CrowdStrike and Palo Alto Networks Are Underappreciated AI Cybersecurity Bets
The Takeaway
- Cybersecurity spending to increase significantly due to AI model risks.
- CrowdStrike and Palo Alto Networks valuations remain underappreciated.
- Established firms hold advantage with installed sensors and proprietary data.
If there was ever a time to be buying cybersecurity stocks such as CrowdStrike and Palo Alto Networks, this would be it.
A spate of hacks has hit high-flying startups this month, including data-labeling firm Mercor and software development company Vercel. Also this month, Anthropic announced it had developed an AI model, Mythos, that it deemed “too powerful” for a full public release. Mythos identified thousands of previously unknown cybersecurity risks across widely used operating systems and browsers.
CrowdStrike and Palo Alto Networks, along with another cybersecurity firm, ZScaler, are among the 50 or so companies that got early access to Mythos so they can beef up their own cyberdefenses. For the security firms, that positions them to benefit from any surge in demand arising out of a wider release of Mythos, sparked either by attacks or worries about attacks.
CrowdStrike’s and Palo Alto Networks’ stocks have each risen 20% or so in the past month, beating the 10% appreciation in BlackRock’s IGV index, which tracks the software sector broadly. Even after that rally, though, they’re trading at the same valuation multiples they were a year ago, when we last recommended the stocks. CrowdStrike is at nearly 19 times next year’s estimated sales and Palo Alto Networks is at 11 times.
That suggests investors are still underappreciating cybersecurity firms’ unique promise, given their potential for outsize growth, which has become clearer in the past few weeks.
Businesses are going to increase their spending on cybersecurity “as a direct result of the risk that Mythos presents,” said Eric Heath, an equity analyst at KeyBanc Capital Markets who covers cybersecurity and has been routinely polling chief information security officers at various companies to gauge their spending appetite. “We think the security spending environment is going to be much healthier than it has been.”
That’s a change from the last two years, during which companies’ spending on cybersecurity was relatively lackluster, Heath said. Indeed, CrowdStrike’s revenue growth slowed to 21.7% in the year to January from 29.4% the year before. Palo Alto Networks—which is nearly twice CrowdStrike’s size by revenue—has grown at around 15% for the past two fiscal years, which end in July
Analysts expect Palo Alto Networks’ revenue growth to accelerate to 22.5% growth this year, partly as a result of its recent acquisitions, including AI security startup Koi, according to Koyfin. CrowdStrike’s growth rate is also expected to pick up a bit.
They’re “the blue chips in cyber. So if the security environment is healthy, it should benefit both of them,” Heath said.
CrowdStrike and Palo Alto Networks both sell a variety of different security products, including solutions for securing networks, preventing hackers from using stolen usernames and passwords and AI-powered agents ot help companies find and address cyber threats.
ZScaler, which is about two-thirds the size of CrowdStrike, is growing at a 20%-plus clip, but it trades at the lowest valuation multiple of the three, in large part because it is the least diversified and therefore the most vulnerable to competition.
And competition is a key issue for the sector. What is likely holding back investors from pushing up CrowdStrike’s and Palo Alto Networks’ valuations further is the worry that both could be undercut by AI firms developing their own cybersecurity products.
Competition With AI Model Makers
Rustam Kanga, an analyst at Citizens Bank who is bullish on the cybersecurity stocks, thinks they have advantages over the AI model makers. For one thing, they have already established widespread trust among chief information security officers.
“Anthropic has now had several public security failures,” Kanga said, citing the company’s accidental leak of its AI coding tool’s source code in March as well as recent reporting from Bloomberg stating that unauthorized groups may have accessed the Mythos model. Those incidents won’t inspire confidence among senior information security executives at companies, he said.
In their current form, Anthropic’s and OpenAI’s cybersecurity-focused models are “not comprehensive enough,” according to Kanga, because they can only help identify, not address, cyberthreats.
That probably won’t change, Kanga argues, because of the two other key advantages the established providers enjoy relative to the AI model builders: the sensor software they have already installed on corporate devices they are responsible for securing, and the troves of proprietary data they have collected using that software.
That sensor software is “relatively easy to build,” said Tomasz Tunguz, general partner at investment firm Theory Ventures. But, he continued, “it’s a total pain to replace. Imagine you have a 100,000-person organization.…All those people have to come into IT, and it has to go and delete the CrowdStrike agent and then put on the Anthropic agent. What a pain. I’m not going to go through and spend six months of my security team’s time replacing this bit of software, especially if the gain is nothing. So that’s why I think there’s some defensibility. It’s just inertia.”
Another reason it’s unlikely companies will axe their existing cybersecurity providers is that the sensor software is what enables a vendor to help its customer identify and address a threat in real time rather than reviewing data periodically in batches.
The model makers’ cybersecurity businesses already seem to be growing fast enough on the heels of their recent launches. Said Tunguz, “Why complicate things?”