Cybersecurity the Ideas Engine Series Showcases Credit Suisse’S Unique Insights and Investment Ideas

5 September 2017 Americas/United States Equity Research Technology

Cybersecurity The Ideas Engine series showcases Credit Suisse’s unique insights and investment ideas. INITIATION Research Analysts Brad Zelnick The Cloud Has No Walls 212 325-6118 [email protected] Initiate on Firewall (PANW, FTNT, CHKP) with a Negative Category View William Lunn While we consider cybersecurity to be a secular growth theme, as the 212 325 4392 corporate network disintegrates we anticipate spend will be redistributed away [email protected] from the network to the detriment of incumbent firewall vendors. Syed Talha Saleem, CFA 212 538 1428 ■ Cybersecurity Is a Secular Growth Theme: We believe the value of data [email protected] to firms is rising, as is the threat of its compromise. As long as malicious Kevin Ma innovation outpaces benevolent, the cybercrime wave will endure, putting 212 325 2694 upward pressure on budgets for data defense. [email protected] ■ Architectural Shift Deprioritizes the Perimeter: Traditional centralized methods of IT delivery lend themselves to a walled garden defense: build high, strong walls at the perimeter and defend them carefully. The cloud, being by its very nature distributed, dissolves the concept of network perimeter. As workloads move out of data centers, it becomes less clear at what point the bounds of the corporate network begin and where they end. ■ Agile Compute Demands Agile Security: The new security paradigm should mirror the cloud compute paradigm in that it is (1) on-demand, (2) borderless, (3) without hardware, (4) dynamically priced, and (5) scalable. An appliance-based approach fails on each account, thus we expect spend to be redistributed to other controls and cloud-first innovators. ■ Multiple Structural Headwinds Face the Firewall: Even if the firewall retains its relevance in the cloud, the space will continue to face multiple structural headwinds, in our view. The most notable headwinds include increasing competition, pricing challenges, the diminishing tailwind of TAM expansion, and the shift in spend from prevention to detection and response. ■ Stocks: Most at risk and with the highest market expectations, we initiate on PANW (TP:$125) and FTNT (TP:$33) with Underperform ratings. Less optimistically priced and of higher quality, we rate CHKP (TP:$110) Neutral.

Figure 1: The Cloud Security Spending Disconnect 25% Spend on Cloud (IaaS, PaaS & SaaS) as % of IT budget 19.2% 20% Spend on Cloud security as % of security budget 17.0% 14.4% 15% 11.8% 9.3% 10% 7.1% 11.3% 9.8% 10.6% 5% 7.8% 8.8% 6.7% 0% 2015 2016 2017 2018 2019 2020 Source: Gartner, Credit Suisse Research.

DISCLOSURE APPENDIX AT THE BACK OF THIS REPORT CONTAINS IMPORTANT DISCLOSURES, ANALYST CERTIFICATIONS, LEGAL ENTITY DISCLOSURE AND THE STATUS OF NON-US ANALYSTS. US Disclosure: Credit Suisse does and seeks to do business with companies covered in its research reports. As a result, investors should be aware that the Firm may have a conflict of interest that could affect the objectivity of this report. Investors should consider this report as only a single factor in making their investment decision.

5 September 2017

Table of Contents

Executive Summary 5

Structural Thesis 21 Cybersecurity is Secular Growth ...... 21 Data Are of Enormous Value, and Thus Deserving of Expensive Protection ...... 21 Data Are Increasingly Valuable to the Firm ...... 22 The Cyber Crime Wave Continues Unabated...... 24 Why Are the Attackers Winning the Cyber War? ...... 27 Securing the Cloud ...... 31 The Cloud Holds Great Promise, and Great Security Risk ...... 31 Spend Unlikely to Continue to Coalesce Around the Network ...... 35 Agile Compute Demands Agile Security ...... 35 Beware Disaggregation ...... 36 Firewall—The Security Mainframe? ...... 46

Sector Thesis 49 Other NGFW Tailwinds to Slow ...... 49 Competition to Reaccelerate ...... 52 Cloud Transition ...... 64 TAM Expansion Is Limited ...... 77 SSL Decryption Less of a Tailwind ...... 81 Shift from Prevention to Detection ...... 84 Firewall Stocks ...... 86 Relative Exposure to Sector Headwinds ...... 86 Relative Valuation ...... 89 Relative HOLT® Perspective ...... 91

Stock Calls 97 Palo Alto Networks: Lost in Palodise ...... 97 Key Charts ...... 100 Supports for Our Thesis ...... 113 Risks to Our Thesis ...... 117 Fortinet: Fortinet & Unfortified = Underperform ...... 135 Key Charts ...... 138 Supports for Our Thesis ...... 139 Risks to Our Thesis ...... 149 Check Point Software Technologies: Without a Box… Check! ...... 171 Key Charts ...... 174 Company Positives ...... 175 Company Negatives ...... 182 Valuation ...... 188

Cybersecurity 2 5 September 2017

Appendices 195 Appendix I: The HOLT® Framework ...... 195 Cash Flow Return on Investment (CFROI®) ...... 195 HOLT Valuation ...... 197 Appendix II: Additional Drivers of Security Spending ...... 200 Regulation Is Catalyzing Action ...... 200 Attacks Move Down Market ...... 204 Connected Security ...... 210 Appendix III: Who Are Those Guys?...... 212 Black Hats: Know Thy Enemy ...... 212 White Hats ...... 216

Cybersecurity 3 5 September 2017

How Are We Differentiated? Primary Work the Key Drive of Our Differentiation In formulating our counter-consensus firewall thesis and broader industry view, we have engaged in differentiated primary data collection and leveraged Credit Suisse HOLT® to sense check our conclusions:

■ Counter-Consensus: We present two highly anti-consensus stock calls, with Underperform ratings on Palo Alto Networks and Fortinet. On FTNT, we are the only Underperform rating, and on PANW, we are the second. On CHKP, 43% of analysts have Outperform ratings, and we initiate with a Neutral rating.

■ Software SoundBytes: This report contains over 100 software SoundBytes: anonymized quotes from our 50+ interactions with industry figures. These interactions have been broad-based, from salespeople, resellers, and technical evangelists to founders and CEOs (past and present) of start-ups, unicorns, and public companies. In a sector in which data points are hard to come by, our proprietary SoundBytes offer insight to what leaders and those with feet-on-the-street are seeing in the market and envisaging for its future.

■ HOLT®: Using Credit Suisse HOLT, we back-stop and sense check our relative valuation. We find HOLT to be reflective of our views, particularly CHKP's quality; egregious stock-based compensation at PANW and FTNT; and high market-implied expectations for PANW, both in terms of the top line and returns on capital.

■ Interviews: We include two interviews 1 designed to shed some light on hard to penetrate cybersecurity topics including what motivates hackers, how should hackers collaborate with security professionals, and what should boards and senior leaders be asking themselves about cybersecurity. − Dr. Gráinne Kirwan: Chartered Psychologist and Lecturer in Cyberpsychology and Forensic Psychology at Dun Laoghaire Institute of Art, Design, and Technology, to better understand the psychology of cybercrime and how criminological and forensic psychological theories explain what motivates and characterizes offenders. − Keren Elazari: Senior Researcher at the Balvatnik Interdisciplinary Cyber Research Center at Tel Aviv University and featured speaker at international events including TED, RSA Conference, TEDMED, TEDx, DLD, DEFCON, NATO, and WIRED. Objective: Better understand the evolution of the hacking community.

Figure 2: We present two highly counter consensus stock calls on PANW and FTNT

Neutral, TP$110 Underperform, TP$125 Underperform, TP$33 Preferred Firewall Play Top disaggregation pick Top disaggregation pick

Source: Company data, Credit Suisse estimates

1 Kind thanks to Richard Kersley, the Credit Suisse Global Thematic Team and the Credit Suisse Research Institute for facilitating and providing these interviews

Cybersecurity 4 5 September 2017

Executive Summary IT Security Is a Secular Theme The modern day enterprise is first and foremost an agglomeration of digital assets that demand defense. From a structural standpoint, the enterprise demand for protection increases as a function of the following variables: (1) the volume of digitized data, (2) the value of that data, and (3) the threat of its compromise. We believe each of these to be increasing.

■ Volume: The volume of data continues to increase as connected devices proliferate and the sensors they contain multiply; the data exhaust of an increasingly connected society, unstructured data, is the key driver of data volume growth.

■ Value: We believe data to be a fundamental component of competitive advantage in the information age and think both traditional and Big Data are increasing in their value to the enterprise. The former is due to its undisruptable characteristics as a barrier to entry, and the latter is due to the amplifying cycle of (1) data creation, (2) data storage, (3) data transmission, and (4) data analytics.

■ Threat of Compromise: It stands to reason that as the volume and value of digital assets grow, all else equal, the yield on cybercrime increases. However, should the resultant increase in sophistication and deployment of threats be met with an equivalent increase in defenses, it follows the number of successful breaches should remain static. Our analysis supports a concerning conclusion: records lost to breaches are rising exponentially and the sophistication and deployment of cybercriminals is outpacing the defense; the bad guys are winning.

Figure 3: The Number of Records Lost to Data Breaches Is Increasing at an Exponential Rate

Expon. (Total Data Breaches) Hacking Accident Insider 10,000,000,000

River City 1,000,000,000 Yahoo Media

Yahoo Massive Friend Finder American Voter Network Heartland business Database VK TK / TJ hack Ebay Dailymotion 100,000,000 AOL US Anthem Maxx Sony PSN Military Tumblr Home Cardsystems Depot Adobe Fling Solutions Inc. US dpt Steam Ashley RockYou! UK Revenue of Vet Korea Madison and Customs Sony Yahoo Credit Mail.ru AOL Affairs Experian Japan Bureau Sony Zomato 178.com Mossack Data Processors International Dai GS Apple 10,000,000 Caltex Premera Fonseca FNIS Nippon Virginia Dept. Lynda Printing Of Health NHS Minecraft Facebook VTech Tricare Gmail Texas Clinton Citi KDDI campaign Gawker State Sanrio JPM Betfair AOL Kissinger Bell Cables Adult Friend Finder RBS Sega Brazzers Snapchat 1,000,000 Stratfor

Medicaid NASDAQ Slack Nintendo Ameritrade Inc. Hewlett Packard Twitter Apple Syrian government PayAsUGym Citigroup Wonga Three Automatic Data Processing AT&T AT&T TalkTalk 100,000 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Source: Company data, Credit Suisse estimates.

Cybersecurity 5 5 September 2017

Cybercrime Is Costly to the Real Economy… Studies place the annual cost of cybercrime in the range of $500bn, just under the global cost of narcotic crime, and extracting roughly 15-20% of the Internet’s annual economic value. In contrast, CISOs deemed the aggregate value of digital assets worthy of spending ~75bn on their defense in 2016. We think the delta between cost to economy and spend is likely to narrow and expect continued increases in the volume and value of data to drive an unabating cybercrime wave. Combined, we believe these forces will drive sustained secular growth in security software spending that will outpace prevailing forecasts of the market and industry analysts alike.

Figure 4: Cybercrime Represents a Similar % of Global GDP as Drug Crime, Piracy, and Car Crashes as Well as Just over Half That of Global Theft

Cybercrime 0.80%

Counterfeiting/Piracy 0.89%

Narcotics 0.90%

Car Crashes 1.00%

Transnational Crime 1.20%

Pilferage 1.50%

Source: MIT Technology Review, Credit Suisse Research.

Additional Drivers of Secular Growth in Security Spending Include…

■ Regulation Catalyzing Action: We expect GDPR, billed as the largest change to data privacy laws in 20 years, to catalyze a review of firms' security postures across the spectrum. We imagine this will span governance, control, organization, processes, sourcing, and technology.

■ Attacks Moving Down-Market: Blind, agnostic threats such as ransomware are increasing the risk of cyber-attack for small and medium-sized enterprises. This space has historically been an under-penetrated market segment but is now crowded and price competitive.

■ Connectivity: Increased connectivity creates added risk exposure for corporations, governments, and individuals. As a result, enterprises will need to invest in IT security technologies to mitigate the potential cost of IT security incidents.

Cybersecurity 6 5 September 2017

Securing the Cloud Dissolution of the Network Perimeter Traditional methods of IT delivery are internally oriented; applications run on an internal datacenter and are accessed by a workforce sitting inside offices. The nature of this architecture lends itself to a walled garden defense: build tall strong walls at the perimeter and defend those walls carefully. The cloud, being by its very nature distributed, dissolves the concept of network perimeter. As workloads move out of data centers to cloud environments, it becomes less clear at what point the bounds of the corporate network begin and where they end.

Figure 5: How We Conceptualize the Evolution of IT and Security Architectures

On-Premise Perimeter Defined Security architechure 1995-2005 Enterprise data is mainly stored in on-premise datacenters Internet Regional offices are connected to HQ via hub-and-spoke East-West traffic tends to dominate North-South traffic The workforce is internal, immobile and sedentary Perimter centric hardware oriented security infrastructure Mostly everything sits behind the corporate firewall

Hybrid Cloud Point Solution Security architechure 2005-2015 Some enterprise data is stored on- premise, some in the cloud Branches access cloud data via IaaS backhauling to secure network East-West traffic and North-South SaaS are equally important Internet The workforce is increasingly mobile, there are more endpoints Hardware and software oriented security infrastructure Network perimter less defined as cloud/mobility increases Point solutions addresses perimiter breaks for cloud and mobility Multi-cloud, cloud-first Cloud Defined Security architechure Internet 2015- 2025 A majority of enterprise data is stored in the cloud PaaS Regional offices access enterprise data via the cloud IaaS North-South traffic dominates East-

SaaS West traffic The workforce is extremely mobile and multi-device is the norm Software, rather than appliances, dominate the security infrastructure Security as a Service means security is built into the edge of the network

Source: Credit Suisse Research.

Cybersecurity 7 5 September 2017

Security Spend unlikely to remain coalesced around the network Historically enterprise security spending has focused on the network perimeter. This is well exemplified by the success of the largest and most investible public cybersecurity plays – Firewall vendors Check Point Technologies, Palo Alto Networks, and Fortinet.

Figure 6: Spend has historically coalesced around the perimeter, as reflected by the cumulative market capitalization of the three key firewall vendors Publically listed Firewall Vendors cumulative market capitalization

$40bn Palo Alto Networks Fortinet Check Point

$30bn

$20bn

$10bn

$0bn 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 Source: Thomson Reuters Datastream, Credit Suisse Research

We believe many investors and industry analysts expect spend to continue to coalesce around the network, and firewall to retain its relevance as an integral part of the security stack. Gartner, for example, forecasts Network Security to grow 9% through 2020.

Figure 7: Industry analysts (and we believe the market) expects security spend in the network and its perimeter to remain buoyant through 2020 Gartner market forecast CAGR to 2020

Security and vulnerability 12% management

Network security 9%

Identity and access 8% management

Web security 6%

Endpoint security 4%

Other security 4%

Messaging security 2%

Source: Gartner, Credit Suisse Research

We believe agile IT requires a new agile security approach, and anticipate a reallocation of spend away from the perimeter. In fact it already appears there is somewhat of a disconnect between forecasted enterprise cloud spend (as a percent of total IT budget), and enterprise spend on cloud security (as a percent of total security budget).

Cybersecurity 8 5 September 2017

Figure 8: The Cloud Security Spending Disconnect

25% Spend on Cloud (IaaS, PaaS & SaaS) as % of IT budget

Spend on Cloud security as % of security budget 19.2% 20% 17.0% 14.4% 15% 11.8% 9.3% 10% 7.1% 11.3% 9.8% 10.6% 8.8% 7.8% 5% 6.7%

0% 2015 2016 2017 2018 2019 2020

Source: Gartner, Credit Suisse Research.

Agile Compute Demands Agile Security In our view, the new security paradigm should mirror the new cloud computing paradigm in that it is (1) on-demand, (2) borderless, (3) without hardware, (4) consumption model pricing, and (5) scalable. Traditional hardware approaches to security (appliances) fail on each of these accounts. Appliances require capacity planning, aren’t on-demand or scalable, are predicated on rigid hardware, and assume the existence of defined borders. We think a sub-set of innovative vendors stand to benefit; as enterprises shift from physical to virtual IT, whether public or hybrid cloud, the priorities become scalability, managing who is granted entry in and dynamically protecting workloads. Ultimately, there is a need to secure applications and data, and consumers of them, regardless of where either resides. Security sub-sectors we expect will remain relevant include the following.

■ Security as a Service: We believe cloud-based security offerings that enforce policy as an intermediary between the enterprise and the Internet via points-of-presence in the network edge offer great promise to expand their capabilities to offer the entire security stack as a service. Representative vendors include Zscaler, Cato Networks Cloudflare, and Akamai. ■ Cloud Workload Protection Platforms (CWPP): Recognizing that server workloads differ fundamentally from end-facing endpoints, CWPPs offer network segmentation, traffic visibility, configuration and vulnerability measurement, application control, exploit prevention, and memory protection. Representative innovators include vArmour, Illumio, Dome9, CloudPassage, and Carbon Black. ■ Identity and Access: Once considered a mature market, we think identity will become increasingly instrumental and something that many emerging cloud security vendors will be wary of taking responsibility for themselves. Representative disruptive vendors include Okta, CyberArk, SailPoint, BeyondTrust, and ForgeRock. ■ Security Analytics: Regardless of paradigm, we believe security event data still need to be collected, stored, and correlated, and therefore we see security analytics as architecture agnostic. We are positive on Splunk, having initiated with an Outperform rating, $80 target price, representing 19% upside potential. ■ Application Security: If the programmatic code itself is well constructed without vulnerabilities, the surface area for attack is greatly reduced. As application workloads are increasingly transient, it is important security be embedded within the apps themselves. We see value in companies such as CA’s Veracode, Qualys, and WhiteHat Security.

Cybersecurity 9 5 September 2017

Ultimately, we would argue that should there be a current opportunity to, with a clean slate, reimagine IT security in what is rapidly becoming a cloud-first world, appliance-centric perimeter defense is unlikely to be the conclusion drawn. We therefore wonder if the $11bn (forecast to rise to $16bn by 2020) network security market is ripe for displacement.

Other Firewall Tailwinds to Slow In addition to the overarching architectural challenges we believe face the firewall industry as the world transitions to cloud, we consider five further meaningful headwinds to the category:

■ Competition Is Set to Reaccelerate: A long-running theme has been easy competitive wins for new entrants versus legacy competitors. Now that Juniper has no share left to give, Cisco is getting its act together, and product parity is upon us, we expect competition to meaningfully intensify.

Figure 9: Juniper Has Little Share Left to Donate Figure 10: Cisco Is Growing Security Rapidly 4Q rolling sum as share of total UTM and Firewall market Cisco Firewall & UTM y/y, quarterly, %

80% 60%

70% Others 40% 60% Juniper 23% 50% 20% 40% 0% 30% Cisco Fortinet 20% -20% 10% Palo Alto -40% 0% Check Point 2002 2004 2006 2008 2010 2012 2014 2016 2003 2005 2007 2009 2011 2013 2015 2017 Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

■ Changing Dynamics in the Cloud: Cloud transitions mean short-term revenue headwinds that hold value for investors in terms of greater Customer Lifetime Value (CLTV). We are concerned network security investors are unprepared for a revenue headwind, and moreover, we expect this transition to be deflationary. While transitions that consolidate adjacencies can be price accretive, we worry that virtualizing firewall disaggregates adjacencies and expect price pressure in the transition to a metered model (greater price transparency, opportunity for better capacity utilization, and lowered switching costs).

Cybersecurity 10 5 September 2017

Figure 11: Virtualizing Firewall Disaggregates the Figure 12: Consuming firewall either by subscription Combined Hardware/Software Model or on-demand reduces excess capacity Traditional revenue model (not to scale, for illustrative purposes only) Conceptual traffic patterns and savings, for illustrative purposes only

Maintenance/support Subscription Saved in Subscription pricing model

front Saved in cloud virtual pricing model

Up product costproduct

Hardware portion of product Year 1 2 3 4 5 Jan Jan Mar Apr Source: Credit Suisse Research Source: Credit Suisse Research

■ TAM Expansion Is Finite: The revenue preservation strategy of platforming is limited by what remains to be consolidated onto the next-generation firewall and the ceiling for consolidated product demand. We believe years of easy consolidation are likely at an end and, therefore, so are the vendor benefits of feature consolidation: (1) TAM expansion, (2) attach tailwind, (3) unit gravity. In addition, the relative scale of whatever might be consolidated is much smaller than in the past due to the overall TAM having already become significantly larger.

Figure 13: Many Point Solutions Have Already Been Figure 14: UTM/NGFW already Accounts for in Consolidated onto NGFW Excess of 50% of the Security Appliance Market Size of bubble represents size of TAM (not to scale, for illustrative Security appliance market share by revenues purposes only)

Firewall

Number of features consolidated 18% Core Firewall Unified Threat & VPN Management Core & WAF (includes Next & IDP IPS 12% Generation Firewall 52% Core & VPN & AV Firewall) Firewall & WAF & DLP Core & VPN & IDP Firewall & WAF 16% Core & VPN Firewall Content Management Time

VPN Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

■ SSL Decryption Is Not the Tailwind People Anticipate: Enterprises have been upsizing to appliances with higher throughput in order to decrypt rising levels of SSL encrypted traffic. We expect this tailwind to taper as the rate of increase in encrypted traffic decelerates. Furthermore, we expect an increasing amount of decryption to be done off-box by visibility appliances available from the likes of Gigamon and Metronome (now Symantec).

Cybersecurity 11 5 September 2017

Figure 15: Around 75% of browsing time is spent on Figure 16: The Majority of Traffic Occurs Within the SSL encrypted sites on Chrome Same Datacenter and Doesn't Require Encryption Chrome browsing patterns Traffic distribution

Data center to user Percentage of pages loaded 90% 83% over HTTPS in Chrome 81% 78% 80% 75% Time spent browsing SSL 73% 14% encrypted sites on Chrome 70% Data center to data 70% center 74% 71% 70% 9% 68% 60% 66% 60% 50% 57% 57% 54% 77% 40% 45% 46%

30% Within data center Mar '15 Jul '15 Nov '15 Mar '16 Jul '16 Nov '16 Mar '17 Jul '17

Source: Google, Credit Suisse estimates. Source: Cisco VNI, Credit Suisse estimates.

■ Shifting Spend from Protection to Detection and Response: As enterprises have been conditioned to accept the inevitability of breaches despite investment in protection, there has been a shift in security budgets to detection and remediation capabilities. We expect that this shift continues and will be a disproportionate headwind for network security players despite many having elements of detection and response in their portfolios.

Figure 17: Enterprise Security Spend Shifting Figure 18: EDR Market Forecast to Grow ~17x the Rapidly to Detection & Response EPP Market % of Enterprise IT Security Budget Dedicated to Detection & Endpoint Detection and Response (EDR) market vs Endpoint Response Protection Market (EPP)

70% 6,000 2013-2020 CAGR = 29.2% 60% 60% 5,000 50% 1,540 EDR 50% 1,236 4,000 993 39% 238 797 40% 640 30% 3,000 30% 23% 2,000 18% 3,509 3,600 EPP 20% 13% 3,166 3,249 3,333 3,420 10% 1,000 10%

0% 0 2015 2016 2017 2018 2019 2020 2013 2014 2015 2016 2017 2018 2019 2020 Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research. Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research.

Cybersecurity 12 5 September 2017

Stock Calls Ratings Driven by Negative Category View Given our negative category view is a significant driver of our stock ratings, PANW (Underperform, TP:$125, 14% downside), FTNT (Underperform, TP:$33, 14% downside), CHKP (Neutral, TP:110, 1% downside), we have attempted to contextualize the exposure to each headwind that results in heterogeneous risk. This analysis highlights the differentiated exposure to each risk factor. On an aggregated basis, we believe Check Point to be the best positioned, and Fortinet the worst, to deal with the sector headwinds we have isolated.

Figure 19: Relative Exposure to Sector Risks Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Architectural Shift to Cloud ◔ ◑ ◕ Cisco increasingly competitive ○ ◕ ◑ Juniper has little share left to give ○ ● ◔ Cloud transitionary headwinds ◔ ◑ ◑ TAM expansion ◑ ◑ ● Competition in the mid market ◑ ○ ● Carrier Exposure ◔ ◑ ● Total ◔ ◑ ◕

Source: Credit Suisse Research.

Substantial Nuance in Firewall Valuation Broad conclusions from our deep-dive, holistic valuation work are as follows:

■ PANW Looks Misleadingly Cheap: On EV/UFCF, both Palo Alto Networks and Fortinet appear inexpensive. Given higher relative growth expectations for PANW & FTNT, the fact they trade in-line with CHKP is optically attractive. However, adjusting out SBC (broadly accounting for the fact some cash would have had to have paid in lieu of stock to retain talent) and adjusting for the change in LT deferred revenue shows FTNT and particularly PANW to be more expensive than CHKP.

Cybersecurity 13 5 September 2017

Figure 20: Valuation Matrix

CHKP PANW FTNT Absolute Valuation Analysis NTM CY18 NTM CY18 NTM CY18 Absolute Valuation Analysis CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples Cash Flow Statement Multiples EV/UFCF 13.0x 12.5x 11.6x 10.6x 14.5x 12.7x EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x EV/UFCF Adjusted for SBC 14.2x 13.6x 41.3x 38.4x 25.8x 21.6x EV/UFCF Adjusted for LT Deferred 13.6x 13.2x 18.0x 15.0x 23.2x 19.8x EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x EV/UFCF Adjusted for SBC & LT Deferred 14.9x 14.5x n/a n/a 78.5x 56.4x Income Statement Multiples EV/Sales 7.0x 6.7x 4.7x 4.3x 3.2x 2.9x EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x EV/Non-GAAP Operating Income 13.0x 12.4x 8.1x 7.3x 18.3x 16.1x Non-GAAP P/E 19.4x 18.9x 40.6x 36.0x 33.1x 29.8x EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x GAAP P/E 21.3x 20.1x -48.2x -46.9x 70.7x 60.0x Recurring Revenue Multiples Income Statement Multiples EV/Recurring Revenue 10.2x 9.7x 7.2x 6.3x 5.1x 4.6x EV/Subscription Revenue 25.9x 23.2x 14.0x 13.4x n/a n/a EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x EV/Maintenance Revenue 16.9x 16.7x 16.5x 15.2x n/a n/a

EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x

Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x

GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x

EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x

Source: Company data, Credit Suisse estimates.

Cybersecurity 14 5 September 2017

PANW: Our Take on the Key Debates Initiating Coverage with Underperform Rating and $125 Target Price Despite being one of the most disruptive innovators of the security industry, we believe investors are overly optimistic regarding Palo Alto Networks’ ability to sustain above- market top-line growth rates. We believe this is a great company with great management but not a great stock at current levels.

Key Debates: ■ How Long Can PANW Outgrow the Market? At present, consensus expectations call for PANW to outgrow the firewall market by a factor of 2x. Can this be sustained at scale?

■ How Big of a Growth Driver Can Subscription & Support Be? With a compelling platform strategy, subscription is an important revenue driver. As share gains contribute less at scale, how large is the attached and unattached subscription opportunity?

■ How Material Is the Refresh Opportunity? Management guidance and model mechanics point toward a refresh opportunity in 2H17 and FY18. We think sizing this opportunity is an important debate for investors.

Our Takes: ■ Growth Expectations Are Too Optimistic: Past performance isn’t an indicator of future success. We think PANW enjoyed a perfect storm of tailwinds as it grew; now these

tailwinds are abating, or becoming headwinds. In addition, PANW appears highly exposed to the sector headwinds (architectural and otherwise) we believe face firewall incumbents.

■ Remaining Subscription Headroom Unclear: Attached products (e.g., Global Protect, WildFire) appear highly penetrated, but there remains headroom for unattached. However, we think subscription is largely tied to physical box sales, and unattached is too small to move the needle.

■ The Refresh Cycle Is Less Supportive than Some Presume: We think the refresh cycle is potentially less of a support (20-30% vs 50% of product) than some in the market believe and believe a bull case constructed off the refresh dynamic to be overly optimistic.

Risks to Our Takes: ■ Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity and has showed willingness to deploy it in a transformational manner when reportedly bidding upward of $3 billion for Tanium in fall 2015.

■ Strength and Resilience of Financial Model: The overall execution of the transition to a subscription-based model may prove more successful than anticipated and could provide access to the >$8 billion CLTV expansion opportunity that management estimates.

■ Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could become a potential target for a strategic buyer seeking to consolidate the market.

Estimates: ■ Revenue and EPS: We forecast FY18E/FY19E revenue growth at 21%/17% vs the consensus at 22%/19% and EPS of $3.29/$4.09 vs the Street at $3.30/$4.12.

■ Cash Flow: We forecast 7.5% FCF 10 year FCF CAGR through 2027E.

■ Refresh Cycle: We model a ~5.5 year refresh cycle.

Valuation: ■ DCF: Our $125 target price is based on our DCF analysis, implying 15% downside and 20x post-tax SBC adjusted EV/uFCF (CY2019) vs CHKP at 16x and FTNT at 18x.

Cybersecurity 15 5 September 2017

Key Charts

Figure 21: PANW Benefited from a Perfect Storm of Figure 22: ...The Market Expects PANW Billings to Factors and Has Taken Substantial Market Share… Continue to Outgrow Competitors and the Market …

80% 80% PANW CHKP FTNT Others 70% 60% 60% Juniper Fortinet 50% 40% 40% Check Point 30%

20% Cisco 20% 10% Palo Alto 0% 0% Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018 2002 2006 2010 2014 Source: IDC, Credit Suisse Research. Source: Factset, Credit Suisse Research.

Figure 23: …However, Management Guidance Figure 24: …Refresh Cycle and Rate Assumptions Implies Its Refresh Cycle Has Lengthened… Sensitivity Show Diminished Refresh Opportunity… 8 Refresh cycle guidance range Refresh rate assumption (%) Midpoint 80% 85% 90% 95% 100% 7 38% 40% 42% 45% 47% 4.0 31% 33% 35% 37% 39% 6 4.5 27% 29% 30% 32% 34% 5 5.0 23% 25% 26% 28% 29% 5.5 4 19% 21% 22% 23% 24% 6.0 3 15% 16% 17% 17% 18% 6.5 2 9% 10% 11% 11% 12% Average Refresh (y) 7.0 2013 2014 2015 2016 2017 2017 Source: Company Management, Credit Suisse Research. Source: Credit Suisse Research.

Figure 25: …The Tailwind from Support Is Challenging to Increase at the Same Rate… Figure 26: …with Valuation Highest (Adj. for SBC)

FTNT PANW CHKP 40x EV/UFCF, NTM 37.8x 50% EV/UFCF Adjusted for SBC, NTM 30x 45% 19.2x 20x 16.4x 40% 14.9x 12.2x 13.8x 10x 35%

30% 0x 2008 2009 2010 2012 2013 2015 2016 CHKP FTNT PANW

Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse estimates.

Cybersecurity 16 5 September 2017

FTNT: Our Takes on the Key Debates Initiating Coverage with Underperform Rating and $33 Target Price We respect Fortinet as an innovative vendor that provides exceptional products and an integrated platform offering few competitors can match. Successes in hardware, however, may not translate into the cloud, and FTNT faces the most risk from sector headwinds.

Key Debates: ■ Is Exposure to SMB a Positive? The SMB market is growing rapidly as agnostic attacks threaten SMBs more than ever (e.g., ransomware) and regulation enforces greater controls and accountability (GDPR for instance). Is FTNT's exposure here attractive?

■ How Does Competitive Advantage Translate to Cloud? As the virtual form factor becomes an increasingly important method of consumption, debates surround whether FTNT will retain its silicon-based competitive advantage in the cloud.

■ Is Carrier Market Exposure a Blessing or Curse? FTNT's success in the carrier market has been a blessing in the past, while now investors are debating if this will continue.

Our Takes: ■ Despite Growth, Competitive Pressures Render SMBs Unattractive: In addition to lower renewal rates, the SMB market is increasingly fragmented and competitive, and we

think these dynamics apply pricing pressure to vendors operating in this end of the market.

■ Silicon Isn’t a Competitive Advantage Anymore: We struggle to see how the competitive advantage bestowed by superior silicon can be sustained as successfully in the cloud.

■ Carrier Market Rapidly Virtualizing: We are concerned FTNT's ~20% carrier billings may mature into a curse. Our field conversations underline that the carrier market is virtualizing rapidly, and we think this may cannibalize appliance demand.

Risk to Our Takes: ■ Legendary Leadership: We view the dual leadership of Fortinet by Ken and Michael Xie, CEO and CTO, respectively, to be a key strength. Given the brothers' track record of disruptive innovation in the space, we don’t count out their ability to re-adapt FTNT's strategy beyond the successful formula of the past five years.

■ Transformative M&A: We estimate FTNT could deploy as much as $4bn for transformative M&A, albeit lower than peers (60% less than CHKP and 20% less than PANW). This still represents non-trivial balance sheet capacity.

■ Becomes a Strategic Target: Given its relatively small market cap, FTNT could represent a potential target for a strategic buyer.

recognize Estimates: ■ Revenue and EPS: We forecast FY17E/FY18E revenue growth at 17%/11% vs the consensus at 17%/15%, with EPS of $0.94/$1.10 in FY17E/ FY18E vs Street estimates at

$0.95/$1.14.

Valuation: ■ DCF: Our discounted cash flow analysis yields a target price of $33, implying 14% downside risk and an FY18E EV/uFCF (SBC adj.) of 13.5x.

■ Relative Valuation: Expensive on an absolute basis but less so once adjusted for growth, we think of PANW as in between CHKP (best) and PANW (worst) on valuation.

Cybersecurity 17 5 September 2017

Key Charts

Figure 27: Highly Exposed to the SMB Market… Figure 28: ...Which Remains the Most Competitive Fortinet 2016 Revenue Exposure by server class Herfindahl-Hirschman Index, 4Q moving average

0.25 High-end High-end Midrange 0.20 Volume 20%

0.15

FTNT 56% 0.10 Volume 24% Midrange 0.05

0.00 2002 2005 2008 2011 2014 Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

Figure 29: FTNT Most Exposed to Sector Risks…. Figure 30: …with an Elongating Refresh Cycle US$ in millions, unless otherwise stated US$ in millions, unless otherwise stated

Check Point Palo Alto Networks Fortinet Who is best equipt to deal with… 35% 4 years CHKP PANW FTNT 4.5 years Architectural Shift to Cloud 30% ◔ ◑ ◕ 5 years Cisco increasingly competitive ○ ◕ ◑ 5.5 years 25% Juniper has little share left to give ○ ● ◔ 6 years 20% 6.5 years Cloud transitionary headwinds ◔ ◑ ◑ 7 years TAM expansion ◑ ◑ ● 15%

Competition in the mid market ◑ ○ ● 10% Carrier Exposure ◔ ◑ ● 5% Total ◔ ◑ ◕ 2008 2010 2012 2014 2016 Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Figure 31: Less Balance Sheet Capacity… Figure 32: …Valuation in Middle vs Firewall Peers US$ in millions, unless otherwise stated EV/uFCF adjusted for SBC, and Non-GAAP P/E 50x $12bn EV/uFCF Adjusted for SBC, NTM 44.2x Non-GAAP P/E, NTM $9.9bn 38.8x $10bn 40x 37.8x

$8bn 30x $6bn $5.4bn 20.5x 19.2x $4.0bn 20x 16.4x $4bn

$2bn 10x

$0bn 0x CHKP PANW FTNT CHKP FTNT PANW Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Cybersecurity 18 5 September 2017

CHKP: Our Take on the Key Debates Initiating Coverage with a Neutral rating and an $110 Target Price While we view transitionary challenges as a negative influence on the category as a whole, Check Point excels over peers in nearly every major identifiable headwind and is thus our preferred firewall play.

Key Debates: ■ Is the Product Line-up Competitive? How does Check Point's solution stand up to those of PANW, which has aggressively grown share?

■ Where Are Margins Heading? While Gross Margins have held up, operating margins have been trending downward since 2012, with sales & marketing spend rising.

■ How Prepared Is CHKP for the Architectural Shift? As security shifts from physical appliances to virtual ones, uncertainty surrounds the scalability and performance of legacy security companies and their products in cloud architecture.

■ What’s the Value of CHKP’s Substantial Idle Cash Balance? CHKP’s total cash & equivalents are 20% of its market cap, which, undistributed or reinvested, may appear to be lost opportunity for greater returns.

Our Take: ■ Recognized Offerings, with a Fully Integrated Management Console: We believe Check Point's solutions in the Enterprise Network Firewall and UTM space are among the

best, while CHKP management console's ability to implement a unified policy across the entire infrastructure provides a point of differentiation against rivals.

■ Margins Are Optimized: While we recognize management's long-term value creation and superlative discipline against competitive pricing pressures, we see Check Point's margin structure at peak and see limited opportunities to expand it further.

■ Management Has Adapted Successfully in the Past: We take confidence in the fact that CHKP already transitioned from software to hardware in the mid-2000s, and we believe that the experience will prove advantageous in the reverse as the industry moves away from hardware and toward cloud-based solutions.

■ Large Acquisition Capacity Will Be Major Strategic Advantage: We estimate CHKP has $9.7 billion of total firepower (2.3x FTNT’s capacity and 1.8x PANW’s), which we believe is strategically significant.

Risks: ■ Successful Transition Not Guaranteed: Strong management notwithstanding, CHKP has ceded 337bps of market share since its peak in 2012 of ~12%. ■ Management May Be Conservative with Cash: We note that management has amassed a cash pile and not yet unleashed it for transformative acquisitions, which might indicate conservativeness and unwillingness for relatively large deals.

Estimates: ■ Revenue: We forecast FY17E/FY18E revenue growth at 7.5%/7.5% vs the consensus at 7.5 %/7.0%, respectively.

■ EPS: We forecast FY17E/18E EPS of $5.18/$5.66 in-line with Street estimates at $5.18/$5.67, respectively.

Valuation: ■ DCF: Our discounted cash flow analysis suggests a target price of $110, implying 1% downside potential and 14.5x EV/uFCF (2018).

Cybersecurity 19 5 September 2017

Key Charts

Figure 33: CHKP Has Lost Share Since 2012… Figure 34: ...but Margins Have Remained High 4Q rolling sum as share of total UTM and Firewall market Reported Adjusted Operating margin

80% 65% Adjusted operating margin 70% Others

60% 60% Juniper 50%

40% Cisco Fortinet 55%

30% Palo Alto 20% 50%

10% Check Point

0% 45% 2002 2004 2006 2008 2010 2012 2014 2016 2003 2009 2015

Source: IDC, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Figure 35: Better Placed for Sector Risks Figure 36:Significant Cash Balance Exposure to Sector Headwinds Cash (onshore and offshore) as a % of market capitalization

Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Cisco Systems Inc 44% Architectural Shift to Cloud ◔ ◑ ◕ Apple Inc 29% Cisco increasingly competitive ○ ◕ ◑ Oracle Corp 27% Juniper has little share left to give ○ ● ◔ Check Point 23% Cloud transitionary headwinds ◔ ◑ ◑ Microsoft Corp 20% TAM expansion ◑ ◑ ● Intel Corp 18% Competition in the mid market ◑ ○ ● Alphabet Inc 14% Carrier Exposure ◔ ◑ ● Qualcomm Inc 4%

Total ◔ ◑ ◕ 0% 10% 20% 30% 40% 50%

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Figure 37: Balance Sheet Can Be Unleashed.. Figure 38: …Valuation Cheapest vs Peers Assuming 3x leverage, Balance Sheet capacity vs Peers Valuation Analysis on EV/FCF basis

$12bn 40x EV/UFCF, NTM 37.8x $9.9bn EV/UFCF Adjusted for SBC, NTM $10bn 30x $8bn 19.2x 20x 16.4x $5.4bn 14.9x $6bn 12.2x 13.8x $4.0bn $4bn 10x

$2bn 0x

$0bn CHKP FTNT PANW CHKP PANW FTNT

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Cybersecurity 20 5 September 2017

Structural Thesis Cybersecurity is Secular Growth Data Are of Enormous Value, and Thus Deserving of Expensive Protection This is not a new phenomenon; consider the Domesday book2, the perceived value of the data it contained was such that when not travelling with the King, it was housed in the royal treasury in Winchester, arguably the most secure location in the British Isles. Later it was kept in an iron clad chest with three locks, the keys to which were divided amongst three officials such that its opening required mutual consent. As data have increasingly become stored in soft, rather than hard form, the security surrounding it has naturally moved from physical walls and guards to their digital equivalent. A digitized Domesday book should exist encrypted and backed up in a hardened Oracle database with security controls activated, in a server located behind a NGFW, segmented from east-west traffic on the corporate network via internal firewalls, separate from the web server (which itself should be protected with a WAF to protect against the injection of SQL queries), there should be honeypots to throw off potential attackers and a full-time security monitoring team should be ensuring the health of the network at all times. Of course, the point is that the modern day enterprise is an agglomeration of digitized assets, and is therefore in need of protection. From a structural standpoint, the enterprise demand for protection increases as a function of three variables: (1) the volume, (2) the value of digitized data, and (3) the threat of its compromise. In 2016, CISOs deemed the aggregate value of digital assets such that c$75bn was spent on its protection.3 We are of the view that continued increases in the volume and value of data and an unabating cybercrime wave drive a secular increase in Security Software spending that will outpace the prevailing forecasts of the market and industry analysts.

Figure 39: IDC Forecast IT Security Vendor Revenue to Grow 7.6% Through 2020

2016-2020 7.6% $48,525m CAGR

Messaging 1.7% 2,732 Security

5.9% $36,240m 7,471 Web 5.7% Security

2,190 9,141 Identity and Access 8.4% $26,663m 5,410 Management

5,914 1,738 10,064 Security and 11.5% 3,618 Vulnerability

2,889 8,652 Endpoint 3.9% 7,715 Security 16,072 11,297 Network 6,713 Security 9.2%

2010 2016 2020 Source: Gartner, Credit Suisse Research

2 A manuscript comprising a great inventory of England and Wales commissioned by William I and completed in 1086. The Saxon Chronicle explained this exhaustive 'great survey' 'there was no single hide, nor yard of land nor indeed … one ox nor one cow nor one pig which was there left out, and not put down in his record.' 3 IDC Semiannual Security Spending Guide, Oct 12; includes software, hardware and services

Cybersecurity 21 5 September 2017

Data Are Increasingly Valuable to the Firm Increasingly, the firm's most valuable asset is its data. As recognition of this continues to take hold, we think firms will measure the value of their data more rigorously, learning not only it is more valuable than they currently perceive but also that it is increasing in value more rapidly than they appreciate. A greater enterprise understanding of the value of its data assets will result, we think, in greater propensity to spend on its protection. CEO Ginni Rometty of IBM eloquently connected data and cybercrime earlier this year at the Security Summit in New York, where she said, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world." The HBR agree, describing most modern organizations as data-driven to some degree and seeing data becoming 'a centerpiece of corporate value creation more generally' (Do you know what your company's data is worth? HBR). We believe there are two common components to a company's data assets:

■ Traditional Data: Customer lists, patents, budgets, plans, ideas, and other IP: these are data that for the most part existed in hard form prior to the information age, and have now been digitized. As a rule of thumb, we think about this as being stored in legacy databases, analyzed using legacy tools, and creating value in traditional ways. The IP traditional data represent are increasingly valuable. We believe that barriers to compete are decreasing across the spectrum as a result of a confluence of disruptive factors, not least the agility of cloud architecture and level of connectivity enabling immense scalability. Consider IHG and Airbnb. Originally founded in 1777, the multinational hotel group IHG operates c770k rooms globally, while Airbnb was founded in 2008 and lists in excess of 2m. In our view, proprietary IP represents an undisruptable barrier, and therefore, against a background of decreasing barriers to compete, IP will increase in value. ■ Big, Fast Data: Consider the rising volume of data (both structured and unstructured) coupled with improving availability and ability of tools to store, analyze, and ultimately monetize larger and larger amounts of data. We think about this as data existing as a result of digitization; it’s the digital exhaust of the information age. We define Big Data simply as datasets so large and unstructured that their storage, management, and analysis is beyond traditional databases and tools. We believe the amplifying cycle of (1) data creation, (2) data storage, (3) data transmission, and (4) data analytics maps onto the determinants of Big Data value. We believe this virtuous data cycle as one of the most unifying themes across the global technology space.

Figure 40: The Virtuous Cycle of Big Data Figure 41: Big Data Value Determinants

Scale/amount Data Data Different forms Analytics Creation of data of data Volume Variety The Virtuous Cycle of Big Data Big Data VALUE Velocity Veracity Data Data Data Transmission Storage Analysing streaming data uncertainty

Source: Credit Suisse Research. Source: Gartner, IBM, Credit Suisse Research.

Cybersecurity 22 5 September 2017

Putting this virtuous cycle another way, as data storage and management follows Moore's law to increasing affordability, the necessary yield from analysis of that data to justify its storage decreases; as analytics become more advanced, and transmission faster, the insight yield gained from the data increases while the exponential increase in data creation supports an ever expanding pool of potential insight. Therefore, at its most fundamental, the value proposition to the enterprise of Big Data-derived insights increases as infrastructure costs decline, the amount of data grows and analytics improves.

Figure 42: Forecast Growth in Figure 43: Unstructured Data Growth Connected Devices Greatly Outpaces Structured Data

Unstructured Data Growth 15bn +11% 28bn Growth of Data M2M: Non-cellular 2.6 +27% 10.7 Driven by Unstructured Data 88 300 % M2M and consumer electronics; cellular 0.4 +25% 1.5 Unstructured Exabytes Data Consumer electronics; non-cellular 1.6 +12% 3.1 PC/laptop/tablet 2.4 +3% 2.8

Mobile phones 7.1 +3% 8.7 80 Exabytes 12% Fixed phones 1.3 +1% 1.4 Structured Data 2015 2021

2013 2015 Source: Company Data, Credit Suisse Research. Source: Oracle, ESG Digital, Credit Suisse estimates.

We thus believe two of the three key determinants of enterprise demand for protection, the volume and value of digitized data, are rapidly growing. In addition, we believe the third determinant, threat of compromise, is also increasing.

Cybersecurity 23 5 September 2017

The Cyber Crime Wave Continues Unabated It stands to reason that as the volume and value of digital assets grow, all else equal, the yield on cybercrime increases. On the dark web, you can sell 100 credit card records for more than you can ten, and the greater the value of data encrypted, the higher the ransomware victims marginal propensity to pay for decryption. Of course there are additional variables, including the sophistication and deployment of threats and defenses. Should both of these rise in lockstep with the growth in volume and value of digital assets, it follows that the amount of successful breaches will remain static. However, upon examination, available data support a concerning conclusion: sophistication and deployment of cybercriminals is outpacing the defense; the bad guys are winning.

Figure 44: The Number of Records Lost to Data Breaches Is Increasing at an Exponential Rate

Expon. (Total Data Breaches) Hacking Accident Insider 10,000,000,000

River City 1,000,000,000 Yahoo Media

Source: Credit Suisse Research.

We make the following key observations: (1) the absolute number of records breached appears to be increasing at an exponential rate, (2) which is driven by a 21% CAGR increase in successful data breaches4 since 2011 that is accelerating (up 40% from 2015 to 2016), and (3) hacking, skimming, and phishing are behind this rapid increase (up 105% from 2015 to 2016). The balance of power appears heavily tilted toward the offense, and we continue to live in the midst of a cybercrime wave.

4 'The Identity Theft Resource Center (ITRC) defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of compromised records included in the cumulative total.'

Cybersecurity 24 5 September 2017

Figure 45: Successful Breaches Are Increasing at Figure 46: … Primarily by Breaches Due to Hacking an Accelerating Rate, Up 40% from 2015 to 2016… / Skimming / Phishing, Up 105% from 2015 to 2016 Total number of breaches Breaches by cause, %

1,200 1,093 100% Other 1,000 80% 783 781 800 656 662 60% 614 Accidental Email /Internet 600 498 471 Data on the Move 446 421 40% 400 321 Insider Theft

157 20% 200 Hacking / Skimming / Phishing

0 0% 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 Source: ITRC Breach Statistics 2005-2015, Credit Suisse Research. Source: ITRC Breach Statistics 2005-2015, Credit Suisse Research.

How Much Does Cybercrime Cost the Real Economy? In aggregate, several studies have pegged the cost of cybercrime at around half a trillion USD per annum5. This extraordinary number is roughly 0.8% of global GDP, only 10bps less than the annual cost of narcotic crime, and extracts roughly 15-20% of the annual economic value generated by the Internet (estimated at 2-3trn annually). Perhaps more extraordinary than the current cost is a recent report6 suggesting that, by 2019, data breaches will cost $2.1trn, a quintupling from today.

Figure 47: Cybercrime Represents a Similar % of Global GDP as Drug Crime, Piracy, and Car Crashes as Well as Just over Half That of Global Theft

Cybercrime 0.80%

Counterfeiting/Piracy 0.89%

Narcotics 0.90%

Car Crashes 1.00%

Transnational Crime 1.20%

Pilferage 1.50%

Source: MIT Technology Review, Credit Suisse Research.

According to Gartner, the global market for IT security software, hardware, and services reached approximately $76 billion in 2015. Although this level of spending has increased meaningfully in recent years, $76 billion in annual spending accounts for less than 20% of the $400 billion in total damage inflicted from hackers each year, a price most people, companies, and governments are willing to pay. As a result, we expect the increase in IT security spending to continue to outpace overall IT budget growth, given these solutions can reduce the potential financial losses stemming from breaches of critical systems and the loss of valuable data and information.

5 Net Losses: Estimating the Global Cost of Cyber Crime (see here) 6 The Future of Cybercrime & Security: Financial and Corporate Threats & Mittigation (see here)

Cybersecurity 25 5 September 2017

Which Country Gets Hacked the Most? As indicated in research from security firm mi2g Intelligence, the United States is the most hacked country in the world, and the scale of international theft of U.S. intellectual property (IP) alone is unprecedented and is estimated at hundreds of billions of dollars per year, in the order of the size of U.S. exports to Asia. On September 24, 2015, Chet Nagle, a former CIA agent and current vice president of M- CAM, wrote an article in the Daily Caller, stating, “At FBI headquarters in July, the head of FBI counterintelligence, Randall Coleman, said there has been a 53% increase in the theft of American trade secrets, thefts that have cost hundreds of billions of dollars in the past year. In an FBI survey of 165 private companies, half of them said they were victims of economic espionage or theft of trade secrets—95% of those cases involved individuals associated with the Chinese government.” The effect of IP theft is twofold:

■ Lost Revenue: Rewards that should have accrued to innovators, or those who have purchased licenses to provide goods and services based on them, as well as of the jobs associated with those losses, and,

■ Incentive Misalignment: Illegal theft of intellectual property undermines both the means and the incentive for entrepreneurs to innovate, which could slow the development of new technologies and industries.

How Much Does Cybercrime Cost the Enterprise? Perhaps more digestible than big numbers is to think about the average cost per breach to the enterprise. Studies such as the Ponemon Institute's Cost of Data Breach survey show the average breach cost to be around $4m, comprised of detection, response, notification, and (the lion's share) lost business.

Figure 48: A Breach Costs an Average of $4m

7.01 Notification costs Ex-post response costs 5.01 4.98 Detection and escalation 4.72 4.61 3.95 Lost business costs 3.31 3.27 2.49 1.93

1.87 1.6

Italy

USA

India

Brazil

Japan

France

Canada

Australia

Germany

Middle East SouthAfrica

Source: Ponemon Institute 2016, Credit Suisse Research.

It’s interesting to note the substantial regional skew; the average breach in the United States costs more just in lost business costs than the aggregate average breach in the United Kingdom. Globally, the average data breach costs $160k in notification costs, just over $1m for ex-post response, just over $1m for detection and escalation, and c$1.5m in lost business costs.

Cybersecurity 26 5 September 2017

Ponemon annual survey data are consistent with our thesis that as the value of data continues to increase, the costs of breaches are rising (up 29% to $4m in 2016 from 2013). Also consistent with our thesis that data volume is also increasing, per capita cost increased 15% from 2013, implying the average number of records breached is increasing. Encouragingly, however, it appears that the organization can take steps that have a measurable impact on the cost of cybercrime. Research by the Ponemon Institute suggests that good security practices, such as appointing a CISO, having an incident response team in place, and using encryption reduce the average cost per compromised record.

Figure 49: Organizations Can Take Actions to Reduce the Cost of Breaches Degree to which the cost per data record breached is decreased by…

Average cost per Average cost breached record: Average cost decreased $158 increased

Incident response team -10% Extensive use of encryption -8% Employee training -6% Participation in threat sharing -6% BCM involvement -6% Extensive use of DLP -5% CISO appointed -4% Board-level involvement -4% Data classification schema -3% Insurance protection -3% Provision of ID protection 2% Consultants engaged 3% Lost or stolen devices 3% Rush to notify 4% Extensive cloud migration 8% Third party involvement 9%

Source: Ponemon Institute 2016, Credit Suisse Research.

Why Are the Attackers Winning the Cyber War? We think a war is won by the weapons used (think of the atomic bomb), or as a result of the landscape changing (think of the Germans dealing with the onset of Russian winter on the Eastern front). The cyber war is no different, except the weapons are in bits and bytes and the landscape is the IT architecture. In our view, the cyber arms race is being won by cybercriminals, and the shifting landscape increases the cyber-attack surface they can target.

■ Weapons Arms Race Simply the fact that attacks are increasing in size and frequency even as security spend increases implies malicious innovation is outpacing benevolent innovation. We think a confluence of factors are contributing to the success of cybercrime: − Increasing Yield Translates to Increasing Sophistication: We believe the value of volume of data is increasing, meaning the yield on investment in malicious innovation is rising. We think this results in enhanced investment, increasing the volume of attempted attacks (Symantec witnessed a two-fold increase in attempted attacks against IoT devices over 2016, and at times of peak activity, the average IoT device was attacked once every two minutes) and increasing attack sophistication. (In-memory attacks are rapidly increasing in incidence.)

Cybersecurity 27 5 September 2017

− Barriers to Entry Decreasing: The cost of developing code and technology to mount attacks has fallen from millions of dollars to the tens of thousands; this significantly reduces the barriers to entry for conducting such attacks. Internet security firm Trend Micro reports this trend in its Russian Underground 2.0 research paper: the cost of spreading malware to 1,000 computers in the United States had reportedly fallen from $100-150 in 2011 to as low as $40 by 2015. − Attack Velocity Increasing: The lifespan of 82% of malware is less than an hour, and 72% of threats surface but once, according to FireEye. This is the result of inexpensive crypting services available on the dark web that can take pieces of malware, scan them against all available signature-based detection agents, and iteratively perform custom encryption routines until the malicious nature of the code becomes all-but undetectable. This state is known on the dark-web as fully undetectable, or FUD for short, ironic given the fear, uncertainty, and doubt (FUD) marketing tactics employed by so many in the security industry. We think a greater payoff combined with diminishing barriers to entry and increasing velocity explains the efficacy of cyber defenses being outpaced by volume and sophistication and volume of attackers. It seems clear, both from a logical and anecdotal standpoint, that pernicious attacks that attract substantial publicity are likely to act to increase budgets. We believe that as long as the problem set outpaces the solution set, the aggregate market will remain in growth mode. For more information on hacking, hackers, and cyber threats, please refer to Appendix III, ‘Who are those guys?’

Figure 50: Anecdotal Evidence Suggests Attacks Figure 51: Barriers to Entry Diminishing—Cost per Such as Wannacry Positively Affect Security Budgets Malware Click Through Is Decreasing

300

$250 250

$200 200

$150 $150 150

$100 100 $120 $100 $100 $90 50 $40 0 2011 2012 2013 2014 2015

Source: Linkedin.com. Source: Trend Micro, Credit Suisse Research.

Cybersecurity 28 5 September 2017

Figure 52: Software SoundBytes Regarding Cybercrime

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Cybercrime

“People are realizing that there is no silver bullet. All these different threat detection techniques solve some problems, and not others”

“You have an explosive growth in devices that need protecting within the network. Incidents are increasing – ransomware increased 300% from 2015-2016 with nearly 4k attacks each day…”

“Very basic tactics continue to be used – many attacks aren’t at all sophisticated! All it takes is basic blocking to prevent 99.9% of attacks.”

“The key is you need to know what is on the network to protect the network. Tanium’s hygiene checks found the average environment had 12-20% more endpoints than previously known; 5-20% of these had failing or non-existent endpoint agents, 60% were missing critical patches, and 90% missing at least one patch.”

“Hacking is a multi-billion dollar per year business– its industrialized … they can buy top of the line stuff”

“Hackers are getting more strategic, initially they spent the most of their time focusing on large institutions, now they are industrializing and automating themselves into smaller businesses, and we are seeing lots of ransomware attacks infecting SMBs.”

Source: Credit Suisse Research.

■ Landscape Is Changing The conventional approach to network security has been to build a tall, thick wall around the corporate network, in which sat the corporation’s valuable data. Currently, virtually every enterprise defense begins with this strong first line; the walls have been built high with on-premise bricks of NGFW, SWG, and IPS. This IT architectural paradigm had a defined attack surface (the sum of attack vectors), which generally could be understood and defended. As workloads are moved into the cloud, the corporate network inverts and becomes hard to define. The growing reliance on cloud services should be an area of substantial concern for enterprises, as ultimately it results in a rapidly expanding attack surface. − Attack Surface Expanding: Cybersecurity Ventures forecasts the cyber-attack surface will grow an order of magnitude larger through 2021. (See here.) As workloads move to the public cloud, data are stored outside the enterprise datacenter; as mobile devices and remote working proliferate, the centrality of the corporate network decreases. Ultimately, the attack surface expands, presenting a greater space in which adversaries can maneuver. − Information Asymmetry: Securing the environment must be predicated on an understanding of the environment. Thus it is of concern that Symantec found the average organization is using ~900 cloud applications (up 10% y/y) but the average CIO believes their organization uses between 30 and 40. The information asymmetry of shadow IT results in unknown unknowns makes accurate risk assessment challenging and reduces the purview of the information security team.

Cybersecurity 29 5 September 2017

Figure 53: Software SoundBytes Regarding the Move to Cloud

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Cloud transition

“It’s the third time in my career I have seen this shift—first it was mainframe, then ASP, now cloud.”

“On the cloud more generally, we don’t see the Fortune 500 decommissioning data centers. Instead, their adoption of cloud is mostly adding compute rather than displacing existing workloads.”

“For us, public cloud is not necessarily a replacement; often it's an addition. So now what's in question is how the company is managing its data flow.”

“No company wants to buy hardware or software anymore. So the majority of companies predominantly are extremely hesitant to commit to a solution. They are okay with purchasing as an operational expense—subscription.”

“It is not necessarily true that running workload on Amazon is very cheap, for example if you are running substantial DevOps workloads on Amazon once a day the cost saving is more a perception.

“The fundamental change has been the mindset, for a very long time people looked at their infrastructure like: I have these segments in my network, so I need these pieces and then I’m done. People understand you aren’t set, because of the speed of change; the cycle is much shorter than typical refresh, so this drives mindset of not buying solutions that will be obsolete in 5 years.”

“Everyone is doing something in the public cloud… In the public cloud you have to build from bottom up, rather than try to retrofit… Everything is becoming virtualized, think about software defined networking, software defined data center, et cetera”

“Everyone is using their own data centers and also using AWS … everyone has a multi-cloud strategy… they have to play AWS off against GCP and GCP against Azure for pricing reasons.”

“Cloud a few years ago was a VM, some storage, maybe a virtual database, maybe a load balancer – now look at what the amazon menu looks like – Try taming this tornado!”

'There is no such thing as hybrid cloud – this is something VMware and Dell and Cisco coined to fool enterprise buyers, most security vendors followed their tune and 'cloudwashed' their solutions.”

“Our experience over last few years with our very largest customers (large financials, media customers etc) is that they all have multicloud strategies – some say it’s to prevent lock-in: having already been burned once by Oracle they are fearful of being tied to one vendor. That’s one justification, but oftentimes people also want to hedge their bets when figuring out which vendor is best suited for certain use-cases, for certain apps AWS is best, for others, where there are machine learning objectives for example, GCP provides great out-of-box functionality.”

Source: Credit Suisse Research

Cybersecurity 30 5 September 2017

Securing the Cloud The Cloud Holds Great Promise, and Great Security Risk Traditional methods of IT delivery are internally oriented. (Applications run on an internal datacenter and are accessed by a demarcated sedentary workforce.) The nature of this architecture lends itself to a walled garden defense; build tall strong walls at the perimeter and defend those walls carefully.

Figure 54: Traditional Methods of IT Delivery Have an Easily Identifiable, and Therefore Defensible, Perimeter

Internet

Intranet HQ

Internal Internal Users Datacenter

Branch Office Endpoint

Source: Credit Suisse Research.

The traditional IT architecture visualized above is rapidly giving way to cloud-oriented distributed computing. Workloads are moving from defined processes executed within the on-premise datacenter to transient and abstracted virtual activities; there is less ownership, less visibility, and ultimately less control. However, the benefits are manifold; as we discuss in our Industry piece (Software: Buy Aggregation, Avoid Aggravation), we expect cloud adoption is likely to remain rapid, perhaps even surprising us by the speed at which the enterprise transitions. Gartner forecasts that 25% of corporate data traffic will bypass the corporate network entirely by 2021, enabled primarily by cloud applications and infrastructure, in addition to greater mobility (off-network work, corporate-owned laptops, branch offices, mobile devices, etc.).

Cybersecurity 31 5 September 2017

The cloud, being by its very nature distributed, starts to dissolve the concept of network perimeter. The traditional corporate network has a clearly defined, and therefore defensible, perimeter. As workloads move out of data centers to cloud environments, it becomes less clear at what point the bounds of the corporate network begin, and where they end.

Figure 55: The Perimeter Becomes More Difficult to Define in a Hybrid Cloud World

Internet

PaaS

IaaS

SaaS

Internal Internal Users Datacenter

Branch Office Endpoint

Source: Credit Suisse Research.

This has not gone entirely unnoticed by CIOs and CISOs. In our recent survey, 63% of respondents indicated they believed that public cloud environments are less secure than their internal data centers. Of the respondents, approximately 64% indicated that they would increase their security spending as they move workloads to public cloud environments. We imagine some of the opex and capex cost savings associated with the public cloud transition would shift toward IT security budget.

Cybersecurity 32 5 September 2017

Figure 56: 63% of Respondents Figure 57: 64% of Respondents Consider Public Cloud Environments Expect to Increase Their IT Spending Less Secure than Internal Data-Centers as Workloads Move to the Cloud Do you consider public cloud environments as Do you expect to increase your IT Security more secure than your internal data centers? spending if you move workloads to a public cloud?

Yes No 37% 36%

No Yes 63% 64%

Source: Credit Suisse CIO/CISO Survey. Source: Credit Suisse CIO/CISO Survey.

Our survey's findings are corroborated by Gartner, which found in its 2015-16 Security and Risk survey that security in the cloud occupies pole positions in terms of both mind and wallet share.

Figure 58: Cloud Security Holds Both Mind-Share and Wallet-Share with Enterprise Customers

Invest

Interest

Source: Gartner Security and Risk Management Summit, June 2016, “Top Take-Aways: 2015-2016 Security and Risk Surveys “, Khushbu Prata.

Cybersecurity 33 5 September 2017

Figure 59: Software SoundBytes Regarding Security in the Cloud

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Security in the Cloud

“I believe everything moves to cloud, and believe in Google’s BeyondCorp security model.”

“The paradigm is breaking, resources can be spun up and then down again before the firewall is even up and running in the cloud.”

“Typically when talking about total client security in the cloud, there are a number of security exposures that you either don’t know exist, or don’t need to worry about on premise, and vice versa.“

“I believe there will continue to be a place for firewalls in security architecture, but the definition of Next Generation Firewall will have to evolve to include microsegmentation, with capabilities from companies like Illumio and vArmour.”

“2-years ago we saw 90-95% physical appliances, today adoption of virtual appliances in small and medium sized enterprises is as much as 30-35%”

“The world is moving to ‘infrastructure as code’, and I don’t believe there is a need for Firewall or Next-Generation Firewall going forward.”

“Identity is key to security. It’s important because it drives security policy… don’t believe that Microsoft will ever cede its position in identity.”

“Like for like units are less expensive when consumed virtually … Even so, the cost of firewall vs infrastructure on smaller deployments can sometimes be a multiple of infrastructure. This is highly dependent on what workloads you are running, and where you are running them”

“Amazon works on a shared responsibility model: It takes control of the infrastructure from the Hypervisor down; everything up is customer’s responsibility. If you are ever compromised in an Amazon environment, you can’t hold Amazon accountable, but should anything go wrong that is Amazon’s fault then they aren’t allowed to sue at all. They have a Teflon view of putting legality around security. They will work with and certify third party security that can be brought into the Amazon world but only hypervisor up.”

“There is volatility in the consumption model … some of our customers don’t think that they need as much security on their premise”

“We generally recommend extending the same security controls [customers] have in place, but they’re not always fully comprehensive, so we also push for next generation solutions to fill the holes. The most common solution here is CASB.”

“What I like about public cloud is that workloads don’t need application protection. Plus the inbuilt firewalls provided by Azure and AWS are good enough for most people”

Source: Credit Suisse Research.

Cybersecurity 34 5 September 2017

Spend Unlikely to Continue to Coalesce Around the Network The question naturally becomes, where does this expanded budget manifest itself? Many expect it to remain coalesced around the network and that firewall will remain an integral part of the security stack. However, we believe that agile IT requires a new agile security approach and that a reallocation of spend away from the perimeter is likely.

Figure 60: Spend Has Historically Coalesced Around the Perimeter, as Reflected by the Cumulative Market Capitalization of the Three Key Firewall Vendors Cumulative Market Capitalization over time

$40bn Palo Alto Networks Fortinet Check Point

$30bn

$20bn

$10bn

$0bn 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 Source: Thomson Reuters Datastream, Credit Suisse estimates.

As enterprise data centers shift from rigid structures, with clearly defined perimeters and boundaries, to become perimeter-less and software-defined, we believe traditional security fails to address the agility, elasticity, and dynamism implicit to the cloud paradigm. If you can deliver an application and run it in five minutes, you need to have the same flexibility with the security surrounding the application; you can’t wait for the InfoSec team to write custom rules and deploy a firewall. Netflix, for example, spins up 4,000-5,000 new servers every Friday night. We believe it has to be able to protect these workloads in an agile fashion that seamlessly scales and is priced in the same way as it buys its compute: on-demand. In this environment, we struggle to see how appliances maintain their historical relevance. In addition, as Gary Newe, F5’s director of systems engineering, has pointed out, there is a blatant mismatch between the destination of security spend and the real world attack vector. “Ninety percent of security budget is focused on the network perimeter, although only 25 percent of the attacks are focused on that point in the network.” - Gary Newe, F5’s director of systems engineering

Agile Compute Demands Agile Security In our view, the new security paradigm should mirror the new cloud computing paradigm in that it is (1) on-demand, (2) borderless, (3) without hardware, (4) consumption model pricing, and (5) scalable. Traditional hardware approaches to security (appliances) fail on each of the above accounts. Appliances require capacity planning, aren’t on-demand or scalable, are predicated on rigid hardware, and assume the existence of defined borders. We think a sub-set of innovative vendors stand to benefit; as enterprises shift from physical to virtual IT, whether public or hybrid cloud, the priorities become scalability,

Cybersecurity 35 5 September 2017

managing who is granted entry in, and dynamically protecting workloads. Ultimately, there is a need to secure applications and data and consumers of them, regardless of where either resides. Security sub-sectors we expect will remain relevant include:

■ Cloud Workload Protection Platforms (CWPP): Recognizing that server workloads differ fundamentally from end-facing endpoints, CWPPs offer network segmentation, traffic visibility, configuration and vulnerability measurement, application control, exploit prevention, and memory protection. Representative innovators include vArmour, Illumio, Dome9, CloudPassage, and Carbon Black.

■ Identity and Access: Once considered a mature market, we think identity will become increasingly instrumental and something many emerging cloud security vendors will be wary of taking responsibility for themselves. Representative disruptive vendors include Okta, CyberArk, SailPoint, BeyondTrust, and Foregerock.

■ Security Analytics: Regardless of paradigm, we believe security data still need to be collected, stored, and correlated and therefore see security analytics as architecture agnostic. We are positive on Splunk, having initiated with an Outperform rating and $80 target price, representing 19% upside potential.

■ Application Security: If the programmatic code itself is well constructed without vulnerabilities, the surface area for attack is greatly reduced. As application workloads are increasingly transient, it is increasingly important security be embedded within the apps themselves. We see value in companies such as CA’s Veracode, Qualys, and WhiteHat Security. Ultimately, we would argue that should there be a current opportunity to, with a clean slate, reimagine IT security in what is rapidly becoming a cloud-first world, an appliance-centric perimeter defense is unlikely to be the conclusion drawn. We therefore wonder if the $11bn (forecast to rise to $16bn by 2020) Network Security market is ripe for displacement.

Beware Disaggregation We are concerned by the risk of disaggregation faced by legacy vendors. (We explain how this concept underpins our thinking at length in our industry report, Software: Buy Aggregation, Sell Aggravation.) Given legacy vendors’ business models are grounded in the premise of box sale with software attach, we fear the pressures involved in disaggregating hardware from software will be painful and believe this will be a deflationary architectural shift.

Cybersecurity 36 5 September 2017

Figure 61: How We Conceptualize the Evolution of IT and Security Architecture

Source: Riverbed, Cato Networks, Zscaler, Credit Suisse Research.

We Think This Transformation Is Yet to Be Clearly Understood by the Market Our wide-ranging discussions suggest the security implications of the cloud remain to be fully understood. We generally believe Gartner offers a view into the industry consensus: 'No useful level of consensus exists on what constitutes best practices for cloud security, and as a result organizations struggle to determine which cloud control processes they should apply' (G00296116)

Cybersecurity 37 5 September 2017

Figure 62: Cloud Spend Is Forecast to Grow Rapidly Market IT Spend, US$ in billions

$350 Software as a Service (SaaS) $300 Platform as a Service (PaaS) $286bn $249bn $250 Cloud as a Service (CaaS) $206bn Infrastructure as a Service (IaaS) $200 $163bn $150 $124bn $93bn $100 $61bn $41bn $50 $28bn

$0 2012 2013 2014 2015 2016 2017 2018 2019 2020

Source: I.H.S. Markit, Credit Suisse estimates.

However, as cloud grows as a percentage of forecast IT spend, the forecast for cloud security spend share of security budget is not forecast to rise as much.

Figure 63: The Cloud Security Spending Disconnect

25% Spend on Cloud (IaaS, PaaS & SaaS) as % of IT budget

Spend on Cloud security as % of security budget 19.2% 20% 17.0% 14.4% 15% 11.8% 9.3% 10% 7.1% 11.3% 9.8% 10.6% 8.8% 7.8% 5% 6.7%

0% 2015 2016 2017 2018 2019 2020

Source: Gartner, Credit Suisse Research.

What seems clear, however, is that as the cloud continues to be adopted at an exceptional rate, the debate about how to ensure security in the cloud will only increase in volume.

Endpoint Renaissance Reflects the Dissolution of the Perimeter As of a few years ago, the corporate endpoint market has enjoyed a renaissance of sorts. Very largely the result of cloud and mobile proliferation and the expansion/dissolution of the network perimeter, endpoint security became more critical, as this is the point at which the data reside unencrypted and are prone to poor user behavior such as clicking on malicious links, and corporate data is more so than ever on devices connected to unprotected networks. In a case of motive meeting opportunity, several disruptors in the market advanced newer techniques for securing endpoints, seemingly one-upping the traditional likes of Symantec, McAfee, and Trend Micro.

Cybersecurity 38 5 September 2017

Figure 64: Innovators Have Enjoyed Revenue Figure 65:… and Substantial VC Funding on a Growth… Cumulative Basis Endpoint Security Revenues Aggregate VC investment

140 1,000 Palo Alto FireEye Carbon Black Tanium MalwareBytes Cylance Crowdstrike 120 800 100

600 80

60 400

40 200 20

0 0 2012 2013 2015 2015 2016 2011 2013 2015 2017 Source: IDC, Credit Suisse Research. Source: CBInsights, Credit Suisse Research.

Okta’s Valuation Reflects Market Hunger for Security Disruptors Okta listed at, and has maintained, an average EV/12m fwd sales multiple of 8x. We think this market optimism around one of the few listed disruptive security vendors reflects public market hunger for cybersecurity names away from firewall.

Figure 66: Okta Has Traded at an Average EV/Sales Ratio of 8x Since Listing Okta, EV/12m fwd Sales, x 10.0 Okta, EV/Sales Average, +/- 1stdev 9.5 9.0 8.5 8.0 7.5 7.0 6.5 6.0 May 2017 Jun 2017 Jul 2017 Aug 2017 Source: Thomson Reuters Datastream, Credit Suisse estimates.

Release of Cloud Products from Traditionally On-Prem Vendors Traditionally on-premise vendors have released a slew of cloud-based products aimed at the hybrid audience. Examples include BlueCoat, Forcepoint (Websense), and most recently Palo Alto Networks (GlobalProtect cloud service). We think this is reflective of the reality of the architectural shift underfoot.

Venture Investment into Cybersecurity Cyber security venture investments have been buoyant since 2013 with over 4bn USD expected to be invested this year. The buoyancy shows no sign of abating; 1Q17 was the highest Q1 on record in dollar terms and the highest quarter ever in terms of deals signed.

Cybersecurity 39 5 September 2017

Figure 67: $4bn Is Forecast to Be Spent on Financing Figure 68: 1Q17 Was the Highest Q1 on Record in Private Cybersecurity Companies This Year Dollar Terms and Highest Ever in Deals Signed Cybersecurity Annual Global Financing History Cybersecurity Quarterly Global Financing History

Source: CBinsights, Credit Suisse Research. Source: CBinsights, Credit Suisse Research.

A Number of Scaled Private Companies There are now a number of scaled private companies in the space that have received press attention suggesting intentions to come to market. Should these disruptors become public, we imagine their messaging during the listing process, and once public, will have an edifying impact on investors.

Cybersecurity 40 5 September 2017

Figure 69: Software SoundBytes on The Relevance of Network Security

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Relevance of Network Security

“Currently you still need a firewall for compliance reasons… Regulators are typically 5-7 years behind what is going on – they all say there should be a firewall - therefore firewalls are still a driver of spend, but the utility of them will reduce, it’s just the capacity conversation that will continue.”

“We see security spend leaking into different areas. For example, NGFW had good growth last year, but dropped off from 30-35% to the low 20s this year. The Next Generation Firewall is no longer a key priority, and is becoming somewhat of a commodity.”

“I really don’t think the Fortinets, Palo’s etc will be the key winners: Our customers struggle with buying security in a utility model or consumption model, their security guys don’t do well in hourly usage models”

“How you look at internal traffic is just as important as your edge traffic – for example some may have Fortinet for edge but use Palo Alto Networks for internal.”

“Is there an existing brownfield opportunity to rip out an old firewall and put in a next generation one? No that is very unlikely”

“I think pricing pressure could increase, we are seeing longer refresh cycles and pricing pressure in this refresh, primarily resulting from competition”

“The hardware/software refresh cycle will diminish overtime but it will still be around.”

“Azure/AWS [security] is good enough for some of our customers.”

“What I like about public cloud is that workloads don’t need application protection. Plus the inbuilt firewalls provided by Azure and AWS are good for most people”

“The downside risks to industry forecasts are competitive pressure, the extending refresh cycle, transitioning to hourly consumption models and workloads increasingly being protected by ‘good enough’ offerings from AWS/Azure.”

“The key areas to look at to talk about are analytics and endpoint, I have seen a clear shift away from the pure play network security conversation”

“We will never not need some degree of network capabilities … the network will become the Achilles heel to the enterprise, you still need to make sure your network is secure in a cloud world”

“We definitely think identity and encryption are higher priority than pure firewall – more of our workloads in the cloud are transactional and don’t have same user component“

Source: Credit Suisse Research.

Cybersecurity 41 5 September 2017

Specific Challenges The specific challenges faced from a security architecture standpoint depend on the type of cloud strategy employed by the firm: Hybrid Cloud – Combining Physical and Cloud Data-Centers If an organization pursues a hybrid cloud strategy in which a portion of workloads will be run on premise and a portion in the cloud, there is a need to connect the physical hardware to cloud data-center. Two main architectural options exist:

Figure 70: Hybrid Cloud Adoption Is Significant According to Gartner

40% 36%

16%

7% 1%

Yes, using since Plan to be using by Plan to be using by No plans to use Don't know 2015 or earlier year-end 2015 year-end 2017

Source: Gartner, March 2016, n=1037.

(1) Connecting a physical firewall (open IPSEC VPN connection) to a native cloud gateway (you VPN from your own premise to the cloud). This causes issues when you have datacenters in multiple locations; you need to manage multiple policies, and the on-premise firewall was not designed ground up to do this. (2) Another option is to run a physical firewall on premise and then run the same instance virtually in the cloud, connecting a VPN tunnel between the two. Most vendors (Palo, CHKP, and FTNT) allow you to run this (but it's expensive, as you need to pay for the firewall on premise and the firewall in the cloud. Again, these firewalls weren't designed to run in this environment. There is also the challenge of unpredictable Internet routing; if your physical datacenter is in the United States and it needs to connect to an AWS datacenter in Europe, substantial latency can be introduced.

Figure 71: There Is a Connectivity Trade-off in Datacenter to Cloud Connectivity

Source: Credit Suisse Research

Cybersecurity 42 5 September 2017

Multi-Cloud: Connecting One Cloud Datacenter to Another Enterprises engaged in a multi-cloud strategy are presented with the challenge of securely connecting different vendors to each other or datacenters hosted by the same vendor in different regions. You can think about multi-cloud as connecting two data centers from one cloud provider across regions or as connecting two datacenters hosted by separate cloud vendors. Neither is simple, the built-in management to the cloud instances isn't intuitive, cross-region VPC peering isn't supported, and the VPN mesh configuration is difficult. Even more complex is the true-multicloud environment, connecting cloud to cloud among multiple vendors. Here there are multiple policies to manage, fragmented point solutions from the native cloud tools, and a lack of consolidated visibility.

Figure 72: Connecting Cloud Data-Centers Figure 73: Connecting Different Cloud Vendors

Source: Cato Networks, Credit Suisse estimates. Source: Cato Networks, Credit Suisse estimates.

Connecting Branch Offices and Mobile Users to the Cloud Another challenge, particularly for multinational corporations, is securely enabling branch office connectivity. Trombone routing, in which the remote user, no matter their global location, needs to VPN into the corporate network to access the Internet through the organization's on-premise firewall. Naturally a solution enabling direct access is highly preferable, and an increasing number of vendors offer cloud-based services that act as an intermediary to enable secure connectivity with reduced latency for the user and fewer potential choke points in the security stack.

Cybersecurity 43 5 September 2017

Figure 74: Software SoundBytes regarding The Future of Security

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] The Future of Security

“Over the next 7-10 years traditional firewalls will cease to exist. If you can embed security around workloads you don't need a firewall, there will be no more refresh cycles.”

“AMZN offers you a free of charge virtual networking –firewalling is built into this network. Azure and Google also copied thesame concept.”

“The old world security model is to build castle, put guards on battlements, and dig moats. The New world security model is to place bodyguards around critical workloads. Then have the solution scale with workloads (add more bodyguards) and in the same way as body guards travel with the president, have security follow the workload across physical, virtual, cloud and container environments”

“All cloud providers offer security functionality - but it’s not ready for enterprise consumption.”

“We had a well-defined market in terms of endpoint, network and cloud, these now seem to be merging.”

“You need to spend about 10-15% of total cloud spend on security”

“Datacenters need to be segmented like a nuclear submarine. You need to be very careful to segment nuclear warheads, and ensure they are separated from your bedroom. Equally your toilet easily accessible from your bedroom, but not from your kitchen.”

Source: Credit Suisse Research.

The Last Transition in the Stack… Thinking about enterprise IT architecture simply in terms of storage/compute, applications, and perimeter, it's clear the traditional stack has been disrupted by AWS and other cloud vendors and that the large applications vendors have been somewhat displaced by SaaS offerings (Siebel to Salesforce). Without mincing words, it appears as if it’s the perimeter's turn next.

Cybersecurity 44 5 September 2017

Figure 75: Security Moving into the Edge of the Network

Hardware/Software - Capex Services/Cloud - Opex

Network Edge Network

Applications Store/Compute

Source: Cloudflare, Credit Suisse Research.

Cybersecurity 45 5 September 2017

Firewall—The Security Mainframe? We Do Not View the Network Security Market as Growth While our outlook for network security is less sanguine than the consensus view, we believe that, like the mainframe, it is a platform that has durability and will be around for years if not decades to come. We appreciate the analogy has its limitations, but the thrust of our argument is that firewalls are reliable workhorses and can be good businesses but are of declining relevance as they become supplanted by other techniques and technologies. Bottom line, we do not see the network security market en masse as a growth industry. This is much the way the mainframe has been around for decades, is largely mature yet very sticky, and today is a flat to declining business. There is cyclicality to both mainframes and firewalls (product cycles and refresh cycles), and today the mainframe is acknowledged to be a flat-to-declining business although with strong margins and customer lifetime value.

Figure 76: CA's Mainframe Business Has Been in Decline, but Operating Margins Remain Strong CA Mainframe Solutions Segment, quarterly

Expenses Operating Profit Operating Margin 700 100% 600 80% 500 400 60%

300 40% 200 20% 100 0 0% 2010 2011 2012 2013 2014 2015 2016 Source: CA, Credit Software Research.

To be clear, we are comparing the future of firewalls (inclusive of UTM, NGFW, etc.) to IBM’s System z mainframe business from the post dot.com era until today when it has seen compounded annualized mid-single-digit losses (adjusted for cyclicality). To be clear, we do not see this as the fate of firewalls in the near or even medium term but also appreciate the firewall has been in existence for about 25 years vs. the mainframe, which has been around for over 50 years.

Cybersecurity 46 5 September 2017

Figure 77: IBM z Systems Revenue Has Been in Decline for Two Decades

5,000 $4.4bn System z mainframe revenue 4,500 $4.1bn $3.9bn 4,000 $3.6bn $3.3bn 3,500 $3.9bn $3.6bn 3,000 $2.7bn $3.1bn $3.2bn $2.3bn 2,500 $2.9bn $2.9bn $2.3bn $2.6bn $2.5bn 2,000 $2.3bn $1.7bn

1,500 $1.8bn $1.6bn 1,000 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016

Source: IBM, Credit Suisse Hardware Research.

We further qualify our analogy to distinguish the firewall market from the mainframes of the early 1990s when the category faced intense competition from distributed client/server challengers and companies such as Compaq, Dell and, HPQ benefited greatly. While we don’t foresee a similar precipitous decline in mainframe, we acknowledge this as illustrative of what it can mean for being on the wrong side of a technology paradigm shift. Is the shift to public cloud comparable to the adoption of distributed computing in the early 1990s? It’s a fair debate with compelling arguments on both sides.

Figure 78: IBM z Systems Revenues in the 1990s Illustrate the Ferociousness of Being on the Wrong Side of a Paradigm Shift in the Technology Industry

14,000

12,000 IBM System z Revenues

10,000

8,000

6,000

4,000

2,000

0 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000

Source: IBM, Credit Suisse Research.

Rather than take a firm stand, we instead acknowledge that IBM still exists today, and while perhaps not a compelling investment in recent years, the company has stood the test of time and has diversified very well away from the mainframe since the early 90s. Many decades ago, the mainframe market was served by IBM and the seven dwarfs, which included names such as Burroughs, Amdahl, and Honeywell. The only one left standing is IBM, and while the revenue line for the mainframe might appear frightening, the overall company diversified to drive growth, pretax income, and shareholder value quite nicely from 1990 to 2015. The point being is that we expect companies such as Check Point, Palo Alto, and Fortinet to evolve beyond what currently represents a very high concentration of revenue for each. In fact they are all already moving in that direction, but in our view, perhaps not quickly enough.

Cybersecurity 47 5 September 2017

Figure 79: IBM Has Not Been an Attractive Investment Relative Technology as a Whole Figure 80: IBM Relative to the S&P 500 IT IBM = absolute, S&P = rebased to IBM at 01/01/1990 in millions, unless otherwise stated

140 IBM relative S&P 500 Information IBM S&P 500 Information Technology S&P 500 Technology 400 120 350 100 300

250 80

200 60 150 40 100 20 50

0 0 1990 1993 1996 1999 2002 2005 2008 2011 2014 2017 1990 1993 1996 1999 2002 2005 2008 2011 2014 2017 Source: Thomson Reuters Datastream, Credit Suisse Research. Source: Thomson Reuters Datastream, Credit Suisse Research.

Cybersecurity 48 5 September 2017

Sector Thesis Other NGFW Tailwinds to Slow In addition to the overarching architectural challenges we believe face the firewall industry as the world transitions to cloud, we consider five further meaningful headwinds to the category:

Figure 81: Juniper Has Little Share Left to Donate Figure 82: Cisco Is Growing Security Rapidly 4Q rolling sum as share of total UTM and Firewall market Cisco Firewall & UTM y/y, quarterly, %

80% 60%

Figure 83: Virtualizing Firewall Disaggregates the Figure 84: Consuming firewall either by subscription Combined Hardware/Software Model or on-demand reduces excess capacity Traditional revenue model (not to scale, for illustrative purposes only) Conceptual traffic patterns and savings, for illustrative purposes only

Maintenance/support Subscription Saved in Subscription pricing model

front Saved in cloud virtual pricing model

Up product costproduct

Hardware portion of product Year 1 2 3 4 5 Jan Jan Mar Apr Source: Credit Suisse Research Source: Credit Suisse Research

Cybersecurity 49 5 September 2017

Figure 85: Many Point Solutions Have Already Been Figure 86: UTM/NGFW already Accounts for in Consolidated onto NGFW Excess of 50% of the Security Appliance Market Size of bubble represents size of TAM (not to scale, for illustrative Security appliance market share by revenues purposes only)

Firewall Number of features consolidated 18% Core Firewall Unified Threat & VPN Management Core & WAF (includes Next & IDP IPS 12% Generation Firewall 52% Core & VPN & AV Firewall) Firewall & WAF & DLP Core & VPN & IDP Firewall & WAF 16% Core & VPN Firewall Content Management Time VPN Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Figure 87: Around 75% of browsing time is spent on Figure 88: The Majority of Traffic Occurs Within the SSL encrypted sites on Chrome Same Datacenter and Doesn't Require Encryption Chrome browsing patterns Traffic distribution

Percentage of pages loaded Data center to user 90% 83% over HTTPS in Chrome 81% 78% 80% 75% Time spent browsing SSL 73% 14% encrypted sites on Chrome 70% Data center to data 70% center 74% 71% 70% 9% 68% 60% 66% 60% 50% 57% 57% 54% 77% 40% 45% 46% Within data center 30% Mar '15 Jul '15 Nov '15 Mar '16 Jul '16 Nov '16 Mar '17 Jul '17 Source: Google, Credit Suisse estimates. Source: Cisco VNI, Credit Suisse estimates.

Cybersecurity 50 5 September 2017

Figure 89: Enterprise Security Spend Shifting Figure 90: EDR Market Forecast to Grow ~17x the Rapidly to Detection & Response EPP Market % of Enterprise IT Security Budget Dedicated to Detection & Endpoint Detection and Response (EDR) market vs Endpoint Response Protection Market (EPP)

70% 6,000 2013-2020 CAGR = 29.2% 60% 60% 5,000 50% 1,540 EDR 50% 1,236 4,000 993 39% 238 797 40% 640 30% 3,000 30% 23% 2,000 18% 3,509 3,600 EPP 20% 13% 3,166 3,249 3,333 3,420 10% 1,000 10%

0% 0 2013 2014 2015 2016 2017 2018 2019 2020 2015 2016 2017 2018 2019 2020 Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research. Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research.

Cybersecurity 51 5 September 2017

Competition to Reaccelerate Cisco Is Getting Its Act Together, and Juniper Has No Share Left to Give When thinking about competition in the firewall space, five key players hold the largest revenue share of combined Firewall and Unified Threat Management (our preferred method of considering the market). Check Point, Cisco, Palo Alto Networks, Fortinet, and Juniper together share approximately two-thirds of the market and are also (with the exception of Juniper) considered highly in Gartner's Enterprise Network Firewall Magic Quadrant.

Figure 91: CHKP, CSCO, PANW, FTNT, and JNPR Figure 92: … and Occupy Prime Positions in Share Around Two-Thirds of the Market… Gartner's Enterprise Network Firewall Firewall and UTM Revenue by Vendor 2015 Red arrows indicate directional 2y momentum

Check Point Other

18% 22% Leadsec 2% WatchGuard Worldwide Firewall 2% and UTM Revenue 16% Cisco Huawei $7.6bn 2% 4% Dell 4% 5% Sophos 14% 11% Juniper Palo Alto Networks

Fortinet

Source: IDC, Credit Suisse estimates. Source: Gartner, Credit Suisse Research.

Cisco and Juniper have ceded share to the market over the past several years. This trend has been a clear tailwind for FTNT and PANW, which have benefited from easy competitive wins upon refresh against uncompetitive product offerings. While Check Point's market share has remained remarkably stable through this period, industry commentary suggests it has likely lost some of its installed base to PANW, which seems to have been made up for by winning old JNPR and CSCO business. Using the annual position on Gartner's magic quadrant as a proxy for product quality momentum, it seems market share trends have been driven, at least to some extent, by product differentiation. From first inclusion in the magic quadrant as a visionary in 2010, PANW has seen significant upward momentum, leading the quadrant on completeness of vision each year to 2015 (when it was overtaken by CHKP). Interestingly, there has been some downward momentum, notably from 2016 to 2017. Through the same time period, JNPR has slipped from best to worst among the five, and CSCO suffered significant negative momentum before ticking up this year (in-line with our thesis). FTNT has seen positive momentum to be recognized as a leader this year, and CHKP is the only vendor to have maintained a leadership position each year since the Magic Quadrant was first introduced over a decade ago in 2006.

Cybersecurity 52 5 September 2017

Figure 93: Of the Major Players, Cisco and Juniper Have Been Share Donors to Check Point, Fortinet, and Most Noticeably Palo Alto Networks 4Q rolling sum as share of total UTM and Firewall market

80%

70% Others

60% Fortinet

50% Check Point 40% Cisco 30% Palo Alto 20%

10% Juniper 0% 2002 2004 2006 2008 2010 2012 2014 2016

Source: IDC, Credit Suisse Research.

Figure 94: Product Quality Has Tracked Share Figure 95: CHKP Is the Only Vendor to Have Transitions, with PANW Gaining MQ Momentum as Maintained a Leadership Position, While FTNT Has JNPR and CSCO's Dwindled Enjoyed Increasing MQ Momentum Estimated based on 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Estimated based on 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Magic Quadrants Magic Quadrants

Cisco Check Point Juniper Palo Alto Fortinet

Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research

Cybersecurity 53 5 September 2017

We think this tailwind for PANW, FTNT and CHKP is set to significantly slow for the following key reasons: (1) Juniper has no NetScreen share left to give, and its SRX line is now competitive; (2) Cisco is getting its act together in its security portfolio; and (3) we think the market is at product parity, meaning pricing may have to come down.

(1) Juniper Has No NetScreen Share Left to Give, and SRX Is Competitive Juniper bought NetScreen for $4bn in stock in 2004. Founded by Ken Xie in 1996, NetScreen was the original (and then only) vendor of high throughput ASIC-based appliances. Mr. Xie left the company in 2000 to found ASIC-based competitor Fortinet. Under the stewardship of Juniper, underinvestment in R&D and lack of strategic direction resulted in multiple quarters of revenue declines in a growing industry, resulting in substantial market share loss.

Figure 96: Juniper's Security Business Has Figure 97: … and If We Look at Cumulative Share, It Declined over 50% from Its Peak in Revenue Terms Appears There Is Little Left for Juniper to Donate Revenue, 4Q rolling sum, $m Cumulative share, 4Q rolling sum, %

VPN UTM IDP Firewall VPN UTM IDP Firewall 800 50%

700 40% 600

500 30% 400

300 20%

200 10% 100

0 0% 2002 2004 2006 2008 2010 2012 2014 2016 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

NetScreen specifically has seen precipitous declines; after reaching a peak share of 7% market in late 2008, Netscreen now accounts for only 0.07% of combined Firewall and UTM sales.

Figure 98: Netscreen Revenue Has Fallen Figure 99: … Driven by Sustained Periods of -50% Precipitously from Its 2010 Peak… Growth, Reflecting the Refresh Dynamic Revenue, 4Q rolling sum, $m Quarterly revenue growth, y/y, %

200 140% Netscreen 180 Netscreen 120% 160 100% 140 80% 120 60% 100 40% 80 20% 60 0% -20% 40 -40% 20 -60% 0 2004 2006 2008 2010 2012 2014 2016 2004 2006 2008 2010 2012 2014 2016 Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

Cybersecurity 54 5 September 2017

Periods of very significant decline in 2010 and 2013-14 are reflective of how the refresh dynamic can present an opportunity for competitors, in this case Fortinet and Palo Alto Networks, to take share during the cycle. As evidenced below, the NetScreen brownfield opportunity is now much reduced. Gartner suggests that, despite serving incumbent Juniper infrastructure customers well, SRX is displaced more often than it enjoys competitive wins (Enterprise Network Firewall Magic Quadrant 2017). While this suggests SRX is uncompetitive, we don't expect Juniper to remain a material share donor via SRX in the coming refresh cycle for three reasons:

■ SDSN Message: Juniper's evolving message of Software-Defined Secure Threat Protection, which aims to integrate security into the network, resonates with us given our view of shifting sands in best-practice security architecture.

■ Network Clients Are Sticky: Despite a perception that Juniper lags competitors in innovation and new feature releases, the synergy for some enterprises between network and security integration should result in some stickiness.

■ Commitment to Security: We think that Juniper appears to be following a Cisco- esque path in its messaging around the security business. Mather Hurley, VP of Global Channels, said recently 'Juniper is completely committed to the security business. We are open to competing again with the industry vendors. We take pride in Juniper's innovations across networking and security solutions over the years. We have relaunched a brand new roadmap in the security space, from low end firewalls that goes right up the stack.' (CSO India, see here.)

Figure 100: Juniper's SDSN Ecosystem

Source: Juniper Networks.

Cybersecurity 55 5 September 2017

(2) Cisco Is Getting Its Act Together in Security Security has been a focal point within Cisco's strategy for the past several years, and we believe its investments are starting to yield meaningful results.

How Has Cisco Changed Direction in Its Security Business? David Goeckeler (SVP, GM Networking & Security) said in late February 2017 that he was charged around five years ago (early 2012) with taking a look at the security business, as Cisco wanted to 'invest more in this space. [Understand] what's the architecture going to be? … [and] build out a best-of-breed portfolio.' Perhaps following Mr. Goeckler's review, it was widely reported in December 2012 that John Chambers (then CEO) had given Chris Young (then head of security) a blank check to turn around the security business. This check was written in mid-2013 when Cisco paid $2.7bn in cash to purchase Sourcefire (a premium of c30% to the pre-announcement closing price).

Figure 101: Sourcefire Revenue by Product Brand Pre-Acquisition SourceFire revenue by product brand, 4Q rolling sum, $m

200 Sourcefire 3D Sensor RNA 3D8000 Series 3D7000 Series IPSx

160

120

0 2002 2003 2004 2005 2006 2007 2008 2009 2010

Source: IDC, Credit Suisse Research.

Following this integration, Cisco has focused heavily on a re-alignment of its security strategy. Messaging and product offerings alike have increasingly focused on moving security beyond the firewall and questioning the notion of perimeter-based security in a cloud-first world with a dissolving network edge. Cisco has positioned itself as the natural security vendor in this world of expanding attack surface area; by virtue of seeing the network, Cisco arguably has an enhanced ability to capture holistic information, therefore better understanding where threats exist and pushing targeted policy to address them back into the infrastructure. "the network's never been more relevant. I talked about how they're building up their infrastructure, very distributed in ways. We're managing hundreds of thousands of devices today, and they have to be ready to manage a million or more by 2020. And I think that, that is why this automation and analytics capability in the security built into the network is so important. The third is we continue to have our customers looking for us to help them really build out the secure intelligent platform that spans across this multi-cloud environment for their digital business. And I think that our security results, all the number of new customers embracing the technology, I think, is indicative of how they're buying in this new architecture.” – Chuck Robbins, CEO, 16th August 2017

Cybersecurity 56 5 September 2017

An analysis of CSCO's evolving acquisition strategy gives credence to our view that the security segment is viewed as strategically significant and that product has pivoted away from the perimeter toward the cloud.

■ Strategic Significance: Cisco's acquisition history shows cumulative total disclosed expenditure of $6.8bn across 20 deals in the security segment since 1995. Roughly 80% of the disclosed dollar activity and 43% of the deal activity have been in what we call the blank check era, speaking to the strategic significance of the segment.

■ Pivot Toward the Cloud: The most recent acquisitions of CASB CloudLock, OpenDNS with its suite of cloud security products, Lancope with its Stealthwatch network visibility and enforcement capabilities, and most recently security analytics firm Observable Networks underline the shifting focus toward Cloud Security at Cisco.

Figure 102: Cisco Has Acquired Heavily in the Cyber Security Space, Especially During What We Call the Blank Check Era

Date Name Business Cost ($) 27 Oct 1995 Network Translation Firewall $30 24 Jun 1997 Global Internet Software Group Firewall $40 18 Feb 1998 WheelGroup Intrusion detection $124 12 Mar 2004 Twingo SSL & VPN $5 22 Mar 2004 Riverhead Networks Distributed denial of service $39 21 Oct 2004 Perfigo Network endpoint security $74 20 Dec 2004 Protego Networks Network security $65 27 Feb 2005 Netsift Network security $30 26 May 2005 FineGround Networks Enterprise web security $70 29 Nov 2005 Intellishield Security reporting - 14 Jun 2005 M.I. Secure Corporation VPN $13 06 Jul 2006 Meetinghouse Network access control $44 04 Jan 2007 IronPort Email and web security gateway $830 27 Oct 2009 ScanSafe Malware analysis $183 05 Jan 2010 Rohati Systems Datacenter security - 16 Jul 2012 Virtuata Software security - 20 Nov 2012 Meraki Cloud-based security $1,200 29 Jan 2013 Cognitive security AI for threat detection - 07 Jul 2013 Sourcefire Network security and intrusion detection $2,700 21 May 2014 ThreatGRID Malware analysis - 10 Dec 2014 Neohapsis Security consulting - 13 Apr 2015 Embrane Firewall, VPN, SSL, LB - 30 May 2015 OpenDNS Cloud-delivered enterprise security service $635 30 Sep 2015 Portcullis Enterprise and government security - 15 Oct 2015 Pawaa Integrated file encryption - 27 Oct 2015 Lancope Threat detection and response $453 28 Jun 2016 CloudLock Cloud-Security Provider $293 17 Jul 2017 Observable Networks Network Behavior Monitoring - Total disclosed $6,827 'Blank Check' era total disclosed $5,281

Source: Crunchbase, Credit Suisse Research.

The increasing depth of Cisco's security offerings is a key part of the strategic roadmap, and we also believe a tax reform scenario could see major balance sheet unleashed. In a repatriation environment (assuming 10% repatriation tax) and allowing for tuck-in M&A and an incremental buyback, as much as $10-20bn may be available for transformative M&A.

Cybersecurity 57 5 September 2017

Figure 103: Cisco Has Among the Figure 104: …and Offshore Cash as a Highest Absolute Levels of Offshore Percent of Market Cap Is Among the Cash… Highest Too 250 40% 200 30% 150

100 20%

50 10%

0 0%

IBM

HPE

HPQ

INTC

AAPL

NTAP

MSFT

ORCL

AMZN

CSCO

QCOM

QCOM GOOGL GOOGL Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse Research.

Cisco Firewall Offering Specifically in Firewall, Cisco now has three key product lines: the Cisco Firepower NGFW that includes all new releases, the older ASA (Adaptive Security Appliance), and the Meraki range for SMBs. In sum, these appliances account for around two-thirds (c.$1.2bn LTM revenue) of Cisco's security revenue on IDC data.

Figure 105: Firewall and UTM Appliance Sales Stood Figure 106: Firewall and UTM Constitute 65% of at $320m Last Quarter, a c.$1.3bn Run Rate Cisco's Security Business's Revenues Cisco Firewall & UTM quarterly revenues Cisco revenue, 4Q rolling sum, $m

350 2,000

1,800 300 1,600 VPN IDP 250 1,400

1,200 200 1,000 150 800

100 600 UTM

400 50 Firewall 200

0 0 2002 2004 2006 2008 2010 2012 2014 2016 2002 2004 2006 2008 2010 2012 2014 2016

Source: IDC, Credit Suisse Research. Source: Company data, Credit Suisse estimates.

We also see Cisco expanding its offerings and moving toward software and cloud-based solutions, as it continues to do tuck-in acquisitions in the space (such as the recently completed acquisition of Observable Networks).

Investment on the Brink of Payback We think there are multiple signs to suggest that Cisco's five-year investment in its security business is on the cusp of paying dividends.

■ Better Product: Cisco has enjoyed excellent momentum toward the leader's quadrant on Gartner's Enterprise Network Firewall magic quadrant over the past five years. We think this reflects genuine product improvement and note other corroborative data points; for example, Cisco stated it has successfully reduced time to detection from 46 hours two years ago to 8.5 this year. We think this measure of how long does it take to find a threat actor who got past all other defenses is increasingly important in the context of mandated reporting periods enforced by regulation such as GDPR.

Cybersecurity 58 5 September 2017

Figure 107: Cisco Has Seen Momentum Toward the Leaders Quadrant

Source: Gartner, Credit Suisse Research.

■ Growth & Share Gain: Cisco has achieved two quarters of >20% growth. This growth has been sufficiently in excess of the market that Cisco has regained 3.2p.p. of market share relative to 1Q16. Over the past 15 years, we have observed only four instances in which Cisco has grown its security offerings at this pace, with the last time being over five years ago in 2012.

■ Channel Momentum: Our field conversations corroborate that Cisco's product offerings are increasingly successful in competitive situations. In addition, Gartner sees Cisco firewalls on an increasing number of shortlists, and sees continued momentum for the Cisco Security Enterprise License Agreement (ELA). While a security or collaboration ELA has been traditionally offered, consolidating these silos (security, network infrastructure, computing and storage, and collaboration and video conferencing) in a single ELA was first introduced in May 2017.

Cybersecurity 59 5 September 2017

Figure 108: Cisco Has Achieved Two Quarters of Figure 109: … This Above-Market Growth Has >20% Growth in Its Firewall and UTM Segments… Resulted in a Tick-up in UTM/Firewall Market Share Cisco Firewall & UTM y/y, quarterly, % Cisco market share, Firewall and UTM, %

60% 30%

40% 25% 23% 1Q17 growth saw market 20% share tick up to 20% 2015 levels

15% -20%

-40% 10% 2007 2009 2011 2013 2015 2017 2007 2009 2011 2013 2015 2017

Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

Ultimately, we think that Cisco's five-year investment in its security product suite is likely to be a driver of increased competition in the network security market for the foreseeable future. This view appears to be shared (and relished) by management at Cisco; David Ulevitch (SVP/GM of Cisco's Security Business, previously CEO of OpenDNS) has remarked on the record that he views the refresh cycle referenced by Fortinet and Palo Alto Networks as a clear opportunity for Cisco: '…We think that their [PANW’s] refresh, which is their first refresh at scale that they've ever gone through, is our refresh opportunity. And so, we're focused on making sure that our partners and our channel are really able to understand exactly the benefits of the Cisco's architectural advantage and that where our product portfolio is to be as extraordinarily competitive as possible. They are squarely in our crosshairs.' - David Ulevitch, 06/06/2017

Cybersecurity 60 5 September 2017

Figure 110: Software SoundBytes Regarding Cisco

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Cisco competition

“We recommend Cisco more than CHKP. They have done a great job with their acquisitions.”

“Palo Alto are facing their first major product refresh now, and it is an opportunity for Cisco as well”

“Cisco gave a 58% discount and 2 years of free SmartNet on a deal worth over 20m dollars”

“We are selling umbrella, and we are selling SourceFire. But we are doing it not at CHKPs expense, we haven’t replaced a CHKP. However we have replaced Palo and Fortinet.”

“In my opinion a lot of people don’t realize how comprehensive Cisco’s cyber security offering is—they have threat intelligence, firewall, etc. Cisco recently also announced integration on almost all of their cyber products together. They can bring in solutions for switching, routing right through to cyber security. Because it’s Cisco, they can bundle it all together.”

“We think of Check Point as number one, although we have a bigger base in Cisco, we don’t care for its products – they don’t stack up well to Check Point and Palo Alto, but they remain kind-of-the-turf, and its their datacenter at the end of the day. Overall we would rank Check Point first, followed by Palo Alto, then Cisco and Fortinet last.”

“We never used to have Cisco as part of a true security strategy, now we do and are waiting to see this play out. I think there will be some serious showdowns between Cisco and Vmware, with VMware partnering up with Palo Alto. We are seeing it in enterprise accounts, there is a competitive bake off. Lots of companies want to do network segmentation and use SDN to do that, and then it becomes a security play.”

“Cisco are self-aware on the health of their core business, and think about Security as a big driver of all of it. At a high level they expect security to be increasingly outsourced, and solved as a managed service over time, coupled with cyber insurance”

“Acquisition of SourceFire and open DNS has really changed things. Open DNS has been more impactful than probably anything else, it is a very hot topic of conversation, they call it an umbrella now. They also claim that nobody else can do this, I personally don’t believe that, there is rarely a product that nobody else can imitate. Our Cisco security business has grown substantially.”

Source: Credit Suisse research.

(3) Product Parity Is Upon Us; Does Price Competition Come Next? The firewall market is saturated and thus driven by refresh cycles of roughly five years. This results in linear, as opposed to lumpy, share transitions. We think of the last refresh cycle as characterized by remarkable share gains from innovators, most notably Palo Alto Networks. This was very much a result of product differentiation, Palo Alto Network's highly innovative granular application control in particular enabling a successful land-and- expand market approach. Since then, the product offerings of most major vendors have, in our view, converged. Our field conversations and broader research suggest that Fortinet and Check Point have caught up with, if not over-taken, Palo Alto.

Cybersecurity 61 5 September 2017

NSS Labs corroborates our view, and Gartner now believes that, 'in effect, all vendors in the enterprise firewall market have ... next-generation firewalls (NGFWs); in essence, there is no longer a next-generation in the firewall market' (Enterprise Network Firewall Magic Quadrant 2017, Gartner).

Figure 111: NSS Labs Next-Generation Firewall Security Value Map

Source: NSS Labs. In terms of consolidated feature capabilities, there is also parity among the major vendors.

Figure 112: In Terms of Consolidated Features, There Appears to Be Parity Among the Major Vendors Feature Product FW VPN IPS AV WF App Email DLP Checkpoint a a a a a a a a Cisco a a a a a a a a Fortinet a a a a a a a a Juniper a a a a a a a ✕ Palo Alto a a a a a a ✕ a Sonicwall a a a a a a a a Watchguard a a a a a a a a

Source: Anitian, Credit Suisse Research.

We agree with David Goeckeler (Cisco SVP/GM Networking and Security) that IT security is going to always remain a market driven by innovation due to the active nature of the adversary. However, we struggle to imagine the next generation of security innovation to be firewall, or even appliance focused. Should competition continue to increase, and product parity endure, the natural conclusion is increased potential for commoditization and price pressure.

Cybersecurity 62 5 September 2017

Figure 113: Software SoundBytes Regarding Product Parity

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Product Parity

“It used to be that 'my tools are better than yours' and this would drive the competitive process, now the product is commoditized and so we are reaching a place where vendors will compete on price rather than product.”

“It’s all getting commoditized, now it’s all about SLAs… I don't care whose labels are at my perimeter”

“There is undoubtedly less product differentiation… The key differentiation is on the platform side”

Source: Credit Suisse Research.

Cybersecurity 63 5 September 2017

Cloud Transition Transitionary Challenges Await Incumbents in a Successful Adaption Scenario Even if we imagine the incumbent vendors strategically align themselves successfully with what, in our view, represents the future of security infrastructure, we still expect them to face transitionary challenges.

■ Top Line: Firstly, and perhaps most obviously, we don't think investors are prepared for the large firewall names to face the revenue headwind inherent in a transition to cloud.

■ Pricing: Secondly, and less obviously, we don't believe the market to be fully cognizant of the deflationary pressures we expect cloud to exert on firewall. We believe this to primarily result from this being one of the few examples of a cloud transition that disaggregates (rather than aggregates) adjacencies.

Contextualizing a Traditional Cloud Transition ■ Short-Term Revenue Headwind Due to ACV Decline: The transition from a license/maintenance business model to subscription cloud model is well known to result in a short-term revenue headwind. This is a result of selling new customers, and transitioning renewing customers, onto subscription contracts that tend to have a lower annual contract value (ACV) but a greater customer lifetime value (CLTV). It is argued there is value for shareholders who look through the near-term top-line pressure to enhanced CLTV. Oracle's comments around its most recent quarter highlight this: 'Total cloud revenues totaled $4.7 billion, growing 68%. On-premise software declined 1% to $25.6 billion as the 3% growth rate in software support was offset by cloud-related declines in new software license, which were down 11%... Over the full year of FY '18, I expect continued high growth in cloud revenues, with cloud revenues materially surpassing new software license revenues.' – Safra Catz, Oracle 4Q17 Earnings Call, 6/21/2017

Figure 114: Adobe's Guide to Its Cloud Transition’s Figure 115: … and the Actual Results as Reported Near-Term Revenue Headwind in 2013… Showing Successful Execution Adobe 2013 Analyst Day Creative Product Family Revenue guide Adobe reported Creative Product Family Revenue Guide

$3.2bn ~$2bn ADBE share price $2.3bn $2.3bn $103

$1.9bn $1.8bn

Revenue Subscription

$28

Perpetual Revenue FY12A FY13A FY14A FY15A FY16A FY12A FY13E FY14E FY15E FY16E Source: Adobe, Credit Suisse Research. Source: Adobe, Credit Suisse Research.

Cybersecurity 64 5 September 2017

■ Consolidating Adjacencies Results in Greater CLTV: Cloud transitions tend to consolidate adjacencies. Taking Oracle Database as a Service (DBaaS) as an example, traditionally the enterprise would have bought a database license to host the software on its own infrastructure; purchasing DBaaS shifts the responsibility for hardware, power, cooling, maintenance, etc. to the vendor, therefore consolidating the various total cost elements. From a price perspective, this drives the greater CLTV that delivers value to the customer and ultimately shareholder. '…When a customer who's on-prem paying us support moves to the cloud, they pay us more money. They don't pay us 1:1, they don't pay us 2:1, they pay us more like 3:1. In some cases, more than 3:1. In some cases, we also get the attach of platform … and that is not included in the 3:1 that I'm giving you.' – Mark Hurd, Oracle 4Q17 Earnings Call, 6/21/2017

Why We Are Concerned That Firewall Might Not Be as Successful… We think that the key value component for investors in a cloud transition strategy is the ability to look through the near-term revenue headwind toward the potential for CLTV enhancement and revenue visibility implicit in subscription. The CLTV enhancement itself results from adjacency consolidation and TAM expansion. We (1) struggle to believe investors are yet fully prepared to look through a short-term transitionary revenue headwind for incumbent firewall vendors, and (2) struggle further to be convinced that this transition would be accretive to CLTV rather than deflationary.

The Market Is Underprepared for Any Revenue Headwind Previous successful cloud transitions have relied on clear messaging from management to the investment community. As yet, we have seen no signs of this; instead, management at Check Point, Palo Alto Networks, and Fortinet continue to communicate that the market should expect cloud to be incremental rather than cannibalistic.

Check Point Comments Around Its vSec Virtual Edition Credit Suisse Interpretation of CHKP Messaging: (1) Cloud is incremental in most cases; (2) there will always be a physical network and therefore demand for appliances; and (3) cloud means more traffic, meaning you need more aggregate throughput.

'… I haven't seen that the cloud is changing a lot of customers' behavior of their physical network. We still have physical network, we still need to secure them, sometimes they need to connect them to cloud, which means that they need some appliances or some devices to do the VPN through the cloud. The cloud in most cases, again not all of them, but in 99% of the cases is an extension and expansion for the existing network.' – Gil Shwed, CEO, 04/27/2017 'It's additive in most of the cases… So, just like you have if you had the 4,000 offices around the world, now you have 4,001. You need another gateway, right? It might not be physical one. It might be a virtual one. You still need to manage it.' – Tal Payne, CFO, 11/15/2016 'We see it as an incremental long-term and short-term.… once you start going up into the cloud, there's many different ways you can get your employees up to the cloud to use those applications. Sometimes it's going through a direct connect through your data center, so you still have to have a data center, or you're going to have to do SSL connections from your perimeter. And in that case, you're going to need bigger boxes because you're going to have more traffic, and that's not going to stop. So, besides that, and then having it in the cloud, everything that we come up with is incremental.' – Kip Meintzer, VP Investor Relations, 03/06/2017

Cybersecurity 65 5 September 2017

Palo Alto Comments Around Its VM-Series Product Credit Suisse Interpretation of PANW Messaging: (1) Cloud is additive, (2) customers want feature parity and consistency between virtual products and on-premise appliances, and (3) more workloads moving to the cloud mean more opportunities to sell virtual firewalls.

'… So far, and we think this will continue into the future. We've seen the cloud in general and then our VM-Series and other cloud aspects like Aperture be additive. So we think that's a lead provider for us and a growth provider for us for new use cases' – Mark McLaughlin 05/31/2017 …we view the cloud as additive to us. We are helping our customers work through architectural decisions that are both on-prem and cloud and we view this as positive. - Steffan Tomlinson, 12/07/2016 'We view moving workloads to the cloud as incremental for our business. The fact that companies want to have a consistent security policy to manage on-prem devices, plus their cloud workloads, accrues to our benefit. Because we have virtualized our firewall a number of years ago to have full feature and functionality of a next-generation firewall but in a virtual form factor.' – Steffan Tomlinson, 09/14/2016 'So when you think of a cloud, there is the going to and coming from the cloud infrastructure that we deliver, but also what goes on in that cloud itself. Now, this is typically big [iron]. That's a big machine that sits between the cloud and target. But in that cloud, you have thousands of little machines that have to be protected, which is a great opportunity for us to sell thousands of virtual firewalls, VM-Series firewalls, into those infrastructures.' – Rene Bonavanie 09/28/2016 '… our VM-Series [delivers] the traditional form factor of hardware in a software model for deployment in virtual either public, private, or hybrid models. And that's also a mid eight- figure business growing roughly the same rate as Traps. …If anyone could find an industry analyst who actually has sized that market, let me know. It is still very early stage and I think the industry itself is watching a slow evolution of adoption of cloud, but that will be an important contributor.' - Kelsey Turcotte, VP Investor Relations, 09/08/2016

Fortinet Comments Around Their Virtual Product Credit Suisse Interpretation of FTNT Messaging: (1) Virtual is the fastest growth segment at FTNT and will be the largest segment of revenues in three to four years, (2) hybrid model is the way forward, and (3) there is pressure on the product line from virtual product adoption.

'Definitely the cloud; starting to grow faster than real appliance' [in response to question about how physical vs virtual will unfold over the next three to four years] . – Ken Xie, Founder, Chairman of the Board & CEO, 02/02/2017 [That's more] incremental and also interesting, I also see -- I think we wrote a comment about almost maybe a year ago we move lot of data to the Cloud. You actually need to secure the access and also increase the bandwidth to -- for the -- whether encryption, whatever, to access the data there. At the same time, even the data in the Cloud, you also need to protect that, right? So, that's actually -- I believe, when some data application move to the Cloud, they actually need the most security. - Ken Xie, Fortinet Inc – CEO 2/28/2017

Cybersecurity 66 5 September 2017

'Our cloud and virtual business more than doubled year over year in the fourth quarter. Although this is from a small base, it continues to represent the fastest-growing segment of our total business… We are really trying to weight the money -- we're really to drive to higher customer lifetime value, and the way you do that is attribute more to the recurring higher profitability side of the business.' - Drew Del Matto, CFO, 02/02/2017 'Where we are seeing the most uptick really is what I would call the hybrid model and what we call that actually is BYOL, Bring Your Own License or Bring Your Own Device, and so someone, a customer is generally buying a device and they are installing it in someone else's cloud environment where they are managing it for them. Now, the other thing we're seeing, I mean we're actually seeing an uptick in the virtual licenses being downloaded, the metered models, the utility models. But the problem is, it's so small, right. [It's not] necessarily a bad thing because if that's going to grow, I think it really give us a kind of a nice path to growth without the risk of cratering the revenue line, the topline as you transition. Look, investors are worried about or people are often worried about is that it's going to be like Adobe going from perpetual to subscription and you get this cratering effect on the P&L and the topline and what we hope is that this thing just grows nice at a nice curve and a nice rate, we continue to take share and we kind of sail through the transition.' - Drew Del Mato – 9/07/2016 'There is a beneficial impact from the cloud. I think the non-beneficial impact could be something like Drew was saying is that it extends the sales cycles. As customers are planning their next-generation networks, perhaps shifting some to the cloud in the hybrid model, it does slow things down in the decision making process. But we feel from a competitive standpoint we are very well positioned.' - Michelle Spolver, Chief Communications Officer, 10/27/2016 'Yes. The thing I would add, too, to what Drew said, is that product revenue, you see an acceleration from most companies. And Drew talked about it being an overall opportunity. We definitely see that, probably more in the long term than the short term. But in Q3, for us, we had about 200 to 300 basis points of product revenue that moved into services, and that was primarily accounting for sales of virtual products through AWS and Azure. And so, that's something that, it's an incremental opportunity, but you get lower upfront product revenue. We are selling it in that fashion. It certainly -- it helps on the gross margin line, but it brings product revenue down a little bit.' - Michelle Spolver, Chief Communications Officer, 11/09/2016

Complacency Is Evident in the Numbers We illustrate potential unpreparedness via revenue revisions data. It is clear that when analysts expect a cloud transition (generally following management communication to market), they revise their forward revenue forecasts downwards. Naturally, we recognize the market can react positively despite downward top-line revisions, generally when investors applaud cloud transitions and look through the revenue headwind to enhanced CLTV. While we argue strongly below a firewall cloud transition disaggregates adjacencies, and is therefore unlikely to be CLTV accretive, we appreciate this as a risk to our thesis.

Cybersecurity 67 5 September 2017

Figure 116: Revenue Revisions Data Show Analysts Figure 117: … After Messaging About a Cloud Revised Down Their Top-Line Forecasts… Transition Began at ORCL and ADBE Oracle revenue revisions Adobe revenue revisions

48,000 Larry Ellison announced Oracle 11,000 Public Cloud in late 2011 10,000 19Y 46,000 9,000 Adobe announced their 44,000 cloud intentions in 18Y 8,000 November 2011 42,000 19Y 7,000 17Y 6,000 40,000 16Y 18Y 5,000 12Y 15Y 15Y 38,000 13Y 14Y 14Y 16Y 17Y 4,000 11Y 12Y 13Y 36,000 10Y 3,000

34,000 2,000 2010 2011 2012 2013 2014 2015 2016 2017 2007 2009 2011 2013 2015 2017 Source: Bloomberg, Credit Suisse Research. Source: Bloomberg, Credit Suisse Research.

Looking at revisions data for the incumbent firewall vendors, we believe the Street continues to model virtual firewall as entirely incremental in nature.

Figure 118: PANW, CHKP, and FTNT Have Not Experienced Material Sell-Side Downward Revisions to Forward Revenue Estimates

Palo Alto Networks, $m Fortinet, $m Check Point, $m

2,000 19Y 2,100 3,000 19Y 18Y 19Y 1,700 18Y 2,400 1,900 18Y 17Y 17Y 1,400 1,800 17Y 16Y 16Y 1,700 16Y 1,200 1,100 15Y 1,500 600 15Y 800 15Y 13Y 14Y 13Y 14Y 13Y 14Y 0 500 1,300 2012 2013 2014 2015 2016 2012 2013 2014 2015 2016 2012 2013 2014 2015 2016 2017 Source: Bloomberg, Credit Suisse Research.

Is a Messaging Shift Already Under Way? We have analyzed the messaging from Palo Alto Networks regarding its virtual business and wonder if there is a subtle messaging shift under way. In September 2016, Palo Alto Networks CFO Steffan Tomlinson described shifting workloads to cloud as unequivocally incremental for PANW. 'We view moving workloads to the cloud as incremental for our business. The fact that companies want to have a consistent security policy to manage on-prem devices, plus their cloud workloads, accrues to our benefit. Because we have virtualized our firewall a number of years ago to have full feature and functionality of a next-generation firewall but in a virtual form factor.' – Steffan Tomlinson, 09/14/2016

In December 2016, Mr. Tomlinson offered greater detail about the economics of cloud and accepted that different transitions result in different economics. However, the message remained consistent that cloud is additive and incremental.

Cybersecurity 68 5 September 2017

'Well, the operative engagement model that we're seeing today is really a hybrid one, where we're seeing a combination of on-prem and cloud. And by the way we define cloud as public cloud, private cloud and SaaS applications. Depending on how the customer actually goes to market with their cloud strategy will determine the outcome around the economics of the deal. As an example, in one flavor, you could have a customer who has a public cloud or private cloud infrastructure, but they're still routing their traffic back through their data center. In that case, they will be actually buying high-speed chassis from us, physical product-related revenue for us and they will be buying virtual firewalls from us for both the public and private cloud options. If they were just to go down the private or public cloud route, they'll be buying our virtual firewalls. And the economics are favorable in both areas. The unit economics are different because you have a physical firewall, which has a lot of hardware and throughput capability. The virtual firewall has less throughput capability, because it doesn't have the hardware component. But the cost per megabit within the same zip codes for both on-prem equipment and virtual firewall.' – Steffen Tomlinson, 12/07/2016

In June 2017, Mr. Tomlinson injected some measured caution around earlier statements that cloud is unequivocally incremental, suggesting the transition to cloud is a long game where the margin and revenue impacts remain to be seen. '…what we've seen is lots of companies are moving workloads to the cloud, but it's not moving everything to the cloud right now. We view the cloud as an incremental opportunity. It remains to be seen. This is a long game. It remains to be seen, the margin impacts, the revenue impacts, et cetera. But I can tell you right now, there's not a one-for-one correlation between one physical firewall and one virtual firewall because from the way that most firewalls are scoped out is it's based off of throughput. If you have a 20-gig firewall and you're buying one appliance, you're going to need to buy probably at least 20 if not more virtual firewalls, depending on the network setup that you have. And so there's going to be an evolution of what the revenue model looks like. But right now, we're not seeing any negative effect of public cloud. We're seeing it is an incremental benefit.' – Steffan Tomlinson, 06/06/2017

Having One's Cake and Eating It? We think there may be a level of cognitive dissonance among management of CHKP, PANW, and FTNT applauding growth in their respective virtual businesses and simultaneously messaging cloud is entirely additive. Especially in the context of Symantec's clarity in messaging around the economics of physical vs hybrid vs pure virtual/cloud, we struggle to understand how virtual firewall cannot be cannibalistic on some level.

Cybersecurity 69 5 September 2017

Figure 119: Symantec's Accepts That Virtual Appliances Are Not Necessarily Always Accretive to CLTV

Physical Appliance Hybrid Solution Virtual Appliance

Product/Support Product/Support & Subscription Subscription CLTV $1,480 CLTV $1,930 CLTV $1,645 $391 $269 $391 $380 $269 $391 $380 $269 $380 $269 $391 $380 $600 $640 $380 ~4 year breakeven

Year 1 Year 2 Year 3 Year 4 Year 5 Year 1 Year 2 Year 3 Year 4 Year 5 Year 1 Year 2 Year 3 Year 4 Year 5 * CLTV assumes an annual 5% discount factor

Source: Symantec, Credit Suisse Research.

Can Cloud Be Accretive to CLTV? As discussed above, we are concerned that the market is not cognizant of the potential revenue headwind in a cloud transition scenario. However, why should investors not just look through the short-term headwind to the greater CLTV opportunity that cloud security promises? We are concerned that a cloud transition is likely to be deflationary for pricing, regardless of consumption model. We are cognizant of multiple factors that we think may impact the ability of firewall vendors to maintain the tight control over pricing they have historically enjoyed.

Figure 120: Pricing for High-End Units Has Remained Within a Relatively Tight Band High end ASP, adjusted for inflation by US PPI from most recent quarter

100,000

80,000

60,000

40,000 High end ASP, inflation adjusted (US PPI)

20,000 Average, +/- 1stdev

0 2003 2005 2007 2009 2011 2013 2015 2017 Source: IDC, Credit Suisse Research.

Cybersecurity 70 5 September 2017

Consumption Models There are two main consumption models for virtualized firewall: (1) as a license to install in one's own private cloud, or (2) via AWS and other public cloud vendors on a metered basis. Of the below factors, we think that disaggregating adjacencies and the lowering of switching costs represent potential pricing headwinds for both consumption models, while the price transparency, deconsolidation, and capacity utilization arguments are more specific to metered models.

■ Disaggregation of Adjacencies: NGFW/UTM/Firewall moving from a physical to virtual form-factor actually disaggregates the value proposition of hardware with software attach. The value delivered via product purchase is currently triplicate, (1) the physical hardware itself, (2) the software platform that requires maintenance payments, and (3) attendant attach optionality paid for via subscription. Virtualizing product decomposes the product/support/attach model into software subscription excluding hardware (product) and associated maintenance. All else equal, the revenue (and profit to a lesser extent) opportunity should actually be lower for virtualized product by virtue of the removal of hardware components, assembly, and development. Put another way, why would the customer pay the same when they have to provide their own hardware? Therefore, assuming virtual is priced at parity (i.e., excluding the hardware component) on a discounted basis, and assuming no growth, there is a sustained haircut to the aggregate vendor revenue opportunity. This said, we recognize that the gross margin on the software component of product is substantially higher than the hardware piece.

Figure 121: A Portion of the List Price Represents the Cost of Hardware Traditional revenue model (not to scale, for illustrative purposes only) Maintenance/support

Subscription

front

Up product costproduct

Hardware portion of product Year 1 2 3 4 5

Source: Credit Suisse Research.

■ Switching Costs Lowered: The physicality of hardware lends it gravity (both literally and figuratively) in the IT infrastructure. It's expensive to rip and replace during the deployment life cycle (we think about the average refresh as five years), as your sunk costs greatly outweigh your variable costs. Virtualized firewall paid for on a subscription basis implies no irrecoverable costs and therefore would greatly reduce the economic imperative of delaying switching until the refresh. We recognize the residual switching cost of policy gravity, which is the migration of firewall policy from one vendor to another being challenging, but believe this to represent only a portion of aggregate switching costs.

Cybersecurity 71 5 September 2017

Figure 122: The Figurative Gravity of Hardware (with Figure 123: … Subscription Reduces the Economic Its Upfront Costs) Results in High Switching Costs… Imperative of Switching Upon the Refresh Traditional revenue model (not to scale, for illustrative purposes only) Cloud revenue model (not to scale, for illustrative purposes only)

Sunk Sunk costs = high switching costs No No sunk costs = lower switching costs cost Sunk Maintenance/support cost Subscription

Subscription

front product cost product front

- Up

Year 1 2 3 4 5 Year 1 2 3 4 5

Source: Credit Suisse Research. Source: Credit Suisse Research.

■ Price Transparency: While the above are pricing headwinds for virtual firewall sold under a subscription model, we expect there will be significant demand for metered pricing. The popularity of on-demand pricing is unlikely to pass by virtual firewall additions; indeed Fortinet, Palo Alto, and Check Point's virtual solutions can all already be consumed via public cloud vendors. Moving to a metered pricing model results in greatly enhanced price transparency; vendors can be compared more easily. We question whether this may expose an historically price-opaque and insensitive business model to the whimsy of dynamic pricing.

Cybersecurity 72 5 September 2017

Figure 124: Fortinet, Palo Alto, and Check Point All Have Virtual Offerings Available on a Metered Basis on the AWS Market Place

Source: AWS.

■ Capacity Utilization Is Deflationary: When the InfoSec team plans a firewall purchase, it is making capacity decisions to ensure performance not just during max- throughput occasions but also in the context of its forecast traffic growth during the intended life of the appliance. We think that virtualized pricing models, in addition to the ephemeral nature of workloads, will result in more efficient capacity utilization.

Cybersecurity 73 5 September 2017

Figure 125: Currently, Firewall Throughput Capacity Figure 126: Buying Firewall Either by Subscription Is Planned Such That the Network Will Remain or on a Metered Basis Will Reduce Excess Capacity Performant During High-Traffic Events Relative to the Hardware Pricing Model Conceptual, for illustrative purposes only Conceptual, for illustrative purposes only

Refresh cycle max traffic assumption Saved in Subscription pricing model Max historical traffic

Illustrative daily traffic patterns Saved in cloud virtual pricing model

Jan Jan Mar Apr Jan Jan Mar Apr Source: Credit Suisse Research. Source: Credit Suisse Research.

As we have attempted to illustrate in Figure 127, should a virtual firewall be consumed via subscription, on a per-hour basis, on a per-seat basis, or on a throughput basis, we expect it to be deflationary. This is because the delta between what you purchase and what you consume decreases as a function of the granularity of pricing paradigm.

Figure 127: Illustration of Capacity Saved Under Different Pricing Models Conceptual, for illustrative purposes only

Hardware pricing

Subscription pricing

Actual traffic Metered Max historical traffic pricing Refresh cycle max traffic assumption

Source: Credit Suisse Research.

■ Less Imperative to Consolidate: As we have referenced, consolidation has been a beneficial trend for firewall vendors. These companies have continued to add incremental controls and network security features onto their boxes and have done a great job expanding TAM and simplifying the solution set for customers. NGFW has been a consolidation story for the past several years and contributed to stock outperformance during that time.

Cybersecurity 74 5 September 2017

Figure 128: Underlining Firewall Stock Outperformance During the Period of Product Consolidation – the Aggregation Trade Rebased to 100 on PANWs first trading day

400

350 CHKP PANW FTNT 300

250

200

150

100

0 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Source: Thomson Reuters Datastream, Credit Suisse Research.

We posit the potential for a public cloud deployment and marketplace model to challenge what has been the norm for the past several years. With the ephemeral nature of cloud workloads, it might very well make sense for practitioners to more nimbly mix and match different control from different vendors, perhaps even to vary the use of such controls by workload instead of having more static one-size-fits-all solutions.

Cybersecurity 75 5 September 2017

Figure 129: Software SoundBytes Regarding Pricing of Security in the Cloud

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Pricing Security in the cloud

“If I look at the virtual firewall market it is not more than10% of the overall firewall market. 45% of that is public cloud related, so only 3.5% - 4% of the firewall market is in the public cloud today.”

“If its BYOL model, it works great but the marketplace has been trending towards hourly usage pricing models. Security guys have never done that and it’s challenging to achieve any predictability. That’s working against the virtual firewall market.”

“Our customers struggle with buying security on a utility model”

“From a reseller perspective, the pricing on physical vs victual is still unclear – and presence on AWS clearly alienates the channel – but does it mean that network security players can recoup the channel margin?”

“Security needs to be aligned with cloud consumption economics – pay as you go… People buy excess capacity to not deal with refresh cycles – this will go away.”

“Legacy vendors are not comfortable selling in a utility model; it goes counter to what the trend has been, even with virtual FW on the private side the security guys really struggle with how to do an on-demand security model. A lot of organizations are looking at security in cloud more holistically, shifting spend to other areas like identity and encryption.”

Source: Credit Suisse Research.

Cybersecurity 76 5 September 2017

TAM Expansion Is Limited Feature Consolidation Is Limited, and So Is the Share Consolidated Solutions Can Take A multi-year theme in the firewall space has been the consolidation of point solutions onto the firewall. We believe this has been a genuine response to the frustration of customers (of all sizes) with an ever growing plethora of disparate solutions, but it has also been a convenient revenue protection and enhancement strategy. We argue there is a limit to what can be consolidated, as well as a limit to the share consolidated products can enjoy in the marketplace. The Problem with Point Solutions (for the Customer) Separate Firewalls, intrusion detection/prevention (IDP) appliances, secure Web gateways (SWG), SSL VPNs, and advanced threat prevention (ATP) sewn together by a large IT services vendor are admittedly suitable for some very large sophisticated enterprises. However, given the expense (both upfront and ongoing; you need an extensive security team) and time to implement; this complexity limits broader demand for pastiche solutions. Instead, the majority of enterprises would prefer a single platform from which to identify, manage, and control security threats. Even if each constituent component is less strong than a best-in-class point product, a platform solution tends to deliver greater functionality via the integration inherent in consolidation, as well as better throughput and significant cost savings. Cisco's Marty Roesch (Vice President and Chief Architect of Cisco’s Security Business Group, previously founder and CTO of Sourcefire) talks about the complexity trap of point products. Each time a point product is added to one's security apparatus, the complexity increases exponentially, while the value generated increases only linearly. This implies that, at some point, the complexity of point solutions, even if they are best-of-breed, overwhelms their utility.

Figure 130: Increasing Use of Point Products Increases System Complexity 200 Value Complexity *

150

100

0 0 2 4 6 8 10 12 14 16 18 20

Source: Credit Suisse Research, * System complexity proxy is number of connections necessary between point products should each be connected with every other.

The Benefits of Feature Consolidation (for the Vendor) We believe there are three key vendor incentives to consolidate features onto a single appliance: (1) synthetic TAM expansion, (2) the opportunity to increase attached subscription and (3) enhanced unit gravity.

■ TAM Expansion: The more features consolidated onto a single box, the greater the market addressable by that product. We visualize this phenomenon in Figure 131 and see this as a top-line growth strategy in a saturated market.

Cybersecurity 77 5 September 2017

Figure 131: The More Point Solutions That Are Consolidated, the Greater the TAM for Firewall Vendors Becomes Size of bubble represents size of TAM (not to scale, for illustrative purposes only)

CASB? Number of features consolidated

Core Firewall & VPN Core & WF Firewall & IDP Core & VPN & AV Firewall & WF & DLP Core & VPN & IDP Firewall & WAF Core & VPN Firewall

Time

Source: Credit Suisse Research.

■ Tailwind for Attach: The more that can be consolidated onto a firewall, the more features that can be sold attached to the box. We view this as a revenue protection strategy in a saturated market. When the only incremental revenue opportunity is a competitive (or defended) win on the refresh, the consolidation of adjacent products offers an opportunity to both grow, and de-risk, the top line by the addition of sticky recurring subscription revenues.

Figure 132: If We Look at the Five-Year Thru-Cycle Attach Rate, We Can See the Financial Result of Feature Consolidation Annualized subscription and support/maintenance as a percentage of 5y trailing product revenue

50% CHKP FTNT PANW 48%

46%

44%

42%

40%

38%

36%

34%

32% 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Source: Company data, Credit Suisse estimates.

■ Greater Unit Gravity: The more attached to a single box, the heavier that appliance is. That is, the more the enterprise relies on it as a single-point solution, the stickier the appliance becomes. In addition, the more attaches per box, the more throughput consumed, and therefore the greater capacity demanded. This, we think, ultimately results in greater unit gravity, better price leverage, and heightened capacity demand.

Cybersecurity 78 5 September 2017

In summary, customers wish to take a platform approach to lower costs and increase efficacy and vendors to consolidate features as a revenue protection strategy. Given this incentive alignment between customers and vendors alike to rationalize their security infrastructure, the multi-year trend toward feature consolidation is unsurprising.

Figure 133: Looking at the Share of the Market by Product Type Shows the Trend Toward Consolidation Revenue by product as share of total market, %

100% Unified Threat Management/ Next Generation Firewall 80% VPN

60% Content Management

40% Intrusion Detection and Prevention

20%

Firewall 0% 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Source: IDC, Credit Suisse Research.

Consolidation Tailwind Unlikely to Sustain While feature consolidation has been a sustained tailwind for at least two refresh cycles, we believe the benefits accruing to vendors from platform strategies are likely to be less pronounced.

■ Ceiling for Consolidated Product Demand: Chief security officers are often concerned by the unsystematic risk inherent in a single-vendor platform approach. Security silos are vulnerable, and the generally accepted wisdom of defense in depth means that those with the budget and sophistication are likely to continue to demand the best-of-breed point products necessary for an integrated layered approach. In our view, this results in a demand ceiling for unified products (UTM/NGFW).

■ Significant Proportion of the Market Already Consolidated: Given c52% of the market is already comprised of UTM/NGFW (50% in the high end of the market), we think there is a limit to the second derivative rate of change in UTM share, especially in the context of our view around consolidated product demand ceiling.

■ Little Left to Consolidate: A push-back to the above is, of course, that innovation in the market itself grows new point products that can then be consolidated at a faster rate than we expect. While a legitimate risk to our thesis, we see the speed of consolidation of innovations such as CASB as reflecting what little is left to be consolidated. Barracuda acquired the Sookasa CASB, CHKP has partnered with multiple CASB providers (Firelayers, Avanan, and Microsoft), Cisco bought Cloudlock, and Fortinet has the FortiCASB. Given the nascent nature of the CASB market, we think the extent to which it has already been consolidated reflects the vendor appetite for new platform additions; deduction would therefore suggest there is little left to consolidate. Furthermore, akin to the law of large numbers, we note the simple mathematical argument that as additional features are consolidated into the NGFW, it becomes increasingly difficult to move the needle on existing TAM.

Cybersecurity 79 5 September 2017

Figure 134: UTM Accounts for in Excess of 50% of the Security Appliance Market

Firewall 19%

IPS 10% IPS Unified 12% Threat Management 52% IDS Content 1.3% Messaging Management Security 16% 5% VPN 2% Web Security 10%

WAM 0.4% SSL Hybrid VPN VPN Ipsec VPN 0.3% 2% 0.3%

Source: IDC, Credit Suisse Research.

Cybersecurity 80 5 September 2017

SSL Decryption Less of a Tailwind The argument made by many students of the firewall industry, not least Gartner, is that as more traffic is encrypted, firewall capacity will need to increase. The logic is that decrypting SSL traffic (so that it can be inspected) and then re-encrypting it is roughly 50% more computationally taxing than a simple inspection of unencrypted inbound and outbound traffic.

Figure 135: The Performance Loss Resulting from an Inspection of SSL Encrypted Traffic On-box Is Substantial

NSS Labs (512b Cipher) NGFW Performance loss by Vendor Forcepoint 3202 -54% Palo Alto 5020 -66% SourceFire 8250 -77% Check Point -87% Fortinet -93%

Source: NSS Labs, Credit Suisse Research.

Many NGFWs have the ability to pose as the recipient of the SSL session, decrypt and inspect the content of the packet, and then impersonate the sender by creating a new SSL session with the intended recipient.

Figure 136: The Decryption Process

Decrypted packet

Content Scanning

Decryption Re-encryption

User Firewall Appliance Server

HTTPS session HTTPS session

Encrypted Packet Encrypted Packet

Source: Fortinet, Credit Suisse Research.

In Gartner's words: 'The vendors in the firewall space will be challenged over time by the maturing of the cloud service providers' (CSPs') solutions. But in the near term, Gartner predicts that more firewalls will be deployed to deal with the growth of encrypted traffic, so this can be a source of near-term incremental demand for firewall vendors.' – Gartner Event Summary: Gartner Security & Risk Management Summit 2017, 13th July 2017

Cybersecurity 81 5 September 2017

Figure 137: SSL Encryption Has Grown Rapidly, but the Rate of Acceleration Is Forecast to Decrease

80% Ponemon data (enterprise deployment of encryption) 70% 75% 70% Letsencrypt.org data (percentage of web pages Loaded by Firefox Using HTTPS) 65% 59% NSS Labs 2019 forecast (interpolated) 60% 46% 50% 39% 34% 40% 30% 25% 27% 30% 20% 22% 23% 23% 16% 19% 20%

10%

0% 2005 2007 2009 2011 2013 2015 2017 2019

Source: Google, Credit Suisse estimates.

While the argument is not without apparent logic (SSL encrypted traffic is growing, and SSL encrypted traffic requires more processing power to inspect), we think there are three key reasons for this trend to be less of a tailwind than the market expects:

■ The Lion’s Share of Growth in Encrypted Traffic Has Already Occurred: As of February 2017, the EFF reported that more than half of all Internet traffic was protected by HTTPS. This data are corroborated by statistics from Google that suggest SSL encryption is in place on more than half of the pages loaded by desktop users and that the same users spend more than two-thirds of their time on HTTPS websites. When we look at data from Chrome (the most popular web browser), we find that as of September 2017, 83% of pages were loaded over HTTPS and 74% of time was spent browsing HTTPS websites. Ultimately, this suggests that the second derivative growth in encrypted traffic is likely to be less significant, and therefore less of a near-term tailwind, than industry analysts suggest and the market believes.

Figure 138: Chrome Is the Most Popular Web Figure 139: Nearly 80% of Time Is Spent Browsing Browser, with over 60% of Web Traffic SSL Encrypted Sites on Chrome

Percentage of pages loaded 90% 83% over HTTPS in Chrome 81% Chrome 62% 78% 75% 80% Time spent browsing SSL 73% encrypted sites on Chrome 70% Safari 14% 70% 74% 71% 70% 68% Internet Explorer 9% 60% 66% 60% 50% 57% 57% Firefox 8% 54% 40% 45% 46% Opera 3% 30% Mar '15 Jul '15 Nov '15 Mar '16 Jul '16 Nov '16 Mar '17 Jul '17 Source: w3counter.com, Credit Suisse Research. Source: Google, Credit Suisse Research.

■ Point Solutions Are Cheaper: While some argue the computational weight of traffic decryption must result in greater aggregate firewall throughput demand, others argue for a scale-out, rather than scale-up, model. Indeed our field work validates the cost and security efficacy of using NGFW alongside stand-alone decryption devices from vendors such as Gigamon or Symantec’s SSL Visibility Appliance (FKA Metronome acquired by Blue Coat).

Cybersecurity 82 5 September 2017

■ Trade-Down Effect Accounts for Some of This Step Increase: Should we hypothetically assume a higher volume of encrypted traffic as a material short-term driver of incremental physical firewall demand, some of this will likely be accounted for by the trade-down effect. That is, upon the refresh, it's common for new offerings at price parity with your retired boxes to have higher throughput capacity than the retired appliance. Therefore some customers will ‘trade down’ to cheaper boxes with equivalent throughput.

■ IP Traffic Volume Is Surging, but It Isn't Leaving the Datacenter: Traffic within the data center makes up ~75% of the data center traffic and usually between same-stack components (server, converged, storage, switching, and routing hardware). IP traffic volume is surging, but it isn’t all leaving the data center, therefore there is no need to encrypt all of it. In addition, when interconnection is in place to put a cross connect in place, let’s say Credit Suisse Low Latency trading and NYSE, that traffic is secured using one fiber optic cable with no other parties using the same sockets; so as long as there is mutual trust between both parties, the need to SSL encrypt is ameliorated.

Figure 140: 77% of All Traffic Occurs Within the Figure 141: … and This Is Forecast to Grow at a 23% Same Data-Center… CAGR Through 2020 Traffic distribution, 2016, % Traffic in Exabyte’s per year

Data center to 18,000 Data center to data center user 16,000 Data center to user 14,000 14% Within data center Data center to 12,000 data center 10,000 9% 8,000 6,000 11,770 10,016 4,000 8,391 77% 6,728 2,000 5,074 Within data center - 2016 2017E 2018E 2019E 2020E Source: Cisco, Credit Suisse Research. Source: Cisco, Credit Suisse Research.

Cybersecurity 83 5 September 2017

Shift from Prevention to Detection “Are you planning for resilience in the face of cyber-attack? I would counsel all large organisations to assume that they are being attacked, and that this will be both from the outside and inside. In fact, it may make no sense to distinguish between the two in the short-term future. Therefore, if you cannot keep all the attacks out you must assume that you need to plan to be resilient in the face of them existing.” – Dr. Sadie Creese, Director of the Global Cyber Security Capacity Centre at the Oxford Martin School and a member of the Coordinating Committee for the Cyber Security Oxford network Enterprise Investment Shifting from Prevention to Detection It is increasingly accepted by practitioners that information security isn’t capable of predicting or preventing targeted attacks, particularly in the context of an innovating attacker and a mercurial attack surface. In countering the increasing speed, sophistication, scale, and variety of attacks, we believe companies are more likely to invest in enhancing detection and response capabilities, as well as data origination and endpoint monitoring as opposed to prevention-centric security measures. Gartner estimates that 60% of enterprise security budgets will be allocated for detection and response by 2020, up from 10% in 2013, and that 80% of endpoint protection platforms will include user activity monitoring by 2018, up from less than 5% in 2013.

Figure 142: Enterprise Security Spend Shifting Rapidly to Dedication & Response % of Enterprise IT Security Budget Dedicated to Detection & Response

70% 2013-2020 CAGR = 29.2% 60% 60% 50% 50% 39% 40% 30% 30% 23% 18% 20% 13% 10% 10%

0% 2013 2014 2015 2016 2017 2018 2019 2020 Source: Gartner, Credit Suisse estimates.

Verizon notes in its 2016 Data Breach Investigation Report the average time taken to exfiltrate data is a matter of days, although a nontrivial 21.2% of reported cases occur in minutes. In addition, the vast majority of data, typically some form of credentials, is compromised within minutes, if not seconds.

Cybersecurity 84 5 September 2017

Figure 143: Time to Threat Discovery Is Improving, but Disparity Between Time to Compromise vs. Time to Discover Continues to Widen % of Breaches Compromised in “Days or Less” vs. Detection in “Days or Less” (Source: CS est, Verizon)

100% Time to Compromise Time to Discover

80%

60%

40%

20%

0% 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Source: Company data, Credit Suisse estimates.

Meanwhile, although an increasing number of breaches are discovered within days or less (albeit still <25% of cases), the proportion of incidences that takes days or less to compromise data is nearing 100% and is increasing at a relatively greater pace. In addition, according to a 2015 report by Mandiant, the average targeted malware compromise was present for 205 days before detection, and 69% of discoveries were made by external parties rather than by internal IT security divisions. With a need for rapid detection, the market for endpoint detection and response (EDR) in particular will likely see rapid growth. At present, EDR has roughly 40 million endpoints installed (less than 6% of the total PC and tablet install base). Gartner estimates that aggregate end-user spending on endpoint detection and response will grow from $238 million in 2015 to $1.5 billion in 2020 at a CAGR of 45.3%, markedly faster than the 2.6% CAGR forecast for the endpoint protection market as well as the 7.0% forecast for the overall IT security market.

Figure 144: Endpoint Detection & Response Market Will Likely See Growth ~17x Greater than Endpoint Protection Market EDR vs. EPP Revenue

6,000

5,000 1,540 EDR 1,236 4,000 993 238 640 797 3,000

2,000 3,600 EPP 3,166 3,249 3,333 3,420 3,509 1,000

0 2015 2016 2017 2018 2019 2020 Source: Gartner, Credit Suisse estimates.

In consideration of not only the magnitude and increasing sophistication of security threats that enterprises face, but also the ongoing systemic migration of enterprise network infrastructures to managed cloud services, we believe that allocation of enterprise security spending will continue to see an increasingly dramatic shift toward endpoint detection, monitoring, and diagnosis and away from prevention-based systems.

Cybersecurity 85 5 September 2017

Firewall Stocks Relative Exposure to Sector Headwinds Ratings Driven by Negative Category View Given our negative category view is a significant driver of our stock ratings, PANW (Underperform, TP:$125, 14% downside), FTNT (Underperform, TP:$33, 14% downside), CHKP (Neutral, TP:$110, 1% downside), we have attempted to contextualize the exposure to each headwind that results in heterogeneous risk. This analysis highlights the differentiated exposure to each risk factor. On an aggregated basis, we believe Check Point to be the best positioned, and Fortinet the worst, to deal with the sector headwinds we have discussed.

Figure 145: Relative Exposure to Sector Risks Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Architectural Shift to Cloud ◔ ◑ ◕ Cisco increasingly competitive ○ ◕ ◑ Juniper has little share left to give ○ ● ◔ Cloud transitionary headwinds ◔ ◑ ◑ TAM expansion ◑ ◑ ● Competition in the mid market ◑ ○ ● Carrier Exposure ◔ ◑ ● Total ◔ ◑ ◕

Source: Credit Suisse Research.

Explanation of Rankings Network Architectural Shift

Figure 146: CHKP Best Positioned, FTNT Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Architectural Shift to Cloud ◔ ◑ ◕

Source: Credit Suisse Research.

Check Point has the most substantial firepower (we estimate ~$10bn vs PANW with ~$5bn and FTNT ~$4bn), and therefore the path of least resistance to acquire their way into the future. It is followed by PANW, with the second most transformative firepower, and a convincing forward-leaning product suite (VM-Series, Global Connect, etc.). FTNT is, in our view, the most exposed given its historical competitive advantage generation via hardware.

Cybersecurity 86 5 September 2017

Cisco Increasingly Competitive

Figure 147: CHKP Best Positioned, PANW Most Exposed Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Cisco increasingly competitive ○ ◕ ◑

Source: Credit Suisse Research.

Cisco has been explicit about its intentions to compete for refreshing customers. Given management expects imminent refresh cycles at PANW and FTNT, we therefore see these names as the most exposed on a relative basis. PANW's refreshed product is expected to account for more than FTNT in our model; we thus rank PANW as the most exposed. Check Point's maturity results both in a more linear refresh, as well as greater salesforce experience with competitive defenses. Therefore, we believe them to be the least exposed to Cisco's investments in its security portfolio.

Juniper Has Little Share Left to Give

Figure 148: PANW Highly Exposed, FTNT and CHKP Well Positioned Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Juniper has little share left to give ○ ● ◔

Source: Credit Suisse Research.

PANW has derived roughly much of its growth via share gain, and we therefore think that Juniper's lack of share left to donate is likely a disproportionate negative for PANW. Given CHKP derives less of its growth from share gain than we believe the younger FTNT to do, we see CHKP the least exposed to this risk.

Cloud Transitionary Headwinds

Figure 149: PANW and FTNT Equally Exposed, CHKP Well Positioned Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Cloud transitionary headwinds ◔ ◑ ◑

Source: Credit Suisse Research.

While we recognize to some extent each name is equally exposed to this risk, we believe CHKP to be the best positioned to weather a transition for the following reasons: (1) this is not CHKP's first rodeo, as it has weathered a software to hardware in the past; (2) top-line consensus growth expectations are lowest for Check Point at ~7% NTM y/y growth vs PANW at ~20% and FTNT at ~15%; and (3) CHKP has shown great price discipline in the past, most notably when PANW aggressively entered the market in the early 2010s.

Cybersecurity 87 5 September 2017

TAM Expansion

Figure 150: CHKP & PANW Least Exposed, FTNT Most Exposed Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT TAM expansion ◑ ◑ ●

Source: Credit Suisse Research.

Again, somewhat of a homogenous risk; each incumbent has greatly expanded the security pain points they address, and therefore it becomes incrementally harder to move the TAM needle. However, we believe FTNT to have the most complete product suite with its security fabric offering. While a clear positive historically, we believe it will make it incrementally harder for FTNT to move the needle on its own TAM.

Competition in the Mid-Market

Figure 151: PANW Least Exposed, FTNT Most Exposed Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Competition in the mid market ◑ ○ ●

Source: Credit Suisse Research.

The mid-market is highly competitive and saturated. We therefore rank exposure to this risk simply as a function of exposure. PANW has principally enterprise customers, while FTNT reports ~70% of billings to be derived from the entry-level and mid-range segments. IDC data corroborate this, showing FTNT to have 56% exposure to the volume market vs CHKP at 27% and PANW at only 14%. Comparing this against IDC data for high-end deployments where FTNT has only 20% while PANW and CHKP have 59% and 53%, respectively, informs our ranking.

Carrier Exposure

Figure 152: FTNT Highly Exposed to Carrier Customers Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Carrier Exposure ◔ ◑ ●

Source: Credit Suisse Research.

While historically a positive, we now view carrier exposure as a risk due to the higher speed of virtualization of carrier customers. As above, we rank this simply based on our view of percent of billings derived from carrier customers. FTNT has ~20% and is known as the leader in this vertical. While neither PANW nor CHKP report their carrier exposure, we view CHKP's installed base to be more diversified and therefore less exposed to carrier virtualization relative to PANW.

Cybersecurity 88 5 September 2017

Relative Valuation Substantial Nuance in Firewall Valuation Broad conclusions from our valuation work are as follows:

■ PANW Looks Misleadingly Cheap: On EV/uFCF, both Palo Alto Networks and Fortinet appear inexpensive. Given higher relative growth expectations for PANW & FTNT, the fact they trade in-line with CHKP is optically attractive. However, adjusting out SBC (broadly accounting for the fact some cash would have had to have paid in lieu of stock to retain talent) and adjusting for LT deferred revenue change (as yet un- earned, and therefore expenses unpaid, revenue) shows PANW and FTNT to be much more expensive than CHKP.

■ Only CHKP Trades on an Earnings Multiple: Looking at income statement multiples, particularly non-GAAP P/E, reveals only CHKP to be trading within a reasonable range on P/E, while both PANW and CHKP trade on revenues and cash flows. While we appreciate higher growth expectations beget growth valuations, on a metric-specific growth-adjusted basis, CHKP looks expensive and in-line on revenue growth.

■ Recurring Revenues Favor Fortinet: Fortinet is attractive on a recurring revenue basis. While we think of recurring revenue multiples as more reflective of floor value than intrinsic value; nonetheless recurring revenues provide more support to FTNT than either PANW or CHKP. But some of this is discount is to be expected given its greater mix of typically-higher-churn SMB customers.

Figure 153: Valuation Matrix Absolute Valuation Analysis CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x Income Statement Multiples EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x

Source: Company data, Credit Suisse estimates.

Figure 154: Growth Rates Used in Adjusted Valuation (2Y CAGR) Growth CHKP PANW Fortinet 2Y CAGR TTM-NTM FY18-FY17 2Y CAGR TTM-NTM FY18-FY17 2Y CAGR TTM-NTM FY18-FY17 uFCF 9% 9% 6% 18% 15% 31% 28% 29% 42% Revenue 7% 7% 7% 21% 21% 18% 14% 14% 11% Operating Income 6% 6% 7% 27% 27% 28% 23% 9% 22% Non-GAAP EPS 9% 7% 9% 27% 22% 23% 22% 7% 17% GAAP EPS 9% 6% 9% -32% -45% -40% 85% 13% 26% Recurring Revenue 10% 10% 9% 32% 31% 26% 20% 21% 16% Source: Company data, Credit Suisse estimates.

Cybersecurity 89 5 September 2017

Figure 155: Valuation Matrix Adjusted for Metric Specific 2Y CAGR Growth adjusted (metric specific) CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 1.75 1.70 0.77 0.67 0.44 0.41 EV/UFCF Adjusted for SBC 1.92 1.87 2.12 1.69 0.69 0.65 EV/UFCF Adjusted for LT Deferred 1.84 1.81 1.19 0.95 0.60 0.55 EV/UFCF Adjusted for SBC & LT Deferred 2.04 2.00 n/a n/a 1.21 1.07 Income Statement Multiples EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22 EV/Non-GAAP Operating Income 2.32 2.24 0.94 0.83 0.87 0.76 Non-GAAP P/E 2.19 2.09 1.65 1.48 1.75 1.57 GAAP P/E 2.45 2.33 n/a n/a 1.09 0.87 EV/Recurring Revenue 1.10 1.06 0.26 0.23 0.25 0.24

Source: Company data, Credit Suisse estimates.

Figure 156: Valuation Matrix Adjusted for Top-Line 2Y CAGR Growth adjusted (revenue growth) CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82 EV/UFCF Adjusted for SBC 2.25 2.19 1.79 1.42 1.38 1.30 EV/UFCF Adjusted for LT Deferred 2.16 2.12 1.01 0.80 1.20 1.10 EV/UFCF Adjusted for SBC & LT Deferred 2.39 2.35 n/a n/a 2.42 2.14 Income Statement Multiples EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22 EV/Non-GAAP Operating Income 1.97 1.90 1.21 1.07 1.42 1.24 Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49 GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32 EV/Recurring Revenue 1.50 1.44 0.40 0.36 0.37 0.34

Source: Company data, Credit Suisse estimates.

Cybersecurity 90 5 September 2017

Relative HOLT® Perspective HOLT Is Reflective of Our Views on Quality and SBC Reflecting our fundamental view that Check Point is a high-quality wealth creator, in HOLT it has succeeded in maintaining >15% CFROI® for ten years and has actually increased returns from its 2013-14 nadir, which incidentally coincided with PANW's entry to the market.

Figure 157: Check Point Has Maintained High and Stable Returns on Capital (CFROI®); Adjusting Out SBC Has a de Minimis Impact on Returns and Forecast Check Point HOLT CFROI profile 25 20 15

(5 ) CFROI Forecast CFROI CFROI adjusted to exclude SBC 2007 2009 2011 2013 2015 2017 Source: HOLT, Credit Suisse Research.

Returns are materially lower for FTNT, and worst for PANW, although when adjusting CFROI to exclude stock-based compensation (approximating non-GAAP), they are more comparable (10% vs 7.4% LFY for CHKP and PANW, respectively).

Figure 158: Fortinet Has Seen Depressed Returns Figure 159: Including SBC Palo Alto Networks Is Not on Capital in Recent Years as It Has Sacrificed a Positive Spread Business; ex-SBC Returns in Margin for Investment in Sales and Marketing FY16 Were ~7.5%... Fortinet HOLT CFROI profile Palo Alto Networks HOLT CFROI profile

CFROI 25 CFROI 25 Forecast CFROI 20 Forecast CFROI 20 CFROI adjusted to exclude SBC 15 CFROI adjusted to exclude SBC 15 10 10 5 5 0 0 (5 ) (5 ) 2007 2009 2011 2013 2015 2017 2007 2009 2011 2013 2015 2017 Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

The gap between returns on capital with, and without, accounting for stock-based compensation expense has been broadening materially for FTNT, and even more so for PANW over the last several years. This corroborates the conclusions of our relative-adjusted multiple-based valuation method, which also depicts PANW as less attractive than FTNT on UFCF ex SBC and FTNT in turn to be less attractive than CHKP.

Cybersecurity 91 5 September 2017

Figure 160: The CFROI Spread Inclusive and Exclusive of SBC Shows the Impact on PANW, Then FTNT's Returns to Be the Most Penal; CHKP's CFROI® Exhibits Limited Sensitivity to Its Stock-Based Compensation Expense Spread between HOLT CFROI including, and excluding Stock Based Compensation expense

8% CHKP PANW FTNT

0% 2007 2009 2010 2012 2013 2014 2016

Source: HOLT, Credit Suisse Research.

Implied Expectations Are Highest for PANW on a Relative Basis Check Point has the lowest market-implied expectations (the Green dot, based on a reverse DCF, shows the future level of returns required to validate today's price) relative to FY2 CFROI (Pink bars: CFROI as implied by IBES consensus expectations). However, while embedded expectations appear conservative at 18% market-implied returns vs 22% FY2 CFROI forecast, on an absolute basis, they remain substantially above market expectations for FTNT and PANW (at 8.5% and 10%, respectively). In addition, the market expects CHKP to sustain high returns for a long period. CHKP has sustained high and stable returns for a sufficient period to be awarded an eCAP, and an eCAP is rewarded by lengthening the fade window to ten years (reflective of high-quality companies tending to be more successful at generating excess returns for longer), thus expectations for returns on capital in excess of 18% are embedded through 2026.

Figure 161: Check Point Has Maintained High Relative Returns on Capital, and the Market Is Pricing for These Returns to Sustain over a Ten-Year Time Horizon Check Point returns on capital (CFROI) & Discount rate (%) 25 CFROI 20 15 Forecast CFROI

10 Discount rate 5 Historical median 0 Market implied (5 ) CFROI 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2026

Source: HOLT, Credit Suisse Research.

Embedded expectations for FTNT imply a recovery in CFROI to 8.5% in 2021 from 5.2% in 2016. This improvement is consistent with 2014 CFROI levels and suggests the market is comfortable with the margin improvement guidance from management following investment in sales capacity and marketing over the past several years having depressed margins.

Cybersecurity 92 5 September 2017

Figure 162: The Market Is Pricing CFROI® to Improve to 2014 Levels Fortinet returns on capital (CFROI) & Discount rate (%) 25 CFROI 20

15 Forecast CFROI

10 Discount rate 5 Historical median 0

(5 ) Market implied CFROI 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 Source: HOLT, Credit Suisse Research.

PANW has the highest embedded market expectations of its peers, with an implied recovery from sub-discount rate returns in 2016 to 10% CFROI in 2021. Interestingly the market implied is equivalent to CFROI adjusted to exclude SBC in the forecast years, suggesting the market appears somewhat prepared to look-through high levels of stock based compensation expense at PANW.

Figure 163: Market Implied CFROI Calls for PANW CFROI Improvement to as Yet Unachieved Levels Palo Alto returns on capital (CFROI) & Discount rate (%)

25 CFROI 20 Forecast CFROI 15 10 Discount rate

5 Historical median 0 Market implied (5 ) CFROI 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 Source: HOLT, Credit Suisse Research.

Sales Growth Expectations Are Highest for PANW We sense check our belief that top-line growth expectations are the highest for PANW in our valuation scenarios (included individually in the following company reports). Through margin improvement driven scenarios, we can derive a long-term sales CAGR required to justify the current share price. Via simplistic margin scenarios, it becomes clear that, even when credited with unlikely margin improvement, PANW's top-line growth expectations (in this case, >10% CAGR to 2026) are in excess of FTNT's (7.3%) and greatly in excess of CHKP (4.2%).

Cybersecurity 93 5 September 2017

Figure 164: Assuming Stable Margins, the Market Figure 165: Should Margins Rise to the Historical Embeds a Long-Term Sales CAGR of 4% to Achieve Peak, the Market Embeds a Long-Term Sales CAGR CHKP's Current Share Price of 7.3% to Achieve FTNT's Current Share Price CHKP: Operating projections implied by current price: $111 per share FTNT: Operating projections implied by current price: $38 per share

Consensus 32 60 49.9 49.9 1 1 Assumed long term 24 21.5 Assumed long term Consensus margins to rise from 40 margins of 50% 16 9.5 9.5% to historical 20 8 peak of 21.5% 0 0 1996 2000 2004 2008 2012 2016 2020 2024 2007 2011 2015 2019 2023 Historical margins Forecast Historical margins Forecast Margins w/o SBC Margins w/o SBC

30 2 Solved for the long 30 Consensus 2 Solved for the long 16.9 term sales CAGR 20 term sales CAGR 20 Consensus required to get to required to get to 7.7 10 8.0 10 5.0 current price of $111 current price of $38 0 0

(10) (10) 1996 2000 2004 2008 2012 2016 2020 2024 2007 2011 2015 2019 2023 Historical growth Forecast Historical growth Forecast Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Figure 166: Assuming Margins Rise from Consensus Levels of (15%) to FTNT’s Peak of 22%, PANW’s Current Price of $131 Implies a Sales CAGR of 11% over the Next Ten Years PANW: Operating projections implied by current price: $146 per share

30 Consensus 21.5 1 20 (14.6) Assumed long term margins 10 to rise from -14.6% to 0 21.5% based on historical (10) peak of FTNT (20) 2007 2011 2015 2019 2023 Historical margins Forecast Margins w/o SBC

80 2 Solved for the long term 60 sales CAGR required to get Consensus to current price of $146 40 26.2 20 11.8

0 2007 2011 2015 2019 2023 Historical growth Forecast Source: Company data, Credit Suisse estimates.

Sales, Margins, and SBC CHKP’s high returns are driven by high and stable margins vs. FTNT and PANW. PANW’s stock option expense has increased dramatically in the past years.

Cybersecurity 94 5 September 2017

Figure 167: Sales, Margins, and Stock-Based Compensation Expense as a % of Sales CHKP FTNT PANW Sales growth (%)

60 Sales growth Historical CAGR 60 60

40 40 40

20 20 20

0 0 0 2007 2010 2013 2016 2007 2010 2013 2016 2007 2010 2013 2016 EBITDA margins (%) 60 60 60 EBITDA margins 40 40 Historical median 40 EBITDA margins w/o SBC 20 20 20 0 0 0 (20 ) (20 ) (20 ) 2007 2010 2013 2016 2007 2010 2013 2016 2007 2010 2013 2016 Stock option expense as % of sales

SBC as % of sales Historical median 29 30 30 30 24

20 20 20 17 9 10 11 7 8 10 5 5 5 10 6 6 10 5 4 3 3 3 3 4 4 3 3 3 4 4 0 0 0 2 0 0 0 2007 2010 2013 2016 2007 2010 2013 2016 2007 2010 2013 2016

Source: HOLT, Credit Suisse Research.

What Is HOLT? The HOLT methodology uses a proprietary performance measure known as Cash Flow Return on Investment (CFROI®). This is an approximation of the economic return, or an estimate of the average real internal rate of return, earned by a firm on the portfolio of projects that constitute its operating assets. A firm's CFROI can be compared directly with its real cost of capital (the investors' real discount rate) to see if the firm is creating economic wealth. By removing accounting and inflation distortions, the CFROI allows for global comparability across sectors, regions, and time and is also a more comprehensive metric than the traditional ROIC and ROE.

Cybersecurity 95 5 September 2017

Figure 168: How to Read a HOLT CFROI® Chart

Market Derived Discount Rate Superior performance metric Market-calibrated valuation Competitive Lifecycle & fade

. The HOLT discount rate is forward- . CFROI is a cash-based return on . Forecasted FCF calibrated to current . Empirically derived terminal value looking, derived from observed capital metric that improves market values through observed, recognises competitive life-cycle of market valuation, and accurately comparability of corporate market implied discount rate returns and growth (mean reverting reflects current investors’ risk performance across companies, . Calibrate future CFROI and growth fade concept) appetite geographies and time rates embedded in the current stock . Cumulative probability approximates price the likelihood of achieving future returns given the past return profile

Discount Historical Future performance implied by Future value Turnaround? Forecast Forecast rate returns today’s stock price Growth Fading Mature CFROI Discount Cash flows rate Total Market = FCF CFROI Value (1 + DR)

Reinvestment Solve Capital investment

Historical CFROI

Adjusted historical returns on CFROI Forecast capital based on HOLTs Market derived proprietary framework T+1 and T+2 returns on discount rate capital forecasts based on IBES consensus estimates Country market implied discount rate adjusted for company’s leverage and size

Market implied CFROI

Long-term level of returns on capital required to validate today’s market value

1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

Source: Credit Suisse HOLT.

Cybersecurity 96 5 September 2017

Stock Calls Palo Alto Networks: Lost in Palodise Americas/United States Software

Palo Alto Networks, Inc. (PANW) Rating UNDERPERFORM Price (01-Sep-17, US$) 146.67 Target price (US$) 125.00 52-week price range (US$) 164.15 - 108.01

Market cap(US$ m) 13,468 Lost in Palodise Target price is for 12 months.

Initiating Coverage with Underperform Rating and $125 Target Price Research Analysts

Despite being one of the most disruptive innovators in the security industry, we Brad A Zelnick believe investors are overly optimistic in Palo Alto Networks’ ability to sustain 212 325-6118 [email protected] over 2x market growth rates. We truly believe this is a great company with great Jobin Mathew management, but not a great stock at current levels. 212 325 9676 [email protected] ■ What Comes After the Perfect Storm? Past performance is no indicator of Syed Talha Saleem, CFA future success. The market view that PANW continues to outpace market 212 538 1428 growth by a factor of 2x is overly sanguine, in our view. We believe PANW’s [email protected] past outperformance was the result of a perfect storm of tailwinds that are now subsiding and believe the current product cycle, while technologically compelling, remains a source of disruption for longer than many anticipate. ■ Competitive Refresh Cycle: We believe a refresh cycle is indeed coming, but may be less impactful than many anticipate. PANW's refresh is an opportunity that invites competition at a time when products in the category are less differentiated than ever. Meeting Street expectations relies on defense as much as offense for the first time in PANW’s history. ■ Structural Limitations: Cloud mania is not just an issue for firewall companies because of a ratable revenue transition, in our view. We believe the entire category will face pressures of disaggregation as well as an architectural shift that relies far less on perimeter-based security. ■ Valuation: Our $125 target price is based on our DCF analysis, which assumes an 7.3% FCF CAGR over the next 10 years. While seemingly inexpensive on FCF multiples, adjusting for stock comp expense and long- term deferred revenues tells a completely different story. If we instead consider simple P/E (CY2018), PANW trades at ~40x vs. CHKP at ~20x and FTNT at ~35x. Upside risks to our target price include better unattached subscription growth including cloud/virtual and endpoint adoption and a more powerful refresh cycle. Share price performance Financial and valuation metrics

Year 7/16A 7/17A 7/18E 7/19E NON-GAAP EPS (CS adj., ) 1.89 2.71 3.29 4.09 Prev. EPS (CS adj., US$) P/E (CS adj.) (x) 77.5 54.1 44.6 35.9 P/E rel. (CS adj., %) - 256 234 209 Revenue (US$ m) 1,379 1,762 2,129 2,485 Non-GAAP Operating Income 271 355 451 570 Net(US$ Debt m) (US$ m) -1,438 -1,640 -2,029 -2,531 Unlevered Free Cash Flow 610 732 844 958 On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55 P/uFCF(US$) (x) 24.1 20.0 17.4 15.3

Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$145.18 Number of shares (m) 91.82 Price/Sales (x) 7.66

Quarterly EPS Q1 Q2 Q3 Q4 Net debt (Next Qtr., US$ m) -1,692.6 Dividend (current, US$) - 2017A 0.55 0.63 0.61 0.92 Dividend yield (%) - 2018E 0.68 0.80 0.84 1.00 Source: Company data, Thomson Reuters, Credit Suisse estimates

2019E 0.88 0.99 0.97 1.25

Cybersecurity 97 5 September 2017

Palo Alto Networks, Inc. (PANW) Price (01 Sep 2017): US$146.67; Rating: UNDERPERFORM; Target Price: US$125.00; Analyst: Brad Zelnick Income Statement 7/16A 7/17A 7/18E 7/19E Company Background Revenue (US$ m) 1,378.5 1,761.6 2,129.0 2,484.6 Palo Alto Networks is a leading provider of enterprise security. Core EBITDA 313.6 414.5 520.3 651.3 expertise in advanced firewalls that have advanced granular control Operating profit 270.8 354.7 451.2 569.8 over activity based on application and on user context have been Recurring profit 278.8 367.3 463.8 586.5 extended to a platform NGFW approach. Cash Flow 7/16A 7/17A 7/18E 7/19E Cash flow from operations 659 871 922 1,056 Blue/Grey Sky Scenario CAPEX (73) (163) (100) (120) Free cashflow to the firm 586 708 822 936 Cash flow from investments (339) (473) (149) (132) Net share issue(/repurchase) 45 (365) (385) (385) Dividends paid 0 0 0 0 Issuance (retirement) of debt 0 0 0 0 Other (255) 189 2 (37) Cashflow from financing activities (209) (176) (383) (422) Effect of exchange rates 0 0 0 0 Changes in Net Cash/Debt 110 201 390 501 Net debt at end (1,438) (1,640) (2,029) (2,531) Balance Sheet ($US) 7/16A 7/17A 7/18E 7/19E Assets Other current assets 691 800 853 893 Total current assets 1,774 1,976 2,522 3,130 Total assets 2,858 3,438 4,176 5,035 Liabilities Short-term debt 0 0 0 0 Total current liabilities 847 1,201 1,471 1,770 Long-term debt 0 0 0 0 Total liabilities 1,963 2,679 3,276 3,845 Shareholder equity 895 760 900 1,189 Total liabilities and equity 2,858 3,438 4,176 5,035

Net debt (1,438) (1,640) (2,029) (2,531) Our Blue Sky Scenario (US$) 168.00 Per share 7/16A 7/17A 7/18E 7/19E Our Blue Sky scenario assumes a strong refresh cycle and No. of shares (wtd avg) 91 93 97 99 upgrades driven by recent software innovation as well as continued CS adj. EPS 1.89 2.71 3.29 4.09 success in growing the attached and non-attached subscription Prev. EPS (US$) businesses. Dividend (US$) 0.00 0.00 0.00 0.00 Free cash flow per share 6.42 7.58 8.45 9.45 Earnings 7/16A 7/17A 7/18E 7/19E Our Grey Sky Scenario (US$) 113.00 Sales growth (%) 48.5 27.8 20.9 16.7 Our Grey sky scenario assumes high levels of competition on the EBIT growth (%) 80.5 31.0 27.2 26.3 refresh, in addition to pricing challenges and demand pauses Net profit growth (%) 84.1 46.6 26.3 26.5 against a backdrop of declining firewall relevance. EPS growth (%) 76.1 43.4 21.3 24.2 EBIT margin (%) 19.6 20.1 21.2 22.9 Share price performance Valuation 7/16A 7/17A 7/18E 7/19E EV/Sales (x) 8.73 6.71 5.37 4.40 EV/EBIT (x) 44.4 33.3 25.4 19.2 P/E (x) 77.5 54.1 44.6 35.9 Quarterly EPS Q1 Q2 Q3 Q4 2017A 0.55 0.63 0.61 0.92 2018E 0.68 0.80 0.84 1.00 2019E 0.88 0.99 0.97 1.25

On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55 Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$145.18

Source: Company data, Thomson Reuters, Credit Suisse estimates

Cybersecurity 98 5 September 2017

Key Debates: ■ How Long Can PANW Outgrow the Market? At present, consensus expectations call for PANW to outgrow the firewall market by a factor of 2x. Can this be sustained at scale?

Our Takes: ■ Growth Expectations Are Too Optimistic: Past performance isn’t an indicator of future success. We think PANW enjoyed a perfect storm of tailwinds as it grew; now these

tailwinds are abating, or becoming headwinds. In addition, PANW appears highly exposed to the sector headwinds (architectural and otherwise) we believe face firewall incumbents.

■ Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could become a potential target for a strategic buyer seeking to consolidate the market.

Estimates: ■ Revenue and EPS: We forecast FY18E/FY19E revenue growth at 21%/17% vs the consensus at 22%/19% and EPS of $3.29/$4.09 vs the Street at $3.30/$4.12.

■ Cash Flow: We forecast 7.3% FCF 10 year FCF CAGR through 2027E.

■ Refresh Cycle: We model a ~5.5 year refresh cycle.

Valuation: ■ DCF: Our $125 target price is based on our DCF analysis, implying 14% downside and 11x EV/uFCF (CY2019) vs CHKP at 14.5x and FTNT at 11.5x.

Cybersecurity 99 5 September 2017

Key Charts

Figure 169: PANW Benefited from a Perfect Storm of Figure 170: ...The Market Expects PANW Billings to Factors and Has Taken Substantial Market Share… Continue to Outgrow Competitors and the Market …

80% 80% PANW CHKP FTNT Others 70% 60% 60% Juniper Fortinet 50% 40% 40% Check Point 30%

20% Cisco 20% 10% Palo Alto 0% 0% Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018 2002 2006 2010 2014 Source: IDC, Credit Suisse Research. Source: Factset, Credit Suisse Research.

Figure 171: …However, Management Guidance Figure 172: …Refresh Cycle and Rate Assumptions Implies Its Refresh Cycle Has Lengthened… Sensitivity Show Diminished Refresh Opportunity… 8 Refresh cycle guidance range Refresh rate assumption (%) Midpoint 80% 85% 90% 95% 100% 7 38% 40% 42% 45% 47% 4.0 31% 33% 35% 37% 39% 6 4.5 27% 29% 30% 32% 34% 5 5.0 23% 25% 26% 28% 29% 5.5 4 19% 21% 22% 23% 24% 6.0 3 15% 16% 17% 17% 18% 6.5 2 9% 10% 11% 11% 12% Average Refresh (y) 7.0 2013 2014 2015 2016 2017 2017 Source: Company Management, Credit Suisse Research. Source: Credit Suisse Research.

Figure 173: …The Tailwind from Support Is Challenging to Increase at the Same Rate… Figure 174: …with Valuation Highest (Adj. for SBC) 40x 37.8x FTNT PANW CHKP EV/UFCF, NTM 50% 30x EV/UFCF Adjusted for SBC, NTM 45% 20x 16.4x 17.4x 14.9x 13.8x 40% 12.2x 10x 35% 0x 30% CHKP FTNT PANW 2008 2009 2010 2012 2013 2015 2016 Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse estimates.

Cybersecurity 100 5 September 2017

Key Debates

■ How Long Can PANW Outgrow the Market? Past performance is no indicator of future success. We believe the conventional logic that Palo Alto Networks will continue to outgrow its competitors, and the market, for years to come is overly sanguine.

Figure 175: PANW Consensus Estimates Imply it will Continue to Outgrow the Firewall Market By a Factor of 2x... US$ in millions, unless otherwise stated

PANW Revenue PANW y/y change (%) Firewall Market (Gartner) $13bn $14bn $12bn 60% $12bn $12bn $11bn $10bn $9bn 40% $8bn

$6bn 20% $4bn

$2bn

$bn 0% 2016 2017E 2018E 2019E 2020E

Source: Company data, Thomson Reuters Datastream, Gartner, Credit Suisse research.

Figure 176: Company Messaging at Ignite 2016 Implies Long-Term Growth in Excess of the Market

High growth Growth Long Term

Revenue growth >30% 20% - 30% >Market

Source: Palo Alto Networks, Ignite 2016, Credit Suisse Research.

In our view, past outperformance of market growth is a function of a perfect storm of positive factors, including (but not limited to): − Surge in Industry Spending: Landmark breaches such as the Target credit card hack (2013), Sony Pictures (2014), Ashley Madison (2015), and the Office of Personnel Management (2015) drove a broad-based enterprise re-evaluation of security posture. The benefits of the resulting increase in spending and accelerated refresh accrued disproportionately, we think, to Palo Alto. − Disruptive Message and Products: PANW got its proverbial foot in the door at many enterprises due to the truly disruptive nature of its granular application control capabilities. It then proceeded to expand its landing with an inspired platform vision, very effectively messaged through the enticing narrative of Next-Generation Firewall (NGFW) and single-pass architecture.

Cybersecurity 101 5 September 2017

− Share Donation: As we have discussed at length, weak product offerings from Juniper and Cisco left swathes of exposed brownfield opportunity. In addition, other more competitive vendors (CHKP and FTNT) lacked the platform vision that PANW leveraged to its success. − Size Benefits: Small scale translated into a greater degree of nimbleness than the large incumbents and endowed PANW with an ability to drive growth via expansion into new channels, geographies, and product categories. − Recurring Revenue Growth: PANW has been the ultimate aggregation play in network security and security software more broadly. The consolidation of multiple adjacencies into a single-platform approach created extraordinary value for customers and generated shareholder value by propelling an ever increasing and highly recurring subscription and support stream.

Figure 177: Palo Alto Networks Has Outgrown the Market and Taken Substantial Share Since Its Entry in Late 2009 Revenue market share, Firewall and UTM,

80%

70% Others

60% Juniper Fortinet 50%

40% Check Point 30% Cisco 20%

10% Palo Alto 0% 2002 2004 2006 2008 2010 2012 2014 2016

Source: IDC, Credit Suisse Research.

We expect the majority of these tailwinds are now subsiding. Taking each in turn: − Industry Spending: We still consider security spend to be an area of secular growth, but while in 2014-15 accelerating spend coalesced around the network, we now perceive the focus to be shifting toward areas more relevant in a cloud-first architecture: identity, cloud based proxy, micro segmentation, etc. − Product Convergence: While Palo Alto appliances remain undeniably of exceptional quality, the competitive gap has materially closed in recent years. Anecdotal evidence from our field conversations reflects the convergence evident on Gartner's magic quadrant. Gartner’s statement that 'all vendors [now have]… NGFWs… in essence there is no longer a 'next generation' in the firewall market' (Enterprise Network Firewall Magic Quadrant 2017, Gartner) tempers the gravitas of PANW's NGFW distinction.

Cybersecurity 102 5 September 2017

Figure 178: PANW Remains an Unequivocal Leader, but Has Lost Some Momentum While Others Have Gained Estimated based on 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Magic Quadrants

PANW

Source: Gartner, Credit Suisse Research.

− Share Donation Reversal: Instead of easy brownfield wins, Palo Alto now faces its first refresh cycle at scale as defender, not aggressor. We think this defense is going to be made more challenging as a result of (1) product convergence, (2) Cisco's focus on competing for share, and (3) execution risk inherent in PANW weathering its first refresh cycle. − Victim of Success: Each year PANW grows in scale, the more difficult it becomes to maintain the same growth in the next. Now that Palo is greater in scale than any of its pure-play peers, second only to Cisco, we believe that to maintain 20%-plus growth, competitive share gain as a vehicle is limited; it requires PANW to grow the category itself. − How Much Attach Headroom Is Left? PANW has been extraordinarily successful at growing the subscription and support segment of its business. Although partly a function of an upward trend in support rate, it is primarily driven by subscription attach. The addition of unattached subscriptions (Traps, AutoFocus, Aperture, and VM-Series) in particular drove combined services as a percentage of thru-refresh cycle (5y trailing) product from sub-40% in 2012 to just under 52% as of the last print. We applaud its success here but wonder how much headroom remains.

Cybersecurity 103 5 September 2017

Figure 179: PANW Has Two Options to Continue to Figure 180: PANW Has Attached more Rapidly and Outgrow the Market: Take Share, or Grow the Market to a Greater Extent than Competitors 2017E revenue (CSCO and FTNT are Security revenue), y/y growth 5 year through cycle attach rates. Annualized subscription and support as a percentage of 5 year trailing product

2,500 $2.3bn CY17 Revenues FTNT PANW CHKP $1.9bn 60% 2,000 $1.9bn Growth 50%

$1.5bn 45% 1,500 45%

30% 1,000 23% 40% 17% 500 $0.3bn 15% 8% 5% 35% 0 0% -10% -500 -15% 30% 2008 2009 2010 2012 2013 2015 2016 CSCO PANW CHKP FTNT JNPR Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Ultimately, given some of the tailwinds that have helped Palo Alto Networks achieve such extraordinary success appear to be abating, or have already turned, we find ourselves somewhat more cautious on PANW's ability to meet growth expectations.

■ To What Extent Will the Refresh Cycle Be a Tailwind? It has long been a cornerstone of the PANW bull case that a refresh cycle is nigh. Upon arrival, the refresh will bring many positives, particularly less dependence on net new business to drive product growth and up-sell opportunities on the refresh sale. Contrary to conventional refresh cycle wisdom, we perceive risk to the construction of a bull case upon an unequivocally positive view of the internal refresh opportunity. Not only do we contend a refresh cycle doesn't de-risk the product revenue line as much as the market might think, but also we see several other question marks: − Trade-Down Effect: Refresh cycle bulls assume PANW customers will renew, upgrade, and attach at high rates; in the context of other factors, we think there is risk to these assumptions. − Competition: Palo's refresh is Cisco's opportunity; it has said as much, and we think its scale now means meeting Street expectations relies upon defense as much as offense for the first time in PANW's history. − Execution Risk: This represents PANW's first refresh, and thus requires a different playbook. Despite our confidence in the execution ability of an exceptional management team, we perceive a level of residual execution risk as PANW enters this refresh.

The Refresh of Yore Cycle Is Nigh… Management has communicated strongly that it expects a refresh cycle affecting H2 fiscal 2017 and FY2018. CFO Steffen Tomlinson said in late 2016 '… we look at the refresh cycles that are intended to happen in the second half of the fiscal year', adding in June 2017 that '… into '18 the refresh would be building in significance and momentum.' We recognize there is some history around refresh cycle anticipation; in late 2013, CEO Mark McLaughlin explained that although it's hard to come by hard data 'around the

Cybersecurity 104 5 September 2017

refresh cycles [he'd] heard a number of anecdotal points that [suggested] a big refresh cycle … in the next 12 to 15 months.' He went on to justify this from a pipeline perspective: ‘We think we can see that from what we're seeing from a pipeline perspective, close rates. I mean, it all points that direction that there is a big refresh cycle in front of us.’ – Mark D. McLaughlin, CEO, November 25th 2013 While investors have before been disappointed by guided refresh cycles failing to materialize, this time we recognize may be different. There is an organic mechanical element given the sheer size of Palo's FY2010-13 cohort (~12,000 net customer additions). In addition, there is also an inorganic inducement element given Palo's February launch of PAN-OS v.8.0 (with 70 new features), three new virtual firewalls, and new hardware products across the performance spectrum.

It Appears the Refresh Cycle Has Lengthened Management and market understanding of the PANW refresh dynamic's shape and cadence have proved elusive in the past. It seems apparent to us that early cohorts of Palo customers have not refreshed quite as rapidly as initially expected. When we aggregate senior management commentary around the expected refresh cycle, duration has both lengthened and widened. CEO Mr. McLaughlin described a typical refresh cycle as between three and four years in late 2013, implying a mid-point of 3.5 years. Progressive increases were communicated by various executives before settling on a floor of four years (the same as the 2013 ceiling assumption) and a ceiling of seven years, implying a mid-point around 5.5 years. We illustrate the progression in Figure 181 and Figure 182.

Figure 181: Analysis of Palo Alto Networks Figure 182: … Suggests Their View of Refresh Cycle Executive's Commentary Around Refresh Cycles… Duration Has Lengthened Significantly

Refresh cycle commentary Years 8 Refresh cycle guidance range Name Position Date Floor Ceiling René Bonvanie CMO Mar 2013 3 5 7 Midpoint Mark D. McLaughlin CEO Nov 2013 3 4 Mark D. McLaughlin CEO Feb 2014 3 5 6 Mark D. McLaughlin CEO Mar 2015 4 5 Steffan C. Tomlinson CFO May 2015 4 5 5 Kelsey D. Turcotte VP IR Jun 2015 3 5 4 René Bonvanie CMO Apr 2016 4 7 Mark D. McLaughlin CEO Nov 2016 4 6 3 Kathy Bonanno VP Finance Jan 2017 4 7 Mark D. McLaughlin CEO May 2017 4 7 Illustrative 2 Steffan C. Tomlinson CFO Jun 2017 4 7 2013 2014 2015 2016 2017 2017 Source: Thomson Reuters Eikon, Credit Suisse Research. Source: Thomson Reuters Eikon, Credit Suisse Research.

'…firewall … is characterized by first of all, a refresh cycle that is three to five years.' - René Bonvanie, Chief Marketing Officer, March 21st 2013 '…It's hard to be mathematically exact in this, but a number of sources of the refresh that comes up every three or four years, really big ones. We think we're at the beginning of one of those.' – Mark D. McLaughlin, CEO, November 25th 2013 '…if you think about the history of the Company and size or magnitude of the revenue base of the Company and a refresh cycle generally being three to five years' - Mark D. McLaughlin, CEO, February 24th 2014

Cybersecurity 105 5 September 2017

'Refreshes generally occur [every] 4 or 5 years'. I think there was a lag on that on what should have been the most recent refresh cycle because of the 2008 recession.' - Mark D. McLaughlin, CEO, March 4th 2015 '… We are seeing our own customers starting to refresh in the earlier cohorts. And that's not surprising given four- to five-year refresh cycles.' – Steffan Tomlinson, CFO, 27th May 2015 'Firewall typically has a useful life of anywhere three, four, five years. And so that's where this concept of refresh comes in. - Kelsey Turcotte, VP Investor Relations, June 3rd 2015 'Device refresh occurs somewhere, in the security business, occurs somewhere between four and seven years.' – René Bonvanie, Chief Marketing Officer, April 4th 2016 '…It's a little hard to call those, but generally four to six years, but that seems to be the case still.' - Mark D. McLaughlin, CEO, November 21st 2016 '… refresh cycle being between four years to seven years with a sort of bell curve peaking around, let's call it 5.5 years.' - Kathy Bonanno, SVP Finance, January 10th 2017 1/10/2017 '…if you think of like 4-to 7-year average refresh cycle, somewhere in there, the big, big, big part of our customer base is going to be in refresh cycles … we think that that's something that should provide a tailwind for us in the go forward. – Mark D. McLaughlin, CEO, May 31st 2017 '…customers typically run firewalls for 4-7 years kind of range, so that FY'09-FY'13 cohort is ripe for refresh … well over 10,000 customers)' - Steffan Tomlinson, CFO, June 6th 2017

Figure 183: PANW Now Suggests an Average 5.5-Year Refresh Cycle Implies 5.5-year average refresh cycle

4 years 7 years LIFESPAN

Source: Company data, Credit Suisse estimates.

This Refresh Is Real Assuming this 5.5-year refresh rate, and a (potentially conservative) 90% dollar renewal rate on replacement hardware, we illustrate the mechanical nature of refresh in Figure 184.

Cybersecurity 106 5 September 2017

Figure 184: Assuming a 5.5-Year Refresh Rate and 90% Renewal Rate, We Can See the Rising Impact of Refresh Product as a Percentage of the Product Line Refreshed product as a % of our total product estimates (assuming 5.5 year refresh rate and 90% renewal rate)

40% Estimated Reported 38% 35% 31% 32% 31% 30% 28% 25% 25% 25% 23% 23%

20% 16% 16% 15% 12% 9% 10% 7% 8% 5% 6% 4% 5% 2% 3%

0% 2014 2015 2016 2017 2018 Source: Palo Alto Networks, Credit Suisse Research, Credit Suisse Estimates.

Many argue, with good reason, this dynamic acts to support the product line, especially in instances where customers can be upsold. Mechanically, the larger and larger cohorts of 2009-2013 become evident in the back half of FY17 and into FY18. If we subtract our renewed product calculation from total product revenue to arrive at a new product estimate, it becomes clear that consensus expectations for incremental product are very low. This, it has been argued, is a reason to own the stock (i.e., greater refreshing product supports product revenue, meaning new product estimates are handily achievable). While we remain cognizant of the argument, we would argue that refresh isn’t necessarily the support many assume.

Figure 185: Our (Somewhat Crude) Calculation of New-Product Shows Expectations for Incremental Business are Low New product (using consensus and assuming 5 year refresh rate and 90% renewal rate) y/y growth, % 60%

50% Forecast New Product, y/y, % 40%

30%

20%

10%

-10%

-20% 2013 2014 2015 2016 2017 2018 Source: Palo Alto Networks, Credit Suisse Research, Credit Suisse Estimates.

From a mechanical perspective, the risk to refresh revenue being a true support is two-fold. Either the refresh cycle continues to lengthen (that is, Figure 183 exhibits greater negative skewness), or alternatively the dollar refresh rate is lower than we model.

Cybersecurity 107 5 September 2017

Figure 186: Positive vs Negative Skewness

Source: Credit Suisse research.

We are concerned the refresh cycle could lengthen due to: − Execution Risk: Already Palo Alto Networks has experienced some level of refresh pause due to the introduction of mandatory PAN-OS 8.0, a brand new OS release, on all new product shipped. Large enterprises will typically wait to adopt a new major release until a version X.1 or X.2. While bulls argue this is simply a speed bump and that the new lineup will drive customers to refresh, we are concerned this exemplifies the execution risk of PANW facing its first refresh at scale. − Trade-Down Effect: PANW products are of the utmost quality, and one of the reasons for the increasing refresh length may be greater-than-expected product life. A corollary of the trade-down effect we discuss below, we posit whether this has the potential to result in continued cycle-lengthening. The disclosure in mid-2016 that the '2009 cohort was 65% refreshed and there was dollar increase' (René Bonvanie, Chief Marketing Officer, April 4th 2016) implies a long refresh tail. − Architectural Shifts Delaying Decision-Making: We have noted management at Fortinet cite service provider cloud transitions as creating a demand pause as decisions are delayed by architectural discussions. We recognize PANW’s lower relative exposure to the carrier market, but should this become a broader trend, we believe it could result in further refresh lengthening. '…the AWS/Azure piece is growing fast. And also, the traditional service provider also starting consider offer the cloud solution now. So that may delay some of their decision whether what kind of an architecture or infrastructure they may moving forward….' – Ken Xie, Fortinet Chairman CEO

We are concerned dollar renewal could not be as strong as expectations: − Competition: Cisco has explicitly stated it intends to take share from PANW upon the refresh opportunity. We doubt it is the only incumbent who has lost share to PANW since 2009 to have this view, and therefore expect PANW to face intense refresh competition. This could be a headwind to customer renewals if competitors succeed in their share attrition intentions. Given our view on trends toward product parity, we consider this to be a greater risk than we perceive are built into the Street's renewal assumptions. − Execution Risk: The sales effort to defend against competitive refresh bids is not only expensive but requires a different playbook. We believe this creates some level of execution risk in customer retention and up-sell/cross-sell relative to a more mature competitor, seasoned in retentive sales tactics.

Cybersecurity 108 5 September 2017

− Trade-Down Effect: Check Point is well known to have experienced a trade-down effect in 2012 following a major product line revamp in late 2011. In the revamp, it had tripled the performance of its boxes but left pricing comparable. This led a portion of customers to choose lower price boxes rather than renew like-for-like. ‘the trade-down effect … because we introduced boxes at the same price level, but with 3 times the performance around this time last year. What that led to was a combination of that macro environment, the increasing strength of the dollar on the FX side, leading to shrinking budgets, which has resulted in folks, instead of buying the same level of box trading down to something that was 2 times the power than the 3 times that we had anticipated, or hoped for.’ – Kip Meintzer, VP IR, 11/07/2012 To quantify the potential impact of greater-than-expected risk to refresh rate and cycle length, we have stress tested our model's assumptions below. We believe PANW bulls are underwriting a scenario that assumes 40-50% of fiscal year 2018 product revenue derives from refresh. We believe this is ambitious, as it implies a higher dollar refresh rate, shorter average refresh cycle length, or combination of both. Every percentage point of consensus product revenue growth not accounted for by refreshing boxes is a point of net new product sale that must be captured.

Figure 187: If We Flex Refresh Cycle and Rate Assumptions, the New Product Support/Tailwind from Refresh Reduces Dramatically Percentage of FY18E new product accounted for by refreshed product Refresh rate assumption (%) 80% 85% 90% 95% 100% 4.0 36% 39% 41% 43% 45% 4.5 30% 32% 34% 36% 38% 5.0 26% 28% 29% 31% 33% 5.5 22% 24% 25% 27% 28% 6.0 19% 20% 21% 22% 23% 6.5 14% 15% 16% 17% 18%

Average Refresh (y) 7.0 9% 10% 10% 11% 11%

Source: Palo Alto Networks, Credit Suisse Research.

■ Services SaaS Transition as Growth Driver 2.0? Linked but distinct, we consider the final over-arching debate in the stock to be around the extent to which subscription growth can mature into a convincing growth engine. Palo Alto Networks offers four attached (Wildfire, URL filtering, Threat prevention, and Global Connect) and five unattached (Aperture, VM-Series, AutoFocus, Traps, and LightCyber) subscription options.

Cybersecurity 109 5 September 2017

Figure 188: PANW Product, Subscription, and Support Revenue Breakdown

Product Recurring subscription and support revenue

Attached Non-attached Hardware Perpetual Support subscriptions subscriptions

Threat Prevention Traps URL Filtering VM-Series Support Appliances Panorama GlobalProtect AutoFocus Professional Services Accessories VM-Series WildFire Aperture LightCyber*

Renewals

Source: Palo Alto Networks, Credit Suisse Research.

Figure 189: Palo Alto Networks' Platform Offering Figure 190: … Penetration Rates Would Imply There Offers Attached and Unattached Subscriptions… Remains Expansion Opportunity Orange represents attached, blue represents unattached subscription Penetration rates in customer base for PANW subscriptions options

100% Q2FY15 Q2FY16 Q4FY17

75%

Aperture WildFire 50% Threat Prevention URL Filtering

AutoFocus Traps 25% VM-Series

0% GlobalProtect Traps VM Global WildFire URL Threat Protect Filtering Prevention Source: Palo Alto Networks, Ignite 2016. Source: Palo Alto Networks, Credit Suisse Research.

It is argued that as penetration rates of these subscriptions (particularly the unattached) increase, there exists an >$8bn install base expansion opportunity.

Figure 191: PANW's Assessment of Its CLTV Customer Expansion Opportunity CLTV install base expansion opportunity. Upside CLTV equals the potential value of future orders from existing install base, assuming all customers acquired between 2010 and 2015 eventually purchase 11.8x the value of their initial purchase, less their total purchases through 2015 11.8 9.3 FY15 FY14

5.6 >$8bn opportunity 3.7 8.6 3 7.2 2.1 4.2 2.7 1.3 1.9 1.3 FY09 FY10 FY11 FY12 FY13 FY14 FY15 Source: Palo Alto Networks, Credit Suisse Research.

Cybersecurity 110 5 September 2017

We understand the attraction of SaaS-esque revenue streams; mix-shifting toward subscription results in better gross margins, better operating margins, and stronger free cash flow generation.

Figure 192: Palo Has Increased Its Attach per Figure 193: Therefore We Prefer to Look at Services Device to 2.6, Although This Loses Some Relevance Attach Through the Refresh Cycle, Which PANW Given Unattached Subscriptions Has Grown Ahead of Competitors PANW reported attach per device, disclosed biannually (excludes 5 year through cycle attach rates unattached subscriptions)

2.8 FTNT PANW CHKP Subscriptions per device 2.6 2.6 50% 2.5 2.3 2.2 2.2 45% 2.2 2.1 1.9 40% 1.9 1.7 1.6 1.6 1.5 35%

1.3 30% 2008 2009 2010 2012 2013 2015 2016 2012 2013 2014 2015 2016 Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse Research.

Given the above, we understand the expectations around unattached subscription growth, which has the potential to be gross margin positive. As we show in Figure 194, the mix- shift toward subscription has been helpful in bringing up the GM from ~73% to 78% from FY12 to FY15. We also note that in the short term, the mix-shift affects the operating margin basis, as commissions are recognized earlier but over the long run are incrementally beneficial. We note further room to grow these margins as the unattached subscriptions increase their portion of revenue mix.

Figure 194: Mix Shift Driving GM Improvement… Figure 195: ..as Well as Operating Margin Gross Margin improvement driven by mix shift Mix shift depressing near term margins, but net positive over time

80% Gross Margin (%) 77.7%

75% Revenue to be recognized in future quarters 72.7%

70% FY12 FY15 Services Billings Revenue Commission

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Despite this, we assert that PANW is still a box-driven business, where subscription and support upsell is only possible with continued product growth, while unattached subscription revenue remains very small ($100mn run rate as of 1Q17).

Cybersecurity 111 5 September 2017

" So those 4 nonattached subscription services as of our fiscal Q2 are north of $100 million run rate in terms of what we call billings and growing at triple digits, and we plan on updating those metrics semiannually." – Steffan C. Tomlinson, CFO, 06 June 2017 We also emphasize that PANW has saturated most options with regard to the subscriptions it can add to its box and leverage its platform. This, in turn, indicates that it will have limited opportunities in expanding PANW's TAM.

Cybersecurity 112 5 September 2017

Supports for Our Thesis Company Negatives

■ Substantial Exposure to Sector Risks We rank Palo Alto as more exposed to sector risks than Check Point but slightly less than Fortinet. Areas of specific concern for PANW are the potential for increasing competition from Cisco and the decreasing brownfield opportunity.

Figure 196: Relative Exposure to Sector Risks Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Architectural Shift to Cloud ◔ ◑ ◕ Cisco increasingly competitive ○ ◕ ◑ Juniper has little share left to give ○ ● ◔ Cloud transitionary headwinds ◔ ◑ ◑ TAM expansion ◑ ◑ ● Competition in the mid market ◑ ○ ● Carrier Exposure ◔ ◑ ● Total ◔ ◑ ◕

Source: Credit Suisse Research.

■ Valuation – Expensive While on traditional EV/uFCF, PANW appears inexpensive, this multiple is flattered by both its billings duration and stock-based compensation. Indeed, when we adjust for these factors, PANW begins to look expensive, even on a growth-adjusted basis.

Figure 197: Valuation Matrix Absolute Valuation Analysis CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x Income Statement Multiples EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x

Source: Company data, Credit Suisse estimates.

Cybersecurity 113 5 September 2017

■ Stock-Based Compensation Is High Palo Alto Network has high levels of stock-based compensation in absolute terms as well as relative to peers. We note that on a percentage of revenue basis, PANW's stock--based compensation is over one-third of revenues, while the peer group average is just ~10%.

Figure 198: PANW Stock-Based Compensation Much Higher than Peers Stock Based Compensation/Revenue, LFY, %

30% 29% SBC as % of Revenues Average

20%

11% 10% 10% 5% 5% 4% 3%

0% Palo Alto Symantec Fortinet Check Point Juniper Oracle Cisco

Source: Thomson Reuters Datastream.

We emphasize that high levels of stock-based compensation are not just dilutive to investors but that they also negatively affect the economic return produced by the company. In Figure 199, we illustrate this point using CFROI®, (a proxy for the company’s economic return. (Refer to Appendix I for more details about the CFROI metric.) We show the spread between PANW's CFROI including and excluding stock-based compensation substantially reduces returns on capital.

Figure 199: Including and Excluding Stock-Based Figure 200: … Pales in Comparison with Check Compensation PANW's CFROI… Point, with Returns Around 20% Palo Alto Networks HOLT CFROI profile Check Point HOLT CFROI profile

25 CFROI 25 Forecast CFROI 20 20 CFROI adjusted to exclude SBC

15 15

10 10

5 5

0 0

CFROI Forecast CFROI CFROI adjusted to exclude SBC (5 ) (5 ) 2007 2009 2011 2013 2015 2017 2007 2009 2011 2013 2015 2017

Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

■ Is There a Residual Go-to-Market Issue Aside from Refresh Pause?

Cybersecurity 114 5 September 2017

PANW has retooled its sales strategy after a disappointing miss earlier in the year. We believe that PANW is struggling with its go-to-market strategy and that, while the company is spending increasing amounts of money on sales & marketing, the efficiency of that spend in terms of attracting new business is trending downward, as highlighted in Figure 201. At the same time, we find that job posting trends suggest continued spending. (See Figure 203.) We note here that that the company already trails the peer average for revenues per employee and that continued headcount increase will continue to pressure this down.

Figure 201: Despite Ticking Up Recently, S&M Figure 202: …While Revenue per Employee Already Efficiency Has Trended Down… Below Peer Group Average Product/ Sales & Marketing and New business / Sales & Marketing Revenue/Employees, LFY, $

120% New business/S&M $800k Revenue per Employee ($ k) Product/S&M Average 110% $600k 100%

90% $400k 80%

70% $200k

60% $0k 50% Cisco Juniper Check Palo Alto Symantec Oracle Fortinet Point 1Q15 1Q16 1Q17 Source: Company data, Credit Suisse estimates. Source: Thomson Eikon.

Figure 203: Matching Job Posting Trend for Palo Figure 204: ...While Job Seeker Interest Also in Alto Networks Rising... Uptrend Palo Alto Job posting matches indicates recent uptick Palo Alto Job seeker interest has also rebounded

0.060% 0.00070% Job Postings Jobseeker Interest

0.050% 0.00060%

0.00050% 0.040% 0.00040% 0.030% 0.00030% 0.020% 0.00020%

0.010% 0.00010%

0.000% 0.00000% 2014 2015 2016 2017 2014 2015 2016 2017

Source: Indeed. Source: Indeed.

Cybersecurity 115 5 September 2017

■ Expectations Remain the Highest Ultimately, billings expectations remain the highest for PANW relative to CHKP and FTNT. As we have discussed, in the face of structural industry challenges alongside numerous idiosyncratic risks (as discussed in the ‘Can PANW continue to outgrow the market’ debate), we (perhaps crudely) believe the asset with the highest inbuilt expectations to be most at risk.

Figure 205: PANW Has Overtaken Its Competitors Figure 206: … While Consensus Builds in a Billings on a Billings Basis… Recovery Through 2018 Billings (Revenue + Δ Deferred Revenue), $m, 4Q rolling average Billings (Revenue + Δ Deferred Revenue), y/y, % 3,500 80% PANW CHKP FTNT PANW CHKP FTNT 3,000 70% 60% 2,500 50% 2,000 40% 1,500 30% 1,000 20% 500 10%

0 0% Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018 Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018

Source: FactSet, Company data, Credit Suisse estimates. Source: FactSet, Company data, Credit Suisse estimates.

We also analyze expectations for PANW in terms of billings and note that, while PANW has already overtaken its rivals in billings (absolute $ amounts, 4Q rolling average), the consensus estimates indicate a recovery and re-acceleration (well ahead of the market growth rate).

Cybersecurity 116 5 September 2017

Risks to Our Thesis Company Positives

■ Significant Balance Sheet Capacity and Willingness to Use It While we estimate PANW to have just over half the firepower of CHKP to be used for M&A, we believe both companies have a very measured track record and propensity to make smaller, tuck-in acquisitions. Cumulatively, PANW has used approximately $300 million in acquiring companies, the largest of which was the most recent deal to buy LightCyber for $105 million. The measured, disciplined approach is somewhat understandable given what have been lofty valuations in security for the past several years, although we believe that is changing given what some suggest are as many as 3,000 cybersecurity companies in the world today. About a year ago, a CRN magazine article suggested PANW had unsuccessfully bid over $3 billion for Tanium in fall 2015. Assuming this is true, it would seem to suggest a need to acquire something transformative, which aligns with our view of the company’s opportunity more generally. We can envision several private companies strategically aligning with PANW and are open-minded to changing our view on the stock should that eventuality occur.

Figure 207: We Estimate PANW Has ~$5bn of Figure 208: … This Is Substantially Less than CHKP Balance Sheet Capacity… but Still Represents Significant Capacity Assuming 3x leverage, Total capacity for M&A Potential Balance Sheet Capacity for M&A

Firepower analysis CHKP PANW FTNT $12bn Earnings, NTM basis $9.9bn EBITDA 1,083 409 257 $10bn Δ Deferred Revenue 178 397 234 Cash EBITDA 1,261 805 491 $8bn Deal related accretion (15% return) 774 460 365 Theoretical lending EBITDA 2,035 1,265 855 $6bn $5.4bn Cash, Next quarter Liquid cash & investments* 1,380 1,170 959 $4.0bn $4bn Cash & investments 3,588 1,889 1,217

Theoretical debt capacity (3x)** 6,106 3,278 2,566 $2bn Liquid firepower 7,486 4,448 3,526 Total firepower 9,694 5,167 3,783 *Cash and ST investments adjusted for offshore cash (20% repatriation assumption) $0bn and 10% of NTM revenue CHKP PANW FTNT

** 3x theoretical lending EBITDA excluding outstanding debt

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

■ Phenomenal Innovator and Category Creator Without any doubt, PANW should be applauded as key innovator and the creator of the NGFW category. PANW entered the market with true product and technology differentiation. Of particular note, we think, was the tripartite identification technologies at the core of PANW's NGFW: − App-ID: Identification techniques that can classify all traffic, on all ports, at all times, irrespective of protocol, encryption, or evasive tactics. − User-ID: Integrates the platform with a variety of enterprise user directories (Active Directory, Exchange, ZENworks, etc.) as opposed to only IP addresses.

Cybersecurity 117 5 September 2017

− Content-ID: Combines a real-time threat prevention engine with cloud-based analytics and a comprehensive URL categorization database to block a variety of threats.

Figure 209: Core Identification Technologies

Source: Palo Alto Networks.

■ Single-Pass Architecture Palo Alto also utilizes a single-pass architecture in its design framework for its NGFWs. The single-pass parallel processing (SP3) architecture reduces the latency that is associated with daisy-chained point product solutions to perimeter security. Single-pass architecture is comprised of two complimentary technologies: − Single-Pass Software: Performs operations once per packet, scanning content in a stream-based fashion, avoiding latency and enabling high throughput. − Parallel Processing Hardware: Separates the data and control planes to reduce interdependence in combination with discrete, function-specific processing at the hardware level.

Figure 210: Single Pass… Figure 211: …with Parallel Processing Hardware Single-pass software performs operations once per packet Hardware acceleration for each major functionality block

Control Plane MANAGEMENT configuration | logging | reporting CPU RAM SSD

Data Plane

SIGNATURE MATCH Single Pass IPS | CC# | SSN RAM

RAM SECURITY PROCESSING Report & Enforce session setup | SSL| IPSec | Decompression Policy CPU

Network Processing flow control | route | ARP | MAC lookup | QoS | NAT

Source: Palo Alto Networks. Source: Palo Alto Networks, Credit Suisse Research.

While the SP3 architecture (and more specifically, single-pass software) has been a perceived differentiator in the market, for which we give the company a lot of credit, our view is that it’s a religious argument and not universally better than multi-pass. Continuing Innovation with PAN-OS 8.0 Earlier in the year, Palo Alto Networks also rolled out major updates to its PAN-OS, adding new features across its entire technology platform from upgrades for cloud security, multi-

Cybersecurity 118 5 September 2017

method threat detection, credential threat prevention, as well new hardware. We note that the early feedback on the products has been positive and could potentially be a risk to our thesis if it drives an upgrade cycle. Platform Success We also credit Palo for succeeding in consolidating multiple adjacencies and offering attached subscription services, creating a recurring subscription and support stream. We also note that the company has been relatively successful in upselling non-attach subscriptions (such as Aperture, Autofocus and LightCyber) after landing the customer. We also appreciate the vision to offer a cloud-based offering such as WildFire, as the market is clearly moving in that direction. "Our ability over the next 3 years to expand within that customer base, to sell, not only our next-generation firewall with our attached subscription services but the 4 unattached subscription services led by our endpoint solution called Traps; our virtual firewall, Aperture; AutoFocus. We're coming out with user-behavior analytics, subscription service by an acquisition that we did with LightCyber. We're continuing to add meaningful subscriptions to the platform" - Steffan C. Tomlinson, CFO

On the other hand, we recognize that the company has not been wholly successful in its strategy in offering a unified security platform with end-to-end security. We specifically note the lukewarm response to its Advanced Endpoint protection solution, Traps. While we believe that consolidation spurred by PANW’s early adoption of an integrated platform strategy has so far provided significant acceleration to recurring revenue growth, we see this as a theme that has largely played out. ■ Wonderful Go-to-Market – Land and Expand PANW also implemented a very effective go-to-market strategy, utilizing multiple deployment mechanisms to substantially widen the prospective customer base. Rather than boldly attempting to take share head-to-head with well entrenched competitors, PANW enabled prospective clients to deploy alongside an extant firewall, widening sales opportunities to IDP, web filtering, and other refreshes. PANW offered three different deployment methods: (1) Firewall Replacement: Deployed as a replacement for an enterprise's extant firewall and other point products; (2) Transparent In-line: Deployed via virtual wire mode in-line as a transparent compliment to the existing perimeter architecture; and, (3) Tap Mode: Giving administrator’s network visibility without the disruption of in-line deployment.

Cybersecurity 119 5 September 2017

Figure 212: Original Deployment Options

Source: Palo Alto Networks.

Once PANW had gained a foot inside the datacenter, it was able to both accelerate firewall refresh cycles and upsell as customers realized the rationalization advantages of the PANW platform. That is, it can replace other daisy-chained point solutions and lower overall cost while increasing efficacy. The success of this land-and-expand motion is evident not only in PANWs market share gain but also as shown in Figure 213.

Figure 213: The 2009 Cohort’s Land-and-Expand Motion

Renewals 14.4x Support Subscription 11.8x Product 8.6x 6.3x 5.1x 3.5x 2.0x 1.0x 1.2x

Land 2009 2010 2011 2012 2013 2014 2015 2016

Source: Palo Alto Networks.

Superlative Marketing Palo Alto Networks has captured as much (if not more) mind-share than it has market share. We believe René Bonvanie, PANW's chief marketing officer, and the third most highly compensated CMO in America in 2014 (Forbes, see here) to be integral to PANW's mind-share gain. The disruptive messaging of ‘Next-Generation Firewall,’ with a strong, simple narrative of single-pass architecture has proven very effective with decision-makers and technology workers in general.

Cybersecurity 120 5 September 2017

Figure 214: PANW Marketing Dollars Emphasize Their Narrative...

Source: Credit Suisse Research.

As of early last year, PANW's marketing team under Mr. Bonvanie was 150 strong (8% of total sales & marketing headcount), with 10% of his team focused on operationalizing data-driven models. Mr. Bonvanie’s predilection with prescriptive analytics means PANW captures data on every customer interaction it can, which includes its social media platforms such as Twitter and Linked as well as its user community group and blog. " …I want to talk about what it takes to drive a machine where we acquire that many customers, where we grow our business that fast, and how we apply science, data and relentless focus and alignment with our sales teams, with our channel partners, with our hosting partners, to get to these results." - Rene Bonvanie, CMO, Ignite 2016

Figure 215: Positioning to Be a Thought Leader… Figure 216: …Several Venues to Gain Mind-Share

>80% more pipeline

>100% more EBC visits

>70% more marketing events Blog Traffic Up >100% y/y Up >80% y/y >5 million > 300% increase in social media

Up >200% y/y >35,000 Founding Member

Source: Palo Alto Networks. Source: Palo Alto Networks.

■ Large TAM Palo Alto Networks puts its own TAM at $24bn in 2020, rising from ~$19bn currently at a CAGR of ~8%, with most of the TAM increase coming from the network security products. This is constructed of IDC's 2020 network security, web security, and commercial endpoint security forecast. We note that a large TAM gives Palo Alto more room to navigate the hurdles we lay out in our thesis, such as the shifting security model from prevention to detection.

Cybersecurity 121 5 September 2017

Figure 217: Palo Alto Sees a Rising TAM for Itself…

2017 2020

$19.1bn TAM $24bn TAM

$14.7bn Network, $18.8bn Network, $4.4bn Endpoint $5.2bn Endpoint

Source: Company data, Credit Suisse estimates.

■ Leverage in the Model Palo Alto Networks also benefits from inherent leverage in the subscription model, as we have discussed earlier, and as Figure 194 and Figure 195 depict.

■ Partnerships and Joint Solutions PANW has also built up a string of partnerships to address security in a cloud-centric world. One example would be the Palo Alto Networks and VMware partnership in which a uniform security approach across physical, virtualized, and cloud environments can be implemented using a joint solution. PANW and VMWare joint solution is built on the following main components: (1) VMware NSX platform (2) Palo Alto Networks VM-Series (Virtual NGFW) (3) Palo Alto Networks Panorama (Centralized Management Platform)

Figure 218: PANW and VMW Joint Security Solution for Virtualized Datacenters… VMware NSX and Palo Alto Networks VM-Series Integrated Solution

Panorama registers the VM-Series with NSX manager Cloud Admin Security Admin

Manager Real-time contextual updates on VM-Series changes

VM-Series deployed automatically by NSX; policies Automated licensing then steer select traffic to VM- policy and deployments Series for inspection Web App DB

NSX vSwitch

VMware ESG Source: Vmware, Credit Suisse Research.

Cybersecurity 122 5 September 2017

VMware NSX network virtualization platform provides the network virtualization layer, while the joint solution works to deploy the Virtual appliance over each ESXi server, with traffic inserted into the path of the virtual security appliance. The VM-Series natively analyzes all traffic in a single pass to determine the application identity, the content within, and the user identity. At the same time, context is shared between VMware NSX and Panaroma so that whenever applications are deployed and moved from server to server, security policies can continue to be enforced and there is separation of duty between security and virtualization administrators.

The joint solution provides several significant benefits such as: − Visibility into East-West Traffic: Deploying the VMware and PANW joint solution has the additional benefit of offering visibility into server-to-server traffic within the data center (which represents 80% of overall data center traffic). NSX's native security capability, including kernel-based distributed firewalling, enables traffic flow between ESXi servers to be automatically steered to the Palo Alto Virtual security appliance (VM-Series) for granular inspection based on applications, content, and users. Unlike current network security solutions built on a perimeter-based security model, the VMware-PANW solution gives full visibility into data center traffic flows. − Automation: Palo Alto's security management platform (Panoroma) works with the NSX manager to automate the deployment and provisioning of security services. Panorama registers the virtual PANW security device (VM-Series) with the NSX manager, which then deploys the VM-Series on every ESXi Server in automated fashion. − Seamless Traffic Steering: The stateful, in-kernel NSX distributed firewall steers traffic to PANW VM-Series via NSX APIs without needing to manually make configuration changes to virtual networking elements.

■ A Strategic Asset We appreciate the importance and role of PANW as an innovator in the NGFW space and note that it remains a strategic asset (with interest from large-cap companies such as CSCO). While we believe that both PANW and CSCO have significant portfolio overlap, we do believe that it will bring scale to CSCO's security business, helping it transition faster toward one of its strategic areas. “...key priority areas such as security, the Internet of Things (IoT), collaboration, next generation data center and cloud.” Cisco 10-Q, February 2017 “…..first priority will be strategic investments that we will make, and then, obviously, followed with a focus on continued capital allocation and our commitment to returning capital to shareholders. It would be a combination” Chuck Robbins, CEO – 15th February 2017 We, however, do point out that any M&A involving PANW will be a large-sized deal and present material integration risk (with ~4,340 employees).

Cybersecurity 123 5 September 2017

Management and Board Management Palo Alto has plenty of impressive figures from the cybersecurity space on its management team. Nir Zuk, the company founder, occupies the CTO role, and Rick Howard, the chief security officer, brings 30 years of experience with US Army cyber intelligence to Palo Alto. In Figure 219, we present a table of key management figures.

Figure 219: PANW Management

Name Compensation Beneficial ownership C-Suite Experience Position Year Prior Experience Age Joined Salary ($) Bonus ($) Stock($) Number of Value of shares shares Mark McLaughlin 2011 $575,000 $632,500 $4,715,436 508,864 $74,650,349 ■ Chairman and CEO, Palo Alto Networks: 2011-Present CEO & Chairman ■ President and CEO, VERISIGN: 2009-2011 51 ■ Executive Vice President, VERISIGN: 2000-2007 ■ JD: Seattle University School of Law, BS: United States Military Academy Nir Zuk 2005 $400,000 $200,000 $25,804,377 1,958,676 $287,337,769 ■ Founder and Chief Technology Officer, Palo Alto Netoworks: 2005-2017 Founder, CTO and Director ■ Chief Technology Officer, NetScreen: 2002-2004 45 ■ Founder and Chief Technology Officer, OneSecure: 1999-2002 ■ BA: Tel Aviv University Steffan Tomlinson 2012 $400,000 $240,000 $12,902,119 115,984 $17,014,853 ■ Chief Financial Officer, Arista Networks: 2011-2012 Chief Financial Officer ■ Chief Financial Officer, Aruba Networks: 2005-2011 44 ■ Vice President, Peribit Networks: 2000-2005 ■ MBA: Santa Clara University, BA: Trinity College - Hartford Rene Bonvanie 2009 $350,000 $175,000 $10,321,723 107,136 $15,716,851 ■ Vice President, Worldwide Marketing, Palo Alto Networks: 2009-2011 Chief Marketing Officer ■ SVP Marketing, SaaS and Information Technology, Serena Software: 2007-2009 55 ■ Senior Vice President of Global Marketing, SAP AG: 2006-2007 ■ BA: Vrije Universiteit Amsterdam Mark Anderson 2012 $700,000 $420,000 $30,105,176 208,419 $30,575,067 ■ Senior Vice President, Worlwide Field Operations, Palo Alto: 2012-2016 President ■ Various Roles including Executive Vice President: F5 Networks: 2004-2012 54 ■ Executive Vice President, North American Sales, Lucent Technologies: 2003-2004 ■ BA: York University, Toronto Rick Howard 2013 NA NA NA NA NA ■ Chief Information Security Officer, TASC, Inc: 2012-2013 Chief Security Officer ■ iDefense General Manager and Intelligence Director, Verisign: 2006-2012 ■ US Army Computer Emergency Response Team Chief: 2002-2004 ■ MS: United States Naval Postgraduate School, BS: United States Military Academy Lee Klarich 2006 NA NA NA 385,807 $56,597,887 ■ Executive Vice President, Palo Alto: 2006-Present EVP, Product Management ■ Director, Product Management, Juniper Networks: 2004-2006 42 ■ Product Line Manager, NetScreen Technologies: 2000-2004 ■ BS: Cornell University

Source: Proxy Statement, FactSet, Credit Suisse estimates.

Interestingly, PANW’s management has less experience in the C-Suite than most. Part of this can be attributed to the extensive military careers of some of its executives. The total management experience per executive is closer to average when compared with our coverage universe. Given the average age of a Palo Alto executive is only 55, this makes sense.

Cybersecurity 124 5 September 2017

Figure 220: PANW Executives Have Less C-Suite Figure 221: But Their Overall Experience Is Closer Experience than Most… to Average Management C-Suite PANW SYMC Board Experience Experience Per HDP Per Director SYMC Executive NOW INTU CEO/CFO HDP VP RHT Other Executive FTNT CEO PANW Relevant Industry AKAM CFO FTNT Other Industry MSFT NOW Finance RHT ADBE INTU VMW SPLK MSFT ADBE SPLK VMW ORCL CHKP CRM ORCL CHKP CRM AKAM 0 5 10 15 20 25 30 35 40 0 5 10 15 20 Source: Proxy Statement, FactSet, Credit Suisse estimates. Source: Proxy Statement, FactSet, Credit Suisse estimates.

Board PANW’s board is a collection of impressive industry and venture capital figures. Alumni from Red Hat, VMware, and VeriSign make up the backbone of the directorate, and they are joined by venture capital veterans such as Asheem Chandra of Greylock and James Goetz of Sequoia.

Cybersecurity 125

Cybersecurity Figure 222: Palo Alto Networks (PANW) Board of Directors

Name Beneficial ownership of shares Committee memberships C-Suite Experience

Position Director Independent Other Board Prior Experience and Principal occupation Age Since? Director? Affiliations? Number of shares Value of shares Audit Comp. Gov.

Mark McLaughlin 2011 No 0 508,864 $74,650,349 ■ Chairman and CEO, Palo Alto Networks: 2011-Present CEO & Chairman ■ President and CEO, VERISIGN: 2009-2011 51 ■ Executive Vice President, VERISIGN: 2000-2007 ■ JD: Seattle University School of Law, BS: United States Military Academy Nir Zuk 2005 No 0 1,958,676 $287,337,769 ■ Founder and Chief Technology Officer, Palo Alto Netoworks: 2005-2017 Founder, CTO and Director ■ Chief Technology Officer, NetScreen: 2002-2004 46 ■ Founder and Chief Technology Officer, OneSecure: 1999-2002 ■ BA: Tel Aviv University Asheem Chandna 2005 Yes 8 108,223 $15,876,314 a a ■ Partner, Greylock Partners: 2003-2017 Director Chair ■ Director, Imperva: 2003-2013 53 ■ Vice President, Business Development, Check Point Software: 1996-2003 ■ MS, BS: Case Western Reserve University James Goetz 2005 Yes 11 286,259 $41,994,195 a a ■ Managing Parter, Sequoia Capital Operations: 2005-2017 Director ■ Partner, Accel Partners: 2000-2004 50 ■ Cofounder, Vital Signs: 1996-1999 ■ MS: Stanford University, BS: University of Cincinnati Frank Calderoni 2016 Yes 0 9,228 $1,353,748 a ■ President and CEO, Anaplan: 2017-Present Director ■ Executive Vice President and CFO, Red Hat: 2015-2017 52 ■ Executive Vice President and CFO, Cisco: 2004-2015 ■ MBA: Pace University, BS: Fordham University Carl Eschenbach 2013 Yes 1 5,191 $761,520 a a ■ Partner, Sequoia Capital Operation, 2016-Present Director ■ President and COO, Vmware: 2011-2016 49 ■ Executive Vice President of WW Field Operations ■ BA: DeVry University Daniel Warmenhoven 2012 Yes 1 23,517 $3,449,944 a a ■ Lead Independent Director, Palo Alto Networks: 2012-Present Director Chair ■ Chief Executive Officer, NetApp: 1994-2009 65 ■ Chairman and CEO, N.E.T: 1989-1993 ■ BS: Princeton University John Donovan 2012 Yes 0 22,598 $3,315,127 a ■ Chief Technology Officer or Chief Strategy Officer: 2012-2017 Director ■ Chief Technology Officer, AT&T: 2008-2012 56 ■ Executive Vice President, Product, Sales, and Marketing, Verisign: 2006-2008 ■ MBA: University of Minnesota, BS: University of Notre Dame Stanley Meresman 2014 Yes 4 15,504 $2,274,437 a ■ Director, Snap Inc: 2015- Present Director Chair ■ General Partner and COO, Technology Crossover Ventures 69 ■ Senior Vice President and CFO, Silicon Graphics ■ MBA: Stanford University, BS: University of California, Berkeley Mary Pat McCarthy 2016 Yes 2 6,480 $950,616 a ■ Director, Palo Alto Networks: 2016-Present Director ■ Director, Tesoro: 2012-Present 61 ■ Partner, KPMG: 1977-2011 ■ BS: Creighton University

5 September 2017 September 5 Source: Proxy Statement, FactSet, Credit Suisse estimates.

126

5 September 2017

Valuation We use Discounted Cash Flows to estimate the intrinsic value for FTNT at $125/share, representing 14% downside. This informs our Underperform Rating, and is supported by our multiples based relative valuation work. In addition, we have constructed blue-sky and grey-sky scenarios. The Blue Sky assumes a 2.5% terminal growth rate, and the grey assumes 0%, reflecting our view on the outlook for the space as a whole.

Figure 223: Blue-Sky/Grey-Sky Pricing Figure 224: Blue-Sky/Grey-Sky Scenarios Current Price $147 23.4x FY19E uFCF (SBC adj.) Blue Sky

Target Price $125 -14% 19.6x FY19E uFCF (SBC adj.) $168 Our Target Price scenario assumes the firewall market decelerates broadly in line with our expectations (we model a 1% terminal growth rate from 2027E), and PANW experiences enhanced competition from peers through its refresh cycle. Current Blue Sky $168 15% 27.2x FY19E uFCF (SBC adj.) Price Our Blue Sky scenario assumes a strong refresh cycle and upgrades driven by recent $147 software innovation as well as continued success in growing the attached and nonattached subscription businesses.

Grey sky $113 -23% FY19E uFCF (SBC adj.) 17.4x Target Price Our Grey sky scenario assumes high levels of competition on the refresh, in addition to pricing challenges and demand pauses against a backdrop of declining firewall $125 relevance. Grey Sky

$113 Source: Company Data, Credit Suisse estimates. Source: Company Data, Credit Suisse estimates.

Target Scenario Our base case assumes a five-year transition period with FCF growth declining smoothly from an estimated 9% in 2021. This scenario assumes the firewall market decelerates broadly in line with our expectations (we model a 1.5% terminal growth rate from 2027E), and PANW experiences enhanced competition from peers through its refresh cycle.

Blue-Sky Scenario For our blue-sky scenario, we again model a five-year transition period but drive higher free cash growth, which assumes a strong refresh cycle and upgrades driven by recent software innovation as well as continued success in growing the attached and nonattached subscription businesses. Our blue-sky scenario yields a $168 warranted price, which represents 15% upside potential.

Grey-Sky Scenario In the grey-sky scenario, we use a five-year transition period and lower free cash flow growth assumption. Our Grey sky scenario assumes high levels of competition on the refresh, in addition to pricing challenges and demand pauses against a backdrop of declining firewall relevance.

Cybersecurity 127 5 September 2017

Figure 225: Share Price Sensitivity to Cost of Equity and UFCF Growth Rate Share price sensitivity to cost of equity and UFCF growth rate

Unlevered Free Cash Flow FY3 growth rate 125.466 10.0% 12.5% 15.0% 17.5% 20.0% 22.5% 25.0% 27.5% 30.0% 8.0% $154 $163 $174 $185 $196 $209 $222 $235 $250 8.5% $147 $156 $165 $176 $187 $198 $210 $223 $237 9.0% $140 $149 $158 $168 $178 $189 $201 $213 $226 9.5% $135 $143 $152 $161 $171 $181 $192 $204 $216 Terminal 10.0% $130 $138 $146 $155 $165 $174 $185 $196 $207 Cost of 10.5% $126 $134 $142 $150 $159 $168 $178 $189 $200 Equity 11.0% $123 $130 $137 $145 $154 $163 $172 $182 $193 11.5% $119 $126 $133 $141 $149 $158 $167 $176 $187 12.0% $116 $123 $130 $137 $145 $153 $162 $171 $181 12.5% $113 $120 $126 $134 $141 $149 $158 $166 $176 13.0% $111 $117 $123 $130 $138 $145 $154 $162 $171 13.5% $109 $114 $121 $127 $135 $142 $150 $158 $167 14.0% $106 $112 $118 $125 $132 $139 $147 $155 $163 14.5% $104 $110 $116 $122 $129 $136 $143 $151 $160

Source: Company data, Credit Suisse estimates.

Figure 226: PANW Valuation Matrix

Valuation Matrix FY2016 (A) FY2017 (A) FY2018 (E) FY2019 (E) NTM LTM Sales $1,379 $1,762 $2,129 $2,485 2 $2,039 $1,653 EBITDA $807 $1,017 $1,233 $1,427 3 $1,162 $967 EPS $1.89 $2.71 $3.29 $4.09 4 $3.24 $2.45 CFO $659 $871 $922 $1,056 5 $911 $816

Estimates FCF $586 $708 $822 $936 6 $785 $686 UFCF $610 $732 $844 $958 7 $801 $702

EV/Sales 7.3x 5.7x 4.7x 4.1x 4.9x 6.1x EV/EBITDA 12.5x 9.9x 8.2x 7.1x 8.7x 10.4x P/E 77.5x 54.1x 44.6x 9.0x 11.3x 14.9x EV/CFO 15.3x 11.6x 10.9x 9.5x 11.0x 12.3x

Target EV/FCF 17.2x 14.2x 12.2x 10.8x 12.8x 14.7x EV/UFCF 16.5x 13.7x 11.9x 10.5x 12.6x 14.3x

EV/Sales 8.7x 6.8x 5.7x 4.8x 5.9x 7.3x EV/EBITDA 14.9x 11.8x 9.8x 8.4x 10.4x 12.5x P/E 77.5x 54.1x 44.6x 35.9x 45.2x 59.8x EV/CFO 18.3x 13.8x 13.1x 11.4x 13.2x 14.8x

Current EV/FCF 20.6x 17.0x 14.7x 12.9x 15.3x 17.6x EV/UFCF 19.8x 16.4x 14.3x 12.6x 15.0x 17.2x

y/y, % y/y, % y/y, % y/y, % 2016-2019 CAGR Revenue 48.5% 27.8% 20.9% 16.7% 21.7% EBITDA 41.4% 26.1% 21.2% 15.7% 21.0% EPS 76.1% 43.4% 21.3% 24.2% 29.3% CFO 86.7% 32.3% 5.8% 14.5% 17.0%

Growth FCF 83.8% 20.8% 16.1% 13.8% 16.9% UFCF 78.6% 20.2% 15.2% 13.5% 16.3% Source: Company data, Credit Suisse estimates.

Cybersecurity 128 5 September 2017

Figure 227: PANW DCF Scenarios

Target Price

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL TP Value distribution 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E 2027E Perpetuity

Period 1 2 3 4 5 6 7 8 9 10 Current risk-free rate of return 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% Beta 1.30 1.30 1.30 1.30 1.30 1.30 1.30 1.30 1.25 1.20 1.15 1.10 1.05 1.00 Equity Risk Premium 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2% FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 10.0% 9.0% 7.8% 6.5% 5.3% 4.0% 2.8% 1.5% Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81

Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,053 1,148 1,237 1,317 1,387 1,442 1,482 1,504 17,208 Stock Based Compensation Expense 70.9 163.2 285.3 342.2 372.6 434.8 SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 39.0% 32.6% 26.2% 19.8% 13.4% 7.0% FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 575.0 626.8 754.5 887.9 1,023.3 1,156.5 1,283.2 1,398.7 17,208.2

NPV of Free cash flow ($M) 420.3 437.4 429.2 417.3 449.3 474.3 491.6 501.2 503.0 6,119.0 Cumulative NPV of FCF ($M) 420.3 857.7 1,286.9 1,704.1 2,153.5 2,627.7 3,119.3 3,620.5 4,123.5 10,243

Cumulative NPV of FCF ($M) $ 10,243 Shares outstanding (M) 93 NPV/Share of FCF $ 110 (Net Cash) / Share $ 15.69 Total NPV/ Share 125 Current price / Share $147 Upside / Downside Potential -14%

Blue Sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value distribution 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E 2027E Perpetuity

Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2% FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 16.0% 16.0% 13.8% 11.5% 9.3% 7.0% 4.8% 2.5% Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81

Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,111 1,288 1,466 1,634 1,785 1,910 2,001 2,051 26,500 Stock Based Compensation Expense 70.9 163.2 285.3 342.2 372.6 434.8 SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 39.5% 33.6% 27.7% 21.8% 15.9% 10.0% 0% FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 606.4 703.4 886.6 1,085.0 1,290.7 1,493.8 1,682.9 1,846.0 26,499.8

NPV of Free cash flow ($M) 420 437 453 468 528 580 620 647 660 9,423 Cumulative NPV of FCF ($M) 420 858 1,310 1,779 2,307 2,886 3,506 4,154 4,813 14,236

Cumulative NPV of FCF ($M) $ 14,236 Shares outstanding (M) 93 NPV/Share of FCF $ 153 (Net Cash - 10% of Revenues) / Share $ 15.69 Total NPV/ Share 168 Current price / Share $147 Upside / Downside Potential 15%

Grey sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value distribution 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E 2027E Perpetuity

Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2% FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 10.0% 10.0% 8.3% 6.7% 5.0% 3.3% 1.7% 0.0% Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81

Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,053 1,159 1,255 1,339 1,406 1,453 1,477 1,477 14,423 Stock Based Compensation Expense 70.9 163.2 285.3 342.2 372.6 434.8 SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 41.2% 36.9% 32.7% 28.5% 24.2% 20.0% 0% FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 575.0 632.5 738.4 844.3 946.0 1,039.1 1,119.0 1,181.5 14,422.6

NPV of Free cash flow ($M) 420 437 429 421 440 451 455 450 439 5,128 Cumulative NPV of FCF ($M) 420 858 1,287 1,708 2,148 2,599 3,053 3,503 3,942 9,071

Cumulative NPV of FCF ($M) $ 9,071 Shares outstanding (M) 93 NPV/Share of FCF $ 97 (Net Cash - 10% of Revenues) / Share $ 15.69 Total NPV/ Share 113 Current price / Share $147 Upside / Downside Potential -23% Source: Company data, Credit Suisse estimates.

Cybersecurity 129 5 September 2017

HOLT® PANW – HOLT Market-Implied Scenario and Sensitivity Analysis Assuming margins rise from consensus levels of 15% to its historical peak of 22%, PANW’s current stock price of $146 implies a sales CAGR of 12% over the next ten years.

Figure 228: CFROI (%) Figure 229: Valuation Sensitivity Analysis

30 2018 - 2026 Sales CAGR 23.5 26E EBITDA - 600 bps - 400 bps - 200 bps 0 bps +200 bps +400 bps 20 Margins v 5.8% 7.8% 9.8% 11.8% 13.8% 15.8%

- 1500 bps 6.5% $19 $26 $36 $49 $66 $88 10 - 1200 bps 9.5% $29 $39 $52 $69 $90 $119

0 - 900 bps 12.5% $39 $51 $68 $88 $115 $149

(5.3) - 600 bps 15.5% $49 $63 $83 $107 $139 $180 (10 ) 2007 2011 2015 2019 2023 - 300 bps 18.5% $59 $76 $99 $127 $163 $210

0 bps 21.5% $69 $88 $114 $146 $188 $241 Historical CFROI Forecast Discount Rate

Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research. Assumptions and Methodology ■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4 onward they are assumed to rise up to 21.5% based on historical peak levels

■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, solved for the implied CAGR required to reach the respective values per share

■ Asset Efficiency: Assumed constant from LFY levels

■ Fade Window: Used ten years of explicit forecasts for comparison with CHKP

■ Fade: After year ten, the HOLT methodology calculates the terminal value by fading returns on capital and growth toward cost of capital and GDP growth, respectively

Figure 230: Assuming Margins Rise to 21.5% in the Figure 231: …Indicates PANW's Current Price Long Term from Consensus Levels of -15%... Implies a CAGR of 11% over Ten Years

30 Solved for the long term 21.5 80 2 1 Assumed long term margins sales CAGR required to 70 20 to rise from (14.6%) to get to current price of $146 21.5% (14.6) 60 10 50 40 Consensus 0 30 26.2 (10) 20 11.8 10 (20) 2007 2011 2015 2019 2023 0 2007 2011 2015 2019 2023

Historical margins Forecast Margins w/o SBC Historical growth Forecast

Source: HOLT®, Credit Suisse Research. Source: HOLT®, Credit Suisse Research.

Cybersecurity 130

Cybersecurity Figure 232: PANW Income Statement US$ in millions, except per share items

Research Analysts Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew (212) 325 9676 [email protected] Palo Alto Networks (PANW) Syed Talha Saleem, CFA (212) 538 1428 Income Statement [email protected] $ in Millions except per share items Fiscal year end: July 31st 2016 (A) Oct '16 Jan '17 Apr '17 Jul '17 2017 (A) Oct '17 Jan '18 Apr '18 Jul '18 2018 (E) Oct '18 Jan '19 Apr '19 Jul '19 2019 (E) Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year 1Q19E 2Q19E 3Q19E 4Q19E Full Year Non-GAAP Income Statement Total Revenue 1,378.5 398.1 422.6 431.8 509.1 1,761.6 486.7 514.6 528.3 599.5 2,129.0 572.7 598.5 604.8 708.7 2,484.6 y/y change 49% 34% 26% 25% 27% 28% 22% 22% 22% 18% 21% 18% 16% 14% 18% 17%

Product 670.8 163.8 168.8 164.2 212.3 709.1 171.5 178.9 175.7 222.9 749.0 178.4 186.1 181.0 234.1 779.5 y/y change 36% 11% -1% 1% 11% 6% 5% 6% 7% 5% 6% 4% 4% 3% 5% 4%

Subscription & Support 707.7 234.3 253.8 267.6 296.8 1,052.5 315.2 335.7 352.6 376.6 1,380.0 394.4 412.4 423.8 474.6 1,705.2 y/y change 63% 57% 54% 46% 42% 49% 35% 32% 32% 27% 31% 25% 23% 20% 26% 24%

Total cost of revenue 301.1 81.9 90.5 101.7 115.6 389.7 104.5 110.9 110.7 118.5 444.6 109.9 117.9 123.5 136.3 487.6

Gross profit, non-GAAP 1,077.4 316.2 332.1 330.1 393.5 1,371.9 382.2 403.7 417.6 481.0 1,684.5 462.8 480.6 481.2 572.4 1,997.0 Gross margin 78% 79% 79% 76% 77% 78% 79% 78% 79% 80% 79% 81% 80% 80% 81% 80%

Research & development 146.7 45.4 47.3 47.7 50.4 190.8 47.2 49.9 51.2 58.1 206.5 55.6 58.1 58.7 68.7 241.0 % of total revenue 11% 11% 11% 11% 10% 11% 10% 10% 10% 10% 10% 10% 10% 10% 10% 10% Sales & marketing 584.9 175.3 175.0 178.9 197.1 726.3 214.1 214.6 220.3 250.0 899.0 252.1 248.7 251.4 284.9 1,037.1 % of total revenue 42% 44% 41% 41% 39% 41% 44% 42% 42% 42% 42% 44% 42% 42% 40% 42% General & administrative 75.0 23.7 26.7 24.2 25.5 100.1 29.2 30.9 31.7 36.0 127.7 34.4 35.9 36.3 42.5 149.1 % of total revenue 5% 6% 6% 6% 5% 6% 6% 6% 6% 6% 6% 6% 6% 6% 6% 6%

Total operating expenses, non-GAAP 806.6 244.4 249.0 250.8 273.0 1,017.2 290.6 295.4 303.2 344.1 1,233.3 342.0 342.7 346.3 396.2 1,427.2 % of total revenue 59% 61% 59% 58% 54% 58% 60% 57% 57% 57% 58% 60% 57% 57% 56% 57%

Operating income, non-GAAP 270.8 71.8 83.1 79.3 120.5 354.7 91.6 108.3 114.4 136.9 451.2 120.8 138.0 134.9 176.2 569.8 Operating margin 19.6% 18.0% 19.7% 18.4% 23.7% 20.1% 18.8% 21.0% 21.7% 22.8% 21.2% 21.1% 23.1% 22.3% 24.9% 22.9%

Interest income (expense), net -0.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Other income (expense), net 8.1 2.3 3.3 3.5 3.5 12.6 2.9 3.0 3.2 3.5 12.6 3.7 4.1 4.3 4.6 16.7 Interest & other income (expense), net, non-GAAP 8.0 2.3 3.3 3.5 3.5 12.6 2.9 3.0 3.2 3.5 12.6 3.7 4.1 4.3 4.6 16.7

Pretax income, non-GAAP 278.8 74.1 86.4 82.8 124.0 367.3 94.5 111.3 117.6 140.4 463.8 124.5 142.0 139.2 180.8 586.5 Pretax margin 20% 19% 20% 19% 24% 21% 19% 22% 22% 23% 22% 22% 24% 23% 26% 24%

Tax expense, non-GAAP 106.0 22.9 26.8 25.7 38.5 113.9 29.3 34.5 36.5 43.5 143.8 38.6 44.0 43.2 56.0 181.8 Effective tax rate 38% 30.9% 31.0% 31.0% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31%

Net Income, non-GAAP 172.8 51.2 59.6 57.1 85.5 253.4 65.2 76.8 81.1 96.9 320.0 85.9 98.0 96.1 124.8 404.7 2017 September 5

EPS, non-GAAP $1.89 $0.55 $0.63 $0.61 $0.92 $2.71 $0.68 $0.80 $0.84 $1.00 $3.29 $0.88 $0.99 $0.97 $1.25 $4.09 Fully diluted shares 91.4 93.2 93.9 93.3 93.3 93.4 95.2 95.9 96.6 97.3 97.2 98.0 98.6 99.3 100.0 99.0 Source: Company data, Credit Suisse estimates.

131

Cybersecurity Figure 233: PANW Balance Sheet US$ in millions, except per share items

Research Analysts

Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew

(212) 325 9676 [email protected] Palo Alto Networks (PANW) Syed Talha Saleem, CFA (212) 538 1428 Balance Sheet [email protected] $ in Millions except per share items Fiscal year end: July 31st 2016 (A) Oct '16 Jan '17 Apr '17 Jul '17 2017 (A) Oct '17 Jan '18 Apr '18 Jul '18 2018 (E) Oct '18 Jan '19 Apr '19 Jul '19 2019 (E) Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year 1Q19E 2Q19E 3Q19E 4Q19E Full Year Current Assets Cash and Equivalents 734.4 839.4 761.4 692.0 744.3 744.3 797.3 893.1 1,016.7 1,134.0 1,134.0 1,290.4 1,401.4 1,565.7 1,635.4 1,635.4 Short-Term Investments 551.2 550.6 593.0 680.0 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 Accounts Receivable - net 348.7 346.5 386.1 364.1 432.1 432.1 414.8 480.1 458.0 535.3 535.3 495.8 543.2 511.1 601.8 601.8 Prepaid Expenses and Other 139.7 129.4 139.9 159.1 169.2 169.2 170.0 178.3 194.2 221.8 221.8 211.9 221.4 223.8 262.2 262.2 Total Current Assets 1,774.0 1,865.9 1,880.4 1,895.2 1,976.3 1,976.3 2,012.8 2,182.3 2,299.7 2,521.8 2,521.8 2,628.8 2,796.8 2,931.2 3,130.1 3,130.1

Non-current Assets Property Plant & Equipment - Net 117.2 125.0 154.1 192.3 211.1 211.1 256.8 296.8 337.4 380.2 380.2 429.1 478.8 528.6 581.7 581.7 Long Term Investments 652.8 708.4 790.5 719.1 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 Goodwill 163.5 163.5 163.5 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 Other Intangible Assets 44.0 41.7 39.5 56.5 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 Other Noncurrent Assets 106.7 103.7 146.6 148.2 169.1 169.1 144.6 171.6 170.9 191.8 191.8 159.7 203.6 201.6 240.9 240.9 Total assets 2,858.2 3,008.2 3,174.6 3,250.1 3,438.3 3,438.3 3,496.0 3,732.5 3,889.7 4,175.6 4,175.6 4,299.4 4,561.0 4,743.2 5,034.5 5,034.5

Current Liabilities Accounts Payable - Trade 30.2 29.2 28.0 33.2 35.5 35.5 32.0 39.5 37.6 42.7 42.7 37.7 45.9 43.1 50.5 50.5 Accrued Compensation 73.5 59.0 78.8 76.4 117.5 117.5 79.3 102.7 89.8 124.1 124.1 89.1 115.5 104.9 127.6 127.6 Accrued Expenses and Other 39.2 48.4 58.8 60.1 79.9 79.9 61.4 69.6 71.2 76.4 76.4 68.7 83.8 84.7 70.9 70.9 Deferred Revenue (Short-Term) 703.9 758.1 828.0 885.0 968.4 968.4 1,016.8 1,082.9 1,147.9 1,228.2 1,228.2 1,301.9 1,380.1 1,449.1 1,521.5 1,521.5 Convertible Debt 0.0 506.2 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Total Current Liabilities 846.8 1,400.9 993.6 1,054.7 1,201.3 1,201.3 1,189.6 1,294.7 1,346.5 1,471.4 1,471.4 1,497.4 1,625.3 1,681.7 1,770.4 1,770.4

Non-current Liabilities Convertible Debt (Long-Term) 500.2 0.0 512.3 518.4 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 Deferred Revenue (Long-Term) 536.9 601.5 670.6 726.8 805.1 805.1 861.5 934.7 1,004.8 1,100.2 1,100.2 1,155.2 1,213.0 1,273.7 1,337.3 1,337.3 Other Noncurrent Liabilities 79.4 80.2 127.5 137.1 147.6 147.6 144.6 171.6 170.9 179.4 179.4 171.8 179.5 181.4 212.6 212.6

Stockholder Equity Additional Paid In Capital 1,515.5 1,543.1 1,613.3 1,615.8 1,599.7 1,599.7 1,653.6 1,714.4 1,779.6 1,862.4 1,862.4 1,942.1 2,029.9 2,119.5 2,236.6 2,236.6 Accumulated Other Comprehensive Income 1.0 -1.9 -5.1 -4.2 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 Retained Earnings (Accumulated Deficit) -621.6 -677.0 -737.6 -798.5 -836.7 -836.7 -874.5 -904.2 -933.4 -959.1 -959.1 -988.5 -1,008.0 -1,034.4 -1,043.7 -1,043.7 Total Shareholders Equity 894.9 864.2 870.6 813.1 759.6 759.6 775.7 806.8 842.8 899.9 899.9 950.2 1,018.5 1,081.7 1,189.5 1,189.5 Total Liabilities & Shareholders Equity 2,858.2 3,008.2 3,174.6 3,250.1 3,438.3 3,438.3 3,496.0 3,732.5 3,889.7 4,175.6 4,175.6 4,299.4 4,561.0 4,743.2 5,034.5 5,034.5 Source: Company data, Credit Suisse estimates.

5 September 2017 September 5

132

Cybersecurity Figure 234: PANW Statement of Cash Flow US$ in millions, except per share items

Research Analysts Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew (212) 325 9676 [email protected] Palo Alto Networks (PANW) Syed Talha Saleem, CFA (212) 538 1428 Statement of Cash Flows [email protected] $ in Millions except per share items Fiscal year end: July 31st 2016 (A) Oct '16 Jan '17 Apr '17 Jul '17 2017 (A) Oct '17 Jan '18 Apr '18 Jul '18 2018 (E) Oct '18 Jan '19 Apr '19 Jul '19 2019 (E) Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year 1Q19E 2Q19E 3Q19E 4Q19E Full Year Cash From Operating Activities Net Income (192.7) (56.9) (60.6) (60.9) (38.2) (216.6) (37.8) (29.7) (29.2) (25.7) (122.4) (29.4) (19.5) (26.4) (9.3) (84.6) Stock-based Compensation 392.8 113.3 127.3 116.2 117.7 474.5 121.7 128.6 132.1 149.9 532.3 143.2 149.6 151.2 177.2 621.2 Tax Benefit From Exercise of Stock Options ------Depreciation and Amortization 42.8 13.6 14.4 15.1 16.7 59.8 15.7 16.7 17.2 19.5 69.1 18.9 19.7 19.8 23.1 81.5 Other Amortization of Non-Cash Expenses/Gains 3.0 0.7 0.7 0.7 0.6 2.7 0.6 0.6 0.6 0.6 2.4 0.6 0.6 0.6 0.6 2.4 Amortization of debt discount & issuance costs 23.4 6.0 6.1 6.2 6.2 24.5 5.5 5.5 5.5 5.5 21.9 5.5 5.5 5.5 5.5 21.9 Other - - - 20.9 20.9 ------Changes in working capital & other assets/liabilities Accounts Receivable (136.4) 2.2 (39.5) 22.4 (68.0) (82.9) 17.3 (65.3) 22.2 (77.3) (103.2) 39.5 (47.4) 32.2 (90.7) (66.5) Prepaid Expenses (31.2) 10.1 (51.7) (8.0) 1.5 (48.1) 23.7 (35.3) (15.2) (48.5) (75.3) 42.0 (53.4) (0.3) (77.8) (89.5) Accrued Compensation/Payroll Expense (6.3) (14.5) 19.8 (3.6) 41.1 42.8 (38.2) 23.4 (12.9) 34.3 6.6 (35.0) 26.4 (10.6) 22.7 3.4 Accounts Payable 15.1 1.8 (1.6) 2.6 3.1 5.9 (3.5) 7.5 (1.8) 5.1 7.2 (5.0) 8.3 (2.8) 7.4 7.8 Accrued and Other Liabilities 21.0 8.4 60.4 8.2 (23.8) 53.2 (21.4) 35.2 0.9 13.6 28.2 (15.2) 22.8 2.8 17.4 27.8 Deferred Revenue 527.1 118.8 139.0 112.3 161.7 531.8 104.8 139.3 135.1 175.8 555.0 128.7 135.9 129.7 136.1 530.4 Other Non-Cash Items - - - - 2.8 2.8 ------Cash from Operations 658.6 203.5 214.3 211.2 242.3 871.3 188.2 226.5 254.3 252.9 921.8 293.7 248.4 301.5 212.0 1,055.6 y/y change 87% 39% 39% 24% 29% 32% -8% 6% 20% 4% 6% 56% 10% 19% -16% 15%

Cash From Investing Activities Net proceeds (purchases) of investments (266.4) (50.3) (128.4) (27.5) (12.3) (218.5) (12.3) (12.3) (12.3) (12.3) (49.2) (12.3) (12.3) (12.3) (12.3) (12.3) Capital Expenditures (72.5) (20.9) (44.7) (48.6) (49.2) (163.4) (30.0) (23.3) (23.3) (23.3) (100.0) (30.0) (30.0) (30.0) (30.0) (120.0) Acquisition of Business - (90.7) - (90.7) ------Cash From Investing Activities (338.9) (71.2) (173.1) (166.8) (61.5) (472.6) (42.3) (35.6) (35.6) (35.6) (149.2) (42.3) (42.3) (42.3) (42.3) (132.3)

Cash from Financing Sales of shares through employee equity incentive plans 45.3 22.7 0.9 22.2 0.6 46.4 ------Tax Benefit From Stock Based Compensation - - - (11.0) (10.4) ------Repurchase of Common Stock - (50.0) (120.1) (125.0) (115.9) (411.0) (95.0) (95.0) (95.0) (100.0) (385.0) (95.0) (95.0) (95.0) (100.0) (385.0) Total Cash Flows From Financing 38.9 (27.3) (119.2) (113.8) (125.7) (364.6) (95.0) (95.0) (95.0) (100.0) (385.0) (95.0) (95.0) (95.0) (100.0) (385.0)

FX impact on cash ------

Cash balance, beginning of period 375 734 839 761 691 734 746 797 893 1,017 746 1,134 1,290 1,401 1,566 1,134 Net change in cash 359 105 (78) (69) 55 13 51 96 124 117 388 156 111 164 70 501 Cash balance, end of period 734 839 761 691 746 746 797 893 1,017 1,134 1,134 1,290 1,401 1,566 1,635 1,635 Source: Company data, Credit Suisse estimates.

5 September 2017 September 5

133

5 September 2017

Credit Suisse PEERs PEERs is a global database that captures unique information about companies within the Credit Suisse coverage universe based on their relationships with other companies – their customers, suppliers and competitors. The database is built from our research analysts’ insight regarding these relationships. Credit Suisse covers over 3,000 companies globally. These companies form the core of the PEERs database, but it also includes relationships on stocks that are not under coverage.

Figure 235: Palo Alto PEERs

Source: Company data, Credit Suisse estimates

Cybersecurity 134 5 September 2017

Fortinet: Fortinet & Unfortified = Underperform Americas/United States Software

Fortinet, Inc. (FTNT) Rating UNDERPERFORM Price (01-Sep-17, US$) 38.30 Target price (US$) 33.00 52-week price range (US$) 41.10 - 28.61

Market cap(US$ m) 6,734 Unfortified Target price is for 12 months.

Initiating Coverage with Underperform Rating and $33 Target Price Research Analysts

We respect FTNT as a highly innovative company with differentiated hardware, Brad A Zelnick superb product offerings, and a world-class founder-led executive team; 212 325-6118 [email protected] however, we remain convinced the weight of potential headwinds facing FTNT Jobin Mathew tilts the relative risk/reward balance negatively. 212 325 9676 [email protected] ■ Most Highly Exposed to Category Risks: Our analysis of sector headwinds Syed Talha Saleem, CFA implies FTNT faces the greatest risk of the three firewall names. With the 212 538 1428 least firepower and apparent willingness to strategically acquire as perimeter [email protected] security loses relevance, FTNT's outsized exposure to the SMB market and carrier vertical are additional concerns. ■ Hardware Increasingly Irrelevant in the Cloud: Like Netscreen before it, Ken Xie founded FTNT on the premise of ASIC architecture. Performant, cost-effective hardware has differentiated FTNT in the past, particularly in the carrier vertical (performance focused) and SMB segment (price sensitive); however, we struggle to see how competitive advantage bestowed by superior silicon can sustain as successfully in the cloud. ■ Outsized SMB Exposure: Fortinet should trade at a discount to CHKP and particularly PANW given its substantially lower enterprise exposure (56% vs PANW at 14% volume, respectively, on IDC data). We prefer enterprise exposure on balance due to its higher renewal rates, and while some consider the SMB market attractive given a recent a spending cycle, we believe it to be increasingly competitive (50% more concentrated on the Herfindahl-Hirschman Index, an indicator of competition) vs the high end. ■ Valuation: We see FTNT as expensive on an absolute basis but less so once adjusted for growth; we think of FTNT as in-between CHKP (best) and PANW (worst) on valuation. Our DCF valuation implies a $33 TP. Risks to our target include an ability to gain significant share, stronger than expected midmarket spending cycle, and acquisition of the company. Share price performance Financial and valuation metrics

Year 12/15A 12/16A 12/17E 12/18E NON-GAAP EPS (CS adj., ) 0.51 0.74 0.94 1.10 Prev. EPS (CS adj., US$) P/E (CS adj.) (x) 74.9 51.6 40.6 34.8 P/E rel. (CS adj., %) - 244 213 202 Revenue (US$ m) 1,009 1,275 1,493 1,657 Non-GAAP Operating Income 133 193 238 292 Net(US$ Debt m) (US$ m) -1,164 -1,311 -1,515 -1,802 Unlevered Free Cash Flow (US$) 242 268 309 439 On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55 P/uFCF (x) 15.8 14.3 12.4 8.7

Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$36.83 Number of shares (m) 175.84 Price/Sales (x) 4.82

Quarterly EPS Q1 Q2 Q3 Q4 Net debt (Next Qtr., US$ m) -1,475.3 Dividend (current, US$) - 2016A 0.12 0.14 0.18 0.30 Dividend yield (%) - 2017E 0.17 0.27 0.23 0.27 Source: Company data, Thomson Reuters, Credit Suisse estimates

2018E 0.22 0.26 0.27 0.34

Cybersecurity 135 5 September 2017

Fortinet, Inc. (FTNT) Price (01 Sep 2017): US$38.3; Rating: UNDERPERFORM; Target Price: US$33.00; Analyst: Brad Zelnick Income Statement 12/15A 12/16A 12/17E 12/18E Company Background Revenue (US$ m) 1,009.3 1,275.4 1,492.8 1,657.0 Fortinet is a cybersecurity company selling appliances, software, EBITDA 164.9 241.6 307.6 375.8 and services. Fortinet has a platform approach to security called the Operating profit 133.3 193.1 238.2 291.6 Fortinet Security Fabric which enables third-party devices to share Recurring profit 135.5 193.3 251.3 303.6 information with Fortinet appliances. Cash Flow 12/15A 12/16A 12/17E 12/18E Cash flow from operations 283 340 466 541 Blue/Grey Sky Scenario CAPEX (37) (67) (150) (93) Free cashflow to the firm 245 273 316 447 Cash flow from investments (1) (74) (163) (93) Net share issue(/repurchase) 7 (66) (108) (160) Dividends paid 0 0 0 0 Issuance (retirement) of debt - - - - Other (116) (54) 9 (0) Cashflow from financing activities (109) (120) (99) (160) Effect of exchange rates 0 0 0 0 Changes in Net Cash/Debt 173 146 204 287 Net debt at end (1,164) (1,311) (1,515) (1,802) Balance Sheet ($US) 12/15A 12/16A 12/17E 12/18E Assets Other current assets 36 33 46 55 Total current assets 1,271 1,539 1,782 2,128 Total assets 1,791 2,140 2,569 2,981 Liabilities Short-term debt 0 0 0 0 Total current liabilities 679 829 1,015 1,221 Long-term debt 0 0 0 0 Total liabilities 1,035 1,302 1,624 1,940 Shareholder equity 755 838 945 1,041 Total liabilities and equity 1,791 2,140 2,569 2,981

Net debt (1,164) (1,311) (1,515) (1,802) Our Blue Sky Scenario (US$) 44.00 Per share 12/15A 12/16A 12/17E 12/18E For our blue sky scenario we again model a 5-year transition period, No. of shares (wtd avg) 175 175 181 187 but drive higher free cash growth, which assumes Fortinet enjoys a CS adj. EPS 0.51 0.74 0.94 1.10 stronger than expected appliance refresh cycle tailwind in addition to Prev. EPS (US$) virtual firewall retaining more relevance than we expect, and FTNT Dividend (US$) 0.00 0.00 0.00 0.00 successfully selling into this virtual market. Our blue sky scenario Free cash flow per share 1.40 1.56 1.75 2.39 yields a $42 warranted price. Earnings 12/15A 12/16A 12/17E 12/18E Sales growth (%) 31.0 26.4 17.0 11.0 EBIT growth (%) 9.2 44.9 23.3 22.4 Our Grey Sky Scenario (US$) 30.00 Net profit growth (%) 10.6 44.9 31.9 20.8 In the grey sky scenario, we use a 5-year transition period and lower EPS growth (%) 7.0 45.2 27.3 16.6 free cash flow growth assumption. The scenario results in a share EBIT margin (%) 13.2 15.1 16.0 17.6 price of $29. In this scenario, Fortinet struggles to attain significant virtual share, this is against a backdrop of declining firewall Valuation 12/15A 12/16A 12/17E 12/18E relevance and significant price pressures. EV/Sales (x) 5.52 4.25 3.50 2.98 EV/EBIT (x) 41.8 28.1 21.9 16.9 Share price performance P/E (x) 74.9 51.6 40.6 34.8 Quarterly EPS Q1 Q2 Q3 Q4 2016A 0.12 0.14 0.18 0.30 2017E 0.17 0.27 0.23 0.27 2018E 0.22 0.26 0.27 0.34

On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55 Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$36.83

Source: Company data, Thomson Reuters, Credit Suisse estimates

Cybersecurity 136 5 September 2017

■ Is Carrier Market Exposure a Blessing or Curse? FTNT's success in the carrier market has been a blessing in the past, while now investors are debating if this will continue.

Our Takes: ■ Despite Growth, Competitive Pressures Render SMBs Unattractive: In addition to lower renewal rates, the SMB market is increasingly fragmented and competitive, and we

think these dynamics apply pricing pressure to vendors operating in this end of the market.

■ Silicon Isn’t a Competitive Advantage Anymore: We struggle to see how the competitive advantage bestowed by superior silicon can be sustained as successfully in the cloud.

■ Becomes a Strategic Target: Given its relatively small market cap, FTNT could represent a potential target for a strategic buyer.

recognize Estimates: ■ Revenue and EPS: We forecast FY17E/FY18E revenue growth at 17%/11% vs the consensus at 17%/15%, with EPS of $0.94/$1.10 in FY17E/ FY18E vs Street estimates at

$0.95/$1.14.

Valuation: ■ DCF: Our discounted cash flow analysis yields a target price of $33, implying 14% downside risk and 10x FY18E EV/uFCF; 13.5x when adjusted for SBC.

■ Relative Valuation: Expensive on an absolute basis but less so once adjusted for growth, we think of PANW as in between CHKP (best) and PANW (worst) on valuation.

Cybersecurity 137

5 September 2017

Key Charts

Figure 236: Highly Exposed to the SMB Market… Figure 237: ...Which Remains the Most Competitive Fortinet 2016 Revenue Exposure by server class Herfindahl-Hirschman Index, 4Q moving average

0.25 High-end High-end Midrange 0.20 Volume 20%

0.15

FTNT 56% 0.10 Volume 24% Midrange 0.05

0.00 2002 2005 2008 2011 2014 Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

Figure 238: FTNT Most Exposed to Sector Risks…. Figure 239: …with an Elongating Refresh Cycle Our sector risk exposure ranking Refresh cycle impact on product at different lengths

Figure 240: Less Balance Sheet Capacity… Figure 241: …Valuation in Middle vs Firewall Peers Our estimates for balance sheet capacity EV/uFCF adjusted for SBC, and Non-GAAP P/E 50x $12bn EV/uFCF Adjusted for SBC, NTM 44.2x Non-GAAP P/E, NTM $9.9bn 38.8x $10bn 40x 37.8x

$8bn 30x $6bn $5.4bn 20.5x 19.2x $4.0bn 20x 16.4x $4bn

$2bn 10x

$0bn CHKP PANW FTNT 0x CHKP FTNT PANW Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Cybersecurity 138

5 September 2017

Supports for Our Thesis Company Negatives

■ Most Exposed to Sector Risks In our ranking of relative exposure to category risks, Fortinet appears the most exposed. We believe it to be at substantial risk as the architectural shift to cloud accelerates via both its hardware-based competitive advantage and carrier exposure. (Carriers are rapidly virtualizing.) In addition, we believe exposure to the highly competitive mid-market, along with limited ability to further expand TAM, are all incremental relative negatives.

Figure 242: Relative Exposure to Sector Risks Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Architectural Shift to Cloud ◔ ◑ ◕ Cisco increasingly competitive ○ ◕ ◑ Juniper has little share left to give ○ ● ◔ Cloud transitionary headwinds ◔ ◑ ◑ TAM expansion ◑ ◑ ● Competition in the mid market ◑ ○ ● Carrier Exposure ◔ ◑ ● Total ◔ ◑ ◕

Source: Credit Suisse Research.

■ Less Relative Firepower Makes Deployment of Strategic Capital Challenging We estimate FTNT could deploy ~$4bn for transformative M&A. This is ~60% less than CHKP and ~25% less than PANW. Given our views on the market direction and declining relevance of perimeter security, we see Fortinet's more limited ability to make transformative acquisitions as a relative negative. We believe management is liklely less willing to make a transformative acquisition just given past tuck in deal activity.

Cybersecurity 139

5 September 2017

Figure 243: We Estimate FTNT Has ~$4bn in Figure 244: … This Is ~60% Less than CHKP and Aggregate Firepower… ~25% Less than PANW US$ in millions, unless otherwise stated US$ in millions, unless otherwise stated

Firepower analysis CHKP PANW FTNT $12bn Earnings, NTM basis $9.9bn EBITDA 1,083 394 279 $10bn Δ Deferred Revenue 178 412 250 Cash EBITDA 1,261 806 529 Deal related accretion (15% return) 774 460 383 $8bn Theoretical lending EBITDA 2,035 1,266 912 $6bn $5.4bn Cash, Next quarter Liquid cash & investments* 1,380 1,170 964 $4.0bn Cash & investments 3,588 1,889 1,222 $4bn Theoretical debt capacity (3x)** 6,106 3,281 2,735 $2bn Liquid firepower 7,486 4,450 3,699 Total firepower 9,694 5,170 3,957 $0bn *Cash and ST investments adjusted for offshore cash (20% repatriation assumption) and 10% of NTM revenue CHKP PANW FTNT

** 3x theoretical lending EBITDA excluding outstanding debt

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

■ Hardware-Based Competitive Advantage, Does It Translate to the Cloud? Fortinet has, we think, generated substantial competitive advantage via its ASIC-based architecture, which is highly performant and offers excellent cost/throughput ratios and substantial power savings. These performance advantages have, in turn, contributed to FTNT's success in the carrier and telecommunications market (where performance is key) and the SMB market (where there’s cost sensitivity). While in the past it has been easy to interpret Fortinet's hardware differentiation as a competitive advantage, it seems logical to us that any advantage bestowed by superior silicon will diminish as virtualization increases.

■ Absolute Valuation Is Unattractive, Except on EV/Sales Fortinet isn’t noticeably cheap relative to PANW or CHKP on any absolute adjusted cash flow or income statement multiple, excepting EV/Sales, which appears to be a function of depressed margins, and a different business mix. FTNT trades ~54% less expensive than CHKP and ~28% less expensive than PANW on CY18 recurring revenues. This would seem to be due to lower renewal rates given greater SMB exposure, which reduces the value to investors of this revenue stream relative to higher renewal rate competitors. We calculate that a 5% reduction in renewal rate (from 95-90%) erases 25% of the recurring revenue stream’s NPV. While intuitively, PANW's higher renewal rates should result in a higher recurring revenue multiple than that of CHKP, we would note CHKP's substantially higher operating margin. FTNT trades at a discount to CHKP and PANW on recurring revenue, which we largely attribute to its depressed margins (18% in CY18 vs 22% and 53% for PANW and CHKP, respectively). Even normalizing for margin, and certainly growth for that matter, we would expect FTNT to be less expensive on recurring revenue given its significant SMB exposure (56% for FTNT vs 14% and 27% for PANW, and CHKP, respectively7). We estimate. To put this in perspective, we calculate a reduction in renewal rate from 95-90%

7 IDC ‘volume’ pricing bands used as a proxy Cybersecurity 140

5 September 2017

would erode 25% of the NPV of the intrinsic value of a recurring revenue stream in a runoff scenario.

Figure 245: Relative Valuation, Absolute Multiples Absolute Valuation Analysis CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x Income Statement Multiples EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x

Source: Company data, Credit Suisse estimates.

■ Fortinet Is More an SMB than an Enterprise Focused Vendor Despite the lumpier sales cycles, we prefer exposure to enterprise customers. Firms serving enterprise customers in general enjoy far superior renewal rates relative to those with SMB customers.

Figure 246: The Impact of Renewal Rates on Valuation Is Clear When We Look at the Financial NPV of Recurring Revenues with Varying Renewal Rates Impact of varying renewal rates on a floor value analysis of recurring revenue as % of FTNT EV. Assumes a 75% runoff margin on cash recurring revenues

90% 82% FTNT 80%

70% 67% 59% 60% 53% 49% 46% 50% 43% 41% 40% 39% 37% 40%

30% EV% of RevenueaccountedRecurringforFloor by Renewal rate 95% 90% 85% 80% 75% 70% 65% 60% 55% 50% 45%

Source: Company data, Credit Suisse estimates.

Fortinet has the least exposure to enterprise customers of the firewall names we are initiating upon. Using IDC data (which splits appliance sales into server class: volume, mid-range, and high end) as a proxy exhibits this. Only 20% of 1Q17 appliance revenue was generated via high-end server deployments, or 40% less than Palo Alto Networks.

Cybersecurity 141

5 September 2017

Figure 247: Fortinet Has Lower Share in the Figure 248: Fortinet Has High Share in the Volume High-End, and the Market Is Less Fragmented Market, but It Is Fragmented High-end server class market share (FTNT bottom in red) Volume server class market share (FTNT bottom in red)

70% 70%

60% 60%

50% 50%

40% 40%

30% 30%

20% 20%

10% 10%

0% 0% 2006 2008 2010 2012 2014 2016 2002 2004 2006 2008 2010 2012

Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

Figure 250: …Relative to Competitors Such as Figure 249: Fortinet Has Low High-End Exposure… PANW Fortinet 2016 Revenue Exposure by server class Palo Alto Networks 2016 Revenue Exposure by server class

High-end Volume

20% 14%

FTNT PANW 56% 27% Volume 24% Midrange 59% High-end RenewalMidrange rate

Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

Looking at Fortinet's own reported billings metrics gives some credence to the IDC data. High-end units account for just under 40% of billings on a trailing 12-month basis. Assuming the high end is somewhat flattered in billings as opposed to revenue (enterprise customers are more likely to pay in advance), a similar picture emerges – Fortinet is more SMB than enterprise focused.

Cybersecurity 142

5 September 2017

Figure 251: Fortinet’s High-End Billings Have Grown Slightly in Recent Years Percent of Reported Billings by Product Segment

100%

80% Entry-Level

60% Mid-Range 40%

20% High-End 0% 2009 2010 2011 2012 2013 2014 2015 2016 2017

Source: Company data, Credit Suisse Research.

While it seems plain that FTNT's primary success is not in the enterprise, we do credit it with having grown high-end billings substantially faster (35% vs 25%) than entry and mid-range billings. This corroborates Gartner’s assertion that ‘Fortinet is present in an increasing number of these [enterprise firewall] deals visible to Gartner, often because it offers “good enough” features at a significantly lower price.’ (G00294631)

Figure 252: High-End Billings Have Grown on Average Faster Than Entry and Mid-Level, Albeit with More Volatility

80% Entry Level Mid-Range High-End 70%

60%

50%

40% 35% 30% 25% 20%

10%

0% 2010 2011 2012 2013 2014 2015 2016 2017

Source: Company data, Credit Suisse estimates.

The Low End Is Substantially More Competitive than High End Not only are renewal rates less attractive outside the enterprise segment of the market, but the lower end is also substantially more competitive. Using IDC revenue data to estimate the Herfindahl-Hirschman Index (an indicator of competition) for each segment IDC tracks reveals substantially more competition in the mid-range and volume segments of the market. Not only are there more players, but we have been hearing of more competitiveness as players such as WatchGuard and SonicWALL have made significant strides more recently. Cybersecurity 143

5 September 2017

Figure 253: The Midrange and Volume Segment of the Market Are Substantially Less Consolidated (and Therefore Competitive) than the High End Herfindahl-Hirschman Index, 4Q moving average

0.25 High end, 4Qma Midrange, 4Qma Volume, 4Qma

0.20

0.15

0.10

0.05

0.00 2002 2004 2006 2008 2010 2012 2014 2016

Source: IDC, Credit Suisse Research.

Competition Tends to Translate into Price Pressure… We believe consolidation translates to pricing power, and vice-versa. Therefore, we expect higher levels of competition in the mid- and volume markets to translate into higher-price competitiveness. Looking at the volume market ASP relative to the five largest market players suggests that while there hasn’t been broad-based pressure, pricing has come down for the five largest in aggregate.

Figure 254: Pricing for the Five Largest Players Appears to Have Been Slightly More Pressured Relative to the Market as a Whole ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)

2,200 Volume ASP Volume ASP (CHKP, PANW, FTNT, JNPR, CSCO) 2,800 2,000 2,500 1,800 2,200 1,600 1,900

1,400 1,600

1,200 1,300

1,000 1,000 2003 2005 2007 2009 2011 2013 2015 2017

Source: iDC, Credit Suisse Research.

If we look at pricing across the product spectrum for the five largest players since 2010, it seems clear there has been weakness in volume relative to the high end. While the mid-range hasn’t been weak, per se, it has been weaker than the high end since 2014.

Cybersecurity 144

5 September 2017

Figure 255: Pricing Has Been Strongest in the High End, Slightly Weaker in the Mid-Range, and Weakest in Volume CHKP, PANW, FTNT, JNPR, CSCO ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)

1.2 Top-5 High-End ASP Top-5 Mid-range ASP Top-5 Volume ASP

1.1

1.0

0.9

0.8

0.7

0.6 2010 2011 2012 2013 2014 2015 2016 2017

Source: iDC, Credit Suisse Research.

■ Carrier Exposure, a Challenge as They Virtualize Fortinet's highly performant products have previously given the company an edge in the telecom service provider vertical. Anecdotally, we believe FTNT to be the leader in this vertical, and over the last 12 months, it has generated ~20% of billings from service providers. While this has reduced slightly as a percent of total billings as other verticals have grown faster, it remains a material part of FTNT's business and has slowed substantially from 2015 highs in recent quarters; last quarter it was described by FTNT CFO Mr. Del Matto as 'the most disappointing part of the business…' (Q2 2017 Fortinet Earnings Call, Q&A Session).

Figure 256: Service Provider Has Grown in Dollar Figure 257: Growth Has Substantially Retreated Terms, but Reduced as a % of Billings from 2015 Peaks and Was Weak Last Quarter Service provider as a % of total billings, reported Service provider growth, implied from reported, y/y, %

Service provider share of billings 35% 50% Service provider vertical growth, y/y, % 40% 30% 30% 25% 20% 20% 10%

15% 0%

10% -10% 2011 2012 2013 2014 2015 2016 2012 2013 2014 2015 2016

Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse estimates.

We believe from conversations in the field that the service provider vertical is virtualizing network infrastructure at an increasing rate. Discussions on FTNT's 2Q Q&A call, we think, give credence to our view that carrier exposure is a risk.

Cybersecurity 145

5 September 2017

'…the AWS/Azure piece is growing fast. And also, the traditional service provider also starting consider offer the cloud solution now. So that may delay some of their decision whether what kind of an architecture or infrastructure they may moving forward… Before, it's kind of a separate team for cloud and service provider. Now it's one team, so we feel that's also helping, like make future trend or direction.' – Ken Xie, Chairman CEO '… I mentioned there is a cloud trend. So that also may take a little bit long time to evaluate. And also we started to offer the new 7000 series, and that also takes a long time to evaluate. So we have the new platform and especially in the bigger enterprise service provider, they take a longer time and whether using the new one or the old one, also takes some time. So we do see a lot of test and interesting discussion…' – Ken Xie, Chairman CEO 'They [telecom carriers] are more focused on cash flow […] and they do more pay-as- you-go. I think that’s a shift in their business.' - Andrew Del Matto, CFO, 7/26/2017 'What's happening now is that really, large service providers and large enterprises, some of them are trying to design and think about their next generation network… that's not a trend that we saw in 2012 or 2013. It's not just a matter of refreshing gear, what they bought how many years ago. It's really in strategic discussions on how they move forward for the future years. ' – Michelle Spolver, Chief Communications Officer, 10/27/2016

Fortinet's exposure to the service provider vertical is significant, and thus any deferred spending patterns or competitive threats with the segment bring material risk. As we show in Figure 258, lumpy service provider demand (which we proxy through service provider billings growth) has manifested in the company's reported product growth.

Figure 258: Service Provider Demand Patterns Have Material Impact on FTNT 60% Product Growth y/y (%)

Service Provider Billings Growth (%) 40%

20%

-20% 2013 2014 2015 2016 2017

Source: Company data, Credit Suisse Research.

■ Refresh Cycle Unlikely to Be a Near-Term Tailwind Fortinet has started to speak about a refresh opportunity that it anticipates will contribute to 2018 product revenues. We expect the impact of this refresh cycle to be somewhat muted as the average refresh appears to be elongating to some degree. 'When you get into '18, that's 4 years ago roughly from that happening and then spending started to happen in '14, early '14. So I think probably somewhere in '18, you would begin to see that click…' - Andrew Del Matto, CFO, 04/27/2017

Cybersecurity 146

5 September 2017

Figure 259: Assuming a Five-Year Refresh Cycle Implies 2013 Was the Peak of the Last Refresh Cycle… Refreshed product as a % of total new product (assuming 5 year refresh rate and 75% renewal rate) 4QMA 30%

25%

20%

15%

10% 2009 2010 2011 2012 2012 2013 2014 2015 2016

Source: IDC, Credit Suisse Research.

'The refresh cycle. Most people, generally, the products are deployed for 3 to 5 years. I mean, the life of the product, they can go beyond 5 years. And I think some customers probably stretch it a little bit. But generally speaking, think about 3 to 5 years. You can all look at the models. If you go back in history, it looks like '14 and '15 were pretty good years. So maybe if you walk forward some average of the 3 to 5 year, you'll probably get a sense. I don't -- when we talk about it internally, we're not thinking '17 or as much as we're thinking somewhere beyond that. '17's probably a bit early.' - Andrew Del Matto, CFO, 06/07/2017 '… I would probably say the deal in the cycles are elongated more than they were then, because it's sort of a dynamic shift that's happening …it takes a lot longer. It's not just a matter of refreshing gear, what they bought how many years ago. It's really in strategic discussions on how they move forward for the future years. So I would probably say that the cycles are longer now than they were four years ago'. – Michelle Spolver, Chief Communications Officer, 10/27/2016 Management have spoken about the previous refresh cycle as having begun in 'late '13, that was really the kickoff for the last big, I think, spike, if you will, in spending. And then it went on for a couple of years…' (Andrew Del Matto, CFO, 04/27/2017) If we try and back that out via our (admittedly somewhat crude) new product calculation, it appears that to fit into this time frame, the average refresh would have been between five- and-a-half and seven years in length.

Cybersecurity 147

5 September 2017

Figure 260: Cycle Elongation Appears Evident When We Try to Back Out Fortinet's Internal Refresh Cycle Refreshed product as a % of total product (assuming varying refresh cycle and 75% renewal rate) smoothed via 5Q centralized average

35% 4 years 4.5 years 30% 5 years 5.5 years 25% 6 years 20% 6.5 years 7 years 15%

10%

5% 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Source: Company data, Credit Suisse estimates.

■ High Levels of Earnings Volatility Remain a Question Mark Fortinet exhibits rather high levels of volatility around earnings announcements. While not the foremost risk we have discussed, an average relative move of 7.4% since 2012 on earnings is, we believe, worth investor cognizance. It would seem the business is more difficult to forecast over the past couple of years, perhaps the result of a broader shift to cloud and virtual infrastructure.

Figure 261: Fortinet an Average 7.4% Relative One-Day Move Following Earnings Stock price movement the day after earnings were reported

25% 21%

13% 15% 11% 9% 7% 8% 4% 4% 4% 5% 1% 2%

-5% -1% -1% -3% -4% -4% -6% -8% -15% -17% -20% -25% 2013 2014 2015 2016 2017

Source: FactSet, Credit Suisse Research.

Cybersecurity 148

5 September 2017

Risks to Our Thesis Company Positives

■ ASIC Hardware Is a Relative Advantage Under the leadership of Ken Xie, we believe Fortinet has become the industry leader in ASIC (application-specific integrated circuit) based firewall appliances. Ken Xie said in February 2017 that this endows Fortinet with a seven- to ten-year hardware advantage compared with competitors. 'But on the cost base -- on the performance base, the ASIC definitely have a huge advantage over the CPU. It can be 10x to 100x, more like computing advantage and also the cost advantage there. But the virtual edition environments really, they can leverage some of the free computing power…' – Ken Xie, Founder, Chairman & CEO, 10/22/2015 ASIC architectures mean the hardware chips are specifically designed for select use-cases. The use-case-specific nature of these processors results in substantial cost advantages on a throughput basis, in addition to power saving relative to general purpose hardware. Gartner notes, in particular, it accelerates packet processing for deep packet inspection. Ken Xie pioneered the use of ASIC technology for security appliances with his first company, NetScreen, and has continued in the same vein with Fortinet. Fortinet was the first company to increase firewall speed to one terabit per second in 2014, and our field conversations and broader research confirm Fortinet is renowned for performance in high-traffic conditions. We believe performance and cost – the true benefits of custom hardware – have been key contributors to FTNT's success in the carrier market where performance is key, and also in the SMB market where cost is of primary import. In competitive situations, ‘feedback from Gartner clients indicates that Fortinet wins when value (dollar per protected MB) is a strong part of the evaluation. [Fortinet] has intrinsic pricing advantages due to the way it produces its hardware.’ (G00294631)

Figure 262: Fortinet Offers Attractive Cost per Protected Packet According to NSS Labs 2017 Firewall Test Total Cost of Ownership per Protected Mbps

Fortinet 6000 Sophos Watchguard Forcepoint Fortinet 32000 Check Point Palo Alto Networks Cisco SonicawallSonicwall Barracuda Networks 0 5 10 15 20 25 30 35 40 45

Source: NSS Labs, Credit Suisse Research.

Cybersecurity 149

5 September 2017

We also believe the ASIC architecture enhances Fortinet's competitive advantage when it comes to the internal segmentation firewall use-case. The higher speed of internal networks requires high-speed, low-latency appliances, which in turn is best achieved via purpose-built hardware. We believe internal segmentation demand to be incremental, and given it tends to be enterprises looking to implement these sorts of network architectures, the trend also offers FTNT an opportunity to increase its high-end mix and market share. '… the traditional firewall protection, even at the perimeter … is no longer enough. There are so many ways you can bypass that… So that's where we see the big enterprise … starting evaluating and consider all of this internal segmentation there … most of the internal segmentation is all high end. They need high speed, like 40 gig, 100 gig, minimal 10 gig in the space, and also the same through port wire speed. Because the internal network is much, much faster 10 to 100X faster than the Internet connection. So without high speed, without low latency, they cannot deploy internally to do the segmentation.' - Ken Xie, Founder, Chairman & CEO, 2Q2015 earnings call While we expect internal segmentation demand to be incremental in nature, our field conversations suggest customers aren’t yet segmenting their networks to the same granularity needed to offset the rate at which network perimeters are dissolving. Additionally, some enterprises eschew using security appliances, instead looking further down the stack in their network topology and relying on the inherent security of products such as VMware’s NSX to achieve their internal segmentation security goals.

■ Security Fabric Differentiates the Firm Through Product Integration Fortinet emphasizes that its products are differentiated via their integration into a security fabric. This unified end-to-endpoint approach to address all threats an enterprise might face yields what we perceive to be a cohesive and comprehensive platform offering. The fabric weaves together enterprise firewall, cloud security, advanced threat protection, connected UTM, application security, secure access, and security operations.

Figure 263: Fortinet’s Goal Is to Create a Security 'Fabric' to Provide End-to-End Enterprise Security Advanced Threat Intelligence NOC/SOC

Client Cloud

Network

Access Application

Partner API

Source: Fortinet.

Cybersecurity 150

5 September 2017

Customers demand strong integrated platforms, as they tend to outperform disparate best-of-breed products in terms of efficacy, efficiency, and cost. We have addressed this at length in section ‘TAM Expansion is Limited’. The platform approach aggregates a number of adjacencies and is therefore accretive to security appliance vendors’ TAMs. We believe this theme of aggregation to have been an attractive security play over the last several years and FTNT to have been one of the most successful consolidators, with products addressing a multiplicity of security pain points. A recent example from June of 2016 is the acquisition of AccelOps, which adds the ~$2bn SIEM (security information and event management) market to Fortinet’s TAM. As a result, however, we think it will be even more difficult for FTNT relative to other vendors to move the needle on its TAM. Additionally, given the majority of FTNT's value proposition to customers is via consolidation and hardware, we are concerned by the pressures it faces with disaggregation of adjacencies as workloads increasingly move to the cloud.

■ Highly Rated Products Fortinet products are highly rated. Whether during our conversations in the field, by Gartner, NSS Labs, or other third-party reviews, Fortinet repeatedly stands out for the depth, breath, integration, and particularly price performance of its security product portfolio. In the Enterprise Network Firewall (NGFW) market, the FortiGate offering has enjoyed positive momentum over the last five years as it progressed from a challenger to leader in Gartner’s magic quadrant. Prior to this, Fortinet had enjoyed five years of positive momentum as it transitioned from the visionaries to challengers quadrants.

Figure 264: Fortinet Has Enjoyed Year-on-Year Figure 265: Despite Slight Negative Momentum, in Positive Momentum Toward the Leadership Quadrant Its Key Competency, UTM, Fortinet Has Been a on Gartner's Enterprise Network Firewall MQ Leader Every Year Since Inception Estimated based on 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, Estimated based on 2009, 2010, 2012, 2013, 2014, 2015, 2016 and 2016 and 2017 Enterprise Network Firewall Magic Quadrants 2017 UTM (SMB multifunction firewall) Magic Quadrants

Fortinet Fortinet

Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research.

Cybersecurity 151

5 September 2017

Not only is Fortinet a leader in the Enterprise Network Firewall market, but it also the only vendor to have remained a leader every year since 2009 on Gartner's Unified Threat Management (UTM) magic quadrant. If we look on a pure performance basis, NSS Labs (an independent security analysis and testing firm) consistently ranks Fortinet highly relative to competitors on TCO per protected Mbps and effectiveness in blocking simulated threats.

Figure 266: NSS Labs Consistently Ranks Fortinet Highly on Efficacy and Cost

Source: NSS Labs, Credit Suisse estimates.

Fortinet has substantially expanded its cloud offerings to help the security fabric scale to the cloud. FortiGate VM integrates Fortinet and VMware products to help Fortinet scale to software-defined networks, and Fortinet products are also available in both AWS and Azure. More broadly, Fortinet also offers FortiMail, which enables email screening and FortiWeb for web application scanning and behavioral attack detection. Fortinet also provides secure switching and access control solutions for network authentication. The company offers single sign-on identity management with FortiAuthenticator and multi-factor tokens. Fortinet allows customers to monitor the entire system with its FortiSIEM (security information and event management) product. FortiSIEM allows customers to monitor their security on a “single pane of glass” with cross-correlated analytics that can scale to IoT devices and the cloud.

Cybersecurity 152

5 September 2017

It also offers enterprises the ability to integrate third-party products with its fabric as “Fabric-Ready partners.” Fortinet recently added Microsoft as a partner to better expand its cloud security capabilities. Fortinet currently counts 27 total partners. Fortinet’s wide product offerings are designed to integrate all aspects of network security. Ken Xie says that “our view is that if the network is involved, then we are there to protect it.”

■ Vision of the Xie Brothers Should Not Be Under-Estimated We view the dual leadership of Fortinet by Ken and Michael Xie, CEO and CTO, respectively, to be a key strength. We see the brothers' track record of innovation in the space as supportive, and Ken Xie's commentary around the 'fourth era of firewall' (see here) as evidence that Fortinet recognizes and is prepared (or preparing) to adapt its strategy beyond its successful formula of the past five years. The Xie brothers are legendary figures in the security industry. Ken has been the CEO of Fortinet since the company’s inception in 2000. He started his first security company, SIS, designing software firewalls while he was still studying for his second master’s degree at Stanford. Ahead of their time in understanding the limitations of selling software-only firewalls, Ken and Michael founded one of the security industry's first aggregation plays – Netscreen – in 1996. Here, they developed and sold the industry's first ASIC-based firewall appliances. Ken’s brother Michael has tended to hold technical positions, serving as chief architect for NetScreen, and then chief technology officer since 2010 at Fortinet. In his tenure at Fortinet, he has overseen execution of the brothers' consolidative vision for “unified threat management,” the guiding tenet behind the Fortinet security fabric. Michael holds multiple patents and is the author of several books. While the benefits of founder-led technology companies are sometimes hard to quantify, we look to Credit Suisse HOLT research, which shows since late 2014 founder-led have substantially outperformed both S&P500 tech.

Figure 267: Founder-Led Technology Companies Have Outperformed Their Non-Founder Led Peers and the S&P 500 Tech Index 140 Founder Led Tech Non-Founder Led Tech SP500 Tech

130

120

110

100

90 Aug 2014 Feb 2015 Aug 2015 Feb 2016 Aug 2016

Source: Credit Suisse HOLT.

Founder-led firms also generally place more emphasis on innovation, as evidenced by increased cash deployed in R&D and capex, with greater research efficiency, as evidenced by higher R&D turnover.

Cybersecurity 153

5 September 2017

Figure 268: Founder-Led Firms Deploy Figure 269: Founder-Led Firms Are More of Their Cash Toward R&D and Also More Efficient in R&D, with Capex Higher Turnover R&D + Capex as a percentage of cash deployed Sales/Capitalized R&D

70% 62.8% 2.2 60% 2.1 2.1 50% 40.3% 2.0 40% 1.9 30% 1.8 1.8 20%

10% 1.7

0% 1.6 Founder Ran Non-Founder Ran Founder Ran Non-Founder Ran

Source: Credit Suisse HOLT. Source: Credit Suisse HOLT.

It's worth noting that with Gil Shwed at Check Point and Nir Zuk at Palo Alto, it appears almost a pre-requisite for success that at-scale NGFW vendors have retained a founder technologist executive. Therefore, while it remains a benefit, we don't think this represents a material advantage on a relative basis. Illustrating this, CHKP has the best R&D efficiency of the peer group (software >5bn in market cap) followed by FTNT and PANW, both in the top-third.

Figure 270: PANW & FTNT Have Above Average R&D Efficiency Sales / Capitalized R&D (R&D Efficiency), Software >5bn in market capitalization

ADSK 0.7 WDAY 0.9 TEAM 0.9 DATA 1.2 GWRE 1.2 VMW 1.3 SYMC 1.3 SPLK 1.3 RHT 1.5 INTU 1.5 CA 1.5 ORCL 1.6 CTXS 1.6 ADBE 1.6 MSFT 1.7 NOW 1.9 PANW 2.0 LOGM 2.0 FTNT 2.0 ULTI 2.1 OTEX 2.1 CRM 2.2 VEEV 2.3 CHKP 2.9

Source: Credit Suisse HOLT, Credit Suisse Research.

Additionally, while FTNT devotes the most to R&D as a percentage of revenue, both PANW and CHKP spend more in dollar terms.

Cybersecurity 154

5 September 2017

Figure 271: Palo Alto Spends the Most on R&D in Figure 272: … FTNT Spends 180bps More than Absolute Dollar Terms… PANW and 370bps More than CHKP as % of Revenue Non-GAAP R&D Expense, quarterly, $m Non-GAAP R&D Expense, % of revenue, 4Q rolling average

60 21% FTNT PANW CHKP CHKP FTNT PANW 19% 50 17% 40 15%

30 13%

20 11%

9% 10 7% 0 5% 2010 2011 2012 2013 2014 2015 2016 2010 2011 2012 2013 2014 2015 2016 Source: Company data, Credit Suisse Research, Credit Suisse Estimates. Source: Company data, Credit Suisse Research, Credit Suisse Estimates.

■ Fully Ramped Sales Capacity Fortinet has invested heavily in its go-to-market engine, which has more recently stabilized and ramped to productivity. The company sees additional tailwinds from its 'fork-lift' investments in its sales and marketing model, guiding for operating margin improvement of 150bps to 200bps per year, aiming for 25% OM by 2022, and long-term OM of 25%.

"We feel like we've made a lot of the forklift investments we needed to make to just get the marketing team, the business, the process in place for the lead generation and giving them information to expand our footprint within the installed base." - Andrew H. Del Matto, CFO, 7th August 2017

"And then we've also made big investments in our sales and marketing go-to-market engine in the enterprise over the last really 3 or 4 years. And that's a forklift investment that we're pretty much through. And so now we're basically focused on just productivity -- driving productivity and sales, which drives a lower cost of sales and marketing. And again, that's how -- the combination of that, the lower sales and marketing costs through the higher productivity, scaling that out along with the higher gross margin drives an expanded margin" - Andrew H. Del Matto, CFO, 13th June 2017 We see indications of a productivity ramp, as shown in Figure 273, with a recovering billings per S&M employee as well as revenues per S&M employee. Also, we do point out that product revenue metrics as well as new business metrics seem to be stabilizing.

Cybersecurity 155

5 September 2017

Figure 273: Billings Indicates Recovery… Figure 274: ...Product and New Business Stabilizing Billings in US$ thousand Product and Overall revenues in US$ thousands

$250k $1000k $250k Product/(S+M employees) Revenues/(S+M employees) $200k $800k $200k

$150k $600k $150k

$100k $400k $100k

$50k $200k $50k Current Billings/ (S+M employees) Billings TTM/ (S+M employees) $k $k $k Jun-14 Jun-16 Jun-14 Jun-16

Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse Research.

■ Leverage from Rising Subscriptions Fortinet is also benefiting from a rising subscription mix, up ~5% over the last two years, with GM rising from 71% to 75%. We see the rising mix of high-margin subscription as a tailwind for GM, combined with investments made in go-to-market resulting in a higher OM profile. "We feel like we've built that go-to-market model out. … we guided operating margin improvement after 2017 of 150 to 200 basis points per year, with the goal of reaching 25% operating margins by 2022. So the goal is 25% operating margins by 2022. And then we want to remain in the range of 25% to 30% thereafter…. the way you get there, again, is drive the higher-margin recurring revenue streams, expand the gross margin" - Andrew H. Del Matto, CFO, 13th June 2017

Figure 275: Subscription Mix Rising… Figure 276: …with a Rising Corp. Gross Margin Fortinet Billings Mix Fortinet Gross Margin, %

100% 77.5%

Professional 75% Services 75.0% 51% 50% 55%

50% Subscription, 72.5% Support & Maintenance 25% 47% 47% 43% 70.0% Product 0% Gross Margin (%) 2014 2015 2016 67.5% 2014 2015 2016 2017

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Cybersecurity 156

5 September 2017

■ International Exposure and Diversified Customer Verticals Fortinet also has a large international business, with ~60% of LTM revenues outside of the Americas. In terms of customer verticals, service providers, governments and financial services remain the biggest verticals (in terms of Billings). We do highlight that the exposure to international markets also comes with potential FX impact as well as inherent lumpiness from high exposure to a service provider. "We are a little more exposed than other companies are to Europe because of our globally distributed business." - Kelly Blough, IR, 26 July 2017

Figure 277: International Business Accounts for Figure 278: ..with Service Providers, Govt, and Majority of Sales… Financials Verticals Largest for Billings Revenue by Geography LTM Verticals by bookings, LTM

Service Provider APAC

21% Others 20.5% Americas 33.5% 42% 42 FTNT FTNT % 15.6% Government

37% 8.2% 12.0% 10.1% EMEA Retail Financial Education Services

Source: Company data. Source: Company data.

■ Appears Less Expensive on a Growth-Adjusted Basis On a growth-adjusted basis, FTNT appears less expensive, almost across the board. We would highlight that on a recurring revenue basis, it trades almost exactly in-line with PANW. (Given FTNT's lower recurring rates, perhaps investors slightly undervalue PANW's subscription and maintenance revenue stream?)

Figure 279: Valuation Matrix Metric Specific Growth Adjusted Growth adjusted (metric specific) CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 1.75 1.70 0.77 0.67 0.44 0.41 EV/UFCF Adjusted for SBC 1.92 1.87 2.12 1.69 0.69 0.65 EV/UFCF Adjusted for LT Deferred 1.84 1.81 1.19 0.95 0.60 0.55 EV/UFCF Adjusted for SBC & LT Deferred 2.04 2.00 n/a n/a 1.21 1.07 Income Statement Multiples EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22 EV/Non-GAAP Operating Income 2.32 2.24 0.94 0.83 0.87 0.76 Non-GAAP P/E 2.19 2.09 1.65 1.48 1.75 1.57 GAAP P/E 2.45 2.33 n/a n/a 1.09 0.87 EV/Recurring Revenue 1.10 1.06 0.26 0.23 0.25 0.24

Source: Company data, Credit Suisse estimates.

Cybersecurity 157

5 September 2017

Figure 280: Valuation Matrix Revenue Growth Adjusted Growth adjusted (revenue growth) CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82 EV/UFCF Adjusted for SBC 2.25 2.19 1.79 1.42 1.38 1.30 EV/UFCF Adjusted for LT Deferred 2.16 2.12 1.01 0.80 1.20 1.10 EV/UFCF Adjusted for SBC & LT Deferred 2.39 2.35 n/a n/a 2.42 2.14 Income Statement Multiples EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22 EV/Non-GAAP Operating Income 1.97 1.90 1.21 1.07 1.42 1.24 Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49 GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32 EV/Recurring Revenue 1.50 1.44 0.40 0.36 0.37 0.34

Source: Company data, Credit Suisse estimates.

■ Becomes a Strategic Asset in a Consolidating Sector We do appreciate the strategic value of Fortinet, the smallest of three firewall names analyzed herein. One potential suitor for the company might be Symantec, which might see value in combining firewall and Bluecoat proxy solutions in a consolidation play. This becomes especially true if proxy becomes integrated into NGFW even more and Symantec realizes that it has to offer a complete solution to be competitive. On the other hand, Fortinet itself developed organically for the most part as a founder-led company. Any potential strategic play would have material integration risk, in terms of retaining top talent (including the founders). We note the debacle of the Juniper-Netscreen acquisition, where the business struggled to survive as part of a larger organization and lost share to rivals.

Cybersecurity 158

5 September 2017

Management and Board Management Fortinet remains a founder-led company. Brothers Ken and Michael Xie, who founded the company together in 2000, serve as CEO and CTO, respectively. Other senior management have a range of technical and industry experience. Philip Quade, the chief security officer, previously led the Cyber Task Force at the NSA, for example.

Figure 281: FTNT Executive Management

Name Compensation Beneficial ownership of shares C-Suite Experience Position Year Prior Experience Age Joined Salary ($) Bonus ($) Stock($) Number of Value of Shares Shares Ken Xie 2000 $437,750 $301,689 $1,474,006 12,481,891 $478,056,425 ■ Founder and Chief Executive Officer, Fortinet: 2000-2017 CEO and Chairman ■ Founder, President and Chief Executive Officer, NetScreen Technologies:1996-2000 54 ■ Founder, SIS: 1993-1996 ■ MS: Stanford University, MS, BA: Tsinghua University Michael Xie 2000 $386,250 $133,138 $1,343,805 12,432,000 $476,145,600 ■ Founder and Chief Technology Officer, Fortinet: 2000-2017 President, CTO, and Director ■ Former Vice President of Engineering, ServGate Technologies 48 ■ Former Software Director and Architech, NetScreen ■ MS: Tsinghua University, MS: University of Manitoba Andrew Del Matto 2014 $403,143 $206,555 $975,303 31,541 $1,208,020 ■ Chief Financial Officer, Fortinet: 2014-2017 Chief Financial Officer ■ Various Executive Positions, including Chief Accounting Officer, Symantec: 2005-2013 58 ■ Senior Finance Leadership Roles, Inktomi ■ MBA: Golden Gate University, BS: Ohio University John Whittle 2006 $354,868 $170,086 $975,303 64,158 $2,457,251 ■ Vice President and General Counsel, Fortinet: 2006-Present VP, Corporate Development, ■ Vice President and General Counsel, Corio: 2000-2005 General Counsel ■ Attorney, Wilson Sonsin Goodrich & Rosati: 1996-2000 48 ■ JD: Cornell University, BA: University of Virginia Philip Quade 2017 NA NA NA NA NA ■ Former NSA Director's Special Assistant for Cyber Chief Information Security Officer ■ Former Chief of the NSA Cyber Task Force, with White House Relationship Responsibility ■ Former Chief Operating Officer, NSA Information Assurance Directorate ■ BS: University of Maryland Patrice Perche 2004 NA NA NA NA NA ■ Executive Vice President, Fortinet: 2005-Present Sr. EVP, Worldwide Sales ■ Co-Founder and CEO, Risc Group ■ Over 20 Years of IT Industry Experience ■ MS: Insa Lyon John Maddison 2012 NA NA NA NA NA ■ Vice President, Fortinet: 2012-Present SVP, Products and Solutions ■ Former General Manager and Senior Vice President, Trend Micro ■ Former Senior Director of Product Management, Lucent Technologies ■ BS: Plymouth University, United Kingdom Lisa McGill 2016 NA NA NA NA NA ■ Former Senior Vice President, Brocade Communications SVP, People ■ Former Senior Vice President, Foundry Networks ■ Held Various Senior Human Resources Positions at Alcatel and PricewaterhouseCoopers ■ MBA: Pepperdine University, BS: University of Phoenix Stacey Wu 2016 NA NA NA NA NA ■ Former Vice President, Marketing and Demand Generation, Avaya SVP, Global Marketing ■ Former Vice President, Strategic Marketing and Planning, Symantec ■ Held Various Marketing Leadership Positions at Check Point, NEC, and HP ■ MBA: Massachusetts Institute of Technology, BS: San Francisco State University

Source: Company data, Credit Suisse estimates.

Fortinet management scores near the median on most of the metrics we track. C-Suite experience is distributed mostly across CEO and VP level positions, with few former CFOs. There is also limited financial services experience on the Fortinet management team.

Cybersecurity 159

5 September 2017

Figure 282: Fortinet Scores Toward the Middle of Figure 283: It Also Is Close to Average in C-Suite the Pack in Overall Experience Experience Management Experience Management C-Suite Experience CHKP Per Executive NOW Per Executive

HDP Relevant Industry PANW VP CEO CFO

NOW Other Executive SYMC CEO/CFO SYMC HDP Other Industry PANW Finance FTNT

FTNT AKAM

SPLK SPLK

RHT RHT

AKAM VMW

VMW CHKP

ORCL ORCL

0 5 10 15 20 25 30 35 0 5 10 15 20

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Board Ken Xie and Michael Xie form the backbone of the board, but figures from outside tech, such as Gary Locke, the former US ambassador to China, and William Neukom, the former president of the American Bar Association, are also represented.

Cybersecurity 160

Cybersecurity

Figure 284: FTNT Board

Name Beneficial ownership of shares Committee memberships C-Suite Experience Position Director Independent Other Board Prior Experience and Principal occupation Age Since? Director? Affiliations? Number of Value of Audit Comp. Gov.

Shares Shares Ken Xie 2000 No 1 12,481,891 $478,056,425 ■ Founder and Chief Executive Officer, Fortinet: 2000-2017 CEO and Chairman ■ Founder, President and Chief Executive Officer, NetScreen Technologies:1996-2000 54 ■ Founder, SIS: 1993-1996 ■ MS: Stanford University, MS, BA: Tsinghua University Michael Xie 2001 No 0 12,432,000 $476,145,600 ■ Founder and Chief Technology Officer, Fortinet: 2000-2017 President, CTO, and Director ■ Former Vice President of Engineering, ServGate Technologies 48 ■ Former Software Director and Architech, NetScreen ■ MS: Tsinghua University, MS: University of Manitoba Ming Hsieh 2013 Yes 1 5,332 $204,216 a a a ■ Chairman and Chief Executive Officer, Fulgent Therapeutics: 2012-Present Director ■ President, 3M Cogent: 2010-2012 61 ■ Founder, President, and Chief Executive Officer, Cogent: 1990-2010 ■ MS, BS: University of Southern California Gary Locke 2015 Yes 2 13,750 $526,625 a ■ Chairman, Locke Global Strategies Director Chair ■ United States Ambassador to China: 2011-2014 67 ■ United States Secretary of Commerce: 2009-2011 ■ JD: Boston University, BA: Yale University William Neukom 2013 Yes 1 39,275 $1,504,233 a a ■ Founder, President, and Chief Executive Officer, World Justice Project: 2006-Present Director Chair ■ President, American Bar Association: 2007-2008 75 ■ Managing General Partner and Chief Executive Officer, San Francisco Baseball Associates: 2008-2011 ■ LL.B: Stanford University, BA: Dartmouth College Christopher Paisley 2004 Yes 5 68,275 $2,614,933 a a ■ Dean's Executive Professor of Accounting, Leavey School of Business: 2001-Present Director Chair ■ Former Chief Financial Officer, 3Com: 1985-2000 64 ■ Director, Equinix ■ MBA: Universicle of California, Los Angeles, BA: University of California, Santa Barbara Judith Sim 2015 Yes 0 15,000 $574,500 a ■ Chief Marketing Officer, Oracle: 2005-Present Director ■ Various Marketing and Customer-Related Positions, Oracle: 1991-2005 48 ■ BS: University of California, Davis

Source: Company data, Credit Suisse estimates.

5 September 2017 September 5

161

5 September 2017

As with management, the board scores near average on most of the metrics on our scorecard. Experience per director is close to the median, though the breadth of different backgrounds is wider than most. In the aggregate, experience is slightly below average since the board is small.

Figure 285: Fortinet Has a Wide Spectrum of Figure 286: Due to the Smaller Size, Aggregate Experience on Its Board Experience Is Lower Board Experience Aggregate SYMC Per Director HDP Board Experience

HDP Relevant Industry FTNT Relevant Industry

PANW Other Executive RHT Other Executive CEO/CFO CEO/CFO RHT VMW Other Industry Other Industry FTNT Finance SPLK Finance

NOW PANW

VMW SYMC

SPLK CHKP

ORCL NOW

CHKP ORCL

AKAM AKAM

0 5 10 15 20 25 30 35 40 0 50 100 150 200 250 300 350 400

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Fortinet has two law degrees on its board, more on a per-director basis than any other company in our coverage. Gary Locke received a JD from Boston University and William Neukom achieved an LLB from Stanford.

Figure 287: Fortinet Has More Law Degrees than Any Other Company in Our Coverage Universe Degrees Per Director VMW BA/BS

SPLK MBA

PANW MS

CHKP JD

HDP PhD

NOW

AKAM

FTNT

RHT

ORCL

SYMC

0 0.5 1 1.5 2

Source: Company data, Credit Suisse estimates.

Cybersecurity 162 5 September 2017

Valuation We use Discounted Cash Flows to estimate the intrinsic value for FTNT at $33/share, representing 14% downside. This informs our Underperform Rating, and is supported by our multiples based relative valuation work. In addition, we have constructed blue-sky and grey-sky scenarios. The Blue Sky assumes a 2.5% terminal growth rate, and the grey assumes 0%, reflecting our view on the outlook for the space as a whole.

Figure 288: Blue-Sky/Grey-Sky Pricing Figure 289: Blue-Sky/Grey-Sky Schematic Current Price $38 16.4x FY18E uFCF (SBC adj.) Blue Sky

Target Price $33 -14% 13.5x FY18E uFCF (SBC adj.) $44 This scenario assumes the firewall market decelerates broadly in line with our expectations (we model a 1% terminal growth rate from 2026E), and Fortinet is disproportionately impacted due to its exposure to Service providers. Current Blue Sky $44 14% 19.3x FY18E uFCF (SBC adj.) Price Fortinet enjoys a stronger than expected appliance refresh cycle tailwind in addition to $38 virtual firewall retaining more relevance than we expect, and FTNT successfully selling into this virtual market.

FY18E uFCF (SBC adj.) Grey sky $30 -23% 11.7x Target Price Fortinet struggles to attain significant virtual share, this is against a backdrop of $33 declining firewall relevance and significant price pressures.

Grey Sky

$30

Source: Check Point, Credit Suisse estimates. Source: Check Point, Credit Suisse estimates.

Target Scenario Our base case assumes a five-year transition period, with FCF growth declining smoothly from an estimated 5% in 2020. This scenario assumes the firewall market decelerates broadly in-line with our expectations (we model a 1.5% terminal growth rate from 2026E), and Fortinet is disproportionately impacted due to its exposure to service providers.

Blue-Sky Scenario For our blue-sky scenario, we again model a five-year transition period but drive higher free cash growth, which assumes Fortinet enjoys a stronger-than-expected appliance refresh cycle tailwind, in addition to virtual firewall retaining more relevance than we expect, and FTNT successfully sells into this virtual market. Our blue-sky scenario yields a $44 warranted price, which represents 14% upside potential.

Grey-Sky Scenario In the grey-sky scenario, we use a five-year transition period and lower free cash flow growth assumption. The scenario results in a share price of $30, implying 23% downside risk to the current share price. In this scenario, Fortinet struggles to attain significant virtual share; this is against a backdrop of declining firewall relevance and significant price pressures.

Cybersecurity 163 5 September 2017

Figure 290: Share Price Sensitivity to Cost of Equity and UFCF Growth Rate Share price sensitivity to cost of equity and UFCF growth rate

Unlevered Free Cash Flow FY3 growth rate 33.46557 5.0% 7.0% 9.0% 11.0% 13.0% 15.0% 17.0% 19.0% 21.0% 8.0% $38 $40 $42 $44 $46 $48 $50 $52 $54 8.5% $37 $39 $40 $42 $44 $46 $48 $50 $52 9.0% $36 $37 $39 $40 $42 $44 $46 $48 $50 9.5% $35 $36 $38 $39 $41 $42 $44 $46 $48 Terminal 10.0% $34 $35 $37 $38 $40 $41 $43 $45 $46 Cost of 10.5% $33 $34 $36 $37 $39 $40 $42 $43 $45 Equity 11.0% $32 $34 $35 $36 $38 $39 $41 $42 $44 11.5% $32 $33 $34 $35 $37 $38 $40 $41 $43 12.0% $31 $32 $33 $35 $36 $37 $39 $40 $42 12.5% $30 $32 $33 $34 $35 $37 $38 $39 $41 13.0% $30 $31 $32 $33 $35 $36 $37 $39 $40 13.5% $30 $31 $32 $33 $34 $35 $36 $38 $39 14.0% $29 $30 $31 $32 $33 $35 $36 $37 $39 14.5% $29 $30 $31 $32 $33 $34 $35 $37 $38

Source: Company data, Credit Suisse estimates.

Figure 291: Fortinet Valuation Matrix

Valuation Matrix 2015 (A) 2016 (A) 2017 (E) 2018 (E) NTM LTM Sales $1,009 $1,275 $1,493 $1,657 2 $1,539 $1,331 EBITDA $133 $193 $238 $292 3 $253 $206 EPS $0.51 $0.74 $0.94 $1.10 4 $0.99 $0.80 CFO $283 $340 $466 $541 5 $505 $369

Estimates FCF $283 $340 $466 $541 6 $505 $369 UFCF $242 $268 $309 $439 7 $335 $313

EV/Sales 4.7x 3.8x 3.2x 2.9x 3.1x 3.6x EV/EBITDA 35.9x 24.8x 20.1x 16.4x 18.9x 23.2x P/E 72.2x 49.7x 39.1x 8.4x 9.3x 11.6x EV/CFO 16.9x 14.1x 10.3x 8.9x 9.5x 13.0x

Target EV/FCF 16.9x 14.1x 10.3x 8.9x 9.5x 13.0x EV/UFCF 19.8x 17.8x 15.5x 10.9x 14.3x 15.3x

EV/Sales 5.3x 4.2x 3.6x 3.2x 3.5x 4.0x EV/EBITDA 40.4x 27.9x 22.6x 18.4x 21.3x 26.1x P/E 72.2x 49.7x 39.1x 33.5x 37.3x 46.4x EV/CFO 19.0x 15.8x 11.5x 10.0x 10.7x 14.6x Current EV/FCF 19.0x 15.8x 11.5x 10.0x 10.7x 14.6x EV/UFCF 22.3x 20.1x 17.4x 12.2x 16.1x 17.2x

y/y, % y/y, % y/y, % y/y, % CAGR Revenue 31.0% 26.4% 17.0% 11.0% 18.0% EBITDA 9.2% 44.9% 23.3% 22.4% 29.8% EPS 7.0% 45.2% 27.3% 16.6% 29.2% CFO 43.7% 20.4% 37.1% 15.9% 24.2%

Growth FCF 43.7% 20.4% 37.1% 15.9% 24.2% UFCF 50.2% 10.9% 15.1% 42.4% 22.0%

Source: Company data, Credit Suisse estimates.

Cybersecurity 164 5 September 2017

Figure 292: Fortinet DCF Scenarios

Target Price

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL TP Value distribution 2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity

Period 1 2 3 4 5 6 7 8 9 10 Current risk-free rate of return 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% Beta 1.40 1.40 1.40 1.40 1.40 1.40 1.40 1.40 1.33 1.26 1.20 1.13 1.07 1.00 Market rate of return 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2% FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 6.5% 5.0% 4.4% 3.8% 3.3% 2.7% 2.1% 1.5% Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80

Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 468 491 513 533 550 565 576 585 6,694 Stock Based Compensation Expense 31.1 41.3 66.6 87.1 99.8 111.9 SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5% FCF adjusted for SBC 98.8 119.6 178.6 181.0 208.8 327.4 348.7 366.1 398.5 430.6 462.0 492.2 520.7 547.0 6,693.7

NPV of Free cash flow ($M) 196.7 281.9 266.4 248.2 240.6 232.4 223.6 214.5 205.1 2,391.7 Cumulative NPV of FCF ($M) 196.7 478.7 745.1 993.3 1,233.9 1,466.2 1,689.9 1,904.4 2,109.5 4,501

Cumulative NPV of FCF ($M) $ 4,501 Shares outstanding (M) 178 NPV/Share of FCF $ 25 (Net Cash) / Share $ 8.22 Total NPV/Share 33 Current price / Share $38 Upside / Downside Potential -13%

Blue Sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value distribution 2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity

Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2% FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 15.0% 12.0% 10.4% 8.8% 7.3% 5.7% 4.1% 2.5% Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80

Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 505 566 625 680 729 771 802 822 10,622 Stock Based Compensation Expense 31.1 41.3 66.6 87.1 99.8 111.9 SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5% 0% FCF adjusted for SBC 98.8 119.6 178.6 181.0 208.8 327.4 376.5 421.7 485.4 549.8 612.7 671.8 724.6 768.7 10,622.0

NPV of Free cash flow ($M) 196.7 281.9 287.7 285.9 293.0 296.7 296.6 292.8 285.4 3,795.3 Cumulative NPV of FCF ($M) 196.7 478.7 766.3 1,052.2 1,345.3 1,641.9 1,938.5 2,231.3 2,516.7 6,312

Cumulative NPV of FCF ($M) $ 6,312 Shares outstanding (M) 178 NPV/Share of FCF 35 (Net Cash - 10% of Revenues) / Share $ 8.22 Total NPV/Share 44 Current price / Share $38 Upside / Downside Potential 14%

Grey sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value distribution 2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity

Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2% FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 6.0% 3.0% 2.5% 2.0% 1.5% 1.0% 0.5% 0.0% Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80

Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 466 480 492 501 509 514 517 517 5,046 Stock Based Compensation Expense 31.1 41.3 66.6 87.1 99.8 111.9 0.0 0 0 0 0 0 0 0 0 SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5% 0% FCF adjusted for SBC 98.8 119.6 178.6 181.0 208.8 327.4 347.0 357.5 381.9 405.4 427.6 448.2 466.7 483.1 5,045.6

NPV of Free cash flow ($M) 197 282 265 242 231 219 207 195 184 1,803 Cumulative NPV of FCF ($M) 197 479 744 986 1,217 1,436 1,643 1,838 2,022 3,825

Cumulative NPV of FCF ($M) $ 3,825 Shares outstanding (M) 178 NPV/Share of FCF 21.5 (Net Cash - 10% of Revenues) / Share $ 8.22 Total NPV/Share 29.669834 Current price / Share $38 Upside / Downside Potential -23%

Source: Company data, Credit Suisse estimates.

‘

Cybersecurity 165 5 September 2017

HOLT FTNT – HOLT Market-Implied Scenario and Sensitivity Analysis Assuming margins rise from consensus levels of 10% to historical peak of 22%, FTNT’s current price of $38 implies a sales CAGR of 8% over the next ten years

Figure 293: CFROI® (%) Figure 294: Valuation Sensitivity Analysis

2018 - 2026 Sales CAGR

18 16.8 26E EBITDA -200 bps 0 bps +200 bps +400 bps +600 bps +800 bps Margins ˅ 15 6.0% 8.0% 10.0% 12.0% 14.0% 16.0%

12 - 1200 bps 9.5% $17 $20 $23 $27 $33 $40

9 - 900 bps 12.5% $21 $24 $29 $35 $42 $52 5.9 6 - 600 bps 15.5% $25 $29 $35 $42 $51 $64 3 - 300 bps 18.5% $28 $34 $41 $49 $61 $75 0 2007 2011 2015 2019 2023 0 bps 21.5% $32 $38 $46 $57 $70 $87

Historical CFROI Forecast Discount Rate + 300 bps 24.5% $36 $43 $52 $64 $79 $98

Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Assumptions and Methodology ■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4 onward are assumed to rise up to 21.5% based on historical peak levels

■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, we solved for the implied CAGR required to get to the respective values per share

■ Asset Efficiency: assumed constant from LFY levels

■ Fade Window: Used ten years of explicit forecasts for comparison with CHKP

■ Fade: After year ten, the HOLT methodology calculates the terminal value by fading returns on capital and growth toward cost of capital and GDP growth, respectively

Figure 295: Operating Projections Implied by Current Price: $37 per Share 1 Assumed long term margins to rise from 2 Solved for the long term sales CAGR 9.5% to historical peak of 21.5% required to get to current price of $38 32 30 Consensus 24 21.5 Consensus 20 16.9 16 9.5 10 8.0 8 0 0 2007 2011 2015 2019 2023 (10) Historical margins Forecast 2007 2011 2015 2019 2023 Margins w/o SBC Historical growth Forecast

Source: HOLT, Credit Suisse Research.

Cybersecurity 166

Cybersecurity

Figure 296: Fortinet Income Statement, Non-GAAP

Research Analysts Brad Zelnick (212) 325 6118 [email protected]

Jobin Mathew (212) 325 9676 [email protected] Fortinet (FTNT) Syed Talha Saleem, CFA (212) 538 1428 Income Statement [email protected] $ in Millions except per share items Fiscal year end: December 31 2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E) Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18 2Q18 3Q18 4Q18 Full Year Pro-Forma Income Statement Product Revenue 476.8 124.6 136.6 128.0 158.9 548.1 135.3 142.7 138.2 168.5 584.6 138.0 148.4 142.4 175.2 603.9 Services and Other Revenue 532.5 160.0 174.8 188.7 203.9 727.3 205.3 220.8 232.9 249.2 908.2 248.9 257.7 267.2 279.3 1,053.1

Total Revenues 1,009.3 284.6 311.4 316.6 362.8 1,275.4 340.6 363.5 371.1 417.7 1,492.8 386.8 406.1 409.6 454.5 1,657.0 y/y change 31% 34% 30% 22% 22% 26% 20% 17% 17% 15% 17% 14% 12% 10% 9% 11%

Total Cost of Revenue, non-GAAP 274.0 74.1 79.8 79.4 85.3 318.6 85.6 90.6 92.2 105.6 374.1 94.5 100.1 99.0 114.6 408.2

Cost of Product Revenue 184.7 47.9 50.2 47.1 53.3 198.5 52.7 58.2 58.0 69.1 238.0 57.9 62.3 59.8 73.6 253.6 % product gross margin 61% 62% 63% 63% 66% 64% 61% 59% 58% 59% 59% 58% 58% 58% 58% 58% Cost of Services and Other Revenue 89.3 26.2 29.6 32.3 32.0 120.1 33.0 32.4 34.2 36.6 136.1 36.5 37.8 39.2 41.0 154.5 % services gross margin 83% 84% 83% 83% 84% 83% 84% 85% 85% 85% 85% 85% 85% 85% 85% 85%

Non-GAAP Gross Profit 735.3 210.5 231.6 237.2 277.6 956.9 255.0 272.9 278.9 312.0 1,118.7 292.4 305.9 310.6 339.9 1,248.8 % Non-GAAP Gross Margin 73% 74% 74% 75% 76% 75% 75% 75% 75% 75% 75% 76% 75% 76% 75% 75%

Research and Development, non-GAAP 133.6 37.6 38.0 39.6 37.7 153.0 43.3 42.9 47.9 56.0 190.0 47.2 48.7 50.8 58.2 204.9 % of total revenue 13% 13% 12% 13% 10% 12% 13% 12% 13% 13% 13% 12% 12% 12% 13% 12% Sales and Marketing, non-GAAP 420.9 130.3 145.7 137.5 144.9 558.4 151.4 146.6 155.9 167.1 620.9 170.0 170.6 170.0 172.7 683.2 % of total revenue 42% 46% 47% 43% 40% 44% 44% 40% 42% 40% 42% 44% 42% 42% 38% 41%

General and Administrative, non-GAAP 50.4 12.9 12.1 14.4 13.8 53.2 17.3 17.7 17.1 17.5 69.6 17.7 17.7 16.8 16.8 69.1 % of total revenue 5% 5% 4% 5% 4% 4% 5% 5% 5% 4% 5% 5% 4% 4% 4% 4% Other non-GAAP Adjustments 2.9 0.4 0.3 0.2 0.0 0.8 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Total Operating Expenses, non-GAAP 602.0 180.4 195.6 191.3 196.4 763.8 212.0 207.2 220.8 240.6 880.5 235.0 237.0 237.6 247.7 957.2 y/y change 41% 37% 35% 23% 15% 27% 17% 6% 15% 22% 15% 11% 14% 8% 3% 9% % of total revenue 60% 63% 63% 60% 54% 60% 62% 57% 60% 58% 59% 61% 58% 58% 55% 58%

Non-GAAP Operating Income 133.3 30.1 36.0 45.9 81.1 193.1 43.0 65.7 58.1 71.5 238.2 57.4 68.9 73.0 92.2 291.6 % Non-GAAP Operating Margin 13% 11% 12% 15% 22% 15% 13% 18% 16% 17% 16% 15% 17% 18% 20% 18%

Total Other Income (Expense), GAAP 2.1 0.4 0.4 1.1 -1.7 0.2 2.7 4.4 3.0 3.0 13.1 3.0 3.0 3.0 3.0 12.0 Income Before Taxes 135.5 30.5 36.3 47.0 79.4 193.3 45.7 70.1 61.1 74.5 251.3 60.4 71.9 76.0 95.2 303.6 Income Taxes 46.1 10.4 12.4 14.9 26.2 63.8 14.6 22.4 19.5 23.8 80.4 19.3 23.0 24.3 30.5 97.1 Effective Tax Rate 34% 34% 34% 32% 33% 33% 32% 32% 32% 32% 32% 32% 32% 32% 32% 32%

5 September 2017 September 5 Non-GAAP Net Income 89.4 20.1 24.0 32.2 53.2 129.5 31.0 47.7 41.5 50.6 170.9 41.1 48.9 51.7 64.8 206.4 TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE

Diluted Non-GAAP EPS $0.51 $0.12 $0.14 $0.18 $0.30 $0.74 $0.17 $0.27 $0.23 $0.27 $0.94 $0.22 $0.26 $0.27 $0.34 $1.10 Diluted Shares Outstanding 174.9 174.3 172.1 177.9 176.7 174.6 178.3 179.7 181.6 184.3 181.0 185.6 186.8 188.1 189.3 187.4

167 Source: Company data, Credit Suisse estimates.

Cybersecurity

Figure 297: Fortinet Balance Sheet

Research Analysts Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew (212) 325 9676 [email protected] Fortinet (FTNT) Syed Talha Saleem, CFA (212) 538 1428 Balance Sheet [email protected] $ in Millions except per share items Fiscal year end: December 31 2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E) Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18 2Q18 3Q18 4Q18 Full Year Current Assets Cash and cash equivalents 543.3 568.0 596.4 647.5 709.0 709.0 823.2 853.1 863.5 903.0 903.0 1,005.9 1,104.6 1,176.3 1,190.5 1,190.5 Short-term investments 348.1 384.6 388.4 382.9 376.5 376.5 375.4 354.2 354.2 354.2 354.2 354.2 354.2 354.2 354.2 354.2 Accounts receivable, net 259.6 220.1 254.4 239.0 313.0 313.0 270.1 274.5 271.4 352.9 352.9 302.4 307.4 303.7 370.1 370.1 Inventory 83.9 78.2 81.2 93.7 106.9 106.9 105.0 86.4 92.8 125.3 125.3 119.9 105.6 122.9 159.1 159.1 Prepaid expenses and other current assets 35.8 34.7 33.5 31.7 33.3 33.3 42.3 36.4 44.7 46.3 46.3 55.7 47.6 46.1 54.5 54.5 Deferred cost of revenues Total Current Assets 1,270.5 1,285.7 1,353.9 1,394.9 1,538.7 1,538.7 1,616.1 1,604.6 1,626.5 1,781.7 1,781.7 1,838.1 1,919.4 2,003.2 2,128.4 2,128.4

Non-Current Assets Long-term investments 273.0 241.9 237.2 240.2 225.0 225.0 242.3 257.6 257.6 257.6 257.6 257.6 257.6 257.6 257.6 257.6 Property and equipment, net 91.1 115.8 125.6 126.1 137.2 137.2 155.5 238.5 253.8 250.5 250.5 256.7 259.2 257.6 265.1 265.1 Deferred cost of revenues Deferred tax assets 119.2 131.7 180.8 189.4 182.7 182.7 199.2 207.0 216.7 227.1 227.1 228.2 235.4 241.7 281.8 281.8 Goodwill 4.7 4.7 14.2 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 Intangible assets, net 17.6 16.5 31.5 27.8 24.8 24.8 22.5 20.3 18.3 16.5 16.5 14.9 13.5 12.1 11.0 11.0 Other assets 14.4 15.3 16.9 17.1 16.9 16.9 17.2 18.0 20.1 20.8 20.8 20.2 21.1 21.9 22.7 22.7 Total Assets 1,790.5 1,811.5 1,960.2 2,010.2 2,139.9 2,139.9 2,267.4 2,360.7 2,407.7 2,568.9 2,568.9 2,630.3 2,720.8 2,808.6 2,981.1 2,981.1

Current Liabilities Accounts payable 61.5 48.0 56.9 57.5 56.7 56.7 48.7 42.2 43.4 62.4 62.4 55.8 47.3 48.3 68.0 68.0 Accrued liabilities 33.0 33.5 32.9 37.3 35.6 35.6 43.4 41.2 40.8 45.9 45.9 42.5 44.7 45.1 50.0 50.0 Accrued payroll and compensation 61.1 58.2 70.8 65.6 78.1 78.1 73.2 80.3 70.5 79.4 79.4 73.5 77.2 77.8 86.4 86.4 Income taxes payable 8.4 9.2 8.2 7.8 13.6 13.6 14.1 15.2 15.2 15.2 15.2 15.2 15.2 15.2 15.2 15.2 Deferred revenue 514.7 538.4 563.2 582.1 645.3 645.3 677.1 706.7 738.5 812.3 812.3 848.9 891.3 935.9 1,001.4 1,001.4 Total Current Liabilities 678.7 687.3 732.0 750.4 829.4 829.4 856.6 885.5 908.4 1,015.2 1,015.2 1,035.9 1,075.6 1,122.3 1,220.9 1,220.9

Non-Current Liabilities Deferred revenue, net of current 276.7 298.7 340.8 352.6 390.0 390.0 420.9 454.8 473.0 510.8 510.8 538.9 568.6 585.6 620.8 620.8 Income taxes payable 60.6 65.2 66.3 68.0 68.6 68.6 73.0 81.7 81.7 81.7 81.7 81.7 81.7 81.7 81.7 81.7 Other long-term liabilities 19.2 17.9 16.5 16.1 14.3 14.3 18.6 16.5 16.5 16.5 16.5 16.5 16.5 16.5 16.5 16.5 Total Liabilities 1,035.1 1,069.1 1,155.6 1,187.1 1,302.3 1,302.3 1,369.1 1,438.6 1,479.6 1,624.3 1,624.3 1,673.1 1,742.4 1,806.1 1,939.9 1,939.9

Total Stockholders' Equity 755.4 742.4 804.6 823.1 837.7 837.7 898.2 922.1 928.1 944.6 944.6 957.2 978.4 1,002.5 1,041.2 1,041.2

Total Liabilities + Stockholders' Equity 1,790.5 1,811.5 1,960.2 2,010.2 2,139.9 2,139.9 2,267.4 2,360.7 2,407.7 2,568.9 2,568.9 2,630.3 2,720.8 2,808.6 2,981.1 2,981.1

Source: Company data, Credit Suisse estimates.

2017 September 5

168

Cybersecurity

Figure 298: Fortinet Statement of Cash Flows

Research Analysts

Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew (212) 325 9676

[email protected] Fortinet (FTNT) Syed Talha Saleem, CFA (212) 538 1428 Statement of Cash Flows [email protected] $ in Millions except per share items Fiscal year end: December 31 2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E) Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18 2Q18 3Q18 4Q18 Full Year

Net Income 8.0 -3.4 -1.4 6.3 25.2 26.6 10.7 23.0 16.7 23.7 74.1 14.4 21.6 24.8 35.9 96.7 y/y change

Depreciation and amortization 31.6 10.6 11.3 13.1 13.6 48.5 13.5 14.0 20.1 21.8 69.4 20.6 21.3 21.3 20.9 84.2 Amortization of investment premiums 7.5 1.5 1.3 1.0 1.0 4.8 1.0 0.5 0.0 0.0 1.4 0.0 0.0 0.0 0.0 0.0 Stock based compensation expense 95.1 30.9 28.4 31.1 32.1 122.4 33.3 35.1 35.3 38.8 142.5 38.2 39.6 39.3 42.7 159.9 Other non-cash items, net 3.4 -0.4 1.6 3.7 -2.2 2.6 1.5 0.2 0.0 0.0 1.7 0.0 0.0 0.0 0.0 0.0

Changes in Assets and Liabilities: 137.0 61.5 21.3 21.0 31.4 135.2 69.8 71.9 17.8 17.9 177.3 94.9 78.5 44.7 -18.1 199.9 Accounts receivable -66.5 38.9 -36.9 10.8 -70.7 -57.9 42.4 -4.5 3.1 -81.5 -40.5 50.5 -5.1 3.8 -66.4 -17.2 Inventory -19.1 -0.5 -7.5 -16.5 -18.5 -43.0 -3.5 13.3 -6.3 -32.5 -29.1 5.4 14.3 -17.3 -36.2 -33.8 Deferred cost of revenues 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Deferred tax assets -29.9 -13.1 -14.0 -7.9 7.2 -27.8 -16.6 -7.8 -9.7 -10.4 -44.5 -1.1 -7.2 -6.2 -40.1 -54.7 Prepaid expenses and other current assets -2.6 1.0 1.4 1.9 -1.7 2.6 -8.3 5.0 -8.3 -1.6 -13.2 -9.4 8.1 1.5 -8.4 -8.2 Other assets 0.7 -0.9 -1.5 -0.2 0.2 -2.4 0.7 0.1 -2.1 -0.7 -2.0 0.6 -0.9 -0.8 -0.8 -1.9 Accounts payable -2.5 -11.4 11.3 -1.5 1.6 0.0 -8.3 -11.6 1.2 19.0 0.4 -6.6 -8.6 1.0 19.7 5.6 Accured liabilities 0.9 0.3 -6.7 7.0 -3.8 -3.2 2.9 -1.2 -0.4 5.1 6.5 -3.4 2.1 0.4 4.9 4.1 Accrued payroll and compensation 11.3 -2.9 11.6 -5.4 12.4 15.7 -5.3 6.8 -9.8 8.9 0.6 -5.9 3.7 0.7 8.5 7.0 Other liabilities 2.0 -1.3 -1.5 -0.3 -1.9 -5.0 -1.1 -1.6 0.0 0.0 -2.7 0.0 0.0 0.0 0.0 0.0 Deferred revenues 222.3 46.1 65.0 31.8 100.1 243.0 61.8 63.6 50.0 111.7 287.1 64.7 72.1 61.6 100.6 299.0 Income taxes payable 20.4 5.4 0.1 1.3 6.3 13.1 5.0 9.8 0.0 0.0 14.8 0.0 0.0 0.0 0.0 0.0 Cash Flow from Operations 282.5 100.6 62.4 76.1 101.0 340.2 129.7 144.8 89.8 102.2 466.4 168.1 161.0 130.1 81.4 540.7

Investments, net 74.4 -4.2 -0.1 0.5 19.0 15.1 -17.8 4.5 0.0 0.0 -13.3 0.0 0.0 0.0 0.0 0.0 Purchase of property and equipment -37.4 -30.0 -14.4 -5.9 -16.9 -67.2 -13.5 -86.4 -33.4 -16.7 -150.0 -25.1 -22.3 -18.4 -27.3 -93.2 Acquisitions, net of cash acquired -38.0 0.0 -20.7 -1.4 0.0 -22.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Other 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Cash Flow from Investing -1.0 -34.2 -35.2 -6.8 2.1 -74.1 -31.3 -81.8 -33.4 -16.7 -163.3 -25.1 -22.3 -18.4 -27.3 -93.2

Proceeds from issuance/(repurchase) of stock/options, net 67.3 17.8 5.2 19.3 2.6 44.9 29.5 12.3 0.0 0.0 41.8 0.0 0.0 0.0 0.0 0.0 Proceeds from exercise of stock options 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Taxes paid related to net share settlement of equity awards -28.9 -9.4 -7.9 -12.5 -8.4 -38.3 -13.7 -12.2 0.0 0.0 -25.9 0.0 0.0 0.0 0.0 0.0 Excess tax benefit from stock-based compensation 0.0 0.0 -1.6 0.0 0.0 -1.6 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Repurchase of preferred stock 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Repurchase of common stock -60.0 -50.0 0.0 -25.0 -35.8 -110.8 -25.0 -33.2 -46.0 -46.0 -150.2 -40.0 -40.0 -40.0 -40.0 -160.0 Cash Flow from Financing -21.6 -41.6 -4.4 -18.2 -41.6 -105.9 -9.2 -33.0 -46.0 -46.0 -134.2 -40.0 -40.0 -40.0 -40.0 -160.0

Cash and cash equivalents, beginning of period 286.2 546.2 571.0 593.8 644.9 546.2 706.4 795.6 825.5 835.9 706.4 875.4 978.3 1,077.0 1,148.7 875.4

Foreign exchange translation impact on cash 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2017 September 5 Net increase (decrease) in cash 260.0 24.8 22.8 51.1 61.5 160.2 89.2 29.9 10.4 39.5 169.0 103.0 98.7 71.7 14.1 287.5 Cash and cash equivalents, end of period 546.2 571.0 593.8 644.9 706.4 706.4 795.6 825.5 835.9 875.4 875.4 978.3 1,077.0 1,148.7 1,162.8 1,162.8

Source: Company data, Credit Suisse estimates.

169

5 September 2017

Figure 299: Fortinet PEERs

Source: Company data, Credit Suisse estimates

Cybersecurity 170 5 September 2017

Check Point Software Technologies: Without a Box… Check! Americas/United States Software

Check Point Software Technologies Ltd. (CHKP) Rating NEUTRAL Price (01-Sep-17, US$) 110.89 Target price (US$) 110.00 52-week price range (US$) 115.72 - 74.81 Best of the Rest Market cap(US$ m) 19,395 Target price is for 12 months. We initiate coverage of Check Point with a Neutral rating and a $110 target price,

reflecting 1% downside potential and 19.5x our 2018 earnings estimate. While Research Analysts we are negative on the category as a whole, Check Point is our preferred firewall Brad A Zelnick 212 325-6118 play on a relative basis. [email protected] ■ Best Placed to Weather Category Risks: Our analysis of category risks Jobin Mathew 212 325 9676 suggests CHKP is substantially better placed to weather sector headwinds [email protected] compared with PANW and FTNT. We do not believe CHKP is the most at risk Syed Talha Saleem, CFA on any single headwind we have identified. 212 538 1428 [email protected] ■ Maturity & Discipline an Advantage: Ultimately, we expect the future firewall market to be one in which the wisdom of age will trump the exuberance of youth. CHKP is a highly disciplined wealth creator focused on the long term. It is one of only 6% of >20k companies in Credit Suisse HOLT to achieve an eCAP quality award. In addition, it benefits from abnormal levels of incentive alignment and has exceptional price discipline. ■ Not Its First Rodeo: We take confidence in the fact CHKP has once already traversed the transition from software to hardware in the mid-2000s. As the hardware box & software attach trend reverses direction and this model disaggregates, we expect the experience of a long-tenured management team to be a distinct, albeit unquantifiable, advantage. ■ Firepower for Transformative M&A: We estimate Check Point could deploy $10bn for transformative M&A. This is 80% more than PANW, and 130% more than FTNT. In a market where we believe CHKP's core product to be declining in relevance, the firepower to make strategically significant and transformative acquisitions is a distinct competitive advantage. ■ Valuation: Our relative valuation shows CHKP to be substantially more attractive than FTNT and CHKP on both cash flow and income statement multiples. Value is most clearly discerned when adjusting uFCF for SBC (16x vs PANW at 30x and FTNT at 18x CY18 EV/uFCF). Share price performance Financial and valuation metrics

Year 12/15A 12/16A 12/17E 12/18E NON-GAAP EPS (CS adj., ) 4.18 4.72 5.18 5.66 Prev. EPS (CS adj., US$) P/E (CS adj.) (x) 26.5 23.5 21.4 19.6 P/E rel. (CS adj., %) - 111 112 114 Revenue (US$ m) 1,630 1,741 1,871 2,004 Non-GAAP Operating Income 927 948 1,003 1,069 Net(US$ Debt m) (US$ m) -3,615 -3,669 -3,731 -3,784 Unlevered Free Cash Flow 873 865 958 1,020 On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55 P/uFCF(US$) (x) 12.7 12.8 11.6 10.9

Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$77.98 Number of shares (m) 174.90 Price/Sales (x) 10.22

Quarterly EPS Q1 Q2 Q3 Q4 Net debt (Next Qtr., US$ m) -3,774.8 Dividend (current, US$) - 2016A 1.06 1.09 1.13 1.46 Dividend yield (%) - 2017E 1.20 1.26 1.24 1.48 Source: Company data, Thomson Reuters, Credit Suisse estimates

2018E 1.31 1.37 1.38 1.60

Cybersecurity 171 5 September 2017

Check Point Software Technologies Ltd. (CHKP) Price (01 Sep 2017): US$110.89; Rating: NEUTRAL; Target Price: US$110.00; Analyst: Brad Zelnick Income Statement 12/15A 12/16A 12/17E 12/18E Company Background Revenue (US$ m) 1,629.9 1,741.3 1,870.5 2,003.8 Check Point is a leading security software company. The first EBITDA 937.6 959.0 1,015.1 1,080.4 company to commercialize stateful firewall and VPN, Check Point Operating profit 927.3 948.1 1,002.9 1,068.8 now provides a wide range of security products across the Network, Recurring profit 961.4 992.5 1,045.1 1,110.0 Endpoint, and Cloud security markets. Cash Flow 12/15A 12/16A 12/17E 12/18E Cash flow from operations 917 925 1,022 1,085 Blue/Grey Sky Scenario CAPEX (17) (24) (30) (32) Free cashflow to the firm 900 901 992 1,053 Cash flow from investments (114) (24) (30) (32) Net share issue(/repurchase) (883) (859) (932) (1,000) Dividends paid 0 0 0 0 Issuance (retirement) of debt - - - - Other 24 15 (4) 0 Cashflow from financing activities (859) (844) (936) (1,000) Effect of exchange rates (11) (4) 6 0 Changes in Net Cash/Debt (68) 54 62 53 Net debt at end (3,615) (3,669) (3,731) (3,784) Balance Sheet ($US) 12/15A 12/16A 12/17E 12/18E Assets Other current assets 86 41 92 97 Total current assets 1,781 1,892 2,188 2,264 Total assets 5,070 5,218 5,506 5,638 Liabilities Short-term debt 0 0 0 0 Total current liabilities 1,057 1,166 1,297 1,432 Long-term debt 0 0 0 0 Total liabilities 1,538 1,727 1,990 2,205 Shareholder equity 3,532 3,491 3,516 3,434 Total liabilities and equity 5,070 5,218 5,506 5,638

Net debt (3,615) (3,669) (3,731) (3,784) Our Blue Sky Scenario (US$) 126.00 Per share 12/15A 12/16A 12/17E 12/18E In our Blue Sky Scenario, Check Point unleashs balance sheet for No. of shares (wtd avg) 183 173 167 162 transformative strategic M&A, which successfully enhances its ability CS adj. EPS 4.18 4.72 5.18 5.66 to compete in a cloud-first world. Our blue sky scenario implies Prev. EPS (US$) CHKP would trade on 16.8x 2018 UFCF. Dividend (US$) 0.00 0.00 0.00 0.00 Free cash flow per share 4.91 5.20 5.96 6.50 Earnings 12/15A 12/16A 12/17E 12/18E Our Grey Sky Scenario (US$) 96.00 Sales growth (%) 9.0 6.8 7.4 7.1 Check Point is unable to adapt in a world where enterprises EBIT growth (%) 7.0 2.2 5.8 6.6 transition to the cloud faster than we expect, and traditional network Net profit growth (%) 7.1 6.8 5.4 6.2 security is less relevant in cloud-first security architectures than we EPS growth (%) 12.3 13.0 9.7 9.2 anticipate. EBIT margin (%) 56.9 54.4 53.6 53.3 Share price performance Valuation 12/15A 12/16A 12/17E 12/18E EV/Sales (x) 9.68 9.03 8.37 7.79 EV/EBIT (x) 17.0 16.6 15.6 14.6 P/E (x) 26.5 23.5 21.4 19.6 Quarterly EPS Q1 Q2 Q3 Q4 2016A 1.06 1.09 1.13 1.46 2017E 1.20 1.26 1.24 1.48 2018E 1.31 1.37 1.38 1.60

On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55 Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$77.98

Source: Company data, Thomson Reuters, Credit Suisse estimates

Cybersecurity 172 5 September 2017

Key Debates: ■ Is the Product Line-up Competitive? How does Check Point's solution stand up to those of PANW, which has aggressively grown share?

■ Where Are Margins Heading? While Gross Margins have held up, operating margins have been trending downward since 2012, with sales & marketing spend rising.

Our Take: ■ Recognized Offerings, with a Fully Integrated Management Console: We believe Check Point's solutions in the Enterprise Network Firewall and UTM space are among the

best, while CHKP management console's ability to implement a unified policy across the entire infrastructure provides a point of differentiation against rivals.

Estimates: ■ Revenue: We forecast FY17E/FY18E revenue growth at 7.5%/7.5% vs the consensus at 7.5 %/7.0%, respectively.

■ EPS: We forecast FY17E/18E EPS of $5.18/$5.66 in-line with Street estimates at $5.18/$5.67, respectively.

Valuation: ■ DCF: Our discounted cash flow analysis suggests a target price of $110, implying 1% downside potential and 14.5x EV/uFCF (2018).

Cybersecurity 173

5 September 2017

Key Charts

Figure 300: CHKP Has Lost Share Since 2012… Figure 301: ...but Margins Have Remained High 4Q rolling sum as share of total UTM and Firewall market Reported Adjusted Operating margin

80% 65% Adjusted operating margin 70% Others

60% 60% Juniper 50%

40% Cisco Fortinet 55%

30% Palo Alto 20% 50%

10% Check Point

0% 45% 2002 2004 2006 2008 2010 2012 2014 2016 2003 2009 2015

Source: IDC, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Figure 302: Better Placed for Sector Risks Figure 303:Significant Cash Balance Exposure to Sector Headwinds Cash (onshore and offshore) as a % of market capitalization

Total ◔ ◑ ◕ 0% 10% 20% 30% 40% 50%

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Figure 304: Balance Sheet Can Be Unleashed.. Figure 305: …Valuation Cheapest vs Peers Assuming 3x leverage, Balance Sheet capacity vs Peers Valuation Analysis on EV/FCF basis

$12bn 40x 37.8x EV/UFCF, NTM $9.9bn $10bn 30x EV/UFCF Adjusted for SBC, NTM $8bn 19.2x $6bn $5.4bn 20x 16.4x 14.9x 13.8x $4.0bn 12.2x $4bn 10x

$2bn 0x $0bn CHKP FTNT PANW CHKP PANW FTNT

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Cybersecurity 174

5 September 2017

Company Positives

■ Check Point Has the Most Significant Fire Power Our analysis of potential debt capacity shows that CHKP has substantial firepower. With the highest EBITDA margin, liquid cash balance, and highest total cash & investments, CHKP enjoys (by our estimation) 2.3x greater firepower than FTNT and 1.8x that of PANW. In a market where we believe CHKP's core product to be declining in relevance (see Security as the mainframe), we view the firepower to make strategically significant and transformative acquisitions as a distinct competitive advantage

Figure 306: We Estimate CHKP Has ~$10bn in Figure 307: … 2.3x the Capacity of FTNT, and More Aggregate Firepower… than 1.8x Palo Alto Networks US$ in millions, unless otherwise stated US$ in millions, unless otherwise stated

Firepower analysis CHKP PANW FTNT capc Earnings, NTM basis $12bn EBITDA 1,083 394 279 2.3x Δ Deferred Revenue 178 412 250 $10bn Cash EBITDA 1,261 806 529 Deal related accretion (15% return) 774 460 383 Theoretical lending EBITDA 2,035 1,266 912 $8bn

Cash, Next quarter $6bn 1.4x Liquid cash & investments* 1,380 1,170 964 1x Cash & investments 3,588 1,889 1,222 $4bn Theoretical debt capacity (3x)** 6,106 3,281 2,735 Liquid firepower 7,486 4,450 3,699 $2bn Total firepower 9,694 5,170 3,957 *Cash and ST investments adjusted for offshore cash (20% repatriation assumption) $0bn and 10% of NTM revenue ** 3x theoretical lending EBITDA excluding outstanding debt CHKP PANW FTNT

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Figure 308: Check Point Has a Large Cash Balance Figure 309: … as a Percent of Market Cap This Is and No Debt… Greater than Microsoft in USD millions, unless otherwise stated Cash (onshore and offshore) as a % of market capitalization

4,000 ST Marketable securities Cisco Systems Inc 44% 3,500 Apple Inc 29% 3,000 LT Marketable securities Oracle Corp 27% 2,500 Cash & cash equivalents Check Point 23% 2,000 Microsoft Corp 20% 1,500 Intel Corp 18% 1,000 Alphabet Inc 14% 500 Qualcomm Inc 4% 0 2003 2005 2007 2009 2011 2013 2015 2017 0% 10% 20% 30% 40% 50%

Source: Company data, Credit Suisse estimates. Source: Credit Suisse HOLT, Credit Suisse Research.

Cybersecurity 175

5 September 2017

■ Best Positioned to Face Category Risks In our ranking of relative exposure to category risks, Check Point appears the least exposed. In fact, in no single measure have we ranked CHKP the most exposed on a relative basis.

Figure 310: Relative Exposure to Sector Risks Check Point Palo Alto Networks Fortinet Who is best equipped to deal with… CHKP PANW FTNT Architectural Shift to Cloud ◔ ◑ ◕ Cisco increasingly competitive ○ ◕ ◑ Juniper has little share left to give ○ ● ◔ Cloud transitionary headwinds ◔ ◑ ◑ TAM expansion ◑ ◑ ● Competition in the mid market ◑ ○ ● Carrier Exposure ◔ ◑ ● Total ◔ ◑ ◕

Source: Credit Suisse Research.

■ Valuation On valuation, we see Check Point as relatively better priced compared to firewall peers, which currently trade at 14.5x CY18 EV/uFCF. We note that it looks even cheaper than rivals, when adjusting for SBC & LT Deferred and similarly on a P/E basis (GAAP and Non-GAAP).

Figure 311: Relative Valuation, Absolute Multiples Absolute Valuation Analysis CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x Income Statement Multiples EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x

Source: Company data, Credit Suisse estimates.

Cybersecurity 176

5 September 2017

Figure 312: Valuation Matrix Revenue Growth Adjusted Growth adjusted (revenue growth) CHKP PANW FTNT NTM CY18 NTM CY18 NTM CY18 Cash Flow Statement Multiples EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82 EV/UFCF Adjusted for SBC 2.25 2.19 1.79 1.42 1.38 1.30 EV/UFCF Adjusted for LT Deferred 2.16 2.12 1.01 0.80 1.20 1.10 EV/UFCF Adjusted for SBC & LT Deferred 2.39 2.35 n/a n/a 2.42 2.14 Income Statement Multiples EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22 EV/Non-GAAP Operating Income 1.97 1.90 1.21 1.07 1.42 1.24 Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49 GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32 EV/Recurring Revenue 1.50 1.44 0.40 0.36 0.37 0.34

Source: Company data, Credit Suisse estimates.

■ Check Point Is a Firm of Exceptional Quality Highly Disciplined Capital Allocators Check Point is both highly optimized and runs with superlative discipline. We think Credit Suisse HOLT8 particularly well illustrates the quality of the business; having achieved over ten years of ~20% CFROI returns, CHKP attains an eCAP award. Only 6% of the ~20,000 companies tracked by HOLT achieve the conditions necessary to be awarded an eCAP. It is awarded to those companies that have high economic return (>8% CFROI), low volatility in returns (<30% CFROI variation), a favorable trend (>-0.10), and sustainable levels of growth (<30%).

Figure 313: Quality Is Reflected in High and Figure 314: Only 6% of Companies in HOLTs Sustained CFROI®, and eCAP Qualification Database of 20,000 Companies Achieve an eCAP Check Point CFROI How many companies attain HOLT value awards

Super-eCAPs Historical CFROI Forecast Discount Rate CFROI > 8% for at least 10 years 40 Low CFROI variation (<15%) Super Favourable CFROI trend (>-0.02) eCAPs 35 2% Sustainable levels of growth (<40%) 30 25 eCAPs CFROI > 8% for at least 5 years 20 Low CFROI variation (<30%) 15 Favourable CFROI trend (>-0.10) Sustainable levels of growth (<30%) 10 Investible Universe

5 Wonderful Companies 0 Top 25% Sector-relative CFROI for 3 consecutive years

1996 2000 2004 2008 2012 2016 2020 2024

Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Philosophy of Long-Term Value Creation We think Check Point exhibits characteristics of a firm run for long-term shareholder value creation. This discipline is evident in many metrics, not least operating margins, which are both high and have remained remarkably stable despite tumultuous market forces.

8 Credit Suisse HOLT is a proprietary valuation tool that aims to convert income statement and balance sheet information into a Cash Flow Return on Investment (CFROI®). The goal is to help assess a company's underlying economics. A firm's CFROI can be compared directly with its real cost of capital (the investors' real discount rate) to see if the firm is creating economic wealth. By removing accounting and inflation distortions, the CFROI allows for global comparability across sectors, regions and time. Cybersecurity 177

5 September 2017

A cornerstone of this margin stability has been exceptional levels of price discipline. This is particularly evident when we use IDC data to proxy ASP for CHKP through the period (2009-2015) in which Palo Alto entered the market and proceeded to aggressively compete for share. While a shorter-term, less disciplined operator may have responded to this aggression by competing on price, CHKP instead appears to have increased its ASP in the mid- and high-end (where PANW competes) from 2012 to present.

Figure 316: Even in the Period Which Saw Figure 315: In Addition to High and Sustained Aggressive Competition from PANW, CHKP Did Not HOLT-Adjusted Operating Margin Appear to Have Offered Substantial Discounts HOLT-adjusted operating margin Check Point ASP (revenue/units)

120,000 23,000 High-end ASP Mid-range ASP Historical margins Forecast Margins w/o SBC 110,000 22,000 60 21,000 100,000 20,000 40 90,000 19,000 80,000 20 18,000

70,000 17,000 0 1996 2000 2004 2008 2012 2016 2020 2024 60,000 16,000 2009 2010 2011 2012 2013 2014 2015 2016

Source: HOLT, Credit Suisse Research. Source: IDC, Credit Suisse Research.

True Shareholder Alignment with Management We believe Check Point to benefit from an abnormal level of incentive alignment. CEO and co-founder Gil Shwed is the largest shareholder, with ~25 million shares (15.4% of the firm) as of the end of 2016. Marius Nacht, another co-founder, is the third largest shareholder, with ~11 million shares (6.7% of the firm), and has been Check Point's non-executive chairman since September 2015 after serving as its vice chairman from 2001. In general, we believe the ~20% ownership by founders to be an almost undisputable positive. As we note elsewhere, founder-led companies enjoy well-documented advantages; they tend to outperform, deploy more cash toward R&D and capex, and enjoy more efficient R&D. We accept there remains a residual question mark over Marius Nacht's 40% reduction in his CHKP stake through 2016.

Less Volatile than Peers… CHKP shares have traded with lower volatility than both PANW and FTNT since both were first publically traded, in 2012 and 2010, respectively.

Cybersecurity 178

5 September 2017

Figure 317: CHKP Has Experienced the Lowest Volatility 100 day rolling volatility of daily returns

0.05 CHKP PANW FTNT

0.04

0.03

0.02

0.01

2010 2011 2012 2013 2014 2015 2016 2017 Source: Thomson Reuters Datastream, Credit Suisse estimates.

■ Track Record of Innovation Check Point practically created the firewall category in 1993 with the introduction of FireWall-1. This was the first commercialized 'stateful' firewall, and Check Point is credited with coining the term 'stateful'. By 1996, IDC had named Check Point the leader in firewall market share with over 40% of the market. Indeed FireWall-1 debuted just as the Internet was truly taking off, and 'that and subsequent Check Point offerings are credited with helping define the nascent markets for network security and virtual private networks.' (CIO, October 1st 2002, see here) In 2006, Check Point created an innovative unified management console, and in 2009, it completed the acquisition of Nokia's security appliance business as well as FaceTime communications and launched its extensible Software Blade architecture. Not Its First Rodeo… Originally a software only vendor, Check Point's move to sell integrated appliances represented one of the original security software aggregation plays. Combining the hardware and software adjacencies enabled (at the time) Check Point to substantially expand its TAM, increase its average price point (appliance price points were 1.5-2.0x that of the underlying software). As we have discussed, we now believe the opposite to be occurring; hardware and software adjacencies are disaggregated as enterprises shift to the cloud. Given CHKP is in some ways returning to its roots, this gives us some comfort that it may be more capable than peers of weathering this transition.

■ High, If Not Superior, Quality of Product Offerings Check Point has been a leader of Gartner's Enterprise Network Firewall Magic Quadrant from 1999 to 2002, and then from 2004 to present. In addition to strength in enterprise offerings, Check Point has also been a leader in Gartner's Unified Threat Management (UTM) Magic Quadrant (SMB focused) since 2010. In addition to recognition from Gartner, Check Point has been a recipient of 'Recommend' ratings from NSS Labs for Next Generation Firewall (2011-2016), Network Firewall (2011-2013), IPS (2011-2013), and Breach Detection Systems (2015-2016).

Cybersecurity 179

5 September 2017

Figure 318: CHKP Has Maintained a Leadership Figure 319: With the Exception of 2009, CHKP Has Position in Gartner's Magic Quadrant for Enterprise Also Maintained a Leadership Position in the Magic Network Firewall's Since Before 2006 Quadrant for Unified Threat Management Estimated based on 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, Estimated based on 2009, 2010, 2012, 2013, 2014, 2015, 2016 and 2016 and 2017 Enterprise Network Firewall Magic Quadrants 2017 UTM (SMB multifunction firewall) Magic Quadrants

Check Point Check Point

Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research.

As a result of our field work and broader research, we are convinced the single management console approach is a generator of competitive advantage. The consistency inherent in the ability to implement unified policy across the entire infrastructure in a single pane of glass, unified and fully integrated console appears preferred by customers.

Figure 320: Check Point Seems to Have a More Figure 321: …PANW VM Pricing Strategy in the Thoughtful Pricing Strategy in the Cloud Cloud Takes a One Size Fits All Approach Check Point AWS Pricing Palo Alto Networks AWS Pricing

Source: AWS, Company data, Credit Suisse estimates. Source: AWS, Company data, Credit Suisse estimates.

Cybersecurity 180

5 September 2017

We also note that Check Point appears to have a much more thoughtful VM pricing strategy for the cloud, with hourly software costs rising with more demanding workloads. On the other hand, Palo has a one-size-fits all approach with the same hourly pricing irrespective of workload or AWS instance. We see Check Point's approach as more suitable and capturing greater value.

Cybersecurity 181

5 September 2017

Company Negatives

■ Empirically CHKP Have Lost Market Share CHKP has empirically lost market share in the Palo Alto era; from a peak share of ~21% of the combined firewall and UTM market in mid-2012, CHKP has ceded 337bps of share. While not egregious share loss by any measure, we recognize this as a risk should attrition sustain. Going forward, we note that competitive losses will pressure company's ability to attach and cross-sell further services.

Figure 323: … When It Began to Under-Grow the Figure 322: CHKP Has Lost Share Since 2012… Market 4Q rolling sum as share of total UTM and Firewall market Total UTM and Firewall Market revenue growth, y/y %

80% 70% Others Market, y/y, % Check Point, y/y, % 70% 60%

60% 50% Juniper 50% 40% 40% Cisco Fortinet 30% 30% Palo Alto 20% 20% 10% 10% Check Point

0% 0% 2002 2004 2006 2008 2010 2012 2014 2016 2010 2011 2012 2014 2015 2017

Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.

■ Is Conservatism a Risk? Check Point has maintained a cash balance of around $3.5bn since 2013, in part due to tax constraints that have since been lifted as of 2015. While we address this specifically as a company positive, the fact it has amassed this cash pile and not yet unleashed it for transformative acquisitions raises a question mark for us. Might Check Point be too conservative to use its firepower to acquire its way out of a market position challenged by architectural changes? We believe there are a number of assets for purchase that can propel Check Point’s position in cloud and virtual security and diversify itself from declining relevance of core firewall.

Cybersecurity 182

5 September 2017

Figure 324: Check Point Has Maintained Substantially More Cash on Its Balance Sheet as a % of Market Cap than the Average Across the S&P500 US$ in millions, unless otherwise stated

Cash on balance sheet as a % of market cap, US Check Point cash as % of market cap

40%

30%

20%

10%

0% 2003 2005 2007 2009 2011 2013 2015 2017

Source: Thomson Reuters Datastream, Credit Suisse Research.

■ Margin Erosion Remains a Risk Check Point achieves excellent operating margins on an absolute basis and remarkable margins on a relative basis. If we look at adjusted operating margin across the software universe, Check Point has the highest margin of the 50 largest software companies by market capitalization. We use HOLT-adjusted operating margin for our analysis. Unlike the traditional operating margin metrics, HOLT's operating margins are not reduced by expenses for stock options, R&D, or rent to better reflect the cash generation of the operating entity.

Figure 325: Check Point Has the Highest HOLT Operating Margins of the 50 Largest Software Companies

HOLT adjusted Operating Margin, LFY, %

60.4%

56.4%

53.9%

49.4%

48.0%

47.8%

46.9%

45.7%

44.8%

44.5%

44.3%

43.8%

43.1%

42.7%

42.4%

39.8%

39.3%

38.8%

37.0%

36.0%

35.3%

35.2%

32.2%

30.9%

30.5%

30.3%

30.1%

29.9%

29.6%

25.4%

23.5%

23.3%

21.0%

20.0%

19.3%

19.1%

16.3%

16.2%

16.0%

15.4%

13.9%

13.5%

13.4%

10.4%

7.0%

6.4%

5.5%

2.9%

2.3%

1.7%

0.4%

0.9%

2.8%

2.9%

11%

ZEN

SAP

RHT

TDC

BOX

RPD

NSR

PRO

ULTI

RNG

CRM

INTU

NICE

IMPV

NOW

VMW

FTNT

SPLK

PFPT

FEYE

TLND

BNFT

MIME

CALD

PCTY

DATA

VEEV

QLYS

CTXS

ADSK

PAYC

VRNT

MSFT

ADBE

OTEX

HUBS

EGHT

PEGA

CYBR

TEAM

ORCL

CHKP

CUDA

NUAN

SNCR

MSTR

PRGS

CSOD

SYMC

TWLO

MANH

LOGM

PANW

WDAY

NEWR GWRE

Source: Credit Suisse HOLT®, Credit Suisse Research.

Cybersecurity 183

5 September 2017

Adjusted operating margin has been in a band of 50-60% since 2003, although it has come down slightly since 2012 (~60% to ~54%) before stabilizing in recent quarters. Although we recognize CHKP has successfully weathered investor concern around the margin for more than a decade, there remains risk should the margin erode. Quite frankly, there is equal risk as well in CHKP’s willingness to invest and reduce margins; leading industry margins, while a very enviable distinction, poses some risks. Given our arguments around price pressures in a cloud transition, we think this risk may be somewhat increased relative to history. At the same time, we appreciate Check Point has always solved for profit and cash flow growth, not necessarily margin percentage, and has managed well.

Figure 326: CHKP Has Maintained Remarkably High Adjusted Operating Margins of >50%... Reported Adjusted Operating Margin, %

65% Adjusted operating margin

60%

55%

50%

45% 2003 2005 2007 2009 2011 2013 2015 2017

Source: Company data, Credit Suisse Research.

■ Limited Disclosure Check Point as an Israeli-domiciled company is subject to less transparent disclosure requirements relative to US-based companies. The foreign private issuer status enjoyed by CHKP means, among other things, it is exempt from proxy rule and from filing beneficial ownership reports and may use 'particular registration and reporting forms designed specifically for them'. For full details regarding these disclosure rules, section III of the SEC foreign issuers overview should be referenced. (See here.)

Cybersecurity 184

5 September 2017

Management and Board Management Check Point remains very much a founder-led organization, with Gil Shwed serving as CEO since he founded the company in 1993. Dorit Dor, the vice president of products, serves in the firm's highest level technical role. She holds a Ph.D. in computer science from Tel Aviv University and was the 1995 recipient of the Israeli National Defense Prize.

Figure 327: Check Point Executive Management

Name Compensation Beneficial ownership of shares C-Suite Experience Position Year Prior Experience Age Joined Salary ($) Bonus ($) Stock($) Number of shares Value of shares

Gill Shwed 1993 $14,800 NA $35,531,800 30,823,912 $3,513,925,968 ■ Founder and Chief Executive Officer, Check Point Founder and CEO ■ Considered the Inventor of the Modern Firewall 48 ■ Honorary Doctor of Science, Tel Aviv University ■ MS: Tel Aviv University, BS: Hebrew University of Jerusalem Amnon Bar-Lev 2005 $393,200 $89,400 $4,786,100 NA NA ■ President, Checkpoint: 2005-2017 President ■ Chief Executive Officer, Xpert Integrated System ■ Distinguished service in Israeli Air Force ■ BA: Tel Aviv University Dorit Dor 1995 $325,100 $76,200 $3,550,000 NA NA ■ Various Research and Development Roles, Check Point: 1995-2017 Vice President of Products ■ Published in several scientific journals ■ 1993 Recipient of the Israeli National Defense Prize ■ PhD, MS, BS: Tel Aviv University Tal Payne 2008 $213,300 $90,500 $3,196,000 NA NA ■ Chief Financial Officer, Check Point: 2008-2017 CFO and COO ■ Chief Financial Officer and Vice President of Finance, Gilat Satellite Networks 45 ■ CPA, PricewaterhouseCoopers ■ MBA, BA: Tel Aviv University Sources: Check Point 2017 Proxy Statement, Company Website, Bloomberg

Source: Company data, Credit Suisse Research.

Board of Directors The influence of the founders is also very apparent on the board, with co-founder Marius Nacht serving as chairman. The board also has its fair share of impressive industry veterans, with ample Israeli and American venture capital and tech experience represented.

Cybersecurity 185

Cybersecurity

Figure 328: CHKP Board

Marius Nacht 1993 No 1 11,214,986 $1,278,508,404 ■ Founder and Chairman, Check Point Technologies Founder and Chairman ■ Senior Vice President, Check Point: 1999-2005 55 ■ Vice President of International Operations, Check Point: 1993-1999 ■ MS: Tel Aviv University, BS: Hebrew University of Jerusalem Gill Shwed 1993 No 1 30,823,912 $3,513,925,968 ■ Founder and Chief Executive Officer, Check Point Founder and CEO ■ Considered the Inventor of the Modern Firewall 48 ■ Honorary Doctor of Science, Tel Aviv University ■ MS: Tel Aviv University, BS: Hebrew University of Jerusalem Jerry Ungerman 2005 No 0 NA NA ■ Vice Chairman, Check Point Vice Chairman ■ Various Executive Positions, including President and Executive Vice President, Check Point: 2001-2005 72 ■ Former Executive Vice President, Hitachi Data Systems ■ BS: University of Minnesota Dan Propper 2006 Yes 2 NA NA ■ Chairman and CEO, Osem Group: 1981-2006 Director ■ President, Israeli Manufacturer's Association 76 ■ Honorary Doctorate: Technion - Israel Institute of Technology ■ BS: Technion - Israel Institute of Technology Ray Rothrock 1995 Yes 2 NA NA a a a ■ Chairmand and CEO, RedSeal Networks: 2014-Present Director ■ General Partner, Venrock: 1988-2013 60 ■ Participant in White House Cybersecurity Summit ■ MBA: Harvard Business School, MS: Massachusetts Institute of Technology, BS: Texas A&M University David Rubner 1999 Yes 4 NA NA a a ■ Chairman and CEO, Rubner Technology Ventures Director ■ General Partner, Hyperion Israel Advisors 77 ■ President and CEO: ECI Telecommunications: 1991-2000 ■ BS: Quuen Mary College, University of London, MS: Carnegie Mellon University Tal Shavit 2000 Yes 0 NA NA a ■ Organizational Consultant Specializing in Israeli-American Collaboration Director ■ Consults with Companies Undergoing Structural Change ■ Work Emphasized Mergers and Acquisitions

Yoav Chelouche 2006 Yes 5 NA NA a a ■ Managing Partner, Aviv Venture Capital: 2000-Present Director ■ President and CEO, Scitex: 1994-2000 62 ■ Various Managerial Positions, Scitex: 1979-1994 ■ MBA: INSEAD, BA: Tel Aviv University Irwin Federman 1995 Yes 3 NA NA a a a ■ General Partner, US Venture Partners: 1990-2017 Director ■ President and CEO, Monolithic Memories: 1981-1988 81 ■ Chairman, Mellanox Technologies ■ BA: Brooklyn College Guy Gecht 2006 Yes 1 NA NA a a ■ Chief Executive Officer, Electronics for Imaging: 2000-2017 Director ■ Various Positions, including President, Electronics for Imaging: 1995-2000 52 ■ Director of Engineering, Interro Systems: 1993-1995 ■ BS: Ben Gurion University Sources: Check Point 2017 Proxy Statement, Company Website, Bloomberg

Source: Company data, Credit Suisse estimates.

5 September 2017 September 5

186

5 September 2017

Check Point has the most finance-oriented board in our coverage universe. Notably, all of this finance experience comes from venture capital.

Figure 329: Check Point’s Board Has Disproportionate Venture Capital Representation Average Financial Experience FTNT Per Board Member ORCL

VMW

NOW

AKAM VC PANW Banking HDP PE RHT

SPLK

SYMC

CHKP

0 2 4 6 8 10

Source: Company data, Credit Suisse estimates.

In contrast with the executive team, the board is actually the most experienced group of directors for any company in our coverage universe besides Oracle. While the management team is relatively young, the board is second oldest, also to Oracle.

Figure 330: CHKP’s Board Is Second Oldest and… Figure 331: Second Most Experience, Both to Oracle

Board Age Deviation from Average Board Experience SYMC Per Director

HDP HDP Relevant Industry

PANW PANW Other Executive SYMC CEO/CFO RHT Other Industry NOW FTNT Finance VMW NOW SPLK VMW FTNT SPLK RHT ORCL AKAM CHKP CHKP

ORCL AKAM

0 5 10 15 20 25 30 35 40

-10 -8 -6 -4 -2 0 2 4 6 8 10

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Cybersecurity 187 5 September 2017

Valuation Discounted Cash Flows We use Discounted Cash Flows to estimate the intrinsic value for CHKP at $110/share, representing 1% downside. This informs our Neutral Rating, and is supported by our multiples based relative valuation work. In addition, we have constructed blue-sky and grey-sky scenarios. The Blue Sky assumes a 2.5% terminal growth rate, and the grey assumes 0%, reflecting our view on the outlook for the space as a whole.

Figure 332: Blue-Sky/Grey-Sky Pricing Figure 333: Blue-Sky/Grey-Sky Schematic Current Price $111 15.7x FY18UFCF (adj for SBC) Blue Sky

Target Price $110 15.5x FY18UFCF (adj for SBC) -1% $126 The firewall market decelerates broadly in line with our expectations, and Check Point successfully weathers the transition, but is then, more than ever, a lower growth, true 'legacy' vendor.

Blue Sky $126 18.4x FY18UFCF (adj for SBC) 14% Current In our Blue Sky Scenario, Check Point unleashs balance sheet for transformative Price Target Price strategic M&A, which successfully enhances its ability to compete in a cloud-first world. $111 Our blue sky scenario implies CHKP would trade on 16.7x 2018 UFCF. $110 Grey sky $96 13.0x FY18UFCF (adj for SBC) -13% Check Point is unable to adapt in a world where enterprises transition to the cloud faster than we expect, and traditional network security is less relevant in cloud-first security architectures than we anticipate. Grey Sky

$96

Source: Check Point, Credit Suisse estimates. Source: Check Point, Credit Suisse estimates.

Target Scenario Our base case assumes a five-year transition period with FCF growth declining smoothly from an estimated 7.5% in 2020. This scenario assumes the firewall market decelerates broadly in-line with our expectations and Check Point successfully weathers the transition, but is then, more than ever, a lower growth, true legacy vendor. This scenario results in a target price of $110, implying downside of 1%.

Blue-Sky Scenario For our blue-sky scenario, we again model a five-year transition period but drive higher free cash growth, assuming Check Point unleashes its balance sheet for transformative strategic M&A, which is ultimately successful. Our blue-sky scenario yields a $126 warranted price, which represents 14% upside potential.

Grey-Sky Scenario In the grey-sky scenario, we use a five-year transition period and lower free cash flow growth assumption. The scenario results in a share price of $96, representing 13% downside risk to the current share price. In this scenario, Check Point is unable to adapt in a world where enterprises transition to the cloud faster than we expect, and traditional network security is less relevant in cloud-first security architectures.

Cybersecurity 188 5 September 2017

Figure 334: Check Point Software Discounted Cash Flow (DCF) Analysis

Target Price

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL TP Value distribution 2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity

Period 1 2 3 4 5 6 7 8 9 10 Current risk-free rate of return 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% Beta 0.72 0.72 0.72 0.72 0.72 0.72 0.72 0.72 0.77 0.81 0.86 0.91 0.95 1.00 Market rate of return 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2% FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 8.0% 7.5% 6.5% 5.5% 4.5% 3.5% 2.5% 1.5% Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25

Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,101 1,184 1,261 1,330 1,390 1,438 1,474 1,497 17,123 Stock Based Compensation Expense 41.3 50.5 60.8 68.2 72.0 76.2 SBC as % of FCF 6.4% 7.0% 7.0% 7.9% 7.5% 7.5% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5% FCF adjusted for SBC 604.1 666.4 812.2 797.3 885.6 943.4 1,018.9 1,095.3 1,168.5 1,234.9 1,292.8 1,340.3 1,376.2 1,399.3 17,123.2

NPV of Free cash flow ($M) 850.3 852.0 848.1 840.4 824.2 798.6 764.3 722.7 674.9 7,617.1 Cumulative NPV of FCF ($M) 850.3 1,702.3 2,550.4 3,390.8 4,215.0 5,013.5 5,777.9 6,500.6 7,175.4 14,793

Cumulative NPV of FCF ($M) $ 14,793 Shares outstanding (M) 168 NPV/Share of FCF $ 88 (Net Cash) / Share $ 21.62 Total NPV/Share 110 Current price / Share $111 Upside / Downside Potential -1%

Blue Sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value distribution 2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity

Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2% FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 10.0% 10.0% 8.8% 7.5% 6.3% 5.0% 3.8% 2.5% Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25

Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,122 1,234 1,342 1,442 1,532 1,609 1,669 1,711 22,107 Stock Based Compensation Expense 41.3 50.5 60.8 68.2 72.0 76.2 SBC as % of FCF 6% 7% 7% 8% 8% 7% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5% 0% FCF adjusted for SBC 604.1 666.4 812.2 797.3 885.6 943.4 1,037.7 1,141.5 1,243.6 1,339.2 1,425.3 1,499.2 1,558.1 1,599.9 22,106.9

NPV of Free cash flow ($M) 850.3 852.0 863.8 875.8 877.1 865.9 842.7 808.3 764.1 9,834.0 Cumulative NPV of FCF ($M) 850.3 1,702.3 2,566.1 3,442.0 4,319.1 5,185.0 6,027.8 6,836.1 7,600.2 17,434

Cumulative NPV of FCF ($M) $ 17,434 Shares outstanding (M) 168 NPV/Share of FCF 104 (Net Cash - 10% of Revenues) / Share $ 21.62 Total NPV/Share 126.00 Current price / Share $111 Upside / Downside Potential 14%

Grey sky

HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value distribution 2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity

Equity Risk Premium 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2% FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 7.0% 5.0% 4.2% 3.3% 2.5% 1.7% 0.8% 0.0% Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25

Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,091 1,145 1,193 1,233 1,264 1,285 1,296 1,296 12,652 Stock Based Compensation Expense 41.3 50.5 60.8 68.2 72.0 76.2 0.0 0 0 0 0 0 0 0 0 SBC as % of FCF 6% 7% 7% 8% 8% 7% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5% 0% FCF adjusted for SBC 604.1 666.4 812.2 797.3 885.6 943.4 1,009.4 1,059.9 1,106.0 1,144.9 1,175.5 1,197.2 1,209.3 1,211.4 12,652.1

NPV of Free cash flow ($M) 850 852 840 813 780 740 695 646 593 5,628 Cumulative NPV of FCF ($M) 850 1,702 2,543 3,356 4,136 4,876 5,571 6,217 6,810 12,438

Cumulative NPV of FCF ($M) $ 12,438 Shares outstanding (M) 168 NPV/Share of FCF 74.2 (Net Cash - 10% of Revenues) / Share $ 21.62 Total NPV/Share 96.00 Current price / Share $111 Upside / Downside Potential -13%

Source: Company data, Credit Suisse estimates.

Cybersecurity 189 5 September 2017

HOLT CHKP – HOLT Market-Implied Scenario and Sensitivity Analysis Assuming stable margins at 50%, CHKP’s current price of $111 implies a sales CAGR of 5% over the next 10 years

® Figure 335: CFROI (%) Figure 336: Valuation- 400 bps Sensitivity- 200 bps 0 bps Analy+200 bpssis+400 bps +600 bps 25 21.1 21.1 2018 - 2026 Sales CAGR 20E-26E EBITDA 20 - 400 bps - 200 bps 0 bps +200 bps +400 bps +600 bps Margins ˅ 1.0% 3.0% 5.0% 7.0% 9.0% 11.0% 15 - 400 bps 45.9% $80 $91 $104 $121 $141 $168

10 - 200 bps 47.9% $82 $93 $107 $125 $146 $174

5 0% 49.9% $84 $96 $111 $129 $151 $180

+ 200 bps 51.9% $86 $99 $114 $133 $156 $186

0 margins EBITDA

1996 2000 2004 2008 2012 2016 2020 2024 Incrementalchanges in + 400 bps 53.9% $89 $102 $117 $137 $161 $192 Historical CFROI Forecast Discount Rate

Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.

Assumptions and Methodology ■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4-FY10 assumed at 50% based on FY3 IBES estimates

■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, we solved for the implied CAGR required to get to the respective values per share

■ Asset Efficiency: assumed constant from LFY levels

■ Fade Period: CHKP earns an eCAP (empirical competitive advantage), hence extending explicit forecasts to ten years before the fade

■ Fade: After year ten, the HOLT methodology calculates the terminal value by fading returns on capital and growth toward cost of capital and GDP growth respectively

Figure 337: Operating Projections Implied by Current Price: $108 per Share

1 Assumed long term margins of 50% 2 Solved for the long term sales CAGR Consensus required to get to current price of $111 60 49.9 49.9 30

40 20 Consensus 7.7 20 10 5.0 0 0 1996 2000 2004 2008 2012 2016 2020 2024 Historical margins Forecast (10) Margins w/o SBC 1996 2000 2004 2008 2012 2016 2020 2024 Historical growth Forecast

Source: HOLT, Credit Suisse Research.

Cybersecurity 190

Cybersecurity

Figure 338: Check Point Income Statement

Research Analysts Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew (212) 325 9676 [email protected]

Check Point Software (CHKP) Syed Talha Saleem, CFA (212) 538 1428 Income Statement [email protected] $ in Millions, except per share items Fiscal Year End: December 31 2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E) Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17A 2Q17A 3Q17E 4Q17E Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year Income Statement (Pro Forma) Products and licenses 555.8 122.7 136.2 136.9 177.1 573.0 126.3 138.3 129.4 185.4 579.4 130.1 141.8 137.2 183.5 592.6 y/y change 6.5% 7.4% 3.0% 1.3% 1.8% 3.1% 2.9% 1.5% -5.5% 4.7% 1.1% 3.0% 2.5% 6.0% -1.0% 2.3%

Software Blade subscriptions 318.6 88.1 92.7 98.6 110.5 389.9 112.1 117.9 123.2 137.0 490.2 137.8 140.4 145.4 158.9 582.5 y/y change 20.9% 18.5% 21.0% 23.8% 25.5% 22.4% 27.2% 27.2% 25.0% 24.0% 25.7% 23.0% 19.0% 18.0% 16.0% 18.8%

Software updates and maintenance 755.5 193.4 193.8 192.1 199.2 778.5 197.1 202.3 197.3 204.3 800.9 203.5 208.4 205.1 211.6 828.7 y/y change 6.3% 5.2% 4.0% 1.6% 1.6% 3.0% 1.9% 4.4% 2.7% 2.6% 2.9% 3.3% 3.0% 4.0% 3.6% 3.5% Total revenue 1,629.9 404.3 422.7 427.6 486.7 1,741.3 435.5 458.6 449.9 526.6 1,870.5 471.5 490.6 487.7 554.0 2,003.8 y/y change 9.0% 8.5% 6.9% 5.9% 6.3% 6.8% 7.7% 8.5% 5.2% 8.2% 7.4% 8.3% 7.0% 8.4% 5.2% 7.1%

Cost of products and licenses 101.1 23.0 25.1 25.2 32.5 105.9 23.9 26.2 24.2 34.9 109.1 24.6 26.8 25.8 34.0 111.1 GM on product and license 81.8% 81.2% 81.6% 81.6% 81.6% 81.5% 81.1% 81.1% 81.3% 81.2% 81.2% 81.1% 81.1% 81.2% 81.5% 81.2% Cost of software blade subscriptions 7.6 1.8 1.9 3.0 4.1 10.8 4.1 5.3 4.1 5.8 19.4 5.4 6.3 5.1 5.2 21.9 GM on software blade Subscriptions 97.6% 97.9% 98.0% 96.9% 96.2% 97.2% 96.4% 95.5% 96.6% 95.7% 96.0% 96.1% 95.5% 96.5% 96.7% 96.2% Cost of software updates and maintenance 76.9 19.2 20.0 20.8 20.9 80.9 20.2 20.6 22.0 22.5 85.3 21.2 21.3 22.8 23.3 88.5 GM on updates and maintenance 89.8% 90.1% 89.7% 89.2% 89.5% 89.6% 89.7% 89.8% 88.9% 89.0% 89.4% 89.6% 89.8% 88.9% 89.0% 89.3% Total cost of revenue 185.7 44.0 47.0 49.0 57.6 197.7 48.2 52.1 50.3 63.2 213.8 51.1 54.4 53.6 62.4 221.6

Gross profit 1,444.2 360.2 375.8 378.5 429.1 1,543.6 387.3 406.4 399.5 463.5 1,656.7 420.3 436.2 434.0 491.6 1,782.3 Gross margin 88.6% 89.1% 88.9% 88.5% 88.2% 88.6% 88.9% 88.6% 88.8% 88.0% 88.6% 89.2% 88.9% 89.0% 88.7% 88.9%

Sales and marketing 340.2 88.7 101.2 98.0 110.1 398.0 102.6 108.1 107.1 122.2 440.0 112.2 118.7 118.0 131.9 480.8 % of Revenue 20.9% 21.9% 23.9% 22.9% 22.6% 22.9% 23.6% 23.6% 23.8% 23.2% 23.5% 23.8% 24.2% 24.2% 23.8% 24.0% Research and development 131.6 37.6 38.5 39.6 42.4 158.1 40.5 40.6 39.8 47.0 167.8 44.3 45.1 44.9 48.2 182.5 % of Revenue 8.1% 9.3% 9.1% 9.3% 8.7% 9.1% 9.3% 8.8% 8.8% 8.9% 9.0% 9.4% 9.2% 9.2% 8.7% 9.1% General and administrative 45.2 10.3 8.7 10.3 10.2 39.4 11.0 9.5 13.5 12.0 46.0 11.8 12.3 12.2 13.9 50.1 % of Revenue 2.8% 2.5% 2.1% 2.4% 2.1% 2.3% 2.5% 2.1% 3.0% 2.3% 2.5% 2.5% 2.5% 2.5% 2.5% 2.5% Total operating expenses 516.9 136.5 148.3 147.9 162.7 595.5 154.1 158.1 160.4 181.2 653.8 168.3 176.1 175.1 193.9 713.4 Operating income (loss) 927.3 223.7 227.4 230.6 266.4 948.1 233.2 248.3 239.2 282.3 1,002.9 252.0 260.1 259.0 297.7 1,068.8 Operating margin 56.9% 55.3% 53.8% 53.9% 54.7% 54.4% 53.5% 54.1% 53.2% 53.6% 53.6% 53.5% 53.0% 53.1% 53.7% 53.3%

Interest income (expense) 34.1 9.9 11.8 12.1 10.5 44.4 10.4 11.3 10.3 10.2 42.1 10.1 10.4 10.3 10.3 41.1

Pre-tax income 961.4 233.7 239.2 242.7 276.9 992.5 243.5 259.6 249.5 292.5 1,045.1 262.1 270.5 269.3 308.0 1,110.0 Income taxes 195.1 46.6 48.8 49.2 29.7 174.3 42.0 47.6 43.7 49.7 183.0 45.9 47.3 47.1 53.9 194.2 Effective tax rate 20.3% 19.9% 20.4% 20.3% 10.7% 17.6% 17.3% 18.3% 17.5% 17.0% 17.5% 17.5% 17.5% 17.5% 17.5% 17.5%

Net income (PF) 766.3 187.1 190.4 193.5 247.2 818.2 201.5 212.0 205.8 242.8 862.1 216.2 223.2 222.2 254.1 915.7

Net margin 47.0% 46.3% 45.0% 45.3% 50.8% 47.0% 46.3% 46.2% 45.7% 46.1% 46.1% 45.9% 45.5% 45.6% 45.9% 45.7% 2017 September 5

PF EPS $4.18 $1.06 $1.09 $1.13 $1.46 $4.72 $1.20 $1.26 $1.24 $1.48 $5.18 $1.31 $1.37 $1.38 $1.60 $5.66 Fully diluted shares 183.4 177.0 174.8 171.9 169.6 173.3 168.5 167.7 165.8 164.0 166.5 164.7 162.8 161.0 159.2 161.9

Source: Company data, Credit Suisse estimates.

191

Cybersecurity Figure 339: Check Point Balance Sheet

Research Analysts Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew (212) 325 9676 [email protected] Check Point Software (CHKP) Syed Talha Saleem, CFA (212) 538 1428

Balance Sheet [email protected] $ in Millions, except per share items Fiscal Year End: December 31 2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E) Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17A 2Q17A 3Q17E 4Q17E Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year Current assets Cash & cash equivalents 192.3 244.0 209.7 224.3 187.4 187.4 230.3 278.9 247.3 203.2 203.2 326.7 305.4 293.7 256.0 256.0 Marketable securities 1,091.9 1,127.0 1,117.1 1,005.9 1,185.5 1,185.5 1,237.6 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 Trade receivables 410.8 246.7 272.6 254.7 478.5 478.5 279.1 334.0 299.0 572.5 572.5 327.1 355.5 337.3 591.0 591.0 Other receivables and prepaid expenses 85.8 47.9 44.4 44.5 41.0 41.0 69.7 87.6 86.2 91.8 91.8 75.5 93.7 93.5 96.6 96.6 Total current assets 1,780.8 1,665.6 1,643.8 1,529.4 1,892.5 1,892.5 1,816.8 2,020.6 1,952.6 2,187.6 2,187.6 2,049.3 2,074.6 2,044.5 2,263.7 2,263.7

Marketable securities 2,331.2 2,358.2 2,381.2 2,477.6 2,296.1 2,296.1 2,328.9 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 Property & equipment, net 48.7 50.7 54.0 58.0 61.9 61.9 66.8 69.9 74.8 79.7 79.7 85.1 90.3 95.2 100.1 100.1 Goodwill & Intangible assets, net 838.0 837.0 836.1 835.1 834.2 834.2 833.2 832.3 832.3 832.3 832.3 832.3 832.3 832.3 832.3 832.3 Deferred income taxes, net 20.8 56.5 58.5 62.0 94.6 94.6 168.9 153.7 150.7 163.3 163.3 165.0 174.2 173.2 199.5 199.5 Severance pay fund 5.3 5.2 4.7 4.8 4.6 4.6 4.9 5.1 5.1 5.1 5.1 5.1 5.1 5.1 5.1 5.1 Other 45.2 40.3 37.8 36.3 33.8 33.8 31.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4 Total assets 5,069.9 5,013.6 5,016.0 5,003.3 5,217.6 5,217.6 5,250.9 5,319.4 5,253.4 5,505.8 5,505.8 5,374.6 5,414.4 5,388.1 5,638.5 5,638.5

Liabilities & shareholders' equity Trade payables and other accrued liabilities 339.3 310.8 334.3 323.6 351.4 351.4 300.7 334.8 334.9 368.7 368.7 309.1 343.4 352.2 384.8 384.8 Deferred revenue 717.5 695.2 687.9 677.8 814.4 814.4 802.4 792.8 777.0 928.5 928.5 909.9 914.5 898.9 1,047.2 1,047.2 Current liabilities 1,056.9 1,006.0 1,022.2 1,001.4 1,165.9 1,165.9 1,103.2 1,127.6 1,111.9 1,297.1 1,297.1 1,219.0 1,257.9 1,251.1 1,432.0 1,432.0

Long-Term Deferred Revenue 188.3 188.2 204.5 210.8 251.2 251.2 260.5 271.8 271.8 319.4 319.4 319.4 324.2 333.9 380.7 380.7 Income tax accrual 283.2 302.1 306.9 324.4 300.5 300.5 317.1 341.7 335.2 363.0 363.0 343.4 365.6 363.4 381.8 381.8 Accrued severance pay 9.5 9.8 9.1 9.2 9.0 9.0 9.7 10.0 9.7 10.0 10.0 10.0 10.0 10.0 10.0 10.0 Shareholders' equity 3,531.9 3,507.3 3,473.4 3,457.5 3,491.1 3,491.1 3,560.4 3,568.2 3,524.7 3,516.3 3,516.3 3,482.8 3,456.7 3,429.6 3,434.0 3,434.0 Total liabilities & shareholders' equity 5,069.9 5,013.6 5,016.0 5,003.3 5,217.6 5,217.6 5,250.9 5,319.4 5,253.4 5,505.8 5,505.8 5,374.6 5,414.4 5,388.1 5,638.5 5,638.5

Source: Company data, Credit Suisse estimates.

5 September 2017 September 5

192

Cybersecurity Figure 340: Check Point Statement of Cash Flows

Research Analysts Brad Zelnick (212) 325 6118 [email protected] Jobin Mathew

(212) 325 9676 [email protected] Check Point Software (CHKP) Syed Talha Saleem, CFA (212) 538 1428 Statement of Cash Flows [email protected] $ in Millions, except per share items Fiscal Year End: December 31 2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E) Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17A 2Q17A 3Q17E 4Q17E Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year Net income 685.9 167.4 165.8 169.7 222.0 724.8 182.6 188.4 181.5 215.2 767.6 192.6 196.9 196.0 226.8 812.3 D&A of property, plant and equipment 10.4 2.7 2.7 3.1 2.4 10.9 3.0 3.0 3.1 3.1 12.2 2.7 2.7 3.1 3.1 11.6 Share-based compensation expense 76.3 18.2 22.0 20.8 21.7 82.7 19.1 23.4 21.8 23.1 87.3 20.7 23.8 23.6 24.3 92.3 Realized gain on marketable securities 0.0 0.3 -1.4 -1.7 -0.1 -3.0 0.1 0.1 0.0 0.0 0.1 0.0 0.0 0.0 0.0 0.0 Amortization of intangible assets 3.6 1.0 1.0 1.0 1.0 3.9 0.9 0.9 3.3 3.3 8.4 3.3 3.3 3.3 3.3 13.0 Deferred income taxes -15.8 1.3 -2.5 -0.7 -31.6 -33.5 11.4 15.6 2.9 -12.5 17.4 -1.8 -9.2 1.0 -26.3 -36.2 Excess tax benefit from stock-based compensation -19.4 -1.1 -3.7 -3.4 -9.2 -17.4 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Decrease (increase) in trade and other receivables, net -64.8 162.9 -21.6 20.3 -218.0 -56.5 191.2 -49.2 36.4 -279.1 -100.8 261.8 -46.6 18.4 -256.8 -23.2 Increase in deferred revenues, trade payables, and other accrued expenses241.0 and liabilities-28.9 42.8 4.9 194.7 213.5 -52.8 44.1 -22.5 260.9 229.8 -97.7 65.9 0.8 246.0 215.0 Changes in operating assets & liabilities 176.2 134.0 21.2 25.2 -23.4 157.0 138.4 -5.1 13.9 -18.3 128.9 164.1 19.3 19.2 -10.8 191.8 Net cash provided by operating activities 917.1 323.7 205.0 213.9 182.7 925.4 355.4 226.3 226.4 213.9 1,022.0 381.5 236.7 246.3 220.4 1,084.8

Purchase of property, plant and equipment -17.3 -4.7 -5.9 -7.1 -6.3 -24.1 -8.0 -6.1 -8.0 -8.0 -30.1 -8.0 -8.0 -8.0 -8.0 -32.0 Net cash used by investing activities -113.9 -4.7 -5.9 -7.1 -6.3 -24.1 -8.0 -6.1 -8.0 -8.0 -30.1 -8.0 -8.0 -8.0 -8.0 -32.0

Proceeds from issuance of shares upon exercise of options 102.9 16.2 17.4 46.3 49.4 129.2 24.4 39.3 63.7 0.0 Purchase of treasury shares -985.7 -247.3 -245.7 -247.0 -248.0 -987.9 -247.9 -248.0 -250.0 -250.0 -995.8 -250.0 -250.0 -250.0 -250.0 -1,000.0 Excess tax benefit on stock options 19.4 1.1 3.7 3.4 9.2 17.4 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 Payments related to shares withheld for taxes -2.6 -0.2 -3.9 Net cash used by financing activities -863.5 -230.0 -227.2 -197.3 -189.4 -841.3 -223.7 -212.5 -250.0 -250.0 -932.1 -250.0 -250.0 -250.0 -250.0 -1,000.0

Unrealized gain on marketable securities, net -11.4 24.7 6.9 -9.6 -25.9 -3.9 4.0 2.0 0.0 0.0 6.0 0.0 0.0 0.0 0.0 0.0

Net increase/decrease in cash and cash equivalents -71.7 113.8 -21.2 -0.1 -38.8 56.2 127.7 9.6 -31.6 -44.1 65.7 123.5 -21.3 -11.7 -37.6 52.8

Ratios Depreciation and amortization % of previous Q PPE on BS 5.3% 5.0% 5.3% 3.9% 4.5% 4.3% 4.3% 4.3% 4.3% 4.3% 4.3% 4.3%

Free Cash Flow FCFE 899.7 319.0 199.1 206.8 176.5 901.4 347.5 220.2 218.4 205.9 991.9 373.5 228.7 238.3 212.4 1,052.8 Interest income (expense), net 34.1 9.9 11.8 12.1 10.5 44.4 10.4 11.3 10.3 10.2 42.1 10.1 10.4 10.3 10.3 41.1 Effective Tax rate 22% 21% 23% 22% 12% 19% 17% 19% 19% 19% 19% 19% 19% 19% 19% 19% UFCF 873.0 311.2 189.9 197.4 167.2 865.5 338.9 211.0 210.1 197.6 957.7 365.3 220.3 229.9 204.1 1,019.6 Diluted shares outstanding 183.4 177.0 174.8 171.9 169.6 173.3 168.5 167.7 165.8 164.0 166.5 164.7 162.8 161.0 159.2 161.9 UFCF per share $4.76 $1.76 $1.09 $1.15 $0.99 $4.99 $2.01 $1.26 $1.27 $1.21 $5.75 $2.22 $1.35 $1.43 $1.28 $6.30

5 September 2017 September 5

Source: Company data, Credit Suisse estimates.

193

5 September 2017

Figure 341: Check Point PEERs

Source: Company data, Credit Suisse estimates

Cybersecurity 194 5 September 2017

Appendices Appendix I: The HOLT® Framework Overview The HOLT Valuation Framework is based on two fundamental principles:

■ The market pays for economic (cash) performance and not accounting performance.

■ The value of a company is determined by its discounted future cash flows over its life cycle. The HOLT methodology uses a proprietary performance measure known as Cash Flow Return on Investment (CFROI®). HOLT uses CFROI to estimate future cash flows and applies a unique notion of life cycle fade to reflect the position of any individual company on its industrial life cycle.

Figure 342: HOLT metrics Accounting Cash Value . Income Statement . Cash Flow Return on . CFROI . Balance Sheet Investment (CFROI) . Asset Growth . EPS, ROE, ROCE . Economic Performance . Life Cycle Fade . Discount Rate

Source: Credit Suisse HOLT.

Cash Flow Return on Investment (CFROI®) Why use CFROI? Accounting statements often present a distorted view of underlying economic performance. In order to better define a cash measure, HOLT's economic CFROI corrects for the distortions found in traditional accounting-based measures of performance by adjusting for inflation, off-balance sheet assets (e.g., leased property), depreciation, LIFO & FIFO accounting, asset mix, asset holding gains or losses, asset life, acquisition accounting, deferred taxes, pensions, investments, revaluations, special reserves, research & development, and others. As a result, CFROI provides comparability over time, among companies, and across industries and national borders. This proprietary measure focuses on the cash economics of businesses. Once the economics of the company are understood, we can more accurately determine value by taking into account expected future cash flows, asset growth rates, discount rates, and life cycles. HOLT's CFROI is calculated in two steps. First, compare the inflation-adjusted (current dollar) cash flows available to all capital owners in the company to the inflation-adjusted (current dollar) gross investment made by those capital owners. Next, translate the ratio of gross cash flow to gross investment to an internal rate of return (IRR) by recognizing the finite economic life of depreciating assets and the residual value of non-depreciating assets such as land and working capital. The process is identical to calculating the yield to maturity for a bond. As a percent per year IRR, CFROI is directly comparable to the return investors expect to receive (i.e., the cost of capital or discount rate).

Cybersecurity 195 5 September 2017

Figure 343: CFROI® Captures Economic Performance

Source: Credit Suisse HOLT.

Figure 344: CFROI® Formula in Detail

Source: Credit Suisse HOLT.

Cybersecurity 196 5 September 2017

Value Creation Companies can create wealth for shareholders by making the right decisions with respect to CFROI and asset growth. Wealth is created when companies:

■ Improve CFROI

■ Grow assets when CFROI is above the discount rate (positive spread) Shrink assets when CFROI is below the discount rate (negative spread)

Figure 345: Managing for Shareholder Value

Source: Credit Suisse HOLT.

Economic Profit The economic profit formula underpins the value creation principle. Economic profit (EP) is the amount of value a firm creates over a specified period, typically annual. It is proportional to the spread between a company’s return on capital and cost of capital. If a firm is meeting its cost of capital, its EP is zero. Growth into projects that earn below the cost of capital destroys shareholder value, and these projects should be rejected. Growth at the cost of capital is value neutral. The HOLT EP is simply the economic spread multiplied by assets if CFROI is specified as the return on capital.

Economic Profit = (return on capital – cost of capital) x invested capital HOLT Economic Profit is calculated as = (CFROI® – HOLT discount rate) x inflation adjusted gross investment

HOLT Valuation The HOLT valuation model, at its foundation, is a type of DCF (discounted cash flow) model. Among the model’s distinguishing features, along with the CFROI metric, is the way by which the forecast stream of net cash receipts (NCRs) is generated and the method by which the firm’s discount rate (DR) is estimated. From a beginning asset base, key variables that drive the forecast NCR stream are variables that actually generate cash flows namely, economic returns (CFROIs), reinvestment rates (growth), and their expected patterns of change over time due to competition (fade). The competitive life cycle is covered below.

Cybersecurity 197 5 September 2017

The discount rate is the rate of return investors demand for making their funds available to the firm. DRs used in our model are real rates, not nominal rates, so they are consistent with CFROIs. The DRs are also consistent with other aspects of our model, since base DRs are mathematically derived from known market values and from NCR streams consistent within our model. Adjustments (positive or negative) to the base rate are made for company-specific financial and liquidity risk characteristics. The result of discounting the NCRs at the market-derived DR is what is referred to as a warranted value or warranted price. Essentially, this is the valuation that results (or is "warranted"), given the default (or users’ own) assumptions built into the forecast and the resulting present value of the NCRs plus the value of any non-operating investments.

Figure 346: Major Components of the HOLT Valuation Model Operating Margins Asset Base

n Net Cash Receipts CFROI Asset Turns NPV of Existing Assets = Σ creates + NPV of Future Invests t=1 (1+Disc. Rate) t Growth NPV of Net Cash Receipts Country Base Rate + MV of Non-Op. Assets Fade Total Enterprise Value Revenue Growth – MV of Debt Size Differential Total Equity Value – Minority Interest Leverage Differential Common Equity Value Warranted ÷ Adjusted Shares Price Com Equity / Share

Source: Credit Suisse HOLT.

Cybersecurity 198 5 September 2017

Figure 347: How to Read a HOLT CFROI Chart

Market Derived Discount Rate Superior performance metric Market-calibrated valuation Competitive Lifecycle & fade

Reinvestment Solve Capital investment

Historical CFROI

Market implied CFROI

Long-term level of returns on capital required to validate today’s market value

1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

Source: Credit Suisse HOLT.

Cybersecurity 199 5 September 2017

Appendix II: Additional Drivers of Security Spending Regulation Is Catalyzing Action GDPR, and Its Ramifications, Is Top of Mind A firm's security postures are increasingly in the regulatory spotlight. From existing and well understood federal regulations such as HIPPA and FISMA, to the New York Cybersecurity Regulations for Financial Institutions that recently entered into effect and the General Data Protection Regulation that will enter into law in Europe next year, regulators are focused on cyber safety. At the top of many investors' minds is GDPR, which has been billed as the biggest change to data privacy laws in 20 years. We think GDPR is worthy of specific examination, as its attempts to enforce data privacy and empower citizens as custodians of their own data are considered by some commentators (LA Times) as leading and, therefore, may act as a guide toward potential future regulation more broadly. Professor Daniel Solove, for example, has written 'the EU has been leading the debate on data protection. Nobody ignores the EU … [which] has established itself as a formidable thought leader in this area, and its regulation really does have a significant impact … Global companies follow EU privacy law, using EU definitions of personal data more than US definitions. Other countries pattern their laws much more on the EU than on the US.' GDPR comes into law on the 28th of May 2018 – note that the text was actually first proposed in 2012, and the regulation has been 'in force' since 25th May 2016. This is customary with EU legislation, where there is a two-year period between when the regulation is agreed and published in full, and when it becomes binding for member states.

Figure 348: GDPR Implementation Timeline

Council Agreement

European Commission Separate negotiations Negotiations and EP reaches Adoption of Two-year Regulation in publishes the within Parliament and approval among agreement regulation implementation effect legislative proposal European Council the 3 institutions

Spring Spring 2016 2012 2015 2018 2014 2016 2017

Source: Credit Suisse Research.

While this does mean that the full details of GDPR have been available to organizations and the market for some time, it does not mean that enterprises are ready for the regulation to become binding. Transitionary periods often result in lack of action. Examples of this historically include PSD2 – The European Payments Directive – which our European counterpart Charlie Brennan notes is still surrounded by great uncertainty,

Cybersecurity 200 5 September 2017

despite the fact that it entered into force more than six months prior to GDPR (on the 12th January 2016). Another example, even closer to home for the global investment community, is MIFID2 – The Markets in Financial Instruments Directives – which will mandate the unbundling of research and commission spending. Both the buy- and sell-side continue to be engaged in unresolved pricing discussions despite the fact MIFID2 will enter into force in early January next year.

Figure 349: Google Trends Interest in PSD2 May Indicate Lack of Preparedness

Source: Company data, Credit Suisse estimates.

In the context of these comparisons its actually important to note that that a regulation (like GDPR) is actually more severe than a directive (MIFID and PSD2). This is because a regulation becomes immediately applicable to all EU member states without the need for a nationally implemented legislation

GDPR Preparedness Remains Low NetApp's survey of 750 CIOs, IT managers, and C-suite executives in April 2017 gives some indication as to the level of preparedness for GDPR. The findings suggest that preparedness for GDPR remains relatively low. Only 34% of respondents believed themselves to have a good, or full, understanding of GDPR – this was reflected in the 35% of respondents who considered themselves to be fully complaint; interestingly, this implies that some senior decision makers in complaint organizations lacked a full understanding of GDPR. Perhaps most extraordinary, 10% of respondents were fully unaware of GDPR.

Cybersecurity 201 5 September 2017

Figure 350: Understanding of GDPR Among Figure 351: Only 35% of Respondents Believed Respondents Was Surprisingly Low Themselves to Be Fully Complaint

66% of respondents do We have made preparations and are 35% I do not know what GDPR is 9% not have a good compliant understanding of GDPR We have made preparations but are 49% I have some understanding of GDPR 47% not compliant

I have a good understanding of GDPR 29% We have not made any preparations 14%

I don't know what preparations we 2% 65% of respondents are I fully understand GDPR 15% need to make not compliant withGDPR

Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

Key Aims of GDPR The key aims of GDPR focus around creating a unified regulatory approach to data security and consent. The ultimate aim of returning control of their personal data to the citizens of the EU is to be achieved by both procedural standards for activities such as breach reporting, increasing oversight by mandating the appointment of data protection officers, as well as empowering the individual by enforcing a right to erasure. The scope of the regulation is 'all EU citizens', this means there is no territorial scope, all organizations resident in the EU are subject to these regulations, as are any organizations outside of the EU that are in possession of the data of EU subjects. Thus, this captures non-EU businesses with websites directed toward EU (advertisers, ecommerce, social networks etc.). Anyone offering goods or services, even for free, will be subject to GDPR. The key changes that will be enforced are as follows:

■ Increase Security Breach Reporting: Any security breach must be flagged to the supervisory body within 72hrs.

■ Mandatory Data Protection Officer: All public bodies and businesses that meet some criteria (handle lots of personal data) must appoint a data protection officer (chief privacy officer).

■ Data Processors & Vendor Management: There are increased obligations for processors that makes them more liable for breaches, including more detailed records of processing activities.

■ Elevate the Threshold for Consent: THIS will make it harder to collect data from individuals, as it requires consent to be more explicit – ‘specific, informed, freely given, unambiguous’.

■ Enhanced Individual Rights: Individuals have a right to be forgotten; it also allows for data portability and restriction of processing. Those in breach of these new rules following the regulations entry into force will be subject to material penalties. For serious breaches, firms will be liable for €10 million, or 2% of total worldwide annual turnover (whichever is greater), and for very serious breaches €20 million, or 4% of total worldwide annual turnover (again, whichever is greater). The only bodies exempt are law enforcement and intelligent agencies.

Cybersecurity 202 5 September 2017

Data from the Ponemon Institute's 2016 cost of data breach study show how much progress needs to be made before firm's are capable of complying with GDPR's security breach reporting standards. On average, their sample took an average of c200 days to identify a data breach, with a range of between 20 and 569 days.

Figure 352: The Mean Time to Identity Figure 353: A Breach Costs More If It a Breach Is over Six Months… Takes Longer to Identify Time, days Cost given mean time to identify, $

201 $4.38

$3.23

Mean time to identify Mean time to contain >100 <100 days

Source: Ponemon institute, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.

The Key Impacts of GDPR GDPR is likely to catalyze a review of firm's security posture across the spectrum – we imagine this review will span governance, control, organization, processes, sourcing, and technology. As has been demonstrated, preparedness and the level of understanding and knowledge around GDPR is mediocre at best, but we expect the key impacts to be:

■ A Mindset Shift in Data Compliance/Security Budgets Will this change budgetary thinking in enterprises both large and small? It would seem logical there may be more resources to chief data officers, chief privacy officers, etc. The large penalties for data breaches may enhance the fear of breach at the firm level and change perspectives around security budgets; the potential for higher investment in security across the network would seem a logical conclusion.

■ Onus on the Processors – Impact on Cloud? While data creators used to carry burden of legal compliance, GDPR expands the scope to processors as well. Until now, some cloud deals have been characterized by the data creator/controller failing to exert controls over how the data is processed by the processor. GDPR shares responsibility equally with the processor, making them more accountable; this may raise the cost of compliance for processors, and may change some firm’s cloud strategy:

Cybersecurity 203 5 September 2017

Figure 354: The Impact of GDPR on Public Cloud Investment

43% of respondents suggested that GDPR would 50% result in a scale back of Public Cloud investment 37%

25% 21% 18%

We do not think GDPR has We have already started We have hired specific We are considering scaling We are investing more We will continue to invest been or will be a major lowering our public cloud personnel with expertise in back our public cloud resources into data into public cloud services influence on our cloud services investment data protection services investment regulation compliance and ensure compliance strategy with data regulation requirements like GDPR

Source: Company data, Credit Suisse estimates.

■ SME Impact, Likely to Catalyze Spend Larger organizations tend to have grappled with issues around data privacy and security more than smaller firms simply by virtue of having been targeted more by malicious actors. This seems to be changing. Recent attacks such as Wannacry hit SMEs too and are reflective of the rise of ransomware attacks – which really scare the average SME. This pressure together with GDPR may be a catalyst to fundamentally change the SME mindset toward data privacy and security. Safe Harbor Invalidation – What Does This Mean for US/EU Data Sharing? More Strict Safe Harbor 2.0 Likely – This Will Impact US Firms Both the GDPR and the regulation it supersedes have stipulations around the level of protection countries must mandate for data to be transferred out of the EU. Neither legislation deemed the US to provide an adequate level of protection under EU law. (The US was considered too focused on self-regulation and too fragmented in approach to privacy law by EU regulators.) The solution historically was the Safe Harbor Arrangement that was negotiated to continue to allow personal data flows between the EU and US, but that was invalidated earlier this year. The bottom line here is that a Safe Harbor 2.0 must be negotiated at some point. Experts seem to think this is likely to involve concessions on the US side (the EU is considered thought leader in data privacy/protection), and therefore, Safe Harbor 2.0 is likely to be stricter, involving higher costs for firm’s to comply.

Attacks Move Down Market Driving Mid-Market Spend, Increasing Competition and Pricing Pressure While breaches of global banks, government entities, and other high-profile institutions receive the most media attention, smaller businesses and individuals are increasingly being targeted. According to Microsoft, more than 20% of small to mid-sized businesses have been targets of cybercrime, and Barclaycard research suggested that 48% of SMBs fell victim to at least one cyber-attack in 2015, and 10% were targeted more than once. We think this phenomenon is here to stay and will have a significant impact on the shape of a market that has historically been underpenetrated at the small and mid-sized enterprise level.

Cybersecurity 204 5 September 2017

In an analysis of the UK cyber security market, a UK government paper written by Pierre Audoin Consultants identified SMEs as a market with low IT security penetration but with significant barriers to entry. Without sufficient security adoption, preventative internal procedures, or experience to provide in-depth understanding of online threats, smaller businesses must often rely on relatively simplistic but notably low- or no-cost bundled soft These weaknesses are increasingly exploited by targeted ransomware: in a 2016 report by PhishMe analyzing over 2,500 phishing attacks, ransomware composed 90% of all identified malware payload URLs, costing victims more than $1 billion. Moreover, the average ransom demanded in 2016 grew to $1,077, up from just under $300 only a year before. The number of new ransomware families tripled to 101, while SYMC logged a 36% increase in ransomware infections.

Figure 355: The Number of Ransomware Variants— Figure 356: Average Ransom Paid Has Spiked as Historically Fairly Stable—Increased 30-Fold in 2016 Variants, Volumes and Victims of Ransomware Rise Average Ransom Paid Per Victim ($) Cumulative Ransomware Variants

1,200 $1,077

1,000

800

600

$373 400 $294

200

0 2016 2017 2014 2015 2016

Source: Proofpoint 2016 Q4 Threat Summary, Credit Suisse estimates. Source: Symantec, Credit Suisse.

This increase in average ransoms may be due to the increasing sophistication of malware delivery. Notably, a significant portion of phishing attacks in 2016 still used longstanding, time-tested tactics such as remote-access Trojans and keyloggers—methods that are not difficulty to eliminate, per se. What has changed, however, is that ransomware approaches have increasingly adopted a quiet malware strategy, which involves infiltrating the victim to assess their behavior for a period of time and subsequently tailoring ransoms based on their individual abilities to pay for re-access to critical data. Given the above-mentioned behaviors and growth trends of ransomware, we believe that small and medium businesses are especially susceptible and will be an area of relative growth for security spending. A June 2017 survey conducted by Osterman Research and sponsored by Malwarebytes found that, among more than 1,000 SMB respondents, 35% were victims of ransomware. More importantly, more SMBs stated that ransomware prevention should rely on technology than those who prefer personnel training. Yet, as previously mentioned, the popularity of bundled security software as the primary defense for SMB users may explain the preference for technology over education and protocols. This further suggests, however, that a growing need for more sophisticated security technology is forthcoming. While about 33% of SMBs in the Malwarebytes survey claimed to have been using anti-ransomware technologies, roughly 33% have also experienced a ransomware attack in the past year—of which 27% did not know the endpoint source of the ransomware at the time of attacks, but results of later investigations often turn out to be malicious emails. According to Proofpoint’s 2016 Threat Report, 15% of documented business email

Cybersecurity 205 5 September 2017

compromises (BECs) occur businesses employing less than 5,000 people, due to fewer resources to mitigate such threats. Although a need for greater security technology and procedures may be apparent among SMBs, what suggests that they will actually spend more? Of ransomware infections, 90% resulted in more than one hour of downtime, while 16% caused 25 hours or more of downtime—a result of either an understandable stubbornness to pay ransoms, an inability to identify and contain breaches, or both. Results from a 2017 Imperva survey indicate that downtime from ransomware can cost anywhere from $5,000 to $20,000 in lost business and damages, with 27% believing that the amount could be over $20,000 a day.

Figure 357: Increase Costs of Ransomware May Drive Significant Increase in Security Needs for SMBs Estimated Aggregate Annual Costs to SMBs of Ransomware-Induced Downtime, Varied by Daily Cost of Downtime ($billions)

16.0

14.0

12.0

10.0

8.0 $20,000/day

6.0 $12,500/day 4.0

2.0 $5,000/day 0.0 2016 2017 2018 2019

Source: Gartner, Imperva Rise of Ransomware Survey, Malwarebytes State of Ransomware Among SMBs Survey, U.S. Census Bureau, Credit Suisse estimates.

A Growing Need for Security Among SMBs Brings Heightened Competition… Using IDC revenue data to estimate the Herfindahl-Hirschman Index (an indicator of competition) for each segment (defined by price band) that IDC tracks reveal substantially more competition in the mid-range and volume segments of the market. Not only are there more players, but we have been hearing of more competitiveness as players such as WatchGuard and SonicWALL have made significant strides more recently.

Cybersecurity 206 5 September 2017

Figure 358: The Midrange and Volume Segment of the Market Are Substantially Less Consolidated (and Therefore Competitive) than the High End Herfindahl-Hirschman Index, 4Q moving average

0.25 High end, 4Qma Midrange, 4Qma Volume, 4Qma

0.20

0.15

0.10

0.05

0.00 2002 2004 2006 2008 2010 2012 2014 2016

Source: IDC, Credit Suisse Research.

…and Competition Brings Pricing Pressure We believe consolidation translates to pricing power, and vice-versa. Therefore, we expect higher levels of competition in the mid-end and volume markets to translate into higher price competitiveness. Looking at the Volume market ASP relative to the five largest market players suggests that while there hasn’t been broad based pressure, pricing has come down for the five largest in aggregate.

Figure 359: Pricing for the Five Largest Players Appears to Have Been Slightly More Pressured Relative to the Market as a Whole ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)

2,200 Volume ASP Volume ASP (CHKP, PANW, FTNT, JNPR, CSCO) 2,800 2,000 2,500 1,800 2,200 1,600 1,900

1,400 1,600

1,200 1,300

1,000 1,000 2003 2005 2007 2009 2011 2013 2015 2017

Source: iDC, Credit Suisse Research.

If we look at pricing across the product spectrum for the five largest vendors since 2010, a weakness in volume is apparent relative to the high end. While the mid-range hasn’t been weak, per se, it has been weaker than the high end since 2014.

Cybersecurity 207 5 September 2017

Figure 360: Pricing Has Been Strongest in the High End, Slightly Weaker in the Mid-Range, and Weakest in Volume CHKP, PANW, FTNT, JNPR, CSCO ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)

1.2 Top-5 High-End ASP Top-5 Mid-range ASP Top-5 Volume ASP

1.1

1.0

0.9

0.8

0.7

0.6 2010 2011 2012 2013 2014 2015 2016 2017

Source: iDC, Credit Suisse Research.

Cybersecurity threats are especially of concern for small and mid-size businesses, with insufficient endpoint security and preventive personnel training. Although smaller business are relatively—albeit only slightly—less concerned about such threats, the rapid increase in sophistication and sheer volume of malware will likely create greater urgency for security spending among SMBs.

Cybersecurity 208 5 September 2017

Figure 361: Software SoundBytes on Attacks Moving Down Market

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] SMB security

“Hackers are getting more strategic, initially they spent the most of their time in large institutions, now they are industrializing themselves and automating themselves into smaller businesses and we are seeing lots of ransomware at SMBs.”

“The cheaper lines (850s and 220s) are selling very well into mainly net new customers, but also branches… The 220 is 1700 USD, and only costs 46USD after year one.”

“The mid-market in Asia is largely not migrated from FW to NGFW (outside of Tokyo the majority of Asia is MM) in his view 70-80% are on firewall not NGFW”

“Ransomware is agnostic and blind, and therefore attacks SMEs with impunity”

“2-years ago we saw 90-95% physical appliances, today adoption of virtual appliances in small and medium sized enterprises is as much as 30-35%”

Source: Credit Suisse Research.

Cybersecurity 209 5 September 2017

Connected Security Continued Increases in Connectivity to Drive Threats During the initial stages of data networking, organizations adopted data networks to connect a limited number of computers within close proximity, allowing users to share simple, common services (e.g., file servers and printers). In these local area networks (LANs), the majority of traffic resided within the network and remain local to a specific part of the organization. However, with widespread Internet usage, the proliferation of client-server, Web-tier, and SaaS applications; distributed architectures; and the adoption of new bandwidth-intensive applications, the majority of traffic traverses the boundaries of the LAN to networks outside of the LAN, thereby increasing the risk exposure of enterprise networks. The pervasiveness of computing by businesses, organizations, and individuals, as well as the Internet’s ability to interconnect computing devices to enable widespread communication, has given rise to immense growth in data communications. For example, Cisco Systems estimates that the number of connected devices worldwide will rise from 15 billion today to 50 billion by 2020. Intel is even more aggressive, claiming that over 200 billion devices will be connected by 2020. Although smartphones are the most visible connected device, the number of cars connected to the Internet worldwide is expected to grow more than six fold to 152 million in 2020, smart thermostats are expected to have 43% adoption in the next five years, and nearly half of U.S. consumers plan to buy wearable technology by 2019. Each application, operating system, and device introduced to a network contains additional vulnerabilities that may be exploited by an unauthorized user. To adequately secure a network, IT managers must have the resources to not only correctly configure the security measures in each system but also to understand the risks created by any change to existing systems on the network. Exacerbating this situation is the limited supply of personnel knowledgeable in information security issues. These factors create a need for enterprises to protect the information stored in their open computing environment and also to protect the information when transmitted via the Internet. A failure to protect such information could result in business disruption and significant financial loss. Adding to the challenge of the sheer volume of Internet-connected devices, the majority of the new technological devices operate across shared platforms and systems—meaning a single security flaw can affect a wider range of technologies than ever before. In addition to providing network connectivity through a corporate campus LAN, remote network connectivity is increasingly viewed as a mission-critical function for enterprises, and we believe that corporations will increasingly look toward technologies that enable mobile workers to securely gain access to a full array of corporate resources. In fact, the remote worker population has been increasing dramatically. For example, IDC estimates the US mobile worker population will continue to grow over the next five years, increasing from 96.2 million in 2015 to 105.4 million mobile workers in 2020, which would account for three quarters (72.3%) of the total US workforce. In the end, increased connectivity creates added risk exposure for corporations, governments, and individuals. As a result, enterprise will need to invest in IT security technologies to mitigate the potential cost of IT security incidents due to this increased connectivity. We therefore believe that IT security companies that can successfully mitigate risks to enterprise, government, and home systems are poised to benefit, as attention to IT security driven by the exponential growth in connectivity increases.

Cybersecurity 210 5 September 2017

Figure 362: Software SoundBytes Regarding Connected Devices

Brad Zelnick Software SoundBytes (212) 325 6118 [email protected] Connected Devices

“Connected refrigerator manufacturers know all there is to know about the science of cooling, but what do they know about security – why should they?”

“How often are connected devices inspected? Not often. What function do they perform? Limited. So the fact half their processing power is taken over isn’t important or noticeable.”

“The key difference between a connected device and a computer is that if your computer becomes infected you are motivated to do something, if your connected refrigerator gets infected, but it still keeps food cool, do you care about your refrigerator being part of a DDOS attack?”

“I had a security team come to inspect my home, and it had been totally breached… my Wi-Fi enabled wine cooler was breached… When you come home you have nobody watching your walls… When I was compromised cost me 37,000 dollars to re-secure”

“Connected device manufacturers buy off the shelf hardware and off the shelf software; and they cobble it together fast, because they want to be first out the door with the product. So we have all these companies putting unprotected computers out into the wild.”

“In this battlefield there is a deadly and ignorant opponent – these IOT devices, and no way to make the owners even interested in discovery.”

Source: Credit Suisse Research.

Cybersecurity 211 5 September 2017

Appendix III: Who Are Those Guys? Hackers play a central role in the IT security landscape, are a diverse population, and engage in hacking for a variety of reasons. Some hack out of criminal motives; some hack to satisfy their egos or gain peer recognition; and others hack out of curiosity and for intellectual stimulation. Some hack alone, and some hack in groups, and they do so from all over the world. Interestingly, there appears to be some regional roots in hacking preferences—with Vietnamese often targeting ecommerce, Eastern Europeans predominantly attacking financial institutions, and Chinese focusing on intellectual Property. (A Look Into the Hacker Landscape, Debraj Ghosh, PhD, MBA, Senior Product Marketing Manager, Threat Protection, Office 365 at Microsoft.) Regardless of motives or characteristics, hackers tend to be classified into two groups: (1) black hats (malicious hackers) and (2) white hats (ethical hackers).

Black Hats: Know Thy Enemy In The Art of War, Sun Tzu, the renowned Chinese military strategist, opined, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” While the underlying intention of this quote is likely to remind the reader that knowing one’s own strengths and weaknesses is of critical import, cognizance of one’s enemy is also vital. Within the context of cybersecurity, not only are number, sophistication, and cost of breaches increasing, but the threat to critical IT systems is emanating from an increasing number of “enemies,” including hostile governments, terrorist groups, disgruntled employees, and malicious intruders. The following table is an excerpt from NIST 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security provides a description of various threats to control system networks:

Figure 363: United States Government Accountability Office (GAO) Threat Table

Threat Description Bot-network operators Bot-network operators are hackers; however, instead of breaking into systems for the challenge or bragging rights, they take over multiple systems in order to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available in underground markets (e.g., purchasing a denial-of-service attack, servers to relay spam, or phishing attacks, etc.).

Criminal groups Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups are using spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent.

Foreign intelligence services Foreign intelligence services use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power - impacts that could affect the daily lives of U.S. citizens across the country.

Hackers Hackers break into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.

Source: Government Accountability Office (GAO), “Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434.”

Cybersecurity 212 5 September 2017

Figure 364: United States Government Accountability Office (GAO) Threat Table continued

Threat Description Insiders The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes outsourcing vendors as well as employees who accidentally introduce malware into systems.

Phishers Individuals, or small groups, who execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware/malware to accomplish their objectives.

Spammers Individuals or organizations who distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service). Spyware/malware authors Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster.

Terrorists Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather sensitive information.

Source: Government Accountability Office (GAO), “Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434.”

Regardless of threat classification, the black hat hacker is the most fundamental element in any IT security breach. Therefore, in order to better understand the nature of cyber threats, we believe hackers’ motives and phycology profiles must be better understood.

Expert SoundBytes Interview with Dr. Gráinne Kirwan Q: Could you walk through how criminological and forensic psychological theories have evolved to explain what motivates and characterizes offenders? A: We are fortunate to have a wide range of existing theories in both criminology and forensic psychology which can help us to understand cybercriminal offenders. As many of these theories were developed with a wide range of criminal activities in mind, some are easily adapted to cybercrime. For example, while the specific traits of cybercriminals can vary, the broad facets of trait theories are still applicable to online crime. Social learning theory is also still expected to have a significant role in explaining the motivations of offenders, although it must be considered that the others who the potential offender is learning from may not be part of their offline lives, and the potential offender may not even know their true identities. Other types of criminological theories, such as geographical theories, have needed greater adaptation to online crime, due to the lack of physical borders and geographical constructs online. Nevertheless, we can still see how related theories, such as Routine Activity Theory, may have applicability to cybercrime based on the types of online activities and ‘locations’ which offenders may regularly engage in or attend. Finally, it is also possible to draw on many other theories from psychology, such as cognitive theories, which can provide insights into many aspects of human behavior, including cybercrime.

Q: According to your research, there are multiple factors influencing offenders. Could you highlight the most important factors and why these variables have the most influence?

Cybersecurity 213 5 September 2017

A: The factors influencing offenders can vary according to the type of offender. For example, peer influence in the form of social learning is thought to have an important influence on some types of offending, such as copyright infringement. However, this may have less influence on other types of offences. It is possible that offenders may feel less inhibited online than offline, and may not identify the boundary between criminal and non-criminal behavior as clearly when using Internet technologies as when they are offline. It can be easy for an individual to employ cognitive distortions to persuade themselves that what they are doing is not really criminal in nature, or to consider a criminal action to be acceptable when they cannot identify their victim or see their victim’s reaction. While popular television programs often portray psychodynamic or personality traits as being key to influencing offenders, in reality it can be difficult to determine a close relationship between these factors and offending behaviors – many who exhibit these factors do not offend, while many who offend do not exhibit these factors. In practice, it can be more useful to consider the cognitive reasoning of offenders – how do they make decisions; what influences them when deciding to commit a crime or not; what factors do they consider; what errors do they make in perception/decision making/problem solving. Not only are these more reliable indicators of potential offending behavior, but they also permit an organization to design systems which are less appealing targets, or which are more difficult to infiltrate.

Q: How should other factors, such as the socio-economic status, family status, peer relationships, and biology, be considered? A: There are many factors which have broadly been identified with higher risk of criminality – these include family composition, socio-economic status, peers, and biological factors, including neural structures, neurotransmitters, genetics, and hormones. At the moment, it is unclear how much many of these factors contribute toward cybercriminal activity. Nevertheless, peer factors, particularly in relation to social learning, has been identified as important in activities such as copyright infringement and hacktivism. At a very high level, relative deprivation on a global scale has been linked to online fraud, particularly advance fee fraud. As so many of these factors have been closely linked to criminality generally, it would be prudent to consider them as potentially important factors in cybercriminality, even if exact links have not been consistently identified or examined for all types of cybercrime.

"Criminals have been required to evolve and change in order to Q: In the late 1990s, the activities of hackers were often characterized as the digital survive, in the same version of spray-painting (“tagging”) a wall or teenage rebelliousness. Since way that those in many this time, how has the emergence of even more-malicious bad actors, other careers have been such as criminal organizations, hacktivists, and nation-states, required to adapt to altered the psychology and motives of offenders? emerging technologies." A: It is often tempting to reminisce about earlier times as being less dangerous than contemporary life. Across many aspects of criminology, it has been noted that people perceive the world of approximately 20 years ago to be considerably safer than today’s world, while for most types of crime, the available data contradicts this perception. Nevertheless, technology of the 1990s was less advanced, and less widely used than technology today, and the potential impact of cybercrime is considerably higher today. However, it should be remembered that even in the relatively early days of the Internet, malicious behavior occurred.

Cybersecurity 214 5 September 2017

As Internet technologies have become part of daily society, organized crime has naturally gravitated to it as a way of achieving goals. To not do so would be to ignore how banking, commerce, and communication has changed, and while the Internet provides additional methods of attack, any organization that maintained offline only approaches would likely find their targets diminishing in number. Criminals have been required to evolve and change in order to survive, in the same way that those in many other careers have been required to adapt to emerging technologies. Similarly, we can consider the motives and actions of nation-states to be an adaptation to changing society. So it may not be that the psychology and motivations underlying these actions have changed – these are likely to be the constant. Instead, it is the method of achieving the goal which might have changed. Finally, when considering hacktivists, it must be remembered that not all of these individuals conduct criminal acts. But the actions of these individuals may be more interesting from a psychological perspective – here the availability and affordances of the Internet have allowed individuals with a strong opinion on a topic to have a voice and engage in action which they may not have previously been able to do, either because of geographical distance, social or cultural repercussions, or risk to personal safety. The inhibition mentioned earlier may also be a factor here, as well as a reduced perception of risk of apprehension or punishment. Moral reasoning, neutralization of offending behavior, cognitive distortions and empathy may all be factors in the rise of hacktivism in recent years.

Q: How can we to counter the motivations of both professional and “recreational” offenders? A: When looking to counter the motivations of offenders, it is very important to realize that these can be very disparate. In the same way that any group of individuals might engage in the same activity for very different reasons, a selection of cybercriminals may have varying motivations for their actions. If their motivations relate to potential financial benefit, an appropriate approach would consider increasing the potential offender’s perceptions regarding the certainty of punishment (severity of punishment has relatively little impact, but if an offender believes that it is highly likely that they will be apprehended and punished, even if that punishment is mild, this can be an effective deterrent). To reduce future offending, celerity is also important – the punishment should follow swiftly after the offence. Rational Choice Theory suggests that if a potential offender can identify high risk or low reward when engaging in an activity, then they will likely avoid it. Similarly, reducing the attractiveness of a target can also help to reduce motivation to offend. While this is less straightforward to achieve in cybercriminal cases than in offline cases, target-hardening can dissuade less-experienced offenders from attacks. More experienced and skilled offenders may actually find such targets to be more attractive, and so other techniques should be employed to counter their motivations. For example, offering ‘bug for bounty’ programs may dissuade those who are motivated to test their abilities from criminality. Increasing the public perception of the organization as being generally benevolent can counter neutralizations and cognitive distortions employed by offenders, resulting in an inefficacy of such approaches in justifying the criminal behavior.

Cybersecurity 215 5 September 2017

White Hats Is the Enemy of My Enemy My Friend? Not all hackers have malicious intentions. Ethical hacking is a term coined by IBM meant to refer to a broad category of actions taken by computer security experts to ensure the security of information systems. Contrasted with a black hat, the term white hat comes from Western films, where heroic and antagonistic cowboys traditionally wore white and black hats, respectively. Some of the earliest white hat hackers were three Polish cryptologists (Marian Rejewski, Henryk Zygalski, and Jerzy Różycki) who helped defeat Nazi Germany during World War II by cracking the Enigma code. In 1932. In 1939, mathematicians Alan Turing and Gordan Welchman, along with engineer Harold Keen, leveraged the work of the Poles and designed the Bombe, an electromechanical device used to decipher Enigma’s transmissions. By 1981, The New York Times described white hat activities as part of a “mischievous but perversely positive ‘hacker’ tradition.” Today, while hackers are too often stereotyped as destructive cyber villains, many devote their skills to security research and fighting cybercrime. In fact, many IT security experts argue that the vulnerabilities of systems will be corporations’ or government’s key concerns and, therefore, suggest that addressing the constant tide of security flaws will require these organizations to embrace the hacker culture in collectively seeking out and fixing these vulnerabilities. A prime example of this unique dynamics, Google has long enjoyed a close relationship with the security research community and has maintained a Vulnerability Reward Program (VRP) for Google-owned Web properties, which has run continuously since November 2010. In January 2015, Google also launched the Vulnerability Research Grants (VRG) initiative to complement the company’s long-running Vulnerability Reward Program, with the goal of rewarding security researchers that look into the security of Google products and services even in the case when no vulnerabilities are found. In 2014 alone, Google paid more than $1.5 million to white hat hackers who reported vulnerabilities in Google’s Web properties and software. The largest single reward Google paid out was $150,000 to a “researcher” who then joined the company for an internship. Rewards for qualifying bugs range from $100 to $20,000.

Cybersecurity 216 5 September 2017

Figure 365: Rewards for Qualifying Bugs Range from $100 to $31,337. The Following Table Outlines the Usual Rewards Chosen for the Most Common Classes of Bugs:

Source: Google Vulnerability Reward Program (VRP) Rules.

Google isn’t the only major organization that participates in the burgeoning gray market where hackers and security researchers sell tools for breaking into computers and unknown vulnerabilities. In fact, according to a special report by Reuters, the largest buyer of zero-day exploits— vulnerabilities that are taken advantage of a on the same day that they become generally known—is the U.S. government, which used knowledge of some of these vulnerabilities as part of America’s offensive cyber-warfare strategy to create the Stuxnet virus in 2010, which disrupted Iran’s nuclear-research program. The buying and selling of exploits is a complicated matter, however, given most of the organizations and people paying sellers are on the offensive side of cybercrime, cyber-spying, and cyber-weapons.12 We interviewed Dr. Gráinne Kirwan, Chartered Psychologist and Lecturer in Cyberpsychology and Forensic Psychology at Dun Laoghaire Institute of Art, Design, and Technology, to better understand the psychological aspects of cybercrime and how criminological and forensic psychological theories explain what motivates and characterizes offenders. Dr. Kirwan has co-authored/co-edited four books in this area: (1) Cybercrime: The Psychology of Online Offenders, (2) Cyberpsychology and New Media: A Thematic Reader, (3) The Psychology of Cyber Crime: Concepts and Principles, and (4) An Introduction to Cyberpsychology. She is the Managing Editor of the International Journal of Cyber Criminology.

Cybersecurity 217 5 September 2017

"The question of when Interview with Keren Elazari an organization knows that a breach has taken Q: Do you classify yourself as a hacker? place, and how it A: Yes, I am proud to call myself a hacker and I’ve always felt this was my calling. Ever happened, is the most since I was 14 years' old and saw the film “Hackers” with Angelina Jolie. critical thing and we see that many incidents go by My idea of a hacker is somewhat romantic, but I consider the friendly and ethical hackers un-noticed until an out there in the world as a vital part of culture, society, and the economy, pushing forward outside party like makes the evolution of technology and acting as a much needed “immune system” for the everyone realize what information age. happened." I wear many professional hats: strategic advisor, business analyst, academic researcher and author. I’ve worked as a security architect, risk management consultant and product manager, yet throughout any role and in any organization, I’ve always held that hacker – hero ethos at heart.

Q: How has the threat landscape changed in terms of the emergence of even more- malicious bad actors, such as criminal organizations, hacktivists, and nation-states? A: In my opinion, the most important element of today’s threat landscape is not who. It’s when. The question of when an organization knows that a breach has taken place, and how it happened, is the most critical thing, and we see that many incidents go by unnoticed until an outside party like a law enforcement agency, a media outlet, or a data leak (sometimes also called “dump”) makes everyone realize what happened – that’s much too late for any organization to prevent the damages and revert back to normal operations. That’s why I think today’s businesses must develop both adaptability and resilience – that comes from investing in security know how, training, human resources and not just from the latest technologies on the market. Threat intelligence is one element that could help prepare an organization of a coming attack, but it’s far from a cure to all the problems. Another important aspect is to remember that no organization stands alone. Cybercriminals know exactly how to find the low-hanging fruits, the weaknesses, and opportunities represented by a third-party supplier, a partner, a customer, or even an unhappy, or simply naïve, employee within the enterprises so called “secured” perimeter. Prevention is better than any cure, and to achieve security resilience organizations must wake up and smell the coffee to understand cyber security affects every aspect of the business, in every industry, and security is a constant journey – not a destination you can reach and then forget about.

"Today’s businesses must develop both Q: In your speaking tours, you have argued that hackers offer an opportunity to boost adaptability and cybersecurity and have advocated for greater collaboration between resilience – that comes security professionals and hackers. Please explain your from investing in security position and thought process, especially in the know how, training, context of your response to our human resources and first two questions. not just from the latest technologies on the A: It’s my personal belief that the global hacker community has many friendly and ethical market." hackers within it, and I see this in person every year when I attend the annual “hackers convention”, DEFCON, where 20 thousand people converge in Las Vegas for a weekend of hacking and learning – are they call criminals? I don’t think so.

Cybersecurity 218 5 September 2017

One simple way for any organization to become safer is to actively encourage your security teams to go forth and participate in the events run by the global hacker community. You would be surprised, how many local hacking events happen everywhere – maybe even in your neighborhood! By going to such an event, you can meet hackers in person and hear their valuable security research insights in real time – there’s a global network of such events called Security Bsides, for example – even in Zurich (see here) or Tel Aviv (see here) where I host it. An even more important aspect is to participate in the conversations that take place online – all the time, in chat rooms, twitter, and mailing lists. You’ll find thousands of passionate contributors each seeking advice, sharing knowledge, and sometimes even “dropping a zero day”, which means releasing details of a never-before-seen software vulnerability. I think it’s vital to be a part of that conversation, and if you can’t find your way, you should trust a friendly hacker to lead the way, as we are the digital natives of the online underground.

Q: Google has been a long-standing, vocal advocate of the white hat community? Have other companies and industries started to take note of collaboration with white hats, and could you walk through some examples of the benefits captured? A: The topic of fruitful collaboration between established companies and institutions and global hacker & individual security research community is the focus of my academic research in the past two years. I’ve looked at the data behind some of the biggest “bug bounty” programs out there – these are the business frameworks that allow companies like Google, Facebook, and even Tesla or Western Union to actively engage and encourage the vital security research work done by hackers, rewarding reports of important bugs and vulnerabilities found by individual hackers. These programs have already created incredible value to the companies that operate them: Facebook has paid out more than $4.3 million to 800+ researchers in the five years of operating their program. They received details about thousands of bugs affecting more than 1 billion users worldwide. For reference, consider that the budget to recruit, hire, and employ a single security engineer for a full time position at Facebook HQ in Menlo Park, California would probably be around $200,000 for one year. So for the average cost of hiring five more engineers per year, this global giant of social media and messaging was able to support and harness the work of hundreds of ethical hackers, all over the world, and make the FB platform that much safer. That’s the primary benefit of these programs, but it doesn’t stop there. Data from the Google VRP program shows that in the year 2014 many of the important bugs discovered were reported by hackers in the Africa and Asia regions. Looking at other programs, I’ve learned that ethical hackers in certain countries are getting the first-ever opportunity to be legitimately paid for security research work. To me, this presents a potential force of disruption and an alternative to the underground, criminal pathways of hacker life. That’s why I’m hopeful and excited about more such programs, and you can see why traditional companies like Mastercard and Fiat Chrysler USA are adopting these models too.

Cybersecurity 219 5 September 2017

Companies Mentioned (Price as of 01-Sep-2017) 3M (MMM.N, $203.56) 8x8 (EGHT.OQ, $13.95) AOL, Inc. (AOL.N^F15) AOL, Inc. (AOL.N^F15) AOL, Inc. (AOL.N^F15) Airbnb (Unlisted) Akamai Technologies, Inc. (AKAM.OQ, $47.08) Alphabet (GOOGL.OQ, $951.99) Altaba Inc. (AABA.OQ, $64.05) Amazon com Inc. (AMZN.OQ, $978.25) Anthem, Inc. (ANTM.N, $197.43) Apple Inc (AAPL.OQ, $164.05) Arista Networks (ANET.N, $177.49) Autodesk Inc. (ADSK.OQ, $113.71) Benefitfocus (BNFT.OQ, $30.8) Betfair Group PLC (BETF.L^B16) Betfair Group PLC (BETF.L^B16) Betfair Group PLC (BETF.L^B16) CA Inc. (CA.OQ, $33.26) Callidus (CBL.TO, C$11.08) Callidus Software Inc. (CALD.OQ, $25.0) Champion Tech (0092.HK, HK$0.089) Check Point Software Technologies Ltd. (CHKP.OQ, $110.89, NEUTRAL, TP $110.0) Cisco Systems Inc. (CSCO.OQ, $32.3) Citigroup Inc. (C.N, $68.58) Citrix Systems Inc. (CTXS.OQ, $78.52) Compaq Computer (CPQ.NÊ02) Compaq Computer (CPQ.NÊ02) Compaq Computer (CPQ.NÊ02) Cornerstone OnDemand, Inc. (CSOD.OQ, $35.86) Cyberark Softwr (CYBR.OQ, $41.45) Dell Inc. (DELL.OQ^J13) Dell Inc. (DELL.OQ^J13) Dell Inc. (DELL.OQ^J13) Equinix, Inc. (EQIX.OQ, $465.96) Experian (EXPN.L, 1550.0p) F5 Networks (FFIV.OQ, $118.57) Facebook Inc. (FB.OQ, $172.02) Fiat Chrysler Automobile (FCHA.MI, €13.34) FireEye (FEYE.OQ, $14.89) Fortinet, Inc. (FTNT.OQ, $38.3, UNDERPERFORM, TP $33.0) Foundry Networks (FDRY.OQ^L08) Foundry Networks (FDRY.OQ^L08) Foundry Networks (FDRY.OQ^L08) Gateway (GTW.N^J07) Gateway (GTW.N^J07) Gateway (GTW.N^J07) Gigamon (GIMO.N, $43.65) Guidewire (GWRE.N, $75.8) Home Depot (HD.N, $150.78) Honeywell International Inc. (HON.N, $137.63) Hortonworks, Inc. (HDP.OQ, $17.28) HubSpot (HUBS.N, $73.15) Imperva (IMPV.OQ, $44.9) Intel Corp. (INTC.OQ, $35.09) Intercontinental Hotels (IHG.L, 3867.0p) International Business Machines Corp. (IBM.N, $144.08) Intuit Inc. (INTU.OQ, $141.9) JPMorgan Chase & Co. (JPM.N, $91.7) KalugaPutMash (KPMGI.RTS^C16) KalugaPutMash (KPMGI.RTS^C16) KalugaPutMash (KPMGI.RTS^C16) LogMeIn (LOGM.OQ, $116.5) Manhattan Assoc (MANH.OQ, $42.85) MasterCard Inc. (MA.N, $133.24) McAfee Inc. (MFE.N^C11) McAfee Inc. (MFE.N^C11) McAfee Inc. (MFE.N^C11) MicroStrategy (MSTR.OQ, $128.5) Microsoft (MSFT.OQ, $73.94) Mimecast (MIME.OQ, $26.31) Netflix, Inc. (NFLX.OQ, $174.74) NeuStar Inc. (NSR.N^H17) NeuStar Inc. (NSR.N^H17) NeuStar Inc. (NSR.N^H17) New Relic (NEWR.N, $47.98) Nice (NICE.OQ, $78.57) Nintendo (7974.T, ¥36,800) Nokia (NOK.N, $6.22) Nokia (NOKIA.HE, €5.24) Okta (OKTA.OQ, $26.59) Open Text Corporation (OTEX.OQ, $32.36) Palo Alto Networks, Inc. (PANW.N, $146.67, UNDERPERFORM, TP $125.0) Paylocity Hldg (PCTY.OQ, $48.49) Pegasystems (PEGA.OQ, $57.65) Progress Sftw (PRGS.OQ, $33.46)

Cybersecurity 220 5 September 2017

Proofpoint (PFPT.OQ, $91.7) QUALCOMM Inc. (QCOM.OQ, $52.05) Qualys (QLYS.OQ, $48.25) Rapid7 (RPD.OQ, $17.24) RealPage, Inc. (RP.OQ, $43.3) Red Hat, Inc. (RHT.N, $107.46) Right Management (RHT.NÂ04) Right Management (RHT.NÂ04) Right Management (RHT.NÂ04) RingCentral, Inc. (RNG.N, $42.35) Royal Bank of Scotland (RBS.L, 252.8p) SAP (SAPG.F, €88.549) Salesforce.com (CRM.N, $96.01) Sony (6758.T, ¥4,376) Sophos Group (SOPH.L, 532.5p) Splunk, Inc. (SPLK.OQ, $67.4) Symantec Corporation (SYMC.OQ, $29.86) TDC (TDC.CO, Dkr37.17) Tableau Software, Inc. (DATA.N, $72.66) Talend (TLND.OQ, $39.71) TalkTalk (TALK.L, 200.7p) Team (TISI.N, $12.6) Teradata Corp (TDC.N, $32.19) Tesla Motors Inc. (TSLA.OQ, $355.4) The TJX Companies, Inc. (TJX.N, $72.38) Thomson Reuters Corporation (TRI.N, $45.47) Trend Micro (TMIC.OQÊ07) Trend Micro (TMIC.OQÊ07) Trend Micro (TMIC.OQÊ07) Trend Micro (TMIC.OQÊ07) Twilio (TWLO.N, $28.96) Ultimate Software (ULTI.OQ, $199.81) VMware Inc. (VMW.N, $107.48) Veeva Systems (VEEV.N, $59.72) VeriSign Inc. (VRSN.OQ, $103.94) Watchguard Tech (WGRD.OQ^J06) Watchguard Tech (WGRD.OQ^J06) Watchguard Tech (WGRD.OQ^J06) Western Union (WU.N, $18.79) Workday Inc (WDAY.N, $108.84) Zendesk (ZEN.N, $27.48) eBay Inc. (EBAY.OQ, $36.35)

Disclosure Appendix Analyst Certification I, Brad Zelnick, certify that (1) the views expressed in this report accurately reflect my personal views about all of the subject companies and securities and (2) no part of my compensation was, is or will be directly or indirectly related to the specific recommendations or views expressed in this report.

3-Year Price and Rating History for Check Point Software Technologies Ltd. (CHKP.OQ)

CHKP.OQ Closing Price Target Price Date (US$) (US$) Rating 23-Oct-14 71.00 77.50 O 29-Jan-15 78.50 85.00 20-Apr-15 85.88 95.00 07-Jul-16 81.86 NC * Asterisk signifies initiation or assumption of coverage. Effective July 3, 2016, NC denotes termination of coverage.

OUTPERFORM NOT COVERED

Cybersecurity 221 5 September 2017

3-Year Price and Rating History for Nokia (NOKIA.HE)

NOKIA.HE Closing Price Target Price Date (€) (€) Rating 24-Oct-14 6.63 7.75 O 30-Jan-15 6.84 8.00 16-Apr-15 7.27 8.10 N 01-May-15 6.04 6.80 31-Jul-15 6.43 7.00 01-Dec-15 6.96 9.00 O 12-Feb-16 5.22 8.20 11-May-16 4.64 7.30 13-Jul-16 5.31 7.25 05-Aug-16 4.92 6.75 OUTPERFORM NEUTRAL 01-Nov-16 3.97 5.50 16-Nov-16 3.84 5.35 28-Apr-17 5.25 5.75 28-Jul-17 5.39 6.00 * Asterisk signifies initiation or assumption of coverage.

3-Year Price and Rating History for Palo Alto Networks, Inc. (PANW.N)

PANW.N Closing Price Target Price Date (US$) (US$) Rating 09-Sep-14 89.28 110.00 O 24-Nov-14 113.26 135.00 02-Mar-15 145.98 165.00 27-May-15 160.65 190.00 09-Sep-15 165.17 215.00 23-Nov-15 172.02 225.00 07-Jul-16 121.63 NC * Asterisk signifies initiation or assumption of coverage.

Effective July 3, 2016, NC denotes termination of coverage. OUTPERFORM NOT COVERED

The analyst(s) responsible for preparing this research report received Compensation that is based upon various factors including Credit Suisse's total revenues, a portion of which are generated by Credit Suisse's investment banking activities As of December 10, 2012 Analysts’ stock rating are defined as follows: Outperform (O) : The stock’s total return is expected to outperform the relevant benchmark* over the next 12 months. Neutral (N) : The stock’s total return is expected to be in line with the relevant benchmark* over the next 12 months. Underperform (U) : The stock’s total return is expected to underperform the relevant benchmark* over the next 12 months. *Relevant benchmark by region: As of 10th December 2012, Japanese ratings are based on a stock’s total return relative to the analyst's coverage universe which consists of all companies covered by the analyst within the relevant sector, with Outperforms representing the most attractiv e, Neutrals the less attractive, and Underperforms the least attractive investment opportunities. As of 2nd October 2012, U.S. and Canadian as well as European ratings are based on a stock’s total return relative to the analyst's coverage universe which consists of all companies covered by the analyst withi n the relevant sector, with Outperforms representing the most attractive, Neutrals the less attractive, and Underperforms the least attractive investment opportunities. For Latin Ame rican and non-Japan Asia stocks, ratings are based on a stock’s total return relative to the average total return of the relevant country or regional benchmark; prior to 2nd October 2012 U.S. and Can adian ratings were based on (1) a stock’s absolute total return potential to its current share price and (2) the relative attractiv eness of a stock’s total return potential within an analyst’s coverage universe. For Australian and New Zealand stocks, the expected total return (ETR) calculation includes 1 2-month rolling dividend yield. An Outperform rating is assigned where an ETR is greater than or equal to 7.5%; Underperform where an ETR less than or equal to 5%. A Neutral may be assigned where the ETR is between -5% and 15%. The overlapping rating range allows analysts to assign a rating that puts ETR in the context of associated ris ks. Prior to 18 May 2015, ETR ranges for Outperform and Underperform ratings did not overlap with Neutral thresholds between 15% and 7.5%, wh ich was in operation from 7 July 2011. Restricted (R) : In certain circumstances, Credit Suisse policy and/or applicable law and regulations preclude certain types of communications, including an investment recommendation, during the course of Credit Suisse's engagement in an investment banking transaction and in certain other circumstances. Not Rated (NR) : Credit Suisse Equity Research does not have an investment rating or view on the stock or any other securities related to the company at this time. Not Covered (NC) : Credit Suisse Equity Research does not provide ongoing coverage of the company or offer an investment rating or investment view on the equity security of the company or related products.

Cybersecurity 222 5 September 2017

Volatility Indicator [V] : A stock is defined as volatile if the stock price has moved up or down by 20% or more in a month in at least 8 of the past 24 months or the analyst expects significant volatility going forward. Analysts’ sector weightings are distinct from analysts’ stock ratings and are based on the analyst’s expectations for the fundamentals and/or valuation of the sector* relative to the group’s historic fundamentals and/or valuation: Overweight : The analyst’s expectation for the sector’s fundamentals and/or valuation is favorable over the next 12 months. Market Weight : The analyst’s expectation for the sector’s fundamentals and/or valuation is neutral over the next 12 months. Underweight : The analyst’s expectation for the sector’s fundamentals and/or valuation is cautious over the next 12 months. *An analyst’s coverage sector consists of all companies covered by the analyst within the relevant sector. An analyst may cover multiple sectors. Credit Suisse's distribution of stock ratings (and banking clients) is:

Global Ratings Distribution Rating Versus universe (%) Of which banking clients (%) Outperform/Buy* 44% (64% banking clients) Neutral/Hold* 40% (60% banking clients) Underperform/Sell* 14% (52% banking clients) Restricted 2% *For purposes of the NYSE and FINRA ratings distribution disclosure requirements, our stock ratings of Outperform, Neutral, a nd Underperform most closely correspond to Buy, Hold, and Sell, respectively; however, the meanings are not the same, as our stock ratings are determined on a relative bas is. (Please refer to definitions above.) An investor's decision to buy or sell a security should be based on investment objectives, current holdings, and other individual factors. Important Global Disclosures Credit Suisse’s research reports are made available to clients through our proprietary research portal on CS PLUS. Credit Suisse research products may also be made available through third-party vendors or alternate electronic means as a convenience. Certain research products are only made available through CS PLUS. The services provided by Credit Suisse’s analysts to clients may depend on a specific client’s preferences regarding the frequency and manner of receiving communications, the client’s risk profile and investment, the size and scope of the overall client relationship with the Firm, as well as legal and regulatory constraints. To access all of Credit Suisse’s research that you are entitled to receive in the most timely manner, please contact your sales representative or go to https://plus.credit-suisse.com . Credit Suisse’s policy is to update research reports as it deems appropriate, based on developments with the subject company, the sector or the market that may have a material impact on the research views or opinions stated herein. Credit Suisse's policy is only to publish investment research that is impartial, independent, clear, fair and not misleading. For more detail please refer to Credit Suisse's Policies for Managing Conflicts of Interest in connection with Investment Research: https://www.credit- suisse.com/sites/disclaimers-ib/en/managing-conflicts.html . Credit Suisse does not provide any tax advice. Any statement herein regarding any US federal tax is not intended or written to be used, and cannot be used, by any taxpayer for the purposes of avoiding any penalties. Credit Suisse has decided not to enter into business relationships with companies that Credit Suisse has determined to be involved in the development, manufacture, or acquisition of anti-personnel mines and cluster munitions. For Credit Suisse's position on the issue, please see https://www.credit-suisse.com/media/assets/corporate/docs/about-us/responsibility/banking/policy-summaries-en.pdf .

Target Price and Rating Valuation Methodology and Risks: (12 months) for Check Point Software Technologies Ltd. (CHKP.OQ) Method: Our base case assumes a 5 year transition period with FCF growth declining smoothly from an estimated 6% in 2020. This scenario assumes the firewall market decelerates broadly in line with our expectations, and Check Point successfully weathers the transition, but is then, more than ever, a lower growth, true 'legacy' vendor. This scenario results in a target price of $110 and a Neutral rating. Risk: If market conditions deteriorate, competition in the firewall/VPN market increases, and pricing pressure increases, the assumptions for achieving our $110 target price, and thus our Neutral rating, for CHKP may be affected. We are also cautious on its long-term ability to sustain strong year-over-year growth rates while maintaining, and possibly improving, margins, given the long-term slower growth profile of the firewall/VPN market and an increasing competitive environment. Target Price and Rating Valuation Methodology and Risks: (12 months) for Fortinet, Inc. (FTNT.OQ) Method: In addition to substantive relative valuation work, which informs our Underperform rating, we estimate the intrinsic value for Fortinet at $33/share. Our base case assumes a 5 year transition period with FCF growth declining smoothly from an estimated 6% in 2020. This scenario assumes the firewall market decelerates broadly in line with our expectations (we model a 1.0% terminal growth rate from 2026E). Risk: The key risk to our $33/share price target and Underperform rating are that FTNT transitions organically via innovation, or inorganically via acquisition, into a successful cloud first vendor. Another risk is its becoming a strategic target, FTNT is smaller in terms of EV than CHKP or PANW therefore this risk is more pronounced, but beware a Netscreen repeat. Target Price and Rating Valuation Methodology and Risks: (12 months) for Palo Alto Networks, Inc. (PANW.N) Method: Our $125 target price and Underperform rating are based on our DCF analysis, which assumes an 8% FCF CAGR over the next 10 years. This assumes a five-year transition period with FCF growth declining smoothly from an estimated 11% in 2021. This scenario assumes the

Cybersecurity 223 5 September 2017

firewall market decelerates broadly in line with our expectations (we model a 1% terminal growth rate from 2027E), and PANW experiences enhanced competition from peers through its refresh cycle. Risk: There are three key risks to our $125 target price and underperform rating. (1) Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity and has showed willingness to deploy it in a transformational manner when reportedly bidding upward of $3 billion for Tanium in fall 2015. (2) Strength and Resilience of Financial Model: The overall execution of the transition to a subscription-based model may prove more successful than anticipated and could provide access to the >$8 billion CLTV expansion opportunity that management estimates. (3) Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could become a potential target for a strategic buyer seeking to consolidate the market.

Please refer to the firm's disclosure website at https://rave.credit-suisse.com/disclosures/view/selectArchive for the definitions of abbreviations typically used in the target price method and risk sections. See the Companies Mentioned section for full company names Credit Suisse currently has, or had within the past 12 months, the following as investment banking client(s): PANW.N, FTNT.OQ, NOKIA.HE Credit Suisse currently has, or had within the past 12 months, the following issuer(s) as client(s), and the services provided were non-investment- banking, securities-related: NOKIA.HE Credit Suisse expects to receive or intends to seek investment banking related compensation from the subject company (PANW.N, FTNT.OQ, NOKIA.HE) within the next 3 months. Within the last 12 months, Credit Suisse has received compensation for non-investment banking services or products from the following issuer(s): NOKIA.HE A member of the Credit Suisse Group is party to an agreement with, or may have provided services set out in sections A and B of Annex I of Directive 2014/65/EU of the European Parliament and Council ("MiFID Services") to, the subject issuer (PANW.N, FTNT.OQ, NOKIA.HE) within the past 12 months. For date and time of production, dissemination and history of recommendation for the subject company(ies) featured in this report, disseminated within the past 12 months, please refer to the link: https://rave.credit-suisse.com/disclosures/view/report?i=319017&v=-43wat4pxqbc0fkklbuyxqsywc . Important Regional Disclosures Singapore recipients should contact Credit Suisse AG, Singapore Branch for any matters arising from this research report. The analyst(s) involved in the preparation of this report may participate in events hosted by the subject company, including site visits. Credit Suisse does not accept or permit analysts to accept payment or reimbursement for travel expenses associated with these events. Restrictions on certain Canadian securities are indicated by the following abbreviations: NVS--Non-Voting shares; RVS--Restricted Voting Shares; SVS--Subordinate Voting Shares. Individuals receiving this report from a Canadian investment dealer that is not affiliated with Credit Suisse should be advised that this report may not contain regulatory disclosures the non-affiliated Canadian investment dealer would be required to make if this were its own report. For Credit Suisse Securities (Canada), Inc.'s policies and procedures regarding the dissemination of equity research, please visit https://www.credit- suisse.com/sites/disclaimers-ib/en/canada-research-policy.html. Principal is not guaranteed in the case of equities because equity prices are variable. Commission is the commission rate or the amount agreed with a customer when setting up an account or at any time after that. This research report is authored by: Credit Suisse Securities (USA) LLC ...... Brad Zelnick ; Jobin Mathew ; Syed Talha Saleem, CFA Important Credit Suisse HOLT Disclosures With respect to the analysis in this report based on the Credit Suisse HOLT methodology, Credit Suisse certifies that (1) the views expressed in this report accurately reflect the Credit Suisse HOLT methodology and (2) no part of the Firm’s compensation was, is, or will be directly related to the specific views disclosed in this report. The Credit Suisse HOLT methodology does not assign ratings to a security. It is an analytical tool that involves use of a set of proprietary quantitative algorithms and warranted value calculations, collectively called the Credit Suisse HOLT valuation model, that are consistently applied to all the companies included in its database. Third-party data (including consensus earnings estimates) are systematically translated into a number of default algorithms available in the Credit Suisse HOLT valuation model. The source financial statement, pricing, and earnings data provided by outside data vendors are subject to quality control and may also be adjusted to more closely measure the underlying economics of firm performance. The adjustments provide consistency when analyzing a single company across time, or analyzing multiple companies across industries or national borders. The default scenario that is produced by the Credit Suisse HOLT valuation model establishes the baseline valuation for a security, and a user then may adjust the default variables to produce alternative scenarios, any of which could occur. Additional information about the Credit Suisse HOLT methodology is available on request. The Credit Suisse HOLT methodology does not assign a price target to a security. The default scenario that is produced by the Credit Suisse HOLT valuation model establishes a warranted price for a security, and as the third-party data are updated, the warranted price may also change. The default variable may also be adjusted to produce alternative warranted prices, any of which could occur. CFROI®, HOLT, HOLTfolio, ValueSearch, AggreGator, Signal Flag and “Powered by HOLT” are trademarks or service marks or registered trademarks or registered service marks of Credit Suisse or its affiliates in the United States and other countries. HOLT is a corporate performance and valuation advisory service of Credit Suisse. Important disclosures regarding companies or other issuers that are the subject of this report are available on Credit Suisse’s disclosure website at https://rave.credit-suisse.com/disclosures or by calling +1 (877) 291-2683.

Cybersecurity 224 5 September 2017

This report is produced by subsidiaries and affiliates of Credit Suisse operating under its Global Markets Division. For more information on our structure, please use the following link: https://www.credit-suisse.com/who-we-are This report may contain material that is not directed to, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation or which would subject Credit Suisse or its affiliates ("CS") to any registration or licensing requirement within such jurisdiction. All material presented in this report, unless specifically indicated otherwise, is under copyright to CS. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of CS. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of CS or its affiliates.The information, tools and material presented in this report are provided to you for information purposes only and are not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. CS may not have taken any steps to ensure that the securities referred to in this report are suitable for any particular investor. CS will not treat recipients of this report as its customers by virtue of their receiving this report. The investments and services contained or referred to in this report may not be suitable for you and it is recommended that you consult an independent investment advisor if you are in doubt about such investments or investment services. Nothing in this report constitutes investment, legal, accounting or tax advice, or a representation that any investment or strategy is suitable or appropriate to your individual circumstances, or otherwise constitutes a personal recommendation to you. CS does not advise on the tax consequences of investments and you are advised to contact an independent tax adviser. Please note in particular that the bases and levels of taxation may change. Information and opinions presented in this report have been obtained or derived from sources believed by CS to be reliable, but CS makes no representation as to their accuracy or completeness. CS accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that such liability arises under specific statutes or regulations applicable to CS. This report is not to be relied upon in substitution for the exercise of independent judgment. CS may have issued, and may in the future issue, other communications that are inconsistent with, and reach different conclusions from, the information presented in this report. Those communications reflect the different assumptions, views and analytical methods of the analysts who prepared them and CS is under no obligation to ensure that such other communications are brought to the attention of any recipient of this report. Some investments referred to in this report will be offered solely by a single entity and in the case of some investments solely by CS, or an associate of CS or CS may be the only market maker in such investments. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a judgment at its original date of publication by CS and are subject to change without notice. The price, value of and income from any of the securities or financial instruments mentioned in this report can fall as well as rise. The value of securities and financial instruments is subject to exchange rate fluctuation that may have a positive or adverse effect on the price or income of such securities or financial instruments. Investors in securities such as ADR's, the values of which are influenced by currency volatility, effectively assume this risk. Structured securities are complex instruments, typically involve a high degree of risk and are intended for sale only to sophisticated investors who are capable of understanding and assuming the risks involved. The market value of any structured security may be affected by changes in economic, financial and political factors (including, but not limited to, spot and forward interest and exchange rates), time to maturity, market conditions and volatility, and the credit quality of any issuer or reference issuer. Any investor interested in purchasing a structured product should conduct their own investigation and analysis of the product and consult with their own professional advisers as to the risks involved in making such a purchase. Some investments discussed in this report may have a high level of volatility. High volatility investments may experience sudden and large falls in their value causing losses when that investment is realised. Those losses may equal your original investment. Indeed, in the case of some investments the potential losses may exceed the amount of initial investment and, in such circumstances, you may be required to pay more money to support those losses. Income yields from investments may fluctuate and, in consequence, initial capital paid to make the investment may be used as part of that income yield. Some investments may not be readily realisable and it may be difficult to sell or realise those investments, similarly it may prove difficult for you to obtain reliable information about the value, or risks, to which such an investment is exposed. This report may provide the addresses of, or contain hyperlinks to, websites. Except to the extent to which the report refers to website material of CS, CS has not reviewed any such site and takes no responsibility for the content contained therein. Such address or hyperlink (including addresses or hyperlinks to CS's own website material) is provided solely for your convenience and information and the content of any such website does not in any way form part of this document. Accessing such website or following such link through this report or CS's website shall be at your own risk. This report is issued and distributed in European Union (except Switzerland): by Credit Suisse Securities (Europe) Limited, One Cabot Square, London E14 4QJ, England, which is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Germany: Credit Suisse Securities (Europe) Limited Niederlassung Frankfurt am Main regulated by the Bundesanstalt fuer Finanzdienstleistungsaufsicht ("BaFin"). United States and Canada: Credit Suisse Securities (USA) LLC; Switzerland: Credit Suisse AG; Brazil: Banco de Investimentos Credit Suisse (Brasil) S.A or its affiliates; Mexico: Banco Credit Suisse (México), S.A. (transactions related to the securities mentioned in this report will only be effected in compliance with applicable regulation); Japan: by Credit Suisse Securities (Japan) Limited, Financial Instruments Firm, Director-General of Kanto Local Finance Bureau ( Kinsho) No. 66, a member of Japan Securities Dealers Association, The Financial Futures Association of Japan, Japan Investment Advisers Association, Type II Financial Instruments Firms Association; Hong Kong: Credit Suisse (Hong Kong) Limited; Australia: Credit Suisse Equities (Australia) Limited; Thailand: Credit Suisse Securities (Thailand) Limited, regulated by the Office of the Securities and Exchange Commission, Thailand, having registered address at 990 Abdulrahim Place, 27th Floor, Unit 2701, Rama IV Road, Silom, Bangrak, Bangkok10500, Thailand, Tel. +66 2614 6000; Malaysia: Credit Suisse Securities (Malaysia) Sdn Bhd; Singapore: Credit Suisse AG, Singapore Branch; India: Credit Suisse Securities (India) Private Limited (CIN no.U67120MH1996PTC104392) regulated by the Securities and Exchange Board of India as Research Analyst (registration no. INH 000001030) and as Stock Broker (registration no. INB230970637; INF230970637; INB010970631; INF010970631), having registered address at 9th Floor, Ceejay House, Dr.A.B. Road, Worli, Mumbai - 18, India, T- +91-22 6777 3777; South Korea: Credit Suisse Securities (Europe) Limited, Seoul Branch; Taiwan: Credit Suisse AG Taipei Securities Branch; Indonesia: PT Credit Suisse Sekuritas Indonesia; Philippines:Credit Suisse Securities (Philippines ) Inc., and elsewhere in the world by the relevant authorised affiliate of the above. Additional Regional Disclaimers Hong Kong: Credit Suisse (Hong Kong) Limited ("CSHK") is licensed and regulated by the Securities and Futures Commission of Hong Kong under the laws of Hong Kong, which differ from Australian laws. CSHKL does not hold an Australian financial services licence (AFSL) and is exempt from the requirement to hold an AFSL under the Corporations Act 2001 (the Act) under Class Order 03/1103 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Act). Research on Taiwanese securities produced by Credit Suisse AG, Taipei Securities Branch has been prepared by a registered Senior Business Person. Australia (to the extent services are offered in Australia): Credit Suisse Securities (Europe) Limited (“CSSEL”) and Credit Suisse International (“CSI”) are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority under UK laws, which differ from Australian Laws. CSSEL and CSI do not hold an Australian Financial Services Licence (“AFSL”) and are exempt from the requirement to hold an AFSL under the Corporations Act (Cth) 2001 (“Corporations Act”) under Class Order 03/1099 published by the Australian Securities and Investments Commission (“ASIC”), in respect of the financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). This material is not for distribution to retail clients and is directed exclusively at Credit Suisse's professional clients and eligible counterparties as defined by the FCA, and wholesale clients as defined under section 761G of the Corporations Act. Credit Suisse (Hong Kong) Limited (“CSHK”) is licensed and regulated by the Securities and Futures Commission of Hong Kong under the laws of Hong Kong, which differ from Australian laws. CSHKL does not hold an AFSL and is exempt from the requirement to hold an AFSL under the Corporations Act under Class Order 03/1103 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). Credit Suisse Securities (USA) LLC (CSSU) and Credit Suisse Asset Management LLC (CSAM LLC) are licensed and regulated by the Securities Exchange Commission of the United States under the laws of the United States, which differ from Australian laws. CSSU and CSAM LLC do not hold an AFSL and is exempt from the requirement to hold an AFSL under the Corporations Act under Class Order 03/1100 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). Malaysia: Research provided to residents of Malaysia is authorised by the Head of Research for Credit Suisse Securities (Malaysia) Sdn Bhd, to whom they should direct any queries on +603 2723 2020. Singapore: This report has been prepared and issued for distribution in Singapore to institutional investors, accredited investors and expert investors (each as defined under the Financial Advisers Regulations) only, and is also distributed by Credit Suisse AG, Singapore Branch to overseas investors (as defined under the Financial Advisers Regulations). Credit Suisse AG, Singapore Branch may distribute reports produced by its foreign entities or affiliates pursuant to an arrangement under Regulation 32C of the Financial Advisers Regulations. Singapore recipients should contact Credit Suisse AG, Singapore Branch at +65-6212-2000 for matters arising from, or in connection with, this report. By virtue of your status as an institutional investor, accredited investor, expert investor or overseas investor, Credit Suisse AG, Singapore Branch is exempted from complying with certain compliance requirements under the Financial Advisers Act, Chapter 110 of Singapore (the “FAA”), the Financial Advisers Regulations and the relevant Notices and Guidelines issued thereunder, in respect of any financial advisory service which Credit Suisse AG, Singapore Branch may provide to you. UAE: This information is being distributed by Credit Suisse AG (DIFC Branch), duly licensed and regulated by the Dubai Financial Services Authority (“DFSA”). Related financial services or products are only made available to Professional Clients or Market Counterparties, as defined by the DFSA, and are not intended for any other persons. Credit Suisse AG (DIFC Branch) is located on Level 9 East, The Gate Building, DIFC, Dubai, United Arab Emirates. EU: This report has been produced by subsidiaries and affiliates of Credit Suisse operating under its Global Markets Division In jurisdictions where CS is not already registered or licensed to trade in securities, transactions will only be effected in accordance with applicable securities legislation, which will vary from jurisdiction to jurisdiction and may require that the trade be made in accordance with applicable exemptions from registration or licensing requirements. Non-US customers wishing to effect a transaction should contact a CS entity in their local jurisdiction unless governing law permits otherwise. US customers wishing to effect a transaction should do so only by contacting a representative at Credit Suisse Securities (USA) LLC in the US. Please note that this research was originally prepared and issued by CS for distribution to their market professional and institutional investor customers. Recipients who are not market professional or institutional investor customers of CS should seek the advice of their independent financial advisor prior to taking any investment decision based on this report or for any necessary explanation of its contents. This research may relate to investments or services of a person outside of the UK or to other matters which are not authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority or in respect of which the protections of the Prudential Regulation Authority and Financial Conduct Authority for private customers and/or the UK compensation scheme may not be available, and further details as to where this may be the case are available upon request in respect of this report. CS may provide various services to US municipal entities or obligated persons ("municipalities"), including suggesting individual transactions or trades and entering into such transactions. Any services CS provides to municipalities are not viewed as "advice" within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. CS is providing any such services and related information solely on an arm's length basis and not as an advisor or fiduciary to the municipality. In connection with the provision of the any such services, there is no agreement, direct or indirect, between any municipality (including the officials,management, employees or agents thereof) and CS for CS to provide advice to the municipality. Municipalities should consult with their financial, accounting and legal advisors regarding any such services provided by CS. In addition, CS is not acting for direct or indirect compensation to solicit the municipality on behalf of an unaffiliated broker, dealer, municipal securities dealer, municipal advisor, or investment adviser for the purpose of obtaining or retaining an engagement by the municipality for or in connection with Municipal Financial Products, the issuance of municipal securities, or of an investment adviser to provide investment advisory services to or on behalf of the municipality. If this report is being distributed by a financial institution other than Credit Suisse AG, or its affiliates, that financial institution is solely responsible for distribution. Clients of that institution should contact that institution to effect a transaction in the securities mentioned in this report or require further information. This report does not constitute investment advice by Credit Suisse to the clients of the distributing financial institution, and neither Credit Suisse AG, its affiliates, and their respective officers, directors and employees accept any liability whatsoever for any direct or consequential loss arising from their use of this report or its content. Principal is not guaranteed. Commission is the commission rate or the amount agreed with a customer when setting up an account or at any time after that. Copyright © 2017 CREDIT SUISSE AG and/or its affiliates. All rights reserved. Investment principal on bonds can be eroded depending on sale price or market price. In addition, there are bonds on which investment principal can be eroded due to changes in redemption amounts. Care is required when investing in such instruments. When you purchase non-listed Japanese fixed income securities (Japanese government bonds, Japanese municipal bonds, Japanese government guaranteed bonds, Japanese corporate bonds) from CS as a seller, you will be requested to pay the purchase price only.

Cybersecurity 225