Investing analysis of the software companies that power next generation digital businesses

Elastic (ESTC) Q1 Recap

Elastic announced Q1 FY2021 (May – July) earnings on August 26th. The results were favorable, with significant beats on both revenue and EPS. They also delivered a large increase in FCF margin to 17% as well as a 24% improvement in operating margin. Next quarter and full year guidance were raised slightly, reflecting ongoing concerns around COVID-19 headwinds. The market reaction was muted, with a slight decline in share price the next day. On the earnings call, the leadership team provided other updates on customer wins and their broader go-to-market strategy. During the four months before earnings, Elastic delivered three major point releases with meaningful product improvements across all solution categories. Highlights included the new Workplace Search product and a Unified Agent with malware protection.

Additionally, Elastic held an Analyst Meeting on October 14th, which included further updates to their broader strategy. While no new financial targets were revealed, leadership provided interesting insights into large customer growth and expansion across multiple solution categories. This customer motion highlights the potential for Elastic’s long term growth, as some enterprise customers value the breadth of Elastic’s solutions and their unified pricing model. In this post, I review Elastic’s Q1 earnings and other business updates that occurred during the quarter. I also examine product enhancements and Elastic’s general competitive positioning. For additional background on the Elastic investment thesis, interested readers can review my past quarterly updates and original deep-dive.

Headline Financial Results

  • Q1 FY2021 Revenue of $128.9M, up 43.7% year/year (45% in constant currency). This compares to the consensus estimate of $120.9M, representing growth of about 34.8%, and the company’s own guidance from Q1 of $119-122M. This compares to the prior quarter revenue growth rate of 53%.
  • Q1 Non-GAAP EPS was $0.06 versus ($0.18) expected, for a beat of $0.24. However, on the earnings call, the CFO clarified that “an accounting-related benefit from certain unrealized foreign currency exchange gains favorably impacted Non-GAAP earnings per share by $0.11.” Accounting for this, EPS would have been ($0.05), still representing a substantial beat. Q4 EPS was ($0.12) and Q1 FY2020 was ($0.32).
  • Q1 Non-GAAP operating loss was $4.3M, generating an operating margin of -3.3%. This compares to an operating margin of -10.3% in Q4 and -27.1% in Q1 FY2020.
  • Q1 FCF was $21.6M for a FCF margin of 16.7%. This compares to a FCF margin of -5.5% in Q4 and -4.0% in Q1 FY2020.
  • Q2 FY2021 (October end) revenue guidance of $129-131M, for annual growth of 28.6% at the midpoint. This compares to analyst estimates for $129M, or 27.6% growth.
  • Q2 Non-GAAP EPS estimate of ($0.22) to ($0.20), compared to the analyst consensus for ($0.24).
  • Non-GAAP operating margin is expected to be between -11.5% and -10.5%.
  • FY2021 (end April 2021) Revenue target raised to $544-550M, representing growth of 27.9%. This compares to the analyst consensus for $537.3M or 25.6% growth. The company’s prior guidance from Q4 results was for $530-540M, so this represented a raise of about $12M at the midpoint. Management noted on the earnings call that this was greater than the sum of the Q1 beat and Q2 raise.
  • FY2021 Non-GAAP EPS estimate was raised to ($0.83) to ($0.69), from the company’s prior guidance of ($0.98) to ($0.85) and the analyst consensus for ($0.91).
  • FY 2021 Non-GAAP operating margin is expected to be between -13.5% and -11.5%. This is an improvement from -15% to -13% last quarter.
  • Ended Q1 with cash and cash equivalents of $350M. On the Q4 earnings call, management mentioned that they were not planning a capital raise.
Elastic Q1 FY2021 Earnings Deck

Other Performance Indicators

  • Q1 Non-GAAP gross margin of 76.6%, compared to 73.3% in Q1 FY2020 and 75.8% last quarter.
  • SaaS revenue was $32.6M, representing an increase of 86% year/year. SaaS revenue is associated with Elastic’s Cloud offering. SaaS now makes up 25.3% of total revenue with this result. In Q4, SaaS revenue grew by 110% year/year and contributed 23% of total revenue. In Q1 FY2020, SaaS revenue was 20% of the total.
  • Calculated billings was $130.0M, an increase of 45% year/year, or 47% on a constant currency basis. This is down slightly from 52% billings growth in Q4.
  • Deferred revenue was $277.5M, an increase of 63% year/year.
  • In terms of geographic distribution of sales activity, the Americas grew the fastest. This was supported by strong performance in the federal business. Next was EMEA and then APJ.
  • RPO was $576M, up 59% year/year.
  • Contract lengths were slightly longer compared to a year ago. They continue to be roughly one and a half years on average.
  • Breaking down Q1 FY2021 Non-GAAP expenses by category, we see a substantial reduction in y/y percentage of revenue spend in S&M and some reduction in R&D and G&A. The operational leverage in S&M is encouraging to see, while continuing to grow revenue at a high rate.
    • R&D = 29.1% (versus 32.8% in Q1 FY2020 and 31.4% in Q4)
    • S&M = 36.7% (versus 52.4% in Q1 FY2020 and 40.9% in Q4)
    • G&A = 14.0% (versus 15.0% in Q1 FY2020 and 12.9% in Q4)
  • Ended the quarter with 1,962 employees.
Elastic Q1 FY2021 Earnings Deck

Head of Sales Hire

In conjunction with the Q1 earnings release, Elastic announced the hiring of Paul Appleby as President, Worldwide Field Operations. He will lead all go-to-market functions for Elastic, responsible for enhancing the customer journey, driving global revenue growth, and developing strategies for addressing the large market opportunity for Elastic. He is replacing long time sales head Justin Hoffman, who has been leading sales since 2012, when Elastic was much smaller. This transition is not a surprise and had been telegraphed by Elastic leadership in prior quarters.

Appleby was most recently the CEO of Kinetica, which is a large scale data analytics company. Prior to Kinetica, he was president of worldwide sales and marketing at BMC. He also served in senior leadership roles at Salesforce, Siebel Systems, C3 AI, Travelex and SAP. He obviously has deep experience in sales leadership at enterprise software companies. The recent experience as a CEO makes him more compelling in this critical role. He will bring a broad operating perspective and should provide a great sounding board for long-time founder and CEO Shay Banon.

The CFO discussed the intent of this hire in more detail during the Jefferies Software Conference interview on Sept 14th. He said that Elastic has the potential to become a significantly larger business. While the existing sales leader has performed well over the last 7 years, they wanted to bring in a new leader who had experience operating at scale, with the goal to put processes and team in place to grow Elastic revenue to “$1B and beyond.” The CFO mentioned that Paul had already hit the ground running over the past several weeks. They expect he will “accelerate growth over the medium term”.

I thought this choice of words was interesting, to “accelerate growth”. Arguably at 44% revenue growth, Elastic is performing well, but with guidance in the high 20% range for the full year, it would be encouraging to see a re-acceleration of revenue to the prior growth rates for Elastic consistently over 40% a year. At an annual run rate of $550M and a large market, there is still room for a couple more years of high revenue growth.

I think this is a great hire by Elastic. I am excited to see the impact that a new sales head will have on the velocity of the organization. I also like to hear the ambitious growth plan confirmed by Elastic leadership, as they see a $1B+ revenue opportunity. While the prior head of sales did a great job building up Elastic, a new head of sales will bring fresh energy and broader perspective to the role. Also, he would be incentivized to drive incremental growth and has reputation risk if sales underperforms.

Customer Activity

  • Total subscription customer count was over 12,100 at the end of Q1. This compared to over 11,300 in Q4 (up 7.1% sequentially), and over 8,800 in Q1 FY20 (up 37.5% year/year).
  • Total customer count with Annual Contract Value (ACV) greater than $100k was over 630, compared to over 610 in Q4 (up 3.3%), and over 475 in Q1 FY2020 (up 32.6%).
  • Subscription revenue represented 94% of total revenue.
  • Net Expansion Rate continued to be greater than 130%. This is similar to Q4’s rate, although management did note that it ticked down a few percent due to slower expansions from some customers due to COVID-19. Elastic does not report the exact value for NER, but anything over 130% is best in class.
Elastic – Analyst Meeting Presentation, Oct 2020

In the prepared remarks and through the earnings call, the Elastic leadership team discussed the impact of the COVID-19 situation on their customers and the quarter’s results. It created both headwinds and tailwinds for customer demand. One headwind was extension in the time some customers reviewed deals, resulting in longer sales cycles to close new business. This reflected the additional spending constraints imposed by many companies due to the economic environment. The other impact was on some customers in distressed industries, like hospitality and transportation. As these customers experienced less demand for their business services, they correspondingly dialed back their usage of Elastic.

In the Analyst Meeting on October 14th, the CFO revealed that about half of Cloud customers are on a prepaid contract with committed capacity targets. These contracts are typically one year or longer, and billed annually in advance. The other half of Cloud customers are on a monthly model, where they are billed in arrears based on their prior month’s usage. This bucket also includes any overage from customers on a prepaid contract. Coming back to Q1 results, for customers that needed to dial back their usage of Elastic to reduce costs temporarily or minimize any overage risk, this would be easy to do on the monthly plan. I suspect this flexibility did contribute to slower revenue growth.

On the other hand, some industries benefitted from the COVID-19 environment, like e-commerce and food delivery. These customers actually increased usage of Elastic solutions. The bump in prioritization that certain solutions gained, particularly around security, also helped drive some increased demand. At the same time, I wouldn’t be surprised if these customers still tried to be conservative in minimizing overage fees to preserve cash.

Elastic Q1 FY2021 Earnings Deck

The impact of lengthening sales cycles and dampened usage in impacted verticals is likely contributing to conservative guidance for the remainder of the year, in spite of strong revenue and billings performance in Q1. The CFO addressed this on the earnings call.

On the other hand, customers are also responding to the broader macro conditions, adapting their businesses and scrutinizing or reducing their spending against the backdrop of sharp reduction in overall economic activity. As we expected, sales cycles have been lengthening. We see that in both new and renewal business as customers scrutinize spending more carefully and deals go to higher levels of approval than before.

Elastic Q1 FY2021 Earnings Call

The leadership team also highlighted some other broader themes around Elastic’s product suite and pricing model that they feel are resonating with customers. Large customers value the ability to apply more use cases to Elastic, without needing to negotiate a new contract based on different pricing parameters or adding new SKUs. For example, a customer might be charged per host for APM on a competitive solution, and then per event for SIEM. With Elastic, they simply pay for increased resource usage, regardless of solution used. The pricing calculator for Elastic’s Cloud offering is primarily driven by cluster capacity. This allows customers to start with one use case like logging or app search, and later expand to security monitoring and APM later simply by expanding the capacity of their cluster.

Leadership feels these factors are driving larger customer expansions and new enterprise business. Recall from Q4 that leadership shared a metric of customers with ACV greater than $1M. In Q4, this passed 50 customers, up from 30 in the year prior. Some investors have expressed concern in the past that Elastic was challenged to land enterprise spend. However, this metric would indicate that they can ramp up some customers to a significant spending commitment. In Q4 commentary, leadership additionally mentioned the top end of the spending range for large customers around multi-million dollars annually.

I will discuss how Elastic’s product suite and pricing model affect its competitive positioning later. For now, leadership highlighted a number of customer wins during the past quarter that are worth reviewing.

  • A U.S. online marketplace for beverage delivery operating across 60 markets adopted Elastic Cloud. They are using Enterprise Search to power their marketplace application, which is undergoing a surge in usage.
  • A leading managed healthcare customer experienced volume growth from an average of 700 to 20,000 appointments per day. They adopted Elastic’s Observability solution for log, metric and APM monitoring. 
  • Expanded business with one of the largest global beverage companies to provide endpoint protection for remote employees. This supplemented their existing Observability use case and established Elastic “as a new standard over point solution incumbents.”
  • A major U.S. provider of high-speed satellite broadband services adopted Workplace Search to power their new company-wide content search experience.
  • One of the big three U.S. automakers renewed with Elastic to power application search for internal and public-facing sites and apps.
  • The government for one of the largest U.S. cities uses Elastic to search through its databases to derive insights for government-wide initiatives.
  • A leading German automaker expanded business in Q1. They ingest and store terabytes of vehicle logs and metrics into Elastic from 100-plus vehicle components, like the heads-up display or in-car entertainment systems. Their developers use this internal monitoring service to quickly identify vehicle issues and maintain customer satisfaction. Elastic’s unified pricing and differentiated features were key drivers for this customer to expand their usage of Elastic. 
  • Another automaker, Audi, spoke at one of Elastic’s virtual events last quarter about how they run observability workloads on Elastic Cloud. They shared how Elastic helps them deliver a service that’s easy to use with lower operational costs.
  • Additionally, a top 10 global logistics provider of supply chain solutions renewed business with Elastic in Q1.
  • A U.S.-based global financial services company closed new business with Elastic to address Observability and Security use cases. They cited the flexible pricing model as the reason they chose Elastic over other incumbents. 
  • Additionally, one of the largest global system integrators committed to build a managed security practice on top of Elastic. Although it is still early days for this relationship, this win further strengthens Elastic’s ties with a global strategic partner that can provide Elastic the opportunity to present their value to C-level audiences around the world.
  • Elastic also saw continued traction in the public sector with a defense information system agency, where Elastic’s Security solution empower analysts to discover and mitigate cyber threats quickly.
  • Etsy, who spoke at one of Elastic’s virtual events in Q1, runs their observability workloads on the Elastic Cloud on the Google Cloud Platform (GCP). In addition to reducing time spent on infrastructure management, ease of use was a deciding factor for them and has played a role in helping them scale to meet greater online engagement this year.
  • Developer software company, JFrog (recent IPO of FROG), closed new business with Elastic in Q1. They chose Elastic over other incumbent security solutions because the unified pricing model and Elastic Cloud scalability helped them save time and streamline costs.
Elastic – Analyst Meeting Presentation, Oct 2020

In the past, investors have expressed concern over whether Elastic could land enterprise business. At the Analyst Meeting in mid-October, leadership shared the slide above, demonstrating Elastic’s penetration within large companies. Primarily, these engagements represent a single use case within one department. The big opportunity for Elastic going forward will be to expand these initial footholds into a much larger share of business. Their 130%+ DBNER and cross-sell motion should provide a long tail of revenue growth within existing lands.

The Elastic leadership team also highlighted government business as a source of strength for Elastic. Interestingly, the initial use case for these customers was around security monitoring. Elastic products were being used by federal agencies for security use cases before Elastic even ramped up their security product focus. Additionally, it’s notable that many of Endgame’s large customers were federal agencies and they started by providing security solutions for the U.S. military.

Analyst Reactions

Following Elastic’s Q1 earnings results, a number of analysts published updated coverage ratings. Of these, all analysts raised their price targets. 10 analysts currently have a Buy rating and 3 have a Hold equivalent. The average price target for these updates is about $131, representing a 18% increase from the closing price after earnings of nearly $111 on August 27th. Additionally, following Elastic’s Analyst Meeting on October 14, several analysts raised their price targets further.

DateAnalystRatingPrice Target
10/15CanaccordBuyRaised from $130 to $145
10/15RBCOutperformRaised from $130 to $140
10/15JefferiesBuyRaised from $130 to $145
9/24BairdNeutralInitiated at $120
8/27FBNRaised from $95 to $125
8/27DA DavidsonBuyRaised from $100 to $130
8/27B of ABuyRaised from $95 to $130
8/27StifelHoldRaised from $84 to $125
8/27OppenheimerOutperformRaised from $100 to $125
8/27Monness CrespiBuyRaised from $100 to $142
8/27CitigroupBuyRaised from $126 to $146
8/27Piper SandlerOverweightRaised from $94 to $127
8/27Goldman SachsNeutralRaised from $100 to $114
8/27BarclaysOverweightRaised from $120 to $124
Ratings Assembled from MarketBeat, YCharts

Following the earnings report, Citi issued the highest price target of $146. Analyst Tyler Radke provided the following commentary.

Citi analyst Tyler Radke raised the firm’s price target on Elastic to $146 from $126 and keeps a Buy rating on the shares. The company reported “strong” Q1 results with leading indicators pointing to mid-to-high 40’s year-over-year constant currency growth, which is well above the Street’s mid-20’s estimate, Radke tells investors in a research note. While guidance and the tone of the earnings call “struck a more conservative tone than we thought necessary,” it should continue to provide an “attractive set-up” for quarters to come, says the analyst.

Thefly.com, August 27, 2020

After the Analyst Meeting in mid-October, Jefferies set the highest price target amongst that set of updates. Analyst Brent Thill provided the following guidance.

Jefferies analyst Brent Thill raised the firm’s price target on Elastic to $145 from $130 and keeps a Buy rating on the shares after the company hosted its first analyst day at its ElasticON Global virtual conference. While Thill said limited financial updates were provided at the event, he added that he believes the company’s current guidance seems conservative given Elastic’s fundamental tailwinds and supportive end markets.

Thefly.com, October 15, 2020

Product Development Activity

Elastic is fundamentally a “search” company. However, the scope of search has dramatically expanded since the early days of simply powering a text search box on a content web site. Applications of the Elastic platform now extend into many types of data processing use cases, where the foundational requirement is to structure a very large data set in a way that allows querying to occur lightening fast. If you think about Elastic through this lens, then its application to a variety of IT use cases makes sense – log analysis, security (which is mainly sorting through log data and events), application performance, analytics, fraud detection, equipment failure monitoring, etc.

Elastic – Analyst Meeting Presentation, Oct 2020

Background and Strategy

To address all of these types of search experiences, Elastic created the Elastic Stack. Specifically, the stack is composed of Elasticsearch, Kibana, Beats and Logstash. It allows developers to take data in any format from any source, and then transform, index, analyze and visualize it in a rapid and scalable manner.

Elastic’s solutions can be deployed in three different configurations, depending on customer preferences and their existing infrastructure foundation. Traditionally, customers hosted and managed the Elastic Stack themselves. The Cloud offering is newer and provides a managed service for customers on all the major cloud hosting providers. This option is becoming particularly popular for customers and is financially beneficial for Elastic, as they generate revenue even if the customer is using the “free” version of the Elastic distribution. This varied deployment model provides customers with flexibility in their hosting approach and recognizes that many enterprises haven’t fully migrated to the cloud (nor immediately plan to).

The Elastic Stack is open source. This means that all the source code is publicly available for developers to view and extend. As a result, over the years, many other software solution providers have built applications on top of the Elastic Stack. This created a useful pipeline of acquisitions for Elastic, as integration of the acquired company’s solutions was pretty straightforward. Here is a list of prior acquisitions as examples:

  • Swiftype – Site Search and App Search services
  • Opsbeat – APM solution
  • Prelert – Machine learning features
  • Packetbeat – Beats product
  • Found – Cloud offering
  • Endgame – SIEM and Endpoint Security solutions
Elastic – Analyst Meeting Presentation, Oct 2020

We can expect this motion to continue. Acquisition represents a powerful mechanism for rapidly expanding Elastic’s product solution coverage, in addition to their own internal development team’s efforts. Elastic’s open source model has created an ecosystem of adjacent software providers. As these gain traction with strategically aligned product roadmaps, Elastic can opportunistically bring them in the fold. Integration is trivial as they both run on the same underlying data platform.

In addition to enabling an ecosystem of independent software providers, the open source nature of Elastic allows developers at customer organizations to extend the platform to address their own unique uses cases. This started with application search when founder and CEO Shay Banon created the first version of Elasticsearch to power a recipe search application for his wife.

Because of the versatility of the platform, customers began extending it in new ways. First, they used it to capture and analyze server logs for infrastructure monitoring. Then, they expanded that to application performance monitoring. Since the same server logs also provided signals for malicious activity, some customers (like in government agencies) began using Elastic for security monitoring. And the list goes on.

In fact, if we look at the observability space, we see Elastic customers extending the platform to address use cases that go beyond standard monitoring of Internet-delivered applications.  Customers are repurposing this notion of “observability” to different domains, where monitoring a system for expected performance is needed in a generic sense. This customization through programmability (as a consequence of the open source posture) ensures that Elastic will always have some demand from customers with use cases that fall between the cracks of traditional observability and monitoring. Examples of this extended observability to non-standard contexts include:

  • Sky for monitoring OTT video delivery
  • Volvo for tracking service issues for a fleet of 1M connected vehicles
  • John Deere for a service that allows farmers to monitor and optimize the performance of their agriculture operations
  • Walmart to monitor gift card usage for fraud
  • Cox to track video on demand delivery through their own cable network
  • Verizon for wireless network service monitoring and outage tracking

The Elastic team observed this activity and received feedback from customers about capabilities to add to the core Elastic Stack to further enable their use cases. This feedback from customer activity is how Elastic’s three core solution groups of Enterprise Search, Observability and Security were born. I imagine there may be others in the future, or additional segments within each to address clusters of new customer use cases. Some investors shy away from Elastic because they feel that Elastic is trying to do too much. To be fair, these solutions do cover a lot of ground. However, it is important to appreciate that the solutions motion was initiated by customer demand and their own skunkworks projects, not in an Elastic leadership brainstorming session.

When this product expansion beyond enterprise search for Elastic was materializing over the course of 2018 and 2019, some industry analysts questioned this strategy and pointed out that the observability and security markets seemed far apart. However, as the observability market is maturing, DevOps has pulled the once eschewed security team into the DevSecOps movement. Now, it makes sense for application and security monitoring to be addressed by the same toolset and from the same vendor. As comparisons, Splunk had focused on log analysis and security initially, and later expanded into full observability. Datadog rapidly addressed the three pillars of observability and is now extending into security monitoring.

Elastic’s Security category provides packaged solutions for SIEM (Security Information and Event Management) and Endpoint Security. SIEM is the older offering from Elastic, as it was developed as an extension of infrastructure logging after Elastic observed several logging customers customizing the Elastic Stack for security monitoring. Elastic then formalized the solution by adding common exploit pattern detection and other features. Endpoint security is a more recent addition to the security suite. This was enabled by the acquisition of Endgame in June 2019. Endpoint security was launched as a complement to SIEM in October 2019. Both SIEM data collection and endpoint security are now combined into a single agent, providing both centralized monitoring and proactive response to security exploits. In addition to endpoint capabilities, the Endgame acquisition brought over 100 engineers with security expertise to the Elastic team, which will further drive the monitoring side of security.

And this brings us to what I think is the most interesting aspect of Elastic’s product strategy. By offering a full suite of observability and security capabilities, IT operations personnel can both “observe and protect” server-side infrastructure through a single agent, a single vendor and a unified, resource-based pricing model. In theory, this could supplant the need for separate vendor relationships for point solutions in each area, like observability (Datadog, New Relic, Dynatrace, etc.), SIEM (Splunk, Datadog) and endpoint protection (Crowdstrike).

How this tug-of-war between a platform approach and the best-of-breed point solutions will play out remains to be seen. Elastic leadership contends that they have many customers excited about the opportunity to simplify these vendor relationships and cite several examples of large customers who expand into all three solution categories (Enterprise Search, Observability and Security) with Elastic. In the Analyst Meeting, the Elastic CFO revealed that 45% of Elastic’s large customers spending more than $1M in ACV (of which there are now more than 50) use all three of Elastic’s solutions. Further, this generally represents a gradual progression from one to two solutions and then all three.

At the same time, Elastic’s packaged solutions in each of these categories are generally not as comprehensive or deep as the point solution providers. Before DDOG, SPLK and CRWD bulls dismiss Elastic’s strategy outright, I agree that it doesn’t apply to all customer segments and has its risks. The most discerning, digital native customers will likely always select the leading point solution. But, this isn’t where Elastic’s customer base is centered. While they do attract the digital natives, they also have 46% of the Fortune 500 as customers, as mentioned previously. More mainstream companies may be satisfied with a second tier solution in each category, where the simplicity of maintenance and pricing leverage provide more compelling value.

Elastic – Analyst Meeting Presentation, Oct 2020

I will cover this further in the Competitive section, but wanted to lay the groundwork before reviewing Elastic’s product release activity over the past several months. This background will help provide context for the product release discussion, which reflects rapid progression of capabilities in all three solution areas, along with improvements to the core platform functionality and features available through the Cloud offering.

Product Releases

The cadence of Elastic’s product development from May through August continued at a rapid pace. The ability to deliver an aggressive and accelerated product release cycle can create a competitive moat, in my opinion. While I agree that any large legacy software provider can spend enormous sums to launch a competitive offering, if they can’t execute a rapid fire product development, test and release cycle, they will fall behind smaller, more nimble players. Entrenched legacy providers usually maintain a methodical, measured product cycle as a consequence of their size and customer requirements. This notion of competitive moat through short product iteration cycles applies not just to Elastic, but to other engineering-focused independent players, like Datadog, Cloudflare, Twilio, Okta, MongoDB, etc.

Elastic delivered three separate major releases during the four month period from May through August, ranging from version 7.7 to 7.9. While these are labelled as point releases, Elastic packs multiple feature additions across all solution categories into each release. In some cases, these include whole new product offerings. Because of Elastic’s pricing model, consumption of new products and features will generally result in increases in usage, which drives up revenue.

Here is a summary of the releases and major product features launched during the period. I won’t cover each extensively, but will call out those that increase Elastic’s competitive position or customer appeal in a significant way.

Version 7.7 Release

Elastic Stack v7.7 was released on May 13. This included several enhancements to existing solution categories. The big contributor from a revenue point of view was the addition the Workplace Search solution as a generally available offering. This represents a stand-alone product under the Enterprise Search category. Here is a list of the main features that were part of the 7.7 release:

  • Workplace Search. Enables content search across multiple common business applications in a single interface. This allows organizations using many SaaS-based productivity applications to consolidate all their content on a single topic. This content could be pulled from email systems, CRM, document repos, ticket tracking systems, etc. Examples of tool integrations are Microsoft 365, G Suite, Salesforce, Zendesk, Dropbox, GitHub, Jira/Confluence, ServiceNow, SharePoint, etc.
  • Alerting. Delivers a consolidated toolset for setting up alerts for all monitoring solutions, including metrics, uptime, application performance and security. Users can apply logic to trigger an alert and then send that information to popular communication and ticketing tools, like Slack, PagerDuty or just email. This brings Elastic to better feature parity with other monitoring solutions.
  • Asynchronous search. Allows the user to designate long-running queries to execute in the background. This can reduce load spikes on the search tier. The user can periodically check the progress of the query or even review partial results as they are generated.
  • Service Maps in APM. This was the last major gap in Elastic’s Observability solution. Service maps provide a graphical view of the dependencies between instrumented applications and external services. These can be used to identify bottlenecks at a system level in application performance.
  • Embedded case management in SIEM. Security analysts can open new cases for security incidents, that are fully integrated with external ticket tracking systems with built-in case workflows. These can be tagged, commented, updated and closed without leaving the Elastic security monitoring interface.
  • Native integration with ServiceNow ITSM. The new case management feature in Elastic SIEM directly integrates with ServiceNow ITSM. This allows analysts to forward information from Elastic SIEM to the ServiceNow platform for cross-org ticket tracking and remediation. 
Version 7.8 Release

Elastic released version 7.8 on June 18, a little over a month after 7.7. Like all point releases, this also delivered enhancements across multiple Elastic solutions. The highlights included:

  • New side navigation. Simplified the user interface to make it easier for users to locate the tools they commonly use. Observability and security solutions were given dedicated sections in the side navigation.
  • Dashboard enhancements. Added dashboard-to-dashboard drill down capability. Streamlined the process to add or update visualizations and metrics.
  • Search tools. Enhanced access controls down to the document level in Workplace Search and provided support for SAML-based authentication. Also added ability to search and filter content as it is ingested for validation.
  • Certificate validity monitoring. Monitors TLS/SSL certificates for validity and expiration dates on monitored hosts and services. Warns users pre-emptively to replace certificates before they expire. Security certificate expiration is a common, yet easily preventable, source of downtime.
  • Health status indicators for Service Maps. Powered by machine learning, labels services with severity scores of green/yellow/red to provide users with a visual summary of the state of monitored systems.
  • Security case management integration with Jira. Introduces a new integration with Jira Core, Jira Service Desk and Jira Software that streamlines workflows and reduces context switching.
  • New threat detection rules. Out-of-the-box rules for detecting security threats targeting Linux systems. The new rule set detects various Linux attack techniques that emphasize evasion where attackers attempt to hide malicious activity through deletion of system artifacts, disabling services and using local tools to spawn a new terminal.
  • More security data ingest. Data from network security devices by Fortinet and Check Point can be ingested to analyze network activity, while endpoint data from CrowdStrike Falcon EDR provides access to host telemetry.
  • Programmatic access to admin functions. Elasticsearch clusters can be deployed, managed and scaled with a new Elasticsearch Service REST API, command-line interface and language SDKs.   
Version 7.9 Release

On August 19th, Elastic released software version 7.9. Keeping with their rapid product development cadence, this follows the release of version 7.8 in mid-June by two months and includes a few major additions. Here are some highlights:

  • Launched a new Elastic Agent, Ingest Manager and Fleet tool to simplify the collection of data from hosts in a centralized way, including logs, metrics, APM and endpoint security.  Elastic Agent provides a single software agent for system operators to deploy onto servers that addresses the collection of all data types. Ingest Manager similarly controls ingestion from all types of systems and third-party services. Fleet allows users to manage all of their deployed agents in one tool. Most large software infrastructure installations will span thousands of servers – having a tool to manage agents from a single interface creates efficiencies for DevOps personnel.
  • Moved Workplace Search into the free distribution tier for Elastic Cloud and self-managed environments. This lowers the barrier to entry for organizations to get started. Elastic offers additional capabilities and support under the Platinum subscription. v7.9 also added a connector for ingestion of Gmail content into Workplace Search.
  • Launch of 50 new security detection rules that allow DevOps teams and security analysts to identify risky behavior across the full spectrum of monitored systems.
  • Free one-click install malware prevention for Windows and MacOS, as well as advanced detections and deep visibility into vulnerabilities for all major operating systems including Windows, MacOS and Linux. This is included as part of the new Elastic Agent – combining data collection with security protection. These are being offered through the free distribution tier in order to help protect the remote workforce. The offering also includes access to more than 200 pre-built adversary behavior pattern finders mapped directly to the MITRE ATT&CK framework.
  • A number of other smaller enhancements – faster page loads in Kibana, new wildcard data type for search, public preview of the Event Query Language (EQL), which provides search language tailored to security context.

The new consolidated agent will help observability and security customers simplify the management of their environments. This represents a significant step forward. The free malware prevention and vulnerability monitoring for enterprise customer devices is very interesting and represents Elastic’s first step in extending protection to monitoring within the same agent. These enhancements are designed to provide customers with a complete platform to address both observability and security of servers from a single solution set.

Unified Agent and Endpoint Security

As mentioned above, the version 7.9 release significantly bolsters the capabilities of the Elastic agent. This line of reasoning makes sense. If an IT organization has to deploy a software agent to every server, having maximum coverage in a single agent would drive maintenance simplicity and efficiency. Elastic is attempting to preempt the consideration set for both server monitoring and endpoint protection by building the case that those can be accomplished from one software agent and backing platform.

The development I’m most excited about is the beta release of our proprietary unified agent, which enables one-click data onboarding for log, metric, and endpoint security data. We are delivering a magical experience for our users. I’d like to say that it’s the one agent to rule them all.

This is a massive movement toward our vision of radically simplifying data onboarding and ingest management. This release enhances ease of use and decreases time to value for operators. It also enables customers to up-level their usage and expand to new use cases. This is because anywhere this agent is running to collect observability data, a customer can also install endpoint security.

This illustrates the power play we have of building on a single stack, build it once, use it everywhere. We’re making it easier to capture all your data with a single agent, whether a customer is running on-premises or in the cloud because, while you observe, why not protect?

Elastic CEO, Q1 FY2021 Earnings Call

This is a very interesting move, which could put pressure on the DevSecOps ecosystem. Similar to the consolidation of the observability space, from separate tools for log analysis, APM and infrastructure monitoring, into a single platform that addressed the “three pillars of observability”, Elastic is trying to pull security into the same scope. While addressing SIEM is a natural extension of observability that both Splunk and Datadog support, endpoint protection is new. The logic in the simplest sense is sound – if observability and endpoint protection solutions all require the installation of a software agent, why can’t one agent address all use cases?

For Elastic, this expansion is possible due to the Endgame acquisition from 2019. While this seemed orthogonal to Elastic’s product suite at the time, viewed within the context of a single agent, it could be prescient. A segment of customers, perhaps less sophisticated enterprises from mainstream industries, seem to be interested in reducing vendor sprawl and may value a single solution. This would presumably lower their costs, training and management overhead. Of course, some set of customers will demand the best-of-breed providers for each category. These tend to be the digital-first, born on the internet companies with large engineering and IT operations teams.

In parallel, the enterprise security landscape is evolving. Endpoint protection companies are partnering with network security and identity providers to enable new Zero Trust environments. Elastic would want to ensure that their endpoint security strategy can be integrated into these newer frameworks. How Elastic’s security strategy plays out over the next year will be an important indicator to watch.

Cloud Expansion

Elastic continues to add new markets to its Cloud offering. With each new combination of cloud vendor and location, we can expect some incremental business for Elastic. This is similar to a SaaS business launching their product in a new country, as some international customers require data residency. Elastic Cloud is now available in 41 cloud regions, which represents a 3x increase over FY2019 (roughly 1.5 years ago).

Elastic – Analyst Meeting Presentation, Oct 2020

Elastic added 17 new locations in FY2020 and has added 11 more so far in FY2021. Over the last few months, this expansion of the Cloud offering continued with each release.

  • Version 7.8: Finland, London, Netherlands, São Paulo, Singapore, South Carolina, Taiwan, and Tokyo. 
  • Version 7.9: Canada, France and Korea.

In addition to new locations, Elastic delivered two highly requested features for Elastic Cloud recently. Integration with AWS PrivateLink provides private network connectivity between AWS virtual private clouds (VPCs) and the Elastic Cloud instance. IP filtering enables users to specify network access to their Elastic Cloud deployment based on IP addresses, address blocks, or ranges.

Elastic’s relationship with the Cloud vendors themselves is evolving and resembles co-opitition. On one hand, some of the cloud vendors offer their own hosted services that address search use cases. In the case of AWS, they famously began hosting open source Elasticsearch themselves for a fee in 2018, in direct competition to Elastic. That was the genesis for Elastic’s open core model, in which most value-add features are bundled in the proprietary distributions (whether free or paid). Since 2018, this licensing change has increased the gap between the AWS solution and Elastic’s, given Elastic’s pace and complete focus on Elastic Stack development. At this point, Elastic’s Cloud solution is far ahead of the comparable offering from AWS in terms of feature breadth and capabilities.

GCP and Azure have been more cooperative. While Elastic Cloud is available through the marketplaces of all three large cloud vendors, GCP and Azure have gone further, offering integrated billing, use of pre-committed spend and collaboration on training. The CEO of Google Cloud, Thomas Kurian, even spoke at the most recent ElasticON user conference on October 14th.

As multi-cloud deployments become more prevalent, CXO’s at large companies are trying to avoid cloud vendor lock-in. Use of a particular cloud vendor’s search solution would make it harder to switch providers in the future if needed, or to support a multi-cloud configuration. With Elastic Cloud, applications can be built to a single interface that remains the same on any cloud installation.

The benefit for the cloud vendors in supporting the Elastic Cloud is that it generates compute and storage revenue for them. This probably explains why the large cloud vendors support and even actively promote Elastic’s solution on their cloud offerings. While they might prefer to also grab the service revenue, they still benefit without it.

Government Activity

Elastic also announced FedRAMP Moderate authorization and their general availability on AWS GovCloud on July 29th. FedRAMP authorization allows users from federal agencies and other industries in regulated environments to manage Controlled Unclassified Information (CUI) on Elastic’s stack. FedRAMP streamlines the procurement process for U.S. federal customers by standardizing security requirements across federal agencies. Once a vendor reaches an authorization level, each new federal agency customer doesn’t need to repeat their security assessment. The FedRAMP Moderate authorization is important, as Elastic is gaining many customers in government agencies.

AWS GovCloud provides a dedicated cloud environment for government agencies. Having the Elastic Cloud solution available within this environment further simplifies the deployment process for a government agency, as they likely already have a substantial footprint in this AWS environment. This further expands Elastic’s reach with government customers, particularly for the Cloud solution. Many government agencies self-hosted in the past, which generates less revenue for Elastic, particularly if they utilized the free tier.

Competitive Landscape

I covered Elastic’s competitive landscape in depth in my prior quarter recap in June. This included an extensive review of Elastic’s offerings in each solutions category, spanning Enterprise Search, Observability and Security. For each, I described Elastic’s solution in detail, its relationship to competitive products and reviewed relative positioning from industry analysts like Forrester and Gartner. I won’t repeat that exercise here as most of the information is still relevant and timely. No new major industry analyst reports have been released since last quarter. Competitive offerings continue to expand, but along the same lanes as discussed previously. Investors should read through that coverage for background on the competitive landscape.

This quarter, I will focus on Elastic’s product and go-to-market strategy and how leadership is positioning Elastic’s suite of solutions relative to competitors in general. At a high level, I think Elastic represents a bet on a long-term platform play that offers both out-of-the-box capabilities for customers who want a plug-and-play solution to common use cases, along with full programmability that allows their developers to create a custom solution to address use cases unique to their business context. If Elastic can provide “good enough” solutions across multiple solution categories, an argument for consolidation of tooling onto a single platform can be made. This is underpinned by the ability to extend and customize any aspect of a solution if needed, given the open source nature of the code. This combination could offer a compelling alternative to competitors offering best-of-breed point solutions.

However, this strategy and the sales execution behind it are still developing. It also assumes some degree of commoditization (diminishing returns for incremental features) for solutions in observability and security over time. One avenue for investors to participate would be to simply pick the leader in each category that Elastic competes in.  In observability this is Datadog (DDOG), in SIEM it’s Splunk (SPLK) and endpoint protection (EDR/EPP) it is Crowdstrike (CRWD). For application and site search, Elastic is the leader.

The big question for investors to consider around Elastic’s strategy for all these solution categories is whether having a second tier position in each will ultimately be deemed “good enough” by a sufficient number of enterprises. In that case, Elastic leadership’s argument stands that a unified platform with a flexible, resource-based pricing model would drive efficiencies for customers looking to address multiple use cases across search, observability and security with a single vendor relationship.

Elastic is rapidly improving their coverage in each solution category with their cadence of major releases every 1-2 months. The number of substantial features across all solution categories in the version 7.7 – 7.9 releases detailed previously is impressive. That spanned just 4 months of time, yet represented pretty substantial steps towards closing feature gaps relative to competitors. With this development pace, it is likely that Elastic solutions will begin appearing on Gartner and Forrester reports and moving up and to the right.

The programmability of the Elastic Stack is also an important consideration. Enterprises with a strong developer mindset are free to create their own custom solutions, either by starting from scratch or extending an existing solution’s source code. These can address use cases that fall outside of the standard pre-packaged offerings. These use cases generally represent business functions that are critical to a particular company’s operations, for which a packaged commercial solution is not available. The Elastic customer page lists a number of these. I highlighted a few examples previously. Walmart uses the Elastic Stack to detect fraudulent gift card activity. Volvo tracks service issues for a fleet of 1M connected vehicles. At a prior user conference, Home Depot  cited so many example uses for the Elastic Stack in their organization that they described the Elastic platform as their “Swiss Army Knife”. 

Customization also creates stickiness. Once a company builds a critical business function through a customized implementation of the Elastic Stack, it is very unlikely they would swap that out for a competing technology. The switching costs in this case are high. On the other hand, swapping out a proprietary, packaged observability solution is fairly straightforward. The technology team would just deploy the new vendor’s data collection agents on all relevant infrastructure, using an automated configuration management tool. Security solutions can also be swapped out with a little more effort.

Elastic leadership highlights four general themes which they believe create a competitive advantage in terms of positioning Elastic products, relative to other offerings on the market. As these themes materialize, we could see an inflection point in customer adoption and expansion for Elastic. This would drive an acceleration of revenue growth for Elastic, which could lead to expansion of valuation multiples over the next year or two.

Developer Led Model – Programmability

Fundamental to the Elastic thesis relative to competitive offerings is its inherent openness and programmability. Compared to competitors in most solution sets, Elastic offers the only platform in which all source code is open. This implies that developers at customer organizations can extend aspects of the platform to build a custom solution for any use case.

It also underscores the developer led model. Most enterprise customer relationships for Elastic begin with a single use case addressed by a developer. From there, use cases often expand across teams and solution categories. Over time, large customers form an internal Elastic practice team, which provides standard configurations, training and support to other teams interested in Elastic. The transparency of open source and Elastic’s own developer evangelism enable these efforts. Also, as developers move from one company to another, they often bring their preferences for tooling with them.

Elastic – Analyst Meeting Presentation, Oct 2020

While Elastic embraces open source, they do have a thoughtful monetization strategy. They created an open core model which makes some features free to use, but proprietary. This prohibits other cloud vendors from providing a hosted version of the full open source distribution. Elastic has three levels of software licensing:

  • Open Source: Free to use, with non-proprietary features
  • Basic: Free to use, but features are proprietary
  • Subscription (Gold, Platinum, Enterprise): Paid and proprietary
Elastic – Analyst Meeting Presentation, Oct 2020

In this structure, only the open source version of the code can be hosted by another party (like AWS). The Basic and Subscription versions include many of the value-add features that Elastic has built on top of the open source distribution. Examples are Kibana Lens, Searchable Snapshots, Schema on Read and the new Elastic Agent. Going forward, Elastic leadership said that all new, large innovations on the Elastic Stack will at least be in one of the proprietary distributions (whether Basic or Subscription). This by itself will continue to increase the gap between Elastic’s distribution (even the Basic, but free version) and the forked distribution that AWS hosts, which is based on the open source distribution. This means that subscribers of the AWS Elasticsearch service would not have access to any of the new, value-add features. Elastic leadership recently published that greater than 90% of all Elastic downloads include the Basic distribution.

The other significant consideration for this software distribution model is that any distribution hosted on the Elastic Cloud offering is paid. That means Elastic generates revenue even from customers that do not choose one of the Subscription plans but want Elastic to host the installation for them. As with many managed cloud services, customers will pay to have a vendor host the service for them. This reduces their operational overhead, ensures that best practices are followed and provides access to system experts for support issues.

Elastic’s Cloud offering is the fastest growing segment of their business. As mentioned previously, it grew by 86% percent year/year in the most recent quarter and now makes up 25% of total revenue. Once on Cloud, the upgrade for customers into additional paid packages is seamless.

As a measure of the appeal of Elasticsearch to developers, Stack Overflow (popular online resource for developers) conducts an annual survey in which they ask 65,000 developers about their preferences across a number of technology types. Included is input on programming languages, frameworks, tools and platforms. Elasticsearch is lumped into the databases category. Developers rank it as the third most “loved” data store. Elasticsearch has the highest ranking amongst solutions for search.

Stack Overflow Developer Survey, Feb 2020

Broadest Set of Solutions – Observe and Protect

Another competitive differentiation has to do with the breadth of the Elastic solutions. This is particularly relevant for the combination of observability and security. With the emergence of DevSecOps, enterprises are beginning to prefer a single toolset that can perform both application and security monitoring. Because activity on network and server instances is the primary source of signals for malicious behavior, it makes sense to deliver security threat monitoring from the same system that is performing application performance monitoring. This provides the benefit of having both the DevOps and Security teams looking at the same data. It also simplifies the deployment overhead, as a single agent can be distributed onto all monitored hardware.

Elastic – Analyst Meeting Presentation, Oct 2020

This combination of application observability and security monitoring is not unique to Elastic. Splunk offers both a SIEM solution as well as recently added support for all three pillars of observability. Datadog started in observability and recently added security monitoring.

Yet, Elastic is the only vendor that has added endpoint protection to the mix, as a result of their Endgame acquisition in 2019. Not only did this bring a packaged endpoint protection solution, but also added 100 engineers with security expertise to the technology team. These resources are being leveraged for both supporting the endpoint protection offering and contributing incremental capabilities to SIEM. The Endgame solution was built on the Elastic Stack, even prior to acquisition, providing an easy glide path to code integration. Elastic’s plan is to integrate it into the full Elastic Stack, like other packaged solutions.

Elastic Web Site

This integration is off to a solid start. As discussed in the version 7.9 release, Elastic moved to a single agent and added malware protection. The plan is to continue to add additional layers of endpoint protection in upcoming releases. This puts Elastic on the path to fulfill the CEO’s rhetorical question “If we observe, why not protect?”

Currently, endpoint protection is the domain of other enterprise security vendors, like Crowdstrike and VMware Carbon Black. While Elastic hadn’t been included in prior industry reports on EDR, Forrester did add them in the March 2020 Forrester Wave for Enterprise Detection and Response (EDR). In it, they named Crowdstrike as a leader and Elastic as a Strong Performer.

Forrester Wave for EDR, Q1 2020

Crowdstrike has the leading EDR solution due to its superior threat detection capabilities. These are supplemented by Crowdstrike’s OverWatch product which provides a threat hunting service. This data, combined with Crowdstrike’s other threat intelligence services, is fed back into threat detection rules in real-time. Due to Crowdstrike’s expanding client base and centralized platform, their threat detection capabilities are constantly improving and are best positioned to identify bleeding-edge attacks.

Forrester provides an interesting mix of complimentary and critical commentary about Elastic’s EDR solution. I will paraphrase the salient points:

  • Excited about the potential for combining an EDR solution with a security analytics platform.
  • Very negative on the Elastic licensing model that is based on consumption rather than number of endpoints being protected. Forrester thinks this will limit adoption by customers as usage-based billing is less predictable than licensing a set number of devices to protect. (Of course, this is counter to what Elastic leadership contends their customers are requesting)
  • Product feels disjointed. There is good vision, but seems like a cobbling together of several advanced concepts.
  • Client feedback is very positive about detection capabilities and the ability to customize the solution and the data that is being collected.

What is notable is that Elastic’s EDR solution may be considered “good enough”. It will not win endpoint protection deals from companies looking for the best-of-breed solution. However, there may be a set of enterprises to whom a good solution that checks most of the boxes will suffice. These may choose the Elastic platform, because they desire a full observability solution, that also includes security monitoring and protection, as well as enterprise search. Additionally, Elastic is continually improving these capabilities. While Forrester has them in the Strong Performer category now, it’s possible this will improve further over time.

Single usage and pricing model

Underlying Elastic’s entire commercial model is the concept of resource-based pricing. This means that once a subscription level is selected, the customer can apply their allocated usage to any use case desired – some processing cycles for observability, some for security, some for enterprise search, some for custom use cases. Elastic doesn’t try to charge on a per machine/document/log/user/endpoint basis. This flexibility in usage is presented as a competitive advantage by management. Elastic is pushing this notion of unified pricing in its marketing strategy.

Elastic – Analyst Meeting Presentation, Oct 2020

The Elastic sales team also promotes the notion of usage based pricing with customers. The benefits to customers are no hidden costs, a simple billing statement and a transparent path to adding new solutions. If the customer needs to limit expense in a period, they know they have the ability to simply prioritize certain workloads. Of course, this can result in some lumpiness in revenue generation for Elastic, particularly in distressed times (like now), because customers can quickly ramp down usage. However, the Elastic leadership team contends that this flexibility will promote more growth under normal circumstances and lowers the barrier for initial sales and expansions.

Cross-sell Solutions from a Single Platform

Elastic leadership feels the strongest growth opportunity is driven by the expansion opportunity after they land a large customer. The initial installation is usually developer-initiated, to address a single use case in one business unit. From there, usage often expands to more teams and use cases. Then, if the company started with a single solution, like logging, they will expand into full observability and then add security. Or, they will start with enterprise search and expand into observability (or vice versa).

Elastic – Analyst Meeting Presentation, Oct 2020

Elastic contends that this expansion is enabled by their simple usage-based pricing model and seamless upgrade process to additional paid features. This is even easier on Elastic Cloud, as users don’t have to worry about provisioning additional servers and billing is integrated with the cloud providers.

With the release of the single, unified agent in version 7.9, Elastic has enabled simple installation and “one-click on-boarding of new data sets”. Further, they are leveraging the unified agent to get further into the security domain. If a single agent can both observe and protect, it dramatically simplifies management overhead for the DevSecOps team. This will be a reality when endpoint security is fully bundled into the same agent that collects observability data for logs and APM.

The implications of this could be compelling. If server endpoints (containers) can be protected as a by-product of monitoring, then why would an enterprise need to spend money on licenses from other endpoint protection vendors, at least for these endpoints? I realize this is a tricky assertion, though, as many customers would bias towards a provider that focuses exclusively on enterprise security and presumably has a better solution.

Yet, Elastic leadership claims this expansion across multiple solutions is already happening. On the earnings call, the CEO highlighted a recent meeting with a major customer, in which they were “super excited about the vision that we’re painting when it comes to our Observability solution, and they’re even more excited about the ability to fold Security into the same team and the same efforts.” Leadership also called out a customer expansion in the Q1 earnings report with one of the largest global beverage companies to use Elastic to provide endpoint protection for remote employees.

Further, during the recent Analyst Meeting, the CFO discussed how 75% of Elastic’s largest customers (>$1M in spend) are already utilizing more than two solutions. By solutions, they mean a use case in each category of Enterprise Search, Observability or Security. Two use cases in one category, like APM and logging, would count as one solution (Observability) in this context.

Elastic – Analyst Meeting Presentation, Oct 2020

During the Analyst Meeting, Elastic’s head of sales described several examples of customers that landed with Elastic on a single solution and then expanded over time to add others. The examples provided were for a large U.S. financial services company, an EU telecomm provider and a large U.S. retailer. In all cases, spend started around $0.1M several years ago and then expanded over 3-4 years to a range of $1.7M to $4.7M. All customers are using all three solutions today.

He provided the following progression, as an example, for the Financial Services company:

  • Started with Enterprise Search for a client application.
  • Wanted to observe the same application for performance and availability. Chose to apply Elastic Observability for this purpose. Also noteworthy is that the broader organization was already a Splunk customer.
  • More use cases for Elastic emerged. The company created a centralized platform team around supporting Elastic solutions in 2018.
  • The centralized team conducted training, offered support and ran hack-a-thons for the Elastic Stack.
  • Most recently, the company began using Elastic for Security use cases.
Elastic – Analyst Meeting Presentation, Oct 2020

Seeing examples like this, it is easy to imagine how Elastic has been able to maintain such a high Net Expansion Rate (still over 130% in the most recent quarter). As the customer example illustrated with Splunk, there are likely opportunities to displace other technology providers in observability and security in consideration of the simplicity of the single platform, billing, agent deployment and vendor relationship. During the Analyst Meeting, the CFO mentioned that Elastic now has hundreds of APM customers and is winning in some contested deals for APM.

This provides a competitive strategy that investors should monitor. On one hand, Elastic solutions in Observability and Security still lag the leading competitive offerings. But, the gap is closing as Elastic continues their rapid release cadence, at least for the major expected basic features (like adding Service Maps and Alerting over the past quarter). As the Observability and Security markets mature, it is possible that we see some commoditization of features, where most vendors can check the majority of boxes. In that case, a platform approach like Elastic’s with unified, resource-based billing and open, extensible source code, may appeal to a subset of enterprise customers looking to simplifying their maintenance overhead and number of vendor relationships.

Elastic Take-Aways

Elastic’s revenue continues to grow at a favorable clip, but annualized growth has been decelerating over the last two quarters. The challenge for investors is to understand if this is a result of COVID-19 impact or competitive encroachment. Forward guidance for the remainder of 2020 doesn’t provide much reassurance either, with Q2 (October end) revenue projected to grow 29% and full year guidance (April 2021 end) raised to 28% growth. Even with a similar beat as Q1, Q2 revenue would land in the high 30% range, down from 44% this past quarter.

Elastic – Analyst Meeting Presentation, Oct 2020

Looking forward, while calculated billings remained inline with revenue this quarter, management still expects COVID-19 headwinds to impact billings in future quarters over the remainder of the year. On the earnings call, the CFO did talk to linearity in Q1. Top -of-funnel sales activity has been consistent through the quarter at a high rate. The challenge is in determining when that business will close, due to lengthening sales cycles with customers.

With slowing revenue growth, though, profitability measures continue to improve. Operating margin ticked up to -3% in Q1, up roughly 24% from -27% a year ago. FCF margin offered another surprise, jumping to 17% this past quarter, from -4% a year ago. Granted, the CFO discussed the fact that FCF can vary from quarter to quarter, but Q1 represented a nice jump to positive $21.6M, versus a loss of $3.3M a year ago. This was driven by strong collections and general business improvement. The CFO expects free cash flow margin of approximately -2% to -4% this fiscal year, with the goal of achieving positive FCF margin next year. Lack of improvement in profitability measures was a common gripe against the Elastic investment thesis last year. This year’s results show meaningful progress.

Elastic – Analyst Meeting Presentation, Oct 2020

Customer growth provides another bright spot. While revenue growth may be depressed as some customers cut back on usage and new deals take longer to close, Elastic has still been able to expand customer counts. Total subscription customer count ended Q1 over 12,100, up 7% sequentially and 38% year/year. Growth in large customers with ACV greater than $100k did slow slightly in Q1, with sequential growth of 3% and annual growth of 33%. This may provide some insight into overall revenue deceleration as existing customers likely cut back on spend or were more cautious with add-ons. This is consistent with reported activity from other software providers, like AYX and DDOG.

Even with this slowdown, the NER remained above 130%. The good news is that total customer growth has been consistent, which diminishes concerns over competitive encroachment. In the Analyst Meeting, leadership provided data on customer expansion by cohort going back to FY2013. This demonstrates the gradual increase in spend that large customers exhibit as they continue to apply Elastic to more use cases across teams and solution categories.

Elastic – Analyst Meeting Presentation, Oct 2020

As discussed in the competitive section, it is this expansion motion across multiple solution categories that represents the biggest opportunity for Elastic. With 75% of $1M+ ACV customers using two or more solution categories, Elastic has evidence that some set of large enterprises will apply Elastic to span Enterprise Search, Observability and Security use cases. Given that they have a foothold in 620 of the Forbes Global 2000, but only 50 current customers with ACV over $1M, there is a lot of room to expand in their existing large customer set. By itself, this expansion could provide a long tail of revenue growth over several years.

All-in-all, I think Elastic represents an interesting opportunity for investor alpha in 2021. While revenue growth has been decelerating for the past 2 quarters and probably the remainder of this year, I think COVID-19 and its impact on enterprise IT spend likely drove a lot of this. As COVID-19 stabilizes and enterprise IT spend increases again in 2021, we could see a re-acceleration of revenue growth. Elastic’s product offering, spanning multiple solutions, coupled with their friendly resource-based, unified pricing model could drive renewed customer demand.

At a 21 P/S ratio, Elastic is reasonably priced relative to peers. This likely reflects expectations for lower revenue growth going through this year into the 30% range. If Elastic can return to 40% revenue growth in 2021 (aided by lower comps this year and pent-up demand) and they achieve their goal of inflecting to positive FCF next year, then we could see multiple expansion and share appreciation as models adjust for 2021 revenue targets. This underscore the opportunity for investors to find a name with a strong foundation that can reach a new (or renewed) revenue growth phase after some consolidation. We have observed several names in 2020, like BAND, TWLO and DOCU, that are demonstrating accelerating revenue growth and delivered YTD share appreciation over 200%.

Investment Plan

I first initiated coverage of Elastic in March 2020, when it was trading at about $49 a share and set a 5-year price target of $170. Most recently, ESTC hit a peak near $128. While it has appreciated nicely off of March lows, it is up about 87% year to date. Given the uncertainty around revenue growth for the remainder of the year, I will keep my price target intact for now and will revisit this in early 2021, once we have a better view into the IT spending environment and another couple quarters of results for ESTC.

In the meantime, I have about a 4-5% allocation to ESTC in my personal portfolio. This is roughly inline with my allocation coming out of Q4 results. I plan to maintain this for now, and may add to it if I see signals emerging confirming that Elastic’s revenue growth is beginning to pick back up. Once the 2021 picture becomes clear, I could ramp this up to a larger position if I think Elastic will benefit from the multiple expansion discussed earlier.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.

7 Comments

  1. dmg

    Another excellent and exceedingly thorough update/commentary, Peter. Thank you very much. Me being me, I still have a few questions, which I will limit to the core topics…
    01. You state many times that almost all of Elastic’s product offerings are 2nd best. Do company execs have any aspirations (or pretensions) of being best in any of their product categories? Or is their argument forevermore that the platform/unified account and billing IS their best solution? This item is important to me because I choose to invest exclusively in companies that offer the best solutions — that also sell well. (What use is a great product if you prove unable to sell it? What use is the best conception if you cannot execute? etc.) I sold Splunk/SPLK to buy Elastic/ESTC almost 2 years ago because I heard scuttlebutt that Elastic, at that time, won competitive bids from Splunk. Since then, both companies are vastly different… Perhaps it is time to re-think my Elastic holding?
    02. In your interview with Austin Lieberman, you mentioned the stock that most excites you for 2021, after the two edge companies, is Elastic/ESTC. You mention above your hesitation about why you have yet to increase your investment. What exactly are the signals or tripwires that that would convince you to buy more shares? It cannot be a recrudescence of growth – or not solely – because by the time those earnings numbers are revealed Elastic/ESTC shares would be materially higher than today’s price.
    03. You mention the headwind that is Covid, that an abatement of that headwind could provide an impetus for Elastic as 2020 expires and 2021 begins. And yet, sadly, Covid instead resurges. It seems to me that we all around the globe (at least the northern hemisphere) are in for a world of hurt over the coming 3-4 months: more infections, more hospitalizations, more dead people. How would that new(-er) reality help or hurt Elastic? From your former position in C-Suites (not solely as an investor), how will company execs react? (Everyone is human, after all.) Perhaps as they did in the initial WFH paradigm, with a further quickening of the Digital Transformation? Or …? I apologize for the hypothetical but we, as investors, must game all possible outcomes so we know precisely what to do when our preferred outcome is not the one that transpires.
    04. You sold ~ 50% of your Fastly/FSLY position in the past few days. I can guess your motivation but prefer to know with certainty. Perhaps an appetizer of your likely future and more meaty post?
    05. I note you used only a fraction of the FSLY proceeds to increase your Cloudflare/NET position… Is this a vote of lessening confidence in the entire Edge paradigm consequent to Fastly’s S3? Or a separate worry about increased risk/lessened reward in the market in general?
    06. Cloudflare/NET is NOT included on your “coverage” page with a “5-year target.” What is your expectation for Cloudflare/NET’s share price destiny?

    I wanted to post questions 4-6 in their proper threads but those post’s comments threads are closed, I think?

    Thank you again for the excellent commentary above AND in advance for your answers to my questions.
    David

    • poffringa

      Sure, no problem. Thanks for the feedback. I will give brief answers here. If you want to discuss in more detail, feel free to email me at analysis@softwarestackinvesting.com.

      1. I think Elastic leadership intends to continually improve their solutions in each category. They make progress with each release. I think the key question isn’t whether they need to be the best (let’s say defined by the most extensive features) in each category, but whether they can reach the threshold of “good enough”. We can think of other products that have more features than are needed for 80% of users (like Excel vs. Google Sheets). I think Elastic is approaching “good enough” in each category (really applies to Observability and Security, not Search), as evidenced by the fact that 45% of customers spending > $1M ACV use all three solutions.
      2. I have added a little to my ESTC position since I published the article. From here, to continue increasing, I would like to see where revenue growth stabilizes, as it has been decelerating over the past couple of quarters. That would mean seeing two quarters with roughly the same revenue growth. Then, I would be comfortable leaning in, as the other factors I discussed should help with re-acceleration. I don’t worry that I might miss this inflection.
      3. I use the COVID label as a headwind, but more specifically, I would like to see meaningful IT spending allocated towards application development projects (call it digital transformation). I think COVID created a few waves of IT spend prioritization. First wave was to enable remote work immediately (ZM). Second wave was to secure the enterprise because of that (CRWD). Third wave will be building better customer experiences. That is where we should see spend for Elastic (and others like DDOG) pick back up.
      4. My portfolio allocation to FSLY went from roughly 40% to about 20%. Half of that was due to the drop in price from $120 to $80. The other half was re-allocation to NET, DOCU, TWLO and ESTC. I needed to balance my portfolio for FSLY’s size, but wanted to avoid a large capital gains hit. At the lower price, this was possible. Not ideal, but more palatable. If FSLY recovers to ATH, it will be my largest position again.
      5. Between FSLY and NET allocations, I am now at about a 40% allocation to edge networks. I think both will benefit. I really like how NET is executing and think the two will compete in some areas and diverge in others. There is a large market opportunity IMO. Of course, I am very much looking forward to the Q3 reports for both.
      6. I plan to publish a deep dive on NET after earnings and will set a 5-year PT at that time. In advance of that, I did start building a position in NET in August after Serverless Week and Q2 results. I kept increasing that through Birthday Week and Zero Trust.

  2. Jason R Emery

    In you recent email update, at the end of the Twilio section when you wrote,, “While performance can vary from quarter to quarter, I think Twilio offers a reasonable bet on the need for enterprises to improve the effectiveness and reach of their customer communications.”. My being a big fan of Slack, I immediately thought of the many ways Twilio also work in B to B also.
    I’ve noticed in your writing in many places in you fantastic write up that you often include how Slack fits in to your assessments. What do you think about what Slack has to offer compared to Twilio in the Enerprise space? Do think you might include Slack in the companies you cover?

    • poffringa

      Slack and Twilio target different markets with their services. Slack provides a system for internal company communications and collaboration. It falls into the same customer spending category as business productivity tools. Twilio enables developers to add communications services to their software applications and spend is managed by the VP Eng/CTO. I don’t think the two will intersect any time soon.

      My coverage focuses on tooling for software development, so I would likely not add coverage for Slack.

  3. Samuel1

    Thanks for the incredibly thorough analysis. When do you plan on writing an article regarding fastlys q3 results? Would like you thoughts on the massive drop in share price

    • poffringa

      Hi – thanks for the feedback. I am waiting for Fastly’s user conference to be held on Nov 10-12 before publishing my full analysis. That will include the Q3 results, but more importantly to me, what is discussed at the user conference regarding the product roadmaps for Compute@Edge and Secure@Edge. Also, we should get a peak at some actual customer use cases for edge compute.

      • Samuel1

        Thank you for the response.