elastic, endgame, endpoint, SIEM

Elastic has put out several blog posts about their Endgame acquisition. I think the stock dropped in response to these posts. IF you look at their chart on Oct 15th they dropped from the 80 range down to the mid 70 range when this blog post came out.

https://www.elastic.co/blog/introducing-elastic-endpoint-sec…

Why you may ask? Well, by all appearances they are going to give away endpoint protection to get people into their SIEM product. So the 234 million dollar acquisition appears to be a loss leader. Give away endpoint, make them pay for SIEM and hopefully, once people have installed the elastic stack they will use other products too.

They have since doubled down on that with this blog post

https://www.elastic.co/blog/elastic-endpoint-security-what-d…

My thoughts? If their endpoint/Siem ends up being good this could be rough for other security vendors. I don’t know how much the compute costs will be but from the face of it, this looks like a pretty good deal for customers. Definitely a shot across the bow showing that ESTC is serious about getting this business. Hopefully, they don’t lose too much money. But I think investors are starting to get fed up with elastic spending money like it is going out of style. I know I’m starting to get wary.

best,
ethan

Elastic is either at the foothills of one of the greatest land and expand strategies I have ever seen or they’ll fall flat on their face. They’re not playing games here. If their products are good, and I see no evidence they aren’t, they could upend several industries. Those same industries where some of the more well known products rely on the Elastic Stack in one way or another for the core functions.

Very interesting to see how it plays out. Early early innings in this journey.

I don’t read that they’ll be giving Endpoint away as they say here in the first sentence.

Starting November 1, Elastic Endpoint Security will be included in a new Enterprise subscription lane. You simply pay a subscription fee that is based on the computing resources you use to manage, store, search, and analyze event data from your endpoints. This gives you the flexibility to allocate resources as your needs change and Elastic’s capabilities grow.

With the Elastic Stack Enterprise subscription, you can bring all of your endpoint security event data into the Elastic Stack for detection and threat hunting and to enable automated response and orchestration. You can benefit from a flexible architecture of hot/warm/cold storage so that you have access to all the data you need when you need it, and you aren’t charged for ingestion rates, per-device, or per-user. On top of that, you also get the best malware and threat prevention technology for your laptops, desktops, and servers, in one single experience.

When you only pay for the resources you use, you aren’t locked into a specific use case or approach.

Say you want to try a new Elastic capability, like Observability. You could experiment with application metrics and would only need to expand your resources if you decide to store and analyze more data. It is that easy.

Our simple and flexible approach to pricing makes it easier to account for your current usage, and in the future, adopt new capabilities and fulfill new use cases.

Elastic has upheld a consistent resource-based pricing model across all of our products, from Elastic SIEM to Logs, Metrics, and APM.

For example, we chose not to price Elastic SIEM based on seat or ingestion rate. With Observability, we have eliminated per-agent and per-host pricing, and with search, we eliminated per-document, per-query, and per-user pricing.

The cats out of the bag on their strategy with pricing and expansion. The circle is now complete. That’s a lot under one pane of glass. To expand use cases you’ll need to expand your deployment. If Elastic is able to capture customers in multiple markets, the aggregate spend to Elastic could be quite substantial compared to what other vendors capture.

They’ve also expanded the amount of warm data storage provided with each instance.

Darth

No. of Recommendations: 1
Elastic is either at the foothills of one of the greatest land and expand strategies I have ever seen or they’ll fall flat on their face. They’re not playing games here. If their products are good, and I see no evidence they aren’t, they could upend several industries. Those same industries where some of the more well known products rely on the Elastic Stack in one way or another for the core functions.

I know right? Been kind of crazy to watch. I think we are seeing the market less and less willing to allow these companies to run crazy losses forever.

ESTC isn’t going to charge anymore for one endpoint or ten thousand endpoints which is a huge disruption in the pricing model for endpoint security. They are using endgame purely to get people’s data into elastic stack. So yeah, I agree…you will have to pay something to store and analyze the data that the endpoints generate.

I love this move.

They will move into other verticals, over time.

All the vetting of the next market is happening as they host for other companies building on top of Elastic.

Over time, as you pay for your estc usage, they will cover more and more aspects and increase value. It’s a platform that makes money on consumption and bills more directly to the cost drivers instead of some abstracted proxy like #endpoints.

I’ve said it before, but here goes again. The endpoint security market is making me crazy.

Does anyone who is more savvy and up to date than I have any idea about how this might impact Crowdstrike?

So far as I can tell, it has no impact on Zscaler or Okta. But Crowdstrike might be vulnerable. Is this a new consideration with respect to the Crowdstrike investment thesis? From what’s presented here, seems like the answer is “yes” but I really can’t say.

It is not a good strategy for a money losing company. I can understand a company like Microsoft, already makes tons of money from existing business, to give a free feature (like security) to retain customers. If you don’t or not able to charge for your products, does that say anything about the value of your products?

It is not a good strategy for a money losing company. I can understand a company like Microsoft, already makes tons of money from existing business, to give a free feature (like security) to retain customers. If you don’t or not able to charge for your products, does that say anything about the value of your products?

Seems to have worked for Bezos and Amazon over the years.

Prime owners that bought for the free shipping wound up with video streaming and other features over time.

There is an entire free sample industry at Costco that serves as a driver of business.

I dont pay for gmail or facebook or linkedin.

As use cases expand/explode and developers can continue leveraging elastic stack for multiple needs, it increases stickiness and oppty for the enterprise and cloud services Elastic sells.

Open-sourced based models are different and newer and may seem like strange business models focused on bottom-up sales motion.

https://www.forbes.com/sites/robertdefrancesco/2019/09/29/el…

“With its roots in open source, Elastic created Elastic Stack as its monetization vehicle. Comprised of proprietary software products that address numerous use cases”

Doesnt make any sense to expect their model to follow microsoft (which was helped by being a proven monopoly illegally stifled competition, btw…)

Dreamer

And besides, from the blog. It’s NOT free.

Tomorrow I guess we’ll see exactly where the subscription license falls. I’m guessing it starts only in Elasticsearch Service for now.

Darth

Tomorrow I guess we’ll see exactly where the subscription license falls.

What is tomorrow, darth?

challenge with loss leader strategy is its difficult to keep funding and keep up-to-date… specially for such a dynamic field as security (end point in this case), it is hard for any company to keep it state of the art without burning lot of money on-going basis.

So it seems to me that less impact on CRWD except may be a short term blip where some customers just fall for price vs real security…

For ESTC itself, its an expensive acquisition to create a loss leader…
May be we need to wait till ESTC mgmt to explain their strategy?

November 1st.

From the blog post.

Starting November 1, Elastic Endpoint Security will be included in a new Enterprise subscription lane. You simply pay a subscription fee that is based on the computing resources you use to manage, store, search, and analyze event data from your endpoints.

ahh…gotcha.
They have a nice twitter feed that captures a lot of these blog posts, for those unaware or intereted:

https://twitter.com/elastic

https://www.elastic.co/blog/elastic-endpoint-security-what-d…

And if you want to get notified of the latest with their endpoint security, you can sign up here:
https://www.elastic.co/products/endpoint-security/

If you scroll down at the above link, they list various use cases for the endpoint security product.
Further scrolling and you see a ton of info blurbs on the solutions, and a chart comparing their solution against CRWD and Carbonblack (acquired by VMware).

Will their stock price go lower than $70? Dunno…maybe. But I feel this company, in the $5-6b mkt cap range, would be a steal for any larger company that wants to acquire them. Likely their mgmt wouldn’t sell anytime soon, nor for anything under $10b anyway. Imagine GCP gobbling them up, or RedHat (a proven culture on selling solutions based on open source).

Unlike Nutanix, which expanded their portfolio rapidly in a very diverse manner, yet expected same sales people to sell it, despite the target client contacts being different for the various solutions, their bottom-up sales model allows the client to be the Subject Matter Expert (SME) and in effect they create their own use cases. On top of that, Elastic has an army of smart developers all with specializations to support the various solutions. In other words, they can scale.

My only regret, outside of not putting everything into ATT (T) on July 26th until mid-Oct, is that I don’t have more ways of cannibalizing my port to roll more funds into ESTC.

Despite the crappy Sept and Oct, I find myself up 50% YTD (ok…49.7%). I think individual stocks will continue to get punched down in valuation if they haven’t yet been administered their full beating from the market yet (looking at you, Okta). So while I love the company, I worry a bit for AYX post-ER, because that is just the type of market we are in. At a sub-20 P/S for a 60%+ grower, ESTC may not be at a complete bottom, but feels like a good value here. Maybe Nov becomes an up month, and by the time ESTC ER rolls around, the market will have gotten their saas/cloud/growth hate out of their system. We will see.

Dreamer

So while I love the company, I worry a bit for AYX post-ER, because that is just the type of market we are in. At a sub-20 P/S for a 60%+ grower, ESTC may not be at a complete bottom, but feels like a good value here. Maybe Nov becomes an up month, and by the time ESTC ER rolls around, the market will have gotten their saas/cloud/growth hate out of their system. We will see.

Again Dreamer, I just don’t think we can be this precise. You’re saying AYX at a PS ratio of 20.5 is too expensive vs ESTC which is currently at 17.8? Maybe that’s because:

AYX has positive EPS and ESTC does not
or
AYX revenue growth has been accelerating and ESTC’s has been decelerating
or
AYX has better gross margins than ESTC

I own and feel great about both. Can’t imagine trying to choose between them on what, a 15% difference in valuation?

Bear

Again Dreamer, I just don’t think we can be this precise. You’re saying AYX at a PS ratio of 20.5 is too expensive

I don’t understand why there is extrapolation on what I say.
I didn’t say anything about AYX P/S ratio.

Everything that follows from your assumption of what I meant can not be attributed to my thinking either.

I stated it doesn’t seem to have gotten that same deep beatdown as many of the other peer growth stocks have.

AYX and ESTC are very very different.
ESTC is a bottom-up developer-focused/led sales model.
AYX is a LOB-focused play…the non-techies in HR or Finance or wherever excel/data users reside that would benefit from advanced data analytics that is low/no-code based.

ESTC has a cloud strategy.
AYX is mainly an on-prem play (not a “cloud” stock presently)

AYX is a 20+ year old company the remade itself for the modern enterprise.
ESTC was created by a coder (Shay Banon) and the services-based company itself was launched 7 years ago, rapidly evolving their products and solutions into new areas (on purpose) and regularly stating on ERs they are investing in growth right now. AYX, not long after Tableau was bought, raced to let the market know about their projected op margins in next few years.

Dreamer

"challenge with loss leader strategy is its difficult to keep funding and keep up-to-date… specially for such a dynamic field as security (end point in this case), it is hard for any company to keep it state of the art without burning lot of money on-going basis.

So it seems to me that less impact on CRWD except may be a short term blip where some customers just fall for price vs real security…

For ESTC itself, its an expensive acquisition to create a loss leader…
May be we need to wait till ESTC mgmt to explain their strategy?"

ESTC strategy is not similar to a loss leader. They have demonstrated their strategy of applying their best in class search with applications three times.

1. Logging
2. APM
3. Endpoint Security

They find an application, adopt it to bottom-up developer lead sales model. Charge for consumption.

This is from Citi global technology conference transcript Sept 4th. ESTC investor site, which can be found here.

http://ir.elastic.co/Doc/Index?did=54029377

. .

"Unidentified Analyst: And so I guess maybe expand a little bit more on the strategy there. If there is kind of value in ending that entire kind of data life cycle. Obviously, you’re not going out and trying to compete in the very competitive endpoint market per se. But I guess, if there is value in owning that whole end-to-end process, I mean how does — how can you kind of do both if you’re not going out and competing in the endpoint market?

Shay Banon: I mean so first of all, I do think that we’ll end up competing in the endpoint market. So we didn’t acquire an endpoint company and then not do something on the endpoint space. We’re going to work the same way that we’re working on APM. We’re going to build the best APM product that we have. Even if the market converge in APM, stops being a use case and become a feature, we still want to build the best feature possible for our users.

I do think that it’s an opportunity for us to bring bottom-up adoption into the endpoint market as well. So it’s like how do we take our go-to-market and apply it now to endpoint. I do think that it’s going to take time. I do think that we need to take endpoint and integrate it, what Endgame has built and integrate it into our stack. There’s tons of IP in Endgame like that. The team is very, very strong. Some of them, some of the team members have been doing this for years. They’ve built like 5 different endpoints in 5 different companies from FireEye to others. And they have a lot of experience. And obviously, there’s a lot of IP that went into it. So I think that we can go to our users and say, “Hey, here’s a bottom-up adoption model that gets you into the endpoint space. You install that endpoint, and you get tons of value just from protection and remediation and everything. But also when it ships data, it ships it to a SIEM that is best in class.” That’s a very, very strong story that I think that we can make to our users. And if these markets — again, if they converge, I’d love to be prepared for it as a company.

Unidentified Analyst: And you would kind of contrast that bottoms-up approach in the endpoint market as something that you don’t see competitors doing to kind of go on after the C-level, and this would be kind of a way for you to differentiate?

Shay Banon: I think so. We’re definitely — even on a basic level, it’s like we’re running our company and we went up installing endpoints here and there on servers or laptops or what have you. And it’s — definitely, the interaction model that we have with these vendors is very, very different compared to what we used to. So I think that that’s — like you can’t do — you can’t test a product before — like going through like 9 levels of hell of talking to reps and everything just to get a chance to like test something. So we’re not used to it. So I love to go and say like, “Here’s a product. We think it’s the best one. Use it. And if it’s the best one, engage with us.” That’s how we work, and I’m excited about being able to go and bring that."

Torque, that is a really great find. Makes me much less worried they spent willy nilly on endgame for more users without a great plan to monetize.

thanks!

btw…because AYX was down so much today, into ER, I took a toe dip back in, in my taxable account.

Will see what market says.

My comments were that AYX is still basically “only” down to June prices. Until they moved to ASC606, they weren’t quite treated like the MDBs of the world in terms of mkt cap and P/S.

MDB, TTD, ZS and many others are at March levels or lower, in comparison. that is where my AYX comments were coming from.

I expect a great ER, but no idea what to expect of market reaction.
Because I had a lot of ESTC in both taxable and 401k, I took the oppty to take some tax losses.

Let’s see what happens.

Dreamer

Starting November 1, Elastic Endpoint Security will be included in a new Enterprise subscription lane. You simply pay a subscription fee that is based on the computing resources you use to manage, store, search, and analyze event data from your endpoints.

This is now updated on the Elastic Subscriptions page found here.

https://www.elastic.co/subscriptions

New subscription level called Enterprise. Prior to this update the subscription levels were Basic(Free), Gold, and Platinum. Enterprise is an entirely new level which includes Platinum plus:
-Endpoint protection
-Endpoint detection and response
-Endpoint event collection
-Access to ECE & ECK orchestration features

Elasticsearch Service and ECE (SaaS) also now how this same Subscription structure with the Endpoint at Enterprise (highest level).

https://www.elastic.co/products/elasticsearch/service/pricin…

I believe this is a great answer to what Elastic is doing with the Endgame acquisition.

Darth

Great, Darth! Thanks. Any idea of the ranges of their “contact us” pricing for the different packages?

Thanks again,
Bear

Any idea of the ranges of their “contact us” pricing for the different packages?

All of the paid levels, Gold, Platinum and Enterprise, provide no subscription pricing transparency. Instead, Elastic asks you to contact them.

This lack of transparency most likely leaves Elastic to price subscriptions differently, depending upon specific resource configurations, use cases and value provided.

However, it probably also creates a level of complexity that forces high touch treatment when selling and contracting.

In the Short run, it’s financially lucrative to leave a lot of room for negotiation. In the Long run, it can cause a lot of bad behaviors and create unintended consequences that could hurt business.

I have absolutely no insight into their licensing. But I’ve witnessed firsthand what happens in a company where everything gets negotiated.

As an investor in Elastic, however, I’d like to know if meaningful growth in the business needs to be high touch. If so, it could be a very rocky, long ride that I take with them, if I choose to do so.

Hopefully, somebody can answer your question.

DJ