Decoding Success in Cybersecurity SaaS: Your Guide to Essential Metrics

Earlier this year at RSAC 2023, I delivered a talk on strategic activity, trends, and predictions in cybersecurity, which included a discussion of the pivotal SaaS metrics that acquirers and investors weigh heavily during potential transactions. In light of the numerous follow-up inquiries related to that segment, I decided to write a short article to explore the topic further.

While there is no single "right" answer regarding which metrics matter most, or the results companies must achieve concerning those metrics, the following can serve as a valuable reference for founders and boards to keep in mind.

Key Valuation Metrics For Cybersecurity SaaS Companies

ARR Growth

Annual Recurring Revenue (ARR) quantifies the predictable, subscription-based revenue a company can expect to earn on an annual basis. ARR Growth speaks to the change in ARR over a specified period (often annual, as shown in the table above), and is typically expressed as a percentage. It's a key metric for subscription-based businesses, reflecting the company's capacity to expand its customer base or enhance the value derived from existing customers through upsells or expanded offerings.

Gross Margin

Gross Margin represents the difference between a company’s revenue and the cost of goods sold (COGS), which is the cost of delivering and maintaining its software-based product. Costs may include hosting, infrastructure, third-party software licenses, support, maintenance, direct labor related to the delivery of the product, and possibly even depreciation of capitalized software development costs. Gross Margin is often expressed as a percentage of revenue: Gross Margin % = (Revenue - COGS) / Revenue * 100%.

Burn Multiple

Burn Multiple offers insight into the relationship between a company's net cash burn and its net new revenue in any given period, typically calculated as Burn Multiple = Net Burn / Net New ARR. This metric serves as a snapshot of the company’s financial sustainability, providing an indication of how efficiently a company is utilizing its capital relative to its revenue. In other words, how many dollars will the company burn to generate $1 of additional ARR? A lower Burn Multiple implies a more efficient utilization of capital for the company.

Gross Revenue Retention (GRR)

Gross Revenue Retention (GRR) gauges the percentage of recurring revenue retained from existing customers within a specified period (typically the last twelve months (LTM), as shown in the table above), excluding expansion or upsell revenue. It's indicative of a company's ability to maintain existing revenue streams, offers insights into customer satisfaction and product-market fit, and helps assess the stability of a company's revenue from its current customer base.

Net Revenue Retention (NRR)

Net Revenue Retention (NRR) gauges the percentage of recurring revenue generated from existing customers within a specified period (typically LTM). Unlike GRR, NRR factors in not only downsells and churn but also upsells and cross-sells. This metric provides a more comprehensive view of customer revenue retention and expansion, and is indicative of a company’s ability to not only maintain but also grow revenue within its existing customer cohort. Naturally, the higher the revenue retention rate, the greater the contribution existing customers will make to the company's growth.

LTV/CAC

The Lifetime Value to Customer Acquisition Cost (LTV/CAC) ratio illustrates the relationship between the lifetime value of a customer and the cost to acquire them. The ratio serves as a key indicator of the long-term profitability and sustainability of a company's customer acquisition strategies, and helps assess whether the company is securing enough value from customers to justify the associated costs.

LTV: Lifetime Value estimates the total profit a company expects to earn from a customer throughout their entire relationship with the company. LTV quantifies the customer's value by factoring in both the expected revenue and the costs associated with serving them. While companies may calculate LTV in a few different ways, we typically see LTV = (Average ARR Per Customer) * (Gross Margin %) / (Revenue Churn Rate).

CAC: Customer Acquisition Cost calculates the total cost incurred by a company to land a new customer, including marketing, sales, and related expenses. CAC is often calculated as CAC = (Cost of Sales and Marketing) / (Number of New Customers) within a specified period.

Magic Number

Similar to the LTV/CAC Ratio, the Magic Number metric assesses the efficiency of a company's sales and marketing spend in generating new subscription revenue. The higher the Magic Number, the more effectively a company is utilizing its sales and marketing spend to facilitate growth. The Magic Number is typically calculated as Magic Number = (Current Quarter ARR - Prior Quarter ARR) / (Prior Quarter Sales & Marketing Spend).

Rule of 40

The "Rule of 40" frequently surfaces in SaaS discussions as a metric that evaluates a company's balance between growth and profitability. For a SaaS company to be considered "healthy," the sum of its growth rate percentage and its profit margin percentage should be equal to or greater than 40%. While some companies use revenue growth rates, we typically see ARR Growth used when calculating this metric. Regarding profit margin, the most commonly used metric is EBITDA Margin %.

Additional Considerations

It is important to note that the metrics discussed above showcase industry benchmarks for cybersecurity product (SaaS) companies. Cybersecurity services businesses typically target slightly different performance indicators.

Moreover, a company might intentionally deviate from these industry benchmarks at various stages, particularly in the early years. For instance, a company may prioritize accelerating growth, developing infrastructure, or making significant investments in R&D — strategic decisions that could naturally skew the aforementioned metrics.

If you'd like to discuss any of the above, or other insights into the Cybersecurity industry, drop me a line.

Best // Dino

Nina Gouas

Cybersecurity & IT Channel & Alliances leader EMEA - XIoT - Channel key player Award winner - Women in IT Security

1 year ago

Dino Congrats! As usual really insightful content. Thank you for sharing this amazing expertise of yours.

Stephen Thomas

CIS | Revenue Leader | Advisor | Angel Investor

1 year ago

Great read and insights as always, Dino B. My 3 takeaways were:

- Identifying the Critical Metrics for Cybersecurity SaaS Valuation
- Importance of Revenue Retention
- Balancing Growth and Profitability

For those actively involved in the cybersecurity SaaS space, how closely have you found your company's performance aligns with these key metrics? Are there any additional metrics you've found essential in evaluating your business's success and growth trajectory?

Alex Ignatenko

Data-Driven Marketing Evangelist | alexignatenko.com | Advanced Marketing Analytics | Up to 30% Acquisition Cost Slashing | Funnel Optimization | Proper Attribution | Server Side Tracking

1 year ago

Nice insights! I found the benchmarks on SaaS metrics really helpful.

CA Ravi Ladia

Chartered Accountant - Streamlining Business Finances | Expert in Virtual CFO Services, Due Diligence, Commercial Drafting, Auditing and Payroll Processing

1 year ago

Great insights on cybersecurity strategic activity and key SaaS metrics.
