Initial Research List
Candidate Universe — 23 IT/Web Security Players
Thesis: AI-driven demand for web/IT security; oversold names from the SaaS-apocalypse drawdown.
This is the candidate universe of US-listed pure-play web/IT security companies, grouped here by read priority (tier) rather than alphabetically: start at the top and work down. Goal: narrow this list to 2–3 stand-outs by applying value-investing rigor to the candidates uniquely positioned for the AI-attack era.
> _Data pulled May 2026 via FMP. 10 of 23 names have been through the full 18-step pipeline; the rest carry triage-level verdicts only._
Tier legend
| Tier | Meaning |
|---|---|
| T1 (2) | Read first — Pipeline says potentially undervalued |
| T2 (1) | Quality compounder — Pipeline says reasonable premium |
| T3 (5) | Active watchlist — Pipeline says high-conviction required (specific triggers to watch) |
| T5 (2) | Pipeline: not actionable now — Priced for perfection or unclear setup |
| T6 (13) | Triage WATCH — Not yet deep-dived; legitimate setup, no near-term catalyst |
Candidates ranked by read priority
| Read | Ticker | Verdict | Bucket | Price | Mcap | β | P/E | EV/S | GM | Rev YoY | Drawdown | Why |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T1 · Read first — Pipeline says potentially undervalued | ||||||||||||
| 1 | CHKP | Potentially Undervalued (+110%) | Network / Firewall | $115.56 | $12.0B | 0.43 | 11.4 | 4.7x | 85.4% | 6.3% | -50.6% | Composite fair value: $215.40 → signal-adjusted: $242.89 vs current price $11… |
| 2 | QLYS | Potentially Undervalued (+108%) | Vulnerability / Risk | $94.97 | $3.3B | 0.58 | 16.8 | 4.5x | 82.8% | 10.1% | -38.9% | Composite fair value: $152.46 → signal-adjusted: $182.23 vs current price $87… |
| T2 · Quality compounder — Pipeline says reasonable premium | ||||||||||||
| 3 | CVLT | Reasonable Premium | Data Security / Backup | $103.38 | $4.5B | 0.77 | 63.0 | 3.9x | 80.3% | 18.9% | -48.5% | Commvault is priced for a successful-but-not-spectacular transition from lega… |
| T3 · Active watchlist — Pipeline says high-conviction required (specific triggers to watch) | ||||||||||||
| 4 | NTSK | High Conviction Required | Network / SASE | $11.40 | $4.6B | 2.86 | n/m | 6.8x | 68.1% | 31.7% | -59.3% | Netskope is priced for strong execution and category leadership, but NOT pric… |
| 5 | VRNS | High Conviction Required | Data Security | $28.68 | $3.4B | 0.80 | n/m | 5.6x | 79.1% | 13.2% | -55.1% | Varonis sits at the razor's edge between a successful SaaS transition story a… |
| 6 | SAIL | High Conviction Required | Identity & Access | $12.19 | $6.9B | 1.08 | n/m | 6.1x | 64.5% | 24.4% | -51.1% | SailPoint at $12 (6.4x P/S) is NOT priced for perfection, but it IS priced fo… |
| 7 | RBRK | High Conviction Required | Data Security / Backup | $61.49 | $12.4B | 0.63 | n/m | 10.0x | 80.1% | 48.5% | -40.3% | Rubrik sits in the interesting middle ground between 'reasonable growth story… |
| 8 | PANW | High Conviction Required | Network / SASE | $196.53 | $133.9B | 0.77 | 106.6 | 13.2x | 73.4% | 14.9% | -12.1% | Palo Alto Networks sits in the uncomfortable middle ground between 'Priced fo… |
| T5 · Pipeline: not actionable now — Priced for perfection or unclear setup | ||||||||||||
| 9 | RPD | Disconnected from Fundamentals | Vulnerability / Risk | $6.71 | $448M | 0.89 | 19.8 | 1.2x | 70.3% | 1.9% | -75.2% | Rapid7 presents one of the most extreme disconnects between business fundamen… |
| 10 | FTNT | Potentially Overvalued (-34%) | Network / Firewall | $107.97 | $79.9B | 0.92 | 40.8 | 11.0x | 80.8% | 14.2% | -3.9% | Composite fair value: $46.92 → signal-adjusted: $54.36 vs current price $82.3… |
| T6 · Triage WATCH — Not yet deep-dived; legitimate setup, no near-term catalyst | ||||||||||||
| 11 | ZS | Triage WATCH | Network / SASE | $152.79 | $24.6B | 0.96 | n/m | 8.4x | 76.9% | 23.3% | -54.7% | ZS operates mission-critical zero-trust security infrastructure with strong s… |
| 12 | ESTC | Triage WATCH | SIEM / Observability | $51.62 | $5.3B | 0.89 | n/m | 3.1x | 74.4% | 17.0% | -46.3% | Elastic is a leader in open-source search and observability—high-growth, stic… |
| 13 | TENB | Triage WATCH | Vulnerability / Risk | $21.54 | $2.5B | 0.88 | n/m | 2.7x | 78.1% | 11.0% | -39.6% | Tenable owns category-defining vulnerability management and cloud-native secu… |
| 14 | OKTA | Triage WATCH | Identity & Access | $80.88 | $13.7B | 0.59 | 61.0 | 4.5x | 77.4% | 11.8% | -36.6% | Okta owns a defensible identity platform used across enterprises; identity/IA… |
| 15 | CLBT | Triage WATCH | Forensics / Specialty | $13.81 | $3.4B | 1.15 | 46.9 | 7.0x | 84.2% | 18.6% | -32.5% | Cellebrite owns a quasi-monopoly position in law enforcement digital forensic… |
| 16 | S | Triage WATCH | Endpoint / EDR | $15.92 | $5.3B | 0.79 | n/m | 5.2x | 73.2% | 21.9% | -25.6% | SentinelOne's unified XDR platform (endpoint + cloud + IoT in one stack) addr… |
| 17 | CYBR | Triage WATCH | Identity & Access | $408.85 | $20.6B | 0.93 | n/m | 15.6x | 74.3% | 36.0% | -22.3% | CyberArk dominates PAM (privileged access management), a mission-critical, hi… |
| 18 | CRWD | Triage WATCH | Endpoint / EDR | $505.72 | $128.3B | 1.06 | n/m | 25.7x | 74.6% | 21.7% | -10.8% | CrowdStrike dominates endpoint protection and cloud security with sticky, hig… |
| 19 | ATEN | Triage WATCH | DDoS / Network | $27.27 | $2.0B | 1.17 | 43.8 | 7.1x | 79.3% | 11.0% | -4.6% | A10 Networks owns defensible ADC/DDoS protection IP in growing API/microservi… |
| 20 | AKAM | Triage WATCH | Edge / WAF / DDoS | $116.69 | $17.2B | 0.45 | 37.2 | 5.5x | 54.7% | 5.4% | -4.5% | Akamai is a duopolist in edge computing and content delivery with recurring S… |
| 21 | NTCT | Triage WATCH | DDoS / Network Perf | $38.29 | $2.8B | 0.61 | 28.7 | 3.3x | 79.4% | 4.5% | -2.4% | NetScout is a pure-play network visibility and service assurance platform wit… |
| 22 | BB | Triage WATCH | Endpoint (Cylance) | $6.10 | $3.6B | 1.47 | 67.3 | 6.4x | 74.1% | 4.3% | -2.2% | BlackBerry has pivoted from devices to enterprise security (Cylance AI, EDR, … |
| 23 | NET | Triage WATCH | Edge / WAF / DDoS | $257.05 | $90.8B | 1.67 | n/m | 43.2x | 74.4% | 29.8% | -1.1% | Cloudflare operates in a structural growth market (edge security, bot managem… |
How to read
- Read — your priority order. The deep-dived names (T1–T4) have full 18-step pipeline analyses on their company-detail pages — click through to read.
- Verdict — pipeline result for T1–T4 (with composite upside), triage result otherwise.
- Why / Action — first-sentence summary of the verdict detail. Full reasoning lives on the company-detail page or the per-ticker tree node.
- Bucket — where in the security stack the company sits.
- β — beta to S&P. Higher = more move per market move; flag for who gets hit hardest in drawdowns.
- GM — gross margin. SaaS-shaped businesses live above 70%; below flags hardware/services drag.
- EV/S — enterprise value / sales (TTM). The cleanest cross-vendor comparable for cyber names.
- Drawdown — % from 52-week high. More negative = closer to the SaaS-apocalypse-drag part of the thesis.
Next steps (down-selection — applied per name on the deep-dived ones)
1. Market-share trajectory — multi-year share data per bucket (vendor share, NRR, customer counts).
2. Valuation — P/S, P/E, EV/Sales relative to peer median. Filter for fair-to-affordable, not priced for perfection.
3. AI-era unique positioning — which names are leading on AI-driven defense vs. catching up. Specific products, not just slideware.
4. Nimble specialist vs. platform incumbent — does the bucket reward speed or scale? Decide per bucket.
5. Fundamentals — FCF positive (or credible <12mo path), gross margin >65%, net debt sane.
Stand-outs surfaced through these filters become per-company nodes under this tree (see sibling nodes under Initial Research List for the deep-dived names).