publicly traded standalone security businesses have created $143.4B in enterprise value. The five largest standalone cybersecurity companies are Palo Alto Networks, CheckPoint, Symantec, Okta, and Crowdstrike. It is impressive that two of the five businesses, Okta and Crowdstrike, went public over the past two years. Crowdstrike is the youngest of the group and was founded in 2011.

While Crowdstrike has the smallest revenue, it grew 110% YoY, the fast of the five. Okta is in second place with a 53% YoY revenue growth rate.

Crowdstrike’s gross margin is ~700 bps below Okta and Palo Alto. CheckPoint has the highest gross margin at 89%, especially impressive since some products are appliances.

Across the cohort, Crowdstrike spends the most across sales and marketing and research and development as a percentage of revenue. Crowdstrike’s general and administrative spend as a percentage of revenue is second highest after Okta. Overall, Crowdstrike generating the lowest operating margin.

We also analyzed the financial metrics of 40 public cybersecurity companies to understand how Crowdstrike compared. We sliced the data two different ways: 1) averages across standalone vs. non-standalone security businesses and 2) across 40 public cybersecurity companies.

On average, standalone cybersecurity companies outperform peers that sell cybersecurity solutions as part of a larger portfolio. Standalone businesses are growing faster with a higher gross margin. However, standalone companies tend to spend more as a percentage of revenue, particularly sales and marketing. Despite the higher expenses, they trade at an EV/LTM revenue multiple almost two times non-standalone security companies.

Amongst the 40 companies, Crowdstrike is a highflyer with the highest YoY revenue growth rate of 110% and EV/ LTM rev multiple of 56.3x. The company’s 65% gross margin is in the bottom quartile and S&M %, R&D %, and G&A % spend is in the top decile. In turn, Crowdstrike achieved the lowest operating margin among the cohort.

Crowdstrike’s impressive IPO suggests Wall Street has an appetite for high growth software-based security businesses. Despite Crowdstrike’s gross margin and business expenses, it is trading at the highest EV/ LTM revenue multiple of any public cybersecurity company.

Standalone companies (28): Palo Alto Networks, CheckPoint, Symantec, Okta, Crowdstrike, Fortinet, Zscaler, Proofpoint, Avast, Trend Micro, CyberArk, Qualys, FireEye, Mimecast, Sophos, Rapid7, Tenable, Varonis, Sailpoint, Forescout, Carbon Black, Secureworks, Radware, Zix, Tufin, OneSpan, A10, and Absolute Software.

Non-standalone companies (12): Cisco, IBM, VMware, Verisign, Splunk, Citrix, Akamai, Juniper, Solarwinds, F5, Netscout, and MobileIron.

We did not include public defense contractors that sell security solutions.