Editing Darktrace

[[File:Darktrace logo.jpg|thumb]]

'''Path to sustainable profitable growth unclear; initiate with UW'''

== Summary ==
Darktrace is a provider of AI-led cybersecurity solutions. Today, Darktrace leads the Network Detection and Response market and has seen good early success with its email product; however, against the backdrop of '''1)''' high competition and potential commoditization of security solutions addressing similar use-cases and '''2)''' relatively low platform lock-in and customer stickiness, JP Morgan expects customer acquisition and retention to become more challenging for Darktrace going forward. With ARR growth tied to new customer acquisition, JP Morgan believes that higher customer acquisition and retention costs are likely to challenge the company’s ability to deliver profitable growth. Accordingly, JP Morgan initiates coverage with an Underweight rating and Dec-23 price target of 400p.

* Darktrace’s addressable markets are characterized by low barriers to entry and high competition. With relatively low barriers to entry and increased competition, JP Morgan sees a risk of commoditization of solutions targeting the use-cases addressed by Darktrace. A growing list of vendors that seek to combine different point security solution offerings into an eXtended Detection and Response (XDR) fabric will only increase the competitive intensity for Darktrace, whose offerings are a complement (rather than a replacement) for other point security tools. In addition, there is risk from public cloud vendors such as Microsoft, Google and Amazon making a big push in the areas of cloud traffic and email security.
* Shifting the focus to profitability. High competition and low customer stickiness will likely translate to higher customer acquisition costs and prompt Darktrace to increase investments in existing and new product development – both of which will limit margin leverage going forward, in JP Morgan's view. JP Morgan expects the sum of revenue growth and FCF margin (‘Rule of 40’) to dip and remain below 40% over the next couple of years. Eventually, this is likely to reflect in Darktrace’s valuation compared to other cybersecurity peers that consistently beat this 40% benchmark. With ARR growth tied to new customer acquisition, JP Morgan believes that higher customer acquisition costs and lower customer retention are likely to challenge the company’s ability to deliver profitable growth. JP Morgan's adj. EBITDA estimates are 22%/4% below consensus for FY23/24, respectively.
* Initiating at UW. JP Morgan initiates coverage on Darktrace with an Underweight rating and Dec-23 price target of 400p (~10% downside vs. current spot). JP Morgan's price target is based on 5.5x ’23E EV/sales (calendarized), ~35% discount to the peer group median (comprising a targeted list of product-led threat detection and response and cyber exposure management/user behavior analytics vendors).

== Executive Summary‌ ==
Founded in Cambridge (UK) in 2013, Darktrace is a provider of AI-led threat detection and response security solutions covering on-premises network, cloud, SaaS, email, endpoints and OT (Operational Technology) environments. Further, Darktrace will roll out solutions tackling preventative security and remediation post attacks as part of its continuous AI security loop. According to Darktrace, its cyber AI platform does not rely on a historical signatures-based detection / rules-based response playbook; instead, its technology aims to learn the ‘patterns of life’ for an enterprise, creating a constantly evolving baseline for ‘normal’ behavior, and detects and responds to deviations from the normal.

Darktrace competes in market segments characterized by relatively low barriers to entry and high competition. Today, Darktrace leads the Network Detection and Response (NDR) market and has seen good early success with its email product; however, against the backdrop of '''1)''' high competition and potential commoditization of security solutions addressing similar use-cases, '''2)''' relatively low platform lock-in and '''3)''' growing enterprise awareness of competing vendors, JP Morgan expects customer acquisition and retention to become more challenging for Darktrace, going forward. With ARR (annualized recurring revenue) growth tied to new customer acquisition, JP Morgan believes that higher customer acquisition and retention costs are likely to challenge the company’s ability to deliver profitable growth. This will reflect in Darktrace’s valuation compared to its peer group, in JP Morgan's view. '''Accordingly, JP Morgan initiates coverage on Darktrace with an Underweight rating and Dec-23 price target of 400p (~10% downside vs. current spot).''' JP Morgan's price target is based on 5.5x ’23E EV/sales (calendarized), ~35% discount to the peer group (comprising a targeted list of product-led threat detection and response and cyber exposure management/user behavior analytics vendors).

=== Shifting the focus to profitability ===
Darktrace has delivered ‘beat and raise’ results in its short reporting history since IPO in Apr-21. In the near term, JP Morgan expects demand for AI-led detection and response solutions to remain high – this coupled with Darktrace’s brand awareness (a function of its high marketing spend), investment in additional salesforce hiring and the roll- out of the new ‘Prevent’ product offering should translate to healthy new customer acquisition and thus ARR growth, in JP Morgan's view. That said, unless the quality and stickiness of the customer base acquired is high, focus on new customer acquisition will not translate to sustainable profitable growth, in JP Morgan's view, even though the company may deliver healthy growth in the near term. JP Morgan also notes the overhang from pre IPO shareholders who may dispose of shares, with the next lock-up expiry on 25th April, as per Bloomberg.

In JP Morgan's view, Darktrace needs to demonstrate a decoupling between ARR growth and new customer acquisition & investment in sales headcount – this will be a function of a sustained increase in average contract ARR per new customer and continued improvement in net ARR retention rate (a function of lower churn and higher upsell/cross-sell). Sustained improvement in these metrics would allow the market to be more convinced of the company’s competitive positioning and moat.

JP Morgan's estimates for 2022/23/24 revenue stand 1%/2%/5% higher than Bloomberg consensus estimates; JP Morgan expects the company to deliver adjusted EBITDA margin at the high end of its guidance range in 2022; however, JP Morgan's estimates for 2023/24 adjusted EBITDA stand 22%/4% below consensus estimates.

{| class="wikitable"
|+Table 1: Darktrace Revenue and adjusted EBITDA: FY22-24E - JPMe vs. consensus<ref>Source: J.P. Morgan estimates, Bloomberg Finance L.P.</ref>
!FY ends in Jun
! colspan="3" |FY22
! colspan="3" |FY23
! colspan="3" |FY24
|-
!$ (m)
!JPMe
!Cons.
!Diff. (%)
!JPMe
!Cons.
!Diff. (%)
!JPMe
!Cons.
!Diff. (%)
|-
|Revenue
|415.5
|409.6
|1.4%
|548.1
|536.5
|2.2%
|701.5
|670.2
|4.7%
|-
|Adj. EBITDA
|49.2
|48.6
|1.3%
|47.2
|60.4
|<nowiki>-21.9%</nowiki>
|81.0
|84.6
|<nowiki>-4.3%</nowiki>
|-
|margin (%)
|11.8%
|11.9%
|<nowiki>-2bps</nowiki>
|8.6%
|11.3%
|<nowiki>-265bps</nowiki>
|11.5%
|12.6%
|<nowiki>-108bps</nowiki>
|}

=== Market for AI-led threat detection and response security solutions marked by low barriers to entry and high competition ===
Today, Darktrace leads the Network Detection and Response (NDR) market and has seen good early success with its email product. However, with relatively low barriers to entry and increased competition, JP Morgan sees a risk of commoditization of solutions targeting the use-cases addressed by Darktrace. A growing list of vendors that seek to combine different point security solution offerings into an eXtended Detection and Response (XDR) fabric will only increase the competitive intensity for vendors such as Darktrace, whose offerings are a complement (rather than a replacement) for other point security tools such as Endpoint Detection and Response (EDR), in JP Morgan's view. In addition, JP Morgan believes that there is a real competitive threat from public cloud vendors such as Microsoft, Amazon and Google making a big push into proactive threat detection and response solutions for cloud traffic and email as enterprise workloads transition to the cloud.

=== ARR growth tied to new customer acquisition ===
A significant portion of Darktrace’s total addressable market opportunity depends on the company’s ability to grow its ARR independent of new customer acquisition. However, despite reporting higher platform adoption stats in the last couple of years, the company has not reported any meaningful uptick in average contract ARR (Dec- 21 level approx. flat vs. Jun-19). This is partly explained by Darktrace’s focus on acquiring new customers, SMB/mid-market skew in customer base and impact from new product launches. It remains to be seen whether Darktrace can decouple ARR growth from new customer acquisition, which will only get tougher with high competition and growing enterprise awareness of competing vendors. Unless the quality and stickiness of the customer base acquired is high, focus on new customer acquisition will not translate to sustainable profitable growth, in JP Morgan's view, even though the company may deliver healthy growth in the near term.

=== Risks to profitability ===
With low barriers to entry and high competition in the markets Darktrace operates in, JP Morgan believes that customer acquisition and retention will get tougher going forward. This may lead to higher customer acquisition costs and prompt Darktrace to increase investments in existing and new product development. While Darktrace may report healthy near-term growth, the eventual success of the company will be determined based on how the company balances growth and profitability. Assessing this development through the lens of ‘Rule of 40’ (revenue growth + FCF margin) is a good indicator of the progress the company is making to sustain profitable growth. JP Morgan expects the sum of revenue growth and FCF margin to dip and remain below 40% over the next couple of years. Eventually, this is likely to reflect in Darktrace’s valuation compared to other cybersecurity peers that consistently beat this 40% benchmark, in JP Morgan's view.

=== Risks to JP Morgan's view‌ ===

* Competition risks may take time to play out: While JP Morgan  believes that the market for AI-led threat detection and response solutions remains highly competitive, Darktrace’s brand awareness (supported by high marketing spend) may continue to support new customer acquisition without incurring higher costs. XDR vendor solutions may take time to mature; in addition, enterprises may likely be wary of getting locked-in to any particular XDR vendor’s ecosystem, potentially diluting the competitive threat from XDR vendors. Mid-term competitive threat from public cloud vendors may not materialize within a reasonable timeframe.
* Broader platform adoption across larger enterprise customers: Darktrace’s customer base is skewed towards SMB/mid-market enterprises (~85% of customers generate sub-$100k ARR); however, growing adoption in larger enterprises and the subsequent shift in customer mix, may drive higher average contract ARR per customer and lower gross ARR churn – factors that may help the company scale up profitability over the coming years.
* A '''sustained decoupling between ARR growth and new customer acquisition'''  / investment in new sales headcount might prompt us to revisit JP Morgan's UW thesis, as this would put the company on path towards sustainable profitable growth.
* Regulatory/compliance laws (or cyber insurance requirements) mandating the use of AI-led threat detection and response solutions could boost demand for Darktrace’s offering, potentially lowering new customer acquisition costs.
* M&A: Darktrace may appear a candidate for acquisition by larger cybersecurity vendors looking to acquire AI-driven detection and response solutions. This expectation may offer downside support to Darktrace’s share price, in JP Morgan's view.
* Near-term support from healthy ‘beat and raise’ results: JP Morgan's concerns on profitable growth may not play out over the next few quarters, which may result in the company delivering consistent strong performance in the near-term.

=== Summary of key financials ===
{| class="wikitable"
|+Table 2: Darktrace: Summary of key financial items<ref>Source: Company data, J.P. Morgan estimates; *includes share-based comp and associated employer tax charges.</ref>
|$ (m), FY ends in Jun
|2018
|2019
|2020
|2021
|2022E
|2023E
|2024E
|-
|Revenue
|79.4
|137.0
|199.1
|281.3
|415.5
|548.1
|701.5
|-
|YoY
|
|72.5%
|45.3%
|41.3%
|47.7%
|31.9%
|28.0%
|-
|Gross profit
|71.2
|124.8
|181.6
|252.9
|369.7
|483.5
|613.9
|-
|as % of revenue
|89.6%
|91.1%
|91.2%
|89.9%
|89.0%
|88.2%
|87.5%
|-
|Key opex items as % of revenue*
|
|
|
|
|
|
|
|-
|Sales & marketing
|114.7%
|95.3%
|81.9%
|67.2%
|63.2%
|63.8%
|62.0%
|-
|R&D
|9.5%
|7.1%
|6.0%
|10.2%
|10.5%
|12.9%
|13.4%
|-
|G&A
|15.8%
|14.8%
|13.5%
|20.1%
|23.2%
|22.8%
|21.0%
|-
|Operating profit
|(40.6)
|(36.2)
|(24.9)
|(38.5)
|(32.5)
|(62.4)
|(62.1)
|-
|as % of revenue
|<nowiki>-51.1%</nowiki>
|<nowiki>-26.4%</nowiki>
|<nowiki>-12.5%</nowiki>
|<nowiki>-13.7%</nowiki>
|<nowiki>-7.8%</nowiki>
|<nowiki>-11.4%</nowiki>
|<nowiki>-8.9%</nowiki>
|-
|Adjusted EBIT
|(37.3)
|(28.9)
|(14.6)
|0.1
|11.5
|(4.2)
|12.1
|-
|as % of revenue
|<nowiki>-47.0%</nowiki>
|<nowiki>-21.1%</nowiki>
|<nowiki>-7.3%</nowiki>
|0.0%
|2.8%
|<nowiki>-0.8%</nowiki>
|1.7%
|-
|Adjusted EBITDA
|(27.0)
|(11.3)
|8.9
|29.7
|49.2
|47.2
|81.0
|-
|as % of revenue
|<nowiki>-34.0%</nowiki>
|<nowiki>-8.2%</nowiki>
|4.5%
|10.6%
|11.8%
|8.6%
|11.5%
|-
|Net cash
|12.0
|33.1
|18.4
|307.1
|328.0
|348.6
|388.3
|-
|FCF
|(35.1)
|(9.0)
|(3.8)
|34.6
|44.8
|33.1
|52.3
|-
|LTM FCF as % of LTM revenue
|<nowiki>-44.2%</nowiki>
|<nowiki>-6.5%</nowiki>
|<nowiki>-1.9%</nowiki>
|12.3%
|10.8%
|6.0%
|7.5%
|-
|LTM revenue growth + FCF margin (%)
|
|66.0%
|43.4%
|53.6%
|58.4%
|38.0%
|35.4%
|}

== Valuation‌ ==
JP Morgan initiates coverage on Darktrace with an Underweight rating and Dec-23 price target of 400p. JP Morgan's price target is based on 5.5x ’23E EV/sales (calendarized), ~35% discount to the peer group median (comprising a targeted list of product-led threat detection and response and cyber exposure management/user behavior analytics vendors). Darktrace is likely to report healthy near-term momentum – a function of strong demand for AI-led threat detection and response solutions, brand awareness (driven by its high marketing spend), investments in adding salesforce capacity and roll-out of the new ‘Prevent’ product suite. However, the stickiness of Darktrace’s customer base may be challenged by commoditization of offerings targeting similar security use-cases, low switching costs and as enterprise awareness of competing vendor offerings increases. This could eventually translate to higher customer churn, in JP Morgan's view. With ARR growth tied to new customer acquisition, JP Morgan believes that higher customer acquisition costs and lower customer retention are likely to challenge the company’s ability to deliver profitable growth. This is likely to reflect in Darktrace’s valuation compared to its peer group, in JP Morgan's view.

Rather than looking at a blanket list of all listed cybersecurity companies, JP Morgan includes a targeted list of product-led detection and response, threat/user-behavior analytics and cyber exposure/vulnerability management vendors as part of Darktrace’s peer group. JP Morgan excludes from JP Morgan's peer group services-led companies such as Mandiant and SecureWorks, network equipment companies such as Arista and Cisco and managed security service providers (see Table 3 for details).

JP Morgan takes the following points into consideration while benchmarking Darktrace’s multiple vs. its peer group:

* Darktrace currently leads the network detection and response (NDR) market; however, this segment is characterized by relatively low barriers to entry and high competition. Providers of network security, Endpoint Detection and Response (EDR) and SIEM/SOAR systems are entering the NDR market, as part of their eXtended Detection and Response (XDR) strategy – this will further increase the competitive intensity for Darktrace, in JP Morgan's view (note that Darktrace does not have a strong standalone EDR, SIEM or network security offering and works as a complement to these point security tools). In addition, there is potential risk from public cloud vendors such as Microsoft, Google and Amazon making a big push in the areas of cloud traffic monitoring and email security, in JP Morgan's view. Darktrace has seen good early success with its products, but with growing enterprise awareness of different vendors addressing similar use-cases and low customer stickiness, JP Morgan believes that customer acquisition and retention is likely to get tougher for Darktrace, going forward.

* A significant portion of Darktrace’s total addressable market opportunity depends on the company’s ability to grow its ARR independent of new customer acquisition. Despite reporting higher platform adoption stats in the last couple of years, the company has not reported any meaningful uptick in average contract ARR (Dec-21 level approx. flat vs. Jun-19). This is partly explained by Darktrace’s focus on acquiring new customers, SMB/mid-market skew in customer base (and relatively higher churn as a result) and impact from new product launches. It remains to be seen whether Darktrace can decouple ARR growth from new customer acquisition, which will only get tougher with high competition and growing enterprise awareness of competing vendors. For sustainable profitable growth longer term, high customer retention will be key, in JP Morgan's view.

* Early success in the AI-driven threat detection and response market and investment in marketing has helped Darktrace scale rapidly, delivering above- average growth (52% 2018-21 revenue CAGR); however, the eventual success will be determined based on how the company balances growth and profitability. Assessing this development through the lens of ‘Rule of 40’ (revenue growth + FCF margin) is a good indicator of the progress the company is making to sustain profitable growth. JP Morgan expects the sum of revenue growth and FCF margin to dip and remain below 40% over the next couple of years. Eventually, this is likely to reflect in Darktrace’s valuation compared to other cybersecurity peers that consistently beat this 40% benchmark.

Darktrace made its market debut in Apr-21 at 9x 1-yr forward EV/sales (calendarized). The stock has de-rated since then and currently trades at 6x ’23E EV/sales (calendarized) compared to the peer group median at 9x. JP Morgan believes the multiple de-rating reflects increased awareness of the highly competitive nature of the market Darktrace operates in. In the near term, JP Morgan expects demand for AI-led detection and response solutions to remain high – this coupled with Darktrace’s brand awareness (a function of its high marketing spend), investment in additional salesforce hiring and the roll-out of the new ‘Prevent’ product offering will likely translate to healthy new customer acquisition and thus ARR growth. However, the stickiness of Darktrace’s customer base is likely to be challenged by commoditization of offerings targeting similar security use-cases and as enterprise awareness of competing vendor offerings increases. This could eventually translate to higher customer churn, in JP Morgan's view. With ARR growth tied to new customer acquisition, JP Morgan believes that higher customer acquisition costs and lower customer retention are likely to challenge the company’s ability to deliver profitable growth. This will likely reflect in Darktrace’s valuation compared to its peer group.

JP Morgan acknowledges that this may take some time to play out, especially in the current environment, where demand for proactive security solutions is likely to remain high. JP Morgan does not see Darktrace’s discount to its peer group narrowing unless the company is able to demonstrate a sustained decoupling between ARR growth and new customer acquisition (which will be a function of a sustained increase in average contract ARR per customer, lower churn and continued improvement in net ARR retention rate).

Accordingly, JP Morgan initiates coverage on the stock with an Underweight rating and set JP Morgan's Dec-23 price target at 400p, based on 5.5x ’23E EV/sales (calendarized), ~35% discount to its peer group median (vs. YTD average of ~25% discount). JP Morgan's choice of a higher discount vs. peer median reflects JP Morgan's view of increased competition and limited visibility on the path to achieve sustained profitable growth. On a relative basis, JP Morgan believes that there are better opportunities elsewhere to play the proactive cybersecurity theme – such as CrowdStrike (leading disruptor in endpoint security), CyberArk (Privileged Access Management leader), Tenable (leader in vulnerability management) and Varonis (user and entity behaviour analytics).


'''Figure 1: 1-yr forward EV/sales (calendarized): Darktrace vs. peer group median: 2017-present<ref name=":1">Source: Bloomberg Finance L.P.</ref>'''



'''Figure 2: 1-yr forward EV/sales (calendarized): Darktrace vs. peer group median: Jul-21-present<ref name=":1" />'''

{| class="wikitable"
|+Table 3: Darktrace: Peer valuation comparison<ref>Source: Bloomberg Finance L.P., J.P. Morgan; calendarized data presented; priced intraday as of 4th April.</ref>
!
!Price
!Mkt. cap.
!EV
!EV/sales
!
! colspan="2" |FCF margin (%)
! colspan="3" |Revenue growth (%) Rule of 40*
|-
!
!LC
!$, m
!$, m
!2022E
!2023E
!2022E
!2023E
!2022E
! colspan="2" |2023E
|-
|Darktrace
|451.0
|4,133.6
|3,805.1
|7.9
|6.1
|11%
|13%
|38%
|30%
|43%
|-
|Check Point Software
|140.9
|18,716.3
|14,932.9
|6.5
|6.2
|51%
|51%
|6%
|5%
|56%
|-
|CrowdStrike
|228.3
|52,675.1
|51,465.0
|24.6
|18.1
|29%
|31%
|50%
|36%
|67%
|-
|Fortinet
|344.7
|55,437.9
|53,958.1
|12.6
|10.4
|35%
|38%
|28%
|20%
|58%
|-
|Palo Alto Networks
|625.9
|61,645.5
|62,261.5
|10.5
|8.6
|34%
|35%
|25%
|22%
|57%
|-
|Qualys
|144.3
|5,631.4
|5,274.6
|10.9
|9.3
|36%
|34%
|18%
|17%
|51%
|-
|Rapid7
|114.2
|6,631.4
|7,320.5
|10.7
|8.7
|6%
|10%
|28%
|22%
|32%
|-
|SentinelOne
|41.3
|11,018.1
|9,377.5
|26.4
|16.2
|<nowiki>-42%</nowiki>
|<nowiki>-6%</nowiki>
|82%
|62%
|57%
|-
|Splunk
|147.2
|23,660.7
|25,353.0
|7.9
|6.4
|11%
|14%
|23%
|23%
|37%
|-
|Tenable
|59.8
|6,566.0
|6,475.8
|9.7
|8.1
|15%
|17%
|23%
|20%
|37%
|-
|Varonis
|49.4
|5,306.9
|4,803.6
|9.8
|8.1
|3%
|6%
|25%
|22%
|28%
|-
|Median
|
|
|
|10.6
|8.7
|22%
|24%
|25%
|22%
|54%
|}
{| class="wikitable"
|+Table 4: Darktrace: Fair value per share (GBp) - sensitivity to discount vs. peer group median<ref>Source: J.P. Morgan.</ref>
|Discount to peer median (%)
|0%
|5%
|10%
|15%
|20%
|25%
|30%
|35%
|40%
|-
|Fair value per share (GBp)
|605
|576
|548
|519
|490
|462
|433
|404
|375
|}
'''Figure 3: Valuation comparison: Darktrace vs. peer group: 2023 revenue growth + FCF margin vs. 2023 EV/sales (calendarized)'''<ref>Source: Bloomberg Finance L.P.; priced intraday as of 4th April.</ref>


== Company Overview‌ ==
Darktrace is a provider of proactive, AI-led threat detection and response security solutions covering on-premises network, cloud, SaaS, email, endpoints and Industrial IoT/OT environments. Darktrace’s threat detection and response approach assumes that cyber threats will succeed in breaching the organization (unlike perimeter defence technologies that seek to prevent threats from entering the organization’s digital estate) and detects and responds to these threats from within the enterprise.

Darktrace does not rely on historical signatures-based detection / rules-based response playbook; instead, its technology aims to learn the ‘patterns of life’ for an enterprise (using unsupervised machine learning), creating a constantly evolving baseline for ‘normal’ behavior, and detects & responds to deviations from the normal. By learning the organization’s ‘self’, Darktrace’s approach promises to weed out subtle, previously unseen patterns and emerging threats that would otherwise go unnoticed. Darktrace was founded in Cambridge, UK, in 2013. Today, Darktrace serves >6.5k customers (across all industries, from providers of critical public services such as healthcare and energy through to banks, retailers and manufacturers) in over 110 countries and has more than 1.7k employees globally.

=== Product overview‌ ===
Darktrace’s cyber AI platform provides coverage across an enterprise’s network (on- premises, cloud and SaaS), email and endpoints. Further, Darktrace will roll out solutions tackling preventative security and remediation/healing post attacks as part of its continuous AI security loop. Given its breadth of offerings and platform approach, Darktrace does not fit neatly into any particular cybersecurity sub- segment. The use-cases targeted by Darktrace’s product overlap with NDR (Network Detection and Response), XDR (eXtended Detection and Response), EDR (Endpoint Detection and Response) and SIEM (Security Incident and Event Management) solutions.

Darktrace’s self-learning technology underpins its Cyber AI platform which includes the following core product families:

* Immune System (Detection): This product forms the basis of Darktrace’s “detection” offering. Darktrace offers two variations of the Immune System – the Enterprise Immune System and the Industrial Immune System (for OT environments). The Immune System learns from the organization’s data (from across cloud, SaaS, networks, client devices, industrial/IoT and email) to form a bespoke and constantly evolving understanding of a business’s digital environment. Darktrace creates this bespoke model of normal behavior for an organization by monitoring and analyzing network traffic across the organization’s digital estate. To monitor and analyze on-premises network traffic, Darktrace will deploy a physical device (appliance) that ingests real-time network traffic via a SPAN port or network tap. Darktrace’s vSensors (and OS-sensors) provide visibility into traffic between virtual machines in cloud deployments (these virtual sensors in turn feed network traffic data to a master appliance, either located on-premises or cloud-hosted, to create a holistic picture of an organization’s activity). Similarly, for endpoints, Darktrace’s cSensors provide visibility into and map the behavior of endpoints that are off the VPN. Darktrace Immune System integrates with other security tools via an open and extensible architecture, enabling ingestion of new forms of telemetry from other security tools (such as firewalls and EDRs).
* Antigena (Response): The Antigena product family forms the basis of Darktrace’s autonomous response capabilities. The Antigena product works in two modes, i.e. the autonomous mode and the human confirmation mode. In autonomous mode, Antigena automatically takes action against a flagged attack to enforce normal business operations (e.g. by interrupting connections via TCP resets and integrations with other point security solutions such as network access control, firewalls or EDR tools); in the human confirmation mode, the customer must decide manually how to respond to the flagged attack. Beyond the enterprise network (Antigena for Network), Darktrace’s offerings also include coverage for email (Antigena Email) and endpoints (Antigena for Endpoint).
* Cyber AI analyst (Investigation): This product offering is aimed at augmenting the capabilities of cybersecurity analyst teams by automating threat investigation at machine speed. Cyber AI analyst automatically triages, interprets and reports on security incidents. Darktrace claims that Cyber AI analyst reduces triage time by up to 92%. Cyber AI analyst can also be integrated with tools across an enterprise’s security stack, allowing investigations to be triggered based on telemetry data from security tools such as CrowdStrike or Carbon Black. The incident reports generated by Cyber AI analyst can be exported to an SIEM, SOAR or ticketing system.
* ‘Prevent’ and ‘Heal’ product families to round out the continuous AI security loop: In addition to the detection, response and investigation capabilities offered through the above product families, Darktrace is trialing (with early adopters) proactive security technology via its ‘Prevent’ product family. The idea underpinning the Prevent product suite is to identify and strengthen vulnerable attack pathways (which lead to key assets). The company plans to roll out its Prevent product suite more broadly to customers by mid-CY22. Darktrace announced the acquisition (first since inception) of Cybersprint, an attack surface management company that brings an ‘outside-in’ view of an organization’s security posture (complementing Darktrace’s ‘inside-out’ view of the organization) to eliminate blind spots and detect risks. Darktrace will pay €47.5m for Cybersprint, corresponding to 12.5x ARR – the amount will be paid approx. 75% in cash and 25% in equity. An attack surface is essentially the sum total of an organization’s assets (hardware, software, cloud, SaaS) that store, process or transmit sensitive data. Attack surface management involves the discovery, inventory, prioritization and security monitoring of an organization’s internet- exposed assets. The acquisition of Cybersprint complements Darktrace’s foray into proactive cyber security (with the ‘Prevent’ product suite). Darktrace highlighted that Attack Surface Management will be available as a new module in the Prevent product family. In addition to Detect, Respond, Investigate and Prevent product families, Darktrace is researching AI-driven healing as a means to aid human teams in the remediation process in the aftermath of an attack.

==== Sensors ====
Darktrace’s cybersecurity products utilize sensors placed within the enterprise’s digital infrastructure – these sensors can be delivered physically (using an appliance) or virtually (in software). Darktrace has two primary distribution centers for its physical appliances: one based at its HQ in Cambridge, which focuses on shipments outside of Europe and the other in Dublin, which focuses on shipments throughout Europe. The physical appliances use standard components that are built into server units by Darktrace suppliers at its distribution sites. Darktrace receives pre-built server units and will then load software onto the appliance, including customer specific pre-configurations. Each Darktrace physical appliance is encoded such that it can only be used in conjunction with Darktrace products. The company can prepare hundreds of appliances a day that are ready to be shipped to customer sites. In some regions, Darktrace utilizes channel partners for onward transport and installation of the appliances. In addition, Darktrace has its own technical team (including cyber technicians and engineers) who will perform site visits and installations, where possible.

=== Customer base‌ ===
Darktrace’s customer base has expanded from 1,659 in 2018 (period ending in Jun- 18) to 6,531 as of Dec-21 (growing 40% YoY during 1H22), with products deployed in more than 110 countries. The customers span all industries and sizes – Financial Services, Darktrace’s biggest industry vertical by number of customers, represented 19% of total customers as of Feb-21.

No single customer accounted for more than 10% of revenue in 1H22, 2021 and 2020. By geography (based on contractual location), US and Canada account for the biggest portion of total revenue (38% in 1H22, of which US was 34%), followed by Europe (24%), UK (17%) and Rest of the World (21%). Some Darktrace customers include City of Las Vegas, FarFetch, McLaren Group, Micron, Samsung, Ted Baker, Kohl’s, Coca Cola, NHS, Serco, Funding Circle, etc.

'''Figure 4: Customer split % (by volume) by industry vertical (as of Feb-21)'''<ref name=":2">Source: Company data.</ref>

'''Figure 5: Period-end number of customers<ref>Source: Company data; FY ends in Jun.</ref>'''

'''Figure 6: Revenue split by geography (%)<ref>Source: Company data; revenue from customers has been attributed to the geographic market based on contractual location; FY ends in Jun.</ref>'''

==== Churn ====
The majority of Darktrace customers fall in the SMB/mid-market category, with ~85% of customers with contract size up to $100k in ARR. This portion has remained fairly consistent in recent years. Customers with contract size less than $100k in ARR contributed 51% of total ARR during 1H22.

The company has demonstrated a track record of driving higher platform adoption across new and existing customers. The portion of customers purchasing more than one product has increased from 47% in 2019 to 88% in 1H22 (with the portion of customers purchasing four or more products (out of a possible 10 currently) rising from 5% in 2019 to 43% in 1H22). The majority of Darktrace customers buy multiple products at the initial point of purchase.

'''Figure 7: Customer split by contract ARR size<ref>Source: Company data; FY ends in Jun.</ref>'''


'''Figure 8: % of customers using more than one Darktrace product<ref>Source: Company data; FY ends in Jun.</ref>'''



Darktrace reported 1-year gross ARR churn of 6.4% as of end-1H22 (six-month period ending in Dec-21) vs. 7.6% exiting Jun-21. As expected, Darktrace sees higher churn among customers with contract size less than $100k in ARR. Darktrace’s 1-yr gross ARR churn is higher compared to other cybersecurity vendors (such as Crowdstrike, which reported 1-yr gross ARR churn of ~2% in FY21) given its SMB/mid-market heavy customer base. Darktrace reported net ARR retention rate of 105.1% in 1H22 (increasing from 99.1% in 2020 and 102.9% in 2021) – the increase in net ARR retention rate is a function of higher product upsell/cross-sell and stabilizing churn. Darktrace is investing in its customer success function, which should help stabilize churn and drive higher upsells/cross-sells at the point of renewal. That said, given the SMB/mid-market heavy customer base (which is characterized by higher churn compared to larger enterprise customers) and multiple products purchased at the initial point of sale (which limits the scope of cross-sells), Darktrace does not expect to see a significant improvement in net ARR retention rate going forward (the improvement, if any, is likely to be more gradual).

'''Figure 9: Period-end 1-year gross ARR churn (%)<ref>Source: Company data; one-year gross ARR churn rate is defined as the ARR value of customers lost from the existing customer cohort one year prior to the measurement date, divided by the total ARR value of that existing customer cohort (this metric reflects only customer losses and does not reflect expansions or contractions); FY ends in Jun.</ref>'''



'''Figure 10: Period-end net ARR retention rate (%)<ref>Source: Company data; net ARR retention rate is defined as the current ARR value for all customers that were customers one year prior to the measurement date, divided by their ARR one year prior to the measurement date (this metric reflects customer losses, expansions and contractions); FY ends in Jun.</ref>'''


=== Go-to-market ===
Darktrace sees its offerings as complementary to an enterprise’s existing security investments. The company sees a large greenfield opportunity for its products (a potential addressable customer base of >150k across industries) – accordingly, Darktrace remains focused on acquiring new customers and driving high platform adoption at the initial point of purchase.

Darktrace’s lead generation comes from different sources including:

* Inside sales;
* Marketing events;
* Partner channel;
* Self-prospecting;
* Inbound enquiries.

Post lead generation, Darktrace primarily relies on ‘highly replicable and scalable’ POV (Proof of Value) trials of its technology to acquire new customers. The POV trials require minimal set-up and scoping and allow a potential new customer to evaluate Darktrace’s Cyber AI platform on its own digital estate free of charge. The trials typically run over a 30-day period. Darktrace notes that its Cyber AI platform detects serious threats that other security tools have missed in 77% of POV trials – according to Darktrace, this drives a high conversion rate post trials. The figure below summarizes Darktrace’s POV playbook – the company highlights that the average length of the sales cycle from session 1 to contract completion is 84 days.

Given Darktrace’s strategic focus on acquiring new customers, its ARR growth is dependent on the scaling of its POV trials. This in turn is dependent on hiring of new account executives (AEs). Darktrace has indicated that ~24% of its POVs were generated exclusively by its inside sales team. The inside sales teams are incentivized based on the number of qualified meetings booked as % of closed deals. Around 28% of Darktrace’s POVs come from the partner channel.

'''Figure 11: Snapshot of Darktrace's POV-led sales cycle'''<ref name=":2" />'''<br />'''

Darktrace sells its platform both directly to customers and through its channel partners (including resellers and managed security service providers). A majority of Darktrace’s sales (~65%) are generated via its direct sales personnel.

==== Direct sales ====
Darktrace’s approach to building its direct sales team relies on hiring and training fresh graduates from universities (Darktrace does not hire tenured enterprise salespeople). New account executives hired by Darktrace deliver first POV and sales in their third and fifth months of employment, respectively. Thus, Darktrace considers a salesperson to be productive only in their fifth month of employment. The salesperson is subject to quotas and targets that scale with the duration of employment. The incentive structure for salespeople includes a formal commission on sales (including uncapped commission on new deals, upsells and renewals). Approx. 50% of the commission is paid on accepted bookings and approx. 50% upon successful account management, over the first year.

==== Channel partners ====
Darktrace sees its partner channel primarily as a source of lead generation, rather than a channel to offload services/implementation, as Darktrace’s technology is relatively easy to set up, according to the company. Darktrace’s partners consist of value-added resellers, managed security service providers and technology partners that offer solutions complementary to Darktrace’s offering. Darktrace has more than 370 active channel partners including Atos, BT, Reply, SHI, Bytes, Computacenter, Eurofins, Telstra, Sis, Nth Generation and ConvergeOne. Darktrace does not rely on any single partner for a significant portion of its sales, with its largest partner accounting for ~2% of 1H21 sales. In terms of commercial arrangement, Darktrace works with its channel partners on a margin sharing basis (5-30%, depending on the involvement in the deal).

== Competition landscape‌ ==
Growing demand for proactive threat detection and response solutions (across network, cloud, email and endpoint) has underpinned Darktrace’s rapid customer- base and ARR growth in recent years. However, with relatively low barriers to entry and increased competition, JP Morgan sees a risk of commoditization of solutions targeting the use-cases addressed by Darktrace. A growing list of vendors that seek to combine different point security solution offerings into an eXtended Detection and Response (XDR) fabric will only increase the competitive intensity for vendors such as Darktrace, whose offerings are a complement (rather than a replacement) for other point security tools such as Endpoint Detection and Response (EDR), in JP Morgan's view. Today, Darktrace leads the Network Detection and Response (NDR) market and has seen good early success with its email product; however, against the backdrop of commoditization, high competition, growing enterprise awareness of vendors addressing proactive detection and response use-cases and relatively low switching costs, JP Morgan believes that customer acquisition and retention is likely to get tougher for Darktrace, going forward. In addition, there is a real competitive threat from public cloud vendors such as Microsoft, Amazon and Google making a big push into proactive threat detection and response solutions for cloud traffic and email as enterprise workloads transition to the cloud.

Darktrace’s approach to threat detection and response does not rely on a historical signatures-based detection / rules-based response playbook; instead, its technology aims to learn the ‘patterns of life’ for an enterprise, creating a constantly evolving baseline for ‘normal’ behavior, and detects and responds to deviations from the normal. Darktrace’s cyber AI platform provides coverage across an enterprise’s network (on-premises, OT, cloud and SaaS), email and endpoints. Further, Darktrace will roll out solutions tackling preventative security and remediation/healing post attacks as part of its continuous AI security loop. Given its breadth of offerings and platform approach, Darktrace does not fit neatly into any particular cybersecurity sub-segment.

Darktrace notes that it does not compete with the vast majority of cybersecurity vendors as it sees its offering as complementary to an enterprise’s existing layered security stack. However, enterprise purchasing decisions are business-problem- driven and the use-cases addressed by Darktrace today are targeted by point security solution vendors such as EDR (Endpoint Detection and Response), NDR (Network Detection and Response), SIEM (Security Information and Event Management) / SOAR (Security Orchestration, Automation and Response) system and secure email gateway/cloud email security vendors. Over the mid-term, competition may also come from vendors combining multiple point solutions as part of an eXtended Detection and Response (XDR) platform. With visibility into a growing portion of enterprise traffic, public cloud vendors and zero trust/secure service edge providers such as Zscaler and Fortinet may choose to offer an integrated threat detection and response solution, potentially trimming the available opportunity for Darktrace, in JP Morgan's view.

Below, JP Morgan provides an overview of Darktrace’s competitors across different categories based on the product offering/use-case.

=== Competition remains intense in the network detection and response market‌ ===
The security industry is seeing a shift from legacy prevention-based security approaches to proactive detection and response technologies. Endpoint security has already undergone this transition, with organizations moving from antivirus (AV) to next-generation AV to Endpoint Detection and Response (EDR) solutions. The move to Network Detection and Response (NDR) is a similar shift on the network, i.e. the next step in the transition from traditional prevention-only security solutions such as Intrusion Detection Systems (IDS) and Intrusion Detection and Prevention Systems (IDPS). NDR vendors offer an integrated set of network traffic monitoring, threat detection, investigation and response capabilities – these vendors provide a broad visibility into an enterprise’s internal network by monitoring and analyzing traffic among users/devices across the enterprise’s digital estate (on-premises, SaaS and cloud).

NDR approach to security has gained traction in recent years as this provides an added layer of network visibility without requiring agents to be installed on devices and is invisible to attackers. NDR tools augment the capabilities of security teams by monitoring network traffic in real-time (or near real-time), detecting and prioritizing threats and syncing (via APIs) with other point security solutions (firewalls, network access control, EDR, SIEM/SOAR systems) either to initiate an automated customized response (especially for high-risk incidents/breaches) or for further investigation and threat hunting.

Put simply, NDR tools employ unsupervised machine learning to establish a baseline for ‘normal’ network activity and flag deviations from the normal as alerts for further monitoring; supervised machine learning and other tools can then be applied on the flagged alerts to categorize possible threats or malicious activity. NDR tools do not rely only on past threat signatures or indicators of compromise for threat detection and can monitor both north-south and east-west traffic (with proper design of NDR deployments), making these tools a good complement to traditional security solutions such as firewalls and IDS/IPS (which primarily rely on historical threat signatures for detection).

NDR vendor offerings overlap with Darktrace’s network portfolio (Enterprise Immune System, Antigena for Network and Cyber AI analyst) – in fact, prior to rolling out solutions for email and endpoint, Darktrace was primarily an NDR vendor. According to Gartner, the NDR market stood at $1.3bn in 2021 (+27% YoY) and is expected to grow at a 4-yr CAGR of 16% reaching $2.4bn by 2025. Darktrace is the leading vendor in this market with 25% share, followed by Cisco (14%), ExtraHop (13%) and Vectra AI (9%). Some other key NDR vendors include FireEye (Trellix), Fidelis, Gigamon, IronNet and RSA Netwitness.

'''Figure 12: Network Detection & Response (NDR) market ($. m): CY19-25'''<ref name=":3">Source: Gartner.</ref>



'''Figure 13: Network Detection & Response: CY21 Market share<ref name=":3" />'''


Demand for NDR solutions will likely remain high as enterprises introduce an added layer of network traffic visibility to their layered security stack; however, competition in this space remains intense. There are more than 20 vendors offering NDR solutions ranging from early-/mid-stage start-ups to large, established cybersecurity companies. NDR vendor offerings have also matured with basic capabilities and on-premises/cloud/SaaS coverage provided by most vendors.

Further, as enterprises increasingly incorporate NDR as part of their security stack, enterprise awareness of different vendor offerings in this space is likely to increase.

In addition, with visibility into a growing portion of enterprise traffic, NDR vendors may face competition from zero trust/secure service edge providers such as Zscaler and Fortinet that may add network traffic analytics as part of an integrated cloud security stack (today, NDR vendors offer integrations to zero trust architectures to capture logs for added visibility). Public cloud players such as Amazon, Microsoft and Google may also make a big push addressing real-time cloud traffic analysis and threat response solutions – Today, these public cloud vendors offer packet mirroring, which allows third-party network traffic analysis tools such as Darktrace to monitor traffic to/from virtual machines. However, given the importance of cloud traffic visibility, this may be brought into the fold of in-built cloud security offered by public cloud vendors in the future.

=== The future of NDR is XDR‌ ===
As stated previously, endpoint security has undergone a transition from basic AV solutions to next-generation AV and Endpoint Protection Platforms (EPPs) to Endpoint Detection and Response (EDR) solutions. However, there is a growing realization that the siloed approach to security is not enough to combat modern-day cyber threats. In fact, EDR tools face limitations when it comes to visibility into cloud workloads, IoT and unmanaged devices. This security gap is now being filled by tools such as NDR, cloud workload protection platforms, and user behavior analytics. This development has only added more siloed point security tools to an enterprise’s security arsenal.

These tools don’t usually work well together and, even when they do, security analysts have to sift through a high number of alerts. These issues are giving rise to a new approach termed eXtended Detection and Response (XDR).

XDR vendors seek to integrate telemetry from multiple sources such as endpoint, network, cloud, identity, etc. to offer contextually rich and targeted threat analysis and incident response systems. This is akin to SIEM systems; however, XDR offerings tend to be less open, with the use-case limited to threat detection and response. Eventually, JP Morgan believes that EDR, NDR, user behavior analytics and some SIEM/SOAR functionality will be brought into the fold of XDR. JP Morgan is already seeing integration of NDR capabilities from point solution vendors as part of their XDR strategy. Some key XDR vendors include Cisco, Palo Alto Networks, Crowdstrike, Sophos, IBM, Microsoft, Trend Micro, Rapid7 and SentinelOne.

In JP Morgan's view, the growing list of XDR vendors will only increase the competitive intensity for vendors such as Darktrace, which does not have a strong standalone offering for endpoint, SIEM or network security (Darktrace solutions work as a complement to these point security tools). Larger enterprises using best-of-breed security vendors are more likely to license additional modules from these XDR vendors to improve network visibility and threat analytics. Smaller enterprises (with a limited security budget) may choose to outsource threat detection and response to Managed Detection and Response (MDR) vendors or other MSSPs (Managed Security Service Providers) given the high cost and complexity of managing NDR appliances and alerts. Some key MDR / managed SOC vendors include SecureWorks, Arctic Wolf, Rapid7, Sophos, eSentire, etc.

Against the backdrop of commoditization of basic NDR capabilities, increased competition from XDR vendors, growing vendor awareness and relatively low switching costs, JP Morgan believes that customer acquisition and retention will likely get tougher for Darktrace, going forward.

JP Morgan acknowledges that the shift toward integrated XDR solutions will not happen overnight and these solutions may take some time to mature. However, with vendors already aggressively pursuing such strategies, JP Morgan believes that the convergence between EDR, NDR, cloud workload protection platforms and user behavior analytics tools is inevitable.

=== Pure-play NDR specialists are good acquisition candidates‌ ===
Given the prospect of commoditization and eventual convergence with XDR offerings, JP Morgan expects some consolidation in the NDR market; JP Morgan sees pure-play NDR vendors as good acquisition candidates. Deal activity in the NDR market is picking up pace – as examples, Blackstone-backed Vectra AI raised $130m at a post money valuation of $1.2bn in Apr-21; ExtraHop was acquired by Bain Capital and

Crosspoint Capital for $900m in Jun-21. Existing network equipment vendors are also making a play in this market (Arista acquired Awake Security in 2020 and Cisco has been developing its Stealthwatch offering).

In addition, vendors are adding NDR capabilities as part of their integrated XDR platform; these vendors are either buying pure-play NDR specialists or organically building NDR capabilities – as examples, Check Point Software introduced its NDR offering in 2021, Crowdstrike acquired a strategic stake in Corelight in Sep-21, Sophos acquired Braintrace in Jul-21, LogRhythm acquired MistNet in Jan-21 and VMware acquired Lastline in Jun-20.

Darktrace is a not a pure NDR specialist and offers an XDR-like approach to security (across network, email and endpoint). Thus it does not look a strong acquisition candidate in this context, especially from vendors that have an established EDR or email security offering. Having said this, JP Morgan would not rule out the possibility of Darktrace being acquired by a larger security vendor (looking to add AI-driven threat detection and response capabilities) in the future.

{| class="wikitable"
|+Table 5: Deal activity in the NDR market is picking up pace<ref>Source: Company releases, J.P. Morgan.</ref>
|NDR vendor
|Deal type
|Acquired by
|Date
|Comment
|-
|Bricata
|Acquisition
|OpenText
|Nov-21
|
|-
|Corelight
|Series D
|
|Sep-21 
|Raised $75m in Series D investment led by Energy Impact Partners, With strategic investment from Crowdstrike Falcon Fund
|-
|Braintrace
|Acquisition
|Sophos
|Jul-21
|
|-
|ExtraHop
|Acquisition
|Bain Capital and Crosspoint Capital
|Jun-21
|Purchase price of $900m.
|-
|Vectra AI
|Series F
|
|Apr-21
|Led by Blackstone, raised $130m at $1.2bn valuation (post-money).
|-
|MistNet
|Acquisition
|LogRhythm
|Jan-21
|
|-
|Awake Security
|Acquisition
|Arista
|Sep-20
|
|-
|Lastline
|Acquisition
|VMware
|Jun-20
|
|-
|ProtectWise
|Acquisition
|Verizon
|Mar-19
|
|-
|LightCyber
|Acquisition
|Palo Alto Networks
|Mar-17
|Acquired for $105m.
|}

=== Email security moving beyond secure email gateway solutions; however, competition is heating up‌ ===
Similar to the trends discussed above for endpoint and network, email security is seeing a transition from traditional gateway-led protection approaches to AI-led cloud email security supplement solutions that scan the entire email system for anomalies. These solutions link to cloud email systems (Microsoft/Google) via APIs to provide a contextually richer understanding of email activity (analyzing user behavior, senders, links and attachments in the context of normal “patterns of life”) – adding an additional line of defence on top of built-in capabilities offered by email providers such as Microsoft and Google.

In JP Morgan's view, mature enterprises are not likely to replace existing secure email gateway solutions in favor of integrated cloud email security offerings (just as these enterprises are not likely to forgo investments in IDS/IDPS in favor of NDR); rather these solutions will likely supplement existing secure gateway investments. Smaller enterprises may choose integrated cloud email security solutions (working in conjunction with built-in security from cloud email providers such as Microsoft’s Defender) over secure email gateway offerings. JP Morgan expects integrated cloud email security solutions to gain traction in the coming years. However, like in the NDR space, JP Morgan does see pure-play cloud email security specialists as good acquisition candidates – either by secure email gateway vendors or XDR vendors (e.g. Check Point’s acquisition of Avanan in Aug-21).

Darktrace’s Antigena Email (launched in 2019) has seen good early success in the market for integrated cloud email security solutions. Here, the company competes with vendors such as Avanan, Abnormal Security (raised $50m at $500m+ valuation in Nov-20), Tessian ($500m valuation as of May-21), Vade and Ironscales. In addition, competition (especially, in the SMB/mid-market segment) may come from secure email gateway vendors such as Proofpoint and Mimecast.

=== Breach and attack simulation vendors‌ ===
Although still in the early stages of product roll-out, Darktrace’s foray into preventative cybersecurity (breach and attack simulation) puts the company in competition with vendors such as CyCognito, Mandiant, Qualys and AttackIQ. Darktrace plans to roll out its ‘Prevent’ product suite more broadly by mid-CY22.

== Customer survey feedback‌ ==
JP Morgan commissioned Guidepoint to conduct a survey of CISOs/CTOs across 30 current and past Darktrace customers (13 current and 17 past customers). Darktrace has 6,531 active customers as of Dec-21. Hence, JP Morgan notes that this survey only covers a subset of active and previous customers, albeit should provide some insights on the customer perspective. JP Morgan summarizes JP Morgan's key takeaways from the survey below:

=== Product-market fit and competition‌ ===
Enterprise purchasing decisions are business problem-driven. JP Morgan asked survey participants to highlight the key business problems and decision criteria that prompted the consideration/purchase of Darktrace products. Answers to this question help gain insights to Darktrace’s product-market fit and value proposition, i.e. the problems that the market perceives the company’s products to solve. Darktrace sees its offerings as complementary to an organization’s existing security stack and does not see any cybersecurity vendor as its direct competitor, given its coverage and breadth of offerings. However, the business problems that prompted an enterprise to consider/purchase Darktrace products and the alternatives it considered in evaluating Darktrace’s products present a more realistic picture of what enterprises view as alternatives to Darktrace in the fight for cybersecurity wallet-share.

JP Morgan summarizes key themes from the survey responses below:

'''Business problems that led to the consideration of Darktrace’s products:'''

* Need for an expanded layer of network monitoring, better network traffic analysis and cloud security;
* Lack of security resources to monitor threats and need for a SIEM/SOAR solution for analytics and threat hunting;
* Need for an AI-driven solution to secure against internal threats and APT (Advanced Persistent Threats) that does not rely on past indicators of compromise;
* Need for anomaly detection and autonomous blocking of threats; and
* Improved email protection against spear/whale phishing.  
'''Key survey responses to the question “Which business problem prompted the consideration of Darktrace products?”'''
* “Overall IT/Network security and staffing bandwidth. We didn’t have enough resources to monitor the previous systems we had in place and respond in a timely fashion to events that could be incidents. We looked to Darktrace to minimize the number of resources required to monitor our security and increase our visibility.”
* “Initially the thought of a silent hacker sitting in our system gathering data or information about our security systems. AI was the only thing that could spot this. At the time we only had traditional layers of protection that were not good enough.”
* “The initial idea was to utilize AI and Automation and reduce manual efforts in our day-to-day SOC operations.”
* “Increased threats, sophistication and resources applied to cyberattacks required more diligence on our part. We have our clients’ PHI data so critical we are protected.”
* “Need for Security Operations Center but with limited resources. We also needed a way to watch both on-premises and cloud networks.”
* “Improved email protection was required to reduce spear and whale phishing issues we [were] seeing in addition to [an] ML-based solution for SaaS logins.”  
'''Key decision criteria that led to the purchase of Darktrace products:'''  

Survey responses to the question ''“What were the key criteria that led to the purchase of Darktrace products?”'' highlight key customer expectations and value demonstrated or promised by Darktrace during/post a Proof of Value (POV) trial.  

The responses can be summarized in the following key buckets:
* Product performance (includes metrics such as accuracy of detection, scalability and ease of deployment & use);
* Coverage (especially for cloud/OT environments);
* AI capabilities/non-reliance on known threat signatures;
* Vendor reputation (includes peer reviews and recommendation from SIs);
* Total cost of ownership;
* Interoperability with existing security stack;
* Other product features (such as full packet capture and user interface);
* Service & Support.  
'''Alternatives considered'''  

Unsurprisingly, network detection and response (NDR) vendors surfaced as the biggest competitor category, followed by Endpoint/eXtended Detection & Response (EDR/XDR) vendors, Secure Email Gateway providers and SIEM/managed SOC system vendors.
* NDR vendors: ExtraHop, Vectra AI, Cisco Stealthwatch, RSA Netwitness, Corelight;
* EDR/XDR vendors: Crowdstrike, Cylance, Palo Alto Networks, FireEye, SentinelOne, Carbon Black, Sophos, Skout;
* Secure Email Gateway vendors: Mimecast;
* SIEM/managed SOC system vendors: Splunk, SecureWorks, Arctic Wolf.
'''Figure 14: Alternatives considered in the evaluation of Darktrace products (number of mentions)<ref>Source: J.P. Morgan; based on survey responses from 30 current/past Darktrace customers.</ref>'''



Another striking point from the survey is the lack of broader awareness of vendors providing similar solutions targeting use-cases such as network traffic monitoring, autonomous response or integrated cloud email security solutions. As an example, several survey respondents that highlighted ‘APT/internal threats’ and ‘network traffic visibility’ as key business problems were unaware of NDR vendors beyond Darktrace and instead cited endpoint security platforms or managed SIEMs as alternatives in the evaluation process. Similarly, none of the survey respondents highlighted integrated cloud email security competitors to Darktrace in evaluation of Darktrace’s email product. This clearly demonstrates the value of Darktrace’s marketing efforts; however, JP Morgan does not see this as a sustainable differentiator going forward. With growing vendor awareness, the security vendor selection criteria are likely to shift from “the business problems addressed” to “product experience and price”.

=== Experience with using Darktrace products ===
JP Morgan asked survey participants to rate their experience (on a scale of 1 = extremely dissatisfied to 5 = extremely satisfied) with using Darktrace products across the

following different dimensions:

* Ease of deployment (e.g. time to deploy/set-up period and resources required);
* Integration with other security tools and data sources;
* Ease of use (manageability of alerts);
* Customization/configurability of the platform;
* Scalability;
* Service & Support; and
* Performance (overall platform usefulness, ability to detect and respond to threats/attacks).

In addition, JP Morgan asked survey participates to highlight the key factors that they like/dislike about Darktrace’s products. JP Morgan summarize the quantitative and qualitative feedback below.

'''Figure 15: Darktrace: Weighted-average rating across key dimensions (aggregate)<ref>Source: J.P. Morgan; average values based on survey conducted across 30 current/past Darktrace customers; 1=extremely dissatisfied, 2=somewhat dissatisfied, 3=neither satisfied nor dissatisfied, 4=somewhat satisfied, 5=extremely satisfied.</ref>'''

'''<br />Figure 16: Darktrace: Weighted-average rating across key dimensions (past customers)<ref>Source: J.P. Morgan; average values based on inputs from 17 past Darktrace customers (out of a total of 30).</ref>'''

'''<br />Figure 17: Darktrace: Weighted-average rating across key dimensions (current customers)<ref>Source: J.P. Morgan; average values based on inputs from 13 current Darktrace customers (out of a total of 30).</ref>'''
{| class="wikitable"
|+Table 6: Responses to the question "What do you most like/dislike about Darktrace products?" by current Darktrace customers (n=13)<ref>Source: J.P. Morgan. Survey comments have been reproduced in their original form and have not been edited except as indicated. Survey comments should not be attributed to J.P. Morgan and are not representative of its views.</ref>
|#
| colspan="3" |Likes
| colspan="3" |Dislikes
|-
|1
|Network detection
|Dashboard
|Detection capabilities
|Complexity
|High total cost of

ownership
|Limited to network

visibility
|-
|2
|Integrates with our

existing security stack
|Excellent detection and

configurability
|Low false positive and

great reporting
|Configuration requires

time/learning
|Tuning/customization

non-trivial
|Initial setup took longer

than [expected]
|-
|3
|Good price
|Good features
|Good support
|Limited function
|Not best of breed
|Can be difficult to use
|-
|4
|AI feature
|Automation
|Machine learning
|N/A
|N/A
|N/A
|-
|5
|System management
|Ability to detect threats
|Reliability
|Can be time consuming

in managing log reports
|Time to build skills
|Lack of overall portfolio
|-
|6
|User interface
|Ability to give actionable info
|Always improving functionality
|It’s expensive
|Need a path to cloud only solution
|Antigena email will sometimes not filter out email until after it hits

the mailbox
|-
|7
|Rich in product features that are specific to our business

needs
|Road map for future technology that aligns to our needs
|Engineering support and service is above other vendors
|Can be quite costly when you add all the licenses and feature

sets
|N/A
|N/A
|-
|8
|Usability
|Effectiveness
|Price
|Learning curve
|Integration into data sources (separate

reporting)
|External source coverage
|-
|9
|Dashboard and ease of use
|Machine learning models
|Ease of customisation
|Cost is a little high
|Expanding the solution will be costly
|Feature requests need to be submitted via the

customer portal
|-
|10
|Comfort blanket
|Solves unique problem
|[Threat hunt]
|V expensive
|[Marketing]
|
|-
|11
|UI and ease of use
|Ability to apply

exceptions
|Behavioral based

scoring
|New endpoint agent

[requires] AI analyst
|Models are hard to

create
|No archiving capability
|-
|12
|Performance at

spotting strange or undesirable behaviour
|User-friendly interface
|The way it interrogates

logs and allows network traffic playback
|Cost
|Lack of HTTPS inspection
|
|-
|13
|Clever AI engines
|[Continuously] improving & adopting to

new emerging threats
|Can work with human in the loop
|Cost
|Time to deploy
|Lack of compatibility with some older

hardware
|}
{| class="wikitable"
|+Table 7: Responses to the question "What do you most like/dislike about Darktrace products?" by past Darktrace customers (n=17)<ref>Source: J.P. Morgan. Survey comments have been reproduced in their original form and have not been edited except as indicated. Survey comments should not be attributed to J.P. Morgan and are not representative of its views.</ref>
|#
| colspan="3" |Likes
| colspan="3" |Dislikes
|-
|1
|Easy to work with, once you know how
|AI
|Unsupervised machine learning
|Price
|Integration
|Wanted endpoint

protection for remote workers
|-
|2
|Scalable
|Cost
|Somewhat ease of use
|Interoperability with

other security products
|False positives
|Admin overhead
|-
|3
|Product options
|Coverage specifics
|AI
|Cost
|False positive
|Deployment
|-
|4
|Suite of products
|Focus on industrial

segment
|Coverage areas email,

IT, OT etc.
|Niche product
|Not tightly coupled with

public clouds
|Skills
|-
|5
|AI capabilities
|Easy deployment
|TCO
|Integration with legacy

systems
|Scalability
|Roadmap
|-
|6
|Hard to say at this point. The visualization tool they have is pretty slice
|N/A
|N/A
|Not a lot of value for the money
|Other security tools provided similar alerting and sometimes they alerted on things

Darktrace did not
|Tool was not the most intuitive.
|-
|7
|Ease of use
|Cost
|Strong security
|Poor support
|Better alternatives emerged
|Not great [integration]
|-
|8
|Cost
|Support
|Customer Success
|[Configurability]
|Difficult to read manual
|Cost Performance
|-
|9
|Customisation
|Detection capability
|Logging and UI
|Scalability
|Not many integrations
|Hard to deploy
|-
|10
|Ease of deployment
|Detection of threats - I did say we had a lot of false positives but it did also catch things we most likely wouldn’t

have
|Speed to operations from start of deployment
|False positives - tuning seemed continuous and appeared to never end
|Pricing - Other alternatives that cost less have since become available
|Resources required to manage
|-
|11
|Ease of use
|Scalability
|Detection capabilities
|Cost
|Ease of integration
|Skillset to operate
|-
|12
|Ease of implementation
|Performance
|Antigena [autonomous

response]
|Complexity of resolution
|Limited training
|Lack of customer focus

as they grew
|-
|13
|Industry standard
|Meets needs of its use
|User friendly
|Price
|False positive rate
|Technical material
|-
|14
|Efficacy
|Integrations
|Ease of use
|Price
|N/A
|N/A
|-
|15
|Ease of implementation
|Support
|Cost
|N/A
|N/A
|N/A
|-
|16
|UI
|Ease of use
|Price
|Performance
|Capability
|Deployment
|-
|17
|Intelligence
|GUI
|Feature Rich
|Complicated
|Sometimes UI masks the advanced features
|Data Visualization
|}
A majority of survey respondents (50%) – including customers who have discontinued the use of Darktrace products – indicated that Darktrace ''met expectations'' in terms of overall product performance. 30% of survey respondents (9 out of 30) reported that Darktrace products performed ''lower-than-expectations'', while 20% reported that Darktrace ''exceeded expectations'' in terms of performance.

Qualitative feedback submitted by current and past Darktrace customers indicates that “high price” and “platform complexity” are among the top disliked factors. Several respondents either discontinued or indicated their willingness to discontinue Darktrace solutions due to availability of cheaper alternatives (such as Vectra AI and ExtraHop) and limited value-add from Darktrace products. Separate interviews with customers indicate that switching costs to alternatives are relatively low (3-6 months of training time/model tuning with a new solution). A majority of current Darktrace customers JP Morgan surveyed (7 out of 13) plan to keep spending with Darktrace unchanged, with 2 current customers indicating their willingness to discontinue usage of Darktrace products.

=== Factors driving churn‌ ===
A total of 17 out of 30 surveyed participants are past Darktrace customers. JP Morgan asked these respondents the top reasons for discontinuing the use of Darktrace products to gauge the key factors driving churn in customer base. JP Morgan summarize the responses in Figure 18 below. “High Price” and “Poor product performance” (here “poor product performance” refers to high number of false positives and associated admin burden in managing the alerts, inability to detect serious threats/attacks), poor integration with other security solutions and availability of better alternatives were the commonly cited reasons for discontinuing Darktrace products.

'''Figure 18: Top reasons for discontinuing Darktrace products<ref>Source: J.P. Morgan; A total of 17 out of 30 respondents indicated that they discontinued the use of Darktrace products – survey participants were given the option of selecting multiple reasons; *poor product performance includes factors such as high number of false positives, failure to detect serious threats, etc.</ref>'''


== ARR growth tied to new customer acquisition‌ ==



A significant portion of Darktrace’s total addressable market opportunity depends on the company’s ability to grow its ARR independent of new customer acquisition. However, despite reporting higher platform adoption stats in the last couple of years, the company has not reported any meaningful uptick in average contract ARR (Dec- 21 level approx. flat vs. Jun-19). This is partly explained by Darktrace’s focus on acquiring new customers, SMB/mid-market skew in customer base and impact from new product launches. It remains to be seen whether Darktrace can decouple ARR growth from new customer acquisition, which JP Morgan believes will only get tougher with high competition and growing enterprise awareness of competing vendors. Unless the quality (in terms of stickiness) of the customer base acquired is high, focus on new customer acquisition will not translate to sustainable profitable growth, in JP Morgan's view, even though the company may deliver healthy growth in the near term.

Darktrace sees its total addressable market to be ~$41bn. The company calculates this TAM using a bottom-up approach by multiplying its 2021 ARR of $343m (FY ending in Jun) by the following factors:

* 27x – to reflect 150k addressable customers (27x installed base as of Jun-21); Darktrace considers any company in any region excluding Russia and China, industry and of any size (> 250 employees) as an addressable customer;
* 2x to reflect the cross-sell opportunity within Darktrace’s existing product offering;
* 1.5x to reflect the up-sell opportunity to deploy Darktrace’s products across the entire digital estate of its customers; and
* 1.5x to reflect the potential adoption of planned future product offerings (including ‘Prevent’ and ‘Heal’ product families).

While Darktrace’s addressable opportunity seems sizable, the company continues to grow its ARR primarily via new customer additions, with limited contribution from average contract ARR uplift. Darktrace reported constant currency (cc) ARR of $427m as of Dec-21, up from $177m as of Jun-19 (~140% over this period). ARR growth during this period was primarily driven by new customer acquisition, which grew ~140% from 2,731 as of Jun-19 to 6,531 as of Dec-21.

=== Limited uptick in average contract ARR despite higher platform adoption‌ ===
Average contract ARR (defined as period-end ARR divided by period-end number of customers) stood at $65k as of Dec-21 and is roughly flat vs. the level as of Jun-19. The limited increase in average contract ARR over this period is despite the higher platform adoption the company has delivered in recent years (number of customers purchasing more than one product up from 47% in 2019 to 88% in 1H22).

According to Darktrace, the limited increase in average contract ARR is driven by the following factors:

* Impact of new product cycles on average contract ARR;
* Limited uplift in net ARR retention rate.

==== Impact from new product cycles ====
SMB/mid-market customers (with shorter sales cycles) tend to adopt new products first, causing a temporary dip in average contract ARR; this is followed by a gradual increase in ARR as larger enterprise deals are closed – the dip in average contract ARR during 2019-1H21 (see Figure 20) is explained by the roll-out of new product modules (Cyber AI analyst, Antigena Email, etc.) in 2019. With Darktrace expected to roll out the ‘Prevent’ product suite around Jun-22, the company expects average contract ARR to go through a similar transition (dip followed by gradual increase) from early FY23.

==== Limited uplift in net retention rate ====
Darktrace reported net ARR retention rate of 105.1% as of Dec-21, up from 99.9% as of Dec-20 and 101.7% as of Jun-19. The improvement in net ARR retention rate is a function of stabilizing 1-yr gross ARR churn (which declined to 6.4% as of Dec-21, from 8% as of Dec-20 and 8.8% as of Jun-19) and some higher upsell and cross-sell across Darktrace’s installed customer base. These results are driven by a recovery in Darktrace’s SMB/mid-market customer base post pandemic and the positive impact from the scaling of customer success function (created in 2H20). Having said this, Darktrace does not expect net ARR retention rate to move up significantly from the current level – this is due to:

* Darktrace’s SMB/mid-market heavy customer base (~85% of Darktrace customers generate sub-$100k in contract ARR) that is characterized by relatively higher churn vs. larger enterprise customers; Darktrace sees normalized 1-yr gross ARR churn at ~6% level;
* A significant portion of the platform being sold upfront, leaving limited room for upsells and cross-sells; and
* The company’s focus on acquiring new customers to capture the sizable addressable opportunity (150k+ potential addressable customers) – i.e. higher emphasis on “land, land, land” over “land & expand”.

'''Figure 19: Evolution of period-end constant currency ARR ($, m)<ref>Source: Company data; rates established at the start of each year; for FY22, constant currency rates were 1.3835 and 1.1878 for GBP and EUR, respectively; FY ends in Jun.</ref>'''

'''Figure 20: Period-end cc average contract ARR ($, '000s)<ref>Source: Based on company data; calculated as period-end cc ARR divided by period-end number of customers; FY ends in Jun.</ref>'''

'''Figure 21: One-year gross cc ARR churn (%)<ref>Source: Company data; FY ends in Jun.</ref>'''

'''Figure 22: Net ARR retention rate (%)<ref>Source: Company data; FY ends in Jun.</ref><br />'''

While weJP Morgan acknowledges the skew in Darktrace’s customer base towards SMB/mid- market enterprises, the above factors do not entirely explain why the company has not delivered any significant uplift in average contract ARR.



Darktrace operates in a highly competitive market with broadly similar offerings available from competing vendors. This likely limits the company’s ability to price its products at a premium and increases retention costs. This could partly explain why the company has not seen a meaningful contract ARR uplift despite selling more product modules to its customer base (additional features bundled together to drive retention). This will not impact gross margin necessarily as providing a new product module such as AI analyst or Antigena autonomous response does not require shipping an additional appliance (for on-premises deployments) and may not result in a commensurate increase in hosting costs for cloud-delivered solutions.

In addition, JP Morgan believes that larger enterprises that have well-resourced security teams and know-how are less likely to use Darktrace solutions as a replacement for a standalone EDR, SIEM or network security solutions; these enterprises will likely continue to stitch together best-of-breed point security solutions or license additional modules from existing XDR vendors to add specific network visibility / threat analytics use-cases. Broader Darktrace platform adoption is more likely across price- conscious and budget-constrained SMB/mid-market customers characterized by lower deal values. These factors may likely limit the increase in average contract ARR values, in JP Morgan's view.

JP Morgan acknowledges that it is likely too early to judge the success of Darktrace’s cross- sell strategy as the company continues to prioritize new customer acquisition and has a relatively young customer success function. However, in the absence of data that demonstrates the company’s strong up-sell and cross-sell potential, JP Morgan continues to model a modest increase in average contract ARR going forward.

Thus, ARR growth, in JP Morgan's view, will continue to be driven by new customer acquisition. JP Morgan believes that high competition in the markets Darktrace operates in will likely make new customer acquisition and retention tougher going forward. This will likely result in either higher gross logo/ARR churn or higher customer incentives needed (to drive retention) and continued high spend on sales and marketing expenses to hunt for new customers to offset churn.

=== Near-term customer acquisition will likely remain healthy driven by salesforce hiring and new product launch‌ ===
JP Morgan models constant currency ARR to grow 39% to $498m in 2022 (fiscal-year ends in Jun), in-line with the midpoint of company guidance. JP Morgan models constant currency ARR (measured as of July-21 exchange rates) growth to slow to 29%/25% in 2023/24, respectively. JP Morgan's estimates are underpinned by the following assumptions.

* The roll-out of new ‘Prevent’ product suite around mid-CY22, strong enterprise demand for AI-driven network and email threat detection and response tools and increase in salesforce hiring will likely translate to healthy new customer acquisition in the near term, in JP Morgan's view. Having said this, high competition in the markets Darktrace operates in will make new customer acquisition and retention tougher going forward, in JP Morgan's view. Taking these two factors into account, JP Morgan models a modest increase (up ~2% p.a.) in net new customer adds in 2023/24 from a base of ~7.5k customers exiting Jun-22.
* JP Morgan models a slight decline in average contract ARR per net new customer added during 1Q-3Q23 (impacted by early uptake by SMB/mid-market customers following the roll-out of the ‘Prevent’ product suite), followed by a gradual increase during 4Q23-4Q24.
* JP Morgan estimates net ARR retention rate to remain constant at 105% throughout JP Morgan's forecast horizon.

'''Figure 23: Period-end constant-currency ARR ($, m): 2019-24E'''<ref>Source: Company data, J.P. Morgan estimates. Constant currency rates: 1.3835 and 1.1878 for the British Pound and the Euro, respectively; FY ends in Jun.</ref>

'''Figure 24: Period-end number of customers and net new customers added: 2019-24E'''<ref>Source: Company data, J.P. Morgan estimates; FY ends in Jun.</ref>

Darktrace generates revenue almost exclusively (99%+) from subscription contracts (with an average contract term of ~3 years). Revenue from these subscription contracts is recognized ratably over the contract period. Darktrace has high revenue visibility, with ~80% of annual revenue underpinned by the backlog at the beginning of the period. Based on JP Morgan's ARR assumptions highlighted above, JP Morgan models revenue to grow 48% YoY to $415m in 2022; JP Morgan's revenue growth estimate of 48% stands slightly above Darktrace’s guided range of 44.5%-46.5%. JP Morgan models revenue growth to slow to 32%/28% in 2023/24, mimicking the trend in ARR growth during these periods.

'''Figure 25: Revenue ($, m): 1H20-2H24E'''<ref name=":4">Source: Company data, J.P. Morgan estimates; FY ends in Jun.</ref>

'''Figure 26: Revenue ($, m): 2018-24E'''<ref name=":4" />

== Risks to profitability‌ ==
Given that new customer acquisition will be the key pillar of Darktrace’s ARR growth going forward, the efficiency of customer acquisition and the quality of customers added are key drivers of Darktrace’s profitability. The barriers to entry in segments Darktrace operates in are low, in JP Morgan's view, with several start-ups and established cybersecurity vendors targeting similar use-cases. Darktrace currently leads the network detection and response market and has seen good early success with its email product. However, given the competitive backdrop, there is a risk that customer acquisition and retention may get tougher going forward. If this were to happen, it would translate to higher customer acquisition costs and drive increased investments in existing and new product development – both of which will limit margin leverage, in JP Morgan's view. Early success in the AI-driven threat detection and response market and investment in marketing have helped Darktrace scale rapidly, delivering above-average growth (52% 2018-21 revenue CAGR); looking ahead, JP Morgan believes investor focus will shift towards how the company balances growth and profitability. Assessing this development through the lens of the ‘Rule of 40’ (revenue growth + FCF margin) is a good indicator of the progress the company is making to sustain profitable growth. JP Morgan expects the sum of revenue growth and FCF margin to dip and remain below 40% over the next couple of years, which would weigh on Darktrace's valuation compared to other cybersecurity peers that consistently beat this 40% benchmark.

=== Higher cloud deployments likely to pressure gross margins‌ ===
This cost bucket primarily includes costs associated with deploying Darktrace software – either via physical appliances or via cloud. Costs associated with providing customer support and supplementary monitoring and response capabilities (‘concierge’ services). Darktrace does not earn any material revenue from selling physical appliances – the company considers physical appliances as its assets, with the corresponding depreciation logged either as cost of sales (for appliances deployed at contracted customer sites) or as sales and marketing expenses (for appliances used in customer acquisition, i.e. as part of the POV process). With a growing portion of cloud-hosted product sales, the portion of hosting costs will increase. The company expects the increase in hosting costs to be partly offset by a decline in appliance depreciation (substitution effect). JP Morgan models Darktrace’s cost of sales as % of revenue to increase gradually from 10% in 2021 to 12.5% in 2024.

'''<br />Figure 27: Darktrace: Cost of sales as % of revenue: 2019-24E'''<ref>Source: Company data, J.P. Morgan estimates; FY ends in Jun.</ref>

=== Sales & Marketing expenses likely to remain elevated‌ ===
Darktrace has reported scale efficiencies in its core non-T&E operating costs (excluding share-based comp and associated employer tax charges) in recent years, with total non-T&E operating expenses as a % of revenue declining from 86% in 2020 to 74% in 1H22. This is primarily a function of some scale efficiencies the company has reported in its marketing function. Adding back share-based comp and associated charges, non-T&E opex as % of revenue declined from 91% in 2020 to 84% in 1H22. Margin performance in 1H22 was helped by the following one-off components (these costs will likely return through 2H22/2023):

* Impact from pandemic-related sales hiring delays; Darktrace is still getting back to its normal cadence of salesforce hiring and expects a catch-up in employee costs over the coming months;
* Lower facilities/office costs as the return to office was delayed.  
While the company has not quantified the impact from these factors, it notes seeing some scale efficiencies, driven by a more efficient marketing function. The majority of sales and marketing expenses (salaries + 50% sales commissions) associated with revenue generated in a given period are incurred in prior periods (during contract acquisition) – this coupled with some improvement in marketing efficiency has translated to scale efficiencies. Darktrace sees a healthy pipeline of potential new customer opportunities and stable POV conversion rates (although the company has not disclosed this metric). However, JP Morgan believes it is too early to extrapolate this trend to outer years, given the increase in competitive intensity. Wage inflation is another factor to be considered in assessing the evolution of margin going forward.

'''<br />Figure 28: Non-T&E operating expenses* (total) as % of revenue<ref name=":5">Source: Company data *includes share-based comp and associated employer tax charges; FY ends in Jun.</ref>'''

'''Figure 29: Non-T&E S&M expenses* as % of revenue<ref name=":5" />'''

=== R&D intensity needs to pick up to create a sustainable moat‌ ===
Non-T&E R&D expenses grew as % of revenue from 6% in 2020 to 8% in 1H22 (although this metric declined from 12% in 2H21). This was partly aided in 1H22 due to capitalization of share-based comp and related tax charges associated with development projects that met the capitalization criteria. One criticism of the Darktrace model has been the low R&D spend, both absolute and as % of revenue, compared to US cybersecurity peers. According to Darktrace, this is due to low R&D employee costs (given the company’s R&D function is primarily based in Cambridge, UK) and relatively lower development expenses needed for maintaining the self-learning cyber AI platform. The argument is that, unlike other cybersecurity companies that rely on historical threat signatures, Darktrace does not need to constantly update its platform to account for new detected threat signatures; accordingly, the company’s R&D dollars are primarily spent on new product development and research.

While there is substance to this argument, JP Morgan believes that new product development and platform enhancements will be increasingly important in an environment where technical and product differentiation vs. the competition narrows. This may necessitate higher R&D investment (as % of revenue), going forward, if Darktrace is to maintain its edge over competition. JP Morgan believes R&D expenses as % of revenue should tick up in 2H22 following the Cybersprint acquisition.

=== Margin leverage likely to be limited through JP Morgan's forecast horizon‌ ===
Non-T&E G&A expenses as % of revenue grew from 13% in 2020 to 20% in 1H22 as a result of higher public company costs post IPO. Darktrace expects G&A to tick up in 2H22 followed by decline from 2023.

'''Figure 30: Non-T&E R&D expenses* as % of revenue'''<ref name=":5" />

'''Figure 31: Non-T&E G&A expenses* as % of revenue<ref name=":5" /><br />'''

Darktrace reported total T&E expenses of $1.8m in 2021, down from $21m in 2020 (normalized 2020 T&E expense is $27-28m). The company reported a lower-than- expected T&E expense in 1H22 of $2.7m – with economies opening up and travel returning to normal, Darktrace expects a steep ramp in T&E expenses in 2H22, returning to a more normalized run-rate.

Factoring-in these assumptions, JP Morgan models total opex (incl. share-based comp and associated tax charges) as % of revenue to tick up slightly from 97% in 2022 to 100% in 2023 (driven by the full year impact of normalized T&E expenses and normalized salesforce hiring), followed by a decline to 96% in 2024. JP Morgan models share-based comp and associated employer tax charges to be ~11% of revenue throughout JP Morgan's forecast period.

'''Figure 32: Total opex as % of revenue: 2019-24E'''<ref name=":6">Source: Company data, J.P. Morgan estimates; FY ends in Jun.</ref>

'''Figure 33: Total opex (excl. charges associated with share-based comp) as % of revenue: 2019-24E<ref name=":6" />'''

Given JP Morgan's assumptions on opex, JP Morgan models continued operating loss throughout JP Morgan's forecast horizon. Even after excluding share-based comp and associated employer tax charges, JP Morgan does not model any significant improvement in adjusted EBIT margin during JP Morgan's forecast horizon.

=== Long-term steady-state model‌ ===
Darktrace targets steady-state adjusted EBIT margins in the mid-20s% range in the long term. This will be a function of opex components as % of revenue in the following ranges:

* Cost of sales: 10-13%
* Sales and marketing: 40-43%
* R&D: 10-13%
* G&A: 10-13%

The company does not expect to hit these steady-state margin levels in the foreseeable future as it continues to prioritize new customer acquisition.

'''Figure 34: Adj. EBIT margin (%): 2019-24E'''<ref name=":7">Source: Company data, J.P. Morgan estimates; FY ends in Jun.</ref>

'''Figure 35: Adj. EBIT margin (%): Long-term steady-state model'''<ref name=":8">Source: Company data.</ref>

=== The pursuit of growth will likely limit margin improvement‌ ===
Adjusted EBITDA is calculated as EBITDA plus share-based comp and associated employer tax charges less appliance depreciation incurred as part of cost of sales (i.e. depreciation of appliances deployed at customer sites). JP Morgan models adjusted EBITDA of ~$50m in 2022 with ~12% margin, at the high end of Darktrace’s guided range of 10-12%. Darktrace expects a steep dip in adjusted EBITDA margin in 2H22 following 24% margin in 1H22. This is driven by the following factors:

* Ramp in T&E expenses;
* Significant increase in facilities and office costs in 2H;
* Return to normal cadence of salesforce hiring;

JP Morgan expects Darktrace’s adjusted EBITDA margin to improve from 1H23 following the dip in 2H22; however, the pace of improvement is likely to be gradual as the company will continue to invest in sales and marketing to acquire new customers and in new product development as it seeks to build on its platform strategy with ‘Prevent’ and ‘Heal’ product suites.

'''Figure 36: Adjusted EBITDA ($, m) and margin (%): 2019-24E<ref name=":7" />'''

'''Figure 37: Adjusted EBITDA margin (%): 1H20-2H24E<ref name=":7" />'''

Early success in the AI-driven threat detection and response market has helped Darktrace scale rapidly, delivering above-average growth (52% 2018-21 revenue CAGR); however, the eventual success of the company will be determined by how the company balances growth and profitability. Assessing this development through the lens of the ‘Rule of 40’ is a good indicator of the progress the company is making to sustain profitable growth. The Rule of 40 is the principle that the sum of revenue growth and profitability measure for successful business models should exceed 40%. JP Morgan uses the sum of revenue growth and free cash flow margin (FCF calculated as cash flow from operations less tangible and intangible capex) as a gauge of the success of Darktrace’s business model. With growing competition and commoditization in the AI-driven threat detection and response market, the sum of revenue growth and free cash flow margin is likely to dip and remain below 40% over the next couple of years, in JP Morgan's view (JP Morgan models 38%/35% in 2023/24, down from 58% in 2022). JP Morgan believes that this outcome will be reflected in Darktrace’s valuation compared to other cybersecurity peers that consistently beat the 40% benchmark.

'''Figure 38: Revenue growth (%) + FCF growth (%)'''<ref name=":9" />

== Shifting the focus to profitability‌  ==
Darktrace has delivered ‘beat and raise’ results in its short reporting history since IPO in Apr-21. The company has raised its:
* 2022 (FY ending in Jun) revenue growth guidance 5 times since IPO from 27- 30% to 44.5-46.5%;
* 2022 ARR growth guidance 4 times from 26.5-28.5% to 38.5-40% and
* 2022 adjusted EBITDA margin guidance 3 times from 1-4% to 10-12%.

In the near term, JP Morgan expects demand for AI-led detection and response solutions to remain high – this coupled with Darktrace’s brand awareness (supported by its high marketing spend), investment in additional salesforce hiring and the roll-out of the new ‘Prevent’ product offering will likely translate to healthy new customer acquisition and thus ARR growth, in JP Morgan's view. JP Morgan estimates constant currency ARR and revenue growth of 39%/48% in ’22, respectively.

However, Darktrace’s customer stickiness is likely to be low, in JP Morgan's view – a function of high competition and potential commoditization of offerings targeting similar security use-cases and as enterprise awareness of competing vendor offerings increases. This could eventually translate to higher customer churn, in JP Morgan's view.

With ARR growth tied to new customer acquisition, JP Morgan believes that higher customer acquisition costs and lower customer retention are likely to challenge the company’s ability to deliver profitable growth. JP Morgan acknowledges that this may take some time to play out, especially in the current environment, where demand for proactive security solutions is likely to remain high.

In JP Morgan's view, in order to see a sustained improvement in share price performance, Darktrace needs to demonstrate a decoupling between ARR growth and new customer acquisition & investment in sales headcount – this will be a function of a sustained increase in average contract ARR per new customer, lower churn, and continued improvement in net ARR retention rate (a function of higher upsell/cross- sell).

Our estimates for 2022/23/24 revenue stand 1%/2%/5% higher than Bloomberg consensus estimates; JP Morgan expects the company to deliver adjusted EBITDA margin at the high end of its guidance range in 2022; however, JP Morgan's estimates for 2023/24 adjusted EBITDA stand 22%/4% below consensus estimates.

{| class="wikitable"
|+Table 8: Darktrace Revenue and adjusted EBITDA: FY22-24E - JPMe vs. consensus<ref>Source: J.P. Morgan estimates, Bloomberg Finance L.P.</ref>
!FY ends in Jun
! colspan="3" |FY22
! colspan="3" |FY23
! colspan="3" |FY24
|-
!$ (m)
!JPMe
!Cons.
!Diff. (%)
!JPMe
!Cons.
!Diff. (%)
!JPMe
!Cons.
!Diff. (%)
|-
|Revenue
|415.5
|409.6
|1.4%
|548.1
|536.5
|2.2%
|701.5
|670.2
|4.7%
|-
|Adj. EBITDA
|49.2
|48.6
|1.3%
|47.2
|60.4
|<nowiki>-21.9%</nowiki>
|81.0
|84.6
|<nowiki>-4.3%</nowiki>
|-
|margin (%)
|11.8%
|11.9%
|<nowiki>-2bps</nowiki>
|8.6%
|11.3%
|<nowiki>-265bps</nowiki>
|11.5%
|12.6%
|<nowiki>-108bps</nowiki>
|}

== Management ==
{| class="wikitable"
|+Table 9: Leadership Team<ref name=":8" />
!Name
!Position
!Biography
|-
|Poppy Gustafsson OBE
|Chief Executive Officer
|
* CEO of Darktrace since 2016. Previously served as the company’s CFO
* Joined Darktrace in November 2014
* Previously worked for Autonomy (Corporate Controller)
* Qualified chartered accountant
|-
|Catherine Graham
|Chief Financial Officer
|
* CFO of Darktrace since February 2020
* Previously CFO at 2U and CFO and Executive Vice President of Online Resources Corp
* Education: MBA from Loyola University Maryland and a BA in Economics from the University of Maryland
|-
|Jack Stockdale OBE
|Chief Technology Officer
|
* Joined Darktrace at founding
* Chief Architect at Invoke during 2012-13 and at blinkx (acquired by Autonomy) from 2006-11
* Technical director at Autonomy during 2002-06
* Education: degree in Computer Science from Lancaster University
|-
|Eloy Avila
|Chief Technology Officer, Americas
|
* Over 14 years’ experience in enterprise software
* Previously VP sales engineering at Imperva and CTO at Autonomy
* Education: degree in Electrical Engineering from Stanford University, California
|-
|Nicole Eagan
|Chief Strategy Officer, AI Officer
|
* Joined Darktrace in November 2014. Previously served as the company’s CEO
* Previously worked for Autonomy (CMO), Oracle, and early to late-stage growth companies
|-
|Emily Orton
|Chief Marketing Officer
|
* One of the founding members of Darktrace
* Previously Head of Marketing EMEA at Autonomy
* Education: MA in Modern Languages from the University of Cambridge
|-
|Nick Trim
|Chief Operations Officer
|
* Part of the founding team at Darktrace. Became Chief Operations Officer in 2020, prior to which he was responsible for the commercial team
* Previously led a cyber security consultancy and a speaker and coach on the topic of economic espionage
* He had a long and distinguished career in the intelligence community
|-
|Mike Beck
|Global CISO
|
* Joined Darktrace in 2014. Previously developed the cyber analyst operation
* 18 years working in technology, security and risk operations
* Previously held various roles at GCHQ and ran cyber defensive operations for UK government
* Education: first-class degree in Computer Science from the University of Plymouth
|-
|Dave Palmer
|Chief Product Officer
|
* Over 13 years’ experience at the forefront of government intelligence operations
* Previously worked across UK intelligence agencies GCHQ and MI5, where he was responsible for delivering mission-critical infrastructure services
* Advisor to cyber security start-ups and growth-stage companies from the UK Government’s Cyber Security Accelerator and CyLon
* Education: first-class degree in Computer Science and Software Engineering from the University of Birmingham
|-
|James Sporle
|General Counsel
|
* Previously worked at Linklaters, BP, Just Eat plc  Education: Law degree from St Catharine’s College, Cambridge, and a Law Diploma from Nottingham Law School
|-
|Al Martin
|SVP, Customer Success
|
* Prior to Darktrace, worked at HP where he was responsible for the creation and growth of the HP Professional Services Solutions organization
* Previously worked at Autonomy
* Education: first-class degree in Computer Science from the University of Sheffield
|}

=== Reputational risks and potential liability due to links to Autonomy/Invoke ===
JP Morgan refers readers to the Darktrace prospectus (available here) [note that this document is only available to certain persons and in certain jurisdictions] for a detailed overview of the key risks associated with Darktrace’s links to Autonomy/Invoke. JP Morgan presents some excerpts below:

HP completed the acquisition of Autonomy in Oct-11 (purchase price ~$11bn). In Nov-12, HP wrote off a significant portion of the value of Autonomy ($8.8bn) and announced allegations that ‘Autonomy artificially inflated its reported revenues, revenue growth and gross margins.’ Mike Lynch (founder and former CEO, Autonomy), Sushovan Hussain (former CFO, Autonomy) and Stephen Chamberlain (former VP Finance, Autonomy) have been charged in the US for their role in unlawful activities related to the sale of Autonomy to HP in 2011 and subsequent related matters (Mr. Hussain was convicted at trial in Apr-18, while Mr. Lynch will file an appeal against his extradition to the US (source).

Invoke Capital, founded in 2012 by Mr. Lynch, Mr. Hussain and other former Autonomy executives, invested in Darktrace upon inception and funded its operations during 2013-15 by way of loans. Mr. Lynch, Mr. Hussain and other Invoke employees provided management advice to Darktrace, pursuant to a Supply of Services agreement between Invoke and Darktrace (which was terminated at IPO in Apr-21). Mr. Lynch was a non-executive director at Darktrace, member of Darktrace’s Advisory Council and until recently was part of Darktrace’s Science and Technology Council (Mr. Lynch stepped down from this role in Feb-22). Mr. Hussain resigned as the non-executive director of Darktrace in Nov-16. Mr. Chamberlain joined Darktrace as an employee in 2016 and is currently on administrative paid leave.

A number of current senior executives at Darktrace (including CEO, CTO, CMO and CSO) are ex Autonomy/Invoke employees. As noted in the Darktrace IPO prospectus, the company may face reputational risk arising out of unlawful, and allegedly unlawful, activities in connection with the sale of Autonomy and related matters. In addition, Darktrace noted that it may face potential liability arising out of its historical funding by Invoke.

== Board of Directors ==
{| class="wikitable"
|+Table 10: Board of Directors<ref name=":8" />
!Name
!Position
!Biography
|-
|Gordon Hurst
|Independent Chair
|
* Joined Darktrace July 2019, appointed to the Board in April 2021
* Previously held several roles at Capita plc, including Group Finance Director on its board since 1996
* Served as non-executive chair of the board of Featurespace since November 2014
* Currently serves as non-executive chair of Marston Holdings, and Azets Ltd
|-
|Poppy Gustafsson OBE
|Chief Executive Officer
|
* See biography above
|-
|Catherine Graham
|Chief Financial Officer
|
* See biography above
|-
|Vanessa Colomar
|Non-Executive Director
|
* Partner and Co-Founder of Invoke Capital, where she is responsible for Communications and Investor Relations and oversees these functions for portfolio companies including Luminance, where she also sits on the Board of Directors
* Previously held senior positions at agency Edelman and Burson Marsteller, and served as SVP of Communications at Autonomy
* Education: First-Class BA in Modern European Languages from Durham University, and MA in Journalism from Universidad Autónoma de Madrid.
|-
|Stephen Shanley
|Non-Executive Director
|
* Joined KKR in 2014; head of KKR’s Technology Growth Equity business in Europe
* Involved with KKR’s investments in Darktrace, OutSystems, KnowBe4, GetYourGuide, Ivalua, Trainline, ClickTale, Optimal+, and Travelopia
* Previously was with Technology Crossover Ventures, the TMT investment banking group of Needham & Company, and the transaction services group of KPMG
* Education: BS and BSc from Santa Clara University
|-
|Han Sikkens
|Non-Executive Director
|
* Joined Summit Partners in 2004 and manages the firm’s London office
* Currently a director at Darktrace, Flow Traders, Masternaut, OnRobot, Red Points, RELEX Solutions, Siteimprove and Syncron, and actively involved in the Summit’s investment in Avast
* Previous board and investment experience includes 360T Group, Acturis Limited, Multifonds, SafeBoot and Welltec International
* Education: BS in business administration from the University of Groningen, MSc in international business from the University of Groningen, and MSc in international finance from the CERAM Graduate School of Management & Technology
|-
|Lord David Willetts
|Independent Non-

Executive Director
|
* Served as a Member of Parliament from 1992 to 2015; he was Minister for Universities and Science within the Department for Business, Innovation and Skills from 2010 to 2014, and previously held roles within HM Treasury and the No. 10 Policy Unit.
* Current roles include President of the Resolution Foundation and Chair of the Foundation for Science and Technology
* Serves on several company boards
|-
|Paul Harrison
|Independent Non-

Executive Director
|
* Chief Operating Officer and Executive Director at Ascential plc
* Held senior positions at several high growth, public technology companies in the UK and internationally
* Previous roles include CFO of Just Eat plc, Group CFO of The Sage Group plc, and CFO of WANdisco plc
* Served as a Senior Independent Director on the Board of Hays plc
|-
|Sir Peter Bonfield
|Independent Non-

Executive Director
|
* More than 50 years’ experience in the international technology sector
* Currently is Chairman of NXP, Director and Chair of Audit at TSMC, on the Board of Imagination Technologies and on the US Board of the EastWest Institute
* Member of The Longreach Group Advisory Board, Senior Advisor to Alix Partners and Board Mentor for CMi
* Prior positions include CEO of BT Group, Chairman and CEO of ICL plc and Deputy CEO of STC plc
* Has served on the boards of 12 international companies including Sony, Ericsson and AstraZeneca
* Elected Fellow of The Royal Academy of Engineering
* Knighted in 1996 and awarded the CBE in 1989
|}

=== Board history ===

* Elizabeth Harris, an Invoke employee, was the initial director of Darktrace Holdings Limited. In August 2014, Robert Webb QC was appointed as chair, and in September 2014, Nicole Eagan was appointed to the board as the CEO.
* In February 2015, in relation to Darktrace’s Series A funding, Vasile Foca (nominated by Talis Capital), and Sushovan Hussain and Michael Lynch (both nominated by Invoke) joined the board of directors. Elizabeth Harris resigned as a director following the funding.
* In July 2015, in relation to Darktrace’s Series B funding, Johannes Sikkens (nominated by Summit Partners) and Vanessa Colomar (nominated by Invoke) joined the board of directors.
* In July 2016, in relation to Darktrace’s Series C funding, Stephen Shanley (nominated by KKR) joined the board of directors. Vasile Foca resigned as a director following the funding.
* In October 2016, Poppy Gustafsson was appointed as a Co-CEO of Darktrace. In November 2016, Andrew Kanter (nominated by Invoke) joined the board as Sushovan Hussain voluntarily resigned as a director.
* In November 2018, Philip Pearson (nominated by Invoke) joined the board as a director as Michael Lynch voluntarily resigned as a director.
* In July 2019, Gordon Hurst joined the board as an independent director.
* In May 2020, Poppy Gustafsson joined the board as an executive director (CEO), and Nicole Eagan resigned as a director and CEO, but she remained as Chief Strategy Officer, AI Officer.
* In July 2020, in relation to convertible loan note funding, Mark Hatfield (nominated by the convertible loan note holders) joined the board.
* In April 2021, Mark Hatfield, Andrew Kanter and Philip Pearson ceased to be directors of Darktrace.

== Financial statements ==
{| class="wikitable"
|+Table 11: Darktrace: Income statement<ref name=":9">Source: Company data, J.P. Morgan estimates.</ref>
!$ (m); FY ends in

Jun
!1H21
!2H21
!1H22
!2H22E
!1H23E
!2H23E
!1H24E
!2H24E
!2020
!2021
!2022E
!2023E
!2024E
|-
|Revenue
|126.5
|154.8
|192.6
|222.8
|255.3
|292.8
|329.8
|371.7
|199.1
|281.3
|415.5
|548.1
|701.5
|-
|YoY
|38.9%
|43.4%
|52.3%
|43.9%
|32.5%
|31.4%
|29.2%
|26.9%
|45.3%
|41.3%
|47.7%
|31.9%
|28.0%
|-
|Cost of sales
|(12.4)
|(16.1)
|(20.7)
|(25.1)
|(29.6)
|(35.0)
|(40.6)
|(47.0)
|(17.5)
|(28.5)
|(45.7)
|(64.6)
|(87.6)
|-
|as % of revenue
|<nowiki>-9.8%</nowiki>
|<nowiki>-10.4%</nowiki>
|<nowiki>-10.7%</nowiki>
|<nowiki>-11.3%</nowiki>
|<nowiki>-11.6%</nowiki>
|<nowiki>-12.0%</nowiki>
|<nowiki>-12.3%</nowiki>
|<nowiki>-12.7%</nowiki>
|<nowiki>-8.8%</nowiki>
|<nowiki>-10.1%</nowiki>
|<nowiki>-11.0%</nowiki>
|<nowiki>-11.8%</nowiki>
|<nowiki>-12.5%</nowiki>
|-
|Gross profit
|114.1
|138.8
|172.0
|197.8
|225.7
|257.8
|289.2
|324.7
|181.6
|252.9
|369.7
|483.5
|613.9
|-
|as % of revenue
|90.2%
|89.6%
|89.3%
|88.8%
|88.4%
|88.1%
|87.7%
|87.4%
|91.2%
|89.9%
|89.0%
|88.2%
|87.5%
|-
|Sales & marketing
|(86.7)
|(102.2)
|(107.9)
|(154.8)
|(167.2)
|(182.7)
|(204.0)
|(231.1)
|(163.1)
|(188.9)
|(262.7)
|(349.9)
|(435.1)
|-
|YoY
|0%
|33%
|24%
|52%
|55%
|18%
|22%
|27%
|25%
|16%
|39%
|33%
|24%
|-
|as % of revenue
|<nowiki>-68.6%</nowiki>
|<nowiki>-66.0%</nowiki>
|<nowiki>-56.0%</nowiki>
|<nowiki>-69.5%</nowiki>
|<nowiki>-65.5%</nowiki>
|<nowiki>-62.4%</nowiki>
|<nowiki>-61.8%</nowiki>
|<nowiki>-62.2%</nowiki>
|<nowiki>-81.9%</nowiki>
|<nowiki>-67.2%</nowiki>
|<nowiki>-63.2%</nowiki>
|<nowiki>-63.8%</nowiki>
|<nowiki>-62.0%</nowiki>
|-
|R&D
|(10.7)
|(18.2)
|(15.7)
|(28.1)
|(32.9)
|(38.0)
|(43.6)
|(50.3)
|(12.0)
|(28.8)
|(43.8)
|(70.9)
|(93.9)
|-
|YoY
|91%
|181%
|47%
|55%
|110%
|35%
|33%
|33%
|24%
|140%
|52%
|62%
|33%
|-
|as % of revenue
|<nowiki>-8.4%</nowiki>
|<nowiki>-11.7%</nowiki>
|<nowiki>-8.1%</nowiki>
|<nowiki>-12.6%</nowiki>
|<nowiki>-12.9%</nowiki>
|<nowiki>-13.0%</nowiki>
|<nowiki>-13.2%</nowiki>
|<nowiki>-13.5%</nowiki>
|<nowiki>-6.0%</nowiki>
|<nowiki>-10.2%</nowiki>
|<nowiki>-10.5%</nowiki>
|<nowiki>-12.9%</nowiki>
|<nowiki>-13.4%</nowiki>
|-
|G&A
|(21.5)
|(34.9)
|(40.6)
|(55.9)
|(60.9)
|(64.3)
|(70.9)
|(76.2)
|(26.9)
|(56.4)
|(96.5)
|(125.2)
|(147.1)
|-
|YoY
|54%
|170%
|89%
|60%
|50%
|15%
|17%
|19%
|33%
|110%
|71%
|30%
|18%
|-
|as % of revenue
|<nowiki>-17.0%</nowiki>
|<nowiki>-22.6%</nowiki>
|<nowiki>-21.1%</nowiki>
|<nowiki>-25.1%</nowiki>
|<nowiki>-23.8%</nowiki>
|<nowiki>-22.0%</nowiki>
|<nowiki>-21.5%</nowiki>
|<nowiki>-20.5%</nowiki>
|<nowiki>-13.5%</nowiki>
|<nowiki>-20.1%</nowiki>
|<nowiki>-23.2%</nowiki>
|<nowiki>-22.8%</nowiki>
|<nowiki>-21.0%</nowiki>
|-
|IPO costs
|0.0
|(15.3)
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|(15.3)
|0.0
|0.0
|0.0
|-
|Exp. cr. loss charge
|(0.4)
|(2.9)
|(0.1)
|0.0
|0.0
|0.0
|0.0
|0.0
|(5.3)
|(3.3)
|(0.1)
|0.0
|0.0
|-
|Other op. income
|0.3
|1.0
|0.8
|0.0
|0.0
|0.0
|0.0
|0.0
|0.8
|1.4
|0.8
|0.0
|0.0
|-
|Operating profit
|(4.9)
|(33.6)
|8.6
|(41.1)
|(35.2)
|(27.1)
|(29.2)
|(32.9)
|(24.9)
|(38.5)
|(32.5)
|(62.4)
|(62.1)
|-
|as % of revenue
|<nowiki>-3.9%</nowiki>
|<nowiki>-21.7%</nowiki>
|4.5%
|<nowiki>-18.5%</nowiki>
|<nowiki>-13.8%</nowiki>
|<nowiki>-9.3%</nowiki>
|<nowiki>-8.9%</nowiki>
|<nowiki>-8.9%</nowiki>
|<nowiki>-12.5%</nowiki>
|<nowiki>-13.7%</nowiki>
|<nowiki>-7.8%</nowiki>
|<nowiki>-11.4%</nowiki>
|<nowiki>-8.9%</nowiki>
|-
|Finance costs
|(43.0)
|(66.1)
|(1.4)
|(1.4)
|(1.4)
|(1.4)
|(1.4)
|(1.4)
|(2.4)
|(109.2)
|(2.7)
|(2.7)
|(2.7)
|-
|Finance income
|0.1
|(0.0)
|0.1
|0.1
|0.1
|0.1
|0.1
|0.1
|0.4
|0.1
|0.1
|0.1
|0.1
|-
|Profit before tax
|(47.9)
|(99.8)
|7.4
|(42.4)
|(36.5)
|(28.4)
|(30.5)
|(34.2)
|(26.9)
|(147.6)
|(35.1)
|(65.0)
|(64.7)
|-
|Tax
|(0.5)
|(1.4)
|(1.4)
|(1.5)
|(1.5)
|(1.5)
|(1.5)
|(1.5)
|(1.7)
|(2.0)
|(2.9)
|(3.0)
|(3.0)
|-
|Net profit
|(48.4)
|(101.2)
|5.9
|(43.9)
|(38.0)
|(29.9)
|(32.0)
|(35.7)
|(28.7)
|(149.6)
|(38.0)
|(68.0)
|(67.7)
|}
{| class="wikitable"
|+Table 12: Darktrace: Adjusted EBITDA calculation<ref>Source: Company data, J.P. Morgan estimates.</ref>
!$ (m); FY ends in

Jun
!1H21
!2H21
!1H22
!2H22E
!1H23E
!2H23E
!1H24E
!2H24E
!2020
!2021
!2022E
!2023E
!2024E
|-
|Operating profit
|(4.9)
|(33.6)
|8.6
|(41.1)
|(35.2)
|(27.1)
|(29.2)
|(32.9)
|(24.9)
|(38.5)
|(32.5)
|(62.4)
|(62.1)
|-
|D&A
|19.1
|22.2
|26.2
|27.6
|31.8
|36.0
|40.8
|46.0
|32.9
|41.3
|53.8
|67.8
|86.7
|-
|as % of revenue
|15.1%
|14.3%
|13.6%
|12.4%
|12.5%
|12.3%
|12.4%
|12.4%
|16.5%
|14.7%
|12.9%
|12.4%
|12.4%
|-
|EBITDA
|14.3
|(11.5)
|34.8
|(13.6)
|(3.5)
|8.8
|11.5
|13.0
|8.0
|2.8
|21.3
|5.4
|24.6
|-
|margin (%)
|11.3%
|<nowiki>-7.4%</nowiki>
|18.1%
|<nowiki>-6.1%</nowiki>
|<nowiki>-1.4%</nowiki>
|3.0%
|3.5%
|3.5%
|4.0%
|1.0%
|5.1%
|1.0%
|3.5%
|-
|Appliance depreciation in cost of sales
|(5.8)
|(5.8)
|(7.0)
|(7.4)
|(7.8)
|(8.0)
|(8.4)
|(8.9)
|(9.4)
|(11.6)
|(14.4)
|(15.8)
|(17.3)
|-
|Share-based payment charges
|5.8
|11.2
|13.1
|16.7
|19.1
|22.0
|24.7
|27.9
|10.4
|17.0
|29.8
|41.1
|52.6
|-
|Employer-related tax charges
|6.5
|15.0
|5.8
|6.7
|7.7
|8.8
|9.9
|11.2
|(0.1)
|21.5
|12.5
|16.4
|21.0
|-
|Adjusted EBITDA
|20.8
|8.9
|46.7
|2.5
|15.6
|31.6
|37.8
|43.2
|8.9
|29.7
|49.2
|47.2
|81.0
|-
|margin (%)
|16.4%
|5.8%
|24.2%
|1.1%
|6.1%
|10.8%
|11.5%
|11.6%
|4.5%
|10.6%
|11.8%
|8.6%
|11.5%
|}
{| class="wikitable"
|+Table 13: Darktrace: Balance sheet<ref name=":0">Source: Company data, J.P. Morgan estimates.</ref>
|$ (m); FY ends in Jun
|1H21 
|2H21
|1H22
|2H22E
|1H23E
|2H23E
|1H24E
|2H24E
|2020
|2021
|2022E
|2023E
|2024E
|-
|Non-current assets
|110.8 
|118.8
|121.8
|139.0
|153.1
|169.3
|187.1
|207.0
|106.5
|118.8
|139.0
|169.3
|207.0
|-
|Intangible assets
|8.6 
|7.1
|7.4
|8.4
|9.6
|11.0
|12.6
|14.5
|6.0
|7.1
|8.4
|11.0
|14.5
|-
|PP&E
|48.3
|52.9
|54.3
|60.7
|64.9
|70.6
|77.6
|85.8
|49.5
|52.9
|60.7
|70.6
|85.8
|-
|Right-of-use assets
|32.5
|29.4
|27.3
|29.5
|31.4
|33.1
|34.6
|36.0
|31.4
|29.4
|29.5
|33.1
|36.0
|-
|Capitalized commission
|16.3
|22.7
|26.3
|33.9
|40.8
|48.1
|55.9
|64.2
|14.7
|22.7
|33.9
|48.1
|64.2
|-
|Deferred tax asset
|0.0 
|0.5
|0.7
|0.7
|0.7
|0.7
|0.7
|0.7
|0.0
|0.5
|0.7
|0.7
|0.7
|-
|Deposits
|5.2
|6.1
|5.7
|5.7
|5.7
|5.7
|5.7
|5.7
|4.9
|6.1
|5.7
|5.7
|5.7
|-
|Current assets
|186.5 
|436.6
|453.2
|465.9
|477.7
|510.8
|530.9
|571.3
|126.5
|436.6
|465.9
|510.8
|571.3
|-
|Trade and other receivables
|69.0
|76.9
|66.1
|78.0
|72.8
|87.9
|82.4
|92.9
|60.4
|76.9
|78.0
|87.9
|92.9
|-
|Capitalized commission
|12.3 
|16.3
|19.5
|22.6
|27.2
|32.1
|37.3
|42.8
|10.9
|16.3
|22.6
|32.1
|42.8
|-
|Tax receivable
|1.3
|1.1
|1.8
|1.8
|1.8
|1.8
|1.8
|1.8
|1.3
|1.1
|1.8
|1.8
|1.8
|-
|Cash and cash equivalents
|103.9 
|342.4
|365.8
|363.5
|375.9
|389.0
|409.4
|433.7
|53.9
|342.4
|363.5
|389.0
|433.7
|-
|Total assets
|297.3 
|555.4
|575.0
|604.9
|630.7
|680.0
|718.0
|778.2
|232.9
|555.4
|604.9
|680.0
|778.2
|-
|Current liabilities
|173.8 
|236.1
|248.5
|296.7
|334.1
|382.1
|420.3
|478.3
|152.7
|236.1
|296.7
|382.1
|478.3
|-
|Trade and other payables
|59.8 
|51.1
|49.8
|55.7
|57.4
|58.6
|61.0
|65.1
|50.5
|51.1
|55.7
|58.6
|65.1
|-
|Deferred revenue
|108.7 
|158.3
|168.0
|203.6
|231.5
|269.6
|295.5
|338.3
|96.8
|158.3
|203.6
|269.6
|338.3
|-
|Lease liabilities
|5.2 
|4.3
|4.5
|4.5
|4.5
|4.5
|4.5
|4.5
|4.9
|4.3
|4.5
|4.5
|4.5
|-
|Tax payable
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.5
|0.0
|0.0
|0.0
|0.0
|-
|Provisions
|0.0 
|22.4
|26.3
|33.0
|40.6
|49.4
|59.3
|70.5
|0.0
|22.4
|33.0
|49.4
|70.5
|-
|Non-current liabilities
|269.2 
|61.1
|59.6
|68.5
|75.9
|85.1
|92.1
|102.2
|56.4
|61.1
|68.5
|85.1
|102.2
|-
|Deferred revenue
|30.2
|29.6
|29.5
|35.9
|40.9
|47.6
|52.1
|59.7
|25.8
|29.6
|35.9
|47.6
|59.7
|-
|Lease liabilities
|33.5 
|31.0
|28.5
|31.0
|33.5
|35.9
|38.4
|40.9
|30.6
|31.0
|31.0
|35.9
|40.9
|-
|Provisions
|0.0 
|0.5
|1.6
|1.6
|1.6
|1.6
|1.6
|1.6
|0.0
|0.5
|1.6
|1.6
|1.6
|-
|Convertible loan, host

contract
|98.6 
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|-
|Convertible loan, embedded derivative
|106.9 
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|-
|Total liabilities
|442.9 
|297.2
|308.1
|365.2
|410.0
|467.2
|512.4
|580.5
|209.1
|297.2
|365.2
|467.2
|580.5
|-
|Equity
|(145.6)
|258.3
|266.9
|239.7
|220.8
|212.8
|205.5
|197.7
|23.9
|258.3
|239.7
|212.8
|197.7
|-
|Share capital
|0.0
|9.8
|9.8
|9.8
|9.8
|9.8
|9.8
|9.8
|0.0
|9.8
|9.8
|9.8
|9.8
|-
|Share premium
|43.6
|224.8
|0.3
|0.3
|0.3
|0.3
|0.3
|0.3
|170.4
|224.8
|0.3
|0.3
|0.3
|-
|Merger reserve
|0.0 
|305.8
|305.8
|305.8
|305.8
|305.8
|305.8
|305.8
|0.0
|305.8
|305.8
|305.8
|305.8
|-
|Foreign currency translation reserve
|(4.4) 
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|(4.4)
|-
|Stock compensation reserve
|26.7 
|35.7
|51.5
|68.2
|87.3
|109.3
|134.0
|161.9
|20.9
|35.7
|68.2
|109.3
|161.9
|-
|Treasury shares
|0.0 
|(0.8)
|(14.3)
|(14.3)
|(14.3)
|(14.3)
|(14.3)
|(14.3)
|0.0
|(0.8)
|(14.3)
|(14.3)
|(14.3)
|-
|Retained loss
|(211.5) 
|(312.6)
|(81.8)
|(125.7)
|(163.8)
|(193.7)
|(225.7)
|(261.4)
|(163.0)
|(312.6)
|(125.7)
|(193.7)
|(261.4)
|-
|Total Equity + liabilities
|297.3 
|555.4
|575.0
|604.9
|630.7
|680.0
|718.0
|778.2
|232.9
|555.4
|604.9
|680.0
|778.2
|}
{| class="wikitable"
|+Table 14: Darktrace: Cash flow statement<ref name=":0" />
|$ (m); FY ends in Jun
|1H22
|2H22E
|1H23E
|2H23E
|1H24E
|2H24E
|2020
|2021
|2022E
|2023E
|2024E
|-
|Loss for the period after tax
|5.9
|(43.9)
|(38.0)
|(29.9)
|(32.0)
|(35.7)
|(28.7)
|(149.6)
|(38.0)
|(68.0)
|(67.7)
|-
|Depreciation of PPE and RoU assets
|13.2
|14.3
|15.5
|16.6
|18.0
|19.5
|21.1
|24.5
|27.5
|32.1
|37.5
|-
|Amortization of intangible assets
|3.1
|1.9
|2.1
|2.4
|2.7
|3.1
|1.4
|2.7
|5.0
|4.5
|5.9
|-
|Amortization of capitalized commission
|9.8
|11.4
|14.1
|17.0
|20.1
|23.3
|10.4
|14.1
|21.2
|31.1
|43.4
|-
|Impairment of capitalized commission
|0.7
|0.0
|0.0
|0.0
|0.0
|0.0
|0.0
|1.1
|0.7
|0.0
|0.0
|-
|Operating cash flow before movements in working capital
|54.3
|3.2
|15.7
|30.8
|36.3
|40.9 
|23.1
|20.6
|57.5
|46.5
|77.2
|-
|Working capital changes
|4.2
|20.5
|22.0
|10.4
|15.2 
|17.9
|(6.7) 
|40.8
|24.8
|32.4 
|33.1
|-
|Increase in trade and other receivables
|8.9
|(11.9)
|5.2
|(15.1)
|5.4
|(10.5)
|(25.6) 
|(17.7)
|(2.9)
|(9.9)
|(5.1)
|-
|Increase in capitalized commission
|(17.2)
|(22.3)
|(25.5)
|(29.3)
|(33.0) 
|(37.2) 
|(19.1) 
|(28.7)
|(39.5)
|(54.8) 
|(70.2)
|-
|(Decrease)/Increase in trade and other payables
|(1.8)
|5.9
|1.7
|1.1
|2.4 
|4.0 
|10.8 
|(1.2)
|4.2
|2.9 
|6.5
|-
|Increase in Provisions
|4.7
|6.7
|7.7
|8.8
|9.9
|11.2
|0.0
|22.9
|11.4 
|16.4 
|21.0
|-
|Increase in deferred revenue
|9.6
|42.0
|32.9
|44.9
|30.4
|50.4
|27.3
|65.3 
|51.6
|77.7
|80.8
|-
|Net cash flow from operating activities before tax
|58.6
|23.7
|37.7
|41.2
|51.5
|58.8 
|16.5
|61.3 
|82.2 
|78.9
|110.3
|-
|Tax (paid)/received
|(1.4)
|(1.5)
|(1.5)
|(1.5)
|(1.5)
|(1.5)
|2.9 
|(1.4)
|(2.9)
|(3.0)
|(3.0)
|-
|Net cash flow from operating activities
|57.1
|22.2
|36.2
|39.7
|50.0
|57.3 
|19.4
|59.9 
|79.3 
|75.9 
|107.3
|-
|Development costs, capitalized
|(0.6)
|(2.8)
|(3.3)
|(3.8)
|(4.4)
|(5.0)
|(2.8)
|(2.7) 
|(3.4)
|(7.1)
|(9.4)
|-
|Purchase of property, plant and equipment
|(13.3)
|(17.8)
|(16.6)
|(19.0)
|(21.4)
|(24.2) 
|(20.4) 
|(22.6) 
|(31.1) 
|(35.6) 
|(45.6)
|-
|Finance income
|0.1
|0.1
|0.1
|0.1
|0.1
|0.1
|0.1
|0.1
|0.1
|0.1
|0.1
|-
|Cash flow from investing activities
|(13.8)
|(20.6)
|(19.8)
|(22.8)
|(25.7)
|(29.1)
|(22.8)
|(25.3)
|(34.4) 
|(42.6) 
|(54.9)
|-
|Cash flow from financing activities
|(16.9)
|(3.9)
|(3.9)
|(3.9)
|(3.9)
|(3.9)
|(6.8)
|250.6 
|(20.8) 
|(7.8) 
|(7.8)
|-
|Net change in cash
|26.4
|(2.3)
|12.5
|13.0
|20.4
|24.3
|(10.2) 
|285.2
|24.1
|25.5 
|44.7
|-
|Cash at the beginning of the year
|342.4
|365.8
|363.5
|375.9
|389.0
|409.4 
|64.4 
|53.9 
|342.4 
|363.5 
|389.0
|-
|FX impact
|(3.0)
|0.0
|0.0
|0.0
|0.0
|0.0
|(0.3) 
|3.2 
|(3.0) 
|0.0
|0.0
|-
|Cash at the end of the year
|365.8
|363.5
|375.9
|389.0
|409.4
|433.7
|53.9
|342.4
|363.5
|389.0
|433.7
|}

==Notes==