Description

Summary

Varonis is a leading data security software vendor which has traded off in recent months in response to macro-driven pressures on the results, a messy upcoming business model transition, and the general unwinding of high multiple software valuations. The company’s ~4.5x revenue multiple doesn’t reflect its leading software gross margin profile (high 80s) and I also suspect that the narrative improves towards the second half of 2023 when end-demand recovers and they can provide more clarity on their SaaS transition. From here I think they deliver upside to numbers and the multiple grinds higher towards ~6x or they get taken out for a premium by PE who sees the ability to improve margins.

Business Overview

Varonis provides organizations greater visibility into their sensitive data through its comprehensive data security platform. The product enables security teams to better protect critical data, manage insider threats, and ensure regulatory compliance. The company’s flagship product, DatAdvantage, helps customers to map out enterprise data across disparate sources and manage data access policies & usage in a unified fashion. Given this visibility into the data across an enterprise’s environment, Varonis can then layer on incremental products which classify the sensitivity of data and alert enterprises to suspicious data access activity. 

The company was founded in 2005 by CEO Yaki Faitelson and co-founder Ohad Korkus. Yaki had been working for a large oil & gas company which had collected a set of subsea images that it was using for exploration. The images were very valuable (cost several million dollars to collect) and were stored on a central file system. One day the images disappeared from the folder and Yaki was brought in to try to recover them. As a part of his investigation he revealed that many employees had access to the folder who probably should’t and that some of those employees had accessed the folder in a pattern that deviated from normal. This was the problem that he aimed to solve with Varonis.

The Varonis solution is able to identify and manage proper access for unstructured data files stored both on premise and in the cloud. They index data stored on shared network drives, Microsoft OneDrive, Sharepoint, Box, network attached storage devices, and more recently other cloud data stores. They then extract critical meta-data about each file to create a mapping of employees, data, and access / usage metrics. Varonis applies machine learning models to accurately classify data sensitivity to help identify vulnerable files. For example, a spreadsheet with a cell that says “FY23 financial plan” is more sensitive than the average spreadsheet. Varonis will help you identify which of your files contain sensitive information so that you can triage risk. In 2013, the company released its first major security offering, DatAlert, which helped detect suspicious file access activity, visualize risks, and prioritize investigations. DatAlert also extended the platform to incorporate more data from perimeter devices like VPN appliances, web proxies, and DNS systems. DatAlert can create historical baselines of activity and can identify when access activity deviates from the expected trend line. 

One key component of the Varonis sales motion is a very unique free risk assessment that they offer to prospects. Varonis will deploy its platform in the prospect’s environment and conduct a highly customized demo experience as opposed to just presenting slide-ware. The free risk assessment helps customers to answer questions about where their sensitive data lives, what kind of sensitive data they have, and how much data is over-exposed. The risk assessments demonstrate that the average number of files exposed to each employee is 17 million and every employee on average has access to 22% of the company’s folders. 87% of risk assessments find over 1,000 stale sensitive files, 58% of assessments find over 1,000 stale user accounts, and 53% of assessments find at least 1,000 sensitive files open to every employee. In some cases, the Varonis sales team has been able to show that even the receptionist has access to private company-wide payroll documents.

Varonis benefits from several multi-year demand drivers which should be tailwinds to continued revenue growth. IDC forecasts that the volumes of data created worldwide will compound at a 20-30% rate through 2030. The rapid growth of unstructured data within enterprises has led to a proliferation of security risk across emails, word documents, PDFs, spreadsheets, presentations, images, and audio & video files. Additionally the ongoing enterprise transition from on-premise to hybrid and multi-cloud environments has spread this data out over many disparate data stores. Data privacy regulations (HIPPA, PCI, GDPR, CCPA, etc.) have also fueled C-suite engagements with data security initiatives. Fortune 500 companies spend and average of $16M/year to be compliant with these regulations and to avoid the clear dollar penalties for remaining non-compliant. Moreover, Varonis is well aligned with the emergence of zero-trust security approaches which deviate from the traditional castle-and-moat / perimeter-centric security framework. Varonis provides internal threat detection by monitoring access, leveraging identity & roll-based access controls, and restricting permissions to sensitive enterprise data. The rise of ransomware attacks and the need for data-loss prevention have also been clear demand drivers.

Varonis argues that they see very limited competition and only run up head-to-head against someone in 5-10% of deals. Varonis serves a highly specialized use case very well and has been attacking this problem for nearly 2 decades. They are very entrenched in heavily regulated industries like healthcare, financial services, energy, etc. and have done a good job serving both the compliance and the security buyer. There are a few other companies in this space like StealthBits and Netwrix (which merged a few years back) but no one has put together the same exhaustive platform that Varonis has. Some large data store vendors have something like Varonis built in to their platform (like Salesforce Shield) but they can’t offer that visibility across all other data stores. There are a few small VC-backed players like BigID and Dig but they are going after slightly different use cases and have not been large enough to really move the needle. There are also some ancillary technologies which are relevant here like identity & access management (Okta/Ping/ForgeRock), identity governance & administration (Sailpoint), and privilege access management (CyberArk/Delinea) but those are not accomplishing the same outcome as Varonis and are most often deployed with Varonis in a complimentary fashion. 

The company has continued to add more features and support for more data licenses to its platform. Customers typically start with the base offering and then need to buy additional licenses for each new data store they want to include. The company now has over 25 licenses across 6 product families, but the average customer is still only using 5-6 licenses so there is a large opportunity for greater license adoption in the existing base. In late 2020, they bought an Israeli-based startup called Polyrize which extended their data store coverage to many leading cloud apps and services. Re-branded as DatAdvantage Cloud, the offering now allows customers to get the same data security insights for information sitting in notable SaaS apps like Salesforce, Slack, Dropbox, Jira, Gitlab, Github, and G-suite as well as public cloud offerings like AWS. This was a key development for the company as it responded well to customer feedback and reduced Varonis’ exposure to on-premise data stores which are declining in relevancy more and more each year.

Subscription Transition

One key driver of greater license adoption has been the subscription business model transition that the company embarked on in late 2018 / early 2019. Historically, Varonis sold on-premise perpetual licenses but given the required cash outlays the average customer would only adopt 2-3 licenses on the initial deal. In some sense, this would be like buying electricity but it only works in 2-3 rooms of your house. It’s great for those rooms, but it’s hard to see the full value of electricity until you can get it in every room of the house. Under the on-premise term subscription model, customers land with an average of 5 licenses given the smaller upfront cash outlay per license. The subscription model also comes with a host of financial benefits to Varonis as revenue gets stickier and more predictable over time and new lands come in at 2x larger amount of licenses than they did in the past. Importantly, this transition is purely financial as the delivery model is still an on-premise deployment. The subscription offering was still not SaaS and the Varonis mgmt. tool and dashboard lived on the customers infrastructure. Customers could host this in the cloud of their choosing if they wanted to but it was importantly not Varonis’ responsibility.

Given a clear customer preference for subscription over perpetual, the subscription model transition was completed with incredible speed as the business went from 7% recurring revenue in 4Q 2018 to 98% in 1Q 2020 (~18 months to completion). As is expected with a perpetual-to-subscription transition, revenue growth declined from positive 25% in 2018 to negative 6% in 2019 and the margin profile was pressured given the reduction in top-line (EBITDA margins went from +5% to -8%). As the company exited the transition, growth accelerated to 15% in 2020 and 33% in 2021. On the back of that rebound in revenue, EBIT margins improved from -8% in 2019 to +9% in 2021. Since the start of the transition the percent of customers with 6 or more licenses has grown from 13% in 4Q 2018 to an impressive 47% in 3Q 2022.

Pressures on the Business Throughout 2022

In addition to the mechanical recovery in revenue, the overall sales execution and demand environment throughout 2021 was very strong. However, in 2022 the pace of revenue growth has decelerated from +33% to +21% (per the high-end of the guide) as a function of slowing end-demand and lower sales rep productivity in the current climate (the two are of course related). Additionally, some of the new growth bets around DatAdvantage Cloud have not matured yet as the salesforce is still getting familiar with those offerings and haven’t focused on them as much as investors have. Furthermore, a meaningful portion of Varonis’ business is conducted overseas and the volatility in currency exchange rates has become a material headwind to reported metrics. The company also exited its business operations in Russia which created another small revenue headwind.

In 3Q 2022, the company came in below the mid-point of its revenue guidance and delivered headline ARR growth of 26% vs. 30% 2Q 2022. This reflected net new ARR in the quarter of $22M which was down 17% from the net new ARR of $26M in 3Q 2021. Adjusting for FX/Russia the ARR growth in Q3 was 30% which declined slightly from the adjusted ARR growth of 32% in Q2. On the Q3 earnings call, the company referenced a greater level of deal scrutiny causing some deals to slip from Q3 to Q4. This was especially pronounced in the EMEA region. Varonis also highlighted that its federal business came $4-5M short of expectations (on ARR). Security as a category has been one of the more resilient areas of IT spending (and software stocks) throughout 2022 as the relevancy of security continues to remain elevated in most boardroom discussions. I think Varonis has for a long time been drawing some of its budget from a compliance use case / buyer and so it has been a little less resilient than other pockets of security software spend (network security, endpoint, etc.). The federal vertical can also be very lumpy and slow to adopt new technologies.

The real negative was when Varonis reduced its guidance for FY22 ARR growth from 26% to 20% (with only 1 quarter to go) which suggests Q4 net new ARR will be down ~70% year-on-year which is very shocking. They also gave a preliminary outlook for FY23 which was below expectations. The company now expects to grow ARR in the 10-12% range during 2023 which suggests net new ARR will be down roughly 30% next year (after being down ~20% this year). This is partially due to a continuation of the currency headwinds as the dollar strengthened sort of linearly throughout 2022 (creating some more year-on-year pressure in the first part of 2023). The decline in net new ARR is also a function of the assumption that weakness that they saw in EMEA during Q3 would spread to North America in Q4 and 2023. 

Software-as-a-Service Transition

On top of the poor results and underwhelming guidance, Varonis announced a new business model transition from subscription to SaaS. This was a little surprising to me as investors have asked the company about moving to SaaS (while also highlighting the downsides of on-premise) for years now and the company never seemed to indicate any desire to do so. It appears that they have finally opened up to this idea and they were perhaps motivated by what they are hearing from customers during 2022. It can be very operationally expensive to provision the infrastructure needed to deploy Varonis’ platform and to dedicate FTEs to manage this deployment. During 2022, the economic pressures on customers have made this problem worse, slowing down the pace of risk assessments and impacting the sales cycle as large upfront expenses are facing more scrutiny in the deal approval process. 

A SaaS model can make it cheaper and faster for customers to deploy the platform and start getting value. Additionally, the product experience should get a lot better with SaaS as new features/versions of the software can be pushed out in real time without needing customers to manually update the Varonis software to the next version. When the Log4J incident happened, Varonis quickly pushed out a software update but then needed to call all their customers and tell them to manually install it (SaaS would not need this). The net revenue retention for SaaS businesses can typically be higher as churn is usually lower and it can be easier to upsell new licenses (no new infra needed from the customer on those either). The risk assessments should also be way less intrusive which should help speed up pipeline lead conversion in theory. The SaaS offering will be priced at a 30% higher amount on a like-for-like basis to account for the increased post-production responsibility Varonis will be taking on. After a period of lower gross margins during the initial customer adoption phase, Varonis should be able to get very high GMs on their SaaS offering as they scale (high-70s). 

The transition here will take much longer than the subscription model transition did. The company expects this to take roughly 4-6 years and will be focused more on net new customers in the beginning. In my view, this announcement is ultimately a good move the company but also quite a mess to throw in with the poor Q3 results and lowered forward outlook. The company also announced a $100M buyback on the same day so they really did a good job burying investors in news flow that night. The stock was off ~35% on the day after 3Q earnings and interestingly the management team started buying shares right after that.

Path from Here

So now we have a decent security software vendor which has fallen on some tough times in 2022 (not surprising given the macro/FX/Russia developments) and they confused everyone with a big unexpected SaaS transition. People are now weary that this will be like Guidewire where the SaaS move gets over-hyped and then takes forever to get customer traction while being a big drag on operational resources. But the business should ultimately get better with SaaS, the sales execution/demand issues feel more short term, the company’s outlook appears conservative and de-risked from here, and the management team is buying the stock.

Varonis is now trading at ~4.5x revenues for likely mid-teens growth and low-teens EBITDA margins next year. It feels like the perfect candidate for Thoma Bravo as it fits right in with the security assets that TB has bought recently. They bought Sailpoint for 13.3x revenue, Ping for 8.0x, ForgeRock for 8.4x, and Proofpoint for 9.4x. These are all identity/governance/email security type assets with growth in a similar ballpark to Varonis and they paid an average of 9.8x revenue for them. There’s also probably some co-selling / lead-sharing synergies that TB hopes to get by owning these assets together as they all sell to the same buying center. TB also just raised $32B for 3 new buyout funds.

Varonis is a high 80s gross margin business and there is considerable room to increase the operating margins from here. They are spending ~47% of revenue on S&M and they are only driving teens growth next year on that spend. Per the high-end of the 2023 outlook they will generate ~$62M of net new revenue so call it ~$54M of net new gross profit on S&M spend in 2022 of like ~$225M. It just looks way out of whack from an efficiency standpoint. Just as one example, I have personally seen several brand advertising billboards from Varonis in strange places that feel ill advised. They probably spend a few million bucks a year on those and plastering their logo with no context on the side of a highway probably doesn’t do much of anything for them. PE probably looks at this asset and thinks okay if I can get the EBITDA margins from ~10% to ~25% (doable with ~88% GMs) then paying ~4.5x revenues is effectively paying ~18x EBITDA for a decent quality software business that can compound mid-to-high teens for the next few years. PE can generate some nice returns if they throw on some leverage and exit to public markets again or sell to a strategic player trying to add data security to a broader security software platform.

Valuation

I think the company will deliver decent results against subdued expectations from here and there is the potential that the narrative starts to improve in the 2nd half of 2023 as they work through some pockets of demand softness, recover from FX headwinds, and provide more positive datapoints on the SaaS front. I think that by the end of 2023, Varonis can trade to ~6x 2024 revenues of ~$630M which gets you to $33/share or a 44% return from $23/share today. I think the potential for a PE takeout will keep the stock above $20/share and should provide some good downside protection. If the potential for a takeout does materialize, I think you could see a price in the 7-8x range (discount to recent deals). 7.5x 2024 revenue of ~$630M gets you to an enterprise value of ~$4.7B or a stock price of around $40/share (~75% upside from here).

Catalyst

• Recovery of end-demand
• Diminishing FX headwinds
• Upside to subdued revenue outlook in 2023
• SaaS business model transition data points
• Potential PE deal