I am a huge fan of European tech and am very excited about the Darktrace IPO. I am writing this post as a way to better understand the company myself and hope it is of some use to other people. It represents my personal views and is for education purposes only.
The deep dive is primarily based on Darktrace’s IPO filing (“registration document”) and I have pulled out the most important bits. Furthermore, it is supplemented with external research and market data. I highly recommend that you read the actual registration document to gain a comprehensive understanding of the business. I should note that a lot of blood and sweat from junior bankers and lawyers went into drafting the document. :)
“Darktrace was founded in Cambridge in 2013 out of a collaboration of cyber experts from various government intelligence backgrounds and mathematicians who were experts in machine learning. Together, they realized that mathematics could be applied to protect against cyber-security threats, leading to the inception of Darktrace.”
Darktrace’s product portfolio, inspired by the biological immune system, is effective in anomaly detection and serves as a weapon to discover and combat cyber threats that have successfully bypassed traditional cybersecurity products. The company’s product vision is to provide autonomous security (closed-loop solution) that offers autonomous detection, investigation, and response.
The company has grown significantly and generated c.$200m in revenues in FY20 (JuneFYE) with 45% y-o-y growth. It has received c. $346m in external funding and has only “burnt” c. $115m (adjusted for the $163m secondary convertible deal and cash balance of $104m as of Dec-20). The company has over 4,700 clients and currently employs c. 1,500 people across the world.
It is rumoured to IPO in May-21 at a c.£3bn valuation, implying c.11xEV/Revenue 22E multiple. It should be noted that there are several risk factors, including inherent product limitations and potential legal concerns around Mike Lynch’s involvement and minority ownership of the business.
What problem does Darktrace address?
There is a widely held notion that all large networks are infected. While traditional cybersecurity software solutions filter attacks at the perimeter and in the network, they can’t catch everything. Darktrace pioneered an approach that learns the normal behaviour of users, based on unsupervised Machine Learning, and detects outlier activity (similar to the biological immune system). Use cases include (a) insider threat and account takeover, (b) attacks on cloud, IoT and (c) Zero-Days, malware and ransomware.
Current Product Portfolio
According to the registration document, Darktrace’s key products include:
- “Enterprise Immune System: Darktrace’s flagship AI technology solution, with individual Enterprise and Industrial focused products, provides self-learning technology for detecting cyber-threats and vulnerabilities. The average setup time is one hour and the machine learning gains visibility through software sensors that analyze raw, real-time data.
- Darktrace Antigena: first proven Autonomous Response technology for the enterprise. The system operates as an AI decision-making framework that neutralizes fast-moving and unpredictable attacks in seconds while sustaining normal operations by design. Detailed product brief available here.
- Cyber AI Analyst: automatically triages, interprets, and reports on a broad scope of security incidents, addressing a shortage of cyber professionals by augmenting human cybersecurity teams. It reduces triaging time by up to 92% and automatically writes reports in executive-friendly language.”
Vikram Singh summarises Darktrace’s USP very well here. Excerpt below:
“What really sets Darktrace apart is the fact that it does not need periodic threat signature updates unlike most other cyber security systems. Rather than learning to identify abnormal behavior, it learns to identify normal behavior. Hence the lack of need for downloading signatures. It classifies anything outside normal behavior as a potential threat and lets system operators decide on how to respond to it. This makes it capable of addressing a wider array of threats. This also enables it to address novel threats before they can cause quantifiable damage. The system relies on no prior knowledge of threats as it does not look for threats in a conventional manner.”
Long term Product Vision
The long-term product vision is focused on providing a “closed-loop” solution to customers, already including detection and response, with remediation and prevention under development. Darktrace believes that the closed-loop approach creates a virtuous cycle in which each component feeds the next.
Darktrace’s cybersecurity products use sensors placed in customer systems. These sensors can be delivered virtually (in software) or physically (using an appliance) and are commonly used in combination. In fact, c.$76m worth of appliances are recognized as assets under PP&E on the Balance Sheet as of Dec-20. These sensors collect network traffic that is analyzed using unsupervised Machine Learning. However, network protocols are increasingly encrypted so that Darktrace is only able to read the metadata, reducing the accuracy of the ML algorithms deployed and so making the solution potentially less effective. However, Darktrace is aware of the limitations and hence has developed an endpoint agent that can collect unencrypted data.
Furthermore, some IT teams have historically complained about the number of false positives that are picked up by the system (Source 1, Source 2). These issues may have been fixed over time as the reviews/articles are 1–2 years old. Recent Gartner reviews are indeed very positive.
“Darktrace’s primary approach to acquire new customers is through the Proof of Value (“POV”) trials of its technology. POVs require limited scoping and minimal set-up and thus can demonstrate Darktrace’s substantial value proposition to potential customers. The POV typically consists generally of a 2 week trial of Darktrace’s products. In 2020, c. 74% of POVs identified serious vulnerabilities in a prospective customer’s digital estate, providing a clear demonstration of Darktrace’s value proposition.”
Direct vs. Indirect channel strategy
“Darktrace generates c.65% of its revenue through its direct sales force but also relies on its channel partners to sell and support its Cyber AI Platform, particularly in parts of APAC, LATAM and the Middle East. Approximately 35% of the Group’s revenues involve channel partners and the Group expects that channel partners will represent a substantial portion of its revenues for the foreseeable future. The Group has over 370 active channel partners and includes Atos, BT, Reply, SHI, Bytes, Computacenter, Eurofins, Telstra, ConvergeOne.”
Firstly, Darktrace estimates that the current bottom-up TAM amounts to $40bn and can be disaggregated as shown below.
Secondly, from a top-down TAM perspective, “Darktrace considers the overall Information Security and Risk Management market. Gartner estimates that it amounts to approximately $125 billion in 2020. The total market is expected to grow at a compound annual growth rate of 8.2% from 2019 to 2024 on a constant currency basis.”
Current Customer base
Darktrace serves over 4,700 customers (implying a 3% market share based on 150k total addressable companies). In H2–20, the Group generated 18.1%, 20.5%, 39.4%, and 22.0% of its billings from customers in the UK, Europe (excluding the UK), the US and Canada, and the rest of the world, respectively. Average contract ARR was $60k with c.53% of total contracts below $100,000 ARR.
The competitive landscape for Darktrace is multi-layered as it addresses various use cases and hence competes with various products in a fragmented cybersecurity market. However, it should be noted that buyers regard Darktrace as a complementary offering to strengthen their existing defences rather than replacing existing products.
For anomaly detection and behavioural analyses use cases, Darktrace directly competes with Vectra, Palo Alto Networks (LightCyber), F-Secure (Countercept), who represents direct competitors.
For insider threat use cases, Darktrace competes with Forcepoint (RedOwl Analytics).
Larger SIEM players such as LogRhythm, Rapid7, and Splunk also offer network anomaly detection capabilities.
Full P&L (in appendix)
Key Metrics vs. Peers
The table above provides a high-level financial comparison with other high-growth companies. Key observations include:
A) Darktrace’s growth is in line with Okta and Zscaler albeit Darktrace is at a significantly smaller scale. The key question is whether revenue growth will decelerate as the company scales
B) Darktrace’s net retention rate (which includes upsell) of 98.4% is significantly lower than peers, driven by a combination of higher gross churn (6.9%) and lack of up-sell opportunities due to a smaller product portfolio than peers
C) Average contract ARR per customer of $61k is lower than while 47% of all customers generate more than >$100k, which is significantly higher than peers. I think it indicates exposure to SMEs and lack of larger ($1m+) deals.
Darktrace’s Revenue Growth vs. Selected Players
Starting at c.$50m revenue as Year 1 for the companies, the chart shows the progression towards $500m. Darktrace has historically shown a revenue growth profile that closely aligns with Zscaler’s revenue trajectory. However, Darktrace’s revenue growth (as per the registration document) is expected to decelerate in the next 2 years so that it falls behind Zscaler in terms of growth profile.
Operating Cost Base Over Time and Long term Margin Framework
The chart above shows (a) the operating expenses and margin over the last 3 years as well as (b) the long-term margin framework (as outlined in the registration document). The improvement in operating margin, from (51%) in FY18 to (13%) in FY 20, demonstrates high operating leverage. It is primarily driven by Sales & Marketing expenses (decreasing from 115% of revenue in FY 18 to 82% of revenue in FY20). In the long-term, Darktrace expects operating margins in the 20s, which is in line with the long-term margin framework of other SaaS companies.
I have created a very simplified P&L (10y forecasts) just to play with the drivers and get a feel of the business. Feel free to reach out in case you would like access to it.
Illustrative Analysis at Various Prices
The table above shows the market cap, enterprise value, and the corresponding revenue multiples for various share prices. It should be noted that the share price corresponds to the internal share price (pre-IPO) and will be different from the actual IPO price range. According to the Guardian, Darktrace plans to IPO at c.£3bn, (highlighted via the green box), implying an 11.33x EV / 22E revenue multiple. In the next section, we will put it into the context of where listed comparables are trading.
Putting Valuation Into Context — Valuation Multiple vs. Revenue Growth
The scatterplot shows EV / 22E revenue multiple vs, revenue growth (21–22E) for selected cybersecurity players. Firstly, there is a positive correlation between revenue growth and valuation multiples (R² of 0.81). Secondly, there is a distinction between (a) hyper-growth cyber-security players (Okta, Zscaler, and Crowdstrike) and (b) medium growth cyber-security players (<25% growth). Darktrace is between these two sub-sets. Assuming Darktrace trades on the trend line, it would be trading at 20x EV/22E Revenue based on 30% growth, which would imply a c.$7bn / c.£5bn market cap. For context, Darktrace is rumoured to be IPO at c.$4bn / c.£3bn, implying 11x EV / Revenue 22E multiple.
The ownership structure is shown above and discloses entities with >3% interest. Existing financial investors include KKR, Summit and Deep Defence (which I presume is Vitruvian Partners but not sure). Interestingly, Insight Venture Partners led the Series D in 2017 but are not disclosed as an investor.
Furthermore, Mike Lynch and affiliates own c.18.5% of Darktrace on a fully diluted basis. His involvement reflects one of the key risk factors and source of “controversy” around Darktrace, casting shadows over the IPO. A lot has been written in the press (FT, The Times) so I will not focus on the details. Key excerpt from an FT article below.
“Lynch was indicted in the US in November 2018 for allegedly artificially inflating revenues at Autonomy, the software company he founded and ran before selling it to HP in 2011 for $11bn. He has always strenuously denied any wrongdoing.”(…) “Darktrace disclosed in its registration document that in 2018 it was subpoenaed by US authorities for information about Invoke, warning there was a risk Lynch’s investment through Invoke could give rise to money laundering claims if the funds included cash from the Autonomy sale.” (FT).
Having read the registration document, the worst-case scenario (from a financial perspective) is still unclear to me.
According to the registration document “However, the consequences of liability under the Proceeds of Crime Act 2002 or similar U.S. laws could be significant for the Group and could include: financial penalties, forfeiture, management time and expense dealing with an investigation and defence, a criminal conviction and future debarment from public procurement. If any of the foregoing occurs, it could result in a material adverse effect on the Group’s business, financial condition, results of operations and prospects.”
A forced divestiture of his stake should not have any long-term material impact on the company itself. In fact, financial investors typically sell their stake post-IPO. Darktrace could also face “potential debarment from public procurement” in the US and financial penalties (amount unclear), which are tougher pills to swallow but not the end for the company.
It should be noted that the IPO process itself was affected by legal issues, which shows that the legal issues can manifest themselves in many ways. Several large underwriters, including Goldman Sachs, reportedly decided not to seek an IPO role. UBS, which was appointed in Nov-20 to advise on the IPO, resigned in Feb-21 as “its compliance department had decided it could not file the Suspicious Activity Reports (SARs) required to fulfil its role.” (Sky News)
- Darktrace Registration Document
- Koyfin, Market Research
This post and the information presented are intended for informational purposes only. The views expressed herein are the author’s alone and do not constitute an offer to sell, or a recommendation to purchase, or a solicitation of an offer to buy, any security, nor a recommendation for any investment product or service. While certain information contained herein has been obtained from sources believed to be reliable, neither the author nor any of his employers or their affiliates have independently verified this information, and its accuracy and completeness cannot be guaranteed. Accordingly, no representation or warranty, express or implied, is made as to, and no reliance should be placed on, the fairness, accuracy, timeliness or completeness of this information. The author and affiliated persons and companies assume no liability for this information and no obligation to update the information or analysis contained herein in the future.