Varonis, Part 2: How the company is doing.

Varonis, Part 2: How the company is doing.

Brittlerock wrote up Varonis’ products (which was Part 1), and I have to admit I didn’t understand a lot of it, except that he thought the products were interesting and promising. Here’s another part of the picture: my impressions of the company, and what it is doing.

First of all, Tom Gardner threw it out for us, along with another small company, saying he “loved” them both. I thought that that was enough for me to give them a look. I preferred Varonis because it had turned positive, while the other company was still a long way from positive.

First some statistics that got me interested:

2015:			     43.9  =  127.5
2016:   30.5   38.6   40.9   54.4  =  164.5
2017:   40.4   50.1   53.6 

**Precent increase in revenue**
2016:	                  24%  =  29%
2017:   33%   30%   31% 

**Adjusted Earnings**
2015:			  +17  =  -52
2016:   -29   -12   -03   +24  =  -20
2017:   -23   +01   +06 

And they are predicting +29 cents for the Dec quarter.

Then Ethan did a nice summary. Here it is, abridged.
Varonis IPO’ed in 2014 amid high expectations at a price of $55, but over the next two years it dropped to around $15 and in the last 20 months has had a meteoric rise to the low $50s. At its core it’s a data management company bundled as a security company. It implements a metadata (data about data) framework on top of your existing data system. This allows it to provide near real time analysis and threat detection on your data.

It has multiple products that are all ultimately based on making sure your data is appropriately managed and accessed. Using their metadata they make sure the correct people have access to the correct files, file permissions are correct, out of data permissions are retired, sensitive data is appropriately secured, user behavioral analysis (is Joe Blow copying all your sensitive files to a thumb drive), audit trail management, and I’m sure more things that I’m missing.

It is not focused on keeping the bad guys out, but rather on not allowing them to do damage if they get in your network (whether that is your own employee or someone who has penetrated your network). They have automated and developed monitoring tools to ensure your data has a system to follows best practices. They have recently begun to target the cloud and feel well positioned to manage data for enterprises in that space (AWS etc).


Revenue in millions (% growth)
2011: $40
2012: $53 (32%)
2013: $75 (42%)
2014: $101 (26%)
2015: $127 (30%)
2016: $164 (29%)

2017 is estimated at $211 up 28%, but it’s actually up 31% so far, after three quarters. The last few quarters they have been guiding to mid-20% revenue growth but coming in at low 30% growth.

About 40% of revenue is international

Almost 50% of customers pay for more than one product, with that number on a slow steady increase

Gross profit margin has stayed about 90% and they expect it to stay there.

Year to date, they generated positive operating cash flow of $10.8 million, up from $4.5 million a year ago.

Cash: 120 million in cash.

They have over 5500 customers and are adding 200-250 a quarter. Their existing customers are signing up for additional products and seats, which is how we are getting around 30% growth.

Security is an interesting field but I don’t think any company can approach the TAMs that are thrown about. The bigger the footprint a security company gets, the bigger the reward is for “hackers” as they can compromise one platform and have access to many enterprises.

With the above disclaimer I’m not sure that I would call Varonis the typical security system. A large part of what they do is automate best data and access practices, which seems easy but in reality is quite difficult. As more and more high profile companies have high profile data breaches, data management becomes a no-brainer. They also seem to have one relatively large potential catalyst in the near future. The EU passed GDPR or (General Data Protection Regulation) This law becomes enforceable across the EU May 2018. Varonis has introduced a new product to ensure GDPR compliance.

Varonis isn’t cheap right now, historically their P/S peaked around 7, cratered to 3ish and now is back in the mid 7 range. They are occasionally profitable with a trend toward being always profitable which will probably happen next year. They are projecting $211 million in revenue for 2017, and even if they beat the 4th quarter estimate by a huge amount their P/S would still be around 7. Long story short, Veronis is expensive. I find their business interesting but I don’t have a good handle on how big they can grow or how profitable they can become. They only have about 5500 customers, that number seems like it could be much much higher, onboarding customers is quick and easy. I’d say they have a pretty large runaway.

Then Jimbo’s take: (also greatly abridged)
Overall I like this company, I think they are thinking outside the box on IT security. I like their approach of identifying data breaches when they happen, as opposed to trying to stop all hackers from getting in, which I think is very hard because the hackers will find new ways in.

Things I like:
Different approach to IT security
Founder led
Cash flow positive
$128M cash on hand
No long term debt
Steady growth of about 30% with
A long TAM runway
Margins improving and
Earnings turning positive
EV/S of just over 6, not bad for a 30% grower.


(Saul here)
I also read Brittlerock’s posts with interest. Then I looked at the investor presentation slides, read the latest conference call, looked back through a half-dozen press resleases, and decided to take a small position (which was about 2.5%, but it was down a bunch yesterday, so now it’s a 4.0% still small [for me] position). I have to admit that I was influenced by Tom G having said he loved it, but it’s not a bad little company.


For Knowledgebase for this board,
please go to Post #17774, 17775 and 17776.
We had to post it in three parts this time.

A link to the Knowledgebase is also at the top of the Announcements column
that is on the right side of every page on this board


I too took a small position. I won’t wax on about what they do, I already wrote a piece on that. I would caution to not overestimate the product capabilities. Stupid humans can defeat any product. Fireeye used to offer similar functionality to a limited degree. I don’t know if they have completely withdrawn their s/w products or not, but they are primarily an IT security consultancy now.

Target had the Fireeye monitoring tools in place and actually observed the breach while it was underway. They did nothing. The CIO had left the company and the CEO was asleep on the job and didn’t replace him. The IT guys had no one to report to so nothing was done. Fireeye also had automated tools that could have stopped the breach, or at lessened the damage, but they had not been turned on.

Nevertheless, the Varonis products appear to be far more robust and comprehensive (with the notable gap with respect to database information). And surprisingly, they have very low computational overhead. A masterwork of s/w design in and of itself.

Another thing that gives me pause is that a lot, if not all, of their protections seem geared to detect behavioral anomalies based on user ID. I have no idea if they address anonymous attacks which is what I understand to have happened at Target a while back. Seems like one of their products should be able to sound an alarm if something like this occurs, but I couldn’t determine which.

Anyway, I took a watch it position. So, I’ll watch it.


Sounds a lot like part of Splunk’s business.