Artificial intelligence now ranks at the top of life’s enduring realities. AI, we are told, is everywhere. And it is accompanied by increasingly sophisticated and hard-to-detect cyber crime. 

Ignore the comic book names that cybercriminals give themselves — Slippy Spider, Deadeye Hawk or Clop, the Russian for bedbug. Hacking, malware, ransomware and the rest is serious business. Hackers now sell AI-enabled malware as a service to customers, whether hostile states or organised crime syndicates.

Last year, McKinsey calculated that damage from cyber attacks will amount to about $10.5tn annually by 2025 — a 300 per cent increase on 2015, with organisations spending more than $150bn a year on cyber security. 

Still, one company’s threat is another’s opportunity, specifically for cyber security groups set up to defend companies from attack.

One such is Cambridge-based Darktrace, which has just celebrated its tenth birthday. The arrival of AI into the mainstream “is the moment we’ve been preparing for,” says Cathy Graham, chief financial officer.  

Darktrace’s boffins “were first to develop autonomous AI that could identify a potential attack and stop it dead in its tracks”, says an industry specialist. Others have followed, but Darktrace, which floated its shares in London in 2021 at 250p a pop, remains the UK’s only listed AI-cyber security business. And even its US-quoted rivals don’t do it quite like Darktrace, the company says.

Most competitors, explains Graham, use “supervised AI”, overseen by teams of people, to pull data together and identify threats. Darktrace’s AI is “unsupervised”, sitting inside a customer’s digital systems, watching emails, internal networks or the cloud, teaching itself what is usual or abnormal and scanning for vulnerabilities. In essence, it patrols a customer’s systems, blocking anything suspicious before the heads of IT have switched off their alarm clocks. 

The group now has close to 9,000 subscribers on multiyear contracts, spending about $70,000 a year. “That’s mainstream,” says a tech investor. Few businesses in the sector have achieved anything like that, he adds. 

The US is Darktrace’s largest market, accounting for 35 per cent of revenues, according to Goodbody analysts, against the UK’s 15 per cent. Much rides on the group penetrating further into the lucrative American market. Nonetheless, Graham is quietly confident that Darktrace will have as many as 150,000 big corporate customers and profit margins will be in the mid-20s within a few years.

Why then does Darktrace look so cheap compared with its US fellows? Its shares, trading at about 352p each, are around five times this year’s revenues. That’s small beer compared with bigger, older US rivals such as Palo Alto and CrowdStrike.

CrowdStrike, which uncovered Russian hackers inside the US Democratic National Committee servers trying to influence the US election in 2016 and this year introduced Charlotte, its AI security analyst, floated in 2019 at $34 a share. The shares now trade at about $160. Its enterprise value is 13 times sales forecast for 2024. The sector average is six and a half times expected sales. Darktrace’s EV is nearer four times expected revenues.

Despite higher revenue multiples, strategic and private equity are flocking to the sector in the US. Just last month Cisco agreed to buy Splunk, another US AI-cyber security software group, for about $28bn or seven times recurring revenues. Of the five cyber security enterprises that debuted on stock markets in 2021, ForgeRock has already been taken out by Thoma Bravo, the buyout group. 

Yet investors are skittish around Darktrace. Thoma Bravo expressed an interest last year, but only fleetingly.

It’s doubly puzzling since Darktrace, unlike many of its more jejune rivals, is expanding profitably. 

Annual recurring revenues, which are five-plus times what they were five years ago, are still growing at 25 per cent and more a year, despite general economic caution. Profit margins (adjusted earnings before interest and tax) last year touched 15 per cent. Even CrowdStrike, which many regard as the industry leader, is only just turning profitable. 

Will Wallis, analyst at broker Numis, says: “Darktrace’s growth has remained more resilient than many during the recent market slowdown” and the group “remains one of the more efficient growers in the sector”, scoring highly against peers in “the trade-off between growth and profitability”. He argues Darktrace’s discount to its listed peer group is “unwarranted”.

The big “but” is Darktrace’s long and close association with Autonomy, the IT group bought by Hewlett-Packard. Its founder Mike Lynch has since been accused of fraudulently inflating revenues. The Lynch family backed Darktrace from the beginning and still has shares. Lynch denies wrongdoing.

However, short sellers, such as Quintessential Capital Management, have seized on the link, knocking Darktrace shares from 2021 highs of close to £10, and variously questioned the group’s revenues, churn rates and accounting methods, declaring that Darktrace spends what they dub an unhealthy amount on acquiring customers at the expense of R&D.

Consultants EY, commissioned by Darktrace, this summer concluded it had identified some errors and inconsistencies in systems, processes and controls, but nothing material to worry about. 

Darktrace buffs add the group spends plenty on R&D, just not as much as other cyber security groups that must devise new weapons every time they identify a new type of attack. Darktrace’s AI, which sits at the core of all its products, constantly learns to recognise new types of threats, evolving defences as it goes along. 

However, UK investors are famously, often rightly, wary of tech start-ups and stock market newbies, with a history of exuberant accounting and inadequate systems. Revenue recognition is a frequent flashpoint between over-optimistic founders and more conservative public market investors and regulators.

Short sellers are quick to exploit the tension, concedes Graham, who has overseen several US tech IPOs and was brought in by Darktrace founders to groom the company for maturity and the public market. Short seller attacks “are almost a rite of passage in the US”, she says. 

The Autonomy link will continue to unsettle investors. However, I reckon the power of short seller attacks to hurt the company will diminish. Shares have wobbled over the past two months, dropping, rebounding and then dropping again after the company conceded that customers were being more cautious and that growth in annual recurring revenues had tailed off, and announced accounting changes that would have a one-off impact on cash and margins. Darktrace reassured the market that sales growth will return to previous levels and reaffirmed its medium-term margin target in the mid-20s.

To my mind, Darktrace may not be a dead cert but it is worth a punt, as long as it displays consistency and durability.

Copyright The Financial Times Limited 2024. All rights reserved.