Convequity's Bi-Annual Review (Pt.1)
We discuss where the alpha lies in the theses for Fortinet, SentinelOne, and Palo Alto Networks
Summary
The valuation overview (Mar-25) identifies high-performing stocks with low multiples using Rule of X (inc. SBC), spotlighting opportunities across sectors like Chinese equities, semiconductors, and consumer tech amid geopolitical and market influences.
It includes initial thesis recaps and updated DCF valuations for FTNT, S, and PANW, offering a preview of long-term investment perspectives.
Further detailed analysis and updated valuations will be provided in Parts 2 and 3.
Valuation Overview
The table below is designed to highlight stocks with strong financial performance yet low valuation multiples, sorted by their Rule of X (inc. SBC) as a key indicator of financial health. We’ve percentile-ranked these stocks based on their Rule of X (inc. SBC) and paired this with their valuation percentiles to identify "low-hanging fruit" — stocks with a high Rule of X but undervalued multiples. Note that stocks with a negative EV/(FCF-SBC) have been assigned a multiple of 10,000, resulting in an "NA" percentile rank for valuation.
Source: Convequity - March 2025
Several stocks stand out as attractive opportunities. Chinese stocks PDD (Pinduoduo) and LI (Li Auto), operating in e-commerce and consumer tech respectively, exhibit impressive financial performance with notably low multiples. Despite the People’s Bank of China’s stimulus efforts in late 2024, lingering pessimism and uncertainty around Chinese equities have driven steep discounts. For PDD, the company behind Temu, investor concerns about incoming Trump tariffs are likely weighing on its valuation, yet at an EV/(FCF-SBC) of just 7x, the stock appears to be a compelling bargain.
In the semiconductor space, TSM, KLAC, LRCX, RMBS, ASM, and ASML also present above-average financial performance paired with below-average valuations. This undervaluation may stem from supply chain uncertainties tied to the Trump 2.0 agenda, as well as market speculation about reduced GPU demand following DeepSeek’s innovations, which could challenge the need for expensive LLMs if cheaper alternatives gain traction. While not a semiconductor company, ANET (Arista Networks) shares similar characteristics and can be grouped with these stocks for this analysis, given its role in networking solutions for data centers.
Additionally, consumer tech stocks are trading at lower multiples than their enterprise tech counterparts while still delivering strong financial results. MELI (Mercado Libre), OSCR (Oscar Health), HIMS (Hims & Hers), UPST (Upstart), SE (Sea Limited), and GRAB (Grab Holdings) all appear attractive based on their financials and valuations. The discounts for MELI, SE, and GRAB are likely influenced by their non-US status, a factor that continues to suppress valuations. Meanwhile, OSCR and HIMS may be out of favor due to the heavily regulated industries they operate in — healthcare and telehealth, respectively — where uncertainty under the new U.S. administration adds risk to investor sentiment.
Check out the following charts if you prefer scatter plots for this type of valuation analysis. Due to the number of stocks, it's not possible to attach all the names to each dot. Therefore, click the link for a closer look - you can see the stocks by hovering the cursor over the dot. Note that the x-axis is the Rule of X (inc. SBC) for the EV/(FCF-SBC) multiple and is Rule of X for the EV/FCF multiple.
Click the following link to access the updated DCF valuations. Note that only FTNT, S, and PANW have been updated thus far. In Part 2 and Part 3 we shall have updated all the valuations.
Now we will provide a recap and update on the long-term theses for FTNT, S, and PANW.
Fortinet (FTNT)
Reaffirming Our Thesis Amid Cyclical Recovery
As we anticipated in late 2023/early 2024, FTNT has rebounded from its product revenue slowdown, which was exacerbated by supply chain distortions. The 2021/22 period saw an aggressive 40%+ growth in product revenue, driven by pent-up refresh cycles, heightened security spending, and pandemic-induced liquidity. But the revenue recognition that fueled this surge — stemming from a backlog of orders accumulated during those distorted years — created tough comparisons, leading to the slowdown we saw in 2023/24. At its lowest point, growth dipped to 7% in 1Q24, a moment when Wall Street’s short-termism, fixated solely on the next 1-2 quarters, spurred overly bearish sentiment.
We’ve been clear on this cyclical overhang for well over a year. The Historical Price Target chart below highlights how consensus targets fell below $70 in late 2023, with even the highest dropping under $80. Yet, our valuation framework has consistently pegged intrinsic value at ~$100+, with upside potential contingent on long-term execution.
Beyond SASE – Why the Market Still Undervalues FTNT’s Strategy
A major disconnect we continue to see is that investors are still viewing FTNT’s strategy through a narrow SASE lens. But as we outlined in our SASE, SASO, & Beyond report and Themes: SD-WAN & SASE Industry Review 2024 (Pt.1), FTNT's ambitions are far broader.
Their latest Investor Day presentation finally drew a line between their vision and Gartner’s strict SASE definition — a distinction we’ve long argued was necessary. As we outlined in our SASO Impulse nearly two years ago, FTNT’s approach isn’t just about delivering Gartner's definition, and securing the First Mile (from user to first security inspection). They have been investing aggressively to develop converged networking and security that can be deployed anywhere (cloud PoP, on-prem, remote, etc.). They are also investing aggressively in the Middle Mile, which remains a critical and often overlooked bottleneck in enterprise networking.
FTNT’s Push into the Middle Mile – A Key Long-Term Advantage
Most SASE vendors focus primarily on optimizing the First Mile, assuming a cloud-first world where users primarily access SaaS applications. But the reality is that many enterprises still operate a mix of cloud and private applications, with substantial workloads residing in their own data centers. The challenge? Efficiently routing traffic to these on-prem resources has traditionally required MPLS — an expensive, rigid solution. This is where WAN-as-a-Service (WANaaS) presents an opportunity.
The Middle Mile is the critical link between the first and last security checkpoints. The problem is that most ISPs operating in this segment are regional or, at best, bi-continental, meaning packets must traverse multiple carriers, adding complexity, potential congestion, and cost inefficiencies. Unlike the First Mile, which can be optimized by SD-WAN overlays, the Middle Mile requires numerous peering agreements between operators to ensure low-latency and cost-effective traffic routing.
FTNT is actively working toward solving this bottleneck through its Middle Mile strategy. FTNT aims to build a vertically integrated PoP network, similar to how Cloudflare and Netskope have expanded their global presence. By owning and operating more of its Middle Mile infrastructure, FTNT can directly manage traffic flows, reducing reliance on third-party carriers, lowering latency, and improving overall network performance.
This approach not only enhances the user experience but also creates long-term cost advantages. As FTNT scales its proprietary PoPs, it can bypass hyperscaler and colocation markups (~66% and ~50% gross margins, respectively) and optimize network transit at a fraction of the cost of competitors that remain dependent on leased infrastructure. This, in turn, strengthens FTNT’s ability to deliver secure, high-performance networking while structurally improving its gross and FCF margins.
Four-Pronged PoP Strategy
FTNT has a four-pronged strategy to quickly expand their global coverage in the short-term, while positioning themselves for global secure networking superiority in the longer term. Their four-pronged approach includes:
Hyperscaler PoPs (Short-Term Expansion Tactic) – FTNT is leveraging Google Cloud’s network to quickly expand its PoP footprint. This mimics PANW’s approach but is only a temporary measure.
Colocation PoPs (Equinix & Others) – A middle-ground approach that allows FTNT to deploy its FortiGate ASICs, but with space constraints.
Service Provider (SP) PoPs – A unique GTM strategy where FTNT enables SPs to build private SASE offerings using Fortinet’s hardware and software (marketed as Sovereign SASE). This is a vastly underserved segment, giving FTNT a cost advantage over premium-priced alternatives like ZS or PANW. A further note is that this sub-strategy really reduces the latency of the first mile of networking, as typically SPs are already closest to end users (able to serve process requests in under 5ms).
Wholly-Owned Proprietary PoPs (Long-Term Goal) – The ideal end state, where FTNT fully controls the infrastructure, optimizing for cost, performance, and integration with its ASIC stack.
FTNT's orchestrator layer is key to enabling FTNT to offer such varied implementations, as it provides 1) a centralized control plane that abstracts away infrastructure differences, 2) automates integration with hyperscaler and SP environments via APIs, and 3) enables multi-tenant policy delegation for service providers looking to offer private SASE solutions.
FTNT's Private SASE is another implementation whereby FTNT provides the hardware and software for enterprises to operate SASE in their own data center for their internal requirements only (in contrast to Sovereign SASE whereby SPs are using FTNT's SASE in multi-tenant scenarios to provide secure networking for their customers).
Number 4 — FTNT’s goal of fully owning its PoPs — is the natural extension of its deep-rooted vertical integration strategy. Ken Xie and FTNT’s engineering leadership recognize the immense value that can be unlocked by bringing network infrastructure entirely in-house. The clearest advantage? A structurally lower cost base that significantly improves competitiveness against SASE rivals reliant on colocation (e.g., Cloudflare on Equinix) or hyperscaler IaaS (e.g., Palo Alto Networks on GCP).
For reference, Equinix operates at a ~48% gross margin, meaning FTNT could save 48 cents on every dollar by bypassing third-party colocation. But the bigger efficiency gain comes from FTNT’s ASIC-driven cost structure.
ASIC Efficiency – FTNT’s custom silicon is designed for high throughput at a fraction of the power and compute costs of general-purpose x86-based security processing. Relative to PANW’s reliance on software-based appliances running in GCP, we estimate 10x cost savings in compute and energy.
Proprietary PoPs vs. Hyperscaler IaaS – Public cloud infrastructure carries heavy markups, with hyperscaler gross margins around 66%. By replacing these hyperscaler-hosted PoPs with proprietary ones, FTNT avoids these IaaS costs, translating to a 3x reduction in raw infrastructure expenses.
COGS Breakdown – The Competitive Gap
We estimate that compute and energy costs account for ~70% of total COGS, with the remaining 30% attributed to networking and storage. Applying FTNT’s 10x ASIC efficiency to this 70% share results in a 7x reduction in total COGS from compute/energy savings alone. When combined with the 3x reduction from moving off hyperscalers (due to removing the 66% gross margin), the total COGS savings stack up as follows:
Final COGS Reduction Estimate:
7x from compute/energy efficiency
3x from proprietary PoPs replacing hyperscaler IaaS
Net impact: ~10x lower COGS vs. PANW
These structural savings don’t just enhance FTNT’s pricing power — they also translate into significantly higher cash flow conversion and stronger long-term shareholder returns. While most SASE competitors are locked into third-party infrastructure with no path to vertical integration, FTNT’s model allows it to scale more profitably while delivering superior network performance.
The Valuation Perspective – Where We See Alpha
Despite a cyclical recovery and an underappreciated Middle Mile strategy, we don’t anticipate FTNT’s revenue growth reaccelerating past the mid-teens. Instead, our thesis centers on margin expansion, specifically an eventual FCF margin of ~45% (vs. LTM 32%). Management's 3-5 year guidance includes mid-to-high 30s FCF margin, and if you play around with the DCF valuation, it seems as the market predicts FTNT's terminal FCF margin is around 40%. But as FTNT’s proprietary PoPs scale, we see a clear pathway to higher terminal margins, plausibly to 45%.
Our updated valuation model reflects this, placing intrinsic value at $131/share, assuming a 15% CAGR for FY27-FY30 and a structurally improved cost base. At the time of writing, this presents a potential 30% upside.
FTNT stands apart by expanding horizontally beyond the First Mile (unlike Zscaler), to optimize the Middle Mile, where network performance and cost inefficiencies are most pronounced. At the same time, it’s integrating vertically by owning its PoPs and running custom ASIC-powered FortiGates, unlike Cloudflare and Netskope, which rely on colocation providers and COTS hardware.
This dual strategy gives FTNT a structural cost advantage and superior performance, positioning it as a hybrid-optimized secure networking leader rather than just another SASE vendor.
SentinelOne (S)
Unlocking Alpha Through AI-Driven Cybersecurity
Note: S reports 4Q25 after the market close on 12th March 2025.
The valuation gap between S and CrowdStrike (CRWD) remains one of the most compelling inefficiencies in cybersecurity investing today. Both companies share a similar trajectory — starting as endpoint security players, offering MDR to varying degrees, and later expanding into cloud security and identity protection. The primary distinction is that S is roughly three years behind CRWD in GTM maturity, not in technology or execution potential.
Over time, we see S reaching, if not exceeding, CRWD’s profitability profile. SentinelOne has placed a greater emphasis on autonomous software and automation-first security, whereas CRWD’s business model still leans heavily on human labor for identifying and stopping threats. This suggests that in a mature-stage scenario, S should be structurally more profitable, with higher gross and FCF margins than CRWD. Despite this, their multiples are poles apart, creating substantial alpha for investors who recognize SentinelOne’s long-term cost advantages.
The Power of a Unified Data Architecture
S' architectural advantage lies in its foundational data layer, which has allowed it to scale security capabilities more effectively than rivals. Unlike most competitors that rely on third-party SIEMs (e.g., Splunk) or hyperscaler infrastructure, S owns its data ingestion, storage, and retrieval stack — a crucial differentiator in an era where AI-driven security requires seamless access to vast amounts of structured and unstructured data.
The 2022 Scalyr acquisition was a pivotal moment, equipping SentinelOne with a high-performance, flexible, and cost-efficient data lake — later rebranded as DataSet. This strategic move gave S the control needed to pioneer XDR, allowing for:
Seamless ingestion of third-party data (crucial for enterprise-wide threat visibility).
Faster queries and analysis, reducing response times.
A highly scalable, AI-ready foundation, enabling next-gen security applications like Purple AI.
Unlike most EDR vendors, S has built an expansive and unified data layer that allows security AI models to operate effectively across an enterprise’s entire environment. This is what gives Purple AI an edge — it can analyze threats across third-party tools with minimal integration friction, while competitors struggle with fragmented architectures. Ultimately, this advantage can be traced back to S' strategic objective from its early days of being more open and interoperable, which has led to smooth third-party integrations, which in turn has led to third-party data ingestion and compatibility, which has given them an advantage to lead in XDR and now in AI-assisted security.
Scaling AI Beyond XDR – AI SIEM & AI-SPM for GenAI Workflows
SentinelOne is leveraging its data-first strategy to expand beyond endpoint security, evolving into a full-stack cybersecurity platform. The launch of AI SIEM is a prime example. While it builds on DataSet’s existing capabilities, AI SIEM is designed for real-time detection, streaming data analysis, and autonomous investigation, positioning SentinelOne to lead in autonomous security operations.
Key developments:
AI SIEM has already achieved FedRAMP High, a crucial milestone for U.S. government adoption.
MSSPs are expanding platform adoption with S, leveraging AI-driven capabilities to reduce costs and improve visibility.
Enterprise traction is growing, with a major federal agency selecting AI SIEM alongside SentinelOne’s endpoint security for unified threat visibility.
Beyond SIEM, SentinelOne has launched AI-SPM (Security Posture Management) — a solution designed specifically for securing GenAI applications and workflows. Unlike traditional CSPM (cloud security posture management) or SSPM (SaaS security posture management), AI-SPM focuses on protecting AI-driven infrastructures. This includes:
Monitoring and securing LLM APIs and GenAI-powered applications.
Preventing prompt injection attacks, unauthorized model access, and adversarial manipulation.
Ensuring governance, compliance, and risk mitigation across dynamic AI workflows.
Recently, S has also made Purple AI available within AWS Bedrock to enhance AI-driven security operations. Through this integration, SentinelOne taps into Bedrock’s foundation models to power real-time threat detection and response for AI-driven applications, reinforcing security visibility across enterprise AI workflows.
This positions SentinelOne at the forefront of securing enterprise AI adoption, giving it a strategic advantage as LLMs and AI-powered workflows become embedded across industries.
Cloud Security Growth & Differentiation vs. CrowdStrike
SentinelOne’s non-endpoint business has now grown to ~$200 million, reflecting its successful expansion into cloud security. A key differentiator is S’ ability to provide both agent-based and agentless solutions, giving enterprises flexibility in how they secure workloads.
One of SentinelOne’s greatest advantages over CRWD is its deep Linux expertise, dating back to the company’s early days. While CRWD originally focused on Windows-first agent development and only recently began optimizing for Linux, SentinelOne has always treated Linux as a first-class citizen.
This early investment enabled SentinelOne to develop an eBPF-based agent, which is tailor-made for cloud-native security. Unlike traditional agents, eBPF operates efficiently at the kernel level, allowing for deep visibility, high performance, and lightweight enforcement in dynamic cloud environments. This gives S a structural edge over CRWD in cloud workload protection — an area of increasing importance as enterprise workloads shift further into Kubernetes-based and microservices architectures.
MITRE Performance – A Testament to Autonomous Security
SentinelOne’s latest MITRE ATT&CK evaluation further reinforces its autonomous security model. S has achieved 100% detection for five consecutive years, a feat unmatched by any other vendor. More importantly, SentinelOne’s detection and response do not require heavy fine-tuning or manual configuration (check out our recent note for a detailed review of MITRE's latest test for endpoint security vendors).
CRWD, by contrast, relies more on manual tuning and SOC expertise to optimize its detection stack. This reflects a broader contrast between the two companies:
S’ autonomous-first approach reduces human labor costs and enables out-of-the-box functionality.
CRWD’s model still relies on significant human intervention, particularly within Falcon Complete MDR, where analysts continuously refine detection models.
As security teams seek more automation and fewer operational burdens, S’ model is becoming increasingly attractive.
Market Dynamics & the Path to Profitability
S reports 4Q25 and FY25 results after the market closes on 12th March. In 3Q25, it appears SentinelOne’s strategic execution is beginning to translate into financial improvements:
Net new ARR grew 22% QoQ, signaling a return to strong growth.
Approaching non-GAAP breakeven, while maintaining aggressive investment in R&D to sustain long-term innovation.
Revenue per employee remains just $285k, significantly below cybersecurity leaders like PANW, FTNT, and CRWD. This is surprising as it suggests that perhaps the core unit economics are not as scalable as some cybersecurity peers. It's possible the price war with CRWD is keeping this metric on the low side. Alternatively, it could indicate substantial upside potential, as we have seen a number of vendors scale their rev/emp as they have turned themselves into a platform play (e.g., Cloudflare, Tenable, Monday).
CRWD’s July 2024 outage has also provided momentum for S, as enterprise customers continue to evaluate their heavy reliance on CRWD. Combined with strong MITRE ATT&CK results, SentinelOne is proving itself as a stable, enterprise-grade cybersecurity platform.
We're keen to see whether progress in net new ARR and margin improvements continues in the 4Q25 results. Another note for investors is that S is still in the midst of an executive transition, having appointed a new CRO in November 2023 and a new CMO earlier in April 2023. This echoes the transitions we saw at FTNT and Cloudflare when they made assertive S&M shifts to expand beyond SMBs into the larger enterprise market. For both, the process was challenging — marked by upheaval and skepticism before top-line results materialized. We believe SentinelOne is on a similar trajectory, and early signs suggest the company is successfully evolving into an enterprise-grade vendor.
Expanding Beyond Endpoint – The Lenovo Deal
SentinelOne’s Lenovo partnership, targeting 30 million PCs over the next few years, could become a very notable revenue stream. While the impact remains uncertain, it reinforces S' strategy of embedding its platform deeper into global enterprises.
Valuation – The Alpha Opportunity in SentinelOne
S' single-architecture data model has positioned it ahead of legacy security vendors, allowing it to compete aggressively in the AI-driven security era.
The thesis for S is the rate of change in EBIT and FCF margins coupled with durably 20%+ growth for the next few years. We expect S' Rule of 40 will ascend steadily above the threshold mark as the company leverages its platform to deliver 20%+ growth while becoming highly cash generative and profitable.
Based on a 20% CAGR for FY27-FY30 and a 40% terminal FCF margin, we arrive at an estimated intrinsic valuation of ~$40, 2x the price at the time of writing.
With improving profitability metrics and an unjustifiably wide valuation gap versus CRWD, SentinelOne remains one of the most overlooked cybersecurity plays in the market today.
Palo Alto Networks (PANW)
Palo Alto Networks – Platformization Done Right
The Platformization strategy, introduced by Nikesh Arora in early 2024, is reshaping PANW’s business model by consolidating security spend across Network Security (NetSec), SecOps, and Cloud Security. The premise? Expand revenue by deeply embedding PANW’s full-stack security offerings into customer environments, gradually eliminating competing vendors. The execution has been aggressive — customers using only parts of a PANW platform gain extended free access to the rest of the suite, ensuring they become dependent on PANW’s ecosystem before renewal.
This approach differs sharply from traditional legacy platformization, where vendors cross-sell subpar products at discounted rates to drive expansion. Microsoft’s security strategy is the prime example — offering broad but inferior solutions that lock in customers through bundling rather than product superiority. CrowdStrike is following a similar playbook in cloud security, leveraging its EDR reputation to sell cloud offerings at low cost rather than through BoB differentiation.
PANW’s model is different. Instead of simply bundling, it has built and acquired genuine next-gen BoB solutions across its three core segments:
NetSec (mostly homegrown)
SecOps (a mix of homegrown and acquired)
Cloud Security (mostly acquired, but with massive post-M&A success via founder empowerment)
This approach ensures PANW remains competitive in new business acquisition rather than just milking its installed base. Unlike Microsoft or CRWD, PANW actively attracts new customers with BoB offerings, forcing internal teams to stay on the innovation frontier.
The results are evident — as of 2Q25, 1,150 customers have been platformized, up 35% YoY. This model is not only increasing ARR per customer but also strengthening PANW’s leadership across three rapidly transforming security markets.
The Three S-Curves of Growth: NetSec, Cloud Security, and SecOps
PANW’s growth is unfolding across three distinct S-curves:
1st S-Curve: Network Security (NetSec) – Traditional but evolving with SASE.
2nd S-Curve: Cloud Security – An emerging frontier, now demanding real-time protection.
3rd S-Curve: SecOps – The most transformational opportunity, primed for AI-driven automation.
Each of these domains is undergoing structural change, and PANW has positioned itself at the forefront of each shift.
1st S-Curve: NetSec – Strengthening the Moat with SASE & Enterprise Browser
PANW’s Strata & Prisma SASE business is evolving beyond traditional firewall-led security, capturing market share through its best-in-class offerings rather than just leveraging its firewall installed base.
SASE Leadership – PANW has >5,600 active SASE customers, growing +20% YoY, with $1m+ SASE deals up 2.5x YoY.
BoB Enterprise Browser, a Game Changer – PANW’s Talon Security acquisition gave it the only BoB enterprise browser in SASE, now with 1M+ licenses sold and a clear path to $1bn ARR.
Unlike competitors relying on premium pricing or bundling tactics, PANW’s secure enterprise browser provides:
Granular security controls at the endpoint.
Faster, localized security enforcement.
A superior UX, enhancing SASE adoption.
This move is far more than an incremental product play — it’s a strategic bet on the browser as the enterprise’s new security perimeter (for more information check out our previous report). If PANW can continue embedding security into the browser — as OpenAI is rumored to be doing in consumer AI experiences — this could become a multi-billion-dollar opportunity.
2nd S-Curve: Cloud Security – From Agentless to Real-Time Protection
A few years ago, next-gen agentless cloud security (pioneered by Wiz and Orca) emerged as the dominant paradigm. Vendors positioned quick deployment & compliance adherence as the main selling points. In our Cloud Security Series, we anticipated that eventually this alone would not be sufficient, and that demand real-time protection would emerge.
The industry is now demanding real-time cloud protection — favoring vendors that can deliver dynamic, portable agents for live threat detection and response.
PANW has built exactly this capability in Prisma Cloud, enabling it to address the cloud security trilemma, where historically vendors have needed to balance a tradeoff between comprehensiveness, timeliness, and ease of deployment. Now PANW is leading in both agentless and agent-based cloud security:
Comprehensiveness – Covers agent-based & agentless approaches.
Timeliness – Leads in real-time threat mitigation (via Cortex & shift-right capabilities).
Ease of Deployment – Quickly deployable with agentless coverage, quickly supplemented with lightweight, portable agents that can be deployed in a highly scalable manner.
This real-time, shift-right security model has given PANW the edge in Cloud Detection & Response (CDR) — a critical gap that agentless vendors fail to address.
Like S, PANW is also leading in AI-SPM for GenAI Workloads, positioning themselves favorably as enterprises integrate LLMs & AI-powered applications. This ensures that AI applications — which will become central to enterprise security — are governed and protected natively within Prisma Cloud.
3rd S-Curve: SecOps – The Most Transformative Opportunity
SecOps is the most labor-intensive domain in cybersecurity, with SOC analysts drowning in alerts, struggling to separate signal from noise while attackers automate their techniques at scale.
PANW is solving this with XSIAM, which has now surpassed $1bn ARR. SIEM disruption is already happening, and PANW is leading the charge.
XSIAM replaces traditional SIEMs (Splunk, Qradar, ArcSight) with a big-data-driven, AI-powered SOC.
The IBM Partnership accelerates penetration – IBM has exited SIEM, handing its Qradar customer base & IP to PANW.
Automating SOC Operations – PANW already reduced its own SOC workforce by 33% using XSIAM’s AI automation.
The opportunity here is enormous — legacy SIEM solutions are not built for modern security operations, and PANW is capitalizing on this shift at scale.
Valuation – The Security Platform of the Future
PANW is executing on three simultaneous growth curves, each backed by structural market shifts:
NetSec (1st S-Curve) – SASE dominance, fueled by its enterprise browser as a security perimeter.
Cloud Security (2nd S-Curve) – Real-time security via dynamic agents & shift-right capabilities.
SecOps (3rd S-Curve) – SIEM disruption via XSIAM’s AI-powered SOC automation.
With its Platformization strategy, PANW is securing higher spend per customer while continuing to win new business through BoB solutions.
The biggest risk in cybersecurity platformization is stagnation — but PANW has designed its model to prioritize innovation, ensuring it stays ahead of emerging security trends.
For investors, this means PANW isn’t just another vendor bundling solutions — it is building the future of enterprise security.
However, currently our optimisim for the business and the valuation are not exactly aligned. Based on our base case parameter settings, we see PANW as trading in the fair value range at present. Hence, we're waiting for a substantial correction before adding to our position.
However, there are signs that PANW could surprise to the upside and deliver higher growth than the 14% and 15% expected for FY25 and FY26 (PANW's fiscal year ends July 31st). Potentially, the key sign is the return of growth of Net New ARR, as this is a good indicator of new customer acquisition and upsell success. It is very possible that Net New ARR growth is emanating from the platformization strategy - I guess we'll learn more in the coming quarters.
