Demand accelerates in 2021, notably strong growth at larger firms

We present our annual analysis of publicly traded, enterprise-focused cybersecurity firm performance. We highlight that 2021 revenue grew 27%, a notable acceleration from 2020’s 19.8% growth and 2019’s 20.3% growth, and that actual 2021 revenue exceeded initial guidance by an average 7% and a median 6%, suggesting robust overall demand has only increased.

We also highlight the emergence of two giants in the cybersecurity sector, something that hasn’t happened previously in the sector’s history. Fortinet (FTNT) and Palo Alto Networks (PANW) have accomplished what competitors in the past failed to do: successfully extend their offerings to new growth areas and thereby grow above industry-average rates at massive scale.

With this change, the cybersecurity market structure is for the first time beginning to look more like many other software markets, where a few megacap leaders dominate and many smaller players fill emerging voids.

We examine the correlations between top- and bottom-line outperformance and stock price performance and believe they indicate cybersecurity investors are still more focused on top-line growth than bottom-line metrics.

Our analysis of one-, three-, and five-year cybersecurity stock performance through March 28, combined with other elements of our sector analysis, points to prospects for the group to outperform the broader indexes over longer time frames than we’ve seen historically.

How we looked at the market

This report presents our annual analysis of publicly traded, enterprise-focused cybersecurity firm performance. Unlike our previous annual analyses published in December, which relied on preliminary indications of full-year performance, the late-March timing this year enables us to include final results for companies with a Dec. 31 fiscal year and those with a Jan. 31 fiscal year, which we treat as 2021 in our analysis.

To be included in this year’s analysis, companies had to be listed on a U.S. exchange, have most-recent year revenue greater than $100 million, derive the vast majority of their business from supplying cybersecurity solutions to businesses and government customers (not consumers), and have been public for all of 2021. Relative to our most recent annual analysis in December 2020, we have removed three companies that were acquired during the year: McAfee, Proofpoint and Zix. In addition, due to the mid-year sale of Mandiant‘s (MNDT, formerly FireEye) products division, we exclude Mandiant from our revenue growth and guidance analysis, as its original 2021 guidance included this divested division. Consistent with our focus on business-to-business companies, we again exclude consumer-focused cybersecurity companies such as NortonLifeLock (NLOK).

Revenue growth suggests demand accelerated

We use revenue as a proxy for demand. As Table 1 shows, aggregate 2021 revenue grew 27% to $19.5 billion. This is a notable acceleration from 19.8% growth in 2020, which was the year most impacted by COVID-19. However, as we noted in last year’s analysis, the COVID-19 impact in 2020 was modest, with growth slowing by less than 1% relative to 2019’s 20.3% growth. We believe the sustained solid growth is consistent with underlying demand trends, which we have always believed are not particularly sensitive to economic cycles but rather driven by relentless innovation and cybersecurity attacks. In 2021, cybersecurity attacks remained top-of-mind, with the high-profile SolarWinds (SWI) and Colonial Pipeline attacks in the first half and frequent news of feared or actual attacks by state-sponsored actors pursuing geopolitical goals. 

TABLE 1: Revenue and revenue growth 2019 to 2021 (sorted by 2021 revenue growth)

Source: Company data, Capital IQ, First Analysis.

Notes: (1) Revenue and growth rates are based on CRWD’s, OKTA’s and SCWX’s reported revenue for its fiscal year ended January of 2019, 2020, 2021 and 2022. (2) Revenue and growth rates are based on ZS’s and PANW’s reported revenue of the four quarters through January (its fiscal Q2) in 2019, 2020, 2021 and 2022. (3) Revenue and growth rates are based on MIME’s reported revenue of the four quarters through January (its fiscal Q3) of 2019, 2020, 2021 and 2022.

We acknowledge the limits of using revenue growth as a proxy for demand, which include:

• Some companies are still transitioning their business models to more subscription sales, which depresses reported revenue during the transition, or are de-emphasizing a line of business as part of a business model change. This was the case for the two companies that saw revenue decline in 2021: SecureWorks (SCWX), which intentionally exited some of its managed security service provider business to focus on its higher-margin Taegis software, and OneSpan (OSPN), which is undergoing a multi-year transition to recurring revenue (though we note OneSpan also had execution challenges that led to mid-year board and management changes). Similarly, CyberArk (CYBR), which grew only 8% in 2021, is transitioning to a recurring revenue model, which masks a much stronger level of bookings growth and overall demand.
• Some companies recognize most of their revenue from contracts already booked (from deferred revenue balances), making bookings or changes in short-term deferred revenue better indicators of current momentum.
• Revenue includes acquired revenue; in most cases, acquired revenue did not materially affect growth rates, but there are instances where it caused some distortion. We try to call these out in our analysis; for example, Okta’s (OKTA) 2021 revenue growth rate was skewed by its large mid-year acquisition of AuthO.

Demand strong, growth accelerating

The growth acceleration in 2021 was broad-based within the group, as 15 of the 19 companies saw the rate of change in revenue improve from 2020. Overall growth was also broad-based, as the average growth rate was 25.5% with a median growth rate of 22.9%. However, the fact that the average and median growth rates were below the aggregate growth rate means the larger-revenue companies are growing faster than the smaller ones—a reversal of the historical pattern.

In part, this reversal is due to changes in the group constituents: Several large, slower-growth companies have been taken private in recent years, including Symantec and McAfee. But this is not the only dynamic at play, as slow growth among the larger players has been the norm for many years. Symantec was a perennially slow grower prior to its acquisition, and Check Point Software Technologies (CHKP), which for many years has been one of the largest companies in terms of revenue, saw growth between 3.5% and 4.9% in each of the past three years. Cisco Systems (CSCO), which is not in our index due to a change in how it breaks out security revenue and the small proportion of total revenue that comes from security, is another example of a large player showing modest growth: For the four quarters ended Jan. 31, Cisco’s security division reported $3.4 billion in revenue, making it second only to Palo Alto Networks in our security group in terms of revenue, but Cisco’s security revenue grew only 5.3% in that period and only 8.0% the prior year.

The more important factor in the reversal, in our view, is the emergence of two giants in the cybersecurity market, something we haven’t seen before in the sector’s history. Fortinet and Palo Alto Networks have accomplished what competitors in the past failed to do: successfully extend their offerings to new growth areas and thereby grow above industry-average rates at massive scale. While acquisitions have contributed somewhat to their growth rates, the vast majority of their growth is organic. Further, both slightly accelerated revenue growth in 2020 and then substantially accelerated growth in 2021, to 28.4% for Palo Alto Networks and to 28.8% for Fortinet. In addition to Check Point, CrowdStrike (CRWD) and Okta also had over $1 billion in 2021 revenue, and both posted tremendous growth rates (64% for CrowdStrike and 56% for Okta). In CrowdStrike’s case, the growth rate is slowing, while Okta’s accelerating growth reflects its $6.5 billion acquisition of AuthO closed in the middle of its fiscal year. And for both Okta and CrowdStrike, their core business and close product extensions account for most of their growth, not new areas as is the case for Palo Alto Networks and Fortinet.

We think Palo Alto Networks’ and Fortinet’s ability to grow at scale ($4.9 billion 2021 revenue for Palo Alto Networks and $3.3 billion for Fortinet) is a notable change in the market that may portend changing competitive dynamics. With this change, the cybersecurity market structure is beginning to look more like many other software markets, where a few mega-cap leaders dominate and many smaller players fill emerging voids, not in an attempt to challenge the leaders’ overall market dominance in the long term, but to establish a notable presence and likely be acquired by one of the leading companies at some point. Palo Alto Networks’ and Fortinet’s emerging dominance is evident not only in revenue, but also market cap (see Table 2). Together, they account for about a third of the sector’s total market capitalization. Adding CrowdStrike and Okta puts the top four at greater than 50%. We have not thoroughly analyzed market concentration data for the more than 25 years we have been following the industry; however, we cannot recall a time when there was this level of concentration in market cap. The cybersecurity competitive environment of the past 30 years may not be dead, but the current data point to the likelihood of a substantial change.

Cloud continues to shine

Many of the fastest-growing cybersecurity companies have a cloud orientation as their core value proposition. These companies include this year’s revenue growth champion, CrowdStrike (64% growth), as well as ZScaler (ZS), Okta and Cloudflare (NET), all of which posted greater than 50% growth (though, as noted above, Okta’s growth reflected a large acquisition). Cloud-focused SentinelOne (S) grew 115%, but it is not included in our analysis because its IPO was during 2021.

TABLE 2: Cybersecurity stock price and market cap analysis

Source: First Analysis, Capital IQ.

Revenue guidance outperformance also points to strong demand

We compare initial guidance to actual results (Table 3) for a few reasons. First, it provides an indication of whether demand over the course of the year strengthened (with companies beating their initial revenue guidance) or weakened (companies falling short of initial guidance). Second, when we bring stock price performance into the analysis, we can make some assumptions about how investors perceive the importance of growth versus profitability.

Actual 2021 revenue exceeded initial guidance by an average 7% and a median 6%. By contrast, in 2020, companies fell short of guidance on average by about 1% (median also 1%). The 2020 data reflected the fact guidance was given prior to COVID-19 being widespread, so conditions did, in fact, get tougher as the year progressed. Given lingering COVID-19 uncertainties, some of 2021’s outperformance may reflect managements being more conservative with guidance than usual. However, the magnitude of 2021’s outperformance suggests demand strength beyond the effect of any conservatism.

TABLE 3: 2021 revenue and EPS initial guidance compared to actual results (sorted by revenue difference)*

Source: First Analysis, company reports, Capital IQ.
Notes: *For July and December year-end companies, we show fiscal 2021 figures; for January and March year ends, we show fiscal 2022 figures. As such, the figures for MIME under “Reported” are based on consensus estimates as of March 28, 2022. For companies lacking initial revenue and/or EPS guidance, we show initial consensus estimates as of approximately one week after reported year-end results. EPS = earnings per share.

Okta beat revenue guidance by the widest margin, but this reflected its AuthO acquisition, which was not anticipated in initial guidance. Three of the next four largest beats came from cloud specialists (Zscaler, Cloudflare and CrowdStrike), which also posted among the highest revenue growth rates. This indicates cloud is not only the fastest-growing sizeable subsegment of cybersecurity, but also that cloud cybersecurity growth is exceeding cloud players’ expectations.

Only two companies fell short of their revenue guidance. SecureWorks’ shortfall reflected an intentional change in business focus during the year that likely helped the company beat its initial bottom-line guidance for a $0.28 loss per share with reported EPS of $0.11 and see only a 2% stock price decline for the year ended March 28 despite the revenue shortfall. OneSpan (OSPN), in contrast, missed on both its top and bottom line, and its stock was down a sector-worst 43%. The company made midyear changes in management and its board, suggesting company-specific execution, not market weakness, was a major factor in the misses.

Connection between EPS guidance and stock performance less clear in 2021

Historically, beating revenue guidance has been correlated with stock performance, but the correlation weakened in 2021. For 2019, our analysis showed a 0.31 correlation between revenue outperformance and one-year stock price performance. For 2020, the correlation was 0.65. This year, the correlation was only 0.16. If we remove Okta, whose revenue outperformance reflected a large acquisition, the correlation jumps to 0.43. If we also remove Mimecast (MIME), whose stock price is tied to a pending takeout, the correlation rises further to 0.48.

Reported earnings relative to initial earnings guidance was more of a mixed bag. Four companies fell short of their initial targets and 15 beat. And with so many of the companies losing money as they invest heavily in growth and several guiding for losses and reporting gains, statistical analysis of the differences is more difficult. Where it was possible to calculate a percentage difference between initial earnings guidance and reported results, the correlation with stock performance was slightly negative at -0.03. The case of CyberArk may be representative of reasons for this low correlation: CyberArk missed its $0.55 initial earnings guidance by $0.22, or 39%; however, the reason was faster-than-planned adoption of its subscription offerings, which investors view positively, so the stock is up 26% over the past year.

While our analysis is not conclusive, we believe it suggests cybersecurity investors are still more focused on top-line growth than bottom-line metrics.

See prospects for sustained cybersecurity stock outperformance

We have been doing this type of analysis for many years and often see our index of cybersecurity stocks significantly outperform for one or two years and then underperform for a year or so. While the overall cybersecurity market has grown tremendously, stock returns have been uneven and not necessarily reflective of the strong industry growth. Only those who were very good at selecting the few names with multiyear success saw gains that outpaced the Nasdaq for any extended period. A broad-based cybersecurity index generally provided returns that differed minimally from the tech heavy Nasdaq over any extended period.

This year’s analysis breaks that trend. This may be in part due to the absence of some perpetual underperformers like McAfee and Symantec, but this year’s outperformance is still noteworthy. The average one-year cybersecurity stock gain as of March 28 was 23% and the median gain 25%, all well above Nasdaq’s 9% gain (and also meaningfully above the S&P 500’s and Russell 2000’s gains). The cybersecurity group’s three-year gain of 90% on average (78% median) is slightly above the Nasdaq’s 87% gain and well ahead of both the S&P 500 and the Russell 2000. Over five years, the cybersecurity group trounced all three indexes with a 240% average return, nearly double the Nasdaq return and multiples of the S&P 500 and Russell 2000 returns.

The cybersecurity group’s outperformance on a market-cap-weighted basis is even more striking, with the group posting a 53% one-year gain, a 128% three-year gain, and a 285% five-year gain. As noted earlier, Palo Alto Networks and Fortinet have been growing revenue at rates above the industry average despite their large scale. Investors have rewarded this performance with one-year gains of 96% for Palo Alto and 85% for Fortinet. Over five years, Fortinet leads the group with an 826% gain, and Palo Alto Networks’ gain is third at 454%. (Relatively small Rapid7, RPD, had the second-best performance at 654%, but it is not a major factor on a market-cap-weighted basis.) As their market caps have grown, Palo Alto Networks and Fortinet have become major drivers of the one- and three-year performances.

This is not to say the tide will lift all boats. As usual, the variance of returns was wide with five (of 19) companies seeing their share prices decline over the past year and another company gaining less than the Nasdaq. However, should large-cap cybersecurity growth continue to match or exceed overall industry growth and long-term demand drivers remain robust, we would not be surprised to see the weighted average cybersecurity index continue to meaningfully outperform broader market benchmarks.