CyberArk: PAM Leader (NASDAQ:CYBR) | Seeking Alpha

CyberArk (NASDAQ:CYBR) is an identity management vendor that has traditionally been focused on Privileged Access Management (PAM). In recent years the company has been increasing its cloud presence and expanding into adjacent areas like access management. This is increasing the size of CyberArk’s opportunity and supporting growth but has been a drag on margins and is increasing competition with vendors like Okta (OKTA). CyberArk could benefit from a shift towards more granular management of access, but the stock appears fairly expensive given uncertainty around competition.

Privileged Access Management

PAM software is used to provision and manage privileged accounts and access. These accounts have greater access to IT systems, applications, and data, which is a necessity, but also a point of weakness. PAM software helps organizations improve security posture, minimize the potential damage caused by a breach and meet compliance requirements.

PAM enforces granular access control, and it is this aspect that CyberArk appears to be leveraging in its access management product. Granular control is enforced using principals like:

• Only providing the minimum necessary level of privilege
• Enabling access only when required
• Segregation of duties

Other common PAM capabilities include monitoring and password management.

There are a number of secular tailwinds driving growth in the identity management market, including:

• Migration to the cloud
• Remote work
• Zero-Trust architectures

While the pandemic likely dragged some growth forward, the market will continue to grow as penetration is still relatively low. For example, 92% of cybersecurity professionals consider identity security mission-critical, but only 9% have a comprehensive strategy in place.

Like many software verticals, the identity management market appears to be converging, with IAM, IGA and PAM increasingly being offered on the same platform. This is likely being driven customers wanting to consolidate vendors and potential economies of scale and scope for vendors. CyberArk could benefit from this as the leader in PAM, but competition is also likely to increase when Okta brings its PAM solution to market.

While the long-term opportunity is promising, CyberArk is currently facing macro headwinds. Sales cycles were longer in the first quarter of 2023 and a number of larger deals were downsized. Despite this, CyberArk has a record pipeline, with strong momentum within its Access, EPM, and Secrets businesses as well as its Privilege Cloud offering. Identity security is mission critical, which should help to protect customer spending in a downturn, but the market is clearly not immune to macro uncertainty.

CyberArk

CyberArk is a leading provider of identity management software, with a focus on the PAM market. The company aims to apply privileged controls to all human and machine identities through a unified platform. Its product portfolio includes:

• Workforce Access
• Customer Access
• Endpoint Privilege Security
• Privileged Access Management
• Secrets Management
• Cloud Privilege Security
• Identity Management

These solutions are designed to secure and control privileged access across on-premises, cloud, and hybrid environments.

Competition

CyberArk faces competition from a number of companies across its end markets. The most important competitors are likely to be those that have scale and can offer a solid unified solution across IGA, PAM and IAM.

BeyondTrust has a comprehensive PAM solution which can be deployed on-prem, in the cloud or in hybrid environments. The company is a leading vendor within PAM, but lacks the product portfolio breadth of CyberArk. Beyond Trust also provides vulnerability management services, although the relevance of this to the PAM market is unclear.

Microsoft (MSFT) is a leader in cybersecurity more broadly and offers a number of identity solutions has part of its security portfolio. Microsoft is a strong competitor due to the strength of its distribution, but similar to a number of other cybersecurity vendors, CyberArk doesn’t see Microsoft as a particularly large threat. CyberArk has suggested that CISOs understand that it offers a stronger product, and as a result is confident when in direct competition with Microsoft. This seems to echo the comments of CrowdStrike (CRWD), which suggested that Microsoft has success when selling a bundle of products to CFOs, but generally has low win rates.

Broadcom (AVGO) offers PAM solutions as part of its cybersecurity portfolio, focusing on securing and managing privileged access to critical systems and applications. Broadcom’s software business has been growing, and the company is in the process of trying to acquire VMware (VMW) to strengthen its product portfolio. Broadcom probably fits into the same bucket as Microsoft, in that it has strong distribution capabilities, but its product is lacking.

Okta is the leader in cloud-based IAM, a position it strengthened with the acquisition of Auth0 for its CIAM solution. There have been integration issues associated with this acquisition, particularly within Okta’s salesforce, but these problems now appear to be resolved. This should allow the company to focus on the rollout of its IGA and PAM solutions, which have been lacking in the past.

Okta Identity Governance has been on the market for some time now and Okta is reportedly pleased with its adoption. In the past 6 months, hundreds of organizations have purchased OIG, which Okta believes is validation of its integrated cloud-based approach to identity. Okta currently has around 18,000 customers though, so it is early days. OIG is gaining traction amongst some larger organizations, in addition to the mid-enterprise customers that Okta has primarily been targeting. It is also being adopted alongside other governance solutions, and in some cases is replacing other solutions.

Okta’s PAM solution recently had a beta release, and general availability is expected by the end of the year. PAM products have been somewhat siloed in the past, whereas Okta’s solution will provide the same capabilities across resources, with a focus on the cloud. Okta wants to extend its access management and identity governance capabilities to privileged resources, which management hopes will accelerate adoption.

OneIdentity is owned by Quest, a software company that provides a range of services including cloud management, security, workforce mobility, and backup & recovery. OneIdentity has a comprehensive suite of solutions, including:

• Identity governance and administration
• Identity and access management
• Privileged access management
• Active directory management and security

OneIdentity has over 11,000 customers, and counts 80% of the Fortune 100 as customers.

CyberArk believes that the IAM market is a large opportunity, but Microsoft and Okta are tough competitors within this market. CyberArk’s differentiation in this market comes from its application of privileged controls, although Okta is likely to bring the same capabilities to bare in coming months. Even without a large amount of success against Okta and Microsoft, CyberArk can still do extremely well just through replacing legacy solutions.

CyberArk has stated that win rates continue to be strong, suggesting competition is not currently a large issue. Despite this, management commentary on the most recent earnings call suggests that there has been pricing pressure.

We’re understanding with our customers when the budget is a core concern, and we’re working with those customers to make sure that we can fit within their budget – CyberArk COO

This appears to be a far more negative comment than a number of other cybersecurity vendors that have explicitly stated that pricing has been stable.

Financial Analysis

Subscription ARR grew 84% YoY in the first quarter of 2023 with total ARR growing 42% YoY. Revenue growth was 27% over the same period. CyberArk’s subscription bookings mix reached 95% in the first quarter, driven by demand for its SaaS solutions and platform selling motion.

Revenue growth in the second quarter is expected to be roughly 21% YoY, and for the full year approximately 23%. Growth is quite strong given the current environment, and CyberArk’s stock is likely being rewarded for the fact that growth isn’t rapidly decelerating.

CyberArk’s customer base is fairly evenly distributed across industries, and the company has minimal tech exposure. This has probably helped to protect the company from the recent slowdown, but a large exposure to finance and manufacturing could be a problem in the event of a recession.

CyberArk continues to land new customers and expand within existing customers, demonstrating the strength of the underlying platform. 200 new customers were signed in the first quarter and the number of customers with ARR in excess of 100,000 USD increased by over 40% YoY.

There is evidence that demand is beginning to moderate though. The number of job openings mentioning CyberArk in the job requirements has fallen sharply in recent months. This is similar to the trend in job openings mentioning identity management in the job requirements.

CyberArk has had solid profit margins in the past, but the shift to the cloud is currently creating headwinds. Gross profit margins are down slightly, and operating losses are now quite large. This situation has likely been exacerbated by CyberArk’s soft growth over the past few years.

A moderation in hiring should support margins going forward, if growth can be maintained, but there is a risk that the drop in job openings is indicative of an expected growth slowdown.

Valuation

CyberArk’s valuation is broadly in line with peers given its current growth rate and profit profile. It should be noted that growth is currently depressed for many companies due to market conditions, but this does not appear to be the case for CyberArk. In addition, the launch of Okta’s PAM product could negatively impact CyberArk if the product gains traction with customers.