Intrusion Inc (INTZ) 2014 Q3 法說會逐字稿

Good afternoon. My name is Caitlin and I will be your conference operator today. At this time, I would like to welcome everyone to the Intrusion Inc. Q3 2014 financial conference call. (Operator Instructions)

Thank you. Michael Paxton, Chief Financial Officer, you may begin your conference.

Okay, thanks. Welcome to this afternoon's call to review Intrusion's third-quarter 2014 financial results and discuss our business. On the call today will be Ward Paxton, Chairman, Cofounder, President, and CEO; Joe Head, Vice President, Cofounder of the Company.

Ward will give a business update, I will discuss financial results, and Joe will give an ongoing projects update. We will be glad to answer questions following the prepared remarks.

We distributed the earnings release at around 3:05 today. A replay of today's call will be available at approximately 6:30 PM Central tonight for a one-week period. The replay conference call number is 855-859-2056. At the replay prompt, enter the conference ID number 31791974. In addition, a live and archived audio webcast of the call is available on our website, intrusion.com.

Please be reminded that during this call, including the question-and-answer session, we may make forward-looking statements with respect to financial results, business strategies, industry trends, and certain other matters. Forward-looking statements are based on management's current expectations and are subject to risk and uncertainties.

We may be discussing our current outlook for the current quarter and fiscal year 2014. These discussions are based on our own internal projections and could change prior to the end of the period discussed. Actual results might differ substantially from projections.

The information in this conference call related to financial results, projections, and other forward-looking statements is based on current expectations and we are not responsible to update forward-looking statements. Many factors could cause our projections not to be achieved, including current economic and market conditions and other factors which can be found in our most recent filing with the SEC, including our most recent annual report on Form 10-K filed in March 2014. Our most recent 10-Q was filed today.

Now we'll turn the call over to CEO and President, Ward Paxton.

Thank you, Mike. Welcome to Intrusion's third-quarter 2014 conference call. It's good to be with you today to discuss our progress and results.

Our net income in the third quarter improved slightly to about $150,000 compared to a near breakeven in the second quarter. Third-quarter revenue increased to just over $2 million, up by $225,000 from the second quarter.

Savant revenue in the third quarter was about $500,000 compared to $40,000 in the second quarter. Total orders in the third quarter were $3.3 million compared to $1.7 million in the second quarter. Included in the $3.3 million of orders was $700,000 of Savant orders.

Savant is our newest product family and it's focused in the new security market segment, which is called advanced persistent threat. A lot of players in the network security business have some sort of an APT product. Of course, we think that ours is the best and I'm sure you will share our view.

Now Mike Paxton, our Chief Financial Officer, will review our third-quarter financial results that we released a little over an hour ago. Mike?

Okay, I apologize for some of this being repetitive. Revenue for the third quarter was $2 million compared to $2 million in third quarter of 2013 and sequentially, $1.8 million for the second quarter 2014. Savant sales were at $500,000 this quarter, continuing to be far too low.

We will continue to see slow movement in Savant sales this quarter. It has been a frustratingly slow process, but I continue to believe in the product and its need by customers to support their security applications.

Gross profit margin was at 65% for the quarter compared to 60% in the third quarter of last year. Gross profit margin can be greatly affected by sales product mix of orders delivered in the quarter. In general, our goal is 65%, but it will be directly attributable to the mix of product shift.

Intrusion's third-quarter 2014 operating expenses were $1.2 million compared to $1 million for the comparable quarter in 2013 and $1.2 million in the second quarter 2014. Operating expenses should remain consistent and future growth will be determined by decisions to invest more in sales and marketing and/or research and development.

Net income for the third quarter was $147,000 compared to a net income of $173,000 for the third quarter 2013 and $22,000 loss in the sequential period of seven -- the second quarter 2014. Breakeven will generally be at $1.8 million to $1.9 million in quarterly sales.

To summarize, we increased sales sequentially. We now must continue to work with our sales team to increase sales of our commercial Savant APT product line. We hope to add new customers during the fourth quarter of 2014. Back to Ward.

Thanks, Mike. After the $270,000 loss in the first quarter and the near breakeven in the second quarter, the $150,000 profit in the third quarter continues a nice trend. Improvement is too slow, but we're moving in the right direction.

Now Joe Head, my partner, Cofounder, and Senior Vice President, will discuss our products and markets. Joe?

This quarter, we were happy to report new orders for both TraceCop and Savant. On our last call at the beginning of Q3, we booked initial orders for three new customers for TraceCop at just over $1 million. Those three contracts alone will increase our billings by $1.65 million per year.

In the rest of the third quarter, orders added up to $3.3 million. Best of all was two initial orders from new Savant threat analysis customers for $310,000 and $356,000, respectively. In these, we installed Savant at two initial campuses and have submitted monthly reports to the customers on numerous compromises we discovered.

Our sales presentation continues to be refined and is getting simpler. At a security conference two weeks ago, I said if what you heard today is true, I am wrong. If I'm right, every other speaker has it wrong.

I actually heard an FBI guy talk about a study where they were trying to train employees not to click on emails that might be suspicious to prevent infection with malware. This is insane.

Doesn't the FBI know about source links? You don't have to click on something to have it automatically [affect] and executed. It is as naive as a three-year-old proposing that NASA land on the sun at night when it's cooler.

Spearfishing is an art. If you receive malware in the mail, you can't overcome the threat with user training. Security is no longer credible if you base your defense on keeping malware out. Every adversary that is worth their salt uses zero-day compromises.

And just for the new folks on the call, a zero day is defined as a custom-designed never-seen-before attack. And they use those to prevent these new attacks from ever being detected. That means if you know everything that's possible to know about targets compromised, this knowledge would not lead you to better protect PF Chang, Harbor Freight, Home Depot, or JP Morgan against compromises by the same adversary, because not one hostname, not one IP address, not one infectious file checksum found that any one of these compromises was used at any other.

Today, the adversaries are well funded and nimble. They build fresh tools for every victim and they steal or lease fresh drop boxes for every new victim's secrets to be infiltrated to.

To another customer, I explained it this way. It's a matter of looking in the wrong direction. I said what -- for example, what if Dallas-Fort Worth Airport had a rash of thefts from the terminals? Stuff stolen from the gates, from the airplanes, and from the airport shops.

If you ask the TSA to clamp down harder with their security, that would be ludicrous, because they are looking in the wrong direction. The problem ain't what the passenger and employees are bringing in that's the problem. Theft as the exit through unmonitored doors is the problem. Same with the networks we watch.

Incoming inspection to look at the signatures of malware is looking the wrong way. Everything the Chinese want installed on your phone or your computer was installed by them at the factory before you bought it.

The key is looking outbound. Thus my comment about the industry. Everybody still is talking outside in. We are the inside out guys. We watch and make recommendations based on data leaving your network.

And this is the common denominator in security breaches, regardless of how the compromise was made -- either at the factory by a user making a mistake or by installing a software package with malware or by an employee who is intentionally leaking secrets. Savant threat analysis will see the outflow of data.

A key part of our analysis is finding flows that don't make business sense and don't match the patterns of employees goofing off, either. Over this in the last quarter, our TraceCop business has picked up a few new customers.

Our Savant business was below expectations last quarter, but starting to turn around now. We have had two nice wins, landing two Savant customers in the third quarter. We expect one of these to add another campus this month. Rumor has it that we've also won our first international customer, but we are waiting this order from a resale partner.

In addition, we expect another $310,000 order for Savant this month to replace inventory for a previous customer installation, so that the partner has additional Savants for customer evaluations and quick response installations.

Our large reseller partner reports a number of additional prospects they are working, but it's too early to tell if this represents an uptick in their energy level. But the good news is that they are getting orders and doing so with internal talent that we have trained months ago.

They handed additional new customers for Savant, and as our partner gains more confidence in their ability to win and engages a larger portion of their sales force to reach a larger portion of their customer base with Savant, it will be good for us. It's been over a year to reap the first few customers, but we're glad to see their momentum increase.

As we reported, we felt that our Savant product has a bigger market than we can reach with our internal sales force, so we've been working through that large partner for the last year. The order we hoped to get last quarter was booked and installed and they surprised us with another customer win last quarter that we didn't see coming.

So as Mike said, that channel has developed slower than expected, but our partner's customers remain interested and they continue to present new quotes and updated offers all the time. Our partner continues to put a healthy amount of effort into Savant sales efforts with large accounts, so we are happy to report that they are turning prospects into orders now.

The first of these two major Savant customers just got their second monthly report. On the first customer, our report was briefed at the customer's Board of Directors meeting with our reseller's CEO in attendance. The customer was ecstatic with the results, so much so that our reseller has elevated the Savant product offering to number one on their security presentation slide deck.

Just yesterday, they elevated their expectations for growth and told us to get ready. We are ready and we've been waiting on their uptick for a year now. If they really turn on, that will be measurable for us, but we will see how this uptick in excitement translates into orders as we go forward. With thousands of salesmen, it takes a large ripple of excitement to stir all of them up.

We've also engaged with a number of additional representatives for which we have two goals. One is direct sales to end-users. And two, to identify additional players in the security industry who need what we have.

In the third quarter, we got our first small order from this new channel. The new team consists of three representatives which work as reps for us. In their initial month of connections, they now have a number of security and solutions providers that are quoting Savant threat analysis to end-users.

I'm making a few sales calls a week with this expanded sales team and their pace is accelerating. Vijay has also moved into this area and is spending full time focused on selling Savant threat analysis to end-users through new resale channels and getting new types of referral and payment schemes for Savant security to high threat customers globally.

TraceCop continues to be a strong product. We've been briefing some old customers about TraceCop enhancements that they do not subscribe to, with a view to expanding this business for some of our oldest customers.

With our newest employee sales guy, we've also -- looking to put an analyst working on more cyber problem sets. He got his first order last quarter and is working four more prospects for new business.

Our model so far has been to provide analysts to use all of our TraceCop product suites and reference data sets here in Dallas and to produce reports we deliver to the customer. We plan on new business from a few new customers that will increase that work.

Our Savant plus TraceCop offerings detect the advanced persistent threat and how we have -- and I've told you in the past about how we have two levels of offering in this space. Reflecting on this, we believe that the advanced persistent threat isn't the right turn, but rather defending against sophisticated adversaries is a more correct statement. APT only addresses a minor subpart of the challenge.

Our first step is a threat report, which gives the customer a report card on the number of scary connections that indicate the presence of compromises in a network. This report has not failed once to find compromises in every customer.

This opened doors by way of a low-cost engagement, typically of $15,000 to $50,000, and points the way to deploying Savant within enrichment at one or more of the customer's campuses or datacenters. People have suspected the presence of deeper compromises, which evade detection by firewalls, IDS systems, and the like, but have been unable to see them.

One industry report showed that the average time to find a new compromise averages 243 days from the breach to its discovery. In our work, we've yet to find a customer with more than 90 days of network traffic logs. Most have less than 30 days.

This means that once you have a breach or the FBI calls notifying you of one, we haven't found the customer that has logs that allow them to trace back and see which hosts were infected first and what systems the hackers breached with that first beachhead.

At Target, Neiman Marcus -- as Target, Neiman Marcus, and others continue to make the news, the inability to detect long-term compromises on well-managed and well-run networks is now firmly established. These networks were severely compromised, where the theft of millions of people's private data was not detected at all for months, if not years.

Savant makes it easy to keep 10 years of logs, a huge improvement over the industry's typical 30 days. That's because of our patents, where we can store a record of every single connection in a novel way, letting us keep more details than others for a much longer time.

Customers are beginning to understand our polarity shift. Many old-line security solutions focus on outside in, meaning they are trying to recognize compromises as they enter the network for the initial compromise.

Intrusion is focused in the opposite direction than our analysis. We assume the enterprise is already compromised and we look for signs that your data is leaving the network, which we call inside out. We're focused on initial sales to very large corporations through our direct sales force, representative, and resale partners.

Our traditional business, of which TraceCop remain steady, and the new accounts for TraceCop business continue to progress as we have forecasted, so I view the new Savant threat analysis commercial sales as a huge upside in the commercial space, while our traditional business remains steady and growing slowly.

All the renewals we were expecting in TraceCop have either renewed or remained in the budget for renewal when the current funds expire. And now we've seen a few new projects place first-time TraceCop orders while we await several new project starts to be awarded.

This gives us comfort in our stable base, as we have seen over the past several years, with some upside in our historical customer base as we continue to invest in the security value-added reseller channel, where we think there's more upside opportunity.

The commercial security space is ripe for solutions that don't leave companies like Target naively happy with the industry's previously accepted technical approaches. You can't overcome new threats trying to use tools that don't work, even if you try really hard.

Savant is all about visibility of all flows. While everybody else is talking signatures and keeping threats out, we are the inside out guys. All the recent massive compromises were done against networks with huge security budgets and all of those massive compromises remain undetected for prolonged periods of time. It's an obvious conclusion that outside in-oriented defenses didn't work for JP Morgan, Target, Home Depot, Harbor Freight, Neiman Marcus, and others.

Savant finds compromises exfiltrating secrets where other solutions don't. My focus is on expanding sales, to tell more people our story, get orders and grow the business. We have high-level meetings with our large reseller scheduled for the next few weeks, plus scores of end-user customer meetings through our other new reps scheduled.

We will sell hard to a wider audience and be ready to scale our efforts here as soon as we see more acceleration in our success selling Savant to the larger commercial market. Ward?

Thanks, Joe. We have a lot of new potential customers for both Savant Advanced Persistent Threat business and the TraceCop business. Our expectations for growth in both business segments are significant. The whole Intrusion team is excited about the potential of our business and are working hard to achieve our expected results.

We thank you for joining our call today and for your interest. Mike?

Okay, operator, can you remind the participants on how to ask questions?

(Operator Instructions) Walter Schenker.

Well, progress is better than no progress, I guess, even if it's a little disappointing. I went back and looked at the transcript from three months ago -- this is to Joe more than Michael.

Both because we had a discussion last quarter about TraceCop and the fact that we expect -- you expected, I just listen -- TraceCop to accelerate in the September quarter. Joe thought -- you said you had some new customers and that TraceCop should be running at a level basically to cover the $1.8 million, $1.9 million, not using it.

And I went back and looked and I tried to get you well above $2 million. And Michael said no, about $2 million, and Joe said somewhere in that order and hopefully we'll get some more.

TraceCop continues to run at $1.5 million. Did some stuff get pushed out? Were we too optimistic? When do we see TraceCop actually show some growth?

Some of those, Walter, that were in -- will renew this quarter, I think fulfills that thing. So our hedging of a little above, a little below had to do with how quickly did they come in -- the things that have expired and get renewed, but it's all -- I had no dropouts.

But we have no growth either. It's $1.5 million for the quarter just ended. It is -- if I had to go back over two years, there are better quarters, there are worse quarters, but $1.5 million is -- we had some $1.8 millions, we had some $1.2 millions, but that's basically running with some quarter-to-quarter variability sideways.

But therefore, I'm supposed to take away that looking forward, you expect that to move up to a higher level.

Right. I think with the 3.3 million orders, that wasn't -- that we didn't book 2 million and sell 2 million, we booked 3.3 million and shipped 2 million. So it's up a bit.

Okay. Could you just -- two other things. First, you -- the people you made a positive comment about your Savant installations, it is doing -- as you look at it, which is the highest level -- you are very -- you are happy, very happy. It's really doing what you thought it was capable of doing in a real commercial installation?

Yes. That was what I was really looking for is we can do our best, think it's a great, and the customer can go ho ho hum. Sort of like showing somebody ColdFusion for the first time. They can say wow, that's the biggest breakthrough ever. They can say so what, it glows.

And so the nice thing is at the board -- the customers' board meeting, they came back and said they are just completely happy. They used a colloquialism that about a pig in something or other --

Okay.

That they were happier than that, so it enthused our resell customer to increase their effort to sell more, which is good. That's not just us thinking it, but our reseller and the end customer really love it.

So that's from one of our two big installations. The second one, we haven't gotten ecstatic reports. I hadn't really gotten any meaningful feedback yet, other than yes, we got it and we fixed the stuff you told us.

Okay. And when you have moved beyond your big -- your secret big reseller and you indicated you've added some smaller people, they are operating at a different level of customer or they are just looking at the areas that the big guy hasn't gotten to? And so they are not looking at Fortune 100 or 200 companies or they are looking at (multiple speakers)

The reseller so far have been looking at government -- state and federal government and international customers that are shippers, banks, insurance companies, and things like oil fields and harbors. So it's a different market than our reseller has been looking at so far.

And they have history in the security area?

Correct. These guys -- one of them is a supplier of datacenters. They are sort of an integrator of big datacenters and they are adding security on top of it, which they've done in the past, but it hadn't been very effective. It's just typical firewalls and IDSs, so they are adding to Savant to differentiate themselves from other suppliers.

Okay. And you directly are also marketing the product?

Through them, mostly.

Okay.

But yes, I'm going -- as my name -- Intrusion, directly to the customer with them.

Okay. So away from the big customer, the client knows that Intrusion's [behind this much--]

Correct.

Not your reseller.

That's correct.

Okay. And --

That gives us a little bit faster sales cycle.

And we would expect -- I know you said $700,000 of Savant was sold in the last quarter. Hopefully this quarter, we would sell more than that?

I would hope so. Currently, I've got a little less than that in the queue for immediate orders. I think you have about $530,000 or something in the queue right now.

But with the --

Yes, Walter, you have to keep in mind, the fourth quarter is kind of a squeaky quarter for orders. Sometimes you get things that get delayed into the first quarter. It's not unusual.

I'm not asking revenues. Sometimes, you can see that people make [inclusions] on sales.

Same thing with orders and revenues. Fourth quarter frequently is your smallest quarter of the year.

Yes, people get into the Christmas spirit early.

Okay. I will follow up with you on the next couple of days with that. Trying to move Joe to the big city one day.

I'm sending -- I'm doing in-customer calls a couple days a week, so that's -- it's a good uptake for me.

I know. Good. Okay, thank you.

Next question, operator?

(Operator Instructions) [Keith Kramer]

Yes, hi. With APT, your sales ramp, if I'm understanding it right, is now starting to accelerate because the reseller is rolling Savant out to their sales force compared to before, where it was just the beta test clients who saw it worked great and they wanted to buy. Is that kind of a good summary?

Yes, you said --

I mean, compared to three months ago, the reseller is moving into the initial innings of the sales force promoting Savant compared to before, where the sales force wasn't even really involved, because it was the biggest --

Yes, that's correct. So our reseller, they had a small specialty security branch that was selling our stuff, that was a dozen or so specialists. In this last quarter, they've incentivized the whole sales force to sell it.

But that's -- they're still in the state where they don't all know about. But now they have a trained person in every region. A couple hundred folks that have been trained on it, have the slide decks, and supposedly know how to sell it.

Okay.

So -- but like anything else, it will grow from a smaller group to the larger group.

The last conference call discussed forms of bad guy communications -- DNS, I believe, malware that's invisible to the virtualization machines, but it is visible to Savant and lights up with Savant.

Yes.

The companies like FireEye and Symantec, Cisco, Palo Alto -- which of those are able to detect that new DNS APT attack that you described in the last conference call?

I would say all of them theoretically could, if they would, but the way they would do it would be a little bit cumbersome. So for all of those guys that you named, if I was working at them, I would take the DNS -- the internal DNS resolvers and create a DNS log and then sort of scrub that and start analyzing it.

But I'm not aware that any of those guys have such a product. And it would be sort of a sucky thing to have to do, because you get so many billion DNS queries a day. I don't think it would scale well without patents. So I'm not trying to dodge the question, but anybody could look for such of a thing, but I don't know that they would find it.

I think we're saying theoretically, they have the capability, but they really can't do it.

Correct.

So all those security companies are allowing that APT DNS threat to get through and the stolen data goes back to the hacker. That's what's happening right now?

That is correct. There is a few guys along the way that do some DNS sinkholing, which they basically go to the DNS server and they say here is a list of things to block. And of the names that you listed, I believe Hewlett-Packard and Cisco are the two that do some DNS sinkholing.

The problem is my comment, like I said about Target, Neiman Marcus, and the rest of them, if the comms made from this campus are different than have been made anywhere else in the world, they don't know what to put on their list. And so we're basically doing behavior profiling and discovering those.

So if you -- to put it in perspective, if I look at the last month's reports from our existing Savant customers, I believe about one in five or -- probably one in seven things we reported had DNS exfil. The rest were other, more traditional comms using FTP or mail or something else to get the data out.

But you're right, the newest ones are DNS. And in fact, a new killer one got announced today.

So for your team, the Home Depot, the JP Morgan breaches news, that was not a surprise?

No.

Because you've been seeing that these bad guy communications are being let through the virtualization machines every day because you've seen the -- some of the potential clients sharing their log with you and you see how they get through -- all these bad communications?

Correct. And they don't even have to potentially share. We have -- we have had Savants install sort of at Internet backbone level for years now. And so we've got a pretty good representative sample of the world's comms.

So unless there are other choices, every Fortune 500 company would require Savant in order to be safe against this new style of APT attack. Is that correct?

Yes. I would say yes, that's a qualified yes. Are there alternates if we were to fall in our face? Yes, you could start looking at traffic analysis on top of net flow or something on top of some kind of communication log to do it another way.

But yes, we have a ripe big market and that's why I focused in the last paragraph of my comments about it's my job to get our sales pitch out to all of the guys that are in the value-added security -- the big security integration groups.

My intention is to go pitch each of those guys that says name all of the security value-added resellers in the world. I intend to see them all this quarter and say here's what we can do for you and here's -- I think it closes the blindside that you all have. Would you like some?

Last conference call, you mentioned that in a head-to-head competition, Mandiant -- I'm sorry, Savant beat out Mandiant.

Correct.

Also in the last conference call, it was mentioned you had 6 to 8 likely clients to be signed out of the 15 to 20 that were in discussions. How many are likely to be signed up [reasonably] now and in discussions with, etc.?

Well, I think we're still working on the group that we talked about at the last conference call. As Joe indicated, we've gotten two of the clients now with the installations and expecting those to grow, so the overall set of customers is growing.

Yes. I think what -- your summary. I was sort of saying when you were asking that question, because as the sales force is growing, we have lost some visibility about all the quotes that they are doing.

So I've got the same 15 or so on my list. They are a short list of things that they expect orders from. I believe it was five or seven as of two days ago at the big reseller. But then on the other hand, I've got another dozen with the new channel as well. So it's net doubled.

How many would I expect to order this quarter? I don't know the answer to that. [Sug right] has the right answer, but I would hope for -- I think I got three in the bag and looking for another four.

That's this quarter? Out of those --

Correct. Yes.

Okay. So the number of sales people and security experts that the reseller is using for the sales ramp at Savant has increased the last three months?

Correct. They've gone from a dozen -- originally 3 security experts to then 19 and now they've added another 200. They are the regional guys and then those support a sales force of lots of thousands. The number that have actually engaged is still small. But if the boss says hey, dang it.

So the one that we beat Mandiant at is the one that came back from the Board meeting and said they were happier than a pig in something or other with our results. And so that's -- my comment about ripples in a big pond.

If they really turn on, it will be incredible for us. But we've been watching them mess around for a year with not a groundswell of change, so big places accelerate slowly. But I think the trend is at least positive rather than ho-hum, we don't care.

But I didn't quite get all that. So last quarter, there were about 3 experts and now there are 19 or 200 or --

Yes, from second quarter, we had 3 and in the third quarter, they had trained 19. And then at the beginning of this quarter, they'd expand it and they have 200 regional security specialists that they trained. And so now all of their global sales force have a regional security guy that's been trained on Savant.

Okay. So that's why you feel like you could get three customers this quarter?

No, that's -- I think -- when those guys turn on, we're going to be seeing a lot a week. The question is when will they actually start getting orders. Will they actually make that turn on?

And I'm not attempting to be negative, other than just to be realistic. Is it big places like that. If it was a small place, you'd expect reaction in a month and big places ramp slowly. When those turn on, then the numbers I quote will be wrong, grossly, on the small side.

All right. Final question, Keith?

Yes. The -- what preceded the comment by the -- was it the reseller that said get ready for -- what preceded that optimism or comment? Was that from -- I didn't quite catch that on the --

That was their comment back from our -- their first customer, which was one of the two install last quarter. They got such a positive response, because the CEO of their company was at the end customer's Board of Directors meeting and he got such a positive response for what we had been able to find that no one else had that had closed real security breaches they had, that they were saying get ready for lots of orders, because we are pushing you.

Okay. That was the resellers telling you get ready for a lot of orders?

Correct.

Yes.

Okay. Thank you.

Operator, do we have any other questions?

There are no further questions at this time.

Okay. At this time, we will wrap up the call. Thank you for participating in today's call. If you did not receive a copy the press release or if you have further questions, you can contact me at 972-301-3658 or email mpaxton@intrusion.com. Thanks a lot.

This concludes today's conference call. You may now disconnect.