Fortinet Stock Analysis & Deep Dive
How you can profit from cyber crime (without being a criminal)
Intro
Since I already own shares of Palo Alto, Crowdstrike, Qualys and Sentinel One I was screening the market for more interesting cyber security companies. These companies profit strongly from the underlying industry trends and I believe cyber security will turn into an insurance like business for many companies: You can’t just live without it. So lets dig into a company which for me as an industry outsider was a tough nut to crack.
The Company
Fortinet employs as of September 2023 13.600 employees of which 30% are based in the US and is headquartered in Sunnyvale, California.
Fortinet describes itself as a global leader in cyber security and networking solutions with customers ranging from small and medium sized businesses all the way to governments. In contrast to many other providers in this space, Fortinet offers both hardware and software. To quote the annual report: “Our product offerings consist of our Core Platform network security products and our Enhanced Platform Technology (previously referred to as Platform Extension) products, which are offered in a broad range of form factors spanning physical appliances, virtual appliances, software and cloudhosted services. This enables us to protect customers across all edges and deployment scenarios including users, devices, networks, cloud and virtual data center. Our cloud- and hosted- products and services include sandboxing, EDR, email security, web application and API security, cloud networking security and cloud-native protection as well as Fortinet Security Fabric management and analytics. The Fortinet operating system has an open architecture designed to integrate Fortinet solutions with third-party solutions in a single ecosystem, enabling automated detection and response across the attack surface.”
Fortinet itself sells rarely to the end customer but focuses instead on sales to networking security distributors and to managed security service provider (MSSP). The manufacturing of the hardware is outsourced to multiple companies and is mostly being done in Taiwan. To support the global channel and end-customer base, Fortinet has sales professionals in more than 90 countries.
Writing a deep dive takes me 40+ hours to get a proper understanding of the company and the attributes of the industry it is working in. You will support me a great deal if you a) subscribe to this substack and b) recommend this blog to your friends and family. To all existing subscribers: Thank you for your support! :)
The business is geographically well diversified with the Americas contributing 41% of overall revenue, followed by EMEA with 38% and APAC with 21%.
The majority of Fortinet’s billings originate from secure networking, while universal SASE (more on that later) is growing strongly.
The Industry
Cyber security is constantly named in the media as one of the biggest threats to (Western-) civilization. This in turn is great for a company that focuses on exactly that field. As the old saying goes: A rising tide lifts all boats. Choosing a company in a growing industry and then choosing a company that is gaining market share, we make life a lot easier.
If these forecasts are only remotely true, you can expect very elevated costs of cyber crime in the next years. Fortinet and the other cyber security companies will profit handsomely from this trend.
Gartner expects the secure networking market to grow with a CAGR of 9% until 2027 and the security operations market to grow with a CAGR of 14% until 2027.
Some words on the industry in general and how Fortinet is positioned among its competitors. In “classic” network firewalls, Fortinet and Palo Alto are leading the way
Fortinet is leading in the most recent Magic Quadrant for SD-WAN (software-defined wide area network). Wikipedia defines SD-WAN as “a wide area network that uses software-defined networking technology, such as communicating over the Internet using overlay tunnels which are encrypted when destined for internal organization locations”.
With the increase of remote work, SD-WAN became very popular to connect remote workers especially since 2020. SD-WAN is replacing traditional WAN and is expected to grow with a CAGR of 15% for the next years.
Over time SD-WAN is expected to converge with SASE (secure access service edge). SASE delivers WAN and security controls directly at the source of the connection (the user or an IoT device) rather than at the data center. The security is based on the digital identity and with the benefit of verifying it at the source of the connection, rather than the data center, the latency is reduced. To put it in simple terms: The user/computer is being verified at its own location, rather than sending all the data to a central hub, which increases speed. SASE therefore combines SD-WAN with network security.
In terms of SASE, Palo Alto is leading by far in the latest Gartner Magic Quadrant, while Fortinet still has to catch up.
Fortinet shared some further insights in the Q1/23 call: “Fortinet is leading the trend of network and security convergence and cybersecurity consolidation. Gartner expects that by the year 2030, the secure networking market will be larger than traditional networking. Traditional networking lacks awareness and control of content, applications, users, device and location and is still using the same network protocol that was developed 50 years ago.” As well as “Looking to Gartner here again, they note 75% of organizations are pursuing a cybersecurity vendor consolidation strategy in 2022, up from 29% in 2020. Our integrated FortiOS platform allows customers to converge networking functionality with security capabilities while consolidating cybersecurity products and functionality with FortiASIC significant computing power advantage, FortiOS can consolidate more security functions and solutions while maintaining our performance and cost advantage.”
The Business
Part of the hardware are Fortinet’s own processor chips. Fortinet also developed its own Operating system called FortiOS. In its 10K report, Fortinet clusters its business in these focus areas (everything in italics is taken from the 10k), since Fortinet describes its own business best.
Secure Networking
“Our Secure Networking solutions enable the convergence of networking and security across all edges to provide next generation firewall (“NGFW”), software-defined wide area network (“SD-WAN”), LAN Edge (Wi-Fi and switch) and secure access service edge (“SASE”).” Part of this offering is not just hardware bust also software: “A specially designed operating system and security processors work in concert to improve network performance and security posture while decreasing footprint and power consumption.”
Zero Trust Access
“Our Zero Trust Access solutions enable customers to know and control who and what is on their network, in addition to providing security for WFA”
Cloud Security
“We help customers connect securely to and across their individual, hybrid cloud, multi-cloud and virtualized data center environments by offering security through our virtual firewall and other software products and through integrated cloud-native capabilities with major cloud platforms”. Fortinet cloud security offerings are available for deployment in major public and private cloud environments, including Amazon Web Services, Google Cloud, IBM Cloud, Microsoft Azure, Oracle Cloud and VMWare Cloud.
AI-Driven Security Operations
FortiGuard and other security subscription services, endpoint security with endpoint detection and response
FortiGuard Security Services
“FortiGuard security services counter threats in real time with AI-powered, coordinated protection”
Support and Professional Services
“…a per-device support service, which provides customers access to experts to ensure efficient and effective operations and maintenance of their Fortinet capabilities. Global technical support is offered 24x7 with flexible add-ons, including enhanced service level agreements (“SLAs”) and premium hardware replacement through in-country depots.”
Fortinet’s products include among others the FortiAnalyzer for centralized network logging, FortiClient for endpoint protection, FortiGate VM to protect the network between different clouds and in hybrid clouds, FortiMail for secure email gateway solutions, FortiSandbox for proactive detection and mitigation of suspicious code, and FortiToken for two-factor authentication.
Fortinet does not only sell software and hardware but also services to their customers. The FortiGuard Security Subscription Services deliver threat detection and prevention capabilities to the customer. The Fortinet research team detects potential harm and helps the customer to implement security solutions. FortiGuard is sold as a subscription. Further professional services are offered to customers by technical account managers and resident engineers, who act as a single point of contact for the customer and know the customers’ business in detail.
As you can see, Fortinet is delivering a lot of different products, all centered around secure networking.
Fortinet shares some insights into the insane amount of data that is being collected and processed to achieve maximum security: “Today, our platform ingests and analyzes, on average, more than 100 billion events every day to deliver over 1 billion security updates daily across the Fortinet security fabric and ecosystem”
Writing a deep dive takes me 40+ hours to get a proper understanding of the company and the attributes of the industry it is working in. You will support me a great deal if you a) subscribe to this substack and b) recommend this blog to your friends and family. To all existing subscribers: Thank you for your support! :)
The Management
The founder of Fortinet, Ken Xie has been involved in the cyber security space for decades. As a co founder of NetScreen Technologies he made a fortune, selling the company to Juniper Networks for $4bn. He left Juniper Networks in 2000 to start his new company Fortinet with his brother Michael Xie (the CTO). Together they own ~16% of all outstanding shares. The CFO Keith Jensen joined Fortinet in 2014 and was named CFO in May 2018.
I like to see this continuity and at the same time it seems that the managers have the long term view. I like the aggressive share repurchase program, the low debt of the company and the fact, that the company is spending significant CapEx on real estate in order to have lower running costs in the future. As stated in the Q3/23 call:“Capital expenditures were $70 million, including $50 million of real estate investments. “…” owning critical real estate assets tends to have a better payback than leasing them over an extended period of time”
Risks
If Fortinet would fail to detect a major security breach, this could lead to negative press about the company itself. Likewise new technology trends could affects Fortinet’s current standing as one of the leaders in the market.
With an 88% share of hardware manufactured in Taiwan, Fortinet would suffer (as well as most other high-tech companies) from a potential China-Taiwan escalation.
The Fundamentals
First I want to mention, that Fortinet has been profitable every single year since the IPO in 2009. A lot of up and coming software companies can’t state the same. Taking the long-term view shows the outstanding development of Fortinet as a company. Revenue, operating income and also net income all have grown strongly, while the margins increased. At the same time, the share count has been going down due to opportunistic share buybacks.
By looking at the billings (amounts that have been invoiced but that have not yet been recognized as revenue), it becomes visible how fast Fortinet is growing. These billings include multi-year contracts and the revenue growth is lagging behind, but will eventually follow. The increase in deferred revenue confirms this. Most of the deferred revenues come from the unrecognized service revenue from the FortiGuard security subscription and the FortiCare technical support.
Fortinet’s revenue is categorized in Product (physical and virtual machine appliances) and Service (primarily from FortiGuard security subscription services and FortiCare technical support services). The cost of revenue for the Service category is significantly lower and therefore the service category has way higher margins (85%) compared to the product category (62% gross margin).
The slowdown in billings since Q1/23 has been addressed in the Q2/23 call and Fortinet expects the billings to pick up again: “But on the industry, we do see some company, especially large companies, a little bit more tight on the budget, and also kind of take a little bit long time to closing. It's not just that this quarter, basically pretty much starting early this year, there is some sign of that one. How long will last? It's tough to say, but it's -- nearly the security is basically an underspend, then they probably will be starting to go back up after probably a few quarters.”
Another factor were supply shortages for hardware, which led many customers to place larger orders in 2021 and 2022 compared to a stable supply chain situation. This inflated the billings in these two years and led to a slowdown in 2023. To quote the management: “Billings growth of 18% leads to more normalized product revenue growth of 18%. We believe our billing performance reflects large enterprise concerns with the macro environment, in addition to some inventory digestion after 2 years of elevated 30-plus percent product billing growth during the supply chain shortage.”
When you hear the management of a company talking like this, you expect that the results must have been awful. “With execution and continued investment in the SASE and SecOps markets, we believe we can return to delivering mid-to-high teens top level growth -- top line growth and while continuing to deliver operating margins of 25% or greater. In other words, a return to balance growth and profitability”. The truth is, Fortinet has been consistently profitable.
The management sees higher growth starting in the second half of 2024. “we anticipate growth returning to double digits by the second half of 2024. We remain committed to generating healthy operating margin of 25% or greater in 2024 and 2025.”
Valuation
Fortinet is not cheap in the traditional sense. Considering further expected growth on the top line and increasing margins, this relatively expensive looking stock (based on EV/net income) can be quite attractive. Looking back in a couple of years, I believe we would be happy to get the company at this price again.
Summary
So what I do make of Fortinet? A company which is currently facing some minor growing pains. While the market was pushing the shares until late 2022 and expected eternal growth, the tougher comps to the strong years led to a slowdown in growth, which is fully normal. We are still looking at a very healthy, growing company.
Just look at this chart: Service revenue with its higher margins has been growing a lot faster than product revenue. In the last ten years, both have been growing every single year (!).
If we get lucky, we might see the 50$ stock price again.
Writing a deep dive takes me 40+ hours to get a proper understanding of the company and the attributes of the industry it is working in. You will support me a great deal if you a) subscribe to this substack and b) recommend this blog to your friends and family. To all existing subscribers: Thank you for your support! :)
Please subscribe to my substack and follow me on twitter if you like my work: https://twitter.com/41investments
If you like this post, check out my previous deep dives on
Adobe: https://41investments.substack.com/p/adobe-fundamental-deep-dive
American Express: https://41investments.substack.com/p/american-express-deep-dive
Evolution: https://41investments.substack.com/p/evolution-ab-deep-dive
Expedia: https://41investments.substack.com/p/expedia-deep-dive
Fortinet: https://41investments.substack.com/p/fortinet-stock-analysis-and-deep
InMode: https://41investments.substack.com/p/inmode-deep-dive
Markel: https://41investments.substack.com/p/markel-deep-dive
MercadoLibre: https://41investments.substack.com/p/mercadolibre-deep-dive
Texas Pacific Land: https://41investments.substack.com/p/texas-pacific-land-deep-dive
British American Tobacco: https://41investments.substack.com/p/british-american-tobacco
Amadeus FiRe: https://41investments.substack.com/p/amadeus-fire-deep-dive
Datagroup: https://41investments.substack.com/p/datagroup-deep-dive
Invest at your own risk, this is not financial advice! This is not a recommendation to buy or sell any securities discussed in the article.
41