CyberArk’s (NASDAQ:CYBR) business is going from strength to strength in a difficult macro environment, driven by the rise of its cloud business and the growing importance of PAM. While CyberArk’s stock is far from cheap, and growth is likely to moderate from current levels, the quality of CyberArk’s business still appears to be underappreciated.
The last time I wrote about CyberArk, I suggested that its PAM leadership positioned it to develop a unified identity platform and capitalize on the importance of identity in cybersecurity. I continue to think that this is the case, with AI agents potentially supporting CyberArk’s competitive positioning by elevating the importance of protecting machine identities.
Market Conditions
CyberArk believes that over 90% of organizations have suffered an identity-related cyberattack. As a result, Privileged Access Management is becoming more important, and identity security is at the top of the priority list for CISOs. This is creating a large opportunity for CyberArk, as its platform is able to secure all identities with the right level of privileged controls. Tailwinds include:
- The pace of attacker innovation
- Digital transformation
- Cloud migration
- Exponential increases in human and machine identities (workloads, code, applications, IoT devices and containers)
The number of machines is rapidly outpacing the growth in their human counterparts, with more than 40 machine identities for every human identity. AI, along with technologies like IoT, is contributing to this growth, supporting demand for CyberArk’s services. This is important as machine identities present different requirements and more complicated lifecycle challenges. Existing solutions include local vaults and opensource tools, which CyberArk believes do not scale or provide the necessary security.
IBM is acquiring HashiCorp for 6.4 billion USD in an attempt to create an end-to-end hybrid cloud platform. This is potentially a tailwind for CyberArk, as IBM appears to be more focused on the infrastructure side of Hashi’s business, and less on security. CyberArk already believed that it was well-placed relative to Hashi, due to customers focusing on scalability, and IBM’s acquisition probably strengthens any advantage.
While CyberArk’s business is performing well, the macro environment has lengthened deal cycles and is making new logo acquisition more difficult. CyberArk has been less impacted than many software companies, though, which may be because it is benefiting from the growing importance of identity without being negatively impacted by weak employment growth.
CyberArk Business Updates
CyberArk is a Privileged Access Management focused identity security vendor. PAM has expanded beyond high-risk IT personnel and now encompasses a broader group of privileged users (developers, shadow IT and database and cloud administrators). CyberArk is supporting this by introducing new features to its platform which meet the unique needs of each user group.
CyberArk recently acquired Venafi, a leader in machine identity management, for 1.54 billion USD to support the creation of a comprehensive machine-identity platform. While there are competing solutions, CyberArk believes it is differentiated by its focus on providing machine identity security at scale. The transaction is expected to close in the second half of 2024 and will add around 150 million USD of annual recurring revenue and be accretive to margins. CyberArk also expects there to be go-to-market synergies. The acquisition expands CyberArk’s TAM by around 10 billion USD.
CyberArk’s Endpoint Privilege Manager reduces the attack surface by removing local admin rights and enforcing the least privilege. This strategy also protects organizations from attackers who turn off EDR agents. This is a growth area for CyberArk, with its EPM solution recently surpassing 100 million USD ARR.
CyberArk’s Secure Browser was also recently made generally available. This is a workforce security product that provides secure access to on-premises and cloud resources from the browser. It is designed to protect against attack methods like cookie harvesting and browser-based attacks.
CyberArk is also throwing its hat into the generative AI ring by introducing CoraAI, an AI assistant and analysis tool. CoraAI helps customers to detect and respond to threats and improves decision-making. CyberArk is introducing Identity Threat Detection and Response capabilities, supported by CoraAI. ITDR aims to detect anomalous behaviors and take appropriate countermeasures, like rotating stolen credentials and terminating sessions.
40% of security customers are expected to consume solutions through a managed service by 2026. CyberArk is positioning itself for this with its recently launched MSP console.
Financial Analysis
CyberArk generated 221.6 million USD in the first quarter, an increase of 37% YoY. Subscription revenue increased 69% to 156.2 million USD, while maintenance and services revenue was down approximately 4% to 62.4 million USD.
CyberArk’s ARR was 811 million USD at the end of the first quarter, an increase of 34% YoY. Subscription ARR grew 54% to 621 million USD, while Maintenance ARR was down roughly 6% to 190 million USD.
CyberArk signed close to 200 customers in Q1, the majority of which continue to land with PAM, and now has over 8,080 customers globally. Around half of new logos bought more than one solution, demonstrating the growing strength of CyberArk’s platform. Growth of CyberArk’s 500,000+ USD ARR customer cohort is outpacing growth of the 100,000+ USD ARR cohort, which is outpacing growth of the total customer base. CyberArk also had a strong expansion quarter, driven by its secrets management solution.
CyberArk expects 215-221 million USD in the second quarter, an increase of 24% YoY at the midpoint. This is probably overly conservative though, and I would expect something more like 225 million USD. For the full year, CyberArk expects 928-938 million USD, representing a 24% YoY increase at the midpoint.
The number of job openings mentioning CyberArk in the job requirements supports the notion that landing new customers is relatively difficult at the moment.
CyberArk’s operating profit margin is recovering as its business model transition matures. The increase in operating expenses has been driven by investments in sales and marketing and R&D, which, given the size of the opportunity ahead of CyberArk, and its history of efficient growth, seems reasonable.
Unlike most software companies, CyberArk is still ramping hiring. While this could weigh on margins later in the year, it could also suggest that CyberArk is expecting growth to remain robust going forward.
Conclusion
CyberArk is an emerging winner in the critical identity security market, and this is likely to be supported by a proliferation of machine identities driven by AI agents. While Okta is a threat, and competition is likely to increase now that Okta’s PAM solution is generally available, I believe that CyberArk is well positioned to navigate this threat.
CyberArk believes that multifactor authentication and single sign on tools are becoming commoditized, and that it can add value by placing privilege controls on top of these solutions. To the extent that this is true, it suggests that CyberArk is as much a threat to Okta as Okta is to CyberArk.
While CyberArk’s valuation is rich, investors have to pay for quality, particularly at the moment, and CyberArk still looks undervalued relative to some of its higher profile peers. Investors probably need to be prepared for CyberArk’s growth rate to drop back into the 20% range over the course of 2024, but improving margins should help to soften this blow. Overall, CyberArk appears as strong as almost any software company at the moment and this isn’t fully reflected in the company’s share price.
Read the full article here