As a cybersecurity specialist research house, we stick to lesser known names like FTNT and PANW. This has been fruitful as the two continue to deliver high growth whilst the low valuation continues to offer upside for investors.
As you may notice, we step away from crowded names like CRWD and ZS as we hold contrarian negative views over their long-term competitiveness.
In the field of public market analysts, this is pretty controversial as CRWD and ZS are viewed as the BoB [best-of-breed] vendors with strong moats and durable growth prospects. We believe this sharp difference in opinion comes from our in-depth research that covers the real users and the competitive landscape more holistically. As a result, we often find emergent private startups to be more promising than existing listed companies in terms of the technology roadmap and cultural aspects.
For CRWD, it is S. We have been waiting for S's IPO for a long time as our proprietary market research found that S is technically more visionary and more likely to be a holding for investors who want to invest in endpoint security for the next 3-5 years.
For ZS, the competition is even more aggressive. We believe PANW has a better and newer next-gen SWG product called Prisma SASE. PANW also has the most comprehensive and cutting edge cloud security portfolio that leads ZS by a wide margin. From many sources, PANW’s next-gen security product is as visionary as other startups.
At the same time, FTNT's FortiSASE and NET's Cloudflare One are also based on newer architectures and will soon take over ZS's market share. Adding to that is ZS's founder, who lacks many attributes we would expect from a great Silicon Valley CEO. The micromanagement, subpar culture, and chaotic management that induced more than 5 CMO turnovers within five years are worrisome signals for ZS in the long-term.
Putting this aside, we acknowledge ZS's momentum and marketing hype that the CEO is able to create to deliver stellar recent growth. Therefore, we still believe that ZS is a short-term buy but a long-term short/avoid.
For the pure cloud security and SASE theme, our highest conviction company is Netskope. The company is the typical stellar Silicon Valley startup. It has a great founder who is highly deliberative in nurturing the best possible culture, technology roadmap, and GTM. In many ways, this is the ideal form of ZS and we are way more comfortable in being long-term bullish.
As the company is still private, the objective for this article is to:
1) Help readers understand that there is a strong pure play competitor to ZS;
2) Better prepare for the future IPO [which could very possibly be in 2022] - being able to understand the company earlier is a source of alpha as is shown with the post-IPO performance of PLTR, ASAN, and S.
This Pre-IPO series brings a new perspective to public investors by covering late stage startups with deep moats and near-term IPO prospects. We hope you appreciate the value of this research.
What is Netskope?
Netskope was founded in 2012 by a group of security veterans. The vision is to build a platform for cloud security. Put simply, Netskope was building SASE before the term came out. Netskope is ZS’s newer twin that started its niche in CASB [Cloud Access Security Broker], a core cloud security technology, with a way better culture and management.
Netskope started with building a solution for companies to secure SaaS, which had just begun to see mass adoption across all tool chains in the early 2010s. The solution was later coined CASB, or Cloud Access Security Broker.
There are two types of CASB. The out-of-band CASB sits in the background and monitors user activity on SaaS platforms via APIs. This is very similar to what the EDR component does for endpoint security.
The inline CASB works like proxies - the traffic is first directed to CASB vendor’s PoPs for inspection and then sent to the SaaS platforms. As you may notice, this looks very much like proxy-based network security products like Secure Web Gateway [SWG] or VPN, except that only SaaS, or cloud, related traffic will be examined.
The most important - and the original form - of CASB is API-based out-of-band CASB as it has more granular control over the SaaS platform whereas inline CASB looks at the network traffic only.
Over time, Netskope has successfully secured its leadership position in CASB, while others opted for a quick exit via M&A. The best CASB vendor before 2016 was CloudLock. CSCO, in 2016, as it has done numerous times, spotted this nascent market and bought CloudLock. However, much like other M&As, CSCO ended up destroying another great company. With the founders leaving the firm and an ensuing reorganization of the unit, CloudLock ceased to be the CASB leader. The second best vendor, Skyhigh Networks, was acquired by another legacy cybersecurity company, MCFE. We were surprised to see MCFE is able to maintain Skyhigh Networks’ technical leadership years after the acquisition. And this is part of our original bullish thesis on MCFE when the firm returned to public markets in Oct-20, as we believed that the new private equity owner, Thoma Bravo, had successfully transformed MCFE into an up-to-date visionary vendor.
Source: 2020 Gartner CASB Magic Quadrant
As of now, we believe the CASB market has highly matured. And putting MCFE's enterprise business aside, Netskope is the best standalone CASB vendor.
At the core of CASB, there are two functions: 1) data loss protection, and 2) settings control. DLP [Data Loss Protection] is the most important function that CISOs are looking for when buying CASB solutions. Netskope leads the competition by a wide margin as it has the best DLP technology and settings control, thanks to its longstanding development and network effect. Similar to OKTA’s leadership in the identity space, Netskope tremendously benefits from being the first mover and standard setter. It also has the deepest know-how in working with DLP for SaaS in both the number of apps supported and in the amounts of data protected, making it the most mature solution out there in the market. And this has in large part been achieved via the highly agnostic and interoperable nature of their software.
As you may notice, inline CASB looks very much like SWG that ZS has long been disrupting. From the opposite end of Netskope, ZS started with Next-Gen SWG, or cloud-delivered SWG, and later in 2020 expanded into inline CASB and then out-of-band CASB in 2021.
Legacy SWG vendors like Blue Coat compete with NGFW vendors directly. Both SWG and NGFW require physical dedicated hardware to be installed on premise and managed by the client. SWG differs from NGFW in that all traffic will be examined and loaded to the proxy server before being sent to its destination. NGFW, on the other hand, has greater flexibility as it allows traffic for specific ports to pass through without a heavy duty and high latency proxy. Furthermore, SWG only supports HTTP traffic routing to ports 80 and 443. NGFW was eventually proven to be more efficient and more comprehensive, and in effect NGFWs subsumed SWG by incorporating the tech into NGFW modules, as the likes of CHKP, PANW, and FTNT did.
ZS, however, imagined a new way to deliver SWG solutions. Instead of clients paying hefty upfront capex for hardware and needing to manage the hardware by themselves, ZS uses colocation data centres to host hardware for traffic screening. The idea is to allow multiple clients to share the same hardware, in a similar vein to the multitenancy of IaaS. By sharing resources, clients can buy the security solution as a service. ZS can also offer a lower price as multitenancy enables higher capacity utilization. However, the major problem is the network performance. As the outbound traffic from a user device now needs to be routed to PoPs managed by ZS, users lose the optimal latency and network performance received from on-premise NGFWs. ZS counters this latency issue by reducing the physical proximity via building as many PoPs as possible.
Netskope approaches this another way. With the foundations of a strong out-of-band CASB product, Netskope expanded into inline CASB, and then onto NG-SWG. It has two notable differences from ZS:
1) Netskope has greater cloud-native security product expertise.
2) Netskope is able to hire the best infrastructure talent to build highly performant PoPs, which are together called the NewEdge.
The first point is easy to understand - ZS has strong know-how in cloud-delivered security, but not cloud-native security. The difference between the two is a bit confusing. Cloud-delivered means the vendor is able to leverage the multitenancy structure to deliver better products at a lower price. Cloud-native means the vendor builds security solutions for cloud infrastructure and SaaS. In our analysis, ZS’s capability to deliver cloud-native security, or security for SaaS and IaaS to be more specific, is way weaker than Netskope's, as ZIA [Zscaler Internet Access] and ZPA [Zscaler Private Access] are focused on traditional network traffic inspection and control only.
The second point is also very tricky. For industry practitioners, a decentralized, high performance and high reliability infrastructure is really hard to build. Only a very limited number of engineers have the talent to turn this into reality. Therefore, it isn’t a surprise to us that vendors who can make it have a strong moat. This includes guys like AMZN, GOOGL, NET, and FSLY. Surprisingly, in 2018, Netskope managed to hire Joe DePalo to realize this vision for a highly performant network of PoPs. He was previously the global head of internet services for AWS, responsible for the Global Network and Carrier strategy.
Why isn’t everyone taking this approach? “It’s very, very hard,” Joe DePalo, senior vice president of platform engineering and operations at Netskope, told me. “Maybe 200 people in the world can build an edge infrastructure like this. We have the expertise and the IP.” Netskope has a head start in this regard. But as networking and security become more closely intertwined, I’m betting that this will be the security architecture of the future.
With DePalo, Netskope launched its global edge infrastructure, NewEdge, within a year. According to Netskope, it is able to deliver an SLA [Service Level Agreement] with five 9s [99.999%] availability, with 15ms latency and more than 100Tb/s in total capacity - not far off FSLY which reached that capacity in July 2020.
The typical cloud service has an SLA of around 99.99% and a 50ms latency - this is the case for ZS. We are surprised that Netskope, or any vendor, is able to bring this higher performance and higher reliability within such a short period of time. ZS, in contrast, spent more than 12 years building its infrastructure but the end result is considerably lower performance. This performance disparity will widen as we delve deeper into the hyperconnected era and will eventually become more of a well-known competitive advantage for Netskope.
Furthermore, this infrastructure is based on newer microservice architecture that allows Netskope to roll out new products to the existing platforms more rapidly. This is the new standard as NET and PANW also have similar architectures. ZS on the other hand, is based on FreeBSD and the software is tightly coupled to hardware, making us believe that its infrastructure may not evolve as smoothly.
Below we show some commentary from Netskope founder Sanjay Beri and NewEdge Chief Architect Joe DePalo.
Enterprises are ill-equipped to effectively secure the cloud and web and struggle to understand performance bottlenecks and sources of latency, as they often cannot recruit and staff teams with the requisite carrier and cloud networking expertise, let alone spend the capital to build such a large performant and available cloud. Netskope NewEdge is filling this gap by interconnecting users, cloud services, commercial providers and carriers, using performance and availability-optimized routing to provide higher performance and a secure, undisrupted experience.
“Netskope NewEdge mitigates the shortcomings and limitations of using the internet to deliver inline security, providing a distributed, carrier-grade, next-generation global infrastructure based on advanced network, content and application optimization technologies and processes. This enhances the overall user experience and reduces delay and disruption while enabling customers with optimized performance and maximized security.”
“Besides FAANG [Facebook, Amazon, Apple, Netflix, and Google], the cloud guys, we’re the largest, most interconnected security infrastructure on the internet,” said Joe DePalo, senior VP of platform engineering and operations at Netskope.
Netskope marries the two, he added. In addition to “the most performant, interconnected network of any security vendor out there,” Netskope provides visibility and real-time data and threat protection across cloud services, websites, and private apps, Beri said. This visibility, which he calls Layer 8 visibility or Cloud XD, stems from the company’s cloud access security broker (CASB) roots.
Typically, adding a security product increases network complexity and latency and decreases network performance. Netskope’s distributed edge infrastructure solves this problem because it deploys compute at every service point for inline traffic processing, which means no performance trade-offs, DePalo explained. “By ensuring highly performant networking and interconnection, we offset the trade-off being made by adding a security appliance, so the customer doesn’t have to suffer,” he said. “The NewEdge topology eliminates the trade-off.”
SASE and the Platform
Powered by NewEdge, Netskope is able to build a cloud security platform that the founder envisioned back in 2012. In many ways, Netskope wants to be the Network Security Cloud, much like how OKTA wants to be the Identity Cloud. In this regard, we believe Netskope’s architecture is very cutting edge and holds heaps of promise.
Netskope's core differentiators compared to other SASE platforms are:
1) The best data-centric protection. Due to its CASB roots that centre around DLP, Netskope has the best understanding of data attributes to better protect things. As ransomware becomes the biggest concern to CISOs, the ability to protect data becomes the killer feature for Netskope’s SASE platform.
2) The best visibility from a cloud-native perspective. This is very similar to S’s XDR. By combining various sources of information together, XDR is able to have greater visibility and contextual enrichment, allowing for better threat detection and prevention. Netskope coined the term Cloud XD. Cloud XD is the XDR for cloud network security. Netskope has built up the most comprehensive threat intelligence sharing exchange with vendors like CRWD to deliver the best visibility for cloud native security. We believe this will be Netskope’s core competitive edge in SASE for years to come. This is a very promising technology that shows Netskope’s vision and we are also surprised to see that the industry was dragged to XDR for endpoint security without recognizing the potential for Cloud XD.
3) An organically developed platform. Similar to NET, Netskope’s SASE offerings are built from the ground up with a unified console and UI.
4) One of the best infrastructures. It's highly impressive that Netskope is able to develop a comprehensive and mature SASE platform in such a short period of time, which is very similar to what NET has achieved. Furthermore, unlike NET, Netskope has its roots in enterprise software, enabling it to spot the latest emerging demand from CISOs and execute GTM faster.
Netskope also has a direct comparison page with ZS (Netskope vs Zscaler). Unlike CRWD’s comparison page to S, however, we believe these points are pretty valid and less exaggerated. In essence, Netskope’s CASB heritage gives it an edge over ZS in regards to cloud visibility, API, DLP, and risk rating.
ZS’s primary advantage centres around web filtering. However, we agree with Netskope that the future of SASE lies in a better understanding of the true intents behind the network traffic. And vendors can get that better understanding by working on contextual data higher up the software/networking stack - that is, at the application layer. ZS only started building these cloud-native security capabilities in 2020, pretty much upon the start of COVID-19 when lots of clients requested these features, instead of investing in building and maturing these capabilities years before. Therefore, we view Netskope as having a substantial competitive advantage over ZS in delivering SASE over the long-term.
We believe the future demand for Netskope’s product is very strong. COVID-19 has expedited 3-5 years of digital transformation into a timeline of months. Lots of enterprises adapted to SaaS applications and to new ways of managing IT infrastructure. The subsequent demand for tools to secure these new ways of using IT services will only grow. The long term penetration of SaaS will continue, and we are in the very early innings of this trend.
According to Beri, the average company with over a thousand employees uses over 1,000 cloud apps made from hundreds of different vendors. They use over two plus public clouds. They access billions of websites. “You wouldn't want to deal with this app by app or cloud by cloud or website by website. To make it manageable, you'd want one system or layer that no matter what you do or where you go, you can protect yourself,” says Beri.
Netskope would develop a solution that didn’t involve hardware that sat in corporate campuses and branches, and instead build a security system built in the cloud that had data protection at its core. “It would protect your data. It would find your data; it would stop people from stealing. It would stop people from putting your data at risk,” says Beri. “I kind of want to know, for example, did that guy go to salesforce.com and dump the entire contact list two weeks before he left the company, upload it to his personal Dropbox and then share it with a competitor.” And with Netskope, you can, according to Beri.
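The chain Beri describes (a bulk CRM export, then an upload to a personal storage account, then an external share) is the kind of sequence an API-based, out-of-band CASB can correlate from SaaS audit events. The Python below is an added example, not Netskope's code or detection logic; the event schema, app names, thresholds, corporate domain and sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, NamedTuple, Optional

# Hypothetical policy values (assumptions, not taken from any product).
CORP_DOMAIN = "corp.example"      # recipients outside this domain are external
BULK_EXPORT_MIN = 1000            # records in one export that count as "bulk"
WINDOW = timedelta(hours=24)      # max gap between consecutive steps of a chain


@dataclass(frozen=True)
class Event:
    """One normalized SaaS audit event as an out-of-band CASB might ingest it."""
    ts: datetime
    user: str
    app: str            # e.g. "crm", "filestore" (hypothetical app labels)
    instance: str       # "corporate" or "personal" tenant of that app
    action: str         # "export", "upload" or "share"
    records: int = 0    # rows or objects touched
    recipient: str = "" # share target; empty means a public link


class Finding(NamedTuple):
    user: str
    severity: str       # "high" = export + personal upload + external share
    export: Event
    upload: Event
    share: Optional[Event]


def is_external(recipient: str) -> bool:
    # An empty recipient (public link) is treated as external.
    return not recipient.lower().endswith("@" + CORP_DOMAIN)


def find_exfil_chains(events: Iterable[Event]) -> List[Finding]:
    """Correlate bulk export -> personal-instance upload -> external share per user."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, evs in sorted(by_user.items()):
        for i, exp in enumerate(evs):
            if not (exp.action == "export" and exp.instance == "corporate"
                    and exp.records >= BULK_EXPORT_MIN):
                continue
            # First upload to a personal tenant after the export, inside the window.
            upload = next((e for e in evs[i + 1:]
                           if e.action == "upload" and e.instance == "personal"
                           and e.ts - exp.ts <= WINDOW), None)
            if upload is None:
                continue
            # External share from the same personal app after the upload.
            share = next((e for e in evs
                          if e.action == "share" and e.app == upload.app
                          and e.instance == "personal" and is_external(e.recipient)
                          and timedelta(0) <= e.ts - upload.ts <= WINDOW), None)
            findings.append(Finding(user, "high" if share else "medium",
                                    exp, upload, share))
    return findings


def _t(hour: int, minute: int) -> datetime:
    return datetime(2021, 6, 1, hour, minute)


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    Event(_t(9, 0), "alice", "crm", "corporate", "export", records=25000),
    Event(_t(9, 20), "alice", "filestore", "personal", "upload", records=1),
    Event(_t(10, 0), "alice", "filestore", "personal", "share",
          recipient="buyer@rival.example"),
    Event(_t(11, 0), "bob", "crm", "corporate", "export", records=50),
    Event(_t(11, 5), "bob", "filestore", "personal", "upload", records=1),
    Event(_t(12, 0), "carol", "crm", "corporate", "export", records=5000),
    Event(_t(12, 10), "carol", "filestore", "corporate", "upload", records=1),
    Event(_t(13, 0), "dave", "crm", "corporate", "export", records=3000),
    Event(_t(16, 0), "dave", "filestore", "personal", "upload", records=1),
    Event(_t(16, 30), "dave", "filestore", "personal", "share",
          recipient="dave.home@corp.example"),
]

if __name__ == "__main__":
    for f in find_exfil_chains(SAMPLE_EVENTS):
        print(f.user, f.severity, f.export.records, "records ->", f.upload.app)
```

Distinguishing the corporate tenant of an app from a personal one is what separates carol's sanctioned upload from alice's; that distinction is carried here in the constructed `instance` field.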
Founder - Sanjay Beri
Netskope was founded in 2012 by a team of security veterans. The co-founder and CEO, Sanjay Beri, has a valuable blend of corporate and entrepreneurial experience, having worked in engineering and/or managerial roles at MSFT, MCFE, and JNPR, and also founding Ingrian Networks [subsequently sold to Safenet in 2008] and then Netskope.
Such a blend of experience is common for a visionary tech founder - someone who always wanted to create their own venture and spends a long time beforehand in successful organizations to accumulate management and technology experience. As a side note, JNPR is a typical legacy company that fails to keep great talent in-house - FTNT, PANW, Netskope, Pulse, and other founders all once worked at JNPR.
Beri started Netskope as the entrepreneur-in-residence [EIR] at Greylock, who seeded the startup, helped hire great engineers, and offered the office space in the early days. We view Beri as one of the strongest founders in the cybersecurity space with a good mix of business acumen, technology understanding, and long-term thinking.
A Laser Focus on Culture
The foundation of Netskope's differentiation is its culture. This factor is also the main component underscoring our long-term conviction of “long Netskope and short/avoid ZS” as the security landscape evolves. Beri has a singular focus on making the culture great. From numerous interviews, Beri always started with talking about culture first, and then the technology and business aspects.
“Our tremendous growth is a direct reflection of hiring world-class individuals who are not only great at what they do but also enhance our corporate culture, which is extremely important to me. I empower my team to think creatively and strategically, without micromanaging them. I like to let my employees do what I know they can do, and be their own entrepreneurs.
“By providing my team with the freedom and support to unlock their true potential, innovative thinking has become a cornerstone of our business and is illustrated in each department.”
Beri understands that to make the company sustain growth over the long term, domain specific capability isn’t the most important thing. This is a very rare and contrarian insight, showing Beri’s deep managerial capability and unique approach in building a long-term software business.
“While some startups will go out of their way to hire those with a 10 out of 10 in domain expertise, but a 7 out of 10 in culture, Netskope looks to do the opposite. While domain expertise and experience is vitally important, culture outweighs both. Without a healthy culture, we would not have the company we have.”
He also noticed that openness requires actions, including working with multiple departments and learning about their challenges.
“Culture is very important at Netskope and something I think about often. While there are a lot of leaders who operate from an ivory tower, it is important to realize that people do not want to go to war with those leaders. As a CEO, if you can facilitate an environment of openness, transparency, and collaboration, your business is far more likely to succeed. Personally, I like to sit with a different department every day to ensure all employees feel valued and heard. It also provides an opportunity to learn about the challenges that different departments face so we can work together to find the best possible solutions.”
On staying ahead of the game, he stresses the importance of communication with CISOs and sticking with the long-term trend of cloud security. And by channeling Netskope to be the best at data protection and delivering the best possible user experience, they are the optimal vendor for enterprises shifting to as-a-Service frameworks whereby they don't own the infrastructure anymore.
“First, we spend a lot of time sitting with CISOs to fully understand the challenges they are facing, and where they would like to evolve as an organization.
“Organizations are at a point where 90% of devices are mobile and off the network more than 50% of the time, which is not protected by legacy on-prem security. Large companies now have over 1000+ SaaS apps that on-prem security does not protect. Because of these gaps, Netskope is evolving security by moving the legacy perimeter security controls to the cloud so that it follows the users, data, and devices wherever they go while providing real-time protection.
“As we moved the controls to the cloud we decided to heavily focus on being the best at data protection, making the user experience better/faster. By getting these things right and building the Netskope platform to be not only open but also scalable, we have the ability to integrate fully into where security programs are going, driving constant innovation to our platform on a monthly basis to stay ahead of the challenges our clients face.”
Finally, Beri’s focus on culture has already proved to be highly fruitful. It allows Netskope to hire a number of talented executives in a short period of time. Veterans like DePalo joined Netskope not because of salaries but because of the culture and the opportunity to build new things freely. Beri focuses on the culture that empowers people to build new things with impact, thus resulting in rapid growth. He also understands that if a security vendor doesn't innovate then its demise will ensue rather quickly. And the reason why Netskope hasn't opted for a quick IPO is that it wants to spend more time on R&D to continue the innovation. Ironically, these are all in sharp contrast to ZS, which focuses on cost control and micromanagement with a highly questionable culture.
Being able to attract veterans like Del Matto, Wu and DePalo shows the lure of innovation and a fast-growing company, Beri said.
"I am a believer that the right people come for a few reasons," he said. "Do they come because they need salaries that are reasonable and good and fair? Yes. But the best people come because they want to work in the culture and with the technology that you have built."
"We have a killer culture that empowers people and they want to be part of a rocket ship that’s growing and they want to have an impact," he said. "We don’t micromanage them."
With $340 million in new funding, Beri said he is in no hurry to take Netskope public.
"In security, you innovate or you die. You can't do that if you spend 15 percent of your capital on R&D, which is what many public security companies out there do," he said. "I’m a believer that as long as we can stay independent, we can spend the money we think we need to innovate. It’s easier to do that as a private company."
To summarize, Netskope seems like the type of ideal company we are looking for - great product, great technology roadmap, great execution, great investors, and great founders and culture. Culture has been the missing component for lots of successful companies that later turned legacy and stopped growing. It is very rare to find a company with a great culture. ABNB is a strange outlier in the hospitality space, whereby the founders are obsessed with building the best culture. Netskope’s founder is a deep thinker and an extremely long-term strategist who has been working in the industry for more than two decades. We believe his insights are super important for a successful long-term cybersecurity company that won’t repeat the legacy stories of MCFE, Symantec, CSCO and others. With Netskope, along with various visionary competitors like PANW, NET, and FTNT, stepping up to the game, we believe ZS is not an easy long-term winner in the ZTNA, SWG, cloud security, and SASE space.
Fundraising & Future IPO
Netskope has more than 1500 customers, up 80% YoY. It services a quarter of the Fortune 100, and it is achieving triple-digit revenue growth. Its latest valuation is $7.5bn, up from $3bn last year. It raised $300m in the latest funding round from multiple investors. The deal was oversubscribed and the company is stuffed with excess cash.
From a broader business perspective, Beri will be working towards his goal of building "the most impactful cybersecurity company in the world". The executive noted this is the firm's last private investment round and that an IPO is well on the horizon.
"The reality is that we could go public today, however we don't need to do that for capital reasons. Our brand awareness has been growing increasingly, but it is our path to be a public company in the future", said the entrepreneur, adding he is yet to decide whether to list on Nasdaq or NYSE: "It will be whichever has the largest implementation of Netskope".
We believe Netskope will go public sometime in the next 1-2 years as the company has gone through 11 rounds of financing, including 3+ rounds of secondary financing whereby employees sell shares to outside institutional investors. Beri has insisted that staying private for longer will continue to allow Netskope to focus on R&D and growth without short-termist profit taking. We believe this is another sign of founders looking to build a great company. However, given that the CFO and various chief executives have been appointed, Netskope seems to be ready for the IPO in regards to corporate governance. Furthermore, as the company ages, the liquidity demand from employees will inevitably grow stronger. Thus, we believe Netskope should be a sure cloud security winner with a deep moat, and it is a core name for cybersecurity investors to watch in the future.