SecureWorks Corp. (NASDAQ: SCWX) Q4 2022 earnings call dated Mar. 17, 2022
Corporate Participants:
Andrew Storm — Vice President Investor Relations
Wendy Thomas — President and Chief Executive Officer
Paul Parrish — Chief Financial Officer
Analysts:
Mike Cikos — Needham & Company — Analyst
Sterling Auty — JPMorgan — Analyst
Hamza Fodderwala — Morgan Stanley — Analyst
Saket Kalia — Barclays — Analyst
Unidentified Participant — — Analyst
Prepared Remarks:
Operator
Good morning and welcome to the SecureWorks Fourth Quarter and Full-Year Fiscal 2022 Financial Results Conference Call. [Operator Instructions]
I will now turn the call over to Andrew Storm, Vice President of Investor Relations. You may begin.
Andrew Storm — Vice President Investor Relations
Thanks, everyone for joining us. I’m Andrew Storm, VP of Investor Relations at SecureWorks and with me are Wendy Thomas, our CEO, and Paul Parrish, our CFO. During this call unless otherwise indicated, we will reference non-GAAP financial measures. You will find the reconciliations between these GAAP and non-GAAP measures in the press release and presentation posted on our website earlier today. Please also note that all growth percentages refer to year-over-year changes unless otherwise specified.
Finally, I’d like to remind you that all statements made during this call that relate to future results and events are forward-looking statements based on current expectations. Actual results and events could differ materially from those projected due to a number of risks and uncertainties which are discussed in our press release, web deck and SEC filings. We assume no obligation to update our forward-looking statements.
Now, I’ll turn it over to Wendy.
Wendy Thomas — President and Chief Executive Officer
Thank you, Andrew and welcome everyone. Just 2.5 years since initial launch, Taegis reached $165 million in ARR, up $42 million sequentially accelerating our business model transition. We added a record 400 customers in Q4, to finish the year with 1200 total Taegis customers of which over a third are now software-only. Our focus remains on transforming the company to higher value security solutions and driving scale and operational efficiencies in the business.
As we actively exited non-strategic lower margin services in fiscal ’22, total revenues declined by $26 million, while non-GAAP gross profits increased by $0.5 million. We invested in engineering and marketing talent with head count in those areas increasing in the high teens, while our shift away from non-strategic services enabled us to reduce total headcount by 13% versus year end last year. As a result, revenue per employee increased 10% and gross profit per employee was up nearly 15%.
Our transformation will accelerate in fiscal ’23 as we increased investments in Taegis to capitalize on the market transition to XDR and manage down our non-strategic services. And the shift to XDR is happening because it has to the existing spall of point solutions operating independently and noise generated through legacy SIEMs is too much for overworked security analyst to address, leaving the adversary free to weave between existing controls and until now no prior security solution has brought everything together properly, without that you end up with billions in ransomware payouts. It’s been clear to us that the way to defeat the adversary is a security first approach with a single big data platform architected for holistic prevention, detection and response and while others are catching on, building a true XDR platform is not easy. We spent over five years building this vision into Taegis, creating effective analytics beyond a single control like the endpoint of firewall requires a Data Lake with substantial volume, diversity and span of data. Our data lake and just endpoint network, email cloud and other forms of telemetry from thousands of customers every single day. That’s the foundation we’ve built on. Endpoint only providers however don’t have the comprehensive visibility into a customer’s network cloud or email. Architecture is not designed to ingest and correlate all the disparate data across vendors.
Without comprehensive data, the detection capabilities are incomplete or unnecessarily noisy. In short, you don’t have a scalable XDR solution. Even with the data, it takes a fully operational dedicated threat intelligence team, working with data scientist to research behavioral threat patterns and develop the detection analytics and rules that make XDR so powerful. Taegis is further supplemented with the intelligence gleaned from our incident response and security operations teams not just by buying intelligence from third parties.
As an example, we recently filed a patent for our new Hands on Keyboard detector, which uses machine learning to detect threat actors, not using malware, but local tools and malicious ways that would be too noisy for signatures to detect. We started with a single true positive incident and went back through 3.3 trillion process events in our data lake to find more examples. We built a machine learning model, trained at with this data and develop a detector with a true positive rate of over 99%. This patent pending approach brings unrivaled capabilities of detection in the market and as soon as we release the detector, we found multiple intrusions or the existing security point solutions we’re not raising alerts. This is extended detection.
The second key part of XDR is the response. Our purpose-built XDR platform pulls together all relevant information and provides an embedded security orchestration layer, with automated response capabilities. These capabilities were designed at Taegis from day one, it’s not a third party software bolt-on or an after the fact acquisition and we constantly enhance our embedded workflow and response playbooks, driving increasing levels of automation for customers, with practices informed by our managed security services and incident response teams. And our customers know we are in the fight with them every day available when needed most, with one of the top incident response practices in a world that handles over 1400 engagements annually. Our customers know they have access to the right people whenever they need it.
The final component of a true XDR platform is active prevention. Vulnerability management is long been akin to exercising to prevent health problems. The solution to most vulnerabilities is patching, yet organizations still don’t do it. And the reason is simple like exercising patching can be time consuming and hard. We’ve taken the pain away and brought a step change in automation, enabling a more hands off approach with comprehensive vulnerability detection and response, Taegis delivers a complete security program at a lower total cost of ownership.
Bringing this together a true XDR platform provide the prevention, detection and response that extends well beyond the endpoint that marries big data, intelligence security analytics, live threat context and the best of human engineering and SecOps, without unifying prevention detection and response for the entire ecosystem onto a purpose-built data and automation architecture, if you’re not doing XDR no matter how much the marketing says otherwise.
When we began building Taegis over five years ago, the XDR market didn’t exist and until more recently wasn’t viewed by industry analysts as a category. Now we’re consistently recognized for our clear leadership and the unique solutions we’ve built, with a leading product in a growth market, excellent NPS scores and a roster of customers advocating on our behalf. This is our time to capitalize on the market shift to XDR.
We are investing further in marketing and product in the year ahead to capture that opportunity and maintain our leadership position. It’s a testament to our team and the value of Taegis that we’ve historically spent significantly less on sales and marketing and public peers, yet delivered one of the highest growth rates in XDR customers in ARR last year.
Looking ahead, we see multiple drivers of long-term organic growth, including a continued shift toward XDR and away from standalone point product based approaches to security, the upsell of additional solutions, increased demand from targeted marketing investments, the shift of sales talent from re-solutioning existing customers as that work winds down this year to hunting for new logos and accelerating sales through our partner program. We are at the tipping point year of our transition. We’ve been building to this moment. We began the re-solutioning program just over a year ago and we expect to exit fiscal ’23 with a substantial majority of our ARR on Taegis.
Underneath the noise of our transition, we are building a higher quality business, with a strong position in one of the highest growing segments of the cyber security industry. And I want to thank all of our customers and partners for their support and our teammates for their hard work and commitment to get us where we are and to fuel the year ahead.
With that, I’ll turn the call over to Paul Parrish, our CFO.
Paul Parrish — Chief Financial Officer
Thanks, Wendy. 4Q Taegis ARR increased $42 million sequentially, our largest quarter ever and 34% sequential growth rate. This resulted in ARR of $165 million, $10 million higher than guidance, a 200% growth from last year and we had a record 400 Taegis customer adds in Q4 to end our year at 1200 total Taegis customers. Following our end-of-sales announcement, customer resolution accelerate. As a result, Taegis ARR ended the year around a 60/40 mix of resolution versus organic.
Taegis subscription revenue was $85.6 million for the year, up 165% year-over-year, reflecting continued strong growth, but was below our expectations for two reasons. First, the majority of re-solutioning deals closed toward the end of the quarter, pushing revenue out slightly. Second, we continue to see a timing impact from customer delays and turning down their CTP security services. As noted last quarter, we recognized revenue proportionately as customers migrate, but we will continue to allocate a portion of other revenue to other MSS subscription revenues as long as customers have CTP services in place.
Average revenue per Taegis customer was approximately $135,000, continuing to be at a premium to our non-Taegis customers, which averaged $93,000. Increased re-solutioning of some smaller customers led to a modest decline in average revenue per Taegis customer, as we ended the year. As we shed non-strategic businesses, full-year total revenue declined $26 million, yet gross profits were higher by $0.5 million.
We continued to manage our cost structure and solution mix, leading to improving gross margins of 62.6%, up 300 basis points from FY ’21. Sales and marketing costs were flat compared to FY ’21 on an absolute dollar basis, although we shifted the mix of investment toward the channel. We continue investing to drive innovation on Taegis and maintain our lead in the threat intelligence and research reflected in a 15% increase in R&D last year.
G&A expenses were down modestly from last year. Adjusted EBITDA was $19 million down from $33 million last year, reflecting better gross margins offset by investments in R&D. Cash flow provided of operations in FY ’22 was $17 million, with CapEx of $8 million. We finished the year with a record $221 million of cash, no debt and an untapped credit facility.
Turning to our guidance for FY ’23. First, keep in mind, we have a 53-week year in FY ’23 compared to 52-weeks in FY ’22. We expect Taegis ARR to end FY ’23 over $265 million compared to $165 million this year. We expect organic growth to contribute approximately $50 million of the incremental ARR and sales should accelerate through the year, as we get the full benefit of our investments, carrying through to FY ’24.
For Taegis in FY ’23, we’re accelerating investments in brand awareness and global distribution with returns expected to be more meaningful in the back half of the year and into FY ’24. We expect other MSS ARR to end FY ’23 below $80 million compared to $224 million this year. Per our end of cell announcement, we have stopped selling these services with a few exceptions. As a result, we expect $90 million to $100 million of ARR in FY ’23 to be either transition the partners, move in-house with customers our churn.
For the $80 million of ARR remaining at year-end, we expect a significant portion to be eligible for re-solutioning with most done in FY ’24 enabling us to aggressively manage out the excess cost.
We expect full-year total revenue to be $475 million to $490 million, with first quarter revenue of $120 million to $122 million. For modeling, you can assume approximately $9 million of revenue for the 53rd week. Full-year adjusted EBITDA is expected to be between negative $58 million to $68 million as we invest for growth. This guidance reflects the following expectations.
Increased investments in sales and marketing by approximately $30 million, our investment in R&D is expected to increase approximately $20 million this year to maintain our market lead. G&A is expected to grow slightly to $2 million. We estimate there is approximately $30 million of duplicate fixed and transition related costs that we are incurring with $15 million of cost of revenues and $15 million in opex.
As we turn down our other MSS services, we will manage the related cost out positively impacting FY ’24 and FY ’25. Taegis subscription gross margins are expected to increase in FY ’23 and beyond, though total margins will be impacted by the duplicative fixed and transition cost, resulting in overall FY ’23 gross margins being approximately flat. Operating expenses in FY ’24 should increase on absolute basis, but we will expect them to grow a lower rate than FY ’23, delivering operating leverage that brings us toward our long-term model.
Finally, EPS loss is expected to be in the $0.61 to $0.70 range. In summary, we’re making consistent progress against our transformation, with continued improvement in our business mix and growth potential. The end of our business model transition is now inside and we believe that it’s increasingly clear we have the right product at the right time to lay the foundations for growth and profitability for the company.
Wendy will now join us again as we begin our Q&A. Operator, can you please introduce the first question?
Questions and Answers:
Operator
[Operator Instructions] We’ll take our first question from Mike Cikos with Needham & Company. Your line is open.
Mike Cikos — Needham & Company — Analyst
Hey guys, thanks. Thanks for taking the question here. I wanted to circle up, I think in the prepared comments, you had mentioned that the Taegis revenue may have been slightly below would you guys were anticipating? And the two reasons being the resolution deals maybe closing more of those at the end of the quarter, as well as the timing impact from customers turning down their CTP services. Could you delve further into both those dynamics, just wanted to unpack that a bit?
Paul Parrish — Chief Financial Officer
Yeah. So we built our expectations. We forecasted some improvement in the speed at which those customers would come off their own services. And so that additional improvement didn’t occur, as well as we had a larger amount occur later in the quarter, which is impacting the timing of the revenue recognized as Taegis we still have the revenue in our business.
Wendy Thomas — President and Chief Executive Officer
Yes, just a little color to that. The contracts or they are the customers are committed to Taegis, it’s just a matter of the revenue being recognized by the company and other MSS versus Taegis. So if you think about this, this is more of a transition challenge, not a value creation one.
Mike Cikos — Needham & Company — Analyst
Right, right. So I guess the question on the other services turning down, right? So can you remind us again like what would cause a customer to hold on to those other services longer than expected? And I guess a follow-up would be, when you provided this guidance and as we look to think about fiscal ’23, is there some element of assumption as far as customers may be turning those off slower than expected?
Paul Parrish — Chief Financial Officer
Sure. So I can speak to the — some of the examples of the customers. So in most cases, these are some of the larger customers who are transitioning. And so the pace at which they are essentially turning off their counter threat platform monitoring was slower than expected. There is a couple of things behind there, one they’re often just sort of checking twice to make sure there’s absolutely no gaps in transition on their end.
The second piece that we’ve seen is really some of them are struggling with staffing particularly IT staffing, which is often required and supporting the security team and making this type of transition, particularly for larger customers. And so that’s definitely been something that we saw in fourth quarter with overall sort of staffing challenges in the economy.
And then for some in a few cases as you know, we’ve been working with them to transition certain services to partners or in-house. And so there has been some examples where that transition again just dotting the I’s and crossing the T’s that transition that’s just taken a little bit longer.
Mike Cikos — Needham & Company — Analyst
Got it, got it. And one more if I could, I know that you guys did provide a good amount of color when we’re thinking about opex in the upcoming year. The investments that you guys are calling out, whether it’s accelerating those investments in brand awareness, I think the other comment might have been around sales and marketing initiatives or partners. Can you give more granular on either one of those items, just wanted — want to see how those dollars are expected to be deployed and is it, is the thought that it will be relatively evenly spread through the year or should we expect it to be more heavily front year focused, back half focused anything there again with incremental. Thank you.
Wendy Thomas — President and Chief Executive Officer
Sure, well, I’ll speak to the business side and then I’ll have Paul speak to the spread piece. So for us this is really about doing the right thing at the right time. So we are in an ideal position to start to categorize on. Finally the market recognition of the sort of secular shift to XDR beginning and with us having clear product market fit, customer advocates, the third party recognition both XDR space and our leadership in it, now is really the time to lean. And what we’ve seen is as we get into conversations and do a proof of value, we win the clear majority of those deals. And so frankly given our lower sales and marketing investments to date, this is a proof point of the value of the product when it’s — when it’s in the customers hands or the prospects hands. And so this marketing spend is about investing to get ourselves into every single deal conversation that we possibly can because when the doors open we’re going to win.
So for us this is also hand-in-hand with doing this with our partners right, the XDR market education, supporting them in their go-to-market. And so as you think about the spend pieces, this is primarily around demand generation and what I’ll call brand response as opposed to sort of broad brand awareness and the partner support pieces of that are absolutely integrated into that. And then to a lesser extent, what I would call that continued XDR education of where is the right security solution and to some extent some of third-party recognition and customer advocacy support work.
So really very targeted. The majority of the spend very targeted to the areas where we’ve seen increasing win rather than what I would call sort of broad generic brand awareness.
And then I’ll turn it to you Paul.
Paul Parrish — Chief Financial Officer
And we step into the spend in Q1 and so we believe in this and we believe is the right thing to do at this time. So we step into that and there’s a slight increase in Q2, but consider equally split during the rest of the quarters beyond that.
Mike Cikos — Needham & Company — Analyst
Thank you, I’ll see the progress. Thank you very much.
Wendy Thomas — President and Chief Executive Officer
Thank you.
Operator
Our next question comes from Sterling Auty with JPMorgan. Your line is open.
Sterling Auty — JPMorgan — Analyst
Yeah, thanks. Hey, guys. So I’m wondering.
Wendy Thomas — President and Chief Executive Officer
Good morning.
Sterling Auty — JPMorgan — Analyst
The 60/40 split that you talked about now, what should we think about that split being as you exit this new fiscal year?
Wendy Thomas — President and Chief Executive Officer
As we exit fiscal ’23, so definitely safe to use that 60/40 split for the organic growth in fiscal ’22, right? So still a pretty healthy balance between the two, but as we accelerated the transformation with the end of life and frankly just the ability to have had more customer conversations that’s how we ended the year.
In Paul’s remarks in terms of FY ’23, we’ve guided that organic growth piece should continue to expand, that $50 million or more organic guide implies basically a 30% growth rate on the current total base for organic and we’re confident in that guidance. And all of that is still buoyed by tailwinds from partner program traction, obviously the marketing things we just spoke about and this continuing shift of the puck moving to XDR in the broader market.
Sterling Auty — JPMorgan — Analyst
And then the one follow-up would be, all right, with that under $80 million of MSS ARR that’s left exiting fiscal ’23, what’s going to be the thought process in terms of what type of carrots versus what kind of sticks that you can use to kind of motivate that tail to finally convert over?
Wendy Thomas — President and Chief Executive Officer
So for a piece of that, there — it’s based in Asia where we are deploying some market-specific platform capabilities. So a big chunk of that is really our timing choice not to engage a section of customers if you will. But for the remainder it’s really a — we’re having all of those conversations now. It’s really about planning with them in terms of their overall business priorities to make that transition as opposed to needing to provide particular carrots where we are now in the conversations, it’s more about timing of transition than whether to transition or that need for a special incentive.
Sterling Auty — JPMorgan — Analyst
Understood. Thank you.
Wendy Thomas — President and Chief Executive Officer
Thank you.
Operator
Our next question comes from Hamza Fodderwala with Morgan Stanley. Your line is open.
Hamza Fodderwala — Morgan Stanley — Analyst
Yeah, good morning. Thank you for taking my question. Wendy, a question for you on the XDR strategy. So one of the things you mentioned was the data ingestion and the data lake component, it seems to me with XDR one of the issues is not only how do you ingest the data from multiple vector within your organization from a network, endpoint, cloud, etc, but also how do you standardize that so that you can analyze it properly and action upon it from a security standpoint.
So I’m just curious, how you’re going about doing that, because it seems like in security we’re just really far away from having open telemetry models. So when you think about the analysis portion, is that where your threat analysts and your threat intel experts come in and provide that human-level assistance or is there some other secret sauce that you guys had that we’re not aware of?
Wendy Thomas — President and Chief Executive Officer
It’s a great question and thanks for it because you’re right, part of the importance here is, one, having that broad dataset in the data lake for us that means cutting across the entire ecosystem. I mean if you look at our telemetry that we’re processing, the market really talks a lot about endpoint, but that’s probably only about 40% of the events that we’re processing day-to-day, because there is a way that the adversary weaves through the environment that is — that is important to have a holistic perspective.
So it is absolutely the case that we leverage our experience, our teams into response, adversarial testing, our security operations teams to basically understand penetration techniques and then how to reverse-engineer them for defense and basically make those learnings machine readable if you will across this big data platform, but the foundational piece as you mentioned at the start is it’s not just ingesting that data and then generating a bunch of alerts, it is very easy to detect anomalies, but it is hard to not bury those anomalies in a massive haystack of noise.
And the way that we do that because of our experience working across every point product in the industry as a service provider, historically, our understanding of that telemetry and normalization of that telemetry to then apply these techniques to the detection across that telemetry is the secret sauce that lets us have not just detections, but high-fidelity detections that have high probabilities of potential damage that lets us really get to remediation quickly, leveraging the automation on top of that, of course, to speed time to remediation.
That is the answer that a true XDR platform should be providing using relevant big data that is leveraged in a way with detection understanding, that is based on a knowledge of a threat actor’s techniques.
Hamza Fodderwala — Morgan Stanley — Analyst
Got it. I’ll keep it at one. Thank you.
Wendy Thomas — President and Chief Executive Officer
Sure.
Operator
Thank you. Our next question comes from Saket Kalia with Barclays. Your line is open.
Wendy Thomas — President and Chief Executive Officer
Good morning, Saket.
Saket Kalia — Barclays — Analyst
Okay. Great. Hey, good morning, Wendy. Thanks for taking my questions here. Maybe just to start with you, Wendy and apologies if this was asked, I joined a little late, but with all the focus on XDR, can you just talk a little bit about how much you are displacing traditional SIEM instances, right or installations, let’s say, versus perhaps co-existing with a traditional SIEM inside your customer base?
Wendy Thomas — President and Chief Executive Officer
So it’s a good question and it is an evolving answer to that over time, right, as both the understanding of XDR grows and frankly customers come up for renewal or replacement of that SIEM based on their contract lengths with that knowledge of XDR now getting more clear. So there was in the beginning much more sort of a coexistence, let’s see how this goes, let’s use the data from where we are. But very much now, the understanding that you can essentially address all of the use cases of SIEM plus do it better at a more reasonable cost of ownership with an XDR platform like Taegis, we increasingly see that as an opportunity to shift share of wallet, while giving customers better ROI and frankly better security outcomes from it.
Because if you think about what you’re looking at here it’s about the ability to ingest relevant data, but again to make it information not just data to enrich that with user and asset context. And for our customers, the fact that we are really helping to build and maintain those detectors or work with them to build those makes that XDR platform much more relevant on an ongoing real-time basis than a SIEM that could be very difficult to maintain and frankly could be expensive from a data perspective.
Saket Kalia — Barclays — Analyst
Got it. Got it. Paul maybe for my follow-up for you and again apologies if this was mentioned earlier, but either quantitatively or qualitatively can you — as you look at sort of your — maybe looking backwards, as you look at your traditional MSS space, what percentage of them chose to resolution with Taegis versus maybe explore other options?
And I think you’ve already talked about sort of average revenue per customer earlier, I wasn’t sure if that was on a total basis, but the second part of that question is, when an MSS customer does choose to resolution, what’s the typical uplift you see after that event takes place?
Paul Parrish — Chief Financial Officer
Yeah, so I think all of our customers are excited about the Taegis products. So when you ask about that, all of them are listening, all interested, all trying to determine for their — where they are in their walk, is this the right time for them? And so we see interest across the board. So if you’re asking the interest level, very high across all our customers.
The actual plays into effect when a customer either resolutions or not, where are they in their walk on their technology.
On your average revenue per customer, we’re seeing roughly that a resolution customer is coming in at roughly where we’re selling new logos out. And we’re very happy with the average revenue per customer.
Wendy Thomas — President and Chief Executive Officer
Yeah and for comparison, the $135,000 on Taegis compares to low 90s. So I think its $93,000 on the CTP platform. So we continue to see higher average spend with the — again the same situation, they’re up-shifting their entire posture for full coverage of their estate and are able in some cases to displace other standalone spend, which is now a feature of the platform. So that trend continues.
Saket Kalia — Barclays — Analyst
Got it. Helpful. Thank you.
Wendy Thomas — President and Chief Executive Officer
Thank you.
Operator
Thank you. We’ll now take our final question from Brian Essex with Goldman Sachs. Your line is open
Unidentified Participant — — Analyst
Hi. This is Charlotte on for Brian. Quick question. It’s nice to see the record number of Taegis customers in 4Q of 400. Can you talk about how many of these logos were net new logos versus conversion of your existing base? Thank you.
Wendy Thomas — President and Chief Executive Officer
Yeah, we talked about on the call that in terms of our growth for the year, the base of Taegis ARR is about a 60/40 split. We haven’t seen a material shift in the average revenue per customer and so those have generally been following the same mix shift.
Unidentified Participant — — Analyst
Got you. And another question on Taegis. Now that you have — with your endpoint partnership that you announced last year, have you seen a shift in the competitive landscape or what have you — have you seen any changes?
Wendy Thomas — President and Chief Executive Officer
In terms of the — I’m not sure exactly which — in terms of the endpoint, next-gen AV is what you’re referring to?
Unidentified Participant — — Analyst
Yeah, exactly.
Wendy Thomas — President and Chief Executive Officer
We’ve got quite a few endpoint partnerships. Yes, absolutely, we’ve seen a nice traction from that. Again the whole strategy behind that is giving customers the option for one-stop shop. We do find that customers in the lower end of the mid-market tend to want simplicity, simplicity in pricing, vendor engagement and capabilities where customers on the larger end of the market sometimes want to select individual security controls and then bring them together with Taegis XDR. So for us that again is just about capturing share of wallet, making things simple and easy for customers to partner with us and just makes a ton of sense for the capabilities of a holistic XDR platform.
Unidentified Participant — — Analyst
Great. Thank you for the insight.
Wendy Thomas — President and Chief Executive Officer
Thank you.
Operator
There are no other questions in the queue. I’d like to turn the call back to Andrew for closing remarks.
Andrew Storm — Vice President Investor Relations
Great. Well, that ends the Q&A in today’s call. A replay of this webcast will be available on our Investor Relations page at secureworks.com, along with our Q4 web deck and additional financial tables. Thank you again for joining us today.
Wendy Thomas — President and Chief Executive Officer
Thank you.
Operator
[Operator Closing Remarks]