FIREEYE INC (FEYE) - Short
April 16, 2014 - 5:33pm EST by fiftycent501

Price: 47.61
Shares Out. (in M): 171
Market Cap (in $M): 8,175
Net Debt (in $M): -785
TEV ($): 7,390
Borrow Cost: NA

             2014    2015
EPS         $0.00   $0.00
P/E          0.0x    0.0x
P/FCF        0.0x    0.0x
EBIT            0       0
TEV/EBIT     0.0x    0.0x


  • IT Security
  • Competitive Threats
  • Insider selling

Description

Short FireEye, FEYE.  Despite the recent selloff in momentum stocks, FEYE is still a compelling short.  It remains one of the most expensive stocks in the market.  Valuation aside, its impressive growth rates are not sustainable because its products focus on a small niche of the security market that is rapidly changing and competition is eroding its position, which will lead to disappointing results and severe multiple compression.

 

FEYE is a leader in malware threat detection and its technology supplements existing security solutions. Its value proposition has been that it is one of the few security vendors that have been able to combat the advanced persistent threats (APT) that have proliferated over the past two years. These APTs are often uniquely designed to take advantage of a previously unknown vulnerability in a network. This kind of threat is known as a zero-day threat because it has never been documented before, so there is no known signature for it. Most traditional security solutions cannot detect them because they rely on signatures of known threats, but FEYE has a solution that does not rely on signatures. Its technology is based on a virtual execution engine that identifies potential threats and then executes the suspicious code in a virtual environment to determine whether the threat is real or not. It can then monitor the threat across multiple vectors (i.e. Web, email, file) and create an alert, so that the threat can be blocked and data cannot be exfiltrated.

 

There is an innovation feedback loop that is driving new threats and new technology to protect against them, so there are always hot new growth areas in the security industry. Constant innovation leads to very short product cycles and low barriers to entry though, so creating a sustainable competitive advantage is difficult. Security is often near the top of IT departments’ list of priorities due to a couple of trends: the number of targeted attacks continues to grow, but more unsettling is the fact that the volume of stolen identities and information is growing even faster. As discussed earlier, APTs are emerging that cannot be detected or mitigated by existing traditional security technology. This has caused a number of new entrants to pick up market share on the leading edge and is causing incumbents to aggressively play catch-up. This dynamic is common in the early stages of certain software products where customers are willing to purchase many different point products. These early adopters of technology products, particularly security software, tend to be big businesses that handle very sensitive information (gov/defense, tech, retail, healthcare) and have correspondingly huge IT budgets. Although they can generate big deals, there are relatively few of them, so their purchasing trends cannot be extrapolated out to other industries or smaller organizations.

 

FEYE’s product portfolio consists of web, email, content, and forensic threat prevention appliances, as well as central management appliances. Web appliances are 60-70% of billings, while email is 20-30%, with the others making up the balance. In December 2013, FEYE acquired Mandiant, which had $105 million of revenue in 2013 and was growing c. 50%, for around $1 billion. Strategically, the acquisition made sense because FEYE lacked breadth and this added endpoint products to its portfolio. FEYE IPO’ed in September 2013.

 

Pro forma for the follow on offering on March 7th and the options for a recently closed acquisition, there are approximately 171 million shares outstanding.  At $50 the market cap is $8.585 billion.  Pro forma for the offering, cash is approximately $785 million and there is no debt outstanding, so the enterprise value is $7.8 billion.  In 2013, FEYE generated $162 million in revenue with -107% operating margins.  In 2014 revenue is projected to be in the order of $410 million as core revenue should grow roughly 60% to $260 million plus acquired revenue from Mandiant.  The consensus for 2015 is about $600 million.  Therefore, FEYE is trading at 48x LTM, 19x NTM, and 13x out year sales.  There are some expectations that FEYE might achieve an operating profit in 2019.

 

The mental gymnastics that some analysts are performing in order to reverse engineer target prices are fascinating. There almost appears to be collusion on the point that FEYE will grow 40% forever and will go from -107% operating margins today to 27-30% at some indefinite point in the future. From there it is relatively simple to ascribe a 15-20x revenue multiple on 2015, or a 35x FCF multiple on 2019. DCFs are popular when near-term valuations look so excessive. There also seems to be a consensus that 20x is the appropriate terminal cash flow multiple in the 2024 timeframe. Many believe that, despite currently spending 35% of revenue on capex, in a few years FEYE will have no need for capex, presumably because it will have already spent so much. And as far as I can tell, GS is of the opinion that capex will actually be a cash inflow some time next decade.

 

That FEYE’s valuation is rich is undeniable on an absolute and relative basis, but it is a hyper-growth company, so it is a good idea to analyze whether it can ever grow into the valuation. The total addressable market is much smaller than management and their bullish analysts would have you believe. There is an oft-cited IDC study stating that threat prevention is a $10 billion market today growing 6-7% annually to $13.4 billion in ’17. And now that FEYE has acquired endpoint technology with Mandiant and is introducing intrusion protection, there are estimates that its TAM is approaching $20 billion. However, the core business is a point product that addresses a small portion of the market. My due diligence affirmed that this is disruptive technology in a nascent market that is not well defined, such that it is often a special add-on to existing IT budgets, and the appliances themselves are supplemental add-ons to the security platform and might be run with multiple other detection and mitigation solutions. Therefore, the addressable market for its core antimalware business and newly entered adjacent markets is really a fraction of these existing security categories, although growing much faster. Even if the $20 billion TAM were realistic, you have to assume that a market cap of around $8.5 billion is pricing in a great deal of success in taking market share, and you have to assume that the likes of CSCO, JNPR, SYMC, CHKP, FTNT, PANW, Trend Micro, PFPT, HPQ, INTC, etc. will still manage to take a small piece of the pie in their respective areas of expertise.

 

I spoke with a number of security software product managers and resellers and there was a general consensus regarding FEYE’s position in the market (I am a layman though, so I will try to relay the observations as coherently as possible). There is a reason that it has grown so rapidly. It has a great point product that addressed a critical need that large enterprises were desperate to fill. They had an effective product that readily demonstrated value to customers in a high-priority area that lacked a real existing solution at the leading edge for APT, so the sales cycle was very quick. Dave DeWalt was brought on board as CEO and he executed on the opportunity by aggressively ramping up the sales force, getting the company in IPO-ready shape in no time. My contacts generally feel that FEYE’s position is untenable though. The kill chain of an APT has multiple steps and therefore the response, mitigation and remediation also need to address multiple steps. Many believe that the incumbents will develop internally or acquire, and the standalone point products will disappear, thus the reasoning behind the Mandiant acquisition to try to fill out the product portfolio.

 

Universally, the feedback that I’ve gotten is that the decision to purchase FEYE products seemed like a stopgap measure.  Customers are generally pleased with the results and the ease of use, but price points are quite high.  Therefore, many are trying to evaluate whether this investment is really worth it to roll out further in their enterprises and to maintain the ongoing operational cost.  More importantly, only very large enterprises have the expertise to perform bakeoffs with competitors, and the budget for expensive add-on point products and for running multiple antimalware platforms.  This could hamper FEYE’s ability to move down market into the SMB space, which is an important driver of future growth.

 

Almost everyone also agrees that FEYE enjoys the best mindshare and that it is winning the marketing game. Part of this success stems from FEYE’s well-respected, high-profile management team getting better access to C-suites to pitch their solutions, so that decisions are being made higher up than they otherwise would be and then passed down to security teams. The other part of it is that in 2013 FEYE spent 104% of revenue on sales and marketing. This is clearly not sustainable and sales force productivity has deteriorated, but they have managed to quickly grab a lot of real estate with their appliances in the hope that once they are installed they will become incumbent. However, the history of the industry has shown that standalone products rarely have staying power in these ecosystems.

 

FEYE boasts that its technology creates negligible false positives and can be run at near real-time speeds. There are many happy customers that like the ease of use and that the product worked almost out of the box. On the other hand, there were also quite a few that felt that it generated too many alerts, which then require actual humans to evaluate them. The implication is that this does not really run close to real time and is not really as automated as advertised.

 

There is some evidence now that FEYE’s early success as a first mover may, ironically, lead to the obsolescence of the approach it pioneered, obviating the need for organizations to purchase its APT mitigation solutions. Due to the efficacy of FEYE detection, creators of malware are more aware of its presence. There are new versions of malware that specifically wait for end-user input before conducting attacks, to make sure that they are running on an actual endpoint rather than in a FEYE virtual engine. Whether this becomes a major issue remains to be seen, but it is another risk in dealing in a fast-moving market.

 

FEYE is facing competition from incumbents that are much larger, better capitalized and profitable, which are beginning to offer better integrated solutions, as well as from a slew of startups with strong point products.  These range from traditional networking companies like JNPR and CSCO, to network security vendors like CHKP and FTNT, and endpoint security vendors like Trend Micro, McAfee and SYMC.  They are building in various ways to isolate suspicious files and monitor behavior with mechanisms similar to FEYE.  Ultimately, most believe APT mitigation technology will end up being integrated into existing platforms, like firewalls and gateways, rather than having a separate appliance to do it, or rather than having FEYE create a new paradigm for security solutions.  Incidentally, FEYE has five patents and has not made an effort to block anyone from closely replicating their solution.

 

PANW is also a formidable competitor. It is first and foremost a next-generation firewall, but it also bundles in a cloud-based antimalware solution, called WildFire, that competes directly with FEYE’s core business. Its customers pay 20% of the appliance price to include WildFire, so it is a fraction of the cost of FEYE. Customers also like that it is cloud-based, whereas FEYE requires a separate box for every ingress point, which leads to higher equipment and operating costs, as well as issues of a lack of coordination between appliances. In an ESG research survey, 58% of respondents said that antimalware functionality should be integrated into a next-generation firewall, which FEYE does not have, so there is evidence that the market is moving in a different direction than FEYE.

 

Earlier in April, NSS Labs published a report on breach detection systems, in which FEYE fared poorly, which led to a critical response from FEYE’s CTO about NSS’s methodology. NSS maintains that the test was run properly. It found that FEYE overall detected 94.5% of threats with no false positives. This might sound pretty good and might have been sufficient to close deals with less competition, but most enterprises want much greater reliability. And many competitors like CSCO, FTNT, and Trend Micro scored 99%. Adding insult to injury, the report said that FEYE is very uncompetitive from a cost of protection standpoint, with CSCO offering the best bang for the buck at $231.86 per Mbps protected versus FEYE at $427.85.

 

There has been heavy insider selling.  In the March 7th offering insiders sold 8.4 million shares.  14.6 million shares came off lock up in the past month and another 95 million share lockup expires May 20th.

 

Shorting is inherently risky.  Risks to the thesis:

  • Animal spirits.  Many formerly high flying momentum stocks appear broken.  I am very confident in the fundamental thesis, but momentum stocks could bounce hard making this a painful short in the near term.
  • Positive attributes of the business model.  There is an estimated attach rate of $0.50 of subscription and support for every $1 of product sold, so there is a component of recurring revenue with contracts of 1-3 years.  In addition to the predictability of the revenue and the potential stickiness of the customer, these contracts are paid upfront, so the deferred revenue tends to be a strong cash inflow part of working capital in growth years.  As long as this condition holds, FEYE could maintain a high multiple.
    • The partial offset to this cash flow item, which is itself a liability, is that FEYE capitalizes the cost of its demonstration units, leading to capex/revenue of 35.6% in 2013, which makes it look like a not so good business.
  • Billings growth guidance could be conservative, which could lead to beating consensus numbers in the short term.
    • Given the valuation and competition I am ok with this.
  • Good management.  CEO DeWalt has a strong track record in security software, having run McAfee and sold to INTC, as well as running Documentum and selling it to EMC.  FEYE and Mandiant founders/CTOs are innovative and well respected.
    • You could argue they’ve already created all the value they’re going to create here.
  • M&A.  FEYE has a rich currency with which to do deals and Mandiant is probably just the beginning.  If it is successful, FEYE could cobble together a comprehensive solution that would allow it to compete better.
    • Generally empire building is not a good strategy, nor does acquiring companies at 10x revenue generate strong ROIC, even if one does the acquiring with >20x revenue stock.

 

 

 

Further reading:

Threat reports

http://www.symantec.com/security_response/publications/threatreport.jsp
http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2013.pdf
https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf

Case studies

http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
http://www.ciosummits.com/LM-White-Paper-Intel-Driven-Defense.pdf

 

 

I do not hold a position of employment, directorship, or consultancy with the issuer.
Neither I nor others I advise hold a material investment in the issuer's securities.

Catalyst

competition