SECUREWORKS CORP SCWX
January 13, 2022 - 9:34pm EST by
Brown Mamba
2022 2023
Price: 15.75 EPS 0 0
Shares Out. (in M): 84 P/E 0 0
Market Cap (in $M): 1,326 P/FCF 0 0
Net Debt (in $M): -205 EBIT 0 0
TEV (in $M): 1,121 TEV/EBIT 0 0

Sign up for free guest access to view investment idea with a 45 days delay.

Description

(FY22 = YE 12/31/2022)

Situation Overview

Although we are generally wary of SaaS businesses and their elevated multiples, we view SecureWorks (SCWX) as one of the most asymmetric opportunities in the market today. At the current valuation, we are buying a security software business that has grown revenue 170+% YoY at just 12.3x FY22E (CY2021) revenue or 5.1x our estimate of FY23E (CY2022) revenue. 

Due to the large Dell ownership stake/voting rights and limited float, this is restricted to a PA idea for most. SCWX is undergoing a transition from a managed security service provider (MSSP) to an extended detection and response (XDR) software provider (called the Taegis platform) which dramatically improves the margin structure and increases the TAM. Despite this, the street appears to be asleep at the wheel, focusing on the stagnating top-line as they work through this transition. Meanwhile, the Taegis platform is growing faster than SentinelOne which trades at 28x FY23E revenue. As a result, we believe SCWX is materially undervalued and model an 8x up/down skew. 

Business Overview

SCWX was the #1 player in the MSSP space by market share. However, they have recently been executing a transition to the XDR software space which we view as highly advantageous. We briefly cover key security terminology at a high level in Appendix A.

SCWX really began its transition to TaegisXDR in Q4FY21. Management is now guiding to $155m in ARR (definition appears to be closer to TCV) for the platform by the end of FY22. As it stands today, YTD revenue is split 62%/14%/24% between the MSSP platform, Taegis, and Professional Services respectively. On a long-term basis, the business has guided to a 90%/10% split between Taegis and Professional Services. 

As they undergo this transition, they are shutting down their MSSP business and have announced end-of-sale and end-of-life dates for the majority of MSS contracts. They are looking to convert their existing MSS customer base to the XDR platform. Although they are working with their customers to transition, there will be a subset of them that will not convert. Management has said the following regarding the current progress on transitioning their existing customer base:

“[Lost revenue] is primarily the nonstrategic revenue that we don't want to continue in. And so that is the majority of the impact as opposed to customers who are in our target for resolutioning, if you will, those customers largely are transitioning to Taegis…what you see is that the average revenue on those customers who are not moving are very small kind of sub-20,000 per. So the shift to a holistic security solution on Taegis with the full coverage, just may not be the kind of compliance checkbox play that they're looking for.” –  12/02/2021 SCWX Q3 2022 Call

An example of nonstrategic revenue would be firewall management. This cut down on nonstrategic revenue leads to lower revenue per MSS customer and general customer churn at the end of contract life. This has led to the headline companywide KPI’s struggling as seen below:

With the street primarily focused on the headline KPI’s, they are missing what is going on with the Taegis platform. 

Management has come across consistently positive on their ability to transition their target clients although have not given any hard numbers on what % will transition. They have also indicated that they expect the ARR trough to be at some point in the back half of FY23 now that they have accelerated transitioning with the end-of-sale and end-of-life announcements. 

Industry Overview

Cybersecurity remains one of the most attractive and complex industries in software. Management calls out a TAM of $100b growing in the mid-teens for their XDR product. Although this TAM is laughable considering the current ARR of $123m, it does speak to a large runway for continued growth. 

Security will remain a high priority for businesses around the world. With growing cloud workloads and an increased number of remote workers, the attack surface has never been larger. According to IBM, the average cost of a data breach is now ~$6m and can extend to $401m in the case of a mega-breach. These numbers only continue to grow while the attack surface continues to increase. To compound on this, there is a lack of available talent with a shortage of 3.1m security engineers/analysts according to a 2020 study. As a result, Gartner is forecasting the following for the security software industry: 

CISO surveys from RBC only confirm that security remains an extremely high priority for enterprises: 

However, one of the key issues with the current security stack is the large number of point solutions that an enterprise must work with. The importance of vendor consolidation is also reflected in the RBC CISO survey: 

XDRs are the new emerging trend in the industry to help solve this issue. There are varying views on where they stand with respect to SIEM’s. From the looks of it, XDR’s can replace SIEM’s in some cases but not all (however, XDR’s can also work in unison with SIEM’s). SCWX management has actually called out SIEM displacement as one of their prime drivers of customer acquisition:

“In fact, SIEM displacement is a big opportunity for us… Our Taegis XDR use cases go beyond what SIEM promised, but never delivered on, especially on the response side. Increasingly, we're seeing companies put out RFPs to upgrade their SIEMs, but switch to buying Taegis instead.” – 12/02/21 SCWX Q3 2022 Call

Although this is a highly nuanced industry, we think the key takeaway is that the XDR industry is just getting started. We think the following from SentinelOne reflects this:

“And to be honest, I don't think anybody has a formidable XDR offering right now, including us. I think it's a market that's [happening].” – 12/08/21 SentinelOne Inc at Barclays Global TMT Conference

With the industry still in the first inning, we believe this will be a classic case of “a rising tide lifts all boats” despite it likely becoming a highly competitive environment. The evolution of the EDR industry is reflective of this with several successful players despite the superiority of CrowdStrike’s platform. 

Considering this backdrop, we believe SCWX is well-positioned for three primary reasons:

  1. Existing customer relationships and reputation

  2. Solid offering built on 20 years of experience

  3. Strong success thus far

We touch on each below:

  1. Existing customer relationships and reputation

As the leading player in the MSSP space with a strong relationship with Dell, SCWX is already very well entrenched within the industry. As previously discussed, they have shown a reasonable degree of success with converting their existing customer base into XDR clients and management seems optimistic about their ability to continue to do so. Our expert calls confirmed this with a TaegisXDR client stating the following regarding their reason for transitioning to Taegis instead of another platform: 

“Because of the relationship with SecureWorks... It was led by the customer because they already had the relationship, then they ultimately did go with Taegis XDR.” - Former Strategic Alliance Partner Marketing for Business Development, Sales, Cloud and Software at A10 Networks

Their reputation is also nothing to sneeze at and appears to help SCWX in new customer acquisition:

“We definitely see customers that come straight to us simply because of our reputation in the marketplace.” – 6/03/21 SCWX Q1 2022 Call

“Secureworks has done this type of business for years, and they've dealt with every size client. They've dealt with every type of threat… You're not going to be disappointed or surprised if you're going to go buy it just because these vendors have the reputation, have done so much.” - CISO Senior Security Consultant at Nth Generation Computing

With this existing foothold, SCWX is in a very strong position and its growth thus far reflects that. Thinking just through existing customers, they currently have ~800 Taegis customers and ~2900 MSS customers. If they were to convert just half of these remaining MSS customers to Taegis customers that would bring them to 2250 customers (almost 3x). Meanwhile, they have also been performing well with new customers as 50% of their existing Taegis customer base are brand new customers. 

Additionally, as a former MSSP, SCWX benefits from its existing relationships with other vendors. They have a longstanding relationship with the CrowdStrike and Carbon Black endpoint solution for example. The initial question for many is why CrowdStrike would continue to partner with SCWX considering they are now beginning to compete. However, the importance of vendor neutrality cannot be understated. The XDR is emerging as a new trend in part to fix the flaws of the previous evolutions (i.e., EDR) which means it needs to be able to consolidate a large amount of telemetry across an entire organization. As a result, XDR’s will have to work with other third-party offerings, and existing relationships give SCWX a leg up in developing these integrations. The following from SentinelOne and SCWX management confirms the importance of vendor neutrality and SCWX’s positioning to succeed in this environment:

“XDR comes to do pretty much everything that the SIEM has done but layer in an active mode that can actually enforce and orchestrate action across different facets, different products, truly break down the silos between the different products in the ecosystem. And if you ever want to accomplish that, I think one very important ingredient is that your XDR platform has to be open. It has to support all vendors. It has to be inclusive.” - 12/08/21 SentinelOne Inc at Barclays Global TMT Conference

Our solution takes all the relevant security telemetry from our own proprietary data sources as well as third-party sources, across our customers' entire IT ecosystem, endpoint, network, cloud and business systems for comprehensive and timely visibility.” 9/02/2021 SCWX Q2 2022 Call

As an early player in the XDR space with a strong reputation, existing clients, and existing relationships, SCWX is well-positioned to succeed in this environment. 

  1. Solid offering built on 20 years of experience

When first researching the business, our initial thought was that the Taegis offering would be subpar and struggle vs competitors. However, we were pleasantly surprised that although not perfect, Taegis stacks up relatively well against competitors and is continuing to work to improve its flaws. 

One of the key advantages that SCWX has compared to the EDR players is that through their 20-year history as an MSSP, they have had exposure to the entire security ecosystem, not just endpoints. This means they have years of data on cloud workloads, endpoints, networks, and servers and how they interact (EDR’s do not have access to this). They also built the product bottom-up to be an XDR versus acquiring their way into the space. We heard the following from expert calls: 

Taegis is ahead in that, in XDR, because with Red Cloak, I mean Red Cloak really was launched for XDR, right? Where CrowdStrike is advancing, though, in this area as well is from the acquisition they did on Humio, right? So again, that was just earlier this year that they made that acquisition, right? So I imagine there's going to be work to do because like with any big company acquiring the technology, how fast can they integrate it with their existing solutions and make that work and deliver it to be full-functioning.”- Former Strategic Alliance Partner Marketing for Business Development, Sales, Cloud and Software at A10 Networks

Our calls with SCWX IR also indicated that SentinelOne does not currently have a full-fledged XDR offering. Despite SentinelOne talking up its singularity platform, IR stated that they have never come up against SentinelOne in the XDR RFP’s, and SentinelOne is still primarily an endpoint solution (although SCWX is obviously not a part of every bake-off so they may not have come up against SentinelOne yet). 

SCWX is also far from perfect and is continuing to improve its integrations with GCP and Azure for example. However, thus far client feedback has been generally positive and the SCWX team is rapidly working to improve its current flaws. The industry hasn’t been around enough to develop a clear competitive hierarchy, but we view the following from Forrester and IDC on the MDR space (Includes Taegis ManagedXDR offering) to be positive with both considering SCWX to be a leader: 

Although it is not the best offering, SCWX remains in a strong position and is poised to capitalize on the general industry tailwinds. 

  1. Strong success thus far

The growth and ability to convert existing customers and acquire new customers speaks volumes to the quality of the Taegis platform. However, we believe a comparison to SentinelOne’s ARR growth from a couple of years ago really puts the success in perspective: 

(dotted line = our estimates)

Through 5 quarters they have grown faster sequentially than SentinelOne when it was at the same ARR base (in each quarter) and management guidance for Q4 (quarter 6) is indicative of continued strong outperformance. 

A common counterpoint would be that the business has benefited from its existing customer base which is artificially inflating near-term growth but caps the potential for long-term growth. This is fair and is why we do not model a consistent outperformance of SentinelOne’s sequential growth, rather we assume underperformance for quarters 7 to 11. 

However, the new customer trend based on management commentary is similarly outperforming SentinelOne’s trend, albeit through 3 quarters (red bar). If this does continue to outperform through the coming quarters, our estimates could prove conservative

SentinelOne currently trades at 28x FY23E revenue and is growing slower than Taegis (114% LTM growth for SentinelOne vs 170% for SCWX). Although we could never confidently underwrite a multiple like that considering its elevated nature and the Dell overhang on SCWX, we believe the current valuation discount is far too high. 

Margin Structure

Anytime we use a sales multiple, having a ballpark estimate of the potential margin profile becomes critical. SCWX management has guided to 35% CFFO margins at maturity which implies a ~30+% FCF margin profile (Investor Day targets in Appendix B). Prior to the transition from an MSSP, they were running at ~10-15% FCF margins as they were starting to reach scale. 

The margin structure should drastically improve as this transition drives down costs and simultaneously increases revenue per customer. Management called out that on customers who transition they have seen ARPC increase from 117k to 156k on average as they cover more services for the customer after the transition. 

Management has laid out a path to mid-70% gross margins long-term from the current 65% level today. This is driven by the transition in the mix to Taegis revenue. We view this as a reasonable assumption as the impact of the mix can already be seen over the last 2 quarters: 

Management also expects S&M to decline drastically as the business scales. This is driven by a shift in their GTM strategy. Historically 90% of their sales were driven by direct marketing and 10% through the channel (Resellers/VARs, MSSP’s, Dell). Now that they are transitioning to a software product, they expect this number to move towards 50% long-term. They have already taken steps to improve this and have signed 30 MSSPs to their partner program and have more in the pipeline. S&M currently sits at 25% of revenue and if management targets are reached, 15% appears reasonable. However, in our base case, we underwrite 20% of revenue as there is still quite a bit of work to do to get to that level of penetration. 

G&A is relatively straightforward and currently sits at 12-14% of revenue and we think a reasonable assumption at scale is for this to lever to 8-10%.

R&D on the other hand is now going to be higher than it was prior to the transition. Thus far it has ballooned from 20% of revenue to 25% of revenue. Long-term we think it remains in the same ballpark between 20 and 25% as R&D investment will remain vital to their continued success. 

This brings us to a ~20% EBIT margin in our base case and FCF conversion on EBIT appears to be above 100%. As a result, under relatively conservative assumptions we see this business as having a 20% FCF margin profile with the potential for it to be upwards of 30%. 

Management

SCWX management itself appears to be relatively competent and their guides lean slightly conservative. The transition to XDR and their success thus far is highly impressive, although it is still early stages. The following is the history of guidance vs actuals for the current CFO: 

This alone does not give us enough confidence to just take management at their word, but, it does indicate that they have been in the right ballpark historically and do not significantly overestimate. As a result, we consider Investor Day targets (Appendix B) and general management commentary to be directionally correct. 

A large portion of management compensation is in stock as seen below:

Although SCWX does not do a great job disclosing the incentive targets, we believe the stock as a % of compensation suggests that management is relatively aligned with shareholders. The former CEO also owns 2% of the company which is quite high considering only 17% of the company’s shares outstanding are available for purchase. 

Near-Term Setup

One of the key issues with this opportunity is the lack of free float preventing institutions from purchasing. Sell-side also appears to not be paying attention. IR indicated that sell-side only covers them because Dell forces them to. As a result, the key turning point in this investment likely comes when the company-wide trends bottom, and they guide to growth on headline metrics. Management has stated that this will likely occur near the back half of FY23. As a result, we view Q3 or Q4 as optimal entry points but are happy to own through the next couple of quarters considering the valuation discount. 

Valuation

We value the business primarily on Taegis NTM revenue at the end of FY23 (1/31/2023) in our base and bull case. Our risk/reward outputs can be seen below:

Our downside case is based on a 5% miss to consensus numbers in FY24 and a 1.5x NTM sales exit multiple which remains a bit below their historical average multiple. Considering the benefits of the Taegis transition, we believe steady-state FCF margin could reach 15% (compared to ~13% pre-transition) which implies only 10x steady-state FCF. 

In our base case, we model Taegis revenue to grow in the mid to high teens sequentially through FY23 and FY24 bringing us to NTM revenue of $413m (vs FY21E of $91m). We want to reiterate that our growth assumptions assume underperformance compared to SentinelOne’s historical trend despite Taegis’ outperformance thus far. The acceleration of existing customer transitions after the end-of-life announcements provides a degree of support to our assumption. Implied growth rates of our estimates are 141% in FY23E and 89% in FY24E (compared to 183% in FY21E). We assume a 5x EV/Taegis NTM sales exit multiple which implies slight multiple compression versus the current multiple (5.3x) despite the massive valuation disparity between Taegis and SentinelOne/CRWD. 

Our bull case assumes Taegis revenue slightly outperforms our base case sequentially leading to $425m in NTM Taegis Revenue. We then use a 10x NTM sales exit multiple which we believe could still prove conservative considering the growth rates of this business and valuations of competitors (below SaaS median multiple of 11x). However, we are aware that the Dell overhang will prevent the business from truly realizing its entire value so we remain conservative. 

Risks

Unless sequential trends on Taegis rapidly decelerate as the business scales, we do not believe there is much fundamental risk at this valuation. 

As a result, the key risk in our view remains Dell’s ownership and voting power. There remains potential for Dell to conduct a squeeze-out which could screw shareholders. However, we would expect this to happen at a valuation above the current valuation in any case providing a degree of valuation support. 

IR did not have much information on Dell’s plans but stated that they have not mentioned any plans to acquire SCWX as of now. Additionally, IR mentioned that they wouldn’t expect Dell to pursue a squeeze-out at a share price below today’s value considering the potential reputational stigma for ~$100m of value saved. We remain wary of Dell’s plans but believe the situation remains highly asymmetric despite this considering the limited downside potential. 

Appendix A: Key Security Software Terminology

  • MSSP (Managed Security Service Provider): IT provider that monitors, maintains, and manages security for a business 24-7. The industry has continued to grow driven by the lack of security analyst labor supply. MSSP’s usually use third-party software to manage a client’s security ecosystem. Although the terms get blurred, generally an MSSP is focused on the prevention of security threats, not a response to security threats. 

  • MDR (Managed Detection and Response): This product is the successor to MSSP’s and can be thought of as a substitution if a business requires higher levels of security protection. The key difference is this product focuses on the detection and response of security threats. 

  • EDR (Endpoint Detection and Response): Provides an organization the ability to monitor endpoints (i.e., end-user devices such as laptops and mobile devices). Endpoints cover roughly 70% of all security logs making EDR's a crucial part of any security ecosystem. There are several new players who are rapidly growing in this space such as CrowdStrike and SentinelOne.

  • XDR (Extended Detection and Response): The evolution of EDR. It extends coverage to networks, servers, cloud workloads, and more giving clients a unified “single pane of glass” view across the entire ecosystem. 

  • SIEM (Security Information and Event Management): A SIEM collects a large volume of log data across the entire enterprise. So, it similarly gives clients a total view of the ecosystem. However, it does have several flaws including a large amount of effort to set up and monitor with alert fatigue being a common complaint. 

Appendix B: Investor Day Targets

I do not hold a position with the issuer such as employment, directorship, or consultancy.
I and/or others I advise do not hold a material investment in the issuer's securities.

Catalyst

  • ARR trend reversal
  • Return to top-line growth
  • Continued Taegis growth
    show   sort by    
      Back to top