Palo Alto Network: The Long Thesis in Q2'25

Palo Alto Network: The Long Thesis in Q2'25
A deep dive into Palo Alto Networks' strategy and how they are positioned to evolve alongside trends reshaping the cybersecurity landscape.

Palo Alto Networks (PANW) is the world’s largest pure-play cybersecurity company with a market cap of ~$120B. PANW leverages its broad integrated product suite (Next-Gen Firewall, Cortex XSIAM, Prisma Cloud) to dominate the growing platformization trend, driving upsell, cross-sell, and stickier customer relationships.

PANW is growing faster than the broader cybersecurity market with a ~14% YoY revenue growth and 20% YoY ARR growth. Maintaining an industry-leading 77% gross margins and 28% operating margins, they are positioned for further margin expansion by cutting S&M spending while maintaining substantial R&D investments.

The success of Cortex XSIAM (AI-driven security platform) and strategic acquisitions (e.g., IBM QRadar assets) positions PANW to gain significant market share as mid-cap cybersecurity firms struggle with product fragmentation and platformization pressures.

With $3B+ in annual free cash flow and $3B net cash on the balance sheet, PANW has the firepower to pursue further acquisitions, fund innovation, and weather macro uncertainty better than its smaller, more vulnerable competitors. PANW continues to be an active player in M&A, as they have completed 21 acquisitions throughout its life cycle to maintain and grow its market share.

Competition from other cloud-native players, such as Wiz and Crowdstrike, poses a potential risk to PANW’s success. Wiz has taken the cybersecurity market by storm and put pressure on PANW’s Prisma Cloud product. While this could lead to PANW losing market share in the cloud cyberspace, PANW continues to demand market share in the Next-Generation Firewall and platformization space.

Another risk is a slowdown in IT security spending, which could modestly pressure growth in the short term. Additionally, PANW’s assortment of acquisitions drives success by acquiring the best-in-class products, but it faces risks with properly integrating all of these companies and tools.

Palo Alto Networks is the emerging cybersecurity platform leader with best-in-class retention (125% NRR), superior AI-powered products, strong financials, and a compelling valuation relative to growth. PANW is positioned to dominate and push out other players in a consolidating, hyper-growth market.

Overview:

In this teardown, we will analyze product offerings, market position, competitors, and financial outlook:

  • What Palo Alto Networks does, including product offerings and new tool development
  • An overview of competitors
  • Review 2024 financials and future growth expectations
  • Why the company is positioned to keep growing and continue gaining market share

Palo Alto Networks (PANW) was founded in 2005 and went public on the NYSE in 2012. It currently trades at a ~$120 B market cap with a price per share of ~$175. PANW’s CEO is Nikesh Arora (Google, SoftBank), and the CFO is Dipak Golechha (Procter & Gamble). PANW is the world’s largest cybersecurity pure play and operates in over 150 countries.

Products:

PANW sells and supports over 20 discrete enterprise-class cybersecurity products. The company’s first product, Next Generation Firewall, came to market in 2007. After years of innovation and expanding its product portfolio, it offers a cluster of integrated and market-leading cybersecurity products. One of their fastest-growing products is the Cortex XSIAM platform, which came to market in 2022 and is on a rapid and similar growth projection to its initial Next-Gen Firewall product. XSIAM is a unique offering that tracks and correlates data from multitudinous sensors to identify threats and proactively respond.

To provide a more complete picture of PANW offerings, below are descriptions of key product offerings:

Next-Generation Firewall:

PANW’s Next-Generation Firewall (NGFW) provides comprehensive protection against cyber threats, enabling secure application usage. The introduction of NGFW supplanted traditional firewalls, which relied on port-based filtering. It introduced deep packet inspection and, over time, machine learning and AI-driven threat intelligence to identify and control applications, users, and content in real time. Other features include intrusion prevention and malware analysis to detect and block sophisticated attacks that traditional firewalls struggle to recognize.

NGFW uses automation and cloud-based intelligence to adapt to emerging threats, ensuring organizations maintain a strong security posture across on-premises, cloud, and hybrid environments. PANW’s current top-of-the-line firewall, PA-7500, maintains a market-leading threat prevention throughput of 1.44 TPS (terabytes per second), which is the rate at which a firewall can process network traffic while still running security services like antivirus and intrusion prevention. NGFW’s 1.44 TPS capability significantly outperforms competitors like Fortinet and Cisco, with throughputs of 0.52 and 0.05 TPS.

Cortex XSIAM:

Cortex XSIAM (Extended Security Intelligence and Automation Management) is an advanced security operations platform designed to prevent and mitigate impairment during active cyberattacks by unifying disparate Security Operations Center (SOC) tools and protections into a single, AI-driven solution. This platform amalgamates AI and cybersecurity professionals to continuously monitor and respond to security threats in real-time. XSIAM revolutionizes threat detection and response by leveraging AI models to analyze and correlate security events from various data sources, presenting a comprehensive view of incidents and prioritizing risks. The platform enhances efficiency by automating security workflows and optimizing resource allocation while minimizing manual intervention. XSIAM automates threat response, significantly reducing Mean Time to Resolution (MTTR) and enabling organizations to neutralize threats in minutes rather than days.

Another key capability of XSIAM is its ability to track and proactively blacklist malicious IP addresses to automate response actions, ensuring that threats are mitigated before they can cause harm. This reflects the growing trend in cybersecurity of shifting left, which works to anticipate threats before they become an issue. The XSIAM platform provides comprehensive security coverage across both cloud and enterprise environments by ingesting data from endpoints, networks, cloud services, and third-party products to reduce the number of cybersecurity tools to manage threats on a single pane of glass.

Prisma Cloud:

Prisma Cloud is a comprehensive cloud security platform that provides visibility and threat detection across cloud environments, including AWS, Azure, and Google Cloud (GCP). It leverages APIs (Application Programming Interfaces) to integrate directly with these cloud providers. APIs are a set of rules that allow software applications to communicate with each other and collect and correlate security data across workloads, applications, and infrastructure.

By analyzing this data, Prisma Cloud identifies potential vulnerabilities, misconfigurations, and compliance risks, ranking threats based on severity and impact, enabling organizations and cybersecurity analysts to proactively address security issues by prioritizing, modifying, and enforcing compliance policies. Prisma Cloud strengthens the overall cloud security efficacy in a dynamic and scalable manner that is critical for enterprises due to the continued shift to cloud assets to enhance their business.

Other Products:

Cortex XDR (Extended Detection and Response) is a security operations center (SOC) tool that analyzes network and cloud data to detect and investigate breaches efficiently. It separates extraneous data to focus on real threats and allows security teams to define indicators of compromise for proactive defense. PAN‑OS is the operating system for Palo Alto Networks' next-generation firewalls and integrates key security technologies like App‑ID, Content‑ID, Device-ID, and User‑ID, providing complete visibility and control across an organization. PANW’s Enterprise IoT Security system applies automated policies to protect all internet-connected devices, ensuring seamless security for enterprises managing diverse IoT environments. While these products do not directly draw customers onto PANW’s platform, they are critical for organic growth, providing an opportunity to cross-sell customers.

Growth Outlook:

In the past decade, PANW effectively utilized a mix of internally developed programs, such as its AI development and effective sales & marketing, as well as astute acquisitions in existing or adjacent markets to expand its portfolio and stay ahead of competitors to remain the cybersecurity market leader. PANW’s growth and future success can be broken down into two buckets: organic growth driven by upselling customers to additional products and boosting margins, and inorganic growth from acquired product offerings.

Organic Growth:

With a 28% market share in the firewall space and 22% in cloud security, PANW leverages its extensive product portfolio to increase market penetration through cross-selling and upselling strategies. Cybersecurity is a highly fragmented sector; PANW’s large market share reflects its success and sector leadership. Successful organic growth efforts are reflected in PANW’s 125% Net Revenue Retention Rate (NRR), primarily driven by cross-selling, but also include price increases. This strong NRR demonstrates the substantial customer uptake of existing and new products. The high NRR metric also reflects PANW’s land and expand strategy, in which new customers begin with a single or small number of discrete products, then later upgrade to additional products or the complete suite of PANW solutions.

A key driver of customer conversion to the PANW platform is rapid product updates and dynamic integration of artificial intelligence into products, which reduce MTTR. Focusing on automated threat prevention is a significant driver of growth, enabling customers to anticipate new and evolving security threats while maintaining high visibility. Cortex AI technology applies machine learning models to analyze security events across endpoints, networks, and cloud environments, allowing organizations to automate threat detection and response with minimal human intervention.

Inorganic Growth:

Palo Alto Networks is an active and strategic acquirer in the security space, completing 17 acquisitions in the past decade to expand its footprint, enter new markets, and fuel growth. These 17 acquisitions totaled $5.5 billion, with a typical deal size in the $300 to $800 million range. PANW’s acquisition of IBM’s QRadar Assets in September 2024 for $500 million is a notable transaction, significantly expanding PANW’s reach as a platform solution provider. Additionally, acquiring QRadar added a large cache of customers that PANW converted to its XSIAM platform, which is a more dynamic and comprehensive solution on which it can sell add-on solutions to former IBM customers.​

Palo Alto Networks and IBM are working together to help global customers across industries seize the opportunity to seamlessly shift from QRadar to Cortex XSIAM with no-cost migration services through IBM Consulting for eligible customers. QRadar, a Security Information and Event Management (SIEM) system, provides threat prevention, investigation, and response. By incorporating QRadar's advanced analytics and threat detection capabilities into its Cortex XSIAM, PANW expanded the platform’s ability to provide comprehensive security and more accurate threat assessments while improving response times. Importantly, the acquisition also enables PANW to offer seamless migration for QRadar customers and strengthens PANW’s presence in the SIEM market. PANW’s success in identifying, analyzing, and integrating complementary technologies is likely a harbinger of additional acquisitions, including potential targets such as Trellix and SolarWinds.

Landscape Overview/Competitors:

The cybersecurity space is highly fragmented and competitive, with over 3,000 companies globally. This high fragmentation is driven by the vast number of products required for protection in the cyber landscape. Cyber products range from endpoint management to identity and access management, cloud security, and post-quantum cryptography, among others. Below is an overview of other leading cybersecurity vendors.

Crowdstrike (CRWD):

CrowdStrike’s Falcon platform is an advanced Endpoint Detection & Response (EDR) solution that detects, prevents, and eliminates threats in real time. It monitors internet activity and oversees file access to identify suspicious behavior and stop attacks before they cause damage. With a lightweight agent, Falcon simplifies security management while using AI-driven automation to respond instantly to threats. Falcon is designed for speed and efficiency in EDR and is competitive with PANW because of its speed capabilities. Crowdistike is a public pure-play cybersecurity company with a market cap of $80B and follows a similar growth trajectory to Palo Alto Networks.

Wiz:

Wiz, based in Israel, is a cloud security provider specializing in Cloud Native Application Protection Platform (CNAPP) solutions that integrate CSPM, CWP, and runtime threat detection. Its products compete with PANW’s Prisma Cloud offerings, relying on its agentless technology that enables rapid deployment and real-time visibility. Wiz also focuses on ease of use, which helps organizations lacking internal cybersecurity professionals to identify vulnerabilities and compliance risks without disrupting operations. Wiz’s platform includes CNAPP for cloud security, Wiz Code for software development security, and Wiz Defend for real-time threat detection. Wizz’s agentless CNAPP platform, which does not require users to download anything, boosts their gross margins and makes them popular among SMB and Enterprise customers.

With a SaaS model, Wiz scales across businesses of all sizes, SMB, and a subset of the Enterprise market, offering fast deployment, seamless integrations, and a user-friendly interface compared to vendors of comprehensive enterprise solutions like PANW and CRWD. Wiz has grown rapidly, due to its ease of use and cloud-focused software; however, it could face potential market pressure as IT cost-cutting is limiting the number of products being used by different providers. Wiz rejected Google’s $23 billion acquisition offer in June 2024, but was acquired less than a year later for $32 billion by Google. Wiz aims to grow ARR from $700M to $1B and is one of the fastest-growing cybersecurity firms.

Wiz and Palo Alto Networks Prisma Cloud each offer unique strengths. Prisma Cloud integrates well into broader enterprise security operations (SOC teams, SIEM tools like Cortex XSIAM, and existing Palo Alto Networks NGFWs), making it easier for large companies to manage security in hybrid cloud environments. Contrasty, Wiz is agentless, so companies can deploy it across their cloud environments in minutes without installing anything on workloads, which is faster than Prisma Cloud (which often uses a mix of agents and APIs). Wiz is praised for its clean, user-friendly interface that makes it easy for security teams to quickly identify and prioritize real threats without getting overwhelmed by false positives. One G2 reviewer said, “Wiz was quick and easy to set up. There was a quick realization of value.” Wiz has challenged Palo Alto Networks’ share in cloud security, but PANW remains strong, retaining most of its position while continuing to outperform rivals in other cybersecurity areas. Many customers stick with PANW for its broad product suite and integrated, end-to-end security approach. I will dive deeper into Wiz’s strategy in my next article.

Fortinet (FTNT):

Fortinet specializes in network security, offering a comprehensive range of solutions, including firewalls, endpoint security, and intrusion detection systems. Its flagship product, FortiGate Next-Generation Firewall, is a top choice for organizations seeking cost-effective, high-performance security. PANW and FTNT are direct competitors in the firewall space; however, FTNT focuses on SMBs while PANW focuses on enterprise customers.

Additionally, Fortinet’s FortiGuard Labs monitors the global attack surface and leverages AI-powered threat intelligence to identify and respond to new threats, ensuring organizations stay ahead of cyber risks. Their offerings, including next-generation firewalls, secure web gateways, and secure SD-WAN, provide end-to-end protection with advanced threat detection, response capabilities, and robust multi-cloud support, setting them apart from competitors. Fortinet is focusing on its ability to profit from the platformization trend; however, due to its SMB-oriented customer base, it is at increased risk of the volatility of IT spending in the SMB market.​

Zscaler (ZS):

Zscaler specializes in cloud-based network security, primarily protecting cloud workloads by controlling access. Its Zscaler Cloud Security Platform utilizes Zscaler Secure Access Service Edge (SASE), offering a single pane of glass visibility and control across its key services, Zscaler Private Access and Zscaler Internet Access. The platform follows a zero-trust approach and its inline security cloud is popular amongst cybersecurity customers. Their Zero Trust Exchange eliminates the need for point products, reducing complexity and business risk.

Zscaler’s AI-powered threat protection is fueled by an immense amount of data, processing 500 trillion daily signals and 320 billion transactions. By consolidating security tools into one integrated cloud platform, Zscaler provides efficient, scalable, and comprehensive protection across modern enterprise networks. PANW and ZS directly compete in the network security and cloud space; however, they offer different products in these niches.

Hyperscalers:

Palo Alto Networks also faces pressure from hyperscalers, including Amazon, Microsoft, and Google. These players all compete in cybersecurity; however, it is not their primary business function. Customers often choose PANW over Google, Amazon (AWS), and Microsoft (Azure) for cybersecurity because PANW is a dedicated, best-in-class security company, while the cloud providers are general-purpose platforms with security as one of many offerings. AWS offers a broad suite of native security tools, designed primarily to protect assets within the AWS cloud. Azure’s security services are deeply integrated with Microsoft’s ecosystem (Office 365, Defender, and Entra ID). Google emphasizes a zero-trust architecture and offers security tools with strong threat detection and analytics capabilities. These hyperscalers’ security tools primarily focus on securing their own cloud environments, limiting their total product offerings compared to Palo Alto Networks.

Financial Review:

Revenue & ARR:

Palo Alto Networks generated ~$8.5B in 2024 revenue, including an ARR of ~$5B. Total revenue growth was 14% y/y, while ARR grew ~20% y/y. PANW added roughly $150M of ARR per quarter throughout 2024. Despite being an established and multi-billion-dollar company, PANW’s growth rate tracks above industry growth of ~12%, indicating modest market share expansion.

Gross Margin & Operating Margin:

PANW generated 77% gross and 28% operating margin (non-GAAP) in Q2F25, both impressive metrics given the company’s continued focus on expanding both product offerings and market share. PANW's margins are comparable to those of its closest competitor in revenue, CRWD, despite CRWD offering primarily cloud-based solutions compared to PANW’s sizable on-premise offerings. With this shift to AI as well as the cloud, Palo Alto Networks’ margins will expand as it does not rely as much on SOC teams and MDR.

PANW’s 2024 R&D expense of 24% has remained constant, and I don’t expect this number to shift substantially in the coming years. Palo Alto Networks' sales and marketing (S&M) spending of 34% is a key focus as the company aligns with market trends by gradually reducing these expenses. CEO Nikesh Arora has emphasized that near-term growth and success will come from margin expansion, indicating a continued decline in S&M spending. While no specific target has been announced, I expect S&M spending to decrease to around 27% in the coming years, reflecting a temporary dip in IT spending before rebounding in line with broader consumer spending trends. This margin expansion will drive net income, leading to a higher net income growth rate in the coming years.

Net Revenue Retention:

Palo Alto Networks’ impressive 125% Net Revenue Retention (NRR) rate is one of the highest in the cybersecurity space, reflecting notable success in renewing and expanding its product footprint among current customers. As the Cybersecurity market matures, enterprise and SMB customers may consolidate solutions among a smaller number of vendors for lower cost and ease of management, which often rewards established segment leaders like PANW.​

Free Cashflow:

With annual FCF in excess of $3B and net cash of $3B on the balance sheet, Palo Alto Networks possesses a war chest of cash to freely pursue any target in current or adjacent security segments. With 17 acquisitions in the past decade and dynamic technology trends in the sector, we expect PANW to continue its opportunistic strategy of adding both tuck-in and market-expanding acquisitions.

Why PANW Is Positioned To Succeed:

Before diving into why I am bullish on Palo Alto Networks, it is important to first address some key risks. The cybersecurity market is highly competitive, and while PANW has performed well so far, it faces growing pressure from emerging players like Wiz. As mentioned earlier, Wiz has gained momentum through its top-of-the-line cloud cybersecurity tool. Their partnership with Google and significant capital backing could further allow them to capture market share from PANW. If Wiz successfully converts PANW’s customers to its platform, it could limit PANW’s ability to cross-sell its broad product portfolio, negatively impacting overall growth.

Additionally, broader macroeconomic risks — including the potential for a recession and rising geopolitical tensions — could affect the entire market. Economic uncertainty often correlates with an increase in cyber threats, making cybersecurity solutions even more critical. While cybersecurity tends to remain a priority even during downturns, as companies are less likely to cut spending in this area, this still poses a risk to PANW. Lastly, the growing threats of quantum computing pose an increasing threat to the broader cyber landscape. Significant losses will occur if companies, including PANW, do not adapt and prepare against the increasing threat of quantum hacking. In a bear case, if PANW loses market share to competitors like Wiz and struggles to evolve in the ever-changing market, its stock price would likely suffer.

While cross-selling and upselling contribute to Palo Alto Networks' success, its Cortex XSIAM platform will be a key growth driver in the near term. 25% of Palo Alto Networks' customers use five or more of its products, highlighting the company’s success in cross-selling and the significant opportunity to expand product adoption across its customer base further. As I have emphasized throughout this article, platformization is significantly altering the cybersecurity landscape, and I believe that Palo Alto Networks is well-positioned to capture market share. The question is no longer whether platformization will dominate, but rather which platform will become the industry standard in the coming years.

Given Palo Alto Networks' strong customer retention (NRR), robust product offerings, revenue growth, and deep penetration in large enterprises, I believe it will emerge as the preferred platform for enterprises. While cost-cutting may seem counterintuitive for cybersecurity, it actually benefits large and small players as customers consolidate with large players and small companies become ideal targets for large-cap companies looking to fill the gaps in their product offerings. On the other hand, mid-cap cybersecurity companies are being pushed out, putting a strain on cyber investors because, with limited product portfolios and high market caps, they will struggle to align with platformization and are less attractive targets for acquirers. With PANW’s growing cash reserves and established customer base, the company is well-positioned to pursue strategic acquisitions and capitalize on greenfield opportunities, driving long-term growth and solidifying its industry leadership.

Palo Alto Network is well-positioned for continued growth, and see them as a deep-value investment. With equity research analysts setting a price target of $210 per share, the market is currently undervaluing the success of their platform. I am always interested in investing in dominant companies in hyper-growth markets and believe Palo Alto Networks is well-positioned.


Thank you for reading!

Views expressed in these emails are ours and ours alone and don’t represent those of our previous or current employers. Public Comps provides financial and industry information regarding public software companies as part of our weekly dashboard, our blog, and emails. Such information is for general informational purposes only and should not be construed as investment advice or other professional advice.