UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 10‑K

 

Commission File Number 001‑38478

CARBON BLACK, INC.

(Exact name of registrant as specified in its charter)

 

Registrant’s telephone number, including area code: (617) 393‑7400

Securities registered pursuant to Section 12(b) of the Act:

 

Securities registered pursuant to Section 12(g) of the Act: None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. YES ☐ NO ☒

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Act. YES ☐ NO ☒

Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. YES ☒ NO ☐

Indicate by check mark whether the registrant has submitted electronically, if any, every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and such files). YES ☒ NO ☐

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K (§229.405) is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10‑K or any amendment to this Form 10‑K. ☐

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or a smaller reporting company. See the definition of “large accelerated filer”, “accelerated filer”, and “smaller reporting company” in Rule 12b‑2 of the Exchange Act. (Check one):

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☒

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b‑2 of the Exchange Act). YES ☐ NO ☒

As of June 30, 2018, the aggregate market value of the registrant’s voting common stock held by non-affiliates of the registrant, based on a closing price of $26.00 per share of the registrant’s common stock as reported on The NASDAQ Global Select Market on June 30, 2018, was approximately $1,154,962,250. For purposes of this computation, all officers, directors and 10% beneficial owners of the registrant are deemed to be affiliates. Such determination should not be deemed to be an admission that such officers, directors or 10% beneficial owners are, in fact, affiliates of the registrant.

The number of shares of registrant’s common stock outstanding as of March 5, 2019 was 70,785,001.

DOCUMENTS INCORPORATED BY REFERENCE

Portions of the registrant’s definitive Proxy Statement for its 2019 Annual Meeting of Stockholders to be filed with the Securities and Exchange Commission pursuant to Regulation 14A not later than 120 days after the end of the fiscal year covered by this Annual Report on Form 10‑K are incorporated by reference in Part III of this Annual Report on Form 10‑K. Except with respect to information specifically incorporate by reference in this Form 10-K, the Proxy Statement is not deemed to be filed as part of this Form 10-K.

 

 

CARBON BLACK, INC.

TABLE OF CONTENTS

 

 

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10‑K contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995, including but not limited to, statements regarding our financial outlook and market positioning. These forward-looking statements are made as of the date they were first issued and were based on current expectations, estimates, forecasts and projections as well as the beliefs and assumptions of management. The words "anticipate," "believe," "could," "estimate," "expect," "intend," "may," "might," "plan," "predict," "project," "will," "would," or the negative of these words or other similar terms or expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. These forward-looking statements include, among other things, statements about:

 

These forward-looking statements are subject to a number of risks, uncertainties and assumptions, including those described in "Risk Factors" elsewhere in this Annual Report on Form 10‑K. Moreover, we operate in a very competitive and rapidly changing environment, and new risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from those contained in any forward-looking statements we may make. In light of these risks, uncertainties and assumptions, the forward-looking events and circumstances discussed in this Annual Report on Form 10‑K may not occur and actual results could differ materially and adversely from those anticipated or implied in the forward-looking statements and you should not place undue reliance on our forward-looking statements.

The forward-looking statements made in this Annual Report on Form 10‑K relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this Annual Report on Form 10‑K to reflect events or circumstances after the date of this Annual Report on Form 10‑K or to reflect new information or the occurrence of unanticipated events, except as required by law.

 

Unless the context requires otherwise, references in this Annual Report on Form 10-K to the “Company,” “Carbon Black,” “we,” “us,” and “our” refer to Carbon Black, Inc. and our subsidiaries, unless the context indicates otherwise.

 

 

PART I.

Item 1. Business

Overview

Carbon Black is a leading, global provider of cloud-delivered, next-generation endpoint security solutions. As an innovator in the Endpoint Protection Platform (EPP) market, our technology enables customers to address the complete endpoint security lifecycle and stay ahead of advanced cyberattacks.

 

Our big data and analytics platform, the CB Predictive Security Cloud (PSC), consolidates endpoint security and IT operations into an extensible cloud platform that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analyzing billions of security events per day across the globe, Carbon Black has key insights into attackers’ behavior patterns, enabling customers to detect, respond to and prevent emerging attacks.

 

We believe the depth, breadth and real-time nature of our unfiltered endpoint data, combined with the analytic power of our Predictive Security Cloud platform, provides customers with world-class security efficacy and operational efficiency.

 

Organizations globally are re-platforming their IT operations by investing in cloud computing and workforce mobility, which has resulted in enterprise environments that are more open, interconnected, and vulnerable to cyber attacks. Today, an increasingly mobile workforce and the explosion of enterprise data and applications in the cloud have expanded the attack surface beyond the traditional network perimeter. In response, attackers have adapted their methods and tools to directly target the endpoint. In short, the endpoint is the new perimeter.

 

Endpoints are the primary focus of attacks because they store valuable data that attackers seek to steal; perform critical operations that attackers seek to disrupt; and are the interface where attackers can target humans through email, social engineering and other tactics. Endpoints are the physical and virtual locations where sensitive data resides and include desktops, laptops, servers, virtual machines, cloud workloads (services running on cloud servers), containers, fixed‑function devices such as ATMs, point of sale systems, and control and data systems for power plants and other industrial assets.

 

Our approach to solving these endpoint security challenges focuses on leveraging our big data and our security analytics platform in the cloud (the CB Predictive Security Cloud) to better detect and prevent the behaviors and specific techniques used by attackers. Based on our experience and investment in next‑generation solutions designed to address the full endpoint security lifecycle, we have developed a highly differentiated technology approach with four main pillars:

 

1.   Unfiltered data collection: Our technology uniquely collects complete, “unfiltered” endpoint data by continuously recording endpoint activity and centrally storing the collected data for advanced analytics. Other vendors take a “filtered” approach whereby a subset of data is captured at select points in time. Unfiltered data is more comprehensive, provides greater visibility and we believe offers more effective security capabilities.

2.   Proprietary data shaping technology: Our unfiltered data approach required us to overcome several difficult technical challenges, which we refer to as the “edge-to-cloud data pipeline problem.” These challenges centered on how to reliably collect and cost effectively analyze and store massive amounts of data from edge devices (i.e., endpoints) in the cloud. To address those challenges, we have developed proprietary data shaping technology that smooths bursts of endpoint data activity; optimizes bandwidth demands to move massive amounts of endpoint data; compresses data at a high ratio to reduce the cost of storing massive amounts of data; and leverages a graph‑like custom model for endpoint data that allows analysis of the data in multiple ways for multiple use cases.

3.   Streaming analytics: We analyze endpoint data at massive scale by leveraging event stream processing technology, which evaluates and classifies a continuously updated stream of events based on their risk level.

4.   Extensible and open architecture: Our open architecture is designed to integrate with leading security technologies and IT products used by our customers. Moreover, endpoint data is the fuel that powers multiple security products across an organization’s security stack. Our open architecture, when combined with the value of our data, positions our Predictive Security Cloud platform to serve as the hub of security activity in a customer’s IT organization and enables deep customer relationships.

We have a strong heritage of innovative technology leadership in multiple Endpoint Protection Platform (EPP) categories, including: application control, endpoint detection and response, or EDR, and next‑generation antivirus, or NGAV. Our flagship solutions are technology leaders in each of these categories, and we are integrating each with the CB Predictive Security Cloud. Unlike legacy security products that install an agent and collect data specific to its domain or use case, our cloud platform  provides a single sensor that that can collect unfiltered endpoint data both continuously and on-demand to address the entire endpoint security lifecycle, which today is addressed by multiple point products. We believe that we are well positioned to capture a significant share of the endpoint security market.

 

Our customers include many of the world’s largest, security‑focused enterprises and government agencies that are among the most heavily targeted by cyber adversaries, as well as small-to-mid‑sized organizations. We serve more than

5,000 customers globally across multiple industries, including 34 of the Fortune 100. Our solutions address the needs of a diverse range of customers. More than 100 security companies leverage our open application program interfaces, or APIs, to enable additional capabilities and intelligence using the unfiltered endpoint data we provide.

 

We primarily sell our products through a channel go‑to‑market model, which significantly extends our global market reach and ability to scale our sales efforts. Our inside sales and field sales representatives work alongside an extensive network of value‑added resellers, or VARs, distributors, managed security service providers, or MSSPs, and incident response, or IR, firms.

 

Our MSSP and IR partners both use and recommend our products to their clients. In the year ended December 31, 2018, 80% of our new and add‑on business was closed in collaboration with a channel partner.

 

Industry Background

Cyber security is critical to organizations as they face an increasingly hostile threat environment with a growing number of cyber adversaries launching stealthy, sophisticated and targeted attacks. The following major trends are driving strong and growing demand for our products:

 

Endpoints are the new front line in the cyber war, and organizations are shifting their defenses as a result

 

The attack surface is expanding

 

Workforce mobility is increasing the number of connected devices that operate outside the traditional corporate network perimeter, expanding the potential “attack surface.” Moreover, enterprises are increasing their use of public clouds for a broad range of services. As a result, enterprises’ critical data and operations have increasingly shifted outside of their traditional network defenses, and the importance of protecting their endpoint devices has become paramount.

 

Endpoints are the primary target of cyber attacks

 

Endpoint devices are the primary targets of attacks because these devices store valuable data and intellectual property such as authentication credentials (e.g., usernames, account IDs, passwords), personal information (e.g., Social Security numbers, health records), financial data (e.g., credit card account data), digital assets (e.g., proprietary software code, movies, blueprints, product plans) and trade secrets. Endpoints are also the interface where attackers can target humans through email, social engineering techniques (e.g., phishing), keylogging and other tactics.

 

Endpoint data is critical to an effective cyber security program

Effective security critically depends on having complete visibility into what is happening on each endpoint. Skilled attackers are now easily able to evade traditional, signature-based antivirus products and blend into the normal activity on a company's network or endpoints by leveraging known-good software to perform malicious actions. By collecting unfiltered data about the activities occurring on their endpoints, companies are able to combat these techniques, uncover advanced attacks, and more quickly remediate potential data breaches.

Organizations are shifting their defenses to focus on next‑generation endpoint security solutions

 

Because network‑centric security is no longer adequate and traditional, passive, prevention-only endpoint security technologies are ineffective against today’s advanced cyber attacks, organizations are increasingly shifting their security budgets toward next‑generation endpoint security solutions which provide a holistic and active security approach that is predicated on predicting, preventing, detecting and responding to today’s advanced cyber attacks. As organizations shift away from a prevention‑only approach, they increasingly require next‑generation technologies that rely on rich endpoint data as part of a more proactive approach to cyber security.

 

The cyber threat is large, sophisticated and growing and requires new and more advanced approaches to combat it

Cyber security is a board-level issue and a focal point for governments worldwide

In a recent study, Cybersecurity Ventures predicted that cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. A single data breach, on average, costs the breached entity $3.86 million according to a 2018 study by the Ponemon Institute and IBM Security, or the Ponemon Study. The ongoing occurrence and devastating consequences of high profile cyber attacks have elevated cyber security to a top priority for executives.

The rise of ransomware has made every organization a potential target

In the past, cyber attackers tended to target entities that held commercially valuable data that could be stolen and used for financial gain, such as credit card data, authentication credentials and trade secrets. However, with the emergence and proliferation of ransomware in recent years, cyber attackers now target organizations regardless of type or size to extort money by holding computers and data hostage. According to a study conducted by Cybersecurity Ventures, global ransomware damages are now predicted to cost the world $11.5 billion in 2019, and $20 billion in 2021. In fact, according to the 2018 Verizon Data Breach Investigations Report, 76% of breaches were financially motivated and 58% of breach victims are categorized as small businesses.

Today’s attacks are stealthy, sophisticated and targeted

Today’s organizations face a complex threat landscape with a broad range of well-funded cyber attackers that include criminal syndicates, state-sponsored agents, international hacking collectives and nation states. Advanced attackers use techniques designed to circumvent traditional security approaches, including custom malware and zero-day attacks, social engineering through targeted spear phishing, polymorphic malware and infected USB keys. Advanced attackers are also evolving to remain undetected, using techniques such as lateral movement (using native operating system tools during attacks in an attempt to remain undetected), island hopping (targeting smaller organizations within the supply chain to ultimately attack a larger enterprise) and counter incident response to stay invisible.

Once an organization has been breached, attackers can move unseen for months or even years, exfiltrating a larger amount of data and intellectual property. The longer these invisible breaches remain undetected, the greater the costs and reputational damage they can cause. According to the Ponemon study, the mean time to identify a malicious or criminal cyber attack is 197 days and the mean time to contain such an attack, once identified, is an additional 69 days.

The shortage of security talent creates a need for next-generation solutions

The continuous growth in the number and sophistication of cyber attacks and the expansion of the attack surface is driving the need for more security professionals with deeper expertise. The number of security professionals has not kept pace with total demand. Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity positions by 2021. Organizations are increasingly turning to next-generation solutions, advanced analytics and automation tools to empower their security professionals to increase their efficiency and focus on the highest value cyber security tasks.

 

Our Market Opportunity

 

We believe that our Predictive Security Cloud addresses a significant capability gap in the evolving Endpoint Protection Platform (EPP) landscape in which the endpoint is the new perimeter. Legacy endpoint products employ “scanning” technology to periodically scan and pull data from endpoints at various points in time in order to identify potential cyber threats. In contrast, our PSC platform enables organizations to improve the efficacy of, and reduce the overhead associated with, managing security systems and teams through the collection of continuous and unfiltered endpoint data. Our extensible cloud platform consolidates security and enables organizations to utilize unfiltered endpoint data and advanced analytics to better predict, prevent, detect, respond to and remediate cyber attacks when compared to traditional endpoint security solutions.

 

Our Platform and Solutions

 

Powered by the CB Predictive Security Cloud, our solutions provide best-in-class security by collecting and analyzing unfiltered data from the endpoint, where attacks and breaches are increasingly focused, and by integrating seamlessly with leading third-party security solutions.

 

Addressing the entire security lifecycle, our solutions are designed to predict, prevent, detect, respond to and remediate the maximum number of attacks for our customers, and to enable our customers to continuously improve their security posture by proactively detecting and responding to threats, and remediating potential vulnerabilities. Our solutions can be quickly deployed by customers to realize immediate benefits, are easily scaled and tailored to fit their needs, and allow our customers to consolidate multiple point solutions into a single, cloud-based platform.

 

Our customers use our products to:

 

 

Benefits of Our Platform and Solutions

Decreased risk of breach by protecting against known and unknown endpoint attacks

By leveraging the benefits of unfiltered data, analytics and the cloud, we believe our solutions extend beyond legacy antivirus solutions to detect and stop the widest possible array of cyber attacks. These encompass both previously identified and novel attacks never seen before, including file-based attacks such as malware and ransomware, as well as more advanced fileless attacks, such as memory-based, PowerShell and script-based attacks. Our solutions apply a full

spectrum of technologies including application whitelisting and advanced analytics techniques—such as behavioral analysis, reputation analysis, artificial intelligence and machine learning—to analyze attack patterns in the cloud using richer and more complete endpoint data than any other vendor. According to an MRG Effitas Ltd. efficacy assessment commissioned by us, CB Defense has a 100% prevention rate against known and unknown ransomware samples. We believe the increased security efficacy from the use of our solutions results in a decreased risk of breach for our customers.

Ability to identify root cause of attacks and quickly respond to security incidents

Modern cyber adversaries routinely exploit known and newly discovered vulnerabilities in their targets’ infrastructure and operations. As long as those vulnerabilities remain, adversaries have a potential path to reach their goal. Our next-generation detection and response capabilities enable organizations and incident responders to rapidly identify the root cause of an attack and the scope of compromise on the network, helping them remediate the attack and close gaps in their security posture to better protect against future attacks. The CB Predictive Security Cloud provides full visibility into potential threats, both proactively as well as retroactively after a threat is blocked or identified, providing complete details of what happened and what was impacted.

Security efficacy without blocking legitimate activity

Customers require security products that are highly effective in detecting and preventing attacks (i.e., that have a low rate of “false negatives”), while also minimizing the number of “false positive” alerts that interrupt legitimate end‑user activity. In order to achieve these dual requirements, we apply an approach that combines endpoint‑based prevention models that are optimized for low false positives, with cloud‑based detection algorithms that are optimized for low false negatives. As a result, we are able to deliver maximum endpoint security efficacy without blocking legitimate activity.

Automated remediation and threat containment

Using the unfiltered continuously collected data from each endpoint where our solutions are deployed, our users can launch automated remediation and threat containment actions, such as terminating processes, deleting files and isolating endpoints on the network. These automated capabilities enable organizations to respond to attacks as they happen and minimize the impact and cost of an attack.

Continuous enhancement by leveraging intelligence from across the security community

Our solutions allow organizations to continuously improve their security posture, benefiting from ongoing refinement of endpoint hardening and the latest threat intelligence. Our solutions unite the Carbon Black community of security experts, our network of partners and our internal threat research team, and deliver shared intelligence through the CB Predictive Security Cloud, which elevates the security expertise of each community member.

Seamless integration with other best‑of‑breed security solutions

Our next‑generation endpoint security solutions are designed to integrate seamlessly with other security technologies deployed in an organization’s IT environment. Our open architecture and API framework allows organizations to integrate our platform with other best‑of‑breed security solutions, such as network security and security information and event management, or SIEM, solutions, to provide a unified security strategy where data is shared across the environment. Our emphasis on open architecture and integration with partners at all layers of the security stack enhances an enterprise’s security posture, reduces incident response times and increases overall operational efficiency.

Increased security operations efficiency and less reliance on scarce security talent

Organizations are under pressure to drive greater efficiencies across their security operations, driven in part by a global shortage of trained security professionals. By providing customers with automated security solutions, streamlined workflow management and access to the collective expertise available on the CB Predictive Security Cloud, our

solutions enable our customers to significantly improve the efficiency of their security operations and reduce their reliance on additional security professionals.

Greater ability to meet compliance requirements

Our solutions enable organizations to comply with numerous regulatory requirements for data collection, analysis, reporting, archival and retrieval, while also optimizing the overall enterprise cyber security posture. Our solutions allow our customers to consolidate compliance costs and help them comply with regulations such as the General Data Protection Regulation, or GDPR, the 2014 Framework for Improving Critical Infrastructure Cybersecurity, Health Insurance Portability and Accountability Act, PCI DSS, NERC‑CIP and the Sarbanes‑Oxley Act.

Ability to deploy endpoint security at any scale and grow and evolve their defenses

Carbon Black products are used by customers of all sizes, from small and medium sized businesses, or SMBs, to large global enterprises with hundreds of thousands of endpoint under protection. Carbon Black products are designed to deploy in minutes, with no adverse impact on end users or endpoint performance. Moreover, we have designed the CB Predictive Security Cloud to enable customers to easily grow and evolve their defenses. Customers can start by deploying whichever solutions best match their immediate needs and then extend and enhance their deployment over time.

 

Our Competitive Strengths

 

We believe a number of competitive advantages enable us to maintain and extend our leadership position, including:

Differentiated technology and intellectual property

Our predictive security approach continuously captures unfiltered endpoint activity for real‑time and retrospective analysis using our analytics technology that incorporates event stream processing, dynamic and static behavioral analysis, machine learning and reputation analysis and scoring. Our solutions provide a complete system of record, immediate root cause discovery and precise attack scope and impact assessment as well as an historical data set which organizations can continually analyze using newly discovered indicators and patterns of attacker behavior.

Extensible next‑generation security cloud platform

The CB Predictive Security Cloud Platform is designed to address a wide range of next‑generation security requirements and use cases by leveraging our unfiltered data to deliver a broad set of security offerings for customers of all types and sizes. The extensible architecture of our platform positions us to continue enhancing and expanding our offerings in order to address additional requirements and use cases, as customers’ needs evolve and as the landscape of cyber threats changes over time.

Powerful ecosystem based on unfiltered endpoint data and open platform

In the security ecosystem, endpoints yield the most valuable security data because they are the primary target of modern cyber attacks. Through a combination of our continuous recording that captures unfiltered endpoint data, along with our customer base of industry leaders that are among the world’s most heavily targeted organizations, we believe the endpoint data that we capture is considered the “gold standard” for the industry and is preferred by leading security vendors. Leveraging our open platform that integrates with our customers’ existing security architecture, we are well‑positioned to provide the core platform on which a growing ecosystem of partners can build complementary offerings.

Partnerships with leading incident response firms

We have established contractual relationships with more than 100 IR firms, including many industry leaders such as Kroll Inc. and Ernst & Young LLP. These firms engage with companies that have experienced a security incident and provide services to investigate the incident and remediate the situation. We provide our IR partners with our solutions at no charge, and we train and certify their personnel in using our software to support their IR engagements. We benefit from this arrangement because our IR partners recommend the use of our solutions to their client companies and refer them to us as prospective customers. In 2018, our IR partners leveraged our platform in more than 500 incident response engagements. We believe our IR partnerships are a significant competitive strength that extends our ability to build sales pipeline and acquire new customers.

Deep security DNA

Our management and technical leadership teams are comprised of cyber security leaders who have deep expertise from leading corporations and government organizations, such as the National Security Agency, the Department of Defense and the Central Intelligence Agency. Our extensive background in offensive and defensive cyber security positions us to respond to new threats and innovate products that protect against the most dangerous cyber attacks.

 

Our Growth Strategy

 

The key elements of our growth strategy include:

 

Drive new customer growth 

      

We operate in a large, growing market that offers substantial opportunities to grow our customer base. We believe most organizations, regardless of industry, size or location, would benefit from our next‑generation endpoint security platform and solutions, as cyber attacks continue to evade legacy security defenses. We believe we have a significant opportunity to increase our global market penetration in terms of customer type, market segment and geography.

 

Expand the use of our solutions by our existing customer base

 

With more than 5,000 customers across industries and geographies, we believe we have a significant opportunity to sell additional Carbon Black solutions to our existing customers. Our sales organization includes a dedicated Customer Success Team, which focuses exclusively on customer engagement and education to drive loyalty and increased purchases. During 2018, we launched four new solutions on the CB Predictive Security Cloud Platform: CB ThreatSight, CB Defense for VMWare, CB LiveOps and CB ThreatHunter. We see significant opportunity to cross‑sell and upsell these products to existing customers.

 

Strengthen relationships with channel distributors and strategic partners

 

Our relationships with our channel partners are a significant strength for our company. We have established a formidable channel composed of more than 520 of the world’s leading MSSPs, IR firms, distributors and VARs. In the year ended December 31, 2018, 80% of our new and add‑on business was closed in collaboration with our channel partners. We plan to drive operating leverage and greater sales by continuing to expand our sales channel, particularly in international regions where we can benefit from the local expertise and existing relationships of these partners.

 

Grow our international business

 

In 2018, we generated approximately 17% of our revenue from customers located outside of the United States. We believe there is significant opportunity to grow our international business, and we have expanded our international operations to include Europe, the Middle East, Asia Pacific (primarily Japan) and Australia. We intend to continue our international expansion model of entering new markets through our channel partners and then incubating growth through field sales teams in select countries and inside sales teams based in regional hubs.

 

Continue to innovate and add new offerings to our PSC platform

 

We will continue to make investments in research and development to enhance our PSC platform and product functionality. Our extensible cloud platform allows us to develop new solutions rapidly and at low cost. In 2016 and 2017, we released major enhancements to the CB Predictive Security Cloud platform, including innovations in our streaming analytics technology and investments in our open architecture, to support a larger ecosystem of partners.

 

During 2018, we launched four new products on the CB Predictive Security Cloud Platform: CB ThreatSight, CB Defense for VMWare, CB LiveOps and CB ThreatHunter. Leveraging the CB Predictive Security Cloud Platform, we intend to build and deliver new offerings that enable us to expand beyond endpoint security to adjacent security markets. As we develop and deploy additional security offerings, we see significant additional opportunity to cross‑sell and upsell as customers benefit by addressing multiple security requirements through a single cloud platform.

 

Increase sales to the United States Federal government

 

We have a dedicated federal subsidiary and federal sales team, focused on selling our solutions to departments and agencies of the United States, or U.S., Federal government. We have established significant traction by winning major deals with various branches of the U.S. Federal government and we believe we are well positioned to increase sales to the U.S. Federal government.

 

Selectively pursue acquisitions of complementary businesses, technologies and assets

         

We believe we have established a successful track record of identifying, acquiring and integrating strategic businesses, technologies and assets, including our acquisitions of Carbon Black, Inc. in 2014, Objective Logistics Inc. and VisiTrend, Inc. in 2015 and Confer Technologies, Inc. in 2016. We will continue to seek opportunistic acquisitions that complement and expand the functionality of our products and services, add to our technology or security expertise, or bolster our leadership position by gaining access to new customers or markets.

 

CB Predictive Security Cloud Platform and Our Software Solutions

 

Powered by the CB Predictive Security Cloud Platform, our software solutions are designed to address a broad set of use cases and customer requirements, providing what we believe is the most complete next-generation security offering on the market. Our customers deploy our software solutions across physical and virtual endpoints, including servers, desktops, laptops, and fixed-function devices, to augment or replace traditional signature-based antivirus solutions on their endpoints.

The CB Predictive Security Cloud Platform is an open, multi-tenant, scalable, and extensible cloud-based platform. It provides a set of core platform capabilities—including endpoint data collection, streaming analytics, collective intelligence and open APIs—as well as a set of security services that leverage these core capabilities to power Carbon Black products: Unfiltered endpoint data collection; Proprietary data-shaping technology; Streaming analytics and collective intelligence; Extensible and open architecture.

Our software solutions include:

Cloud Solutions delivered from the CB Predictive Security Cloud platform utilizing a common endpoint sensor and unified console:

 

On-premise and single-tenant cloud hosted software solutions:

 

 

CB Defense.  CB Defense is a cloud-delivered solution that combines NGAV and endpoint detection and response, or EDR, capabilities. Built as a native offering on the CB Predictive Security Cloud platform, it is lightweight, fast to deploy, and easy to manage. CB Defense is designed to deliver the best endpoint security with the least amount of administrative effort, protecting against the full spectrum of modern cyber attacks, including the ability to detect and prevent both known and unknown attacks through the use of event stream processing technology. In addition, CB Defense provides a suite of response and remediation tools, including “Live Response,” which allows security personnel to perform remote live investigations, intervene in ongoing attacks and instantly remediate endpoint threats. Customers deploy CB Defense either to augment or replace legacy antivirus products. CB Defense leverages the powerful capabilities of the CB Predictive Security Cloud, applying our unique streaming analytics to unfiltered endpoint data in order to predict, detect, prevent, respond to and remediate cyber threats.

CB ThreatHunter. CB ThreatHunter is an advanced threat hunting and incident response solution delivering unfiltered visibility for top security operations centers and incident response teams. As the next generation of our market-leading technology, CB Response, CB ThreatHunter continuously records and stores every event that occurs on protected endpoints, allowing security professionals to proactively search for threats in real time, create watchlists and integrate additional threat intelligence feeds to customize threat detection, visualize every step of the attack, and remotely remediate endpoints. CB ThreatHunter provides immediate access to the complete picture of an attack at all times, which can reduce investigation time and empower teams to proactively hunt for threats, uncover suspicious behavior, disrupt active attacks, and address gaps in defenses before attackers can. CB ThreatHunter is delivered through the CB Predictive Security Cloud and uses the same lightweight sensor and cloud-based console as CB Defense, CB Defense for VMware, and CB LiveOps, allowing security teams to consolidate endpoint security in the cloud.

CB LiveOps.  CB LiveOps is a real-time security operations solution that enables organizations to query all endpoints in their environment and take action to promptly remediate issues. Using CB LiveOps, customers can directly query their endpoints on-demand to gain access to more than 1,500 unique security artifacts from their endpoints during vulnerability assessments, incident response, or compliance audits. CB LiveOps is built on the CB Predictive Security Cloud and closes the gap between security analysis and IT operations by giving administrators visibility into precise details about the current state of all endpoints, enabling them to make timely decisions to reduce risk.

CB ThreatSight.  CB ThreatSight solves the problems related to shortages of skilled security professionals, resources and data by providing subscription-based monitoring for CB Defense customers, validating and prioritizing alerts, uncovering new threats, and accelerating investigations with capabilities such as predictive root cause reporting. CB ThreatSight is staffed by threat experts who keep watch over the customer’s environment 24x7 and advise customers on security issues.

CB Defense for VMware.  Pre-integrated with VMware’s AppDefense, CB Defense for VMware is an offering jointly developed as part of our strategic partnership with VMware.  The integrated solution is designed to stop threats to applications inside the virtualized data center. VMware has more than 500,000 customers globally who use its products to operate virtualized data and is the infrastructure platform choice of 100% of the Fortune 500. Protecting assets from cyber attacks in these virtualized environments has specific requirements that are uniquely addressed by our joint solution. The solution combines the ability to lock down applications and infrastructure in a “least privilege” model; behavioral threat detection and prevention; and automated response, including the ability to suspend or quarantine a compromised virtual machine.

CB Response.  CB Response is a market-leading incident response and threat hunting solution designed for security operations center, or SOC, teams. CB Response continuously records and captures unfiltered endpoint data so that security professionals can hunt threats in real time and visualize the complete attack kill chain. It provides advanced tools enabling users to understand the current state of an endpoint, perform remote live investigations, intervene with ongoing attacks and instantly remediate endpoint threats. CB Response leverages the CB Predictive Security Cloud’s aggregated threat intelligence capability, for evidence of known threats and malicious patterns of behavior. In addition, we are able to apply new behavioral patterns and indicators to historical endpoint data to identify previously unknown attacks. Top SOC teams, IR firms and MSSPs have adopted CB Response as a core component of their detection and response capability stack. Customers that augment or replace legacy antivirus solutions with CB Response do so because those legacy solutions lack visibility and context, leaving customers blind to attacks. CB Response is available via MSSP or directly via on-premise deployment, virtual private cloud or public cloud.

CB Protection.  CB Protection is the market-leading application control solution, used by organizations to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates. Leveraging the CB Predictive Security Cloud, CB Protection utilizes a combination of cloud reputation services, IT-based trust policies and multiple sources of threat intelligence to ensure that only trusted and approved software is allowed to execute on an organization’s critical systems and endpoints. IT, compliance, infrastructure and security teams use CB Protection to establish automated software execution controls and protection policies that safeguard corporate and customer data. CB Protection works with existing software distribution systems and reputation services to automate approval of trusted software and eliminate whitelist management. Customers often deploy CB Protection to replace ineffective legacy antivirus products. CB Protection is available through MSSPs or directly through on-premise or virtual private cloud deployment.

Our Technology

Our core technologies are purpose‑built to combat advanced threats and enable greater efficiency for security operations personnel. These technologies (several of which are patented or patent pending), which serve as the foundation for our Predictive Security Cloud and product offerings, are:

 

Unfiltered Data Collection. Our innovative approach to unfiltered endpoint data collection powers all of our capabilities. The granularity and fidelity of the data we collect enables more accurate and comprehensive endpoint protection across the entire security lifecycle.

Cloud‑based, Big Data Processing. Our unfiltered endpoint data approach, when aggregated across all of our customers in our cloud platform, results in big data at a massive volume, variety and velocity. To support our cutting‑edge cyber security use cases, we have built a proprietary system that allows us to collect, index, search and transform this data at low latency and cost while maintaining a level of flexibility that supports future expansion of capabilities.

Streaming Analytics Engine. Our detection and prevention engine leverages event stream processing technology to continuously analyze unfiltered endpoint data. It tracks the state of each potential attack and updates the associated risk as additional operations occur, such as the launching of additional processes, copying of files or creation of network connections. This stateful behavior detection uses advanced analytics techniques—such as behavioral analysis, reputation analysis, artificial intelligence and machine learning—and allows our system to identify complex, multi‑step attack patterns, whether they are file‑based or file‑less in origination, that evade traditional detection and prevention engines.

Zero Trust Prevention Engine. This “Zero Trust” approach is used to lock down servers and critical systems by enabling organizations to approve or deny various behaviors, on a policy basis, including registry changes, file system operations, script execution, device usage (such as USB keys) and memory manipulation. This empowers customers to allow or restrict individual applications entirely or limit their ability to perform particular actions. Examples include allowing web browsers to run, but restricting them from loading particular plugins or performing memory operations should those browsers become exploited. In addition, we have the capability to deny specific behaviors associated with malicious intent. This is a critical capability against attacks that leverage known-good software to perform malicious activities or zero‑day threats that are unknown by the entire security community and thus bypass traditional tools.

Extensible Detection. We have designed a syntax engine for patterns of attacker behavior that allows for easy sharing across customers and partners, easy ingesting of third‑party feeds and easy exporting into industry standard formats such as Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information. These patterns are primarily sourced from four groups: (i) vendors and commercial providers who showcase common malicious patterns, (ii) expert users who share data with the CB Predictive Security Cloud via the CB User Exchange, our online community of security professionals across our customer and partner network, (iii) advanced analytics on our customer endpoint data provided by the CB Predictive Security Cloud and (iv) our in‑house threat intelligence team. This sharing system does not impact endpoint performance and allows alerts to be emailed, sent to SIEM systems, fed into our proprietary automation engine and sent to a correlation or orchestration engine that may exist in a customer’s environment.

Live Response. We provide proactive recovery, remediation and deep investigation capabilities during all stages of an incident. Our technology provides an incident responder with real‑time access to the suspected endpoints, regardless of location. From a central console, live response enables operational efficiency, including the uploading of additional forensics tools, downloading of more data, isolating of network access and terminating of malicious activity. Alternatively, these operations can be automated based on enterprise‑specific rules.

Open APIs. Our solutions provide organizations with an open platform for seamless integration and extensibility, improving the economics of security operations by enabling automation and reporting. Our open APIs also facilitate faster security response times by easily integrating endpoint data with third‑party security products such as firewalls, detonation tools and exploit mitigation tools, thereby multiplying the value of the customer’s existing security technology investments. Our APIs allow response personnel to both “pull in” capabilities from other security solutions and threat intelligence, as well as expose and “push out” the data captured by our software. As of December 31, 2018, more than 140 integrations with products from over 100 technology partners have been developed.

Reputation Scoring Engine. Our reputation scoring algorithm encompasses a comprehensive catalog of executables, drivers and patches found in commercial applications and software packages. Malware and other unauthorized software that affect Windows, Mac and Linux computers are also indexed. Our reputation scoring engine uses a number of data points, such as age, prevalence, size, source, publisher, community actions, and the relationship to other diagnosed patterns and files to provide our customers with an analysis of the likelihood that the file poses a threat. To ensure that relevant new data is included in our reputation scoring and is marked for dissemination, we have developed internal systems to update our dataset and analytics when new patches, operating system versions and malicious software are discovered.

Customers

Our customer base, which includes both direct sale customers and customers with one or more subscriptions to our platform through channel partners, has grown from approximately 3,700 customers as of December 31, 2017 to more than 5,000 as of December 31, 2018. We have experienced strong growth in the number of customers who use our cloud‑based solutions, from 49 customers in 2015 to nearly 3,000 customers in 2018.

 

Our customer base includes many leading Fortune 1000 companies, including 34 of the Fortune 100. Our solutions are used by organizations of various sizes and types including large and small businesses, universities, and government entities. Our solutions are also industry‑agnostic—our current customer base spans a broad range of industry verticals, including financial services, retail, technology, manufacturing, services, utilities, healthcare, oil and gas, education and government. Our revenue is not dependent on any single customer; however, sales to customers through the reseller agreement with Optiv Security, Inc. accounted for approximately 19%, 27%, and 31%, of our revenue in the years ended December 31, 2018, 2017 and 2016, respectively. See the section titled “Business—Our Partners—Channel Partners” for additional information about our reseller relationship with Optiv Security, Inc. and other channel partners.

 

Our Partners

Technology Partners

Our Carbon Black Integration Network, or CBIN, is a robust partner program designed to improve cybersecurity through collective defense and vendor interoperability. The CBIN is powered by our open APIs and the CB Predictive Security Cloud, providing a network of integrated solutions that help customers increase visibility, efficiency and speed across their security ecosystem. Open APIs enable partners and customers to custom-build their security stack with integrated solutions that amplify the benefits they’ve received from Carbon Black and other security solutions.

Siloed security solutions make it challenging to understand and react to attacks, and without endpoint data, other security tools lack the visibility and context required to prevent, detect and respond quickly and efficiently. By leveraging Carbon Black’s high-value unfiltered endpoint data through seamless, pre-built integrations, customers gain clarity into attack patterns, speeding investigation and analysis, leading to identification and remediation of more attacks.

More than 100 industry-leading security companies are members of our technology partner network, including analytics and SIEM solutions providers, network security providers, IT and security operations solutions providers, and threat intelligence providers. Together, we help customers strengthen their security postures, gain increased visibility into security events, and simplify operations while achieving end-to-end advanced threat protection across their environment.

Carbon Black is committed to open standards and open source: to demonstrate that commitment, we publish full API documentation on our Carbon Black Developer Network website and provide sample code for all our product APIs to our GitHub repository. Leveraging GitHub and the Carbon Black User Exchange, we foster an active community of customers who create and share their own efforts to drive automation and communication across the security stack.

Channel Partners

Our go‑to‑market strategy leverages channel partners, including MSSPs, IR firms and security‑focused VARs, to drive adoption of our products. These partners are an important driver of new business opportunities through their recommendations of our platform and direct sales referrals. In 2018, approximately half of our new customers originated from partner referrals.

Managed Security Service Providers.  MSSPs serve as trusted advisors to their customers, and provide an outsourced and managed security solution, including security hardware, security software and security operations. As the global shortage of security professionals continues to grow, we believe MSSPs will increasingly become a preferred solution for enterprises across industries, as they provide a level of security expertise and resources that organizations may not be able to procure and maintain on their own. We have entered into partnership agreements with more than 100 MSSP partners globally, including IBM, SecureWorks and Trustwave, who utilize our solutions in their delivery of their broader managed service offerings.

Incident Response Firms.  IR firms work with enterprise customers on compromise assessment and data breaches in order to respond to and mitigate the operational, financial and reputational risks associated with these events. Our IR partners utilize the CB Predictive Security Cloud to deploy a Carbon Black sensor into an enterprise environment to assist in their investigation and incident response service engagements. We have entered into partnership agreements with more than 100 IR firms including many of the industry leaders such as International Business Machines Corporation, Kroll Inc., Trustwave Holdings, Deloitte Touche Tohmatsu Limited, Grant Thornton LLP, Ankura Consulting Group, Optiv Security, Inc., Rapid7, Inc., and Ernst & Young LLP. To date, we have trained more than 3,000 partner personnel on our solution. Our IR partners serve as a powerful lead engine for new customers as they demonstrate the effectiveness and value of our solutions during the course of their investigation and remediation engagements.

VARs and Distribution.  Our channel strategy also extends our reach by utilizing leading distributors and security-focused VARs, as well as a wide range of traditional software resellers on a global level. To date, we have partnerships with more than 500 leading security-focused VARs, such as Optiv Security, Inc., CDW Corporation, Dimension Data

Holding Plc and SHI International, and global distributors, such as Arrow Electronics, Inc. Optiv Security, Inc., one of our channel partners, accounted for approximately 19%, 27%, and 31% of our revenue in the years ended December 31, 2018, 2017 and 2016 respectively.

Sales and Marketing

Sales

 

We sell our products through a channel sales model that leverages various partners, including security‑focused VARs, distributors, MSSPs and IR firms. By utilizing a channel model, we are able to generate increased volumes of sales leads, expand our geographic sales reach to key markets such as Europe, the Middle East, Africa and Asia‑Pacific and sell to customers that prefer to outsource some or all of their security needs to MSSPs. Our sales team collaborates with our channel partners to identify new sales prospects, renew expiring contracts and sell additional products and services to existing customers. Our sales team works closely with our end‑user customer prospects at every stage of the sales cycle, regardless of whether the prospect is sourced directly or indirectly. This approach allows us to leverage the benefits of the channel while also building long‑term, trusted relationships with our customers. In the year ended December 31, 2018, 80% of our new and add‑on business was closed in collaboration with our channel partners.

 

Our sales team is organized by customer segment. Larger, enterprise customers (greater than 5,000 employees) are addressed through a field sales organization and we use an inside sales force to sell to SMBs (less than 500 employees) and corporate (500‑5,000 employees) markets. We have a Customer Success Team that focuses exclusively on customer value and education to drive retention and increased sales of our solutions. Our sales representatives are supported by sales engineers with deep technical domain expertise. Our sales engineers act as the liaison between customers and our marketing and product development organizations. Our sales organization includes a dedicated channel team that is responsible for monitoring the effectiveness of our existing channel partners, including VARs, distributors, MSSPs and IR firms, and for sourcing and qualifying new channel partners.

 

Our sales cycle varies by industry and size of company, but can often last multiple months. However, some deals close in only a few weeks due to the shorter time required to provide a product demonstration rather than perform a full “proof of concept.” In addition, organizations that have experienced security breaches typically have shorter sales cycles due to the relative urgency to implement our products to remediate breaches and prevent future attacks.

 

Marketing

Our marketing is focused on building our brand reputation, increasing market awareness of our PSC platform, driving customer demand and a strong sales pipeline and collaborating with our channel partners around the globe. We use a data science driven, multi‑channel approach to deliver thought leadership in security, to drive interest in our platform and to generate leads and opportunities for our sales organization.

 

We engage with our customers, our partners and our greater community to promote education and awareness of the threat landscape and to promote effective and expanded use of our software within our community. We work with our own security experts and researchers, as well as the broader security community, to share important information about vulnerabilities and threats. We share that information through the CB User Exchange, our active online community, our public website, social media and traditional public relations. In addition, we attend and host regional and national events to engage both customers and prospects, deliver product training and foster community collaboration.

 

Our marketing team consists primarily of corporate marketing, product marketing, channel marketing, field marketing, account and lead development, operations and corporate communications. Marketing activities include demand generation, advertising, managing our corporate website and partner portal, attending trade shows and conferences, press and analyst relations and increasing customer awareness.

 

Research and Development

 

Our research and development organization works to plan, build, deliver and maintain our current multi‑product offerings across our customer base while driving innovation with new enhancements, features, and products. We consider our innovative approach to product development to be an asset to our business. We believe our investments in products, our R&D talent and our security community are vital to furthering our leadership and competitive advantage in the security space.

Our engineers, product managers, designers and threat researchers have an extensive reach into the security and cloud platform communities, among both practitioners and developers. We work closely with our customers to continuously develop new functionality while enhancing and maintaining our existing solutions. We utilize agile software development techniques, in combination with a cloud‑based delivery model, which allows us to deliver enhanced software features across our customer base on a frequent basis. Through our agile product development process, our delivery teams are kept closely aligned with customer needs while maintaining flexibility to react to changing market demands. Research and development expense was $64.6 million, $52.0 million, and $36.5 million, during the years ended December 31, 2018, 2017 and 2016, respectively.

 

Competition

 

We operate in the highly competitive cyber security market that is characterized by constant technological innovation, shifting customer requirements and fragmented approaches. The state of our market and the pace of innovation are highly correlated to the ever evolving and equally competitive threat landscape.

 

Within the endpoint security market, we observe the following four general categories of competitors:

 

As the market for next-generation endpoint security grows and IT budgets are either created or expanded to support the procurement of advanced threat protection solutions, we believe the cyber security space will attract more highly specialized niche vendors as well as larger providers with the ability to acquire additional capabilities and market their products more effectively on a global scale. The dimensions of competition include, but are not limited to:

 

We believe we compete favorably on these factors due, in large part, to the features and functionality of our products, our open architecture, our broad community of security professionals and our deep security expertise.

Intellectual Property

Our success depends in part upon our ability to protect our core technology and intellectual property. We rely on, among other things, patents, trademarks, copyrights and trade secret laws, confidentiality safeguards and procedures and employee non‑disclosure and invention assignment agreements to protect our intellectual property rights.

We have 23 U.S. patents and patent applications, and approximately 40 foreign counterpart patents and patent applications. We cannot be certain that any of our patent applications will result in the issuance of a patent or that the examination process will result in patents of valuable breadth or applicability. In addition, any patents that may be issued may be contested, circumvented, found unenforceable or invalidated, and we may not be able to detect or prevent third parties from infringing them. We also license software from third parties for integration into our products, including open source software and other software available on standard terms.

 

We have registered the “Carbon Black” name and logos in the U.S. and certain other countries. We have registrations and/or pending applications for additional marks in the U.S. and other countries; however, we cannot be certain that any future trademark registrations will be issued for pending or future applications that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights.

 

We are the registered holder of a variety of domestic and international domain names that include www.carbonblack.com, as well as similar variations on those names.

 

We control access to and use of our proprietary software, technology and other proprietary information through the use of internal and external controls, including contractual protections with employees, contractors, end customers and partners. Our software is protected by U.S. and international copyright laws and aspects of our software are also protected by patent and trade secret laws. Despite our efforts to protect our software, technology and other proprietary information, unauthorized parties may still copy or otherwise obtain and use our software, technology and other proprietary information. In addition, we intend to expand our international operations, and effective patent, copyright, trademark and trade secret protection may not be available or enforceable or may be limited in foreign countries.

 

If we become more successful, we believe that competitors will be more likely to try to develop solutions and services that are similar to ours and that may infringe our proprietary rights. It may also be more likely that competitors or other third parties will claim that our platform infringes their proprietary rights.

 

Patent and other intellectual property disputes are common in our industry and we have been involved in such disputes from time to time in the ordinary course of our business. Some of our competitors have many more patents than we do, and this asymmetry may provide them with an advantage over us in the event of a patent dispute. See “Risk Factors—Risks Related to Government Regulation, Data Collection, Intellectual Property and Litigation—Our intellectual property rights are valuable and any inability to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.” and “Risk Factors—Risks Related to Government Regulation, Data Collection, Intellectual Property and Litigation—Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.”

 

Employees

 

As of December 31, 2018, we had 1,138 full‑time employees worldwide. None of our U.S. employees are covered by collective bargaining agreements. We believe our employee relations are good and we have not experienced any work stoppages.

 

Corporate Information

 

We were incorporated in the State of Delaware in December 2002 as Bit 9, Inc. In April 2005, we changed our name to Bit9, Inc. In February 2014, Bit9, Inc. acquired Carbon Black, Inc., and in January 2016, we changed our name to Carbon Black, Inc. Our principal executive offices are located at 1100 Winter Street Waltham, Massachusetts 02451, and our telephone number is (617) 393‑7400. Our website address is www.carbonblack.com. Information contained on, or that can be accessed through, our website does not constitute part of this Annual Report on Form 10‑K.

 

Available Information

 

Our Annual Report on Form 10‑K, Quarterly Reports on Form 10‑Q, Current Reports on Form 8‑K, and all amendments to these filings, are available free of charge from our investor relations website (https://investors.carbonblack.com/financial-information/sec-filings) as soon as reasonably practicable following our filing with or furnishing to the Securities and Exchange Commission, or SEC, of any of these reports. The SEC maintains and Internet website (https://www.sec.gov) that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC.

 

Carbon Black investors and others should note that we announce material information to the public about our company, products and services and other issues through a variety of means, including our website (https://www.carbonblack.com/), our investor relations website (https://investors.carbonblack.com/), our blogs (https://www.carbonblack.com/blog/), press releases, SEC filings, public conference calls, and social media, in order to achieve broad, non-exclusionary distribution of information to the public. We encourage our investors and others to review the information we make public in these locations as such information could be deemed to be material information. Please note that this list may be updated from time to time.

 

The contents of any website referred to in this Annual Report on Form 10‑K are not intended to be incorporated into this Annual Report on Form 10‑K or in any other report or document we file with the SEC, and any references to our websites are intended to be inactive textual references only.

 

Item 1A. Risk Factors

A description of the risks and uncertainties associated with our business and industry is set forth below. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10‑K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10‑K. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of may also become important factors that adversely affect our business. If any of the following risks actually occur, our business, financial condition, results of operations and future prospects could be adversely affected. In that event, the market price of our stock could decline, perhaps significantly.

Risks Related to Our Business and Industry

We are a rapidly growing company, which makes it difficult to evaluate our future prospects.

We are a rapidly growing company. Our ability to forecast our future operating results is subject to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly evolving industries. If our assumptions regarding these uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations, our business could suffer and the trading price of our stock may decline.

We have not been profitable historically and may not achieve or maintain profitability in the future.

We have incurred net losses in each year since inception, including net losses of $82.1 million in 2018 and $53.2 million in 2017. As of December 31, 2018, we had an accumulated deficit of $537.5 million. While we have experienced significant revenue growth in recent periods, we are not certain whether or when we will obtain a high enough volume of sales of our products to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs to increase in future periods, which could negatively affect our future operating results if our revenue does not increase. In particular, we expect to continue to expend substantial financial and other resources on:

 

These investments may not result in increased revenue or growth in our business. We expect to continue to devote research and development resources to our on-premise solutions; if our customers and potential customers shift their information technology, or IT, infrastructures to the cloud faster than we anticipate, we may not realize our expected return from the costs we incur. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability over the long term. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed, and we may not achieve or maintain profitability in the future.

If we are unable to sustain our revenue growth rate, we may not achieve or maintain profitability in the future.

Our revenue grew from $160.8 million in 2017 to $209.7 million in 2018, representing a 30% annual growth rate. Although we have experienced rapid growth historically and currently have high customer retention rates, we may not continue to grow as rapidly in the future and our customer retention rates may decline. Any success that we may experience in the future will depend in large part on our ability to, among other things:

 

If we are unable to maintain consistent revenue or revenue growth, our stock price could be volatile, and it may be difficult to achieve and maintain profitability. You should not rely on our revenue for any prior quarterly or annual periods as any indication of our future revenue or revenue growth.

Our quarterly financial results, including our billings and deferred revenue, may fluctuate for a variety of reasons, including our failure to close significant sales before the end of a particular quarter.

A meaningful portion of our revenue is generated by significant sales to new customers and sales of additional products to existing customers. Purchases of our solutions often occur during the last month of each quarter, particularly in the

last quarter of the year. In addition, our sales cycle can last several months from proof of concept to contract negotiation, to delivery of our solution to our customers, and this sales cycle can be even longer, less predictable and more resource-intensive for larger sales. Customers may also require additional internal approvals or seek to test our products for a longer trial period before deciding to purchase our solutions. As a result, the timing of individual sales can be difficult to predict. In some cases, sales have occurred in a quarter subsequent to those we anticipated, or have not occurred at all, which can significantly impact our quarterly financial results and make it more difficult to meet market expectations.

In addition to the sales cycle-related fluctuations noted above, our financial results, including our billings and deferred revenue, will continue to vary as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including:

 

Any of the above factors, individually or in the aggregate, may result in significant fluctuations in our financial and other operating results from period to period. These fluctuations could result in our failure to meet our operating plan or the expectations of investors or analysts for any period. If we fail to meet such expectations for these or other reasons, the trading price of our common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.

We recognize substantially all of our revenue ratably over the term of our agreements with customers and, as a result, downturns or upturns in sales may not be immediately reflected in our operating results.

We recognize substantially all of our revenue ratably over the terms of our agreements with customers, which generally occur over a one- or three-year period. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products, and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers generally will be recognized over the term of the applicable agreement.

We also intend to increase our investment in research and development, sales and marketing and general and administrative functions and other areas to grow our business. These costs are generally expensed as incurred (with the exception of sales commissions), as compared to our revenue, substantially all of which is recognized ratably in future periods.

We are likely to recognize the costs associated with these increased investments earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our operating results.

We face intense competition in our market, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.

Our market is large, highly competitive, fragmented and subject to rapidly evolving technology, shifting customer needs and frequent introductions of new solutions. We expect competition to increase in the future from both established competitors and new market entrants. Our current competitors include legacy antivirus solution providers, such as McAfee and Symantec Corporation, established network security providers, such as Palo Alto Networks, Inc., FireEye, Inc. and Cisco Systems, Inc., and privately held companies, such as Crowdstrike and Cylance. New startup companies, as well as established public and private companies, have entered or are currently attempting to enter the next-generation endpoint security market, some of which are or may become significant competitors in the future. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages such as:

 

In addition, some of our larger competitors have substantially broader and more diverse product offerings and leverage their relationships based on their installed products or incorporate functionality into existing products to gain business in a manner that discourages users from purchasing our products, including by selling their products at zero or negative margins, product bundling or closed technology platforms. Potential customers may also prefer to purchase from their existing suppliers rather than a new supplier regardless of product performance or features. These larger competitors often have broader product lines and market focus and may therefore not be as susceptible to downturns in a particular market. Some of our smaller competitors that specialize in providing point solutions focused on narrow security problems are able to deliver these specialized security solutions to the market on a faster cadence than a typical enterprise class solution. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors or continuing market consolidation. New start-up companies that innovate and large competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our products and technology. Our current and potential competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their resources.

Some of our competitors have made acquisitions of businesses that may allow them to offer more directly competitive and comprehensive solutions than they had previously offered. As a result of such acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of acquisition or other opportunities more readily, or develop and expand their product and service offerings more quickly than we do. For various reasons, organizations may be more willing to incrementally add our competitors’ products to their existing security infrastructure instead of incorporating our products. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, and loss of market share. Any failure to meet and address these factors could seriously harm our business and operating results.

The next-generation endpoint security market is new and evolving, and may not grow as expected.

We believe our future success will depend in large part on the growth, if any, in the market for next-generation endpoint security products. This market is new and evolving, and as such, it is difficult to predict important market trends, including its potential growth, if any. To date, enterprise and corporate cyber security budgets have allocated a majority of dollars to prevention-centric threat protection solutions, such as network, endpoint and web security products designed to stop threats from penetrating corporate networks. Organizations that use these security products may be satisfied with such existing security products and, as a result, these organizations may not adopt our solutions in addition to, or in lieu of, security products they currently use.

Further, sophisticated cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive business data, and changes in the nature of advanced cyber threats could result in a shift in IT budgets away from products such as ours. In addition, while recent high visibility attacks on prominent enterprises and governments have increased market awareness of the problem of cyber attacks, if cyber attacks were to decline, or enterprises or governments perceived that the general level of cyber attacks has declined, our ability to attract new customers and expand our sales to existing customers could be materially and adversely affected. If products such as ours are not viewed by organizations as necessary, or if customers do not recognize the benefit of our products as a critical element of an effective cyber security strategy, our revenue may not grow as quickly as expected, or may decline, and the trading price of our stock could suffer.

In addition, it is difficult to predict customer adoption and retention rates, customer demand for our products, the size and growth rate of the market for next-generation endpoint security, the entry of competitive products or the success of existing competitive products. Any expansion in our market depends on a number of factors, including the cost, performance and perceived value associated with our products and those of our competitors. If these products do not achieve widespread adoption or there is a reduction in demand for products in our market caused by a lack of customer acceptance, technological challenges, competing technologies, products, decreases in corporate spending, weakening economic conditions or otherwise, it could result in reduced customer orders, early terminations, reduced customer retention rates or decreased revenue, any of which would adversely affect our business operations and financial results. You should consider our business and prospects in light of the risks and difficulties we encounter in this new and evolving market.

Forecasts of our market and market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no assurance that our business will grow at similar rates, or at all.

Growth forecasts that we disclose relating to our market opportunities, including our primary endpoint security market and adjacent security markets, and the expected growth thereof are subject to significant uncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets meet our size estimate and experience the forecasted growth, we may not grow our business at a similar rate, or at all. Our growth is subject to many factors, including our success in implementing our business strategy and ability to penetrate adjacent security markets, which is subject to many risks and uncertainties. Accordingly, the forecasts of market growth that we disclose should not be taken as indicative of our future growth.

If our products fail or are perceived to fail to detect cyber attacks, or if our products contain undetected errors or defects, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.

If our products fail or are perceived to fail to detect cyber attacks, including advanced attacks that have never been seen before, in our customers’ endpoints and cyber security infrastructure, or if our products fail to identify and respond to new and increasingly complex methods of cyber attacks, our business and reputation may suffer. There is no guarantee that our products will detect all cyber attacks, especially in light of the rapidly changing security landscape to which we must respond. For example, in August 2017, a blog post alleged a product defect in our CB Response product. We issued a press release stating that the allegation was incorrect, but in the course of evaluating the alleged defect, we uncovered and fixed another defect in our product. We cannot guarantee that our products will not contain undetected errors or defects in the future. Additionally, our products may falsely detect cyber attacks or threats that do not actually exist. For

example, our products rely on third-party reports of identified security threats and information provided by an active community of security professionals. If the information from these third parties is inaccurate, the potential for false indications of security cyber attacks increases. These false positives, while typical in the industry, may impair the perceived reliability of our products, and may therefore adversely impact market acceptance of our products, and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem.

Our products, which are complex, may also contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or defects in the past in connection with new products and product upgrades. We expect that these errors or defects will be found from time to time in the future in new or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect cyber attacks, or temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ business and could hurt our reputation. If our products fail to detect cyber attacks for any reason, we may incur significant costs, the attention of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise.

We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harm our business and operating results. Although we have limitation of liability provisions in our terms and conditions of sale, they may not fully or effectively protect us from claims as a result of federal, state, or local laws or ordinances, or unfavorable judicial decisions in the U.S. or other countries. The sale and support of our also entails the risk of product liability claims. We maintain insurance to protect against certain claims associated with the use of our products, but our insurance coverage may not adequately cover any claim asserted against us. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation, divert management’s time and other resources, and harm our business and reputation.

We rely on channel partners, such as managed security service providers, incident response firms and security-focused value added resellers, to generate a significant portion of our revenue. If we fail to maintain successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell and distribute our products will be limited, and our business, financial position and results of operations will be harmed.

In addition to our direct sales force, we rely on our channel partners to sell our products. A majority of our revenue is generated by our channel partners, including managed service security providers, incident response firms and value added resellers. In addition, in 2018, 80% of our new and add-on business was closed in collaboration with our channel partners. We expect to continue to focus on generating sales to new and existing customers through our channel partners as a part of our growth strategy.

We provide our sales channel partners with specific training and programs to assist them in selling our products, but there can be no assurance that these steps will be effective. In addition, our channel partners may be unsuccessful in marketing, selling and supporting our products. If we are unable to develop and maintain effective sales incentive programs for our third-party channel partners, we may not be able to incentivize these partners to sell our products to customers and, in particular, to large enterprises. Our agreements with our channel partners are generally non-exclusive and these partners may also market, sell and support products that are competitive with ours and may devote more resources to the marketing, sales and support of such competitive products. These partners may have incentives to promote our competitors’ products to the detriment of our own or may cease selling our products altogether. Our channel partners may cease or deemphasize the marketing of our products with limited or no notice and with little or no penalty. Our agreements with our channel partners may generally be terminated for any reason by either party with advance notice prior to each annual renewal date. We cannot be certain that we will retain these channel partners or that we will be able to secure additional or replacement channel partners. The loss of one or more of our significant channel partners or a decline in the number or size of orders from them could harm our operating results. In addition, any new sales channel partner requires extensive training and may take several months or more to achieve productivity. Our channel partner sales structure could subject us to lawsuits, potential liability and reputational harm if, for example, any of our channel partners misrepresent the functionality of our products, subscriptions or services to customers or violate laws or our corporate policies.

If we fail to effectively manage our existing sales channels, or if our channel partners are unsuccessful in fulfilling the orders for our products, or if we are unable to enter into arrangements with, and retain a sufficient number of, high quality channel partners in each of the regions in which we sell products and keep them motivated to sell our products, our ability to sell our products and operating results will be harmed. The termination of our relationship with any significant channel partner may also adversely impact our sales and operating results.

If we are unable to acquire new customers, our future revenues and operating results will be harmed.

Our success depends on our ability to acquire new customers, including large enterprise customers. If we are unable to attract a sufficient number of new customers, we may be unable to generate revenue growth at desired rates. Many enterprise customers operate in increasingly complex IT environments and require additional features and functionality, as well as higher levels of support than smaller customers. If our solutions are perceived as insufficient to meet the needs of large enterprises, we may be limited in our ability to acquire large enterprise customers. The next-generation endpoint security market is competitive and many of our competitors have substantial financial, personnel and other resources that they utilize to develop solutions and attract customers. As a result, it may be difficult for us to add new customers to our customer base. Competition in the marketplace may also lead us to win fewer new customers or result in us providing discounts and other commercial incentives. Additional factors that impact our ability to acquire new customers include the perceived need for next-generation endpoint security, the size of our prospective customers’ IT budgets, the utility and efficacy of our existing and new products, whether proven or perceived, and general economic conditions. These factors may have a meaningful negative impact on future revenues and operating results.

If we are unable to sell additional products to our customers and maintain and grow our customer retention rates, our future revenue and operating results will be harmed.

Our future success depends, in part, on our ability to expand the deployment of our products with existing customers by selling them additional products. This may require increasingly sophisticated and costly sales efforts and may not result in additional sales. In addition, the rate at which our customers purchase additional products depends on a number of factors, including the perceived need for additional next-generation endpoint security as well as general economic conditions. If our efforts to sell additional products to our customers are not successful, our business may suffer.

Further, to maintain or improve our operating results, it is important that our customers renew their agreements with us when the existing term expires. Our customers have no obligation to renew their agreements upon expiration of the applicable contract term, and we cannot provide assurance that customers will renew subscriptions or support agreements. The rate of customer retention may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction or dissatisfaction with our products, the effectiveness of our customer support services, our pricing, the prices of competing products, subscriptions or services, mergers and acquisitions affecting our customer base, or reductions in our customers’ budgets and spending levels. If our end-use customers do not renew their agreements, or renew on less favorable terms, our revenue may decline, our business may suffer, and we may not realize improved operating results from our customer base.

If we do not successfully anticipate market needs and enhance our existing products or develop new products that meet those needs on a timely basis, we may not be able to compete effectively and our ability to generate revenues will suffer.

Our customers operate in markets characterized by rapidly changing technologies and business plans, which require them to adapt to increasingly complex IT infrastructures that incorporate a variety of hardware, software applications, operating systems and networking protocols. As our customers’ technologies and business plans grow more complex, we expect them to face new and increasingly sophisticated methods of attack. We face significant challenges in ensuring that our products effectively identify and respond to these advanced and evolving attacks without disrupting the performance of our customers’ IT infrastructures. As a result, we must continually modify and improve our products in response to changes in our customers’ IT infrastructures.

We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to develop product enhancements or new products to meet such needs or opportunities in a timely manner, if at all. Even if we are

able to anticipate, develop and commercially introduce enhancements and new products, there can be no assurance that enhancements or new products will achieve widespread market acceptance.

New products, as well as enhancements to our existing products, could fail to attain sufficient market acceptance for many reasons, including:

 

If we fail to anticipate market requirements or fail to develop and introduce product enhancements or new products to meet those needs in a timely manner, it could cause us to lose existing customers and prevent us from gaining new customers, which would significantly harm our business, financial condition and results of operations.

While we continue to invest significant resources in research and development to ensure that our products continue to address the cyber security risks that our customers face, the introduction of products embodying new technologies could also render our existing products or services obsolete or less attractive to customers. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected.

If our products do not effectively integrate with our customers’ IT infrastructure, or if our technology partners no longer support our products or allow us to integrate with their programs, our business could suffer.

Our products must effectively integrate with our customers’ existing or future IT infrastructure, which often has different specifications, utilizes multiple protocol standards, deploys products from multiple vendors and contains multiple generations of products that have been added over time. As a result, when problems occur in a network, it may be difficult to identify the sources of these problems. If we find errors in the existing software or defects in the hardware used in our customers’ infrastructure or problematic network configurations or settings, we may have to modify our software or hardware so that our products will integrate with our customers’ infrastructure. In such cases, our products may be unable to provide significant performance improvements for applications deployed in our customers’ infrastructure. These issues could cause longer installation times for our products and could cause order cancellations, either of which would adversely affect our business, results of operations and financial condition. Additionally, any changes in our customers’ IT infrastructure that degrade the functionality of our products or services or give preferential treatment to competitive software could adversely affect the adoption and usage of our products.

Further, if our technology partners no longer support our products or allow us to integrate with customers’ IT infrastructure, or if we do not maintain these integrations, the functionality of our products may be reduced and our products may not be as marketable to certain existing and potential customers.

If our products are late in achieving or fail to achieve compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations and financial condition.

If our products fail to help our customers achieve and maintain compliance with regulations and/or industry standards, our revenue and operating results could be harmed.

We generate a portion of our revenue from our product offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our product offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that process, transmit or store cardholder data. In addition, our product and service offerings are used by customers in the healthcare industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In particular, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy and data security standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The foregoing and other state, federal and international legal and regulatory regimes may affect our customers’ requirements for, and demand for, our products and professional services. Governments and industry organizations, such as the PCI Council, may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our products. If we are unable to adapt our products to changing legal and regulatory standards or other requirements in a timely manner, or if our products fail to assist with, or expedite, our customers’ cyber security defense and compliance efforts, our customers may lose confidence in our products, and could switch to products offered by our competitors or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.

In addition, government and other customers may require our products to comply with certain privacy and security regulations, or other certifications and standards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations and financial condition.

As a cyber security provider, we have been, and expect to continue to be, a target of cyber attacks that could adversely impact our reputation and operating results.

We will not succeed unless the marketplace is confident that we provide effective next-generation endpoint security protection. Because we sell next-generation endpoint security solutions, we may be an attractive target for attacks by cyber attackers or other data thieves, since a breach of our system could provide information regarding us or our customers. Accordingly, we have been, and expect to continue to be, a target of cyber attacks designed to interrupt or impede the performance of our products or the security of our cloud platform, penetrate our network security or our internal systems, or those of our customers, or to misappropriate proprietary information. For example, in 2012, we were subject to an unauthorized breach of one of our computer systems that was not protected by our platform. As a result of this attack, which we discovered in January 2013, a malicious third party gained temporary access to one of our digital code-signing certificates. This third party then used this certificate to sign malware that would not be blocked by our CB Protection security software. That malware was installed on the computers of several of our customers. While we have undertaken substantial remedial efforts to prevent similar incidents from occurring in the future, we cannot guarantee that we will not be the target of additional cyber attacks and that future cyber attacks will not be successful.

We have experienced increased visibility as a public company, which could have the effect of attracting the attention of more cyber attackers than would otherwise target us. If our systems are breached, attackers could learn critical information about how our products operate to help protect our customers’ endpoints, thereby making our customers more vulnerable to cyber attacks. In addition, if actual or perceived breaches of our platform occur, they could adversely affect the market perception of our products, negatively affecting our reputation, and may expose us to the loss of our proprietary information or information belonging to our customers, investigations or litigation and possible liability, including injunctive relief and monetary damages. Such security breaches could also divert the efforts of our technical

and management personnel. In addition, such security breaches could impair our ability to operate our business and provide products to our customers. If this happens, our reputation could be harmed, our revenue could decline and our business could suffer.

Our business and operations are experiencing rapid growth, and if we do not appropriately manage our future growth, or are unable to scale our systems and processes, our operating results may be negatively affected.

We are a rapidly growing company. To manage future growth effectively, and in connection with our transition to being a public company, we will need to continue to improve and expand our internal IT systems, financial infrastructure and operating and administrative systems and controls, which we may not be able to do efficiently, in a timely manner or at all. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to investors losing confidence in our internal systems and processes.

If we are not successful in our continued international expansion, our operating results may be negatively affected.

We have a limited history of marketing, selling and supporting our products internationally. In 2018, we generated approximately 17% of our revenue from customers located outside of the U.S. Our growth strategy is dependent, in part, on our continued international expansion. We expect to conduct a significant amount of our business with organizations that are located outside the U.S., particularly in Europe and Asia. As a result, we must hire and train experienced personnel to staff and manage our foreign operations. To the extent that we experience difficulties in recruiting, training, managing and retaining international employees, particularly managers and other members of our international sales team, we may experience difficulties in sales productivity in, or market penetration of, foreign markets. We also enter into strategic distributor and reseller relationships with companies in certain international markets where we do not have a local presence. If we are not able to maintain successful strategic distributor relationships with our international channel partners or recruit additional channel partners, our future success in these international markets could be limited. Business practices in the international markets that we serve may differ from those in the U.S. and may require us to include non-standard terms in customer contracts. To the extent that we enter into customer contracts in the future that include non-standard terms related to payment or performance obligations, our results of operations may be adversely impacted.

Our business, including the sales of our products by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to comply with these laws and policies, there can be no assurance that our employees, contractors, channel partners and agents have complied, or will comply, with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products, and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.

Additionally, our international sales and operations are subject to a number of risks, including the following:

 

These and other factors could harm our ability to generate future international revenue and, consequently, materially impact our business, results of operations and financial condition.

We provide service level commitments for cloud-based delivery of our products and support. Any future service disruption could obligate us to provide service credits and we could face subscription or support agreement terminations, which could adversely affect our revenue.

Our agreements with customers provide certain service level commitments, including with respect to uptime requirements for cloud-based delivery of our services and response time for support. If we are unable to meet the stated service level commitments or suffer extended periods of downtime that exceed the periods allowed under our customer agreements, we could be required to provide service credits or face subscription terminations, either of which could significantly impact our revenue.

Our customers depend on our customer support team to resolve technical issues relating to our products. We may be unable to respond quickly enough to accommodate short-term increases in customer demand for support services. Increased customer demand for these services, without corresponding revenue, could increase costs and adversely affect our operating results. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality support, could adversely affect our reputation and our ability to sell our products to existing and prospective customers, or could result in terminations of existing customer agreements.

We are dependent on the continued services and performance of our senior management and other key employees, as well as on our ability to successfully hire, train, manage and retain qualified personnel, especially those in sales and marketing and research and development.

Our future performance depends on the continued services and contributions of our senior management, particularly Patrick Morley, our President and Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursue new opportunities and product innovations. We do not maintain key man insurance for any of our executive officers or key employees. From time to time, there may be changes in our senior management team resulting from the termination or departure of our executive officers and key employees. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of the services of our senior management, particularly Mr. Morley, or other key employees for any reason could significantly delay or prevent our development or the achievement of our strategic objectives and harm our business, financial condition and results of operations.

Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivate and retain our personnel, especially those in sales and marketing and research and development. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain additional qualified employees in the

future. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products, or market our existing products at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing, research and development and engineering positions, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like, or at all.

If we do not effectively expand, train and retain qualified sales and marketing personnel, we may be unable to acquire new customers or sell additional products to successfully pursue our growth strategy.

We depend significantly on our sales force to attract new customers and expand sales to existing customers. As a result, our ability to grow our revenue depends in part on our success in recruiting, training and retaining sufficient numbers of sales personnel to support our growth, particularly in the U.S., Europe, the Middle East, Africa and Asia Pacific. We expect to continue to expand our sales and marketing personnel significantly and face a number of challenges in achieving our hiring and integration goals. There is intense competition for individuals with sales training and experience. In addition, the training and integration of a large number of sales and marketing personnel in a short time requires the allocation of significant internal resources. We invest significant time and resources in training new sales force personnel to understand our products, platform and our growth strategy. Based on our past experience, it takes approximately six to twelve months before a new sales force member operates at target performance levels, depending on their role. However, we may be unable to achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as we have done in the past. Our failure to hire a sufficient number of qualified sales force members and train them to operate at target performance levels may materially and adversely impact our projected growth rate.

If the general level of advanced cyber attacks declines, or is perceived by our current or potential customers to have declined, our business could be harmed.

Our business is substantially dependent on enterprises and governments recognizing that advanced cyber attacks are pervasive and are not effectively prevented by legacy security products. High visibility attacks on prominent enterprises and governments have increased market awareness of the problem of advanced cyber attacks and help to provide an impetus for enterprises and governments to devote resources to protecting against advanced cyber attacks, such as testing our products, purchasing them and broadly deploying them within their organizations. If advanced cyber attacks were to decline, or enterprises or governments perceived that the general level of advanced cyber attacks has declined, our ability to attract new customers and expand sales of our products to existing customers could be materially and adversely affected. A reduction in the threat landscape could increase our sales cycles and harm our business, results of operations and financial condition.

Organizations have been and may continue to be reluctant to purchase cyber security offerings that are cloud-based due to the actual or perceived vulnerability of cloud solutions.

Some organizations, particularly in certain geographies and industries, such as defense and financial services, have been and may continue to be reluctant to use cloud solutions for cyber security because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with this solution. If we or other cloud service providers experience security incidents, breaches of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole may be negatively impacted.

If we cannot maintain our company culture as we grow, we could lose the innovation, teamwork, passion and focus on execution that we believe contribute to our success and our business may be harmed.

We believe that a critical component to our success has been our company culture, which we believe fosters innovation, teamwork, passion for customers and focus on execution, and facilitates critical knowledge transfer, knowledge sharing and professional growth. We have invested substantial time and resources in building our team within this company

culture. Any failure to preserve our culture could negatively affect our ability to retain and recruit personnel and to effectively focus on and pursue our corporate objectives. As we grow and develop the infrastructure of a public company, we may find it difficult to maintain these important aspects of our company culture. If we fail to maintain our company culture, our business may be adversely impacted.

Fluctuating economic conditions make it difficult to predict revenue for a particular period, and a shortfall in revenue may harm our operating results.

Our revenue depends significantly on general economic conditions and the demand for products in the next-generation endpoint security market. Economic weakness, customer financial difficulties and constrained spending on cyber security may result in decreased revenue and earnings. Such factors could make it difficult to accurately forecast our sales and operating results and could negatively affect our ability to provide accurate forecasts of our costs and expenses. In addition, concerns regarding continued budgetary challenges in the U.S. and Europe, geopolitical turmoil and terrorism in many parts of the world, and the effects of climate change have and may continue to put pressure on global economic conditions and overall spending on cyber security. Currently, most enterprises and governments have not allocated a fixed portion of their budgets to protect against next-generation advanced cyber attacks. If we do not succeed in convincing customers that our products should be an integral part of their overall approach to cyber security and that a fixed portion of their annual security budgets should be allocated to our products, general reductions in security spending by our customers are likely to have a disproportionate impact on our business, results of operations and financial condition. General economic weakness may also lead to longer collection cycles for payments due from our customers, an increase in customer bad debt, restructuring initiatives and associated expenses and impairment of investments. Furthermore, the continued weakness and uncertainty in worldwide credit markets, including the sovereign debt situation in certain countries in the European Union, or EU, may adversely impact the ability of our customers to adequately fund their expected capital expenditures, which could lead to delays or cancellations of planned purchases of our products.

Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about future investments. Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial difficulties and reductions in spending on cyber security could have a material adverse effect on demand for our products, and consequently on our business, financial condition and results of operations.

If we are not able to maintain and enhance our brand or reputation as an industry leader, our business and operating results may be adversely affected.

We believe that maintaining and enhancing our reputation as a leader in next-generation endpoint security is critical to our relationship with our existing end-use customers and channel partners and our ability to attract new customers and channel partners. The successful promotion of our brand will depend on a number of factors, including our marketing efforts, our ability to continue to develop high-quality features for our products and our ability to successfully differentiate our products from those of our competitors. Our brand promotion activities may not be successful or yield increased revenue. In addition, independent industry analysts often provide reports of our solutions, as well as the solutions of our competitors, and perception of our solutions in the marketplace may be significantly influenced by these reports. If these reports are negative, or less positive as compared to those of our competitors’ products, our reputation may be adversely affected. Additionally, the performance of our channel partners may affect our brand and reputation if customers do not have a positive experience with our products as implemented by our channel partners or with the implementation generally. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new geographies and vertical markets and as more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and reputation, our business and operating results may be adversely affected.

Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and infrastructure.

Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of, and the ability of our existing customers and new customers to access and use, our solutions and infrastructure. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, equipment failure, human or software errors, capacity constraints and fraud or security attacks. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.

We operate and maintain our infrastructure at our headquarters and by using third-party data centers located in the Boston, Massachusetts area. We also utilize Amazon Web Services, or AWS, for the delivery of our cloud-based products. In addition, our ability to access certain third-party software-as-a-service, or SaaS, solutions, such as Salesforce, is important to our operations and our ability to execute sales. Some elements of this complex system are operated by third parties that we do not control and that could require significant time to replace. We expect this dependence on third parties to continue. Interruptions in our systems or the third-party systems on which we rely, whether due to system failures, computer viruses, physical or electronic break-ins, or other factors, could affect the security or availability of our products, network infrastructure, cloud infrastructure and website.

Prolonged delays or unforeseen difficulties in connection with adding capacity or upgrading our network architecture when required may cause our service quality to suffer. Problems with the reliability or security of our systems could harm our reputation. Damage to our reputation and the cost of remedying these problems could negatively affect our business, financial condition and operating results.

Additionally, our existing data center facilities and third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time. If we are unable to maintain or renew our agreements with these providers on commercially reasonable terms or if in the future we add additional data center facilities or third-party hosting providers, we may experience costs or downtime as we transition our operations.

Any disruptions or other performance problems with our products could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenue, cause us to issue credits to customers, subject us to potential liability and cause customers to not renew their purchases or our products.

In deploying our cloud-based SaaS products, we rely upon AWS to operate our cloud-based offerings; any disruption or interference with our use of AWS would adversely affect our business, results of operations and financial condition.

AWS is a third-party provider of cloud infrastructure services. We outsource substantially all of the infrastructure relating to our cloud offerings to AWS. Our Predictive Security Cloud resides on hardware owned or leased and operated by us at the AWS data centers. Customers of our cloud-based SaaS products need to be able to access our platform at any time, without interruption or degradation of performance, and we provide them with service level commitments with respect to uptime. Our cloud-based SaaS products depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture, features and interconnection specifications, as well as the information stored in these virtual data centers and which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake or other natural disasters, cyber attacks, terrorist or other attacks, and other similar events beyond our control could negatively affect our cloud-based SaaS products. For example, in September 2015 and February 2017, AWS suffered significant outages that had a widespread impact on cloud-based software and services companies. Although our customers were not affected by that outage, a similar outage could render our cloud-based offerings inaccessible to customers. A prolonged AWS service disruption affecting our cloud-based offerings for any of the foregoing reasons would negatively impact our ability to serve our customers and could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We

may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the AWS services we use.

In addition, AWS may terminate the agreement with us by providing two years’ prior written notice, and may terminate the agreement for cause with 30 days’ prior written notice, including any material breach of the agreement by us that we do not cure within the 30‑day cure period. In the event that our AWS service agreements are terminated, or there is a lapse of service, elimination of AWS services or features that we utilize, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform as well as significant delays and additional expense in arranging or creating new facilities and services and/or re-architecting our cloud offering for deployment on a different cloud infrastructure service provider, which may adversely affect our business, operating results and financial condition.

If we fail to manage our operations infrastructure, our customers may experience service outages and/or delays.

Our future growth is dependent upon our ability to continue to meet the expanding needs of our customers and to attract new customers. As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure as well as our dependence on third parties to support that infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure to support changes in hardware and software parameters and the evolution of our solutions, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our revenue.

If our customers are unable to implement our products successfully, customer perceptions of our products may be impaired or our reputation and brand may suffer.

Our products are deployed in a wide variety of IT environments, including large-scale, complex infrastructures. Some of our customers have experienced difficulties implementing our products in the past and may experience implementation difficulties in the future. If our customers are unable to implement our products successfully, customer perceptions of our products may be impaired or our reputation and brand may suffer.

In addition, for our products to achieve their functional potential, our products must effectively integrate into our customers’ IT infrastructures, which have different specifications, utilize varied protocol standards, deploy products from multiple different vendors and contain multiple layers of products that have been added over time. Our customers’ IT infrastructures are also dynamic, with a myriad of devices and endpoints entering and exiting the customers’ IT systems on a regular basis, and our products must be able to effectively adapt to and track these changes.

Any failure by our customers to appropriately implement our products or any failure of our products to effectively integrate and operate within our customers’ IT infrastructures could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation and harm our financial results.

We have in the past completed acquisitions and may acquire or invest in other companies or technologies in the future, which could divert management’s attention, fail to meet our expectations, result in additional dilution to our stockholders, increase expenses, disrupt our operations or otherwise harm our operating results.

We have in the past acquired, and we may in the future acquire or invest in, businesses, products or technologies that we believe could complement or expand our platform, enhance our technical capabilities or otherwise offer growth opportunities. For example, in February 2014, we acquired Carbon Black (our name at the time was Bit9, Inc.), a threat detection and response software company; in 2015, we acquired Objective Logistics Inc., a software company, and VisiTrend, Inc., a security analytics company; and in 2016, we acquired Confer Technologies, Inc., a next-generation antivirus software company. We may not be able to fully realize the anticipated benefits of these or any future

acquisitions. The pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses related to identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated.

There are inherent risks in integrating and managing acquisitions. If we acquire additional businesses, we may not be able to assimilate or integrate the acquired personnel, operations, products, services and technologies successfully or effectively manage the combined business following the acquisition and our management may be distracted from operating our business. We also may not achieve the anticipated benefits from the acquired business due to a number of factors, including, without limitation:

 

Acquisitions also increase the risk of unforeseen legal liability, including for potential violations of applicable law or industry rules and regulations, arising from prior or ongoing acts or omissions by the acquired businesses that are not discovered by due diligence during the acquisition process. Generally, if an acquired business fails to meet our expectations, our operating results, business and financial condition may suffer. Acquisitions could also result in dilutive issuances of equity securities or the incurrence of debt, which could adversely affect our business, results of operations and financial condition.

In addition, a significant portion of the purchase price of companies we acquire may be allocated to goodwill and other intangible assets, which must be assessed for impairment at least annually. If our acquisitions do not ultimately yield expected returns, we may be required to take charges to our operating results based on our impairment assessment process, which could harm our results of operations.

The failure of our customers to correctly use our products, or our failure to effectively assist customers in installing our products and provide effective ongoing support, may harm our business.

Our customers depend in large part on customer support delivered by us to resolve issues relating to the use of our products. However, even with our support, our customers are ultimately responsible for effectively using our products, and ensuring that their IT staff is properly trained in the use of our products, and complementary security products. The failure of our customers to correctly use our products, or our failure to effectively assist customers in installing our products and provide effective ongoing support, may result in an increase in the vulnerability of our customers’ IT infrastructures and sensitive business data. We are also in the process of expanding our certification program and professional service organization. It can take significant time and resources to recruit, hire and train qualified technical support and service employees. We may not be able to keep up with demand, particularly if the sales of our products exceed our internal forecasts. To the extent that we are unsuccessful in hiring, training and retaining adequate support resources, our ability to provide adequate and timely support to our customers may be negatively impacted, and our customers’ satisfaction with our products may be adversely affected. Additionally, in unusual circumstances, if we were to need to rely on our sales engineers to provide post-sales support while we are growing our service organization, our

sales productivity may be negatively impacted. Accordingly, our failure to provide satisfactory maintenance and technical support services could have a material and adverse effect on our business and results of operations.

The sales prices of our products and services may decrease, which may reduce our gross profits and adversely impact our financial results.

The sales prices for our products and services may decline for a variety of reasons, including competitive pricing pressures, discounts, a change in our mix of products and services, anticipation of the introduction of new products or promotional programs. Competition continues to increase in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Larger competitors with more diverse product and service offerings may reduce the price of products that compete with ours or may bundle them with other products and services. Additionally, currency fluctuations in certain countries and regions may negatively impact prices that partners and customers are willing to pay in those countries and regions. Furthermore, we anticipate that the sales prices and gross profits for our products will decrease over product life cycles. We cannot be certain that we will be successful in developing and introducing new products with enhanced functionality on a timely basis, or that our new product offerings, if introduced, will enable us to maintain our prices and gross profits at levels that will allow us to maintain positive gross margins and achieve profitability.

We incorporate technology from third parties into our products, and our inability to obtain or maintain rights to the technology could harm our business.

We incorporate technology from third parties into our products. We cannot be certain that our suppliers and licensors are not infringing the intellectual property rights of third parties or that the suppliers and licensors have sufficient rights to the technology in all jurisdictions in which we may sell our products. We may not be able to rely on indemnification obligations of third parties if some of our agreements with our suppliers and licensors may be terminated for convenience by them. If we are unable to obtain or maintain rights to any of this technology because of intellectual property infringement claims brought by third parties against our suppliers and licensors or against us, or if we are unable to continue to obtain such technology or enter into new agreements on commercially reasonable terms, our ability to develop and sell products, subscriptions and services containing such technology could be severely limited, and our business could be harmed. Additionally, if we are unable to obtain necessary technology from third parties, including certain sole suppliers, we may be forced to acquire or develop alternative technology, which may require significant time, cost and effort and may be of lower quality or performance standards. This would limit and delay our ability to offer new or competitive products, and increase our costs of production. If alternative technology cannot be obtained or developed, we may not be able to offer certain functionality as part of our products, subscriptions and services. As a result, our margins, market share and results of operations could be significantly harmed.

Our products contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.

Our products contain software licensed to us by third parties under so-called “open source” licenses. Open source software is typically freely accessible, usable and modifiable. Certain open source software licenses require a user who intends to distribute the open source software as a component of the user’s software to disclose publicly part or all of the source code to the user’s software. In addition, certain open source software licenses require the user of such software to make any derivative works of the open source code available to others on unfavorable terms or at no cost. This can subject previously proprietary software to open source license terms. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.

Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. The terms of certain open source licenses require us to release the source code of our applications and to make our applications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the event that portions of our applications are determined to be subject to an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and time and ultimately could result in a loss of sales for us. Disclosing the source code of our proprietary software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in our products failing to provide our customers with the security they expect. Any of these events could have a material adverse effect on our business, operating results and financial condition.

We therefore could also be subject to claims alleging that we have not complied with the restrictions or limitations of the applicable open source software license terms. In that event, we could incur significant legal expenses, be subject to significant damages, be enjoined from further sale and distribution of our products or solutions that use the open source software, be required to pay a license fee, be forced to reengineer our products and solutions or be required to comply with the foregoing conditions of the open source software licenses (including the release of the source code to our proprietary software), any of which could adversely affect our business. Even if these claims do not result in litigation or are resolved in our favor or without significant cash settlements, the time and resources necessary to resolve them could harm our business, results of operations, financial condition and reputation.

Our sales cycles can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, our sales and revenue are difficult to predict and may vary substantially from period to period, which may cause our results of operations to fluctuate significantly.

Our results of operations may fluctuate, in part, because of the resource intensive nature of our sales efforts, the length and variability of our sales cycle and the short-term difficulty in adjusting our operating expenses. Our results of operations depend in part on sales to large organizations. The length of our sales cycle, from proof of concept to delivery of and payment for our platform, is typically three to nine months but can be more than a year for large enterprise customers. To the extent our competitors develop solutions that our prospective customers view as equivalent to ours, our average sales cycle may increase. Because the length of time required to close a sale varies substantially from customer to customer, it is difficult to predict exactly when, or even if, we will make a sale with a potential customer. As a result, large individual sales have, in some cases, occurred in quarters subsequent to those we anticipated, or have not occurred at all. The loss or delay of one or more large transactions in a quarter could impact our results of operations for that quarter and any future quarters for which revenue from that transaction is delayed. As a result of these factors, it is difficult for us to forecast our revenue accurately in any quarter. Because a substantial portion of our expenses are relatively fixed in the short term, our results of operations will suffer if our revenue falls below our or analysts’ expectations in a particular quarter, which could cause the price of our common stock to decline.

A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.

Selling to government entities can be highly competitive, expensive and time-consuming, and often requires significant upfront time and expense without any assurance that we will win a sale. Government demand and payment for our solutions may also be impacted by changes in fiscal or contracting policies, changes in government programs or applicable requirements, the adoption of new laws or regulations or changes to existing laws or regulations, public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions. Government entities also have heightened sensitivity surrounding the purchase of cyber security products due to the critical importance of their IT infrastructures, the nature of the information contained within those infrastructures and the fact that they are highly visible targets for cyber attacks. Accordingly, increasing sales of our products to government entities may be more challenging than selling to commercial organizations, especially given

extensive certification, clearance and security requirements. Government agencies may have statutory, contractual or other legal rights to terminate contracts with us or channel partners. Further, in the course of providing our solutions to government entities, our employees and those of our channel partners may be exposed to sensitive government information. Any failure by us or our channel partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit may cause the government to shift away from our solutions and may result in a reduction of revenue, fines or civil or criminal liability if the audit uncovers improper or illegal activities, which could adversely impact our results or operations.

Our efforts to expand our international sales and operations may increasingly expose us to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our reporting currency is the U.S. dollar, and we generate a substantial majority of our revenue and expenses in U.S. dollars. In 2018, approximately 12% of our revenue was generated in foreign currencies from customers located outside of the U.S. Additionally, in 2018, we incurred approximately 8% of our expenses outside of the U.S. in foreign currencies, primarily the British pound, principally with respect to salaries and related personnel expenses associated with our sales operations. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. Accordingly, as we continue with our anticipated international expansion, changes in exchange rates may have an increasingly adverse effect on our business, operating results and financial condition. To date, we have not engaged in any hedging strategies, and any such strategies, such as forward contracts, options and foreign exchange swaps related to transaction exposures that we may implement to mitigate this risk may not eliminate our exposure to foreign exchange fluctuations.

Changes in or interpretations of financial accounting standards may cause an adverse impact to our reported results of operations.

We prepare our consolidated financial statements in conformity with generally accepted accounting principles in the U.S., or GAAP. These principles are subject to interpretation by the Securities and Exchange Commission, or SEC, and various bodies formed to interpret and create appropriate accounting standards. It is possible that future requirements could change our current application of GAAP, resulting in a material adverse impact on our reported results of operations or financial position, and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results or the way we conduct our business.

We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.

We intend to continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.

Our existing credit agreement contains operating and financial covenants that may adversely impact our business and the failure to comply with such covenants could prevent us from borrowing funds and could cause any outstanding debt to become immediately payable.

We are a party to a line of credit with Silicon Valley Bank. Borrowings under this line of credit are secured by substantially all of our assets, excluding certain intellectual property rights. We are also subject to various financial reporting requirements and financial covenants under the line of credit, including maintaining specified liquidity measurements. In addition, there are negative covenants restricting our activities, including limitations on dispositions, mergers or acquisitions; encumbering intellectual property; incurring indebtedness or liens; paying dividends and redeeming or repurchasing capital stock; making certain investments; and engaging in certain other business transactions. The obligations under the line of credit are subject to acceleration upon the occurrence of specified events of default, including a material adverse change in our business, operations or financial or other condition. These restrictions and covenants, as well as those contained in any future financing agreements that we may enter into, may restrict our ability to finance our operations and to engage in, expand or otherwise pursue our business activities and strategies. Our ability to comply with these covenants may be affected by events beyond our control, and breaches of these covenants could result in a default under the credit agreement and any future financial agreements that we may enter into. If not waived, defaults could cause our outstanding indebtedness under our credit agreement and any future financing agreements that we may enter into to become immediately due and payable.

Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by manmade problems such as terrorism.

A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. In addition, natural disasters could affect our channel partners’ ability to perform services for us on a timely basis. In the event we or our channel partners are hindered by any of the events discussed above, our ability to provide our products to customers could be delayed.

In addition, our facilities and those of our third-party data centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a natural disaster, power failure or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events or may be insufficient to compensate us for the potentially significant losses, including the potential harm to the future growth of our business, that may result from interruptions in our platform as a result of system failures.

All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our third-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our business, financial condition and results of operations could be adversely affected.

Risks Related to Government Regulation, Data Collection, Intellectual Property and Litigation

Failure to comply with governmental laws and regulations could harm our business.

Our business is subject to regulation by various federal, state, local and foreign governments. In certain jurisdictions, these regulatory requirements may be more stringent than those in the U.S. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.

We are subject to governmental export controls and economic sanctions regulations that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.

Like other U.S.-origin cyber security products, our products are subject to U.S. export control laws and regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in compliance with these laws and regulations. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or sanctions laws and regulations, shifts in the enforcement or scope of existing laws and regulations, or changes in the countries, governments, persons or products targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers. A decreased use of our products or limitation on our ability to export or sell our products could adversely affect our business, financial condition and results of operations.

Further, our products incorporate encryption technology. These encryption products may be exported outside of the U.S. only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations; such items may also be subject to certain regulatory reporting requirements. Further, U.S. export control laws and economic sanctions prohibit the shipment or provision of certain products to U.S.-embargoed or sanctioned countries, governments or persons as well as the exposure of software code to nationals of embargoed countries. Although we take precautions to prevent our products from being provided or exposed to those subject to U.S. sanctions, such measures may be circumvented or inadvertently violated.

In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our customers’ ability to implement our products in those countries.

Multinational efforts are currently underway as part of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, or the Wassenaar Arrangement, to impose additional restrictions on certain cyber security products. To implement the controls under the Wassenaar Arrangement in the U.S., on May 20, 2015, the U.S. Department of Commerce’s Bureau of Industry and Security, or BIS, published a proposed rule for public comment that would amend the Export Administration Regulations with regard to exports, reexports and transfers (in-country) of specified intrusion software, surveillance items and related software and technology. Under the proposed rule, intrusion software and surveillance items were defined broadly and would have established an export license requirement for all countries other than the U.S. and Canada for many commercially available penetration testing and network monitoring products. The proposed rule was ultimately withdrawn due to wide public objection, and the U.S. has agreed to renegotiate the breath of the language under the Wassenaar Arrangement. Should the U.S. adopt an onerous policy, this could affect our business and could result in loss of potential market in certain countries, increased administrative costs and delays or loss of sales opportunities.

Failure to comply with applicable anti-corruption legislation could result in fines, criminal penalties and materially adversely affect our business, financial condition and results of operations.

We are required to comply with anti-corruption and anti-bribery laws in the jurisdictions in which we operate, including the Foreign Corrupt Practices Act, or FCPA, in the U.S., the UK Bribery Act, or the Bribery Act, and other similar laws in other countries in which we do business. As a result of doing business in foreign countries, including through channel partners and agents, we will be exposed to a risk of violating anti-corruption laws. Some of the international locations in which we will operate have developing legal systems and may have higher levels of corruption than more developed nations. The FCPA prohibits providing anything of value to foreign officials for the purposes of obtaining or retaining business or securing any improper business advantage. We may deal with both governments and state-owned business enterprises, the employees of which are considered foreign officials for purposes of the FCPA. The provisions of the

Bribery Act extend beyond bribery of foreign public officials and are more onerous than the FCPA in a number of other respects, including jurisdiction, non-exemption of facilitation payments and penalties.

Although we have adopted policies and procedures designed to ensure that we, our employees and third-party agents will comply with such laws, there can be no assurance that such policies or procedures will work effectively at all times or protect us against liability under these or other laws for actions taken by our employees, channel partners and other third parties with respect to our business. If we are not in compliance with anti-corruption laws and other laws governing the conduct of business with government entities and/or officials (including local laws), we may be subject to criminal and civil penalties and other remedial measures, which could harm our business, financial condition, results of operations, cash flows and prospects. In addition, investigations of any actual or alleged violations of such laws or policies related to us could harm our business, financial condition, results of operations, cash flows and prospects.

Because our products may collect and store user and related information, domestic and international privacy and cyber security concerns, and other laws and regulations, could result in additional costs and liabilities to us or inhibit sales of our products.

We, our channel partners and our customers are subject to a number of domestic and international laws and regulations that apply to online services and the internet generally. These laws, rules and regulations address a range of issues including data privacy and cyber security, breach notification and restrictions or technological requirements regarding the collection, use, storage, protection, retention or transfer of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, use, storage and disclosure of information, web browsing and geolocation data collection, data analytics, cyber security and breach response and notification procedures. Interpretation of these laws, rules and regulations and their application to our products in the U.S. and foreign jurisdictions is ongoing and cannot be fully determined at this time.

In the U.S., these include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, HIPAA, the Gramm Leach Bliley Act and state breach notification laws, other state laws and regulations applicable to privacy and data security, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions, settlements, consent decrees and guidance documents.

Internationally, virtually every jurisdiction in which we operate and have customers and/or have prospective customers to which we market has established its own data security and privacy legal frameworks with which we, our channel partners or our customers must comply. Further, many federal, state and foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. If passed, we will likely incur additional expenses and costs associated with complying with such laws, as well as face heightened potential liability if we are unable to comply with these laws.

Laws in the European Economic Area, or EEA, regulate transfers of EU personal data to third countries, such as the U.S., that have not been found to provide adequate protection to such personal data. We have in the past relied upon adherence to the U.S. Department of Commerce’s U.S.-EU Safe Harbor Framework which established a means for legitimating the transfer of personal data from the EEA to the U.S. However, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor Framework in October 2015 and, in February 2016, EU and U.S. negotiators agreed to a new framework, the EU-U.S. Privacy Shield, which came into effect in July 2016. However, there are recent regulatory concerns about this framework, as well as litigation challenging other EU mechanisms for adequate data transfer (i.e., the standard contractual clauses). We are certified under the EU-U.S. Privacy Shield, and rely on a mixture of mechanisms to transfer EU personal data to the U.S. We could be impacted by changes in law as a result of the current challenges to these mechanisms by regulators and in the European courts which may lead to governmental enforcement actions, litigation, fines and penalties or adverse publicity, which could have an adverse effect on our reputation and business.

On April 27, 2016, the European Union adopted the General Data Protection Regulation 2016/679, or GDPR, that took effect on May 25, 2018 replacing the current data protection laws of each EU member state. The GDPR applies to any company established in the EU as well as to those outside the EU if they collect and use personal data in connection with the offering of goods or services to individuals in the EU or the monitoring of their behavior (for example, through email monitoring). The GDPR enhances data protection obligations for processors and controllers of personal data, including, for example, expanded disclosures about how personal information is to be used, limitations on retention of information, mandatory data breach notification requirements and onerous new obligations on services providers. Non-compliance with the GDPR can trigger steep fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Given the breadth and depth of changes in data protection obligations, preparing to meet the GDPR’s requirements before its application on May 25, 2018 required time, resources and a review of our technology and systems against the GDPR’s requirements. We have engaged a third party to assist us in undertaking a data protection review, and have implemented remedial changes towards GDPR compliance. Separate EU laws and regulations (and member states’ implementations thereof) govern the protection of consumers and of electronic communications and these are also evolving. For instance, the current European laws that cover the use of cookies and similar technology and marketing online or by electronic means are under reform. A draft of the new ePrivacy Regulation extends the strict opt-in marketing rules with limited exceptions to business-to-business communications, alters rules on third-party cookies, web beacons and similar technology and significantly increases penalties. We cannot yet determine the impact such future laws, regulations, and standards may have on our business. Such laws and regulations are often subject to differing interpretations and may be inconsistent among jurisdictions. We have incurred and may continue to incur substantial expense in complying with the new obligations to be imposed by the GDPR and we may be required to make significant changes in our business operations and product and services development, all of which may adversely affect our revenues and our business.

We and our customers are at risk of enforcement actions taken by certain EU data protection authorities until such point in time that we may be able to ensure that all transfers of personal data to us from the EEA are conducted in compliance with all applicable regulatory obligations, the guidance of data protection authorities and evolving best practices. We may find it necessary to establish systems to maintain personal data originating from the EU in the EEA, which may involve substantial expense and may cause us to need to divert resources from other aspects of our business, all of which may adversely affect our business.

Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing practices or the features of our products. We may also be subject to claims of liability or responsibility for the actions of third parties with whom we interact or upon whom we rely in relation to various products, including but not limited to vendors and business partners. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our products, which could have an adverse effect on our business. Any inability to adequately address privacy and/or data concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.

The costs of compliance with, and other burdens imposed by, the laws, rules, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our software. Even the perception of privacy concerns, whether or not valid, may harm our reputation, inhibit adoption of our products by current and future customers, or adversely impact our ability to attract and retain workforce talent. Our failure to comply with applicable laws and regulations, or to protect such data, could result in enforcement action against us, including fines, imprisonment of company officials and public censure, claims for damages by customers and other affected individuals, damage to our reputation and loss of goodwill (both in relation to existing customers and prospective customers), any of which could have a material adverse effect on our operations, financial performance and business.

Our intellectual property rights are valuable and any inability to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.

Our future success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright and trade secret laws and contractual protections in the U.S. and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage. We maintain a program of identifying technology appropriate for patent protection. Our practice is to require employees and consultants to execute non-disclosure and proprietary rights agreements upon commencement of employment or consulting arrangements. These agreements acknowledge our exclusive ownership of all intellectual property developed by the individuals during their work for us and require that all proprietary information disclosed will remain confidential. Such agreements may not be enforceable in full or in part in all jurisdictions and any breach could have a negative effect on our business and our remedy for such breach may be limited.

We have 23 U.S. patents and patent applications relating to our products. We cannot be certain that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “Carbon Black, ”CB Collective Defense Cloud,” “Arm Your Endpoints” and “Bit9” names and logos in the U.S. and certain other countries. We have registrations and/or pending applications for additional marks in the U.S. and other countries, including “CB Predictive Security Cloud” and “CB LiveOps”; however, we cannot be certain that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms. We cannot be certain that such third parties will maintain such software or continue to make it available.

In order to protect our unpatented proprietary technologies and processes, we rely on trade secret laws and confidentiality agreements with our employees, consultants, channel partners, vendors and others. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the U.S. and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our products, technologies or intellectual property rights.

From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others, to defend against claims of infringement or invalidity or to prevent the misappropriation of our intellectual property. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition.

Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.

Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, some of whom have substantially more resources and have been developing relevant technologies for much longer than us, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties have in the past and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners,

whom we typically indemnify against claims that our products infringe, misappropriate or otherwise violate the intellectual property rights of third parties. If we do infringe a third party’s rights and are unable to provide a sufficient workaround, we may need to negotiate with holders of those rights to obtain a license to those rights or otherwise settle any infringement claim as a party that makes a claim of infringement against us may obtain an injunction preventing us from shipping products containing the allegedly infringing technology. As the number of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business. For example, in 2018 we paid $3.9 million pursuant to a settlement agreement with a non-practicing entity that claimed we infringed upon certain patents held by such entity. See Note 15 to our consolidated financial statements included in this Annual Report on Form 10‑K.

The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.

An adverse outcome of a dispute may require us to:

 

In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.

Confidentiality arrangements with employees and others may not adequately prevent disclosure of trade secrets and other proprietary information.

We have devoted substantial resources to the development of our technology, business operations and business plans. In order to protect our trade secrets and proprietary information, we rely in significant part on confidentiality arrangements with our employees, licensees, independent contractors, advisors, channel partners and customers. These arrangements may not be effective to prevent disclosure of confidential information, including trade secrets, and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, if others independently discover trade secrets and proprietary information, we would not be able to assert trade secret rights against such parties. Effective trade secret protection may not be available in every country in which our products are available or where we have employees or independent contractors. The loss of trade secret protection could make it easier for third parties to compete with our products by copying functionality. In addition, any changes in, or unexpected interpretations of, the trade secret and employment laws in any country in which we operate may compromise our ability to enforce our trade secret and intellectual property rights. Costly and time-consuming litigation could be necessary to enforce and determine

the scope of our proprietary rights, and failure to obtain or maintain trade secret protection could adversely affect our competitive business position.

We may be subject to damages resulting from claims that our employees or contractors have wrongfully used or disclosed alleged trade secrets of their former employers or other parties.

We could in the future be subject to claims that employees or contractors, or we, have inadvertently or otherwise used or disclosed trade secrets or other proprietary information of our competitors or other parties. Litigation may be necessary to defend against these claims. If we fail in defending against such claims, a court could order us to pay substantial damages and prohibit us from using technologies or features that are essential to our products, if such technologies or features are found to incorporate or be derived from the trade secrets or other proprietary information of these parties. In addition, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could hamper or prevent our ability to develop, market and support potential products or enhancements, which could severely harm our business. Even if we are successful in defending against these claims, such litigation could result in substantial costs and be a distraction to management.

Our operating results may be harmed if we are required to collect sales and use or other related taxes for our products in jurisdictions where we have not historically done so.

Taxing jurisdictions, including state, local and foreign taxing authorities, have differing rules and regulations governing sales and use or other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. While we believe that we are in material compliance with our obligations under applicable taxing regimes, one or more states, localities or countries may seek to impose additional sales or other tax collection obligations on us, including for past sales by us or our channel partners. It is possible that we could face sales tax audits and that such audits could result in tax-related liabilities for which we have not accrued. A successful assertion that we should be collecting additional sales or other taxes on our products in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our products or otherwise harm our business and operating results.

In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made.

Comprehensive tax reform legislation could adversely affect our business and financial condition.

The U.S. government has recently enacted comprehensive tax legislation that includes significant changes to the taxation of business entities, referenced herein as the Tax Reform Act. These changes include, among others, a permanent reduction to the corporate income tax rate, limiting interest deductions, adopting elements of a territorial tax system, assessing a repatriation tax or “toll-charge” on undistributed earnings and profits of U.S.-owned foreign corporations, and introducing certain anti-base erosion provisions. The overall impact of this tax reform is uncertain, and our business and financial condition, including with respect to our non-U.S. operations, could be adversely affected. The overall impact of the Tax Reform Act on stockholders is uncertain, and this report does not address, other than as expressly addressed herein, the manner in which it may affect holders of our common stock. We urge investors to consult with their legal and tax advisors with respect to any such legislation and the potential tax consequences of investing in our common shares.

We may not be able to utilize a significant portion of our net operating loss carryforwards and research and development tax credit carryforwards.

As of December 31, 2018, we had federal and state net operating loss carryforwards of $283.9 million and $193.0 million, respectively, which if not utilized will begin to expire in 2023 and 2019, respectively, and federal and state research and development tax credit carryforwards of $6.6 million and $2.9 million, respectively, which if not utilized will begin to expire in 2026 and 2021, respectively. These net operating loss and tax credit carryforwards could expire unused and be unavailable to offset our future income tax liabilities. In addition, under Section 382 of the Internal Revenue Code of 1986, as amended, or the Code, and corresponding provisions of state law, if a corporation undergoes an “ownership change,” which is generally defined as a greater than 50% change, by value, in its equity ownership over a three-year period, the corporation’s ability to use its pre-change net operating loss carryforwards and other pre-change tax attributes to offset its post-change income may be limited. We have not determined if we have experienced Section 382 ownership changes in the past and if a portion of our net operating loss and tax credit carryforwards is subject to an annual limitation under Section 382. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership, some of which may be outside of our control. If we determine that an ownership change has occurred and our ability to use our historical net operating loss and tax credit carryforwards is materially limited, it would harm our future operating results by effectively increasing our future tax obligations.

Risks Related to Our Common Stock

Our stock price may be volatile, and you may lose some or all of your investment.

Since shares of our common stock were sold in our initial public offering in May 2018 at a price of $19.00 per share, our stock price has ranged from $35.00 to $11.80 through December 31, 2018. The market price of our common stock has been and may continue to be highly volatile and may fluctuate substantially as a result of a variety of factors, some of which are related in complex ways, including:

 

The stock markets are subject to extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We may be the target of this type of litigation in the future, which could result in substantial costs and divert our management’s attention.

If securities or industry analysts do not continue to publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.

The trading market for our common stock depends, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If our financial performance fails to

meet analyst estimates or one or more of the analysts who cover us downgrade our shares or change their opinion of our shares, our share price would likely decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price or trading volume to decline.

The issuance of additional stock in connection with financings, acquisitions, investments, our stock incentive plans or otherwise will dilute all other stockholders.

Our amended and restated certificate of incorporation authorizes us to issue up to 500,000,000 shares of common stock and up to 25,000,000 shares of preferred stock with such rights and preferences as may be determined by our board of directors. Subject to compliance with applicable rules and regulations, we may issue our shares of common stock or securities convertible into our common stock from time to time in connection with a financing, acquisition, investment, our stock incentive plans or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the trading price of our common stock to decline.

We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. In addition, our ability to pay cash dividends is currently limited by the terms of our credit agreements, and any future credit agreements may contain terms prohibiting or limiting the amount of dividends that may be declared or paid on our common stock. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

Concentration of ownership among our directors, executive officers and holders of 5% or more of our outstanding common stock may prevent new investors from influencing significant corporate decisions.

Our directors, executive officers and holders of more than 5% of our common stock, some of whom are represented on our board of directors, together with affiliates control a significant portion of our outstanding capital stock. As a result, these stockholders will be able to determine the outcome of matters submitted to our stockholders for approval. Some of these persons or entities may have interests that are different from yours, and this ownership could affect the value of your shares of common stock if, for example, these stockholders elect to delay, defer or prevent a change in corporate control, merger, consolidation, takeover or other business combination. This concentration of ownership may also adversely affect the market price of our common stock.

We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our common stock less attractive to investors.

We are an “emerging growth company,” as defined in the JOBS Act, and we may take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not “emerging growth companies” including, but not limited to, the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements, and exemptions from the requirements of holding a non-binding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We cannot predict if investors will find our common stock less attractive if we choose to rely on these exemptions. If some investors find our common stock less attractive as a result, there may be a less active trading market for our common stock and our stock price may be more volatile.

We will incur increased costs as a result of operating as a public company, and our management will be required to devote substantial time to compliance with our public company responsibilities and corporate governance practices.

As a public company, and particularly after we are no longer an “emerging growth company,” we will continue to incur significant legal, accounting and other expenses that we did not incur as a private company. The Sarbanes-Oxley Act, the

Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of The Nasdaq Global Select Market and other applicable securities rules and regulations impose various requirements on public companies. Our management and other personnel will need to devote a substantial amount of time to compliance with these requirements. Moreover, these rules and regulations will increase our legal and financial compliance costs and will make some activities more time-consuming and costly. For example, we expect that these rules and regulations may make it more difficult and more expensive for us to obtain directors’ and officers’ liability insurance, which could make it more difficult for us to attract and retain qualified members of our board of directors. We cannot predict or estimate the amount of additional costs we will incur as a public company or the timing of such costs.

As a result of becoming a public company, we are obligated to develop and maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our common stock.

We will be required, pursuant to Section 404 of the Sarbanes-Oxley Act, or Section 404, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting for the first fiscal year beginning after the effective date of the IPO. This assessment will need to include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. Our independent registered public accounting firm will not be required to attest to the effectiveness of our internal control over financial reporting until our first annual report required to be filed with the SEC following the date we are no longer an “emerging growth company,” as defined in the JOBS Act. We will be required to disclose significant changes made in our internal control procedures on a quarterly basis.

We have commenced the costly and challenging process of compiling the system and processing documentation necessary to perform the evaluation needed to comply with Section 404, and we may not be able to complete our evaluation, testing and any required remediation in a timely fashion. Our compliance with Section 404 will require that we incur substantial accounting expense and expend significant management efforts. We currently do not have an internal audit group, and we may need to hire additional accounting and financial staff with appropriate public company experience and technical accounting knowledge and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404.

During the evaluation and testing process of our internal controls, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective. We cannot be certain that there will not be material weaknesses or significant deficiencies in our internal control over financial reporting in the future. Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm determines we have a material weakness or significant deficiency in our internal control over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by The Nasdaq Global Select Market, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.

Anti-takeover provisions in our charter documents and Delaware law may delay or prevent an acquisition of our company, limit attempts by our stockholders to replace or remove our current management and limit the market price of our common stock.

Our amended and restated certificate of incorporation, amended and restated bylaws and Delaware law contain provisions that may have the effect of delaying or preventing a change in control of us or changes in our management. Our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:

 

These provisions, alone or together, could delay or prevent hostile takeovers and changes in control or changes in our management.

In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us in certain circumstances.

Any provision of our amended and restated certificate of incorporation, amended and restated bylaws or Delaware law that has the effect of delaying or deterring a change in control could limit the opportunity for our stockholders to receive a premium for their shares of our common stock, and could also affect the price that some investors are willing to pay for our common stock.

Our amended and restated bylaws designate the Court of Chancery of the State of Delaware or the United States District Court for the District of Massachusetts as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.

Pursuant to our amended and restated bylaws, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware is the sole and exclusive forum for state law claims for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of or based on a breach of a fiduciary duty owed by any of our current or former directors, officers or other employees to us or our stockholders, (3) any action asserting a claim against us or any of our current or former directors, officers, employees or stockholders arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated bylaws or (4) any action asserting a claim governed by the internal affairs doctrine. Our amended and restated bylaws will further provide that the United States District Court for the District of Massachusetts will be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act. In addition, our amended and restated bylaws provide that any person or entity purchasing or otherwise acquiring any interest in shares of our common stock is deemed to have notice of and consented to the foregoing provisions. We have chosen the United States District Court for the District of Massachusetts as the exclusive forum for such causes of action because our principal executive offices are located in Waltham, Massachusetts. On December 19, 2018, the Court of Chancery of the State of Delaware issued a decision declaring that federal forum selection provisions purporting to require claims under the Securities Act be brought in federal court are ineffective and invalid under Delaware law. On January 17, 2019, the decision was appealed to the Delaware Supreme Court.  While the Delaware Supreme Court recently dismissed the appeal on jurisdictional grounds, we expect that the appeal will be re-filed after the Court of Chancery issues a final judgment.  Unless and until the Court of Chancery’s decision is reversed by the Delaware Supreme Court or otherwise abrogated, we do not intend to enforce our federal forum selection provision designating the District of Massachusetts as the exclusive forum for Securities Act claims.  In the event that the Delaware Supreme Court affirms the Court of Chancery’s decision or otherwise determines that federal forum selection provisions are invalid, our board of directors intends to amend promptly our amended and restated by-laws to remove our federal forum selection bylaw provision.  As a result of the Court of Chancery’s decision or a decision by the Delaware Supreme Court affirming the Court of Chancery’s decision, or if the federal forum selection provision is otherwise found inapplicable to, or unenforceable in respect of, one or more of the specified

actions or proceedings, we may incur additional costs, which could have an adverse effect on our business, financial condition or results of operations. We recognize that the federal district court forum selection clause may impose additional litigation costs on stockholders who assert the provision is not enforceable and may impose more general additional litigation costs in pursuing any such claims, particularly if the stockholders do not reside in or near the Commonwealth of Massachusetts. Additionally, the forum selection clauses in our amended and restated bylaws may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.  The Court of Chancery of the State of Delaware and the United States District Court for the District of Massachusetts may also reach different judgments or results than would other courts, including courts where a stockholder considering an action may be located or would otherwise choose to bring the action, and such judgments may be more or less favorable to us than our stockholders.

Item 1B. Unresolved Staff Comments

None.

Item 2. Properties

We currently lease approximately 81,991 square feet of space for our corporate headquarters in Waltham, Massachusetts under a lease agreement that expires on April 30, 2022, unless sooner terminated or extended as provided in the lease. We maintain additional offices in Boulder, Colorado; Boston, Massachusetts; Southborough, Massachusetts; Hillsboro, Oregon; San Antonio, Texas; Australia; England; Japan; and Singapore. We also utilize third‑party data centers located in the Boston, Massachusetts area. We lease all of our facilities and do not own any real property.

We believe that our current facilities are adequate to meet our ongoing needs, and that, if we require additional space, we will be able to obtain additional facilities on commercially reasonable terms.

Item 3. Legal Proceedings

From time to time, we may become involved in legal proceedings or be subject to claims arising in the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business, operating results, financial condition or cash flows. Regardless of the outcome, litigation can have an adverse impact because of defense and settlement costs, diversion of management resources and other factors.

Item 4. Mine Safety Disclosures

Not applicable.

PART II.

Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

Market Information for Common Stock

Our common stock began trading publicly on The Nasdaq Global Select Market, or Nasdaq, under the ticker symbol "CBLK" on May 4, 2018. Prior to that time, there was no public market for our common stock.

Holders of Record

As of December 31, 2018, we had 207 holders of record of our common stock reported on Nasdaq. The actual number of stockholders is greater than this number of record holders and includes stockholders who are beneficial owners but whose shares are held in street name by brokers and other nominees. We are unable to estimate the total number of stockholders represented by these record holders.

Dividend Policy

We have never declared or paid cash dividends on our common stock. We currently intend to retain all available funds and any future earnings for use in the operation of our business and do not anticipate paying any dividends in the foreseeable future. Any future determination to declare dividends will be made at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, operating results, capital requirements, general business conditions and other factors that our board of directors may deem relevant.

Securities Authorized for Issuance under Equity Compensation Plans

The information required by this item with respect to our equity compensation plans is incorporated by reference to our Proxy Statement for the 2018 Annual Meeting of Stockholders to be filed with the Securities and Exchange Commission within 120 days of the year ended December 31, 2018.

Stock Performance Graph

The graph below compares the cumulative total stockholder return on our common stock between May 4, 2018, the date of our initial public offering, and December 31, 2018, with the cumulative return of (a) S&P 500 Index and NASDAQ-100 Technology Sector Index, over the same period. This graph assumes the investment of $100 on May 4, 2018 in our common stock, S&P 500 and NASDAQ-100 Technology Sector and assumes the reinvestment of dividends, if any. The graph assumes our closing sales price on May 4, 2018 of $23.94 per share as the initial value of our common stock and not the initial offering price to the public of $19.00 per share.

The comparisons shown in the graph below are based upon historical data. We caution that the stock price performance shown in the graph is not necessarily indicative of, nor is it intended to forecast, the potential future performance of our common stock. Information used in the graph was obtained from the NASDAQ Stock Market LLC, a financial data provider and source believed to be reliable. The NASDAQ Stock Market LLC is not responsible for any errors or omissions in such information 

 

 

 

Recent Sales of Unregistered Equity Securities and Use of Proceeds

(a) Sale of Unregistered Equity Securities

Not applicable.

(b) Use of Proceeds from Public Offering of Common Stock

On May 3, 2018, the SEC declared our registration statement on Form S‑1 (File No. 333‑224196) for our IPO effective. There have been no material changes in the planned use of proceeds from our IPO as described in our final prospectus filed with the SEC on May 4, 2018.

Issuer Purchases of Equity Securities

 

Under the Confer Technologies, Inc. 2013 Stock Plan (the “Confer Plan”), certain participants may exercise options prior to vesting, subject to a right of a repurchase by us. In January 2018, we repurchased 3,453 shares of our common stock resulting from the early exercise of unvested stock options under the Confer Plan at a price equal to the original option exercise price of $0.22 per share. During the year ended December 31, 2018 we made no other repurchases of our common stock.

Item 6. Selected Financial Data

The selected consolidated statements of operations data presented below for 2018, 2017 and 2016 and the consolidated balance sheet data as of December 31, 2018 and 2017, are derived from our audited consolidated financial statements that are included elsewhere in this Annual Report on Form 10‑K. Our historical results are not necessarily indicative of the results that may be expected in the future. The selected consolidated financial data and other data set forth below should be read in conjunction with the section entitled "Management’s Discussion and Analysis of Financial Condition

and Results of Operations" and our consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10‑K.

 

Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations

The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10‑K. As discussed in the section titled "Special Note Regarding Forward-Looking Statements," the following discussion contains forward-looking statements that involve risks and uncertainties. Our actual results could differ materially from those discussed below. Factors that could cause or contribute to such difference include, but are not limited to, those identified below and those discussed in the section titled "Risk Factors" and elsewhere in this Annual Report on Form 10‑K.

Overview

Carbon Black is a leading, global provider of cloud-delivered, next-generation endpoint security solutions. As an innovator in the Endpoint Protection Platform (EPP) market, our technology enables customers to address the complete endpoint security lifecycle and stay ahead of advanced cyberattacks.

Our big data and analytics platform, the CB Predictive Security Cloud (PSC), consolidates endpoint security and IT operations into an extensible cloud platform that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analyzing billions of security events per day across the globe, Carbon Black has key insights into attackers’ behavior patterns, enabling customers to detect, respond to and prevent emerging attacks.

We believe the depth, breadth and real-time nature of our unfiltered endpoint data, combined with the analytic power of our Predictive Security Cloud platform, provides customers with world-class security efficacy and operational efficiency.

Organizations globally are re-platforming their IT operations by investing in cloud computing and workforce mobility, which has resulted in enterprise environments that are more open, interconnected, and vulnerable to cyber attacks. Today, an increasingly mobile workforce and the explosion of enterprise data and applications in the cloud have expanded the attack surface beyond the traditional network perimeter. In response, attackers have adapted their methods and tools to directly target the endpoint. In short, the endpoint is the new perimeter.

Endpoints are the primary focus of attacks because they store valuable data that attackers seek to steal; perform critical operations that attackers seek to disrupt; and are the interface where attackers can target humans through email, social engineering and other tactics. Endpoints are the physical and virtual locations where sensitive data resides and include desktops, laptops, servers, virtual machines, cloud workloads (services running on cloud servers), containers, fixed‑function devices such as ATMs, point of sale systems, and control and data systems for power plants and other industrial assets.

Our approach to solving these endpoint security challenges focuses on leveraging our big data and our security analytics platform in the cloud (the CB Predictive Security Cloud) to better detect and prevent the behaviors and specific techniques used by attackers. Based on our experience and investment in next‑generation solutions designed to address the full endpoint security lifecycle, we have developed a highly differentiated technology approach with four main pillars: (1) unfiltered data collection, (2) proprietary data shaping technology, (3) streaming analytics, and (4) extensible open architecture.

We began selling our initial product in 2005, which was the precursor to CB Protection. Our initial product focused on delivering endpoint protection for desktops and servers through application control. In February 2014, we acquired Carbon Black, whose solution was the precursor to CB Response. The acquisition of Carbon Black strengthened our position as a leader in advanced threat detection and incident response management solutions, and was an important event for us as it enabled us to provide our customers with solutions designed to address the full endpoint security lifecycle. We believe that our ability to address the full lifecycle of an attack is a critical differentiator versus other endpoint security technologies that address only a portion of the attack lifecycle.

In more recent periods, we have focused on satisfying the increasing demand for cloud‑based software from our customers and prospects and intend to continue to expand our cloud‑based product offerings. In August 2015, we released a cloud‑based version of CB Response to our customers under a software‑as‑a‑service, or SaaS, model. In June 2016, we acquired Confer Technologies, Inc., or Confer, whose solution is currently sold to customers as CB Defense. The acquisition of Confer was an important event for us as it added key capabilities in the areas of cloud‑based, multi‑tenant, big‑data processing and streaming detection and prevention. With this acquisition, we also entered the next‑generation antivirus market. The technology that we acquired in this acquisition is foundational to our predictive security cloud platform, which is designed to address the full endpoint security lifecycle, and to our strategy. For more information regarding the Confer acquisition, see Note 3 to our consolidated financial statements at the end of this Annual Report on Form 10-K. The percentage of our total revenue generated by sales of our cloud‑based solutions was 29% in 2018, 16% in 2017 and 6% in 2016. We have experienced growth in the number of customers who purchase our cloud‑based solutions, with 2,851 customers in 2018, up from 1,605 customers in 2017, and 398 customers in 2016.

A substantial majority of our customers purchase our solutions under a subscription license. Our subscription licenses include: access to and the right to utilize the threat intelligence capabilities of the CB Predictive Security Cloud; ongoing support, which provides our customers with telephone and web‑based support, bug fixes and repairs; and software updates on a when‑and‑if‑available basis. Additionally, a substantial amount of those customers who purchase licenses on a perpetual basis also purchase an agreement for access to and the right to utilize the threat intelligence capabilities of the CB Predictive Security Cloud. Subscription (i.e. term-based) revenue is recognized on a ratable basis over the contract term beginning on the date the software is delivered to the customer. Revenue for cloud-based subscriptions is recognized on a ratable basis over the term of the subscription beginning on the date the customer is given access to the platform. Maintenance services and customer support revenue related to subscription licenses is recognized ratably over the term of the maintenance and support arrangement as this performance obligation is satisfied. Revenue from the infrequent sales of perpetual software licenses is recognized ratably over the customer’s estimated economic life, which we have estimated to be five years, beginning on the date the software is delivered to the customer. Maintenance services and customer support revenue related to perpetual licenses is recognized ratably over the term of the maintenance and support arrangement as this performance obligation is satisfied. Revenue from perpetual licenses represented less than 5% of our $198.5 million of subscription, license and support revenue in 2018. Due to our revenue recognition model, all of our subscription, license and support revenue is recognized on a ratable basis, providing us with strong visibility into future revenue.

We primarily sell our products through a channel partner go‑to‑market model, which significantly extends our global market reach and ability to rapidly scale our sales efforts. Our inside sales and field sales representatives work alongside an extensive network of value‑added resellers, or VARs, distributors, managed security service providers, or MSSPs, and incident response, or IR, firms. Our MSSP and IR firm channel partners both use and recommend our products to their clients. We have established significant relationships with leading channel partners, including Optiv Security, Inc., a leading VAR and MSSP; CDW Corporation, one of the world’s largest software VARs; Arrow Electronics, Inc., a major global distributor; SecureWorks, Inc., a leading MSSP; and Kroll, a leading IR firm. For the three months and year ended December 31, 2018, 83% and 80%, respectively, of our new and add‑on business was closed in collaboration with a channel partner. We expect to continue to focus on generating sales to new and existing customers through our channel partners as a part of our growth strategy. When we transact with a channel partner, our contractual arrangement is with the channel partner and not with the end‑use customer. However, whether we receive the order from a channel partner or directly from an end‑use customer, our revenue recognition policy and resulting pattern of revenue recognition for the order are the same.

Our sales team works closely with our end‑use customer prospects at every stage of the sales cycle regardless of whether the prospect is sourced directly or indirectly—from initial information meetings through the implementation of our products with our end‑use customers. We believe this coordinated approach to sales allows us to leverage the benefits of channel partners as well as maintain face‑to‑face connectivity and build long‑term, trusted relationships with our customers.

Our customers include many of the world’s largest, security‑focused enterprises and government agencies that are among the most heavily targeted by cyber adversaries, as well as mid‑sized organizations. As of December 31, 2018, we serve over 5,000 customers globally across multiple industries, including 34 of the Fortune 100.

We have experienced revenue growth, with revenue increasing to $209.7 million in 2018, up from $160.8 million in 2017, and $112.9 million in 2016. This represents a 36% compound annual growth rate over the same period. We have a subscription‑based revenue model that provides visibility into future revenue. Recurring revenue, a non-GAAP financial measure, represented 92%, 89% and 84% of our total revenue in 2018, 2017 and 2016, respectively. Annual recurring revenue, or ARR, was $217.0 million, $174.2 million and $124.2 million as of December 31, 2018, 2017 and 2016, respectively. We define ARR, a non-GAAP financial measure, as the annualized value of all active subscription contracts as of the end of the period. ARR excludes revenue from perpetual licenses and services. The portion of ARR related to our cloud‑based subscription contracts was $81.3 million, $46.0 million, and $15.1 million as of December 31, 2018, 2017 and 2016, respectively. The percentage of our total recurring revenue generated by sales of our cloud‑based solutions was 31%, 18%, and 7% in 2018, 2017 and 2016, respectively. We incurred net losses of $82.1 million, $53.2 million, and $44.7 million in 2018, 2017, and 2016, respectively, as we continued to invest for growth to address the large market opportunity for our platform.

 

In May 2018, we closed our initial public offering, or IPO, of 9,200,000 shares of common stock inclusive of the underwriters’ option to purchase additional shares that was exercised in full. The price per share to the public was $19.00 per share. We received aggregate proceeds of $162.6 million from the IPO, net of underwriters’ discounts and commissions, and before deducting offering costs of $4.9 million.

 

Effective January 1, 2018, we adopted the requirements of Accounting Standards Update, or ASU, No. 2014-09, Revenue from Contracts with Customers (Topic 606), or ASC 606 on a full retrospective basis as discussed in detail in Note 2 to our unaudited consolidated financial statements. All amounts and disclosures set forth in this Annual Report on Form 10-K have been updated to comply with ASC 606.

 

We believe that the growth of our business and our operating results will be dependent upon many factors, including our ability to capitalize on the market shift from legacy prevention offerings to next‑generation endpoint security solutions, our success in growing our customer base and expanding deployments of our platform within existing customers, our ability to enhance our platform and product offerings, and our focus on maintaining strong retention rates. While these areas present significant opportunities for us, they also pose challenges and risks that we must successfully address in order to sustain the growth of our business and improve our operating results.

We have experienced rapid growth and increased demand for our products over the last few years. To manage any future growth effectively, we must continue to improve and expand our information technology and financial infrastructure, our operating and administrative systems and controls, and our ability to manage headcount, capital and processes in an efficient manner. Additionally, we face intense competition in our market, and to succeed, we need to innovate and offer products that are differentiated from legacy antivirus products, established network security products and point solutions provided by smaller security providers. We must also effectively hire, retain, train and motivate qualified personnel and senior management. If we are unable to successfully address these challenges, our business, operating results and prospects could be adversely affected. Our marketing is focused on building our brand reputation, increasing market awareness of our platform, driving customer demand and a strong sales pipeline, and collaborating with our channel partners around the globe.

Key Factors Affecting Our Performance

Our historical financial performance has been, and we expect our financial performance in the future to be, primarily driven by the following factors:

Market Adoption.     We believe our future success will depend, in large part, on the market for next‑generation endpoint security. Because network‑centric security is no longer adequate, organizations must focus on securing the endpoint. However, while organizations have made significant investments in upgrading to advanced network security solutions, the majority of endpoint security technology in use today relies on multiple agents and uses ineffective, traditional signature‑based antivirus software. As a result, organizations are increasingly shifting their security budgets toward next‑generation endpoint security solutions. We believe that we are well positioned as a market leader to capitalize on this investment cycle and that our ability to address the full lifecycle of a cyber attack will help to drive our market adoption. Additionally, the number of security professionals has not kept pace with total demand. As the number of

threats multiplies, legacy solutions either miss threats or produce more alerts than security teams are able to process and investigate. Organizations are increasingly turning to next‑generation solutions, advanced analytics and automation tools to empower their security professionals to increase their efficiency and focus on the highest value cyber security tasks, thereby reducing the need for additional security headcount. Organizations are also addressing the talent gap by relying more on security‑focused VARs and trusted partners to augment their internal teams of security experts.

Add New Customers.     Our ability to add new customers is a key indicator of our increasing market adoption and future revenue potential. Our customer count, which includes both direct sale customers and customers with one or more subscriptions to our platform through channel partners, grew to 5,025 in 2018, up from 3,739 in 2017, and 2,516 in 2016, representing year‑over‑year increases of 34% in 2018 and 49% in 2017. We expect this trend to continue in future periods as we focus on adding new customers and renewing existing customers through our channel partners. We are focused on continuing to grow our customer base. We have continuously enhanced our endpoint security platform and product offerings, and we have expanded both our domestic and international sales force to drive new customer acquisition. However, our ability to continue to grow our customer base is dependent on a number of factors, including our ability to compete within the increasingly competitive markets in which we participate.

Maintain Strong Retention Rates.     An important component of our revenue growth strategy is to have our existing customers renew their agreements with us. To assess our performance against this objective, we monitor the retention rate of our existing customers. We calculate retention rate by comparing the annual recurring subscription and support revenue from our customers at the beginning of a measurement period to the annual recurring subscription and support revenue from those same customers at the end of a measurement period. We divide the ending annual recurring revenue by the beginning annual recurring revenue to arrive at our retention rate metric. We exclude the impact of any add‑on purchases from these customers during the measurement period; accordingly, our retention rate cannot exceed 100%. In addition, the metric reflects the loss of customers who elected not to renew contracts expiring during the measurement period. Our retention rate was 87% in 2018, 93% in 2017, and 92% in 2016.

 

Increase Sales to Existing Customers.     Our current customer base provides us with a significant opportunity to drive incremental sales. Our extensible platform allows us to develop new solutions rapidly and at lower cost over time. As we develop and deploy additional security offerings on the CB Predictive Security Cloud platform, we see significant additional opportunity to cross‑sell as customers benefit by addressing multiple security requirements through a single platform. Our ability to increase sales to existing customers will depend on a number of factors, including customers’ satisfaction or dissatisfaction with our solutions, our ability to develop new products, pricing, economic conditions or overall reductions in our customers’ spending levels.

Invest in Growth.    We will continue to focus on long‑term revenue growth. We believe that our market opportunity is large and we will continue to invest significantly in research and development to enhance our technology platform and product functionality. We also expect to continue to invest in sales and marketing to grow our customer base, both domestically and internationally. In addition to our ongoing investment in research and development, we may also pursue acquisitions of businesses, technologies and assets that complement and expand the functionality of our products and services, expand the functionality of our solutions, add to our technology or security expertise, or bolster our leadership position by gaining access to new customers or markets.

Key Metrics

We regularly monitor a number of financial and operating metrics, including the following key metrics, in order to measure our current performance and estimate our future performance, as follows:

 

Billings.     We define billings, a non-GAAP financial measure, as total revenue plus the change in deferred revenue during the period, excluding acquired deferred revenue. Our deferred revenue consists of amounts that have been invoiced to customers but that have not yet been recognized as revenue. Our deferred revenue balance primarily consists of the portion of products and support revenue that will be recognized ratably over the term of the subscription as the performance obligation is satisfied.

Most of our revenue is derived from subscriptions to our products with a duration of one or three years. For our subscription arrangements, we typically bill our customers the fee on an annual basis for the upcoming year. For 2017, we changed our policy to require customers with multi-year contract commitments to agree to multi-year upfront billing for the total contract fee. In 2018, we reverted to our former standard practice to bill multi-year contracts on an annual basis, which resulted in lower upfront multi-year billings as compared to 2017.

Some of our revenue is derived from perpetual licenses of our products sold with a maintenance and support agreement. For our perpetual licenses, we bill our customers the entire license fee upon delivery of the software, and for support, we typically bill our customers the support fee on an annual basis for the upcoming year.

For services sold on a fixed-price basis, we bill customers in advance. For services sold on a time-and-materials basis, we bill customers as such services are performed.

We use billings as one factor to evaluate our business because billings is an indicator of current period sales activity and provides visibility into corresponding future revenue growth due to our subscription-based revenue model. Accordingly, we believe that billings provides useful information to investors and others in understanding and evaluating our operating results in the same manner as our management. However, it is important to note that billings, in any period, may be impacted by the timing of customer renewals, including early renewals, and customers’ preferences for multi-year upfront or annual billing terms, which could favorably or unfavorably impact year-over-year comparisons. While we believe that billings is useful in evaluating our business, billings is a non-GAAP financial measure that has limitations as an analytical tool, and billings should not be considered as an alternative to, or substitute for, total revenue recognized in accordance with GAAP. In addition, other companies, including companies in our industry, may calculate billings differently or not at all, which reduces the usefulness of billings as a tool for comparison. We recommend that

you review the reconciliation of billings to total revenue, the most directly comparable GAAP financial measure, provided below, and that you not rely on billings or any single financial measure to evaluate our business.

 

 

Short‑term billings.      We define short-term billings, a non-GAAP financial measure, as total revenue plus the change in current deferred revenue during the period, excluding acquired deferred revenue. We believe that short-term billings provides useful information to investors and others in evaluating our operating performance because it excludes the impact of upfront multi-year billings, which can vary from period to period depending on the timing of large, multi-year customer contracts and customer preferences for annual billing versus multi-year upfront billing. However, it is important to note that short-term billings, in any period, may be impacted by the timing of customer renewals, including early renewals, which could favorably or unfavorably impact year-over-year comparisons. While we believe that short-term billings is useful in evaluating our business, short-term billings is a non-GAAP financial measure that has limitations as an analytical tool, and short-term billings should not be considered as an alternative to, or substitute for, total revenue recognized in accordance with GAAP. In addition, other companies, including companies in our industry, may calculate short-term billings differently or not at all, which reduces the usefulness of short-term billings as a tool for comparison. We recommend that you review the reconciliation of short-term billings to total revenue, the most directly comparable GAAP financial measure, provided below, and that you not rely on short-term billings or any single financial measure to evaluate our business.

 

Recurring revenue.      We define recurring revenue, a non-GAAP financial measure, as subscription, license and support revenue (which includes revenue relating to support for perpetual licenses) less perpetual license revenue for the period. We use recurring revenue as one factor to evaluate our business because we believe that recurring revenue provides visibility into the revenue expected to be recognized in the current and future periods. Accordingly, we believe that recurring revenue provides useful information to investors and others in understanding and evaluating our operating results in the same manner as our management. While we believe that recurring revenue is useful in evaluating our business, recurring revenue is a non-GAAP financial measure that has limitations as an analytical tool, and recurring revenue should not be considered as an alternative to, or substitute for, subscription, license and support revenue recognized in accordance with GAAP. In addition, other companies, including companies in our industry, may calculate recurring revenue differently or not at all, which reduces the usefulness of recurring revenue as a tool for comparison. We recommend that you review the reconciliation of recurring revenue to subscription, license and support revenue, the

most directly comparable GAAP financial measure, provided below, and that you not rely on recurring revenue or any single financial measure to evaluate our business.

 

The percentage of our total recurring revenue generated by sales of our cloud‑based solutions was 31% in 2018, 18% in 2017, and 7% in 2016.

Free cash flow and free cash flow margin.      We define free cash flow, a non-GAAP financial measure, as net cash used in operating activities less purchases of property and equipment and capitalized internal-use software. We define free cash flow margin as free cash flow divided by total revenue. For the 2016 free cash flow calculation, we have also excluded the impact of the management incentive liability payment as this payment was not part of our core operating results. See Note 15 to our consolidated financial statements included in this Annual Report on Form 10‑K.

We monitor free cash flow as one measure of our overall business performance, which enables us to analyze our future performance without the effects of non-cash items and allow us to better understand the cash needs of our business. While we believe that free cash flow is useful in evaluating our business, free cash flow is a non-GAAP financial measure that has limitations as an analytical tool, and free cash flow should not be considered as an alternative to, or substitute for, net cash used in operating activities in accordance with GAAP. The utility of free cash flow as a measure of our liquidity is further limited as it does not represent the total increase or decrease in our cash balance for any given period. In addition, other companies, including companies in our industry, may calculate free cash flow differently or not at all, which reduces the usefulness of free cash flow as a tool for comparison. A summary of our cash flows from operating, investing and financing activities is provided below. We recommend that you review the reconciliation of free cash flow to net cash used in operating activities, the most directly comparable GAAP financial measure, and the reconciliation of free cash flow margin to net cash used in operating activities (as a percentage of revenue), the most directly comparable GAAP financial measure, provided below, and that you not rely on free cash flow, free cash flow margin or any single financial measure to evaluate our business.

As discussed above, beginning in 2018, we reverted to our former policy of offering customers who make multi-year contract commitments the option to be billed the total contract fee upfront or to be billed on an annual basis. During 2018, many customers who made a multi-year contract commitment selected to be billed on an annual basis, which resulted in less benefit to free cash flow in 2018 compared to 2017.