Muji - ESTC Followup


We have been discussing ESTC in some detail on the Slack board and raised an important question as regards TAM/SAM. I was wondering if you might comment on this as a follow-on to your excellent 3 part series:

  1. ESTC has “optionality” with regards use cases. So what use cases does it have where it alone will rule that sector or have competitive advantage over others? I get its supremacy in search function…but then again, you seem to have used ESTC for 4 years without needing to pay for it. So what mission critical high TAM “optionality” will it likely rule?

ESTC has made a MAJOR investment in SIEM with Endgame…does that suggest that they will be consumed with that “optionality” over all other? That is, does ESTC’s value reflect more that opportunity as compared to other options:

SIEM - CRWD, etc. What is the TAM that they could reasonably be competing for?
Search - what % of customers need to pay…you did OK without paying for 4 years?
Log Analytics - SPLK, etc. What is the TAM here?
APM - New Relic, SPLK, etc. What is the TAM here?

The question is not without merit IMO, since they may have so many potential irons on the skillet but may be masters of none. That chaos can be deleterious to focus and performance.

Bert referenced this as well in his recent article as to the challenge of quantifying in discrete terms what their opportunity is.


And while we are at that topic, is anyone else wondering why, with their great revenue growth, they have progressively worsening negative net income?

From most recent to latter quarters:

-34.84M -21.35M -27.54M -18.58M

OK, they have $300 million in cash at this time, but that is -100M in preceding year.

Assuming all these “optionality” business pursuits, perhaps each will cost more money to enter and compete…do they have sufficient war chest to diversify into these other pursuits?


What do they dominate at?

Search data store.


To expand on that. Search data store is the core. Every other use case that forks off that comes back to the search function.

All of those other functions derive from the ability to ingest data (Beats, Logstash, Endgame, etc.) and search the data store. So you land with a search use case. You realize how powerful a tool it is. Then start to expand use cases.



What do they dominate at?

Search data store.

Hey Darth:

They do dominate search…but again, they are so dominant in that sector, to maintain >50% revenue growth in the years to come either “search data store” in general will be growing > 50% or they must enter new arenas since cannibalizing others in search seems less likely when they are already the king?

Do you have any information on how fast search data store “paying” customers are growing? SPLK is growing revenue in the mid 30’s.


One point I will add as a generality is that Elastic is now public. Once a company goes public, assuming everything else is great, that company tends to put on afterburners as it goes into maximum high growth mode, has more money to spend on marketing and R&D, and gains a certain respect and notoriety. Elastic’s business should benefit from this trend.

They have many paying clients. Many very big ones like Microsoft, which says something, but it is difficult to get any marketshare numbers or who dominates what.



ESTC is ramping sales and marketing and R&D. Per the last call, the CEO said a few times…

“you can plot the past and see the future…”

and they have had 50% S&M, 30% R&D.

Last call they said they 200 people in one quarter!


Duma, SIEM is different from endpoint. See my post here for an explanation.…

The Endgame acquisition is to get into the endpoint protection part of security. They plan on integrating/expanding it with their SIEM offering.

You may be wondering why we need yet another company moving into security. “Security” is a huge huge huge market. Gauchochris told me a nice analogy for the security world. ZS is like a border patrol agent, OKTA more similar to a passport issuer. Extending that analogy out then I would say EDR would be your FBI/(some surveillance and enforcement), SIEM (system wide data collection and monitoring) would be the NSA. You can see there are many different approaches to “Security”. All of which are important. Currently there is no one Security company that addresses the whole market. McAfee, Symantec try but you can tell by the Crowdstrike, Zscaler, and OKTA’s of the world that the incumbents are losing.

The post has a lot more in it.



On my phone so sorry for the incomplete reply.

CRWD is in the endpoint market also. They offer the ability to export what they find to a SIEM system like Elastic.

funny timing on use case discussion…bunch of SA articles today on ESTC or via their Twitter feed:…
Red Wing Shoes, an iconic manufacturer of safety footwear, relies on hosted Elasticsearch Service in Elastic Cloud to gain unified visibility into the manufacturing process on the factory floor, the health of its e-commerce website, and operations at over 600 retail store locations around the world. The team responsible for operations also leads the rollout of new applications and services aimed to grow the business. “We are able to do this with a tight-knit team because we focus on making our IT operations efficient,” said Marc Kermisch, Vice President and Chief Information Officer. “Seeing all the relevant operational data in a single datastore and UI interface has helped us get more effective at triaging and resolving issues based on actionable data. And the fact that the stack is fully managed for us in Elastic Cloud means our administrative overhead is low — all the deployment, scaling, and upgrades for the Elastic Stack happen at a click of a button."…
Elastic App Search is now generally available as a downloadable, self-managed search solution. Empowered with valuable feedback from the community over the last few months’ beta program, the team has worked hard to bring the simplicity and power of the Elastic App Search Service to any infrastructure. It’s now available to download and deploy at scale, alongside the default distribution of Elastic Stack 7.2 (or later), anywhere.

The launch of Elastic SIEM builds on the momentum and success that the Elastic Stack already enjoys in the security analytics market. The initial launch of Elastic SIEM introduces a new set of data integrations for security use cases, and a new dedicated app in Kibana that lets security practitioners investigate and triage common host and network security workflows in a more streamlined way.


new bullish SA article also out today:…

Dreamer (ESTC is my #2 allocation behind TTD)