Microsoft’s $15 billion cybersecurity business is giving investors new reason for optimism

In January 2021, Microsoft CEO Satya Nadella revealed the size of the software company’s security business for the first time. The number was big.

Nadella told analysts on an earnings call that the operation had reached $10 billion in annual revenue and was “up more than 40%” year over year. In other words, it was outpacing every other major Microsoft product.

The remarks were revelatory. Nadella was known for reviving Microsoft, overseeing a fivefold expansion in market cap by that point in his seven years at the helm. That growth was largely based on turning Microsoft’s cloud business into a more serious threat to Amazon Web Services in a giant market.

By letting investors in on the enormity of Microsoft’s security business, Nadella was casually uncovering a powerful growth engine. Total revenue across the company was up just 14% from the prior year. And by way of comparison, Palo Alto Networks, one of the largest pure-play security software companies, delivered 21% revenue growth over roughly the same period, on a base smaller than $4 billion.

“Nobody had any idea it was a $10 billion business,” said Andrew Rubin, CEO of cybersecurity software start-up Illumio, speaking of Microsoft’s security revenue. Rubin, whose company was valued last year at $2.75 billion, was surprised by the growth and scale of what Microsoft had assembled, spanning several markets and all three reporting segments.

Microsoft is scheduled to report fiscal third-quarter results on Tuesday, and investors might get another glimpse into what’s happening inside the company’s security unit. Ransomware attacks have only increased of late, leading to a surge in spending by enterprises, smaller companies and the public sector. And the U.S. government has warned of greater cybersecurity threats following Russia’s invasion of Ukraine earlier this year.

Security is proving to be a competitive advantage for Azure over AWS because the largest enterprises have always been big Microsoft customers and there’s a trust factor, Rubin said.

Like Rubin, Gregg Moskowitz, an analyst covering Microsoft at Mizuho Securities, was surprised when he first heard Nadella disclose the size and growth rate of the security business.

“I would have guessed somewhere between $5 billion and $10 billion,” said Moskowitz, who recommends buying the stock.

In January 2022, Nadella issued an update, showing that momentum was continuing to accelerate. Security was now growing at almost 45%, with help from some small acquisitions, and revenue had topped $15 billion a year. Nadella said more than 15,000 customers were using Azure Sentinel, a cloud-based Splunk alternative for poring over security data that Microsoft introduced in 2019.

Microsoft’s security portfolio also includes products to keep workers’ devices safe, track the use of cloud applications and provide secure access to corporate resources, making it a rival to CrowdStrike, Okta, Palo Alto Networks and others.

When asked for a comment on this story, a Microsoft spokesperson pointed CNBC to prior statements from Nadella, in which he focused on the company’s “cross-cloud, cross-platform” products, which “integrate more than 50 different categories across security, compliance, identity, device management, and privacy.”

Gauging just how much Microsoft is elbowing aside smaller rivals isn’t easy, because the company doesn’t provide more granular details. That leaves market players to speculate.

“There is a very large sector which is growing in high single digits, possibly north of that,” Palo Alto Networks CEO Nikesh Arora told Morgan Stanley analyst Hamza Fodderwala at a conference last month. “There are not many players who are consolidators in that sector. It’s still – I think that 3.5% was still the largest market share, depending on how you count Microsoft Security’s revenue.”

Research firm Gartner estimates that Microsoft controlled about 8.5% of the entire security software market in 2021, a larger share than any other firm.

One thing the security ecosystem knows is that hackers have successfully exploited vulnerabilities in Microsoft’s Exchange Server email and calendar software. That presented an opening for challengers.

Microsoft’s customers have been enduring “a crisis of trust,” CrowdStrike CEO George Kurtz said on his company’s earnings call in March 2021, after the initial revenue disclosure.

Microsoft clients were looking at the hacks and saying they would need to derisk and get another security provider, said Kurtz. He invoked the idiom of the fox guarding the henhouse — the notion that the entity responsible for protection is actually harmful.

Now Microsoft must find ways to be an even larger player in security. Moskowitz said the company might start more frequently releasing tidbits about security revenue or growth, but not each quarter. The regularity might be similar, he said, to announcements about usage of its Teams communication app. Nadella said in January that Teams had 270 million monthly active users in the fourth quarter after not giving a comparable number for six months.

Moskowitz isn’t counting on further acceleration for security revenue growth, but he said he wouldn’t be surprised to see the company drop tens of billions of dollars on an acquisition in the space.

“We think, strategically speaking, they are going to be far more interested in potentially acquiring strong cloud security assets, as opposed to a company that may have a heritage in the on-premise world,” Moskowitz said.

It wouldn’t come cheap. Even after the market correction to start the year, cloud security companies trade at some of the highest multiples in the tech industry, a reflection of how much businesses are spending to protect their data.

 — CNBC’s Ari Levy contributed to this report.

WATCH: Microsoft ‘is a real durable grower,’ says Evercore’s Materne