The following is a thread we posted last week on Semiconductor Insider. And for reference, this is a follow up to the video we did on CyberArk (CYBR) a couple months ago, as well as one back in spring 2024, which you can find here: https://youtu.be/KZNef6PbrBo https://youtu.be/DAjstoo-SK4
CyberArk vs. Okta — what’s the difference, in layperson’s terms?
Let’s first start with a simple question that still hangs up a few of us out there: How exactly is CyberArk’s privileged access management (PAM) different from Okta (OKTA)?
In the simplest of terms, Okta is very broad in what it does. It’s a way to manage credentialed access to things like applications and an organization’s data. CyberArk’s PAM is much more specific, a subset of the larger access management (AM) security segment that Okta is a leader in.
You can see it reflected in tech researcher material, like Gartner‘s Magic Quadrant ratings. See both Okta and CyberArk listed in AM, but Okta is not in PAM where CyberArk is listed as a leader? Here are the links to those: https://www.okta.com/resources/gartner-magic-quadrant-access-management/ https://www.beyondtrust.com/blog/entry/gartner-pam-magic-quadrant
Let’s talk a bit about company total addressable market (TAM). Given Okta’s broad scope, it stands to reason the TAM is bigger for it than a company like CyberArk.
However, a company’s TAM is often used to judge how much growth potential it has. It’s a problematic measure, because TAM is always larger than SAM (serviceable addressable market, products and services a company actually has to earn revenue from the TAM it participates in).
For what it’s worth, with Venafi’s machine identity services now acquired by CyberArk as of October 1 when the acquisition was complete, CyberArk now says its total TAM is $60 billion. This includes the larger AM market that Okta is a general leader in.
Rather than using this TAM, though, we still prefer our measure of CyberArk’s opportunity via our security software industry market overview.
When trying to figure out who needs this PAM and machine identity security (versus the more general workforce AM from Okta), we found the following series of slides from CyberArk’s recent presentation helpful. Notice the sizable chunk of the pie chart showing ARR (annualized recurring revenue) coming from banking and financial services? Machines aren’t always robots with a physical form. Most often, it’s some sort of cloud or on-prem workload, like a program that automates the organization and long-term storage of financial transactions.
See our last video update for some more details on the above, and just how large the “machine identity” market is already.
Speaking of identity, personal identity, data protection, and security shouldn’t be overlooked either. Check out the following link for a 14-day free trial of the identity protection and software security suite from Aura. We get a kickback if you start a free trial, which supports the creation of the public research we provide to investors. https://aura.com/chipstockinvestor
Is CyberArk stock now too expensive?
Ok, let’s do a pivot to the financials and a brief valuation update on CYBR stock. Clearly the best time to have bought this one would have been in the spring when we first discussed the unnoticed potential. Oh well. Hopefully a few of you hopped aboard at that time.
With Venafi now in the fold, here’s the Q4 and full-year 2024 outlook. Note that Venafi, acquired on Oct. 1, is only contributing revenue and free cash flow (FCF) profit in Q4. The revenue contribution from Venafi is $41 million, and adjusted net income of $11 million (which will roughly align with FCF).
We lamented the high P/FCF valuation earlier this year, but CyberArk is quickly turning a corner on high FCF profit margins — now pegged at a ~21% expected margin for full-year 2024. Also notice GAAP net income was a milestone this year too Clearly a lot of room for improvement still, so this is a growth and margin expansion story that will demand a premium valuation for some time.
CYBR is now valued at a price to FCF multiple of 65x, based on the market cap of $13.6 billion and expected full-year FCF of $203-$213 million shown in the guidance above. It’s a rich multiple for sure. But given 30%+ revenue growth in the next year (thanks in small part to Venafi added in, compared to no Venafi for most of this last year), plus rising margins, don’t expect the stock to look cheap anytime soon.
But of course, DO EXPECT VOLATILITY.
It will strike in some form or fashion. Maybe the catalyst will be an operating SNAFU like CrowdStrike’s. Or maybe an analyst downgrade based on “channel checks” or some such nonsense. Or maybe a quarterly earnings update that “misses” near-term expectations. Whatever the reason, expect volatility.
So per usual, if interested at all, utilize a small dollar-cost average plan, and build a position gradually over time. And let CyberArk prove its worth in your portfolio, rather than letting emotion and perceived conviction in the business (which is really hope a stock price keeps going parabolic for forever) lead you to throwing 1%, 2%, or more of your portfolio on a small up-and-coming business.
Here at CSI, we aren’t buying just yet. We’re still looking at getting our cash balance up to ~5% in early 2025, so we have some firepower to throw at opportunities we find next year. But CYBR is one of them. We’re interested in adding this to our cybersecurity stock basket.