cybersecurity - credit suisse

DISCLOSURE APPENDIX AT THE BACK OF THIS REPORT CONTAINS IMPORTANT DISCLOSURES, ANALYST CERTIFICATIONS, LEGAL ENTITY DISCLOSURE AND THE STATUS OF NON-US ANALYSTS. US Disclosure: Credit Suisse does and seeks to do business with companies covered in its research reports. As a result, investors should be aware that the Firm may have a conflict of interest that could affect the objectivity of this report. Investors should consider this report as only a single factor in making their investment decision.

5 September 2017 Americas/United States

Equity Research

Technology

Cybersecurity

The Ideas Engine series showcases Credit Suisse’s unique

insights and investment ideas.

Research Analysts

Brad Zelnick

212 325-6118

[email protected]

William Lunn

212 325 4392

[email protected]

Syed Talha Saleem, CFA

212 538 1428

[email protected]

Kevin Ma

212 325 2694

[email protected]

INITIATION

The Cloud Has No Walls

Initiate on Firewall (PANW, FTNT, CHKP) with a Negative Category View

While we consider cybersecurity to be a secular growth theme, as the

corporate network disintegrates we anticipate spend will be redistributed away

from the network to the detriment of incumbent firewall vendors.

■ Cybersecurity Is a Secular Growth Theme: We believe the value of data

to firms is rising, as is the threat of its compromise. As long as malicious

innovation outpaces benevolent, the cybercrime wave will endure, putting

upward pressure on budgets for data defense.

■ Architectural Shift Deprioritizes the Perimeter: Traditional centralized

methods of IT delivery lend themselves to a walled garden defense: build

high, strong walls at the perimeter and defend them carefully. The cloud,

being by its very nature distributed, dissolves the concept of network

perimeter. As workloads move out of data centers, it becomes less clear at

what point the bounds of the corporate network begin and where they end.

■ Agile Compute Demands Agile Security: The new security paradigm

should mirror the cloud compute paradigm in that it is (1) on-demand,

(2) borderless, (3) without hardware, (4) dynamically priced, and

(5) scalable. An appliance-based approach fails on each account, thus we

expect spend to be redistributed to other controls and cloud-first innovators.

■ Multiple Structural Headwinds Face the Firewall: Even if the firewall

retains its relevance in the cloud, the space will continue to face multiple

structural headwinds, in our view. The most notable headwinds include

increasing competition, pricing challenges, the diminishing tailwind of TAM

expansion, and the shift in spend from prevention to detection and response.

■ Stocks: Most at risk and with the highest market expectations, we initiate

on PANW (TP:$125) and FTNT (TP:$33) with Underperform ratings. Less

optimistically priced and of higher quality, we rate CHKP (TP:$110) Neutral.

Figure 1: The Cloud Security Spending Disconnect

Source: Gartner, Credit Suisse Research.

7.1%9.3%

11.8%

14.4%

17.0%19.2%

6.7%7.8% 8.8% 9.8% 10.6% 11.3%

0%

5%

10%

15%

20%

25%

2015 2016 2017 2018 2019 2020

Spend on Cloud (IaaS, PaaS & SaaS) as % of IT budget

Spend on Cloud security as % of security budget

5 September 2017

Cybersecurity 2

Table of Contents

Executive Summary 5

Structural Thesis 21

Cybersecurity is Secular Growth .............................................................................. 21

Data Are of Enormous Value, and Thus Deserving of Expensive Protection ........... 21

Data Are Increasingly Valuable to the Firm .............................................................. 22

The Cyber Crime Wave Continues Unabated........................................................... 24

Why Are the Attackers Winning the Cyber War? ...................................................... 27

Securing the Cloud ..................................................................................................... 31

The Cloud Holds Great Promise, and Great Security Risk ....................................... 31

Spend Unlikely to Continue to Coalesce Around the Network .................................. 35

Agile Compute Demands Agile Security ................................................................... 35

Beware Disaggregation ............................................................................................. 36

Firewall—The Security Mainframe? .......................................................................... 46

Sector Thesis 49

Other NGFW Tailwinds to Slow ................................................................................. 49

Competition to Reaccelerate ..................................................................................... 52

Cloud Transition ........................................................................................................ 64

TAM Expansion Is Limited ........................................................................................ 77

SSL Decryption Less of a Tailwind ........................................................................... 81

Shift from Prevention to Detection ............................................................................ 84

Firewall Stocks ............................................................................................................ 86

Relative Exposure to Sector Headwinds ................................................................... 86

Relative Valuation ..................................................................................................... 89

Relative HOLT® Perspective ..................................................................................... 91

Stock Calls 97

Palo Alto Networks: Lost in Palodise ....................................................................... 97

Key Charts .............................................................................................................. 100

Supports for Our Thesis .......................................................................................... 113

Risks to Our Thesis ................................................................................................. 117

Fortinet: Fortinet & Unfortified = Underperform .................................................... 135

Key Charts .............................................................................................................. 138

Supports for Our Thesis .......................................................................................... 139

Risks to Our Thesis ................................................................................................. 149

Check Point Software Technologies: Without a Box… Check! ........................... 171

Key Charts .............................................................................................................. 174

Company Positives ................................................................................................. 175

Company Negatives ................................................................................................ 182

Valuation ................................................................................................................. 188

5 September 2017

Cybersecurity 3

Appendices 195

Appendix I: The HOLT® Framework ....................................................................... 195

Cash Flow Return on Investment (CFROI®) ........................................................... 195

HOLT Valuation ....................................................................................................... 197

Appendix II: Additional Drivers of Security Spending .......................................... 200

Regulation Is Catalyzing Action .............................................................................. 200

Attacks Move Down Market .................................................................................... 204

Connected Security ................................................................................................. 210

Appendix III: Who Are Those Guys?....................................................................... 212

Black Hats: Know Thy Enemy ................................................................................. 212

White Hats ............................................................................................................... 216

5 September 2017

Cybersecurity 4

How Are We Differentiated?

Primary Work the Key Drive of Our Differentiation

In formulating our counter-consensus firewall thesis and broader industry view, we have

engaged in differentiated primary data collection and leveraged Credit Suisse HOLT® to

sense check our conclusions:

■ Counter-Consensus: We present two highly anti-consensus stock calls, with

Underperform ratings on Palo Alto Networks and Fortinet. On FTNT, we are the only

Underperform rating, and on PANW, we are the second. On CHKP, 43% of analysts

have Outperform ratings, and we initiate with a Neutral rating.

■ Software SoundBytes: This report contains over 100 software SoundBytes:

anonymized quotes from our 50+ interactions with industry figures. These interactions

have been broad-based, from salespeople, resellers, and technical evangelists to

founders and CEOs (past and present) of start-ups, unicorns, and public companies.

In a sector in which data points are hard to come by, our proprietary SoundBytes offer

insight to what leaders and those with feet-on-the-street are seeing in the market and

envisaging for its future.

■ HOLT®: Using Credit Suisse HOLT, we back-stop and sense check our relative

valuation. We find HOLT to be reflective of our views, particularly CHKP's quality;

egregious stock-based compensation at PANW and FTNT; and high market-implied

expectations for PANW, both in terms of the top line and returns on capital.

■ Interviews: We include two interviews1 designed to shed some light on hard to

penetrate cybersecurity topics including what motivates hackers, how should hackers

collaborate with security professionals, and what should boards and senior leaders be

asking themselves about cybersecurity.

− Dr. Gráinne Kirwan: Chartered Psychologist and Lecturer in Cyberpsychology and

Forensic Psychology at Dun Laoghaire Institute of Art, Design, and Technology, to

better understand the psychology of cybercrime and how criminological and

forensic psychological theories explain what motivates and characterizes offenders.

− Keren Elazari: Senior Researcher at the Balvatnik Interdisciplinary Cyber

Research Center at Tel Aviv University and featured speaker at international events

including TED, RSA Conference, TEDMED, TEDx, DLD, DEFCON, NATO, and

WIRED. Objective: Better understand the evolution of the hacking community.

Figure 2: We present two highly counter consensus stock calls on PANW and FTNT

Source: Company data, Credit Suisse estimates

1 Kind thanks to Richard Kersley, the Credit Suisse Global Thematic Team and the Credit Suisse Research Institute for facilitating and providing these interviews

Underperform, TP$125Top disaggregation pick

Underperform, TP$33Top disaggregation pick

Neutral, TP$110Preferred Firewall Play

5 September 2017

Cybersecurity 5

Executive Summary

IT Security Is a Secular Theme

The modern day enterprise is first and foremost an agglomeration of digital assets that

demand defense. From a structural standpoint, the enterprise demand for protection

increases as a function of the following variables: (1) the volume of digitized data, (2) the

value of that data, and (3) the threat of its compromise. We believe each of these to be

increasing.

■ Volume: The volume of data continues to increase as connected devices proliferate

and the sensors they contain multiply; the data exhaust of an increasingly connected

society, unstructured data, is the key driver of data volume growth.

■ Value: We believe data to be a fundamental component of competitive advantage in

the information age and think both traditional and Big Data are increasing in their value

to the enterprise. The former is due to its undisruptable characteristics as a barrier to

entry, and the latter is due to the amplifying cycle of (1) data creation, (2) data storage,

(3) data transmission, and (4) data analytics.

■ Threat of Compromise: It stands to reason that as the volume and value of digital

assets grow, all else equal, the yield on cybercrime increases. However, should the

resultant increase in sophistication and deployment of threats be met with an

equivalent increase in defenses, it follows the number of successful breaches should

remain static. Our analysis supports a concerning conclusion: records lost to breaches

are rising exponentially and the sophistication and deployment of cybercriminals is

outpacing the defense; the bad guys are winning.

Figure 3: The Number of Records Lost to Data Breaches Is Increasing at an Exponential Rate

Source: Company data, Credit Suisse estimates.

100,000

1,000,000

10,000,000

100,000,000

1,000,000,000

10,000,000,000

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Hacking Accident Insider

ThreeWonga

PayAsUGym

Brazzers Snapchat

Clinton

campaign

Lynda

Dailymotion

Friend

Finder Network

River City Media

Syrian government

Minecraft

Mossack Fonseca

Mail.ru

Fling

Anthem

VK

TalkTalk

Slack

Sanrio

Adult Friend Finder

VTech

Premera

Experian

AshleyMadison

Voter Database

NASDAQ

AOL

Gmail

Sony

Korea Credit

Bureau

Home Depot

Ebay

Yahoo

Citigroup

Nintendo

Twitter Apple

Kissinger

Cables

Facebook

Yahoo Japan

Adobe

Tumblr

Yahoo

Medicaid

Apple

Massive Americanbusiness

hack

StratforSega

TexasState

Tricare

NHS

178.com

SonySteam

Sony PSN

AT&T

Gawker

BetfairJPM

Virginia Dept.

Of Health

RockYou!

US Military

Heartland

AT&T

RBS

Data Processors International GS Caltex

FNIS

Dai Nippon Printing

UK Revenue and Customs

TK / TJ Maxx

Hewlett Packard

KDDI

AOL

US dpt of Vet Affairs

Automatic Data Processing

Ameritrade Inc.

Citi

Cardsystems Solutions Inc.

AOL

Bell

Zomato

Expon. (Total Data Breaches)

5 September 2017

Cybersecurity 6

Cybercrime Is Costly to the Real Economy…

Studies place the annual cost of cybercrime in the range of $500bn, just under the global

cost of narcotic crime, and extracting roughly 15-20% of the Internet’s annual economic

value. In contrast, CISOs deemed the aggregate value of digital assets worthy of spending

~75bn on their defense in 2016.

We think the delta between cost to economy and spend is likely to narrow and expect

continued increases in the volume and value of data to drive an unabating cybercrime

wave. Combined, we believe these forces will drive sustained secular growth in security

software spending that will outpace prevailing forecasts of the market and industry

analysts alike.

Figure 4: Cybercrime Represents a Similar % of Global GDP as Drug Crime,

Piracy, and Car Crashes as Well as Just over Half That of Global Theft

Source: MIT Technology Review, Credit Suisse Research.

Additional Drivers of Secular Growth in Security Spending Include…

■ Regulation Catalyzing Action: We expect GDPR, billed as the largest change to data

privacy laws in 20 years, to catalyze a review of firms' security postures across the

spectrum. We imagine this will span governance, control, organization, processes,

sourcing, and technology.

■ Attacks Moving Down-Market: Blind, agnostic threats such as ransomware are

increasing the risk of cyber-attack for small and medium-sized enterprises. This space

has historically been an under-penetrated market segment but is now crowded and

price competitive.

■ Connectivity: Increased connectivity creates added risk exposure for corporations,

governments, and individuals. As a result, enterprises will need to invest in IT security

technologies to mitigate the potential cost of IT security incidents.

1.50%

1.20%

1.00%

0.90%

0.89%

0.80%

Pilferage

Transnational Crime

Car Crashes

Narcotics

Counterfeiting/Piracy

Cybercrime

5 September 2017

Cybersecurity 7

Securing the Cloud

Dissolution of the Network Perimeter

Traditional methods of IT delivery are internally oriented; applications run on an internal

datacenter and are accessed by a workforce sitting inside offices. The nature of this

architecture lends itself to a walled garden defense: build tall strong walls at the perimeter

and defend those walls carefully.

The cloud, being by its very nature distributed, dissolves the concept of network perimeter.

As workloads move out of data centers to cloud environments, it becomes less clear at

what point the bounds of the corporate network begin and where they end.

Figure 5: How We Conceptualize the Evolution of IT and Security Architectures

Source: Credit Suisse Research.

Internet

Internet

IaaS

PaaS

SaaS

On-Premise architechure1995-2005

Hybrid Cloudarchitechure2005-2015

Multi-cloud, cloud-first architechure2015- 2025

IaaS

Internet

SaaS

Perimeter Defined Security

Enterprise data is mainly stored in on-premise datacenters

Regional offices are connected

to HQ via hub-and-spokeEast-West traffic tends to

dominate North-South trafficThe workforce is internal, immobile and sedentary

Perimter centric hardware oriented security infrastructure Mostly everything sits behind the corporate firewall

Point Solution Security

Some enterprise data is stored on-premise, some in the cloud

Branches access cloud data via

backhauling to secure networkEast-West traffic and North-South

are equally importantThe workforce is increasingly mobile, there are more endpoints

Hardware and software oriented security infrastructureNetwork perimter less defined as cloud/mobility increasesPoint solutions addresses perimiter breaks for cloud and mobility

Cloud Defined Security

A majority of enterprise data is stored in the cloudRegional offices access enterprise

data via the cloudNorth-South traffic dominates East-

West traffic

The workforce is extremely mobile and multi-device is the norm

Software, rather than appliances, dominate the security infrastructureSecurity as a Service means

security is built into the edge of the network

5 September 2017

Cybersecurity 8

Security Spend unlikely to remain coalesced around the network

Historically enterprise security spending has focused on the network perimeter. This is well

exemplified by the success of the largest and most investible public cybersecurity plays –

Firewall vendors Check Point Technologies, Palo Alto Networks, and Fortinet.

Figure 6: Spend has historically coalesced around the perimeter, as reflected by

the cumulative market capitalization of the three key firewall vendors

Publically listed Firewall Vendors cumulative market capitalization

Source: Thomson Reuters Datastream, Credit Suisse Research

We believe many investors and industry analysts expect spend to continue to coalesce

around the network, and firewall to retain its relevance as an integral part of the security

stack. Gartner, for example, forecasts Network Security to grow 9% through 2020.

Figure 7: Industry analysts (and we believe the market) expects security spend

in the network and its perimeter to remain buoyant through 2020

Gartner market forecast CAGR to 2020

Source: Gartner, Credit Suisse Research

We believe agile IT requires a new agile security approach, and anticipate a reallocation of

spend away from the perimeter. In fact it already appears there is somewhat of a

disconnect between forecasted enterprise cloud spend (as a percent of total IT budget),

and enterprise spend on cloud security (as a percent of total security budget).

$0bn

$10bn

$20bn

$30bn

$40bn

1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016

Palo Alto Networks Fortinet Check Point

2%

4%

4%

6%

8%

9%

12%

Messaging security

Other security

Endpoint security

Web security

Identity and accessmanagement

Network security

Security and vulnerabilitymanagement

5 September 2017

Cybersecurity 9



Agile Compute Demands Agile Security

In our view, the new security paradigm should mirror the new cloud computing paradigm in

that it is (1) on-demand, (2) borderless, (3) without hardware, (4) consumption model pricing,

and (5) scalable. Traditional hardware approaches to security (appliances) fail on each of

these accounts. Appliances require capacity planning, aren’t on-demand or scalable,

are predicated on rigid hardware, and assume the existence of defined borders.

We think a sub-set of innovative vendors stand to benefit; as enterprises shift from

physical to virtual IT, whether public or hybrid cloud, the priorities become scalability,

managing who is granted entry in and dynamically protecting workloads. Ultimately, there

is a need to secure applications and data, and consumers of them, regardless of where

either resides. Security sub-sectors we expect will remain relevant include the following.

■ Security as a Service: We believe cloud-based security offerings that enforce policy

as an intermediary between the enterprise and the Internet via points-of-presence in

the network edge offer great promise to expand their capabilities to offer the entire

security stack as a service. Representative vendors include Zscaler, Cato Networks

Cloudflare, and Akamai.

■ Cloud Workload Protection Platforms (CWPP): Recognizing that server workloads

differ fundamentally from end-facing endpoints, CWPPs offer network segmentation,

traffic visibility, configuration and vulnerability measurement, application control, exploit

prevention, and memory protection. Representative innovators include vArmour, Illumio,

Dome9, CloudPassage, and Carbon Black.

■ Identity and Access: Once considered a mature market, we think identity will become

increasingly instrumental and something that many emerging cloud security vendors

will be wary of taking responsibility for themselves. Representative disruptive vendors

include Okta, CyberArk, SailPoint, BeyondTrust, and ForgeRock.

■ Security Analytics: Regardless of paradigm, we believe security event data still need

to be collected, stored, and correlated, and therefore we see security analytics as

architecture agnostic. We are positive on Splunk, having initiated with an Outperform

rating, $80 target price, representing 19% upside potential.

■ Application Security: If the programmatic code itself is well constructed without

vulnerabilities, the surface area for attack is greatly reduced. As application workloads

are increasingly transient, it is important security be embedded within the apps

themselves. We see value in companies such as CA’s Veracode, Qualys, and

WhiteHat Security.

7.1%

9.3%

11.8%

14.4%

17.0%

19.2%

6.7%7.8%

8.8%9.8%

10.6% 11.3%

0%

5%

10%

15%

20%

25%

2015 2016 2017 2018 2019 2020



5 September 2017

Cybersecurity 10

Ultimately, we would argue that should there be a current opportunity to, with a clean

slate, reimagine IT security in what is rapidly becoming a cloud-first world,

appliance-centric perimeter defense is unlikely to be the conclusion drawn. We therefore

wonder if the $11bn (forecast to rise to $16bn by 2020) network security market is ripe for

displacement.

Other Firewall Tailwinds to Slow

In addition to the overarching architectural challenges we believe face the firewall industry

as the world transitions to cloud, we consider five further meaningful headwinds to the

category:

■ Competition Is Set to Reaccelerate: A long-running theme has been easy

competitive wins for new entrants versus legacy competitors. Now that Juniper has no

share left to give, Cisco is getting its act together, and product parity is upon us, we

expect competition to meaningfully intensify.

Figure 9: Juniper Has Little Share Left to Donate Figure 10: Cisco Is Growing Security Rapidly

4Q rolling sum as share of total UTM and Firewall market Cisco Firewall & UTM y/y, quarterly, %

Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

■ Changing Dynamics in the Cloud: Cloud transitions mean short-term revenue

headwinds that hold value for investors in terms of greater Customer Lifetime Value

(CLTV). We are concerned network security investors are unprepared for a revenue

headwind, and moreover, we expect this transition to be deflationary. While transitions

that consolidate adjacencies can be price accretive, we worry that virtualizing firewall

disaggregates adjacencies and expect price pressure in the transition to a metered

model (greater price transparency, opportunity for better capacity utilization, and

lowered switching costs).

0%

10%

20%

30%

40%

50%

60%

70%

80%

2002 2004 2006 2008 2010 2012 2014 2016

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper 23%

-40%

-20%

0%

20%

40%

60%

2003 2005 2007 2009 2011 2013 2015 2017

5 September 2017

Cybersecurity 11

Figure 11: Virtualizing Firewall Disaggregates the

Combined Hardware/Software Model

Figure 12: Consuming firewall either by subscription

or on-demand reduces excess capacity

Traditional revenue model (not to scale, for illustrative purposes only) Conceptual traffic patterns and savings, for illustrative purposes only

Source: Credit Suisse Research Source: Credit Suisse Research

■ TAM Expansion Is Finite: The revenue preservation strategy of platforming is limited

by what remains to be consolidated onto the next-generation firewall and the ceiling for

consolidated product demand. We believe years of easy consolidation are likely at an

end and, therefore, so are the vendor benefits of feature consolidation: (1) TAM

expansion, (2) attach tailwind, (3) unit gravity. In addition, the relative scale of whatever

might be consolidated is much smaller than in the past due to the overall TAM having

already become significantly larger.

Figure 13: Many Point Solutions Have Already Been

Consolidated onto NGFW

Figure 14: UTM/NGFW already Accounts for in

Excess of 50% of the Security Appliance Market

Size of bubble represents size of TAM (not to scale, for illustrative purposes only)

Security appliance market share by revenues

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

■ SSL Decryption Is Not the Tailwind People Anticipate: Enterprises have been

upsizing to appliances with higher throughput in order to decrypt rising levels of SSL

encrypted traffic. We expect this tailwind to taper as the rate of increase in encrypted

traffic decelerates. Furthermore, we expect an increasing amount of decryption to be

done off-box by visibility appliances available from the likes of Gigamon and

Metronome (now Symantec).

2 3 4 51

Maintenance/support

Subscription

Year

Hardware

portion

of product

Up

-fro

nt

pro

du

ct

co

st

Jan Jan Mar Apr

Saved in Subscription pricing model

Saved in cloud virtual pricing model

Number of features

consolidated

Time

Core

Firewall

Core

Firewall

& VPN

Core

Firewall

& VPN

& WAF

Core

Firewall

& VPN

& WAF

& IDP

Core Firewall

& VPN

& WAF

& IDP

& AV

& DLP

Unified Threat Management (includes Next

Generation Firewall)

VPN

Content Management

IPS

Firewall

52%

16%

12%

18%

5 September 2017

Cybersecurity 12

Figure 15: Around 75% of browsing time is spent on

SSL encrypted sites on Chrome

Figure 16: The Majority of Traffic Occurs Within the

Same Datacenter and Doesn't Require Encryption

Chrome browsing patterns Traffic distribution

Source: Google, Credit Suisse estimates. Source: Cisco VNI, Credit Suisse estimates.

■ Shifting Spend from Protection to Detection and Response: As enterprises have

been conditioned to accept the inevitability of breaches despite investment in

protection, there has been a shift in security budgets to detection and remediation

capabilities. We expect that this shift continues and will be a disproportionate headwind

for network security players despite many having elements of detection and response

in their portfolios.

Figure 17: Enterprise Security Spend Shifting

Rapidly to Detection & Response

Figure 18: EDR Market Forecast to Grow ~17x the

EPP Market

% of Enterprise IT Security Budget Dedicated to Detection & Response

Endpoint Detection and Response (EDR) market vs Endpoint Protection Market (EPP)

Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research. Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research.

70%73%

75%78%

81%83%

45% 46%

54%57%

60%57%

66%68%

71% 70%74%

30%

40%

50%

60%

70%

80%

90%

Mar '15 Jul '15 Nov '15 Mar '16 Jul '16 Nov '16 Mar '17 Jul '17

Percentage of pages loadedover HTTPS in Chrome

Time spent browsing SSLencrypted sites on Chrome

Data center to user

Data center to data center

Within data center

14%

9%

77%

10%13%

18%23%

30%

39%

50%

60%

0%

10%

20%

30%

40%

50%

60%

70%

2013 2014 2015 2016 2017 2018 2019 2020

2013-2020 CAGR = 29.2%

3,166 3,249 3,333 3,420 3,509 3,600

238 640 797 9931,236

1,540

0

1,000

2,000

3,000

4,000

5,000

6,000

2015 2016 2017 2018 2019 2020

EPP

EDR

5 September 2017

Cybersecurity 13

Stock Calls

Ratings Driven by Negative Category View

Given our negative category view is a significant driver of our stock ratings, PANW

(Underperform, TP:$125, 14% downside), FTNT (Underperform, TP:$33, 14% downside),

CHKP (Neutral, TP:110, 1% downside), we have attempted to contextualize the exposure

to each headwind that results in heterogeneous risk.

This analysis highlights the differentiated exposure to each risk factor. On an aggregated

basis, we believe Check Point to be the best positioned, and Fortinet the worst, to deal

with the sector headwinds we have isolated.

Figure 19: Relative Exposure to Sector Risks


Substantial Nuance in Firewall Valuation

Broad conclusions from our deep-dive, holistic valuation work are as follows:

■ PANW Looks Misleadingly Cheap: On EV/UFCF, both Palo Alto Networks and

Fortinet appear inexpensive. Given higher relative growth expectations for PANW &

FTNT, the fact they trade in-line with CHKP is optically attractive. However, adjusting

out SBC (broadly accounting for the fact some cash would have had to have paid in

lieu of stock to retain talent) and adjusting for the change in LT deferred revenue

shows FTNT and particularly PANW to be more expensive than CHKP.

■ Only CHKP Trades on an Earnings Multiple: Looking at income statement multiples,

particularly non-GAAP P/E, reveals only CHKP to be trading within a reasonable range

on P/E, while both PANW and CHKP trade on revenues and cash flows.

■ Recurring Revenues Favor Fortinet: Fortinet is attractive on a recurring revenue

basis. While we think of recurring revenue multiples as more reflective of floor value

than intrinsic value, recurring revenues provide more support to FTNT than either

PANW or CHKP.

Check Point Palo Alto Networks Fortinet

CHKP PANW FTNT

Architectural Shift to Cloud ◔ ◑ ◕

Cisco increasingly competitive ○ ◕ ◑

Juniper has little share left to give ○ ● ◔

Cloud transitionary headwinds ◔ ◑ ◑

TAM expansion ◑ ◑ ●

Competition in the mid market ◑ ○ ●

Carrier Exposure ◔ ◑ ●

Total ◔ ◑ ◕

Who is best equipped to deal with…

5 September 2017

Cybersecurity 14

Figure 20: Valuation Matrix


NTM CY18 NTM CY18 NTM CY18

Cash Flow Statement Multiples

EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x

EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x

EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x

EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x

Income Statement Multiples

EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x

EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x

Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x

GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x

EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x

Absolute Valuation AnalysisCHKP PANW FTNT

Absolute Valuation Analysis



EV/UFCF 13.0x 12.5x 11.6x 10.6x 14.5x 12.7x





EV/Sales 7.0x 6.7x 4.7x 4.3x 3.2x 2.9x



GAAP P/E 21.3x 20.1x -48.2x -46.9x 70.7x 60.0x

Recurring Revenue Multiples


EV/Subscription Revenue 25.9x 23.2x 14.0x 13.4x n/a n/a

EV/Maintenance Revenue 16.9x 16.7x 16.5x 15.2x n/a n/a

CHKP PANW FTNT

5 September 2017

Cybersecurity 15

PANW: Our Take on the Key Debates Initiating Coverage with Underperform Rating and $125 Target Price

Despite being one of the most disruptive innovators of the security industry, we believe

investors are overly optimistic regarding Palo Alto Networks’ ability to sustain above-

market top-line growth rates. We believe this is a great company with great management

but not a great stock at current levels.

Key Debates:

■ How Long Can PANW Outgrow the Market? At present, consensus expectations call for

PANW to outgrow the firewall market by a factor of 2x. Can this be sustained at scale?

■ How Big of a Growth Driver Can Subscription & Support Be? With a compelling

platform strategy, subscription is an important revenue driver. As share gains contribute

less at scale, how large is the attached and unattached subscription opportunity?

■ How Material Is the Refresh Opportunity? Management guidance and model

mechanics point toward a refresh opportunity in 2H17 and FY18. We think sizing this

opportunity is an important debate for investors.

Our Takes:

■ Growth Expectations Are Too Optimistic: Past performance isn’t an indicator of future

success. We think PANW enjoyed a perfect storm of tailwinds as it grew; now these

tailwinds are abating, or becoming headwinds. In addition, PANW appears highly exposed

to the sector headwinds (architectural and otherwise) we believe face firewall incumbents.

■ Remaining Subscription Headroom Unclear: Attached products (e.g., Global Protect,

WildFire) appear highly penetrated, but there remains headroom for unattached. However,

we think subscription is largely tied to physical box sales, and unattached is too small to

move the needle.

■ The Refresh Cycle Is Less Supportive than Some Presume: We think the refresh cycle

is potentially less of a support (20-30% vs 50% of product) than some in the market

believe and believe a bull case constructed off the refresh dynamic to be overly optimistic.

Risks to Our Takes:

■ Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity

and has showed willingness to deploy it in a transformational manner when reportedly

bidding upward of $3 billion for Tanium in fall 2015.

■ Strength and Resilience of Financial Model: The overall execution of the transition to a

subscription-based model may prove more successful than anticipated and could provide

access to the >$8 billion CLTV expansion opportunity that management estimates.

■ Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could

become a potential target for a strategic buyer seeking to consolidate the market.

Estimates:

■ Revenue and EPS: We forecast FY18E/FY19E revenue growth at 21%/17% vs the

consensus at 22%/19% and EPS of $3.29/$4.09 vs the Street at $3.30/$4.12.

■ Cash Flow: We forecast 7.5% FCF 10 year FCF CAGR through 2027E.

■ Refresh Cycle: We model a ~5.5 year refresh cycle.

Valuation: ■ DCF: Our $125 target price is based on our DCF analysis, implying 15% downside and

20x post-tax SBC adjusted EV/uFCF (CY2019) vs CHKP at 16x and FTNT at 18x.

5 September 2017

Cybersecurity 16

Key Charts

Figure 21: PANW Benefited from a Perfect Storm of

Factors and Has Taken Substantial Market Share…

Figure 22: ...The Market Expects PANW Billings to

Continue to Outgrow Competitors and the Market …

Source: IDC, Credit Suisse Research. Source: Factset, Credit Suisse Research.

Figure 23: …However, Management Guidance

Implies Its Refresh Cycle Has Lengthened…

Figure 24: …Refresh Cycle and Rate Assumptions

Sensitivity Show Diminished Refresh Opportunity…

Source: Company Management, Credit Suisse Research. Source: Credit Suisse Research.

Figure 25: …The Tailwind from Support Is

Challenging to Increase at the Same Rate… Figure 26: …with Valuation Highest (Adj. for SBC)

Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse estimates.

0%

20%

40%

60%

80%

2002 2006 2010 2014

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper

0%

10%

20%

30%

40%

50%

60%

70%

80%

Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018

PANW CHKP FTNT

2

3

4

5

6

7

8

2013 2014 2015 2016 2017 2017

Refresh cycle guidance range

Midpoint

Refresh rate assumption (% )

80% 85% 90% 95% 100%

4.038% 40% 42% 45% 47%

4.531% 33% 35% 37% 39%

5.027% 29% 30% 32% 34%

5.523% 25% 26% 28% 29%

6.019% 21% 22% 23% 24%

6.515% 16% 17% 17% 18%

7.09% 10% 11% 11% 12%

Ave

rage

Ref

resh

(y)

30%

35%

40%

45%

50%

2008 2009 2010 2012 2013 2015 2016

FTNT PANW CHKP

14.9x12.2x 13.8x

16.4x19.2x

37.8x

0x

10x

20x

30x

40x

CHKP FTNT PANW

EV/UFCF, NTM

EV/UFCF Adjusted for SBC, NTM

5 September 2017

Cybersecurity 17

FTNT: Our Takes on the Key Debates Initiating Coverage with Underperform Rating and $33 Target Price

We respect Fortinet as an innovative vendor that provides exceptional products and an

integrated platform offering few competitors can match. Successes in hardware, however,

may not translate into the cloud, and FTNT faces the most risk from sector headwinds.

Key Debates:

■ Is Exposure to SMB a Positive? The SMB market is growing rapidly as agnostic attacks

threaten SMBs more than ever (e.g., ransomware) and regulation enforces greater

controls and accountability (GDPR for instance). Is FTNT's exposure here attractive?

■ How Does Competitive Advantage Translate to Cloud? As the virtual form factor

becomes an increasingly important method of consumption, debates surround whether

FTNT will retain its silicon-based competitive advantage in the cloud.

■ Is Carrier Market Exposure a Blessing or Curse? FTNT's success in the carrier market

has been a blessing in the past, while now investors are debating if this will continue.

Our Takes:

■ Despite Growth, Competitive Pressures Render SMBs Unattractive: In addition to

lower renewal rates, the SMB market is increasingly fragmented and competitive, and we

think these dynamics apply pricing pressure to vendors operating in this end of the market.

■ Silicon Isn’t a Competitive Advantage Anymore: We struggle to see how the

competitive advantage bestowed by superior silicon can be sustained as successfully in

the cloud.

■ Carrier Market Rapidly Virtualizing: We are concerned FTNT's ~20% carrier billings may

mature into a curse. Our field conversations underline that the carrier market is virtualizing

rapidly, and we think this may cannibalize appliance demand.

Risk to Our Takes:

■ Legendary Leadership: We view the dual leadership of Fortinet by Ken and Michael Xie,

CEO and CTO, respectively, to be a key strength. Given the brothers' track record of

disruptive innovation in the space, we don’t count out their ability to re-adapt FTNT's

strategy beyond the successful formula of the past five years.

■ Transformative M&A: We estimate FTNT could deploy as much as $4bn for

transformative M&A, albeit lower than peers (60% less than CHKP and 20% less than

PANW). This still represents non-trivial balance sheet capacity.

■ Becomes a Strategic Target: Given its relatively small market cap, FTNT could

represent a potential target for a strategic buyer. recognize

Estimates:


consensus at 17%/15%, with EPS of $0.94/$1.10 in FY17E/ FY18E vs Street estimates at

$0.95/$1.14.

Valuation: ■ DCF: Our discounted cash flow analysis yields a target price of $33, implying 14%

downside risk and an FY18E EV/uFCF (SBC adj.) of 13.5x.

■ Relative Valuation: Expensive on an absolute basis but less so once adjusted for

growth, we think of PANW as in between CHKP (best) and PANW (worst) on valuation.

5 September 2017

Cybersecurity 18

Key Charts

Figure 27: Highly Exposed to the SMB Market… Figure 28: ...Which Remains the Most Competitive

Fortinet 2016 Revenue Exposure by server class Herfindahl-Hirschman Index, 4Q moving average


Figure 29: FTNT Most Exposed to Sector Risks…. Figure 30: …with an Elongating Refresh Cycle

US$ in millions, unless otherwise stated US$ in millions, unless otherwise stated


Figure 31: Less Balance Sheet Capacity… Figure 32: …Valuation in Middle vs Firewall Peers

US$ in millions, unless otherwise stated EV/uFCF adjusted for SBC, and Non-GAAP P/E


High-end

Midrange

Volume

20%

24%56%

FTNT

0.00

0.05

0.10

0.15

0.20

0.25

2002 2005 2008 2011 2014

High-end

Midrange

Volume


CHKP PANW FTNT








Total ◔ ◑ ◕

Who is best equipt to deal with…

5%

10%

15%

20%

25%

30%

35%

2008 2010 2012 2014 2016

4 years

4.5 years

5 years

5.5 years

6 years

6.5 years

7 years

$9.9bn

$5.4bn

$4.0bn

$0bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

CHKP PANW FTNT

16.4x19.2x

37.8x

20.5x

38.8x

44.2x

0x

10x

20x

30x

40x

50x

CHKP FTNT PANW

EV/uFCF Adjusted for SBC, NTM

Non-GAAP P/E, NTM

5 September 2017

Cybersecurity 19

CHKP: Our Take on the Key Debates Initiating Coverage with a Neutral rating and an $110 Target Price

While we view transitionary challenges as a negative influence on the category as a whole,

Check Point excels over peers in nearly every major identifiable headwind and is thus our

preferred firewall play.

Key Debates:

■ Is the Product Line-up Competitive? How does Check Point's solution stand up to those

of PANW, which has aggressively grown share?

■ Where Are Margins Heading? While Gross Margins have held up, operating margins

have been trending downward since 2012, with sales & marketing spend rising.

■ How Prepared Is CHKP for the Architectural Shift? As security shifts from physical

appliances to virtual ones, uncertainty surrounds the scalability and performance of legacy

security companies and their products in cloud architecture.

■ What’s the Value of CHKP’s Substantial Idle Cash Balance? CHKP’s total cash &

equivalents are 20% of its market cap, which, undistributed or reinvested, may appear to

be lost opportunity for greater returns.

Our Take:

■ Recognized Offerings, with a Fully Integrated Management Console: We believe

Check Point's solutions in the Enterprise Network Firewall and UTM space are among the

best, while CHKP management console's ability to implement a unified policy across the

entire infrastructure provides a point of differentiation against rivals.

■ Margins Are Optimized: While we recognize management's long-term value creation and

superlative discipline against competitive pricing pressures, we see Check Point's margin

structure at peak and see limited opportunities to expand it further.

■ Management Has Adapted Successfully in the Past: We take confidence in the fact that

CHKP already transitioned from software to hardware in the mid-2000s, and we believe

that the experience will prove advantageous in the reverse as the industry moves away

from hardware and toward cloud-based solutions.

■ Large Acquisition Capacity Will Be Major Strategic Advantage: We estimate CHKP

has $9.7 billion of total firepower (2.3x FTNT’s capacity and 1.8x PANW’s), which we

believe is strategically significant.

Risks:

■ Successful Transition Not Guaranteed: Strong management notwithstanding, CHKP

has ceded 337bps of market share since its peak in 2012 of ~12%.

■ Management May Be Conservative with Cash: We note that management has

amassed a cash pile and not yet unleashed it for transformative acquisitions, which might

indicate conservativeness and unwillingness for relatively large deals.

Estimates:

■ Revenue: We forecast FY17E/FY18E revenue growth at 7.5%/7.5% vs the consensus at

7.5 %/7.0%, respectively.

■ EPS: We forecast FY17E/18E EPS of $5.18/$5.66 in-line with Street estimates at

$5.18/$5.67, respectively.

Valuation: ■ DCF: Our discounted cash flow analysis suggests a target price of $110, implying 1%

downside potential and 14.5x EV/uFCF (2018).

5 September 2017

Cybersecurity 20

Key Charts

Figure 33: CHKP Has Lost Share Since 2012… Figure 34: ...but Margins Have Remained High

4Q rolling sum as share of total UTM and Firewall market Reported Adjusted Operating margin

Source: IDC, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Figure 35: Better Placed for Sector Risks Figure 36:Significant Cash Balance

Exposure to Sector Headwinds Cash (onshore and offshore) as a % of market capitalization


Figure 37: Balance Sheet Can Be Unleashed.. Figure 38: …Valuation Cheapest vs Peers

Assuming 3x leverage, Balance Sheet capacity vs Peers Valuation Analysis on EV/FCF basis


0%

10%

20%

30%

40%

50%

60%

70%

80%

2002 2004 2006 2008 2010 2012 2014 2016

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper

45%

50%

55%

60%

65%

2003 2009 2015

Adjusted operating margin


CHKP PANW FTNT








Total ◔ ◑ ◕


4%

14%

18%

20%

23%

27%

29%

44%

0% 10% 20% 30% 40% 50%

Qualcomm Inc

Alphabet Inc

Intel Corp

Microsoft Corp

Check Point

Oracle Corp

Apple Inc

Cisco Systems Inc

$9.9bn

$5.4bn

$4.0bn

$0bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

CHKP PANW FTNT

14.9x12.2x 13.8x

16.4x19.2x

37.8x

0x

10x

20x

30x

40x

CHKP FTNT PANW

EV/UFCF, NTM


5 September 2017

Cybersecurity 21

Structural Thesis

Cybersecurity is Secular Growth Data Are of Enormous Value, and Thus Deserving of Expensive Protection

This is not a new phenomenon; consider the Domesday book2, the perceived value of the

data it contained was such that when not travelling with the King, it was housed in the

royal treasury in Winchester, arguably the most secure location in the British Isles. Later it

was kept in an iron clad chest with three locks, the keys to which were divided amongst

three officials such that its opening required mutual consent.

As data have increasingly become stored in soft, rather than hard form, the security

surrounding it has naturally moved from physical walls and guards to their digital

equivalent. A digitized Domesday book should exist encrypted and backed up in a

hardened Oracle database with security controls activated, in a server located behind a

NGFW, segmented from east-west traffic on the corporate network via internal firewalls,

separate from the web server (which itself should be protected with a WAF to protect

against the injection of SQL queries), there should be honeypots to throw off potential

attackers and a full-time security monitoring team should be ensuring the health of the

network at all times.

Of course, the point is that the modern day enterprise is an agglomeration of digitized

assets, and is therefore in need of protection. From a structural standpoint, the enterprise

demand for protection increases as a function of three variables: (1) the volume, (2) the

value of digitized data, and (3) the threat of its compromise.

In 2016, CISOs deemed the aggregate value of digital assets such that c$75bn was spent

on its protection.3 We are of the view that continued increases in the volume and value of

data and an unabating cybercrime wave drive a secular increase in Security Software

spending that will outpace the prevailing forecasts of the market and industry analysts.

Figure 39: IDC Forecast IT Security Vendor Revenue to Grow 7.6% Through 2020

Source: Gartner, Credit Suisse Research

2 A manuscript comprising a great inventory of England and Wales commissioned by William I and completed in 1086. The Saxon Chronicle explained this exhaustive 'great survey' 'there was no single hide, nor yard of land nor indeed … one ox nor one cow nor one pig which was there left out, and not put down in his record.'

3 IDC Semiannual Security Spending Guide, Oct 12; includes software, hardware and services

6,713

11,297

16,072

7,715

8,652

10,064

2,889

5,914

9,141

3,618

5,410

7,471

1,738

2,190

2,732

2010 2016 2020

Messaging

Security

Web

Security

Identity and Access

Management

Security and

Vulnerability

Endpoint

Security

Network

Security

1.7%

5.7%

8.4%

11.5%

3.9%

9.2%

$26,663m

$36,240m

$48,525m 2016-2020 CAGR

7.6%

5.9%

5 September 2017

Cybersecurity 22

Data Are Increasingly Valuable to the Firm

Increasingly, the firm's most valuable asset is its data. As recognition of this continues to

take hold, we think firms will measure the value of their data more rigorously, learning not

only it is more valuable than they currently perceive but also that it is increasing in value

more rapidly than they appreciate. A greater enterprise understanding of the value of its

data assets will result, we think, in greater propensity to spend on its protection.

CEO Ginni Rometty of IBM eloquently connected data and cybercrime earlier this year at

the Security Summit in New York, where she said, “We believe that data is the

phenomenon of our time. It is the world’s new natural resource. It is the new basis of

competitive advantage, and it is transforming every profession and industry. If all of this is

true – even inevitable – then cybercrime, by definition, is the greatest threat to every

profession, every industry, every company in the world."

The HBR agree, describing most modern organizations as data-driven to some degree

and seeing data becoming 'a centerpiece of corporate value creation more generally' (Do

you know what your company's data is worth? HBR). We believe there are two common

components to a company's data assets:

■ Traditional Data: Customer lists, patents, budgets, plans, ideas, and other IP: these

are data that for the most part existed in hard form prior to the information age, and

have now been digitized. As a rule of thumb, we think about this as being stored in

legacy databases, analyzed using legacy tools, and creating value in traditional ways.

The IP traditional data represent are increasingly valuable. We believe that barriers to

compete are decreasing across the spectrum as a result of a confluence of disruptive

factors, not least the agility of cloud architecture and level of connectivity enabling

immense scalability. Consider IHG and Airbnb. Originally founded in 1777, the

multinational hotel group IHG operates c770k rooms globally, while Airbnb was founded in

2008 and lists in excess of 2m. In our view, proprietary IP represents an undisruptable

barrier, and therefore, against a background of decreasing barriers to compete, IP will

increase in value.

■ Big, Fast Data: Consider the rising volume of data (both structured and unstructured)

coupled with improving availability and ability of tools to store, analyze, and ultimately

monetize larger and larger amounts of data. We think about this as data existing as a

result of digitization; it’s the digital exhaust of the information age.

We define Big Data simply as datasets so large and unstructured that their storage,

management, and analysis is beyond traditional databases and tools. We believe the

amplifying cycle of (1) data creation, (2) data storage, (3) data transmission, and (4) data

analytics maps onto the determinants of Big Data value. We believe this virtuous data

cycle as one of the most unifying themes across the global technology space.

Figure 40: The Virtuous Cycle of Big Data Figure 41: Big Data Value Determinants

Source: Credit Suisse Research. Source: Gartner, IBM, Credit Suisse Research.

Data Creation

Data Storage

Data Transmission

Data Analytics

The Virtuous Cycle of

Big Data

Volume Variety

VeracityVelocity

Big Data

VALUE

Scale/amount

of data

Analysing

streaming data

Data

uncertainty

Different forms

of data

https://hbr.org/2016/09/do-you-know-what-your-companys-data-is-worth

https://hbr.org/2016/09/do-you-know-what-your-companys-data-is-worth

5 September 2017

Cybersecurity 23

Putting this virtuous cycle another way, as data storage and management follows Moore's

law to increasing affordability, the necessary yield from analysis of that data to justify its

storage decreases; as analytics become more advanced, and transmission faster, the

insight yield gained from the data increases while the exponential increase in data creation

supports an ever expanding pool of potential insight. Therefore, at its most fundamental,

the value proposition to the enterprise of Big Data-derived insights increases as

infrastructure costs decline, the amount of data grows and analytics improves.

Figure 42: Forecast Growth in

Connected Devices

Figure 43: Unstructured Data Growth

Greatly Outpaces Structured Data

Source: Company Data, Credit Suisse Research. Source: Oracle, ESG Digital, Credit Suisse estimates.

We thus believe two of the three key determinants of enterprise demand for protection, the

volume and value of digitized data, are rapidly growing. In addition, we believe the third

determinant, threat of compromise, is also increasing.

Unstructured Data Growth 15bn +11% 28bn

M2M: Non-cellular 2.6 +27% 10.7

M2M and consumer electronics; cellular 0.4 +25% 1.5

Consumer electronics; non-cellular 1.6 +12% 3.1

PC/laptop/tablet 2.4 +3% 2.8

Mobile phones 7.1 +3% 8.7

Fixed phones 1.3 +1% 1.4

2015 2021

Growth of Data

Driven by Unstructured Data

300 Exabytes

12%Structured Data

88%Unstructured Data

80Exabytes

2013 2015

5 September 2017

Cybersecurity 24

The Cyber Crime Wave Continues Unabated

It stands to reason that as the volume and value of digital assets grow, all else equal, the

yield on cybercrime increases. On the dark web, you can sell 100 credit card records for

more than you can ten, and the greater the value of data encrypted, the higher the

ransomware victims marginal propensity to pay for decryption.

Of course there are additional variables, including the sophistication and deployment of

threats and defenses. Should both of these rise in lockstep with the growth in volume and

value of digital assets, it follows that the amount of successful breaches will remain static.

However, upon examination, available data support a concerning conclusion:

sophistication and deployment of cybercriminals is outpacing the defense; the bad guys

are winning.

Figure 44: The Number of Records Lost to Data Breaches Is Increasing at an Exponential Rate


We make the following key observations: (1) the absolute number of records breached

appears to be increasing at an exponential rate, (2) which is driven by a 21% CAGR

increase in successful data breaches4 since 2011 that is accelerating (up 40% from 2015

to 2016), and (3) hacking, skimming, and phishing are behind this rapid increase (up 105%

from 2015 to 2016). The balance of power appears heavily tilted toward the offense, and

we continue to live in the midst of a cybercrime wave.

4 'The Identity Theft Resource Center (ITRC) defines a data breach as an incident in which an individual name plus a Social

Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of compromised records included in the cumulative total.'

100,000

1,000,000

10,000,000

100,000,000

1,000,000,000

10,000,000,000

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Hacking Accident Insider

ThreeWonga

PayAsUGym

Brazzers Snapchat

Clinton

campaign

Lynda

Dailymotion

Friend

Finder Network

River City Media

Syrian government

Minecraft

Mossack Fonseca

Mail.ru

Fling

Anthem

VK

TalkTalk

Slack

Sanrio

Adult Friend Finder

VTech

Premera

Experian

AshleyMadison

Voter Database

NASDAQ

AOL

Gmail

Sony

Korea Credit

Bureau

Home Depot

Ebay

Yahoo

Citigroup

Nintendo

Twitter Apple

Kissinger

Cables

Facebook

Yahoo Japan

Adobe

Tumblr

Yahoo

Medicaid

Apple

Massive Americanbusiness

hack

StratforSega

TexasState

Tricare

NHS

178.com

SonySteam

Sony PSN

AT&T

Gawker

BetfairJPM

Virginia Dept.

Of Health

RockYou!

US Military

Heartland

AT&T

RBS

Data Processors International GS Caltex

FNIS

Dai Nippon Printing

UK Revenue and Customs

TK / TJ Maxx

Hewlett Packard

KDDI

AOL

US dpt of Vet Affairs

Automatic Data Processing

Ameritrade Inc.

Citi

Cardsystems Solutions Inc.

AOL

Bell

Zomato

Expon. (Total Data Breaches)

http://www.idtheftcenter.org/

5 September 2017

Cybersecurity 25

Figure 45: Successful Breaches Are Increasing at

an Accelerating Rate, Up 40% from 2015 to 2016…

Figure 46: … Primarily by Breaches Due to Hacking

/ Skimming / Phishing, Up 105% from 2015 to 2016

Total number of breaches Breaches by cause, %

Source: ITRC Breach Statistics 2005-2015, Credit Suisse Research. Source: ITRC Breach Statistics 2005-2015, Credit Suisse Research.

How Much Does Cybercrime Cost the Real Economy?

In aggregate, several studies have pegged the cost of cybercrime at around half a trillion

USD per annum5. This extraordinary number is roughly 0.8% of global GDP, only 10bps

less than the annual cost of narcotic crime, and extracts roughly 15-20% of the annual

economic value generated by the Internet (estimated at 2-3trn annually).

Perhaps more extraordinary than the current cost is a recent report6 suggesting that, by

2019, data breaches will cost $2.1trn, a quintupling from today.

Figure 47: Cybercrime Represents a Similar % of Global GDP as Drug Crime,

Piracy, and Car Crashes as Well as Just over Half That of Global Theft

Source: MIT Technology Review, Credit Suisse Research.

According to Gartner, the global market for IT security software, hardware, and services

reached approximately $76 billion in 2015. Although this level of spending has increased

meaningfully in recent years, $76 billion in annual spending accounts for less than 20% of

the $400 billion in total damage inflicted from hackers each year, a price most people,

companies, and governments are willing to pay.

As a result, we expect the increase in IT security spending to continue to outpace overall

IT budget growth, given these solutions can reduce the potential financial losses stemming

from breaches of critical systems and the loss of valuable data and information.

5 Net Losses: Estimating the Global Cost of Cyber Crime (see here)

6 The Future of Cybercrime & Security: Financial and Corporate Threats & Mittigation (see here)

157

321

446

656

498

662

421471

614

783 781

1,093

0

200

400

600

800

1,000

1,200

2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

0%

20%

40%

60%

80%

100%

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Hacking / Skimming / Phishing

Insider Theft

Data on the Move

Accidental Email /Internet

Other

1.50%

1.20%

1.00%

0.90%

0.89%

0.80%

Pilferage

Transnational Crime

Car Crashes

Narcotics

Counterfeiting/Piracy

Cybercrime

https://www.mcafee.com/de/resources/reports/rp-economic-impact-cybercrime2.pdf

https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion

5 September 2017

Cybersecurity 26

Which Country Gets Hacked the Most?

As indicated in research from security firm mi2g Intelligence, the United States is the most

hacked country in the world, and the scale of international theft of U.S. intellectual property

(IP) alone is unprecedented and is estimated at hundreds of billions of dollars per year, in

the order of the size of U.S. exports to Asia.

On September 24, 2015, Chet Nagle, a former CIA agent and current vice president of M-

CAM, wrote an article in the Daily Caller, stating, “At FBI headquarters in July, the head of

FBI counterintelligence, Randall Coleman, said there has been a 53% increase in the theft

of American trade secrets, thefts that have cost hundreds of billions of dollars in the past

year. In an FBI survey of 165 private companies, half of them said they were victims of

economic espionage or theft of trade secrets—95% of those cases involved individuals

associated with the Chinese government.”

The effect of IP theft is twofold:

■ Lost Revenue: Rewards that should have accrued to innovators, or those who have

purchased licenses to provide goods and services based on them, as well as of the

jobs associated with those losses, and,

■ Incentive Misalignment: Illegal theft of intellectual property undermines both the

means and the incentive for entrepreneurs to innovate, which could slow the

development of new technologies and industries.

How Much Does Cybercrime Cost the Enterprise?

Perhaps more digestible than big numbers is to think about the average cost per breach to

the enterprise. Studies such as the Ponemon Institute's Cost of Data Breach survey show

the average breach cost to be around $4m, comprised of detection, response, notification,

and (the lion's share) lost business.

Figure 48: A Breach Costs an Average of $4m

Source: Ponemon Institute 2016, Credit Suisse Research.

It’s interesting to note the substantial regional skew; the average breach in the United

States costs more just in lost business costs than the aggregate average breach in the

United Kingdom. Globally, the average data breach costs $160k in notification costs, just

over $1m for ex-post response, just over $1m for detection and escalation, and c$1.5m in

lost business costs.

7.01

5.01 4.984.72 4.61

3.95

3.31 3.27

2.491.93 1.87

1.6

US

A

Ger

man

y

Can

ada

Fra

nce

Mid

dle

Eas

t

UK

Japa

n

Italy

Aus

tral

ia

Bra

zil

Sou

th A

fric

a

Indi

a

Notification costs

Ex-post response costs

Detection and escalation

Lost business costs

5 September 2017

Cybersecurity 27

Ponemon annual survey data are consistent with our thesis that as the value of data

continues to increase, the costs of breaches are rising (up 29% to $4m in 2016 from

2013). Also consistent with our thesis that data volume is also increasing, per capita cost

increased 15% from 2013, implying the average number of records breached is

increasing.

Encouragingly, however, it appears that the organization can take steps that have a

measurable impact on the cost of cybercrime. Research by the Ponemon Institute

suggests that good security practices, such as appointing a CISO, having an incident

response team in place, and using encryption reduce the average cost per compromised

record.

Figure 49: Organizations Can Take Actions to Reduce the Cost of Breaches

Degree to which the cost per data record breached is decreased by…

Source: Ponemon Institute 2016, Credit Suisse Research.

Why Are the Attackers Winning the Cyber War?

We think a war is won by the weapons used (think of the atomic bomb), or as a result of

the landscape changing (think of the Germans dealing with the onset of Russian winter on

the Eastern front). The cyber war is no different, except the weapons are in bits and bytes

and the landscape is the IT architecture. In our view, the cyber arms race is being won by

cybercriminals, and the shifting landscape increases the cyber-attack surface they can

target.

■ Weapons Arms Race

Simply the fact that attacks are increasing in size and frequency even as security spend

increases implies malicious innovation is outpacing benevolent innovation. We think a

confluence of factors are contributing to the success of cybercrime:

− Increasing Yield Translates to Increasing Sophistication: We believe the value

of volume of data is increasing, meaning the yield on investment in malicious

innovation is rising. We think this results in enhanced investment, increasing the

volume of attempted attacks (Symantec witnessed a two-fold increase in attempted

attacks against IoT devices over 2016, and at times of peak activity, the average

IoT device was attacked once every two minutes) and increasing attack

sophistication. (In-memory attacks are rapidly increasing in incidence.)

9%

8%

4%

3%

3%

2%

-3%

-3%

-4%

-4%

-5%

-6%

-6%

-6%

-8%

-10%

Third party involvement

Extensive cloud migration

Rush to notify

Lost or stolen devices

Consultants engaged

Provision of ID protection

Insurance protection

Data classification schema

Board-level involvement

CISO appointed

Extensive use of DLP

BCM involvement

Participation in threat sharing

Employee training

Extensive use of encryption

Incident response team

Average cost per breached record:

$158

Average cost decreased

Average cost increased

5 September 2017

Cybersecurity 28

− Barriers to Entry Decreasing: The cost of developing code and technology to

mount attacks has fallen from millions of dollars to the tens of thousands; this

significantly reduces the barriers to entry for conducting such attacks. Internet

security firm Trend Micro reports this trend in its Russian Underground 2.0 research

paper: the cost of spreading malware to 1,000 computers in the United States had

reportedly fallen from $100-150 in 2011 to as low as $40 by 2015.

− Attack Velocity Increasing: The lifespan of 82% of malware is less than an hour,

and 72% of threats surface but once, according to FireEye. This is the result of

inexpensive crypting services available on the dark web that can take pieces of

malware, scan them against all available signature-based detection agents, and

iteratively perform custom encryption routines until the malicious nature of the code

becomes all-but undetectable. This state is known on the dark-web as fully un-

detectable, or FUD for short, ironic given the fear, uncertainty, and doubt (FUD)

marketing tactics employed by so many in the security industry.

We think a greater payoff combined with diminishing barriers to entry and increasing

velocity explains the efficacy of cyber defenses being outpaced by volume and

sophistication and volume of attackers. It seems clear, both from a logical and anecdotal

standpoint, that pernicious attacks that attract substantial publicity are likely to act to

increase budgets. We believe that as long as the problem set outpaces the solution set,

the aggregate market will remain in growth mode. For more information on hacking,

hackers, and cyber threats, please refer to Appendix III, ‘Who are those guys?’

Figure 50: Anecdotal Evidence Suggests Attacks

Such as Wannacry Positively Affect Security Budgets

Figure 51: Barriers to Entry Diminishing—Cost per

Malware Click Through Is Decreasing

Source: Linkedin.com. Source: Trend Micro, Credit Suisse Research.

0

50

100

150

200

250

300

2011 2012 2013 2014 2015

$150

$100

$250

$100

$120

$200

$150

$90

$100

$40

5 September 2017

Cybersecurity 29

Figure 52: Software SoundBytes Regarding Cybercrime


■ Landscape Is Changing

The conventional approach to network security has been to build a tall, thick wall around

the corporate network, in which sat the corporation’s valuable data. Currently, virtually

every enterprise defense begins with this strong first line; the walls have been built high

with on-premise bricks of NGFW, SWG, and IPS. This IT architectural paradigm had a

defined attack surface (the sum of attack vectors), which generally could be understood

and defended.

As workloads are moved into the cloud, the corporate network inverts and becomes hard

to define. The growing reliance on cloud services should be an area of substantial concern

for enterprises, as ultimately it results in a rapidly expanding attack surface.

− Attack Surface Expanding: Cybersecurity Ventures forecasts the cyber-attack

surface will grow an order of magnitude larger through 2021. (See here.) As

workloads move to the public cloud, data are stored outside the enterprise

datacenter; as mobile devices and remote working proliferate, the centrality of the

corporate network decreases. Ultimately, the attack surface expands, presenting a

greater space in which adversaries can maneuver.

− Information Asymmetry: Securing the environment must be predicated on an

understanding of the environment. Thus it is of concern that Symantec found the

average organization is using ~900 cloud applications (up 10% y/y) but the average

CIO believes their organization uses between 30 and 40. The information

asymmetry of shadow IT results in unknown unknowns makes accurate risk

assessment challenging and reduces the purview of the information security team.

Software SoundBytesCybercrime

Brad Zelnick

(212) 325 6118

[email protected]

“People are realizing that there is no silver bullet. All these different threat detection

techniques solve some problems, and not others”

“Hackers are getting more strategic, initially they spent the most of their time focusing on large

institutions, now they are industrializing and automating themselves into smaller businesses, and

we are seeing lots of ransomware attacks infecting SMBs.”

“Very basic tactics continue to be used – many attacks aren’t at all sophisticated! All

it takes is basic blocking to prevent 99.9% of attacks.”

“You have an explosive growth in devices that need protecting within the network.

Incidents are increasing – ransomware increased 300% from 2015-2016 with nearly

4k attacks each day…”

“The key is you need to know what is on the network to protect the network. Tanium’s hygiene checks found

the average environment had 12-20% more endpoints than previously known; 5-20% of these had failing or

non-existent endpoint agents, 60% were missing critical patches, and 90% missing at least one patch.”

“Hacking is a multi-billion dollar per year business– its industrialized … they can buy

top of the line stuff”

https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

5 September 2017

Cybersecurity 30

Figure 53: Software SoundBytes Regarding the Move to Cloud

Source: Credit Suisse Research

Software SoundBytesCloud transition

Brad Zelnick

(212) 325 6118

[email protected]

“On the cloud more generally, we don’t see the Fortune 500 decommissioning data

centers. Instead, their adoption of cloud is mostly adding compute rather than displacing

existing workloads.”

“It’s the third time in my career I have seen this shift—first it was mainframe, then ASP, now cloud.”

“No company wants to buy hardware or software anymore. So the majority of companies

predominantly are extremely hesitant to commit to a solution. They are okay with purchasing as an

operational expense—subscription.”

“For us, public cloud is not necessarily a replacement; often it's an addition. So

now what's in question is how the company is managing its data flow.”

“It is not necessarily true that running workload on Amazon is very cheap, for example if

you are running substantial DevOps workloads on Amazon once a day the cost saving is

more a perception.

“The fundamental change has been the mindset, for a very long time people looked at their

infrastructure like: I have these segments in my network, so I need these pieces and then I’m done.

People understand you aren’t set, because of the speed of change; the cycle is much shorter than

typical refresh, so this drives mindset of not buying solutions that will be obsolete in 5 years.”

“Everyone is doing something in the public cloud… In the public cloud you have to build

from bottom up, rather than try to retrofit… Everything is becoming virtualized, think about

software defined networking, software defined data center, et cetera”

“Everyone is using their own data centers and also using AWS … everyone

has a multi-cloud strategy… they have to play AWS off against GCP and

GCP against Azure for pricing reasons.”

“Cloud a few years ago was a VM, some storage, maybe a virtual database, maybe a load

balancer – now look at what the amazon menu looks like – Try taming this tornado!”

'There is no such thing as hybrid cloud – this is something VMware and Dell

and Cisco coined to fool enterprise buyers, most security vendors followed

their tune and 'cloudwashed' their solutions.”

“Our experience over last few years with our very largest customers (large financials, media

customers etc) is that they all have multicloud strategies – some say it’s to prevent lock-in: having

already been burned once by Oracle they are fearful of being tied to one vendor. That’s one

justification, but oftentimes people also want to hedge their bets when figuring out which vendor is

best suited for certain use-cases, for certain apps AWS is best, for others, where there are machine

learning objectives for example, GCP provides great out-of-box functionality.”

5 September 2017

Cybersecurity 31

Securing the Cloud The Cloud Holds Great Promise, and Great Security Risk

Traditional methods of IT delivery are internally oriented. (Applications run on an internal

datacenter and are accessed by a demarcated sedentary workforce.) The nature of this

architecture lends itself to a walled garden defense; build tall strong walls at the perimeter

and defend those walls carefully.

Figure 54: Traditional Methods of IT Delivery Have an Easily Identifiable, and

Therefore Defensible, Perimeter


The traditional IT architecture visualized above is rapidly giving way to cloud-oriented

distributed computing. Workloads are moving from defined processes executed within the

on-premise datacenter to transient and abstracted virtual activities; there is less ownership,

less visibility, and ultimately less control. However, the benefits are manifold; as we

discuss in our Industry piece (Software: Buy Aggregation, Avoid Aggravation), we expect

cloud adoption is likely to remain rapid, perhaps even surprising us by the speed at which

the enterprise transitions.

Gartner forecasts that 25% of corporate data traffic will bypass the corporate network

entirely by 2021, enabled primarily by cloud applications and infrastructure, in addition to

greater mobility (off-network work, corporate-owned laptops, branch offices, mobile

devices, etc.).

HQ

Internal

DatacenterInternal

Users

Branch Office Endpoint

Intranet

Internet

https://plus.credit-suisse.com/u/_XHOB2AN-Ytkb

5 September 2017

Cybersecurity 32

The cloud, being by its very nature distributed, starts to dissolve the concept of network

perimeter. The traditional corporate network has a clearly defined, and therefore

defensible, perimeter. As workloads move out of data centers to cloud environments, it

becomes less clear at what point the bounds of the corporate network begin, and where

they end.

Figure 55: The Perimeter Becomes More Difficult to Define in a Hybrid Cloud World


This has not gone entirely unnoticed by CIOs and CISOs. In our recent survey, 63% of

respondents indicated they believed that public cloud environments are less secure than

their internal data centers.

Of the respondents, approximately 64% indicated that they would increase their security

spending as they move workloads to public cloud environments. We imagine some of the

opex and capex cost savings associated with the public cloud transition would shift toward

IT security budget.

HQ

Internal

DatacenterInternal

Users

Branch Office Endpoint

Internet

IaaS

PaaS

SaaS

5 September 2017

Cybersecurity 33

Figure 56: 63% of Respondents

Consider Public Cloud Environments

Less Secure than Internal Data-Centers

Figure 57: 64% of Respondents

Expect to Increase Their IT Spending

as Workloads Move to the Cloud

Do you consider public cloud environments as more secure than your internal data centers?

Do you expect to increase your IT Security spending if you move workloads to a public cloud?

Source: Credit Suisse CIO/CISO Survey. Source: Credit Suisse CIO/CISO Survey.

Our survey's findings are corroborated by Gartner, which found in its 2015-16 Security and

Risk survey that security in the cloud occupies pole positions in terms of both mind and

wallet share.

Figure 58: Cloud Security Holds Both Mind-Share and Wallet-Share with Enterprise Customers

Source: Gartner Security and Risk Management Summit, June 2016, “Top Take-Aways: 2015-2016 Security and Risk Surveys “, Khushbu Prata.

Yes37%

No63%

Yes64%

No36%

Invest

Interest

5 September 2017

Cybersecurity 34

Figure 59: Software SoundBytes Regarding Security in the Cloud


Software SoundBytesSecurity in the Cloud

Brad Zelnick

(212) 325 6118

[email protected]

“2-years ago we saw 90-95% physical appliances, today adoption of virtual appliances

in small and medium sized enterprises is as much as 30-35%”

“Typically when talking about total client security in the cloud, there are a number of security

exposures that you either don’t know exist, or don’t need to worry about on premise, and vice versa.“

“The paradigm is breaking, resources can be spun up and then down again before the

firewall is even up and running in the cloud.”

“I believe there will continue to be a place for firewalls in security architecture, but

the definition of Next Generation Firewall will have to evolve to include

microsegmentation, with capabilities from companies like Illumio and vArmour.”

“The world is moving to ‘infrastructure as code’, and I don’t believe there is a need for

Firewall or Next-Generation Firewall going forward.”

“Identity is key to security. It’s important because it drives security policy… don’t believe

that Microsoft will ever cede its position in identity.”

“I believe everything moves to cloud, and believe in Google’s BeyondCorp security model.”

“Like for like units are less expensive when consumed virtually … Even so, the cost of firewall vs

infrastructure on smaller deployments can sometimes be a multiple of infrastructure. This is highly

dependent on what workloads you are running, and where you are running them”

“We generally recommend extending the same security controls [customers] have in

place, but they’re not always fully comprehensive, so we also push for next

generation solutions to fill the holes. The most common solution here is CASB.”

“There is volatility in the consumption model … some of our customers don’t think that they

need as much security on their premise”

“Amazon works on a shared responsibility model: It takes control of the infrastructure from the

Hypervisor down; everything up is customer’s responsibility. If you are ever compromised in an

Amazon environment, you can’t hold Amazon accountable, but should anything go wrong that is

Amazon’s fault then they aren’t allowed to sue at all. They have a Teflon view of putting legality

around security. They will work with and certify third party security that can be brought into the

Amazon world but only hypervisor up.”

“What I like about public cloud is that workloads don’t need application protection. Plus

the inbuilt firewalls provided by Azure and AWS are good enough for most people”

5 September 2017

Cybersecurity 35

Spend Unlikely to Continue to Coalesce Around the Network

The question naturally becomes, where does this expanded budget manifest itself? Many

expect it to remain coalesced around the network and that firewall will remain an integral

part of the security stack. However, we believe that agile IT requires a new agile security

approach and that a reallocation of spend away from the perimeter is likely.

Figure 60: Spend Has Historically Coalesced Around the Perimeter, as Reflected

by the Cumulative Market Capitalization of the Three Key Firewall Vendors

Cumulative Market Capitalization over time

Source: Thomson Reuters Datastream, Credit Suisse estimates.

As enterprise data centers shift from rigid structures, with clearly defined perimeters and

boundaries, to become perimeter-less and software-defined, we believe traditional security

fails to address the agility, elasticity, and dynamism implicit to the cloud paradigm.

If you can deliver an application and run it in five minutes, you need to have the same

flexibility with the security surrounding the application; you can’t wait for the InfoSec team

to write custom rules and deploy a firewall.

Netflix, for example, spins up 4,000-5,000 new servers every Friday night. We believe it

has to be able to protect these workloads in an agile fashion that seamlessly scales and is

priced in the same way as it buys its compute: on-demand. In this environment, we

struggle to see how appliances maintain their historical relevance.

In addition, as Gary Newe, F5’s director of systems engineering, has pointed out, there is

a blatant mismatch between the destination of security spend and the real world attack

vector.

“Ninety percent of security budget is focused on the network perimeter, although only 25

percent of the attacks are focused on that point in the network.”

- Gary Newe, F5’s director of systems engineering

Agile Compute Demands Agile Security

In our view, the new security paradigm should mirror the new cloud computing paradigm in

that it is (1) on-demand, (2) borderless, (3) without hardware, (4) consumption model

pricing, and (5) scalable.

Traditional hardware approaches to security (appliances) fail on each of the above

accounts. Appliances require capacity planning, aren’t on-demand or scalable, are

predicated on rigid hardware, and assume the existence of defined borders.

We think a sub-set of innovative vendors stand to benefit; as enterprises shift from

physical to virtual IT, whether public or hybrid cloud, the priorities become scalability,

$0bn

$10bn

$20bn

$30bn

$40bn

1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016

Palo Alto Networks Fortinet Check Point

5 September 2017

Cybersecurity 36

managing who is granted entry in, and dynamically protecting workloads. Ultimately, there

is a need to secure applications and data and consumers of them, regardless of where

either resides. Security sub-sectors we expect will remain relevant include:

■ Security as a Service: We believe cloud-based security offerings that enforce policy

as an intermediary between the enterprise and the Internet via points-of-presence in

the network edge offer great promise to expand their capabilities to offer the entire

security stack as a service. Representative vendors include Zscaler, Cato Networks,

Akamai, and CloudFlare.

■ Cloud Workload Protection Platforms (CWPP): Recognizing that server workloads

differ fundamentally from end-facing endpoints, CWPPs offer network segmentation,

traffic visibility, configuration and vulnerability measurement, application control, exploit

prevention, and memory protection. Representative innovators include vArmour, Illumio,

Dome9, CloudPassage, and Carbon Black.

■ Identity and Access: Once considered a mature market, we think identity will become

increasingly instrumental and something many emerging cloud security vendors will be

wary of taking responsibility for themselves. Representative disruptive vendors include

Okta, CyberArk, SailPoint, BeyondTrust, and Foregerock.

■ Security Analytics: Regardless of paradigm, we believe security data still need to be

collected, stored, and correlated and therefore see security analytics as architecture

agnostic. We are positive on Splunk, having initiated with an Outperform rating and $80

target price, representing 19% upside potential.

■ Application Security: If the programmatic code itself is well constructed without

vulnerabilities, the surface area for attack is greatly reduced. As application workloads

are increasingly transient, it is increasingly important security be embedded within the

apps themselves. We see value in companies such as CA’s Veracode, Qualys, and

WhiteHat Security.

Ultimately, we would argue that should there be a current opportunity to, with a clean

slate, reimagine IT security in what is rapidly becoming a cloud-first world, an

appliance-centric perimeter defense is unlikely to be the conclusion drawn. We therefore

wonder if the $11bn (forecast to rise to $16bn by 2020) Network Security market is ripe for

displacement.

Beware Disaggregation

We are concerned by the risk of disaggregation faced by legacy vendors. (We explain how

this concept underpins our thinking at length in our industry report, Software: Buy

Aggregation, Sell Aggravation.) Given legacy vendors’ business models are grounded in

the premise of box sale with software attach, we fear the pressures involved in

disaggregating hardware from software will be painful and believe this will be a

deflationary architectural shift.



5 September 2017

Cybersecurity 37

Figure 61: How We Conceptualize the Evolution of IT and Security Architecture

Source: Riverbed, Cato Networks, Zscaler, Credit Suisse Research.

We Think This Transformation Is Yet to Be Clearly Understood by the Market

Our wide-ranging discussions suggest the security implications of the cloud remain to be

fully understood. We generally believe Gartner offers a view into the industry consensus:

'No useful level of consensus exists on what constitutes best practices for cloud security,

and as a result organizations struggle to determine which cloud control processes they

should apply' (G00296116)

Internet

Internet

IaaS

PaaS

SaaS

On-Premise architechure1995-2005

Hybrid Cloudarchitechure2005-2015

Multi-cloud, cloud-first architechure2015- 2025

IaaS

Internet

SaaS

Perimeter Defined Security

Enterprise data is mainly stored in on-premise datacenters

Regional offices are connected

to HQ via hub-and-spokeEast-West traffic tends to

dominate North-South trafficThe workforce is internal, immobile and sedentary

Perimter centric hardware oriented security infrastructure Mostly everything sits behind the corporate firewall

Point Solution Security

Some enterprise data is stored on-premise, some in the cloud

Branches access cloud data via

backhauling to secure networkEast-West traffic and North-South

are equally importantThe workforce is increasingly mobile, there are more endpoints

Hardware and software oriented security infrastructureNetwork perimter less defined as cloud/mobility increasesPoint solutions addresses perimiter breaks for cloud and mobility

Cloud Defined Security

A majority of enterprise data is stored in the cloudRegional offices access enterprise

data via the cloudNorth-South traffic dominates East-

West traffic

The workforce is extremely mobile and multi-device is the norm

Software, rather than appliances, dominate the security infrastructureSecurity as a Service means

security is built into the edge of the network

5 September 2017

Cybersecurity 38

Figure 62: Cloud Spend Is Forecast to Grow Rapidly

Market IT Spend, US$ in billions

Source: I.H.S. Markit, Credit Suisse estimates.

However, as cloud grows as a percentage of forecast IT spend, the forecast for cloud

security spend share of security budget is not forecast to rise as much.



What seems clear, however, is that as the cloud continues to be adopted at an exceptional

rate, the debate about how to ensure security in the cloud will only increase in volume.

Endpoint Renaissance Reflects the Dissolution of the Perimeter

As of a few years ago, the corporate endpoint market has enjoyed a renaissance of sorts.

Very largely the result of cloud and mobile proliferation and the expansion/dissolution of

the network perimeter, endpoint security became more critical, as this is the point at which

the data reside unencrypted and are prone to poor user behavior such as clicking on

malicious links, and corporate data is more so than ever on devices connected to

unprotected networks. In a case of motive meeting opportunity, several disruptors in the

market advanced newer techniques for securing endpoints, seemingly one-upping the

traditional likes of Symantec, McAfee, and Trend Micro.

$28bn$41bn

$61bn

$93bn

$124bn

$163bn

$206bn

$249bn

$286bn

$0

$50

$100

$150

$200

$250

$300

$350

2012 2013 2014 2015 2016 2017 2018 2019 2020

Software as a Service (SaaS)

Platform as a Service (PaaS)

Cloud as a Service (CaaS)

Infrastructure as a Service (IaaS)

7.1%

9.3%

11.8%

14.4%

17.0%

19.2%

6.7%7.8%

8.8%9.8%

10.6% 11.3%

0%

5%

10%

15%

20%

25%

2015 2016 2017 2018 2019 2020



5 September 2017

Cybersecurity 39

Figure 64: Innovators Have Enjoyed Revenue

Growth…

Figure 65:… and Substantial VC Funding on a

Cumulative Basis

Endpoint Security Revenues Aggregate VC investment

Source: IDC, Credit Suisse Research. Source: CBInsights, Credit Suisse Research.

Okta’s Valuation Reflects Market Hunger for Security Disruptors

Okta listed at, and has maintained, an average EV/12m fwd sales multiple of 8x. We think

this market optimism around one of the few listed disruptive security vendors reflects

public market hunger for cybersecurity names away from firewall.

Figure 66: Okta Has Traded at an Average EV/Sales Ratio of 8x Since Listing

Okta, EV/12m fwd Sales, x


Release of Cloud Products from Traditionally On-Prem Vendors

Traditionally on-premise vendors have released a slew of cloud-based products aimed at

the hybrid audience. Examples include BlueCoat, Forcepoint (Websense), and most

recently Palo Alto Networks (GlobalProtect cloud service). We think this is reflective of the

reality of the architectural shift underfoot.

Venture Investment into Cybersecurity

Cyber security venture investments have been buoyant since 2013 with over 4bn USD

expected to be invested this year. The buoyancy shows no sign of abating; 1Q17 was the

highest Q1 on record in dollar terms and the highest quarter ever in terms of deals signed.

0

20

40

60

80

100

120

140

2012 2013 2015 2015 2016

Palo Alto FireEye Carbon Black

0

200

400

600

800

1,000

2011 2013 2015 2017

Tanium MalwareBytes Cylance Crowdstrike

6.0

6.5

7.0

7.5

8.0

8.5

9.0

9.5

10.0

May 2017 Jun 2017 Jul 2017 Aug 2017

Okta, EV/Sales Average, +/- 1stdev

5 September 2017

Cybersecurity 40

Figure 67: $4bn Is Forecast to Be Spent on Financing

Private Cybersecurity Companies This Year

Figure 68: 1Q17 Was the Highest Q1 on Record in

Dollar Terms and Highest Ever in Deals Signed

Cybersecurity Annual Global Financing History Cybersecurity Quarterly Global Financing History

Source: CBinsights, Credit Suisse Research. Source: CBinsights, Credit Suisse Research.

A Number of Scaled Private Companies

There are now a number of scaled private companies in the space that have received

press attention suggesting intentions to come to market. Should these disruptors become

public, we imagine their messaging during the listing process, and once public, will have

an edifying impact on investors.

5 September 2017

Cybersecurity 41

Figure 69: Software SoundBytes on The Relevance of Network Security


Software SoundBytesRelevance of Network Security

Brad Zelnick

(212) 325 6118

[email protected]

“We see security spend leaking into different areas. For example, NGFW had good growth

last year, but dropped off from 30-35% to the low 20s this year. The Next Generation

Firewall is no longer a key priority, and is becoming somewhat of a commodity.”

“Currently you still need a firewall for compliance reasons… Regulators are typically 5-7 years

behind what is going on – they all say there should be a firewall - therefore firewalls are still a driver

of spend, but the utility of them will reduce, it’s just the capacity conversation that will continue.”

“How you look at internal traffic is just as important as your edge traffic – for example

some may have Fortinet for edge but use Palo Alto Networks for internal.”

“I really don’t think the Fortinets, Palo’s etc will be the key winners: Our customers

struggle with buying security in a utility model or consumption model, their security guys

don’t do well in hourly usage models”

“Is there an existing brownfield opportunity to rip out an old firewall and put in a next

generation one? No that is very unlikely”

“I think pricing pressure could increase, we are seeing longer refresh cycles and

pricing pressure in this refresh, primarily resulting from competition”

“The hardware/software refresh cycle will diminish overtime but it will still be around.”

“Azure/AWS [security] is good enough for some of our customers.”

“What I like about public cloud is that workloads don’t need application protection. Plus the inbuilt

firewalls provided by Azure and AWS are good for most people”

“The downside risks to industry forecasts are competitive pressure, the extending refresh

cycle, transitioning to hourly consumption models and workloads increasingly being

protected by ‘good enough’ offerings from AWS/Azure.”

“The key areas to look at to talk about are analytics and endpoint, I have seen a clear

shift away from the pure play network security conversation”

“We will never not need some degree of network capabilities … the network will become the

Achilles heel to the enterprise, you still need to make sure your network is secure in a cloud world”

“We definitely think identity and encryption are higher priority than pure firewall – more of

our workloads in the cloud are transactional and don’t have same user component“

5 September 2017

Cybersecurity 42

Specific Challenges

The specific challenges faced from a security architecture standpoint depend on the type

of cloud strategy employed by the firm:

Hybrid Cloud – Combining Physical and Cloud Data-Centers

If an organization pursues a hybrid cloud strategy in which a portion of workloads will be

run on premise and a portion in the cloud, there is a need to connect the physical

hardware to cloud data-center. Two main architectural options exist:

Figure 70: Hybrid Cloud Adoption Is Significant According to Gartner

Source: Gartner, March 2016, n=1037.

(1) Connecting a physical firewall (open IPSEC VPN connection) to a native cloud

gateway (you VPN from your own premise to the cloud). This causes issues when

you have datacenters in multiple locations; you need to manage multiple policies,

and the on-premise firewall was not designed ground up to do this.

(2) Another option is to run a physical firewall on premise and then run the same

instance virtually in the cloud, connecting a VPN tunnel between the two. Most

vendors (Palo, CHKP, and FTNT) allow you to run this (but it's expensive, as you

need to pay for the firewall on premise and the firewall in the cloud. Again, these

firewalls weren't designed to run in this environment.

There is also the challenge of unpredictable Internet routing; if your physical datacenter is

in the United States and it needs to connect to an AWS datacenter in Europe, substantial

latency can be introduced.

Figure 71: There Is a Connectivity Trade-off in Datacenter to Cloud Connectivity

Source: Credit Suisse Research

36%40%

16%

7%

1%

Yes, using since2015 or earlier

Plan to be using byyear-end 2015

Plan to be using byyear-end 2017

No plans to use Don't know

5 September 2017

Cybersecurity 43

Multi-Cloud: Connecting One Cloud Datacenter to Another

Enterprises engaged in a multi-cloud strategy are presented with the challenge of securely

connecting different vendors to each other or datacenters hosted by the same vendor in

different regions.

You can think about multi-cloud as connecting two data centers from one cloud provider

across regions or as connecting two datacenters hosted by separate cloud vendors.

Neither is simple, the built-in management to the cloud instances isn't intuitive,

cross-region VPC peering isn't supported, and the VPN mesh configuration is difficult.

Even more complex is the true-multicloud environment, connecting cloud to cloud among

multiple vendors. Here there are multiple policies to manage, fragmented point solutions

from the native cloud tools, and a lack of consolidated visibility.

Figure 72: Connecting Cloud Data-Centers Figure 73: Connecting Different Cloud Vendors

Source: Cato Networks, Credit Suisse estimates. Source: Cato Networks, Credit Suisse estimates.

Connecting Branch Offices and Mobile Users to the Cloud

Another challenge, particularly for multinational corporations, is securely enabling branch

office connectivity. Trombone routing, in which the remote user, no matter their global

location, needs to VPN into the corporate network to access the Internet through the

organization's on-premise firewall.

Naturally a solution enabling direct access is highly preferable, and an increasing number

of vendors offer cloud-based services that act as an intermediary to enable secure

connectivity with reduced latency for the user and fewer potential choke points in the

security stack.

5 September 2017

Cybersecurity 44

Figure 74: Software SoundBytes regarding The Future of Security


The Last Transition in the Stack…

Thinking about enterprise IT architecture simply in terms of storage/compute, applications,

and perimeter, it's clear the traditional stack has been disrupted by AWS and other cloud

vendors and that the large applications vendors have been somewhat displaced by SaaS

offerings (Siebel to Salesforce). Without mincing words, it appears as if it’s the perimeter's

turn next.

Software SoundBytesThe Future of Security

Brad Zelnick

(212) 325 6118

[email protected]

“AMZN offers you a free of charge virtual networking –firewalling is built into this network.

Azure and Google also copied thesame concept.”

“Over the next 7-10 years traditional firewalls will cease to exist. If you can embed security around

workloads you don't need a firewall, there will be no more refresh cycles.”

“All cloud providers offer security functionality - but it’s not ready for enterprise

consumption.”

“The old world security model is to build castle, put guards on battlements, and dig moats. The New

world security model is to place bodyguards around critical workloads. Then have the solution scale

with workloads (add more bodyguards) and in the same way as body guards travel with the president,

have security follow the workload across physical, virtual, cloud and container environments”

“We had a well-defined market in terms of endpoint, network and cloud, these now

seem to be merging.”

“You need to spend about 10-15% of total cloud spend on security”

“Datacenters need to be segmented like a nuclear submarine. You need to be very careful

to segment nuclear warheads, and ensure they are separated from your bedroom. Equally

your toilet easily accessible from your bedroom, but not from your kitchen.”

5 September 2017

Cybersecurity 45

Figure 75: Security Moving into the Edge of the Network

Source: Cloudflare, Credit Suisse Research.

Netw

ork E

dg

eA

pp

lication

sS

tore/C

om

pu

te

Hardware/Software - Capex Services/Cloud - Opex

5 September 2017

Cybersecurity 46

Firewall—The Security Mainframe?

We Do Not View the Network Security Market as Growth

While our outlook for network security is less sanguine than the consensus view, we

believe that, like the mainframe, it is a platform that has durability and will be around for

years if not decades to come.

We appreciate the analogy has its limitations, but the thrust of our argument is that

firewalls are reliable workhorses and can be good businesses but are of declining

relevance as they become supplanted by other techniques and technologies. Bottom line,

we do not see the network security market en masse as a growth industry.

This is much the way the mainframe has been around for decades, is largely mature yet

very sticky, and today is a flat to declining business. There is cyclicality to both

mainframes and firewalls (product cycles and refresh cycles), and today the mainframe is

acknowledged to be a flat-to-declining business although with strong margins and

customer lifetime value.

Figure 76: CA's Mainframe Business Has Been in Decline, but Operating

Margins Remain Strong

CA Mainframe Solutions Segment, quarterly

Source: CA, Credit Software Research.

To be clear, we are comparing the future of firewalls (inclusive of UTM, NGFW, etc.) to

IBM’s System z mainframe business from the post dot.com era until today when it has

seen compounded annualized mid-single-digit losses (adjusted for cyclicality). To be clear,

we do not see this as the fate of firewalls in the near or even medium term but also

appreciate the firewall has been in existence for about 25 years vs. the mainframe, which

has been around for over 50 years.

0%

20%

40%

60%

80%

100%

0

100

200

300

400

500

600

700

2010 2011 2012 2013 2014 2015 2016

Expenses Operating Profit Operating Margin

5 September 2017

Cybersecurity 47

Figure 77: IBM z Systems Revenue Has Been in Decline for Two Decades

Source: IBM, Credit Suisse Hardware Research.

We further qualify our analogy to distinguish the firewall market from the mainframes of the

early 1990s when the category faced intense competition from distributed client/server

challengers and companies such as Compaq, Dell and, HPQ benefited greatly. While we

don’t foresee a similar precipitous decline in mainframe, we acknowledge this as

illustrative of what it can mean for being on the wrong side of a technology paradigm shift.

Is the shift to public cloud comparable to the adoption of distributed computing in the early

1990s? It’s a fair debate with compelling arguments on both sides.

Figure 78: IBM z Systems Revenues in the 1990s Illustrate the Ferociousness of

Being on the Wrong Side of a Paradigm Shift in the Technology Industry

Source: IBM, Credit Suisse Research.

Rather than take a firm stand, we instead acknowledge that IBM still exists today, and

while perhaps not a compelling investment in recent years, the company has stood the

test of time and has diversified very well away from the mainframe since the early 90s.

Many decades ago, the mainframe market was served by IBM and the seven dwarfs,

which included names such as Burroughs, Amdahl, and Honeywell. The only one left

standing is IBM, and while the revenue line for the mainframe might appear frightening,

the overall company diversified to drive growth, pretax income, and shareholder value

quite nicely from 1990 to 2015. The point being is that we expect companies such as

Check Point, Palo Alto, and Fortinet to evolve beyond what currently represents a very

high concentration of revenue for each. In fact they are all already moving in that direction,

but in our view, perhaps not quickly enough.

$3.1bn

$3.9bn

$3.9bn

$4.4bn

$3.6bn

$3.2bn

$3.6bn

$2.9bn

$4.1bn

$2.9bn

$3.3bn

$2.3bn$2.6bn $2.5bn

$2.7bn

$2.3bn

$1.8bn

$2.3bn

$1.7bn

$1.6bn1,000

1,500

2,000

2,500

3,000

3,500

4,000

4,500

5,000

1998 2000 2002 2004 2006 2008 2010 2012 2014 2016

System z mainframe revenue

0

2,000

4,000

6,000

8,000

10,000

12,000

14,000

1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000

IBM System z Revenues

5 September 2017

Cybersecurity 48

Figure 79: IBM Has Not Been an Attractive

Investment Relative Technology as a Whole Figure 80: IBM Relative to the S&P 500 IT

IBM = absolute, S&P = rebased to IBM at 01/01/1990 in millions, unless otherwise stated

Source: Thomson Reuters Datastream, Credit Suisse Research. Source: Thomson Reuters Datastream, Credit Suisse Research.

0

50

100

150

200

250

300

350

400

1990 1993 1996 1999 2002 2005 2008 2011 2014 2017

IBM S&P 500 Information Technology S&P 500

0

20

40

60

80

100

120

140

1990 1993 1996 1999 2002 2005 2008 2011 2014 2017

IBM relative S&P 500 InformationTechnology

5 September 2017

Cybersecurity 49

Sector Thesis

Other NGFW Tailwinds to Slow In addition to the overarching architectural challenges we believe face the firewall industry

as the world transitions to cloud, we consider five further meaningful headwinds to the

category:

■ Competition Is Set to Reaccelerate: A long-running theme has been easy

competitive wins for new entrants versus legacy competitors. Now that Juniper has no

share left to give, Cisco is getting its act together, and product parity is upon us, we

expect competition to meaningfully intensify.

Figure 81: Juniper Has Little Share Left to Donate Figure 82: Cisco Is Growing Security Rapidly

4Q rolling sum as share of total UTM and Firewall market Cisco Firewall & UTM y/y, quarterly, %


■ Changing Dynamics in the Cloud: Cloud transitions mean short-term revenue

headwinds that hold value for investors in terms of greater Customer Lifetime Value

(CLTV). We are concerned network security investors are unprepared for a revenue

headwind, and moreover, we expect this transition to be deflationary. While transitions

that consolidate adjacencies can be price accretive, we worry that virtualizing firewall

disaggregates adjacencies and expect price pressure in the transition to a metered

model (greater price transparency, opportunity for better capacity utilization, and

lowered switching costs).

Figure 83: Virtualizing Firewall Disaggregates the

Combined Hardware/Software Model

Figure 84: Consuming firewall either by subscription

or on-demand reduces excess capacity

Traditional revenue model (not to scale, for illustrative purposes only) Conceptual traffic patterns and savings, for illustrative purposes only

Source: Credit Suisse Research Source: Credit Suisse Research

0%

10%

20%

30%

40%

50%

60%

70%

80%

2002 2004 2006 2008 2010 2012 2014 2016

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper 23%

-40%

-20%

0%

20%

40%

60%

2003 2005 2007 2009 2011 2013 2015 2017

2 3 4 51

Maintenance/support

Subscription

Year

Hardware

portion

of product

Up

-fro

nt

pro

du

ct

co

st

Jan Jan Mar Apr



5 September 2017

Cybersecurity 50

■ TAM Expansion Is Finite: The revenue preservation strategy of platforming is limited

by what remains to be consolidated onto the next-generation firewall and the ceiling for

consolidated product demand. We believe years of easy consolidation are likely at an

end and, therefore, so are the vendor benefits of feature consolidation: (1) TAM

expansion, (2) attach tailwind, (3) unit gravity. In addition, the relative scale of whatever

might be consolidated is much smaller than in the past due to the overall TAM having

already become significantly larger.

Figure 85: Many Point Solutions Have Already Been

Consolidated onto NGFW

Figure 86: UTM/NGFW already Accounts for in

Excess of 50% of the Security Appliance Market


Security appliance market share by revenues


■ SSL Decryption Is Not the Tailwind People Anticipate: Enterprises have been

upsizing to appliances with higher throughput in order to decrypt rising levels of SSL

encrypted traffic. We expect this tailwind to taper as the rate of increase in encrypted

traffic decelerates. Furthermore, we expect an increasing amount of decryption to be

done off-box by visibility appliances available from the likes of Gigamon and

Metronome (now Symantec).

Figure 87: Around 75% of browsing time is spent on

SSL encrypted sites on Chrome

Figure 88: The Majority of Traffic Occurs Within the

Same Datacenter and Doesn't Require Encryption

Chrome browsing patterns Traffic distribution

Source: Google, Credit Suisse estimates. Source: Cisco VNI, Credit Suisse estimates.

■ Shifting Spend from Protection to Detection and Response: As enterprises have

been conditioned to accept the inevitability of breaches despite investment in

protection, there has been a shift in security budgets to detection and remediation

capabilities. We expect that this shift continues and will be a disproportionate

headwind for network security players despite many having elements of detection and

response in their portfolios.

Number of features

consolidated

Time

Core

Firewall

Core

Firewall

& VPN

Core

Firewall

& VPN

& WAF

Core

Firewall

& VPN

& WAF

& IDP

Core Firewall

& VPN

& WAF

& IDP

& AV

& DLP

Unified Threat Management (includes Next

Generation Firewall)

VPN

Content Management

IPS

Firewall

52%

16%

12%

18%

70%73%

75%78%

81%83%

45% 46%

54%57%

60%57%

66%68%

71% 70%74%

30%

40%

50%

60%

70%

80%

90%




Data center to user


Within data center

14%

9%

77%

5 September 2017

Cybersecurity 51

Figure 89: Enterprise Security Spend Shifting

Rapidly to Detection & Response

Figure 90: EDR Market Forecast to Grow ~17x the

EPP Market


Endpoint Detection and Response (EDR) market vs Endpoint Protection Market (EPP)

Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research. Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research.

10%13%

18%23%

30%

39%

50%

60%

0%

10%

20%

30%

40%

50%

60%

70%

2013 2014 2015 2016 2017 2018 2019 2020

2013-2020 CAGR = 29.2%

3,166 3,249 3,333 3,420 3,509 3,600

238 640 797 9931,236

1,540

0

1,000

2,000

3,000

4,000

5,000

6,000

2015 2016 2017 2018 2019 2020

EPP

EDR

5 September 2017

Cybersecurity 52

Competition to Reaccelerate

Cisco Is Getting Its Act Together, and Juniper Has No Share Left to Give

When thinking about competition in the firewall space, five key players hold the largest

revenue share of combined Firewall and Unified Threat Management (our preferred

method of considering the market).

Check Point, Cisco, Palo Alto Networks, Fortinet, and Juniper together share

approximately two-thirds of the market and are also (with the exception of Juniper)

considered highly in Gartner's Enterprise Network Firewall Magic Quadrant.

Figure 91: CHKP, CSCO, PANW, FTNT, and JNPR

Share Around Two-Thirds of the Market…

Figure 92: … and Occupy Prime Positions in

Gartner's Enterprise Network Firewall

Firewall and UTM Revenue by Vendor 2015 Red arrows indicate directional 2y momentum

Source: IDC, Credit Suisse estimates. Source: Gartner, Credit Suisse Research.

Cisco and Juniper have ceded share to the market over the past several years. This trend

has been a clear tailwind for FTNT and PANW, which have benefited from easy

competitive wins upon refresh against uncompetitive product offerings. While Check

Point's market share has remained remarkably stable through this period, industry

commentary suggests it has likely lost some of its installed base to PANW, which seems

to have been made up for by winning old JNPR and CSCO business.

Using the annual position on Gartner's magic quadrant as a proxy for product quality

momentum, it seems market share trends have been driven, at least to some extent, by

product differentiation. From first inclusion in the magic quadrant as a visionary in 2010,

PANW has seen significant upward momentum, leading the quadrant on completeness of

vision each year to 2015 (when it was overtaken by CHKP). Interestingly, there has been

some downward momentum, notably from 2016 to 2017.

Through the same time period, JNPR has slipped from best to worst among the five, and

CSCO suffered significant negative momentum before ticking up this year (in-line with our

thesis). FTNT has seen positive momentum to be recognized as a leader this year, and

CHKP is the only vendor to have maintained a leadership position each year since the

Magic Quadrant was first introduced over a decade ago in 2006.

Check Point

Cisco

Palo Alto Networks

Fortinet

Juniper

Sophos

Dell

Huawei2%

WatchGuard2%

Leadsec2%

Other

18%

16%

14%11%

5%

4%

4%

22%

Worldwide Firewall and UTM Revenue

$7.6bn

5 September 2017

Cybersecurity 53

Figure 93: Of the Major Players, Cisco and Juniper Have Been Share Donors to

Check Point, Fortinet, and Most Noticeably Palo Alto Networks

4Q rolling sum as share of total UTM and Firewall market

Source: IDC, Credit Suisse Research.

Figure 94: Product Quality Has Tracked Share

Transitions, with PANW Gaining MQ Momentum as

JNPR and CSCO's Dwindled

Figure 95: CHKP Is the Only Vendor to Have

Maintained a Leadership Position, While FTNT Has

Enjoyed Increasing MQ Momentum

Estimated based on 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Magic Quadrants


Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research

0%

10%

20%

30%

40%

50%

60%

70%

80%

2002 2004 2006 2008 2010 2012 2014 2016

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper

Cisco

Juniper

Palo Alto

Check Point

Fortinet

5 September 2017

Cybersecurity 54

We think this tailwind for PANW, FTNT and CHKP is set to significantly slow for the

following key reasons: (1) Juniper has no NetScreen share left to give, and its SRX line is

now competitive; (2) Cisco is getting its act together in its security portfolio; and (3) we

think the market is at product parity, meaning pricing may have to come down.

(1) Juniper Has No NetScreen Share Left to Give, and SRX Is Competitive

Juniper bought NetScreen for $4bn in stock in 2004. Founded by Ken Xie in 1996,

NetScreen was the original (and then only) vendor of high throughput ASIC-based

appliances. Mr. Xie left the company in 2000 to found ASIC-based competitor Fortinet.

Under the stewardship of Juniper, underinvestment in R&D and lack of strategic direction

resulted in multiple quarters of revenue declines in a growing industry, resulting in

substantial market share loss.

Figure 96: Juniper's Security Business Has

Declined over 50% from Its Peak in Revenue Terms

Figure 97: … and If We Look at Cumulative Share, It

Appears There Is Little Left for Juniper to Donate

Revenue, 4Q rolling sum, $m Cumulative share, 4Q rolling sum, %


NetScreen specifically has seen precipitous declines; after reaching a peak share of 7%

market in late 2008, Netscreen now accounts for only 0.07% of combined Firewall and

UTM sales.

Figure 98: Netscreen Revenue Has Fallen

Precipitously from Its 2010 Peak…

Figure 99: … Driven by Sustained Periods of -50%

Growth, Reflecting the Refresh Dynamic

Revenue, 4Q rolling sum, $m Quarterly revenue growth, y/y, %


0

100

200

300

400

500

600

700

800

2002 2004 2006 2008 2010 2012 2014 2016

VPN UTM IDP Firewall

0%

10%

20%

30%

40%

50%

2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

VPN UTM IDP Firewall

0

20

40

60

80

100

120

140

160

180

200

2004 2006 2008 2010 2012 2014 2016

Netscreen

-60%

-40%

-20%

0%

20%

40%

60%

80%

100%

120%

140%

2004 2006 2008 2010 2012 2014 2016

Netscreen

5 September 2017

Cybersecurity 55

Periods of very significant decline in 2010 and 2013-14 are reflective of how the refresh

dynamic can present an opportunity for competitors, in this case Fortinet and Palo Alto

Networks, to take share during the cycle. As evidenced below, the NetScreen brownfield

opportunity is now much reduced.

Gartner suggests that, despite serving incumbent Juniper infrastructure customers well,

SRX is displaced more often than it enjoys competitive wins (Enterprise Network Firewall

Magic Quadrant 2017). While this suggests SRX is uncompetitive, we don't expect Juniper

to remain a material share donor via SRX in the coming refresh cycle for three reasons:

■ SDSN Message: Juniper's evolving message of Software-Defined Secure Threat

Protection, which aims to integrate security into the network, resonates with us given

our view of shifting sands in best-practice security architecture.

■ Network Clients Are Sticky: Despite a perception that Juniper lags competitors in

innovation and new feature releases, the synergy for some enterprises between

network and security integration should result in some stickiness.

■ Commitment to Security: We think that Juniper appears to be following a Cisco-

esque path in its messaging around the security business. Mather Hurley, VP of Global

Channels, said recently 'Juniper is completely committed to the security business. We

are open to competing again with the industry vendors. We take pride in Juniper's

innovations across networking and security solutions over the years. We have

relaunched a brand new roadmap in the security space, from low end firewalls that

goes right up the stack.' (CSO India, see here.)

Figure 100: Juniper's SDSN Ecosystem

Source: Juniper Networks.

http://www.csoonline.in/news/juniper%E2%80%99s-sdsn-game-changer-security-matt-hurley

5 September 2017

Cybersecurity 56

(2) Cisco Is Getting Its Act Together in Security

Security has been a focal point within Cisco's strategy for the past several years, and we

believe its investments are starting to yield meaningful results.

How Has Cisco Changed Direction in Its Security Business?

David Goeckeler (SVP, GM Networking & Security) said in late February 2017 that he was

charged around five years ago (early 2012) with taking a look at the security business, as

Cisco wanted to 'invest more in this space. [Understand] what's the architecture going to

be? … [and] build out a best-of-breed portfolio.'

Perhaps following Mr. Goeckler's review, it was widely reported in December 2012 that

John Chambers (then CEO) had given Chris Young (then head of security) a blank check

to turn around the security business. This check was written in mid-2013 when Cisco paid

$2.7bn in cash to purchase Sourcefire (a premium of c30% to the pre-announcement

closing price).

Figure 101: Sourcefire Revenue by Product Brand Pre-Acquisition

SourceFire revenue by product brand, 4Q rolling sum, $m


Following this integration, Cisco has focused heavily on a re-alignment of its security

strategy. Messaging and product offerings alike have increasingly focused on moving

security beyond the firewall and questioning the notion of perimeter-based security in a

cloud-first world with a dissolving network edge.

Cisco has positioned itself as the natural security vendor in this world of expanding attack

surface area; by virtue of seeing the network, Cisco arguably has an enhanced ability to

capture holistic information, therefore better understanding where threats exist and

pushing targeted policy to address them back into the infrastructure.

"the network's never been more relevant. I talked about how they're building up their

infrastructure, very distributed in ways. We're managing hundreds of thousands of devices

today, and they have to be ready to manage a million or more by 2020. And I think that,

that is why this automation and analytics capability in the security built into the

network is so important. The third is we continue to have our customers looking for us to

help them really build out the secure intelligent platform that spans across this multi-cloud

environment for their digital business. And I think that our security results, all the number

of new customers embracing the technology, I think, is indicative of how they're buying in

this new architecture.”

– Chuck Robbins, CEO, 16th August 2017

0

40

80

120

160

200

2002 2003 2004 2005 2006 2007 2008 2009 2010

Sourcefire 3D Sensor RNA 3D8000 Series 3D7000 Series IPSx

5 September 2017

Cybersecurity 57

An analysis of CSCO's evolving acquisition strategy gives credence to our view that the

security segment is viewed as strategically significant and that product has pivoted away

from the perimeter toward the cloud.

■ Strategic Significance: Cisco's acquisition history shows cumulative total disclosed

expenditure of $6.8bn across 20 deals in the security segment since 1995. Roughly

80% of the disclosed dollar activity and 43% of the deal activity have been in what we

call the blank check era, speaking to the strategic significance of the segment.

■ Pivot Toward the Cloud: The most recent acquisitions of CASB CloudLock,

OpenDNS with its suite of cloud security products, Lancope with its Stealthwatch

network visibility and enforcement capabilities, and most recently security analytics firm

Observable Networks underline the shifting focus toward Cloud Security at Cisco.

Figure 102: Cisco Has Acquired Heavily in the Cyber Security Space, Especially

During What We Call the Blank Check Era

Source: Crunchbase, Credit Suisse Research.

The increasing depth of Cisco's security offerings is a key part of the strategic roadmap,

and we also believe a tax reform scenario could see major balance sheet unleashed. In a

repatriation environment (assuming 10% repatriation tax) and allowing for tuck-in M&A and

an incremental buyback, as much as $10-20bn may be available for transformative M&A.

Date Name Business Cost ($)

27 Oct 1995 Network Translation Firewall $30

24 Jun 1997 Global Internet Software Group Firewall $40

18 Feb 1998 WheelGroup Intrusion detection $124

12 Mar 2004 Twingo SSL & VPN $5

22 Mar 2004 Riverhead Networks Distributed denial of service $39

21 Oct 2004 Perfigo Network endpoint security $74

20 Dec 2004 Protego Networks Network security $65

27 Feb 2005 Netsift Network security $30

26 May 2005 FineGround Networks Enterprise web security $70

29 Nov 2005 Intellishield Security reporting -

14 Jun 2005 M.I. Secure Corporation VPN $13

06 Jul 2006 Meetinghouse Network access control $44

04 Jan 2007 IronPort Email and web security gateway $830

27 Oct 2009 ScanSafe Malware analysis $183

05 Jan 2010 Rohati Systems Datacenter security -

16 Jul 2012 Virtuata Software security -

20 Nov 2012 Meraki Cloud-based security $1,200

29 Jan 2013 Cognitive security AI for threat detection -

07 Jul 2013 Sourcefire Network security and intrusion detection $2,700

21 May 2014 ThreatGRID Malware analysis -

10 Dec 2014 Neohapsis Security consulting -

13 Apr 2015 Embrane Firewall, VPN, SSL, LB -

30 May 2015 OpenDNS Cloud-delivered enterprise security service $635

30 Sep 2015 Portcullis Enterprise and government security -

15 Oct 2015 Pawaa Integrated file encryption -

27 Oct 2015 Lancope Threat detection and response $453

28 Jun 2016 CloudLock Cloud-Security Provider $293

17 Jul 2017 Observable Networks Network Behavior Monitoring -

Total disclosed $6,827

'Blank Check' era total disclosed $5,281

5 September 2017

Cybersecurity 58

Figure 103: Cisco Has Among the

Highest Absolute Levels of Offshore

Cash…

Figure 104: …and Offshore Cash as a

Percent of Market Cap Is Among the

Highest Too

Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse Research.

Cisco Firewall Offering

Specifically in Firewall, Cisco now has three key product lines: the Cisco Firepower NGFW

that includes all new releases, the older ASA (Adaptive Security Appliance), and the

Meraki range for SMBs. In sum, these appliances account for around two-thirds (c.$1.2bn

LTM revenue) of Cisco's security revenue on IDC data.

Figure 105: Firewall and UTM Appliance Sales Stood

at $320m Last Quarter, a c.$1.3bn Run Rate

Figure 106: Firewall and UTM Constitute 65% of

Cisco's Security Business's Revenues

Cisco Firewall & UTM quarterly revenues Cisco revenue, 4Q rolling sum, $m

Source: IDC, Credit Suisse Research. Source: Company data, Credit Suisse estimates.

We also see Cisco expanding its offerings and moving toward software and cloud-based

solutions, as it continues to do tuck-in acquisitions in the space (such as the recently

completed acquisition of Observable Networks).

Investment on the Brink of Payback

We think there are multiple signs to suggest that Cisco's five-year investment in its security

business is on the cusp of paying dividends.

■ Better Product: Cisco has enjoyed excellent momentum toward the leader's quadrant

on Gartner's Enterprise Network Firewall magic quadrant over the past five years. We

think this reflects genuine product improvement and note other corroborative data

points; for example, Cisco stated it has successfully reduced time to detection from 46

hours two years ago to 8.5 this year. We think this measure of how long does it take to

find a threat actor who got past all other defenses is increasingly important in the

context of mandated reporting periods enforced by regulation such as GDPR.

0

50

100

150

200

250

AA

PL

MS

FT

CS

CO

OR

CL

GO

OG

L

QC

OM

INT

C

AM

ZN

HP

E

IBM

HP

Q

NT

AP

0%

10%

20%

30%

40%

NT

AP

CS

CO

QC

OM

AA

PL

OR

CL

HP

E

MS

FT

HP

Q

GO

OG

L

INT

C

IBM

AM

ZN

0

50

100

150

200

250

300

350

2002 2004 2006 2008 2010 2012 2014 20160

200

400

600

800

1,000

1,200

1,400

1,600

1,800

2,000

2002 2004 2006 2008 2010 2012 2014 2016

UTM

Firewall

IDPVPN

5 September 2017

Cybersecurity 59

Figure 107: Cisco Has Seen Momentum Toward the Leaders Quadrant


■ Growth & Share Gain: Cisco has achieved two quarters of >20% growth. This growth

has been sufficiently in excess of the market that Cisco has regained 3.2p.p. of market

share relative to 1Q16. Over the past 15 years, we have observed only four instances

in which Cisco has grown its security offerings at this pace, with the last time being

over five years ago in 2012.

■ Channel Momentum: Our field conversations corroborate that Cisco's product

offerings are increasingly successful in competitive situations. In addition, Gartner sees

Cisco firewalls on an increasing number of shortlists, and sees continued momentum

for the Cisco Security Enterprise License Agreement (ELA). While a security or

collaboration ELA has been traditionally offered, consolidating these silos (security,

network infrastructure, computing and storage, and collaboration and video

conferencing) in a single ELA was first introduced in May 2017.

5 September 2017

Cybersecurity 60

Figure 108: Cisco Has Achieved Two Quarters of

>20% Growth in Its Firewall and UTM Segments…

Figure 109: … This Above-Market Growth Has

Resulted in a Tick-up in UTM/Firewall Market Share

Cisco Firewall & UTM y/y, quarterly, % Cisco market share, Firewall and UTM, %


Ultimately, we think that Cisco's five-year investment in its security product suite is likely to

be a driver of increased competition in the network security market for the foreseeable

future.

This view appears to be shared (and relished) by management at Cisco; David Ulevitch

(SVP/GM of Cisco's Security Business, previously CEO of OpenDNS) has remarked on

the record that he views the refresh cycle referenced by Fortinet and Palo Alto Networks

as a clear opportunity for Cisco:

'…We think that their [PANW’s] refresh, which is their first refresh at scale that they've

ever gone through, is our refresh opportunity. And so, we're focused on making sure that

our partners and our channel are really able to understand exactly the benefits of the

Cisco's architectural advantage and that where our product portfolio is to be as

extraordinarily competitive as possible. They are squarely in our crosshairs.'

- David Ulevitch, 06/06/2017

23%

-40%

-20%

0%

20%

40%

60%

2007 2009 2011 2013 2015 2017

10%

15%

20%

25%

30%

2007 2009 2011 2013 2015 2017

1Q17 growth saw market share tick up to

2015 levels

5 September 2017

Cybersecurity 61

Figure 110: Software SoundBytes Regarding Cisco

Source: Credit Suisse research.

(3) Product Parity Is Upon Us; Does Price Competition Come Next?

The firewall market is saturated and thus driven by refresh cycles of roughly five years.

This results in linear, as opposed to lumpy, share transitions. We think of the last refresh

cycle as characterized by remarkable share gains from innovators, most notably Palo Alto

Networks. This was very much a result of product differentiation, Palo Alto Network's

highly innovative granular application control in particular enabling a successful land-and-

expand market approach.

Since then, the product offerings of most major vendors have, in our view, converged. Our

field conversations and broader research suggest that Fortinet and Check Point have

caught up with, if not over-taken, Palo Alto.

“We recommend Cisco more than CHKP. They have done a great job with their acquisitions.”

Software SoundBytesCisco competition

Brad Zelnick

(212) 325 6118

[email protected]

“In my opinion a lot of people don’t realize how comprehensive Cisco’s cyber security offering

is—they have threat intelligence, firewall, etc. Cisco recently also announced integration on

almost all of their cyber products together. They can bring in solutions for switching, routing

right through to cyber security. Because it’s Cisco, they can bundle it all together.”

“We think of Check Point as number one, although we have a bigger base in Cisco, we don’t care for

its products – they don’t stack up well to Check Point and Palo Alto, but they remain kind-of-the-turf,

and its their datacenter at the end of the day. Overall we would rank Check Point first, followed by

Palo Alto, then Cisco and Fortinet last.”

“We are selling umbrella, and we are selling SourceFire. But we are doing it not at CHKPs

expense, we haven’t replaced a CHKP. However we have replaced Palo and Fortinet.”

“We never used to have Cisco as part of a true security strategy, now we do and are waiting to see this play

out. I think there will be some serious showdowns between Cisco and Vmware, with VMware partnering up

with Palo Alto. We are seeing it in enterprise accounts, there is a competitive bake off. Lots of companies

want to do network segmentation and use SDN to do that, and then it becomes a security play.”

“Cisco are self-aware on the health of their core business, and think about Security as a big

driver of all of it. At a high level they expect security to be increasingly outsourced, and

solved as a managed service over time, coupled with cyber insurance”

“Cisco gave a 58% discount and 2 years of free SmartNet on a deal worth over 20m dollars”

“Palo Alto are facing their first major product refresh now, and it is an opportunity for Cisco as well”

“Acquisition of SourceFire and open DNS has really changed things. Open DNS has been more

impactful than probably anything else, it is a very hot topic of conversation, they call it an umbrella

now. They also claim that nobody else can do this, I personally don’t believe that, there is rarely a

product that nobody else can imitate. Our Cisco security business has grown substantially.”

5 September 2017

Cybersecurity 62

NSS Labs corroborates our view, and Gartner now believes that, 'in effect, all vendors in

the enterprise firewall market have ... next-generation firewalls (NGFWs); in essence,

there is no longer a next-generation in the firewall market' (Enterprise Network Firewall

Magic Quadrant 2017, Gartner).

Figure 111: NSS Labs Next-Generation Firewall Security Value Map

Source: NSS Labs.

In terms of consolidated feature capabilities, there is also parity among the major vendors.

Figure 112: In Terms of Consolidated Features, There Appears to Be Parity

Among the Major Vendors

Source: Anitian, Credit Suisse Research.

We agree with David Goeckeler (Cisco SVP/GM Networking and Security) that IT security

is going to always remain a market driven by innovation due to the active nature of the

adversary. However, we struggle to imagine the next generation of security innovation to

be firewall, or even appliance focused. Should competition continue to increase, and

product parity endure, the natural conclusion is increased potential for commoditization

and price pressure.

FW VPN IPS AV WF App Email DLP

Checkpoint a a a a a a a aCisco a a a a a a a aFortinet a a a a a a a aJuniper a a a a a a a ✕

Palo Alto a a a a a a ✕ aSonicwall a a a a a a a aWatchguard a a a a a a a a

ProductFeature

5 September 2017

Cybersecurity 63

Figure 113: Software SoundBytes Regarding Product Parity


Software SoundBytesProduct Parity

Brad Zelnick

(212) 325 6118

[email protected]

“It’s all getting commoditized, now it’s all about SLAs… I don't care whose

labels are at my perimeter”

“It used to be that 'my tools are better than yours' and this would drive the competitive process, now the product

is commoditized and so we are reaching a place where vendors will compete on price rather than product.”

“There is undoubtedly less product differentiation… The key

differentiation is on the platform side”

“We see security spend leaking into different areas. For example, NGFW had good growth

last year, but dropped off from 30-35% to the low 20s this year. The Next Generation Firewall

is no longer a key priority, and is becoming somewhat of a commodity.”

5 September 2017

Cybersecurity 64

Cloud Transition

Transitionary Challenges Await Incumbents in a Successful Adaption Scenario

Even if we imagine the incumbent vendors strategically align themselves successfully with

what, in our view, represents the future of security infrastructure, we still expect them to

face transitionary challenges.

■ Top Line: Firstly, and perhaps most obviously, we don't think investors are prepared

for the large firewall names to face the revenue headwind inherent in a transition to

cloud.

■ Pricing: Secondly, and less obviously, we don't believe the market to be fully

cognizant of the deflationary pressures we expect cloud to exert on firewall. We believe

this to primarily result from this being one of the few examples of a cloud transition that

disaggregates (rather than aggregates) adjacencies.

Contextualizing a Traditional Cloud Transition

■ Short-Term Revenue Headwind Due to ACV Decline: The transition from a

license/maintenance business model to subscription cloud model is well known to

result in a short-term revenue headwind. This is a result of selling new customers, and

transitioning renewing customers, onto subscription contracts that tend to have a lower

annual contract value (ACV) but a greater customer lifetime value (CLTV). It is argued

there is value for shareholders who look through the near-term top-line pressure to

enhanced CLTV. Oracle's comments around its most recent quarter highlight this:

'Total cloud revenues totaled $4.7 billion, growing 68%. On-premise software declined 1%

to $25.6 billion as the 3% growth rate in software support was offset by cloud-related

declines in new software license, which were down 11%... Over the full year of FY '18, I

expect continued high growth in cloud revenues, with cloud revenues materially

surpassing new software license revenues.'

– Safra Catz, Oracle 4Q17 Earnings Call,

6/21/2017

Figure 114: Adobe's Guide to Its Cloud Transition’s

Near-Term Revenue Headwind in 2013…

Figure 115: … and the Actual Results as Reported

Showing Successful Execution

Adobe 2013 Analyst Day Creative Product Family Revenue guide Adobe reported Creative Product Family Revenue Guide

Source: Adobe, Credit Suisse Research. Source: Adobe, Credit Suisse Research.

~$2bn

FY12A FY13E FY14E FY15E FY16E

Su

bscri

pti

on

Revenu

e

Perp

etu

al

Revenu

e

$2.3bn

$1.9bn $1.8bn

$2.3bn

$3.2bn

FY12A FY13A FY14A FY15A FY16A

$28

$103

ADBE share price

5 September 2017

Cybersecurity 65

■ Consolidating Adjacencies Results in Greater CLTV: Cloud transitions tend to

consolidate adjacencies. Taking Oracle Database as a Service (DBaaS) as an

example, traditionally the enterprise would have bought a database license to host the

software on its own infrastructure; purchasing DBaaS shifts the responsibility for

hardware, power, cooling, maintenance, etc. to the vendor, therefore consolidating the

various total cost elements. From a price perspective, this drives the greater CLTV that

delivers value to the customer and ultimately shareholder.

'…When a customer who's on-prem paying us support moves to the cloud, they pay us

more money. They don't pay us 1:1, they don't pay us 2:1, they pay us more like 3:1. In

some cases, more than 3:1. In some cases, we also get the attach of platform … and that

is not included in the 3:1 that I'm giving you.'

– Mark Hurd, Oracle 4Q17 Earnings Call, 6/21/2017

Why We Are Concerned That Firewall Might Not Be as Successful…

We think that the key value component for investors in a cloud transition strategy is the

ability to look through the near-term revenue headwind toward the potential for CLTV

enhancement and revenue visibility implicit in subscription. The CLTV enhancement itself

results from adjacency consolidation and TAM expansion.

We (1) struggle to believe investors are yet fully prepared to look through a short-term

transitionary revenue headwind for incumbent firewall vendors, and (2) struggle further to

be convinced that this transition would be accretive to CLTV rather than deflationary.

The Market Is Underprepared for Any Revenue Headwind

Previous successful cloud transitions have relied on clear messaging from management to

the investment community. As yet, we have seen no signs of this; instead, management at

Check Point, Palo Alto Networks, and Fortinet continue to communicate that the market

should expect cloud to be incremental rather than cannibalistic.

Check Point Comments Around Its vSec Virtual Edition

Credit Suisse Interpretation of CHKP Messaging: (1) Cloud is incremental in most

cases; (2) there will always be a physical network and therefore demand for appliances;

and (3) cloud means more traffic, meaning you need more aggregate throughput.

'… I haven't seen that the cloud is changing a lot of customers' behavior of their physical

network. We still have physical network, we still need to secure them, sometimes they

need to connect them to cloud, which means that they need some appliances or some

devices to do the VPN through the cloud. The cloud in most cases, again not all of them,

but in 99% of the cases is an extension and expansion for the existing network.'

– Gil Shwed, CEO, 04/27/2017

'It's additive in most of the cases… So, just like you have if you had the 4,000 offices

around the world, now you have 4,001. You need another gateway, right? It might not be

physical one. It might be a virtual one. You still need to manage it.'

– Tal Payne, CFO, 11/15/2016

'We see it as an incremental long-term and short-term.… once you start going up into the

cloud, there's many different ways you can get your employees up to the cloud to use

those applications. Sometimes it's going through a direct connect through your data center,

so you still have to have a data center, or you're going to have to do SSL connections from

your perimeter. And in that case, you're going to need bigger boxes because you're going

to have more traffic, and that's not going to stop. So, besides that, and then having it in the

cloud, everything that we come up with is incremental.'

– Kip Meintzer, VP Investor Relations, 03/06/2017

5 September 2017

Cybersecurity 66

Palo Alto Comments Around Its VM-Series Product

Credit Suisse Interpretation of PANW Messaging: (1) Cloud is additive, (2) customers

want feature parity and consistency between virtual products and on-premise appliances,

and (3) more workloads moving to the cloud mean more opportunities to sell virtual

firewalls.

'… So far, and we think this will continue into the future. We've seen the cloud in general

and then our VM-Series and other cloud aspects like Aperture be additive. So we think

that's a lead provider for us and a growth provider for us for new use cases'

– Mark McLaughlin 05/31/2017

…we view the cloud as additive to us. We are helping our customers work through

architectural decisions that are both on-prem and cloud and we view this as positive.

- Steffan Tomlinson, 12/07/2016

'We view moving workloads to the cloud as incremental for our business. The fact that

companies want to have a consistent security policy to manage on-prem devices, plus

their cloud workloads, accrues to our benefit. Because we have virtualized our firewall a

number of years ago to have full feature and functionality of a next-generation firewall but

in a virtual form factor.'

– Steffan Tomlinson, 09/14/2016

'So when you think of a cloud, there is the going to and coming from the cloud

infrastructure that we deliver, but also what goes on in that cloud itself. Now, this is

typically big [iron]. That's a big machine that sits between the cloud and target. But in that

cloud, you have thousands of little machines that have to be protected, which is a great

opportunity for us to sell thousands of virtual firewalls, VM-Series firewalls, into those

infrastructures.'

– Rene Bonavanie 09/28/2016

'… our VM-Series [delivers] the traditional form factor of hardware in a software model for

deployment in virtual either public, private, or hybrid models. And that's also a mid eight-

figure business growing roughly the same rate as Traps.

…If anyone could find an industry analyst who actually has sized that market, let me know.

It is still very early stage and I think the industry itself is watching a slow evolution of

adoption of cloud, but that will be an important contributor.'

- Kelsey Turcotte, VP Investor Relations, 09/08/2016

Fortinet Comments Around Their Virtual Product

Credit Suisse Interpretation of FTNT Messaging: (1) Virtual is the fastest growth

segment at FTNT and will be the largest segment of revenues in three to four years, (2)

hybrid model is the way forward, and (3) there is pressure on the product line from virtual

product adoption.

'Definitely the cloud; starting to grow faster than real appliance' [in response to question

about how physical vs virtual will unfold over the next three to four years] .

– Ken Xie, Founder, Chairman of the Board & CEO, 02/02/2017

[That's more] incremental and also interesting, I also see -- I think we wrote a comment

about almost maybe a year ago we move lot of data to the Cloud. You actually need to

secure the access and also increase the bandwidth to -- for the -- whether encryption,

whatever, to access the data there. At the same time, even the data in the Cloud, you also

need to protect that, right? So, that's actually -- I believe, when some data application

move to the Cloud, they actually need the most security.

- Ken Xie, Fortinet Inc – CEO 2/28/2017

5 September 2017

Cybersecurity 67

'Our cloud and virtual business more than doubled year over year in the fourth quarter.

Although this is from a small base, it continues to represent the fastest-growing segment

of our total business… We are really trying to weight the money -- we're really to drive to

higher customer lifetime value, and the way you do that is attribute more to the recurring

higher profitability side of the business.'

- Drew Del Matto, CFO, 02/02/2017

'Where we are seeing the most uptick really is what I would call the hybrid model and what

we call that actually is BYOL, Bring Your Own License or Bring Your Own Device, and so

someone, a customer is generally buying a device and they are installing it in someone

else's cloud environment where they are managing it for them. Now, the other thing we're

seeing, I mean we're actually seeing an uptick in the virtual licenses being downloaded,

the metered models, the utility models.

But the problem is, it's so small, right. [It's not] necessarily a bad thing because if that's

going to grow, I think it really give us a kind of a nice path to growth without the risk of

cratering the revenue line, the topline as you transition. Look, investors are worried about

or people are often worried about is that it's going to be like Adobe going from perpetual to

subscription and you get this cratering effect on the P&L and the topline and what we hope

is that this thing just grows nice at a nice curve and a nice rate, we continue to take share

and we kind of sail through the transition.' -

Drew Del Mato – 9/07/2016

'There is a beneficial impact from the cloud. I think the non-beneficial impact could be

something like Drew was saying is that it extends the sales cycles. As customers are

planning their next-generation networks, perhaps shifting some to the cloud in the hybrid

model, it does slow things down in the decision making process. But we feel from a

competitive standpoint we are very well positioned.'

- Michelle Spolver, Chief Communications Officer, 10/27/2016

'Yes. The thing I would add, too, to what Drew said, is that product revenue, you see an

acceleration from most companies. And Drew talked about it being an overall opportunity.

We definitely see that, probably more in the long term than the short term.

But in Q3, for us, we had about 200 to 300 basis points of product revenue that moved into

services, and that was primarily accounting for sales of virtual products through AWS and

Azure. And so, that's something that, it's an incremental opportunity, but you get lower

upfront product revenue. We are selling it in that fashion. It certainly -- it helps on the gross

margin line, but it brings product revenue down a little bit.'

- Michelle Spolver, Chief Communications Officer, 11/09/2016

Complacency Is Evident in the Numbers

We illustrate potential unpreparedness via revenue revisions data. It is clear that when

analysts expect a cloud transition (generally following management communication to

market), they revise their forward revenue forecasts downwards.

Naturally, we recognize the market can react positively despite downward top-line

revisions, generally when investors applaud cloud transitions and look through the

revenue headwind to enhanced CLTV. While we argue strongly below a firewall cloud

transition disaggregates adjacencies, and is therefore unlikely to be CLTV accretive, we

appreciate this as a risk to our thesis.

5 September 2017

Cybersecurity 68

Figure 116: Revenue Revisions Data Show Analysts

Revised Down Their Top-Line Forecasts…

Figure 117: … After Messaging About a Cloud

Transition Began at ORCL and ADBE

Oracle revenue revisions Adobe revenue revisions

Source: Bloomberg, Credit Suisse Research. Source: Bloomberg, Credit Suisse Research.

Looking at revisions data for the incumbent firewall vendors, we believe the Street

continues to model virtual firewall as entirely incremental in nature.

Figure 118: PANW, CHKP, and FTNT Have Not Experienced Material Sell-Side Downward Revisions to

Forward Revenue Estimates

Source: Bloomberg, Credit Suisse Research.

Is a Messaging Shift Already Under Way?

We have analyzed the messaging from Palo Alto Networks regarding its virtual business

and wonder if there is a subtle messaging shift under way. In September 2016, Palo Alto

Networks CFO Steffan Tomlinson described shifting workloads to cloud as unequivocally

incremental for PANW.

'We view moving workloads to the cloud as incremental for our business. The fact that companies want to have a consistent security policy to manage on-prem devices, plus

their cloud workloads, accrues to our benefit. Because we have virtualized our firewall a number of years ago to have full feature and functionality of a next-generation firewall but

in a virtual form factor.' – Steffan Tomlinson, 09/14/2016

In December 2016, Mr. Tomlinson offered greater detail about the economics of cloud and

accepted that different transitions result in different economics. However, the message

remained consistent that cloud is additive and incremental.

12Y 13Y 14Y15Y

16Y 17Y

18Y

19Y

34,000

36,000

38,000

40,000

42,000

44,000

46,000

48,000

2010 2011 2012 2013 2014 2015 2016 2017

Larry Ellison announced Oracle Public Cloud in late 2011

10Y

11Y 12Y 13Y14Y

15Y

16Y

17Y

18Y

19Y

2,000

3,000

4,000

5,000

6,000

7,000

8,000

9,000

10,000

11,000

2007 2009 2011 2013 2015 2017

Adobe announced their cloud intentions in

November 2011

13Y 14Y

15Y

16Y

17Y

18Y

19Y

1,300

1,500

1,700

1,900

2,100

2012 2013 2014 2015 2016

13Y 14Y15Y

16Y

17Y

18Y

19Y

0

600

1,200

1,800

2,400

3,000

2012 2013 2014 2015 2016

13Y 14Y

15Y

16Y

17Y

18Y

19Y

500

800

1,100

1,400

1,700

2,000

2012 2013 2014 2015 2016 2017

Palo Alto Networks, $m Fortinet, $m Check Point, $m

5 September 2017

Cybersecurity 69

'Well, the operative engagement model that we're seeing today is really a hybrid one,

where we're seeing a combination of on-prem and cloud. And by the way we define cloud

as public cloud, private cloud and SaaS applications. Depending on how the customer

actually goes to market with their cloud strategy will determine the outcome around

the economics of the deal.

As an example, in one flavor, you could have a customer who has a public cloud or private

cloud infrastructure, but they're still routing their traffic back through their data center. In

that case, they will be actually buying high-speed chassis from us, physical product-related

revenue for us and they will be buying virtual firewalls from us for both the public

and private cloud options.

If they were just to go down the private or public cloud route, they'll be buying our virtual

firewalls. And the economics are favorable in both areas. The unit economics are different

because you have a physical firewall, which has a lot of hardware and throughput

capability. The virtual firewall has less throughput capability, because it doesn't have

the hardware component. But the cost per megabit within the same zip

codes for both on-prem equipment and virtual firewall.'

– Steffen Tomlinson, 12/07/2016

In June 2017, Mr. Tomlinson injected some measured caution around earlier statements

that cloud is unequivocally incremental, suggesting the transition to cloud is a long game

where the margin and revenue impacts remain to be seen.

'…what we've seen is lots of companies are moving workloads to the cloud, but it's not

moving everything to the cloud right now. We view the cloud as an incremental opportunity.

It remains to be seen. This is a long game. It remains to be seen, the margin impacts,

the revenue impacts, et cetera.

But I can tell you right now, there's not a one-for-one correlation between one physical

firewall and one virtual firewall because from the way that most firewalls are scoped out is

it's based off of throughput. If you have a 20-gig firewall and you're buying one appliance,

you're going to need to buy probably at least 20 if not more virtual firewalls, depending on

the network setup that you have. And so there's going to be an evolution of what the

revenue model looks like. But right now, we're not seeing any negative effect of

public cloud. We're seeing it is an incremental benefit.'

– Steffan Tomlinson, 06/06/2017

Having One's Cake and Eating It?

We think there may be a level of cognitive dissonance among management of CHKP,

PANW, and FTNT applauding growth in their respective virtual businesses and

simultaneously messaging cloud is entirely additive.

Especially in the context of Symantec's clarity in messaging around the economics of

physical vs hybrid vs pure virtual/cloud, we struggle to understand how virtual firewall

cannot be cannibalistic on some level.

5 September 2017

Cybersecurity 70

Figure 119: Symantec's Accepts That Virtual Appliances Are Not Necessarily Always Accretive to CLTV

Source: Symantec, Credit Suisse Research.

Can Cloud Be Accretive to CLTV?

As discussed above, we are concerned that the market is not cognizant of the potential

revenue headwind in a cloud transition scenario. However, why should investors not just

look through the short-term headwind to the greater CLTV opportunity that cloud security

promises?

We are concerned that a cloud transition is likely to be deflationary for pricing, regardless

of consumption model. We are cognizant of multiple factors that we think may impact the

ability of firewall vendors to maintain the tight control over pricing they have historically

enjoyed.

Figure 120: Pricing for High-End Units Has Remained Within a Relatively Tight

Band

High end ASP, adjusted for inflation by US PPI from most recent quarter


Hybrid Solution Virtual AppliancePhysical Appliance

Product/Support Product/Support & Subscription Subscription

$600

$269

$269

$269

$269

Year 1 Year 2 Year 3 Year 4 Year 5

$640

$391

$391

$391

$391


$380

$380

$380

$380

$380


CLTV $1,480 CLTV $1,930 CLTV $1,645

~4 year breakeven

* CLTV assumes an annual 5% discount factor

0

20,000

40,000

60,000

80,000

100,000

2003 2005 2007 2009 2011 2013 2015 2017

High end ASP, inflation adjusted (US PPI)

Average, +/- 1stdev

5 September 2017

Cybersecurity 71

Consumption Models

There are two main consumption models for virtualized firewall: (1) as a license to install in

one's own private cloud, or (2) via AWS and other public cloud vendors on a metered

basis. Of the below factors, we think that disaggregating adjacencies and the lowering of

switching costs represent potential pricing headwinds for both consumption models, while

the price transparency, deconsolidation, and capacity utilization arguments are more

specific to metered models.

■ Disaggregation of Adjacencies: NGFW/UTM/Firewall moving from a physical to

virtual form-factor actually disaggregates the value proposition of hardware with

software attach. The value delivered via product purchase is currently triplicate, (1)

the physical hardware itself, (2) the software platform that requires maintenance

payments, and (3) attendant attach optionality paid for via subscription.

Virtualizing product decomposes the product/support/attach model into software

subscription excluding hardware (product) and associated maintenance. All else equal,

the revenue (and profit to a lesser extent) opportunity should actually be lower for

virtualized product by virtue of the removal of hardware components, assembly, and

development. Put another way, why would the customer pay the same when they have

to provide their own hardware?

Therefore, assuming virtual is priced at parity (i.e., excluding the hardware component)

on a discounted basis, and assuming no growth, there is a sustained haircut to the

aggregate vendor revenue opportunity. This said, we recognize that the gross margin

on the software component of product is substantially higher than the hardware piece.

Figure 121: A Portion of the List Price Represents the Cost of Hardware

Traditional revenue model (not to scale, for illustrative purposes only)


■ Switching Costs Lowered: The physicality of hardware lends it gravity (both literally

and figuratively) in the IT infrastructure. It's expensive to rip and replace during the

deployment life cycle (we think about the average refresh as five years), as your sunk

costs greatly outweigh your variable costs. Virtualized firewall paid for on a subscription

basis implies no irrecoverable costs and therefore would greatly reduce the economic

imperative of delaying switching until the refresh.

We recognize the residual switching cost of policy gravity, which is the migration of

firewall policy from one vendor to another being challenging, but believe this to

represent only a portion of aggregate switching costs.

2 3 4 51

Maintenance/support

Subscription

Year

Hardware

portion

of product

Up

-fro

nt

pro

du

ct c

ost

5 September 2017

Cybersecurity 72

Figure 122: The Figurative Gravity of Hardware (with

Its Upfront Costs) Results in High Switching Costs…

Figure 123: … Subscription Reduces the Economic

Imperative of Switching Upon the Refresh

Traditional revenue model (not to scale, for illustrative purposes only) Cloud revenue model (not to scale, for illustrative purposes only)

Source: Credit Suisse Research. Source: Credit Suisse Research.

■ Price Transparency: While the above are pricing headwinds for virtual firewall sold

under a subscription model, we expect there will be significant demand for metered

pricing. The popularity of on-demand pricing is unlikely to pass by virtual firewall

additions; indeed Fortinet, Palo Alto, and Check Point's virtual solutions can all already

be consumed via public cloud vendors.

Moving to a metered pricing model results in greatly enhanced price transparency;

vendors can be compared more easily. We question whether this may expose an

historically price-opaque and insensitive business model to the whimsy of dynamic

pricing.

Year 2 3 4 51

Up

-fro

nt

pro

du

ct c

ost

Maintenance/support

Subscription

Sunk

cost

Sunk costs = high switching costs

Year 2 3 4 51

Subscription

No

Sunk

cost

No sunk costs = lower switching costs

5 September 2017

Cybersecurity 73

Figure 124: Fortinet, Palo Alto, and Check Point All Have Virtual Offerings

Available on a Metered Basis on the AWS Market Place

Source: AWS.

■ Capacity Utilization Is Deflationary: When the InfoSec team plans a firewall

purchase, it is making capacity decisions to ensure performance not just during max-

throughput occasions but also in the context of its forecast traffic growth during the

intended life of the appliance. We think that virtualized pricing models, in addition to the

ephemeral nature of workloads, will result in more efficient capacity utilization.

5 September 2017

Cybersecurity 74

Figure 125: Currently, Firewall Throughput Capacity

Is Planned Such That the Network Will Remain

Performant During High-Traffic Events

Figure 126: Buying Firewall Either by Subscription

or on a Metered Basis Will Reduce Excess Capacity

Relative to the Hardware Pricing Model

Conceptual, for illustrative purposes only Conceptual, for illustrative purposes only

Source: Credit Suisse Research. Source: Credit Suisse Research.

As we have attempted to illustrate in Figure 127, should a virtual firewall be consumed

via subscription, on a per-hour basis, on a per-seat basis, or on a throughput basis, we

expect it to be deflationary. This is because the delta between what you purchase and

what you consume decreases as a function of the granularity of pricing paradigm.

Figure 127: Illustration of Capacity Saved Under Different Pricing Models

Conceptual, for illustrative purposes only


■ Less Imperative to Consolidate: As we have referenced, consolidation has been a

beneficial trend for firewall vendors. These companies have continued to add

incremental controls and network security features onto their boxes and have done a

great job expanding TAM and simplifying the solution set for customers. NGFW has

been a consolidation story for the past several years and contributed to stock

outperformance during that time.

Jan Jan Mar Apr

Refresh cycle max traffic assumption

Max historical traffic

Illustrative daily traffic patterns

Jan Jan Mar Apr



Meteredpricing

Subscriptionpricing

Hardwarepricing

Actual traffic

Max historical traffic

Refresh cycle max traffic assumption

5 September 2017

Cybersecurity 75

Figure 128: Underlining Firewall Stock Outperformance During the Period of

Product Consolidation – the Aggregation Trade

Rebased to 100 on PANWs first trading day

Source: Thomson Reuters Datastream, Credit Suisse Research.

We posit the potential for a public cloud deployment and marketplace model to challenge

what has been the norm for the past several years. With the ephemeral nature of cloud

workloads, it might very well make sense for practitioners to more nimbly mix and match

different control from different vendors, perhaps even to vary the use of such controls by

workload instead of having more static one-size-fits-all solutions.

0

50

100

150

200

250

300

350

400

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

CHKP PANW FTNT

5 September 2017

Cybersecurity 76

Figure 129: Software SoundBytes Regarding Pricing of Security in the Cloud


Software SoundBytesPricing Security in the cloud

Brad Zelnick

(212) 325 6118

[email protected]

“If its BYOL model, it works great but the marketplace has been trending towards hourly

usage pricing models. Security guys have never done that and it’s challenging to achieve

any predictability. That’s working against the virtual firewall market.”

“If I look at the virtual firewall market it is not more than10% of the overall firewall market. 45% of

that is public cloud related, so only 3.5% - 4% of the firewall market is in the public cloud today.”

“Our customers struggle with buying security on a utility model”

“Security needs to be aligned with cloud consumption economics – pay as you go… People

buy excess capacity to not deal with refresh cycles – this will go away.”

“From a reseller perspective, the pricing on physical vs victual is still unclear – and

presence on AWS clearly alienates the channel – but does it mean that network

security players can recoup the channel margin?”

“Legacy vendors are not comfortable selling in a utility model; it goes counter to what the

trend has been, even with virtual FW on the private side the security guys really struggle

with how to do an on-demand security model. A lot of organizations are looking at security

in cloud more holistically, shifting spend to other areas like identity and encryption.”

“Like for like units are less expensive when consumed virtually … Even so, the cost of firewall vs

infrastructure on smaller deployments can sometimes be a multiple of infrastructure. This is highly

dependent on what workloads you are running, and where you are running them”

5 September 2017

Cybersecurity 77

TAM Expansion Is Limited

Feature Consolidation Is Limited, and So Is the Share Consolidated Solutions Can

Take

A multi-year theme in the firewall space has been the consolidation of point solutions onto

the firewall. We believe this has been a genuine response to the frustration of customers

(of all sizes) with an ever growing plethora of disparate solutions, but it has also been a

convenient revenue protection and enhancement strategy. We argue there is a limit to

what can be consolidated, as well as a limit to the share consolidated products can enjoy

in the marketplace.

The Problem with Point Solutions (for the Customer)

Separate Firewalls, intrusion detection/prevention (IDP) appliances, secure Web gateways

(SWG), SSL VPNs, and advanced threat prevention (ATP) sewn together by a large IT

services vendor are admittedly suitable for some very large sophisticated enterprises.

However, given the expense (both upfront and ongoing; you need an extensive security

team) and time to implement; this complexity limits broader demand for pastiche solutions.

Instead, the majority of enterprises would prefer a single platform from which to identify,

manage, and control security threats. Even if each constituent component is less strong

than a best-in-class point product, a platform solution tends to deliver greater functionality

via the integration inherent in consolidation, as well as better throughput and significant

cost savings.

Cisco's Marty Roesch (Vice President and Chief Architect of Cisco’s Security Business

Group, previously founder and CTO of Sourcefire) talks about the complexity trap of point

products. Each time a point product is added to one's security apparatus, the complexity

increases exponentially, while the value generated increases only linearly. This implies

that, at some point, the complexity of point solutions, even if they are best-of-breed,

overwhelms their utility.

Figure 130: Increasing Use of Point Products Increases System Complexity

Source: Credit Suisse Research, * System complexity proxy is number of connections necessary between point products should each be connected with every other.

The Benefits of Feature Consolidation (for the Vendor)

We believe there are three key vendor incentives to consolidate features onto a single

appliance: (1) synthetic TAM expansion, (2) the opportunity to increase attached

subscription and (3) enhanced unit gravity.

■ TAM Expansion: The more features consolidated onto a single box, the greater the

market addressable by that product. We visualize this phenomenon in Figure 131 and

see this as a top-line growth strategy in a saturated market.

0

50

100

150

200

0 2 4 6 8 10 12 14 16 18 20

Value Complexity *

5 September 2017

Cybersecurity 78

Figure 131: The More Point Solutions That Are Consolidated, the Greater the

TAM for Firewall Vendors Becomes



■ Tailwind for Attach: The more that can be consolidated onto a firewall, the more

features that can be sold attached to the box. We view this as a revenue protection

strategy in a saturated market. When the only incremental revenue opportunity is a

competitive (or defended) win on the refresh, the consolidation of adjacent products

offers an opportunity to both grow, and de-risk, the top line by the addition of sticky

recurring subscription revenues.

Figure 132: If We Look at the Five-Year Thru-Cycle Attach Rate, We Can See the

Financial Result of Feature Consolidation

Annualized subscription and support/maintenance as a percentage of 5y trailing product revenue


■ Greater Unit Gravity: The more attached to a single box, the heavier that appliance is.

That is, the more the enterprise relies on it as a single-point solution, the stickier the

appliance becomes. In addition, the more attaches per box, the more throughput

consumed, and therefore the greater capacity demanded. This, we think, ultimately

results in greater unit gravity, better price leverage, and heightened capacity demand.

Number of features

consolidated

Time

Core

Firewall

Core

Firewall

& VPN

Core

Firewall

& VPN

& WAF

Core

Firewall

& VPN

& WF

& IDP

Core Firewall

& VPN

& WF

& IDP

& AV

& DLP

CASB?

32%

34%

36%

38%

40%

42%

44%

46%

48%

50%

2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

CHKP FTNT PANW

5 September 2017

Cybersecurity 79

In summary, customers wish to take a platform approach to lower costs and increase

efficacy and vendors to consolidate features as a revenue protection strategy. Given this

incentive alignment between customers and vendors alike to rationalize their security

infrastructure, the multi-year trend toward feature consolidation is unsurprising.

Figure 133: Looking at the Share of the Market by Product Type Shows the Trend Toward Consolidation

Revenue by product as share of total market, %


Consolidation Tailwind Unlikely to Sustain

While feature consolidation has been a sustained tailwind for at least two refresh cycles,

we believe the benefits accruing to vendors from platform strategies are likely to be less

pronounced.

■ Ceiling for Consolidated Product Demand: Chief security officers are often

concerned by the unsystematic risk inherent in a single-vendor platform approach.

Security silos are vulnerable, and the generally accepted wisdom of defense in depth

means that those with the budget and sophistication are likely to continue to demand

the best-of-breed point products necessary for an integrated layered approach. In our

view, this results in a demand ceiling for unified products (UTM/NGFW).

■ Significant Proportion of the Market Already Consolidated: Given c52% of the

market is already comprised of UTM/NGFW (50% in the high end of the market), we

think there is a limit to the second derivative rate of change in UTM share, especially in

the context of our view around consolidated product demand ceiling.

■ Little Left to Consolidate: A push-back to the above is, of course, that innovation in

the market itself grows new point products that can then be consolidated at a faster

rate than we expect. While a legitimate risk to our thesis, we see the speed of

consolidation of innovations such as CASB as reflecting what little is left to be

consolidated. Barracuda acquired the Sookasa CASB, CHKP has partnered with

multiple CASB providers (Firelayers, Avanan, and Microsoft), Cisco bought Cloudlock,

and Fortinet has the FortiCASB. Given the nascent nature of the CASB market, we

think the extent to which it has already been consolidated reflects the vendor appetite

for new platform additions; deduction would therefore suggest there is little left to

consolidate.

Furthermore, akin to the law of large numbers, we note the simple mathematical

argument that as additional features are consolidated into the NGFW, it becomes

increasingly difficult to move the needle on existing TAM.

0%

20%

40%

60%

80%

100%

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Unified Threat Management/Next Generation Firewall

Firewall

Intrusion Detection and Prevention

Content Management

VPN

5 September 2017

Cybersecurity 80

Figure 134: UTM Accounts for in Excess of 50% of the Security Appliance Market


VPN2%

Content Management

16%

IPS12%

Unified Threat

Management52%

Hybrid VPN0.3%Ipsec VPN

0.3%

SSL VPN2%

WAM0.4%

Web Security10%

Messaging Security

5%

IDS1.3%

IPS10%

Firewall19%

5 September 2017

Cybersecurity 81

SSL Decryption Less of a Tailwind

The argument made by many students of the firewall industry, not least Gartner, is that as

more traffic is encrypted, firewall capacity will need to increase. The logic is that decrypting

SSL traffic (so that it can be inspected) and then re-encrypting it is roughly 50% more

computationally taxing than a simple inspection of unencrypted inbound and outbound

traffic.

Figure 135: The Performance Loss Resulting from an Inspection of SSL

Encrypted Traffic On-box Is Substantial

Source: NSS Labs, Credit Suisse Research.

Many NGFWs have the ability to pose as the recipient of the SSL session, decrypt and

inspect the content of the packet, and then impersonate the sender by creating a new SSL

session with the intended recipient.

Figure 136: The Decryption Process

Source: Fortinet, Credit Suisse Research.

In Gartner's words: 'The vendors in the firewall space will be challenged over time by the

maturing of the cloud service providers' (CSPs') solutions. But in the near term, Gartner

predicts that more firewalls will be deployed to deal with the growth of encrypted traffic, so

this can be a source of near-term incremental demand for firewall vendors.' – Gartner

Event Summary: Gartner Security & Risk Management Summit 2017, 13th July 2017

NSS Labs (512b Cipher)

NGFW Performance loss by Vendor

Forcepoint 3202 -54%

Palo Alto 5020 -66%

SourceFire 8250 -77%

Check Point -87%

Fortinet -93%

Content

Scanning

Decryption Re-encryption

Firewall Appliance

Encrypted Packet Encrypted Packet

Decrypted packet

HTTPS session HTTPS session

User Server

5 September 2017

Cybersecurity 82

Figure 137: SSL Encryption Has Grown Rapidly, but the Rate of Acceleration Is

Forecast to Decrease

Source: Google, Credit Suisse estimates.

While the argument is not without apparent logic (SSL encrypted traffic is growing, and

SSL encrypted traffic requires more processing power to inspect), we think there are three

key reasons for this trend to be less of a tailwind than the market expects:

■ The Lion’s Share of Growth in Encrypted Traffic Has Already Occurred: As of

February 2017, the EFF reported that more than half of all Internet traffic was protected

by HTTPS. This data are corroborated by statistics from Google that suggest SSL

encryption is in place on more than half of the pages loaded by desktop users and that

the same users spend more than two-thirds of their time on HTTPS websites.

When we look at data from Chrome (the most popular web browser), we find that as of

September 2017, 83% of pages were loaded over HTTPS and 74% of time was spent

browsing HTTPS websites. Ultimately, this suggests that the second derivative growth

in encrypted traffic is likely to be less significant, and therefore less of a near-term

tailwind, than industry analysts suggest and the market believes.

Figure 138: Chrome Is the Most Popular Web

Browser, with over 60% of Web Traffic

Figure 139: Nearly 80% of Time Is Spent Browsing

SSL Encrypted Sites on Chrome

Source: w3counter.com, Credit Suisse Research. Source: Google, Credit Suisse Research.

■ Point Solutions Are Cheaper: While some argue the computational weight of traffic

decryption must result in greater aggregate firewall throughput demand, others argue

for a scale-out, rather than scale-up, model. Indeed our field work validates the cost

and security efficacy of using NGFW alongside stand-alone decryption devices from

vendors such as Gigamon or Symantec’s SSL Visibility Appliance (FKA Metronome

acquired by Blue Coat).

16%20% 19%

22% 23% 23% 25% 27%30%

34%39%

46%

59%65%

70% 75%

0%

10%

20%

30%

40%

50%

60%

70%

80%

2005 2007 2009 2011 2013 2015 2017 2019

Ponemon data (enterprise deployment of encryption)

Letsencrypt.org data (percentage of web pages Loaded by Firefox Using HTTPS)

NSS Labs 2019 forecast (interpolated)

62%

14%

9%

8%

3%

Chrome

Safari

Internet Explorer

Firefox

Opera

70%73%

75%78%

81%83%

45% 46%

54%57%

60%57%

66%68%

71% 70%74%

30%

40%

50%

60%

70%

80%

90%




5 September 2017

Cybersecurity 83

■ Trade-Down Effect Accounts for Some of This Step Increase: Should we

hypothetically assume a higher volume of encrypted traffic as a material short-term

driver of incremental physical firewall demand, some of this will likely be accounted for

by the trade-down effect. That is, upon the refresh, it's common for new offerings at

price parity with your retired boxes to have higher throughput capacity than the retired

appliance. Therefore some customers will ‘trade down’ to cheaper boxes with

equivalent throughput.

■ IP Traffic Volume Is Surging, but It Isn't Leaving the Datacenter: Traffic within the

data center makes up ~75% of the data center traffic and usually between same-stack

components (server, converged, storage, switching, and routing hardware). IP traffic

volume is surging, but it isn’t all leaving the data center, therefore there is no need to

encrypt all of it.

In addition, when interconnection is in place to put a cross connect in place, let’s say

Credit Suisse Low Latency trading and NYSE, that traffic is secured using one fiber

optic cable with no other parties using the same sockets; so as long as there is mutual

trust between both parties, the need to SSL encrypt is ameliorated.

Figure 140: 77% of All Traffic Occurs Within the

Same Data-Center…

Figure 141: … and This Is Forecast to Grow at a 23%

CAGR Through 2020

Traffic distribution, 2016, % Traffic in Exabyte’s per year

Source: Cisco, Credit Suisse Research. Source: Cisco, Credit Suisse Research.

Data center to

user

Data center to

data center

Within data center

14%

9%

77%

5,074 6,728

8,391 10,016

11,770

-

2,000

4,000

6,000

8,000

10,000

12,000

14,000

16,000

18,000

2016 2017E 2018E 2019E 2020E


Data center to user

Within data center

5 September 2017

Cybersecurity 84

Shift from Prevention to Detection

“Are you planning for resilience in the face of cyber-attack? I would counsel all large organisations to assume that they are being attacked, and that this will be both from

the outside and inside. In fact, it may make no sense to distinguish between the two in the short-term future. Therefore, if you cannot keep all the attacks out you must

assume that you need to plan to be resilient in the face of them existing.” – Dr. Sadie Creese, Director of the Global Cyber Security Capacity Centre at the

Oxford Martin School and a member of the Coordinating Committee for the Cyber Security Oxford network

Enterprise Investment Shifting from Prevention to Detection

It is increasingly accepted by practitioners that information security isn’t capable of

predicting or preventing targeted attacks, particularly in the context of an innovating

attacker and a mercurial attack surface.

In countering the increasing speed, sophistication, scale, and variety of attacks, we believe

companies are more likely to invest in enhancing detection and response capabilities, as

well as data origination and endpoint monitoring as opposed to prevention-centric security

measures. Gartner estimates that 60% of enterprise security budgets will be allocated for

detection and response by 2020, up from 10% in 2013, and that 80% of endpoint

protection platforms will include user activity monitoring by 2018, up from less than 5% in

2013.

Figure 142: Enterprise Security Spend Shifting Rapidly to Dedication & Response


Source: Gartner, Credit Suisse estimates.

Verizon notes in its 2016 Data Breach Investigation Report the average time taken to

exfiltrate data is a matter of days, although a nontrivial 21.2% of reported cases occur in

minutes. In addition, the vast majority of data, typically some form of credentials, is

compromised within minutes, if not seconds.

10%13%

18%23%

30%

39%

50%

60%

0%

10%

20%

30%

40%

50%

60%

70%

2013 2014 2015 2016 2017 2018 2019 2020

2013-2020 CAGR = 29.2%

5 September 2017

Cybersecurity 85

Figure 143: Time to Threat Discovery Is Improving, but Disparity Between Time

to Compromise vs. Time to Discover Continues to Widen

% of Breaches Compromised in “Days or Less” vs. Detection in “Days or Less” (Source: CS est, Verizon)


Meanwhile, although an increasing number of breaches are discovered within days or less

(albeit still <25% of cases), the proportion of incidences that takes days or less to

compromise data is nearing 100% and is increasing at a relatively greater pace.

In addition, according to a 2015 report by Mandiant, the average targeted malware

compromise was present for 205 days before detection, and 69% of discoveries were

made by external parties rather than by internal IT security divisions.

With a need for rapid detection, the market for endpoint detection and response (EDR) in

particular will likely see rapid growth. At present, EDR has roughly 40 million endpoints

installed (less than 6% of the total PC and tablet install base). Gartner estimates that

aggregate end-user spending on endpoint detection and response will grow from $238

million in 2015 to $1.5 billion in 2020 at a CAGR of 45.3%, markedly faster than the 2.6%

CAGR forecast for the endpoint protection market as well as the 7.0% forecast for the

overall IT security market.

Figure 144: Endpoint Detection & Response Market Will Likely See Growth ~17x

Greater than Endpoint Protection Market

EDR vs. EPP Revenue

Source: Gartner, Credit Suisse estimates.

In consideration of not only the magnitude and increasing sophistication of security threats

that enterprises face, but also the ongoing systemic migration of enterprise network

infrastructures to managed cloud services, we believe that allocation of enterprise security

spending will continue to see an increasingly dramatic shift toward endpoint detection,

monitoring, and diagnosis and away from prevention-based systems.

0%

20%

40%

60%

80%

100%

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Time to Compromise Time to Discover

3,166 3,249 3,333 3,420 3,509 3,600

238 640 797 9931,236

1,540

0

1,000

2,000

3,000

4,000

5,000

6,000

2015 2016 2017 2018 2019 2020

EPP

EDR

5 September 2017

Cybersecurity 86

Firewall Stocks

Relative Exposure to Sector Headwinds Ratings Driven by Negative Category View

Given our negative category view is a significant driver of our stock ratings, PANW

(Underperform, TP:$125, 14% downside), FTNT (Underperform, TP:$33, 14% downside),

CHKP (Neutral, TP:$110, 1% downside), we have attempted to contextualize the exposure

to each headwind that results in heterogeneous risk.

This analysis highlights the differentiated exposure to each risk factor. On an aggregated

basis, we believe Check Point to be the best positioned, and Fortinet the worst, to deal

with the sector headwinds we have discussed.



Explanation of Rankings

Network Architectural Shift

Figure 146: CHKP Best Positioned, FTNT


Check Point has the most substantial firepower (we estimate ~$10bn vs PANW with

~$5bn and FTNT ~$4bn), and therefore the path of least resistance to acquire their way

into the future. It is followed by PANW, with the second most transformative firepower, and

a convincing forward-leaning product suite (VM-Series, Global Connect, etc.). FTNT is, in

our view, the most exposed given its historical competitive advantage generation via

hardware.


CHKP PANW FTNT

Architectural Shift to Cloud ◔ ◑ ◕Cisco increasingly competitive ○ ◕ ◑Juniper has little share left to give ○ ● ◔Cloud transitionary headwinds ◔ ◑ ◑TAM expansion ◑ ◑ ●Competition in the mid market ◑ ○ ●Carrier Exposure ◔ ◑ ●Total ◔ ◑ ◕



CHKP PANW FTNT



5 September 2017

Cybersecurity 87

Cisco Increasingly Competitive

Figure 147: CHKP Best Positioned, PANW Most Exposed


Cisco has been explicit about its intentions to compete for refreshing customers. Given

management expects imminent refresh cycles at PANW and FTNT, we therefore see

these names as the most exposed on a relative basis. PANW's refreshed product is

expected to account for more than FTNT in our model; we thus rank PANW as the most

exposed.

Check Point's maturity results both in a more linear refresh, as well as greater salesforce

experience with competitive defenses. Therefore, we believe them to be the least exposed

to Cisco's investments in its security portfolio.

Juniper Has Little Share Left to Give

Figure 148: PANW Highly Exposed, FTNT and CHKP Well Positioned


PANW has derived roughly much of its growth via share gain, and we therefore think that

Juniper's lack of share left to donate is likely a disproportionate negative for PANW. Given

CHKP derives less of its growth from share gain than we believe the younger FTNT to do,

we see CHKP the least exposed to this risk.

Cloud Transitionary Headwinds

Figure 149: PANW and FTNT Equally Exposed, CHKP Well Positioned


While we recognize to some extent each name is equally exposed to this risk, we believe

CHKP to be the best positioned to weather a transition for the following reasons: (1) this is

not CHKP's first rodeo, as it has weathered a software to hardware in the past; (2) top-line

consensus growth expectations are lowest for Check Point at ~7% NTM y/y growth vs

PANW at ~20% and FTNT at ~15%; and (3) CHKP has shown great price discipline in the

past, most notably when PANW aggressively entered the market in the early 2010s.


CHKP PANW FTNT




CHKP PANW FTNT




CHKP PANW FTNT



5 September 2017

Cybersecurity 88

TAM Expansion

Figure 150: CHKP & PANW Least Exposed, FTNT Most Exposed


Again, somewhat of a homogenous risk; each incumbent has greatly expanded the

security pain points they address, and therefore it becomes incrementally harder to move

the TAM needle. However, we believe FTNT to have the most complete product suite with

its security fabric offering. While a clear positive historically, we believe it will make it

incrementally harder for FTNT to move the needle on its own TAM.

Competition in the Mid-Market

Figure 151: PANW Least Exposed, FTNT Most Exposed


The mid-market is highly competitive and saturated. We therefore rank exposure to this

risk simply as a function of exposure. PANW has principally enterprise customers, while

FTNT reports ~70% of billings to be derived from the entry-level and mid-range segments.

IDC data corroborate this, showing FTNT to have 56% exposure to the volume market vs

CHKP at 27% and PANW at only 14%. Comparing this against IDC data for high-end

deployments where FTNT has only 20% while PANW and CHKP have 59% and 53%,

respectively, informs our ranking.

Carrier Exposure

Figure 152: FTNT Highly Exposed to Carrier Customers


While historically a positive, we now view carrier exposure as a risk due to the higher

speed of virtualization of carrier customers. As above, we rank this simply based on our

view of percent of billings derived from carrier customers. FTNT has ~20% and is known

as the leader in this vertical. While neither PANW nor CHKP report their carrier exposure,

we view CHKP's installed base to be more diversified and therefore less exposed to carrier

virtualization relative to PANW.


CHKP PANW FTNT




CHKP PANW FTNT




CHKP PANW FTNT



5 September 2017

Cybersecurity 89

Relative Valuation Substantial Nuance in Firewall Valuation

Broad conclusions from our valuation work are as follows:

■ PANW Looks Misleadingly Cheap: On EV/uFCF, both Palo Alto Networks and

Fortinet appear inexpensive. Given higher relative growth expectations for PANW &

FTNT, the fact they trade in-line with CHKP is optically attractive. However, adjusting

out SBC (broadly accounting for the fact some cash would have had to have paid in

lieu of stock to retain talent) and adjusting for LT deferred revenue change (as yet un-

earned, and therefore expenses unpaid, revenue) shows PANW and FTNT to be much

more expensive than CHKP.

■ Only CHKP Trades on an Earnings Multiple: Looking at income statement multiples,

particularly non-GAAP P/E, reveals only CHKP to be trading within a reasonable range

on P/E, while both PANW and CHKP trade on revenues and cash flows. While we

appreciate higher growth expectations beget growth valuations, on a metric-specific

growth-adjusted basis, CHKP looks expensive and in-line on revenue growth.

■ Recurring Revenues Favor Fortinet: Fortinet is attractive on a recurring revenue

basis. While we think of recurring revenue multiples as more reflective of floor value

than intrinsic value; nonetheless recurring revenues provide more support to FTNT

than either PANW or CHKP. But some of this is discount is to be expected given its

greater mix of typically-higher-churn SMB customers.



Figure 154: Growth Rates Used in Adjusted Valuation (2Y CAGR)





EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x





EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x



GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x


CHKP PANW FTNT

Growth

2Y CAGR TTM-NTM FY18-FY17 2Y CAGR TTM-NTM FY18-FY17 2Y CAGR TTM-NTM FY18-FY17

uFCF 9% 9% 6% 18% 15% 31% 28% 29% 42%

Revenue 7% 7% 7% 21% 21% 18% 14% 14% 11%

Operating Income 6% 6% 7% 27% 27% 28% 23% 9% 22%

Non-GAAP EPS 9% 7% 9% 27% 22% 23% 22% 7% 17%

GAAP EPS 9% 6% 9% -32% -45% -40% 85% 13% 26%

Recurring Revenue 10% 10% 9% 32% 31% 26% 20% 21% 16%

CHKP PANW Fortinet

5 September 2017

Cybersecurity 90

Figure 155: Valuation Matrix Adjusted for Metric Specific 2Y CAGR


Figure 156: Valuation Matrix Adjusted for Top-Line 2Y CAGR


Growth adjusted (metric specific)



EV/UFCF 1.75 1.70 0.77 0.67 0.44 0.41

EV/UFCF Adjusted for SBC 1.92 1.87 2.12 1.69 0.69 0.65

EV/UFCF Adjusted for LT Deferred 1.84 1.81 1.19 0.95 0.60 0.55

EV/UFCF Adjusted for SBC & LT Deferred 2.04 2.00 n/a n/a 1.21 1.07


EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22

EV/Non-GAAP Operating Income 2.32 2.24 0.94 0.83 0.87 0.76

Non-GAAP P/E 2.19 2.09 1.65 1.48 1.75 1.57

GAAP P/E 2.45 2.33 n/a n/a 1.09 0.87

EV/Recurring Revenue 1.10 1.06 0.26 0.23 0.25 0.24

CHKP PANW FTNT

Growth adjusted (revenue growth)



EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82





EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22


Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49

GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32


CHKP PANW FTNT

5 September 2017

Cybersecurity 91

Relative HOLT® Perspective

HOLT Is Reflective of Our Views on Quality and SBC

Reflecting our fundamental view that Check Point is a high-quality wealth creator, in HOLT

it has succeeded in maintaining >15% CFROI® for ten years and has actually increased

returns from its 2013-14 nadir, which incidentally coincided with PANW's entry to the

market.

Figure 157: Check Point Has Maintained High and Stable Returns on Capital

(CFROI®); Adjusting Out SBC Has a de Minimis Impact on Returns and Forecast

Check Point HOLT CFROI profile

Source: HOLT, Credit Suisse Research.

Returns are materially lower for FTNT, and worst for PANW, although when adjusting

CFROI to exclude stock-based compensation (approximating non-GAAP), they are more

comparable (10% vs 7.4% LFY for CHKP and PANW, respectively).

Figure 158: Fortinet Has Seen Depressed Returns

on Capital in Recent Years as It Has Sacrificed

Margin for Investment in Sales and Marketing

Figure 159: Including SBC Palo Alto Networks Is Not

a Positive Spread Business; ex-SBC Returns in

FY16 Were ~7.5%...

Fortinet HOLT CFROI profile Palo Alto Networks HOLT CFROI profile

Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

The gap between returns on capital with, and without, accounting for stock-based

compensation expense has been broadening materially for FTNT, and even more so for

PANW over the last several years. This corroborates the conclusions of our

relative-adjusted multiple-based valuation method, which also depicts PANW as less

attractive than FTNT on UFCF ex SBC and FTNT in turn to be less attractive than CHKP.

(5 )

0

5

10

15

20

25

2007 2009 2011 2013 2015 2017

CFROI Forecast CFROI CFROI adjusted to exclude SBC

(5 )

0

5

10

15

20

25

2007 2009 2011 2013 2015 2017

CFROI

Forecast CFROI

CFROI adjusted to exclude SBC

(5 )

0

5

10

15

20

25

2007 2009 2011 2013 2015 2017

CFROI

Forecast CFROI


5 September 2017

Cybersecurity 92

Figure 160: The CFROI Spread Inclusive and Exclusive of SBC Shows the

Impact on PANW, Then FTNT's Returns to Be the Most Penal; CHKP's CFROI®

Exhibits Limited Sensitivity to Its Stock-Based Compensation Expense

Spread between HOLT CFROI including, and excluding Stock Based Compensation expense


Implied Expectations Are Highest for PANW on a Relative Basis

Check Point has the lowest market-implied expectations (the Green dot, based on a

reverse DCF, shows the future level of returns required to validate today's price) relative to

FY2 CFROI (Pink bars: CFROI as implied by IBES consensus expectations).

However, while embedded expectations appear conservative at 18% market-implied

returns vs 22% FY2 CFROI forecast, on an absolute basis, they remain substantially

above market expectations for FTNT and PANW (at 8.5% and 10%, respectively).

In addition, the market expects CHKP to sustain high returns for a long period. CHKP has

sustained high and stable returns for a sufficient period to be awarded an eCAP, and an

eCAP is rewarded by lengthening the fade window to ten years (reflective of high-quality

companies tending to be more successful at generating excess returns for longer), thus

expectations for returns on capital in excess of 18% are embedded through 2026.

Figure 161: Check Point Has Maintained High Relative Returns on Capital, and

the Market Is Pricing for These Returns to Sustain over a Ten-Year Time

Horizon

Check Point returns on capital (CFROI) & Discount rate (%)


Embedded expectations for FTNT imply a recovery in CFROI to 8.5% in 2021 from 5.2%

in 2016. This improvement is consistent with 2014 CFROI levels and suggests the market

is comfortable with the margin improvement guidance from management following

investment in sales capacity and marketing over the past several years having depressed

margins.

0%

2%

4%

6%

8%

2007 2009 2010 2012 2013 2014 2016

CHKP PANW FTNT

(5 )

0

5

10

15

20

25

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020

CFROI

Forecast CFROI

Discount rate

Historical median

Market impliedCFROI

2026

5 September 2017

Cybersecurity 93

Figure 162: The Market Is Pricing CFROI® to Improve to 2014 Levels

Fortinet returns on capital (CFROI) & Discount rate (%)


PANW has the highest embedded market expectations of its peers, with an implied

recovery from sub-discount rate returns in 2016 to 10% CFROI in 2021. Interestingly the

market implied is equivalent to CFROI adjusted to exclude SBC in the forecast years,

suggesting the market appears somewhat prepared to look-through high levels of stock

based compensation expense at PANW.

Figure 163: Market Implied CFROI Calls for PANW CFROI Improvement to as Yet

Unachieved Levels

Palo Alto returns on capital (CFROI) & Discount rate (%)


Sales Growth Expectations Are Highest for PANW

We sense check our belief that top-line growth expectations are the highest for PANW in

our valuation scenarios (included individually in the following company reports). Through

margin improvement driven scenarios, we can derive a long-term sales CAGR required to

justify the current share price.

Via simplistic margin scenarios, it becomes clear that, even when credited with unlikely

margin improvement, PANW's top-line growth expectations (in this case, >10% CAGR to

2026) are in excess of FTNT's (7.3%) and greatly in excess of CHKP (4.2%).

(5 )

0

5

10

15

20

25

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021

CFROI

Forecast CFROI

Discount rate

Historical median

Market impliedCFROI

(5 )

0

5

10

15

20

25

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021

CFROI

Forecast CFROI

Discount rate

Historical median

Market impliedCFROI

5 September 2017

Cybersecurity 94

Figure 164: Assuming Stable Margins, the Market

Embeds a Long-Term Sales CAGR of 4% to Achieve

CHKP's Current Share Price

Figure 165: Should Margins Rise to the Historical

Peak, the Market Embeds a Long-Term Sales CAGR

of 7.3% to Achieve FTNT's Current Share Price

CHKP: Operating projections implied by current price: $111 per share FTNT: Operating projections implied by current price: $38 per share


Figure 166: Assuming Margins Rise from Consensus Levels of (15%) to FTNT’s

Peak of 22%, PANW’s Current Price of $131 Implies a Sales CAGR of 11% over

the Next Ten Years

PANW: Operating projections implied by current price: $146 per share


Sales, Margins, and SBC

CHKP’s high returns are driven by high and stable margins vs. FTNT and PANW. PANW’s

stock option expense has increased dramatically in the past years.

49.9 49.9

0

20

40

60

1996 2000 2004 2008 2012 2016 2020 2024Historical margins Forecast

Margins w/o SBC

7.75.0

(10)

0

10

20

30

1996 2000 2004 2008 2012 2016 2020 2024

Historical growth Forecast

Assumed long term

margins of 50%1

Solved for the long

term sales CAGR

required to get to

current price of $111

2

Consensus

Consensus

16.9

8.0

(10)

0

10

20

30

2007 2011 2015 2019 2023


9.5

21.5

0

8

16

24

32

2007 2011 2015 2019 2023Historical margins Forecast

Margins w/o SBC

Assumed long term

margins to rise from

9.5% to historical

peak of 21.5%

1

Solved for the long

term sales CAGR

required to get to

current price of $38

2

Consensus

Consensus

26.2

11.8

0

20

40

60

80

2007 2011 2015 2019 2023


(14.6)

21.5

(20)

(10)

0

10

20

30

2007 2011 2015 2019 2023

Historical margins Forecast Margins w/o SBC

Assumed long term margins

to rise from -14.6% to

21.5% based on historical

peak of FTNT

1

Solved for the long term

sales CAGR required to get

to current price of $146

2

Consensus

Consensus

5 September 2017

Cybersecurity 95

Figure 167: Sales, Margins, and Stock-Based Compensation Expense as a % of Sales


What Is HOLT?

The HOLT methodology uses a proprietary performance measure known as Cash Flow

Return on Investment (CFROI®). This is an approximation of the economic return, or an

estimate of the average real internal rate of return, earned by a firm on the portfolio of

projects that constitute its operating assets.

A firm's CFROI can be compared directly with its real cost of capital (the investors' real

discount rate) to see if the firm is creating economic wealth. By removing accounting and

inflation distortions, the CFROI allows for global comparability across sectors, regions, and

time and is also a more comprehensive metric than the traditional ROIC and ROE.

63 3 3 4 6 7 8 9 10

0

10

20

30

2007 2010 2013 2016

Sales growth (%)

EBITDA margins (%)

FTNT PANWCHKP

(20 )

0

20

40

60

2007 2010 2013 2016

0

20

40

60

2007 2010 2013 2016

(20 )

0

20

40

60

2007 2010 2013 2016

EBITDA margins

Historical median

EBITDA margins w/o SBC

0

20

40

60

2007 2010 2013 2016

(20 )

0

20

40

60

2007 2010 2013 2016

0

20

40

60

2007 2010 2013 2016

Sales growth Historical CAGR

Stock option expense as % of sales

0 0 0 24 5

11

17

2429

0

10

20

30

2007 2010 2013 2016

5 4 3 3 3 3 4 4 5 5

0

10

20

30

2007 2010 2013 2016

SBC as % of sales Historical median

5 September 2017

Cybersecurity 96

Figure 168: How to Read a HOLT CFROI® Chart

Source: Credit Suisse HOLT.

Long-term level of returns

on capital required to

validate today’s

market value

Country market implied

discount rate adjusted for

company’s leverage and size

T+1 and T+2 returns on

capital forecasts based on

IBES consensus estimates

Adjusted historical returns on

capital based on HOLTs

proprietary framework

Market implied CFROI

CFROI Forecast

Historical CFROI

Market derived

discount rate

1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

Superior performance metric Market-calibrated valuationMarket Derived Discount Rate

CFROICash flows

Capital investment

Future value

Total Market

Value

=

(1 + DR)

Solve

Forecast

FCF

Forecast

CFROI is a cash-based return on capital metric that improves comparability of corporate performance across companies, geographies and time

Forecasted FCF calibrated to current

market values through observed, market implied discount rate

Calibrate future CFROI and growth rates embedded in the current stock price

The HOLT discount rate is forward-looking, derived from observed market valuation, and accurately reflects current investors’ risk appetite

Discount

rateFuture performance implied by

today’s stock price

Historical

returns

Competitive Lifecycle & fade

Empirically derived terminal value recognises competitive life-cycle of returns and growth (mean reverting fade concept)

Cumulative probability approximates

the likelihood of achieving future returns given the past return profile

Fading Turnaround?Mature

CFROI

Reinvestment

Growth

Discount

rate

5 September 2017

Cybersecurity 97

Stock Calls Palo Alto Networks: Lost in Palodise

Americas/United States Software

Palo Alto Networks, Inc. (PANW) Rating UNDERPERFORM Price (01-Sep-17, US$) 146.67 Target price (US$) 125.00 52-week price range (US$) 164.15 - 108.01 Market cap(US$ m) 13,468 Target price is for 12 months.

Research Analysts

Brad A Zelnick

212 325-6118

[email protected]

Jobin Mathew

212 325 9676

[email protected]


212 538 1428

[email protected]

Lost in Palodise

Initiating Coverage with Underperform Rating and $125 Target Price

Despite being one of the most disruptive innovators in the security industry, we

believe investors are overly optimistic in Palo Alto Networks’ ability to sustain

over 2x market growth rates. We truly believe this is a great company with great

management, but not a great stock at current levels.

■ What Comes After the Perfect Storm? Past performance is no indicator of

future success. The market view that PANW continues to outpace market

growth by a factor of 2x is overly sanguine, in our view. We believe PANW’s

past outperformance was the result of a perfect storm of tailwinds that are

now subsiding and believe the current product cycle, while technologically

compelling, remains a source of disruption for longer than many anticipate.

■ Competitive Refresh Cycle: We believe a refresh cycle is indeed coming,

but may be less impactful than many anticipate. PANW's refresh is an

opportunity that invites competition at a time when products in the category

are less differentiated than ever. Meeting Street expectations relies on

defense as much as offense for the first time in PANW’s history.

■ Structural Limitations: Cloud mania is not just an issue for firewall

companies because of a ratable revenue transition, in our view. We believe

the entire category will face pressures of disaggregation as well as an

architectural shift that relies far less on perimeter-based security.

■ Valuation: Our $125 target price is based on our DCF analysis, which

assumes an 7.3% FCF CAGR over the next 10 years. While seemingly

inexpensive on FCF multiples, adjusting for stock comp expense and long-

term deferred revenues tells a completely different story. If we instead

consider simple P/E (CY2018), PANW trades at ~40x vs. CHKP at ~20x and

FTNT at ~35x. Upside risks to our target price include better unattached

subscription growth including cloud/virtual and endpoint adoption and a more

powerful refresh cycle.

Share price performance

On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55

Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$145.18

Quarterly EPS Q1 Q2 Q3 Q4 2017A 0.55 0.63 0.61 0.92 2018E 0.68 0.80 0.84 1.00 2019E 0.88 0.99 0.97 1.25

Financial and valuation metrics

Year 7/16A 7/17A 7/18E 7/19E NON-GAAP EPS (CS adj., ) 1.89 2.71 3.29 4.09 Prev. EPS (CS adj., US$) P/E (CS adj.) (x) 77.5 54.1 44.6 35.9 P/E rel. (CS adj., %) - 256 234 209 Revenue (US$ m) 1,379 1,762 2,129 2,485 Non-GAAP Operating Income (US$ m)

271 355 451 570 Net Debt (US$ m) -1,438 -1,640 -2,029 -2,531 Unlevered Free Cash Flow (US$)

610 732 844 958 P/uFCF (x) 24.1 20.0 17.4 15.3

Number of shares (m) 91.82 Price/Sales (x) 7.66 Net debt (Next Qtr., US$ m) -1,692.6 Dividend (current, US$) - Dividend yield (%) - Source: Company data, Thomson Reuters, Credit Suisse estimates

5 September 2017

Cybersecurity 98

Palo Alto Networks, Inc. (PANW)

Price (01 Sep 2017): US$146.67; Rating: UNDERPERFORM; Target Price: US$125.00; Analyst: Brad Zelnick

Income Statement 7/16A 7/17A 7/18E 7/19E

Revenue (US$ m) 1,378.5 1,761.6 2,129.0 2,484.6 EBITDA 313.6 414.5 520.3 651.3 Operating profit 270.8 354.7 451.2 569.8 Recurring profit 278.8 367.3 463.8 586.5

Cash Flow 7/16A 7/17A 7/18E 7/19E

Cash flow from operations 659 871 922 1,056 CAPEX (73) (163) (100) (120) Free cashflow to the firm 586 708 822 936 Cash flow from investments (339) (473) (149) (132) Net share issue(/repurchase) 45 (365) (385) (385) Dividends paid 0 0 0 0 Issuance (retirement) of debt 0 0 0 0 Other (255) 189 2 (37) Cashflow from financing activities (209) (176) (383) (422) Effect of exchange rates 0 0 0 0 Changes in Net Cash/Debt 110 201 390 501 Net debt at end (1,438) (1,640) (2,029) (2,531)

Balance Sheet ($US) 7/16A 7/17A 7/18E 7/19E

Assets Other current assets 691 800 853 893 Total current assets 1,774 1,976 2,522 3,130 Total assets 2,858 3,438 4,176 5,035 Liabilities Short-term debt 0 0 0 0 Total current liabilities 847 1,201 1,471 1,770 Long-term debt 0 0 0 0 Total liabilities 1,963 2,679 3,276 3,845 Shareholder equity 895 760 900 1,189 Total liabilities and equity 2,858 3,438 4,176 5,035 Net debt (1,438) (1,640) (2,029) (2,531)

Per share 7/16A 7/17A 7/18E 7/19E

No. of shares (wtd avg) 91 93 97 99 CS adj. EPS 1.89 2.71 3.29 4.09 Prev. EPS (US$) Dividend (US$) 0.00 0.00 0.00 0.00 Free cash flow per share 6.42 7.58 8.45 9.45

Earnings 7/16A 7/17A 7/18E 7/19E

Sales growth (%) 48.5 27.8 20.9 16.7 EBIT growth (%) 80.5 31.0 27.2 26.3 Net profit growth (%) 84.1 46.6 26.3 26.5 EPS growth (%) 76.1 43.4 21.3 24.2 EBIT margin (%) 19.6 20.1 21.2 22.9

Valuation 7/16A 7/17A 7/18E 7/19E

EV/Sales (x) 8.73 6.71 5.37 4.40 EV/EBIT (x) 44.4 33.3 25.4 19.2 P/E (x) 77.5 54.1 44.6 35.9


Company Background

Palo Alto Networks is a leading provider of enterprise security. Core expertise in advanced firewalls that have advanced granular control over activity based on application and on user context have been extended to a platform NGFW approach.

Blue/Grey Sky Scenario

Our Blue Sky Scenario (US$) 168.00

Our Blue Sky scenario assumes a strong refresh cycle and upgrades driven by recent software innovation as well as continued success in growing the attached and non-attached subscription businesses.

Our Grey Sky Scenario (US$) 113.00

Our Grey sky scenario assumes high levels of competition on the refresh, in addition to pricing challenges and demand pauses against a backdrop of declining firewall relevance.



Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$145.18

Source: Company data, Thomson Reuters, Credit Suisse estimates

5 September 2017

Cybersecurity 99

PANW: Our Take on the Key Debates


Despite being one of the most disruptive innovators of the security industry, we believe

investors are overly optimistic regarding Palo Alto Networks’ ability to sustain above-

market top-line growth rates. We believe this is a great company with great management

but not a great stock at current levels.

Key Debates:

■ How Long Can PANW Outgrow the Market? At present, consensus expectations call for

PANW to outgrow the firewall market by a factor of 2x. Can this be sustained at scale?

■ How Big of a Growth Driver Can Subscription & Support Be? With a compelling

platform strategy, subscription is an important revenue driver. As share gains contribute

less at scale, how large is the attached and unattached subscription opportunity?

■ How Material Is the Refresh Opportunity? Management guidance and model

mechanics point toward a refresh opportunity in 2H17 and FY18. We think sizing this

opportunity is an important debate for investors.

Our Takes:

■ Growth Expectations Are Too Optimistic: Past performance isn’t an indicator of future

success. We think PANW enjoyed a perfect storm of tailwinds as it grew; now these

tailwinds are abating, or becoming headwinds. In addition, PANW appears highly exposed

to the sector headwinds (architectural and otherwise) we believe face firewall incumbents.

■ Remaining Subscription Headroom Unclear: Attached products (e.g., Global Protect,

WildFire) appear highly penetrated, but there remains headroom for unattached. However,

we think subscription is largely tied to physical box sales, and unattached is too small to

move the needle.

■ The Refresh Cycle Is Less Supportive than Some Presume: We think the refresh cycle

is potentially less of a support (20-30% vs 50% of product) than some in the market

believe and believe a bull case constructed off the refresh dynamic to be overly optimistic.

Risks to Our Takes:

■ Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity

and has showed willingness to deploy it in a transformational manner when reportedly

bidding upward of $3 billion for Tanium in fall 2015.

■ Strength and Resilience of Financial Model: The overall execution of the transition to a

subscription-based model may prove more successful than anticipated and could provide

access to the >$8 billion CLTV expansion opportunity that management estimates.

■ Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could

become a potential target for a strategic buyer seeking to consolidate the market.

Estimates:


consensus at 22%/19% and EPS of $3.29/$4.09 vs the Street at $3.30/$4.12.

■ Cash Flow: We forecast 7.3% FCF 10 year FCF CAGR through 2027E.

■ Refresh Cycle: We model a ~5.5 year refresh cycle.

Valuation: ■ DCF: Our $125 target price is based on our DCF analysis, implying 14% downside and

11x EV/uFCF (CY2019) vs CHKP at 14.5x and FTNT at 11.5x.

5 September 2017

Cybersecurity 100

Key Charts

Figure 169: PANW Benefited from a Perfect Storm of

Factors and Has Taken Substantial Market Share…

Figure 170: ...The Market Expects PANW Billings to

Continue to Outgrow Competitors and the Market …

Source: IDC, Credit Suisse Research. Source: Factset, Credit Suisse Research.

Figure 171: …However, Management Guidance

Implies Its Refresh Cycle Has Lengthened…

Figure 172: …Refresh Cycle and Rate Assumptions

Sensitivity Show Diminished Refresh Opportunity…

Source: Company Management, Credit Suisse Research. Source: Credit Suisse Research.

Figure 173: …The Tailwind from Support Is

Challenging to Increase at the Same Rate… Figure 174: …with Valuation Highest (Adj. for SBC)


0%

20%

40%

60%

80%

2002 2006 2010 2014

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper

0%

10%

20%

30%

40%

50%

60%

70%

80%


PANW CHKP FTNT

2

3

4

5

6

7

8

2013 2014 2015 2016 2017 2017


Midpoint


80% 85% 90% 95% 100%

4.038% 40% 42% 45% 47%

4.531% 33% 35% 37% 39%

5.027% 29% 30% 32% 34%

5.523% 25% 26% 28% 29%

6.019% 21% 22% 23% 24%

6.515% 16% 17% 17% 18%

7.09% 10% 11% 11% 12%

Ave

rage

Ref

resh

(y)

30%

35%

40%

45%

50%

2008 2009 2010 2012 2013 2015 2016

FTNT PANW CHKP

14.9x12.2x 13.8x

16.4x 17.4x

37.8x

0x

10x

20x

30x

40x

CHKP FTNT PANW

EV/UFCF, NTM


5 September 2017

Cybersecurity 101

Key Debates

■ How Long Can PANW Outgrow the Market?

Past performance is no indicator of future success. We believe the conventional logic that

Palo Alto Networks will continue to outgrow its competitors, and the market, for years to

come is overly sanguine.

Figure 175: PANW Consensus Estimates Imply it will Continue to Outgrow the

Firewall Market By a Factor of 2x...

US$ in millions, unless otherwise stated

Source: Company data, Thomson Reuters Datastream, Gartner, Credit Suisse research.

Figure 176: Company Messaging at Ignite 2016 Implies Long-Term Growth in

Excess of the Market

Source: Palo Alto Networks, Ignite 2016, Credit Suisse Research.

In our view, past outperformance of market growth is a function of a perfect storm of

positive factors, including (but not limited to):

− Surge in Industry Spending: Landmark breaches such as the Target credit card

hack (2013), Sony Pictures (2014), Ashley Madison (2015), and the Office of

Personnel Management (2015) drove a broad-based enterprise re-evaluation of

security posture. The benefits of the resulting increase in spending and accelerated

refresh accrued disproportionately, we think, to Palo Alto.

− Disruptive Message and Products: PANW got its proverbial foot in the door at

many enterprises due to the truly disruptive nature of its granular application control

capabilities. It then proceeded to expand its landing with an inspired platform vision,

very effectively messaged through the enticing narrative of Next-Generation

Firewall (NGFW) and single-pass architecture.

$9bn

$11bn$12bn

$12bn$13bn

0%

20%

40%

60%

$bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

$14bn

2016 2017E 2018E 2019E 2020E

PANW Revenue PANW y/y change (%) Firewall Market (Gartner)

Revenue growth >30%

High growth

20% - 30%

Growth

>Market

Long Term

5 September 2017

Cybersecurity 102

− Share Donation: As we have discussed at length, weak product offerings from

Juniper and Cisco left swathes of exposed brownfield opportunity. In addition, other

more competitive vendors (CHKP and FTNT) lacked the platform vision that PANW

leveraged to its success.

− Size Benefits: Small scale translated into a greater degree of nimbleness than the

large incumbents and endowed PANW with an ability to drive growth via expansion

into new channels, geographies, and product categories.

− Recurring Revenue Growth: PANW has been the ultimate aggregation play in

network security and security software more broadly. The consolidation of multiple

adjacencies into a single-platform approach created extraordinary value for

customers and generated shareholder value by propelling an ever increasing and

highly recurring subscription and support stream.

Figure 177: Palo Alto Networks Has Outgrown the Market and Taken Substantial

Share Since Its Entry in Late 2009

Revenue market share, Firewall and UTM,


We expect the majority of these tailwinds are now subsiding. Taking each in turn:

− Industry Spending: We still consider security spend to be an area of secular

growth, but while in 2014-15 accelerating spend coalesced around the network, we

now perceive the focus to be shifting toward areas more relevant in a cloud-first

architecture: identity, cloud based proxy, micro segmentation, etc.

− Product Convergence: While Palo Alto appliances remain undeniably of

exceptional quality, the competitive gap has materially closed in recent years.

Anecdotal evidence from our field conversations reflects the convergence evident

on Gartner's magic quadrant. Gartner’s statement that 'all vendors [now have]…

NGFWs… in essence there is no longer a 'next generation' in the firewall market'

(Enterprise Network Firewall Magic Quadrant 2017, Gartner) tempers the gravitas

of PANW's NGFW distinction.

0%

10%

20%

30%

40%

50%

60%

70%

80%

2002 2004 2006 2008 2010 2012 2014 2016

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper

5 September 2017

Cybersecurity 103

Figure 178: PANW Remains an Unequivocal Leader, but Has Lost Some

Momentum While Others Have Gained



− Share Donation Reversal: Instead of easy brownfield wins, Palo Alto now faces its

first refresh cycle at scale as defender, not aggressor. We think this defense is

going to be made more challenging as a result of (1) product convergence, (2)

Cisco's focus on competing for share, and (3) execution risk inherent in PANW

weathering its first refresh cycle.

− Victim of Success: Each year PANW grows in scale, the more difficult it becomes

to maintain the same growth in the next. Now that Palo is greater in scale than any

of its pure-play peers, second only to Cisco, we believe that to maintain 20%-plus

growth, competitive share gain as a vehicle is limited; it requires PANW to grow the

category itself.

− How Much Attach Headroom Is Left? PANW has been extraordinarily successful

at growing the subscription and support segment of its business. Although partly a

function of an upward trend in support rate, it is primarily driven by subscription

attach. The addition of unattached subscriptions (Traps, AutoFocus, Aperture, and

VM-Series) in particular drove combined services as a percentage of thru-refresh

cycle (5y trailing) product from sub-40% in 2012 to just under 52% as of the last

print. We applaud its success here but wonder how much headroom remains.

PANW

5 September 2017

Cybersecurity 104

Figure 179: PANW Has Two Options to Continue to

Outgrow the Market: Take Share, or Grow the Market

Figure 180: PANW Has Attached more Rapidly and

to a Greater Extent than Competitors

2017E revenue (CSCO and FTNT are Security revenue), y/y growth 5 year through cycle attach rates. Annualized subscription and support as a percentage of 5 year trailing product


Ultimately, given some of the tailwinds that have helped Palo Alto Networks achieve such

extraordinary success appear to be abating, or have already turned, we find ourselves

somewhat more cautious on PANW's ability to meet growth expectations.

■ To What Extent Will the Refresh Cycle Be a Tailwind?

It has long been a cornerstone of the PANW bull case that a refresh cycle is nigh. Upon

arrival, the refresh will bring many positives, particularly less dependence on net new

business to drive product growth and up-sell opportunities on the refresh sale.

Contrary to conventional refresh cycle wisdom, we perceive risk to the construction of a

bull case upon an unequivocally positive view of the internal refresh opportunity. Not only

do we contend a refresh cycle doesn't de-risk the product revenue line as much as the

market might think, but also we see several other question marks:

− Trade-Down Effect: Refresh cycle bulls assume PANW customers will renew,

upgrade, and attach at high rates; in the context of other factors, we think there is

risk to these assumptions.

− Competition: Palo's refresh is Cisco's opportunity; it has said as much, and we

think its scale now means meeting Street expectations relies upon defense as

much as offense for the first time in PANW's history.

− Execution Risk: This represents PANW's first refresh, and thus requires a different

playbook. Despite our confidence in the execution ability of an exceptional

management team, we perceive a level of residual execution risk as PANW enters

this refresh.

The Refresh of Yore Cycle Is Nigh…

Management has communicated strongly that it expects a refresh cycle affecting H2 fiscal

2017 and FY2018. CFO Steffen Tomlinson said in late 2016 '… we look at the refresh

cycles that are intended to happen in the second half of the fiscal year', adding in June

2017 that '… into '18 the refresh would be building in significance and momentum.'

We recognize there is some history around refresh cycle anticipation; in late 2013, CEO

Mark McLaughlin explained that although it's hard to come by hard data 'around the

$2.3bn

$1.9bn $1.9bn

$1.5bn

$0.3bn

5%

23%

8%

17%

-10%-15%

0%

15%

30%

45%

60%

-500

0

500

1,000

1,500

2,000

2,500

CSCO PANW CHKP FTNT JNPR

CY17 Revenues

Growth

30%

35%

40%

45%

50%

2008 2009 2010 2012 2013 2015 2016

FTNT PANW CHKP

5 September 2017

Cybersecurity 105

refresh cycles [he'd] heard a number of anecdotal points that [suggested] a big refresh

cycle … in the next 12 to 15 months.' He went on to justify this from a pipeline perspective:

‘We think we can see that from what we're seeing from a pipeline perspective, close rates.

I mean, it all points that direction that there is a big refresh cycle in front of us.’

– Mark D. McLaughlin, CEO, November 25th 2013

While investors have before been disappointed by guided refresh cycles failing to

materialize, this time we recognize may be different. There is an organic mechanical

element given the sheer size of Palo's FY2010-13 cohort (~12,000 net customer additions).

In addition, there is also an inorganic inducement element given Palo's February launch of

PAN-OS v.8.0 (with 70 new features), three new virtual firewalls, and new hardware

products across the performance spectrum.

It Appears the Refresh Cycle Has Lengthened

Management and market understanding of the PANW refresh dynamic's shape and

cadence have proved elusive in the past. It seems apparent to us that early cohorts of

Palo customers have not refreshed quite as rapidly as initially expected. When we

aggregate senior management commentary around the expected refresh cycle, duration

has both lengthened and widened.

CEO Mr. McLaughlin described a typical refresh cycle as between three and four years in

late 2013, implying a mid-point of 3.5 years. Progressive increases were communicated by

various executives before settling on a floor of four years (the same as the 2013 ceiling

assumption) and a ceiling of seven years, implying a mid-point around 5.5 years. We

illustrate the progression in Figure 181 and Figure 182.

Figure 181: Analysis of Palo Alto Networks

Executive's Commentary Around Refresh Cycles…

Figure 182: … Suggests Their View of Refresh Cycle

Duration Has Lengthened Significantly

Source: Thomson Reuters Eikon, Credit Suisse Research. Source: Thomson Reuters Eikon, Credit Suisse Research.

'…firewall … is characterized by first of all, a refresh cycle that is three to five years.'

- René Bonvanie, Chief Marketing Officer, March 21st 2013

'…It's hard to be mathematically exact in this, but a number of sources of the refresh that

comes up every three or four years, really big ones. We think we're at the beginning of

one of those.'

– Mark D. McLaughlin, CEO, November 25th 2013

'…if you think about the history of the Company and size or magnitude of the revenue

base of the Company and a refresh cycle generally being three to five years'

- Mark D. McLaughlin, CEO, February 24th 2014

Name Position Date Floor Ceiling

René Bonvanie CMO Mar 2013 3 5

Mark D. McLaughlin CEO Nov 2013 3 4

Mark D. McLaughlin CEO Feb 2014 3 5

Mark D. McLaughlin CEO Mar 2015 4 5

Steffan C. Tomlinson CFO May 2015 4 5

Kelsey D. Turcotte VP IR Jun 2015 3 5

René Bonvanie CMO Apr 2016 4 7

Mark D. McLaughlin CEO Nov 2016 4 6

Kathy Bonanno VP Finance Jan 2017 4 7

Mark D. McLaughlin CEO May 2017 4 7

Steffan C. Tomlinson CFO Jun 2017 4 7

Refresh cycle commentary Years

2

3

4

5

6

7

8

2013 2014 2015 2016 2017 2017


Midpoint

Illustrative

5 September 2017

Cybersecurity 106

'Refreshes generally occur [every] 4 or 5 years'. I think there was a lag on that on what

should have been the most recent refresh cycle because of the 2008 recession.'

- Mark D. McLaughlin, CEO, March 4th 2015

'… We are seeing our own customers starting to refresh in the earlier cohorts. And that's

not surprising given four- to five-year refresh cycles.'

– Steffan Tomlinson, CFO, 27th May 2015

'Firewall typically has a useful life of anywhere three, four, five years. And so that's

where this concept of refresh comes in.

- Kelsey Turcotte, VP Investor Relations, June 3rd

2015

'Device refresh occurs somewhere, in the security business, occurs somewhere between

four and seven years.'

– René Bonvanie, Chief Marketing Officer, April 4th 2016

'…It's a little hard to call those, but generally four to six years, but that seems to be the

case still.'

- Mark D. McLaughlin, CEO, November 21st 2016

'… refresh cycle being between four years to seven years with a sort of bell curve

peaking around, let's call it 5.5 years.'

- Kathy Bonanno, SVP Finance, January 10th 2017 1/10/2017

'…if you think of like 4-to 7-year average refresh cycle, somewhere in there, the big, big,

big part of our customer base is going to be in refresh cycles … we think that that's

something that should provide a tailwind for us in the go forward.

– Mark D. McLaughlin, CEO, May 31st 2017

'…customers typically run firewalls for 4-7 years kind of range, so that FY'09-FY'13

cohort is ripe for refresh … well over 10,000 customers)'

- Steffan Tomlinson, CFO, June 6th 2017

Figure 183: PANW Now Suggests an Average 5.5-Year Refresh Cycle


This Refresh Is Real

Assuming this 5.5-year refresh rate, and a (potentially conservative) 90% dollar renewal

rate on replacement hardware, we illustrate the mechanical nature of refresh in Figure 184.

LIFESPAN7 years4 years

Implies 5.5-year average

refresh cycle

5 September 2017

Cybersecurity 107

Figure 184: Assuming a 5.5-Year Refresh Rate and 90% Renewal Rate, We Can

See the Rising Impact of Refresh Product as a Percentage of the Product Line

Refreshed product as a % of our total product estimates (assuming 5.5 year refresh rate and 90% renewal rate)

Source: Palo Alto Networks, Credit Suisse Research, Credit Suisse Estimates.

Many argue, with good reason, this dynamic acts to support the product line, especially in

instances where customers can be upsold. Mechanically, the larger and larger cohorts of

2009-2013 become evident in the back half of FY17 and into FY18.

If we subtract our renewed product calculation from total product revenue to arrive at a

new product estimate, it becomes clear that consensus expectations for incremental

product are very low. This, it has been argued, is a reason to own the stock (i.e., greater

refreshing product supports product revenue, meaning new product estimates are handily

achievable). While we remain cognizant of the argument, we would argue that refresh isn’t

necessarily the support many assume.

Figure 185: Our (Somewhat Crude) Calculation of New-Product Shows

Expectations for Incremental Business are Low

New product (using consensus and assuming 5 year refresh rate and 90% renewal rate) y/y growth, %

Source: Palo Alto Networks, Credit Suisse Research, Credit Suisse Estimates.

From a mechanical perspective, the risk to refresh revenue being a true support is two-fold.

Either the refresh cycle continues to lengthen (that is, Figure 183 exhibits greater negative

skewness), or alternatively the dollar refresh rate is lower than we model.

16%

23%25%

28%

25%

31% 32%

38%

31%

2% 3% 4%5%

6% 7% 8%9%

12%

16%

23%

0%

5%

10%

15%

20%

25%

30%

35%

40%

2014 2015 2016 2017 2018

Estimated Reported

-20%

-10%

0%

10%

20%

30%

40%

50%

60%

2013 2014 2015 2016 2017 2018

Forecast New Product, y/y, %

5 September 2017

Cybersecurity 108

Figure 186: Positive vs Negative Skewness

Source: Credit Suisse research.

We are concerned the refresh cycle could lengthen due to:

− Execution Risk: Already Palo Alto Networks has experienced some level of

refresh pause due to the introduction of mandatory PAN-OS 8.0, a brand new OS

release, on all new product shipped. Large enterprises will typically wait to adopt a

new major release until a version X.1 or X.2. While bulls argue this is simply a

speed bump and that the new lineup will drive customers to refresh, we are

concerned this exemplifies the execution risk of PANW facing its first refresh at

scale.

− Trade-Down Effect: PANW products are of the utmost quality, and one of the

reasons for the increasing refresh length may be greater-than-expected product life.

A corollary of the trade-down effect we discuss below, we posit whether this has the

potential to result in continued cycle-lengthening. The disclosure in mid-2016 that

the '2009 cohort was 65% refreshed and there was dollar increase' (René Bonvanie,

Chief Marketing Officer, April 4th 2016) implies a long refresh tail.

− Architectural Shifts Delaying Decision-Making: We have noted management at

Fortinet cite service provider cloud transitions as creating a demand pause as

decisions are delayed by architectural discussions. We recognize PANW’s lower

relative exposure to the carrier market, but should this become a broader trend, we

believe it could result in further refresh lengthening.

'…the AWS/Azure piece is growing fast. And also, the traditional service provider also

starting consider offer the cloud solution now. So that may delay some of their decision

whether what kind of an architecture or infrastructure they may moving forward….'

– Ken Xie, Fortinet Chairman CEO

We are concerned dollar renewal could not be as strong as expectations:

− Competition: Cisco has explicitly stated it intends to take share from PANW upon

the refresh opportunity. We doubt it is the only incumbent who has lost share to

PANW since 2009 to have this view, and therefore expect PANW to face intense

refresh competition. This could be a headwind to customer renewals if competitors

succeed in their share attrition intentions. Given our view on trends toward product

parity, we consider this to be a greater risk than we perceive are built into the

Street's renewal assumptions.

− Execution Risk: The sales effort to defend against competitive refresh bids is not

only expensive but requires a different playbook. We believe this creates some

level of execution risk in customer retention and up-sell/cross-sell relative to a more

mature competitor, seasoned in retentive sales tactics.

5 September 2017

Cybersecurity 109

− Trade-Down Effect: Check Point is well known to have experienced a trade-down

effect in 2012 following a major product line revamp in late 2011. In the revamp, it

had tripled the performance of its boxes but left pricing comparable. This led a

portion of customers to choose lower price boxes rather than renew like-for-like.

‘the trade-down effect … because we introduced boxes at the same price level, but with 3

times the performance around this time last year. What that led to was a combination of

that macro environment, the increasing strength of the dollar on the FX side, leading to

shrinking budgets, which has resulted in folks, instead of buying the same level of box

trading down to something that was 2 times the power than the 3 times that we had

anticipated, or hoped for.’

– Kip Meintzer, VP IR, 11/07/2012

To quantify the potential impact of greater-than-expected risk to refresh rate and cycle

length, we have stress tested our model's assumptions below. We believe PANW bulls are

underwriting a scenario that assumes 40-50% of fiscal year 2018 product revenue derives

from refresh. We believe this is ambitious, as it implies a higher dollar refresh rate, shorter

average refresh cycle length, or combination of both. Every percentage point of

consensus product revenue growth not accounted for by refreshing boxes is a point of net

new product sale that must be captured.

Figure 187: If We Flex Refresh Cycle and Rate Assumptions, the New Product

Support/Tailwind from Refresh Reduces Dramatically

Percentage of FY18E new product accounted for by refreshed product

Source: Palo Alto Networks, Credit Suisse Research.

■ Services SaaS Transition as Growth Driver 2.0?

Linked but distinct, we consider the final over-arching debate in the stock to be around the

extent to which subscription growth can mature into a convincing growth engine. Palo Alto

Networks offers four attached (Wildfire, URL filtering, Threat prevention, and Global

Connect) and five unattached (Aperture, VM-Series, AutoFocus, Traps, and LightCyber)

subscription options.


80% 85% 90% 95% 100%

4.0 36% 39% 41% 43% 45%

4.5 30% 32% 34% 36% 38%

5.0 26% 28% 29% 31% 33%

5.5 22% 24% 25% 27% 28%

6.0 19% 20% 21% 22% 23%

6.5 14% 15% 16% 17% 18%

7.0 9% 10% 10% 11% 11%Ave

rage

Ref

resh

(y)

5 September 2017

Cybersecurity 110

Figure 188: PANW Product, Subscription, and Support Revenue Breakdown


Figure 189: Palo Alto Networks' Platform Offering

Offers Attached and Unattached Subscriptions…

Figure 190: … Penetration Rates Would Imply There

Remains Expansion Opportunity

Orange represents attached, blue represents unattached subscription options

Penetration rates in customer base for PANW subscriptions

Source: Palo Alto Networks, Ignite 2016. Source: Palo Alto Networks, Credit Suisse Research.

It is argued that as penetration rates of these subscriptions (particularly the unattached)

increase, there exists an >$8bn install base expansion opportunity.

Figure 191: PANW's Assessment of Its CLTV Customer Expansion Opportunity

CLTV install base expansion opportunity. Upside CLTV equals the potential value of future orders from existing install base, assuming all customers acquired between 2010 and 2015 eventually purchase 11.8x the value of their initial purchase, less their total purchases through 2015


Hardware PerpetualAttached

subscriptions

Non-attached

subscriptionsSupport

Threat Prevention Traps

URL Filtering VM-Series Support

Appliances Panorama GlobalProtect AutoFocus Professional Services

Accessories VM-Series WildFire Aperture

LightCyber*

Product Recurring subscription and support revenue

Renewals

Aperture

WildFire

Threat Prevention

URL Filtering

VM-Series

AutoFocus Traps

GlobalProtect

0%

25%

50%

75%

100%

Traps VM GlobalProtect

WildFire URLFiltering

ThreatPrevention

Q2FY15 Q2FY16 Q4FY17

8.67.2

4.2 2.71.9 1.3

11.89.3

5.6

3.73

2.11.3

FY09 FY10 FY11 FY12 FY13 FY14 FY15

FY15 FY14

>$8bn opportunity

5 September 2017

Cybersecurity 111

We understand the attraction of SaaS-esque revenue streams; mix-shifting toward

subscription results in better gross margins, better operating margins, and stronger free

cash flow generation.

Figure 192: Palo Has Increased Its Attach per

Device to 2.6, Although This Loses Some Relevance

Given Unattached Subscriptions

Figure 193: Therefore We Prefer to Look at Services

Attach Through the Refresh Cycle, Which PANW

Has Grown Ahead of Competitors

PANW reported attach per device, disclosed biannually (excludes unattached subscriptions)

5 year through cycle attach rates


Given the above, we understand the expectations around unattached subscription growth,

which has the potential to be gross margin positive. As we show in Figure 194, the mix-

shift toward subscription has been helpful in bringing up the GM from ~73% to 78% from

FY12 to FY15. We also note that in the short term, the mix-shift affects the operating

margin basis, as commissions are recognized earlier but over the long run are

incrementally beneficial. We note further room to grow these margins as the unattached

subscriptions increase their portion of revenue mix.

Figure 194: Mix Shift Driving GM Improvement… Figure 195: ..as Well as Operating Margin

Gross Margin improvement driven by mix shift Mix shift depressing near term margins, but net positive over time


Despite this, we assert that PANW is still a box-driven business, where subscription and

support upsell is only possible with continued product growth, while unattached

subscription revenue remains very small ($100mn run rate as of 1Q17).

1.51.6

1.7

1.9

2.12.2 2.2

2.3

2.6 2.6

1.3

1.6

1.9

2.2

2.5

2.8

2012 2013 2014 2015 2016

Subscriptions per device

30%

35%

40%

45%

50%

2008 2009 2010 2012 2013 2015 2016

FTNT PANW CHKP

72.7%

77.7%

70%

75%

80%

FY12 FY15

Gross Margin (%)

Services Billings Revenue Commission

Revenue to be recognized in future quarters

5 September 2017

Cybersecurity 112

" So those 4 nonattached subscription services as of our fiscal Q2 are north of $100

million run rate in terms of what we call billings and growing at triple digits, and we

plan on updating those metrics semiannually."

– Steffan C. Tomlinson, CFO, 06 June 2017

We also emphasize that PANW has saturated most options with regard to the

subscriptions it can add to its box and leverage its platform. This, in turn, indicates that it

will have limited opportunities in expanding PANW's TAM.

5 September 2017

Cybersecurity 113

Supports for Our Thesis

Company Negatives

■ Substantial Exposure to Sector Risks

We rank Palo Alto as more exposed to sector risks than Check Point but slightly less than

Fortinet. Areas of specific concern for PANW are the potential for increasing competition

from Cisco and the decreasing brownfield opportunity.



■ Valuation – Expensive

While on traditional EV/uFCF, PANW appears inexpensive, this multiple is flattered by

both its billings duration and stock-based compensation. Indeed, when we adjust for these

factors, PANW begins to look expensive, even on a growth-adjusted basis.




CHKP PANW FTNT






EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x





EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x



GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x


CHKP PANW FTNT

5 September 2017

Cybersecurity 114

■ Stock-Based Compensation Is High

Palo Alto Network has high levels of stock-based compensation in absolute terms as well

as relative to peers. We note that on a percentage of revenue basis, PANW's stock--based

compensation is over one-third of revenues, while the peer group average is just ~10%.

Figure 198: PANW Stock-Based Compensation Much Higher than Peers

Stock Based Compensation/Revenue, LFY, %

Source: Thomson Reuters Datastream.

We emphasize that high levels of stock-based compensation are not just dilutive to

investors but that they also negatively affect the economic return produced by the

company. In Figure 199, we illustrate this point using CFROI®, (a proxy for the company’s

economic return. (Refer to Appendix I for more details about the CFROI metric.) We show

the spread between PANW's CFROI including and excluding stock-based compensation

substantially reduces returns on capital.

Figure 199: Including and Excluding Stock-Based

Compensation PANW's CFROI…

Figure 200: … Pales in Comparison with Check

Point, with Returns Around 20%

Palo Alto Networks HOLT CFROI profile Check Point HOLT CFROI profile


■ Is There a Residual Go-to-Market Issue Aside from Refresh Pause?

29%

11%10%

5% 5% 4% 3%

0%

10%

20%

30%

Palo Alto Symantec Fortinet Check Point Juniper Oracle Cisco

SBC as % of Revenues

Average

(5 )

0

5

10

15

20

25

2007 2009 2011 2013 2015 2017

CFROI

Forecast CFROI


(5 )

0

5

10

15

20

25

2007 2009 2011 2013 2015 2017

CFROI Forecast CFROI CFROI adjusted to exclude SBC

5 September 2017

Cybersecurity 115

PANW has retooled its sales strategy after a disappointing miss earlier in the year. We

believe that PANW is struggling with its go-to-market strategy and that, while the company

is spending increasing amounts of money on sales & marketing, the efficiency of that

spend in terms of attracting new business is trending downward, as highlighted in Figure

201. At the same time, we find that job posting trends suggest continued spending. (See

Figure 203.) We note here that that the company already trails the peer average for

revenues per employee and that continued headcount increase will continue to pressure

this down.

Figure 201: Despite Ticking Up Recently, S&M

Efficiency Has Trended Down…

Figure 202: …While Revenue per Employee Already

Below Peer Group Average

Product/ Sales & Marketing and New business / Sales & Marketing Revenue/Employees, LFY, $

Source: Company data, Credit Suisse estimates. Source: Thomson Eikon.

Figure 203: Matching Job Posting Trend for Palo

Alto Networks Rising...

Figure 204: ...While Job Seeker Interest Also in

Uptrend

Palo Alto Job posting matches indicates recent uptick Palo Alto Job seeker interest has also rebounded

Source: Indeed. Source: Indeed.

50%

60%

70%

80%

90%

100%

110%

120%

1Q15 1Q16 1Q17

New business/S&M

Product/S&M

$0k

$200k

$400k

$600k

$800k

Cisco Juniper CheckPoint

Palo Alto Symantec Oracle Fortinet

Revenue per Employee ($ k)

Average

0.000%

0.010%

0.020%

0.030%

0.040%

0.050%

0.060%

2014 2015 2016 2017

Job Postings

0.00000%

0.00010%

0.00020%

0.00030%

0.00040%

0.00050%

0.00060%

0.00070%

2014 2015 2016 2017

Jobseeker Interest

5 September 2017

Cybersecurity 116

■ Expectations Remain the Highest

Ultimately, billings expectations remain the highest for PANW relative to CHKP and FTNT.

As we have discussed, in the face of structural industry challenges alongside numerous

idiosyncratic risks (as discussed in the ‘Can PANW continue to outgrow the market’

debate), we (perhaps crudely) believe the asset with the highest inbuilt expectations to be

most at risk.

Figure 205: PANW Has Overtaken Its Competitors

on a Billings Basis…

Figure 206: … While Consensus Builds in a Billings

Recovery Through 2018

Billings (Revenue + Δ Deferred Revenue), $m, 4Q rolling average Billings (Revenue + Δ Deferred Revenue), y/y, %

Source: FactSet, Company data, Credit Suisse estimates. Source: FactSet, Company data, Credit Suisse estimates.

We also analyze expectations for PANW in terms of billings and note that, while PANW

has already overtaken its rivals in billings (absolute $ amounts, 4Q rolling average), the

consensus estimates indicate a recovery and re-acceleration (well ahead of the market

growth rate).

0

500

1,000

1,500

2,000

2,500

3,000

3,500


PANW CHKP FTNT

0%

10%

20%

30%

40%

50%

60%

70%

80%


PANW CHKP FTNT

5 September 2017

Cybersecurity 117

Risks to Our Thesis

Company Positives

■ Significant Balance Sheet Capacity and Willingness to Use It

While we estimate PANW to have just over half the firepower of CHKP to be used for M&A,

we believe both companies have a very measured track record and propensity to make

smaller, tuck-in acquisitions. Cumulatively, PANW has used approximately $300 million in

acquiring companies, the largest of which was the most recent deal to buy LightCyber for

$105 million. The measured, disciplined approach is somewhat understandable given what

have been lofty valuations in security for the past several years, although we believe that

is changing given what some suggest are as many as 3,000 cybersecurity companies in

the world today.

About a year ago, a CRN magazine article suggested PANW had unsuccessfully bid over

$3 billion for Tanium in fall 2015. Assuming this is true, it would seem to suggest a need

to acquire something transformative, which aligns with our view of the company’s

opportunity more generally. We can envision several private companies strategically

aligning with PANW and are open-minded to changing our view on the stock should that

eventuality occur.

Figure 207: We Estimate PANW Has ~$5bn of

Balance Sheet Capacity…

Figure 208: … This Is Substantially Less than CHKP

but Still Represents Significant Capacity

Assuming 3x leverage, Total capacity for M&A Potential Balance Sheet Capacity for M&A


■ Phenomenal Innovator and Category Creator

Without any doubt, PANW should be applauded as key innovator and the creator of the

NGFW category. PANW entered the market with true product and technology

differentiation. Of particular note, we think, was the tripartite identification technologies at

the core of PANW's NGFW:

− App-ID: Identification techniques that can classify all traffic, on all ports, at all

times, irrespective of protocol, encryption, or evasive tactics.

− User-ID: Integrates the platform with a variety of enterprise user directories (Active

Directory, Exchange, ZENworks, etc.) as opposed to only IP addresses.

Firepower analysis CHKP PANW FTNT

Earnings, NTM basis

EBITDA 1,083 409 257

Δ Deferred Revenue 178 397 234

Cash EBITDA 1,261 805 491

Deal related accretion (15% return) 774 460 365

Theoretical lending EBITDA 2,035 1,265 855

Cash, Next quarter

Liquid cash & investments* 1,380 1,170 959

Cash & investments 3,588 1,889 1,217

Theoretical debt capacity (3x)** 6,106 3,278 2,566

Liquid firepower 7,486 4,448 3,526

Total firepower 9,694 5,167 3,783

*Cash and ST investments adjusted for offshore cash (20% repatriation assumption)

and 10% of NTM revenue

** 3x theoretical lending EBITDA excluding outstanding debt

$9.9bn

$5.4bn

$4.0bn

$0bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

CHKP PANW FTNT

http://www.crn.com/news/virtualization/300081068/sources-tanium-rejected-acquisition-bids-from-vmware-palo-alto-vows-to-stay-single.htm

5 September 2017

Cybersecurity 118

− Content-ID: Combines a real-time threat prevention engine with cloud-based

analytics and a comprehensive URL categorization database to block a variety of

threats.

Figure 209: Core Identification Technologies

Source: Palo Alto Networks.

■ Single-Pass Architecture

Palo Alto also utilizes a single-pass architecture in its design framework for its NGFWs.

The single-pass parallel processing (SP3) architecture reduces the latency that is

associated with daisy-chained point product solutions to perimeter security. Single-pass

architecture is comprised of two complimentary technologies:

− Single-Pass Software: Performs operations once per packet, scanning content in

a stream-based fashion, avoiding latency and enabling high throughput.

− Parallel Processing Hardware: Separates the data and control planes to reduce

interdependence in combination with discrete, function-specific processing at the

hardware level.

Figure 210: Single Pass… Figure 211: …with Parallel Processing Hardware

Single-pass software performs operations once per packet Hardware acceleration for each major functionality block

Source: Palo Alto Networks. Source: Palo Alto Networks, Credit Suisse Research.

While the SP3 architecture (and more specifically, single-pass software) has been a

perceived differentiator in the market, for which we give the company a lot of credit, our

view is that it’s a religious argument and not universally better than multi-pass.

Continuing Innovation with PAN-OS 8.0

Earlier in the year, Palo Alto Networks also rolled out major updates to its PAN-OS, adding

new features across its entire technology platform from upgrades for cloud security, multi-

Control Plane

Data Plane

MANAGEMENTconfiguration | logging | reporting

SIGNATURE MATCHIPS | CC# | SSN

SECURITY PROCESSINGsession setup | SSL| IPSec | Decompression

Network Processingflow control | route | ARP | MAC lookup | QoS | NAT

RAM

RAM

CPU

RAMCPU SSD

Single Pass

Report & Enforce Policy

5 September 2017

Cybersecurity 119

method threat detection, credential threat prevention, as well new hardware. We note that

the early feedback on the products has been positive and could potentially be a risk to our

thesis if it drives an upgrade cycle.

Platform Success

We also credit Palo for succeeding in consolidating multiple adjacencies and offering

attached subscription services, creating a recurring subscription and support stream. We

also note that the company has been relatively successful in upselling non-attach

subscriptions (such as Aperture, Autofocus and LightCyber) after landing the customer.

We also appreciate the vision to offer a cloud-based offering such as WildFire, as the

market is clearly moving in that direction.

"Our ability over the next 3 years to expand within that customer base, to sell, not only our

next-generation firewall with our attached subscription services but the 4

unattached subscription services led by our endpoint solution called Traps; our virtual

firewall, Aperture; AutoFocus. We're coming out with user-behavior analytics, subscription

service by an acquisition that we did with LightCyber. We're continuing to add meaningful

subscriptions to the platform"

- Steffan C. Tomlinson, CFO

On the other hand, we recognize that the company has not been wholly successful in its

strategy in offering a unified security platform with end-to-end security. We specifically

note the lukewarm response to its Advanced Endpoint protection solution, Traps. While we

believe that consolidation spurred by PANW’s early adoption of an integrated platform

strategy has so far provided significant acceleration to recurring revenue growth, we see

this as a theme that has largely played out.

■ Wonderful Go-to-Market – Land and Expand

PANW also implemented a very effective go-to-market strategy, utilizing multiple

deployment mechanisms to substantially widen the prospective customer base. Rather

than boldly attempting to take share head-to-head with well entrenched competitors,

PANW enabled prospective clients to deploy alongside an extant firewall, widening sales

opportunities to IDP, web filtering, and other refreshes.

PANW offered three different deployment methods:

(1) Firewall Replacement: Deployed as a replacement for an enterprise's extant firewall

and other point products;

(2) Transparent In-line: Deployed via virtual wire mode in-line as a transparent

compliment to the existing perimeter architecture; and,

(3) Tap Mode: Giving administrator’s network visibility without the disruption of in-line

deployment.

5 September 2017

Cybersecurity 120

Figure 212: Original Deployment Options


Once PANW had gained a foot inside the datacenter, it was able to both accelerate

firewall refresh cycles and upsell as customers realized the rationalization advantages of

the PANW platform. That is, it can replace other daisy-chained point solutions and lower

overall cost while increasing efficacy. The success of this land-and-expand motion is

evident not only in PANWs market share gain but also as shown in Figure 213.

Figure 213: The 2009 Cohort’s Land-and-Expand Motion


Superlative Marketing

Palo Alto Networks has captured as much (if not more) mind-share than it has market

share. We believe René Bonvanie, PANW's chief marketing officer, and the third most

highly compensated CMO in America in 2014 (Forbes, see here) to be integral to PANW's

mind-share gain. The disruptive messaging of ‘Next-Generation Firewall,’ with a strong,

simple narrative of single-pass architecture has proven very effective with decision-makers

and technology workers in general.

1.0x 1.2x2.0x

3.5x

5.1x6.3x

8.6x

11.8x

14.4x

Land 2009 2010 2011 2012 2013 2014 2015 2016

Renewals

Support

Subscription

Product

https://www.forbes.com/pictures/eeed45mlg/no-3-rene-bonvanie/#7081a3cb56fb

5 September 2017

Cybersecurity 121

Figure 214: PANW Marketing Dollars Emphasize Their Narrative...


As of early last year, PANW's marketing team under Mr. Bonvanie was 150 strong (8% of

total sales & marketing headcount), with 10% of his team focused on operationalizing

data-driven models. Mr. Bonvanie’s predilection with prescriptive analytics means PANW

captures data on every customer interaction it can, which includes its social media

platforms such as Twitter and Linked as well as its user community group and blog.

" …I want to talk about what it takes to drive a machine where we acquire that many

customers, where we grow our business that fast, and how we apply science, data and

relentless focus and alignment with our sales teams, with our channel partners, with our

hosting partners, to get to these results."

- Rene Bonvanie, CMO, Ignite 2016

Figure 215: Positioning to Be a Thought Leader… Figure 216: …Several Venues to Gain Mind-Share

Source: Palo Alto Networks. Source: Palo Alto Networks.

■ Large TAM

Palo Alto Networks puts its own TAM at $24bn in 2020, rising from ~$19bn currently at a

CAGR of ~8%, with most of the TAM increase coming from the network security products.

This is constructed of IDC's 2020 network security, web security, and commercial endpoint

security forecast. We note that a large TAM gives Palo Alto more room to navigate the

hurdles we lay out in our thesis, such as the shifting security model from prevention to

detection.

Founding Member

>70% more marketing events

>80% more pipeline

> 300% increase in social media

>100% more EBC visits

Blog Traffic

>5 millionUp >100% y/y Up >80% y/y

Up >200% y/y >35,000

5 September 2017

Cybersecurity 122

Figure 217: Palo Alto Sees a Rising TAM for Itself…


■ Leverage in the Model

Palo Alto Networks also benefits from inherent leverage in the subscription model, as we

have discussed earlier, and as Figure 194 and Figure 195 depict.

■ Partnerships and Joint Solutions

PANW has also built up a string of partnerships to address security in a cloud-centric

world. One example would be the Palo Alto Networks and VMware partnership in which a

uniform security approach across physical, virtualized, and cloud environments can be

implemented using a joint solution.

PANW and VMWare joint solution is built on the following main components:

(1) VMware NSX platform

(2) Palo Alto Networks VM-Series (Virtual NGFW)

(3) Palo Alto Networks Panorama (Centralized Management Platform)

Figure 218: PANW and VMW Joint Security Solution for Virtualized

Datacenters…

VMware NSX and Palo Alto Networks VM-Series Integrated Solution

Source: Vmware, Credit Suisse Research.

$19.1bn TAM

$14.7bn Network,$4.4bn Endpoint

$24bn TAM

$18.8bn Network,$5.2bn Endpoint

2017 2020

Cloud AdminPanorama registers the VM-Series with NSX manager

ManagerReal-time contextual updates on VM-Series changes

Security Admin

VM-Series deployed

automatically by NSX; policies

then steer select traffic to VM-

Series for inspection

AppWeb DB

NSX vSwitch

VMware ESG

Automated licensing

policy and deployments

5 September 2017

Cybersecurity 123

VMware NSX network virtualization platform provides the network virtualization layer,

while the joint solution works to deploy the Virtual appliance over each ESXi server, with

traffic inserted into the path of the virtual security appliance. The VM-Series natively

analyzes all traffic in a single pass to determine the application identity, the content within,

and the user identity. At the same time, context is shared between VMware NSX and

Panaroma so that whenever applications are deployed and moved from server to server,

security policies can continue to be enforced and there is separation of duty between

security and virtualization administrators.

The joint solution provides several significant benefits such as:

− Visibility into East-West Traffic: Deploying the VMware and PANW joint solution

has the additional benefit of offering visibility into server-to-server traffic within the

data center (which represents 80% of overall data center traffic). NSX's native

security capability, including kernel-based distributed firewalling, enables traffic flow

between ESXi servers to be automatically steered to the Palo Alto Virtual security

appliance (VM-Series) for granular inspection based on applications, content, and

users. Unlike current network security solutions built on a perimeter-based security

model, the VMware-PANW solution gives full visibility into data center traffic flows.

− Automation: Palo Alto's security management platform (Panoroma) works with the

NSX manager to automate the deployment and provisioning of security services.

Panorama registers the virtual PANW security device (VM-Series) with the NSX

manager, which then deploys the VM-Series on every ESXi Server in automated

fashion.

− Seamless Traffic Steering: The stateful, in-kernel NSX distributed firewall steers

traffic to PANW VM-Series via NSX APIs without needing to manually make

configuration changes to virtual networking elements.

■ A Strategic Asset

We appreciate the importance and role of PANW as an innovator in the NGFW space and

note that it remains a strategic asset (with interest from large-cap companies such as

CSCO). While we believe that both PANW and CSCO have significant portfolio overlap,

we do believe that it will bring scale to CSCO's security business, helping it transition

faster toward one of its strategic areas.

“...key priority areas such as security, the Internet of Things (IoT),

collaboration, next generation data center and cloud.”

Cisco 10-Q, February 2017

“…..first priority will be strategic investments that we will make, and then, obviously,

followed with a focus on continued capital allocation and our commitment to returning

capital to shareholders. It would be a combination”

Chuck Robbins, CEO – 15th February 2017

We, however, do point out that any M&A involving PANW will be a large-sized deal and

present material integration risk (with ~4,340 employees).

5 September 2017

Cybersecurity 124

Management and Board

Management

Palo Alto has plenty of impressive figures from the cybersecurity space on its

management team. Nir Zuk, the company founder, occupies the CTO role, and Rick

Howard, the chief security officer, brings 30 years of experience with US Army cyber

intelligence to Palo Alto. In Figure 219, we present a table of key management figures.

Figure 219: PANW Management

Source: Proxy Statement, FactSet, Credit Suisse estimates.

Interestingly, PANW’s management has less experience in the C-Suite than most. Part of

this can be attributed to the extensive military careers of some of its executives. The total

management experience per executive is closer to average when compared with our

coverage universe. Given the average age of a Palo Alto executive is only 55, this makes

sense.

Name Compensation Beneficial ownership C-Suite Experience

Position Year Prior Experience

Age Joined Salary ($) Bonus ($) Stock($) Number of Value of

shares shares

Mark McLaughlin 2011 $575,000 $632,500 $4,715,436 508,864 $74,650,349 ■ Chairman and CEO, Palo Alto Networks: 2011-Present

CEO & Chairman ■ President and CEO, VERISIGN: 2009-2011

51 ■ Executive Vice President, VERISIGN: 2000-2007

■ JD: Seattle University School of Law, BS: United States Military Academy

Nir Zuk 2005 $400,000 $200,000 $25,804,377 1,958,676 $287,337,769 ■ Founder and Chief Technology Officer, Palo Alto Netoworks: 2005-2017

Founder, CTO and Director ■ Chief Technology Officer, NetScreen: 2002-2004

45 ■ Founder and Chief Technology Officer, OneSecure: 1999-2002

■ BA: Tel Aviv University

Steffan Tomlinson 2012 $400,000 $240,000 $12,902,119 115,984 $17,014,853 ■ Chief Financial Officer, Arista Networks: 2011-2012

Chief Financial Officer ■ Chief Financial Officer, Aruba Networks: 2005-2011

44 ■ Vice President, Peribit Networks: 2000-2005

■ MBA: Santa Clara University, BA: Trinity College - Hartford

Rene Bonvanie 2009 $350,000 $175,000 $10,321,723 107,136 $15,716,851 ■ Vice President, Worldwide Marketing, Palo Alto Networks: 2009-2011

Chief Marketing Officer ■ SVP Marketing, SaaS and Information Technology, Serena Software: 2007-2009

55 ■ Senior Vice President of Global Marketing, SAP AG: 2006-2007

■ BA: Vrije Universiteit Amsterdam

Mark Anderson 2012 $700,000 $420,000 $30,105,176 208,419 $30,575,067 ■ Senior Vice President, Worlwide Field Operations, Palo Alto: 2012-2016

President ■ Various Roles including Executive Vice President: F5 Networks: 2004-2012

54 ■ Executive Vice President, North American Sales, Lucent Technologies: 2003-2004

■ BA: York University, Toronto

Rick Howard 2013 NA NA NA NA NA ■ Chief Information Security Officer, TASC, Inc: 2012-2013

Chief Security Officer ■ iDefense General Manager and Intelligence Director, Verisign: 2006-2012

■ US Army Computer Emergency Response Team Chief: 2002-2004

■ MS: United States Naval Postgraduate School, BS: United States Military Academy

Lee Klarich 2006 NA NA NA 385,807 $56,597,887 ■ Executive Vice President, Palo Alto: 2006-Present

EVP, Product Management ■ Director, Product Management, Juniper Networks: 2004-2006

42 ■ Product Line Manager, NetScreen Technologies: 2000-2004

■ BS: Cornell University

5 September 2017

Cybersecurity 125

Figure 220: PANW Executives Have Less C-Suite

Experience than Most…

Figure 221: But Their Overall Experience Is Closer

to Average

Source: Proxy Statement, FactSet, Credit Suisse estimates. Source: Proxy Statement, FactSet, Credit Suisse estimates.

Board

PANW’s board is a collection of impressive industry and venture capital figures. Alumni

from Red Hat, VMware, and VeriSign make up the backbone of the directorate, and they

are joined by venture capital veterans such as Asheem Chandra of Greylock and James

Goetz of Sequoia.

0 5 10 15 20

CRM

ORCL

CHKP

VMW

ADBE

SPLK

INTU

RHT

MSFT

AKAM

FTNT

HDP

NOW

SYMC

PANWManagement C-Suite

Experience Per Executive

VP

CEO

CFO

0 5 10 15 20 25 30 35 40

AKAM

CHKP

CRM

ORCL

SPLK

MSFT

VMW

ADBE

NOW

FTNT

PANW

RHT

INTU

HDP

SYMC Board Experience Per Director

CEO/CFO

Other Executive

Relevant Industry

Other Industry

Finance

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

126

Figure 222: Palo Alto Networks (PANW) Board of Directors

Source: Proxy Statement, FactSet, Credit Suisse estimates.

Name Beneficial ownership of shares Committee memberships C-Suite Experience

Position Director Independent Other Board Prior Experience and Principal occupation

Age Since? Director? Affiliations? Number of shares Value of shares Audit Comp. Gov.

Mark McLaughlin 2011 No 0 508,864 $74,650,349 ■ Chairman and CEO, Palo Alto Networks: 2011-Present

CEO & Chairman ■ President and CEO, VERISIGN: 2009-2011

51 ■ Executive Vice President, VERISIGN: 2000-2007

■ JD: Seattle University School of Law, BS: United States Military Academy

Nir Zuk 2005 No 0 1,958,676 $287,337,769 ■ Founder and Chief Technology Officer, Palo Alto Netoworks: 2005-2017

Founder, CTO and Director ■ Chief Technology Officer, NetScreen: 2002-2004

46 ■ Founder and Chief Technology Officer, OneSecure: 1999-2002


Asheem Chandna 2005 Yes 8 108,223 $15,876,314 a a ■ Partner, Greylock Partners: 2003-2017

Director Chair ■ Director, Imperva: 2003-2013

53 ■ Vice President, Business Development, Check Point Software: 1996-2003

■ MS, BS: Case Western Reserve University

James Goetz 2005 Yes 11 286,259 $41,994,195 a a ■ Managing Parter, Sequoia Capital Operations: 2005-2017

Director ■ Partner, Accel Partners: 2000-2004

50 ■ Cofounder, Vital Signs: 1996-1999

■ MS: Stanford University, BS: University of Cincinnati

Frank Calderoni 2016 Yes 0 9,228 $1,353,748 a ■ President and CEO, Anaplan: 2017-Present

Director ■ Executive Vice President and CFO, Red Hat: 2015-2017

52 ■ Executive Vice President and CFO, Cisco: 2004-2015

■ MBA: Pace University, BS: Fordham University

Carl Eschenbach 2013 Yes 1 5,191 $761,520 a a ■ Partner, Sequoia Capital Operation, 2016-Present

Director ■ President and COO, Vmware: 2011-2016

49 ■ Executive Vice President of WW Field Operations

■ BA: DeVry University

Daniel Warmenhoven 2012 Yes 1 23,517 $3,449,944 a a ■ Lead Independent Director, Palo Alto Networks: 2012-Present

Director Chair ■ Chief Executive Officer, NetApp: 1994-2009

65 ■ Chairman and CEO, N.E.T: 1989-1993

■ BS: Princeton University

John Donovan 2012 Yes 0 22,598 $3,315,127 a ■ Chief Technology Officer or Chief Strategy Officer: 2012-2017

Director ■ Chief Technology Officer, AT&T: 2008-2012

56 ■ Executive Vice President, Product, Sales, and Marketing, Verisign: 2006-2008

■ MBA: University of Minnesota, BS: University of Notre Dame

Stanley Meresman 2014 Yes 4 15,504 $2,274,437 a ■ Director, Snap Inc: 2015- Present

Director Chair ■ General Partner and COO, Technology Crossover Ventures

69 ■ Senior Vice President and CFO, Silicon Graphics

■ MBA: Stanford University, BS: University of California, Berkeley

Mary Pat McCarthy 2016 Yes 2 6,480 $950,616 a ■ Director, Palo Alto Networks: 2016-Present

Director ■ Director, Tesoro: 2012-Present

61 ■ Partner, KPMG: 1977-2011

■ BS: Creighton University

5 September 2017

Cybersecurity 127

Valuation We use Discounted Cash Flows to estimate the intrinsic value for FTNT at $125/share,

representing 14% downside. This informs our Underperform Rating, and is supported by

our multiples based relative valuation work. In addition, we have constructed blue-sky and

grey-sky scenarios. The Blue Sky assumes a 2.5% terminal growth rate, and the grey

assumes 0%, reflecting our view on the outlook for the space as a whole.

Figure 223: Blue-Sky/Grey-Sky Pricing Figure 224: Blue-Sky/Grey-Sky Scenarios

Source: Company Data, Credit Suisse estimates. Source: Company Data, Credit Suisse estimates.

Target Scenario

Our base case assumes a five-year transition period with FCF growth declining smoothly

from an estimated 9% in 2021. This scenario assumes the firewall market decelerates

broadly in line with our expectations (we model a 1.5% terminal growth rate from 2027E),

and PANW experiences enhanced competition from peers through its refresh cycle.

Blue-Sky Scenario

For our blue-sky scenario, we again model a five-year transition period but drive higher

free cash growth, which assumes a strong refresh cycle and upgrades driven by recent

software innovation as well as continued success in growing the attached and non-

attached subscription businesses. Our blue-sky scenario yields a $168 warranted price,

which represents 15% upside potential.

Grey-Sky Scenario

In the grey-sky scenario, we use a five-year transition period and lower free cash flow

growth assumption. Our Grey sky scenario assumes high levels of competition on the

refresh, in addition to pricing challenges and demand pauses against a backdrop of

declining firewall relevance.

Current Price $147 23.4x FY19E uFCF (SBC adj.)

Target Price $125 -14% 19.6x FY19E uFCF (SBC adj.)

Blue Sky $168 15% 27.2x FY19E uFCF (SBC adj.)

Grey sky $113 -23% 17.4x FY19E uFCF (SBC adj.)

Our Target Price scenario assumes the firewall market decelerates broadly in line with

our expectations (we model a 1% terminal growth rate from 2027E), and PANW

experiences enhanced competition from peers through its refresh cycle.

Our Blue Sky scenario assumes a strong refresh cycle and upgrades driven by recent

software innovation as well as continued success in growing the attached and non-

attached subscription businesses.

Our Grey sky scenario assumes high levels of competition on the refresh, in addition to

pricing challenges and demand pauses against a backdrop of declining firewall

relevance.

Target Price

Current Price

Grey Sky

Blue Sky

$125

$147

$113

$168

5 September 2017

Cybersecurity 128

Figure 225: Share Price Sensitivity to Cost of Equity and UFCF Growth Rate


Figure 226: PANW Valuation Matrix


Share price sensitivity to cost of equity and UFCF growth rate

Unlevered Free Cash Flow FY3 growth rate

125.466 10.0% 12.5% 15.0% 17.5% 20.0% 22.5% 25.0% 27.5% 30.0%

8.0% $154 $163 $174 $185 $196 $209 $222 $235 $250

8.5% $147 $156 $165 $176 $187 $198 $210 $223 $237

9.0% $140 $149 $158 $168 $178 $189 $201 $213 $226

9.5% $135 $143 $152 $161 $171 $181 $192 $204 $216

Terminal 10.0% $130 $138 $146 $155 $165 $174 $185 $196 $207

Cost of 10.5% $126 $134 $142 $150 $159 $168 $178 $189 $200

Equity 11.0% $123 $130 $137 $145 $154 $163 $172 $182 $193

11.5% $119 $126 $133 $141 $149 $158 $167 $176 $187

12.0% $116 $123 $130 $137 $145 $153 $162 $171 $181

12.5% $113 $120 $126 $134 $141 $149 $158 $166 $176

13.0% $111 $117 $123 $130 $138 $145 $154 $162 $171

13.5% $109 $114 $121 $127 $135 $142 $150 $158 $167

14.0% $106 $112 $118 $125 $132 $139 $147 $155 $163

14.5% $104 $110 $116 $122 $129 $136 $143 $151 $160

Valuation Matrix FY2016 (A) FY2017 (A) FY2018 (E) FY2019 (E) NTM LTM

Sales $1,379 $1,762 $2,129 $2,485 2 $2,039 $1,653

EBITDA $807 $1,017 $1,233 $1,427 3 $1,162 $967

EPS $1.89 $2.71 $3.29 $4.09 4 $3.24 $2.45

CFO $659 $871 $922 $1,056 5 $911 $816

FCF $586 $708 $822 $936 6 $785 $686

UFCF $610 $732 $844 $958 7 $801 $702

EV/Sales 7.3x 5.7x 4.7x 4.1x 4.9x 6.1x

EV/EBITDA 12.5x 9.9x 8.2x 7.1x 8.7x 10.4x

P/E 77.5x 54.1x 44.6x 9.0x 11.3x 14.9x

EV/CFO 15.3x 11.6x 10.9x 9.5x 11.0x 12.3x

EV/FCF 17.2x 14.2x 12.2x 10.8x 12.8x 14.7x

EV/UFCF 16.5x 13.7x 11.9x 10.5x 12.6x 14.3x

EV/Sales 8.7x 6.8x 5.7x 4.8x 5.9x 7.3x

EV/EBITDA 14.9x 11.8x 9.8x 8.4x 10.4x 12.5x

P/E 77.5x 54.1x 44.6x 35.9x 45.2x 59.8x

EV/CFO 18.3x 13.8x 13.1x 11.4x 13.2x 14.8x

EV/FCF 20.6x 17.0x 14.7x 12.9x 15.3x 17.6x

EV/UFCF 19.8x 16.4x 14.3x 12.6x 15.0x 17.2x

y/y, % y/y, % y/y, % y/y, % 2016-2019 CAGR

Revenue 48.5% 27.8% 20.9% 16.7% 21.7%

EBITDA 41.4% 26.1% 21.2% 15.7% 21.0%

EPS 76.1% 43.4% 21.3% 24.2% 29.3%

CFO 86.7% 32.3% 5.8% 14.5% 17.0%

FCF 83.8% 20.8% 16.1% 13.8% 16.9%

UFCF 78.6% 20.2% 15.2% 13.5% 16.3%

Esti

ma

tes

Ta

rge

tC

urr

en

tG

row

th

5 September 2017

Cybersecurity 129

Figure 227: PANW DCF Scenarios


Target Price

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL TP Value distribution

2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E 2027E Perpetuity

Period 1 2 3 4 5 6 7 8 9 10

Current risk-free rate of return 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0%

Beta 1.30 1.30 1.30 1.30 1.30 1.30 1.30 1.30 1.25 1.20 1.15 1.10 1.05 1.00

Equity Risk Premium 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%

Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2%

FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 10.0% 9.0% 7.8% 6.5% 5.3% 4.0% 2.8% 1.5%

Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81

Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,053 1,148 1,237 1,317 1,387 1,442 1,482 1,504 17,208

Stock Based Compensation Expense 70.9 163.2 285.3 342.2 372.6 434.8

SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 39.0% 32.6% 26.2% 19.8% 13.4% 7.0%

FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 575.0 626.8 754.5 887.9 1,023.3 1,156.5 1,283.2 1,398.7 17,208.2

NPV of Free cash flow ($M) 420.3 437.4 429.2 417.3 449.3 474.3 491.6 501.2 503.0 6,119.0

Cumulative NPV of FCF ($M) 420.3 857.7 1,286.9 1,704.1 2,153.5 2,627.7 3,119.3 3,620.5 4,123.5 10,243

Cumulative NPV of FCF ($M) 10,243$

Shares outstanding (M) 93

NPV/Share of FCF 110$

(Net Cash) / Share 15.69$

Total NPV/Share 125

Current price / Share $147

Upside / Downside Potential -14%

Blue Sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value distribution


Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2%

FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 16.0% 16.0% 13.8% 11.5% 9.3% 7.0% 4.8% 2.5%

Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81

Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,111 1,288 1,466 1,634 1,785 1,910 2,001 2,051 26,500


SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 39.5% 33.6% 27.7% 21.8% 15.9% 10.0% 0%

FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 606.4 703.4 886.6 1,085.0 1,290.7 1,493.8 1,682.9 1,846.0 26,499.8

NPV of Free cash flow ($M) 420 437 453 468 528 580 620 647 660 9,423

Cumulative NPV of FCF ($M) 420 858 1,310 1,779 2,307 2,886 3,506 4,154 4,813 14,236




(Net Cash - 10% of Revenues) / Share 15.69$

Total NPV/Share 168


Upside / Downside Potential 15%

Grey sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value distribution


Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2%

FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 10.0% 10.0% 8.3% 6.7% 5.0% 3.3% 1.7% 0.0%

Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81

Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,053 1,159 1,255 1,339 1,406 1,453 1,477 1,477 14,423


SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 41.2% 36.9% 32.7% 28.5% 24.2% 20.0% 0%

FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 575.0 632.5 738.4 844.3 946.0 1,039.1 1,119.0 1,181.5 14,422.6


Cumulative NPV of FCF ($M) 420 858 1,287 1,708 2,148 2,599 3,053 3,503 3,942 9,071





Total NPV/Share 113



5 September 2017

Cybersecurity 130

HOLT®

PANW – HOLT Market-Implied Scenario and Sensitivity Analysis

Assuming margins rise from consensus levels of 15% to its historical peak of 22%,

PANW’s current stock price of $146 implies a sales CAGR of 12% over the next ten years.

Figure 228: CFROI (%) Figure 229: Valuation Sensitivity Analysis


Assumptions and Methodology

■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4 onward they are assumed

to rise up to 21.5% based on historical peak levels

■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, solved for the implied

CAGR required to reach the respective values per share

■ Asset Efficiency: Assumed constant from LFY levels

■ Fade Window: Used ten years of explicit forecasts for comparison with CHKP

■ Fade: After year ten, the HOLT methodology calculates the terminal value by fading

returns on capital and growth toward cost of capital and GDP growth, respectively

Figure 230: Assuming Margins Rise to 21.5% in the

Long Term from Consensus Levels of -15%...

Figure 231: …Indicates PANW's Current Price

Implies a CAGR of 11% over Ten Years

Source: HOLT®, Credit Suisse Research. Source: HOLT®, Credit Suisse Research.

(5.3)

23.5

(10 )

0

10

20

30

2007 2011 2015 2019 2023

Historical CFROI Forecast Discount Rate

- 600 bps - 400 bps - 200 bps 0 bps +200 bps +400 bps

5.8% 7.8% 9.8% 11.8% 13.8% 15.8%

- 1500 bps 6.5% $19 $26 $36 $49 $66 $88

- 1200 bps 9.5% $29 $39 $52 $69 $90 $119

- 900 bps 12.5% $39 $51 $68 $88 $115 $149

- 600 bps 15.5% $49 $63 $83 $107 $139 $180

- 300 bps 18.5% $59 $76 $99 $127 $163 $210

0 bps 21.5% $69 $88 $114 $146 $188 $241

2018 - 2026 Sales CAGR

26E EBITDA

Margins v

(14.6)

21.5

(20)

(10)

0

10

20

30

2007 2011 2015 2019 2023


Assumed long term margins

to rise from (14.6%) to

21.5%

1

26.2

11.8

0

10

20

30

40

50

60

70

80

2007 2011 2015 2019 2023


Solved for the long term sales CAGR required to get to current price of $146

2

Consensus

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

131

Figure 232: PANW Income Statement

US$ in millions, except per share items


Palo Alto Networks (PANW)

Income Statement$ in Millions except per share items

Fiscal year end: July 31st

2016 (A) Oct '16 Jan '17 Apr '17 Jul '17 2017 (A) Oct '17 Jan '18 Apr '18 Jul '18 2018 (E) Oct '18 Jan '19 Apr '19 Jul '19 2019 (E)

Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year 1Q19E 2Q19E 3Q19E 4Q19E Full Year

Non-GAAP Income Statement

Total Revenue 1,378.5 398.1 422.6 431.8 509.1 1,761.6 486.7 514.6 528.3 599.5 2,129.0 572.7 598.5 604.8 708.7 2,484.6

y/y change 49% 34% 26% 25% 27% 28% 22% 22% 22% 18% 21% 18% 16% 14% 18% 17%

Product 670.8 163.8 168.8 164.2 212.3 709.1 171.5 178.9 175.7 222.9 749.0 178.4 186.1 181.0 234.1 779.5

y/y change 36% 11% -1% 1% 11% 6% 5% 6% 7% 5% 6% 4% 4% 3% 5% 4%

Subscription & Support 707.7 234.3 253.8 267.6 296.8 1,052.5 315.2 335.7 352.6 376.6 1,380.0 394.4 412.4 423.8 474.6 1,705.2

y/y change 63% 57% 54% 46% 42% 49% 35% 32% 32% 27% 31% 25% 23% 20% 26% 24%

Total cost of revenue 301.1 81.9 90.5 101.7 115.6 389.7 104.5 110.9 110.7 118.5 444.6 109.9 117.9 123.5 136.3 487.6

Gross profit, non-GAAP 1,077.4 316.2 332.1 330.1 393.5 1,371.9 382.2 403.7 417.6 481.0 1,684.5 462.8 480.6 481.2 572.4 1,997.0

Gross margin 78% 79% 79% 76% 77% 78% 79% 78% 79% 80% 79% 81% 80% 80% 81% 80%

Research & development 146.7 45.4 47.3 47.7 50.4 190.8 47.2 49.9 51.2 58.1 206.5 55.6 58.1 58.7 68.7 241.0

% of total revenue 11% 11% 11% 11% 10% 11% 10% 10% 10% 10% 10% 10% 10% 10% 10% 10%

Sales & marketing 584.9 175.3 175.0 178.9 197.1 726.3 214.1 214.6 220.3 250.0 899.0 252.1 248.7 251.4 284.9 1,037.1

% of total revenue 42% 44% 41% 41% 39% 41% 44% 42% 42% 42% 42% 44% 42% 42% 40% 42%

General & administrative 75.0 23.7 26.7 24.2 25.5 100.1 29.2 30.9 31.7 36.0 127.7 34.4 35.9 36.3 42.5 149.1

% of total revenue 5% 6% 6% 6% 5% 6% 6% 6% 6% 6% 6% 6% 6% 6% 6% 6%

Total operating expenses, non-GAAP 806.6 244.4 249.0 250.8 273.0 1,017.2 290.6 295.4 303.2 344.1 1,233.3 342.0 342.7 346.3 396.2 1,427.2

% of total revenue 59% 61% 59% 58% 54% 58% 60% 57% 57% 57% 58% 60% 57% 57% 56% 57%

Operating income, non-GAAP 270.8 71.8 83.1 79.3 120.5 354.7 91.6 108.3 114.4 136.9 451.2 120.8 138.0 134.9 176.2 569.8

Operating margin 19.6% 18.0% 19.7% 18.4% 23.7% 20.1% 18.8% 21.0% 21.7% 22.8% 21.2% 21.1% 23.1% 22.3% 24.9% 22.9%

Interest income (expense), net -0.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Other income (expense), net 8.1 2.3 3.3 3.5 3.5 12.6 2.9 3.0 3.2 3.5 12.6 3.7 4.1 4.3 4.6 16.7

Interest & other income (expense), net, non-GAAP 8.0 2.3 3.3 3.5 3.5 12.6 2.9 3.0 3.2 3.5 12.6 3.7 4.1 4.3 4.6 16.7

Pretax income, non-GAAP 278.8 74.1 86.4 82.8 124.0 367.3 94.5 111.3 117.6 140.4 463.8 124.5 142.0 139.2 180.8 586.5

Pretax margin 20% 19% 20% 19% 24% 21% 19% 22% 22% 23% 22% 22% 24% 23% 26% 24%

Tax expense, non-GAAP 106.0 22.9 26.8 25.7 38.5 113.9 29.3 34.5 36.5 43.5 143.8 38.6 44.0 43.2 56.0 181.8

Effective tax rate 38% 30.9% 31.0% 31.0% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31%

Net Income, non-GAAP 172.8 51.2 59.6 57.1 85.5 253.4 65.2 76.8 81.1 96.9 320.0 85.9 98.0 96.1 124.8 404.7

EPS, non-GAAP $1.89 $0.55 $0.63 $0.61 $0.92 $2.71 $0.68 $0.80 $0.84 $1.00 $3.29 $0.88 $0.99 $0.97 $1.25 $4.09

Fully diluted shares 91.4 93.2 93.9 93.3 93.3 93.4 95.2 95.9 96.6 97.3 97.2 98.0 98.6 99.3 100.0 99.0

Research AnalystsBrad Zelnick

(212) 325 [email protected]

Jobin Mathew(212) 325 9676

[email protected]

Syed Talha Saleem, CFA(212) 538 1428

[email protected]

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

132

Figure 233: PANW Balance Sheet




Balance Sheet$ in Millions except per share items




Current Assets

Cash and Equivalents 734.4 839.4 761.4 692.0 744.3 744.3 797.3 893.1 1,016.7 1,134.0 1,134.0 1,290.4 1,401.4 1,565.7 1,635.4 1,635.4

Short-Term Investments 551.2 550.6 593.0 680.0 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7

Accounts Receivable - net 348.7 346.5 386.1 364.1 432.1 432.1 414.8 480.1 458.0 535.3 535.3 495.8 543.2 511.1 601.8 601.8

Prepaid Expenses and Other 139.7 129.4 139.9 159.1 169.2 169.2 170.0 178.3 194.2 221.8 221.8 211.9 221.4 223.8 262.2 262.2

Total Current Assets 1,774.0 1,865.9 1,880.4 1,895.2 1,976.3 1,976.3 2,012.8 2,182.3 2,299.7 2,521.8 2,521.8 2,628.8 2,796.8 2,931.2 3,130.1 3,130.1

Non-current Assets

Property Plant & Equipment - Net 117.2 125.0 154.1 192.3 211.1 211.1 256.8 296.8 337.4 380.2 380.2 429.1 478.8 528.6 581.7 581.7

Long Term Investments 652.8 708.4 790.5 719.1 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3

Goodwill 163.5 163.5 163.5 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8

Other Intangible Assets 44.0 41.7 39.5 56.5 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7

Other Noncurrent Assets 106.7 103.7 146.6 148.2 169.1 169.1 144.6 171.6 170.9 191.8 191.8 159.7 203.6 201.6 240.9 240.9

Total assets 2,858.2 3,008.2 3,174.6 3,250.1 3,438.3 3,438.3 3,496.0 3,732.5 3,889.7 4,175.6 4,175.6 4,299.4 4,561.0 4,743.2 5,034.5 5,034.5

Current Liabilities

Accounts Payable - Trade 30.2 29.2 28.0 33.2 35.5 35.5 32.0 39.5 37.6 42.7 42.7 37.7 45.9 43.1 50.5 50.5

Accrued Compensation 73.5 59.0 78.8 76.4 117.5 117.5 79.3 102.7 89.8 124.1 124.1 89.1 115.5 104.9 127.6 127.6

Accrued Expenses and Other 39.2 48.4 58.8 60.1 79.9 79.9 61.4 69.6 71.2 76.4 76.4 68.7 83.8 84.7 70.9 70.9

Deferred Revenue (Short-Term) 703.9 758.1 828.0 885.0 968.4 968.4 1,016.8 1,082.9 1,147.9 1,228.2 1,228.2 1,301.9 1,380.1 1,449.1 1,521.5 1,521.5

Convertible Debt 0.0 506.2 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Total Current Liabilities 846.8 1,400.9 993.6 1,054.7 1,201.3 1,201.3 1,189.6 1,294.7 1,346.5 1,471.4 1,471.4 1,497.4 1,625.3 1,681.7 1,770.4 1,770.4

Non-current Liabilities

Convertible Debt (Long-Term) 500.2 0.0 512.3 518.4 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7

Deferred Revenue (Long-Term) 536.9 601.5 670.6 726.8 805.1 805.1 861.5 934.7 1,004.8 1,100.2 1,100.2 1,155.2 1,213.0 1,273.7 1,337.3 1,337.3

Other Noncurrent Liabilities 79.4 80.2 127.5 137.1 147.6 147.6 144.6 171.6 170.9 179.4 179.4 171.8 179.5 181.4 212.6 212.6

Stockholder Equity

Additional Paid In Capital 1,515.5 1,543.1 1,613.3 1,615.8 1,599.7 1,599.7 1,653.6 1,714.4 1,779.6 1,862.4 1,862.4 1,942.1 2,029.9 2,119.5 2,236.6 2,236.6

Accumulated Other Comprehensive Income 1.0 -1.9 -5.1 -4.2 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4

Retained Earnings (Accumulated Deficit) -621.6 -677.0 -737.6 -798.5 -836.7 -836.7 -874.5 -904.2 -933.4 -959.1 -959.1 -988.5 -1,008.0 -1,034.4 -1,043.7 -1,043.7

Total Shareholders Equity 894.9 864.2 870.6 813.1 759.6 759.6 775.7 806.8 842.8 899.9 899.9 950.2 1,018.5 1,081.7 1,189.5 1,189.5

Total Liabilities & Shareholders Equity 2,858.2 3,008.2 3,174.6 3,250.1 3,438.3 3,438.3 3,496.0 3,732.5 3,889.7 4,175.6 4,175.6 4,299.4 4,561.0 4,743.2 5,034.5 5,034.5




[email protected]


[email protected]

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

133

Figure 234: PANW Statement of Cash Flow




Statement of Cash Flows$ in Millions except per share items




Cash From Operating Activities

Net Income (192.7) (56.9) (60.6) (60.9) (38.2) (216.6) (37.8) (29.7) (29.2) (25.7) (122.4) (29.4) (19.5) (26.4) (9.3) (84.6)

Stock-based Compensation 392.8 113.3 127.3 116.2 117.7 474.5 121.7 128.6 132.1 149.9 532.3 143.2 149.6 151.2 177.2 621.2

Tax Benefit From Exercise of Stock Options - - - - - - - - - - - - - - - -

Depreciation and Amortization 42.8 13.6 14.4 15.1 16.7 59.8 15.7 16.7 17.2 19.5 69.1 18.9 19.7 19.8 23.1 81.5

Other Amortization of Non-Cash Expenses/Gains 3.0 0.7 0.7 0.7 0.6 2.7 0.6 0.6 0.6 0.6 2.4 0.6 0.6 0.6 0.6 2.4

Amortization of debt discount & issuance costs 23.4 6.0 6.1 6.2 6.2 24.5 5.5 5.5 5.5 5.5 21.9 5.5 5.5 5.5 5.5 21.9

Other - - - 20.9 20.9 - - - - - - - - -

Changes in working capital & other assets/liabilities

Accounts Receivable (136.4) 2.2 (39.5) 22.4 (68.0) (82.9) 17.3 (65.3) 22.2 (77.3) (103.2) 39.5 (47.4) 32.2 (90.7) (66.5)

Prepaid Expenses (31.2) 10.1 (51.7) (8.0) 1.5 (48.1) 23.7 (35.3) (15.2) (48.5) (75.3) 42.0 (53.4) (0.3) (77.8) (89.5)

Accrued Compensation/Payroll Expense (6.3) (14.5) 19.8 (3.6) 41.1 42.8 (38.2) 23.4 (12.9) 34.3 6.6 (35.0) 26.4 (10.6) 22.7 3.4

Accounts Payable 15.1 1.8 (1.6) 2.6 3.1 5.9 (3.5) 7.5 (1.8) 5.1 7.2 (5.0) 8.3 (2.8) 7.4 7.8

Accrued and Other Liabilities 21.0 8.4 60.4 8.2 (23.8) 53.2 (21.4) 35.2 0.9 13.6 28.2 (15.2) 22.8 2.8 17.4 27.8

Deferred Revenue 527.1 118.8 139.0 112.3 161.7 531.8 104.8 139.3 135.1 175.8 555.0 128.7 135.9 129.7 136.1 530.4

Other Non-Cash Items - - - - 2.8 2.8 - - - - - - - - - -

Cash from Operations 658.6 203.5 214.3 211.2 242.3 871.3 188.2 226.5 254.3 252.9 921.8 293.7 248.4 301.5 212.0 1,055.6

y/y change 87% 39% 39% 24% 29% 32% -8% 6% 20% 4% 6% 56% 10% 19% -16% 15%

Cash From Investing Activities

Net proceeds (purchases) of investments (266.4) (50.3) (128.4) (27.5) (12.3) (218.5) (12.3) (12.3) (12.3) (12.3) (49.2) (12.3) (12.3) (12.3) (12.3) (12.3)

Capital Expenditures (72.5) (20.9) (44.7) (48.6) (49.2) (163.4) (30.0) (23.3) (23.3) (23.3) (100.0) (30.0) (30.0) (30.0) (30.0) (120.0)

Acquisition of Business - (90.7) - (90.7) - - - - - - - - - -

Cash From Investing Activities (338.9) (71.2) (173.1) (166.8) (61.5) (472.6) (42.3) (35.6) (35.6) (35.6) (149.2) (42.3) (42.3) (42.3) (42.3) (132.3)

Cash from Financing

Sales of shares through employee equity incentive plans 45.3 22.7 0.9 22.2 0.6 46.4 - - - - - - - - - -

Tax Benefit From Stock Based Compensation - - - (11.0) (10.4) - - - - - - - - - -

Repurchase of Common Stock - (50.0) (120.1) (125.0) (115.9) (411.0) (95.0) (95.0) (95.0) (100.0) (385.0) (95.0) (95.0) (95.0) (100.0) (385.0)

Total Cash Flows From Financing 38.9 (27.3) (119.2) (113.8) (125.7) (364.6) (95.0) (95.0) (95.0) (100.0) (385.0) (95.0) (95.0) (95.0) (100.0) (385.0)

FX impact on cash - - - - - - - - - - - - - - - -

Cash balance, beginning of period 375 734 839 761 691 734 746 797 893 1,017 746 1,134 1,290 1,401 1,566 1,134

Net change in cash 359 105 (78) (69) 55 13 51 96 124 117 388 156 111 164 70 501

Cash balance, end of period 734 839 761 691 746 746 797 893 1,017 1,134 1,134 1,290 1,401 1,566 1,635 1,635




[email protected]


[email protected]

5 September 2017

Cybersecurity 134

Credit Suisse PEERs PEERs is a global database that captures unique information about companies within the

Credit Suisse coverage universe based on their relationships with other companies – their

customers, suppliers and competitors. The database is built from our research analysts’

insight regarding these relationships. Credit Suisse covers over 3,000 companies globally.

These companies form the core of the PEERs database, but it also includes relationships

on stocks that are not under coverage.

Figure 235: Palo Alto PEERs


5 September 2017

Cybersecurity 135

Fortinet: Fortinet & Unfortified = Underperform


Fortinet, Inc. (FTNT) Rating UNDERPERFORM Price (01-Sep-17, US$) 38.30 Target price (US$) 33.00 52-week price range (US$) 41.10 - 28.61 Market cap(US$ m) 6,734 Target price is for 12 months.

Research Analysts

Brad A Zelnick

212 325-6118

[email protected]

Jobin Mathew

212 325 9676

[email protected]


212 538 1428

[email protected]

Unfortified


We respect FTNT as a highly innovative company with differentiated hardware,

superb product offerings, and a world-class founder-led executive team;

however, we remain convinced the weight of potential headwinds facing FTNT

tilts the relative risk/reward balance negatively.

■ Most Highly Exposed to Category Risks: Our analysis of sector headwinds

implies FTNT faces the greatest risk of the three firewall names. With the

least firepower and apparent willingness to strategically acquire as perimeter

security loses relevance, FTNT's outsized exposure to the SMB market and

carrier vertical are additional concerns.

■ Hardware Increasingly Irrelevant in the Cloud: Like Netscreen before it,

Ken Xie founded FTNT on the premise of ASIC architecture. Performant,

cost-effective hardware has differentiated FTNT in the past, particularly in the

carrier vertical (performance focused) and SMB segment (price sensitive);

however, we struggle to see how competitive advantage bestowed by

superior silicon can sustain as successfully in the cloud.

■ Outsized SMB Exposure: Fortinet should trade at a discount to CHKP and

particularly PANW given its substantially lower enterprise exposure (56% vs

PANW at 14% volume, respectively, on IDC data). We prefer enterprise

exposure on balance due to its higher renewal rates, and while some consider

the SMB market attractive given a recent a spending cycle, we believe it to be

increasingly competitive (50% more concentrated on the

Herfindahl-Hirschman Index, an indicator of competition) vs the high end.

■ Valuation: We see FTNT as expensive on an absolute basis but less so once

adjusted for growth; we think of FTNT as in-between CHKP (best) and PANW

(worst) on valuation. Our DCF valuation implies a $33 TP. Risks to our target

include an ability to gain significant share, stronger than expected midmarket

spending cycle, and acquisition of the company.



Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$36.83




133 193 238 292 Net Debt (US$ m) -1,164 -1,311 -1,515 -1,802 Unlevered Free Cash Flow (US$) 242 268 309 439 P/uFCF (x) 15.8 14.3 12.4 8.7


5 September 2017

Cybersecurity 136

Fortinet, Inc. (FTNT)

Price (01 Sep 2017): US$38.3; Rating: UNDERPERFORM; Target Price: US$33.00; Analyst: Brad Zelnick


Revenue (US$ m) 1,009.3 1,275.4 1,492.8 1,657.0 EBITDA 164.9 241.6 307.6 375.8 Operating profit 133.3 193.1 238.2 291.6 Recurring profit 135.5 193.3 251.3 303.6

Cash Flow 12/15A 12/16A 12/17E 12/18E

Cash flow from operations 283 340 466 541 CAPEX (37) (67) (150) (93) Free cashflow to the firm 245 273 316 447 Cash flow from investments (1) (74) (163) (93) Net share issue(/repurchase) 7 (66) (108) (160) Dividends paid 0 0 0 0 Issuance (retirement) of debt - - - - Other (116) (54) 9 (0) Cashflow from financing activities (109) (120) (99) (160) Effect of exchange rates 0 0 0 0 Changes in Net Cash/Debt 173 146 204 287 Net debt at end (1,164) (1,311) (1,515) (1,802)


Assets Other current assets 36 33 46 55 Total current assets 1,271 1,539 1,782 2,128 Total assets 1,791 2,140 2,569 2,981 Liabilities Short-term debt 0 0 0 0 Total current liabilities 679 829 1,015 1,221 Long-term debt 0 0 0 0 Total liabilities 1,035 1,302 1,624 1,940 Shareholder equity 755 838 945 1,041 Total liabilities and equity 1,791 2,140 2,569 2,981 Net debt (1,164) (1,311) (1,515) (1,802)

Per share 12/15A 12/16A 12/17E 12/18E


Earnings 12/15A 12/16A 12/17E 12/18E


Valuation 12/15A 12/16A 12/17E 12/18E



Company Background

Fortinet is a cybersecurity company selling appliances, software, and services. Fortinet has a platform approach to security called the Fortinet Security Fabric which enables third-party devices to share information with Fortinet appliances.



For our blue sky scenario we again model a 5-year transition period, but drive higher free cash growth, which assumes Fortinet enjoys a stronger than expected appliance refresh cycle tailwind in addition to virtual firewall retaining more relevance than we expect, and FTNT successfully selling into this virtual market. Our blue sky scenario yields a $42 warranted price.


In the grey sky scenario, we use a 5-year transition period and lower free cash flow growth assumption. The scenario results in a share price of $29. In this scenario, Fortinet struggles to attain significant virtual share, this is against a backdrop of declining firewall relevance and significant price pressures.



Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$36.83


5 September 2017

Cybersecurity 137

FTNT: Our Takes on the Key Debates


We respect Fortinet as an innovative vendor that provides exceptional products and an

integrated platform offering few competitors can match. Successes in hardware, however,

may not translate into the cloud, and FTNT faces the most risk from sector headwinds.

Key Debates:

■ Is Exposure to SMB a Positive? The SMB market is growing rapidly as agnostic attacks

threaten SMBs more than ever (e.g., ransomware) and regulation enforces greater

controls and accountability (GDPR for instance). Is FTNT's exposure here attractive?

■ How Does Competitive Advantage Translate to Cloud? As the virtual form factor

becomes an increasingly important method of consumption, debates surround whether

FTNT will retain its silicon-based competitive advantage in the cloud.

■ Is Carrier Market Exposure a Blessing or Curse? FTNT's success in the carrier market

has been a blessing in the past, while now investors are debating if this will continue.

Our Takes:

■ Despite Growth, Competitive Pressures Render SMBs Unattractive: In addition to

lower renewal rates, the SMB market is increasingly fragmented and competitive, and we

think these dynamics apply pricing pressure to vendors operating in this end of the market.

■ Silicon Isn’t a Competitive Advantage Anymore: We struggle to see how the

competitive advantage bestowed by superior silicon can be sustained as successfully in

the cloud.

■ Carrier Market Rapidly Virtualizing: We are concerned FTNT's ~20% carrier billings may

mature into a curse. Our field conversations underline that the carrier market is virtualizing

rapidly, and we think this may cannibalize appliance demand.

Risk to Our Takes:

■ Legendary Leadership: We view the dual leadership of Fortinet by Ken and Michael Xie,

CEO and CTO, respectively, to be a key strength. Given the brothers' track record of

disruptive innovation in the space, we don’t count out their ability to re-adapt FTNT's

strategy beyond the successful formula of the past five years.

■ Transformative M&A: We estimate FTNT could deploy as much as $4bn for

transformative M&A, albeit lower than peers (60% less than CHKP and 20% less than

PANW). This still represents non-trivial balance sheet capacity.

■ Becomes a Strategic Target: Given its relatively small market cap, FTNT could

represent a potential target for a strategic buyer. recognize

Estimates:


consensus at 17%/15%, with EPS of $0.94/$1.10 in FY17E/ FY18E vs Street estimates at

$0.95/$1.14.

Valuation: ■ DCF: Our discounted cash flow analysis yields a target price of $33, implying 14%

downside risk and 10x FY18E EV/uFCF; 13.5x when adjusted for SBC.

■ Relative Valuation: Expensive on an absolute basis but less so once adjusted for

growth, we think of PANW as in between CHKP (best) and PANW (worst) on valuation.

5 September 2017

Cybersecurity 138

Key Charts

Figure 236: Highly Exposed to the SMB Market… Figure 237: ...Which Remains the Most Competitive

Fortinet 2016 Revenue Exposure by server class Herfindahl-Hirschman Index, 4Q moving average


Figure 238: FTNT Most Exposed to Sector Risks…. Figure 239: …with an Elongating Refresh Cycle

Our sector risk exposure ranking Refresh cycle impact on product at different lengths


Figure 240: Less Balance Sheet Capacity… Figure 241: …Valuation in Middle vs Firewall Peers

Our estimates for balance sheet capacity EV/uFCF adjusted for SBC, and Non-GAAP P/E


High-end

Midrange

Volume

20%

24%56%

FTNT

0.00

0.05

0.10

0.15

0.20

0.25

2002 2005 2008 2011 2014

High-end

Midrange

Volume


CHKP PANW FTNT








Total ◔ ◑ ◕

Who is best equipt to deal with…

5%

10%

15%

20%

25%

30%

35%

2008 2010 2012 2014 2016

4 years

4.5 years

5 years

5.5 years

6 years

6.5 years

7 years

$9.9bn

$5.4bn

$4.0bn

$0bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

CHKP PANW FTNT

16.4x19.2x

37.8x

20.5x

38.8x

44.2x

0x

10x

20x

30x

40x

50x

CHKP FTNT PANW

EV/uFCF Adjusted for SBC, NTM

Non-GAAP P/E, NTM

5 September 2017

Cybersecurity 139

Supports for Our Thesis

Company Negatives

■ Most Exposed to Sector Risks

In our ranking of relative exposure to category risks, Fortinet appears the most exposed.

We believe it to be at substantial risk as the architectural shift to cloud accelerates via both

its hardware-based competitive advantage and carrier exposure. (Carriers are rapidly

virtualizing.) In addition, we believe exposure to the highly competitive mid-market, along

with limited ability to further expand TAM, are all incremental relative negatives.



■ Less Relative Firepower Makes Deployment of Strategic Capital Challenging

We estimate FTNT could deploy ~$4bn for transformative M&A. This is ~60% less than

CHKP and ~25% less than PANW. Given our views on the market direction and declining

relevance of perimeter security, we see Fortinet's more limited ability to make

transformative acquisitions as a relative negative. We believe management is liklely less

willing to make a transformative acquisition just given past tuck in deal activity.


CHKP PANW FTNT



5 September 2017

Cybersecurity 140

Figure 243: We Estimate FTNT Has ~$4bn in

Aggregate Firepower…

Figure 244: … This Is ~60% Less than CHKP and

~25% Less than PANW



■ Hardware-Based Competitive Advantage, Does It Translate to the Cloud?

Fortinet has, we think, generated substantial competitive advantage via its ASIC-based

architecture, which is highly performant and offers excellent cost/throughput ratios and

substantial power savings. These performance advantages have, in turn, contributed to

FTNT's success in the carrier and telecommunications market (where performance is key)

and the SMB market (where there’s cost sensitivity).

While in the past it has been easy to interpret Fortinet's hardware differentiation as a

competitive advantage, it seems logical to us that any advantage bestowed by superior

silicon will diminish as virtualization increases.

■ Absolute Valuation Is Unattractive, Except on EV/Sales

Fortinet isn’t noticeably cheap relative to PANW or CHKP on any absolute adjusted cash

flow or income statement multiple, excepting EV/Sales, which appears to be a function of

depressed margins, and a different business mix.

FTNT trades ~54% less expensive than CHKP and ~28% less expensive than PANW on

CY18 recurring revenues. This would seem to be due to lower renewal rates given greater

SMB exposure, which reduces the value to investors of this revenue stream relative to

higher renewal rate competitors. We calculate that a 5% reduction in renewal rate (from

95-90%) erases 25% of the recurring revenue stream’s NPV. While intuitively, PANW's

higher renewal rates should result in a higher recurring revenue multiple than that of

CHKP, we would note CHKP's substantially higher operating margin.

FTNT trades at a discount to CHKP and PANW on recurring revenue, which we largely

attribute to its depressed margins (18% in CY18 vs 22% and 53% for PANW and CHKP,

respectively). Even normalizing for margin, and certainly growth for that matter, we would

expect FTNT to be less expensive on recurring revenue given its significant SMB

exposure (56% for FTNT vs 14% and 27% for PANW, and CHKP, respectively7). We

estimate. To put this in perspective, we calculate a reduction in renewal rate from 95-90%

7 IDC ‘volume’ pricing bands used as a proxy


Earnings, NTM basis

EBITDA 1,083 394 279





Cash, Next quarter









$9.9bn

$5.4bn

$4.0bn

$0bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

CHKP PANW FTNT

5 September 2017

Cybersecurity 141

would erode 25% of the NPV of the intrinsic value of a recurring revenue stream in a runoff

scenario.

Figure 245: Relative Valuation, Absolute Multiples


■ Fortinet Is More an SMB than an Enterprise Focused Vendor

Despite the lumpier sales cycles, we prefer exposure to enterprise customers. Firms

serving enterprise customers in general enjoy far superior renewal rates relative to those

with SMB customers.

Figure 246: The Impact of Renewal Rates on Valuation Is Clear When We Look

at the Financial NPV of Recurring Revenues with Varying Renewal Rates

Impact of varying renewal rates on a floor value analysis of recurring revenue as % of FTNT EV. Assumes a 75% runoff margin on cash recurring revenues


Fortinet has the least exposure to enterprise customers of the firewall names we are

initiating upon. Using IDC data (which splits appliance sales into server class: volume,

mid-range, and high end) as a proxy exhibits this. Only 20% of 1Q17 appliance revenue

was generated via high-end server deployments, or 40% less than Palo Alto Networks.




EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x





EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x



GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x


CHKP PANW FTNT

82%

67%

59%

53%49%

46%43%

41% 40% 39% 37%

30%

40%

50%

60%

70%

80%

90%

95% 90% 85% 80% 75% 70% 65% 60% 55% 50% 45%

FTNT

Renewal rate% o

f EV

acc

ount

ed fo

r by

Rec

urrin

g R

even

ue F

loor

5 September 2017

Cybersecurity 142

Figure 247: Fortinet Has Lower Share in the

High-End, and the Market Is Less Fragmented

Figure 248: Fortinet Has High Share in the Volume

Market, but It Is Fragmented

High-end server class market share (FTNT bottom in red) Volume server class market share (FTNT bottom in red)


Figure 249: Fortinet Has Low High-End Exposure…

Figure 250: …Relative to Competitors Such as

PANW

Fortinet 2016 Revenue Exposure by server class Palo Alto Networks 2016 Revenue Exposure by server class


Looking at Fortinet's own reported billings metrics gives some credence to the IDC data.

High-end units account for just under 40% of billings on a trailing 12-month basis.

Assuming the high end is somewhat flattered in billings as opposed to revenue (enterprise

customers are more likely to pay in advance), a similar picture emerges – Fortinet is more

SMB than enterprise focused.

0%

10%

20%

30%

40%

50%

60%

70%

2006 2008 2010 2012 2014 2016

0%

10%

20%

30%

40%

50%

60%

70%

2002 2004 2006 2008 2010 2012

High-end

Midrange

Volume

20%

24%56%

FTNT

Renewal rate

59%27%

14%

High-endMidrange

Volume

PANW

5 September 2017

Cybersecurity 143

Figure 251: Fortinet’s High-End Billings Have Grown Slightly in Recent Years

Percent of Reported Billings by Product Segment

Source: Company data, Credit Suisse Research.

While it seems plain that FTNT's primary success is not in the enterprise, we do credit it

with having grown high-end billings substantially faster (35% vs 25%) than entry and

mid-range billings. This corroborates Gartner’s assertion that ‘Fortinet is present in an

increasing number of these [enterprise firewall] deals visible to Gartner, often because it

offers “good enough” features at a significantly lower price.’ (G00294631)

Figure 252: High-End Billings Have Grown on Average Faster Than Entry and

Mid-Level, Albeit with More Volatility


The Low End Is Substantially More Competitive than High End

Not only are renewal rates less attractive outside the enterprise segment of the market,

but the lower end is also substantially more competitive. Using IDC revenue data to

estimate the Herfindahl-Hirschman Index (an indicator of competition) for each segment

IDC tracks reveals substantially more competition in the mid-range and volume segments

of the market. Not only are there more players, but we have been hearing of more

competitiveness as players such as WatchGuard and SonicWALL have made significant

strides more recently.

High-End

Mid-Range

Entry-Level

0%

20%

40%

60%

80%

100%

2009 2010 2011 2012 2013 2014 2015 2016 2017

25%

35%

0%

10%

20%

30%

40%

50%

60%

70%

80%

2010 2011 2012 2013 2014 2015 2016 2017

Entry Level Mid-Range High-End

5 September 2017

Cybersecurity 144

Figure 253: The Midrange and Volume Segment of the Market Are Substantially

Less Consolidated (and Therefore Competitive) than the High End

Herfindahl-Hirschman Index, 4Q moving average


Competition Tends to Translate into Price Pressure…

We believe consolidation translates to pricing power, and vice-versa. Therefore, we expect

higher levels of competition in the mid- and volume markets to translate into higher-price

competitiveness. Looking at the volume market ASP relative to the five largest market

players suggests that while there hasn’t been broad-based pressure, pricing has come

down for the five largest in aggregate.

Figure 254: Pricing for the Five Largest Players Appears to Have Been Slightly

More Pressured Relative to the Market as a Whole

ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)

Source: iDC, Credit Suisse Research.

If we look at pricing across the product spectrum for the five largest players since 2010, it

seems clear there has been weakness in volume relative to the high end. While the

mid-range hasn’t been weak, per se, it has been weaker than the high end since 2014.

0.00

0.05

0.10

0.15

0.20

0.25

2002 2004 2006 2008 2010 2012 2014 2016

High end, 4Qma Midrange, 4Qma Volume, 4Qma

1,000

1,300

1,600

1,900

2,200

2,500

2,800

1,000

1,200

1,400

1,600

1,800

2,000

2,200

2003 2005 2007 2009 2011 2013 2015 2017

Volume ASP Volume ASP (CHKP, PANW, FTNT, JNPR, CSCO)

5 September 2017

Cybersecurity 145

Figure 255: Pricing Has Been Strongest in the High End, Slightly Weaker in the

Mid-Range, and Weakest in Volume

CHKP, PANW, FTNT, JNPR, CSCO ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)


■ Carrier Exposure, a Challenge as They Virtualize

Fortinet's highly performant products have previously given the company an edge in the

telecom service provider vertical. Anecdotally, we believe FTNT to be the leader in this

vertical, and over the last 12 months, it has generated ~20% of billings from service

providers. While this has reduced slightly as a percent of total billings as other verticals

have grown faster, it remains a material part of FTNT's business and has slowed

substantially from 2015 highs in recent quarters; last quarter it was described by FTNT

CFO Mr. Del Matto as 'the most disappointing part of the business…' (Q2 2017 Fortinet

Earnings Call, Q&A Session).

Figure 256: Service Provider Has Grown in Dollar

Terms, but Reduced as a % of Billings

Figure 257: Growth Has Substantially Retreated

from 2015 Peaks and Was Weak Last Quarter

Service provider as a % of total billings, reported Service provider growth, implied from reported, y/y, %


We believe from conversations in the field that the service provider vertical is virtualizing

network infrastructure at an increasing rate. Discussions on FTNT's 2Q Q&A call, we think,

give credence to our view that carrier exposure is a risk.

0.6

0.7

0.8

0.9

1.0

1.1

1.2

2010 2011 2012 2013 2014 2015 2016 2017

Top-5 High-End ASP Top-5 Mid-range ASP Top-5 Volume ASP

10%

15%

20%

25%

30%

35%

2011 2012 2013 2014 2015 2016

Service provider share of billings

-10%

0%

10%

20%

30%

40%

50%

2012 2013 2014 2015 2016

Service provider verticalgrowth, y/y, %

5 September 2017

Cybersecurity 146

'…the AWS/Azure piece is growing fast. And also, the traditional service provider also

starting consider offer the cloud solution now. So that may delay some of their

decision whether what kind of an architecture or infrastructure they may moving

forward… Before, it's kind of a separate team for cloud and service provider. Now it's one

team, so we feel that's also helping, like make future trend or direction.'

– Ken Xie, Chairman CEO

'… I mentioned there is a cloud trend. So that also may take a little bit long time to

evaluate. And also we started to offer the new 7000 series, and that also takes a long time

to evaluate. So we have the new platform and especially in the bigger enterprise service

provider, they take a longer time and whether using the new one or the old one, also takes

some time. So we do see a lot of test and interesting discussion…'

– Ken Xie, Chairman CEO

'They [telecom carriers] are more focused on cash flow […] and they do more pay-as-

you-go. I think that’s a shift in their business.'

- Andrew Del Matto, CFO, 7/26/2017

'What's happening now is that really, large service providers and large enterprises,

some of them are trying to design and think about their next generation network…

that's not a trend that we saw in 2012 or 2013. It's not just a matter of refreshing gear,

what they bought how many years ago. It's really in strategic discussions on how they

move forward for the future years. '

– Michelle Spolver, Chief Communications Officer, 10/27/2016

Fortinet's exposure to the service provider vertical is significant, and thus any deferred

spending patterns or competitive threats with the segment bring material risk. As we show

in Figure 258, lumpy service provider demand (which we proxy through service provider

billings growth) has manifested in the company's reported product growth.

Figure 258: Service Provider Demand Patterns Have Material Impact on FTNT


■ Refresh Cycle Unlikely to Be a Near-Term Tailwind

Fortinet has started to speak about a refresh opportunity that it anticipates will contribute

to 2018 product revenues. We expect the impact of this refresh cycle to be somewhat

muted as the average refresh appears to be elongating to some degree.

'When you get into '18, that's 4 years ago roughly from that happening and then spending

started to happen in '14, early '14. So I think probably somewhere in '18, you would begin

to see that click…'


-20%

0%

20%

40%

60%

2013 2014 2015 2016 2017

Product Growth y/y (%)

Service Provider Billings Growth (%)

5 September 2017

Cybersecurity 147

Figure 259: Assuming a Five-Year Refresh Cycle Implies 2013 Was the Peak of

the Last Refresh Cycle…

Refreshed product as a % of total new product (assuming 5 year refresh rate and 75% renewal rate) 4QMA


'The refresh cycle. Most people, generally, the products are deployed for 3 to 5 years. I

mean, the life of the product, they can go beyond 5 years. And I think some customers

probably stretch it a little bit. But generally speaking, think about 3 to 5 years. You can

all look at the models. If you go back in history, it looks like '14 and '15 were pretty good

years. So maybe if you walk forward some average of the 3 to 5 year, you'll probably get a

sense. I don't -- when we talk about it internally, we're not thinking '17 or as much as

we're thinking somewhere beyond that. '17's probably a bit early.'


'… I would probably say the deal in the cycles are elongated more than they were

then, because it's sort of a dynamic shift that's happening …it takes a lot longer. It's

not just a matter of refreshing gear, what they bought how many years ago. It's really in

strategic discussions on how they move forward for the future years. So I would probably

say that the cycles are longer now than they were four years ago'.

– Michelle Spolver, Chief Communications Officer, 10/27/2016

Management have spoken about the previous refresh cycle as having begun in 'late '13,

that was really the kickoff for the last big, I think, spike, if you will, in spending. And then it

went on for a couple of years…' (Andrew Del Matto, CFO, 04/27/2017)

If we try and back that out via our (admittedly somewhat crude) new product calculation, it

appears that to fit into this time frame, the average refresh would have been between five-

and-a-half and seven years in length.

10%

15%

20%

25%

30%

2009 2010 2011 2012 2012 2013 2014 2015 2016

5 September 2017

Cybersecurity 148

Figure 260: Cycle Elongation Appears Evident When We Try to Back Out Fortinet's Internal Refresh Cycle

Refreshed product as a % of total product (assuming varying refresh cycle and 75% renewal rate) smoothed via 5Q centralized average


■ High Levels of Earnings Volatility Remain a Question Mark

Fortinet exhibits rather high levels of volatility around earnings announcements. While not

the foremost risk we have discussed, an average relative move of 7.4% since 2012 on

earnings is, we believe, worth investor cognizance. It would seem the business is more

difficult to forecast over the past couple of years, perhaps the result of a broader shift to

cloud and virtual infrastructure.

Figure 261: Fortinet an Average 7.4% Relative One-Day Move Following

Earnings

Stock price movement the day after earnings were reported

Source: FactSet, Credit Suisse Research.

5%

10%

15%

20%

25%

30%

35%

2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

4 years

4.5 years

5 years

5.5 years

6 years

6.5 years

7 years

-4%-4%

13%

-1%

-6%

8%

4%

-20%

11%9%

-8%

-1%

7%4%

2%1%

4%

-3%

21%

-17%

-25%

-15%

-5%

5%

15%

25%

20172016201520142013

5 September 2017

Cybersecurity 149

Risks to Our Thesis

Company Positives

■ ASIC Hardware Is a Relative Advantage

Under the leadership of Ken Xie, we believe Fortinet has become the industry leader in

ASIC (application-specific integrated circuit) based firewall appliances. Ken Xie said in

February 2017 that this endows Fortinet with a seven- to ten-year hardware advantage

compared with competitors.

'But on the cost base -- on the performance base, the ASIC definitely have a huge

advantage over the CPU. It can be 10x to 100x, more like computing advantage and also

the cost advantage there. But the virtual edition environments really, they can leverage

some of the free computing power…'

– Ken Xie, Founder, Chairman & CEO, 10/22/2015

ASIC architectures mean the hardware chips are specifically designed for select

use-cases. The use-case-specific nature of these processors results in substantial cost

advantages on a throughput basis, in addition to power saving relative to general purpose

hardware. Gartner notes, in particular, it accelerates packet processing for deep packet

inspection.

Ken Xie pioneered the use of ASIC technology for security appliances with his first

company, NetScreen, and has continued in the same vein with Fortinet. Fortinet was the

first company to increase firewall speed to one terabit per second in 2014, and our field

conversations and broader research confirm Fortinet is renowned for performance in

high-traffic conditions.

We believe performance and cost – the true benefits of custom hardware – have been key

contributors to FTNT's success in the carrier market where performance is key, and also in

the SMB market where cost is of primary import.

In competitive situations, ‘feedback from Gartner clients indicates that Fortinet wins when

value (dollar per protected MB) is a strong part of the evaluation. [Fortinet] has intrinsic

pricing advantages due to the way it produces its hardware.’ (G00294631)

Figure 262: Fortinet Offers Attractive Cost per Protected Packet According to

NSS Labs 2017 Firewall Test

Total Cost of Ownership per Protected Mbps

Source: NSS Labs, Credit Suisse Research.

0 5 10 15 20 25 30 35 40 45

Fortinet 6000

Sophos

Watchguard

Forcepoint

Fortinet 32000

Check Point

Palo Alto Networks

Cisco

Sonicawall

Barracuda Networks

Sonicwall

5 September 2017

Cybersecurity 150

We also believe the ASIC architecture enhances Fortinet's competitive advantage when it

comes to the internal segmentation firewall use-case. The higher speed of internal

networks requires high-speed, low-latency appliances, which in turn is best achieved via

purpose-built hardware.

We believe internal segmentation demand to be incremental, and given it tends to be

enterprises looking to implement these sorts of network architectures, the trend also offers

FTNT an opportunity to increase its high-end mix and market share.

'… the traditional firewall protection, even at the perimeter … is no longer enough. There

are so many ways you can bypass that… So that's where we see the big enterprise …

starting evaluating and consider all of this internal segmentation there … most of the

internal segmentation is all high end. They need high speed, like 40 gig, 100 gig, minimal

10 gig in the space, and also the same through port wire speed. Because the internal

network is much, much faster 10 to 100X faster than the Internet connection. So without

high speed, without low latency, they cannot deploy internally to do the segmentation.'

- Ken Xie, Founder, Chairman & CEO, 2Q2015 earnings call

While we expect internal segmentation demand to be incremental in nature, our field

conversations suggest customers aren’t yet segmenting their networks to the same

granularity needed to offset the rate at which network perimeters are dissolving.

Additionally, some enterprises eschew using security appliances, instead looking further

down the stack in their network topology and relying on the inherent security of products

such as VMware’s NSX to achieve their internal segmentation security goals.

■ Security Fabric Differentiates the Firm Through Product Integration

Fortinet emphasizes that its products are differentiated via their integration into a security

fabric. This unified end-to-endpoint approach to address all threats an enterprise might

face yields what we perceive to be a cohesive and comprehensive platform offering.

The fabric weaves together enterprise firewall, cloud security, advanced threat protection,

connected UTM, application security, secure access, and security operations.

Figure 263: Fortinet’s Goal Is to Create a Security 'Fabric' to Provide End-to-End

Enterprise Security

Source: Fortinet.

Client

Advanced Threat

Intelligence NOC/SOC

Cloud

Application

Partner API

Access

Network

5 September 2017

Cybersecurity 151

Customers demand strong integrated platforms, as they tend to outperform disparate

best-of-breed products in terms of efficacy, efficiency, and cost. We have addressed this

at length in section ‘TAM Expansion is Limited’.

The platform approach aggregates a number of adjacencies and is therefore accretive to

security appliance vendors’ TAMs. We believe this theme of aggregation to have been an

attractive security play over the last several years and FTNT to have been one of the most

successful consolidators, with products addressing a multiplicity of security pain points. A

recent example from June of 2016 is the acquisition of AccelOps, which adds the ~$2bn

SIEM (security information and event management) market to Fortinet’s TAM.

As a result, however, we think it will be even more difficult for FTNT relative to other

vendors to move the needle on its TAM. Additionally, given the majority of FTNT's value

proposition to customers is via consolidation and hardware, we are concerned by the

pressures it faces with disaggregation of adjacencies as workloads increasingly move to

the cloud.

■ Highly Rated Products

Fortinet products are highly rated. Whether during our conversations in the field, by

Gartner, NSS Labs, or other third-party reviews, Fortinet repeatedly stands out for the

depth, breath, integration, and particularly price performance of its security product

portfolio.

In the Enterprise Network Firewall (NGFW) market, the FortiGate offering has enjoyed

positive momentum over the last five years as it progressed from a challenger to leader in

Gartner’s magic quadrant. Prior to this, Fortinet had enjoyed five years of positive

momentum as it transitioned from the visionaries to challengers quadrants.

Figure 264: Fortinet Has Enjoyed Year-on-Year

Positive Momentum Toward the Leadership Quadrant

on Gartner's Enterprise Network Firewall MQ

Figure 265: Despite Slight Negative Momentum, in

Its Key Competency, UTM, Fortinet Has Been a

Leader Every Year Since Inception

Estimated based on 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Enterprise Network Firewall Magic Quadrants

Estimated based on 2009, 2010, 2012, 2013, 2014, 2015, 2016 and 2017 UTM (SMB multifunction firewall) Magic Quadrants

Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research.

Fortinet Fortinet

5 September 2017

Cybersecurity 152

Not only is Fortinet a leader in the Enterprise Network Firewall market, but it also the only

vendor to have remained a leader every year since 2009 on Gartner's Unified Threat

Management (UTM) magic quadrant.

If we look on a pure performance basis, NSS Labs (an independent security analysis and

testing firm) consistently ranks Fortinet highly relative to competitors on TCO per protected

Mbps and effectiveness in blocking simulated threats.

Figure 266: NSS Labs Consistently Ranks Fortinet Highly on Efficacy and Cost

Source: NSS Labs, Credit Suisse estimates.

Fortinet has substantially expanded its cloud offerings to help the security fabric scale to

the cloud. FortiGate VM integrates Fortinet and VMware products to help Fortinet scale to

software-defined networks, and Fortinet products are also available in both AWS and

Azure.

More broadly, Fortinet also offers FortiMail, which enables email screening and FortiWeb

for web application scanning and behavioral attack detection. Fortinet also provides

secure switching and access control solutions for network authentication. The company

offers single sign-on identity management with FortiAuthenticator and multi-factor tokens.

Fortinet allows customers to monitor the entire system with its FortiSIEM (security

information and event management) product. FortiSIEM allows customers to monitor their

security on a “single pane of glass” with cross-correlated analytics that can scale to IoT

devices and the cloud.

5 September 2017

Cybersecurity 153

It also offers enterprises the ability to integrate third-party products with its fabric as

“Fabric-Ready partners.” Fortinet recently added Microsoft as a partner to better expand

its cloud security capabilities. Fortinet currently counts 27 total partners. Fortinet’s wide

product offerings are designed to integrate all aspects of network security. Ken Xie says

that “our view is that if the network is involved, then we are there to protect it.”

■ Vision of the Xie Brothers Should Not Be Under-Estimated

We view the dual leadership of Fortinet by Ken and Michael Xie, CEO and CTO,

respectively, to be a key strength. We see the brothers' track record of innovation in the

space as supportive, and Ken Xie's commentary around the 'fourth era of firewall' (see

here) as evidence that Fortinet recognizes and is prepared (or preparing) to adapt its

strategy beyond its successful formula of the past five years.

The Xie brothers are legendary figures in the security industry. Ken has been the CEO of

Fortinet since the company’s inception in 2000. He started his first security company, SIS,

designing software firewalls while he was still studying for his second master’s degree at

Stanford.

Ahead of their time in understanding the limitations of selling software-only firewalls, Ken

and Michael founded one of the security industry's first aggregation plays – Netscreen – in

1996. Here, they developed and sold the industry's first ASIC-based firewall appliances.

Ken’s brother Michael has tended to hold technical positions, serving as chief architect for

NetScreen, and then chief technology officer since 2010 at Fortinet. In his tenure at

Fortinet, he has overseen execution of the brothers' consolidative vision for “unified threat

management,” the guiding tenet behind the Fortinet security fabric. Michael holds multiple

patents and is the author of several books.

While the benefits of founder-led technology companies are sometimes hard to quantify,

we look to Credit Suisse HOLT research, which shows since late 2014 founder-led have

substantially outperformed both S&P500 tech.

Figure 267: Founder-Led Technology Companies Have Outperformed Their

Non-Founder Led Peers and the S&P 500 Tech Index


Founder-led firms also generally place more emphasis on innovation, as evidenced by

increased cash deployed in R&D and capex, with greater research efficiency, as

evidenced by higher R&D turnover.

90

100

110

120

130

140

Aug 2014 Feb 2015 Aug 2015 Feb 2016 Aug 2016

Founder Led Tech Non-Founder Led Tech SP500 Tech

http://www.crn.com/news/security/300088101/the-firewall-evolution-fortinet-ceo-says-security-vendor-prepping-for-the-fourth-generation-of-firewall-market.htm

5 September 2017

Cybersecurity 154

Figure 268: Founder-Led Firms Deploy

More of Their Cash Toward R&D and

Capex

Figure 269: Founder-Led Firms Are

Also More Efficient in R&D, with

Higher Turnover

R&D + Capex as a percentage of cash deployed Sales/Capitalized R&D

Source: Credit Suisse HOLT. Source: Credit Suisse HOLT.

It's worth noting that with Gil Shwed at Check Point and Nir Zuk at Palo Alto, it appears

almost a pre-requisite for success that at-scale NGFW vendors have retained a

founder technologist executive.

Therefore, while it remains a benefit, we don't think this represents a material advantage

on a relative basis. Illustrating this, CHKP has the best R&D efficiency of the peer group

(software >5bn in market cap) followed by FTNT and PANW, both in the top-third.

Figure 270: PANW & FTNT Have Above Average R&D Efficiency

Sales / Capitalized R&D (R&D Efficiency), Software >5bn in market capitalization

Source: Credit Suisse HOLT, Credit Suisse Research.

Additionally, while FTNT devotes the most to R&D as a percentage of revenue, both

PANW and CHKP spend more in dollar terms.

62.8%

40.3%

0%

10%

20%

30%

40%

50%

60%

70%

Founder Ran Non-Founder Ran

2.1

1.8

1.6

1.7

1.8

1.9

2.0

2.1

2.2

Founder Ran Non-Founder Ran

2.92.3

2.22.12.1

2.02.02.0

1.91.7

1.61.61.6

1.51.51.5

1.31.31.3

1.21.2

0.90.9

0.7

CHKPVEEVCRM

OTEXULTI

FTNTLOGMPANW

NOWMSFTADBECTXSORCL

CAINTURHT

SPLKSYMCVMW

GWREDATATEAMWDAYADSK

5 September 2017

Cybersecurity 155

Figure 271: Palo Alto Spends the Most on R&D in

Absolute Dollar Terms…

Figure 272: … FTNT Spends 180bps More than

PANW and 370bps More than CHKP as % of Revenue

Non-GAAP R&D Expense, quarterly, $m Non-GAAP R&D Expense, % of revenue, 4Q rolling average

Source: Company data, Credit Suisse Research, Credit Suisse Estimates. Source: Company data, Credit Suisse Research, Credit Suisse Estimates.

■ Fully Ramped Sales Capacity

Fortinet has invested heavily in its go-to-market engine, which has more recently stabilized

and ramped to productivity. The company sees additional tailwinds from its 'fork-lift'

investments in its sales and marketing model, guiding for operating margin improvement of

150bps to 200bps per year, aiming for 25% OM by 2022, and long-term OM of 25%.

"We feel like we've made a lot of the forklift investments we needed to make to just get

the marketing team, the business, the process in place for the lead generation and giving

them information to expand our footprint within the installed base."

- Andrew H. Del Matto, CFO, 7th August 2017

"And then we've also made big investments in our sales and marketing go-to-market

engine in the enterprise over the last really 3 or 4 years. And that's a forklift investment

that we're pretty much through. And so now we're basically focused on just

productivity -- driving productivity and sales, which drives a lower cost of sales and

marketing. And again, that's how -- the combination of that, the lower sales and marketing

costs through the higher productivity, scaling that out along with the higher gross margin

drives an expanded margin"

- Andrew H. Del Matto, CFO, 13th June 2017

We see indications of a productivity ramp, as shown in Figure 273, with a recovering

billings per S&M employee as well as revenues per S&M employee. Also, we do point out

that product revenue metrics as well as new business metrics seem to be stabilizing.

0

10

20

30

40

50

60

2010 2011 2012 2013 2014 2015 2016

FTNT PANW CHKP

5%

7%

9%

11%

13%

15%

17%

19%

21%

2010 2011 2012 2013 2014 2015 2016

CHKP FTNT PANW

5 September 2017

Cybersecurity 156

Figure 273: Billings Indicates Recovery… Figure 274: ...Product and New Business Stabilizing

Billings in US$ thousand Product and Overall revenues in US$ thousands


■ Leverage from Rising Subscriptions

Fortinet is also benefiting from a rising subscription mix, up ~5% over the last two years,

with GM rising from 71% to 75%. We see the rising mix of high-margin subscription as a

tailwind for GM, combined with investments made in go-to-market resulting in a higher OM

profile.

"We feel like we've built that go-to-market model out. … we guided operating margin

improvement after 2017 of 150 to 200 basis points per year, with the goal of reaching 25%

operating margins by 2022. So the goal is 25% operating margins by 2022. And then

we want to remain in the range of 25% to 30% thereafter…. the way you get there, again,

is drive the higher-margin recurring revenue streams, expand the gross margin"

- Andrew H. Del Matto, CFO, 13th June 2017

Figure 275: Subscription Mix Rising… Figure 276: …with a Rising Corp. Gross Margin

Fortinet Billings Mix Fortinet Gross Margin, %


$k

$200k

$400k

$600k

$800k

$1000k

$k

$50k

$100k

$150k

$200k

$250k

Jun-14 Jun-16

Current Billings/ (S+M employees)Billings TTM/ (S+M employees)

$k

$50k

$100k

$150k

$200k

$250k

Jun-14 Jun-16

Product/(S+M employees)Revenues/(S+M employees)

47% 47% 43%

51% 50% 55%

0%

25%

50%

75%

100%

2014 2015 2016

ProfessionalServices

Subscription,Support &Maintenance

Product

67.5%

70.0%

72.5%

75.0%

77.5%

2014 2015 2016 2017

Gross Margin (%)

5 September 2017

Cybersecurity 157

■ International Exposure and Diversified Customer Verticals

Fortinet also has a large international business, with ~60% of LTM revenues outside of the

Americas. In terms of customer verticals, service providers, governments and financial

services remain the biggest verticals (in terms of Billings). We do highlight that the

exposure to international markets also comes with potential FX impact as well as inherent

lumpiness from high exposure to a service provider.

"We are a little more exposed than other companies are to Europe because of our globally

distributed business."

- Kelly Blough, IR, 26 July 2017

Figure 277: International Business Accounts for

Majority of Sales…

Figure 278: ..with Service Providers, Govt, and

Financials Verticals Largest for Billings

Revenue by Geography LTM Verticals by bookings, LTM

Source: Company data. Source: Company data.

■ Appears Less Expensive on a Growth-Adjusted Basis

On a growth-adjusted basis, FTNT appears less expensive, almost across the board. We

would highlight that on a recurring revenue basis, it trades almost exactly in-line with

PANW. (Given FTNT's lower recurring rates, perhaps investors slightly undervalue

PANW's subscription and maintenance revenue stream?)

Figure 279: Valuation Matrix Metric Specific Growth Adjusted


Americas

EMEA

APAC

42%

42%

37%

21%

FTNT

Service Provider

Government

Financial ServicesEducation

Retail

Others 20.5%

15.6%

12.0%10.1%

8.2%

33.5%

FTNT

Growth adjusted (metric specific)



EV/UFCF 1.75 1.70 0.77 0.67 0.44 0.41





EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22


Non-GAAP P/E 2.19 2.09 1.65 1.48 1.75 1.57

GAAP P/E 2.45 2.33 n/a n/a 1.09 0.87


CHKP PANW FTNT

5 September 2017

Cybersecurity 158

Figure 280: Valuation Matrix Revenue Growth Adjusted


■ Becomes a Strategic Asset in a Consolidating Sector

We do appreciate the strategic value of Fortinet, the smallest of three firewall names

analyzed herein. One potential suitor for the company might be Symantec, which might

see value in combining firewall and Bluecoat proxy solutions in a consolidation play. This

becomes especially true if proxy becomes integrated into NGFW even more and

Symantec realizes that it has to offer a complete solution to be competitive.

On the other hand, Fortinet itself developed organically for the most part as a founder-led

company. Any potential strategic play would have material integration risk, in terms of

retaining top talent (including the founders). We note the debacle of the

Juniper-Netscreen acquisition, where the business struggled to survive as part of a larger

organization and lost share to rivals.




EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82





EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22


Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49

GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32


CHKP PANW FTNT

5 September 2017

Cybersecurity 159

Management and Board

Management

Fortinet remains a founder-led company. Brothers Ken and Michael Xie, who founded the

company together in 2000, serve as CEO and CTO, respectively. Other senior

management have a range of technical and industry experience. Philip Quade, the chief

security officer, previously led the Cyber Task Force at the NSA, for example.

Figure 281: FTNT Executive Management


Fortinet management scores near the median on most of the metrics we track. C-Suite

experience is distributed mostly across CEO and VP level positions, with few former

CFOs. There is also limited financial services experience on the Fortinet management

team.

Name Compensation Beneficial ownership of shares C-Suite Experience


Age Joined Salary ($) Bonus ($) Stock($) Number of Value of

Shares Shares

Ken Xie 2000 $437,750 $301,689 $1,474,006 12,481,891 $478,056,425 ■ Founder and Chief Executive Officer, Fortinet: 2000-2017

CEO and Chairman ■ Founder, President and Chief Executive Officer, NetScreen Technologies:1996-2000

54 ■ Founder, SIS: 1993-1996

■ MS: Stanford University, MS, BA: Tsinghua University

Michael Xie 2000 $386,250 $133,138 $1,343,805 12,432,000 $476,145,600 ■ Founder and Chief Technology Officer, Fortinet: 2000-2017

President, CTO, and Director ■ Former Vice President of Engineering, ServGate Technologies

48 ■ Former Software Director and Architech, NetScreen

■ MS: Tsinghua University, MS: University of Manitoba

Andrew Del Matto 2014 $403,143 $206,555 $975,303 31,541 $1,208,020 ■ Chief Financial Officer, Fortinet: 2014-2017

Chief Financial Officer ■ Various Executive Positions, including Chief Accounting Officer, Symantec: 2005-2013

58 ■ Senior Finance Leadership Roles, Inktomi

■ MBA: Golden Gate University, BS: Ohio University

John Whittle 2006 $354,868 $170,086 $975,303 64,158 $2,457,251 ■ Vice President and General Counsel, Fortinet: 2006-Present

VP, Corporate Development, ■ Vice President and General Counsel, Corio: 2000-2005

General Counsel ■ Attorney, Wilson Sonsin Goodrich & Rosati: 1996-2000

48 ■ JD: Cornell University, BA: University of Virginia

Philip Quade 2017 NA NA NA NA NA ■ Former NSA Director's Special Assistant for Cyber

Chief Information Security Officer ■ Former Chief of the NSA Cyber Task Force, with White House Relationship Responsibility

■ Former Chief Operating Officer, NSA Information Assurance Directorate

■ BS: University of Maryland

Patrice Perche 2004 NA NA NA NA NA ■ Executive Vice President, Fortinet: 2005-Present

Sr. EVP, Worldwide Sales ■ Co-Founder and CEO, Risc Group

■ Over 20 Years of IT Industry Experience

■ MS: Insa Lyon

John Maddison 2012 NA NA NA NA NA ■ Vice President, Fortinet: 2012-Present

SVP, Products and Solutions ■ Former General Manager and Senior Vice President, Trend Micro

■ Former Senior Director of Product Management, Lucent Technologies

■ BS: Plymouth University, United Kingdom

Lisa McGill 2016 NA NA NA NA NA ■ Former Senior Vice President, Brocade Communications

SVP, People ■ Former Senior Vice President, Foundry Networks

■ Held Various Senior Human Resources Positions at Alcatel and PricewaterhouseCoopers

■ MBA: Pepperdine University, BS: University of Phoenix

Stacey Wu 2016 NA NA NA NA NA ■ Former Vice President, Marketing and Demand Generation, Avaya

SVP, Global Marketing ■ Former Vice President, Strategic Marketing and Planning, Symantec

■ Held Various Marketing Leadership Positions at Check Point, NEC, and HP

■ MBA: Massachusetts Institute of Technology, BS: San Francisco State University

5 September 2017

Cybersecurity 160

Figure 282: Fortinet Scores Toward the Middle of

the Pack in Overall Experience

Figure 283: It Also Is Close to Average in C-Suite

Experience


Board

Ken Xie and Michael Xie form the backbone of the board, but figures from outside tech,

such as Gary Locke, the former US ambassador to China, and William Neukom, the

former president of the American Bar Association, are also represented.

0 5 10 15 20 25 30 35

ORCL

VMW

AKAM

RHT

SPLK

FTNT

PANW

SYMC

NOW

HDP

CHKP

Management Experience Per Executive

Relevant Industry

Other Executive

CEO/CFO

Other Industry

Finance

0 5 10 15 20

ORCL

CHKP

VMW

RHT

SPLK

AKAM

FTNT

HDP

SYMC

PANW

NOW

Management C-Suite Experience Per Executive

VP CEO CFO

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

161

Figure 284: FTNT Board




Age Since? Director? Affiliations? Number of Value of Audit Comp. Gov.

Shares Shares

Ken Xie 2000 No 1 12,481,891 $478,056,425 ■ Founder and Chief Executive Officer, Fortinet: 2000-2017

CEO and Chairman ■ Founder, President and Chief Executive Officer, NetScreen Technologies:1996-2000

54 ■ Founder, SIS: 1993-1996

■ MS: Stanford University, MS, BA: Tsinghua University

Michael Xie 2001 No 0 12,432,000 $476,145,600 ■ Founder and Chief Technology Officer, Fortinet: 2000-2017

President, CTO, and Director ■ Former Vice President of Engineering, ServGate Technologies

48 ■ Former Software Director and Architech, NetScreen

■ MS: Tsinghua University, MS: University of Manitoba

Ming Hsieh 2013 Yes 1 5,332 $204,216 a a a ■ Chairman and Chief Executive Officer, Fulgent Therapeutics: 2012-Present

Director ■ President, 3M Cogent: 2010-2012

61 ■ Founder, President, and Chief Executive Officer, Cogent: 1990-2010

■ MS, BS: University of Southern California

Gary Locke 2015 Yes 2 13,750 $526,625 a ■ Chairman, Locke Global Strategies

Director Chair ■ United States Ambassador to China: 2011-2014

67 ■ United States Secretary of Commerce: 2009-2011

■ JD: Boston University, BA: Yale University

William Neukom 2013 Yes 1 39,275 $1,504,233 a a ■ Founder, President, and Chief Executive Officer, World Justice Project: 2006-Present

Director Chair ■ President, American Bar Association: 2007-2008

75 ■ Managing General Partner and Chief Executive Officer, San Francisco Baseball Associates: 2008-2011

■ LL.B: Stanford University, BA: Dartmouth College

Christopher Paisley 2004 Yes 5 68,275 $2,614,933 a a ■ Dean's Executive Professor of Accounting, Leavey School of Business: 2001-Present

Director Chair ■ Former Chief Financial Officer, 3Com: 1985-2000

64 ■ Director, Equinix

■ MBA: Universicle of California, Los Angeles, BA: University of California, Santa Barbara

Judith Sim 2015 Yes 0 15,000 $574,500 a ■ Chief Marketing Officer, Oracle: 2005-Present

Director ■ Various Marketing and Customer-Related Positions, Oracle: 1991-2005

48 ■ BS: University of California, Davis

5 September 2017

Cybersecurity 162

As with management, the board scores near average on most of the metrics on our

scorecard. Experience per director is close to the median, though the breadth of different

backgrounds is wider than most. In the aggregate, experience is slightly below average

since the board is small.

Figure 285: Fortinet Has a Wide Spectrum of

Experience on Its Board

Figure 286: Due to the Smaller Size, Aggregate

Experience Is Lower


Fortinet has two law degrees on its board, more on a per-director basis than any other

company in our coverage. Gary Locke received a JD from Boston University and William

Neukom achieved an LLB from Stanford.

Figure 287: Fortinet Has More Law Degrees than Any Other Company in Our

Coverage Universe


0 5 10 15 20 25 30 35 40

AKAM

CHKP

ORCL

SPLK

VMW

NOW

FTNT

RHT

PANW

HDP

SYMC

Board Experience Per Director

Relevant Industry

Other Executive

CEO/CFO

Other Industry

Finance

0 50 100 150 200 250 300 350 400

AKAM

ORCL

NOW

CHKP

SYMC

PANW

SPLK

VMW

RHT

FTNT

HDP

Aggregate Board Experience

Relevant Industry

Other Executive

CEO/CFO

Other Industry

Finance

0 0.5 1 1.5 2

SYMC

ORCL

RHT

FTNT

AKAM

NOW

HDP

CHKP

PANW

SPLK

VMW

Degrees Per Director

BA/BS

MBA

MS

JD

PhD

5 September 2017

Cybersecurity 163

Valuation We use Discounted Cash Flows to estimate the intrinsic value for FTNT at $33/share,

representing 14% downside. This informs our Underperform Rating, and is supported by

our multiples based relative valuation work. In addition, we have constructed blue-sky and



Figure 288: Blue-Sky/Grey-Sky Pricing Figure 289: Blue-Sky/Grey-Sky Schematic

Source: Check Point, Credit Suisse estimates. Source: Check Point, Credit Suisse estimates.

Target Scenario

Our base case assumes a five-year transition period, with FCF growth declining smoothly

from an estimated 5% in 2020. This scenario assumes the firewall market decelerates

broadly in-line with our expectations (we model a 1.5% terminal growth rate from 2026E),

and Fortinet is disproportionately impacted due to its exposure to service providers.

Blue-Sky Scenario


free cash growth, which assumes Fortinet enjoys a stronger-than-expected appliance

refresh cycle tailwind, in addition to virtual firewall retaining more relevance than we

expect, and FTNT successfully sells into this virtual market. Our blue-sky scenario yields a

$44 warranted price, which represents 14% upside potential.

Grey-Sky Scenario


growth assumption. The scenario results in a share price of $30, implying 23% downside

risk to the current share price. In this scenario, Fortinet struggles to attain significant virtual

share; this is against a backdrop of declining firewall relevance and significant price

pressures.

Current Price $38 16.4x FY18E uFCF (SBC adj.)

Target Price $33 -14% 13.5x FY18E uFCF (SBC adj.)

Blue Sky $44 14% 19.3x FY18E uFCF (SBC adj.)

Grey sky $30 -23% 11.7x FY18E uFCF (SBC adj.)

This scenario assumes the firewall market decelerates broadly in line with our

expectations (we model a 1% terminal growth rate from 2026E), and Fortinet is

disproportionately impacted due to its exposure to Service providers.

Fortinet enjoys a stronger than expected appliance refresh cycle tailwind in addition to

virtual firewall retaining more relevance than we expect, and FTNT successfully selling

into this virtual market.

Fortinet struggles to attain significant virtual share, this is against a backdrop of

declining firewall relevance and significant price pressures.

Target Price

Current Price

Grey Sky

Blue Sky

$33

$38

$30

$44

5 September 2017

Cybersecurity 164

Figure 290: Share Price Sensitivity to Cost of Equity and UFCF Growth Rate


Figure 291: Fortinet Valuation Matrix


Share price sensitivity to cost of equity and UFCF growth rate

Unlevered Free Cash Flow FY3 growth rate

33.46557 5.0% 7.0% 9.0% 11.0% 13.0% 15.0% 17.0% 19.0% 21.0%

8.0% $38 $40 $42 $44 $46 $48 $50 $52 $54

8.5% $37 $39 $40 $42 $44 $46 $48 $50 $52

9.0% $36 $37 $39 $40 $42 $44 $46 $48 $50

9.5% $35 $36 $38 $39 $41 $42 $44 $46 $48

Terminal 10.0% $34 $35 $37 $38 $40 $41 $43 $45 $46

Cost of 10.5% $33 $34 $36 $37 $39 $40 $42 $43 $45

Equity 11.0% $32 $34 $35 $36 $38 $39 $41 $42 $44

11.5% $32 $33 $34 $35 $37 $38 $40 $41 $43

12.0% $31 $32 $33 $35 $36 $37 $39 $40 $42

12.5% $30 $32 $33 $34 $35 $37 $38 $39 $41

13.0% $30 $31 $32 $33 $35 $36 $37 $39 $40

13.5% $30 $31 $32 $33 $34 $35 $36 $38 $39

14.0% $29 $30 $31 $32 $33 $35 $36 $37 $39

14.5% $29 $30 $31 $32 $33 $34 $35 $37 $38

Valuation Matrix 2015 (A) 2016 (A) 2017 (E) 2018 (E) NTM LTM

Sales $1,009 $1,275 $1,493 $1,657 2 $1,539 $1,331

EBITDA $133 $193 $238 $292 3 $253 $206

EPS $0.51 $0.74 $0.94 $1.10 4 $0.99 $0.80

CFO $283 $340 $466 $541 5 $505 $369

FCF $283 $340 $466 $541 6 $505 $369

UFCF $242 $268 $309 $439 7 $335 $313

EV/Sales 4.7x 3.8x 3.2x 2.9x 3.1x 3.6x

EV/EBITDA 35.9x 24.8x 20.1x 16.4x 18.9x 23.2x

P/E 72.2x 49.7x 39.1x 8.4x 9.3x 11.6x

EV/CFO 16.9x 14.1x 10.3x 8.9x 9.5x 13.0x

EV/FCF 16.9x 14.1x 10.3x 8.9x 9.5x 13.0x

EV/UFCF 19.8x 17.8x 15.5x 10.9x 14.3x 15.3x

EV/Sales 5.3x 4.2x 3.6x 3.2x 3.5x 4.0x

EV/EBITDA 40.4x 27.9x 22.6x 18.4x 21.3x 26.1x

P/E 72.2x 49.7x 39.1x 33.5x 37.3x 46.4x

EV/CFO 19.0x 15.8x 11.5x 10.0x 10.7x 14.6x

EV/FCF 19.0x 15.8x 11.5x 10.0x 10.7x 14.6x

EV/UFCF 22.3x 20.1x 17.4x 12.2x 16.1x 17.2x

y/y, % y/y, % y/y, % y/y, % CAGR

Revenue 31.0% 26.4% 17.0% 11.0% 18.0%

EBITDA 9.2% 44.9% 23.3% 22.4% 29.8%

EPS 7.0% 45.2% 27.3% 16.6% 29.2%

CFO 43.7% 20.4% 37.1% 15.9% 24.2%

FCF 43.7% 20.4% 37.1% 15.9% 24.2%

UFCF 50.2% 10.9% 15.1% 42.4% 22.0%

Esti

mate

sTarg

et

Cu

rre

nt

Gro

wth

5 September 2017

Cybersecurity 165

Figure 292: Fortinet DCF Scenarios


‘

Target Price


2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity

Period 1 2 3 4 5 6 7 8 9 10


Beta 1.40 1.40 1.40 1.40 1.40 1.40 1.40 1.40 1.33 1.26 1.20 1.13 1.07 1.00

Market rate of return 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%

Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2%

FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 6.5% 5.0% 4.4% 3.8% 3.3% 2.7% 2.1% 1.5%

Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80

Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 468 491 513 533 550 565 576 585 6,694


SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5%

FCF adjusted for SBC 98.8 119.6 178.6 181.0 208.8 327.4 348.7 366.1 398.5 430.6 462.0 492.2 520.7 547.0 6,693.7


Cumulative NPV of FCF ($M) 196.7 478.7 745.1 993.3 1,233.9 1,466.2 1,689.9 1,904.4 2,109.5 4,501





Total NPV/Share 33



Blue Sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value dist ribut ion


Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2%

FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 15.0% 12.0% 10.4% 8.8% 7.3% 5.7% 4.1% 2.5%

Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80

Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 505 566 625 680 729 771 802 822 10,622


SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5% 0%



Cumulative NPV of FCF ($M) 196.7 478.7 766.3 1,052.2 1,345.3 1,641.9 1,938.5 2,231.3 2,516.7 6,312



NPV/Share of FCF 35


Total NPV/Share 44



Grey sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value dist ribut ion


Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2%

FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 6.0% 3.0% 2.5% 2.0% 1.5% 1.0% 0.5% 0.0%

Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80

Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 466 480 492 501 509 514 517 517 5,046

Stock Based Compensation Expense 31.1 41.3 66.6 87.1 99.8 111.9 0.0 0 0 0 0 0 0 0 0

SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5% 0%



Cumulative NPV of FCF ($M) 197 479 744 986 1,217 1,436 1,643 1,838 2,022 3,825



NPV/Share of FCF 21.5


Total NPV/Share 29.669834



5 September 2017

Cybersecurity 166

HOLT

FTNT – HOLT Market-Implied Scenario and Sensitivity Analysis

Assuming margins rise from consensus levels of 10% to historical peak of 22%, FTNT’s

current price of $38 implies a sales CAGR of 8% over the next ten years

Figure 293: CFROI® (%) Figure 294: Valuation Sensitivity Analysis



■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4 onward are assumed to

rise up to 21.5% based on historical peak levels

■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, we solved for the implied

CAGR required to get to the respective values per share

■ Asset Efficiency: assumed constant from LFY levels

■ Fade Window: Used ten years of explicit forecasts for comparison with CHKP


returns on capital and growth toward cost of capital and GDP growth, respectively

Figure 295: Operating Projections Implied by Current Price: $37 per Share


5.9

16.8

0

3

6

9

12

15

18

2007 2011 2015 2019 2023


-200 bps 0 bps +200 bps +400 bps +600 bps +800 bps

6.0% 8.0% 10.0% 12.0% 14.0% 16.0%

- 1200 bps 9.5% $17 $20 $23 $27 $33 $40

- 900 bps 12.5% $21 $24 $29 $35 $42 $52

- 600 bps 15.5% $25 $29 $35 $42 $51 $64

- 300 bps 18.5% $28 $34 $41 $49 $61 $75

0 bps 21.5% $32 $38 $46 $57 $70 $87

+ 300 bps 24.5% $36 $43 $52 $64 $79 $98

26E EBITDA

Margins ˅


16.9

8.0

(10)

0

10

20

30

2007 2011 2015 2019 2023


9.5

21.5

0

8

16

24

32

2007 2011 2015 2019 2023Historical margins Forecast

Margins w/o SBC

Assumed long term margins to rise from

9.5% to historical peak of 21.5%

1 Solved for the long term sales CAGR

required to get to current price of $38

2

Consensus

Consensus

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

167

Figure 296: Fortinet Income Statement, Non-GAAP


Fortinet (FTNT)

Income Statement$ in Millions except per share items

Fiscal year end: December 31

2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E)

Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18 2Q18 3Q18 4Q18 Full Year

Pro-Forma Income Statement

Product Revenue 476.8 124.6 136.6 128.0 158.9 548.1 135.3 142.7 138.2 168.5 584.6 138.0 148.4 142.4 175.2 603.9

Services and Other Revenue 532.5 160.0 174.8 188.7 203.9 727.3 205.3 220.8 232.9 249.2 908.2 248.9 257.7 267.2 279.3 1,053.1

Total Revenues 1,009.3 284.6 311.4 316.6 362.8 1,275.4 340.6 363.5 371.1 417.7 1,492.8 386.8 406.1 409.6 454.5 1,657.0

y/y change 31% 34% 30% 22% 22% 26% 20% 17% 17% 15% 17% 14% 12% 10% 9% 11%

Total Cost of Revenue, non-GAAP 274.0 74.1 79.8 79.4 85.3 318.6 85.6 90.6 92.2 105.6 374.1 94.5 100.1 99.0 114.6 408.2

Cost of Product Revenue 184.7 47.9 50.2 47.1 53.3 198.5 52.7 58.2 58.0 69.1 238.0 57.9 62.3 59.8 73.6 253.6

% product gross margin 61% 62% 63% 63% 66% 64% 61% 59% 58% 59% 59% 58% 58% 58% 58% 58%

Cost of Services and Other Revenue 89.3 26.2 29.6 32.3 32.0 120.1 33.0 32.4 34.2 36.6 136.1 36.5 37.8 39.2 41.0 154.5

% services gross margin 83% 84% 83% 83% 84% 83% 84% 85% 85% 85% 85% 85% 85% 85% 85% 85%

Non-GAAP Gross Profit 735.3 210.5 231.6 237.2 277.6 956.9 255.0 272.9 278.9 312.0 1,118.7 292.4 305.9 310.6 339.9 1,248.8

% Non-GAAP Gross Margin 73% 74% 74% 75% 76% 75% 75% 75% 75% 75% 75% 76% 75% 76% 75% 75%

Research and Development, non-GAAP 133.6 37.6 38.0 39.6 37.7 153.0 43.3 42.9 47.9 56.0 190.0 47.2 48.7 50.8 58.2 204.9

% of total revenue 13% 13% 12% 13% 10% 12% 13% 12% 13% 13% 13% 12% 12% 12% 13% 12%

Sales and Marketing, non-GAAP 420.9 130.3 145.7 137.5 144.9 558.4 151.4 146.6 155.9 167.1 620.9 170.0 170.6 170.0 172.7 683.2

% of total revenue 42% 46% 47% 43% 40% 44% 44% 40% 42% 40% 42% 44% 42% 42% 38% 41%

General and Administrative, non-GAAP 50.4 12.9 12.1 14.4 13.8 53.2 17.3 17.7 17.1 17.5 69.6 17.7 17.7 16.8 16.8 69.1

% of total revenue 5% 5% 4% 5% 4% 4% 5% 5% 5% 4% 5% 5% 4% 4% 4% 4%

Other non-GAAP Adjustments 2.9 0.4 0.3 0.2 0.0 0.8 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Total Operating Expenses, non-GAAP 602.0 180.4 195.6 191.3 196.4 763.8 212.0 207.2 220.8 240.6 880.5 235.0 237.0 237.6 247.7 957.2

y/y change 41% 37% 35% 23% 15% 27% 17% 6% 15% 22% 15% 11% 14% 8% 3% 9%

% of total revenue 60% 63% 63% 60% 54% 60% 62% 57% 60% 58% 59% 61% 58% 58% 55% 58%

Non-GAAP Operating Income 133.3 30.1 36.0 45.9 81.1 193.1 43.0 65.7 58.1 71.5 238.2 57.4 68.9 73.0 92.2 291.6

% Non-GAAP Operating Margin 13% 11% 12% 15% 22% 15% 13% 18% 16% 17% 16% 15% 17% 18% 20% 18%

Total Other Income (Expense), GAAP 2.1 0.4 0.4 1.1 -1.7 0.2 2.7 4.4 3.0 3.0 13.1 3.0 3.0 3.0 3.0 12.0

Income Before Taxes 135.5 30.5 36.3 47.0 79.4 193.3 45.7 70.1 61.1 74.5 251.3 60.4 71.9 76.0 95.2 303.6

Income Taxes 46.1 10.4 12.4 14.9 26.2 63.8 14.6 22.4 19.5 23.8 80.4 19.3 23.0 24.3 30.5 97.1

Effective Tax Rate 34% 34% 34% 32% 33% 33% 32% 32% 32% 32% 32% 32% 32% 32% 32% 32%

Non-GAAP Net Income 89.4 20.1 24.0 32.2 53.2 129.5 31.0 47.7 41.5 50.6 170.9 41.1 48.9 51.7 64.8 206.4TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE

Diluted Non-GAAP EPS $0.51 $0.12 $0.14 $0.18 $0.30 $0.74 $0.17 $0.27 $0.23 $0.27 $0.94 $0.22 $0.26 $0.27 $0.34 $1.10

Diluted Shares Outstanding 174.9 174.3 172.1 177.9 176.7 174.6 178.3 179.7 181.6 184.3 181.0 185.6 186.8 188.1 189.3 187.4




[email protected]


[email protected]

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

168

Figure 297: Fortinet Balance Sheet


Fortinet (FTNT)

Balance Sheet$ in Millions except per share items




Current Assets

Cash and cash equivalents 543.3 568.0 596.4 647.5 709.0 709.0 823.2 853.1 863.5 903.0 903.0 1,005.9 1,104.6 1,176.3 1,190.5 1,190.5

Short-term investments 348.1 384.6 388.4 382.9 376.5 376.5 375.4 354.2 354.2 354.2 354.2 354.2 354.2 354.2 354.2 354.2

Accounts receivable, net 259.6 220.1 254.4 239.0 313.0 313.0 270.1 274.5 271.4 352.9 352.9 302.4 307.4 303.7 370.1 370.1

Inventory 83.9 78.2 81.2 93.7 106.9 106.9 105.0 86.4 92.8 125.3 125.3 119.9 105.6 122.9 159.1 159.1

Prepaid expenses and other current assets 35.8 34.7 33.5 31.7 33.3 33.3 42.3 36.4 44.7 46.3 46.3 55.7 47.6 46.1 54.5 54.5Deferred cost of revenuesTotal Current Assets 1,270.5 1,285.7 1,353.9 1,394.9 1,538.7 1,538.7 1,616.1 1,604.6 1,626.5 1,781.7 1,781.7 1,838.1 1,919.4 2,003.2 2,128.4 2,128.4

Non-Current Assets

Long-term investments 273.0 241.9 237.2 240.2 225.0 225.0 242.3 257.6 257.6 257.6 257.6 257.6 257.6 257.6 257.6 257.6

Property and equipment, net 91.1 115.8 125.6 126.1 137.2 137.2 155.5 238.5 253.8 250.5 250.5 256.7 259.2 257.6 265.1 265.1Deferred cost of revenuesDeferred tax assets 119.2 131.7 180.8 189.4 182.7 182.7 199.2 207.0 216.7 227.1 227.1 228.2 235.4 241.7 281.8 281.8

Goodwill 4.7 4.7 14.2 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6

Intangible assets, net 17.6 16.5 31.5 27.8 24.8 24.8 22.5 20.3 18.3 16.5 16.5 14.9 13.5 12.1 11.0 11.0

Other assets 14.4 15.3 16.9 17.1 16.9 16.9 17.2 18.0 20.1 20.8 20.8 20.2 21.1 21.9 22.7 22.7

Total Assets 1,790.5 1,811.5 1,960.2 2,010.2 2,139.9 2,139.9 2,267.4 2,360.7 2,407.7 2,568.9 2,568.9 2,630.3 2,720.8 2,808.6 2,981.1 2,981.1

Current Liabil ities

Accounts payable 61.5 48.0 56.9 57.5 56.7 56.7 48.7 42.2 43.4 62.4 62.4 55.8 47.3 48.3 68.0 68.0

Accrued liabilities 33.0 33.5 32.9 37.3 35.6 35.6 43.4 41.2 40.8 45.9 45.9 42.5 44.7 45.1 50.0 50.0

Accrued payroll and compensation 61.1 58.2 70.8 65.6 78.1 78.1 73.2 80.3 70.5 79.4 79.4 73.5 77.2 77.8 86.4 86.4

Income taxes payable 8.4 9.2 8.2 7.8 13.6 13.6 14.1 15.2 15.2 15.2 15.2 15.2 15.2 15.2 15.2 15.2

Deferred revenue 514.7 538.4 563.2 582.1 645.3 645.3 677.1 706.7 738.5 812.3 812.3 848.9 891.3 935.9 1,001.4 1,001.4

Total Current Liabil ities 678.7 687.3 732.0 750.4 829.4 829.4 856.6 885.5 908.4 1,015.2 1,015.2 1,035.9 1,075.6 1,122.3 1,220.9 1,220.9

Non-Current Liabil ities

Deferred revenue, net of current 276.7 298.7 340.8 352.6 390.0 390.0 420.9 454.8 473.0 510.8 510.8 538.9 568.6 585.6 620.8 620.8


Other long-term liabilities 19.2 17.9 16.5 16.1 14.3 14.3 18.6 16.5 16.5 16.5 16.5 16.5 16.5 16.5 16.5 16.5

Total Liabil ities 1,035.1 1,069.1 1,155.6 1,187.1 1,302.3 1,302.3 1,369.1 1,438.6 1,479.6 1,624.3 1,624.3 1,673.1 1,742.4 1,806.1 1,939.9 1,939.9

Total Stockholders' Equity 755.4 742.4 804.6 823.1 837.7 837.7 898.2 922.1 928.1 944.6 944.6 957.2 978.4 1,002.5 1,041.2 1,041.2

Total Liabil ities + Stockholders' Equity 1,790.5 1,811.5 1,960.2 2,010.2 2,139.9 2,139.9 2,267.4 2,360.7 2,407.7 2,568.9 2,568.9 2,630.3 2,720.8 2,808.6 2,981.1 2,981.1




[email protected]


[email protected]

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

169

Figure 298: Fortinet Statement of Cash Flows


Fortinet (FTNT)

Statement of Cash Flows$ in Millions except per share items




Net Income 8.0 -3.4 -1.4 6.3 25.2 26.6 10.7 23.0 16.7 23.7 74.1 14.4 21.6 24.8 35.9 96.7

y/y change

Depreciation and amortization 31.6 10.6 11.3 13.1 13.6 48.5 13.5 14.0 20.1 21.8 69.4 20.6 21.3 21.3 20.9 84.2

Amortization of investment premiums 7.5 1.5 1.3 1.0 1.0 4.8 1.0 0.5 0.0 0.0 1.4 0.0 0.0 0.0 0.0 0.0

Stock based compensation expense 95.1 30.9 28.4 31.1 32.1 122.4 33.3 35.1 35.3 38.8 142.5 38.2 39.6 39.3 42.7 159.9

Other non-cash items, net 3.4 -0.4 1.6 3.7 -2.2 2.6 1.5 0.2 0.0 0.0 1.7 0.0 0.0 0.0 0.0 0.0

Changes in Assets and Liabil ities: 137.0 61.5 21.3 21.0 31.4 135.2 69.8 71.9 17.8 17.9 177.3 94.9 78.5 44.7 -18.1 199.9

Accounts receivable -66.5 38.9 -36.9 10.8 -70.7 -57.9 42.4 -4.5 3.1 -81.5 -40.5 50.5 -5.1 3.8 -66.4 -17.2

Inventory -19.1 -0.5 -7.5 -16.5 -18.5 -43.0 -3.5 13.3 -6.3 -32.5 -29.1 5.4 14.3 -17.3 -36.2 -33.8

Deferred cost of revenues 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Deferred tax assets -29.9 -13.1 -14.0 -7.9 7.2 -27.8 -16.6 -7.8 -9.7 -10.4 -44.5 -1.1 -7.2 -6.2 -40.1 -54.7

Prepaid expenses and other current assets -2.6 1.0 1.4 1.9 -1.7 2.6 -8.3 5.0 -8.3 -1.6 -13.2 -9.4 8.1 1.5 -8.4 -8.2

Other assets 0.7 -0.9 -1.5 -0.2 0.2 -2.4 0.7 0.1 -2.1 -0.7 -2.0 0.6 -0.9 -0.8 -0.8 -1.9

Accounts payable -2.5 -11.4 11.3 -1.5 1.6 0.0 -8.3 -11.6 1.2 19.0 0.4 -6.6 -8.6 1.0 19.7 5.6

Accured liabilities 0.9 0.3 -6.7 7.0 -3.8 -3.2 2.9 -1.2 -0.4 5.1 6.5 -3.4 2.1 0.4 4.9 4.1

Accrued payroll and compensation 11.3 -2.9 11.6 -5.4 12.4 15.7 -5.3 6.8 -9.8 8.9 0.6 -5.9 3.7 0.7 8.5 7.0

Other liabilities 2.0 -1.3 -1.5 -0.3 -1.9 -5.0 -1.1 -1.6 0.0 0.0 -2.7 0.0 0.0 0.0 0.0 0.0

Deferred revenues 222.3 46.1 65.0 31.8 100.1 243.0 61.8 63.6 50.0 111.7 287.1 64.7 72.1 61.6 100.6 299.0


Cash Flow from Operations 282.5 100.6 62.4 76.1 101.0 340.2 129.7 144.8 89.8 102.2 466.4 168.1 161.0 130.1 81.4 540.7

Investments, net 74.4 -4.2 -0.1 0.5 19.0 15.1 -17.8 4.5 0.0 0.0 -13.3 0.0 0.0 0.0 0.0 0.0

Purchase of property and equipment -37.4 -30.0 -14.4 -5.9 -16.9 -67.2 -13.5 -86.4 -33.4 -16.7 -150.0 -25.1 -22.3 -18.4 -27.3 -93.2

Acquisitions, net of cash acquired -38.0 0.0 -20.7 -1.4 0.0 -22.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Other 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Cash Flow from Investing -1.0 -34.2 -35.2 -6.8 2.1 -74.1 -31.3 -81.8 -33.4 -16.7 -163.3 -25.1 -22.3 -18.4 -27.3 -93.2

Proceeds from issuance/(repurchase) of stock/options, net 67.3 17.8 5.2 19.3 2.6 44.9 29.5 12.3 0.0 0.0 41.8 0.0 0.0 0.0 0.0 0.0Proceeds from exercise of stock options 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0Taxes paid related to net share settlement of equity awards -28.9 -9.4 -7.9 -12.5 -8.4 -38.3 -13.7 -12.2 0.0 0.0 -25.9 0.0 0.0 0.0 0.0 0.0

Excess tax benefit from stock-based compensation 0.0 0.0 -1.6 0.0 0.0 -1.6 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0Repurchase of preferred stock 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0Repurchase of common stock -60.0 -50.0 0.0 -25.0 -35.8 -110.8 -25.0 -33.2 -46.0 -46.0 -150.2 -40.0 -40.0 -40.0 -40.0 -160.0

Cash Flow from Financing -21.6 -41.6 -4.4 -18.2 -41.6 -105.9 -9.2 -33.0 -46.0 -46.0 -134.2 -40.0 -40.0 -40.0 -40.0 -160.0

Cash and cash equivalents, beginning of period 286.2 546.2 571.0 593.8 644.9 546.2 706.4 795.6 825.5 835.9 706.4 875.4 978.3 1,077.0 1,148.7 875.4

Foreign exchange translation impact on cash 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Net increase (decrease) in cash 260.0 24.8 22.8 51.1 61.5 160.2 89.2 29.9 10.4 39.5 169.0 103.0 98.7 71.7 14.1 287.5

Cash and cash equivalents, end of period 546.2 571.0 593.8 644.9 706.4 706.4 795.6 825.5 835.9 875.4 875.4 978.3 1,077.0 1,148.7 1,162.8 1,162.8




[email protected]


[email protected]

5 September 2017

Cybersecurity 170







Figure 299: Fortinet PEERs


5 September 2017

Cybersecurity 171

Check Point Software Technologies: Without a Box… Check!


Check Point Software Technologies Ltd. (CHKP)

Rating NEUTRAL Price (01-Sep-17, US$) 110.89 Target price (US$) 110.00 52-week price range (US$) 115.72 - 74.81 Market cap(US$ m) 19,395 Target price is for 12 months.

Research Analysts

Brad A Zelnick

212 325-6118

[email protected]

Jobin Mathew

212 325 9676

[email protected]


212 538 1428

[email protected]

Best of the Rest We initiate coverage of Check Point with a Neutral rating and a $110 target price,

reflecting 1% downside potential and 19.5x our 2018 earnings estimate. While

we are negative on the category as a whole, Check Point is our preferred firewall

play on a relative basis.

■ Best Placed to Weather Category Risks: Our analysis of category risks

suggests CHKP is substantially better placed to weather sector headwinds

compared with PANW and FTNT. We do not believe CHKP is the most at risk

on any single headwind we have identified.

■ Maturity & Discipline an Advantage: Ultimately, we expect the future

firewall market to be one in which the wisdom of age will trump the

exuberance of youth. CHKP is a highly disciplined wealth creator focused on

the long term. It is one of only 6% of >20k companies in Credit Suisse HOLT

to achieve an eCAP quality award. In addition, it benefits from abnormal

levels of incentive alignment and has exceptional price discipline.

■ Not Its First Rodeo: We take confidence in the fact CHKP has once already

traversed the transition from software to hardware in the mid-2000s. As the

hardware box & software attach trend reverses direction and this model

disaggregates, we expect the experience of a long-tenured management

team to be a distinct, albeit unquantifiable, advantage.

■ Firepower for Transformative M&A: We estimate Check Point could deploy

$10bn for transformative M&A. This is 80% more than PANW, and 130%

more than FTNT. In a market where we believe CHKP's core product to be

declining in relevance, the firepower to make strategically significant and

transformative acquisitions is a distinct competitive advantage.

■ Valuation: Our relative valuation shows CHKP to be substantially more

attractive than FTNT and CHKP on both cash flow and income statement

multiples. Value is most clearly discerned when adjusting uFCF for SBC (16x

vs PANW at 30x and FTNT at 18x CY18 EV/uFCF).



Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$77.98




927 948 1,003 1,069 Net Debt (US$ m) -3,615 -3,669 -3,731 -3,784 Unlevered Free Cash Flow (US$)

873 865 958 1,020 P/uFCF (x) 12.7 12.8 11.6 10.9


5 September 2017

Cybersecurity 172

Check Point Software Technologies Ltd. (CHKP)

Price (01 Sep 2017): US$110.89; Rating: NEUTRAL; Target Price: US$110.00; Analyst: Brad Zelnick


Revenue (US$ m) 1,629.9 1,741.3 1,870.5 2,003.8 EBITDA 937.6 959.0 1,015.1 1,080.4 Operating profit 927.3 948.1 1,002.9 1,068.8 Recurring profit 961.4 992.5 1,045.1 1,110.0

Cash Flow 12/15A 12/16A 12/17E 12/18E

Cash flow from operations 917 925 1,022 1,085 CAPEX (17) (24) (30) (32) Free cashflow to the firm 900 901 992 1,053 Cash flow from investments (114) (24) (30) (32) Net share issue(/repurchase) (883) (859) (932) (1,000) Dividends paid 0 0 0 0 Issuance (retirement) of debt - - - - Other 24 15 (4) 0 Cashflow from financing activities (859) (844) (936) (1,000) Effect of exchange rates (11) (4) 6 0 Changes in Net Cash/Debt (68) 54 62 53 Net debt at end (3,615) (3,669) (3,731) (3,784)


Assets Other current assets 86 41 92 97 Total current assets 1,781 1,892 2,188 2,264 Total assets 5,070 5,218 5,506 5,638 Liabilities Short-term debt 0 0 0 0 Total current liabilities 1,057 1,166 1,297 1,432 Long-term debt 0 0 0 0 Total liabilities 1,538 1,727 1,990 2,205 Shareholder equity 3,532 3,491 3,516 3,434 Total liabilities and equity 5,070 5,218 5,506 5,638 Net debt (3,615) (3,669) (3,731) (3,784)

Per share 12/15A 12/16A 12/17E 12/18E


Earnings 12/15A 12/16A 12/17E 12/18E


Valuation 12/15A 12/16A 12/17E 12/18E



Company Background

Check Point is a leading security software company. The first company to commercialize stateful firewall and VPN, Check Point now provides a wide range of security products across the Network, Endpoint, and Cloud security markets.



In our Blue Sky Scenario, Check Point unleashs balance sheet for transformative strategic M&A, which successfully enhances its ability to compete in a cloud-first world. Our blue sky scenario implies CHKP would trade on 16.8x 2018 UFCF.


Check Point is unable to adapt in a world where enterprises transition to the cloud faster than we expect, and traditional network security is less relevant in cloud-first security architectures than we anticipate.



Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$77.98


5 September 2017

Cybersecurity 173

CHKP: Our Take on the Key Debates Initiating Coverage with a Neutral rating and an $110 Target Price

While we view transitionary challenges as a negative influence on the category as a whole,

Check Point excels over peers in nearly every major identifiable headwind and is thus our

preferred firewall play.

Key Debates:

■ Is the Product Line-up Competitive? How does Check Point's solution stand up to those

of PANW, which has aggressively grown share?

■ Where Are Margins Heading? While Gross Margins have held up, operating margins

have been trending downward since 2012, with sales & marketing spend rising.

■ How Prepared Is CHKP for the Architectural Shift? As security shifts from physical

appliances to virtual ones, uncertainty surrounds the scalability and performance of legacy

security companies and their products in cloud architecture.

■ What’s the Value of CHKP’s Substantial Idle Cash Balance? CHKP’s total cash &

equivalents are 20% of its market cap, which, undistributed or reinvested, may appear to

be lost opportunity for greater returns.

Our Take:

■ Recognized Offerings, with a Fully Integrated Management Console: We believe

Check Point's solutions in the Enterprise Network Firewall and UTM space are among the

best, while CHKP management console's ability to implement a unified policy across the

entire infrastructure provides a point of differentiation against rivals.

■ Margins Are Optimized: While we recognize management's long-term value creation and

superlative discipline against competitive pricing pressures, we see Check Point's margin

structure at peak and see limited opportunities to expand it further.

■ Management Has Adapted Successfully in the Past: We take confidence in the fact that

CHKP already transitioned from software to hardware in the mid-2000s, and we believe

that the experience will prove advantageous in the reverse as the industry moves away

from hardware and toward cloud-based solutions.

■ Large Acquisition Capacity Will Be Major Strategic Advantage: We estimate CHKP

has $9.7 billion of total firepower (2.3x FTNT’s capacity and 1.8x PANW’s), which we

believe is strategically significant.

Risks:

■ Successful Transition Not Guaranteed: Strong management notwithstanding, CHKP

has ceded 337bps of market share since its peak in 2012 of ~12%.

■ Management May Be Conservative with Cash: We note that management has

amassed a cash pile and not yet unleashed it for transformative acquisitions, which might

indicate conservativeness and unwillingness for relatively large deals.

Estimates:

■ Revenue: We forecast FY17E/FY18E revenue growth at 7.5%/7.5% vs the consensus at

7.5 %/7.0%, respectively.

■ EPS: We forecast FY17E/18E EPS of $5.18/$5.66 in-line with Street estimates at

$5.18/$5.67, respectively.

Valuation: ■ DCF: Our discounted cash flow analysis suggests a target price of $110, implying 1%

downside potential and 14.5x EV/uFCF (2018).

5 September 2017

Cybersecurity 174

Key Charts

Figure 300: CHKP Has Lost Share Since 2012… Figure 301: ...but Margins Have Remained High

4Q rolling sum as share of total UTM and Firewall market Reported Adjusted Operating margin

Source: IDC, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Figure 302: Better Placed for Sector Risks Figure 303:Significant Cash Balance

Exposure to Sector Headwinds Cash (onshore and offshore) as a % of market capitalization


Figure 304: Balance Sheet Can Be Unleashed.. Figure 305: …Valuation Cheapest vs Peers

Assuming 3x leverage, Balance Sheet capacity vs Peers Valuation Analysis on EV/FCF basis


0%

10%

20%

30%

40%

50%

60%

70%

80%

2002 2004 2006 2008 2010 2012 2014 2016

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper

45%

50%

55%

60%

65%

2003 2009 2015



CHKP PANW FTNT








Total ◔ ◑ ◕


4%

14%

18%

20%

23%

27%

29%

44%

0% 10% 20% 30% 40% 50%

Qualcomm Inc

Alphabet Inc

Intel Corp

Microsoft Corp

Check Point

Oracle Corp

Apple Inc

Cisco Systems Inc

$9.9bn

$5.4bn

$4.0bn

$0bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

CHKP PANW FTNT

14.9x12.2x

13.8x16.4x

19.2x

37.8x

0x

10x

20x

30x

40x

CHKP FTNT PANW

EV/UFCF, NTM


5 September 2017

Cybersecurity 175

Company Positives

■ Check Point Has the Most Significant Fire Power

Our analysis of potential debt capacity shows that CHKP has substantial firepower. With

the highest EBITDA margin, liquid cash balance, and highest total cash & investments,

CHKP enjoys (by our estimation) 2.3x greater firepower than FTNT and 1.8x that of

PANW.

In a market where we believe CHKP's core product to be declining in relevance (see

Security as the mainframe), we view the firepower to make strategically significant and

transformative acquisitions as a distinct competitive advantage

Figure 306: We Estimate CHKP Has ~$10bn in

Aggregate Firepower…

Figure 307: … 2.3x the Capacity of FTNT, and More

than 1.8x Palo Alto Networks


capc


Figure 308: Check Point Has a Large Cash Balance

and No Debt…

Figure 309: … as a Percent of Market Cap This Is

Greater than Microsoft

in USD millions, unless otherwise stated Cash (onshore and offshore) as a % of market capitalization

Source: Company data, Credit Suisse estimates. Source: Credit Suisse HOLT, Credit Suisse Research.


Earnings, NTM basis

EBITDA 1,083 394 279





Cash, Next quarter









2.3x

1.4x

1x

$0bn

$2bn

$4bn

$6bn

$8bn

$10bn

$12bn

CHKP PANW FTNT

0

500

1,000

1,500

2,000

2,500

3,000

3,500

4,000

2003 2005 2007 2009 2011 2013 2015 2017

ST Marketable securities

LT Marketable securities

Cash & cash equivalents

4%

14%

18%

20%

23%

27%

29%

44%

0% 10% 20% 30% 40% 50%

Qualcomm Inc

Alphabet Inc

Intel Corp

Microsoft Corp

Check Point

Oracle Corp

Apple Inc

Cisco Systems Inc

5 September 2017

Cybersecurity 176

■ Best Positioned to Face Category Risks

In our ranking of relative exposure to category risks, Check Point appears the least

exposed. In fact, in no single measure have we ranked CHKP the most exposed on a

relative basis.



■ Valuation

On valuation, we see Check Point as relatively better priced compared to firewall peers,

which currently trade at 14.5x CY18 EV/uFCF. We note that it looks even cheaper than

rivals, when adjusting for SBC & LT Deferred and similarly on a P/E basis (GAAP and

Non-GAAP).

Figure 311: Relative Valuation, Absolute Multiples



CHKP PANW FTNT






EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x





EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x



GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x


CHKP PANW FTNT

5 September 2017

Cybersecurity 177

Figure 312: Valuation Matrix Revenue Growth Adjusted


■ Check Point Is a Firm of Exceptional Quality

Highly Disciplined Capital Allocators

Check Point is both highly optimized and runs with superlative discipline. We think Credit

Suisse HOLT8 particularly well illustrates the quality of the business; having achieved over

ten years of ~20% CFROI returns, CHKP attains an eCAP award.

Only 6% of the ~20,000 companies tracked by HOLT achieve the conditions necessary to

be awarded an eCAP. It is awarded to those companies that have high economic return

(>8% CFROI), low volatility in returns (<30% CFROI variation), a favorable trend (>-0.10),

and sustainable levels of growth (<30%).

Figure 313: Quality Is Reflected in High and

Sustained CFROI®, and eCAP Qualification

Figure 314: Only 6% of Companies in HOLTs

Database of 20,000 Companies Achieve an eCAP

Check Point CFROI How many companies attain HOLT value awards


Philosophy of Long-Term Value Creation

We think Check Point exhibits characteristics of a firm run for long-term shareholder value

creation. This discipline is evident in many metrics, not least operating margins, which are

both high and have remained remarkably stable despite tumultuous market forces.

8 Credit Suisse HOLT is a proprietary valuation tool that aims to convert income statement and balance sheet information into a Cash Flow Return on Investment (CFROI®). The goal is to help assess a company's underlying economics. A firm's CFROI can be compared directly with its real cost of capital (the investors' real discount rate) to see if the firm is creating economic wealth. By removing accounting and inflation distortions, the CFROI allows for global comparability across sectors, regions and time.




EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82





EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22


Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49

GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32


CHKP PANW FTNT

0

5

10

15

20

25

30

35

40

1996 2000 2004 2008 2012 2016 2020 2024


Investible Universe

Super

eCAPs

2%

Wonderful Companies

Top 25% Sector-relative CFROI for 3

consecutive years

eCAPs

CFROI > 8% for at least 5 years

Low CFROI variation (<30%)

Favourable CFROI trend (>-0.10)

Sustainable levels of growth (<30%)

Super-eCAPs

CFROI > 8% for at least 10 years

Low CFROI variation (<15%)

Favourable CFROI trend (>-0.02)

Sustainable levels of growth (<40%)

5 September 2017

Cybersecurity 178

A cornerstone of this margin stability has been exceptional levels of price discipline. This is

particularly evident when we use IDC data to proxy ASP for CHKP through the period

(2009-2015) in which Palo Alto entered the market and proceeded to aggressively

compete for share. While a shorter-term, less disciplined operator may have responded to

this aggression by competing on price, CHKP instead appears to have increased its ASP

in the mid- and high-end (where PANW competes) from 2012 to present.

Figure 315: In Addition to High and Sustained

HOLT-Adjusted Operating Margin

Figure 316: Even in the Period Which Saw

Aggressive Competition from PANW, CHKP Did Not

Appear to Have Offered Substantial Discounts

HOLT-adjusted operating margin Check Point ASP (revenue/units)

Source: HOLT, Credit Suisse Research. Source: IDC, Credit Suisse Research.

True Shareholder Alignment with Management

We believe Check Point to benefit from an abnormal level of incentive alignment. CEO and

co-founder Gil Shwed is the largest shareholder, with ~25 million shares (15.4% of the firm)

as of the end of 2016. Marius Nacht, another co-founder, is the third largest shareholder,

with ~11 million shares (6.7% of the firm), and has been Check Point's

non-executive chairman since September 2015 after serving as its vice chairman from

2001.

In general, we believe the ~20% ownership by founders to be an almost undisputable

positive. As we note elsewhere, founder-led companies enjoy well-documented

advantages; they tend to outperform, deploy more cash toward R&D and capex, and enjoy

more efficient R&D.

We accept there remains a residual question mark over Marius Nacht's 40% reduction in

his CHKP stake through 2016.

Less Volatile than Peers…

CHKP shares have traded with lower volatility than both PANW and FTNT since both were

first publically traded, in 2012 and 2010, respectively.

0

20

40

60

1996 2000 2004 2008 2012 2016 2020 2024


16,000

17,000

18,000

19,000

20,000

21,000

22,000

23,000

60,000

70,000

80,000

90,000

100,000

110,000

120,000

2009 2010 2011 2012 2013 2014 2015 2016

High-end ASP Mid-range ASP

5 September 2017

Cybersecurity 179

Figure 317: CHKP Has Experienced the Lowest Volatility

100 day rolling volatility of daily returns


■ Track Record of Innovation

Check Point practically created the firewall category in 1993 with the introduction of

FireWall-1. This was the first commercialized 'stateful' firewall, and Check Point is credited

with coining the term 'stateful'.

By 1996, IDC had named Check Point the leader in firewall market share with over 40% of

the market. Indeed FireWall-1 debuted just as the Internet was truly taking off, and 'that

and subsequent Check Point offerings are credited with helping define the nascent

markets for network security and virtual private networks.' (CIO, October 1st 2002, see

here)

In 2006, Check Point created an innovative unified management console, and in 2009, it

completed the acquisition of Nokia's security appliance business as well as FaceTime

communications and launched its extensible Software Blade architecture.

Not Its First Rodeo…

Originally a software only vendor, Check Point's move to sell integrated appliances

represented one of the original security software aggregation plays. Combining the

hardware and software adjacencies enabled (at the time) Check Point to substantially

expand its TAM, increase its average price point (appliance price points were 1.5-2.0x that

of the underlying software). As we have discussed, we now believe the opposite to be

occurring; hardware and software adjacencies are disaggregated as enterprises shift to

the cloud. Given CHKP is in some ways returning to its roots, this gives us some comfort

that it may be more capable than peers of weathering this transition.

■ High, If Not Superior, Quality of Product Offerings

Check Point has been a leader of Gartner's Enterprise Network Firewall Magic Quadrant

from 1999 to 2002, and then from 2004 to present. In addition to strength in enterprise

offerings, Check Point has also been a leader in Gartner's Unified Threat Management

(UTM) Magic Quadrant (SMB focused) since 2010.

In addition to recognition from Gartner, Check Point has been a recipient of 'Recommend'

ratings from NSS Labs for Next Generation Firewall (2011-2016), Network Firewall

(2011-2013), IPS (2011-2013), and Breach Detection Systems (2015-2016).

0

0.01

0.02

0.03

0.04

0.05

2010 2011 2012 2013 2014 2015 2016 2017

CHKP PANW FTNT

http://www.cio.com/article/2440500/innovation/cio-20-20-honorees--innovator-s-profile--gil-schwed-of-check-point-software-technologies-.html

5 September 2017

Cybersecurity 180

Figure 318: CHKP Has Maintained a Leadership

Position in Gartner's Magic Quadrant for Enterprise

Network Firewall's Since Before 2006

Figure 319: With the Exception of 2009, CHKP Has

Also Maintained a Leadership Position in the Magic

Quadrant for Unified Threat Management

Estimated based on 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Enterprise Network Firewall Magic Quadrants

Estimated based on 2009, 2010, 2012, 2013, 2014, 2015, 2016 and 2017 UTM (SMB multifunction firewall) Magic Quadrants

Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research.

As a result of our field work and broader research, we are convinced the single

management console approach is a generator of competitive advantage. The consistency

inherent in the ability to implement unified policy across the entire infrastructure in a single

pane of glass, unified and fully integrated console appears preferred by customers.

Figure 320: Check Point Seems to Have a More

Thoughtful Pricing Strategy in the Cloud

Figure 321: …PANW VM Pricing Strategy in the

Cloud Takes a One Size Fits All Approach

Check Point AWS Pricing Palo Alto Networks AWS Pricing

Source: AWS, Company data, Credit Suisse estimates. Source: AWS, Company data, Credit Suisse estimates.

Check Point Check Point

5 September 2017

Cybersecurity 181

We also note that Check Point appears to have a much more thoughtful VM pricing

strategy for the cloud, with hourly software costs rising with more demanding workloads.

On the other hand, Palo has a one-size-fits all approach with the same hourly pricing

irrespective of workload or AWS instance. We see Check Point's approach as more

suitable and capturing greater value.

5 September 2017

Cybersecurity 182

Company Negatives

■ Empirically CHKP Have Lost Market Share

CHKP has empirically lost market share in the Palo Alto era; from a peak share of ~21% of

the combined firewall and UTM market in mid-2012, CHKP has ceded 337bps of share.

While not egregious share loss by any measure, we recognize this as a risk should

attrition sustain. Going forward, we note that competitive losses will pressure company's

ability to attach and cross-sell further services.

Figure 322: CHKP Has Lost Share Since 2012…

Figure 323: … When It Began to Under-Grow the

Market

4Q rolling sum as share of total UTM and Firewall market Total UTM and Firewall Market revenue growth, y/y %


■ Is Conservatism a Risk?

Check Point has maintained a cash balance of around $3.5bn since 2013, in part due to

tax constraints that have since been lifted as of 2015. While we address this specifically as

a company positive, the fact it has amassed this cash pile and not yet unleashed it for

transformative acquisitions raises a question mark for us. Might Check Point be too

conservative to use its firepower to acquire its way out of a market position challenged by

architectural changes? We believe there are a number of assets for purchase that can

propel Check Point’s position in cloud and virtual security and diversify itself from declining

relevance of core firewall.

0%

10%

20%

30%

40%

50%

60%

70%

80%

2002 2004 2006 2008 2010 2012 2014 2016

Others

Fortinet

Check Point

Palo Alto

Cisco

Juniper

0%

10%

20%

30%

40%

50%

60%

70%

2010 2011 2012 2014 2015 2017

Market, y/y, % Check Point, y/y, %

5 September 2017

Cybersecurity 183

Figure 324: Check Point Has Maintained Substantially More Cash on Its Balance

Sheet as a % of Market Cap than the Average Across the S&P500

US$ in millions, unless otherwise stated

Source: Thomson Reuters Datastream, Credit Suisse Research.

■ Margin Erosion Remains a Risk

Check Point achieves excellent operating margins on an absolute basis and remarkable

margins on a relative basis. If we look at adjusted operating margin across the software

universe, Check Point has the highest margin of the 50 largest software companies by

market capitalization. We use HOLT-adjusted operating margin for our analysis. Unlike the

traditional operating margin metrics, HOLT's operating margins are not reduced by

expenses for stock options, R&D, or rent to better reflect the cash generation of the

operating entity.

Figure 325: Check Point Has the Highest HOLT Operating Margins of the 50 Largest Software Companies

HOLT adjusted Operating Margin, LFY, %

Source: Credit Suisse HOLT®, Credit Suisse Research.

0%

10%

20%

30%

40%

2003 2005 2007 2009 2011 2013 2015 2017

Cash on balance sheet as a % of market cap, US Check Point cash as % of market cap

60.4

%56

.4%

53.9

%49

.4%

48.0

%47

.8%

46.9

%45

.7%

45.7

%44

.8%

44.5

%44

.3%

43.8

%43

.1%

42.7

%42

.4%

39.8

%39

.3%

38.8

%37

.0%

36.0

%35

.3%

35.2

%32

.2%

30.9

%30

.5%

30.3

%30

.1%

29.9

%29

.6%

25.4

%23

.5%

23.3

%21

.0%

20.0

%19

.3%

19.1

%16

.3%

16.2

%16

.0%

15.4

%13

.9%

13.5

%13

.4%

13.4

%10

.4%

7.0%

6.4%

5.5%

2.9%

2.3%

1.7%

-0.4

%-0

.9%

-2.8

%-2

.9%

-9%

-11%

CH

KP

OR

CL

CA

INT

UO

TE

XP

RG

SA

DB

EM

SF

TC

TX

SV

MW

NS

RT

DC

MA

NH

TE

AM

QLY

SM

ST

RS

YM

CN

ICE

VE

EV

RH

TS

NC

RC

YB

RN

UA

NV

RN

TLO

GM

GW

RE

RP

CU

DA

PE

GA

PA

YC

ULT

IA

DS

KC

RM

FT

NT

WD

AY

DA

TA

MIM

EP

CT

YS

AP

BN

FT

TW

LOR

NG

CA

LDE

GH

TN

OW

PF

PT

NE

WR

HU

BS

CS

OD

RP

DIM

PV

PA

NW

BO

XZ

EN

PR

OT

LND

FE

YE

SP

LK

5 September 2017

Cybersecurity 184

Adjusted operating margin has been in a band of 50-60% since 2003, although it has

come down slightly since 2012 (~60% to ~54%) before stabilizing in recent quarters.

Although we recognize CHKP has successfully weathered investor concern around the

margin for more than a decade, there remains risk should the margin erode. Quite frankly,

there is equal risk as well in CHKP’s willingness to invest and reduce margins; leading

industry margins, while a very enviable distinction, poses some risks. Given our arguments

around price pressures in a cloud transition, we think this risk may be somewhat increased

relative to history. At the same time, we appreciate Check Point has always solved for

profit and cash flow growth, not necessarily margin percentage, and has managed well.

Figure 326: CHKP Has Maintained Remarkably High Adjusted Operating

Margins of >50%...

Reported Adjusted Operating Margin, %


■ Limited Disclosure

Check Point as an Israeli-domiciled company is subject to less transparent disclosure

requirements relative to US-based companies. The foreign private issuer status enjoyed

by CHKP means, among other things, it is exempt from proxy rule and from filing

beneficial ownership reports and may use 'particular registration and reporting forms

designed specifically for them'. For full details regarding these disclosure rules, section III

of the SEC foreign issuers overview should be referenced. (See here.)

45%

50%

55%

60%

65%

2003 2005 2007 2009 2011 2013 2015 2017


https://www.sec.gov/divisions/corpfin/internatl/foreign-private-issuers-overview.shtml

5 September 2017

Cybersecurity 185

Management and Board Management

Check Point remains very much a founder-led organization, with Gil Shwed serving as

CEO since he founded the company in 1993. Dorit Dor, the vice president of products,

serves in the firm's highest level technical role. She holds a Ph.D. in computer science

from Tel Aviv University and was the 1995 recipient of the Israeli National Defense Prize.

Figure 327: Check Point Executive Management


Board of Directors

The influence of the founders is also very apparent on the board, with co-founder Marius

Nacht serving as chairman. The board also has its fair share of impressive industry

veterans, with ample Israeli and American venture capital and tech experience

represented.

Name Compensation Beneficial ownership of shares C-Suite Experience


Age Joined Salary ($) Bonus ($) Stock($) Number of shares Value of shares

Gill Shwed 1993 $14,800 NA $35,531,800 30,823,912 $3,513,925,968 ■ Founder and Chief Executive Officer, Check Point

Founder and CEO ■ Considered the Inventor of the Modern Firewall

48 ■ Honorary Doctor of Science, Tel Aviv University

■ MS: Tel Aviv University, BS: Hebrew University of Jerusalem

Amnon Bar-Lev 2005 $393,200 $89,400 $4,786,100 NA NA ■ President, Checkpoint: 2005-2017

President ■ Chief Executive Officer, Xpert Integrated System

■ Distinguished service in Israeli Air Force


Dorit Dor 1995 $325,100 $76,200 $3,550,000 NA NA ■ Various Research and Development Roles, Check Point: 1995-2017

Vice President of Products ■ Published in several scientific journals

■ 1993 Recipient of the Israeli National Defense Prize

■ PhD, MS, BS: Tel Aviv University

Tal Payne 2008 $213,300 $90,500 $3,196,000 NA NA ■ Chief Financial Officer, Check Point: 2008-2017

CFO and COO ■ Chief Financial Officer and Vice President of Finance, Gilat Satellite Networks

45 ■ CPA, PricewaterhouseCoopers

■ MBA, BA: Tel Aviv University

Sources: Check Point 2017 Proxy Statement, Company Website, Bloomberg

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

186

Figure 328: CHKP Board




Age Since? Director? Affiliations? Number of shares Value of shares Audit Compensation Governance

Marius Nacht 1993 No 1 11,214,986 $1,278,508,404 ■ Founder and Chairman, Check Point Technologies

Founder and Chairman ■ Senior Vice President, Check Point: 1999-2005

55 ■ Vice President of International Operations, Check Point: 1993-1999


Gill Shwed 1993 No 1 30,823,912 $3,513,925,968 ■ Founder and Chief Executive Officer, Check Point

Founder and CEO ■ Considered the Inventor of the Modern Firewall

48 ■ Honorary Doctor of Science, Tel Aviv University


Jerry Ungerman 2005 No 0 NA NA ■ Vice Chairman, Check Point

Vice Chairman ■ Various Executive Positions, including President and Executive Vice President, Check Point: 2001-2005

72 ■ Former Executive Vice President, Hitachi Data Systems

■ BS: University of Minnesota

Dan Propper 2006 Yes 2 NA NA ■ Chairman and CEO, Osem Group: 1981-2006

Director ■ President, Israeli Manufacturer's Association

76 ■ Honorary Doctorate: Technion - Israel Institute of Technology

■ BS: Technion - Israel Institute of Technology

Ray Rothrock 1995 Yes 2 NA NA a a a ■ Chairmand and CEO, RedSeal Networks: 2014-Present

Director ■ General Partner, Venrock: 1988-2013

60 ■ Participant in White House Cybersecurity Summit

■ MBA: Harvard Business School, MS: Massachusetts Institute of Technology, BS: Texas A&M University

David Rubner 1999 Yes 4 NA NA a a ■ Chairman and CEO, Rubner Technology Ventures

Director ■ General Partner, Hyperion Israel Advisors

77 ■ President and CEO: ECI Telecommunications: 1991-2000

■ BS: Quuen Mary College, University of London, MS: Carnegie Mellon University

Tal Shavit 2000 Yes 0 NA NA a ■ Organizational Consultant Specializing in Israeli-American Collaboration

Director ■ Consults with Companies Undergoing Structural Change

■ Work Emphasized Mergers and Acquisitions

Yoav Chelouche 2006 Yes 5 NA NA a a ■ Managing Partner, Aviv Venture Capital: 2000-Present

Director ■ President and CEO, Scitex: 1994-2000

62 ■ Various Managerial Positions, Scitex: 1979-1994

■ MBA: INSEAD, BA: Tel Aviv University

Irwin Federman 1995 Yes 3 NA NA a a a ■ General Partner, US Venture Partners: 1990-2017

Director ■ President and CEO, Monolithic Memories: 1981-1988

81 ■ Chairman, Mellanox Technologies

■ BA: Brooklyn College

Guy Gecht 2006 Yes 1 NA NA a a ■ Chief Executive Officer, Electronics for Imaging: 2000-2017

Director ■ Various Positions, including President, Electronics for Imaging: 1995-2000

52 ■ Director of Engineering, Interro Systems: 1993-1995

■ BS: Ben Gurion University

Sources: Check Point 2017 Proxy Statement, Company Website, Bloomberg

5 September 2017

Cybersecurity 187

Check Point has the most finance-oriented board in our coverage universe. Notably, all of

this finance experience comes from venture capital.

Figure 329: Check Point’s Board Has Disproportionate Venture Capital

Representation


In contrast with the executive team, the board is actually the most experienced group of

directors for any company in our coverage universe besides Oracle. While the

management team is relatively young, the board is second oldest, also to Oracle.

Figure 330: CHKP’s Board Is Second Oldest and… Figure 331: Second Most Experience, Both to Oracle


0 2 4 6 8 10

CHKP

SYMC

SPLK

RHT

HDP

PANW

AKAM

NOW

VMW

ORCL

FTNTAverage Financial Experience

Per Board Member

VC

Banking

PE

-10 -8 -6 -4 -2 0 2 4 6 8 10

ORCL

CHKP

AKAM

RHT

FTNT

SPLK

VMW

NOW

SYMC

PANW

HDP

Board Age Deviation from Average

0 5 10 15 20 25 30 35 40

AKAM

CHKP

ORCL

SPLK

VMW

NOW

FTNT

RHT

PANW

HDP

SYMC

Board Experience Per Director

Relevant Industry

Other Executive

CEO/CFO

Other Industry

Finance

5 September 2017

Cybersecurity 188

Valuation

Discounted Cash Flows

We use Discounted Cash Flows to estimate the intrinsic value for CHKP at $110/share,

representing 1% downside. This informs our Neutral Rating, and is supported by our

multiples based relative valuation work. In addition, we have constructed blue-sky and



Figure 332: Blue-Sky/Grey-Sky Pricing Figure 333: Blue-Sky/Grey-Sky Schematic

Source: Check Point, Credit Suisse estimates. Source: Check Point, Credit Suisse estimates.

Target Scenario

Our base case assumes a five-year transition period with FCF growth declining smoothly

from an estimated 7.5% in 2020. This scenario assumes the firewall market decelerates

broadly in-line with our expectations and Check Point successfully weathers the transition,

but is then, more than ever, a lower growth, true legacy vendor. This scenario results in a

target price of $110, implying downside of 1%.

Blue-Sky Scenario


free cash growth, assuming Check Point unleashes its balance sheet for transformative

strategic M&A, which is ultimately successful. Our blue-sky scenario yields a $126

warranted price, which represents 14% upside potential.

Grey-Sky Scenario


growth assumption. The scenario results in a share price of $96, representing 13%

downside risk to the current share price.

In this scenario, Check Point is unable to adapt in a world where enterprises transition to

the cloud faster than we expect, and traditional network security is less relevant in

cloud-first security architectures.

Current Price $111 15.7x FY18UFCF (adj for SBC)

Target Price $110 15.5x FY18UFCF (adj for SBC) -1%

Blue Sky $126 18.4x FY18UFCF (adj for SBC) 14%

Grey sky $96 13.0x FY18UFCF (adj for SBC) -13%

The firewall market decelerates broadly in line with our expectations, and Check Point

successfully weathers the transition, but is then, more than ever, a lower growth, true

'legacy' vendor.

In our Blue Sky Scenario, Check Point unleashs balance sheet for transformative

strategic M&A, which successfully enhances its ability to compete in a cloud-first world.

Our blue sky scenario implies CHKP would trade on 16.7x 2018 UFCF.

Check Point is unable to adapt in a world where enterprises transition to the cloud

faster than we expect, and traditional network security is less relevant in cloud-first

security architectures than we anticipate.

Target Price

Current Price

Grey Sky

Blue Sky

$110$111

$96

$126

5 September 2017

Cybersecurity 189

Figure 334: Check Point Software Discounted Cash Flow (DCF) Analysis


Target Price



Period 1 2 3 4 5 6 7 8 9 10


Beta 0.72 0.72 0.72 0.72 0.72 0.72 0.72 0.72 0.77 0.81 0.86 0.91 0.95 1.00

Market rate of return 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%

Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2%

FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 8.0% 7.5% 6.5% 5.5% 4.5% 3.5% 2.5% 1.5%

Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25

Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,101 1,184 1,261 1,330 1,390 1,438 1,474 1,497 17,123


SBC as % of FCF 6.4% 7.0% 7.0% 7.9% 7.5% 7.5% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5%

FCF adjusted for SBC 604.1 666.4 812.2 797.3 885.6 943.4 1,018.9 1,095.3 1,168.5 1,234.9 1,292.8 1,340.3 1,376.2 1,399.3 17,123.2


Cumulative NPV of FCF ($M) 850.3 1,702.3 2,550.4 3,390.8 4,215.0 5,013.5 5,777.9 6,500.6 7,175.4 14,793





Total NPV/Share 110



Blue Sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value dist ribut ion


Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2%

FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 10.0% 10.0% 8.8% 7.5% 6.3% 5.0% 3.8% 2.5%

Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25

Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,122 1,234 1,342 1,442 1,532 1,609 1,669 1,711 22,107


SBC as % of FCF 6% 7% 7% 8% 8% 7% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5% 0%



Cumulative NPV of FCF ($M) 850.3 1,702.3 2,566.1 3,442.0 4,319.1 5,185.0 6,027.8 6,836.1 7,600.2 17,434



NPV/Share of FCF 104





Grey sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value dist ribut ion


Equity Risk Premium 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%

Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2%

FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 7.0% 5.0% 4.2% 3.3% 2.5% 1.7% 0.8% 0.0%

Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25

Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,091 1,145 1,193 1,233 1,264 1,285 1,296 1,296 12,652

Stock Based Compensation Expense 41.3 50.5 60.8 68.2 72.0 76.2 0.0 0 0 0 0 0 0 0 0

SBC as % of FCF 6% 7% 7% 8% 8% 7% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5% 0%



Cumulative NPV of FCF ($M) 850 1,702 2,543 3,356 4,136 4,876 5,571 6,217 6,810 12,438



NPV/Share of FCF 74.2





5 September 2017

Cybersecurity 190

HOLT

CHKP – HOLT Market-Implied Scenario and Sensitivity Analysis

Assuming stable margins at 50%, CHKP’s current price of $111 implies a sales CAGR of

5% over the next 10 years

Figure 335: CFROI® (%) Figure 336: Valuation Sensitivity Analysis



■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4-FY10 assumed at 50%

based on FY3 IBES estimates

■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, we solved for the implied

CAGR required to get to the respective values per share

■ Asset Efficiency: assumed constant from LFY levels

■ Fade Period: CHKP earns an eCAP (empirical competitive advantage), hence

extending explicit forecasts to ten years before the fade


returns on capital and growth toward cost of capital and GDP growth respectively

Figure 337: Operating Projections Implied by Current Price: $108 per Share


21.1 21.1

0

5

10

15

20

25

1996 2000 2004 2008 2012 2016 2020 2024


- 400 bps - 200 bps 0 bps +200 bps +400 bps +600 bps

- 400 bps - 200 bps 0 bps +200 bps +400 bps +600 bps

1.0% 3.0% 5.0% 7.0% 9.0% 11.0%

- 400 bps 45.9% $80 $91 $104 $121 $141 $168

- 200 bps 47.9% $82 $93 $107 $125 $146 $174

0% 49.9% $84 $96 $111 $129 $151 $180

+ 200 bps 51.9% $86 $99 $114 $133 $156 $186

+ 400 bps 53.9% $89 $102 $117 $137 $161 $192

Incre

men

tal ch

an

ges in

EB

ITD

A m

arg

ins

20E-26E EBITDA

Margins ˅


49.9 49.9

0

20

40

60

1996 2000 2004 2008 2012 2016 2020 2024Historical margins Forecast

Margins w/o SBC

7.75.0

(10)

0

10

20

30

1996 2000 2004 2008 2012 2016 2020 2024


Assumed long term margins of 50%1 Solved for the long term sales CAGR

required to get to current price of $111

2

Consensus

Consensus

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

191

Figure 338: Check Point Income Statement


Check Point Software (CHKP)

Income Statement

$ in Millions, except per share items

Fiscal Year End: December 31


Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17A 2Q17A 3Q17E 4Q17E Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year

Income Statement (Pro Forma)

Products and licenses 555.8 122.7 136.2 136.9 177.1 573.0 126.3 138.3 129.4 185.4 579.4 130.1 141.8 137.2 183.5 592.6

y/y change 6.5% 7.4% 3.0% 1.3% 1.8% 3.1% 2.9% 1.5% -5.5% 4.7% 1.1% 3.0% 2.5% 6.0% -1.0% 2.3%

Software Blade subscriptions 318.6 88.1 92.7 98.6 110.5 389.9 112.1 117.9 123.2 137.0 490.2 137.8 140.4 145.4 158.9 582.5

y/y change 20.9% 18.5% 21.0% 23.8% 25.5% 22.4% 27.2% 27.2% 25.0% 24.0% 25.7% 23.0% 19.0% 18.0% 16.0% 18.8%

Software updates and maintenance 755.5 193.4 193.8 192.1 199.2 778.5 197.1 202.3 197.3 204.3 800.9 203.5 208.4 205.1 211.6 828.7

y/y change 6.3% 5.2% 4.0% 1.6% 1.6% 3.0% 1.9% 4.4% 2.7% 2.6% 2.9% 3.3% 3.0% 4.0% 3.6% 3.5%

Total revenue 1,629.9 404.3 422.7 427.6 486.7 1,741.3 435.5 458.6 449.9 526.6 1,870.5 471.5 490.6 487.7 554.0 2,003.8

y/y change 9.0% 8.5% 6.9% 5.9% 6.3% 6.8% 7.7% 8.5% 5.2% 8.2% 7.4% 8.3% 7.0% 8.4% 5.2% 7.1%

Cost of products and licenses 101.1 23.0 25.1 25.2 32.5 105.9 23.9 26.2 24.2 34.9 109.1 24.6 26.8 25.8 34.0 111.1

GM on product and license 81.8% 81.2% 81.6% 81.6% 81.6% 81.5% 81.1% 81.1% 81.3% 81.2% 81.2% 81.1% 81.1% 81.2% 81.5% 81.2%

Cost of software blade subscriptions 7.6 1.8 1.9 3.0 4.1 10.8 4.1 5.3 4.1 5.8 19.4 5.4 6.3 5.1 5.2 21.9

GM on software blade Subscriptions 97.6% 97.9% 98.0% 96.9% 96.2% 97.2% 96.4% 95.5% 96.6% 95.7% 96.0% 96.1% 95.5% 96.5% 96.7% 96.2%

Cost of software updates and maintenance 76.9 19.2 20.0 20.8 20.9 80.9 20.2 20.6 22.0 22.5 85.3 21.2 21.3 22.8 23.3 88.5

GM on updates and maintenance 89.8% 90.1% 89.7% 89.2% 89.5% 89.6% 89.7% 89.8% 88.9% 89.0% 89.4% 89.6% 89.8% 88.9% 89.0% 89.3%

Total cost of revenue 185.7 44.0 47.0 49.0 57.6 197.7 48.2 52.1 50.3 63.2 213.8 51.1 54.4 53.6 62.4 221.6

Gross profit 1,444.2 360.2 375.8 378.5 429.1 1,543.6 387.3 406.4 399.5 463.5 1,656.7 420.3 436.2 434.0 491.6 1,782.3

Gross margin 88.6% 89.1% 88.9% 88.5% 88.2% 88.6% 88.9% 88.6% 88.8% 88.0% 88.6% 89.2% 88.9% 89.0% 88.7% 88.9%

Sales and marketing 340.2 88.7 101.2 98.0 110.1 398.0 102.6 108.1 107.1 122.2 440.0 112.2 118.7 118.0 131.9 480.8

% of Revenue 20.9% 21.9% 23.9% 22.9% 22.6% 22.9% 23.6% 23.6% 23.8% 23.2% 23.5% 23.8% 24.2% 24.2% 23.8% 24.0%

Research and development 131.6 37.6 38.5 39.6 42.4 158.1 40.5 40.6 39.8 47.0 167.8 44.3 45.1 44.9 48.2 182.5

% of Revenue 8.1% 9.3% 9.1% 9.3% 8.7% 9.1% 9.3% 8.8% 8.8% 8.9% 9.0% 9.4% 9.2% 9.2% 8.7% 9.1%

General and administrative 45.2 10.3 8.7 10.3 10.2 39.4 11.0 9.5 13.5 12.0 46.0 11.8 12.3 12.2 13.9 50.1

% of Revenue 2.8% 2.5% 2.1% 2.4% 2.1% 2.3% 2.5% 2.1% 3.0% 2.3% 2.5% 2.5% 2.5% 2.5% 2.5% 2.5%

Total operating expenses 516.9 136.5 148.3 147.9 162.7 595.5 154.1 158.1 160.4 181.2 653.8 168.3 176.1 175.1 193.9 713.4

Operating income (loss) 927.3 223.7 227.4 230.6 266.4 948.1 233.2 248.3 239.2 282.3 1,002.9 252.0 260.1 259.0 297.7 1,068.8

Operating margin 56.9% 55.3% 53.8% 53.9% 54.7% 54.4% 53.5% 54.1% 53.2% 53.6% 53.6% 53.5% 53.0% 53.1% 53.7% 53.3%

Interest income (expense) 34.1 9.9 11.8 12.1 10.5 44.4 10.4 11.3 10.3 10.2 42.1 10.1 10.4 10.3 10.3 41.1

Pre-tax income 961.4 233.7 239.2 242.7 276.9 992.5 243.5 259.6 249.5 292.5 1,045.1 262.1 270.5 269.3 308.0 1,110.0

Income taxes 195.1 46.6 48.8 49.2 29.7 174.3 42.0 47.6 43.7 49.7 183.0 45.9 47.3 47.1 53.9 194.2

Effective tax rate 20.3% 19.9% 20.4% 20.3% 10.7% 17.6% 17.3% 18.3% 17.5% 17.0% 17.5% 17.5% 17.5% 17.5% 17.5% 17.5%

Net income (PF) 766.3 187.1 190.4 193.5 247.2 818.2 201.5 212.0 205.8 242.8 862.1 216.2 223.2 222.2 254.1 915.7

Net margin 47.0% 46.3% 45.0% 45.3% 50.8% 47.0% 46.3% 46.2% 45.7% 46.1% 46.1% 45.9% 45.5% 45.6% 45.9% 45.7%

PF EPS $4.18 $1.06 $1.09 $1.13 $1.46 $4.72 $1.20 $1.26 $1.24 $1.48 $5.18 $1.31 $1.37 $1.38 $1.60 $5.66

Fully diluted shares 183.4 177.0 174.8 171.9 169.6 173.3 168.5 167.7 165.8 164.0 166.5 164.7 162.8 161.0 159.2 161.9




[email protected]


[email protected]

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

192

Figure 339: Check Point Balance Sheet



Balance Sheet





Current assets

Cash & cash equivalents 192.3 244.0 209.7 224.3 187.4 187.4 230.3 278.9 247.3 203.2 203.2 326.7 305.4 293.7 256.0 256.0

Marketable securities 1,091.9 1,127.0 1,117.1 1,005.9 1,185.5 1,185.5 1,237.6 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0

Trade receivables 410.8 246.7 272.6 254.7 478.5 478.5 279.1 334.0 299.0 572.5 572.5 327.1 355.5 337.3 591.0 591.0

Other receivables and prepaid expenses 85.8 47.9 44.4 44.5 41.0 41.0 69.7 87.6 86.2 91.8 91.8 75.5 93.7 93.5 96.6 96.6

Total current assets 1,780.8 1,665.6 1,643.8 1,529.4 1,892.5 1,892.5 1,816.8 2,020.6 1,952.6 2,187.6 2,187.6 2,049.3 2,074.6 2,044.5 2,263.7 2,263.7

Marketable securities 2,331.2 2,358.2 2,381.2 2,477.6 2,296.1 2,296.1 2,328.9 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5

Property & equipment, net 48.7 50.7 54.0 58.0 61.9 61.9 66.8 69.9 74.8 79.7 79.7 85.1 90.3 95.2 100.1 100.1

Goodwill & Intangible assets, net 838.0 837.0 836.1 835.1 834.2 834.2 833.2 832.3 832.3 832.3 832.3 832.3 832.3 832.3 832.3 832.3

Deferred income taxes, net 20.8 56.5 58.5 62.0 94.6 94.6 168.9 153.7 150.7 163.3 163.3 165.0 174.2 173.2 199.5 199.5

Severance pay fund 5.3 5.2 4.7 4.8 4.6 4.6 4.9 5.1 5.1 5.1 5.1 5.1 5.1 5.1 5.1 5.1

Other 45.2 40.3 37.8 36.3 33.8 33.8 31.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4

Total assets 5,069.9 5,013.6 5,016.0 5,003.3 5,217.6 5,217.6 5,250.9 5,319.4 5,253.4 5,505.8 5,505.8 5,374.6 5,414.4 5,388.1 5,638.5 5,638.5

Liabilities & shareholders' equity

Trade payables and other accrued liabilities 339.3 310.8 334.3 323.6 351.4 351.4 300.7 334.8 334.9 368.7 368.7 309.1 343.4 352.2 384.8 384.8

Deferred revenue 717.5 695.2 687.9 677.8 814.4 814.4 802.4 792.8 777.0 928.5 928.5 909.9 914.5 898.9 1,047.2 1,047.2

Current liabilities 1,056.9 1,006.0 1,022.2 1,001.4 1,165.9 1,165.9 1,103.2 1,127.6 1,111.9 1,297.1 1,297.1 1,219.0 1,257.9 1,251.1 1,432.0 1,432.0

Long-Term Deferred Revenue 188.3 188.2 204.5 210.8 251.2 251.2 260.5 271.8 271.8 319.4 319.4 319.4 324.2 333.9 380.7 380.7

Income tax accrual 283.2 302.1 306.9 324.4 300.5 300.5 317.1 341.7 335.2 363.0 363.0 343.4 365.6 363.4 381.8 381.8

Accrued severance pay 9.5 9.8 9.1 9.2 9.0 9.0 9.7 10.0 9.7 10.0 10.0 10.0 10.0 10.0 10.0 10.0

Shareholders' equity 3,531.9 3,507.3 3,473.4 3,457.5 3,491.1 3,491.1 3,560.4 3,568.2 3,524.7 3,516.3 3,516.3 3,482.8 3,456.7 3,429.6 3,434.0 3,434.0

Total liabilities & shareholders' equity 5,069.9 5,013.6 5,016.0 5,003.3 5,217.6 5,217.6 5,250.9 5,319.4 5,253.4 5,505.8 5,505.8 5,374.6 5,414.4 5,388.1 5,638.5 5,638.5




[email protected]


[email protected]

5 S

epte

mb

er 2

017

Cy

be

rsec

urity

193

Figure 340: Check Point Statement of Cash Flows



Statement of Cash Flows





Net income 685.9 167.4 165.8 169.7 222.0 724.8 182.6 188.4 181.5 215.2 767.6 192.6 196.9 196.0 226.8 812.3

D&A of property, plant and equipment 10.4 2.7 2.7 3.1 2.4 10.9 3.0 3.0 3.1 3.1 12.2 2.7 2.7 3.1 3.1 11.6

Share-based compensation expense 76.3 18.2 22.0 20.8 21.7 82.7 19.1 23.4 21.8 23.1 87.3 20.7 23.8 23.6 24.3 92.3

Realized gain on marketable securities 0.0 0.3 -1.4 -1.7 -0.1 -3.0 0.1 0.1 0.0 0.0 0.1 0.0 0.0 0.0 0.0 0.0

Amortization of intangible assets 3.6 1.0 1.0 1.0 1.0 3.9 0.9 0.9 3.3 3.3 8.4 3.3 3.3 3.3 3.3 13.0

Deferred income taxes -15.8 1.3 -2.5 -0.7 -31.6 -33.5 11.4 15.6 2.9 -12.5 17.4 -1.8 -9.2 1.0 -26.3 -36.2

Excess tax benefit from stock-based compensation -19.4 -1.1 -3.7 -3.4 -9.2 -17.4 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Decrease (increase) in trade and other receivables, net -64.8 162.9 -21.6 20.3 -218.0 -56.5 191.2 -49.2 36.4 -279.1 -100.8 261.8 -46.6 18.4 -256.8 -23.2

Increase in deferred revenues, trade payables, and other accrued expenses and liabilities241.0 -28.9 42.8 4.9 194.7 213.5 -52.8 44.1 -22.5 260.9 229.8 -97.7 65.9 0.8 246.0 215.0

Changes in operating assets & liabilities 176.2 134.0 21.2 25.2 -23.4 157.0 138.4 -5.1 13.9 -18.3 128.9 164.1 19.3 19.2 -10.8 191.8

Net cash provided by operating activities 917.1 323.7 205.0 213.9 182.7 925.4 355.4 226.3 226.4 213.9 1,022.0 381.5 236.7 246.3 220.4 1,084.8

Purchase of property, plant and equipment -17.3 -4.7 -5.9 -7.1 -6.3 -24.1 -8.0 -6.1 -8.0 -8.0 -30.1 -8.0 -8.0 -8.0 -8.0 -32.0

Net cash used by investing activities -113.9 -4.7 -5.9 -7.1 -6.3 -24.1 -8.0 -6.1 -8.0 -8.0 -30.1 -8.0 -8.0 -8.0 -8.0 -32.0

Proceeds from issuance of shares upon exercise of options 102.9 16.2 17.4 46.3 49.4 129.2 24.4 39.3 63.7 0.0

Purchase of treasury shares -985.7 -247.3 -245.7 -247.0 -248.0 -987.9 -247.9 -248.0 -250.0 -250.0 -995.8 -250.0 -250.0 -250.0 -250.0 -1,000.0

Excess tax benefit on stock options 19.4 1.1 3.7 3.4 9.2 17.4 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

Payments related to shares withheld for taxes -2.6 -0.2 -3.9

Net cash used by financing activities -863.5 -230.0 -227.2 -197.3 -189.4 -841.3 -223.7 -212.5 -250.0 -250.0 -932.1 -250.0 -250.0 -250.0 -250.0 -1,000.0

Unrealized gain on marketable securities, net -11.4 24.7 6.9 -9.6 -25.9 -3.9 4.0 2.0 0.0 0.0 6.0 0.0 0.0 0.0 0.0 0.0

Net increase/decrease in cash and cash equivalents -71.7 113.8 -21.2 -0.1 -38.8 56.2 127.7 9.6 -31.6 -44.1 65.7 123.5 -21.3 -11.7 -37.6 52.8

Ratios

Depreciation and amortization % of previous Q PPE on BS 5.3% 5.0% 5.3% 3.9% 4.5% 4.3% 4.3% 4.3% 4.3% 4.3% 4.3% 4.3%

Free Cash Flow

FCFE 899.7 319.0 199.1 206.8 176.5 901.4 347.5 220.2 218.4 205.9 991.9 373.5 228.7 238.3 212.4 1,052.8

Interest income (expense), net 34.1 9.9 11.8 12.1 10.5 44.4 10.4 11.3 10.3 10.2 42.1 10.1 10.4 10.3 10.3 41.1

Effective Tax rate 22% 21% 23% 22% 12% 19% 17% 19% 19% 19% 19% 19% 19% 19% 19% 19%

UFCF 873.0 311.2 189.9 197.4 167.2 865.5 338.9 211.0 210.1 197.6 957.7 365.3 220.3 229.9 204.1 1,019.6

Diluted shares outstanding 183.4 177.0 174.8 171.9 169.6 173.3 168.5 167.7 165.8 164.0 166.5 164.7 162.8 161.0 159.2 161.9

UFCF per share $4.76 $1.76 $1.09 $1.15 $0.99 $4.99 $2.01 $1.26 $1.27 $1.21 $5.75 $2.22 $1.35 $1.43 $1.28 $6.30




[email protected]


[email protected]

5 September 2017

Cybersecurity 194







Figure 341: Check Point PEERs


5 September 2017

Cybersecurity 195

Appendices

Appendix I: The HOLT® Framework Overview

The HOLT Valuation Framework is based on two fundamental principles:

■ The market pays for economic (cash) performance and not accounting

performance.

■ The value of a company is determined by its discounted future cash flows over

its life cycle.

The HOLT methodology uses a proprietary performance measure known as Cash Flow

Return on Investment (CFROI®).

HOLT uses CFROI to estimate future cash flows and applies a unique notion of life cycle

fade to reflect the position of any individual company on its industrial life cycle.

Figure 342: HOLT metrics


Cash Flow Return on Investment (CFROI®)

Why use CFROI? Accounting statements often present a distorted view of underlying

economic performance. In order to better define a cash measure, HOLT's economic

CFROI corrects for the distortions found in traditional accounting-based measures of

performance by adjusting for inflation, off-balance sheet assets (e.g., leased property),

depreciation, LIFO & FIFO accounting, asset mix, asset holding gains or losses, asset life,

acquisition accounting, deferred taxes, pensions, investments, revaluations, special

reserves, research & development, and others.

As a result, CFROI provides comparability over time, among companies, and across

industries and national borders. This proprietary measure focuses on the cash economics

of businesses. Once the economics of the company are understood, we can more

accurately determine value by taking into account expected future cash flows, asset

growth rates, discount rates, and life cycles.

HOLT's CFROI is calculated in two steps. First, compare the inflation-adjusted (current

dollar) cash flows available to all capital owners in the company to the inflation-adjusted

(current dollar) gross investment made by those capital owners.

Next, translate the ratio of gross cash flow to gross investment to an internal rate of return

(IRR) by recognizing the finite economic life of depreciating assets and the residual value

of non-depreciating assets such as land and working capital. The process is identical to

calculating the yield to maturity for a bond. As a percent per year IRR, CFROI is directly

comparable to the return investors expect to receive (i.e., the cost of capital or discount

rate).

Accounting Cash Value

Income Statement

Balance Sheet

EPS, ROE, ROCE

Cash Flow Return on

Investment (CFROI)

Economic Performance

CFROI

Asset Growth

Life Cycle Fade

Discount Rate

5 September 2017

Cybersecurity 196

Figure 343: CFROI® Captures Economic Performance


Figure 344: CFROI® Formula in Detail


5 September 2017

Cybersecurity 197

Value Creation

Companies can create wealth for shareholders by making the right decisions with respect

to CFROI and asset growth.

Wealth is created when companies:

■ Improve CFROI

■ Grow assets when CFROI is above the discount rate (positive spread)

Shrink assets when CFROI is below the discount rate (negative spread)

Figure 345: Managing for Shareholder Value


Economic Profit

The economic profit formula underpins the value creation principle.

Economic profit (EP) is the amount of value a firm creates over a specified period, typically

annual. It is proportional to the spread between a company’s return on capital and cost of

capital.

If a firm is meeting its cost of capital, its EP is zero. Growth into projects that earn below

the cost of capital destroys shareholder value, and these projects should be rejected.

Growth at the cost of capital is value neutral. The HOLT EP is simply the economic spread

multiplied by assets if CFROI is specified as the return on capital.

Economic Profit = (return on capital – cost of capital) x invested capital

HOLT Economic Profit is calculated as =

(CFROI® – HOLT discount rate) x inflation adjusted gross investment

HOLT Valuation

The HOLT valuation model, at its foundation, is a type of DCF (discounted cash flow)

model. Among the model’s distinguishing features, along with the CFROI metric, is the

way by which the forecast stream of net cash receipts (NCRs) is generated and the

method by which the firm’s discount rate (DR) is estimated.

From a beginning asset base, key variables that drive the forecast NCR stream are

variables that actually generate cash flows namely, economic returns (CFROIs),

reinvestment rates (growth), and their expected patterns of change over time due to

competition (fade). The competitive life cycle is covered below.

5 September 2017

Cybersecurity 198

The discount rate is the rate of return investors demand for making their funds available to

the firm. DRs used in our model are real rates, not nominal rates, so they are consistent

with CFROIs. The DRs are also consistent with other aspects of our model, since base

DRs are mathematically derived from known market values and from NCR streams

consistent within our model. Adjustments (positive or negative) to the base rate are made

for company-specific financial and liquidity risk characteristics.

The result of discounting the NCRs at the market-derived DR is what is referred to as a

warranted value or warranted price. Essentially, this is the valuation that results (or is

"warranted"), given the default (or users’ own) assumptions built into the forecast and the

resulting present value of the NCRs plus the value of any non-operating investments.

Figure 346: Major Components of the HOLT Valuation Model


Warranted

Price

creates

+

+

–

–

÷

NPV of Existing Assets

NPV of Future Invests

NPV of Net Cash Receipts

MV of Non-Op. Assets

Total Enterprise Value

MV of Debt

Total Equity Value

Minority Interest

Common Equity Value

Adjusted Shares

Com Equity / Share

n

t=1

= Σ

Revenue Growth

Operating Margins

Asset Turns

Net Cash Receipts

(1+Disc. Rate) t

Country Base Rate

Size Differential

Leverage Differential

Growth

CFROI

Fade

Asset Base

5 September 2017

Cybersecurity 199

Figure 347: How to Read a HOLT CFROI Chart


Long-term level of returns

on capital required to

validate today’s

market value

Country market implied

discount rate adjusted for

company’s leverage and size

T+1 and T+2 returns on

capital forecasts based on

IBES consensus estimates

Adjusted historical returns on

capital based on HOLTs

proprietary framework

Market implied CFROI

CFROI Forecast

Historical CFROI

Market derived

discount rate

1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

Superior performance metric Market-calibrated valuationMarket Derived Discount Rate

CFROICash flows

Capital investment

Future value

Total Market

Value

=

(1 + DR)

Solve

Forecast

FCF

Forecast

CFROI is a cash-based return on capital metric that improves comparability of corporate performance across companies, geographies and time

Forecasted FCF calibrated to current

market values through observed, market implied discount rate

Calibrate future CFROI and growth rates embedded in the current stock price

The HOLT discount rate is forward-looking, derived from observed market valuation, and accurately reflects current investors’ risk appetite

Discount

rateFuture performance implied by

today’s stock price

Historical

returns

Competitive Lifecycle & fade

Empirically derived terminal value recognises competitive life-cycle of returns and growth (mean reverting fade concept)

Cumulative probability approximates

the likelihood of achieving future returns given the past return profile

Fading Turnaround?Mature

CFROI

Reinvestment

Growth

Discount

rate

5 September 2017

Cybersecurity 200

Appendix II: Additional Drivers of Security Spending Regulation Is Catalyzing Action

GDPR, and Its Ramifications, Is Top of Mind

A firm's security postures are increasingly in the regulatory spotlight. From existing and

well understood federal regulations such as HIPPA and FISMA, to the New York

Cybersecurity Regulations for Financial Institutions that recently entered into effect and the

General Data Protection Regulation that will enter into law in Europe next year, regulators

are focused on cyber safety.

At the top of many investors' minds is GDPR, which has been billed as the biggest change

to data privacy laws in 20 years. We think GDPR is worthy of specific examination, as its

attempts to enforce data privacy and empower citizens as custodians of their own data are

considered by some commentators (LA Times) as leading and, therefore, may act as a

guide toward potential future regulation more broadly. Professor Daniel Solove, for

example, has written 'the EU has been leading the debate on data protection. Nobody

ignores the EU … [which] has established itself as a formidable thought leader in this area,

and its regulation really does have a significant impact … Global companies follow EU

privacy law, using EU definitions of personal data more than US definitions. Other

countries pattern their laws much more on the EU than on the US.'

GDPR comes into law on the 28th of May 2018 – note that the text was actually first

proposed in 2012, and the regulation has been 'in force' since 25th May 2016. This is

customary with EU legislation, where there is a two-year period between when the

regulation is agreed and published in full, and when it becomes binding for member states.

Figure 348: GDPR Implementation Timeline


While this does mean that the full details of GDPR have been available to organizations

and the market for some time, it does not mean that enterprises are ready for the

regulation to become binding. Transitionary periods often result in lack of action.

Examples of this historically include PSD2 – The European Payments Directive – which

our European counterpart Charlie Brennan notes is still surrounded by great uncertainty,

20152012Spring

2014Spring

20162016

20172018

European Commission

publishes the

legislative proposal

Separate negotiations

within Parliament and

European Council

EP reaches

agreement

Negotiations and

approval among

the 3 institutions

Council

Agreement

Adoption of

regulation

Two-year

implementationRegulation in

effect

http://www.latimes.com/opinion/op-ed/la-oe-rule-nsa-privacy-european-union-20140513-story.html

5 September 2017

Cybersecurity 201

despite the fact that it entered into force more than six months prior to GDPR (on the 12th

January 2016). Another example, even closer to home for the global investment

community, is MIFID2 – The Markets in Financial Instruments Directives – which will

mandate the unbundling of research and commission spending. Both the buy- and

sell-side continue to be engaged in unresolved pricing discussions despite the fact MIFID2

will enter into force in early January next year.

Figure 349: Google Trends Interest in PSD2 May Indicate Lack of Preparedness


In the context of these comparisons its actually important to note that that a regulation (like

GDPR) is actually more severe than a directive (MIFID and PSD2). This is because a

regulation becomes immediately applicable to all EU member states without the need for a

nationally implemented legislation

GDPR Preparedness Remains Low

NetApp's survey of 750 CIOs, IT managers, and C-suite executives in April 2017 gives

some indication as to the level of preparedness for GDPR. The findings suggest that

preparedness for GDPR remains relatively low. Only 34% of respondents believed

themselves to have a good, or full, understanding of GDPR – this was reflected in the 35%

of respondents who considered themselves to be fully complaint; interestingly, this implies

that some senior decision makers in complaint organizations lacked a full understanding of

GDPR. Perhaps most extraordinary, 10% of respondents were fully unaware of GDPR.

5 September 2017

Cybersecurity 202

Figure 350: Understanding of GDPR Among

Respondents Was Surprisingly Low

Figure 351: Only 35% of Respondents Believed

Themselves to Be Fully Complaint


Key Aims of GDPR

The key aims of GDPR focus around creating a unified regulatory approach to data

security and consent. The ultimate aim of returning control of their personal data to the

citizens of the EU is to be achieved by both procedural standards for activities such as

breach reporting, increasing oversight by mandating the appointment of data protection

officers, as well as empowering the individual by enforcing a right to erasure.

The scope of the regulation is 'all EU citizens', this means there is no territorial scope, all

organizations resident in the EU are subject to these regulations, as are any organizations

outside of the EU that are in possession of the data of EU subjects. Thus, this captures

non-EU businesses with websites directed toward EU (advertisers, ecommerce, social

networks etc.). Anyone offering goods or services, even for free, will be subject to GDPR.

The key changes that will be enforced are as follows:

■ Increase Security Breach Reporting: Any security breach must be flagged to the

supervisory body within 72hrs.

■ Mandatory Data Protection Officer: All public bodies and businesses that meet some

criteria (handle lots of personal data) must appoint a data protection officer (chief

privacy officer).

■ Data Processors & Vendor Management: There are increased obligations for

processors that makes them more liable for breaches, including more detailed records

of processing activities.

■ Elevate the Threshold for Consent: THIS will make it harder to collect data from

individuals, as it requires consent to be more explicit – ‘specific, informed, freely given,

unambiguous’.

■ Enhanced Individual Rights: Individuals have a right to be forgotten; it also allows for

data portability and restriction of processing.

Those in breach of these new rules following the regulations entry into force will be subject

to material penalties. For serious breaches, firms will be liable for €10 million, or 2% of

total worldwide annual turnover (whichever is greater), and for very serious breaches €20

million, or 4% of total worldwide annual turnover (again, whichever is greater). The only

bodies exempt are law enforcement and intelligent agencies.

9%

47%

29%

15%

I do not know what GDPR is

I have some understanding of GDPR

I have a good understanding of GDPR

I fully understand GDPR

66% of respondents do not have a good

understanding of GDPR

35%

49%

14%

2%

We have made preparations and arecompliant

We have made preparations but arenot compliant

We have not made any preparations

I don't know what preparations weneed to make

65% of respondents are not compliant withGDPR

5 September 2017

Cybersecurity 203

Data from the Ponemon Institute's 2016 cost of data breach study show how much

progress needs to be made before firm's are capable of complying with GDPR's security

breach reporting standards. On average, their sample took an average of c200 days to

identify a data breach, with a range of between 20 and 569 days.

Figure 352: The Mean Time to Identity

a Breach Is over Six Months…

Figure 353: A Breach Costs More If It

Takes Longer to Identify

Time, days Cost given mean time to identify, $

Source: Ponemon institute, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

The Key Impacts of GDPR

GDPR is likely to catalyze a review of firm's security posture across the spectrum – we

imagine this review will span governance, control, organization, processes, sourcing, and

technology. As has been demonstrated, preparedness and the level of understanding and

knowledge around GDPR is mediocre at best, but we expect the key impacts to be:

■ A Mindset Shift in Data Compliance/Security Budgets

Will this change budgetary thinking in enterprises both large and small? It would seem

logical there may be more resources to chief data officers, chief privacy officers, etc. The

large penalties for data breaches may enhance the fear of breach at the firm level and

change perspectives around security budgets; the potential for higher investment in

security across the network would seem a logical conclusion.

■ Onus on the Processors – Impact on Cloud?

While data creators used to carry burden of legal compliance, GDPR expands the scope

to processors as well. Until now, some cloud deals have been characterized by the data

creator/controller failing to exert controls over how the data is processed by the processor.

GDPR shares responsibility equally with the processor, making them more accountable;

this may raise the cost of compliance for processors, and may change some firm’s cloud

strategy:

70

201

Mean time to containMean time to identify

$3.23

$4.38

<100 days>100

5 September 2017

Cybersecurity 204

Figure 354: The Impact of GDPR on Public Cloud Investment


■ SME Impact, Likely to Catalyze Spend

Larger organizations tend to have grappled with issues around data privacy and security

more than smaller firms simply by virtue of having been targeted more by malicious actors.

This seems to be changing. Recent attacks such as Wannacry hit SMEs too and are

reflective of the rise of ransomware attacks – which really scare the average SME. This

pressure together with GDPR may be a catalyst to fundamentally change the SME mind-

set toward data privacy and security.

Safe Harbor Invalidation – What Does This Mean for US/EU Data Sharing? More

Strict Safe Harbor 2.0 Likely – This Will Impact US Firms

Both the GDPR and the regulation it supersedes have stipulations around the level of

protection countries must mandate for data to be transferred out of the EU. Neither

legislation deemed the US to provide an adequate level of protection under EU law. (The

US was considered too focused on self-regulation and too fragmented in approach to

privacy law by EU regulators.) The solution historically was the Safe Harbor Arrangement

that was negotiated to continue to allow personal data flows between the EU and US, but

that was invalidated earlier this year.

The bottom line here is that a Safe Harbor 2.0 must be negotiated at some point. Experts

seem to think this is likely to involve concessions on the US side (the EU is considered

thought leader in data privacy/protection), and therefore, Safe Harbor 2.0 is likely to be

stricter, involving higher costs for firm’s to comply.

Attacks Move Down Market

Driving Mid-Market Spend, Increasing Competition and Pricing Pressure

While breaches of global banks, government entities, and other high-profile institutions

receive the most media attention, smaller businesses and individuals are increasingly

being targeted. According to Microsoft, more than 20% of small to mid-sized businesses

have been targets of cybercrime, and Barclaycard research suggested that 48% of SMBs

fell victim to at least one cyber-attack in 2015, and 10% were targeted more than once.

We think this phenomenon is here to stay and will have a significant impact on the shape

of a market that has historically been underpenetrated at the small and mid-sized

enterprise level.

50%

37%

25%21%

18%

6%

We will continue to investinto public cloud servicesand ensure compliance

with data regulationrequirements like GDPR

We are investing moreresources into data

regulation compliance

We are considering scalingback our public cloudservices investment

We have hired specificpersonnel with expertise in

data protection

We have already startedlowering our public cloud

services investment

We do not think GDPR hasbeen or will be a majorinfluence on our cloud

strategy

43% of respondents suggested that GDPR would result in a scale back of Public Cloud investment

5 September 2017

Cybersecurity 205

In an analysis of the UK cyber security market, a UK government paper written by Pierre

Audoin Consultants identified SMEs as a market with low IT security penetration but with

significant barriers to entry. Without sufficient security adoption, preventative internal

procedures, or experience to provide in-depth understanding of online threats, smaller

businesses must often rely on relatively simplistic but notably low- or no-cost bundled soft

These weaknesses are increasingly exploited by targeted ransomware: in a 2016 report by

PhishMe analyzing over 2,500 phishing attacks, ransomware composed 90% of all

identified malware payload URLs, costing victims more than $1 billion. Moreover, the

average ransom demanded in 2016 grew to $1,077, up from just under $300 only a year

before. The number of new ransomware families tripled to 101, while SYMC logged a 36%

increase in ransomware infections.

Figure 355: The Number of Ransomware Variants—

Historically Fairly Stable—Increased 30-Fold in 2016

Figure 356: Average Ransom Paid Has Spiked as

Variants, Volumes and Victims of Ransomware Rise

Average Ransom Paid Per Victim ($)

Cumulative Ransomware Variants

Source: Proofpoint 2016 Q4 Threat Summary, Credit Suisse estimates. Source: Symantec, Credit Suisse.

This increase in average ransoms may be due to the increasing sophistication of malware

delivery. Notably, a significant portion of phishing attacks in 2016 still used longstanding,

time-tested tactics such as remote-access Trojans and keyloggers—methods that are not

difficulty to eliminate, per se. What has changed, however, is that ransomware approaches

have increasingly adopted a quiet malware strategy, which involves infiltrating the victim to

assess their behavior for a period of time and subsequently tailoring ransoms based on

their individual abilities to pay for re-access to critical data.

Given the above-mentioned behaviors and growth trends of ransomware, we believe that

small and medium businesses are especially susceptible and will be an area of relative

growth for security spending. A June 2017 survey conducted by Osterman Research and

sponsored by Malwarebytes found that, among more than 1,000 SMB respondents, 35%

were victims of ransomware. More importantly, more SMBs stated that ransomware

prevention should rely on technology than those who prefer personnel training. Yet, as

previously mentioned, the popularity of bundled security software as the primary defense

for SMB users may explain the preference for technology over education and protocols.

This further suggests, however, that a growing need for more sophisticated security

technology is forthcoming.

While about 33% of SMBs in the Malwarebytes survey claimed to have been using

anti-ransomware technologies, roughly 33% have also experienced a ransomware attack

in the past year—of which 27% did not know the endpoint source of the ransomware at the

time of attacks, but results of later investigations often turn out to be malicious emails.

According to Proofpoint’s 2016 Threat Report, 15% of documented business email

2016 2017

$373

$294

$1,077

0

200

400

600

800

1,000

1,200

2014 2015 2016

5 September 2017

Cybersecurity 206

compromises (BECs) occur businesses employing less than 5,000 people, due to fewer

resources to mitigate such threats.

Although a need for greater security technology and procedures may be apparent among

SMBs, what suggests that they will actually spend more? Of ransomware infections, 90%

resulted in more than one hour of downtime, while 16% caused 25 hours or more of

downtime—a result of either an understandable stubbornness to pay ransoms, an inability

to identify and contain breaches, or both.

Results from a 2017 Imperva survey indicate that downtime from ransomware can cost

anywhere from $5,000 to $20,000 in lost business and damages, with 27% believing that

the amount could be over $20,000 a day.

Figure 357: Increase Costs of Ransomware May Drive Significant Increase in

Security Needs for SMBs

Estimated Aggregate Annual Costs to SMBs of Ransomware-Induced Downtime, Varied by Daily Cost of Downtime ($billions)

Source: Gartner, Imperva Rise of Ransomware Survey, Malwarebytes State of Ransomware Among SMBs Survey, U.S. Census Bureau, Credit Suisse estimates.

A Growing Need for Security Among SMBs Brings Heightened Competition…

Using IDC revenue data to estimate the Herfindahl-Hirschman Index (an indicator of

competition) for each segment (defined by price band) that IDC tracks reveal substantially

more competition in the mid-range and volume segments of the market. Not only are there

more players, but we have been hearing of more competitiveness as players such as

WatchGuard and SonicWALL have made significant strides more recently.

0.0

2.0

4.0

6.0

8.0

10.0

12.0

14.0

16.0

2016 2017 2018 2019

$20,000/day

$12,500/day

$5,000/day

5 September 2017

Cybersecurity 207

Figure 358: The Midrange and Volume Segment of the Market Are Substantially

Less Consolidated (and Therefore Competitive) than the High End

Herfindahl-Hirschman Index, 4Q moving average


…and Competition Brings Pricing Pressure

We believe consolidation translates to pricing power, and vice-versa. Therefore, we expect

higher levels of competition in the mid-end and volume markets to translate into higher

price competitiveness. Looking at the Volume market ASP relative to the five largest

market players suggests that while there hasn’t been broad based pressure, pricing has

come down for the five largest in aggregate.

Figure 359: Pricing for the Five Largest Players Appears to Have Been Slightly

More Pressured Relative to the Market as a Whole

ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)


If we look at pricing across the product spectrum for the five largest vendors since 2010, a

weakness in volume is apparent relative to the high end. While the mid-range hasn’t been

weak, per se, it has been weaker than the high end since 2014.

0.00

0.05

0.10

0.15

0.20

0.25

2002 2004 2006 2008 2010 2012 2014 2016

High end, 4Qma Midrange, 4Qma Volume, 4Qma

1,000

1,300

1,600

1,900

2,200

2,500

2,800

1,000

1,200

1,400

1,600

1,800

2,000

2,200

2003 2005 2007 2009 2011 2013 2015 2017

Volume ASP Volume ASP (CHKP, PANW, FTNT, JNPR, CSCO)

5 September 2017

Cybersecurity 208

Figure 360: Pricing Has Been Strongest in the High End, Slightly Weaker in the

Mid-Range, and Weakest in Volume

CHKP, PANW, FTNT, JNPR, CSCO ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)


Cybersecurity threats are especially of concern for small and mid-size businesses, with

insufficient endpoint security and preventive personnel training. Although smaller business

are relatively—albeit only slightly—less concerned about such threats, the rapid increase

in sophistication and sheer volume of malware will likely create greater urgency for

security spending among SMBs.

0.6

0.7

0.8

0.9

1.0

1.1

1.2

2010 2011 2012 2013 2014 2015 2016 2017

Top-5 High-End ASP Top-5 Mid-range ASP Top-5 Volume ASP

5 September 2017

Cybersecurity 209

Figure 361: Software SoundBytes on Attacks Moving Down Market


Software SoundBytesSMB security

Brad Zelnick

(212) 325 6118

[email protected]

“The cheaper lines (850s and 220s) are selling very well into mainly net new customers, but

also branches… The 220 is 1700 USD, and only costs 46USD after year one.”

“Hackers are getting more strategic, initially they spent the most of their time in large institutions,

now they are industrializing themselves and automating themselves into smaller businesses and

we are seeing lots of ransomware at SMBs.”

“Ransomware is agnostic and blind, and therefore attacks SMEs with impunity”

“The mid-market in Asia is largely not migrated from FW to NGFW (outside of

Tokyo the majority of Asia is MM) in his view 70-80% are on firewall not NGFW”

“The key is you need to know what is on the network to protect the network. Tanium’s hygiene checks found

the average environment had 12-20% more endpoints than previously known; 5-20% of these had failing or

non-existent endpoint agents, 60% were missing critical patches, and 90% missing at least one patch.”

“2-years ago we saw 90-95% physical appliances, today adoption of virtual

appliances in small and medium sized enterprises is as much as 30-35%”

5 September 2017

Cybersecurity 210

Connected Security

Continued Increases in Connectivity to Drive Threats

During the initial stages of data networking, organizations adopted data networks to

connect a limited number of computers within close proximity, allowing users to share

simple, common services (e.g., file servers and printers). In these local area networks

(LANs), the majority of traffic resided within the network and remain local to a specific part

of the organization. However, with widespread Internet usage, the proliferation of

client-server, Web-tier, and SaaS applications; distributed architectures; and the adoption

of new bandwidth-intensive applications, the majority of traffic traverses the boundaries of

the LAN to networks outside of the LAN, thereby increasing the risk exposure of enterprise

networks.

The pervasiveness of computing by businesses, organizations, and individuals, as well as

the Internet’s ability to interconnect computing devices to enable widespread

communication, has given rise to immense growth in data communications. For example,

Cisco Systems estimates that the number of connected devices worldwide will rise from 15

billion today to 50 billion by 2020. Intel is even more aggressive, claiming that over 200

billion devices will be connected by 2020. Although smartphones are the most visible

connected device, the number of cars connected to the Internet worldwide is expected to

grow more than six fold to 152 million in 2020, smart thermostats are expected to have

43% adoption in the next five years, and nearly half of U.S. consumers plan to buy

wearable technology by 2019.

Each application, operating system, and device introduced to a network contains

additional vulnerabilities that may be exploited by an unauthorized user. To adequately

secure a network, IT managers must have the resources to not only correctly configure the

security measures in each system but also to understand the risks created by any change

to existing systems on the network. Exacerbating this situation is the limited supply of

personnel knowledgeable in information security issues. These factors create a need for

enterprises to protect the information stored in their open computing environment and also

to protect the information when transmitted via the Internet. A failure to protect such

information could result in business disruption and significant financial loss. Adding to the

challenge of the sheer volume of Internet-connected devices, the majority of the new

technological devices operate across shared platforms and systems—meaning a single

security flaw can affect a wider range of technologies than ever before.

In addition to providing network connectivity through a corporate campus LAN, remote

network connectivity is increasingly viewed as a mission-critical function for enterprises,

and we believe that corporations will increasingly look toward technologies that enable

mobile workers to securely gain access to a full array of corporate resources. In fact, the

remote worker population has been increasing dramatically. For example, IDC estimates

the US mobile worker population will continue to grow over the next five years, increasing

from 96.2 million in 2015 to 105.4 million mobile workers in 2020, which would account for

three quarters (72.3%) of the total US workforce.

In the end, increased connectivity creates added risk exposure for corporations,

governments, and individuals. As a result, enterprise will need to invest in IT security

technologies to mitigate the potential cost of IT security incidents due to this increased

connectivity. We therefore believe that IT security companies that can successfully

mitigate risks to enterprise, government, and home systems are poised to benefit, as

attention to IT security driven by the exponential growth in connectivity increases.

5 September 2017

Cybersecurity 211

Figure 362: Software SoundBytes Regarding Connected Devices


Software SoundBytesConnected Devices

Brad Zelnick

(212) 325 6118

[email protected]

“How often are connected devices inspected? Not often. What function do they perform?

Limited. So the fact half their processing power is taken over isn’t important or noticeable.”

“Connected refrigerator manufacturers know all there is to know about the science of cooling, but

what do they know about security – why should they?”

“In this battlefield there is a deadly and ignorant opponent – these IOT devices, and

no way to make the owners even interested in discovery.”

“The key difference between a connected device and a computer is that if your computer becomes

infected you are motivated to do something, if your connected refrigerator gets infected, but it still

keeps food cool, do you care about your refrigerator being part of a DDOS attack?”

“Connected device manufacturers buy off the shelf hardware and off the shelf software; and they

cobble it together fast, because they want to be first out the door with the product. So we have all

these companies putting unprotected computers out into the wild.”

“I had a security team come to inspect my home, and it had been totally breached…

my Wi-Fi enabled wine cooler was breached… When you come home you have

nobody watching your walls… When I was compromised cost me 37,000 dollars to

re-secure”

5 September 2017

Cybersecurity 212

Appendix III: Who Are Those Guys? Hackers play a central role in the IT security landscape, are a diverse population, and

engage in hacking for a variety of reasons. Some hack out of criminal motives; some hack

to satisfy their egos or gain peer recognition; and others hack out of curiosity and for

intellectual stimulation.

Some hack alone, and some hack in groups, and they do so from all over the world.

Interestingly, there appears to be some regional roots in hacking preferences—with

Vietnamese often targeting ecommerce, Eastern Europeans predominantly attacking

financial institutions, and Chinese focusing on intellectual Property. (A Look Into the

Hacker Landscape, Debraj Ghosh, PhD, MBA, Senior Product Marketing Manager, Threat

Protection, Office 365 at Microsoft.) Regardless of motives or characteristics, hackers tend

to be classified into two groups: (1) black hats (malicious hackers) and (2) white hats

(ethical hackers).

Black Hats: Know Thy Enemy

In The Art of War, Sun Tzu, the renowned Chinese military strategist, opined, “If you know

the enemy and know yourself, you need not fear the result of a hundred battles. If you

know yourself but not the enemy, for every victory gained you will also suffer a defeat. If

you know neither the enemy nor yourself, you will succumb in every battle.” While the

underlying intention of this quote is likely to remind the reader that knowing one’s own

strengths and weaknesses is of critical import, cognizance of one’s enemy is also vital.

Within the context of cybersecurity, not only are number, sophistication, and cost of

breaches increasing, but the threat to critical IT systems is emanating from an increasing

number of “enemies,” including hostile governments, terrorist groups, disgruntled

employees, and malicious intruders. The following table is an excerpt from NIST 800-82,

Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System

Security provides a description of various threats to control system networks:

Figure 363: United States Government Accountability Office (GAO) Threat Table

Source: Government Accountability Office (GAO), “Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434.”

Threat Description

Bot-network operators Bot-network operators are hackers; however, instead of breaking into systems for the challenge or bragging rights, they take over multiple systems

in order to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made

available in underground markets (e.g., purchasing a denial-of-service attack, servers to relay spam, or phishing attacks, etc.).

Criminal groups Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups are using spam, phishing, and spyware/malware to

commit identity theft and online fraud. International corporate spies and organized crime organizations also pose a threat to the United States

through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent.

Foreign intelligence services Foreign intelligence services use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are

aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a

significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power - impacts that

could affect the daily lives of U.S. citizens across the country.

Hackers Hackers break into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a

fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim

sites. Thus while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency,

the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the

worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.

https://www.linkedin.com/pulse/look-hacker-landscape-debraj-ghosh-phd-mba

https://www.linkedin.com/pulse/look-hacker-landscape-debraj-ghosh-phd-mba

5 September 2017

Cybersecurity 213

Figure 364: United States Government Accountability Office (GAO) Threat Table continued

Source: Government Accountability Office (GAO), “Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434.”

Regardless of threat classification, the black hat hacker is the most fundamental element

in any IT security breach. Therefore, in order to better understand the nature of cyber

threats, we believe hackers’ motives and phycology profiles must be better understood.

Expert SoundBytes

Interview with Dr. Gráinne Kirwan

Q: Could you walk through how criminological and forensic psychological theories have

evolved to explain what motivates and characterizes offenders?

A: We are fortunate to have a wide range of existing theories in both criminology and

forensic psychology which can help us to understand cybercriminal offenders. As many of

these theories were developed with a wide range of criminal activities in mind, some are

easily adapted to cybercrime. For example, while the specific traits of cybercriminals can

vary, the broad facets of trait theories are still applicable to online crime.

Social learning theory is also still expected to have a significant role in explaining the

motivations of offenders, although it must be considered that the others who the potential

offender is learning from may not be part of their offline lives, and the potential offender

may not even know their true identities.

Other types of criminological theories, such as geographical theories, have needed

greater adaptation to online crime, due to the lack of physical borders and geographical

constructs online. Nevertheless, we can still see how related theories, such as Routine

Activity Theory, may have applicability to cybercrime based on the types of online

activities and ‘locations’ which offenders may regularly engage in or attend.

Finally, it is also possible to draw on many other theories from psychology, such as

cognitive theories, which can provide insights into many aspects of human behavior,

including cybercrime.

Q: According to your research, there are multiple factors influencing offenders.

Could you highlight the most important factors and

why these variables have the most influence?

Threat Description

Insiders The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer

intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal

system data. The insider threat also includes outsourcing vendors as well as employees who accidentally introduce malware into systems.

Phishers Individuals, or small groups, who execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also

use spam and spyware/malware to accomplish their objectives.

Spammers Individuals or organizations who distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes,

distribute spyware/malware, or attack organizations (i.e., denial of service).

Spyware/malware authors Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several

destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH

(Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster.

Terrorists Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the

U.S. economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds

or gather sensitive information.

5 September 2017

Cybersecurity 214

A: The factors influencing offenders can vary according to the type of offender. For

example, peer influence in the form of social learning is thought to have an important

influence on some types of offending, such as copyright infringement. However, this may

have less influence on other types of offences.

It is possible that offenders may feel less inhibited online than offline, and may not

identify the boundary between criminal and non-criminal behavior as clearly when using

Internet technologies as when they are offline.

It can be easy for an individual to employ cognitive distortions to persuade themselves

that what they are doing is not really criminal in nature, or to consider a criminal action to

be acceptable when they cannot identify their victim or see their victim’s reaction. While

popular television programs often portray psychodynamic or personality traits as being

key to influencing offenders, in reality it can be difficult to determine a close relationship

between these factors and offending behaviors – many who exhibit these factors do not

offend, while many who offend do not exhibit these factors.

In practice, it can be more useful to consider the cognitive reasoning of offenders – how

do they make decisions; what influences them when deciding to commit a crime or not;

what factors do they consider; what errors do they make in perception/decision

making/problem solving. Not only are these more reliable indicators of potential offending

behavior, but they also permit an organization to design systems which are less

appealing targets, or which are more difficult to infiltrate.

Q: How should other factors, such as the socio-economic status, family status, peer

relationships, and biology, be considered?

A: There are many factors which have broadly been identified with higher risk of

criminality – these include family composition, socio-economic status, peers, and

biological factors, including neural structures, neurotransmitters, genetics, and hormones.

At the moment, it is unclear how much many of these factors contribute toward

cybercriminal activity. Nevertheless, peer factors, particularly in relation to social learning,

has been identified as important in activities such as copyright infringement and

hacktivism.

At a very high level, relative deprivation on a global scale has been linked to online fraud,

particularly advance fee fraud. As so many of these factors have been closely linked to

criminality generally, it would be prudent to consider them as potentially important factors

in cybercriminality, even if exact links have not been consistently identified or examined

for all types of cybercrime.

Q: In the late 1990s, the activities of hackers were often characterized as the digital

version of spray-painting (“tagging”) a wall or teenage rebelliousness. Since

this time, how has the emergence of even more-malicious bad actors,

such as criminal organizations, hacktivists, and nation-states,

altered the psychology and motives of offenders?

A: It is often tempting to reminisce about earlier times as being less dangerous than

contemporary life. Across many aspects of criminology, it has been noted that people

perceive the world of approximately 20 years ago to be considerably safer than today’s

world, while for most types of crime, the available data contradicts this perception.

Nevertheless, technology of the 1990s was less advanced, and less widely used than

technology today, and the potential impact of cybercrime is considerably higher today.

However, it should be remembered that even in the relatively early days of the Internet,

malicious behavior occurred.

"Criminals have been required to evolve and

change in order to survive, in the same

way that those in many other careers have been

required to adapt to emerging technologies."

5 September 2017

Cybersecurity 215

As Internet technologies have become part of daily society, organized crime has naturally

gravitated to it as a way of achieving goals. To not do so would be to ignore how banking,

commerce, and communication has changed, and while the Internet provides additional

methods of attack, any organization that maintained offline only approaches would likely

find their targets diminishing in number.

Criminals have been required to evolve and change in order to survive, in the same way

that those in many other careers have been required to adapt to emerging technologies.

Similarly, we can consider the motives and actions of nation-states to be an adaptation to

changing society. So it may not be that the psychology and motivations underlying these

actions have changed – these are likely to be the constant. Instead, it is the method of

achieving the goal which might have changed.

Finally, when considering hacktivists, it must be remembered that not all of these

individuals conduct criminal acts. But the actions of these individuals may be more

interesting from a psychological perspective – here the availability and affordances of the

Internet have allowed individuals with a strong opinion on a topic to have a voice and

engage in action which they may not have previously been able to do, either because of

geographical distance, social or cultural repercussions, or risk to personal safety. The

inhibition mentioned earlier may also be a factor here, as well as a reduced perception of

risk of apprehension or punishment. Moral reasoning, neutralization of offending

behavior, cognitive distortions and empathy may all be factors in the rise of hacktivism in

recent years.

Q: How can we to counter the motivations of both professional and “recreational”

offenders?

A: When looking to counter the motivations of offenders, it is very important to realize

that these can be very disparate. In the same way that any group of individuals might

engage in the same activity for very different reasons, a selection of cybercriminals may

have varying motivations for their actions.

If their motivations relate to potential financial benefit, an appropriate approach would

consider increasing the potential offender’s perceptions regarding the certainty of

punishment (severity of punishment has relatively little impact, but if an offender believes

that it is highly likely that they will be apprehended and punished, even if that punishment

is mild, this can be an effective deterrent). To reduce future offending, celerity is also

important – the punishment should follow swiftly after the offence. Rational Choice

Theory suggests that if a potential offender can identify high risk or low reward when

engaging in an activity, then they will likely avoid it.

Similarly, reducing the attractiveness of a target can also help to reduce motivation to

offend. While this is less straightforward to achieve in cybercriminal cases than in offline

cases, target-hardening can dissuade less-experienced offenders from attacks. More

experienced and skilled offenders may actually find such targets to be more attractive,

and so other techniques should be employed to counter their motivations. For example,

offering ‘bug for bounty’ programs may dissuade those who are motivated to test their

abilities from criminality. Increasing the public perception of the organization as being

generally benevolent can counter neutralizations and cognitive distortions employed by

offenders, resulting in an inefficacy of such approaches in justifying the criminal behavior.

5 September 2017

Cybersecurity 216

White Hats

Is the Enemy of My Enemy My Friend?

Not all hackers have malicious intentions. Ethical hacking is a term coined by IBM meant

to refer to a broad category of actions taken by computer security experts to ensure the

security of information systems. Contrasted with a black hat, the term white hat comes

from Western films, where heroic and antagonistic cowboys traditionally wore white and

black hats, respectively.

Some of the earliest white hat hackers were three Polish cryptologists (Marian Rejewski,

Henryk Zygalski, and Jerzy Różycki) who helped defeat Nazi Germany during World War

II by cracking the Enigma code. In 1932. In 1939, mathematicians Alan Turing and Gordan

Welchman, along with engineer Harold Keen, leveraged the work of the Poles and

designed the Bombe, an electromechanical device used to decipher Enigma’s

transmissions. By 1981, The New York Times described white hat activities as part of a

“mischievous but perversely positive ‘hacker’ tradition.”

Today, while hackers are too often stereotyped as destructive cyber villains, many devote

their skills to security research and fighting cybercrime. In fact, many IT security experts

argue that the vulnerabilities of systems will be corporations’ or government’s key

concerns and, therefore, suggest that addressing the constant tide of security flaws will

require these organizations to embrace the hacker culture in collectively seeking out and

fixing these vulnerabilities.

A prime example of this unique dynamics, Google has long enjoyed a close relationship

with the security research community and has maintained a Vulnerability Reward Program

(VRP) for Google-owned Web properties, which has run continuously since November

2010.

In January 2015, Google also launched the Vulnerability Research Grants (VRG) initiative

to complement the company’s long-running Vulnerability Reward Program, with the goal of

rewarding security researchers that look into the security of Google products and services

even in the case when no vulnerabilities are found.

In 2014 alone, Google paid more than $1.5 million to white hat hackers who reported

vulnerabilities in Google’s Web properties and software. The largest single reward Google

paid out was $150,000 to a “researcher” who then joined the company for an internship.

Rewards for qualifying bugs range from $100 to $20,000.

5 September 2017

Cybersecurity 217

Figure 365: Rewards for Qualifying Bugs Range from $100 to $31,337. The

Following Table Outlines the Usual Rewards Chosen for the Most Common

Classes of Bugs:

Source: Google Vulnerability Reward Program (VRP) Rules.

Google isn’t the only major organization that participates in the burgeoning gray market

where hackers and security researchers sell tools for breaking into computers and

unknown vulnerabilities.

In fact, according to a special report by Reuters, the largest buyer of zero-day exploits—

vulnerabilities that are taken advantage of a on the same day that they become generally

known—is the U.S. government, which used knowledge of some of these vulnerabilities as

part of America’s offensive cyber-warfare strategy to create the Stuxnet virus in 2010,

which disrupted Iran’s nuclear-research program. The buying and selling of exploits is a

complicated matter, however, given most of the organizations and people paying sellers

are on the offensive side of cybercrime, cyber-spying, and cyber-weapons.12

We interviewed Dr. Gráinne Kirwan, Chartered Psychologist and Lecturer in

Cyberpsychology and Forensic Psychology at Dun Laoghaire Institute of Art, Design, and

Technology, to better understand the psychological aspects of cybercrime and how

criminological and forensic psychological theories explain what motivates and

characterizes offenders. Dr. Kirwan has co-authored/co-edited four books in this area: (1)

Cybercrime: The Psychology of Online Offenders, (2) Cyberpsychology and New Media: A

Thematic Reader, (3) The Psychology of Cyber Crime: Concepts and Principles, and (4)

An Introduction to Cyberpsychology. She is the Managing Editor of the International

Journal of Cyber Criminology.

5 September 2017

Cybersecurity 218

Interview with Keren Elazari

Q: Do you classify yourself as a hacker?

A: Yes, I am proud to call myself a hacker and I’ve always felt this was my calling. Ever

since I was 14 years' old and saw the film “Hackers” with Angelina Jolie.

My idea of a hacker is somewhat romantic, but I consider the friendly and ethical hackers

out there in the world as a vital part of culture, society, and the economy, pushing forward

the evolution of technology and acting as a much needed “immune system” for the

information age.

I wear many professional hats: strategic advisor, business analyst, academic researcher

and author. I’ve worked as a security architect, risk management consultant and product

manager, yet throughout any role and in any organization, I’ve always held that hacker –

hero ethos at heart.

Q: How has the threat landscape changed in terms of the emergence of even more-

malicious bad actors, such as criminal organizations,

hacktivists, and nation-states?

A: In my opinion, the most important element of today’s threat landscape is not who. It’s

when. The question of when an organization knows that a breach has taken place, and

how it happened, is the most critical thing, and we see that many incidents go by un-

noticed until an outside party like a law enforcement agency, a media outlet, or a data

leak (sometimes also called “dump”) makes everyone realize what happened – that’s

much too late for any organization to prevent the damages and revert back to normal

operations.

That’s why I think today’s businesses must develop both adaptability and resilience – that

comes from investing in security know how, training, human resources and not just from

the latest technologies on the market. Threat intelligence is one element that could help

prepare an organization of a coming attack, but it’s far from a cure to all the problems.

Another important aspect is to remember that no organization stands alone.

Cybercriminals know exactly how to find the low-hanging fruits, the weaknesses, and

opportunities represented by a third-party supplier, a partner, a customer, or even an

unhappy, or simply naïve, employee within the enterprises so called “secured” perimeter.

Prevention is better than any cure, and to achieve security resilience organizations must

wake up and smell the coffee to understand cyber security affects every aspect of the

business, in every industry, and security is a constant journey – not a destination you can

reach and then forget about.

Q: In your speaking tours, you have argued that hackers offer an opportunity to boost

cybersecurity and have advocated for greater collaboration between

security professionals and hackers. Please explain your

position and thought process, especially in the

context of your response to our

first two questions.

A: It’s my personal belief that the global hacker community has many friendly and ethical

hackers within it, and I see this in person every year when I attend the annual “hackers

convention”, DEFCON, where 20 thousand people converge in Las Vegas for a weekend

of hacking and learning – are they call criminals? I don’t think so.

"The question of when an organization knows

that a breach has taken place, and how it

happened, is the most critical thing and we see that many incidents go by

un-noticed until an outside party like makes

everyone realize what happened."

"Today’s businesses must develop both

adaptability and resilience – that comes

from investing in security know how, training,

human resources and not just from the latest

technologies on the market."

5 September 2017

Cybersecurity 219

One simple way for any organization to become safer is to actively encourage your

security teams to go forth and participate in the events run by the global hacker

community. You would be surprised, how many local hacking events happen everywhere

– maybe even in your neighborhood! By going to such an event, you can meet hackers in

person and hear their valuable security research insights in real time – there’s a global

network of such events called Security Bsides, for example – even in Zurich (see here) or

Tel Aviv (see here) where I host it.

An even more important aspect is to participate in the conversations that take place online

– all the time, in chat rooms, twitter, and mailing lists. You’ll find thousands of passionate

contributors each seeking advice, sharing knowledge, and sometimes even “dropping a

zero day”, which means releasing details of a never-before-seen software vulnerability. I

think it’s vital to be a part of that conversation, and if you can’t find your way, you should

trust a friendly hacker to lead the way, as we are the digital natives of the online

underground.

Q: Google has been a long-standing, vocal advocate of the white hat community? Have

other companies and industries started to take note of collaboration with white hats,

and could you walk through some examples of the benefits captured?

A: The topic of fruitful collaboration between established companies and institutions and

global hacker & individual security research community is the focus of my academic

research in the past two years. I’ve looked at the data behind some of the biggest “bug

bounty” programs out there – these are the business frameworks that allow companies like

Google, Facebook, and even Tesla or Western Union to actively engage and encourage

the vital security research work done by hackers, rewarding reports of important bugs and

vulnerabilities found by individual hackers. These programs have already created

incredible value to the companies that operate them: Facebook has paid out more than

$4.3 million to 800+ researchers in the five years of operating their program.

They received details about thousands of bugs affecting more than 1 billion users

worldwide. For reference, consider that the budget to recruit, hire, and employ a single

security engineer for a full time position at Facebook HQ in Menlo Park, California would

probably be around $200,000 for one year.

So for the average cost of hiring five more engineers per year, this global giant of social

media and messaging was able to support and harness the work of hundreds of ethical

hackers, all over the world, and make the FB platform that much safer. That’s the primary

benefit of these programs, but it doesn’t stop there. Data from the Google VRP program

shows that in the year 2014 many of the important bugs discovered were reported by

hackers in the Africa and Asia regions.

Looking at other programs, I’ve learned that ethical hackers in certain countries are getting

the first-ever opportunity to be legitimately paid for security research work. To me, this

presents a potential force of disruption and an alternative to the underground, criminal

pathways of hacker life. That’s why I’m hopeful and excited about more such programs,

and you can see why traditional companies like Mastercard and Fiat Chrysler USA are

adopting these models too.

https://bsideszh.ch/

http://www.bsidestlv.com/#!agenda/znf1i

5 September 2017

Cybersecurity 220

Companies Mentioned (Price as of 01-Sep-2017) 3M (MMM.N, $203.56) 8x8 (EGHT.OQ, $13.95) AOL, Inc. (AOL.N^F15) AOL, Inc. (AOL.N^F15) AOL, Inc. (AOL.N^F15) Airbnb (Unlisted) Akamai Technologies, Inc. (AKAM.OQ, $47.08) Alphabet (GOOGL.OQ, $951.99) Altaba Inc. (AABA.OQ, $64.05) Amazon com Inc. (AMZN.OQ, $978.25) Anthem, Inc. (ANTM.N, $197.43) Apple Inc (AAPL.OQ, $164.05) Arista Networks (ANET.N, $177.49) Autodesk Inc. (ADSK.OQ, $113.71) Benefitfocus (BNFT.OQ, $30.8) Betfair Group PLC (BETF.L^B16) Betfair Group PLC (BETF.L^B16) Betfair Group PLC (BETF.L^B16) CA Inc. (CA.OQ, $33.26) Callidus (CBL.TO, C$11.08) Callidus Software Inc. (CALD.OQ, $25.0) Champion Tech (0092.HK, HK$0.089) Check Point Software Technologies Ltd. (CHKP.OQ, $110.89, NEUTRAL, TP $110.0) Cisco Systems Inc. (CSCO.OQ, $32.3) Citigroup Inc. (C.N, $68.58) Citrix Systems Inc. (CTXS.OQ, $78.52) Compaq Computer (CPQ.NÊ02) Compaq Computer (CPQ.NÊ02) Compaq Computer (CPQ.NÊ02) Cornerstone OnDemand, Inc. (CSOD.OQ, $35.86) Cyberark Softwr (CYBR.OQ, $41.45) Dell Inc. (DELL.OQ^J13) Dell Inc. (DELL.OQ^J13) Dell Inc. (DELL.OQ^J13) Equinix, Inc. (EQIX.OQ, $465.96) Experian (EXPN.L, 1550.0p) F5 Networks (FFIV.OQ, $118.57) Facebook Inc. (FB.OQ, $172.02) Fiat Chrysler Automobile (FCHA.MI, €13.34) FireEye (FEYE.OQ, $14.89) Fortinet, Inc. (FTNT.OQ, $38.3, UNDERPERFORM, TP $33.0) Foundry Networks (FDRY.OQ^L08) Foundry Networks (FDRY.OQ^L08) Foundry Networks (FDRY.OQ^L08) Gateway (GTW.N^J07) Gateway (GTW.N^J07) Gateway (GTW.N^J07) Gigamon (GIMO.N, $43.65) Guidewire (GWRE.N, $75.8) Home Depot (HD.N, $150.78) Honeywell International Inc. (HON.N, $137.63) Hortonworks, Inc. (HDP.OQ, $17.28) HubSpot (HUBS.N, $73.15) Imperva (IMPV.OQ, $44.9) Intel Corp. (INTC.OQ, $35.09) Intercontinental Hotels (IHG.L, 3867.0p) International Business Machines Corp. (IBM.N, $144.08) Intuit Inc. (INTU.OQ, $141.9) JPMorgan Chase & Co. (JPM.N, $91.7) KalugaPutMash (KPMGI.RTS^C16) KalugaPutMash (KPMGI.RTS^C16) KalugaPutMash (KPMGI.RTS^C16) LogMeIn (LOGM.OQ, $116.5) Manhattan Assoc (MANH.OQ, $42.85) MasterCard Inc. (MA.N, $133.24) McAfee Inc. (MFE.N^C11) McAfee Inc. (MFE.N^C11) McAfee Inc. (MFE.N^C11) MicroStrategy (MSTR.OQ, $128.5) Microsoft (MSFT.OQ, $73.94) Mimecast (MIME.OQ, $26.31) Netflix, Inc. (NFLX.OQ, $174.74) NeuStar Inc. (NSR.N^H17) NeuStar Inc. (NSR.N^H17) NeuStar Inc. (NSR.N^H17) New Relic (NEWR.N, $47.98) Nice (NICE.OQ, $78.57) Nintendo (7974.T, ¥36,800) Nokia (NOK.N, $6.22) Nokia (NOKIA.HE, €5.24) Okta (OKTA.OQ, $26.59) Open Text Corporation (OTEX.OQ, $32.36) Palo Alto Networks, Inc. (PANW.N, $146.67, UNDERPERFORM, TP $125.0) Paylocity Hldg (PCTY.OQ, $48.49) Pegasystems (PEGA.OQ, $57.65) Progress Sftw (PRGS.OQ, $33.46)

5 September 2017

Cybersecurity 221

Proofpoint (PFPT.OQ, $91.7) QUALCOMM Inc. (QCOM.OQ, $52.05) Qualys (QLYS.OQ, $48.25) Rapid7 (RPD.OQ, $17.24) RealPage, Inc. (RP.OQ, $43.3) Red Hat, Inc. (RHT.N, $107.46) Right Management (RHT.NÂ04) Right Management (RHT.NÂ04) Right Management (RHT.NÂ04) RingCentral, Inc. (RNG.N, $42.35) Royal Bank of Scotland (RBS.L, 252.8p) SAP (SAPG.F, €88.549) Salesforce.com (CRM.N, $96.01) Sony (6758.T, ¥4,376) Sophos Group (SOPH.L, 532.5p) Splunk, Inc. (SPLK.OQ, $67.4) Symantec Corporation (SYMC.OQ, $29.86) TDC (TDC.CO, Dkr37.17) Tableau Software, Inc. (DATA.N, $72.66) Talend (TLND.OQ, $39.71) TalkTalk (TALK.L, 200.7p) Team (TISI.N, $12.6) Teradata Corp (TDC.N, $32.19) Tesla Motors Inc. (TSLA.OQ, $355.4) The TJX Companies, Inc. (TJX.N, $72.38) Thomson Reuters Corporation (TRI.N, $45.47) Trend Micro (TMIC.OQÊ07) Trend Micro (TMIC.OQÊ07) Trend Micro (TMIC.OQÊ07) Trend Micro (TMIC.OQÊ07) Twilio (TWLO.N, $28.96) Ultimate Software (ULTI.OQ, $199.81) VMware Inc. (VMW.N, $107.48) Veeva Systems (VEEV.N, $59.72) VeriSign Inc. (VRSN.OQ, $103.94) Watchguard Tech (WGRD.OQ^J06) Watchguard Tech (WGRD.OQ^J06) Watchguard Tech (WGRD.OQ^J06) Western Union (WU.N, $18.79) Workday Inc (WDAY.N, $108.84) Zendesk (ZEN.N, $27.48) eBay Inc. (EBAY.OQ, $36.35)

Disclosure Appendix

Analyst Certification I, Brad Zelnick, certify that (1) the views expressed in this report accurately reflect my personal views about all of the subject companies and securities and (2) no part of my compensation was, is or will be directly or indirectly related to the specific recommendations or views expressed in this report.

3-Year Price and Rating History for Check Point Software Technologies Ltd. (CHKP.OQ)

CHKP.OQ Closing Price Target Price

Date (US$) (US$) Rating

23-Oct-14 71.00 77.50 O

29-Jan-15 78.50 85.00

20-Apr-15 85.88 95.00

07-Jul-16 81.86 NC

* Asterisk signifies initiation or assumption of coverage.

Effective July 3, 2016, NC denotes termination of coverage.

O U T PERFO RM

N O T CO V ERED

5 September 2017

Cybersecurity 222

3-Year Price and Rating History for Nokia (NOKIA.HE)

NOKIA.HE Closing Price Target Price

Date (€) (€) Rating

24-Oct-14 6.63 7.75 O

30-Jan-15 6.84 8.00

16-Apr-15 7.27 8.10 N

01-May-15 6.04 6.80

31-Jul-15 6.43 7.00

01-Dec-15 6.96 9.00 O

12-Feb-16 5.22 8.20

11-May-16 4.64 7.30

13-Jul-16 5.31 7.25

05-Aug-16 4.92 6.75

01-Nov-16 3.97 5.50

16-Nov-16 3.84 5.35

28-Apr-17 5.25 5.75

28-Jul-17 5.39 6.00


3-Year Price and Rating History for Palo Alto Networks, Inc. (PANW.N)

PANW.N Closing Price Target Price

Date (US$) (US$) Rating

09-Sep-14 89.28 110.00 O

24-Nov-14 113.26 135.00

02-Mar-15 145.98 165.00

27-May-15 160.65 190.00

09-Sep-15 165.17 215.00

23-Nov-15 172.02 225.00

07-Jul-16 121.63 NC


Effective July 3, 2016, NC denotes termination of coverage.

The analyst(s) responsible for preparing this research report received Compensation that is based upon various factors including Credit Suisse's total revenues, a portion of which are generated by Credit Suisse's investment banking activities

As of December 10, 2012 Analysts’ stock rating are defined as follows: Outperform (O) : The stock’s total return is expected to outperform the relevant benchmark* over the next 12 months. Neutral (N) : The stock’s total return is expected to be in line with the relevant benchmark* over the next 12 months. Underperform (U) : The stock’s total return is expected to underperform the relevant benchmark* over the next 12 months. *Relevant benchmark by region: As of 10th December 2012, Japanese ratings are based on a stock’s total return relative to the analyst's coverage universe which consists of all companies covered by the analyst within the relevant sector, with Outperforms representing the most attractiv e, Neutrals the less attractive, and Underperforms the least attractive investment opportunities. As of 2nd October 2012, U.S. and Canadian as well as European ratings are based on a stock’s total return relative to the analyst's coverage universe which consists of all companies covered by the analyst withi n the relevant sector, with Outperforms representing the most attractive, Neutrals the less attractive, and Underperforms the least attractive investment opportunities. For Latin Ame rican and non-Japan Asia stocks, ratings are based on a stock’s total return relative to the average total return of the relevant country or regional benchmark; prior to 2nd October 2012 U.S. and Can adian ratings were based on (1) a stock’s absolute total return potential to its current share price and (2) the relative attractiv eness of a stock’s total return potential within an analyst’s coverage universe. For Australian and New Zealand stocks, the expected total return (ETR) calculation includes 1 2-month rolling dividend yield. An Outperform rating is assigned where an ETR is greater than or equal to 7.5%; Underperform where an ETR less than or equal to 5%. A Neutral may be assigned where the ETR is between -5% and 15%. The overlapping rating range allows analysts to assign a rating that puts ETR in the context of associated ris ks. Prior to 18 May 2015, ETR ranges for Outperform and Underperform ratings did not overlap with Neutral thresholds between 15% and 7.5%, wh ich was in operation from 7 July 2011. Restricted (R) : In certain circumstances, Credit Suisse policy and/or applicable law and regulations preclude certain types of communications, including an investment recommendation, during the course of Credit Suisse's engagement in an investment banking transaction and in certain other circumstances. Not Rated (NR) : Credit Suisse Equity Research does not have an investment rating or view on the stock or any other securities related to the company at this time. Not Covered (NC) : Credit Suisse Equity Research does not provide ongoing coverage of the company or offer an investment rating or investment view on the equity security of the company or related products.

O U T PERFO RM

N EU T RA L

O U T PERFO RM

N O T CO V ERED

5 September 2017

Cybersecurity 223

Volatility Indicator [V] : A stock is defined as volatile if the stock price has moved up or down by 20% or more in a month in at least 8 of the past 24 months or the analyst expects significant volatility going forward.

Analysts’ sector weightings are distinct from analysts’ stock ratings and are based on the analyst’s expectations for the fundamentals and/or valuation of the sector* relative to the group’s historic fundamentals and/or valuation: Overweight : The analyst’s expectation for the sector’s fundamentals and/or valuation is favorable over the next 12 months. Market Weight : The analyst’s expectation for the sector’s fundamentals and/or valuation is neutral over the next 12 months. Underweight : The analyst’s expectation for the sector’s fundamentals and/or valuation is cautious over the next 12 months. *An analyst’s coverage sector consists of all companies covered by the analyst within the relevant sector. An analyst may cover multiple sectors.

Credit Suisse's distribution of stock ratings (and banking clients) is:

Global Ratings Distribution

Rating Versus universe (%) Of which banking clients (%) Outperform/Buy* 44% (64% banking clients) Neutral/Hold* 40% (60% banking clients) Underperform/Sell* 14% (52% banking clients) Restricted 2% *For purposes of the NYSE and FINRA ratings distribution disclosure requirements, our stock ratings of Outperform, Neutral, a nd Underperform most closely correspond to Buy, Hold, and Sell, respectively; however, the meanings are not the same, as our stock ratings are determined on a relative bas is. (Please refer to definitions above.) An investor's decision to buy or sell a security should be based on investment objectives, current holdings, and other individual factors.

Important Global Disclosures Credit Suisse’s research reports are made available to clients through our proprietary research portal on CS PLUS. Credit Suisse research products may also be made available through third-party vendors or alternate electronic means as a convenience. Certain research products are only made available through CS PLUS. The services provided by Credit Suisse’s analysts to clients may depend on a specific client’s preferences regarding the frequency and manner of receiving communications, the client’s risk profile and investment, the size and scope of the overall client relationship with the Firm, as well as legal and regulatory constraints. To access all of Credit Suisse’s research that you are entitled to receive in the most timely manner, please contact your sales representative or go to https://plus.credit-suisse.com . Credit Suisse’s policy is to update research reports as it deems appropriate, based on developments with the subject company, the sector or the market that may have a material impact on the research views or opinions stated herein. Credit Suisse's policy is only to publish investment research that is impartial, independent, clear, fair and not misleading. For more detail please refer to Credit Suisse's Policies for Managing Conflicts of Interest in connection with Investment Research: https://www.credit-suisse.com/sites/disclaimers-ib/en/managing-conflicts.html . Credit Suisse does not provide any tax advice. Any statement herein regarding any US federal tax is not intended or written to be used, and cannot be used, by any taxpayer for the purposes of avoiding any penalties. Credit Suisse has decided not to enter into business relationships with companies that Credit Suisse has determined to be involved in the development, manufacture, or acquisition of anti-personnel mines and cluster munitions. For Credit Suisse's position on the issue, please see https://www.credit-suisse.com/media/assets/corporate/docs/about-us/responsibility/banking/policy-summaries-en.pdf .

Target Price and Rating Valuation Methodology and Risks: (12 months) for Check Point Software Technologies Ltd. (CHKP.OQ)

Method: Our base case assumes a 5 year transition period with FCF growth declining smoothly from an estimated 6% in 2020. This scenario assumes the firewall market decelerates broadly in line with our expectations, and Check Point successfully weathers the transition, but is then, more than ever, a lower growth, true 'legacy' vendor. This scenario results in a target price of $110 and a Neutral rating.

Risk: If market conditions deteriorate, competition in the firewall/VPN market increases, and pricing pressure increases, the assumptions for achieving our $110 target price, and thus our Neutral rating, for CHKP may be affected. We are also cautious on its long-term ability to sustain strong year-over-year growth rates while maintaining, and possibly improving, margins, given the long-term slower growth profile of the firewall/VPN market and an increasing competitive environment.

Target Price and Rating Valuation Methodology and Risks: (12 months) for Fortinet, Inc. (FTNT.OQ)

Method: In addition to substantive relative valuation work, which informs our Underperform rating, we estimate the intrinsic value for Fortinet at $33/share. Our base case assumes a 5 year transition period with FCF growth declining smoothly from an estimated 6% in 2020. This scenario assumes the firewall market decelerates broadly in line with our expectations (we model a 1.0% terminal growth rate from 2026E).

Risk: The key risk to our $33/share price target and Underperform rating are that FTNT transitions organically via innovation, or inorganically via acquisition, into a successful cloud first vendor. Another risk is its becoming a strategic target, FTNT is smaller in terms of EV than CHKP or PANW therefore this risk is more pronounced, but beware a Netscreen repeat.

Target Price and Rating Valuation Methodology and Risks: (12 months) for Palo Alto Networks, Inc. (PANW.N)

Method: Our $125 target price and Underperform rating are based on our DCF analysis, which assumes an 8% FCF CAGR over the next 10 years. This assumes a five-year transition period with FCF growth declining smoothly from an estimated 11% in 2021. This scenario assumes the

https://plus.credit-suisse.com/

https://www.credit-suisse.com/sites/disclaimers-ib/en/managing-conflicts.html

https://www.credit-suisse.com/sites/disclaimers-ib/en/managing-conflicts.html

https://www.credit-suisse.com/media/assets/corporate/docs/about-us/responsibility/banking/policy-summaries-en.pdf

5 September 2017

Cybersecurity 224

firewall market decelerates broadly in line with our expectations (we model a 1% terminal growth rate from 2027E), and PANW experiences enhanced competition from peers through its refresh cycle.

Risk: There are three key risks to our $125 target price and underperform rating. (1) Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity and has showed willingness to deploy it in a transformational manner when reportedly bidding upward of $3 billion for Tanium in fall 2015. (2) Strength and Resilience of Financial Model: The overall execution of the transition to a subscription-based model may prove more successful than anticipated and could provide access to the >$8 billion CLTV expansion opportunity that management estimates. (3) Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could become a potential target for a strategic buyer seeking to consolidate the market.

Please refer to the firm's disclosure website at https://rave.credit-suisse.com/disclosures/view/selectArchive for the definitions of abbreviations typically used in the target price method and risk sections.

See the Companies Mentioned section for full company names Credit Suisse currently has, or had within the past 12 months, the following as investment banking client(s): PANW.N, FTNT.OQ, NOKIA.HE Credit Suisse currently has, or had within the past 12 months, the following issuer(s) as client(s), and the services provided were non-investment-banking, securities-related: NOKIA.HE Credit Suisse expects to receive or intends to seek investment banking related compensation from the subject company (PANW.N, FTNT.OQ, NOKIA.HE) within the next 3 months. Within the last 12 months, Credit Suisse has received compensation for non-investment banking services or products from the following issuer(s): NOKIA.HE A member of the Credit Suisse Group is party to an agreement with, or may have provided services set out in sections A and B of Annex I of Directive 2014/65/EU of the European Parliament and Council ("MiFID Services") to, the subject issuer (PANW.N, FTNT.OQ, NOKIA.HE) within the past 12 months.

For date and time of production, dissemination and history of recommendation for the subject company(ies) featured in this report, disseminated within the past 12 months, please refer to the link: https://rave.credit-suisse.com/disclosures/view/report?i=319017&v=-43wat4pxqbc0fkklbuyxqsywc .

Important Regional Disclosures Singapore recipients should contact Credit Suisse AG, Singapore Branch for any matters arising from this research report. The analyst(s) involved in the preparation of this report may participate in events hosted by the subject company, including site visits. Credit Suisse does not accept or permit analysts to accept payment or reimbursement for travel expenses associated with these events. Restrictions on certain Canadian securities are indicated by the following abbreviations: NVS--Non-Voting shares; RVS--Restricted Voting Shares; SVS--Subordinate Voting Shares. Individuals receiving this report from a Canadian investment dealer that is not affiliated with Credit Suisse should be advised that this report may not contain regulatory disclosures the non-affiliated Canadian investment dealer would be required to make if this were its own report. For Credit Suisse Securities (Canada), Inc.'s policies and procedures regarding the dissemination of equity research, please visit https://www.credit-suisse.com/sites/disclaimers-ib/en/canada-research-policy.html. Principal is not guaranteed in the case of equities because equity prices are variable. Commission is the commission rate or the amount agreed with a customer when setting up an account or at any time after that. This research report is authored by: Credit Suisse Securities (USA) LLC ................................................................................... Brad Zelnick ; Jobin Mathew ; Syed Talha Saleem, CFA

Important Credit Suisse HOLT Disclosures With respect to the analysis in this report based on the Credit Suisse HOLT methodology, Credit Suisse certifies that (1) the views expressed in this report accurately reflect the Credit Suisse HOLT methodology and (2) no part of the Firm’s compensation was, is, or will be directly related to the specific views disclosed in this report. The Credit Suisse HOLT methodology does not assign ratings to a security. It is an analytical tool that involves use of a set of proprietary quantitative algorithms and warranted value calculations, collectively called the Credit Suisse HOLT valuation model, that are consistently applied to all the companies included in its database. Third-party data (including consensus earnings estimates) are systematically translated into a number of default algorithms available in the Credit Suisse HOLT valuation model. The source financial statement, pricing, and earnings data provided by outside data vendors are subject to quality control and may also be adjusted to more closely measure the underlying economics of firm performance. The adjustments provide consistency when analyzing a single company across time, or analyzing multiple companies across industries or national borders. The default scenario that is produced by the Credit Suisse HOLT valuation model establishes the baseline valuation for a security, and a user then may adjust the default variables to produce alternative scenarios, any of which could occur. Additional information about the Credit Suisse HOLT methodology is available on request. The Credit Suisse HOLT methodology does not assign a price target to a security. The default scenario that is produced by the Credit Suisse HOLT valuation model establishes a warranted price for a security, and as the third-party data are updated, the warranted price may also change. The default variable may also be adjusted to produce alternative warranted prices, any of which could occur. CFROI®, HOLT, HOLTfolio, ValueSearch, AggreGator, Signal Flag and “Powered by HOLT” are trademarks or service marks or registered trademarks or registered service marks of Credit Suisse or its affiliates in the United States and other countries. HOLT is a corporate performance and valuation advisory service of Credit Suisse.

Important disclosures regarding companies or other issuers that are the subject of this report are available on Credit Suisse ’s disclosure website at https://rave.credit-suisse.com/disclosures or by calling +1 (877) 291-2683.

https://rave.credit-suisse.com/disclosures/view/selectArchive

https://rave.credit-suisse.com/disclosures/view/report?i=319017&v=-43wat4pxqbc0fkklbuyxqsywc

https://rave.credit-suisse.com/disclosures

5 September 2017

Cybersecurity 225

This report is produced by subsidiaries and affiliates of Credit Suisse operating under its Global Markets Division. For more information on our structure, please use the following link: https://www.credit-suisse.com/who-we-are This report may contain material that is not directed to, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation or which would subject Credit Suisse or its affiliates ("CS") to any registration or licensing requirement within such jurisdiction. All material presented in this report, unless specifically indicated otherwise, is under copyright to CS. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of CS. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of CS or its affiliates.The information, tools and material presented in this report are provided to you for information purposes only and are not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. CS may not have taken any steps to ensure that the securities referred to in this report are suitable for any particular investor. CS will not treat recipients of this report as its customers by virtue of their receiving this report. The investments and services contained or referred to in this report may not be suitable for you and it is recommended that you consult an independent investment advisor if you are in doubt about such investments or investment services. Nothing in this report constitutes investment, legal, accounting or tax advice, or a representation that any investment or strategy is suitable or appropriate to your individual circumstances, or otherwise constitutes a personal recommendation to you. CS does not advise on the tax consequences of investments and you are advised to contact an independent tax adviser. Please note in particular that the bases and levels of taxation may change. Information and opinions presented in this report have been obtained or derived from sources believed by CS to be reliable, but CS makes no representation as to their accuracy or completeness. CS accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that such liability arises under specific statutes or regulations applicable to CS. This report is not to be relied upon in substitution for the exercise of independent judgment. CS may have issued, and may in the future issue, other communications that are inconsistent with, and reach different conclusions from, the information presented in this report. Those communications reflect the different assumptions, views and analytical methods of the analysts who prepared them and CS is under no obligation to ensure that such other communications are brought to the attention of any recipient of this report. Some investments referred to in this report will be offered solely by a single entity and in the case of some investments solely by CS, or an associate of CS or CS may be the only market maker in such investments. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a judgment at its original date of publication by CS and are subject to change without notice. The price, value of and income from any of the securities or financial instruments mentioned in this report can fall as well as rise. The value of securities and financial instruments is subject to exchange rate fluctuation that may have a positive or adverse effect on the price or income of such securities or financial instruments. Investors in securities such as ADR's, the values of which are influenced by currency volatility, effectively assume this risk. Structured securities are complex instruments, typically involve a high degree of risk and are intended for sale only to sophisticated investors who are capable of understanding and assuming the risks involved. The market value of any structured security may be affected by changes in economic, financial and political factors (including, but not limited to, spot and forward interest and exchange rates), time to maturity, market conditions and volatility, and the credit quality of any issuer or reference issuer. Any investor interested in purchasing a structured product should conduct their own investigation and analysis of the product and consult with their own professional advisers as to the risks involved in making such a purchase. Some investments discussed in this report may have a high level of volatility. High volatility investments may experience sudden and large falls in their value causing losses when that investment is realised. Those losses may equal your original investment. Indeed, in the case of some investments the potential losses may exceed the amount of initial investment and, in such circumstances, you may be required to pay more money to support those losses. Income yields from investments may fluctuate and, in consequence, initial capital paid to make the investment may be used as part of that income yield. Some investments may not be readily realisable and it may be difficult to sell or realise those investments, similarly it may prove difficult for you to obtain reliable information about the value, or risks, to which such an investment is exposed. This report may provide the addresses of, or contain hyperlinks to, websites. Except to the extent to which the report refers to website material of CS, CS has not reviewed any such site and takes no responsibility for the content contained therein. Such address or hyperlink (including addresses or hyperlinks to CS's own website material) is provided solely for your convenience and information and the content of any such website does not in any way form part of this document. Accessing such website or following such link through this report or CS's website shall be at your own risk.

This report is issued and distributed in European Union (except Switzerland): by Credit Suisse Securities (Europe) Limited, One Cabot Square, London E14 4QJ, England, which is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Germany: Credit Suisse Securities (Europe) Limited Niederlassung Frankfurt am Main regulated by the Bundesanstalt fuer Finanzdienstleistungsaufsicht ("BaFin"). United States and Canada: Credit Suisse Securities (USA) LLC; Switzerland: Credit Suisse AG; Brazil: Banco de Investimentos Credit Suisse (Brasil) S.A or its affiliates; Mexico: Banco Credit Suisse (México), S.A. (transactions related to the securities mentioned in this report will only be effected in compliance with applicable regulation); Japan: by Credit Suisse Securities (Japan) Limited, Financial Instruments Firm, Director-General of Kanto Local Finance Bureau ( Kinsho) No. 66, a member of Japan Securities Dealers Association, The Financial Futures Association of Japan, Japan Investment Advisers Association, Type II Financial Instruments Firms Association; Hong Kong: Credit Suisse (Hong Kong) Limited; Australia: Credit Suisse Equities (Australia) Limited; Thailand: Credit Suisse Securities (Thailand) Limited, regulated by the Office of the Securities and Exchange Commission, Thailand, having registered address at 990 Abdulrahim Place, 27th Floor, Unit 2701, Rama IV Road, Silom, Bangrak, Bangkok10500, Thailand, Tel. +66 2614 6000; Malaysia: Credit Suisse Securities (Malaysia) Sdn Bhd; Singapore: Credit Suisse AG, Singapore Branch; India: Credit Suisse Securities (India) Private Limited (CIN no.U67120MH1996PTC104392) regulated by the Securities and Exchange Board of India as Research Analyst (registration no. INH 000001030) and as Stock Broker (registration no. INB230970637; INF230970637; INB010970631; INF010970631), having registered address at 9th Floor, Ceejay House, Dr.A.B. Road, Worli, Mumbai - 18, India, T- +91-22 6777 3777; South Korea: Credit Suisse Securities (Europe) Limited, Seoul Branch; Taiwan: Credit Suisse AG Taipei Securities Branch; Indonesia: PT Credit Suisse Sekuritas Indonesia; Philippines:Credit Suisse Securities (Philippines ) Inc., and elsewhere in the world by the relevant authorised affiliate of the above. Additional Regional Disclaimers Hong Kong: Credit Suisse (Hong Kong) Limited ("CSHK") is licensed and regulated by the Securities and Futures Commission of Hong Kong under the laws of Hong Kong, which differ from Australian laws. CSHKL does not hold an Australian financial services licence (AFSL) and is exempt from the requirement to hold an AFSL under the Corporations Act 2001 (the Act) under Class Order 03/1103 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Act). Research on Taiwanese securities produced by Credit Suisse AG, Taipei Securities Branch has been prepared by a registered Senior Business Person. Australia (to the extent services are offered in Australia): Credit Suisse Securities (Europe) Limited (“CSSEL”) and Credit Suisse International (“CSI”) are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority under UK laws, which differ from Australian Laws. CSSEL and CSI do not hold an Australian Financial Services Licence (“AFSL”) and are exempt from the requirement to hold an AFSL under the Corporations Act (Cth) 2001 (“Corporations Act”) under Class Order 03/1099 published by the Australian Securities and Investments Commission (“ASIC”), in respect of the financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). This material is not for distribution to retail clients and is directed exclusively at Credit Suisse's professional clients and eligible counterparties as defined by the FCA, and wholesale clients as defined under section 761G of the Corporations Act. Credit Suisse (Hong Kong) Limited (“CSHK”) is licensed and regulated by the Securities and Futures Commission of Hong Kong under the laws of Hong Kong, which differ from Australian laws. CSHKL does not hold an AFSL and is exempt from the requirement to hold an AFSL under the Corporations Act under Class Order 03/1103 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). Credit Suisse Securities (USA) LLC (CSSU) and Credit Suisse Asset Management LLC (CSAM LLC) are licensed and regulated by the Securities Exchange Commission of the United States under the laws of the United States, which differ from Australian laws. CSSU and CSAM LLC do not hold an AFSL and is exempt from the requirement to hold an AFSL under the Corporations Act under Class Order 03/1100 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). Malaysia: Research provided to residents of Malaysia is authorised by the Head of Research for Credit Suisse Securities (Malaysia) Sdn Bhd, to whom they should direct any queries on +603 2723 2020. Singapore: This report has been prepared and issued for distribution in Singapore to institutional investors, accredited investors and expert investors (each as defined under the Financial Advisers Regulations) only, and is also distributed by Credit Suisse AG, Singapore Branch to overseas investors (as defined under the Financial Advisers Regulations). Credit Suisse AG, Singapore Branch may distribute reports produced by its foreign entities or affiliates pursuant to an arrangement under Regulation 32C of the Financial Advisers Regulations. Singapore recipients should contact Credit Suisse AG, Singapore Branch at +65-6212-2000 for matters arising from, or in connection with, this report. By virtue of your status as an institutional investor, accredited investor, expert investor or overseas investor, Credit Suisse AG, Singapore Branch is exempted from complying with certain compliance requirements under the Financial Advisers Act, Chapter 110 of Singapore (the “FAA”), the Financial Advisers Regulations and the relevant Notices and Guidelines issued thereunder, in respect of any financial advisory service which Credit Suisse AG, Singapore Branch may provide to you. UAE: This information is being distributed by Credit Suisse AG (DIFC Branch), duly licensed and regulated by the Dubai Financial Services Authority (“DFSA”). Related financial services or products are only made available to Professional Clients or Market Counterparties, as defined by the DFSA, and are not intended for any other persons. Credit Suisse AG (DIFC Branch) is located on Level 9 East, The Gate Building, DIFC, Dubai, United Arab Emirates. EU: This report has been produced by subsidiaries and affiliates of Credit Suisse operating under its Global Markets Division In jurisdictions where CS is not already registered or licensed to trade in securities, transactions will only be effected in accordance with applicable securities legislation, which will vary from jurisdiction to jurisdiction and may require that the trade be made in accordance with applicable exemptions from registration or licensing requirements. Non-US customers wishing to effect a transaction should contact a CS entity in their local jurisdiction unless governing law permits otherwise. US customers wishing to effect a transaction should do so only by contacting a representative at Credit Suisse Securities (USA) LLC in the US. Please note that this research was originally prepared and issued by CS for distribution to their market professional and institutional investor customers. Recipients who are not market professional or institutional investor customers of CS should seek the advice of their independent financial advisor prior to taking any investment decision based on this report or for any necessary explanation of its contents. This research may relate to investments or services of a person outside of the UK or to other matters which are not authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority or in respect of which the protections of the Prudential Regulation Authority and Financial Conduct Authority for private customers and/or the UK compensation scheme may not be available, and further details as to where this may be the case are available upon request in respect of this report. CS may provide various services to US municipal entities or obligated persons ("municipalities"), including suggesting individual transactions or trades and entering into such transactions. Any services CS provides to municipalities are not viewed as "advice" within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. CS is providing any such services and related information solely on an arm's length basis and not as an advisor or fiduciary to the municipality. In connection with the provision of the any such services, there is no agreement, direct or indirect, between any municipality (including the officials,management, employees or agents thereof) and CS for CS to provide advice to the municipality. Municipalities should consult with their financial, accounting and legal advisors regarding any such services provided by CS. In addition, CS is not acting for direct or indirect compensation to solicit the municipality on behalf of an unaffiliated broker, dealer, municipal securities dealer, municipal advisor, or investment adviser for the purpose of obtaining or retaining an engagement by the municipality for or in connection with Municipal Financial Products, the issuance of municipal securities, or of an investment adviser to provide investment advisory services to or on behalf of the municipality. If this report is being distributed by a financial institution other than Credit Suisse AG, or its affiliates, that financial institution is solely responsible for distribution. Clients of that institution should contact that institution to effect a transaction in the securities mentioned in this report or require further information. This report does not constitute investment advice by Credit Suisse to the clients of the distributing financial institution, and neither Credit Suisse AG, its affiliates, and their respective officers, directors and employees accept any liability whatsoever for any direct or consequential loss arising from their use of this report or its content. Principal is not guaranteed. Commission is the commission rate or the amount agreed with a customer when setting up an account or at any time after that. Copyright © 2017 CREDIT SUISSE AG and/or its affiliates. All rights reserved.

Investment principal on bonds can be eroded depending on sale price or market price. In addition, there are bonds on which investment principal can be eroded due to changes in redemption amounts. Care is required when investing in such instruments. When you purchase non-listed Japanese fixed income securities (Japanese government bonds, Japanese municipal bonds, Japanese government guaranteed bonds, Japanese corporate bonds) from CS as a seller, you will be requested to pay the purchase price only.

https://www.credit-suisse.com/who-we-are

cybersecurity - credit suisse

Documents