Investing analysis of the software companies that power next generation digital businesses

Elastic (ESTC) Q2 Recap

Elastic announced Q2 FY2021 (Aug – Oct) earnings on December 2nd. The results were well ahead of expectations, with significant beats on both revenue and EPS. They also delivered a meaningful improvement to profitability measures, with non-GAAP gross margins ticking up 2.5% and operating margin almost at break-even. Next quarter and full year guidance were raised about 5-6% as well, but still reflect some conservatism due to the macro environment. The market reaction to the results was positive, with the stock spiking 12.6% on December 3rd and climbing another 6.1% the day after. On the earnings call, the leadership team provided updates on customer wins and their broader go-to-market strategy. Elastic’s rapid product development cadence continued with a major release in November, that included searchable snapshots, RUM, synthetics and Kibana Lens.

Additionally, Elastic held their annual user conference ElasticON in mid-October. The event was packed with over 300 sessions and 25,000 user registrations. Most interesting were the many customer presentations, revealing the depth and breadth of usage of Elastic solutions within large enterprises. This underscored Elastic’s product strategy of usage expansion across multiple solution categories from a single platform with a unified, resource-based pricing model. In this post, I review Elastic’s Q2 earnings and other business updates that occurred during the quarter. I also examine product enhancements and Elastic’s general competitive positioning. For additional background on the Elastic investment thesis, interested readers can review my past quarterly updates and original deep-dive.

Headline Financial Results

  • Q2 FY2021 Revenue of $144.9M, up 43.3% year/year (40% in constant currency) and 12.4% sequentially from Q1. This compares to the consensus estimate for $130.5M, which would have represented growth of about 29.1%, and the company’s own guidance from Q1 of $129-131M. Prior quarter revenue growth in Q1 was 43.7%. Revenue growth appears to be stabilizing in the low 40% range, after decreasing notably over the past several quarters.
  • Q2 Non-GAAP EPS was ($0.03) versus ($0.20) expected, for a beat of $0.17. Q1 Non-GAAP EPS was ($0.05), after adjusting for a one-time accounting-related benefit. Q2 FY2020 was ($0.22). Earnings upside was attributed to revenue outperformance.
  • Q2 Non-GAAP operating loss was $1.7M for an operating margin of -1.2%. This is an improvement from Q1’s loss of $4.3M and operating margin of -3.3%. It also compares to an operating margin of -18.2% in Q2 FY2020.
  • Q2 FCF was -$18.6M for a FCF margin of -12.8%. In Q1, FCF was $21.6M for a FCF margin of 16.7%. In Q2 FY2020, FCF margin was -1%. On the earnings call, the CFO commented that FCF is very variable quarter to quarter due to payments collection and should be judged on an annualized basis. The target for this fiscal year is to deliver FCF margin of -2 to -4%. For next fiscal year (starts in May 2021), elastic intends to deliver positive FCF margin.
  • Q3 FY2021 (January end) revenue guidance of $145-147M, for annual growth of 29.0% at the midpoint. This compares to analyst estimates for $139.9M, or 23.6% growth. Interestingly, the annualized estimated growth rate of 29% for Q3 is about the same as the original estimate for Q2, which called for 28.6% growth. This further supports the notion that revenue growth is stabilizing. A beat of the same magnitude in Q3 would put actual revenue growth in the low 40% range again, representing rough linearity in annualized revenue growth from Q1 through Q3.
  • Q3 Non-GAAP EPS estimate of ($0.16) to ($0.14 ), compared to the analyst consensus for ($0.28).
  • Q3 Non-GAAP operating margin estimate is expected to be between -8.5% to -7.5%. The original estimate for Q2 was for operating margin of -11% at the midpoint, with the actual at -1.2%. A similar beat in Q3 would push operating margin to slightly positive.
  • FY2021 (end April 2021) Revenue target raised to $568 – $572M, representing growth of 33.3% at the midpoint. The company’s prior guidance from Q1 was $544 – $550M for growth of 27.9%. Analysts had estimated $549M on average for growth of 28.4%. So, Elastic raised the full year revenue growth estimate by about 5% of annualized growth. This also puts the company on a path towards delivering roughly 40% revenue growth for the full year.
  • FY2021 Non-GAAP EPS estimate was raised to ($0.40) to ($0.32), up from the company’s prior guidance of ($0.83) to ($0.69) and the analyst consensus for ($0.71). The magnitude of the loss has been improving rapidly as the year progresses.
  • FY 2021 Non-GAAP operating margin is expected to be between -7.0% to -6.0%. This is an improvement from -13.5% to -11.5% last quarter and -15% to -13% at year’s start.
  • Ended Q2 with cash and cash equivalents of $349M, down just $1M from Q1.
Elastic Q2 FY2021 Earnings Deck

Other Performance Indicators

  • Q2 Non-GAAP gross margin of 76.9%, compared to 74.4% in Q2 FY2020 and 76.6% last quarter. The expansion of Elastic Cloud will temper further gross margin improvement as it grows in revenue contribution.
  • Q2 SaaS revenue was $37.4M, representing an increase of 81% year/year and 14.7% sequentially. In Q1, SaaS revenue was $32.6M and grew 86% year/year and 12.4% sequentially. SaaS revenue is associated with Elastic’s Cloud offering. SaaS now makes up 25.8% of total revenue, as compared to 20.3% a year ago.
  • Q2 Calculated billings was $177.7M, increasing 42% year/year. This compares to Q1 billings of $130.0M, representing an increase of 45% year/year.
  • At the end of Q2, total deferred revenue was $309.2 million, up 54% year over year. Deferred revenue was $277.5M in Q1, increasing 63% year/year.
  • In Q2, Remaining performance obligations (RPO) totaled approximately $644 million, up 57% year over year. In Q1, RPO was $576M, up 59% year/year.
  • In terms of geographic distribution of sales activity, 45% of revenue was generated outside the United States. Billings growth was strongest in EMEA this quarter, followed by the Americas and then APJ. Within the Americas, Elastic also experienced strong performance in the U.S. federal business.
  • Contract lengths were slightly longer compared to a year ago and were a little over 1.5 years on average.
  • Breaking down Q2 FY2021 Non-GAAP expenses by category, we see a substantial reduction in y/y percentage of revenue spend in S&M and some reduction in R&D and G&A. The operational leverage in S&M is encouraging to see, while continuing to grow revenue at a high rate. Some of the improvement can be attributed to reduced levels of travel.
    • R&D = 26.6% (versus 31.4% in Q2 FY2020 and 29.1% in Q1)
    • S&M = 37.6% (versus 46.5% in Q2 FY2020 and 36.7% in Q1)
    • G&A = 13.9% (versus 14.7% in Q2 FY2020 and 14.0% in Q1)
  • Ended the quarter (October 2020) with 2,029 employees, versus 1,962 at end of Q1 (July 2020) and 1,936 at end of Q4 (April 2020). This represents sequential growth of 3.4% last quarter versus sequential growth of 1.3% in the prior quarter. At the end of October 2019, the company had 1,886 employees. This represents annualized growth of 7.6%. Hiring has re-accelerated in Q2 after a slowdown in first half of the year, due to COVID-19.
Elastic Q2 FY2021 Earnings Deck

Analyst Reactions

Following Elastic’s Q2 earnings results, a number of analysts published updated coverage ratings. Of these, all analysts raised their price targets. Six analysts set a Buy rating and 3 maintained a Hold equivalent. The average price target for these updates is about $145, representing a 7.4% increase from the closing price after earnings of $135 on December 3rd. It is notable that Canaccord and RBC had just updated their price targets in mid-October, following Elastic’s Investor Day event.

DateAnalystRatingPrice Target
12/3CanaccordBuyRaised from $145 to $150
12/3RBCOutperformRaised from $140 to $155
12/3BarclaysOverweightRaised from $140 to $151
12/3Piper SandlerOverweightRaised from $127 to $145
12/3StifelHoldRaised from $125 to $145
12/3Monness CrespiBuyRaised from $142 to $156
12/3Goldman SachsNeutralRaised from $114 to $130
12/3JP MorganNeutralRaised from $120 to $125
12/3DA DavidsonBuyRaised from $130 to $150
Ratings Assembled from MarketBeat, YCharts

Following the earnings report, Monness Crespi issued the highest price target of $156. Analyst Brian White provided the following commentary.

Monness Crespi analyst Brian White raised the firm’s price target on Elastic to $156 from $142 and keeps a Buy rating on the shares. The company reported “exceptional” fiscal Q2 results and issued a “strong” Q3 outlook while raising its fiscal 2021 guidance, White tells investors in a research note. The analyst believes Elastic will continue to benefit from “strong secular tailwinds,” expanded capabilities and accelerated digital transformation initiatives.

Thefly.com, December 3,2020

RBC analyst Matthew Hedberg set the next highest price target and with commentary about relative valuation. I think this echos a similar observation I will make that Elastic’s valuation lags that of peers.

RBC Capital analyst Matthew Hedberg raised the firm’s price target on Elastic to $155 from $140 and keeps an Outperform rating on the shares. The company delivered “strong” results with “marked” revenue and billings outperformance, the analyst tells investors in a research note, adding with its SaaS revenue rising 81% to 26% of the total, he would expect the stock to start to close its 25%-30% valuation gap relative to its similarly-growing peers.

Thefly.com, december 3,2020

Customer Activity

Total customer count was 12,900 at the end of Q2. This is up sequentially 6.6% from 12,100 in Q1 and 33% from 9,700 at the end of Q2 FY2020. The absolute increase of 800 new customers in Q2 was the same as the 800 added in Q1 (which was up 7.1% sequentially from 11,300 at end of Q4). Extrapolating out further, Elastic had 10,500 total customers at end of Q3 FY2020. This means that the company has added about 800 new customers consistently per quarter for the past year.

Customers with Annual Contract Value (ACV) over $100k increased by 20 to 650 in Q2. In Q1, this count increased by 20 as well from 610 at end of Q4. This customer count was 525 at end of Q2 FY2020 for annualized growth of 23.8%, down from 32.6% last quarter. Looking further back, Elastic had 570 of these customers at end of Q3 FY2020. This means the rate of increase in these larger customers has been decreasing in the last four quarters, with adds of 45, 40, 20, 20.

This is reflective of broader IT spending scrutiny due to COVID-19 and softness in impacted verticals. The CFO has commented in the last two quarters that customer sales cycles are lengthening and larger deals require higher levels of approvals. These drags on large deal closure are consistent with commentary from peers, like Splunk and Datadog. We will want to watch large customer growth as COVID-19 abates and generalized IT spending levels recover. The fact that total customer adds have been consistent over the past 4 quarters indicates these are not competitive losses.

Net Expansion Rate continued to be greater than 130%. This is similar to Q1’s rate, although management did note that it ticked down a few percent because of slower expansions from some customers due to COVID-19. The rate is now “modestly above” 130%. Elastic does not report the exact value for NER, but anything over 130% is considered best in class.

Leadership highlighted a number of customer wins during the past quarter that are worth reviewing.

  • At the ElasticON Global event in mid-October, several large, existing Elastic customers spoke, including Cisco, Audi, Rocket Homes, and Wells Fargo. In his opening remarks on the earnings call, the CEO mentioned that all of these renewed business with Elastic in Q2.
  • A prominent U.S. government entity closed a new multi-year contract with Elastic in Q2 for the enterprise search product. In this case, the agency needed granular security controls to manage content access by user type for both public and internal applications.
  • A leading U.S. aerospace company renewed business with Elastic for enterprise search within their aircraft maintenance program. Elastic powers search for an internal application that provides employees with access to aircraft parts, schematics and other documentation for repairs.
  • Grab, the leading ride-hailing and food delivery service in Southeast Asia, expanded business with Elastic in Q2. They utilize the Elastic Stack for operational observability, including log analytics to monitor pickup and drop-off logistics, cost analysis for waiting times and search latency across their taxi, ride-sharing, and food and grocery delivery services.
  • A global payment company renewed a multi-year contract with Elastic to power multiple use cases from log analytics to APM to real-time business monitoring across high volumes of global transactions. They value the unified technology stack and consolidated, resource-based pricing.
  • A large U.S. financial services company renewed a multi-year contract for log analytics. They appreciated Elastic’s recent investment in searchable snapshots, allowing them to maintain more log history for a lower cost. They also see opportunity to expand into APM.
  • A global online travel agency for lodging and reservations expanded Elastic business for security. They wanted a unified security solution that allows for internal compliance and auditing, but manages total cost of ownership.
  • Bell Canada renewed a multi-year contract for both operations observability and network security.
  • A large property, casualty and auto insurer in the U.S. closed a new multi-year business contract that adds security to their usage. This complements their existing enterprise search and observability workloads, further reinforcing Elastic’s strategy of addressing multiple solutions with one technology stack and pricing model.
  • Rocket Homes (part of Rocket Companies) renewed and expanded business on the Elastic Cloud. They use Elastic to power application search across all their property data. They value the speed and programmability of Elastic’s search at high scale.

The big take-away from these customer wins and expansions is that they underscore the trajectory of use case extensions into other solution categories. Elastic’s offering is oriented around three main solutions – enterprise search, observability and security. Customers will often start their use of Elastic on one of these solutions, like app search for their e-commerce service or log analysis as part of observability. Over time, they discover how easy it is to extend their use of Elastic towards other use cases and solutions. They might add APM to log analysis within observability and then take advantage of SIEM within the security solution, since the event data is already loaded into the Elastic Stack. They might later need a solution to search for content across their many enterprise SaaS apps, and add Workplace Search. All Elastic solutions can be leveraged through a single resource-based pricing model, preventing the need to revisit the original vendor contract in order to add-on a new use case.

At Elastic’s Analyst Meeting in mid-October, leadership shared metrics around this solution expansion motion for large customers. For customers that spend greater than $1M in ACV, over 75% use two or more Elastic solutions. More than 45% of these customers use all three. In this context, a solution only counts if there is a use case in each distinct category. APM and log analysis would still only count as one solution in observability. APM and SIEM would count as two solutions, one for observability and one for security.

Elastic Q2 FY2021 Earnings Deck

At end of FY2020 in April, Elastic reported that they had over 50 customers spending more than $1M ACV, up from 30 at the end of FY2019 period. It is the solution expansion motion that is driving growth in these types of customers. Further, the percentages of multiple solution adoption are lower for the smaller >$100k ACV customers. This implies that the primary expansion motion for large customers is to adopt multiple use cases across solution categories using Elastic’s single stack and pricing model, and that this motion is continuing.

This trend directly reinforces Elastic’s strategic value proposition as espoused by leadership. That is that large customers like the idea of applying the Elastic platform towards addressing multiple use cases. They prefer the simplicity of maintaining a single technology stack for all these solutions (training benefit) over utilization of separate point solutions from different vendors. The other dimension of Elastic’s value proposition is their resource-based pricing model. The consolidation of use cases allows the customer to address all these solutions through one bill. Additionally, they can shift usage around by use case to optimize their spend in a particular period if needed. This is an advantage over having duplicated cost overhead through multiple vendor relationships.

Elastic Analyst Meeting Presentation, October 2020

At Elastic’s Analyst Meeting in October 2020, leadership shared several examples of large customers who went through this expansion cycle through all three Solutions across multiple years. In the example above, a large U.S. financial services company started with an initial purchase of Elastic in 2014 for about $100k in log analysis. They subsequently expanded their usage and adoption to add other Observability use cases and then Security and Enterprise Search. Last fiscal year, they spent $4.7M.

Two other examples were for a major European telecommunications company that increased spend from $100k to $3.1M over 5 years and large U.S. retailer who grew spend from $250k in 2016 to $1.7M last year. In these cases as well, the customers adopted all three solutions of observability, security and enterprise search.

Head of Sales

Elastic’s enterprise sales efforts should start to benefit going forward from the efforts of the new Head of Sales. As investors will recall, in conjunction with the Q1 earnings release, Elastic announced the hiring of Paul Appleby as President, Worldwide Field Operations. He will lead all go-to-market functions for Elastic, responsible for enhancing the customer journey, driving global revenue growth, and developing strategies for addressing the large market opportunity for Elastic. He is replacing long time sales head Justin Hoffman, who had been leading sales since 2012, when Elastic was much smaller.

Appleby was most recently the CEO of Kinetica, which is a large scale data analytics company. Prior to Kinetica, he was president of worldwide sales and marketing at BMC. He also served in senior leadership roles at Salesforce, Siebel Systems, C3 AI, Travelex and SAP. He obviously has deep experience in sales leadership at enterprise software companies. The recent experience as a CEO makes him more compelling in this critical role. He will bring a broad operating perspective and should provide a great sounding board for long-time founder and CEO Shay Banon.

Elastic’s CFO discussed the intent of this hire in more detail during the Jefferies Software Conference interview on Sept 14th. He said that Elastic has the potential to become a significantly larger business. While the existing sales leader has performed well over the last 7 years, they wanted to bring in a new leader who had experience operating at scale, with the goal to put processes and team in place to grow Elastic revenue to “$1B and beyond.” The CFO mentioned that Paul had already hit the ground running over the past several weeks. They expect he will “accelerate growth over the medium term”.

Product Development Activity

Elastic is fundamentally a “search” company. However, the scope of search goes far beyond simply powering a text search box on a content web site. Applications of the Elastic platform now extend into most types of data processing use cases, where the foundational requirement is to structure a very large data set in a way that allows querying to occur lightening fast. If you think about Elastic through this lens, then its application to a variety of IT use cases makes sense – log analysis, security (which is mainly sorting through log data and events), application performance, analytics, fraud detection, equipment failure monitoring, etc.

Background and Strategy

To address all of these types of search experiences, Elastic created the Elastic Stack. Specifically, the stack is composed of Elasticsearch, Kibana, Beats and Logstash. It allows developers to take data in any format from any source, and then transform, index, analyze and visualize it in a rapid and scalable manner.

Elastic Analyst Meeting Presentation, October 2020

Elastic’s solutions can be deployed in three different configurations, depending on customer preferences and their existing infrastructure foundation. Traditionally, customers hosted and managed the Elastic Stack themselves. The Cloud offering is newer and provides a managed service for customers on all the major cloud hosting providers. This option is becoming particularly popular for customers and is financially beneficial for Elastic, as they generate revenue even if the customer is using the “free” version of the Elastic distribution. This varied deployment model provides customers with flexibility in their hosting approach and recognizes that many enterprises haven’t fully migrated to the cloud (nor immediately plan to).

The Elastic Stack is open source. This means that all the source code is publicly available for developers to view and extend. As customers began adopting the Elastic Stack, they applied it to solve a variety of problems. Often these were customized for their environment or unique business case. As the Elastic team observed this behavior, clusters of use cases began to materialize, which gave rise to Elastic’s extension into offering pre-built solutions.

ElasticON User Conference, October 2020

Solutions represent packaged functionality built on the Elastic Stack to address specific use cases. While the source code is open source, the licensing model places limits on the ability for other cloud vendors to host the Elastic Stack for profit. Most solutions features are proprietary, meaning that only Elastic the company can host them for resale.

However, customers are free to access, modify and extend the source code however they wish. This allows developers at customer organizations to create custom solutions that match a data retrieval use case unique to their business. While customers may apply a packaged solution to address one set of use cases, like in observability, they might code a custom solution to meet their unique needs for fraud detection. Elastic’s list of customer stories on its site provides a whole series of examples like this.

Additionally, as a consequence of the open source nature of Elastic, many other software solution providers have built applications on top of the Elastic Stack. This has created a pipeline of acquisition candidates for Elastic over the years. Since their solutions were built on the same technology stack as Elastic, integration of the acquired company’s solutions was pretty straightforward, much easier than acquisitions for other software companies. Here is a list of prior Elastic acquisitions as examples:

  • Swiftype – Site Search and App Search services
  • Opsbeat – APM solution
  • Prelert – Machine learning features
  • Packetbeat – Beats product
  • Found – Cloud offering
  • Endgame – SIEM and Endpoint Security solutions
Elastic – Analyst Meeting Presentation, Oct 2020

Elastic has long enjoyed a broad and diverse customer set. What is notable about Elastic’s customer base is the penetration across both digital natives (Etsy, Instacart, Lyft, Shopify) as well as mainstream enterprises (VW, P&G, HEB, Barclays, USAA, T-Mobile). Elastic currently enjoys 46% penetration in the Fortune 500. As the prior expansion examples showed, spend in these accounts usually starts around $0.1M in year one and then grows more than 10x over subsequent years.

Elastic Analyst Meeting Presentation, October 2020

Because of the openness and programmability of the Elastic platform, customers often extend it in unique ways. Since the core of the Elastic Stack enables the ingestion, indexing and retrieval of large datasets from an easily extensible platform, developers at enterprises can apply their creativity to create their own bespoke solutions. This is often out of necessity, as off-the-shelf commercial observability and security solutions usually cluster their functionality around common needs, like web site activity monitoring or network security. However, popular commercial solutions generally don’t provide the programmability needed to extensively modify the functionality and don’t share source code for the core platform.

We often see Elastic customers extending the platform to address use cases that go beyond standard monitoring of Internet-delivered applications. Elastic customers repurpose the notion of “observability” or “security” to apply to their own business context, which may be different from running a standard online e-commerce or social application. This customization through programmability (as a consequence of their open source posture) ensures that Elastic will always have some demand from customers with use cases that fall between the cracks of traditional observability and security solutions. Examples of this extended functionality to non-standard contexts include:

  • Sky. Monitors OTT video delivery through their systems.
  • Volvo. Tracks service issues for a fleet of 1M connected vehicles.
  • John Deere. Built a service on Elastic that allows farmers to monitor and optimize the performance of their agriculture operations.
  • Walmart. Monitors gift card usage for fraud.
  • Cox. Tracks video on demand delivery through their own cable network.
  • Verizon. Modified Elastic to monitor wireless network service reliability and outage issue tracking.

Some investors shy away from Elastic because they feel that Elastic is trying to do too much. To be fair, these solutions do cover a lot of ground. However, it is important to appreciate that the solutions motion was initiated by customer demand and their own skunkworks projects, not in an Elastic leadership brainstorming session. This product strategy reminds me of Twilio and how their contact center solution, Flex, was built on top of the core Twilio communications APIs after observing customers doing the same.

This tug-of-war between a platform approach and the best-of-breed point solutions will continue to play out. Elastic leadership contends that they have many customers excited about the opportunity to simplify their vendor relationships through consolidation onto the Elastic Stack. On the earnings call, they referenced several examples of large customers who expanded into all three solution categories (Enterprise Search, Observability and Security). As mentioned previously, 45% of Elastic’s large customers spending more than $1M in ACV (of which there are now more than 50) use all three of Elastic’s solutions. Based on past experience leading engineering teams, I can see the appeal for this. If an Elastic solution can meet the requirements for a use case, and is extensible through customization if needed, addressing that through an extension of Elastic’s utilization, versus bringing in another vendor would be both simpler and cheaper.

At the same time, a limitation in the past has been that Elastic’s packaged solutions in each of these categories are generally not as comprehensive or deep as the point solution providers. The full observability suite of a Datadog is more extensive and feature-rich at this point than Elastic’s offering, for example. The most discerning, digital native customers will likely select the leading point solution in each area. In these cases, each individual team (even senior developers) have significant sway over choices of tooling. But, this isn’t where Elastic’s customer base is centered. While they do attract the digital natives, they also have 46% of the Fortune 500 as customers, as mentioned previously. More mainstream companies would likely be satisfied with a “good enough” solution in each category, where the simplicity of maintenance and pricing leverage provide more compelling value.

Elastic – Analyst Meeting Presentation, Oct 2020

This is an important point to consider from a competitive and growth perspective for Elastic. First, as I will cover below, their solutions in each category are continually improving, as a consequence of their rapid product release cadence. For example, they recently added service maps, alerting, RUM and synthetics to the observability offering, which were large feature gaps as compared to other commercial observability products. Second, if a customer has unique requirements for a solution, their developers can view the open source code and make modifications to meet their unique needs. As mentioned above, this often happens in observability and security, and is the case almost by definition for application search.

With that set-up, let’s take a look at what the Elastic product development team has delivered over the past several months. This will include a major point release, advances in cloud and government business and highlights from the ElasticON conference.

Product Releases

The cadence of Elastic’s product development in Q2 (August – October) continued at a rapid rate. Elastic’s ability to deliver an aggressive and accelerated product release cycle creates a competitive moat in itself. While I agree that any large legacy software provider can spend enormous sums to launch a competitive offering, if they can’t execute a rapid fire product development, test and release cycle, they will fall behind smaller, more nimble players. Entrenched legacy providers usually maintain a methodical, measured product cycle as a result of their size and customer requirements. This notion of competitive moat through short product iteration cycles applies not just to Elastic, but to other engineering-focused independent players. Cloudflare’s sprint through multiple Release Weeks this year comes to mind.

Over the period of May through November (about 6 months), Elastic conducted 4 major releases. These were labelled as Elastic versions 7.7 to 7.10. Each release was packed with new features and integrations spanning the core Elastic Stack and each solution category. As a quick review, we had the following before 7.10, which I covered in detail in the Q1 recap:

  • Version 7.7 (May): Added Workplace Search (a stand-alone product), Alerting, Service Maps for APM and Embedded Case Management for SIEM.
  • Version 7.8 (June): Navigation and Dashboard overhaul, SSL certificate monitoring, Health Status Indicators for Service Maps and new threat detection rules.
  • Version 7.9 (August): Unified Agent, Ingest Manager, Fleet Tool, One-click Malware protection.
ElasticON User Conference, October 2020

Following version 7.9, Elastic held their next release for an extra month. This culminated with the release of version 7.10 on November 11th. The version 7.10 release didn’t disappoint. It included several major enhancements to the core infrastructure of the Elastic Stack and extensions to existing solutions bringing them to closer parity with other best-of-breed commercial offerings. This continued expansion of use case coverage within each solution is an important aspect of the Elastic investment thesis. As solutions categories like observability and security mature in the marketplace, incremental feature adds beyond the baseline will have diminishing returns. Feature parity for Elastic with competitive offerings is achievable, shifting customer considerations to other factors like pricing models, platform leverage and customization.

With each subsequent release, Elastic is filling out their coverage of expected observability use cases. In the version 7.10 release, they added two more capabilities that are expected in a core offering, user experience monitoring and synthetics. These are sold as add-ons as part of competitive solutions like Datadog. By including these features as part of Elastic’s observability solution, but not charging incrementally, Elastic offers a reasonable alternative for enterprises looking for a solution that checks all the feature boxes and allows them to leverage the same stack to address other needs in search, security, custom analytics and log analysis.

This feature completeness across solutions provides the leverage that is driving large Elastic customers to address multiple solution categories (observability, security, enterprise search) with one stack and one unified pricing model. This has advantages in maintenance, training and cost. The approach may not appeal to engineering-led digital natives, but certainly provides sufficient capabilities for mainstream enterprises. Additionally, the programmability of the Elastic stack allows companies to customize solutions to meet their exact requirements.

Version 7.10 Release

As mentioned, Elastic launched version 7.10 on November 11. This followed the 7.9 release in August. Given that this release was held for almost three months, versus the normal 1-2 month release cadence, it was packed with enhancements across the Elastic stack. These were the noteworthy items in my opinion:

  • Searchable Snapshots. Allows data to be searched from a lower cost, external storage tier like Amazon S3, Azure Storage or Google Cloud Storage. This can lower the cost of maintaining this data by up to 50%.
  • User Experience Monitoring. Extends observability by providing a dashboard that reports on metrics specific to a positive user experience, like page load and render times tracked by core Web Vitals. It also reports on user device attributes like connection type, browser, operating system, etc. This is a common feature of other commercial observability platforms.
  • Synthetics Monitoring. Adds multi-step user journeys to the Elastic Uptime solution to ensure application users can navigate through complex workflows. Developers can create these test paths as scripts that are then executed by Elastic against QA or production environments. Adding this capability to Elastic’s observability offering brings it to closer parity with other commercial observability solutions.
  • Kibana Lens. Made Lens generally available. Kibana Lens provides an intuitive drag-and-drop interface for users to easily set up visualizations of any data in the Elastic system. This latest version of Lens added a number of new features for display and formatting.

The 7.10 release also included several enhancements to security monitoring and protection. Elastic continues to close the feature gap with point solutions offered by competitors for search, observability and security use cases. Large enterprises may consider the Elastic feature set to be complete enough for their needs to leverage Elastic across multiple IT categories, reducing their vendor sprawl and realizing cost savings. This probably explains why 75% of Elastic’s customers with >$1M ACV utilize more than one Elastic solution (Enterprise Search, Observability or Security).

Cloud Expansion

Elastic continues to add new markets to its Cloud offering. With each combination of cloud vendor and location, we can expect some incremental business for Elastic. This is similar to a SaaS business launching their product in a new country, as some international customers require data residency. Elastic Cloud is now available in 42 cloud regions across AWS, Azure and GCP. This represents a 3x increase over FY2019 (roughly 1.5 years ago).

Elastic – Analyst Meeting Presentation, Oct 2020

Elastic added 17 new locations in FY2020 and has added 11 more so far in FY2021. Over the last few months, this expansion of the Cloud offering continued with each release.

  • Version 7.8: Finland, London, Netherlands, São Paulo, Singapore, South Carolina, Taiwan, and Tokyo. 
  • Version 7.9: Canada, France and Korea.
  • Version 7.10: Mumbai (AWS), Iowa (Azure), New South Wales (Azure)

In addition to new locations, Elastic delivered the highly requested feature that Elastic Cloud on Kubernetes will soon be a Red Hat OpenShift-Certified Operator.

Elastic’s relationship with the Cloud vendors themselves is evolving and resembles co-opitition. On one hand, some of the cloud vendors offer their own hosted services that address search use cases. In the case of AWS, they began hosting open source Elasticsearch themselves for a fee in 2018, in direct competition to Elastic. That was the genesis for Elastic’s open core model, in which most value-add features are bundled in the proprietary distributions (whether free or paid). Since 2018, this licensing change has increased the gap between the AWS solution and Elastic’s, given Elastic’s pace and complete focus on Elastic Stack development. At this point, Elastic’s Cloud solution is far ahead of the comparable offering from AWS in terms of feature breadth and capabilities. In fact, during the recent Barclay’s TMT Conference on Dec 9th, Barclay’s analyst Raimo Lenschow commented that all the buzz associated with the AWS offering appears to have died down since 2018.

GCP and Azure have been more cooperative. While Elastic Cloud is available through the marketplaces of all three large cloud vendors, GCP and Azure have gone further, offering integrated billing, use of pre-committed spend and collaboration on training. The CEO of Google Cloud, Thomas Kurian, even spoke at the most recent ElasticON user conference on October 14th. Microsoft was a Platinum Sponsor of the event.

As multi-cloud deployments become more prevalent, CXO’s at large companies are trying to avoid cloud vendor lock-in. Use of a particular cloud vendor’s search solution would make it harder to switch providers in the future if needed, or to support a multi-cloud configuration. With Elastic Cloud, applications can be built to a single interface that remains the same on any cloud installation.

During a customer panel at the ElasticON conference, speakers from two different consulting firms that work with large public sector clients described how they often use Elastic as a data collection destination for user activity and system log data from disparate sources across multiple cloud installations. For example, a customer might be running one type of workload on AWS and another on Azure. They then stream event data to a centralized Elastic cluster. This is facilitated by the Elastic Common Schema, which allows users to convert disparate data sets into a common format for analysis.

Government Activity

Elastic has a pretty significant penetration within government agencies and military functions. At ElasticON in October, they had customer presentations from the UK’s Driver and Vehicle Licensing Agency (like U.S. states’ DMVs), the Defense Logistics Agency, South Dakota Bureau of Information and Telecommunications and several major U.S. universities. The U.S. Air Force, Oak Ridge National Labs, U.S. Army, JPL and USGS are all customers.

Elastic achieved FedRAMP Moderate authorization and has general availability on AWS GovCloud. FedRAMP authorization allows users from federal agencies and other industries in regulated environments to manage Controlled Unclassified Information (CUI) on Elastic’s stack. FedRAMP streamlines the procurement process for U.S. federal customers by standardizing security requirements across federal agencies. Once a vendor reaches an authorization level, each new federal agency customer doesn’t need to repeat their security assessment. The FedRAMP Moderate authorization is important, as Elastic is gaining many customers in government agencies.

ElasticON Global User Conference

Elastic held their annual user conference, ElasticON, from October 13-15. Like other technology providers, the event was held virtually for the first time. By holding the event virtually, participation exploded. They had over 25,000 registrations, more than 300 individual presentations and participants from over 80 countries. Presentation highlights included leadership at partners Google Cloud and Microsoft Azure, as well as technology leaders at a number of customers like Audi, Cisco, Honeywell, Cerner, Rocket and Wells Fargo. There were many more granular customer sessions and demos in individual solution categories.

Elastic Q2 FY2021 Earnings Deck

The keynotes and customer stories provided a great deal of insight into Elastic’s product strategy, competitive positioning and customer use cases. I won’t rehash the entire conference and I encourage investors interested in ESTC to at least listen to CEO Shay Banon’s keynote, which includes commentary from Google Cloud, Cerner and Wells Fargo.

Thomas Kurian, the CEO of Google Cloud, spoke during the keynote. He highlighted the strong partnership with Elastic, launched at Google Next a few years back. Elastic Cloud is now available globally on GCP through 16 individual regions (and counting). They have a deep integration into Google Cloud Marketplace, which streamlines the purchase experience for GCP customers. The partnership also extends to native integrations between GCP service offerings and data ingest for the Elastic Stack. Mr. Kurian said that many of these integrations were driven by customer requests, citing Etsy as a great example of a joint customer.

The keynote highlighted several long-time customer relationships with testimonials from each. Wells Fargo and Cerner were featured presenters, both of whom rely heavily on Elastic for monitoring solutions. Other highlights from customers including these testimonials and presentation comments.

  • Shopify:  “We have two important things – a fast, powerful search engine from Elastic and the right content.”
  • Etsy:  “Elastic makes a huge difference in isolating our stream of data.”
  • Adobe:  “Elasticsearch resilience and stability are very high.”
  • Microsoft:  “Microsoft and Elastic bring our customers flexible, innovative solutions to grow and scale.”
  • Barclays:  “Elastic made it possible to build our cyber security and defense platform – and protect us form real-time threats.”
  • UC Davis:  “Elastic Security is backed by the security community’s continuing contributions, which means we can handle the latest attacks.”
  • Google Cloud:  “Together, Google Cloud and Elastic provide seamless integration to a fully managed service.”
  • Cisco. Cisco has a very large Elastic footprint and has been using the stack for many years. They presented a unique use case for Elastic Stack to track customer “entitlements”, which is a web of varied customer history data reflecting device purchases, service contracts, subscriptions, licenses, utilization rates, etc. They chose Elastic for fast search across multiple data sources, support for rank-based and type-ahead search, flexible aggregations on many filters, custom data ingestion and attribute tagging. Their Elastic cluster for this application handles about 20-40M change events a day, peaking at 10k docs/sec.  It contains a total of 40TB of data with 6.3B documents.  Other use cases for Elastic include powering site search on Cisco.com site and app search for their e-commerce buying portal. They are planning to expand these use cases to address new ones in transactional and business insights. 
  • Audi. Their central platform team provides cloud infrastructure tools for all internal development teams across Audi’s operating divisions, which include VW, Porsche and Audi. They built a centralized log analysis service on Elastic Stack that is used by a variety of payment, personalization, customer service and ordering applications.  The deployment spans 42 Elastic clusters and currently has about 29TB of log data. They are also evaluating expanding to offering Elastic APM to app development teams from the same deployment.
  • Various roundtable participants. Honeywell, ASB Bank (NZ), Societe Generale, Square Enix, Cerner, Wells Fargo, Barrett Steel, Zebra Technologies, UK DVLA, U.S. government DOD/DLA, South Dakota BIT, Tufts, Indiana University, University Nevada at Reno, EU Anti-Fraud Organization.

In one customer presentation about Elastic’s security offering, the CISO of Barrett Steel was featured. Barrett is a large manufacturer in the UK that generates about $400M in annual revenue, with 1,100 employees. The CISO brought in Elastic several years ago to replace their legacy SIEM solution. After applying the Elastic solution to gathering activity data across network devices and infrastructure to identify malicious behavior, the IT team realized that they could extend the same observability to their manufacturing operations. They are now utilizing Elastic to collect, track and alert on operations continuity for their manufacturing production line. He said that once “you bring in Elastic and start using it, it becomes an addiction”. He was referring to his team’s constant stream of ideas for new use cases for Elastic.

This is similar to comments made at a past user conference by Home Depot, where the speaker cited so many example uses for the Elastic Stack in their organization that they described the Elastic platform as their “Swiss Army Knife”. 

ElasticON Tour 2015, Home Depot Presentation

Along a similar vein, the Engineering Team Lead for Cloud Engineering for the UK’s DVLA (Driver and Vehicle Licensing Agency), which is the equivalent of the DMV in the U.S., presented at ElasticON. They maintain over 80M driver and vehicle records and handle payments in the billions for various fees and taxes. In the past couple of years, they have been moving their systems to the cloud. As part of that, they migrated individual apps to a new infrastructure platform that utilized Kubernetes and AWS Lambda for serverless. For the back-end logging and monitoring solution, they use the Elastic Stack. This provided standardized log format and re-usable logging libraries that all app teams could use.

The presentation was rather technical and the Team Lead demonstrated deep knowledge of managing large data sets on the cloud and how to handle log streaming, index tuning and efficient storage. He went into a lot of detail about how his team leverages features of Logstash and Elasticsearch to manage this. At the end of the presentation, he highlighted several new capabilities of Elastic that he is very excited about.

ElasticON User Conference, October 2020

First, he called the machine learning accessibility that has been built into Kibana “brilliant”. It offers easy ways to set up machine learning through the click of a few buttons. He highlighted the log category analysis tool, which automatically segments a stream of logs into discrete groups and then analyzes those logs for anomalies. Then, he talked about the SIEM app that is built into Elastic and how that has been enhanced by the endpoint capabilities brought through the Endgame acquisition. He is excited to make use of both capabilities, expanding the relationship into another solution category.

Finally, he highlighted the advantages of using the Elastic Cloud offering. This allows his team to offload the implementation details of the infastructure to the Elastic team. This makes management tasks like their hot/warm data architecture easy to deploy. The DVLA is actively migrating their hosted Elastic solution to the Elastic Cloud.

Competitive Landscape

I covered Elastic’s competitive landscape in depth in my prior quarterly recaps for Q4 and Q1 results. These included an extensive review of Elastic’s offerings in each solutions category, spanning Enterprise Search, Observability and Security. For each, I described Elastic’s solution in detail, its relationship to competitive products and reviewed relative positioning from industry analysts like Forrester and Gartner. I won’t repeat the full exercise here as most of the information is still relevant and timely. Investors should read through that coverage for background on the competitive landscape.

One item we can consider from a competitive comparison is relative performance of different providers during the prior two quarters of revenue growth. The Barclays analyst commented during the TMT conference about how Elastic appears to be less impacted than peers from the COVID-19 environment. This refers to Elastic’s linearity of revenue growth versus some competitors whose revenue growth stepped down noticeably over the past two quarters. Most significant was Splunk (SPLK), which missed their Q3 revenue target by about 10% and delivered incrementally negative sequential revenue growth. Splunk attributed their miss to delays in closing several large deals.

Elastic has experienced similar macro effects, as described by their CFO. Their impact has been in spend reduction for affected verticals (travel/hospitality) and extended sales cycles for larger customers. Yet, Elastic was able to exceed expectations markedly over the past two quarters. Relative to Splunk, this could reflect positive competitive positioning for Elastic. More broadly, it signals that growth should continue as the macro environment improves in 2021.

DevSecOps Consolidation

There were a few updates to offerings by competitors, primarily in the observability and security space. We are seeing traditional observability providers expanding into security. Splunk has done this from the beginning. In 2019, Datadog announced they would add security monitoring. And just this month, Dynatrace entered the fray. As mentioned previously, Elastic has been in the security monitoring space for several years and recently added endpoint protection with their Endgame acquisition and the launch of the Unified Agent. With the Unified Agent release, malware protection is available through single-click activation once the agent is installed on a device (which is usually already the case with observability).

Another development outside of security monitoring and observability is the evolution of the network and device security ecosystem. Edge network providers, most notably Zscaler and Cloudflare, are evolving their network security offerings to shield enterprise traffic and their assets (employees, devices, data centers, offices) from intrusions at the network layer. Zscaler and Cloudflare have been offering point capabilities to replace VPNs and other network perimeter devices at enterprises, and the two recently consolidated their offerings into a broader suite of services. For Zscaler, this has been through their ZIA and ZPA offerings, and the addition of their Cloud Protection product portfolio to “simplify and automate protection for workloads on and between any cloud platform.”

For Cloudflare, in October, they launched Cloudflare One, which consolidated several existing offerings into a single suite that “brings together how users connect, on-ramps for branch offices, secure connectivity for applications, and controlled access to SaaS, into a single platform.” They are enhancing this offering with two upcoming capabilities to further protect users and traffic. Magic Firewall provides a network-level firewall that allows administrators to set policies for their network traffic. IDS inspects all traffic traversing an enterprise’s global network and identifies malicious behavior. Operators can be alerted and even choose to automatically block the source of the activity (through the integration with Magic Firewall and other network blocking services, like DDOS).

How does this relate to Elastic? Played to their logical conclusion, these new network-based services could mitigate the need for SIEM and endpoint protection. Unless an attacker has physical access to an employee’s device or a company’s application server, hacking activity has to traverse across a network. If an intrusion attempt can be detected at the network level, it might not even make it to the endpoint. If network-level security evolves to the point where it catches most attack attempts, then the weight of protection shifts from the device or endpoint to the network.

The need for endpoint security will likely not be eliminated, but becomes less important. Endpoint security emerged as a critical point of enforcement over the last decade because network security through firewalls and network perimeters couldn’t be trusted. If network-based security suites like Zscaler and Cloudflare are able to build out sophisticated intrusion detection capabilities, then the nexus of enterprise security could shift (back) to the network and away from the device.

This might play favorably for Elastic and their security offerings. By including endpoint protection for “free” through their unified agent, enterprise security teams can protect their end user devices and application servers as an add-on to the same agent that is handling observability. In a similar vein, SIEM would be integrated into the same observability motion. The need for stand-alone point solutions to deliver sophisticated SIEM and EPP could be mitigated by enhanced network-level protections provided by the Zsclalers and Cloudflares.

I realize this sounds far-fetched and disruptive. I am not advocating a short on Crowdstrike (I actually just opened a position), as they are rapidly evolving their platform and services towards workloads and managed security. I think these trends do provide some other implications for investors. First, the edge network providers will gain gravity in the IT landscape over time. This favors companies like Cloudflare, Fastly, and Zscaler, which are all well-positioned with a global web of PoPs, software-defined networking and extensive compute resources at the edge.

Second, it makes Elastic’s platform of services more palatable, particularly for security. As Elastic’s security offering for both SIEM and EPP evolves, it will likely be considered “good enough”, as compared to competitive offerings. If an enterprise moves their traffic onto an edge network for traversal and cleansing, then security teams could apply basic “just in case” endpoint protection and security monitoring through Elastic’s solution. Because of Elastic’s resource-based pricing model, customers get these capabilities as cost-effective add-ons (not free per se, but not charged incrementally). This will likely satisfy the requirements of many mainstream enterprises or financially limited public-sector entities, that are looking to leverage existing investments in log analysis or enterprise search. Through this lens, the commentary at ElasticON from the lead cloud engineer at the UK’s DMV makes sense. If he is already using Elastic for application log analysis, why not bolt on the security capabilities for protection?

Security Ecosystem

With that said, one risk to Elastic’s security strategy is its lack of participation in the broader ecosystem of partnerships. To supplement their offerings, the leading network security providers, like Zscaler and Cloudflare, are forming partnerships with other security providers to offer an integrated solution to enterprise security customers. These go beyond simple data ingestion integrations and encompass the go-to-market motion through product co-marketing relationships.

For example, as part of ZScaler’s (ZS) recent Cloud Protection announcement, they highlight a partnership with Crowdstrike. If Zscaler’s cloud security platform detects an attack, it identifies which endpoints would be impacted and sends a notification to Crowdstrike Falcon to remediate the issue on those endpoints. This is accomplished through a series of secure API calls.

Zscaler Web Site

In a similar vein, as part of Cloudflare One and the creation of a full spectrum Zero Trust solution, Cloudflare announced partnerships with the major identity management providers (Okta, Ping, etc.) and endpoint security vendors (Crowdstrike, Carbon Black, Tanium, etc.). Elastic was not featured in these partnership ecosystems.

To be fair, Elastic’s endpoint security solution is still nascent, having been introduced through the acquisition of Endgame in late 2019. The first set of malware protection capabilities were just introduced through the unified agent in August. At ElasticON, Elastic leadership spoke to the ecosystem of technology relationships forming around the Elastic security offering, but these are primarily data integrations.

ElasticON User Conference, October 2020

While these data integrations provide an important foundation, Elastic does need to beef up their business development efforts and participate in these ecosystem building activities on the go-to-market front. They will help build perception of Elastic’s position in the marketplace and generate sales leads. The recent addition of the new Head of Global Operations would have this responsibility under his scope.

Emergence of General Purpose Data Platforms

Another trend to watch in the competitive consideration set is the emergence of cloud-based general purpose data platforms. The largest of these is Snowflake (SNOW) , which advertises themselves as “a global platform for all your data and all your essential workloads, with boundless and seamless data collaboration”. This can be applied to a variety of workloads, ranging from data warehousing, data science, data-oriented applications, sharing and others. On the surface, this general-purpose data cloud posture appears to overlap with Elastic.

Snowflake Web Site

Going forward, we can expect that Snowflake encroaches on some Elastic use cases and potentially those of any other technology service provider with a foundation in data processing. However, I think that at least for now, Snowflake is positioned in the data warehousing category, which in traditionally IT context has certain implications. Primarily, this means it wouldn’t be suitable for transactional workloads (OLTP versus OLAP), in which querying is synchronous and response times need to be in milliseconds even at high load. This prohibits it from being suitable for workloads like application search (find the closest Uber driver or Tinder match in real-time). Snowflake even acknowledges this in reference architecture diagrams within the Developer section of their site. For analytical processing that generates insights that feed an app, they still recommend a standard OLTP database to support the “transactional workloads of the application”.

Second, while it provides a superior solution for generalized analytical workloads, it currently lacks context needed to inform domain specific functions. This would apply to observability and security. Snowflake would serve as an adequate store for a large amount of event and log data, but relies on operators to create the appropriate queries to surface relevant information and actionable insights. In this case, their reference architecture diagram for application health and security analytics relies on outside systems (for SIEM) or operators to add context to the application log data.

This partially explains why Elastic evolved towards the creation of their solutions offerings. They acknowledged that a general purpose platform for search is very useful for the DIY technology organizations that might want to completely customize their own solution for observability or security. But, as customers began creating these bespoke solutions, Elastic realized they could broaden their market appeal by meeting customers half-way and providing packaged solutions for specific use cases out of the box. They have been doing this for Observability and Security for several years.

This isn’t to say that Snowflake couldn’t develop the same specialization in the future. Following a similar path as Elastic, they could build solutions in-house or acquire them. Their current network of technology partners focuses on the target market of data analytics and machine learning. However, these partnerships certainly could encompass some future set of observability or security vendors that build their commercial solutions on top of Snowflake.

For these reasons, Snowflake is certainly a company to watch. However, for the near to medium term, enterprises will be awash in data and there will be plenty of market share for many technology vendors with data processing at their core to pursue.

As an aside, Elastic has strong roots in NLP, as a consequence of being a search solution. Fundamentally, the Lucene search framework, upon which Elastic was built, has broad support for text ingestion, indexing and search retrieval. Other data platforms are not geared for this. Not saying they can’t do it, but it is outside their current scope. NLP is important for some data ingestion use cases. Several of these were highlighted at ElasticON in customer presentations from Honeywell, Cisco and the EU Anti-Fraud Organization.

Elastic’s Differentiation

At a high level, Elastic provides a platform that offers both out-of-the-box capabilities for customers who want a plug-and-play solution to common use cases, and the full programmability that allows their developers to create a custom solution to address use cases unique to their business context. This theme was highlighted over and over by customer presentations at the ElasticON user conference. Digital transformation across all aspects of our lives will drive more and more of these non-standard use cases which require processing of bespoke data sets.

As Elastic’s rapid product development cadence delivers “good enough” solutions across multiple categories, IT leaders will consider consolidation of tooling onto a single platform. Elastic’s expansion into security use cases, multiple facets of observability beyond log analysis and workplace search provide good examples of this. At ElasticON, we heard from the team lead at the UK DVLA about excitement for adding security monitoring and endpoint protection. Audi is evaluating extending their heavy investment in Elastic for log analysis to also provide centralized APM services to all internal development teams. As highlighted earlier, 75% of Elastic’s 50+ customers spending more than $1M ACV have already expanded to at least two solution categories.

However, this strategy and the sales execution behind it are still developing. It also assumes some degree of commoditization (diminishing returns for incremental features) for solutions in observability and security over time. Competitors in observability and security are not standing still and often offer a more complete solution for typical use cases in observing and securing standard workloads, like a large web site that drives e-commerce or social experiences.

Looking at anecdotal evidence from customer activity and Elastic’s ability to maintain linear revenue growth (and increasing profitability) through this period of constrained IT spending indicates that their product strategy is working. Elastic’s revenue growth in the low 40% range is not being driving by a usage spike from COVID-19. Rather, the effect is mixed, perhaps more similar to the experience of Twilio. Some customers are seeing increased usage, and others in impacted industries are cutting back.

Back in early June, when Elastic reported Q4 (April 2020 end) results, they set preliminary 2021 revenue guidance for 25% growth. Elastic leadership attributed this to conservatism given the macro environment. Yet, some analysts tried to read between the lines and conclude that it reflected unstated competitive encroachment. Fast forward two quarters and the year-end target has been raised by 8% and Elastic just delivered 43% revenue growth. Additionally, they are continuing to add new customers at the same rate and NER remains over 130%. If competition from other observability and security vendors were going to squeeze out Elastic, it would have happened by now. If anything, it appears that Elastic’s competitive position is improving.

To help investors understand this momentum, I think there are several general themes to Elastic’s product strategy and positioning which create a competitive advantage. As these themes continue to affect customer buying decisions and Elastic formalizes their go-to-market under new leadership, we could see continued growth in customer adoption and expansion for Elastic. I have presented some of these themes in previous recaps, and offer them below, along with relevant updates.

Programmability and Access to Raw Data

The programmability, versatility and transparency of the Elastic Stack are important considerations. Enterprises with a strong developer motion are free to create their own custom solutions, either by starting from scratch or extending an existing solution’s source code. These can address use cases that fall outside of the standard pre-packaged commercial offerings. These use cases generally represent business functions that are critical to a particular company’s operations, but go outside of standard clusters of functionality around monitoring large web site operations. The Elastic customer page lists a number of these bespoke applications of the Elastic Stack. I highlighted a few examples previously. Walmart uses the Elastic Stack to detect fraudulent gift card activity. Volvo tracks service issues for a fleet of 1M connected vehicles. Home Depot  cited so many example uses for the Elastic Stack in their organization that they described the Elastic platform as their “Swiss Army Knife”. 

This trade-off was further highlighted during a presentation at ElasticON from the Security Manager of Square Enix, the $3B Japanese game developer that has delivered popular titles like Final Fantasy and Dragon Quest. He discussed how Square Enix came to select Elastic as the centralized solution for all their security analytics. They had used a traditional SIEM provider, but found limitations in meeting the requirements of their system design. Elastic appealed to them due to its programmability and direct visibility into data storage.

This appeal was driven by Square Enix’s unique technology architecture. They built their own gaming application delivery infrastructure, which includes many non-standard activity logs. These are customized for the unique nature of gaming activity, and don’t meet standards for log ingestion supported by other SIEM solutions. Elastic allows Square Enix to customize log ingestion process to match their bespoke format. Also, they can access the raw data in Elastic, without having to work through a proprietary interface or API.

ElasticON User Conference, October 2020

In parallel, they ingest data from other standard sources, like enterprise systems for customer service and SaaS applications. Having packaged data connectors for these applications from Elastic saves them time, versus having to roll their own ingestion tool for a standard app. In this way, Elastic gives them the best of both worlds and demonstrates Elastic’s unique position in the marketplace to support both DIY and off-the-shelf use cases. As final benefit, the Squre Enix security team has extended their Elastic installation to create a sophisticated “cheat monitor” for gamer activity. This is unique to their application and would not be available through an off-the-shelf solution.

Further, this customization by customers creates stickiness. Once a company builds a critical business function through a customized implementation of the Elastic Stack, it is unlikely they would swap that out for a competing technology. The switching costs in this case are high. On the other hand, swapping out a proprietary, packaged observability solution is fairly straightforward. The technology team would just deploy the new vendor’s data collection agents on all relevant infrastructure, using an automated configuration management tool. Standardized security solutions can also be swapped out with a little more effort.

Full Platform of Services – Observe and Protect

As Elastic’s product expansion beyond enterprise search was materializing over the course of 2018 and 2019, some industry analysts questioned their strategy and pointed out that the observability and security markets seemed far apart. However, as the observability market is maturing, DevOps has pulled security into the fold to form the DevSecOps movement. Now, it makes sense for application and security monitoring to be addressed by the same toolset and from the same vendor. As comparisons, Splunk had focused on log analysis and security initially, and later expanded into full observability. Datadog rapidly addressed the three pillars of observability and is now extending into security monitoring. Dynatrace just entered the security space in early December, announcing the addition of a new Application Security Module.

Elastic’s Security Solution takes this a step further by providing packaged solutions for SIEM (Security Information and Event Management) and Endpoint Security. SIEM is the older offering from Elastic, as it was developed as an extension of infrastructure logging after Elastic observed several logging customers customizing the Elastic Stack for security analytics. Elastic formalized the solution by adding common exploit pattern detection and support for threat hunting. Endpoint security is a more recent addition to the security suite. This was enabled by the acquisition of Endgame in June 2019. Endpoint security was launched as a complement to SIEM in October 2019. Both SIEM data collection and endpoint security are now combined into a single agent, providing both centralized monitoring and proactive response to security exploits. In addition to endpoint capabilities, the Endgame acquisition brought over 100 engineers with security expertise to the Elastic team, which will further drive the monitoring side of security.

And this brings us to one of the primary outcomes of Elastic’s evolving security product strategy. By offering a full suite of observability and security capabilities, IT operations personnel can both “observe and protect” enterprise infrastructure through a single agent. This allows customers to simplify their relationship management and training overhead to a single vendor, and reduce cost redundancies through a unified, resource-based pricing model. In theory, this could supplant the need for separate vendor relationships for point solutions in each product category, like observability, SIEM and endpoint protection.

ElasticON User Conference, October 2020

In the Security Keynote at ElacticON, the director of product for security presented the evolution of Elastic’s security offering. He walked us through their progression from a SIEM offering to the acquisition of Endgame. In October 2019, Elastic eliminated pricing on a per endpoint basis, diverging from competitive offerings. And most recently with the 7.9 release, they began adding endpoint protection through the Unified Agent. This allows hundreds of pre-built endpoint protections to be applied through a single click. He also underscored the broad participation Elastic gets through the security community, as a consequence of their open posture.

ElasticON User Conference, October 2020

As a result, many large customers have adopted Elastic’s solution as the foundation of their own security practice, as highlighted in the slide above. These span both commercial companies and some of the most sensitive government agencies. In many cases, these customers started with a use case outside of security, like observability or app search, and later expanded into security as Elastic’s capabilities evolved.

Simplified Pricing Model

Underlying Elastic’s entire commercial model is the concept of resource-based pricing. This means that once a subscription level is selected, the customer can apply their allocated usage to any use case desired – some processing cycles for observability, some for security, some for enterprise search, some for custom use cases. Elastic doesn’t charge on a per machine/document/log/user/endpoint basis.

This flexibility in usage is presented as a competitive advantage by management. Elastic is pushing this notion of unified pricing throughout its marketing strategy. This pricing model differs from competitors like Datadog, that have different pricing for each type of workload and use case. In their defense, Datadog leadership contends that their customers prefer the granularity of their model.

Elastic – Analyst Meeting Presentation, Oct 2020

The benefits to customers under the Elastic model are a simple billing statement and a transparent path to adding new solutions. If the customer needs to limit expense in a period, they know they have the ability to simply prioritize certain workloads. Of course, this can result in some limits to revenue generation for Elastic during distressed periods (like now), because customers can easily manage usage and offload some workloads. However, the Elastic leadership team feels that this flexibility will promote more growth under normal circumstances and lowers the barrier for initial sales and expansions.

Developer-first Go To Market

Fundamental to the Elastic thesis relative to competitive offerings is its inherent openness and programmability. Compared to commercial competitors in most solution sets, Elastic offers the only platform in which all source code is open. This implies that developers at customer organizations can extend aspects of the platform to build a custom solution for any use case.

It also underscores the developer-led model. Most enterprise customer relationships for Elastic begin with a single use case addressed by a developer, who downloads the Elastic Stack to their laptop and does some experimentation. From there, use cases often expand across teams and solution categories. Over time, large customers form an internal Elastic practice team, which provides standard configurations, training and support to other teams interested in Elastic. The transparency of open source and Elastic’s own developer evangelism enable these efforts. Also, as developers move from one company to another, they often bring their preferences for tooling with them.

At ElasticOn, the presenter from Audi discussed that they chose Elastic because many of their developers already had experience working with it through personal projects or schooling. The engineering team lead for the EU’s Anti-Fraud Organization talked about how he has brought Elastic to two different government agencies so far. This is because as an individual developer, he has built on top of the framework since version 2.0.

In the same talk, the VP of Engineering for a consulting company with U.S. government clients like the GSA, described how his team values the community around Elastic as a source of advice and answers on technical questions. His team often posts to Elastic community forums and is surprised by the quality of insights from other users.

As a measure of the appeal of Elasticsearch to developers, Stack Overflow (popular online resource for developers) conducts an annual survey in which they ask 65,000 developers about their preferences across a number of technology types. Included is input on programming languages, frameworks, tools and platforms. Elasticsearch is lumped into the databases category. Developers rank it as the third most “loved” data store. Elasticsearch has the highest ranking amongst solutions for search.

Stack Overflow Developer Survey, Feb 2020

Rapid Product Development Cadence

If Elastic’s solution set doesn’t fully meet the needs of customers now, we can expect it to shortly. This confidence is a result of their rapid product development and release cadence, with major releases every 1-2 months. The number of substantial feature additions in the last 6 months, representing versions 7.7 – 7.10, has been phenomenal. They added a whole new product in Workplace Search. For observability, they filled out major feature gaps with service maps, alerting, RUM, synthetics, a unified agent and SSL cert monitoring. Security added embedded case management, one-click malware protection and new threat detection rules. For the underlying stack, they introduced searchable snapshots, the Fleet tool, Kibana Lens and a navigation overhaul.

This is possible due to Elastic’s single platform. Improvements made in one part of the Stack can be re-used to address features in another. Elastic leadership contends this is a big driver of their accelerated product development pace. Also, the majority of new feature releases are under the proprietary (but open) licensing model, which is rapidly extending the feature gap with competitive solutions that were based on re-use of the original version of Elasticsearch (like the service from AWS). Those offerings are pinned to an older version of Elasticsearch and would not include any of the features highlighted above.

Elastic Take-Aways

Investors have struggled with the Elastic story.  To be fair, until Q2 earnings, ESTC generally underperformed most other SaaS peers in YTD returns.  Annual revenue growth decelerated noticeably from Q4 to Q1, and the initial full year 2020 revenue estimate (FY 2021) was for 25% revenue growth. The product strategy appeared scattered and analysts were concerned that the low full year estimate reflected competitive encroachment.

However, the Q2 earnings report demonstrates these concerns are not materializing. Annualized revenue growth stabilized in the low 40% range, nearly linear with Q1’s rate and up 12.4% sequentially. Calculated billings growth also falls in this range, implying that this revenue growth is sustainable going forward. Other growth metrics were favorable, like deferred revenue up 54% year/year and RPO up 57%. Elastic’s Cloud offering is growing even faster at 81% annually, now making up almost 26% of total revenue.

Profitability measures are improving as well, which was an investor complaint in 2019, when high revenue growth didn’t seem to generate leverage on the bottom line. Non-GAAP gross margin was 77% in Q2, up 250 basis points from the prior year. Operating margin almost reached break-even at -1%, versus -18% in the year ago period. EPS was ($0.03), beating estimates by $0.17. Looking forward to next fiscal year, the CFO is projecting positive FCF margin.

Elastic – Analyst Meeting Presentation, Oct 2020

Customer growth also reflects continued adoption of the Elastic solution. Total number of customers grew by another 800 in Q2, which has been about the same absolute rate for the past four quarters. Customers with ACV over $100k did slow down in the last two quarters, but is still up 24% annually. This also manifested in the customer net expansion rate (NER), which is still above 130%, but ticked down a few percent.

Elastic – Analyst Meeting Presentation, Oct 2020

The CFO attributed this to extended sales cycles due to the spending environment. I think this is expected and peers in observability reflected similar challenges with some customers in impacted verticals and a requirement for higher level approvals for large contracts.

On the product front, Elastic appears well positioned. With the addition of endpoint protection on top of a mature SIEM offering, they occupy a sweet spot of DevOps meeting Security.  These solutions keep getting better with each release and are approaching the point in which they “check all the boxes” for most enterprises.  That posture, coupled with their resource-based pricing, allows enterprises to apply Elastic to many use cases around search, monitoring and security, generating savings and simpler deployments.  Home Depot called Elastic a “Swiss army knife”. The most important slide from Elastic’s analyst day in October showed that 75% of their >$1M spend customers use two or more solutions.

Given their momentum, I think Elastic has a nice set-up for 2021.  The revenue comps to 2020 are not too bad and Elastic is still a relatively small company. As COVID-19 stabilizes and enterprise IT spend rebounds in 2021, Elastic could continue revenue growth in the 40% range.  With NER around 130% and annualized customer count increases in the 20-30% range, high revenue growth should follow.

Yet, the market is not reflecting this. While I certainly respect the wisdom of the crowds, the shadow hanging over ESTC stock should recede at some point. At a current P/S ratio of 23, Elastic’s valuation lags peers growing at the same low 40% range. This could result in a multiple correction over the next few quarters, similar to what occurred suddenly with other names like APPN, after the market grasped the story.

Investment Plan

I first initiated coverage of Elastic in March 2020, when it was trading at about $49 a share and set a 5-year price target of $170. Most recently, ESTC hit a peak near $147. It has appreciated nicely off of the March lows and is now up about 120% year to date. While a doubling of price in a year would normally be an accomplishment, this increase hasn’t been as acute as for other software peers. That might offer further upside in 2021. Given the uncertainty around macro conditions for the remainder of this year, though, I will keep my price target intact for now and will revisit this in early 2021, once we have a better view into the IT spending environment and another couple quarters of results for ESTC.

Given Elastic’s momentum, I had been increasing my allocation to ESTC in my personal portfolio. That is now up to 11% and is about twice the level coming out of the prior quarter. I plan to maintain this for now, and may add to it if the multiple expansion discussed earlier begins to materialize.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.

15 Comments

  1. Liberty

    Thank you for writing this, Peter. Very comprehensive.

  2. Gary Pheasant

    Thanks Peter. Very informative and comprehensive. I plan to add to my ESTC holdings as I move funds from selling some of other holdings.

  3. Ronnie MacCall

    Hi Peter, Thank you for your amazing work! Every time I read your articles I am completely blown away by how comprehesive they are any by how well written they are.
    In the “coverage” section of your webpage you mention “Smartsheet” (SMAR) – I was wondering if you will be writing any analysis on SMAR ? The results from their last reported quater seem to be impressive; given their current valuation and results it seems like a good time to revisit the SMAR.

    • poffringa

      Thanks for the feedback. Yes – I have written a couple of articles on SMAR in the past. I put SMAR coverage on hold following their disappointing Q1 results in June. I agree that their most recent Q3 results in early December show evidence of recovery from the COVID-19 impact. I still have concerns about the competitive landscape, but will likely revisit Smartsheet and the Collaborative Work Management (CWM) space in early 2021. There have been some other developments worth covering, like entry of ASAN and sale of WORK.

      • Ronnie MacCall

        Thank you very much.

  4. Sarath Sunku

    I really appreciate all your time and research.
    Quick Question: What’s the best resource to get the info like consensus for Billings?

    • poffringa

      Thanks for the feedback. For analyst estimates of revenue and earnings in future periods, I use Y-Charts. However, that has a license fee. Seeking Alpha also offers this data. For estimates on metrics outside of revenue/earnings, like billings, these are usually published on Seeking Alpha in advance of the earnings report. I am sure there are other places to find to that data.

  5. Robert

    Peter – thank you so much for the time and effort you devote to this blog. It has definitely been a bright spot in 2020 and I appreciate and look forward to your perspective with each new post. A few comments on Elastic’s competitive position that would be great to get your thoughts on…

    I worry that Elastic’s position is more tenuous. I owned shares after the IPO ~$60-$80 range and regrettably sold, for many of the risks you describe above – ultimately felt like the product strategy was too jumbled and the market would have a hard time grasping the vision to ever expand ESTC’s multiple to catch up to peers. Here are a few off-the-cuff assumptions I’d love for you to comment on:

    I worry ESTC is in a “sandwich spot” with the cloud hyperscalers on one side and the market-leading point solutions on the other. Most lagging IT shops will just gravitate to the cloud provider solutions (however sub-optimal, they are low-friction and easier to justify) or go all-in on a point solution to club a specific use case to death. The hardcore, digitally-native engineering-cultures will always gravitate towards the market-leading point solutions, especially when many are starting to offer development platforms and SDKs to customize and allow for experimentation. ESTC may have no trouble getting in the door because of their developer-first approach and wonderful community, but I worry that if they aren’t easily able to get traction quickly ESTC just becomes low-hanging fruit for cost optimization and vendor rationalization exercises of CFO, Procurement, etc. which won’t understand the value proposition (the swiss army knife). They could then get switched off in a heartbeat due to their pricing model. If these are valid assumptions (they may not be!) then it seems like a bet on ESTC is a bet that they can continue to thread this needle of being better than the cloud hyperscalers, finding a compelling use-case with a team with the engineering chops to deploy it, able to articulate the value proposition of the spend to internal IT department leaders, and also able to compete well-enough with the market-leading point solutions.

    That’s a lot of ifs and makes me hesitant to own anything but a small position. I will hand it to ESTC they have been executing wonderfully and I agree with you that all it takes is one high-value use case deployed that is very sticky and they are off to the races….the water just seems more murky here than it does for a TWLO, NET, or DOCU which seem like no-brainers over the next 5+ years.

    Sorry about the ramble…Merry Christmas and a Happy New Year to you!

    • poffringa

      Thanks. Those are fair concerns, most of which have overshadowed the Elastic investment thesis for a while. I don’t think Elastic has fully moved past them, which is why I am maintaining my allocation to ESTC as a mid-sized position. At the same time, I think an objective comparison of Elastic’s current revenue growth rate and profitability to peers at the same levels makes it clear that ESTC’s valuation is lagging by a fair amount. This kind of dislocation in the market reflects risk, but also presents an upside opportunity for 2021.

      Specific to the concerns you raise, here are a few points to consider. I acknowledge that the ESTC thesis isn’t as mature as for the comparable names you mention, but feel they have made demonstrable progress over the past 12 months with their strategy.
      – The cost optimization risk you mention should have happened by now, and certainly during COVID with increased IT spending pressure (outside of the obvious beneficiaries). Yet, Elastic has maintained roughly 40+% year/year revenue growth for two quarters and DBNER is still over 130%.
      – I don’t agree that large customers would switch off Elastic “in a heartbeat”. Actually, the opposite would occur. In many cases, large customers have invested significant resources in customizing their Elastic deployment for unique use cases and embedded it deep in their stack. Some have even built “Elastic practices” internally to help internal development teams utilize Elastic solutions (e.g. Cisco, Audi, Wells Fargo)
      – Elastic’s product position and feature set is evolving rapidly. Each release (roughly every 2 months) has added significant new features and capabilities to round out their offerings in the point solutions and extend the usefulness of the core platform. I think they are approaching parity in observability and certainly have a leading solution for search. Security is developing nicely beyond SIEM. The unified agent with malware protection is an interesting first step towards a broader security solution. This seems to be resonating – reference all the security customers shared at ElasticON. This product development progress extends their advantage over comparable solutions from the hyperscalers and make their platform approach and resource pricing model more appealing relative to point solutions.

      I think the biggest demonstration of their traction and expansion motion with large customers, counter to your concern regarding get cost optimized out, is the stat around large customer usage across multiple solutions. I was surprised to learn at their recent Investor Event that more than 45% of their > $1M ACV customers (of which they have 50+) utilize all three Elastic solutions (search, observability, security). That tells me that the argument to apply a programmable platform with a clear pricing model to multiple use cases is resonating with large customers. I encourage you to listen to some of the customer sessions at ElasticON (registration is free) to get a better sense for their product positioning.

  6. Vassilis Tziouris

    It is great all the info and DD that you provide. Noticed that position at CRWD was also initiated. Have you got any TP, as well how it fits (correct me if I misunderstood) that you are not positive to create positions at cybersecurity companies. Thanks a lot and looking forward for further coverage and info at CRWD since I am also long and happy with their performance.

    • poffringa

      Thanks for the feedback. Yes – I initiated a position in CRWD recently. I have generally been hesitant in invest in pure-play cyber security companies in the past, based on my experience managing an IT budget. I always viewed security spending as a necessary cost that I also wished to minimize. Put another way, a CIO/CTO wouldn’t generate more revenue for their company by overspending on security. For that reason, I prefer investing in software companies where there is a more direct line to driving revenue. That is always easier to defend in a budget review.

      With that said, building new digital experiences is driving high, non-linear growth in two areas. First, new application architectures with micro-services are causing the number of hosting containers to increase dramatically. Second, IoT and 5g will spike the number of devices connected to the network. These containers and devices will need to be protected. This creates an opportunity for Crowdstrike, as the most advanced provider of endpoint protection. The same argument applies to other application security providers (like NET and FSLY) where usage of the security service would scale up with the delivery of new digital experiences.

      If the security provider delivers services that are more tied to the enterprise and scales with the number of employees, then I think the opportunity is less interesting. In those cases, the growth would be proportional to the number of employees and is often displacing an existing solution. The one caveat is the network security providers that are leveraging their edge networks to bring enterprise security to customers, which is now being called SASE. That could be particularly disruptive, as it represents more of a paradigm shift. I like NET’s positioning here, with Cloudflare One, along with their other suite of products.

  7. JD

    Thank you so much, Peter.

    Are you worried about an overall SaaS multiple contraction? If so, wouldn’t there be a better entry point for names like ESTC, AYX? Thanks.

    • poffringa

      Fair question. I agree that SaaS multiples are at a high point now. I am generally fully invested in my portfolio and don’t maintain a cash balance to play swings in the market. I have tried that strategy before and personally wasn’t great at it. I generally performed better by just picking my favorites and staying invested. I do consider valuation multiples relative to earnings performance sometimes. For example, I reduced my OKTA position earlier this year as revenue growth slowed down, but the multiple was still very high.

      If I were putting new money into the market, I might consider trying to get a better entry point. I think the simplest (and probably most effective) approach is to break up the new investment into portions and spread across scheduled time periods. I think the key is to set the schedule in advance and not deviate from it.

      • JD

        Thanks Peter. Very fair points. Happy new year!

  8. blog

    golikov1r@mail.ru

    Heya i’m for the first time here. I found this board and I find It
    really useful & it helped me out much. I hope to give something back and help others
    like you helped me.