Table of Contents

• 1. Palo Alto (PANW) – Earnings Review

  • Palo Alto 101:

  • a. Demand

  • b. Profits & Margins

  • c. Balance Sheet

  • d. Guidance & Valuation

  • e. Call & Press Release

  • f. Take

• 2. Jobs Revision Thoughts

• 3. Snowflake (SNOW) – Earnings Review

  • Snowflake 101:

  • a. Demand

  • b. Profits & Margins

  • c. Balance Sheet

  • d. Annual Guidance & Valuation

  • e. Call & Release Highlights

  • f. Take

• 4. PayPal (PYPL) — Adyen & Fastlane Review

Max subs — the planned transaction spelled out in Saturday’s article (section 6) took place on Monday Morning as telegraphed. There have been no other portfolio changes since the last update sent.

1. Palo Alto (PANW) – Earnings Review

Palo Alto 101:

Palo Alto is a cyber security company competing across endpoint, cloud and network use cases. Most of its platform is made up of integrated M&A, while it competes with pretty much everyone besides identity brokers in the space. Palo Alto is pushing very hard to bundle next-gen products into larger deals to differentiate vs. firewall-based competitors like Fortinet and beat next-gen disruptors. It calls this process “platformization,” which will again be a key piece of this review.

Its endpoint security segment is called Cortex. Extended Security Information and Event Management (XSIAM) is the main product being used for platformizing this section. XSIAM brings together Extended Security Orchestration, Automation and Response (XSOAR), Extended Detection and Response (XDR) and Security Information, Event Management (SIEM). XSOAR helps automate and guide best practices for incident response while ranking severity of threats. XSOAR is also where its attack surface management product (called Cortex Xpanse) lives to obsessively seek out and uncover any vulnerabilities.

XDR infuses non-endpoint data sources into breach protection to extend coverage beyond strictly that endpoint. It relies on significant 3rd party data sharing to optimize potential utility. SIEM aggregates data and events. XSOAR relies on scaled, complete data ingestion; SIEM’s and XDR’s capabilities allow that to happen.

The network security suite is called Strata. This is where Palo Alto is supplanting legacy firewall vendors by offering (what it views as) superior, software-enabled firewalls alongside a suite of network security software. It deploys software-defined wide area networks (SD-WANs) within firewall environments. SD-WANs serve as virtual network securers to use a software-based approach to protection. Palo Alto secures networks using a “zero trust” architecture. Zero trust means a bad actor cannot penetrate the most vulnerable part of a digital ecosystem and move freely within it thereafter. Zero trust ensures consistent and complex validation of these permissions at every turn. It ends the game of “everyone within a firewall environment getting perpetual, unconditional access” and greatly limits the potential damage of network breaches.

There are two pieces of the network bucket: modern hardware and software. In hardware, PANW provides “next-gen firewalls” with tools like contextual app inspection (more malleable access rules), intrusion prevention, URL filtering, data loss prevention (DLP) and more. Secure Access Service Edge (SASE) is the overarching software product that ties its network platformization approach together.  SASE conjoins tools that help prevent unauthorized access to data, abuse of networks (like phishing attacks to overwhelm networks with traffic) and broad visibility into health and performance of a network.

The cloud security suite is called Prisma. Like XSIAM and SASE are the platformization pillars in endpoint and network, in cloud it’s the Cloud Native Application Protection Platform (CNAPP). CNAPP includes Cloud Security Posture Management (CSPM), which organizes access compliance, provides overarching cloud ecosystem visibility, and proactively blocks misconfigurations. Beyond that, Cloud Workload Protection Platform (CWPP) is Prisma’s cloud workload protection tool. Most recently, Palo Alto debuted (CDEM) to “evaluate internet exposure risks and discover unknown internet-exposed cloud assets.” Finally, it added cloud detection and response (CDR).

While these three product groups are technically separate, they routinely pull context, service and data from each other to uplift overall value creation. Again, that’s how PANW is looking to more effectively compete. Prisma Access is important for network security, its AI runtime tool (more later) is vital for both Prisma and Strata, its CDR Cortex tool readily utilizes Prisma, etc.

a. Demand

• Beat revenue estimate by 1.2% & beat guide by 1.4%. Its 21.5% 3-year revenue compounded annual growth rate (CAGR) compares to 22.8% last quarter and 24.7% two quarters ago.

• Next-gen security (NGS) annual recurring revenue (ARR) and remaining performance obligation (RPO) were ahead of internal expectations.

• Beat billings estimate by 1.4% & beat guide by 1.3%.

b. Profits & Margins

• Beat EBIT estimates by 5.6%.

• Met GAAP GPM estimates.

• Beat $1.41 EPS estimates & beat identical guidance by $0.10 each.

• Beat adjusted FCF estimates by 3.6%.

c. Balance Sheet

• $2.6B in cash & equivalents.

• $4.1B in LT investments.

• No traditional debt. ~$1B in convertible debt.

• Diluted shares +3.5% for the year. Added another $500 million to its buyback authorization, leaving it with $1 billion left (less than 1% of market cap).

d. Guidance & Valuation

Because this was Palo Alto’s fiscal Q4, we got new annual guidance from the company. Annual revenue and EBIT guidance were both slightly ahead. Annual $6.25 EPS guidance also beat expectations by $0.06. Its next quarter guidance was also slightly ahead across the board. It added NGS ARR guidance and RPO guidance of 29% Y/Y and 19.5% Y/Y respectively. It removed billings guidance, but did tell us it would have guided to 12% Y/Y billings growth had it not made this change. More on this later.

PANW trades for 58x next year’s earnings. Earnings are expected to rise by 10% next year and by 16% the year after.

e. Call & Press Release

Platformization Progress:

Platformization remains the top priority for Palo Alto. This process creates higher retention, higher lifetime value customers, while also allowing it to flex the incremental value it provides beyond typical legacy firewall suites. Previously, the company had been waiting for contracts with competing vendors to expire before aggressively pursuing cross-selling. Now, it’s more proactively offering free trials to these clients while contracts unfold. This has already materially shrunk the sale cycle, as prospective customers have direct experience with these products before existing contracts end.

Palo Alto completed another 90 customer platformizations this quarter (moving customers to 1+ of its complete product platforms) vs. 65 last quarter. It has now completed 1,000+, with plans to bring that number up to 3,000 by 2030. That’s a big piece of its confidence in reiterated $15 billion in 2030 NGS ARR and a 22% NGS CAGR from now to then. Last quarter, leadership told us that non-platformized customers generate $200,000-$300,000 in ARR to start. For platformized customers, depending on how many of the three they choose, deliver $2,000,000-$14,000,000. It’s a massive difference, and that lead grew Q/Q with ARR per platformized customer again rising by over 10% sequentially. The pivot to platformization was abrupt, surprising and punished as key metrics like billings growth tanked (more on this later). A few quarters into this journey, and it’s looking like leadership absolutely made the right choice. 

For some evidence, it pounded its chest about several 7-9 figure deal wins and expansions, which were all driven by its breadth of solutions and “superior efficacy.” Short term pain; long term gain.

Platformization Financial Impact:

For the next 15 months, the platformization approach will hurt billings growth. Billings are realized only when payments are collected by Palo Alto. Part of platformization enables longer term contracts with more deferred payments as customers “grapple with the higher costs of money.” More free trials for potentially up-sold customers hurts too. Bookings and remaining performance obligations (RPO) (RPO includes bookings) are forward-looking demand metrics that eliminate this noise. It still counts all of that deferred business as “booked” even if it isn’t yet “billed.” For this reason, Palo Alto removed forward billings guidance and added RPO and NGS ARR guidance for next year. Importantly, everything included in RPO is “nonrefundable.” It did tell us that billings growth would be around 12%, but the explanation above and chart below both show you why they’re doing this. The change took place in early fiscal year (FY) 2024.

GenAI:

Usage of its GenAI tools rose 2x over the last ten months. Its AI runtime app protection tool is enjoying “strong interest” early on. Its secure GenAI app access tool also already has 1,000 interested customers. We didn’t hear much more about the platform copilots teased last quarter. All in all, GenAI ARR rose 4x Y/Y from a very small base to $200 million. Like other technological waves, “innovation is driving the speed of adoption while security is currently an afterthought.” That’s ideal for PANW over the long haul. It means minimal friction associated with creating and running GenAI apps and workloads, which means maximum asset creation today. All of these assets will eventually all need proper security.

Threat Environment:

It’s more of the same here. Between the CrowdStrike incident (which is “elevating c-suite conversations”), new SEC disclosure requirements and 50% ransomware growth since 2022, the threat environment remains intimidating and chaotic. War has only accelerated these trends as adversaries take advantage of chaos. Notably, the public sector ransomware wave has picked up steam to add another layer to this complexity.

This is why cybersecurity is stickier and more durable as a spend category compared to other parts of software. Scaling and adding new products are not as mission critical as ensuring your existing infrastructure is secure. That’s why Palo Alto, despite its love for guidance sandbagging and the major strategic shift (platformization), still set initial annual targets slightly ahead of consensus. Barring economic turmoil, I expect modest beats and raises throughout the year like it usually delivers. This all bodes well for endpoint, network and cloud security vendors.

SASE/Strata Traction:

Firewall as a Platform (FWaaP) encompasses its hardware and its SASE suite. Over the last two years, SASE as a % of overall FWaaP revenue rose from 42% to 67% as Palo Alto continues to shed lower quality reliance on legacy firewall hardware sales. SASE customer count rose 21% Y/Y, and ⅓ of those new customers were brand new to Palo Alto. This is becoming a highly impactful tool for lead generation and new logo wins.

Subscription traction here also continues to build and yield more high margin, high visibility revenue for the segment. Its Advanced URL Filtering subscription now has 34,000 customers, while its newer Advanced WildFire subscription already has 11,000 customers just 18 months into launch. On average, Palo Alto Strata has 3.5 subscriptions per customer vs. 2.6 in 2022 (offers 10 total within Strata). It just launched its newest Advanced Domain Name System (DNS) subscription to manage, filter and orchestrate network traffic.

• 70% of its network security business was from protecting public cloud networks. PANW was chosen over native product integrations with the hyperscalers, which all offer varying degrees of this product.

• Appliance and hardware growth remains challenged. SASE and subscriptions are driving this section’s growth. It sees firewall appliance market demand rising by about 2.5% annually going forward. Growth will be driven by software.

• As part of its Talon acquisition in Q2, PANW debuted the market’s first enterprise web browser integrated right into its suite of high quality SASE network security tools. It sees browser-level protection as a key piece of the future of network security and is also seeing strong interest for this tool early on.

• Debuted experience management within SASE to “help customers identify sources of downtime and ensure network availability for hybrid and branch office workers.” This is directly integrated into its next-gen firewalls too.

Prisma:

Next-gen cloud momentum also remains palpable. CDR is enjoying “strong initial traction” while Prisma was credited for procuring 3 large deals. All in all, PANW is the first cybersecurity player to reach $700 million in cloud ARR and saw average contract value (ACV) rise 30% Y/Y. For evidence of product leadership here, it has signed deals with leading cloud platforms across HR, collaboration and customer resource management (CRM). These software leaders picked PANW to lead another section of their software-based operations. Good vote of confidence.

• Unveiled its data security posture management (DSPM) tool as part of its Dig Security acquisition. DSPM has already been fully integrated across Prisma.

Endpoint/Cortex: 

XSIAM bookings just crossed $500 million during the quarter, compared to over $400 million last quarter. Active customer count quadrupled Y/Y. Overall, Cortex ARR crossed $900 million, with customer count now over 6,100.

XSIAM is driving significant compression in mean time to resolve (MTTR) an incident from 2-3 days down to “as low as” 60 seconds. More than half of XSIAM’s new customers are enjoying a sub-10 minute MTTR, with continued improvements as these relationships mature. This matters a lot considering hackers can exploit a vulnerability in less than a day, while GenAI shrinks that timeline further.

• Launched XSIAM for cloud (another example of product pillars converging) to offer more complete visibility into cloud environment health.

• Will partner more aggressively with system integrators to build momentum here.

CrowdStrike:

Per the team, CrowdStrike’s outage has “elevated cybersecurity conversations further” and pushed buyers to demand a deeper understanding of the tech behind protection. The blunder has “caused a number of customers to re-evaluate their options, which should help drive more Cortex momentum. PANW did say they were satisfied with how CrowdStrike handled the situation, but they clearly do see this as an opportunity to steal market share.

f. Take

This was a very good quarter. The world is an immensely volatile place right now across macroeconomics and geopolitics. To offer initial guidance ahead of consensus is positive to me – no matter how small the beats were. NGS momentum is fantastic, and CrowdStrike’s misstep should bolster that traction at least for the next few quarters. Six months ago “platformization” was ridiculed and cited as evidence for PANW falling behind. Fast-forward to today, and their competitive positioning seems to be improving if anything. More compounding, margin expansion, successful product additions and execution.

I do find this stock to be too expensive based on expected profit growth. PANW’s forward gross profit multiple is about 18x compared to SentinelOne at 10x. Palo Alto is much more profitable today, but SentinelOne is currently inflecting to positive profits, delivering sharper leverage, much faster growth and is the next-gen endpoint pure-play. Endpoint is the category where CRWD’s issue leaves the largest market share opportunity. SentinelOne’s product reputation is second to none, and it’s currently fixing a broken go-to-market approach to nurture large enterprise traction. Palo Alto is a lot more mature of a name and not my favorite to pick. Still, I find nothing alarmingly wrong with PANW… I just think it’s too expensive. Strong showing regardless.

2. Jobs Revision Thoughts

Much attention was paid to the ~800,000 job estimate reduction from Bureau of Labor Statistics (BLS). This was actually smaller than the 1 million job reduction expected. But regardless of that, I still find this news to be encouraging for stocks. Why?

Estimates try to forecast economic health. Companies operate within actual economic backdrops, rather than presumed economic backdrops. Earnings results from 2024 will not be revised lower alongside the labor metrics; companies had to execute within reality, rather than fiction. They delivered profit and revenue growth in a world where macro headwinds were stronger than we gave them credit for.

And now? A downward revision has zero impact on the real-time consumption trends these companies are enjoying. The economy didn’t suddenly worsen just because our government can’t correctly track data. This leaves us with a status quo economy, and a Fed that will be even more emboldened to practice aggressive dovishness.

3. Snowflake (SNOW) – Earnings Review

Snowflake 101:

Subscribe to our premium content to read the rest.