All SaaS, No Cyber Hype?

Explaining the Valuation Gap in Public Markets Cyber

As early-stage Cyber investors, we are often asked by founders and stakeholders about our view on trends in the space, like recent innovation, potential headwinds, and exit opportunities. With respect to the latter, one trend that we believe is under-appreciated by many is the public market activity in the space, and what it means for early-stage founders and investors.

More specifically, the idea that public cybersecurity companies, despite being some of the fastest-growing names in technology, seem to have faced (in recent history at least) a significant valuation gap between themselves and other SaaS companies. This phenomenon has significant ramifications for even early-stage cybersecurity founders, especially given the impact this has on public market exits, later-stage valuations, and the longer-term prospects of the space. Yet, we believe there has been relatively limited analysis published to understand its scale- and why it exists.

In this article, we will discuss our research to understand the comparative performance of Cyber after their IPO, with an eye towards exploring gaps in valuation, and analysing whether those gaps are justifiable through the lens of growth or profitability.

Our take: Cyber’s valuation gap demonstrably exists, despite a strong similarity to SaaS in relevant metrics- highlighting both the market dynamic and relative perception of Cyber- and potentially demonstrating overlooked opportunities in the sector. On the other hand, it may well be that the hype around many SaaS companies have yet to permeate Cyber specifically, which may well mean public Cyber companies will fare better in the stormy seas ahead.

Our Findings

We began by analysing ~40 technology companies in cybersecurity, SaaS, and Big Tech, ranging from the fastest-growing public companies to the largest and most established incumbent players in their space. (See Postscript)

What we ultimately discovered was somewhat surprising. While recent macroeconomic headwinds have not spared Cyber, on the face of it, our set of Cyber companies seemed to be performing substantially better than other SaaS companies. Last year (as of November), the median YTD performance of our set was -34.5%, compared to -33.1% for the 11 largest technology companies, and a whopping -52.9% in our comparative cohort of fast-growing SaaS companies.

Cyber stocks have performed much better than many SaaS names, with relatively similar sales growth. A cohort of Big Tech companies listed on the right for comparison.

Median sales growth in our 3 cohorts was also the highest in our list of Cyber names, with YoY sales in the most recent quarter at 31.9%. This was significantly higher than the largest technology names (at 14.8%) and comparable to our SaaS cohort (at 30.0%).

However, despite the fact that Cyber had fallen less than other SaaS names, this seemed not to be a result of lower growth over this time period, but instead to a fall in trading multiples. Valuation multiples for our Cyber cohort seemed relatively low: the median enterprise value was trading at just 6.0x annual sales. While this was roughly equivalent to that of the largest technology companies, it was substantially lower than our SaaS cohort, where the median company traded at a hefty 9.4x enterprise value to sales. So, despite the fact that SaaS and Cyber companies were both growing rapidly (Cyber slightly edging out SaaS), Cyber companies faced a significant valuation discount for similar growth. In other words, the recent outperformance in fast-growing Cyber companies was only so because they were already trading at lower multiples. SaaS companies fell more because their stratospheric multiples had merely come closer to earth.

Simply less to fall: Cyber multiples have been discounted less heavily compared to SaaS, but only because SaaS multiples were already stratospheric.

A Search for Answers

Given comparable sales growth across our cohorts, we also looked to control for profitability as a potential cause for the valuation difference. This was somewhat difficult, primarily because ~half of the SaaS and Cyber cohorts were not profitable on even an EBITDA basis. For the remaining companies however, the valuation multiple between Cyber and SaaS shrunk to nearly nothing- with a median enterprise value to EBITDA multiple of 50.9x for Cyber vs 51.4x for SaaS. For comparison, the median multiple for our big tech cohort was a relatively low 15.8x, so on a profitability basis, both Cyber and SaaS companies seem to be treated similarly by the market. Yet, at this point we would only be comparing a handful of SaaS and Cyber companies with each other, and the range of multiples in this smaller set varied widely, limiting the usefulness of this result. Further, it does not explain why the gap between the rest of the SaaS and Cyber companies continues to persist. Thus overall, the valuation gap in Cyber does not seem to be well-explained purely by financial metrics. After all, Cyber and SaaS are both growing their sales very quickly, but Cyber converges in value only when it achieves profitability.

I suspect there may be other, structural reasons as to why public market investors have not yet warmed up to Cyber in the same way they have to SaaS despite the many similarities.

One potential reason to consider is scale: note that the average market cap of the Cyber company in our cohort was a relatively small $13.1Bn, compared to the average $47.4Bn market cap of the SaaS set. No Cyber company in our cohort had a market cap of larger than $50Bn, but more than ~40% of the SaaS cohort did. Public market investors may be wary about the smaller size and absolute profitability of Cyber relative to SaaS, given that there have not been as many large-scale Cyber companies as SaaS ones. We’ve noticed that scalability and a cap to growth appear to be common concerns for some Cyber investors. Yet, just as not all SaaS companies are going to be decacorn behemoths, not all Cyber businesses will be relatively meagre unicorns- it seems unfair to judge the sector (and its companies) so early.

The final reason might simply be that the market has had longer to get comfortable with and understand the SaaS business model and growth profile — but maybe also to get slightly carried away with the opportunity. Infinitely scalable software is an incredible growth hack, and it’s been a core theme that has pushed the ecosystem forward for the last two decades. Yet, the recent market correction may reflect a dampening of that enthusiastic hype. Cyber is always going to be a bit more of a specialist domain, which is going to be a barrier to hype and a moderating force on valuation. Yet, this may also explain the better performance of Cyber recently; less hype brings less volatility on the way up and the way down.

For the record: at Osney, we don’t share many of those concerns. In fact, we believe our findings underscore the opportunity at the end of this bull run in SaaS. Cyber founders need to keep building and communicating their ideas well- investors will come around when they develop familiarity and skill in this space.

Unlike domains in SaaS, a single Cyber firm monopolising the market is unlikely, but this is going to be an advantage: for innovation, competition, and a superior product or service. Furthermore, even subdomains in Cyber are rapidly growing to be multi-billion dollar markets in their own right. A recent McKinsey report argues that global Cyber may be worth a staggering $1.5–2 trillion in the near future. The need for Cyber will only continue to grow. As the space matures, the players, who we believe in, will have to refute these present and future doubts with their own resounding successes.

Conclusions

Right now, I’m not sure if there are good, definitive answers for why the valuation gap persists between large Cyber and SaaS companies today. As I discussed, there are issues like comparative profitability overall and long-term worries about scale. Still, the most intuitive explanation for me seems to be the lack of familiarity and relative novelty of many of these companies — it’s just a bit harder for investors (and many CTOs!) to understand Cyber in the same way they understand SaaS. The lack of consolidation in Cyber and the speed of new innovation requires high velocity work from everyone involved — founders, investors, and stakeholders.

What is undeniable is that the gap exists (for now). As our work demonstrates, the fundamentals of many Cyber companies are comparatively sound, and undervalued next to their peers in many SaaS domains. But every challenge represents opportunity. Viewed another way, the time it’ll take for public investors to appreciate Cyber is a compelling opportunity for early-stage founders and investors to start now — and take advantage.

Osney Capital

Osney Capital is a sector specialist venture capital firm, focussed exclusively on the early-stage Cyber sector in the UK. Everything that we do is geared around supporting UK Cyber founders and companies that we invest in, during the very early stages of their growth. Reach out to us at www.osneycapital.com.

Postscript:

We split into three cohorts: our list of 15 notable Cyber companies, a comparative set of 12 fast-growing SaaS companies, and a final set of the 11 largest technology companies. The average market capitalization of our Cyber cohort was $13.1Bn, so we are benchmarking mature and sizable companies (although they are quite minor compared to the largest technology names, who have an average market cap of $664Bn, or ~51x greater). These names were all public companies listed in the US and the UK, with easily available and audited quarterly financials. This helped us make comparisons of each of these sets over the same period (in our case, over the last year), allowing us to highlight underperformance and outperformance in these sectors relative to the wider market and each other. Data is accurate as of November 2022.

All SaaS, No Cyber Hype? was originally published in Osney Capital on Medium, where people are continuing the conversation by highlighting and responding to this story.