© Read Finance Original/Produced

From 2014 to 2016, the vast expanse of land from Zhongguancun to Xierqi was always filled with investors' research buses parked outside the gates, and conference rooms were always packed, simply because China's top cybersecurity companies were gathered here.

After the Snowden incident, cybersecurity rose to the strategic height of national security, and cybersecurity companies became the hottest segment in the software industry. Some company founders even boldly claimed trillion-dollar market values.

However, in recent years, cybersecurity companies have faded from investors' radar, with top companies experiencing significant declines. In the past three years, QiAnXin has plummeted by 70%, and Sangfor by 80%.

It wasn't until the recent Microsoft blue screen incident that reignited attention on cybersecurity, leading to a long-awaited collective surge in cybersecurity companies. However, this was just a one-day rally, and the gains were mostly erased the following day.

Why are cybersecurity companies, which once held a highly strategic position, no longer favored by investors? This article holds the following views:

1. The issue of specialization has been magnified. The majority of cybersecurity companies' revenue comes from government and state-owned enterprises. However, in recent years, local governments have faced financial constraints, leading to lower-than-expected investments in cybersecurity, and the growth rates of cybersecurity companies have significantly declined. In 2023, QiAnXin and Sangfor's revenue growth rates were both below 4%.

2. B-end business has been usurped by clients. Most B-end companies with cybersecurity needs are large enterprises, which prefer to develop their core cybersecurity capabilities in-house. In recent years, many cybersecurity product innovations have come from clients' internal teams, leading to low barriers to entry and product homogenization in the cybersecurity industry, which has resulted in price wars and meager profits.

3. Cybersecurity companies have reached a value watershed. In the past, cybersecurity products were primarily used to pass inspections, and projects were won through business acumen. With the commercialization of ransomware, cybersecurity companies have returned to the competition of solving customers' problems through technology. The increased investment in technology by cybersecurity companies has further strained their already thin profits, but it also presents an opportunity for the industry to escape homogenization and obtain technology premiums.

/ 01 / Corporate value does not match strategic value

At QiAnXin's first annual meeting after its IPO in 2021, Qi Xiangdong mentioned, "If we are still the 'cybersecurity leader' in 10 years, with our current market value of 60 billion yuan, multiplying by 20 times the average market growth rate, we'll reach 1.2 trillion yuan. Even with a discount, we'll still reach a trillion-dollar market value in 10 years."

Qi Xiangdong's vision of a trillion-dollar market value is not entirely unfounded, given the strategic importance of cybersecurity, which concerns information and even national security.

Just look at the recent mistake made by Microsoft supplier CrowdStrike, which caused a blue screen of death IT failure on Microsoft computers, leading to the cancellation of over 1,000 flights in the US for three consecutive days, and even government services in some countries coming to a halt.

The high strategic value of cybersecurity should lead to a vast market space, and cybersecurity companies should enjoy high valuations. Indeed, cybersecurity companies were once sought after, with top companies like Sangfor experiencing an eightfold surge in value over three years.

However, in recent years, cybersecurity companies have taken a sharp turn for the worse. In the past three years, top companies like QiAnXin have plummeted by 60%, Sangfor by 80%, and VenusTech has also seen significant declines. With their market values plummeting, domestic cybersecurity companies have a significant valuation gap with their overseas counterparts. Even after CrowdStrike's 30% decline, its market value is still 23 times that of QiAnXin.

The downfall of domestic cybersecurity companies stems from issues in their growth logic.

US cybersecurity companies rely on the increasing penetration of information technology across various industries for growth, resulting in stable growth rates. In the past three years, CrowdStrike's revenue has grown at a compound annual growth rate of 51%.

Domestic cybersecurity companies, on the other hand, are somewhat specialized, with government and enterprise clients accounting for nearly half of their share. For example, in 2023, QiAnXin's revenue from state-owned enterprises in energy, finance, telecommunications, as well as government, public security, and judiciary sectors, exceeded 56%.

As we all know, recent pandemic restrictions and real estate market regulations have put pressure on local governments' finances, affecting their IT expenditures on cybersecurity. In 2023, the revenue growth rates of QiAnXin, Sangfor, and VenusTech were all below 4%.

So, why are domestic cybersecurity companies specialized in the G-end but unable to excel in the B-end?

/ 02 / Business is being usurped by clients

If we compare domestic and international cybersecurity companies, an interesting phenomenon emerges.

In recent years, almost all new cybersecurity companies in China that have embraced new concepts and created new products have originated from the security teams of large clients. For example, Shuying Planet comes from Alibaba's data security team, and many other security companies come from Baidu, Huawei, etc. However, the opposite is true for their overseas counterparts, most of whom come from third-party security companies.

This phenomenon reflects the lack of a suitable B-end environment for domestic cybersecurity companies compared to their overseas counterparts.

As third-party cybersecurity service products, their popularity relies on clients' network infrastructure and willingness to pay. Overseas, B-end enterprises are willing to cooperate with cybersecurity companies; even powerful companies like Microsoft have chosen to work with the vertical cybersecurity company CrowdStrike.

However, in China, B-end enterprises are reluctant to adopt third-party products. Especially financially strong internet companies tend to develop their cybersecurity products in-house, dreaming of exporting their internal IT products externally.

The differences between Chinese and American cybersecurity companies stem from clients' business logic.

Simply put, compared to China, American businesses have relatively fixed operations. This can be seen in the performance of internet giants, most of which have deep roots in a particular field, while domestic enterprises have diverse business lines. The reason behind this is that American companies operate globally and prefer to refine their core businesses.

As a result, American companies have relatively fixed processes and infrastructure. Cybersecurity products only need to be embedded as standard products based on these fixed business processes.

In contrast, domestic enterprises often chase trends, and their business processes and IT facilities are frequently adjusted according to business needs. Moreover, due to the lack of a robust software foundation in China, many large enterprises prefer to build their own IT facilities such as private clouds. These factors make it difficult for domestic cybersecurity companies to fully adapt their products to clients' needs. Therefore, for large B-end enterprises with technical capabilities, developing their cybersecurity products in-house is a better choice.

Even for some B-end enterprises with relatively weaker technical capabilities, cybersecurity companies' products need to be adjusted according to clients' requirements. For example, relatively standard "zero-trust" products in foreign countries become terminal sandboxes that can be adjusted according to different business requirements when implemented domestically.

The reason is that domestic enterprises prefer to do things their own way, and many external products require redevelopment. This also leads to the gross profit margins of the top domestic cybersecurity companies being at least 10 percentage points lower than those of their overseas counterparts.

Despite these challenges, the highly strategic cybersecurity industry must continue to develop. Now, cybersecurity companies are facing an industry change that is both a risk and an opportunity.

/ 03 / Reaching a Value Watershed

Domestic cybersecurity companies are still in a state of meager profits, with QiAnXin and Sangfor's net profit margins in 2023 being only 2.6% and 0.9%, respectively.

From a financial perspective, these meager profits are not due to high R&D costs but rather high sales costs. In 2023, the largest expense for QiAnXin and Sangfor was sales expenses, with sales expense ratios of 29.7% and 35.3%, respectively, which were 4.9 and 6.7 percentage points higher than their respective R&D expense ratios.

This reflects the severe product homogenization of domestic cybersecurity companies in the past, where projects were won more through business acumen than product capabilities.

Zhang Feng, Director of the China Information Security Evaluation Center, commented that domestic cybersecurity products lag significantly behind international advanced levels, mainly due to severe product homogenization and low-level repetitive competition, resulting in frequent security vulnerabilities and "insecure security products."

Product homogenization is not due to a lack of effort by domestic cybersecurity companies but rather related to clients' purchasing logic.

Within most enterprises, security practitioners have limited influence, and their limited budgets can only afford traditional security products that help avoid responsibility. These are industry-recognized products that everyone uses, allowing for escape from responsibility if problems arise. Additionally, some special fields previously had a graded protection system, where clients could pass inspections by purchasing a product.

Under this business logic, business relationships are, to some extent, more important than technical capabilities for cybersecurity companies. If this situation persists, domestic cybersecurity companies will resemble sales-driven software factories with low technical barriers, limiting their imagination space.

However, the situation has changed. With technological advancements, cyberattacks have transformed from infrequent showcases of skill to a high-frequency business model, exemplified by ransomware, which leverages IT system intrusions for financial gain.

Ransomware has affected nearly a hundred countries, including the UK's healthcare system, FedEx, and Russia's Megafon telecommunications company. Chinese university networks, energy companies, and government agencies have also fallen victim, being forced to pay high ransoms to decrypt and restore files.

The commercialization of ransomware has shifted the business logic of cybersecurity companies from passing inspections to genuinely solving customer problems.

Cybersecurity companies must maintain high investments in R&D to address frequent cybersecurity issues. This change is reflected in the increase in R&D investment by cybersecurity companies. Sangfor's R&D expense ratio, which was around 25% for many years, has now risen to 30%.

Increasing R&D investment will further strain the already thin profits of cybersecurity companies, but in the long run, it is the optimal choice for them to escape homogenization and obtain high technology premiums. Thus, cybersecurity companies have arrived at a value watershed.