On August 27, Fastly announced their intent to acquire Signal Sciences. An outcome of the acquisition will be to combine the security capabilities of both companies into a new product offering called Secure@Edge. This significantly bolsters Fastly’s existing security product line, providing an accretive blending of existing offerings with new ones provided by Signal Sciences into a comprehensive solution designed to protect modern web applications and APIs at scale. I don’t normally dedicate a blog post to every acquisition, but I think this one will deliver an oversized contribution to the trajectory for Fastly and provides more justification for bullishness going into 2021. In this post, I will dig into Signal Sciences, synergies with Fastly and how the combined company is positioned for rapid growth. Interested investors can review my prior coverage of Fastly for more detail on the investment thesis.
Background
Signal Sciences was founded in 2014 by Andrew Peterson, Nick Galbreath and Zane Lackey. These three worked together at Etsy, where they addressed difficult technology and security problems as that site was scaling rapidly. For investors not familiar with the Etsy story, many of today’s software engineering and DevOps best practices were conceived by that technology organization. Some of the greats who worked as CTO at Etsy included Chad Dickerson and John Allspaw. Chad Dickerson even recognized the early work of the three Signal Sciences co-founders at Etsy in a tweet celebrating the acquisition.
Frustrated by the limitations of existing security solutions to protect web applications, the Signal Sciences co-founders decided that they could build a better offering. They approached the redesign of legacy Web Application Firewall (WAF) technologies from the ground up, focusing on making them work for modern software delivery paradigms like APIs and micro-services, as well as integrating with emerging development and deployment practices like DevOps and CI/CD. Sound familiar? This is the same impetus that drove Artur Bergman to found Fastly out of frustration with existing CDN solutions.
Etsy has been a pioneer in the adoption of new technologies and software development processes like DevOps and CI/CD. Once we started building the security practice from the ground up, it was clear that legacy approaches to protecting our customer data were not going to work. Specifically, the legacy Web Application Firewall (WAF) technology that was designed to protect websites from the late 90s did not address the challenges facing the modern engineering teams we were working with.
It became clear that it wasn’t just forward-thinking startups like Etsy going through this technology shift, it was everyone. So we decided to take the lessons learned at Etsy and turn them into a technology company to help the industry with these same problems.
LA TechWatch Interview with Andrew Peterson, FEb 2019
Signal Sciences distinguishes their next generation WAF technology from competitors (Imperva, Akamai, etc.) in several ways:
- They have attained a higher level of accuracy in identifying a wide array of attack types and malicious behavior. This is made possible by their unique agent/code module configuration that derives signals directly from the running web application.
- Because of this level of accuracy, Signal Sciences is able to automate the response behavior, lowering operating costs. 95% of their customers run the product in the fully automated mode.
- The technology is designed with flexibility and modularity to address any type of hosting environment (multi-cloud, containers, on-prem) and delivery architecture (web site, APIs, micro-services).
The high automation level is an important validation of the efficacy of the Signal Sciences solution. Most companies don’t trust their legacy WAF to operate autonomously. This is because misdiagnosed attack behavior could block legitimate user activity, resulting in a bad user experience and lost revenue for their customers. Running in fully automated mode allows their customers to reduce operating overhead and focus attention elsewhere.
From these beginnings, Signal Sciences developed into the fastest growing web application security company. In a July 2019 blog post and accompanying press release, celebrating the fifth anniversary of the company, Signal Sciences’ CEO Andrew Peterson highlighted several company milestones at that time:
- Protects over 25,000 web applications.
- Processes over a trillion production requests per month.
- Increased revenue by 100%+ year-over-year with 98% customer retention.
- More than doubled customer count year/year.
Signal Sciences currently claims that their solutions protect over 40,000 applications and APIs, processing over 2 trillion production requests every month. This represents a doubling of production requests and 60% increase in protected applications in about a year.
For five years we have been reimagining and reinventing how to protect web sites, mobile sites, APIs and microservices. Web application protection tools like Web Application Firewalls (WAFs) have been around for over 20 years and websites have been around much longer than that! In an industry that seems to be captivated by the newest exploits and cutting edge buzz words, we chose the far less glamorous path of taking a stale, pre-existing technology that has been written off by most as an ineffective compliance checkbox and making it actually work.
Web apps are now a series of APIs and microservices built into containers and service mesh environments that enable new functionality that WAFs were never intended to protect. We’re in a devops and agile world where our development teams have to move at an ever-increasing pace to win at business and security is fighting to keep up.
Signal Sciences CEO, Blog Post, July 2019
As part of the acquisition announcement, Fastly published an investor deck and conducted an analyst call sharing details of Signal Sciences’ performance and plans for the combined company. From these, we can glean several data points relevant for investors about Signal Sciences’ current business performance.
- ARR of $28M as of close of June 30th quarter.
- Revenue growth rate higher than Fastly’s 62% annual growth rate in Q2.
- 85%+ gross margin, versus Fastly’s most recent 62%
- Total of 265 customers, with 60+ defined at the enterprise level (more than $100k in revenue over prior 12 months). At end of Q2, Fastly reported 304 enterprise customers.
- Claim to have 5 of the top e-commerce companies, 5 top software companies, 4 top broadcast companies, 5 top financial institutions and 3 of the top media companies as customers.
- Of their 60 enterprise customers, 70% (or about 42) are new to Fastly.
- 96% gross retention of customers (percent of customers retained over prior 12 months)
- Top 20 customers make up 35% of revenue, with no single customer over 5%.
- Net promoter score over 80 (best in class is 70)
Signal Sciences’ technologies have also been recognized with industry awards:
- InfoWorld – 2018 Technology of the Year
- Computing – DevOps Excellence Awards 2020 for Best DevOps Security Tool
- 451 Research – 451 Firestarter Award, October 2019
In May 2020, Forbes recognized Signal Sciences as one of the 25 fastest-growing venture-backed start-ups most likely to reach a $1B valuation. They asked 300 VC firms for nominations and researched 100 start-ups themselves. Then, the Forbes team analyzed the prospects for the top 140, including finances and founder interviews. Of these, Signal Sciences made it to the top 25.
The addressable market for Signal Sciences’ solutions is large. A 2018 Verizon Data Breach Investigations Report listed web application attacks as the number one source of successful breaches. According to an LA TechWatch article in early 2019, the application security market was estimated at $7B and is the fastest growing segment of information security.
Protecting mobile and website data (known as application security) is estimated at $7B market today, and it is the fastest growing segment of the security industry. We help any company who runs a web or mobile site and has information they’d like to protect- making the market almost any company today. We target large to mid-market companies across any vertical, including financial services, retail, healthcare, media and entertainment who need real-time visibility and protection against cyber threats, including web attacks, bots, scrapers, account take over and injection attacks, among others.
Signal Sciences CEO, Interview with LA TechWatch, Feb 2019
Signal Sciences’ business model is SaaS based. They also provide professional services to assist customers with set-up or training, if needed. On the analyst call following the acquisition, Fastly’s CFO said that as part of the company’s integration, they would be looking at how to blend Signal Sciences’ revenue model with the more usage-based approach that Fastly uses.
Deal Points
Fastly is paying $775M for the acquisition, consisting of $575M in stock and $200M in cash. There is also a $50M stock allocation for future grants. Using the ARR value of $28M, this implies about a 29 P/S ratio, which is below the current ratio for FSLY. Issuing $575M in stock would create about 6% dilution. The deal still needs to go through approvals, but is expected to close in 2020. Fastly leadership committed to providing updated forward guidance that includes the contribution from Signal Sciences in the Q3 earnings report.
I like fact that the majority of the deal is being funded by Fastly stock, making the Signal Sciences leaders and employees Fastly shareholders. The Fastly CEO referenced this co-ownership several times on the acquisition call, expressing how pleased he was that Signal Sciences’ founders would now become part owners of the combined company. Reflecting this sentiment, the Signal Sciences CEO posted a bullish Tweet following the announcement.
Product Strategy
Fastly currently offers a basic set of cloud security products, including DDOS (Distributed Denial of Service), WAF (Web Application Firewall), TLS termination (Transport Layer Security) and bot mitigation. However, customer uptake has been mixed. Most customer case studies reference content delivery use cases, with some additions of TLS and DDOS. WAF adoption to date appears limited. Additionally, bot mitigation and rate limiting services have been outsourced to partners, like PerimeterX. In fact, on the Q1 earnings call, a sell-side analyst even asked why Fastly doesn’t build out its own bot mitigation product. Well, now we have an answer.
Signal Sciences brings dedicated offerings for rate limiting, bot mitigation and API protection. For WAF and DDOS, they have a broad and deep set of filters, that are more sensitive than those in Fastly’s DDOS solution. Fastly’s CEO even highlighted this on the acquisition review call with analysts. He noted the strengths that each company brings to the combined solution – Fastly has enormous network capacity to absorb the largest DDOS attacks. These are referred to as volumetric attacks, in which the goal is to overwhelm the victim’s servers by simply sending a very large number of the same type of requests.
Signal Sciences, on the other hand, has vulnerability detection capabilities applied at a very granular level. These would be useful in identifying more surgical denial of service attacks. Since volumetric DDOS attacks can be a blunt instrument, sophisticated hackers often probe a web application for costly operations, like performing a product search on an e-commerce site. They then write scripts to request variants of the product search in succession from bots at different IP addresses. These types of attacks are more difficult to identify, as they can appear like normal user traffic and don’t match standard patterns. Yet, the impact can be the same as a volumetric attack on user experience. If the product database is overloaded, the user will not be able access large parts of the web application.
Signal Sciences examines web application request patterns at a more detailed level, looking for both data extraction behaviors (SQL injection, cross-site scripting) as well as denial of service attempts. Their standard rule set is extensive and kept up to date. These static patterns are supplemented by machine learning algorithms that monitor actual user behavior over time and can then apply additional insights to intelligently separate legitimate traffic from malicious.
What allows Signal Sciences to really take their application security to the next level is their RASP (Runtime Application Self-Protection) capabilities. Most legacy WAF solutions deploy a monitoring layer in front of the customer’s application tier, with no integration to the actual application itself. Signal Sciences can deploy in this mode as well if needed. However, their RASP technology can go a step further by embedding a code module into the application itself and deploying an agent onto each application server. These two components work hand-in-hand. The agent analyzes incoming traffic requests, identifies malicious behavior and enforces blocking actions. The module gathers additional signals within the application itself, adds logging for more insight or modifies behavior to deal with an attack appropriately.
Signal Sciences also provides a cloud-hosted back-end that communicates with the agents. It collects anonymized telemetry data and sends back updated detection logic. The agent is designed to be highly scalable and currently protects some of the largest web properties without introducing performance issues. The code module is available for most common web servers (NGINX, Apache, IIS, etc.) and application language (Java, Python, PHP, node.js, .NET, etc.)
The plan is to integrate the application security capabilities from both companies together into a single new product offering called Secure@Edge. This will complement the Compute@Edge platform, but also be a key component within it. Secure@Edge will be built on top of the Compute@Edge platform, using the same development tooling as any other edge compute application. This architecture approach reinforces the notion that Compute@Edge is a platform for building applications. It also encourages dogfooding of the serverless platform for Fastly’s own engineering teams. This approach is similar to the strategy employed by Cloudflare in building the Teams product on top of Workers.
Building Secure@Edge into Compute@Edge also ensures that the application security capabilities are available to new edge compute applications by default. These wouldn’t need a separate layer in front of the application runtime to provide WAF or DDOS protection, which isn’t feasible at the edge. This is a powerful combination and completely changes the previous web application deployment paradigm, which used a layered approach to application security. The result for customers will be lower operational costs, simpler maintenance and more effective response. Release cycles will be faster, as they won’t need to be coordinated with application security configuration changes and will automatically integrate with existing CI/CD pipelines. The Signal Sciences’ platform includes more than 30 integrations into the most common DevOps and security tools – such as Slack, Jira, PagerDuty, Datadog, Splunk, and Cisco Threat Response.
These synergies between providing a compact, fast, serverless runtime deployed on the network edge and the inherent security gained by embedding the Signal Sciences RASP capabilities into those applications will be significant. In addition, Fastly now has access to a performant, universal agent and back-end data plane that could be deployed onto origin servers (or other endpoints) to further improve the effectiveness and management of customer applications running within Fastly’s environment. This topology provides a strong foundation for other future product offerings.
Competitive Position
Signal Sciences has a strong position relative to competitive solutions in WAF. Due to their technical innovation and focus on usability, they have achieved some of the highest ratings from third-party industry analysts. In many ways, this parallels Fastly’s approach. Both founders of both companies took a largely ignored, but critical, technology component that frustrated them personally and set out to re-design it for modern customer needs. This story has repeated before, not just with Fastly and Signal Sciences, but Zoom, Slack and other innovators.
In my own past discussions with Signal Sciences, they highlight the following limitations of competitive solutions:
- They require extensive ongoing tuning.
- They cannot be operated in full blocking mode. The WAF is often turned down to avoid blocking legitimate user traffic.
- They are difficult to scale in multi-cloud and serverless environments. They are not well-suited to modern DevOps practices.
- Visibility and reporting are limited. The blocking decisions and performance impact are opaque.
These limitations were highlighted in a customer case study from DoorDash, who transitioned from AWS WAF to Signal Sciences. They point out the following challenges with the AWS WAF solution, which would generally apply to other competitive offerings as well:
- High maintenance costs due to a requirement to configure web access control lists (ACLs) and then apply filtering rules for each.
- Ongoing rule tuning and tweaking over time to prevent new types of attacks.
- Doesn’t work across multi-cloud or hybrid configurations.
- Limited integration with other popular DevOps tools for monitoring and CI/CD.
In Feb 2020, Gartner published its Voice of the Customer report for Web Application Firewalls (WAF). This report compiles reviews from actual customers of WAF products in order to help IT managers make purchase decisions. These reviews give insight into not only how satisfied existing customers are with a vendor’s product, but also their experience in negotiating with the vendor, getting support for the product and their overall implementation effort. Of the 14 WAF vendors in the report, Signal Sciences, along with Akamai and F5, were recognized with the Customer’s Choice award. Among these, Signal Sciences had the highest overall rating of 4.9 (out of 5.0). The next highest score was 4.7, with Akamai and F5 receiving a 4.6 and 4.5.
Even examining the ratings by category, we see consistent high marks for Signal Sciences in product capabilities, ease of deployment and customer services. You’ll notice that competitive offerings underperformed in at least one of these categories.
I think these high marks are reflective of both Signal Sciences’ high quality product and their customer-focused culture. This disposition will align well with Fastly’s strengths in these areas.
Brain Trust
A big part of my bullishness around the Fastly investment thesis centers on the talent base they are building. As investors, I think we sometimes overlook the power of assembling a strong team of highly motivated engineering talent that includes the leading minds in their fields. We tend to focus on the tangible metrics in front of us, like financials or customer growth, as talent is harder to assess and speaks more to future potential for a company’s growth than current performance. We celebrate strong founders/CEOs of software companies, and when they have the technical chops to deliver the first prototype of their product, even better (Yuan, Lawson, McKinnon, Banon). Yet, there is an equally important organizational layer to build in the technology team that drives innovation and leadership long into the future.
In this regard, Fastly has been assembling a brain trust of leading thinkers in networking, content delivery, programming languages and now security. While larger technology companies and cloud vendors have talent, it is dispersed across many product initiatives. Fastly, on the other hand, has concentrated creative thinkers into one problem space. In order to create a disruptive technology, it is necessary to engage a set of individuals who have deep domain knowledge and have demonstrated a drive to innovate. Indications of these behaviors are participation in standards bodies, starting new open source projects, speaking at industry events and publishing books. These kinds of individuals are not finding comfy roles at big companies where they can “rest and vest”.
As I have discussed in a previous post, Fastly first took this approach of addressing hard engineering problems in innovative ways with their complete overhaul of POP design for content delivery. This enabled them to disrupt incumbent Akamai, who had been delivering CDN solutions since 2000. Fastly’s customer list is a testament to the benefits of their forward-thinking approach and their ability to build a better CDN solution.
They have repeated this innovation with Compute@Edge, which delivers the most impressive benchmarks in terms of a compact, fast and secure runtime environment for serverless. To accomplish this, they built a new solution from the ground up into Lucet, while competitors took the pragmatic and predictable approach of re-using the V8 engine popularized by Google Chrome. The Fastly technology team was given the latitude to fully explore options (arguably ignoring typical business constraints like time to market) in order to deliver a fundamentally better solution for their customers.
These technical feats by such a small team are impressive. Keep in mind that Fastly had just 630 employees at the end of Q2. The secret to Fastly’s success, in my opinion, is the creation of a separate “research” team housed under the CTO, Tyler McMullen. This is often referred to as the “Office of the CTO”. In a recent GCP Podcast, Tyler described his job as CTO to “run a small applied research team that sits beside engineering. They work on things that are highly likely to fail, but if they don’t, it would be pretty cool. They have had a few of these projects that have turned out to be pretty interesting.” A bit of an understatement – I appreciate his modesty.
This latitude of maintaining a separate “research” team housed under the CTO, which has a more open-ended mandate to rethink the constraints of current infrastructure approaches, not constrained by the immediacy of sprint deadlines, enables these large technology leaps. This isn’t to say that Fastly doesn’t have product delivery goals – it’s just that these are owned by the separate engineering organization. Fastly recently hired Nick Rockwell (previously CTO of the New York Times) and Laura Thomson (previously led engineering teams at Mozilla) to run Fastly’s engineering efforts for Compute@Edge and other products. These teams would be charged with ingesting working prototypes from the research team and fleshing them out into a full product offering to take to market.
If Fastly’s mission is to fundamentally evolve how software applications are delivered to end users, in a highly efficient, fast and secure manner, then they are assembling the best team to do so. Below is a sample of team members, both from organic hires and recent acquisitions, that illustrates the point. These individuals are viewed as leaders in their respective fields, contributing to the foundational protocols and languages that drive the Internet. They speak at conferences attended by other engineers and literally “wrote the book” on best practices in their domains. (Some bios are copied verbatim)
Fastly Office of CTO
- Patrick McManus, Distinguished Engineer. Patrick McManus is a Fastly Distinguished Engineer, major contributor to the Firefox Networking stack, co-chair of the IETF Dispatch Working Group, and co-author of several Internet Standards including DNS over HTTPS. He has 20 years of experience blending applications, networks, and people into interoperable solutions. Along with Fastly, Patrick has previously worked with Mozilla, IBM, Datapower, AppliedTheory and NYSERNet.
- Mark Nottingham, Principal Engineer. He’s had a role in developing the web and the internet since the late 90s. Mark has written, edited or substantially contributed to more than 20 IETF RFCs and W3C Recommendations about topics like HTTP, caching, linking, web architecture, and security. He has also chaired the HTTP Working Group since 2007 and the QUIC Working Group since 2016, and has been a member of the Internet Architecture Board since 2017. Before that, he served on the W3C Technical Architecture Group. Beyond standards work, Mark helped deploy a precursor to “enterprise” CDNs in 1998, designed HTTP APIs and owned a caching platform at Yahoo!, and has contributed to several Open Source projects. Currently, he’s part of the Office of the CTO at Fastly.
- Peter Bourgon, Principal Engineer. Peter Bourgon is currently leading research and development on a global infrastructure for state at the edge at Fastly. He is the author of Go kit, the preeminent toolkit for microservices in Go; and several large-scale coordination-avoiding distributed systems, including Roshi (stream index) and OK Log (log aggregation). Here is a recent tech talk at QCon in which Peter discusses the challenges with managing state in a distributed edge network and how CRDTs might provide a solution.
Tesuto Acquisition
The three co-founders joined the Fastly team, bringing more than 45 years of combined experience in network design and operation.
- Jay Sakata, Tesuto co-founder. Prior to Tesuto, co-founded EdgeCast Networks in 2006, a content delivery network that provided web acceleration for some of the world’s most demanding web properties. EdgeCast Networks was acquired by Verizon in 2013. Note the 14 patents listed on his LinkedIn profile.
- Chris Bradley, Tesuto co-founder. Worked alongside Sakata at EdgeCast Networks as the principal engineer and brings more than 20 years of experience building and managing network-focused applications, with a special focus on anti-DDoS software.
- Hossein Lotfi, Tesuto co-founder. Worked on Google’s data center fabrics and SD-WAN before co-founding Tesuto.
Signal Sciences Acquisition
Like Tesuto, the three co-founders of Signal Sciences are joining the Fastly team. They have deep experience in application security, based on practices honed at Etsy and codified in some of the most popular books on the subject.
- Andrew Peterson, Signal Sciences CEO. Prior to founding Signal Sciences, Peterson has been building leading edge, high performing product and sales teams across five continents for over fifteen years with such companies as Etsy, Google, and the Clinton Foundation. In 2016, O’Reilly published his book “Cracking Security Misconceptions” to encourage non-security professionals to take part in organizational security.
- Nick Galbreath, Signal Sciences CTO. For 25 years, Nick has held leadership positions in number of high growth startups in e-commerce (Etsy, UPromise and Open Market) and programmatic AdTech (Right Media, AppNexus, IPONWEB). Along the way he has frequently spoken on the intersection of engineering, operations and security. He is the author of “Cryptography for Internet and Database Applications,” (Wiley) and was awarded a number of patents in the area of social networking, data structures, and system architecture.
- Zane Lackey, Signal Sciences Chief Security Officer. Author of “Building a Modern Security Program” (O’Reilly Media). He serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy. He is a frequent speaker at top industry conferences such as BlackHat, RSA, Velocity, OWASP, DevOpsDays, and has also given lectures at Facebook, Goldman Sachs, IBM, Microsoft, Carnegie Mellon University, and the Federal Trade Commission.
Customers
Like Fastly, Signal Sciences targets and attracts innovative, internet-first companies as customers. This is a consequence of the disruptive nature of their product and reflects the benefits in operational efficiency that progressive players would seek as early adopters. A sampling of brand names listed on their web site includes Under Armor, Datadog, Duo, One Medical, O’Reilly, DoorDash, Onelogin, Airtable, Chef, Postmates, Remitly, Procore, Twilio and WeWork.
Additionally, through my own research, I am aware of customer relationships with several other notable brands, which represent even larger footprints. These names further underscore the penetration that Signal Sciences has achieved. For a company with 150 employees, this level of adoption and trust is impressive.
Signal Sciences has also attracted customers from mainstream industries that are trying to innovate their online presence as part of digital transformation. Chick-fil-A is a good example of this.
Chick-fil-A needed a flexible and effective web application security solution to protect key assets of their digital transformation strategy, including consumer-facing mobile and web apps that improve customer satisfaction and drive revenue growth.
Chick-fil-A, Inc. operates 2,400 restaurants in the United States with combined annual revenues of over $10 billion. Mobile and web applications that allow customers to place food orders are critical to both improving customer satisfaction and Chick-fil-A’s growth. But the incumbent legacy WAF that depends on pattern matching rulesets was not up to the task in a development lifecycle where distributed software design and deployments are the norm.
This meant finding a future-ready Web Application Firewall that installs easily across distributed architecture and effectively prevents account takeover (ATO) attempts and other attacks on those public-facing apps in production.
Signal Sciences Case Study with Chick-fil-a
This provides a great testament of the value that Signal Sciences brings to customers looking to update their existing WAF solution to take advantage of more advanced capabilities offered. Additionally, in the testimonial, they describe Chick-fil-A’s hosting environment: “Apache, NGINX, Tomcat, and IIS. Within AWS, they use Cloudfront CDN in front of their APIs and put Signal Sciences at the network edge to inspect and decision on web requests before they reach application origin.” It is important to note that Fastly’s CDN solution is often viewed as an upgrade to Cloudfront by other Internet-first customers, where performance is paramount. It is a reasonable assumption that Fastly could upsell Chick-fil-A to their content delivery solutions as part of the sales integration with Signal Sciences.
This example highlights the large cross-sell and customer expansion opportunity available to the combined company. Signal Sciences brings 265 total customers, of which 60 are at the enterprise level (defined as spending more than $100k in the prior 12 months). Of these, 70% (about 42) are new to Fastly. At the end of Q2, Fastly reported 304 enterprise customers, with an average spend of $716k. Signal Sciences’ 42 new enterprise customers would increase Fastly’s count by 14% and could add about $30M in incremental revenue over time, if they could all be cross-sold up to the average Fastly enterprise customer spend.
From the Gartner Voice of the Customer results and Signal Sciences reported retention rate of 96%, we know that Signal Sciences’ existing customers love their solutions. Given the clear parallels with Fastly in product innovation and customer focus, it is reasonable to assume that these existing customers will maintain their relationship with Signal Sciences through the acquisition and be interested in extending their product consumption to other Fastly services, like content delivery and Compute@Edge.
Investor Take-aways
While many investors rightfully question the rationale behind acquisitions, I think this one is both pragmatic and strategic on several levels. First, it is immediately accretive to revenue following the close. Signal Sciences brings $28M of ARR, growing at an annual rate higher than Fastly’s 62% from Q2. In 2019, the Signal Sciences’ CEO reported that revenue had doubled from the prior year in various interviews, so their current revenue growth rate could be somewhere between 62-100%. Due to the nature of their product, Signal Sciences also delivers much higher gross margin at 85%. On the analyst call following the announcement, Fastly’s CFO stated that he expects this to accelerate Fastly’s gross margin improvement trajectory.
Another notable outcome from the acquisition will be in customer expansion and cross-sell opportunities. Signal Sciences brings 265 total customers, of which 60 are at the enterprise level. Of these, 70% (about 42) are new to Fastly. This would increase Fastly’s total enterprise customer count by 14% and could add about $30M in incremental revenue over time, if they could all be cross-sold Fastly products at the average enterprise customer spend. Most impressive, though, is the list of customers from Signal Sciences, which reflects the same caliber of discerning innovators that Fastly attracts.
Given these developments, I have become even more bullish on Fastly’s potential going into 2021. Coming out of Q2, I was anticipating them to deliver at least $300M in revenue for 2020, representing growth exceeding 50% year/year. For 2021, I felt that 40-50% growth was achievable over 2020, based on continued momentum in content delivery uptake and the introduction of Compute@Edge, yielding revenue approaching $450M. With the addition of Signal Sciences and the new Secure@Edge product line, we could see an additional $30-50M in revenue for 2021, based on Signal Sciences’ existing ARR of $28M as of June 30th, continued high growth of their product sales and future cross-sell opportunities. This could bring total revenue for 2021 of $500M. Investors can apply their own multiple to this target, but I am optimistic the market cap for the combined company could surpass $15-20B by end of 2021.
Investment Plan
I think this acquisition significantly improves the investment thesis for Fastly. By adding new product revenue streams, enterprise customers for cross-sell and enhanced capabilities for Compute@Edge, Fastly’s future is looking even brighter as we transition into 2021. They are well-positioned to further disrupt legacy offerings in content delivery, application security and distributed computing. With a seasoned team of thought leaders, we could see even more product innovation down the road, as they rethink the foundational underpinnings of modern application delivery infrastructure.
Given this, I have increased the allocation of FSLY in my personal portfolio to over 30%, and may add more. Of all the stocks I cover, I am most confident in Fastly’s ability to increase in value over the next 12-18 months.
Hi Peter, thanks for all these great posts! Wondering if you don’t invest in $CRWD because it’s a security company? Then why do you invest in $NET which is also a security company?
Thanks. The difference is subtle, but important to me personally. I cover software providers where the Development leader (CTO / VP Eng) makes the buying decision. This includes application security, which is bundled into decisions about development stack, coding practices, deployment process and content delivery for the applications built by the engineering team. Crowdstrike’s products mainly secure the enterprise, its employees, their equipment, corporate data, communications tools, etc. These buying decisions are typically evaluated by the CISO / CIO. My expertise is on the CTO / VP Eng side, and am not as strong in enterprise security decisions. Cloudflare has a blend of both types of security offerings, but more than half of the product suite is developer oriented.
I tend to invest along the same lines. It is easier for me to build conviction around a researched software name where I intimately understand the value proposition.
Signal Sciences’ Glassdoor reviews (if legitimate, which I’m guessing most of them are) show a company with great technology but a poorly managed sales organization. Fastly’s sales team is a work in progress. Seems like a top priority for Fastly’s CEO Joshua Bixby will be to hire a superstar to lead the combined sales team. I think he is resourceful enough to accomplish this. If he succeeds, there could be additional upside to the combined company.
Peter, thanks as always for sharing your expertise.
Sure – good feedback. A strong sales leader should provide more direction for the integrated sales teams. I like that Fastly’s CEO is being thoughtful around the best way to approach this. Once in place, I agree that a new sales leader could provide a catalyst for further growth.
Indeed, good feedback. I have never seen a company with such a low Glassdoor score. Let’s be clear here: finding a great sales leader for a highly technical product is going to be extremely hard. Almost impossible. I am bullish on Fastly, but let’s not trivialize the issue.
Peter, thanks for the great write as always. You talked in your weekly newsletter about workloads shifting to serverless compute and the implications for endpoint security vendors. As a CRWD investor this peeked my interests on how it could possibly affect them. Could you please comment on this as I’m not technically smart enough to understand what this means to CRWD. Could this shift pull customers or disrupt CRWD?
Thanks, Chris.
Hi Chris – Thanks for the feedback. The question I raised in the newsletter (as you point out) is what are the implications of increased adoption of distributed serverless compute on endpoint security vendors. Specifically, I posit that as more compute workloads shift to run in a serverless environment on the edge, then there will be fewer stand-alone servers or containers at the origin. Security companies that orient around protecting “endpoints”, specifically on the server-side, may be impacted in the long run. Endpoints, of course, include a wide array of devices, most of which are in the hands of consumers, or in the future, will proliferate as IoT devices. However, where endpoints are servers or containers in a central data center, we may see fewer of these to protect in the future, or at least a flatline in their growth. CRWD provides endpoint protection across many devices, but did highlight on their earnings call that they protect over 1B containers. I can’t say that CRWD will be directly impacted, as the migration from centralized containers to distributed serverless runtimes will take a while to play out, but is something that we should watch that could limit TAM in protecting discrete server-side workloads running on containers or stand-alone servers.
Thanks for the clarity Peter! Will definitely try and keep an eye on this.
Hi Peter, what do you make of the following, especially the last three paragraphs:
https://hhhypergrowth.com/what-are-edge-networks/
That is a great overview of edge networks and is recommended reading. I know the author (Muji) personally and we often share insights privately. I agree with his reasoning that both Cloudflare and Fastly are well-positioned to capitalize on these trends. I own both names in my portfolio.
Another great article. Honestly, the content on this site is absolutely outstanding. I learn so much with every piece I read. Hopefully when this site is monitized I can afford it. SSI is helping me make much better decisions regarding the covered tickers I invest in. I’d love to see the site cover TTD, its another SaaS company that is not written about widely, although I do understand it might be outside the scope of this site.
Thanks for the feedback. I own TTD personally, but do not feel comfortable covering it. I know a bit about AdTech, but am not enough of an expert to perform a deep dive analysis that is incrementally better than other coverage out there.
Thanks for the feedback. Do you know a website or an analyst with quality coverage of TTD? I just can’t seem to find anything close to the caliber of coverage on this site.
Great deep dive as usual. I think w this acquisition, Fsly will outgrow net in enterprise. Slightly different offerings but Fsly’s more robust security should compete favorably now.
Question : will you do a write up for snow? IPO next week. I believe CIOs make purchasing decisions for their service , no? Huge hype, huge growth.
Thanks for the feedback and I agree with you on Fastly.
Regarding SNOW, I may cover it in the future, but do tend to shy away from new IPOs for a quarter or two. However, my colleague Muji over at Hhhypergrowth, just released a great write-up on Snowflake that is recommended reading: https://hhhypergrowth.com/a-snowflake-deep-dive/.
Wow, thanks for all of the great insights and the time researching this. Especially the backgrounds of the Development team Fastly is building. No one else focuses this much attention to the team. 100% agree. You buy the minds behind the company, not the company.
Hi Peter, thanks for the great write! I’m curious if you have any thoughts on $BAND?
Thanks, I touched on BAND in a competitive analysis as part of my recent review of Twilio: https://softwarestackinvesting.com/twilio-twlo-q2-recap/.
Hi Peter, Thank you for such a deep dive analysis and a great insight on the merger of Fastly with Signal Sciences. As a software architect myself, I could not find better than this one to understand better. It is a clear win-win for both of them.
Thank you for your time ,expertise and generosity in sharing the knowledge.
Kudos Peter !
Thanks for your thoughtful feedback. I agree with the win-win sentiment.