About this Article
In this article we aim to outline the cybersecurity threat landscape and explain how a ZTA [Zero Trust Architecture] is the only overarching approach that will radically reduce the number and magnitude of security breaches. We also aim to democratize much of the technical knowledge pertaining to threats and security whilst interspersing the read with stock recommendations.
ZTA has been discussed for a long while, and it has come to the fore in recent times as a solution to maintain security amid the pandemic-induced IT dispersion, remote working, and an increasingly worrying threat environment. However, it’s astounding how few organizations are actually implementing the security philosophy, which indicates ZTA will be driving a vibrant cybersecurity industry for at least the next decade. This article aims to help investors navigate this nascent but instrumental philosophical approach to security.
There are not many industries, in the tens of billions of dollars, that have an almost guaranteed double-digit growth runway for the next several years. Most readers will be familiar with the heightened security risks created by the dispersion of IT infrastructure and the sudden shift to distributed workforces, both of which have been greatly induced by the pandemic. However, even before enterprises have fully secured themselves in the new landscape, there is a confluence of emerging trends that is further undermining their ability to secure their systems and data.
Below we depict the main high-level catalysts that are driving the cybersecurity industry – we’ll elaborate on each except for IT dispersion and distributed workforces – as these topics have been extensively covered since the pandemic – and work our way round anti-clockwise from (1) to (4). Specifically, these catalysts are generating the demands listed inside the circle; and this article will predominantly focus on ZTA [Zero Trust Architecture], but as the topic overlaps with the others we won’t hold back on briefly discussing those as well.
Figure 1 – High-Level Catalysts Driving Cybersecurity
1. Sophistication + Scale
A few years ago, the most sophisticated cyberattacks were confined to a relatively small percentage of the corporate and institutional world. However, now these highly skilled bad actors are receiving even more funding from nation states so they can invest in more automation to complement their advanced malware with extended reach and scale – including automation to detect optimal attack targets and automation for dissemination. Collectively, they are also specializing, whereby some actors design the malware and others specialize in distributing it. In essence, this has led to an imitation of the hugely successful SaaS model in which Cybercrime-as-a-Service has emerged, allowing the highly skilled actors to rent out their malware to amateur actors for a win-win – the skilled achieve maximum chaos whilst adding a protective layer between themselves and law enforcement, and the unskilled can earn a living as cybercriminals.
The funding >>> automation technologies >>> software stack specialization >>> and ultimately the aaS model, has enabled these skillful criminals to achieve increasingly greater scale. Therefore, whereas in the past only a tiny portion of organizations were being targeted, now the problem is so much bigger.
This cascading effect, whereby the most sophisticated threats are trickling down from the fewer state-sponsored highly skilled actors to the more abundant less skilled actors, means that all organizations now need to consider the best possible security software. That is, software that is embedded with high amounts of AI/ML and autonomy, and has proven to be highly effective against attacks by state-sponsored criminal groups such as APT29, Carbanak, and FIN7. The performances by SentinelOne (S) and Palo Alto Networks (PANW) in the recent MITRE ATT&CK security testing provide a strong indication that they have the ability to establish solid moats in the XDR [Extended Detection & Response] arena, whereby the skill in detecting and eliminating these threats on endpoints will be key. And as we’ll show later, XDR is/will be hugely important for effective ZTA because a significant component in determining the ultimate level of trust per connection request is the status of the device making the request.
In October 2021, S launched RSO [Remote Scripting Orchestration] that empowers in-house security teams to customize threat responses and disseminate them at scale across all endpoints. Many vendors have some level of scripting [writing code inside a program to achieve a particular outcome – usually to automate things] capability for enterprise security analysts, though this is certainly a big step up by S. The announcement got us thinking about S’ holistic approach which we’ve attempted to describe in the diagram below.
Figure 2 – SentinelOne’s Multilayered Strategy
The only component involved in the MITRE evaluations was S’ autonomous software. However, to cover all bases and equip SecOps teams to be ultra-dynamic, S has introduced RSO to complement their autonomous software and MDR services. In our opinion, this is very different to CRWD’s strategy, which is predominantly reliant on the MDR component to eliminate [emphasis added because detection is autonomous] the threat from the endpoint.
Driven by the aforementioned dynamics, ransomware has become a very popular type of cyberattack – in 2021, the number of ransomware attacks more than doubled compared to 2020. In chronological order, successful ransomware depends on 1) an easy entry point, 2) the ability to move laterally inside a network to find valuable data, and then 3) encrypting or exfiltrating the valuable data that was located. We’ll briefly discuss each step.
1. As bad actors scan for vulnerabilities as part of their reconnaissance, more often than not they will discover improperly configured endpoints, network settings, servers, etc., belonging to a less modernized enterprise, or possibly an older NGFW without the latest patch for critical vulnerabilities. Here are a few scans available with Google Dork to find vulnerable web servers.
Figure 3 – Using Google Dork to Find Vulnerable Websites
Once an improperly configured machine is identified, it becomes their target entry point. Phishing is actually the most common entry technique for ransomware, though with the growing IT sprawl targeting vulnerable devices is quickly gaining popularity among attackers.
2. Because most enterprises’ networks are inadequately segmented, most of the time Step 2 is easy for bad actors. And it’s quite astonishing that many IT professionals still rank the importance of Zero Trust and segmentation below that of VPNs [Virtual Private Networks] – a protocol that when compromised gives attackers access to the whole network. Good news for ZTA investors.
3. Whilst at a higher level the automation and specialization investments are helping execute ransomware, more specifically the nation-state funding is being spent on file servers or third-party file sharing applications, and on FTP [File Transfer Protocol] know-how, in order to exfiltrate voluminous data at speed. Moreover, the criminals are hugely benefitting from the boom in global bandwidth investment since the pandemic, enabling them to piggyback on faster connections to speedily exfiltrate data. And this perfectly dovetails into the Cybercrime-as-a-Service model because it makes it easier for the less skilled actors – they don’t necessarily need to encrypt the data, they can just exfiltrate it. That said, Ransomware-as-a-Service operations like Lockbit will oftentimes both encrypt system files and exfiltrate data.
This last point really touches on a major driving factor behind the number of ransomware attacks increasing to the hundreds of millions per annum. In yesteryear, ransomware relied on encrypting the data/files located on the victim’s systems, and because, before prepackaged encryption, this was a highly skilled undertaking, ransomware was confined to only the most advanced actors.
However, now, because of file server investments by cybercriminal groups, plus the as-a-Service model adoption, plus high-performance encryption code conveniently packaged for easy execution, plus global bandwidth quadrupling since 2016, the data can be swiftly exfiltrated to another location and/or high amounts of data can be quickly encrypted at the victim’s location [e.g., nowadays elite encryption packages can encrypt a whole PC within 3-5 minutes and such packages are widely available]. This makes the success of ransomware way more accessible to less skilled actors.
And this may now come across as scaremongering, though we genuinely see this new landscape as an ideal breeding ground for more and more wannabe cybercriminals. It’s like the aaS model is giving less skilled/experienced criminals an opportunity for on-the-job training – an apprenticeship whereby you get paid, receive training, and guidance from a mentor, whilst making the hacker’s work more specialized as they can spend most of the time vulnerability hunting with advanced automation tools and then aaS-ize the infiltration part of the ransomware operation.
And this is way beyond the scope of the article, though we wouldn’t be surprised if the global anti-establishmentarianism that seems to have bumped up a few notches since the pandemic has also been an underlying impetus for people turning to cybercrime.
Here is a diagram that attempts to summarize the above. There is no question that all types of organizations are at risk, though the less modernized verticals are undoubtedly the most vulnerable as such companies are rapidly digitalizing with security as an afterthought.
Figure 4 – How the Most Sophisticated Attacks are Funneling Down to Hurt the Most Vulnerable Organizations
The overarching security philosophy that needs to be adopted to thwart ransomware is one that pertains to Zero Trust principles. If a company doesn’t have the best XDR to detect and quickly eliminate the threat, then making it nigh-on impossible for threats to move once inside the network is absolutely paramount. In fact, this is imperative even with the best XDR.
Currently, in the high majority of enterprises, once a hacker has infiltrated the network perimeter defenses, they have pretty much free rein to move laterally across the IT systems. This is because machines that aren’t located at the perimeter are treated differently – in theory, they are only reachable by trusted machines on the internal network, and hence security is less of a consideration. Evidently, this needs to change which is why security vendors that can add great value to a ZTA [Zero Trust Architecture] are going to be winners over the course of the next several years.
Specifically, in respect to preventing lateral movement via the variations of segmentation [whether it be network segmentation or microsegmentation] we recommend the following companies to consider as an investment:
Fortinet (FTNT): because network-based segmentation requires internal firewalls [physical and/or VM] positioned to segment the network, and hence this is a costly undertaking and will also add a degree of latency. Thanks to its unique and long-enduring hardware and software focus, FTNT has the market-leading TCO [Total Cost of Ownership] and 3x-10x more computing power vs firewall rivals – both attributes that mitigate the cost and latency issues.
Particularly, we view FTNT as having even greater appeal to the less modernized verticals that will continue to have a large portion of infrastructure on-prem, hence making firewalls very much needed. Valuation-wise, among a 109-stock peer group FTNT’s Rule of 40 is in the top 4% whilst its forward EV/FCF is in the bottom 8%.
PANW: because after having acquired a BoB startup called Aporeto in 2020 and integrating their technology into Prisma Cloud, PANW now has a market-leading microsegmentation solution. Microsegmentation is an ideal form of segmentation for the cloud whereby the environment [new workloads, new services, new containers, new machines, replacements, decommissions, etc.] is frequently changing. This is because microsegmentation is software-defined and is therefore applied as an abstraction away from Layer 3 [network layer] and Layer 4 [TCP/IP layer], and hence doesn’t depend on IP addresses.
So, PANW uses microsegmentation to assign identities to all workloads and associated hosts and containers, and SecOps can then use a single-pane-of-glass to decide upon and implement policy – e.g., workload ABC executing on server XYZ can only connect with service DEF on server UVW. Focusing on identities as a superset is the key to gaining visibility within the inherently opaque nature of the cloud, because there are way more non-person identities than actual user identities – mistakenly focusing on the latter means enterprises aren’t seeing most of the connections in their environment. This capability is a core reason for their leadership in cloud security – acquiring a few thousand customers in just two years, including over a quarter of the Global 2000.
Valuation-wise, we have done various valuation exercises on PANW and each one indicates a significant mispricing. One quick back-of-the-envelope [sum-of-parts] relative valuation consideration would be to add up the market caps of CHKP, ZS, and CRWD to get a total.
- Most of CHKP’s business is network security,
- most of ZS’ business is SASE [Secure Access Service Edge],
- most of CRWD’s business is cloud security and XDR,
- and most of PANW’s business is all three of these categories.
If one can say that CHKP, ZS, and CRWD are at least fairly valued right now, then the upside for PANW looks to be c. 2x.
Figure 5 – Back-of-the-Envelope Relative Valuation for PANW
If you want to examine the validity of this sum-of-parts relative valuation then below is further data [if not then skip past the next two figures]. The split of total revenue across network security, SASE, and cloud security & XDR is an estimate, and we’re fairly confident in its accuracy [maybe less so for ZS]. For readers with little time, just focus on the circled numbers. The revenue total for CHKP/ZS/CRWD is similar to PANW’s TTM revenue, which supports the market cap approach above. Yet PANW’s growth-adjusted P/S is much lower than the weighted average of CHKP/ZS/CRWD.
Figure 6 – PANW Sum-of-Parts Relative Valuation (1)
A similar mispricing can be drawn from reviewing FCF in the same way. The closeness in FCF between CHKP/ZS/CRWD and PANW supports the market cap approach above. And PANW’s growth-adjusted P/FCF is less than half of the weighted average of CHKP/ZS/CRWD.
Figure 7 – PANW Sum-of-Parts Relative Valuation (2)
Illumio: because of their leadership in microsegmentation. Illumio is a late-stage startup that we expect will launch an IPO, possibly in 2022, or highly probably by 2023. Their microsegmentation is different to PANW’s, however, in that they have a host-based version, which means it allows enterprises to control the built-in OS firewall that is pre-installed on each device. With a nifty software-defined abstraction, customers can centrally control the really underutilized OS firewalls and apply highly granular policy – such as, only allow machine XYZ to send and receive communication with application ABC from server cluster D. The innovativeness of this is really next-level, because OS firewalls don’t typically work that well on their own, being based on hard, static rules. With a cloud brain, Illumio controls these OS firewalls and can update policies in a dynamic manner.
No architectural changes are needed to implement Illumio and the software works across cloud and on-prem. They really are one of the most modern software-defined vendors around and can be trialed in parts of the organization before taking on a full installation. And some really cool tools include 1) their asset and vulnerability mapping, which is paramount before embarking on a ZTA journey, and 2) allowing SecOps to simulate policy changes retrospectively or in real-time to see the effectiveness before taking real action.
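To make the identity-based and host-based segmentation described above concrete, here is an added example (not PANW’s or Illumio’s code) in which policy rules name workload identities rather than IP addresses, a central function compiles them into a default-deny inbound allow-list per host, and a simulation previews which observed flows a policy would block before it is enforced. All hosts, IPs, ports and workload names are constructed for the example.

```python
"""Identity-based microsegmentation policy compiled into per-host rules.

Added example, not PANW's or Illumio's code. Policy rules name workload
identities (labels), never IP addresses; an inventory records which host
and IP currently runs each identity, and compile_host_rules() renders a
default-deny inbound allow-list for every host (the kind of rule set a
central brain would push to each OS firewall). simulate() replays observed
flows against a policy to preview what would be blocked before enforcing.
All hosts, IPs, ports and workload names are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    workload: str   # e.g. "billing-api"
    env: str        # e.g. "prod"


@dataclass(frozen=True)
class Rule:
    src: Identity
    dst: Identity
    port: int
    proto: str = "tcp"


# Constructed identities for a three-tier application
WEB = Identity("web", "prod")
BILLING = Identity("billing-api", "prod")
DB = Identity("postgres", "prod")


def sample_inventory() -> dict:
    """host name -> (identity running there, its current IP); constructed."""
    return {
        "web-01": (WEB, "10.0.1.10"),
        "billing-01": (BILLING, "10.0.2.20"),
        "db-01": (DB, "10.0.3.30"),
    }


def sample_policy() -> list:
    # Only two flows are legitimate; everything else is denied by default.
    return [Rule(WEB, BILLING, 8443), Rule(BILLING, DB, 5432)]


def compile_host_rules(policy: list, inventory: dict) -> dict:
    """Return {host: [(src_ip, port, proto), ...]} inbound allow-lists.

    Any inbound connection not present in a host's list is denied.
    """
    ips_by_identity: dict = {}
    for ident, ip in inventory.values():
        ips_by_identity.setdefault(ident, []).append(ip)
    host_rules = {host: [] for host in inventory}
    for rule in policy:
        for host, (ident, _ip) in inventory.items():
            if ident == rule.dst:
                for src_ip in ips_by_identity.get(rule.src, []):
                    host_rules[host].append((src_ip, rule.port, rule.proto))
    return host_rules


def is_allowed(host_rules: dict, dst_host: str, src_ip: str,
               port: int, proto: str = "tcp") -> bool:
    return (src_ip, port, proto) in host_rules.get(dst_host, [])


def simulate(policy: list, inventory: dict, flows: list) -> list:
    """flows: [(src_ip, dst_host, port, proto)]. Returns the flows the policy blocks."""
    host_rules = compile_host_rules(policy, inventory)
    return [f for f in flows if not is_allowed(host_rules, f[1], f[0], f[2], f[3])]


def sample_flows() -> list:
    # Constructed traffic: two legitimate flows and two lateral-movement attempts
    return [
        ("10.0.1.10", "billing-01", 8443, "tcp"),   # web -> billing API
        ("10.0.1.10", "db-01", 5432, "tcp"),        # web straight to the DB
        ("10.0.2.20", "db-01", 5432, "tcp"),        # billing -> DB
        ("10.0.1.10", "web-01", 22, "tcp"),         # web host -> own tier, SSH
    ]


def redeploy_billing(inventory: dict) -> dict:
    """Replace the billing host (new name, new IP); the policy is untouched."""
    new_inv = dict(inventory)
    del new_inv["billing-01"]
    new_inv["billing-02"] = (BILLING, "10.0.2.99")
    return new_inv


if __name__ == "__main__":
    pol, inv = sample_policy(), sample_inventory()
    print("blocked before enforcement:", simulate(pol, inv, sample_flows()))
    print("db-01 rules after redeploy:",
          compile_host_rules(pol, redeploy_billing(inv))["db-01"])
```

Because the policy is written against identities, redeploying a workload on a new IP changes only the compiled host rules, never the policy itself.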
As can be seen in the following table, Illumio is currently one or two rounds behind some of the well-known multibagger SaaS stocks in recent memory; however, Illumio has raised a relatively high amount of funding.
Figure 8 – Pre-IPO Funding and Revenue Estimates of Multibagger SaaS Stocks
As we’re aware, the pandemic has accelerated the need for ZTA, and the additional wave of ransomware threats is creating the urgent need for network segmentation. To service this demand, from both Illumio and its investors’ perspectives, it would probably be more effective to launch an IPO sooner rather than later.
Based on the Series F round in June 2021 which valued the firm at $2.75bn, and an estimation that TTM revenue was around $92m at that point, we estimate the EV/S was already at a whopping 30x. However, Illumio is growing c. 100% YoY, so in the above table if one year later [c. June 2022] revenue transpires to be close to $200m, then relatively speaking the valuation doesn’t look so rich – possibly even interpreted as a bargain.
In 2020, just 11% of respondents in a Forrester Security Survey expressed that they plan to initiate microsegmentation. We presume this will be notably higher since the ransomware surge in 2021; however, clearly the upside for such vendors is still huge. With BoB vendors it’s easy to implement, cost effective, absolutely necessary to prevent ransomware, and only a tiny percentage of the corporate world are currently doing it. Note, we shall be diving deeper into network segmentation in a soon-to-be released ATI member exclusive.
2. Hardware Provisioning Risks
Modern cloud architectures provide a variety of benefits for enterprises, such as reduced costs, greater reliability, innovation, and faster time to market. However, the proliferation of apps, each with their own set of interdependencies and APIs loosely connected within microservices architectures sprawled across multiple clouds, makes managing all this highly burdensome.
Consequently, enterprises have this dispersed computing environment with bucket loads of stuff that needs manually configuring which leads to the frequent human errors that have led to the innumerable data breaches that I’m sure you’ve seen in the news. CSPMs [Cloud Security Posture Management] are solutions to help IT professionals ensure things are correctly configured, and whilst they are an absolute foundational necessity, they pertain to the more generic stuff related to the hyperscalers. It’s the case, however, that each app and its lifecycle have unique characteristics and hence can’t be legislated for with CSPM software alone. A study by ORCL in early 2021 revealed the following statistic. And this is in spite of CSPMs now being in place across a significant portion of the cloud-using organization population.
Figure 9 – Oracle Study Regarding Data Loss in the Cloud
As previously alluded to, CSPM is a baseline requirement but it lacks the scope to be the complete panacea. Developers ready to test and then deploy their new apps/services, still need to manually configure the underlying infrastructure provided by the hyperscaler – stuff relating to servers, network connections, databases, storage, etc. And given the pressure from cloud environments and the expectation for speed, naturally developers make mistakes when configuring the hardware.
This has given birth to IaC [Infrastructure-as-Code] in recent years which has become highly popular with developers. IaC is a template to configure hardware that can be reused and thus saves lots of time which is a big win for developers and their enterprises. This poses a very significant problem, however. If someone is doing something manually and doing it incorrectly, and then you give them an automation tool, then logically you should expect their mistakes to be scaled across the organization. Of course, it’s not this black and white in reality but it’s a point worth thinking about.
So, in essence this is the problem >>> one misconfigured IaC template will likely lead to thousands of security alerts, which are very difficult to troubleshoot when the root cause is infrastructure. Though you may wonder how this ties into the article topic of ZTA – well, it links back to privileges. Improperly configured machines will lead to machines connecting to one another with excessive access. For example, Machine A should only be allowed to read on Machine B, though the misconfiguration now means Machine A can also write [change settings/code] on Machine B. In this example, a hacker that managed to gain access to Machine A will be able to move to Machine B and then change things in order to perhaps gain higher privileges and more access to the rest of the computing environment – they may even be able to assume the role of root/administrator of a system, which is ultimately what they’re aiming to do.
Again, microsegmentation [both workload identity-based and host-based] is a simple-to-implement solution that greatly limits such consequences of improperly configured hardware. However, we like PANW even more because they also have [acquired] the technology to build security into IaC right from the outset. This ensures that the templates are properly configured even when developers might not see their errors. The philosophy of IaC security could be compared to catching defects in an assembly line of a manufacturing facility as early on as possible to minimize costs by preventing them reaching the late production stages. And all of this IaC security mindset fits into broader approaches such as DevSecOps and CI/CD [continuous integration, continuous deployment].
So, IaC security from PANW is a great solution; the segment is still in its nascent stage, there isn’t a ton of competition [main players are Ansible by Red Hat, CloudFormation by AWS, and Terraform by HCP], and our preliminary research indicates PANW has the edge in the automated scanning of these IaC templates. And for those who may not fully appreciate how big the IaC security market could be, consider the following chart showing the thousands of new apps released per month – each one of which could have its infrastructure set by an IaC template.
Figure 10 – Number of New Android App Releases via Google Play per month
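The IaC scanning idea discussed above, as an added example that is not PANW’s scanner and uses no real IaC tool’s format: a constructed, vendor-neutral template is checked before deployment against an approved least-privilege matrix (Machine A may read Machine B, but the template also grants write) and for management ports open to the whole internet, and the findings are multiplied by the number of deployments the template feeds. The template schema, resource names and approved matrix are all assumptions of the example.

```python
"""Pre-deployment scan of an IaC template (added example; not PANW's
scanner or any real IaC tool's format).

The template, its resource kinds and the approved access matrix are all
constructed for this example. The scan reports two defect classes the text
describes: an access grant exceeding the approved least-privilege matrix
(Machine A may read Machine B, but the template also grants write) and a
management port exposed to the whole internet. blast_radius() multiplies
findings by the number of deployments the template feeds, which is how one
template error turns into many live misconfigurations.
"""
import json
from ipaddress import ip_network

# Constructed template in this example's own schema
TEMPLATE_JSON = """
{
  "template": "app-tier-v3",
  "resources": [
    {"kind": "access_grant", "from": "machine-a", "to": "machine-b",
     "permissions": ["read", "write"]},
    {"kind": "access_grant", "from": "machine-b", "to": "storage-1",
     "permissions": ["read"]},
    {"kind": "firewall_rule", "name": "ssh-in", "cidr": "0.0.0.0/0", "port": 22},
    {"kind": "firewall_rule", "name": "app-in", "cidr": "10.0.0.0/8", "port": 8443}
  ]
}
"""

# Approved least-privilege matrix (constructed): (from, to) -> permissions
APPROVED_ACCESS = {
    ("machine-a", "machine-b"): {"read"},
    ("machine-b", "storage-1"): {"read"},
}
MANAGEMENT_PORTS = {22, 3389}


def load_template(text: str = TEMPLATE_JSON) -> dict:
    return json.loads(text)


def check_access_grant(res: dict, approved: dict):
    """Flag grants with no approval, or with more permissions than approved."""
    key = (res["from"], res["to"])
    granted = set(res["permissions"])
    allowed = approved.get(key)
    if allowed is None:
        return {"rule": "UNAPPROVED_GRANT", "resource": key, "granted": sorted(granted)}
    excess = granted - allowed
    if excess:
        return {"rule": "EXCESS_PRIVILEGE", "resource": key, "excess": sorted(excess)}
    return None


def check_firewall_rule(res: dict):
    """Flag management ports reachable from every address on the internet."""
    world = ip_network(res["cidr"]).prefixlen == 0   # a /0 prefix covers everything
    if world and res["port"] in MANAGEMENT_PORTS:
        return {"rule": "MGMT_PORT_OPEN_TO_WORLD", "resource": res["name"], "port": res["port"]}
    return None


def scan(template: dict, approved: dict = APPROVED_ACCESS) -> list:
    """Run every check over every resource; return the list of findings."""
    findings = []
    for res in template["resources"]:
        if res["kind"] == "access_grant":
            finding = check_access_grant(res, approved)
        elif res["kind"] == "firewall_rule":
            finding = check_firewall_rule(res)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


def blast_radius(findings: list, deployments: int) -> int:
    """Live misconfigurations if the template ships unchanged to N stacks."""
    return len(findings) * deployments


if __name__ == "__main__":
    found = scan(load_template())
    for f in found:
        print(f)
    print("live misconfigurations across 400 deployments:", blast_radius(found, 400))
```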
3. Cybersecurity Skills Shortage and the Ramifications
Currently, there are c. 3.5 million unfilled cybersecurity jobs across the globe. There are just 950k cybersecurity workers in the U.S., and 465k jobs waiting to be filled. The shortage can be attributed to 1) the pace of IT sprawl and the progression in attack sophistication, 2) deep-seated factors pertaining to the educational system which is not generating enough interest in cybersecurity, and computing in general, and 3) cybersecurity candidates not having the requisite baseline certifications. And there is evidence that the situation is worsening rather than getting better.
Figure 11 – Survey Conducted with 489 Security & IT Professionals
The shortage of appropriately qualified personnel has resulted in excessive point solution implementations. As the burden of security has fallen into the hands of IT generalists, invariably security has been handled in a piecemeal manner, whereby when a new threat vector has emerged, a new point solution has been purchased and implemented. This has led to the average enterprise having 75 security tools, each sounding off hundreds of alerts each day, and causing alert fatigue and creating extremely complex systems to operate, which ultimately leads to vulnerabilities that attackers can exploit. And it’s no surprise that it’s pretty much impossible to orchestrate an enterprise-wide ZTA approach with this much fragmentation.
Therefore, investors should look for vendors that offer a platform of integrated solutions to enterprises, which can be easily managed by a single-pane-of-glass. Though, switching from a multi-vendor to a singular platform vendor isn’t easy, and therefore vendors that can provide comprehensive visibility for IT admins to map out their asset inventory, workflows, and incumbent point solutions will offer the greatest value. Furthermore, as the skills shortage will persist, software that has a high degree of autonomy and/or provides IT admins with the ability to automate certain security-related tasks will become increasingly demanded. Additionally, System Integrators [SI] can be invaluable in helping enterprises manage the transition. It is only after such a transition that organizations will be able to install a ZTA strategy that will be effective and maintainable.
With this in mind, we recommend investors consider the following companies that can give enterprises 1) an easy-to-manage all-in-one platform, 2) full visibility of their IT infrastructure, and 3) a high degree of software autonomy and the ability to automate:
FTNT – one of the two broadest security platforms available. From Gartner reports and Reddit IT discussions, it appears that deploying and managing FTNT’s software is surprisingly easy for a platform with such breadth. And we put this down to FTNT’s in-house/home-grown ethos whereby they aim to build capabilities themselves rather than acquire. As a result, FTNT’s solutions integrate with one another a lot more smoothly compared to other platform vendors. So, FTNT definitely ticks the box of a broad platform that is easy to manage and that can replace the multitude of pre-existing vendors, and by virtue of their smoother solution interoperability, they also provide that much-needed visibility [which also comes from the context enrichment from their sheer presence across global networks]. We’ll also add that FTNT has a very good ability relating to automation thanks to their SOAR [Security, Orchestration, Automation & Response] offering that helps SecOps automate certain threat responses.
PANW – Alongside FTNT, PANW has the broadest security platform. PANW’s method of creating such a broad platform has been via aggressive acquisition and less in-house, however. Usually, such an aggressive acquisitive strategy [CSCO is a classic example] leads to shareholder value destruction, however, Arora, Lee Klarich [Chief Product Officer], and Nir Zuk [CTO] have cleverly leveraged PANW’s best-in-class security principles to effectively integrate new software into the broader platform. On top of that, PANW’s exceptional sales and marketing results in the acquired BoB technologies benefitting from a significant surge in adoption to help with the evolution of the software. Arora & PANW have really cultivated a secret sauce for highly effective M&A, part of which can be attributed to how they treat the incoming founders [high majority have stayed after being acquired]. As well as having the broadest of platforms, PANW has the edge in providing visibility which has been greatly enhanced since their acquisition of Xpanse in 2020, and they also have superiority in regards to software autonomy.
Netskope – in regards to gaining full cloud visibility there is probably no vendor better than Netskope. Netskope is a late-stage startup with roots in out-of-band CASB [Cloud Access Security Broker], which is software that monitors and governs user access to SaaS apps with an API-based architecture. In recent years, they have progressed into becoming a broad data-centric platform that can also deliver a SASE [Secure Access Service Edge] solution. With a predominant security philosophy centred around securing data [in the cloud and on-prem], Netskope has a great chance to really differentiate themselves against other platform vendors as we delve deeper into both the era of big data and the era of ever-increasing data breach risks. If enterprises can focus on locating where data resides and then securing that data, then in theory they can be dispersed as they want with the comfort of knowing they’re safe from ransomware attacks.
We view Netskope’s philosophy as highly effective but different to Illumio’s. Both are novel ways to do security in the distributed landscape though the former focuses on preventing unauthorized data access and data movement, and the latter focuses on restricting actor movement inside the network. We expect Netskope will launch IPO proceedings this year. The latest round of funding in July 2021 unveiled a valuation of $7.5bn, and given the CFO and various chief executives having been appointed, in regards to corporate governance, Netskope seems to be ready for the IPO. To summarize, Netskope has a broad platform, and via its data discovery and mapping capabilities they can provide the necessary visibility before an enterprise embarks on a ZTA initiative. As a sidenote, we’ll add that we view Netskope as having greater agility than close rival ZS – we dived into this in an ATI exclusive we published in December.
S – the notion that S [and PANW] performed the best in the MITRE ATT&CK evaluations and were the only two vendors that didn’t make any configuration changes in preparation for the testing, indicates that the marketing around S’ autonomous software is backed up by results. S’ level of autonomy is enabled by their hybrid endpoint security focus. Whereas CRWD’s approach to endpoint security is to have a very lightweight agent on the endpoint that only sends telemetry to the cloud for labour-intensive investigation and remediation, S has a more capable endpoint agent that can detect, contain, and eliminate the threats autonomously, and the small percentage of threats not caught by the agent will be dealt with by the cloud operations. From this, one can infer the reasons for CRWD’s 25 config changes vs S zero config changes in the most recent MITRE testing – the autonomy built into S’ agent means it can pretty much work out-the-box, whereas in using CRWD there appears to be more tuning needed in large part because of the greater human component.
We would say both S and CRWD can add huge amounts of value to IT admins and SecOps by providing the endpoint visibility, though in regards to software autonomy S has the advantage. Furthermore, as touched on briefly earlier in the report, by introducing RSO [Remote Scripting Orchestration] S is now giving SecOps way more ability to automate than CRWD. It appears that the Scalyr acquisition has been instrumental in the recent RSO launch, because Scalyr provides the back-end power query functionality, to allow SecOps to do tons of automation and complex analytics to further automate things that are repetitive and redundant.
Illumio – for this section we’ll add a bit more colour about what Illumio does. So, it allows IT admins/SecOps to map out all of the organization’s IT assets, and then will collaborate with vulnerability software [like QLYS and TENB] in order to map out all the vulnerable pathways. For example, if a piece of software has not yet had a vulnerability patched on server ABC, then Illumio will alert IT admins to the connected pathways, and enable them to swiftly cut off or limit connections to read only. Furthermore, Illumio will rate the severity of the vulnerability based on the vulnerability itself and how many pathways are connected to it.
Figure 12 – Illumio’s Vulnerability Maps
Once the vulnerabilities are known, it is easy and quick to change policy and order the OS-based firewalls to block/limit connections/privileges relating to vulnerable assets. We view that Illumio could be the missing piece that when combined with NGFWs [PANW, FTNT] and NGAVs [S, CRWD] could well and truly stop all ransomware and the most advanced attacks around today and in the future.
Others – honourable mentions of vendors that can help understaffed security teams tackle the complexity of their environment are NET, DDOG, and SPLK. Each of these vendors can provide security teams with better visibility of their network, IT infrastructure, and the threat landscape, which we’ll reiterate, is an absolute necessity before beginning a ZTA project.
4. Cybersecurity’s Own Technical Debt
The industry started with stateless firewalls and signature-based AV, then stateful firewalls, then NGFW [Next-Gen Firewalls], then WAF [Web Application Firewalls], then SWG [Secure Web Gateways], then vulnerability management, then SIEM, then EPP [Endpoint Protection Platforms], then EDR [Endpoint Detection & Response], and then XDR, which extends EDR’s detection and response beyond the endpoint to network, cloud, identity, and email telemetry. These things were developed independently of each other, leading to unmanageable numbers of point solutions. The end result for the vast majority of companies is an overarching cybersecurity architecture that is incredibly messy, without a dominant platform or architecture. Ironically, over the decades, as the industry has done its best to stop cybercrime, it has simultaneously made its own estate harder to defend – the wonders of hindsight.
So, this gives ZTA a great last-mover advantage: it can leverage the experience and lessons learned from multiple generations of point products, philosophies and architectures, and think about how best to combine them to enhance security, simplify management, maintain or improve user experience, and unburden SecOps from alert fatigue.
Zero Trust Architecture
Below is a diagram showing the steps that follow a user [or machine] making a request to access an enterprise resource [app, system, etc.]. The diagram is based on an agent/gateway ZT model, as we think it’s very likely this version will prevail as the most popular, due to the amount of contextual data [time, location, user behaviour patterns, device configuration, etc.] that can be delivered by having an agent on the endpoint. As can be seen, a ZT model is software-defined: the control plane [where access decisions are made] is separated from the data plane [where the traffic actually flows], which means the policy for every enforcement point can be centrally controlled.
This abstraction also provides an additional layer of security because the decision logic no longer lives on the device that forwards the traffic. When a resource request has been made, the data pertaining to the user and device is sent from the PEP [Policy Enforcement Point] to the PA [Policy Administrator] and on to the PE [Policy Engine]; in practice the PA and PE are very often deployed together as one service. In the agent/gateway model the PEP is itself split in two: the agent on the requesting device and the gateway sitting directly in front of the resource. The PE will analyze the user and device data in conjunction with global and internal threat intelligence, feed all of it into the Trust Algorithm, and make an access decision accordingly [full or limited access, or reject]. Once access has been granted by the PE, the PA configures the agent and the gateway so that a session can be established between the requester and the resource’s gateway [which will likely be a specialized VM-based firewall].
Figure 13 – The Flow of a Zero Trust Access Model
So, the above flow of initiating a connection applies to requesters wherever they are – inside the corporate network or at a remote location. It also applies whether the enterprise resource is located in an on-prem data centre or in the cloud. Therefore, the default assumption for any connection request is that the requester is a threat, and hence authentication and authorization must be conducted before a level of access is granted or further authentication is demanded [MFA] – which in a nutshell is the philosophy of ZT.
You can probably infer that there are multiple layers of protection in this architecture: the resource only communicates with its gateway; the gateway only communicates with a requester that has been authenticated and authorized by the PA/PE; the PA/PE are kept off the data path and separate from the PEP, which makes them very difficult for an attacker to reach; and the agent is configured to talk only to the PA and, once a session is authorized, to the gateway. So, an attacker would need to compromise the endpoint and its agent, and even then the chances of reaching the resource are still very slim because they would also need to satisfy the PE. Also note that verification continues after the initial access is granted, re-checking context such as the time the resource is being used and the user’s geolocation, and tearing the session down if the trust level drops. Advances in technology in recent years are what have enabled this type of continuous verification and made ZTA a viable solution.
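To show what the PE’s decision and the continuous re-verification actually look like, here is an added example in Python. It is not code from the article or from any vendor discussed; the signal weights, thresholds, resource names, allowed countries and the user/device records are constructed for illustration, and a real Trust Algorithm would use far richer signals.

```python
# Added example (not from the article or any vendor): a toy Policy Engine.
# It takes the kind of agent-reported context the text lists, runs a simple
# additive "trust algorithm", and returns full access, limited access, a
# step-up (MFA) requirement, or a rejection. Weights, thresholds, resource
# names and the records below are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # entitlements from the identity provider
    resource: str
    device_managed: bool      # agent present and enrolled
    disk_encrypted: bool
    edr_healthy: bool
    os_patched: bool
    mfa_satisfied: bool       # a fresh second factor in this session
    country: str              # geolocation reported by the agent
    hour_utc: int


@dataclass(frozen=True)
class Decision:
    verdict: str              # "allow" | "limited" | "step_up" | "deny"
    score: int
    reason: str


# Per-resource policy: who may ask, how much trust is needed, and whether MFA
# is mandatory regardless of score.
POLICY = {
    "wiki":       {"roles": {"staff"},   "min_score": 40, "mfa": False},
    "payroll-db": {"roles": {"finance"}, "min_score": 80, "mfa": True},
}
ALLOWED_COUNTRIES = {"GB", "US"}
BUSINESS_HOURS = range(6, 20)
LIMITED_BAND = 20   # how far below min_score still earns read-only access


def trust_score(req):
    """Additive trust algorithm: each signal contributes a fixed weight.
    Device posture dominates because a compromised endpoint can replay a
    perfectly valid identity."""
    score = 0
    score += 25 if req.device_managed else 0
    score += 10 if req.disk_encrypted else 0
    score += 20 if req.edr_healthy else 0
    score += 15 if req.os_patched else 0
    score += 20 if req.mfa_satisfied else 0
    score += 10 if req.country in ALLOWED_COUNTRIES else 0
    if req.hour_utc not in BUSINESS_HOURS:
        score -= 10   # unusual time lowers confidence without blocking outright
    return max(score, 0)


def decide(req, policy=POLICY):
    """The PE's answer for one request: authorization (role) first, then any
    mandatory MFA, then the contextual score against the resource threshold."""
    rule = policy.get(req.resource)
    if rule is None:
        return Decision("deny", 0, "unknown resource")
    if not (req.roles & rule["roles"]):
        return Decision("deny", 0, "role not entitled to resource")
    score = trust_score(req)
    if rule["mfa"] and not req.mfa_satisfied:
        return Decision("step_up", score, "resource requires MFA")
    if score >= rule["min_score"]:
        return Decision("allow", score, "score meets threshold")
    if score >= rule["min_score"] - LIMITED_BAND:
        return Decision("limited", score, "score below threshold: read-only")
    return Decision("deny", score, "score too low")


def reverify(granted, current):
    """Continuous verification: re-run the PE on the latest context for an
    existing session. Returns (keep_session, new_decision); any change from the
    original verdict tears the session down so the PA can rebuild it, if at
    all, at the new level."""
    new = decide(current)
    return new.verdict == granted.verdict, new


if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"staff", "finance"}), "payroll-db",
                          device_managed=True, disk_encrypted=True, edr_healthy=True,
                          os_patched=True, mfa_satisfied=True, country="GB", hour_utc=10)
    first = decide(alice)
    print(first)
    # Later in the same session the agent reports EDR is unhealthy and the
    # device is now in a country outside policy.
    moved = AccessRequest("alice", frozenset({"staff", "finance"}), "payroll-db",
                          device_managed=True, disk_encrypted=True, edr_healthy=False,
                          os_patched=True, mfa_satisfied=True, country="RU", hour_utc=10)
    print(reverify(first, moved))
```

The ordering inside `decide` matters: a missing entitlement is refused before any device signal is consulted, and a resource that mandates MFA asks for it even when the device score is perfect, so a stolen session on a pristine laptop still hits a second factor. The `reverify` call is the continuous-verification step from the text: the same engine, the same policy, just re-run on fresh context.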
As alluded to previously, before ZTA can be implemented as per the above diagram, companies need to gain full visibility into their assets, workflows, users, and user privileges. Either concurrently with or subsequent to this mapping stage, they would most likely need to consult with an SI [Systems Integrator]. The SI will then help them review the networking/security vendor landscape for implementing their ZTA, and then help them with the installations. Once the ZTA is live, supporting operations include vulnerability management software, XDR/MDR, compliance [HIPAA, PCI-DSS, GDPR, etc.], and disaster recovery/data backup software.
In the following diagram, we attempt to depict the ZTA stages and list the vendors that enterprises will probably consider.
As we’ve outlined throughout this article, zero trust needs to be the default stance for any connection request. From there, the processes of authentication and authorization lead to the decision on the appropriate level of trust. This is why IAM [Identity & Access Management], IGA [Identity Governance & Administration], and PAM [Privileged Access Management] are so critical to the success of a ZTA. In essence, IAM supplies the identity data and the PE/Trust Algo that collates all the user/device data and makes a decision in real time; IGA relates to establishing the privileges per user and making the governance of all that easier for IT admins; and PAM focuses on securing highly privileged accounts and thus protecting the critical systems they have access to.
Okta (OKTA): In our opinion, the best and most complete vendor in regards to IAM/IGA/PAM is OKTA. Specifically, in regards to IAM, they are the leader with probably the most sophisticated Trust Algos, and last year they moved into IGA and PAM with an attractive cloud-native alternative to the incumbent leaders in these spaces, SAIL and CYBR. And because OKTA will likely be needed early on in an enterprise’s ZTA journey, in order for it to take stock of all users, roles, and privileges, OKTA has an added advantage versus some other vendors. With respect to IAM, we also think PANW and FTNT can do pretty much all that OKTA can – by now you can probably see the breadth of PANW’s and FTNT’s moat – though OKTA has that SSO [Single Sign-On] superiority which gives them the overall edge.
A big advantage for OKTA is that they were the first to do identity and access from the cloud which enabled them to do IAM better than then-incumbent on-prem solutions. And by initially keeping their focus very narrow by just focusing on IAM, being the first to deliver highly productive SSO for the enterprise world, and making onboarding incredibly easy for organizations and users, OKTA has accrued thousands of enterprise customers [c 14,000] each with thousands of employees accessing numerous apps. This has given them immense network effects as they have been applying machine learning to analyze the billions of identities and millions of daily authentications/authorizations and in turn develop arguably the best PE around. And we see this moat only getting stronger.
A very important point that long-term investors should consider with respect to OKTA, is that they are very unlikely to ever get [overly] bogged down in technical debt – a fate that has rendered many once-modern software firms as legacy ones. This is because OKTA takes the use of open standard protocols to the nth degree. Conversely, firms that become legacy do so in large part because they’ve focused on developing their own source code from the ground up and creating customized connections to third-party apps/systems. Then, as the technological landscape changes, the excessive customization makes it extremely difficult to pivot and evolve.
OKTA and vendors like NET, on the other hand, make great use of open standard protocols like SAML, OpenID Connect, and OAuth 2.0, which are extremely popular, rich in API connectivity, and most importantly extensible. When tech evolves, the standards bodies and implementer communities behind SAML [OASIS], OAuth [the IETF], and OpenID Connect [the OpenID Foundation] collectively improve the foundational underpinnings of the protocols [relatively easy because of the extensibility], and then it is down to individual vendors to build their own features on top. So, in our opinion, the likes of OKTA will avoid the legacy fate, probably in the same way GOOGL has. This understanding of OKTA will also help in assessing whether they will achieve dominance in the recently entered IGA and PAM spaces, which are currently dominated by the legacy-ish vendors SAIL and CYBR.
The whole deep-seated open standard protocol approach has also empowered OKTA to be about as vendor-agnostic as a firm can get. By building on SAML and OAuth they can seamlessly authenticate and authorize across thousands of apps, and maintain security at all times with continual verification techniques, without impacting the user experience and while ensuring the user only accesses data according to their privileges.
OKTA’s vision is also highly differentiated. The vision is to have users utilize an Identity Wallet that seamlessly merges personal and work-related identities. For example, the wallet will have all of a person’s ID verification relating to government, driving license, healthcare, etc., and sharing these plus medical history with the likes of doctors/pharmacies/insurance will be super effortless and puts the user in control – likely to be very valuable amid the growing awareness surrounding data privacy.
If OKTA can execute this strategy, it will be at the centre of the digital evolution. Just imagine using OKTA in this way to get easy and secure onboarding and access to whatever you need to sign up to and use, without needing to remember usernames and passwords, and with your data always secured by continual and frictionless verification. I think about my recent experience hiring a car in Dubai from a car rental firm I had used twice in the past 12 months. Despite having logged into the website and selected the car I wanted, there was a lot of time wasted and confusion back and forth when I was submitting the ID documentation. Anything that can improve this experience would be very welcome for all.
Identity is becoming the glue that connects ZT, privileges, data governance, and data protection amid the distributed world. And for customer and workforce identity needs, OKTA is tightening relationships with developers so firms can create specialized identity solutions to meet their specific desires. On the whole, the importance of identity as it relates to cybersecurity and productivity is only going to grow, though it is our sense that this is something most investors are not fully aware of.
Valuation-wise, we like OKTA’s TAM [Total Addressable Market] potential by virtue of identity becoming increasingly the centre of cybersecurity, productivity, and anything CX-related. Plus the stable 120%+ DBNR [Dollar-Based Net Retention] and very strong customer growth should secure 30%+ growth for a few years.
OKTA isn’t a bargain like PANW but relatively speaking they are not excessively priced. Among a 115-stock peer group, OKTA has a Rule of 40 in the top 11%, whilst its forward EV/FCF is bang on the upper quartile and its forward EV/GP is near the median. We would veer more toward the forward EV/GP as an insight to the stock’s future potential given the 60%+ growth, its very high 60%+ S&M/revenue expense, and its replacement and greenfield market opportunities.
Figure 14 – OKTA Relative Valuation & Rule of 40 [as of 8th Jan]
Jamf (JAMF): in regards to device, aka endpoint, security, in addition to the vendors we’ve already discussed [S, PANW, and CRWD] we would say JAMF has a very bright future. JAMF is an Apple-focused MDM [Mobile Device Management] vendor that has expanded into security.
- Firstly, JAMF removes the difficulties associated with having Apple in the enterprise. IT admins instantly reduce vulnerability risk because JAMF automates the provisioning of new Apple devices and provides very quick patch management [fixing bugs/vulnerabilities in software]; in fact, JAMF is one of the rare vendors that can deliver same-day [zero-day] support for new Apple OS releases [most vendors need several weeks, if not months, before they are fully compatible with a new OS release]. So, it’s very unlikely that users’ Apple devices will be left misconfigured or unpatched, and hence at least one path is made extra difficult for attackers.
- Secondly, JAMF has good malware detection capabilities by virtue of knowing Apple devices better than any other vendor – thus it will detect suspicious activity very quickly if malware attempts to make changes on the device in order to escalate privileges or connect out to another machine where it can do more damage.
- Thirdly, JAMF is an API-rich vendor with hundreds of third-party integrations, and within that they have very good integrations with identity providers such as OKTA.
- Fourthly, they have a ZT capability following their BoB [best-of-breed] acquisition of Wandera in 2021 which appears to have been effectively integrated with JAMF’s pre-existing skill in understanding device status.
- Fifthly, managing a fleet of Apple devices [even a mix of BYOD [Bring Your Own Device] and COPE [Corporate-Owned, Personally Enabled] devices] is a breeze for IT admin teams when using JAMF. So, the reduced complexity and increased inventory visibility empower a more effective security posture.
JAMF will benefit tremendously from the tailwind that is Apple increasingly penetrating the business world – in 2019 macOS enterprise penetration was 17%, and just two years later has reached 23%+.
In terms of JAMF’s valuation, we see a great alpha opportunity arising from the market’s misunderstanding of Apple’s move to introduce its own MDM solution. We’ve long had an intrinsic valuation range of $60-$70, and when it reached $48/share we thought it was on the way to our target. Then Apple unveiled Business Essentials, which is a basic MDM service, and JAMF plummeted to $30/share, driven by an incorrect reading by the market, in our opinion. JAMF is one of our highest conviction holdings and is relatively mispriced, especially compared to other BoB software vendors. We recommend investors look into JAMF.
Figure 15 – JAMF Falls on Apple Misunderstanding
ForgeRock (FORG): We’ve not done any deep-dive research into FORG but very preliminary findings indicate it looks very attractive based on our EV/TTM-GP/ NTM-Growth calculation of $1,250m / c. $129m / c. 30% = 0.32.
FORG appears to be leading the market in regards to passwordless authentication and MFA [Multi-Factor Authentication] but what is most impressive and differentiated in the marketplace is the notion that they’ve developed homegrown IAM, IGA, PAM, and CIAM [Customer IAM] with zero acquisitions [except for a minor one in 2011].
Our only concerns relate to the ease of use in deploying and managing FORG. Back in June-21, as part of an OKTA report for our ATI members, we did a fair bit of competitor analysis and found that a common gripe from IT admins using FORG was that the software was quite buggy – whereas we found using OKTA is a breeze for IT admins – and a few linked the cause back to FORG’s Sun Microsystems origins.
After Oracle acquired Sun Microsystems [announced in 2009, closed in January 2010], six former Sun employees founded ForgeRock in 2010 and built its products on Sun’s open-source identity software [OpenSSO, which ForgeRock forked as OpenAM]. Oracle phased out that open-source line in favour of its own in-house products, so its developer community dwindled. By connecting the dots, it appears that bolting OAuth and OpenID Connect support onto a codebase that grew out of that Sun-era software is the cause of the excessive bugs and the disappointing IT admin experience.
It’s also worth noting that, compared to OKTA, FORG has a much bigger sales emphasis on SIs. In isolation this is nothing for investors to worry about, but combined with the bugginess reports it indicates a good degree of technical debt preventing IT generalists from deploying it successfully. And then – whilst making this inference is debatable – having zero pricing [per user, or whatever] displayed on their website, again combined with the other evidence, signals it may not be a software-defined elite vendor.
So, by putting this altogether,
- Reports of bugginess
- The notion that over the years the software has been intertwined with both legacy code and open standard protocols, leading to a non-negligible amount of technical debt.
- The heavy reliance on SIs.
- And the absence of pricing on the website
It indicates to us that they aren’t the most modernized SaaS vendor, and whilst they have a great platform right now, how will the company evolve in years to come, especially if this is the starting point?
Cloudflare (NET): In the past two years, NET has radically transformed into a ZT-led security vendor to accompany their networking roots. So, they can now provide comprehensive security and networking. Though, we would say their real differentiation comes from the networking side.
ZTA, with its back and forth between PEP and PA/PE, and the need for continual verification, does add some latency. So, enterprises deciding to go with NET to use its global private network – greatly limiting the use of the less secure and higher latency public internet – will be able to deploy a ZTA with NET without worrying about user experience and productivity.
With respect to the valuation, having NET fall c. 50% from its all-time high makes it look attractive in some ways but the multiples are still sky high. Though, the relative discrepancy may take many years to close, because at the end of the day it is an amazing company and its disruptiveness is now well-known across investor communities, retail and institutional alike. With that in mind, we’re considering scaling in a small position in the near-term.
FTNT: We’ve touched on FTNT’s security prowess but they also have a market-leading and home-grown SD-WAN [Software-Defined Wide Area Network] technology that is becoming increasingly attractive to service providers as they prep for the 5G-induced connectivity evolution. 5G is bringing in way more cell towers and hence way more complexity and SD-WAN is a remedy to ease the management burden and maximize user experience. They’ve also built out their own global network which adds more speed. So, by going with FTNT, not only are enterprises getting elite ZTA and the best TCO, they are also getting the best SD-WAN solution powered by their superior computing and specialized global network.
Netskope: Just a quick note on Netskope in regards to their networking capabilities. Back in 2018, they brought on board one of the best network architects around, Joe DePalo, former AWS chief architect. Since then, Netskope has launched NewEdge, a global network of PoPs [Points of Presence] with blazing speed. The SLA [Service Level Agreement] promises nine nines [99.9999999%] of availability, with 15ms latency and more than 100 Tb/s of total capacity – not far off FSLY, which reached that capacity in July 2020. In comparison, the average SaaS vendor delivers about 99.99% availability and the SASE sweetheart ZS delivers 99.999%. Given Netskope’s differentiated data-centric philosophy and modern architecture they are a great ZTA candidate and we look forward to their eventual IPO.
S, CRWD, MNDT, PANW: All four of these vendors have very good MDR [Managed Detection & Response] capabilities. Given the ever-evolving nature of the threat landscape, it makes sense to accompany the best software with the best human expert teams, even with a best-in-class ZTA software solution. PANW potentially has the edge because its native network visibility lets it see the fuller picture with perhaps more clarity.
As a value type play, we like MNDT. Since splitting from FireEye in 2021, MNDT has been growing revenues c. 20% YoY and improving its margin profile. The company is an expert in threat hunting and remediation and the vendor uncovered the highly advanced 2020 SolarWinds supply chain breach, among various others. Now it has split from FireEye, it is completely product-agnostic, meaning they can work with any software vendor. At an EV/TTM GP/Growth of 0.28 with the importance of MDR amid the current and future landscape, we think it’s worth a portfolio allocation.
Zero Trust is still in the infancy stages and is really the only philosophy and architecture to make sure enterprises are secure. Vendors that can provide 1) great security, 2) product breadth, 3) high levels of software autonomy, 4) the ability to let SecOps automate things, 5) easy-to-use management console, and 6) a holistic approach, whilst also not degrading user experience, will likely be winners during the next several years. If we had to pick just one stock, then we would go with PANW – mainly because of their breadth and BoB solutions and the fact that the stock is really mispriced, in our opinion. However, all of the stocks mentioned are worth conducting further due diligence on.