Palo Alto Results sets the bar for Cyber Security Q4 announcements

Palo Alto have just released their Q2 FY23 results (to 31st January 2023, which they have turned around pretty fast).

They pretty much beat across the board - revenues $1.66bn (+26% growth), NGS ARR $2.33bn (+63% growth) billings $2.03bn (+26%), RPO $8.8bn (+39%), FCF $685m (+55%), gross (75.5%) and net margin (22.8%), Op Inc $377m (+55%) and EPS ($1.05 + 28c v guidance +81% YoY).

Their guidance again was a raise and above expectations across the board with the exception of revenue which they held.

Going through their release, results presentation and transcript, some observations stand out to me.

  1. They are growing at a rate that isn’t so far out of touch from Crowdstrike, ZScaler and Sentinel One AT SCALE (3x Crowdstrike, 6x ZScaler & 15x Sentinel One). In fact their ARR/subscription revenues are arguably growing faster and at a similar scale approaching 2/3rds of the entirety of the Sentinel One, ZS and Crowdstrike ARR combined.

  2. They have navigated their transition to the cloud and their business model to an ARR basis very elegantly and ARR is now 40% of their business (combining organic and acquisition strategies).

  3. They are growing at scale most effectively at the largest enterprise level with deal value of >$1m deals growing by 59%, >$5m deals by 132% and >$10m deals by 196%

  4. They are already reaching SaaS like levels of GM, net margin, FCF and GAAP profitability whilst having had to transition from hardware to software to ARR.

  5. They lay out, manage and communicate their flywheel business model (R&D>Innovation>Product Leadership>ARR) very effectively and make a convincing case for enterprise consolidation category ownership within cyber security.

When I was invested in Palo Alto I was in no doubt that their Next Gen firewall would supersede CheckPoint Software. When I shifted to investing in CyberArk and Fortinet and then on to ZS and Crowdstrike I was confident that the ZS and Crowdstrike cloud businesses would supersede Palo Alto or at least the opportunity for greater investment returns.

At this point I am concerned that Palo Alto might have competed its way back into the game. Have they pursued a platform strategy the way Crowdstrike has with Falcon - no and do they deliver protection to the level that Sentinel One achieves - no.

However it does concern me that ZS and Crowdstrike aren’t out delivering in a way that sees them becoming de facto leaders which is maybe what is required for growth durability in Cyber Security. Perhaps there is room in the market for more players versus an SFDC or Microsoft Office type market situation however to Buy and Hold at the valuation levels that ZS, CRWD & S are at requires much longer growth leadership durability than they look to be delivering vs the market leader (Palo Alto) at this point.




Apologies if you don’t have access to SeekingAlpha, otherwise available on the company website.



Thank you ant for this summary!

I also listened to the call and apart from the implications for the cybersecurity space (which you highlighted very well) one thing stood out to me…

Maybe a little introduction first:
Everyone is talking about AI/ML right now - companies like suddenly jump by 200% - nobody cares about Nvidia’s revenue slowdown and the new Bing aka chatgpt is in everyones mind. I thought a lot about this coming change and who could potentially profit the most. Right now everybody is jumping on companies which are directly linked to the technology, if it’s a slow growing software provider like or a hardware+software provider like Nvidia.

That’s why I wrote a little thread on another platform a few weeks ago about the importance of data as the “food” for AI applications and about the cloud as the “fertile soil” for them to grow. Therefore the companies which benefit the most might not be the most obvious ones, similar to when the Internet was invented and many thought telecommunications companies would benefit the most. But on to the PANW conference call.

What stood out to me:
Of course AI/ML was also a topic on Palo Alto’s conference call. Nikesh highlighted how they use it for years to provide better security outcomes and block threats.

Now to the point, Nikesh talked about one thing all the time:

Data. Data. Data. This word was used 35x on the call. Nikesh repeatedly mentioned the importance of high quality data as the most important part of using AI/ML successfully for enterprise operations. A few excerpts:

“The challenges you all know is that AI has been a data problem and continues to be so. Unlike consumer where we can talk about Sonnets and ChatGPT’s creative capabilities and the revolution that is going to drive in search or advertising, its ability to summarize data and continue to amuse and inform us, the demands from AI and enterprise are far more exacting and so are the returns. An enterprise AI needs to be clean.”

“It has to have comprehensive data. And in security, especially it needs to be real-time. So, not only do you need to have the best data to create great security outcomes you also need to be positioned in line to block threats.”

“We have over 60,000 customers where we can help them use this data. As we conceived with Cortex, we built XDR to ensure we collected the best endpoint data across the industry.

“Let me make a case why with petabytes of data from trillions of events, billions of sessions, hundreds of millions of URLs, and tens of millions of files flowing through our product across cloud, network, and endpoints daily, we are best positioned to deliver security outcomes using AI machine learning.”

—> What comes through to me is that the crux doesn’t lay in creating a good model but to have the most and highest quality data.

In the Q&A he talked about their emerging XSIAM product (I copied the whole question/answer because I found it very interesting) :

Saket KaliaBarclays – Analyst
But maybe a strategic question for you. As you think ahead, maybe the next couple of years for XSIAM, how do you think that that will have started to disrupt the SIM market, either from a tech or a pricing perspective? And maybe just to flip that on its head a little bit, is it possible that tools like XSIAM maybe help expand the SIM market?

Nikesh AroraChairman and Chief Executive Officer

So, I think, Saket, the SIM market doesn’t have a pricing problem. It has a value problem. I spent a lot of money. I don’t get enough value.

And if you ask some of the customers out there, how do they use the SIM, SIM is used post breach or post event to figure out what happened. A SIM is not doing on-the-fly real-time blocking. So, when SolarWinds happens, Log4j happens, you can go to your SIM and look at where it happened and figure out and trace it back and try and block the hole. What it won’t do for you is stop it mid-flight.

And that’s a paradigm shift as far as security is concerned. The only way you can do that and stop it mid-flight is analyzing data as it’s being created. So, to us, the reason we call XSIAM not SIM is here’s our words. We watch the data in flow.

We watch it coming from the endpoint. We cross-correlate mid-flight with firewall data. We go and triage it. We automate some of the alert, some of the noise away.

And we’re looking at like real incidents between triage already, which are not being put in some large data lake, and then running query language against to see how do I solve the problem. They’re already doing it in the back end. Now, of course, with the availability of new LLMs (Me: large language models like chatgpt) that are out there, which you all I’m sure have been talking about and dealing with in their free time, they do a lot more useful things than write poetry for your wife. They can actually analyze data to tell you what is anomalous and what is off pattern.

And if you can figure that out, then what do you have to do? You have to go ahead and remediate it. How do you remediate it? You got to be a firewall to remediate a network. You’ve got to be an endpoint to remediate the endpoint. You got to be Prisma Cloud, remediate it in the cloud.

So, I think what XSIAM is going to do is going to bring real-time capability in the SOC, or real-time capability in security. It’s early days. Again, I’m going to say – keep repeating, in a repetition to not fall the prayer, don’t get ahead of itself, but this is where we’re heading. And if you can picture chat ChatGPT 10 years from now, picture AI and security 10 years from now.

You will not have humans trying to analyze because it’d be too hard for humans to analyze petabytes of data. Already, the data in an organization is too much for a security analyst to analyze.

I would recommend reading the whole transcript, Nikesh definitely is one of the best CEO’s out there and always interesting to listen to. Link: Palo Alto Networks (PANW) Q2 2023 Earnings Call Transcript | The Motley Fool

This again gives me confidence that companies like Snowflake and Databricks will have high and durable future growth ahead of them. And it makes sense that companies want to build their business directly on Snowflake. And of course others will profit too - this data needs to be stored in the cloud, it needs to be secured, we need it at the edge… and so much more. I’m excited about this future!