Hello everyone
The golden rule in business is: whoever has the gold makes the rules. This is easy to see with the Swiss company SoftwareOne, which many people probably know as a reseller. SoftwareOne's revenue has shrunk in recent quarters. Why?
Microsoft has lowered the "rebates" on the list prices, i.e. the de facto margins on resale, and is increasingly converting the Enterprise Agreement (EA) contracts to direct sales. Before that, so-called Licensing Solution Providers (LSP) could expect a margin of ~1.5% on the EA volume.
Although external sales (gross billings) with Microsoft products increased by more than 10%, less of it remained with the reseller. SoftwareOne does about 1/3 of the business with Microsoft and, according to its own statements, is one of the world’s largest MS channel partners. The UK competitor Bytes Technology Group has exactly the same problem.
While resellers are left empty-handed, market observers assume that Microsoft's additional profit from the change in licensing and increasing direct sales will be ~$2.5 billion from 2026.
Surely the Crowdstrike managers are taking a good look at this playbook and are already testing it in isolated cases. Among the pure security players, Crowdstrike has by far the strongest brand, coupled with a good product. For major customers, CS no longer has to be pushed by the channel – the customer asks on his own initiative. Thus, the Crowdstrike resellers are increasingly losing their market power and the margins are moving from the system house/integrator to the manufacturer (not to the customer, of course). Crowdstrike is also the only alternative to MS Defender in the MDR/MSOC market for which there are more than a handful of independent MSSP vendors who know how to use it.
Nevertheless, no one has to worry about our system houses: Most providers are somewhat smaller than MS or CS (or, like Fortinet, have a hardware share) and inevitably still pay commissions for the channel partners to do the hard work for the customer. But the fact remains that we in Europe will transfer steadily increasing compulsory levies to the USA as long as we do not free ourselves from the self-inflicted blackmail.
Anyone who has ever dealt with Microsoft contract types knows of course that this is not just a full-time job. EA, EAS, MCA, MCA-E, NCE, MPSA, etc. offer more substance for a habilitation than most social sciences, despite the abolition of volume discounts (A-D) on online services. So if anyone has more insights or other experiences: Always welcome. The current feature sets can be found in the ingenious M365Maps by Aaron Dinnage.
Netskope (CASB / SASE) is planning its IPO, aiming for a valuation of ~5 billion USD – let's take a look at the stock market prospectus (SEC filing S-1):
- 13 years after foundation ~4300 B2B customers
Growth✅:
- Revenue has increased by ~32% to approximately USD 540 million in the last 12 months, and the number of customers has increased by ~20%.
- Realistic assessment of risk factors: “We expect our revenue growth rate to decline in the future”
- EMEA accounts for a quarter of the revenue pie and is the fastest-growing region
Profit:
- “We have experienced net losses in each period since inception”, as they rightly write. Despite the higher sales, the loss has even risen slightly, to USD 350 million. To be fair, the gross margin is increasing. On the other hand, the overhead costs come on top.
- Overheads? ~52% of sales were spent on marketing and sales. For development, almost as much.
- Free Cash Flow: The symbol here would not only be red flags 🚩🚩🚩, but also a pyre on which banknotes are burned.
- Ongoing dilution: In the last year, 11% of new shares have been added. Experience has shown that this does not decrease once the company is listed on the stock exchange. Caveat emptor.
- The total market for network and cloud security is currently estimated at around USD 100 billion (which is less than the market capitalization of PAN). The market including AI boosters is expected to grow by ~20% per year. This already shows that the market will not be big enough even in 5 years to meet the current valuation of all players in it. All the same.
- “The market is intensively competitive. … Our primary competitors include companies such as Broadcom, Cisco, Fortinet, Palo Alto Networks, and Zscaler”.
- At this point, a project example from Germany as a further indication of the brutal competition (thanks, Mark!): ~8,500 user SASE project, replacement of the existing provider, list price approx. 9 million EUR, conclusion at the end of FY: 900 thousand EUR customer price (i.e. 90% discount)
- Technical challenges:
  - DLP is much more difficult for video, image, and audio than it is for text (and even text doesn't work very well in practice)
  - Gen AI enables slightly modified copies of real-world data that are not detected by DLP inspection mechanisms
  - Agentic AI enables new methods of unintentional and intentional data leakage through API interfaces and logs
  - Encrypted scripts via HTTPS, dynamic JavaScript, and copy/paste data exfiltration can effectively only be detected in the browser, not via proxies/SWG/CASB. Netskope has an alternative to LayerX / Island / PaloAlto Prisma / Talon etc. in its portfolio
- Very cool: More than 220 patents approved. For comparison: Crowdstrike is in the order of about 350, Palo Alto at about 1300. With these figures, applications for the same invention in different countries or variants are also counted several times
- The bottom line is a great achievement to build up such a company. Great recognition for the founder/CEO Sanjay Beri and his team
- With a 100% probability, it will come back to bite me again that I will not be part of the IPO due to my incurable value disposition, and people will then mockingly send me their neon green gleaming portfolio statements.
Finally, a joint cybersecurity guideline from BSI, CISA/FBI and 4 other countries, namely on the topic of OT asset inventory. I love when concrete recommendations are given on “how does good look like”. They actually exist here, e.g. on the question of which data fields should actually be recorded (a recurring topic of discussion), or how granular the network schema with zones and conduits should be. Experts are already getting upset about some philosophical details, but I think the directive is a step in the right direction.
M&A Corner:
- Okta buys Axiom (PAM for everything in the cloud from Israel)
- Accenture acquires CyberCX (Australian MSSP, approx. 1400 employees)
- In the first 8 months of this year, there was already more funding for security companies (> $14 billion) than in 2024 combined, reports ReturnonSecurity. Once again, the appeal on our own behalf: If you know a good European team that could grow faster with more funding, then we look forward to hearing from you.
Notes from Vendor Briefings:
Adva Network Security:
- German provider of encryption modules (“Connect Guard”, used by Genoa, among others) and security services (originally a spin-off of Adva Optical / Adtran), approx. 80 employees
- Development and production in Germany. Approved by the BSI for encryption processes at Layer 1 (optical) up to VS-Confidential, L2 and L3 up to VS-NfD
- Customers esp. from critical infrastructure and defence
- Of course, also expertise in quantum-safe encryption
- NOC (for their own devices) and SOC services (15 min guaranteed response time for critical alarms) are provided together with Dacoso from Germany. All analysts (~40) are Ü2 security checked + German-speaking. Preferred Tech Stack:
  - SIEM: MS Sentinel or Logpoint
  - EDR: Crowdstrike or MS Defender
  - NDR: Darktrace or Corelight
  - SOAR: D3
  - Vulnerability Scan: Qualys
  - Threat Intel: SOCRadar
- IT and OT pen testing with expertise in testing zone transitions and demilitarized zones
Conducttr (Update):
- Provider of a crisis simulation platform (not only cyber), competitor to e.g. Immersive Labs. In other words, the digital version of a table-top exercise. Special feature: the German subsidiary is a JV with the British parent company, but the majority is in German hands.
- Approx. 45 customers, including NATO, Vodafone, UEFA, Coca-Cola, some of the Big 4
- SaaS or on prem installation possible
- Not only can it simulate shitstorms on various social media channels (the AI probably has enough training data), but also hidden signals in high noise volume => This can then be analyzed as an exercise to recognize patterns
- In addition, cool features are, of course, website defacement, messenger app for communication in the crisis team and dynamic adaptation of scenarios depending on how the role players make decisions
Databee:
- Belongs to Comcast (major US telco)
- Security Data Pipeline Management, i.e. the same playing field as Cribl, Tenzir or Databahn
- Approx. 10 external customers, so far all from the USA, now want to expand to EU (hosted on AWS in Frankfurt)
- Objective: Reduce SIEM costs, but also pre-structure data for AI applications
- Still looking for channel partners
Oligo:
- Application Security / Cloud Detection & Response startup from Israel
- Approx. 50 paying customers, including security providers such as Armis or Cato Networks
- For each endpoint, a profile of normal executions and calls is created for each monitored application during an initial settling-in phase
- eBPF sensors for detecting anomalies such as unusual network connections during runtime => For high-security applications, another line of defense
- In addition, the vulnerabilities are filtered according to dependencies and functions that are actually loaded/executed. This supposedly reduces the number of vulnerabilities by 99% compared to those found by SCA (it would be interesting to hear practical examples from users)
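
The filtering step in the last bullet, sketched as an added example (not Oligo's code or API): SCA findings are sorted into tiers by whether the vulnerable function was executed, only loaded, or never loaded. All package names, advisory ids and the runtime profile are constructed placeholders.

```python
# Added illustration; not vendor code. All data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    advisory: str   # placeholder id, not a real advisory
    package: str    # dependency flagged by the SCA scan
    function: str   # vulnerable symbol named by the advisory

# Constructed SCA output: every known-vulnerable dependency in the manifest.
SCA_FINDINGS = [
    Finding("ADV-PLACEHOLDER-1", "imagelib", "imagelib.tiff.decode"),
    Finding("ADV-PLACEHOLDER-2", "yamlparse", "yamlparse.load_unsafe"),
    Finding("ADV-PLACEHOLDER-3", "xmlkit", "xmlkit.entity.expand"),
    Finding("ADV-PLACEHOLDER-4", "legacyftp", "legacyftp.client.login"),
]

# Constructed runtime profile, as a sensor might report it for one application.
LOADED_PACKAGES = {"imagelib", "yamlparse", "xmlkit"}
EXECUTED_FUNCTIONS = {"imagelib.png.decode", "yamlparse.load_unsafe", "xmlkit.parse"}

def triage(findings, loaded, executed):
    """Split findings into tiers by what the running application touched."""
    tiers = {"executed": [], "loaded_only": [], "not_loaded": []}
    for f in findings:
        if f.function in executed:
            tiers["executed"].append(f)      # vulnerable code path actually ran
        elif f.package in loaded:
            tiers["loaded_only"].append(f)   # in memory, vulnerable function not seen
        else:
            tiers["not_loaded"].append(f)    # present in the manifest only
    return tiers

def reduction(findings, tiers):
    """Share of SCA findings that drop out of the urgent queue."""
    return 1 - len(tiers["executed"]) / len(findings)

if __name__ == "__main__":
    t = triage(SCA_FINDINGS, LOADED_PACKAGES, EXECUTED_FUNCTIONS)
    for tier, items in t.items():
        print(tier, [f.advisory for f in items])
    print(f"urgent queue reduced by {reduction(SCA_FINDINGS, t):.0%}")
```

The tiers are only as good as the observation window: a function that runs once a quarter sits in `loaded_only` until the sensor sees it, so that tier is deprioritised rather than closed.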
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For the people who have received the market commentary for the first time: Here you can register if you are interested or search in the archive for the colleagues we have transferred there as a punishment (greetings to Mr. Pelkmann! 😉).
Regards
Jannis Stemmann