S-1/A 1 f28075a4sv1za.htm AMENDMENT TO FORM S-1 sv1za
Table of Contents

As filed with the Securities and Exchange Commission on December 7, 2007
Registration No. 333-145974
 
UNITED STATES SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
 
 
 
 
Amendment No. 4
to
Form S-1
Registration Statement Under The Securities Act of 1933
 
 
 
 
 
ArcSight, Inc.
(Exact name of Registrant as specified in its charter)
 
         
Delaware
(State or other jurisdiction of
incorporation or organization)
  7372
(Primary Standard Industrial
Classification Code Number)
  52-2241535
(I.R.S. Employer
Identification Number)
 
 
ArcSight, Inc.
5 Results Way
Cupertino, California 95014
(408) 864-2600
(Address, including zip code, and telephone number, including area code, of Registrant’s principal executive offices)
 
 
Robert W. Shaw
Chief Executive Officer and
Chairman of the Board
ArcSight, Inc.
5 Results Way
Cupertino, California 95014
(408) 864-2600
(Name, address, including zip code, and telephone number, including area code, of agent for service)
 
 
Please send copies of all communications to:
 
         
David A. Bell, Esq.
Daniel J. Winnike, Esq.
Yoonie Y. Chang, Esq.
Michael J. Hopp, Esq.
Fenwick & West LLP
801 California Street
Mountain View, California 94041
(650) 988-8500
  Trâm T. Phi, Esq.
Vice President and General Counsel
ArcSight, Inc.
5 Results Way
Cupertino, California 95014
(408) 864-2600
  Bruce K. Dallas, Esq.
Davis Polk & Wardwell
1600 El Camino Real
Menlo Park, California 94025
(650) 752-2000
 
Approximate date of commencement of proposed sale to the public:  As soon as practicable after this registration statement becomes effective.
 
If any of the securities being registered on this Form are to be offered on a delayed or continuous basis pursuant to Rule 415 under the Securities Act, check the following box:  o
 
If this Form is filed to register additional securities for an offering pursuant to Rule 462(b) under the Securities Act, please check the following box and list the Securities Act registration statement number of the earlier effective registration statement for the same offering.  o
 
If this Form is a post-effective amendment filed pursuant to Rule 462(c) under the Securities Act, check the following box and list the Securities Act registration statement number of the earlier effective registration statement for the same offering.  o
 
If this Form is a post-effective amendment filed pursuant to Rule 462(d) under the Securities Act, check the following box and list the Securities Act registration statement number of the earlier effective registration statement for the same offering.  o
 
The Registrant hereby amends this Registration Statement on such date or dates as may be necessary to delay its effective date until the Registrant shall file a further amendment which specifically states that this Registration Statement shall thereafter become effective in accordance with Section 8(a) of the Securities Act of 1933 or until the Registration Statement shall become effective on such date as the Commission, acting pursuant to said Section 8(a), may determine.
 


Table of Contents

The information in this prospectus is not complete and may be changed. We may not sell these securities until the registration statement filed with the Securities and Exchange Commission is effective. This prospectus is not an offer to sell these securities and we are not soliciting offers to buy these securities in any state where the offer or sale is not permitted.
 
 
PROSPECTUS (Subject to Completion)
Issued December 7, 2007
               Shares
 
(ARCSIGHT LOGO)
 
 
COMMON STOCK
 
 
 
 
ArcSight, Inc. is offering                shares of its common stock and the selling stockholders are offering           shares of common stock. We will not receive any of the proceeds from the sale of shares of common stock by the selling stockholders. This is our initial public offering and no public market exists for our shares. We anticipate that the initial public offering price will be between $      and $      per share.
 
 
 
 
We have applied to have our common stock listed on The NASDAQ Global Market under the symbol “ARST.”
 
 
 
 
Investing in the common stock involves risks. See “Risk Factors” beginning on page 8.
 
 
 
PRICE $      A SHARE
 
 
 
                                 
          Underwriting
          Proceeds to
 
    Price to
    Discounts and
    Proceeds to
    Selling
 
    Public     Commission     ArcSight     Stockholders  
 
Per Share
    $           $           $           $      
Total
    $              $                 $              $         
 
We and the selling stockholders have granted the underwriters the right to purchase an additional           shares of common stock to cover over-allotments.
 
The Securities and Exchange Commission and state securities regulators have not approved or disapproved these securities, or determined if this prospectus is truthful or complete. Any representation to the contrary is a criminal offense.
 
Morgan Stanley & Co. Incorporated expects to deliver the shares of common stock to purchasers on          , 2007.
 
 
 
 
MORGAN STANLEY LEHMAN BROTHERS
 
WACHOVIA SECURITIES RBC CAPITAL MARKETS
 
, 2007


Table of Contents

(GRAPHIC)
Stolen Online Applicant Data Put to Bad Use The Trojan horse used to steal personal data from Online Applicant sends targeted spam seeking recruits for money-laundering jobs The Trojan responsible for stealing more than 1.6 million personal records from Online Applicant uses that infor—mation to build targeted spam that offers recipients lucrative, but illegal, money laundering jobs, effectively turning some victims into criminal accomplices said spokesperson Wednesday job search site. Criminals then used the stolen names, e-mail addresses, home address, phone numbers and resume identification numbers to create convincing e-mail   contained malicious   those messages inclu   password-stealing Tro   monitored the infecte   to online banking ac   sniffed a log-on in p   recorded the usernam   then transmitted the   hacker server that M   tered Wednesday. ArcSight Pharmaceutical firm confirms third breach involving employee data since June As many as 34,000 workers may be vulnerable to ID theft Pharmaceutical company appears to be having an especially hard time of late keeping its employee data secure. many as 34,000 of its employees may be at risk of
Computer viruses seek out your cell phone As cell phones get smarter, they also become a target for malicious code. Here’s how to protect yourself When it comes to cell phones, the smarter they are, the hard for viruses. Almost one phones But these increasingly capable devices are also increasingly vulnerable to mobile viruses. The same computer-like features that make smartphones appealing — an operating system that makes it easy to add new software programs, increased storage, and more powerful processors — also make them a target for hackers. “Mobile viruses worse,” say tech
Are you protecting your business?
Employee Walks Away With $400 Million In Trade Secrets Company scientist downloaded 22,000 sensitive documents and accessed 16,000 others as he got ready to take a job with a competitor The U.S. Attorney’s office in Delaware last week revealed a massive insider data breach at Company in which a scientist stole $400 million worth of trade secrets from the chemical company and now faces up to 10 years in prison, a fine of $250,000, and restitu- in March. ng Min, pleaded guilty to stealing
Estonia Computers Blitzed, Possibly by the Russians The computer attacks, apparently originating in Russia, first hit the Web site of Estonia’s prime minister on April 27, the day the country was mired in protest and violence. The president’s site went down, too, and soon so did those of several departments in a wired country that touts its paperless government and likes to call itself E-stonia. Then the attacks, coming in waves, began to strike newspapers and televi—sion stations, then schools and finally banks, raising fears that The attacks have peaked and tapered off since then, but they have not ended, prompting officials there to declare Estonia the first country to fall victim to a virtual war. “If you have a missile attack against, let’s say, an airport, it is an act of war,” a spokesman for the Estonian Defense Ministry, Madis Mikko, said Friday in a telephone interview. “If the same result is caused by computers, then how else do you describe that kind of attack?”

 


Table of Contents

(GRAPHIC)
Fraud Data Theft Cyber-Crime Frau Policy Viotatto MaIware Identity T
Cyber-Crime
Firewall VPN delware
cyber-Crime
Malware
F28075 02
offices
Platform

 


 

 
TABLE OF CONTENTS
 
         
    Page
 
    1  
    8  
    26  
    27  
    27  
    28  
    30  
    32  
    34  
    59  
    77  
    106  
    107  
    110  
    114  
    116  
    120  
    124  
    124  
    124  
    F-1  
 EXHIBIT 23.1
 
 
You should rely only on the information contained in this prospectus or in any free-writing prospectus we may specifically authorize to be delivered or made available to you. We have not, the selling stockholders have not and the underwriters have not authorized anyone to provide you with additional or different information. We and the selling stockholders are offering to sell, and seeking offers to buy, shares of our common stock only in jurisdictions where offers and sales are permitted. The information in this prospectus or a free-writing prospectus is accurate only as of its date, regardless of its time of delivery or any sale of shares of our common stock. Our business, financial condition, results of operations and prospects may have changed since that date.
 
Until          , 2007 (25 days after the commencement of this offering), all dealers that buy, sell or trade shares of our common stock, whether or not participating in this offering, may be required to deliver a prospectus. This delivery requirement is in addition to the obligation of dealers to deliver a prospectus when acting as underwriters and with respect to their unsold allotments or subscriptions.
 
For investors outside the United States: We have not, the selling stockholders have not and the underwriters have not done anything that would permit this offering or possession or distribution of this prospectus in any jurisdiction where action for that purpose is required, other than in the United States. Persons outside the United States who come into possession of this prospectus must inform themselves about, and observe any restrictions relating to, the offering of the shares of common stock and the distribution of this prospectus outside of the United States.


i


Table of Contents

 
PROSPECTUS SUMMARY
 
This summary highlights information contained elsewhere in this prospectus and does not contain all of the information you should consider in making your investment decision. You should read this summary together with the more detailed information, including our financial statements and the related notes, provided elsewhere in this prospectus. You should carefully consider, among other things, the matters discussed in “Risk Factors.”
 
ARCSIGHT, INC.
 
We are a leading provider of security and compliance management solutions that intelligently mitigate business risk for enterprises and government agencies. Much like a “mission control center,” our ArcSight ESM platform delivers a centralized, real-time view of disparate digital alarms, alerts and status messages, which we refer to as events, across geographically dispersed and heterogeneous business and technology infrastructures. Our software correlates massive numbers of events from thousands of security point solutions, network and computing devices and applications, enabling intelligent identification, prioritization and response to external threats, insider threats and compliance and corporate policy violations. We also provide complementary software that delivers pre-packaged analytics and reports tailored to specific security and compliance initiatives, as well as appliances that streamline threat response, event log archiving and network configuration.
 
We have designed our platform to support the increasingly complex business and technology infrastructure of our customers. As of October 31, 2007, we had sold our products to more than 400 customers across a number of industries and government agencies in the United States and internationally, including companies in the Fortune Top 5 of the aerospace and defense, energy and utilities, financial services, food production and services, healthcare, high technology, insurance, media and entertainment, retail and telecommunications industries, and more than 20 major U.S. government agencies.
 
As enterprises and government agencies increasingly utilize an interconnected information technology and business infrastructure to enhance efficiency, exchange information and conduct business with partners, customers and suppliers, these organizations expose their infrastructure and data to heightened security risks and are subject to increasing compliance requirements. The large number of heterogeneous devices and applications in a geographically distributed corporate infrastructure generates a massive amount of event data that is challenging to monitor or analyze at an enterprise-wide scale for security vulnerabilities and compliance violations. Vendor-specific management consoles and traditional systems management tools are limited in scope or are not equipped to handle a large volume of data. In addition, organizations have difficulty identifying events that are threatening in nature because they are unable to distinguish threats from the “white noise” of normal event activity, to recognize risks by correlating events reported by disparate systems, to understand the context in which the events arise or to appropriately prioritize responses according to risk level or corporate policy.
 
The need for a highly scalable, holistic and intelligent solution that can help organizations address these challenges in real-time is growing. The market for security and compliance management solutions today includes security information and event management, forensics and incident investigation, policy and compliance management and network change and configuration management. According to a report by International Data Corporation, or IDC, the security information and event management, forensics and incident investigation, and policy and compliance management markets are projected to grow, in aggregate, from $993.6 million in 2007 to $2.2 billion in 2011, representing a compound annual growth rate of 22.1%. In separate reports, IDC projects that the network change and configuration management market will grow from $157.1 million in 2007 to $372.6 million in 2011, representing a compound annual growth rate of 24.1%, and the compliance infrastructure software market, in which we also compete, will grow from $6.2 billion in 2007 to $10.6 billion in 2010, representing a compound annual growth rate of 19.5%.
 
Our Solutions
 
Our ESM platform identifies and prioritizes high-risk activity and presents a consolidated view of threats to the business and technology infrastructure in rich, graphical displays. Our platform collects streaming data from event sources, translates the streaming data into a common format, and then processes this data with our correlation


1


Table of Contents

engine in which complex algorithms determine if events taking place conform to normal patterns of behavior, established security policies and compliance regulations. Once threats are identified, our ArcSight TRM (Threat Response Manager) and ArcSight NCM (Network Configuration Manager) appliance products help our customers easily re-configure network devices to remediate threats and prevent recurrence. In addition, through our new ArcSight Logger appliance, we enable efficient and scalable storage, preservation and management of terabytes of enterprise log data for compliance requirements or forensic analysis. Our customers enhance the value of individual security products in their business and technology infrastructure by integrating them with our platform. Key benefits of our solutions include:
 
  •  Enterprise-Class Technology and Architecture.  We design our solutions to serve the needs of even the largest organizations, which typically have highly complex, geographically dispersed and heterogeneous business and technology infrastructures.
 
  •   Interoperability.  We provide off-the-shelf software connectors for over 240 products, including security devices, end-user devices, networking equipment, computing infrastructure, other IP-enabled devices, and enterprise applications and databases, from approximately 100 vendors, allowing our customers to rapidly deploy our platform in their existing business and technology infrastructures.
 
  •   Flexibility.  In addition to providing off-the-shelf connectors, our ESM platform is designed to enable customers to rapidly build interfaces to new products, proprietary applications and legacy systems.
 
  •   Scalability.  Our ESM platform enables customers to collect and correlate millions of events per day from a large number of heterogeneous devices and applications in real-time, and may be expanded by the customer over time to incorporate additional departments, branch offices or geographies, as well as additional categories of devices and applications, while maintaining the overall performance of the platform.
 
  •   Archiving.  Our solution helps customers store event data to satisfy regulatory recordkeeping requirements by providing cost-effective and centralized event log archiving.
 
  •  Intelligent Correlation.  Our correlation engine distills a large number of events occurring daily into intelligence that allows customers to identify, prioritize and respond to specific threats or compliance violations.
 
  •  Streamlined Response and Seamless Workflow.  Our products simplify the management of the broad range of notifications and actions that must take place to remediate a threat and prevent recurrence across the technology infrastructure, thus narrowing the period of vulnerability.
 
  •  Reporting and Visualization.  We present threat information through a rich and intuitive graphical user interface, through which customers can view risk across their organization in a variety of ways, address internal and external compliance requirements and communicate the value and effectiveness of the organization’s security operations.
 
Our Strategy
 
Our objective is to be the leading provider of security and compliance management solutions that intelligently mitigate business risk for enterprises and government agencies. The key elements of our strategy to achieve this objective include:
 
  •  Grow Our Customer Base.  We plan to increase our presence globally by expanding our direct sales force and building additional relationships with channel partners. We also plan to further penetrate the mid-market through an expanded network of channel partners and continued development of appliance-based products.
 
  •  Deepen Our Penetration of Existing Customers.  We intend to facilitate expanded deployments of our products with, and to introduce new solutions to, our existing customers. We expect our appliance-based products to generate opportunities for additional sales to our installed base as customers build on their existing implementations.


2


Table of Contents

 
  •  Extend Our Partner Network.  We have established technology partnering arrangements with companies such as CA, Cisco Systems, IBM, Juniper Networks, McAfee, Oracle, SAP and Symantec to facilitate the ability of our software to collect event data from the many third-party devices and applications that the customer may use in its business and technology infrastructure and to understand emerging customer requirements and use cases for our products. We similarly work with other vendors, such as Check Point Software Technologies, Trend Micro and Websense, without formalized partnering arrangements. We will continue to work with technology partners and other vendors to provide for compatibility between our platform and their latest products.
 
  •  Extend Our Expertise in Security Best Practices.  We will continue to develop pre-packaged software solutions that are tailored to address specific security and regulatory concerns, as we have done with our existing IT governance, Sarbanes-Oxley compliance, Payment Card Industry (PCI) compliance and Insider Threat packages.
 
  •  Extend Our Value Proposition to Additional Event Sources and Business Use Cases Beyond Traditional IT Security.  We intend to create new sales opportunities by developing solutions that address high-value additional use cases for our platform. In addition to using our software to mitigate risk from external or insider threats and to satisfy compliance requirements, we believe that enterprises are increasingly finding value in leveraging our highly scalable, real-time event correlation platform for applications beyond security.
 
Risks Affecting Us
 
Our business is subject to numerous risks. These risks represent challenges to the successful implementation of our strategy and to the growth and future profitability of our business. Some of these risks are:
 
  •  we have a limited operating history and have incurred significant losses since inception, including losses from operations of $16.8 million in fiscal 2006 and $0.3 million in fiscal 2007, and as of October 31, 2007, we had an accumulated deficit of $48.0 million;
 
  •  our quarterly operating results are likely to vary significantly and be unpredictable, in part because of the length and unpredictability of our sales cycle, as well as the purchasing and budgeting practices of our customers;
 
  •  if we are unsuccessful in managing and further developing our distribution channels, our revenues could decline and our growth prospects could suffer;
 
  •  our sales are concentrated in our ESM platform, we have limited experience with the sale, manufacture, delivery, service and support for our appliance products, and we may be unable to successfully develop new products, make enhancements to our existing products or expand our offerings into new markets; and
 
  •  the market in which we operate is highly competitive, and many of our established competitors have significantly greater resources than we do and have other potential advantages; our customers may also choose to develop their own customized solutions rather than purchase products such as ours.
 
For further discussion of these and other risks you should consider before making an investment in our common stock, see “Risk Factors” immediately following the prospectus summary.


3


Table of Contents

Corporate Information
 
We were incorporated in Delaware on May 3, 2000 as Wahoo Technologies, Inc. On March 30, 2001, we changed our name to ArcSight, Inc. Our principal executive offices are located at 5 Results Way, Cupertino, California 95014, and our telephone number is (408) 864-2600. Our website address is www.arcsight.com. The information on, or that can be accessed through, our website is not part of this prospectus.
 
Except where the context requires otherwise, in this prospectus “Company,” “ArcSight,” “Registrant,” “we,” “us” and “our” refer to ArcSight, Inc., and where appropriate, its subsidiaries.
 
“ArcSight” and the ArcSight logo are registered trademarks of ArcSight in the United States and in some other countries. Where not registered, these marks and “ArcSight Console,” “ArcSight Manager,” “ArcSight Web,” “FlexConnector,” “Logger,” “NCM” “SmartConnector” and “TRM” are trademarks of ArcSight. Other service marks, trademarks and tradenames referred to in this prospectus are the property of their respective owners.
 
THE OFFERING
 
Shares of common stock offered by us
           shares
 
Shares of common stock offered by the selling stockholders
           shares
 
Shares of common stock to be outstanding after this offering
           shares
 
Use of proceeds
We plan to use the net proceeds of this offering for general corporate purposes, including working capital and potential acquisitions. We will not receive any of the proceeds from the sale of shares of common stock by the selling stockholders. See “Use of Proceeds” and “Principal and Selling Stockholders.”
 
NASDAQ Global Market Symbol
“ARST”
 
The number of shares of common stock that will be outstanding after this offering is based on 24,941,023 shares of our common stock outstanding as of October 31, 2007, and excludes:
 
  •  6,285,556 shares of common stock issuable upon the exercise of options outstanding as of October 31, 2007, at a weighted-average exercise price of approximately $5.06 per share;
 
  •  no shares of common stock issuable upon the exercise of options granted after October 31, 2007;
 
  •  19,206 shares of common stock issuable upon exercise of warrants outstanding as of October 31, 2007, including a warrant to purchase 6,296 shares of common stock and warrants to purchase an aggregate of 12,910 shares of convertible preferred stock that will convert into warrants to purchase the same number of shares of common stock upon completion of this offering, at a weighted-average exercise price of approximately $0.001338 per share;
 
  •  4,000,000 shares of common stock reserved for future issuance under our 2007 Equity Incentive Plan, which will become effective on the first day that our common stock is publicly traded and contains provisions that will automatically increase its share reserve each year, as more fully described in “Management—Employee Benefit Plans”; and
 
  •  1,000,000 shares of common stock reserved for future issuance under our 2007 Employee Stock Purchase Plan, which will be become effective on the first day that our common stock is publicly traded and contains provisions that will automatically increase its share reserve each year, as more fully described in “Management—Employee Benefit Plans.”


4


Table of Contents

 
Unless otherwise indicated, all information in this prospectus assumes:
 
  •  the conversion of all outstanding shares of our convertible preferred stock into 13,987,540 shares of common stock effective upon the closing of this offering;
 
  •  the conversion of all outstanding warrants to purchase shares of our convertible preferred stock into warrants to purchase an aggregate of 12,910 shares of common stock effective upon closing of this offering; and
 
  •  no exercise by the underwriters of their right to purchase up to an additional           shares of common stock, including           shares offered by us and           shares offered by the selling stockholders, to cover over-allotments.


5


Table of Contents

SUMMARY OF CONSOLIDATED FINANCIAL DATA
 
The following table summarizes our consolidated financial data. We have derived the following summary of our consolidated statements of operations data for the fiscal years ended April 30, 2005, 2006 and 2007 and the six months ended October 31, 2006 and 2007, and the consolidated balance sheet data as of October 31, 2007, from our consolidated financial statements appearing elsewhere in this prospectus. Our historic results are not necessarily indicative of the results that may be expected in the future. The summary of our financial data set forth below should be read together with our consolidated financial statements and the section entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” appearing elsewhere in this prospectus. The pro forma balance sheet data give effect to the conversion of all outstanding shares of convertible preferred stock into common stock effective upon the closing of this offering, and the pro forma as adjusted balance sheet data also reflect the sale by us of           shares of our common stock in this offering at an assumed initial public offering price of $      per share, the midpoint of the range reflected on the cover page on this prospectus, after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us.
 
                                         
          Six Months
 
    Fiscal Year Ended April 30,     Ended October 31,  
    2005     2006     2007     2006     2007  
    (in thousands, except per share data)  
                      (unaudited)  
 
Consolidated Statements of Operations Data:
                                       
Revenues
  $  32,822     $ 39,435     $  69,833     $ 27,719     $ 44,498  
Cost of revenues(1)
    4,494       6,796       9,588       4,583       6,881  
                                         
Gross profit
    28,328       32,639       60,245       23,136       37,617  
                                         
Operating expenses(1):
                                       
Research and development
    7,583       12,154       14,535       6,933       9,107  
Sales and marketing
    14,647       24,309       36,587       15,463       24,607  
General and administrative
    8,725       12,978       9,453       3,861       6,988  
                                         
Total operating expenses
    30,955       49,441       60,575       26,257       40,702  
                                         
Loss from operations
    (2,627 )     (16,802 )     (330 )     (3,121 )     (3,085 )
Other income (expense), net
    (49 )     219       462       184       40  
                                         
Income (loss) before provision for income taxes
    (2,676 )     (16,583 )     132       (2,937 )     (3,045 )
Provision for income taxes
    137       163       389       195       257  
                                         
Net loss
  $ (2,813 )   $ (16,746 )   $ (257 )     (3,132 )     (3,302 )
                                         
Net loss per common share, basic and diluted
  $ (0.46 )   $ (2.24 )   $ (0.03 )   $ (0.32 )   $ (0.31 )
                                         
Shares used in computing basic and diluted net loss per common share
    6,162       7,469       10,042       9,882       10,504  
                                         
Pro forma net loss per common share, basic and diluted (unaudited)
                  $ (0.01 )           $ (0.13 )
                                         
Shares used in computing pro forma basic and diluted net loss per common share (unaudited)
                    24,026               24,492  
                                         
 
(1) Includes stock-based compensation expense as follows:
 
                               
Cost of maintenance revenues
  $ 4   $ 5   $ 3   $ 1   $ 38
Cost of services revenues
    3     5     14     4     46
Research and development
     1,642      1,950      501      222      647
Sales and marketing
    746     210       661     95     1,141
General and administrative
      4,838       5,948     350     172     261
                               
Total stock-based compensation expense
  $ 7,233   $ 8,118   $ 1,529   $ 494   $ 2,133
                               
 
Revenues in fiscal 2006 and prior years excluded revenues related to multiple element sales transactions consummated in that year that were deferred because we did not have vendor-specific objective evidence of fair value, or VSOE, for some product elements that were not delivered in the fiscal year of the transaction. In fiscal 2007, we either delivered such product elements, or we and our customers amended the contractual terms of these sales transactions to remove the undelivered product elements. Fiscal 2007 revenues included a substantial portion


6


Table of Contents

of the revenues so deferred from fiscal 2006, as well as a small amount of revenues similarly deferred from prior years. See “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Sources of Revenues, Cost of Revenues and Operating Expenses” for additional details, including the net amounts involved. We expect that in future periods the comparison of revenues period-to-period will not be favorably impacted to the same extent by similar transactions consummated in fiscal 2007 and prior periods.
 
                         
    As of October 31, 2007  
                Pro Forma
 
    Actual     Pro Forma     As Adjusted(1)  
    (unaudited, in thousands)  
 
Consolidated Balance Sheet Data:
                       
Cash and cash equivalents
  $ 15,869     $ 15,869     $          
Working capital (deficit)
    (8,478 )     (8,478 )        
Total assets
    52,513       52,513          
Current and long-term debt
                 
Convertible preferred stock
    26,758              
Total stockholders’ equity
  $ 4,592     $ 4,592     $  
 
(1) A $1.00 increase (decrease) in the assumed public offering price of $      per share would increase (decrease) each of cash and cash equivalents, working capital, total assets and total stockholders’ equity by $   million, assuming that the number of shares offered by us, as set forth on the cover page of this prospectus, remains the same, and after deducting estimated underwriting discounts and commissions and estimated offering expenses payable by us. The pro forma information discussed above is illustrative only and following the closing of this offering will be adjusted based on the actual public offering price and other terms of this offering determined at pricing. If the underwriters’ option to purchase additional shares to cover over allotments is exercised in full, the pro forma as adjusted amount of each of cash and cash equivalents, working capital, total assets and total stockholders’ equity would increase by approximately $   million.


7


Table of Contents

 
RISK FACTORS
 
Investing in our common stock involves a high degree of risk. You should consider carefully the risks and uncertainties described below, together with all of the other information in this prospectus, including the consolidated financial statements and the related notes appearing at the end of this prospectus, before deciding to invest in shares of our common stock. If any of the following risks occurs, our business, financial condition, results of operations and future prospects could be materially and adversely affected. In that event, the market price of our common stock could decline and you could lose part or even all of your investment.
 
Risk Related to Our Business and Industry
 
We have a limited operating history in an emerging market and a history of losses, and we are unable to predict the extent of any future losses or when, if ever, we will achieve profitability in the future.
 
We launched our ESM products in January 2002, our TRM and NCM products in June 2006 and our Logger product in December 2006. Because we have a limited operating history, and the market for our products is rapidly evolving, it is difficult for us to predict our operating results and the ultimate size of the market for our products. We have a history of losses from operations, incurring losses from operations of $16.8 million and $0.3 million for the fiscal years ended April 30, 2006 and 2007, respectively. As of October 31, 2007, our accumulated deficit was $48.0 million. We expect our operating expenses to increase over the next several years as we hire additional sales and marketing personnel, expand our channel sales program and develop our technology and new products. In addition, as a public company, we will incur significant legal, accounting and other expenses that we did not incur as a private company. If our revenues do not increase to offset these expected increases in operating expenses, we will continue to incur significant losses and will not become profitable. Our historical revenue growth has been inconsistent, reflects fluctuations not related to performance and should not be considered indicative of our future performance. See “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Sources of Revenue, Cost of Revenues and Operating Expenses.” Further, in future periods, our revenues could decline and, accordingly, we may not be able to achieve profitability and our losses may increase. Even if we do achieve profitability, we may not be able to sustain or increase profitability on a consistent basis, which may result in a decline in our common stock price.
 
Our future operating results may fluctuate significantly and may not be a good indication of our future performance.
 
Our revenues and operating results could vary significantly from period to period as a result of a variety of factors, many of which are outside of our control. As a result, comparing our revenues and operating results on a period-to-period basis may not be meaningful, and you should not rely on our past results as an indication of our future performance. For example, revenues in fiscal 2006 and prior years excluded revenues related to multiple element sales transactions consummated in that year that were deferred because we did not have vendor-specific objective evidence of fair value, or VSOE, for some product elements that were not delivered in the fiscal year of the transaction. In fiscal 2007, we either delivered these product elements, or we and our customers amended the contractual terms of these sales transactions to remove the undelivered product elements. Fiscal 2007 revenues included a substantial portion of the revenues so deferred from fiscal 2006, as well as a small amount of revenues similarly deferred from prior years. See “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Sources of Revenues, Cost of Revenues and Operating Expenses.” We expect that in future periods the comparison of revenues period-to-period will not be favorably impacted to the same extent by similar transactions consummated in fiscal 2007 and prior periods. We may not be able to accurately predict our future revenues or results of operations. We base our current and future expense levels on our operating plans and sales forecasts, and our operating costs are relatively fixed in the short term. As a result, we may not be able to reduce our costs sufficiently to compensate for an unexpected shortfall in revenues, and even a small shortfall in revenues could disproportionately and adversely affect financial results for that quarter. In addition, we recognize revenues from sales to some customers or resellers when cash is received, which may be delayed because of changes or issues with those customers or resellers. If our revenues or operating results fall below the expectations of investors or any securities analysts that may choose to cover our stock, the price of our common stock could decline substantially.


8


Table of Contents

In addition to other risk factors listed in this section, factors that may affect our operating results include:
 
  •  the timing of our sales during the quarter, particularly since a substantial majority of our sales occurs in the last few weeks of the quarter and loss or delay of a few large contracts may have a significant adverse impact on our operating results;
 
  •  changes in the mix of revenues attributable to higher-margin revenues from ESM products as opposed to lower-margin revenues from sales of our appliance products;
 
  •  changes in the renewal rate of maintenance agreements;
 
  •  our ability to estimate warranty claims accurately;
 
  •  the timing of satisfying revenue recognition criteria, including establishing VSOE for new products and maintaining VSOE for maintenance and services;
 
  •  the budgeting, procurement and work cycles of our customers, including customers in the public sector, which may cause seasonal variation as our business and the market for security and compliance management software solutions matures; and
 
  •  general economic conditions, both domestically and in our foreign markets.
 
Our sales cycle is long and unpredictable, and our sales efforts require considerable time and expense. As a result, our revenues are difficult to predict and may vary substantially from quarter to quarter, which may cause our operating results to fluctuate.
 
Our operating results may fluctuate, in part, because of the intensive nature of our sales efforts, the length and variability of the sales cycle of our ESM product and the short-term difficulty in adjusting our operating expenses. Because decisions to purchase products such as our ESM product involve significant capital commitments by customers, potential customers generally have our software evaluated at multiple levels within an organization, each often having specific and conflicting requirements. Enterprise customers make product purchasing decisions based in part on factors not directly related to the features of the products, including but not limited to the customers’ projections of business growth, capital budgets and anticipated cost savings from implementation of the software. As a result of these factors, licensing our software products often requires an extensive sales effort throughout a customer’s organization. In addition, we have limited experience with sales of our TRM, Logger and NCM products. In particular, sales of our TRM and NCM products and to some extent our Logger product involve approvals from different functional areas of an organization than our ESM product. As a result, the sales cycle for these products may be lengthy or may vary significantly. Our sales efforts involve educating our customers, who are often relatively unfamiliar with our products and the value of our products, including their technical capabilities and potential cost savings to the organization. We spend substantial time, effort and money in our sales efforts without any assurance that our efforts will produce any sales.
 
The length of our sales cycle, from initial evaluation to delivery of software, tends to be long and varies substantially from customer to customer. Our sales cycle is typically three to six months but can extend to more than a year for some sales. We typically recognize a substantial majority of our product revenues in the last few weeks of a quarter. It is difficult to predict exactly when, or even if, we will actually make a sale with a potential customer. As a result, large individual sales have, in some cases, occurred in quarters subsequent to those we anticipated, or have not occurred at all. The loss or delay of one or more large product transactions in a quarter could impact our operating results for that quarter and any future quarters into which revenues from that transaction are delayed. As a result of these factors, it is difficult for us to accurately forecast product revenues in any quarter. Because a substantial portion of our expenses are relatively fixed in the short term, our operating results will suffer if revenues fall below our expectations in a particular quarter, which could cause the price of our common stock to decline significantly.
 
If we fail to further develop and manage our distribution channels, our revenues could decline and our growth prospects could suffer.
 
We derive a portion of our revenues from sales of our products and related services through channel partners, such as resellers and systems integrators. In particular, systems integrators are an important source of sales leads for


9


Table of Contents

us in the U.S. public sector, as government agencies often rely on them to meet information technology, or IT, needs. We also use resellers to augment our internal resources in international markets and, to a lesser extent, domestically. We may be required by our U.S. government customers to utilize particular resellers that may not meet our criteria for creditworthiness, and revenues from those resellers may not be recognizable until receipt of payment. We also anticipate that we will derive a substantial portion of our TRM, Logger and NCM sales through channel partners, including parties with which we have not yet developed relationships. We expect that channel sales will represent a substantial portion of our U.S. government and international revenues for the foreseeable future and, we believe, a growing portion of our U.S. commercial revenues. We may be unable to recruit additional channel partners and successfully expand our channel sales program. If we do not successfully execute our strategy to increase channel sales, particularly to further penetrate the mid-market and sell our appliance products, our growth prospects may be materially and adversely affected.
 
Our agreements with our channel partners are generally non-exclusive and many of our channel partners have more established relationships with our competitors. If our channel partners do not effectively market and sell our products, if they choose to place greater emphasis on products of their own or those offered by our competitors, or if they fail to meet the needs of our customers, our ability to grow our business and sell our products may be adversely affected, particularly in the public sector, the mid-market and internationally. Similarly, the loss of a substantial number of our channel partners, which may cease marketing our products and services with limited or no notice and with little or no penalty, and our possible inability to replace them, the failure to recruit additional channel partners, or any reduction or delay in their sales of our products and services or conflicts between channel sales and our direct sales and marketing activities could materially and adversely affect our results of operations. In addition, changes in the proportion of our revenues attributable to sales by channel partners, which are more likely than direct sales to involve collectibility concerns at the time of contract execution and product delivery, may cause our operating results to fluctuate from period to period.
 
We have limited experience with sale, manufacture, delivery, service and support of our TRM, Logger and NCM products, and we may be unable to successfully forecast demand or fulfill orders for these appliance products.
 
We introduced our appliance-based products in fiscal 2007. Prior to that time, we offered only software products and related services, and as a result have limited experience with sales of appliance-based products. Fulfillment of sales of our appliance products involves hardware manufacturing, inventory, import certification and return merchandise authorization processes with which we have limited experience. For example, if we fail to accurately predict demand and maintain insufficient hardware inventory or excess inventory, we may be unable to timely deliver ordered products or may have substantial inventory expense. In addition, if our equipment vendor fails to manufacture our appliance products or fulfill orders in required volumes, in a timely manner, at a sufficient level of quality, or at all, we may be unable to fulfill customer orders and our operating results may fluctuate from period to period. If we underestimate warranty claims for our appliance products, our operating expenses may be higher than we anticipate, which in turn may adversely affect our results of operations. In addition, if we change our hardware configuration or manufacturer, some countries may require us to reinitiate their import certification process. Because our appliance products are new, we have limited experience with warranty claims, resulting in limited ability to forecast warranty expense. If we are unable to successfully perform these functions or develop a relationship with a fulfillment partner that does so for us, our sales, operating results and financial condition may be harmed.
 
Because we derive a substantial majority of our revenues from ArcSight ESM and related products and services, any failure of this product to satisfy customer demands or to achieve increased market acceptance will harm our business, operating results, financial condition and growth prospects.
 
We have derived substantially all of our product revenues from ArcSight ESM and related products. We expect this to continue for the foreseeable future. For example, in fiscal 2007, sales of such products represented 89% of product revenues, with the balance coming from transactions that included both our ESM products and our appliance products or included only appliance products. Prior to fiscal 2007, all of our revenues related to our ESM products. As a result, although we introduced our complementary appliance products in fiscal 2007 to more fully serve the enterprise security and compliance management market, our revenues and operating results will continue


10


Table of Contents

to depend substantially on the demand for our ArcSight ESM product. Demand for ArcSight ESM is affected by a number of factors beyond our control, including the timing of development and release of new products by us and our competitors, technological change, and lower-than-expected growth or a contraction in the worldwide market for enterprise security and compliance management solutions or other risks described in this prospectus. If we are unable to continue to meet customer demands or to achieve more widespread market acceptance of ArcSight ESM, our business, operating results, financial condition and growth prospects will be adversely affected.
 
If we are unable to successfully market our recently introduced products, successfully develop new products, make enhancements to our existing products or expand our offerings into new markets, our business may not grow and our operating results may suffer.
 
We introduced our TRM, Logger and NCM products in fiscal 2007 and are currently developing new versions of these products and our ESM platform, as well as new complementary products. Our growth strategy and future financial performance will depend, in part, on our ability to market and sell these products and to diversify our offerings by successfully developing, timely introducing and gaining customer acceptance of new products.
 
The software in our products is especially complex because it must recognize, effectively interact with and manage a wide variety of devices and applications, and effectively identify and respond to new and increasingly sophisticated security threats and other risks, while not impeding the high network performance demanded by our customers. The typical development cycle for a patch to our ESM software is one to three months, a service pack is four to six months and a new version or major sub-version is 12 to 18 months. Customers and industry analysts expect speedy introduction of software to respond to new threats and risks and to add new functionality, and we may be unable to meet these expectations. Since developing new products or new versions of, or add-ons to, existing products is complex, the timetable for their commercial release is difficult to predict and may vary from our historical experience, which could result in delays in their introduction from anticipated or announced release dates. We may not offer updates as rapidly as new threats affect our customers. If we do not quickly respond to the rapidly changing and rigorous needs of our customers by developing and introducing on a timely basis new and effective products, upgrades and services that can respond adequately to new security threats, our competitive position, business and growth prospects will be harmed.
 
Diversifying our product offerings and expanding into new markets will require significant investment and planning, will bring us more directly into competition with software providers that may be better established or have greater resources than we do, may complicate our relationships with channel and strategic partners and will entail significant risk of failure. Sales of our Logger product and other products that we may develop and market may reduce revenues of our flagship ESM product and our overall margin by offering a subset of features or capabilities at a reduced price with a lower gross margin. Moreover, increased emphasis on the sale of our appliance products, add-on products or new product lines could distract us from sales of our core ArcSight ESM offering, negatively affecting our overall sales. If we fail or delay in diversifying our existing offerings or expanding into new markets, or we are unsuccessful competing in these new markets, our business, operating results and prospects may suffer.
 
If we are not able to maintain and enhance our brand, our business and operating results may be harmed.
 
We believe that maintaining and enhancing our brand identity is critical to our relationships with, and to our ability to attract, new customers and partners. The successful promotion of our brand will depend largely upon our marketing and public relations efforts, our ability to continue to offer high-quality products and services, and our ability to successfully differentiate our products and services from those of our competitors, especially to the extent that our competitors integrate or bundle competitive offerings with a broader array of products and services that they may offer. Our brand promotion activities may not be successful or yield increased revenues. In addition, extension of our brand to products and uses different from our traditional products and services may dilute our brand, particularly if we fail to maintain the quality of our products and services in these new areas. Moreover, it may be difficult to maintain and enhance our brand in connection with sales through channel or strategic partners. The promotion of our brand will require us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive and as we expand into new markets. To the extent that these activities yield increased revenues, these revenues may not offset the expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to


11


Table of Contents

competitors with stronger brands, and we could lose customers and channel partners, all of which would harm our business, operating results and financial condition.
 
In addition, independent industry analysts often provide reviews of our products and services, as well as those of our competitors, and perception of our products in the marketplace may be significantly influenced by these reviews. We have no control over what these industry analysts report, and because industry analysts may influence current and potential customers, our brand could be harmed if they do not provide a positive review of our products and services or view us as a market leader.
 
We face intense competition in our market, especially from larger, better-known companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
 
The market for enterprise security and compliance management, log archiving and response products is intensely competitive, and we expect competition to increase in the future. A significant number of companies have developed, or are developing, products that currently, or in the future are likely to, compete with some or all of our products. We may not compete successfully against our current or potential competitors, especially those with significantly greater financial resources or brand name recognition. Companies competing with us may introduce products that are more competitively priced, have greater performance or functionality or incorporate technological advances that we have not yet developed or implemented.
 
Our competitors include large software companies, software or hardware network infrastructure companies, smaller software companies offering more narrowly focused enterprise security and compliance management, log archiving and response products and small and large companies offering point solutions that compete with components of our platform or individual products offered by us. Existing competitors for a security and compliance management software platform solution such as our ESM platform primarily are specialized, privately-held companies, such as Intellitactics and NetForensics, as well as larger companies such as CA and Symantec, and EMC, IBM and Novell, through their acquisitions of Network Intelligence, Micromuse and Consul, and e-Security, respectively. Competitors for sales of our TRM and NCM products include: privately-held companies that provide network configuration management products, such as Alterpoint and Voyence; larger providers of IT automation software products, such as Opsware, which was recently acquired by Hewlett-Packard; and diversified IT security vendors. Current competitors for sales of our Logger product include specialized, privately-held companies, such as LogLogic and Sensage. In addition to these current competitors, we expect to face competition for our appliance products from existing large, diversified software and hardware companies, from specialized, smaller companies and from new companies that may seek to enter this market.
 
A greater source of competition is represented by the custom efforts undertaken by potential customers to analyze and manage the information produced from their existing devices and applications to identify and remediate threats. Many companies, in particular large corporate enterprises, have developed internally software that is an alternative to our enterprise security and compliance management, log archiving and response products. Wide adoption of our Common Event Format, which we are promoting as a standard for event logs generated by security and other products, may facilitate this internal development. It may also allow our competitors to offer products with a degree of compatibility similar to ours or may facilitate new entrants into our business. New competitors may emerge and rapidly acquire significant market share due to factors such as greater brand name recognition, larger installed customer bases and significantly greater financial, technical, marketing and other resources and experience. If these new competitors are successful, we would lose market share and our revenues would likely decline.
 
Mergers or consolidations among these competitors, or acquisitions of our competitors by large companies, present heightened competitive challenges to our business. For example, in recent years IBM has acquired Internet Security Systems, Inc., Micromuse and Consul, Novell acquired e-Security, EMC acquired Network Intelligence and Hewlett-Packard acquired Opsware. We believe that the trend toward consolidation in our industry will continue. These acquisitions will make these combined entities potentially more formidable competitors to us if their products and offerings are effectively integrated. Continued industry consolidation may impact customers’ perceptions of the viability of smaller or even medium-sized software firms and consequently customers’ willingness to purchase from those firms.


12


Table of Contents

Many of our existing and potential competitors enjoy substantial competitive advantages, such as:
 
  •  greater name recognition and longer operating histories;
 
  •  larger sales and marketing budgets and resources;
 
  •  the capacity to leverage their sales efforts and marketing expenditures across a broader portfolio of products;
 
  •  broader distribution and established relationships with distribution partners;
 
  •  access to larger customer bases;
 
  •  greater customer support;
 
  •  greater resources to make acquisitions;
 
  •  lower labor and development costs; and
 
  •  substantially greater financial, technical and other resources.
 
As a result, they may be able to adapt more quickly and effectively to new or emerging technologies and changing opportunities, standards or customer requirements. In addition, these companies have reduced, and could continue to reduce, the price of their enterprise security and compliance management, log archiving and response products and managed security services, which intensifies pricing pressures within our market.
 
Increased competition could result in fewer customer orders, price reductions, reduced operating margins and loss of market share. Our larger competitors also may be able to provide customers with different or greater capabilities or benefits than we can provide in areas such as technical qualifications, geographic presence, the ability to provide a broader range of services and products, and price. In addition, large competitors may have more extensive relationships within large enterprises, the federal government or foreign governments, which may provide them with an advantage in competing for business with those potential customers. Our ability to compete will depend upon our ability to provide better performance than our competitors at a competitive price. We may be required to make substantial additional investments in research, development, marketing and sales in order to respond to competition, and we cannot assure you that we will be able to compete successfully in the future.
 
We may not be able to compete effectively with companies that integrate or bundle products similar to ours with their other product offerings.
 
Many large, integrated software companies offer suites of products that include software applications for security and compliance management. In addition, hardware vendors, including diversified, global concerns, offer products that address the security and compliance needs of the enterprises and government agencies that comprise our target market. Further, several companies currently sell software products that our customers and potential customers have broadly adopted, which may provide them a substantial advantage when they sell products that perform functions substantially similar to some of our products. Competitors that offer a large array of security or software products may be able to offer products or functionality similar to ours at a more attractive price than we can by integrating or bundling them with their other product offerings. The trend toward consolidation in our industry increases the likelihood of competition based on integration or bundling. Customers may also increasingly seek to consolidate their enterprise-level software purchases with a small number of larger companies that can purport to satisfy a broad range of their requirements. If we are unable to sufficiently differentiate our products from the integrated or bundled products of our competitors, such as by offering enhanced functionality, performance or value, we may see a decrease in demand for those products, which would adversely affect our business, operating results and financial condition. Similarly, if customers seek to concentrate their software purchases in the product portfolios of a few large providers, we may be at a competitive disadvantage.
 
We face risks related to customer outsourcing to managed security service providers.
 
Some of our customers have outsourced the management of their IT departments or the network security operations function to large system integrators or managed security service providers, or MSSPs. If this trend continues, our established customer relationships could be disrupted and our products could be displaced by alternative system and network protection solutions offered by system integrators or MSSPs. Significant product


13


Table of Contents

displacements could impact our revenues and have a negative effect on our business. While to date we have developed a number of successful relationships with MSSPs, they may develop or acquire their own technologies rather than purchasing our products for use in provision of managed security services.
 
Our business depends, in part, on sales to the public sector, and significant changes in the contracting or fiscal policies of the public sector could have a material adverse effect on our business.
 
We derive a portion of our revenues from contracts with federal, state, local and foreign governments and government agencies, and we believe that the success and growth of our business will continue to depend on our successful procurement of government contracts. For example, we have historically derived, and expect to continue to derive, a significant portion of our revenues from sales to agencies of the U.S. federal government, either directly by us or through systems integrators and other resellers. In fiscal 2006 and 2007, we derived 38% and 32% of our revenues, respectively, from contracts with agencies of the U.S. federal government. Accordingly:
 
  •  changes in fiscal or contracting policies or decreases in available government funding;
 
  •  changes in government programs or applicable requirements;
 
  •  the adoption of new laws or regulations or changes to existing laws or regulations;
 
  •  changes in political or social attitudes with respect to security issues;
 
  •  potential delays or changes in the government appropriations process; and
 
  •  delays in the payment of our invoices by government payment offices
 
could cause governments and governmental agencies to delay or refrain from purchasing the products and services that we offer in the future or otherwise have an adverse effect on our business, financial condition and results of operations.
 
Failure to comply with laws or regulations applicable to our business could cause us to lose U.S. government customers or our ability to contract with the U.S. government.
 
We must comply with laws and regulations relating to the formation, administration and performance of U.S. government contracts, which affect how we and our channel partners do business in connection with U.S. federal agencies. These laws and regulations may impose added costs on our business, and failure to comply with these or other applicable regulations and requirements, including non-compliance in the past, could lead to claims for damages from our channel partners, penalties, termination of contracts and suspension or debarment from government contracting for a period of time. Any such damages, penalties, disruption or limitation in our ability to do business with the U.S. federal government could have a material adverse effect on our business, operating results and financial condition.
 
Our government contracts may limit our ability to move development activities overseas, which may impair our ability to optimize our software development costs and compete for non-government contracts.
 
Increasingly, software development is being shifted to lower-cost countries, such as India. However, some contracts with U.S. government agencies require that at least 50% of the components of each of our products be of U.S. origin. Consequently, our ability to optimize our software development by conducting it overseas may be hampered. Some of our competitors do not rely on contracts with the U.S. government to the same degree as we do and may develop software off-shore. If we are unable to develop software as cost-effectively as our competitors, our ability to compete for our non-government customers may be reduced and our customer sales may decline, resulting in decreased revenues.
 
Real or perceived errors, failures or bugs in our products could adversely affect our operating results and growth prospects.
 
Because we offer very complex products, undetected errors, failures or bugs may occur, especially when products are first introduced or when new versions are released. Our products are often installed and used in large-scale computing environments with different operating systems, system management software and equipment and networking configurations, which may cause errors or failures in our products or may expose undetected errors,


14


Table of Contents

failures or bugs in our products. Despite testing by us, errors, failures or bugs may not be found in new products or releases until after commencement of commercial shipments. In the past, we have discovered software errors, failures, and bugs in some of our product offerings after their introduction.
 
In addition, our products could be perceived to be ineffective for a variety of reasons outside of our control. Hackers could circumvent our customers’ security measures, and customers may misuse our products resulting in a security breach or perceived product failure. We provide a top-level enterprise security and compliance management solution that integrates a wide variety of other elements in a customer’s IT and security infrastructure, and we may receive blame for a security breach that was the result of the failure of one of the other elements.
 
Real or perceived errors, failures or bugs in our products could result in negative publicity, loss of or delay in market acceptance of our products, loss of competitive position, or claims by customers for losses sustained by them. In such an event, we may be required, or may choose, for customer relations or other reasons, to expend additional resources in order to help correct the problem. Our product liability insurance may not be adequate. Further, provisions in our license agreements with end users that limit our exposure to liabilities arising from such claims may not be enforceable in some circumstances or may not fully protect us against such claims and related liabilities and costs. Defending a lawsuit, regardless of its merit, could be costly and could limit the amount of time that management has available for day-to-day execution and strategic planning or other matters.
 
Many of our end-user customers use our products in applications that are critical to their businesses and may have a greater sensitivity to defects in our products than to defects in other, less critical, software products. In addition, if an actual or perceived breach of information integrity or availability occurs in one of our end-user customer’s systems, regardless of whether the breach is attributable to our products, the market perception of the effectiveness of our products could be harmed. Alleviating any of these problems could require significant expenditures of our capital and other resources and could cause interruptions, delays or cessation of our product licensing, which could cause us to lose existing or potential customers and could adversely affect our operating results and growth prospects.
 
In addition, because we are a leading provider of enterprise security products and services, “hackers” and others may try to access our data or compromise our systems. If we are the subject of a successful attack, then our reputation in the industry and with current and potential customers may be compromised and our sales and operating results could be adversely affected.
 
Incorrect or improper use of our complex products, our failure to properly train customers on how to utilize our products or our failure to properly provide consulting and implementation services could result in customer dissatisfaction and negatively affect our results of operations and growth prospects.
 
Our ESM, TRM and NCM products are complex and are deployed in a wide variety of network environments. The proper use of our products, particularly our ESM platform, requires training of the end user. If our software products are not used correctly or as intended, inadequate performance may result. For example, among other things, deployment of our ESM platform requires categorization of IT assets and assignment of business or criticality values for each, selection or configuration of one of our pre-packaged rule sets, user interfaces and network utilization parameters, and deployment of connectors for the various devices and applications from which event data are to be collected. Our customers or our professional services personnel may incorrectly implement or use our products. Our products may also be intentionally misused or abused by customers or their employees or third parties who obtain access and use of our products. For example, a person obtaining inappropriate access to our TRM product could use it to shut down network resources or open breaches in network security. Because our customers rely on our product, services and maintenance offerings to manage a wide range of sensitive security, network and compliance functions, the incorrect or improper use of our products, our failure to properly train customers on how to efficiently and effectively use our products or our failure to properly provide consulting and implementation services and maintenance to our customers may result in negative publicity or legal claims against us.
 
In addition, if customer personnel are not well trained in the use of our products, customers may defer the deployment of our products or may not deploy them at all. If there is substantial turnover of the customer personnel


15


Table of Contents

responsible for implementation and use of our ESM products, our product may go unused and our ability to make additional sales may be substantially limited.
 
If we are unable to maintain effective relationships with our technology partners, we may not be able to support the interoperability of our software with a wide variety of security and other products and our business may be harmed.
 
A key feature of ArcSight ESM is that it provides out-of-the-box support for many third-party devices and applications that the customer may use in its business and technology infrastructure. To provide effective interoperability, we work with individual product vendors to develop our SmartConnectors, which allow our ESM platform to interface with these products. In addition, we are promoting the adoption of our Common Event Format as a standard way to format system log events. Some of these technology partners are current or potential competitors of ours. If we are unable to develop and maintain effective relationships with a wide variety of technology partners, if companies adopt more restrictive policies with respect to, or impose unfavorable terms and conditions on, access to their products, or if our Common Event Format is not widely adopted, we may not be able to continue to provide our customers with a high degree of interoperability with their existing IT and business infrastructure, which could reduce our sales and adversely affect our business, operating results and financial condition.
 
Our international sales and operations subject us to additional risks that can adversely affect our operating results.
 
In fiscal 2006 and 2007, we derived 21% and 23% of our revenues, respectively, from customers outside the United States, and we are continuing to expand our international operations as part of our growth strategy. We currently have sales personnel and sales and support operations in Canada, China, Germany, Hong Kong, Japan, Singapore, South Korea and the United Kingdom. Our international operations subject us to a variety of risks, including:
 
  •  increased management, travel, infrastructure and legal compliance costs associated with having multiple international operations;
 
  •  longer payment cycles and difficulties in collecting accounts receivable, especially in emerging markets, and the likelihood that revenues from international resellers and customers may need to be recognized when cash is received, at least until satisfactory payment history has been established;
 
  •  the need to localize our products and licensing programs for international customers;
 
  •  differing regulatory and legal requirements and possible enactment of additional regulations or restrictions on the use, import or export of encryption technologies and our appliance-based products, which could delay or prevent the sale or use of our products in some jurisdictions;
 
  •  reduced protection for intellectual property rights in some countries; and
 
  •  overlapping of different tax regimes.
 
Any of these risks could harm our international operations and reduce our international sales, adversely affecting our business, operating results and financial condition and growth prospects.
 
Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.
 
As we operate and sell internationally, we are subject to the U.S. Foreign Corrupt Practices Act, or the FCPA, and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental customers in countries known to experience corruption, particularly certain emerging countries in East Asia, Eastern Europe and the Middle East, and further expansion of our international selling efforts may involve additional regions, including Africa and South America. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various laws including the FCPA, even


16


Table of Contents

though these parties are not always subject to our control. We have implemented safeguards to discourage these practices by our employees, consultants, sales agents and channel partners. However, our existing safeguards and any future improvements may prove to be less than effective, and our employees, consultants, sales agents or channel partners may engage in conduct for which we might be held responsible. Violations of the FCPA may result in severe criminal or civil sanctions, including suspension or debarment from U.S. government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition.
 
Failure to protect our intellectual property rights could adversely affect our business.
 
Our success depends, in part, on our ability to protect proprietary methods and technologies that we develop under patent and other intellectual property laws of the United States, so that we can prevent others from using our inventions and propriety information. If we fail to protect our intellectual property rights adequately, our competitors might gain access to our technology, and our business might be harmed. In addition, defending our intellectual property rights might entail significant expenses. Any of our patents, copyrights, trademarks or other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. We have two issued patents in the United States, and have 29 patent applications pending, including one provisional application, in the United States, and have three international patent applications and 12 patent applications in foreign countries pending, based on four U.S. patent applications. Our issued patents may not provide us with any competitive advantages or may be challenged by third parties, and our patent applications may never issue at all. Additionally, the process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner. Even if issued, there can be no assurance that these patents will adequately protect our intellectual property, as the legal standards relating to the validity, enforceability and scope of protection of patent and other intellectual property rights are uncertain.
 
Any patents that are issued may subsequently be invalidated or otherwise limited, enabling other companies to better develop products that compete with ours, which could adversely affect our competitive business position, business prospects and financial condition. In addition, issuance of a patent does not guarantee that we have a right to practice the patented invention. Patent applications in the U.S. are typically not published until 18 months after filing, or in some cases not at all, and publications of discoveries in industry-related literature lag behind actual discoveries. We cannot be certain that we were the first to make the inventions claimed in our issued patents or pending patent applications or otherwise used in our products, that we were the first to file for protection in our patent applications, or that third parties do not have blocking patents that could be used to prevent us from marketing or practicing our patented products or technology. Effective patent, trademark, copyright and trade secret protection may not be available to us in every country in which our products and services are available. The laws of some foreign countries may not be as protective of intellectual property rights as those in the United States, and mechanisms for enforcement of intellectual property rights may be inadequate. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our intellectual property.
 
We might be required to spend significant resources to monitor and protect our intellectual property rights. We may initiate claims or litigation against third parties for infringement of our proprietary rights or to establish the validity of our proprietary rights. Any litigation, whether or not it is resolved in our favor, could result in significant expense to us and divert the efforts of our technical and management personnel, which may adversely affect our business, operating results and financial condition.
 
Confidentiality agreements with employees and others may not adequately prevent disclosure of trade secrets and other proprietary information.
 
In order to protect our proprietary technology, processes and methods, we rely in part on confidentiality agreements with our corporate partners, employees, consultants, advisors and others. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, others may independently discover trade secrets and proprietary information, and in these cases we would not be able to assert any trade secret rights against those parties. Costly and time-consuming litigation could be necessary to enforce and determine the scope of our


17


Table of Contents

proprietary rights, and failure to obtain or maintain trade secret protection could adversely affect our competitive business position.
 
We may in the future be subject to intellectual property rights claims, which are extremely costly to defend, could require us to pay significant damages and could limit our ability to use certain technologies.
 
Companies in the software, networking and technology industries, including some of our current and potential competitors, own large numbers of patents, copyrights, trademarks and trade secrets and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights. In addition, many of these companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them. The litigation may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our potential patents may provide little or no deterrence. We have received, and may in the future receive, notices that claim we have misappropriated or misused other parties’ intellectual property rights, and, to the extent we gain greater visibility, we face a higher risk of being the subject of intellectual property infringement claims, which is not uncommon with respect to software technologies in general and network security technology in particular. There may be third-party intellectual property rights, including issued or pending patents, that cover significant aspects of our technologies or business methods. Any intellectual property claims, with or without merit, could be very time-consuming, could be expensive to settle or litigate and could divert our management’s attention and other resources. These claims could also subject us to significant liability for damages, potentially including treble damages if we are found to have willfully infringed patents or copyrights. These claims could also result in our having to stop using technology found to be in violation of a third party’s rights. We might be required to seek a license for the intellectual property, which may not be available on reasonable terms or at all. Even if a license were available, we could be required to pay significant royalties, which would increase our operating expenses. As a result, we may be required to develop alternative non-infringing technology, which could require significant effort and expense. If we cannot license or develop technology for any infringing aspect of our business, we would be forced to limit or stop sales of one or more of our products or product features and may be unable to compete effectively. Any of these results would harm our business, operating results and financial condition.
 
We rely on software licensed from other parties, the loss of which could increase our costs and delay software shipments.
 
We utilize various types of software licensed from unaffiliated third parties in order to provide certain elements of our product offering. For example, we license database software from Oracle that we integrate with our ESM product. Our agreement with Oracle permits us to distribute Oracle software in our products to our customers and partners worldwide through May 2009. See “Business—Intellectual Property—Oracle License Agreement.” Any errors or defects in this third-party software could result in errors that could harm our business. In addition, licensed software may not continue to be available on commercially reasonable terms, or at all. While we believe that there are currently adequate replacements for third-party software, any loss of the right to use any of this software could result in delays in producing or delivering our software until equivalent technology is identified and integrated, which could harm our business. Our business would be disrupted if any of the software we license from others or functional equivalents of this software were either no longer available to us or no longer offered to us on commercially reasonable terms. In either case, we would be required to either redesign our products to function with software available from other parties or to develop these components ourselves, which would result in increased costs and could result in delays in our product shipments and the release of new product offerings. Furthermore, we might be forced to limit the features available in our current or future products. If we fail to maintain or renegotiate any of these software licenses, we could face significant delays and diversion of resources in attempting to license and integrate a functional equivalent of the software.
 
Some of our products contain “open source” software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business.
 
Certain of our products are distributed with software licensed by its authors or other third parties under “open source” licenses. Some of these licenses contain requirements that we make available source code for modifications or derivative works we create based upon the open source software, and that we license these modifications or derivative works under the terms of a particular open source license or other license granting third parties certain


18


Table of Contents

rights of further use. If we combine our proprietary software with open source software in a certain manner, we could, under certain of the open source licenses, be required to release the source code of our proprietary software. In addition to risks related to license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on origin of the software. We have established processes to help alleviate these risks, including a review process for screening requests from our development organization for the use of open source, and we plan to implement the use of software tools to review our source code for potential inclusion of open source, but we cannot be sure that all open source is submitted for approval prior to use in our products or that such software tools will be effective. In addition, open source license terms may be ambiguous and many of the risks associated with usage of open source cannot be eliminated, and could, if not properly addressed, negatively affect our business. If we were found to have inappropriately used open source software, we may be required to re-engineer our products, to release proprietary source code, to discontinue the sale of our products in the event re-engineering could not be accomplished on a timely basis or to take other remedial action that may divert resources away from our development efforts, any of which could adversely affect our business, operating results and financial condition.
 
Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
 
Our agreements with customers and channel partners include indemnification provisions, under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement and, in some cases, for damages caused by us to property or persons. The term of these indemnity provisions is generally perpetual after execution of the corresponding product sale agreement. Large indemnity payments could harm our business, operating results and financial condition.
 
Changes or reforms in the law or regulatory landscape could diminish the demand for our solutions, and could have a negative impact on our business.
 
One factor that drives demand for our products and services is the legal and regulatory framework in which our customers operate. Laws and regulations are subject to drastic changes, and these could either help or hurt the demand for our products. Thus, some changes in the law and regulatory landscape, such as legislative reforms that limit corporate compliance obligations, could significantly harm our business.
 
If we are unable to attract and retain personnel, our business would be harmed.
 
We depend on the continued contributions of our senior management and other key personnel, in particular Robert Shaw and Hugh Njemanze, the loss of whom could harm our business. All of our executive officers and key employees are at-will employees, which means they may terminate their employment relationship with us at any time. We do not maintain a key-person life insurance policy on any of our officers or other employees.
 
Our future success also depends on our ability to identify, attract and retain highly skilled technical, managerial, finance and other personnel, particularly in our sales and marketing, research and development and professional service departments. We face intense competition for qualified individuals from numerous security, software and other technology companies. In addition, competition for qualified personnel is particularly intense in the San Francisco Bay Area, where our headquarters are located. Often, significant amounts of time and resources are required to train technical, sales and other personnel. Qualified individuals are in high demand. We may incur significant costs to attract and retain them, and we may lose new employees to our competitors or other technology companies before we realize the benefit of our investment in recruiting and training them. We may be unable to attract and retain suitably qualified individuals who are capable of meeting our growing technical, operational and managerial requirements, on a timely basis or at all, and we may be required to pay increased compensation in order to do so. If we are unable to attract and retain the qualified personnel we need to succeed, our business would suffer.
 
Volatility or lack of performance in our stock price may also affect our ability to attract and retain our key employees. Many of our senior management personnel and other key employees have become, or will soon become, vested in a substantial amount of stock or stock options. Employees may be more likely to leave us if the shares they own or the shares underlying their vested options have significantly appreciated in value relative to the original purchase prices of the shares or the exercise prices of the options, or if the exercise prices of the options that they


19


Table of Contents

hold are significantly above the market price of our common stock. If we are unable to retain our employees, our business, operating results and financial condition would be harmed.
 
If we fail to manage future growth effectively, our business would be harmed.
 
We operate in an emerging market and have experienced, and may continue to experience, significant expansion of our operations. In particular, we grew from 204 employees as of April 30, 2006 to 308 employees as of October 31, 2007. This growth has placed, and will continue to place, a strain on our employees, management systems and other resources. Managing our growth will require significant expenditures and allocation of valuable management resources. If we fail to achieve the necessary level of efficiency in our organization as it grows, our business, operating results and financial condition would be harmed.
 
Future acquisitions could disrupt our business and harm our financial condition and results of operations.
 
We completed the acquisition of substantially all of the assets of Enira Technologies, LLC in June 2006, and may pursue additional acquisitions in the future, any of which could be material to our business, operating results and financial condition. Our ability as an organization to successfully acquire and integrate technologies or businesses on a larger scale is unproven. Acquisitions involve many risks, including the following:
 
  •  an acquisition may negatively impact our results of operations because it may require us to incur charges and substantial debt or liabilities, may cause adverse tax consequences, substantial depreciation or deferred compensation charges, may result in acquired in-process research and development expenses or in the future may require the amortization, write-down or impairment of amounts related to deferred compensation, goodwill and other intangible assets, or may not generate sufficient financial return to offset acquisition costs;
 
  •  we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire, particularly if key personnel of the acquired company decide not to work for us;
 
  •  an acquisition may disrupt our ongoing business, divert resources, increase our expenses and distract our management;
 
  •  an acquisition may result in a delay or reduction of customer purchases for both us and the company acquired due to customer uncertainty about continuity and effectiveness of service from either company; and
 
  •  an acquisition may involve the entry into geographic or business markets in which we have little or no prior experience.
 
Establishing, maintaining and improving our financial controls and the requirements of being a public company may strain our resources and divert management’s attention, and if we fail to establish and maintain proper internal controls, our ability to produce accurate financial statements or comply with applicable regulations could be impaired.
 
As a public company, we will be subject to the reporting requirements of the Securities Exchange Act of 1934, or the Exchange Act, the Sarbanes-Oxley Act of 2002, or the Sarbanes-Oxley Act, and the rules and regulations of The NASDAQ Stock Market. The requirements of these rules and regulations will increase our legal, accounting and financial compliance costs, will make some activities more difficult, time-consuming and costly and may also place undue strain on our personnel, systems and resources.
 
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. Given our history of material weaknesses, achieving and maintaining effective controls may be particularly challenging for us. See “—A material weakness in our internal control over financial reporting was identified during the audit of our most recent annual financial statements that, if not remediated, could affect our ability to prepare timely and accurate financial reports, which could cause investors to lose confidence in our reported financial information and have a negative effect on the trading price of our stock.”
 
While we are in the process of remediating the material weakness identified during the audit of our fiscal 2007 financial statements, we cannot estimate how long it will take to reach a determination that our internal control over


20


Table of Contents

financial reporting is effective. Further, we are in the early stages of developing our disclosure controls and procedures – the controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we file with the Securities and Exchange Commission, or SEC, is recorded, processed, summarized and reported within the time periods specified in SEC’s rules and forms. Even if we develop effective controls, these new controls and our currently effective controls may become inadequate because of changes in conditions, and the degree of compliance with the policies or procedures may deteriorate. Further, additional weaknesses in our internal controls may be discovered in the future. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our prior period financial statements. Any failure to implement and maintain effective internal controls also could adversely affect the results of periodic management evaluations and annual auditor attestation reports regarding the effectiveness of our internal control over financial reporting that we will be required to include in our periodic reports filed with the SEC beginning for our fiscal year ending April 30, 2009 under Section 404 of the Sarbanes-Oxley Act. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock.
 
In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we will need to expend significant resources and provide significant management oversight. We have a substantial effort ahead of us to implement appropriate processes, document our system of internal control over relevant processes, assess their design, remediate any deficiencies identified and test their operation. As a result, management’s attention may be diverted from other business concerns, which could harm our business, operating results and financial condition. These efforts will also involve substantial accounting-related costs. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on The NASDAQ Global Market.
 
Implementing any appropriate changes to our internal controls may require specific compliance training of our directors, officers and employees, entail substantial costs in order to modify our existing accounting systems, and take a significant period of time to complete. These changes may not, however, be effective in maintaining the adequacy of our internal controls, and any failure to maintain that adequacy, or consequent inability to produce accurate financial statements on a timely basis, could increase our operating costs and could materially impair our ability to operate our business. In the event that we are not able to demonstrate compliance with Section 404 of the Sarbanes-Oxley Act in a timely manner, that our internal controls are perceived as inadequate or that we are unable to produce timely or accurate financial statements, investors may lose confidence in our operating results and our stock price could decline.
 
We also have not yet implemented a complete disaster recovery plan or business continuity plan for our accounting and related information technology systems. Any disaster could therefore materially impair our ability to maintain timely accounting and reporting.
 
The Sarbanes-Oxley Act and the rules and regulations of The NASDAQ Stock Market will make it more difficult and more expensive for us to maintain directors’ and officers’ liability insurance, and we may be required to accept reduced coverage or incur substantially higher costs to maintain or increase coverage. If we are unable to maintain adequate directors’ and officers’ insurance, our ability to recruit and retain qualified directors, especially those directors who may be considered independent for purposes of The NASDAQ Stock Market rules, and officers may be curtailed.
 
A material weakness in our internal control over financial reporting was identified during the audit of our most recent annual financial statements that, if not remediated, could affect our ability to prepare timely and accurate financial reports, which could cause investors to lose confidence in our reported financial information and have a negative effect on the trading price of our stock.
 
Effective internal control over financial reporting is necessary for us to provide reliable financial reports, to prevent fraud and to operate successfully as a public company. If we cannot provide reliable financial reports or prevent fraud, our operating results may be misstated and our reputation may be harmed.


21


Table of Contents

During the audit of our financial statements for fiscal 2004, 2005, 2006 and 2007, “material weaknesses” in our internal control over financial reporting were identified, and, in the future, we may identify additional material weaknesses or other areas of our internal control over financial reporting that need improvement. The material weakness identified in connection with the preparation of our financial statements for fiscal 2007 relates to internal review, primarily due to failure of the review process of accounting computations and reconciliations prepared by third parties as part of the preparation of our fiscal 2007 financial statements. This weakness led to four adjustments to our financial statements. The largest such adjustment resulted from a failure to detect an overstatement of stock-based compensation expense of $0.3 million under Statement of Financial Accounting Standards No. 123(R), Share Based Payment, in calculations prepared by a third-party service provider.
 
We are in the process of remediating the material weakness identified during the audit of our fiscal 2007 financial statements, but have not yet been able to complete our remediation efforts. See “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Internal Control Over Financial Reporting.” It will take additional time to design, implement and test the controls and procedures required to enable our management to conclude that our disclosure controls and our internal control over financial reporting are effective. We cannot at this time estimate how long it will take to complete our remediation efforts. In addition, we cannot assure you that additional material weaknesses in our internal control over financial reporting will not be identified in the future. Any failure to remediate the material weakness that has been identified or to implement and maintain effective disclosure controls and internal control over financial reporting could cause us to fail to meet our reporting obligations or result in material misstatements in our financial statements.
 
We may not be able to utilize a significant portion of our net operating loss carry-forwards, which could adversely affect our operating results.
 
Due to prior period losses, we have generated significant federal and state net operating loss carry-forwards, which expire beginning in fiscal 2021 and fiscal 2013, respectively. U.S. federal and state income tax laws limit the amount of these carry-forwards we can utilize upon a greater than 50% cumulative shift of stock ownership over a three-year period, including shifts due to the issuance of additional shares of our common stock, or securities convertible into our common stock. We have previously experienced a greater than 50% shift in our stock ownership, which has limited our ability to use a portion of our net operating loss carry-forwards, and we may experience subsequent shifts in our stock ownership. Accordingly, there is a risk that our ability to use our existing carry-forwards in the future could be further limited and that existing carry-forwards would be unavailable to offset future income tax liabilities, which would adversely affect our operating results.
 
Governmental export or import controls could subject us to liability or limit our ability to compete in foreign markets.
 
Our products incorporate encryption technology and may be exported outside the U.S. only if we obtain an export license or qualify for an export license exception. Compliance with applicable regulatory requirements regarding the export of our products, including with respect to new releases of our products, may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products throughout their global systems or, in some cases, prevent the export of our products to some countries altogether. In addition, various countries regulate the import of our appliance-based products and have enacted laws that could limit our ability to distribute products or could limit our customers’ ability to implement our products in those countries. Any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our products by existing customers with international operations, declining adoption of our products by new customers with international operations and decreased revenues. If we fail to comply with export and import regulations, we may be denied export privileges, be subjected to fines or other penalties and our products may be denied entry into other countries.


22


Table of Contents

Risks Related to this Offering and Ownership of Our Common Stock
 
There has been no prior market for our common stock, our stock price may be volatile or may decline regardless of our operating performance, and you may not be able to resell your shares at or above the initial public offering price.
 
There has been no public market for our common stock prior to this offering. The initial public offering price for our common stock will be determined through negotiations between the underwriters and us and may vary from the market price of our common stock following this offering. If you purchase shares of our common stock in this offering, you may not be able to resell those shares at or above the initial public offering price. An active or liquid market in our common stock may not develop upon completion of this offering or, if it does develop, it may not be sustainable. The trading prices of the securities of technology companies have been highly volatile. The market price of our common stock may fluctuate significantly in response to numerous factors, many of which are beyond our control, including:
 
  •  actual or anticipated fluctuations in our operating results;
 
  •  the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections;
 
  •  failure of securities analysts to initiate or maintain coverage of us, changes in financial estimates by any securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
 
  •  ratings changes by any securities analysts who follow our company;
 
  •  announcements by us or our competitors of significant technical innovations, acquisitions, strategic partnerships, joint ventures or capital commitments;
 
  •  changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
 
  •  price and volume fluctuations in the overall stock market, including as a result of trends in the economy as a whole;
 
  •  lawsuits threatened or filed against us; and
 
  •  other events or factors, including those resulting from war, incidents of terrorism or responses to these events.
 
In addition, the stock markets, and in particular The NASDAQ Global Market on which our common stock will be listed, have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many technology companies. Stock prices of many technology companies have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of market volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business and adversely affect our business, operating results and financial condition.
 
A significant portion of our total outstanding shares may be sold into the market in the near future. If there are substantial sales of shares of our common stock, the price of our common stock could decline.
 
The price of our common stock could decline if there are substantial sales of our common stock, particularly sales by our directors, executive officers and significant stockholders, or if there is a large number of shares of our common stock available for sale. After this offering, we will have outstanding           shares of our common stock, based on the number of shares outstanding as of October 31, 2007. This includes the shares that we and the selling stockholders are selling in this offering, which may be resold in the public market immediately. The


23


Table of Contents

remaining           shares, or     % of our outstanding shares after this offering, are currently restricted as a result of market standoff and/or lock-up agreements but will be able to be sold in the near future as set forth below.
 
     
Date Available for Sale
  Number of Shares and
into Public Market   % of Total Outstanding
 
Immediately after the date of this prospectus
  No shares, or 0%
181 days after the date of this prospectus                shares, or     %, of which             shares, or     %, will be subject to limitations under Rules 144 and 701
 
After this offering, the holders of an aggregate of 12,293,531 shares of our common stock and shares subject to warrants to purchase our common stock outstanding as of October 31, 2007 will have rights, subject to some conditions, to require us to file registration statements covering their shares or to include their shares in registration statements that we may file for ourselves or our stockholders. All of these shares are subject to market standoff and/or lock-up agreements restricting their sale for 180 days after the date of this prospectus. We also intend to register shares of common stock that we have issued and may issue under our employee equity incentive plans. Once we register these shares, they will be able to be sold freely in the public market upon issuance, subject to existing market standoff and/or lock-up agreements. Morgan Stanley & Co. Incorporated may, in its sole discretion, permit our officers, directors, employees and current stockholders who are subject to the 180-day contractual lock-up to sell shares prior to the expiration of the lock-up agreements. The 180-day lock-up period is subject to extension in some circumstances.
 
The market price of the shares of our common stock could decline as a result of sales of a substantial number of our shares in the public market or the perception in the market that the holders of a large number of shares intend to sell their shares.
 
We have broad discretion in the use of the net proceeds from this offering and may not use them effectively.
 
We cannot specify with any certainty the particular uses of the net proceeds that we will receive from this offering. Our management will have broad discretion in the application of the net proceeds, including working capital, possible acquisitions and other general corporate purposes, and we may spend or invest these proceeds in a way with which our stockholders disagree. The failure by our management to apply these funds effectively could harm our business and financial condition. Pending their use, we may invest the net proceeds from this offering in a manner that does not produce income or that loses value. These investments may not yield a favorable return to our investors.
 
If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about our business, our stock price and trading volume could decline.
 
The trading market for our common stock will depend in part on the research and reports that securities or industry analysts publish about us or our business. We currently do not have and may never obtain research coverage by securities analysts, and industry analysts that currently cover us may cease to do so. If no securities analysts commence coverage of our company, or if industry analysts cease coverage of our company, the trading price for our stock would be negatively impacted. In the event we obtain securities analyst coverage, if one or more of the analysts who cover us downgrade our stock or publish inaccurate or unfavorable research about our business, our stock price would likely decline. If one or more of these analysts cease coverage of our company or fail to publish reports on us regularly, demand for our stock could decrease, which might cause our stock price and trading volume to decline.
 
Our directors, executive officers and principal stockholders will continue to have substantial control over us after this offering and could delay or prevent a change in corporate control.
 
After this offering, our directors, executive officers and holders of more than 5% of our common stock, together with their affiliates, will beneficially own, in the aggregate,     % of our outstanding common stock. As a result, these stockholders, acting together, would have the ability to control the outcome of matters submitted to our stockholders for approval, including the election of directors and any merger, consolidation or sale of all or substantially all of our assets. In addition, these stockholders, acting together, would have the ability to control the


24


Table of Contents

management and affairs of our company. Accordingly, this concentration of ownership might harm the market price of our common stock by:
 
  •  delaying, deferring or preventing a change in control of us;
 
  •  impeding a merger, consolidation, takeover or other business combination involving us; or
 
  •  discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain control of us.
 
Delaware law and provisions in our amended and restated certificate of incorporation and bylaws could make a merger, tender offer or proxy contest difficult, thereby depressing the trading price of our common stock.
 
We are a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law may discourage, delay or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the person becomes an interested stockholder, even if a change of control would be beneficial to our existing stockholders. In addition, our restated certificate of incorporation and restated bylaws that will become effective immediately following the completion of this offering will contain provisions that may make the acquisition of our company more difficult without the approval of our board of directors, including the following:
 
  •  our board of directors will be classified into three classes of directors with staggered three-year terms;
 
  •  only our chairman of the board, our lead independent director, if any, our chief executive officer, our president or a majority of our board of directors will be authorized to call a special meeting of stockholders;
 
  •  our stockholders will only be able to take action at a meeting of stockholders and not by written consent;
 
  •  vacancies on our board of directors will be able to be filled only by our board of directors and not by stockholders;
 
  •  directors may be removed from office only for cause;
 
  •  our restated certificate of incorporation will authorize undesignated preferred stock, the terms of which may be established, and shares of which may be issued, without stockholder approval; and
 
  •  advance notice procedures will apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.
 
For information regarding these and other provisions, see “Description of Capital Stock.”


25


Table of Contents

 
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS AND INDUSTRY DATA
 
This prospectus includes forward-looking statements. All statements contained in this prospectus other than statements of historical fact, including statements regarding our future results of operations and financial position, our business strategy and plans and our objectives for future operations, are forward-looking statements. The words “believe,” “may,” “will,” “estimate,” “continue,” “anticipate,” “intend” and “expect” and similar expressions are intended to identify forward-looking statements. We have based these forward-looking statements largely on our current expectations and projections about future events and financial trends that we believe may affect our financial condition, results of operations, business strategy, short-term and long-term business operations and objectives, and financial needs. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, including those described in “Risk Factors.” In light of these risks, uncertainties and assumptions, the future events and trends discussed in this prospectus may not occur and actual results could differ materially and adversely from those anticipated or implied in the forward-looking statements.
 
Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee future results, levels of activity, performance or achievements. We are under no duty to update any of these forward-looking statements after the date of this prospectus or to conform these statements to actual results or revised expectations.
 
This prospectus also contains estimates and other information concerning our industry, including market size and growth rates of the markets in which we participate, that are based on industry publications, surveys and forecasts generated by International Data Corporation (IDC) and TheInfoPro (TIP). The industry in which we operate is subject to a high degree of uncertainty and risk due to a variety of factors including those described in “Risk Factors.” These and other factors could cause results to differ materially from those expressed in these publications, surveys and forecasts.


26


Table of Contents

 
USE OF PROCEEDS
 
We estimate that our net proceeds from the sale of the common stock that we are offering will be approximately $      million, assuming an initial public offering price of $      per share (the midpoint of the range listed on the cover page of this prospectus), after deducting estimated underwriting discounts and commissions and estimated offering expenses payable by us. A $1.00 increase (decrease) in the assumed initial public offering price of $      per share would increase (decrease) the net proceeds to us from this offering by $      million, assuming the number of shares offered by us, as set forth on the cover page of this prospectus, remains the same, after deducting estimated underwriting discounts and commissions and estimated offering expenses payable by us. We will not receive any proceeds from the sale of shares of common stock by the selling stockholders. If the underwriters’ option to purchase additional shares to cover over allotments is exercised in full, our net proceeds from this offering would increase by approximately $      million. See “Principal and Selling Stockholders” and “Underwriters.”
 
The principal purposes of this offering are to create a public market for our common stock, obtain additional capital, facilitate our future access to the public equity markets, increase awareness of our company among potential customers and improve our competitive position. We intend to use the net proceeds to us from this offering for working capital and other general corporate purposes. Additionally, we may choose to expand our current business through acquisitions of or investments in other complementary businesses, products or technologies, using cash or shares of our common stock. However, we have no negotiations, agreements or commitments with respect to any such acquisitions or investments at this time.
 
Pending use of proceeds from this offering, we intend to invest the proceeds in a variety of short-term, interest-bearing, investment grade securities. Our management will have broad discretion in the application of the net proceeds from this offering to us, and investors will be relying on the judgment of our management regarding the application of the proceeds.
 
DIVIDEND POLICY
 
We have never declared or paid cash dividends on our capital stock. We currently intend to retain any future earnings and do not expect to declare or pay any dividends in the foreseeable future. Any further determination to pay dividends on our capital stock will be at the discretion of our board of directors and will depend on our financial condition, results of operations, capital requirements and other factors that our board of directors considers relevant.


27


Table of Contents

 
CAPITALIZATION
 
The following table sets forth our cash and cash equivalents and capitalization as of October 31, 2007, as follows:
 
  •  on an actual basis;
 
  •  on a pro forma basis to give effect to the automatic conversion of all outstanding shares of our convertible preferred stock into common stock upon the closing of this offering; and
 
  •  on a pro forma as adjusted basis to give effect to (1) the issuance and sale by us of           shares of common stock in this offering, and the receipt of the net proceeds from our sale of these shares at an assumed initial public offering price of $      per share (the midpoint of the range listed on the cover page of this prospectus), after deducting estimated underwriting discounts and commissions and estimated offering expenses payable by us, (2) the automatic conversion of all outstanding shares of our convertible preferred stock into common stock upon the closing of this offering, and (3) the amendment and restatement of our certificate of incorporation immediately following the completion of this offering.
 
You should read this table in conjunction with the sections titled “Selected Consolidated Financial Data” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes included elsewhere in this prospectus.
 
                         
    As of October 31, 2007  
                Pro Forma
 
    Actual     Pro Forma     As Adjusted(1)  
    (in thousands, except share and per share data)  
    (unaudited)  
 
Cash and cash equivalents
  $ 15,869     $ 15,869     $        
                         
Stockholders’ equity:
                       
Convertible preferred stock, par value $0.00001 per share, 21,601,752 authorized and 13,032,497 shares issued and outstanding (actual); 10,000,000 shares authorized, no shares issued or outstanding, pro forma and pro forma as adjusted
                       
Series A: 3,681,913 shares designated; 3,681,909 shares issued and outstanding; $14,439 aggregate liquidation preference, actual; no shares issued or outstanding, pro forma or pro forma as adjusted
  $ 14,439     $     $  
Series B: 8,419,840 shares designated; 7,416,112 shares issued and outstanding; $9,504 aggregate liquidation preference, actual; no shares issued or outstanding, pro forma or pro forma as adjusted
    9,185              
Series C: 2,000,000 shares designated; 1,934,476 shares issued and outstanding; $2,975 aggregate liquidation preference, actual; no shares issued or outstanding, pro forma or pro forma as adjusted
    3,134              
Common stock, par value $0.00001 per share, 32,500,000 shares authorized, 10,953,483 shares issued and outstanding (actual); 150,000,000 shares authorized, 24,941,023 shares issued and outstanding, pro forma; and           shares issued and outstanding, pro forma as adjusted
                   
Additional paid-in capital
    26,128       52,886          
Deferred stock-based compensation
    (290 )     (290 )     (290 )
Accumulated other comprehensive income
    (4 )     (4 )     (4 )
Accumulated deficit
    (48,000 )     (48,000 )     (48,000 )
                         
Total stockholders’ equity
    4,592       4,592          
                         
Total capitalization
  $ 4,592     $ 4,592     $  
                         
 
(footnote appears on following page)


28


Table of Contents

 
(1) A $1.00 increase (decrease) in the assumed public offering price of $      per share would increase (decrease) each of cash and cash equivalents, additional paid-in capital, total stockholders’ equity and total capitalization by $      million, assuming that the number of shares offered by us, as set forth on the cover page of this prospectus, remains the same, and after deducting estimated underwriting discounts and commissions and estimated offering expenses payable by us. The pro forma information discussed above is illustrative only and following the closing of this offering will be adjusted based on the actual public offering price and other terms of this offering determined at pricing. If the underwriters’ option to purchase additional shares to cover over allotments is exercised in full, the pro forma as adjusted amount of each of cash and cash equivalents, additional paid-in capital, total stockholders’ equity and total capitalization would increase by approximately $      million, and we would have           shares of our common stock issued and outstanding, pro forma as adjusted.
 
The table above excludes the following shares:
 
  •   6,285,556 shares of common stock issuable upon the exercise of options outstanding as of October 31, 2007, at a weighted-average exercise price of approximately $5.06 per share;
 
  •   no shares of common stock issuable upon the exercise of options granted after October 31, 2007;
 
  •   19,206 shares of common stock issuable upon exercise of warrants outstanding as of October 31, 2007, including a warrant to purchase 6,296 shares of common stock and warrants to purchase an aggregate of 12,910 shares of convertible preferred stock that will convert into warrants to purchase the same number of shares of common stock upon completion of this offering, at a weighted-average exercise price of approximately $0.001338 per share;
 
  •   4,000,000 shares of common stock reserved for future issuance under our 2007 Equity Incentive Plan, which will become effective on the first day that our common stock is publicly traded and contains provisions that will automatically increase its share reserve each year, as more fully described in “Management—Employee Benefit Plans”; and
 
  •   1,000,000 shares of common stock reserved for future issuance under our 2007 Employee Stock Purchase Plan, which will become effective on the first day that our common stock is publicly traded and contains provisions that will automatically increase its share reserve each year, as more fully described in “Management—Employee Benefit Plans.”


29


Table of Contents

 
DILUTION
 
If you invest in our common stock, your interest will be diluted to the extent of the difference between the initial public offering price per share of our common stock and the pro forma as adjusted net tangible book value per share of our common stock immediately after this offering.
 
Our pro forma net tangible book value as of October 31, 2007 was $      million, or $      per share of common stock. Our pro forma net tangible book value per share represents the amount of our total tangible assets reduced by the amount of our total liabilities and divided by the total number of shares of our common stock outstanding as of October 31, 2007, after giving effect to the automatic conversion of all outstanding shares of our convertible preferred stock into common stock upon the closing of this offering.
 
After giving effect to our sale in this offering of           shares of common stock at an assumed initial public offering price of $      per share (the midpoint of the range set forth on the cover page of this prospectus), after deducting estimated underwriting discounts and commissions and estimated offering expenses payable by us, our pro forma net tangible book value as of October 31, 2007 would have been approximately $      million, or $      per share of common stock. This represents an immediate increase in pro forma net tangible book value of $      per share to our existing stockholders and an immediate dilution of $      per share to investors purchasing shares in this offering. The following table illustrates this per share dilution:
 
                 
Assumed initial offering price per share
                $          
Pro forma net tangible book value per share as of October 31, 2007
  $                  
Increase in pro forma net tangible book value per share attributable to investors purchasing shares in this offering
                     
                 
Pro forma as adjusted net tangible book value per share after this offering
                     
                 
Dilution in pro forma net tangible book value per share to investors in this offering
          $          
                 
 
If the underwriters exercise their over-allotment option in full, the pro forma net tangible book value per share after giving effect to this offering would be approximately $      per share, and the dilution in pro forma net tangible book value per share to investors in this offering would be approximately $      per share.
 
The following table summarizes, as of October 31, 2007, the differences between the number of shares of common stock purchased from us, after giving effect to the conversion of our convertible preferred stock into common stock, the total cash consideration paid and the average price per share paid by our existing stockholders and by our new investors purchasing shares in this offering at the assumed initial public offering price of $      per share (the midpoint of the range set forth on the cover page of this prospectus), before deducting estimated underwriting discounts and commissions and estimated offering expenses payable by us:
 
                                         
    Shares Purchased     Total Consideration     Average
 
    Number     Percent     Amount     Percent     Price Per Share  
 
Existing stockholders
                        %   $                     %   $          
New investors
                                                           
                                         
Totals
  $               100.0 %   $               100.0 %        
                                         
 
A $1.00 increase (decrease) in the assumed public offering price of $      per share would increase (decrease) total consideration paid by new investors by $      million, assuming that the number of shares offered by us, as set forth on the cover page of this prospectus, remains the same.
 
If the underwriters exercise their over-allotment option in full, our existing stockholders would own     % and our new investors would own     % of the total number of shares of our common stock outstanding after this offering.
 
Sales of shares of common stock by the selling stockholders in this offering will reduce the number of shares of common stock held by existing stockholders to          , or approximately     % of the total shares of common stock outstanding after this offering, and will increase the number of shares held by new investors to          , or approximately     % of the total shares of common stock outstanding after this offering.


30


Table of Contents

The table and discussion above exclude the following shares:
 
  •  6,285,556 shares of common stock issuable upon the exercise of options outstanding as of October 31, 2007, at a weighted-average exercise price of approximately $5.06 per share;
 
  •  no shares of common stock issuable upon the exercise of options granted after October 31, 2007;
 
  •  19,206 shares of common stock issuable upon exercise of warrants outstanding as of October 31, 2007, including a warrant to purchase 6,296 shares of common stock and warrants to purchase an aggregate of 12,910 shares of convertible preferred stock that will convert into warrants to purchase the same number of shares of common stock upon completion of this offering, at a weighted-average exercise price of approximately $0.001338 per share;
 
  •  4,000,000 shares of common stock reserved for future issuance under our 2007 Equity Incentive Plan, which will become effective on the first day that our common stock is publicly traded and contains provisions that will automatically increase its share reserve each year, as more fully described in “Management—Employee Benefit Plans”; and
 
  •  1,000,000 shares of common stock reserved for future issuance under our 2007 Employee Stock Purchase Plan, which will become effective on the first day that our common stock is publicly traded and contains provisions that will automatically increase its share reserve each year, as more fully described in “Management—Employee Benefit Plans.”
 
To the extent outstanding options or warrants are exercised, there will be further dilution to new investors.


31


Table of Contents

 
SELECTED CONSOLIDATED FINANCIAL DATA
 
The following selected consolidated financial data should be read in conjunction with “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes included elsewhere in this prospectus. Following the completion of our fiscal year ended December 31, 2002, we changed our fiscal year end to April 30. As a result of the change, the first full fiscal year in which we sold our products and services was the fiscal year ended April 30, 2004. The consolidated statements of operations data for the fiscal years ended April 30, 2005, 2006 and 2007 and the six months ended October 31, 2006 and 2007, and the balance sheet data as of April 30, 2006 and 2007 and October 31, 2007, are derived from our consolidated financial statements appearing elsewhere in this prospectus. The consolidated statements of operations data for the fiscal year ended December 31, 2002, the four months ended April 30, 2003 and the fiscal year ended April 30, 2004, and the balance sheet data as of April 30, 2003, 2004 and 2005, are derived from our audited consolidated financial statements not included in this prospectus. Our historical results are not necessarily indicative of the results to be expected for any future period.
 
                                                                 
    Fiscal Year
  Four Months
       
    Ended
  Ended
      Six Months Ended
    December 31,   April 30,   Fiscal Year Ended April 30,   October 31,
Consolidated Statements of Operations Data:   2002   2003   2004   2005   2006   2007   2006   2007
    (in thousands, except per share data)
                            (unaudited)
Revenues:
                                                               
Products
  $ 152     $ 511     $ 12,442     $ 22,357     $ 22,859     $ 43,989     $ 16,674     $ 27,875  
Maintenance
    27       76       1,931       5,947       11,473       18,762       7,768       12,247  
Services
    16       25       926       4,518       5,103       7,082       3,277       4,376  
                                                                 
Total revenues
    195       612       15,299       32,822       39,435       69,833       27,719       44,498  
Cost of revenues:
                                                               
Products
    64       41       526       1,084       1,769       2,569       1,049       1,814  
Maintenance(1)
          9       207       851       2,085       3,498       1,650       2,627  
Services(1)
          2       565       2,559       2,942       3,521       1,884       2,440  
                                                                 
Total cost of revenues
    64       52       1,298       4,494       6,796       9,588       4,583       6,881  
                                                                 
Gross profit
    131       560       14,001       28,328       32,639       60,245       23,136       37,617  
Operating expenses(1):
                                                               
Research and development
    3,221       1,034       4,068       7,583       12,154       14,535       6,933       9,107  
Sales and marketing
    2,736       1,382       8,041       14,647       24,309       36,587       15,463       24,607  
General and administrative
    2,845       818       3,480       8,725       12,978       9,453       3,861       6,988  
                                                                 
Total operating expenses
    8,802       3,234       15,589       30,955       49,441       60,575       26,257       40,702  
                                                                 
Loss from operations
    (8,671 )     (2,674 )     (1,588 )     (2,627 )     (16,802 )     (330 )     (3,121 )     (3,085 )
Other income (expense), net
    56       19       106       (49 )     219       462       184       40  
                                                                 
Income (loss) before provision for income taxes
    (8,615 )     (2,655 )     (1,482 )     (2,676 )     (16,583 )     132       (2,937 )     (3,045 )
Provision for income taxes
                23       137       163       389       195       257  
                                                                 
Net loss
  $ (8,615 )   $ (2,655 )   $ (1,505 )   $ (2,813 )   $ (16,746 )   $ (257 )     (3,132 )     (3,302 )
                                                                 
Net loss per common share, basic and diluted
  $ (2.05 )   $ (0.55 )   $ (0.28 )   $ (0.46 )   $ (2.24 )   $ (0.03 )   $ (0.32 )   $ (0.31 )
                                                                 
Shares used in computing basic and diluted net loss per common share
    4,201       4,860       5,372       6,162       7,469       10,042       9,882       10,504  
                                                                 
 
(footnote appears on following page)


32


Table of Contents

                                                                 
                                                               
(1) Stock-based compensation expense is included above as follows:
                                                                 
Cost of maintenance revenues
  $     $     $     $ 4     $ 5     $ 3     $ 1     $ 38  
Cost of services revenues
                1       3       5       14       4       46  
Research and development
                143       1,642       1,950       501       222       647  
Sales and marketing
                14       746       210       661       95       1,141  
General and administrative
                425       4,838       5,948       350       172       261  
                                                                 
Total stock-based compensation expense
  $     $     $ 583     $ 7,233     $ 8,118     $ 1,529     $ 494     $ 2,133  
                                                                 
 
Revenues in fiscal 2006 and prior years excluded revenues related to multiple element sales transactions consummated in that year that were deferred because we did not have vendor-specific objective evidence of fair value, or VSOE, for some product elements that were not delivered in the fiscal year of the transaction. In fiscal 2007, we either delivered such product elements, or we and our customers amended the contractual terms of these sales transactions to remove the undelivered product elements. Fiscal 2007 revenues included a substantial portion of the revenues so deferred from fiscal 2006, as well as a small amount of revenues similarly deferred from prior years. See “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Sources of Revenues, Cost of Revenues and Operating Expenses” for additional details, including the net amounts involved. We expect that in future periods the comparison of revenues period-to-period will not be favorably impacted to the same extent by similar transactions consummated in fiscal 2007 and prior periods.
 
                                                 
    As of April 30,     As of October 31,
 
    2003     2004     2005     2006     2007     2007  
    (in thousands)  
                                  (unaudited)  
 
Consolidated Balance Sheet Data:
                                               
Cash and cash equivalents
  $ 6,036     $ 7,976     $ 13,493     $ 16,443     $ 16,917     $ 15,869  
Working capital (deficit)
    3,762       4,990       11,606       5,377       (3,811 )     (8,478 )
Total assets
    8,521       13,162       26,541       32,926       48,990       52,513  
Current and long-term debt
                                   
Convertible preferred stock
    25,602       26,362       26,928       26,758       26,758       26,758  
Common stock and additional paid-in capital
    2,138       2,950       11,301       19,383       23,479       26,128  
Total stockholders’ equity
  $ 4,467     $ 4,460     $ 9,713     $ 1,433     $ 5,130     $ 4,592  

33


Table of Contents

 
MANAGEMENT’S DISCUSSION AND ANALYSIS
OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
 
You should read the following discussion and analysis in conjunction with the information set forth under “Selected Consolidated Financial Data” and our consolidated financial statements and related notes included elsewhere in this prospectus. The statements in this discussion regarding our expectations of our future performance, liquidity and capital resources, and other non-historical statements in this discussion, are forward-looking statements. These forward-looking statements are subject to numerous risks and uncertainties, including, but not limited to, the risks and uncertainties described under “Risk Factors” and elsewhere in the prospectus. Our actual results may differ materially from those contained in or implied by any forward-looking statements.
 
Overview
 
We are a leading provider of security and compliance management software solutions that intelligently mitigate business risk for enterprises and government agencies. Much like a “mission control center,” our ESM platform delivers a centralized, real-time view of disparate digital alarms, alerts and status messages, which we refer to as events, across geographically dispersed and heterogeneous business and technology infrastructures. Our software correlates massive numbers of events from thousands of security point solutions, network and computing devices and applications, enabling intelligent identification, prioritization and response to external threats, insider threats and compliance and corporate policy violations. We also provide complementary software that delivers pre-packaged analytics and reports tailored to specific security and compliance initiatives, as well as appliances that streamline threat response, event log archiving and network configuration.
 
We were founded in May 2000 and first sold our initial ESM product in June 2002. Our revenues have grown from $32.8 million in fiscal 2005 to $69.8 million in fiscal 2007. Revenues for the six months ended October 31, 2007 were $44.5 million.
 
We achieved positive cash flows from operations in fiscal 2004 through 2007. We generated $3.8 million of cash from our operating activities during the six months ended October 31, 2007, and anticipate that we will continue to generate cash from operating activities for the full fiscal year. We initially funded our operations primarily through convertible preferred stock financings that raised a total of $26.8 million. As of October 31, 2007, we had cash and cash equivalents and accounts receivable of $29.9 million, and an aggregate of $12.6 million in accounts payable and accrued liabilities. In June 2006, we acquired substantially all of the assets of Enira Technologies, LLC, primarily consisting of the predecessors to our TRM and NCM products, for cash and stock consideration with an aggregate value of $8.7 million, including acquisition costs of $0.2 million.
 
Important Factors Affecting Our Operating Results and Financial Condition
 
We believe that the market for our products is in the early stages of development. We have identified factors that we expect to play an important role in our future growth and profitability. These factors are:
 
Sales of ESM Platform and Appliance Products to New Customers.  The market for security and compliance management software solutions is rapidly expanding, with new purchases often driven by corporate compliance initiatives. We typically engage in a proof of concept with our customers to demonstrate the capabilities of our ESM platform in their specific environment. A new sale usually involves the sale of licenses for one or more ESM Managers, a bundle of connectors, depending on the number and type of devices the customer intends to manage with ArcSight ESM, licenses for our console and web interfaces, installation services, training and an initial maintenance arrangement. In many cases, customers will also purchase one of our complementary software modules which enable them to implement specific sets of off-the-shelf rules for our event correlation engine that address specific security and compliance issues and business risks. In addition, customers may purchase our TRM, Logger and NCM appliances to address their threat response, log archiving and network configuration needs. Our growth depends on our ability to sell our products to new customers.
 
Continued Sales to Our Installed Base.  Many customers make an initial purchase from us and then decide whether to use our products with respect to a larger portion of their business and technology infrastructure or buy


34


Table of Contents

additional complementary products from us. Thus, a key component of our growth will be our ability to successfully maintain and further develop the relationships with our existing customers.
 
Development and Introduction of New Products.  We believe it is important that we continue to develop or acquire new products and services that will help us capitalize on opportunities in the security and compliance management market. Examples of new product introductions to date include our TRM, Logger and NCM appliances and our ArcSight Insider Threat Package and ArcSight Compliance Insight Package for PCI products in fiscal 2007, as well as enhancements to our ESM platform such as the May 2007 introduction of features such as identity correlation and role-based management.
 
Development of an Expanded Channel Network for Our Products.  We currently sell our products primarily through our direct sales force, although we do sell to government purchasers and internationally through resellers and system integrators. We believe further development of our sales channel will assist us in penetrating the mid-market, particularly as we expand our appliance-based offerings. In addition, it is likely that new appliance-based products that we develop will be sold more effectively through resellers and, if we are successful in introducing these new products, we will become more dependent on the development of an effective channel network. Further, motivating our channel partners to promote our products will be a key factor in the success of this strategy.
 
Sources of Revenues, Cost of Revenues and Operating Expenses
 
Our sales transactions typically include the following elements: a software license fee paid for the use of our products in perpetuity or, in limited circumstances, for a specified term; an arrangement for first-year support and maintenance, which includes unspecified software updates and upgrades; and professional services for installation, implementation and training. We derive the majority of our revenues from sales of software products. We introduced complementary appliance products in fiscal 2007, and they have not contributed a significant portion of our revenues to date. We sell our products and services primarily through our direct sales force. Additionally, we utilize resellers and systems integrators, particularly in sales to government agencies and international customers.
 
We recognize revenues pursuant to American Institute of Certified Public Accountants, or AICPA, Statement of Position, or SOP, No. 97-2, Software Revenue Recognition, as amended by SOP No. 98-9, Software Revenue Recognition with Respect to Certain Arrangements, or collectively, SOP 97-2, which, if revenues are to be recognized upon product delivery, requires among other things vendor-specific objective evidence of fair value, or VSOE, for each undelivered element of multiple element customer contracts.
 
Fiscal 2007 revenues included revenues related to sales transactions consummated in prior fiscal years for which revenue recognition was deferred as a result of undelivered product elements for which we did not have VSOE. In fiscal 2007, we either delivered these product elements, or we and our customers amended the contractual terms of these sales transactions to remove the undelivered product elements, resulting in recognition of revenues in fiscal 2007. Similarly, but to a lesser extent, revenues related to sales transactions consummated in fiscal 2007 were deferred and will be recognized in future years. The net impact of these transactions was to reduce revenues in fiscal 2006 by $6.3 million and increase fiscal 2007 revenues by $1.8 million. Similarly, the net impact of these transactions reduced revenues in the six months ended October 31, 2006 by $0.8 million and increased revenues in the six months ended October 31, 2007 by $1.5 million. In each case, the net impact caused our fiscal period-to-period revenue growth rate to appear greater than it otherwise would. As of April 30, 2007 and October 31, 2007, deferred revenues included $5.4 million and $3.9 million, respectively, related to transactions such as these.
 
Product Revenues
 
Product revenues consists of license fees for our software products and, beginning in fiscal 2007, also includes revenues for sales of our TRM, Logger and NCM appliance products. License fees are based on a number of factors, including the type and number of devices that our customer intends to monitor using our software as well as the number of users and locations. In addition to our core solution, some of our customers purchase additional licenses for optional extension modules that provide enhanced discovery and analytics capabilities. Sales of our appliance products consist of sales of the appliance hardware and associated perpetual licenses to the embedded software. We first introduced our TRM and NCM appliance products in June 2006 and our Logger appliance product in December 2006, and these products have not represented a significant portion of our total revenues through October 31, 2007.


35


Table of Contents

Appliance fees are based on the number of appliances purchased and, in some cases, on the number of network devices with which our customer intends to use the appliances. We generally recognize product revenues at the time of product delivery, provided all other revenue recognition criteria have been met. We recognize revenues associated with products sold through distribution partners on a sell-through basis once either we or our distribution partner has a contractual agreement in place with the end user, the products have been delivered to the end user, collectibility is probable and all other revenue recognition criteria have been met.
 
Historically, we have engaged in long sales cycles with our customers, typically three to six months and more than a year for some sales, and many customers make their purchase decisions in the last few weeks of a fiscal quarter, following procurement trends in the industry. Further, average deal size can vary considerably depending on our customers’ configuration requirements, implementation plan and budget availability. As a result, it is difficult to predict timing or size of product sales on a quarterly basis. In addition, we may fail to forecast sufficient production of our appliance products due to our limited experience with them, or we may be unable to physically deliver appliances within the quarter, depending on the proximity of the order to the end of the quarter. These situations may lead to delay of revenues until we can deliver products. The loss or delay of one or more large sales transactions in a quarter could impact our operating results for that quarter and any future quarters into which revenues from that transaction are delayed.
 
As of April 30, 2007 and October 31, 2007, deferred product revenues were $10.3 million and $11.2 million, respectively. Included in deferred product revenues as of April 30, 2007 and October 31, 2007 were $4.9 million and $3.5 million, respectively, related to multiple element arrangements where one or more product elements for which we did not have VSOE remained undelivered. The remainder of deferred product revenues as of April 30, 2007 and October 31, 2007 were $5.4 million and $7.7 million, respectively, and primarily related to product revenues to be recognized ratably over the term of the maintenance arrangements, prepayments in advance of delivery and other delivery deferrals.
 
Maintenance Revenues
 
Maintenance includes rights to unspecified software product updates and upgrades, maintenance releases and patches released during the term of the support period and internet and telephone access to maintenance personnel and content. Maintenance revenues are generated both from maintenance that we agree to provide in connection with initial sales of software and hardware products and from maintenance renewals. We generally sell maintenance on an annual basis. We offer two levels of maintenance – standard and, for customers that require 24-hour coverage seven days a week, premium. In most cases, we provide maintenance for sales made through channel partners. In addition, we sell an enhanced maintenance offering that provides frequent security content updates for our software. Maintenance fees are deferred at the time the maintenance agreement is initiated and recognized ratably over the term of the maintenance agreement. As our customer base expands, we expect maintenance revenues to continue to grow. For fiscal 2005, 2006 and 2007, the maintenance renewal rate was 93%, 96% and 96%, respectively.
 
As of April 30, 2007, deferred maintenance revenues were $17.1 million, of which $14.5 million represented current deferred maintenance revenues. As of October 31, 2007, deferred maintenance revenues were $18.6 million, of which $16.1 million represented current deferred maintenance revenues. Deferred maintenance revenues relate to advanced payments for support contracts that are recognized ratably.
 
Services Revenues
 
Services revenues are generated from sales of services to our customers, including installation and implementation of our software, consulting and training. Professional services are not essential to the functionality of the associated software products. We generally sell our services on a time-and-materials basis and recognize revenues as the services are performed.
 
As of April 30, 2007, deferred service revenues were $2.2 million, all of which represented current deferred services revenues. As of October 31, 2007, deferred service revenues were $3.5 million, all of which represented current deferred services revenues. Deferred services revenues relate to customer payments in advance of services being performed.


36


Table of Contents

Cost of Revenues
 
Cost of revenues for our software products consists of third-party royalties and license fees for licensed technology incorporated into our software product offerings. Cost of revenues for appliance products consists of the hardware costs of the appliances and, for certain appliance products, third-party royalties for licensed technology. Sales of our appliance products are generally at a lower margin than sales of our software products.
 
Cost of maintenance revenues consists primarily of salaries and benefits related to maintenance personnel, other out-of-pocket expenses, and facilities and other related overhead.
 
Cost of services revenues consists primarily of the salaries and benefits of personnel, travel and other out-of-pocket expenses, facilities and other related overhead that are allocated based on the portion of the efforts of such personnel that are related to performance of professional services, and cost of services provided by subcontractors for professional services.
 
We intend to increase sales to the mid-market, a goal that we believe will be aided by our recent introduction of our appliance products. We expect the percentage of our mid-market sales made through our distribution channel will be greater than it has been to date. We also expect a high percentage of our international sales to continue to be made through our distribution channel. Sales through the channel tend to be at a lower margin than direct sales. As a result, we may report lower margins in future periods than has been the case for prior periods.
 
Operating Expenses
 
Research and Development Expenses.  Research and development expenses consist primarily of salaries and benefits of personnel engaged in the development of new products, the enhancement of existing products, quality assurance activities and, to a lesser extent, facilities costs and other related overhead. We expense all of our research and development costs as they are incurred. We expect research and development expenses to increase in absolute dollars for the foreseeable future as we continue to invest in the development of our products.
 
Sales and Marketing Expenses.  Sales and marketing expenses consist primarily of salaries, commissions and benefits related to sales and marketing personnel and consultants; travel and other out-of-pocket expenses; expenses for marketing programs, such as for trade shows and our annual users conference, marketing materials and corporate communications; and facilities costs and other related overhead. Commissions on sales of products and initial maintenance are typically earned and expensed when revenue recognition for the respective revenue elements commences and for services when the customer is invoiced. In fiscal 2008, we will also pay commissions for channel sales not only to our direct sales force but also to our channel sales force in an effort to minimize channel conflicts as we develop our channel network. We intend to hire additional sales personnel, initiate additional marketing programs and build additional relationships with resellers, systems integrators and strategic partners on a global basis. Accordingly, we expect that our sales and marketing expenses will continue to increase for the foreseeable future in absolute dollars.
 
General and Administrative Expenses.  General and administrative expenses consist primarily of salaries and benefits related to general and administrative personnel and consultants; accounting and legal fees; insurance costs and facilities costs and other related overhead. We expect that, in the future, general and administrative expenses will increase in absolute dollars as we add personnel and incur additional insurance costs related to the growth of our business and additional legal, accounting and other expenses in connection with our reporting and compliance obligations as a public company.
 
Other Income (Expense), Net.  Other income (expense), net consists of interest earned on our cash investments and foreign currency-related gains and losses. Our interest income will vary each reporting period depending on our average cash balances during the period and the current level of interest rates. Similarly, our foreign currency-related gains and losses will also vary depending upon movements in underlying exchange rates.
 
Provision for Income Taxes.  Provision for income taxes consists of tax expense related to current period earnings, while income tax benefit consists of a recoupment of historical tax expenses due to losses in the then current reporting period. We have previously experienced a greater than 50% shift in our stock ownership, which creates annual limitations on our ability to use a portion of our net operating loss carry-forwards. As a result, our provision for


37


Table of Contents

income taxes and our resulting effective tax rate may be greater than if our net operating loss carry-forwards were available without limitation. In addition, our net operating loss carry-forwards may expire before we fully utilize them.
 
Internal Control Over Financial Reporting
 
We have a history of “material weaknesses” in our internal control over financial reporting as defined by the standards established by the Public Company Accounting Oversight Board. A material weakness is a deficiency or combination of deficiencies in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. During the audits of our financial statements for fiscal 2004, 2005, 2006 and 2007, material weaknesses in our internal control over financial reporting were identified.
 
Specifically, in fiscal 2006 we did not have adequate controls to provide reasonable assurance that revenues were being recorded in accordance with generally accepted accounting principles. The inadequate internal control over financial reporting resulted in the premature recognition of revenues from sales transactions that included undelivered product elements for which we did not have VSOE. As a result of this error, an adjustment was recorded to our financial statements to defer, until later periods, revenues previously recorded. As discussed above in “—Sources of Revenues, Cost of Revenues and Operating Expenses,” we either delivered the applicable product elements, or we and our customers amended the contractual terms of these sales transactions to remove the undelivered product elements, resulting in recognition of the associated revenues in fiscal 2007, and to a lesser extent in future fiscal years. We determined as of April 30, 2007 that we no longer have material weaknesses in the areas identified as material weaknesses in connection with the preparation of our fiscal 2004, 2005 and 2006 financial statements.
 
The material weakness identified during the audit of our fiscal 2007 financial statements relates to internal review, primarily due to failure of the review process of accounting computations and reconciliations prepared by third parties as part of the preparation of our fiscal 2007 financial statements. This weakness led to four adjustments to our financial statements. The largest such adjustment resulted from a failure to detect an overstatement of stock-based compensation expense of $0.3 million under Statement of Financial Accounting Standards, or SFAS, No. 123(R), Share-Based Payment, or SFAS 123R, in calculations prepared by a third-party service provider.
 
We are in the process of remediating the material weakness identified in connection with the preparation of our fiscal 2007 financial statements but have not yet been able to complete our remediation efforts. For example, we recently hired three senior management personnel in our finance and accounting function. In addition, we have implemented or are in the process of implementing additional review procedures. These additional review procedures include:
 
  •  additional journal entry approvals;
 
  •  additional account reconciliations review, including multiple levels of detailed review above specified thresholds;
 
  •  new balance sheet flux analysis for variance detection and related senior review above specified thresholds;
 
  •  new statement of operations flux analysis for variance detection and related senior review above specified thresholds; and
 
  •  new outcome analysis in order to determine root causes of discrepancies found during the aforementioned reviews and analyses and to take appropriate remediative steps.
 
It will take additional time to completely design, implement and test the controls and procedures required to enable our management to conclude that our disclosure controls and our internal control over financial reporting are effective. We cannot at this time estimate how long it will take to complete our remediation efforts or that our efforts will be successful. In addition, we cannot assure you that additional material weaknesses in our internal control over financial reporting will not be identified in the future. Any failure to remediate the material weakness that has been identified or to implement and maintain effective disclosure controls and internal control over financial reporting could cause us to fail to meet our reporting obligations or result in material misstatements in our financial statements.


38


Table of Contents

Critical Accounting Policies, Significant Judgments and Estimates
 
Our consolidated financial statements have been prepared in accordance with accounting principles generally accepted in the United States, which requires us to make estimates and judgments that affect the reported amounts of assets and liabilities and the disclosure of contingent assets and liabilities at the date of the financial statements as well as the reported amounts of revenues and expenses during the reporting period. We base our estimates and judgments on our historical experience, knowledge of current conditions and our beliefs regarding likely occurrences in the future, given available information. Estimates are used for, but are not limited to, revenue recognition, determination of fair value of stock awards, valuation of goodwill and intangible assets acquired in business combinations, impairment of goodwill and other intangible assets, amortization of intangible assets, accounting for uncertainties in income taxes, contingencies and litigation, allowances for doubtful accounts, and accrued liabilities. Actual results may differ from those estimates, and any differences may be material to our financial statements. Further, if we apply different factors, or change the method by which we apply the various factors that are used, in making our critical estimates and judgments, our reported operating results and financial condition could be materially affected.
 
Revenue Recognition
 
We recognize revenues in accordance with SOP 97-2. Accordingly, we exercise judgment and use estimates in connection with the determination of the amount of product and maintenance and services revenues to be recognized in each accounting period.
 
We derive revenues primarily from three sources: (i) sales of our software and hardware products, (ii) fees for maintenance to provide unspecified upgrades and customer technical support, and (iii) fees for services, including professional services for product installation and training. Our appliance products contain software that is more than incidental to the functionality of the product. In accordance with SOP 97-2, we recognize revenues when the following conditions have been met:
 
  •  persuasive evidence of an arrangement exists;
 
  •  the fee is fixed or determinable;
 
  •  product delivery has occurred or services have been rendered; and
 
  •  collection is considered probable.
 
We typically use a binding purchase order in conjunction with either a signed contract or reference on the purchase order to the terms and conditions of our shrinkwrap or end-user license agreement as evidence of an arrangement. We assess whether the fee is fixed or determinable based on the payment terms associated with the transaction and whether the sales price is subject to refund or forfeiture, concession or other adjustment. We do not generally grant rights of return or price protection to our distribution partners or end users, other than limited rights of return during the warranty period in some cases. We use shipping documents, contractual terms and conditions and customer acceptance, when applicable, to verify product delivery to the customer. For perpetual software license fees in arrangements that do not include customization, or services that are not considered essential to the functionality of the licenses, delivery is deemed to occur when the product is delivered to the customer. Services and consulting arrangements that are not essential to the functionality of the licensed product are recognized as revenues as these services are provided. Delivery of maintenance is considered to occur on a straight-line basis over the life of the contract. We consider probability of collection based on a number of factors, such as creditworthiness of the customer as determined by credit checks and analysis, past transaction history, the geographic location and financial viability. We do not request, nor do we require, collateral from customers. If we determine that collectibility is not reasonably assured, we defer the revenues until collectibility becomes reasonably assured, generally upon receipt of cash.
 
Our sales of software products to date have typically been multiple element arrangements, which have included software licenses and corresponding maintenance, and have also generally included some amount of professional services. Our sales of appliance products to date have been multiple element arrangements as well, which included hardware, software licenses and corresponding maintenance, and have also generally included some amount of professional services. We allocate the total arrangement fee among these multiple elements based


39


Table of Contents

upon their respective fair values as determined by VSOE or, if applicable, by the residual method under SOP 97-2. VSOE for maintenance and support services is based on separate sales and/or renewals to other customers or upon renewal rates quoted in contracts when the quoted renewal rates are deemed substantive in both rate and term. VSOE for professional services is established based on prices charged to customers when those services are sold separately. If we cannot objectively determine the fair value of any undelivered element in a multiple element arrangement, we defer revenues for each element until all elements have been delivered, or until VSOE can objectively be determined for any remaining undelivered element. If VSOE for maintenance does not exist, and this represents the only undelivered element, then revenues for the entire arrangement are recognized ratably over the performance period. When VSOE of a delivered element has not been determined, but the fair value for all undelivered elements has, we use the residual method to record revenues for the delivered element. Under the residual method, the fair value of the undelivered elements is deferred and the remaining portion of the arrangement fee is allocated to the delivered element and recognized immediately as revenues.
 
Our agreements generally do not include acceptance provisions. However, if acceptance provisions exist, we deem delivery to have occurred upon customer acceptance.
 
We recognize revenues associated with products and professional services sold through our channel partners once either we or our channel partner has a contractual agreement in place with the end user, delivery has occurred to the end user and all other revenue recognition criteria have been met.
 
We assess whether fees are collectible and fixed or determinable at the time of the sale, and recognize revenues if all other revenue recognition criteria have been met. Our standard payment terms are net 30 days and are considered normal up to net three months, while payment terms beyond three months are considered to be extended terms. Payments that are due within three months are generally deemed to be fixed or determinable based on our successful collection history on these agreements.
 
Stock-Based Compensation
 
The following table summarizes by grant date the number of shares of our common stock subject to options granted since the beginning of fiscal 2006, and the associated per share exercise price. We have determined that the exercise price equaled the fair value of our common stock for each of these grants.
 
                 
    Number
    Per Share Exercise
 
    of Shares
    Price and
 
    Subject to Options
    Fair Value of
 
Grant Date
  Granted     Common Stock  
 
May 26, 2005
    1,007,500     $ 4.00  
June 15, 2005
    30,625       4.00  
July 12, 2005
    67,250       4.00  
August 11, 2005
    56,875       4.00  
August 22, 2005
    107,500       4.00  
September 15, 2005
    259,750       4.00  
October 28, 2005
    122,500       4.00  
March 8, 2006
    462,431       6.08  
June 5, 2006
    379,437       6.08  
June 19, 2006
    104,773       6.08  
December 14, 2006
    359,450       6.80  
January 24, 2007
    1,161,937       6.80  
April 19, 2007
    202,750       9.32  
August 7, 2007
    607,984       10.00  
October 16, 2007
    519,068       10.00  
 
Prior to May 1, 2006, we accounted for our stock-based awards to employees using the intrinsic value method prescribed in Accounting Principles Board Opinion No. 25, Accounting for Stock Issued to Employees, or APB 25 and related interpretations. Under the intrinsic value method, compensation expense is measured on the date of the grant as


40


Table of Contents

the difference between the fair value of our common stock and the exercise or purchase price multiplied by the number of stock options or restricted stock awards granted. We recorded deferred stock-based compensation of $1.1 million related to employee stock options granted in fiscal 2005, because the fair value of our common stock determined in connection with preparation of our financial statements exceeded the fair value of our common stock as had been determined by our board of directors at the time of grant. We had no deferred stock-based compensation for fiscal 2006. We amortize deferred stock-based compensation using the multiple option method as prescribed by Financial Accounting Standards Board, or FASB, Interpretation No. 28, Accounting for Stock Appreciation Rights and Other Variable Stock Option or Award Plans, or FIN 28, over the option vesting period using an accelerated amortization schedule. We amortized employee stock-based compensation of $0.3 million, $0.6 million, $0.3 million, $0.2 million and $0.1 million in fiscal 2005, 2006 and 2007 and the six months ended October 31, 2006 and 2007, respectively.
 
Effective May 1, 2006, we adopted SFAS 123R, which requires companies to expense the fair value of employee stock options and other forms of stock-based compensation. SFAS 123R requires nonpublic companies that used the minimum value method under SFAS No. 123, Accounting for Stock-Based Compensation, or SFAS 123, for either recognition or pro forma disclosures to apply SFAS 123R using the prospective-transition method. As such, we will continue to apply APB 25 in future periods to unvested equity awards outstanding at the date of adoption of SFAS 123R that were measured using the minimum value method. In addition, we are continuing to amortize those awards granted prior to May 1, 2006 utilizing an accelerated amortization schedule. In accordance with SFAS 123R, we will recognize the compensation cost of employee stock-based awards granted subsequent to April 30, 2006 in the statement of operations using the straight-line method over the vesting period of the award.
 
To determine the fair value of stock options granted after May 1, 2006, we have elected to use the Black-Scholes option pricing model, which requires, among other inputs, an estimate of the fair value of the underlying common stock on the date of grant and assumptions as to volatility of our stock over the expected term of the related options, the expected term of the options, the risk-free interest rate and the option forfeiture rate. As there has been no public market for our common stock prior to this offering, we have determined the volatility for options granted in fiscal 2007 based on an analysis of reported data for a peer group of companies that issued options with substantially similar terms. The expected volatility of options granted has been determined using weighted-average measures of the implied volatility and the historical volatility for this peer group of companies for a period equal to the expected life of the option. The expected volatility for options granted during fiscal 2007 was 66%. The expected life of options has been determined considering the expected life of options granted by a group of peer companies and the average vesting and contractual terms of options granted to our employees. The expected life of options granted during fiscal 2007 was 5.25 years. For fiscal 2007, the weighted-average risk-free interest rate used was 5.00%. The risk-free interest rate is based on a zero coupon United States treasury instrument whose term is consistent with the expected life of the stock options. We have not paid and do not anticipate paying cash dividends on our shares of common stock; therefore, the expected dividend yield is assumed to be zero. In addition, SFAS 123R requires companies to utilize an estimated forfeiture rate when calculating the expense for the period, whereas SFAS 123 permitted companies to record forfeitures based on actual forfeitures, which was our historical policy under SFAS 123. As a result, we applied an estimated annual forfeiture rate of 5% in fiscal 2007 in determining the expense recorded in our consolidated statement of operations.
 
For fiscal 2007 and the six months ended October 31, 2006 and 2007, we recorded expense of $0.9 million, $0.2 million and $1.9 million, respectively, in connection with stock-based awards accounted for under SFAS 123R. As of October 31, 2007, unrecognized stock-based compensation expense of non-vested stock options was $11.0 million. As of October 31, 2007, the unrecognized stock-based compensation expense is expected to be recognized using the straight line method over the required service period of the options. We expect stock-based compensation expense to increase in absolute dollars as a result of the adoption of SFAS 123R. The actual amount of stock-based compensation expense we record in any fiscal period will depend on a number of factors, including the number of stock options issued and the volatility of our stock price over time. In future periods, stock-based compensation expense may increase as we issue additional equity-based awards to continue to attract and retain key employees. Additionally, SFAS 123R requires that we recognize compensation expense only for the portion of stock options that are expected to vest. If the actual number of forfeitures differs from that estimated by management, we will be required to record adjustments to stock-based compensation expense in future periods.


41


Table of Contents

Given the absence of an active market for our common stock, our board of directors, the members of which we believe had extensive business, finance or venture capital experience, was required to estimate the fair value of our common stock for purposes of determining exercise prices for the options it granted. Prior to February 1, 2006, our board of directors determined the estimated fair value of our common stock, based in part on an analysis of relevant metrics, including the following:
 
  •  the prices for our convertible preferred stock sold to outside investors in arm’s-length transactions;
 
  •  the rights, preferences and privileges of that convertible preferred stock relative to those of our common stock;
 
  •  our operating and financial performance;
 
  •  the hiring of key personnel;
 
  •  the introduction of new products;
 
  •  our stage of development and revenue growth;
 
  •  the fact that the option grants involved illiquid securities in a private company;
 
  •  the risks inherent in the development and expansion of our products and services; and
 
  •  the likelihood of achieving a liquidity event, such as an initial public offering or a sale of us, for the shares of common stock underlying the options given prevailing market conditions.
 
Commencing on February 1, 2006, Financial Strategies Consulting Group, or FSCG, an unrelated third-party valuation specialist as described by AICPA Practice Aid Valuation of Privately-Held Company Equity Securities Issued as Compensation, performed valuations of our common stock for income tax purposes, which valuations were the primary factor considered by our board of directors in determining the fair value of our common stock for stock options granted subsequent to that date (although the board also independently considered factors such as those described in the paragraph above). The exercise price for all options granted subsequent to February 1, 2006 was established in light of FSCG valuations as of a date not more than five months prior to the date of grant. The dates of the FSCG reports and the respective per share fair values of our common stock as of the respective dates of valuation are as follows:
 
         
        Per Share Fair Value of
As of Date of the Valuation
  Date of the Report   Common Stock
 
February 1, 2006
  March 1, 2006   $6.00 - $6.20
November 1, 2006
  November 7, 2006   $6.80
March 15, 2007
  April 4, 2007   $9.32
June 1, 2007
  June 29, 2007   $10.00
October 1, 2007
  October 3, 2007   $10.00
 
FSCG used the market-comparable approach and the income approach to estimate our aggregate enterprise value at each valuation date. The market-comparable approach estimates the fair market value of a company by applying market multiples of publicly-traded companies in the same or similar lines of business to the results and projected results of the company being valued. When choosing the market-comparable companies to be used for the market-comparable approach, we initially focused on companies providing network and security compliance and management enterprise software solutions, which primarily resulted in the inclusion of larger more mature companies. These market comparables were only changed as companies were acquired and they were no longer included in the FSCG valuations. However, following presentations by the investment banks that were chosen as underwriters for this offering regarding their preliminary views of the market for a potential offering, the comparable companies used in the FSCG valuations were augmented to include companies considered by those underwriters that had made presentations. This resulted in the inclusion of companies that are more recently public with financial profiles more similar to our own. The income approach involves applying an appropriate risk-adjusted discount rate to projected debt-free cash flows based on forecasted revenue and costs.
 
We prepared, as of each valuation date, financial forecasts used in the computation of the enterprise value for both the market-comparable approach and the income approach. The financial forecasts were based on assumed revenue growth rates that took into account our past experience and future expectations. The risks associated with


42


Table of Contents

achieving these forecasts were assessed in selecting the appropriate cost of capital rates, which decreased over time from 22% to 17%.
 
Given that both the market-comparable approach and the income approach provide relevant estimates of fair value, which did not differ significantly, the FSCG valuations applied equal weighting to each of these approaches to determine an initial estimated value. The initial estimated value was then subjected to the probability weighted expected return method which derived the per share value utilizing a probability weighted scenario analysis. The following scenarios were assumed:
 
  •  IPO Scenario:  Estimates the value based on an estimated initial public offering, or IPO, value discounted to the present value based on both risk and timing.
 
  •  Sale Scenario:  Estimates the value assuming the sale of us based on estimates of future value in a potential acquisition transaction discounted to the present value.
 
  •  Private Company Scenario:  Uses the market comparable approach and the income approach to estimate value. The market comparable approach estimates fair value by applying market multiples of publicly traded firms in similar lines of business. The income approach involves applying appropriate risk-adjusted discount rates to estimated debt-free cash flows, based on forecasted revenues and expenses. The projections used in connection with this valuation were based on our expected operating performance over the forecast period. In applying the market comparable and income approaches to reach a valuation, a discount was applied to the resulting value to reach the final valuation by the respective method based on the fact that as a private company there were significant impediments to liquidity (including lack of publicly available information and the lack of a trading market). The size of the discount was determined using quantitative analysis and was in part a function of the estimated time for us to reach a liquidity event.
 
  •  Liquidation Scenario:  Assumes we are dissolved, where the book value less the applicable liquidation preferences represents the amount available to the common stockholders. Given our stage of development and our financial performance, the FSCG valuations applied a zero probability to this scenario.
 
Over time, as we achieved certain milestones, the probabilities were adjusted accordingly, with the probability of a liquidity event such as an IPO or sale increasing over time.
 
We also considered the fact that our stockholders cannot freely trade our common stock in the public markets. The estimated fair value of our common stock at each grant date reflected a non-marketability discount partially based on the anticipated likelihood and timing of a future liquidity event. The non-marketability discount was not applied in the IPO scenario. In addition, the non-marketability discount was not applied to cash in either the market-comparable approach or the income approach. In the valuations used to establish the fair value of our common stock, the non-marketability discount was 27% in February 2006 and November 2006, and decreased over time to 19%, 14% and 14% in March 2007, June 2007 and October 2007, respectively.
 
There is inherent uncertainty in these forecasts and projections and if we had made different assumptions and estimates than those described above, the amount of our stock-based compensation expense, net loss and net loss per share amounts could have been materially different.
 
Following is a discussion of all options we have granted subsequent to May 1, 2006, the first day of fiscal 2007:
 
June 5, 2006 and June 19, 2006.  The options granted on these dates had an exercise price of $6.08 per share, based primarily on the valuation performed by FSCG of our common stock as of February 1, 2006, which estimated that at such time the fair value of the common stock was between $6.00 and $6.20 per share. The valuation used a risk-adjusted discount of 22%, a non-marketability discount of 27% and an estimated time to a liquidity event of six to 12 months. The expected outcomes, considered as a range, were weighted more toward an IPO (70-75%), with lower weights for a sale (12.5-17.5%) and for remaining as a private company (7.5-17.5%), and with no weight given to a liquidation scenario. The FSCG valuation was primarily driven by preliminary estimates of IPO valuations in the most recent discussions we had held prior to that date with potential underwriters, which valuations were discounted based on an expected period of time to complete an IPO. The determination of fair value was also influenced by the value per share ascribed to our common stock in the Enira acquisition on June 5, 2006 from independent third parties, which was also $6.08 per share.


43


Table of Contents

December 14, 2006 and January 24, 2007.  The options granted on these dates had an exercise price of $6.80 per share. This value was based primarily on FSCG’s valuation of our common stock as of November 1, 2006, which estimated that at such time the fair value of the common stock was $6.80 per share. The valuation used a risk-adjusted discount of 20%, a non-marketability discount of 27% and an estimated time to a liquidity event of more than 12 months. The expected outcomes were weighted more toward an IPO (70%), with equal weights for a sale and for remaining as a private company (15%), and with no weight given to a liquidation scenario. The primary factor in the increased valuation between February 1, 2006 and November 1, 2006 was an increase in the assumed value under a sale-of-the-company scenario, driven by merger and acquisition activity in our direct or related markets.
 
April 19, 2007.  The options granted on this date had an exercise price of $9.32 per share, based primarily on FSCG’s valuation of our common stock as of March 15, 2007, which estimated that at such time the fair value of the common stock was $9.32 per share. The valuation used a risk-adjusted discount of 20%, a non-marketability discount of 19% and an estimated time to a liquidity event of three to six months. The expected outcomes were weighted more toward an IPO (75%), with lower weights for a sale (15%) and for remaining as a private company (10%), and with no weight given to a liquidation scenario. The most significant change in events between November 1, 2006 and March 15, 2007 was the decision by our board of directors to commence this IPO process. We interviewed various investment banks for this offering in February 2007, and the preliminary IPO valuations presented by the investment banks in February 2007 were the primary reason for the increase in the estimated value in the March 2007 FSCG valuation. Our decision to pursue this IPO process was made subsequent to the completion of the third quarter of fiscal 2007, during which quarter we achieved very strong sales in the final days of the quarter and substantially improved operating results over the prior year period. The impact of the decision to commence this offering process resulted in the inclusion of companies that are more recently public in the group of market comparable companies. These changes, coupled with the resulting market multiples being applied to financial projections covering a later period with a larger business base, contributed to the substantial increase from the November 1, 2006 valuation.
 
August 7, 2007.  The options granted on this date had an exercise price of $10.00 per share, based primarily on FSCG’s valuation of our common stock as of June 1, 2007, which estimated that at such time the fair value of the common stock was $10.00 per share. The valuation used a risk-adjusted discount of 18%, a non-marketability discount of 14% and an estimated time to a liquidity event of one to three months. The expected outcomes were weighted more toward an IPO (75%), with lower weights for a sale (15%) and for remaining as a private company (10%), and with no weight given to a liquidation scenario. The primary factor in the increase in the valuation between March 15, 2007 and June 1, 2007, was the increase in the net present value calculations to account for the reduced time to liquidity under the assumed IPO scenario. There were no other business or financial considerations that changed in the valuation analysis between March 15, 2007 and June 1, 2007.
 
October 16, 2007.  The options granted on this date had an exercise price of $10.00 per share, based on FSCG’s valuation of our common stock as of October 1, 2007, which estimated that at such time the fair value of the common stock was $10.00 per share. The valuation used a risk-adjusted discount of 18%, a non-marketability discount of 14% and an estimated time to a liquidity event of one to three months. The expected outcomes were weighted more toward an IPO (75%), with lower weights for a sale (20%) and for remaining as a private company (5%), and with no weight given to a liquidation scenario. The valuation was unchanged because there were no material developments in our business and due to uncertainty regarding the timing and other conditions of an initial public offering.
 
We also have incurred stock-based compensation expense related to stock options that were exercised with the proceeds from loans that we made to the employee option holders. Our forgiveness of a portion of one of these employee loans in May 2002 resulted in a requirement to use variable accounting for all other options exercised with outstanding employee loans. As the value of our stock increased in fiscal 2005 and 2006, the impact of the variable accounting treatment resulted in stock-based compensation expense. The stock-based compensation expense resulting from the variable accounting were $7.0 million and $7.5 million in fiscal 2005 and 2006, respectively. The last of these employee loans was repaid in January 2006, which ended the related stock-based compensation expenses.


44


Table of Contents

 
Assuming the sale of shares contemplated by this offering is consummated at $      per share, which is the midpoint of the range set forth on the cover page of this prospectus, the aggregate intrinsic value of vested and unvested options to purchase shares of our common stock outstanding as of October 31, 2007 would be $      million and $      million, respectively.
 
Business Combinations
 
We account for business combinations in accordance with SFAS No. 141, Business Combinations, or SFAS 141, which requires the purchase method of accounting for business combinations. In accordance with SFAS 141, we determine the recognition of intangible assets based on the following criteria: (i) the intangible asset arises from contractual or other rights; or (ii) the intangible asset is separable or divisible from the acquired entity and capable of being sold, transferred, licensed, returned or exchanged. In accordance with SFAS 141, we allocate the purchase price of our business combinations to the tangible assets, intangible assets and liabilities acquired based on their estimated fair values. We record the excess of the purchase price over the total of those fair values as goodwill.
 
Our valuations require significant estimates, especially with respect to intangible assets. Critical estimates in valuing certain intangible assets include, but are not limited to, future expected cash flows from customer contracts, customer lists and distribution agreements and discount rates. We estimate fair value based upon assumptions we believe to be reasonable, but which are inherently uncertain and unpredictable, and, as a result, actual results may differ from our estimates.
 
Goodwill and Intangible Assets
 
In accordance with SFAS No. 142, Goodwill and Other Intangible Assets, or SFAS 142, we do not amortize goodwill or other intangible assets with indefinite lives but rather test them for impairment. SFAS 142 requires us to perform an impairment review of our goodwill balance at least annually and also whenever events or changes in circumstances indicate that the carrying amount of these assets may not be recoverable. The allocation of the acquisition cost to intangible assets and goodwill requires the extensive use of estimates and assumptions, including estimates of future cash flows expected to be generated by the acquired assets and amortization of intangible assets, other than goodwill. Further, when impairment indicators are identified with respect to previously recorded intangible assets, the values of the assets are determined using discounted future cash flow techniques. Significant management judgment is required in the forecasting of future operating results that are used in the preparation of the projected discounted cash flows, and should different conditions prevail, material write-downs of net intangible assets could occur. We review periodically the estimated remaining useful lives of our acquired intangible assets. A reduction in our estimate of remaining useful lives, if any, could result in increased amortization expense in future periods. Future goodwill impairment tests could result in a charge to earnings.
 
Allowance for Doubtful Accounts
 
We maintain an allowance for doubtful accounts based on a periodic review of customer accounts, payment patterns and specific collection issues. Where account-specific collection issues are identified, we record a specific allowance based on the amount that we believe will not be collected. For accounts where specific collection issues are not identified, we record a reserve based on the age of the receivables. As of April 30, 2007, accounts receivable from one customer represented 12% of net accounts receivable, which receivable was fully paid subsequent to the end of fiscal 2007. As of October 31, 2007, accounts receivable from one reseller represented 25% of net accounts receivable, which receivables are expected to be paid within their respective payment terms.
 
Accounting for Income Taxes
 
As part of the process of preparing our consolidated financial statements, we are required to estimate our taxes in each of the jurisdictions in which we operate. We estimate actual current tax exposure and assess temporary differences between our financial reporting and our tax filings resulting from differing treatment of items, such as accruals and allowances not currently deductible for tax purposes. These differences result in deferred tax assets and liabilities. In general, deferred tax assets represent future tax benefits to be received when certain expenses


45


Table of Contents

previously recognized in our consolidated statements of operations become deductible expenses under applicable income tax laws or loss or credit carry-forwards are utilized. Accordingly, realization of our deferred tax assets is dependent on future taxable income against which these deductions, losses and credits can be utilized. We must assess the likelihood that our deferred tax assets will be recovered from future taxable income, and to the extent we believe that recovery is not likely, we must establish a valuation allowance.
 
Provision for income taxes is based on our estimated annual effective tax rate in compliance with SFAS No. 109, Accounting for Income Taxes, or SFAS 109, and other related guidance. We update our estimate of our annual effective tax rate at the end of each quarterly period. We make estimates and judgments in the calculation of tax credits and in the calculation of certain tax assets and liabilities which arise from differences in the timing of recognition of revenue and expense for tax and financial statement purposes. Changes in these estimates may result in significant increases or decreases to our tax provision in a subsequent period, which in turn would affect net income.
 
Management judgment is required in determining our provision for income taxes, our deferred tax assets and liabilities and any valuation allowance recorded against our net deferred tax assets. We recorded a full valuation allowance (net of deferred tax liability) as of April 30, 2007 and October 31, 2007 because, based on the available evidence, we believed at that time it was more likely than not that we would not be able to utilize all of our deferred tax assets in the future. We intend to maintain the full valuation allowances until sufficient evidence exists to support the reversal of all or some portion of these allowances. Should the actual amounts differ from our estimates, the amount of our valuation allowance could be materially impacted.
 
We have previously experienced a greater than 50% shift in our stock ownership, which creates annual limitations on our ability to use a portion of our net operating loss carry-forwards.
 
We adopted FASB Interpretation 48, Accounting for Uncertainty in Income Taxes, an Interpretation of SFAS 109, or FIN 48, on May 1, 2007. As a result of the implementation of FIN 48, we recognized a liability for uncertain tax positions and a cumulative effect adjustment to the beginning balance of accumulated deficit on the balance sheet of $0.1 million. As of October 31, 2007, the liability for uncertain tax positions was $0.2 million. As of the date of adoption, we also recorded a $1.4 million reduction to deferred tax assets for unrecognized tax benefits, all of which is currently offset by a full valuation allowance that had no affect on the beginning balance of accumulated deficit or the net balance sheet. As of October 31, 2007, the unrecognized tax benefit of $1.4 million increased to $1.7 million, all of which is offset by a full valuation allowance. Our total unrecognized tax benefit as of the May 1, 2007 adoption date and as of October 31, 2007 was $1.5 million and $1.9 million, respectively. In addition, as of October 31, 2007, we had $164,000 of unrealized tax benefits, that, if recognized, would affect our effective tax rate for the six months ended October 31, 2007. In addition, we do not expect any material changes to the estimated amount of liability associated with our uncertain tax positions within the next 12 months.
 
We file income tax returns in the U.S. federal jurisdiction, California and various state and foreign tax jurisdictions in which we have a subsidiary or branch operation. The tax years 2001 to 2006 remain open to examination by the U.S. and state tax authorities, and the tax years 2005 and 2006 remain open to examination by the foreign tax authorities.
 
Our policy is that we recognize interest and penalties accrued on any unrecognized tax benefits as a component of income tax expense. As of the date of adoption of FIN 48, we had approximately $21,000 of accrued interest or penalties associated with unrecognized tax benefits.


46


Table of Contents

Results of Operations
 
The following table presents selected items in our consolidated statements of operations in dollars and the percentage change in those items for fiscal 2005, 2006 and 2007 and the six months ended October 31, 2006 and 2007, the first six months of fiscal 2007 and 2008:
 
                                                                 
          Six Months Ended
       
    Fiscal Year Ended April 30,     October 31,     % Increase (Decrease)  
    2005     2006     2007     2006     2007     2005 - 2006     2006 - 2007     6M 07 - 6M 08  
    (unaudited)  
    (dollars in thousands)  
 
                                                                 
Revenues:
                                                               
Products
  $ 22,357     $ 22,859     $ 43,989     $ 16,674     $ 27,875       2.2 %     92.4 %     67.2 %
Maintenance(1)
    5,947       11,473       18,762       7,768       12,247       92.9       63.5       57.7  
Services(1)
    4,518       5,103       7,082       3,277       4,376       12.9       38.8       33.5  
                                                                 
Total revenues
    32,822       39,435       69,833       27,719       44,498       20.1       77.1       60.5  
                                                                 
Cost of revenues:
                                                               
Products
    1,084       1,769       2,569       1,049       1,814       63.2       45.2       72.9  
Maintenance(1)
    851       2,085       3,498       1,650       2,627       145.0       67.8       59.2  
Services(1)
    2,559       2,942       3,521       1,884       2,440       15.0       19.7       29.5  
                                                                 
Total cost of revenues
    4,494       6,796       9,588       4,583       6,881       51.2       41.1       50.1  
                                                                 
Gross profit
    28,328       32,639       60,245       23,136       37,617       15.2       84.6       62.6  
Operating expenses(1):
                                                               
Research and development
    7,583       12,154       14,535       6,933       9,107       60.3       19.6       31.4  
Sales and marketing
    14,647       24,309       36,587       15,463       24,607       66.0       50.5       59.1  
General and administrative
    8,725       12,978       9,453       3,861       6,988       48.7       (27.2 )     81.0  
                                                                 
Total operating expenses
    30,955       49,441       60,575       26,257       40,702       59.7       22.5       55.0  
                                                                 
Loss from operations
    (2,627 )     (16,802 )     (330 )     (3,121 )     (3,085 )     *         *         *    
Other income (expense), net
    (49 )     219       462       184       40       *         111.0       (78.3 )
                                                                 
Income (loss) before provision for income taxes
    (2,676 )     (16,583 )     132       (2,937 )     (3,045 )     *         *         *    
Provision for income taxes
    137       163       389       195       257       19.0       138.7       31.8  
                                                                 
Net loss
  $ (2,813 )   $ (16,746 )   $ (257 )   $ (3,132 )   $ (3,302 )     *         *         *    
                                                                 
                                                                 
                                                               
(1) Stock-based compensation expense is included above as follows:
Cost of maintenance revenues
  $ 4     $ 5     $ 3     $ 1     $ 38                          
Cost of services revenues
    3       5       14       4       46                          
Research and development
    1,642       1,950       501       222       647                          
Sales and marketing
    746       210       661       95       1,141                          
General and administrative
    4,838       5,948       350       172       261                          
                                                                 
Total stock-based compensation expense
  $ 7,233     $ 8,118     $ 1,529     $ 494     $ 2,133                          
                                                                 
 
 
* Percentage change information is not meaningful.


47


Table of Contents

 
The table below presents selected items in our consolidated statements of operations as a percentage of total revenues for the periods indicated:
 
                                         
          Six Months Ended
 
    Fiscal Year Ended April 30,     October 31,  
    2005     2006     2007     2006     2007  
                      (unaudited)  
 
Revenues:
                                       
Products
    68.1 %     58.0 %     63.0 %     60.2 %     62.7 %
Maintenance
    18.1       29.1       26.9       28.0       27.5  
Services
    13.8       12.9       10.1       11.8       9.8  
                                         
Total revenues
    100.0       100.0       100.0       100.0       100.0  
Cost of revenues:
                                       
Products
    3.3       4.5       3.7       3.8       4.1  
Maintenance
    2.6       5.3       5.0       5.9       5.9  
Services
    7.8       7.4       5.0       6.8       5.5  
                                         
Total cost of revenues
    13.7       17.2       13.7       16.5       15.5  
                                         
Gross margin
    86.3       82.8       86.3       83.5       84.5  
Operating expenses:
                                       
Research and development
    23.1       30.8       20.8       25.0       20.5  
Sales and marketing
    44.6       61.7       52.4       55.8       55.3  
General and administrative
    26.6       32.9       13.6       13.9       15.7  
                                         
Total operating expenses
    94.3       125.4       86.8       94.7       91.5  
                                         
Loss from operations
    (8.0 )%     (42.6 )%     (0.5 )%     (11.2 )%     (7.0 )%
                                         
 
Comparison of Six Months Ended October 31, 2007 and 2006
 
Revenues
 
Product Revenues.  Product revenues for the six months ended October 31, 2007 included revenues of $12.0 million from sales to 63 new customers and revenues of $15.9 million from sales to existing customers. New customer revenues for the six months ended October 31, 2007 increased by $5.0 million compared to new customer revenues for the six months ended October 31, 2006. Existing customer revenues for the six months ended October 31, 2007 increased by $6.2 million compared to existing customer revenues for the six months ended October 31, 2006. There was a net deferral of $0.2 million of product revenues in the six months ended October 31, 2006 related to sales transactions that included an undelivered product element for which we did not have VSOE, while for the six months ended October 31, 2007 there was a net recognition of product revenues of $1.4 million from those transactions. As of October 31, 2007, deferred product revenues included $3.5 million related to similar transactions. See the related discussion in “—Sources of Revenues, Cost of Revenues and Operating Expenses.”
 
Maintenance Revenues.  Maintenance revenues increased $4.5 million for the six months ended October 31, 2007, as a result of providing support services to a larger installed base as well as the incremental maintenance revenues from increased product sales. As a result of the timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE, there was a net deferral of $0.6 million of maintenance revenues for the six months ended October 31, 2006, and a net recognition of $0.1 million of maintenance revenues for the six months ended October 31, 2007. See the related discussion in “—Sources of Revenues, Cost of Revenues and Operating Expenses.”
 
Services Revenues.  Services revenues increased by $1.1 million for the six months ended October 31, 2007, as a result of providing services to a larger installed base.


48


Table of Contents

Cost of Revenues and Gross Margin
 
Cost of Product Revenues and Gross Margin.  Product gross margin as a percentage of product revenues remained constant at 93.5% for the six months ended October 31, 2007, compared to 93.7% for the six months ended October 31, 2006.
 
Cost of Maintenance Revenues and Gross Margin.  Maintenance gross margin as a percentage of maintenance revenues remained constant at 78.5% for the six months ended October 31, 2007 compared to 78.8% for the six months ended October 31, 2006.
 
Cost of Services Revenues and Gross Margin.  Services gross margin as a percentage of services revenues increased to 44.0% for the six months ended October 31, 2007 from 42.5% for the six months ended October 31, 2006, due to fewer low-margin transactions for which we used third-party service providers and an increase in our billing rates.
 
Operating Expenses
 
Research and Development Expenses.  The increase in research and development expenses for the six months ended October 31, 2007 of $2.2 million compared to the six months ended October 31, 2006 was primarily attributable to an increase of $1.5 million in compensation expenses, including an increase of $0.4 million in stock-based compensation expense, associated with an increase in research and development personnel from 76 to 96 at the respective period ends, and to an increase of facilities-related expense of $0.4 million as a result of our expansion of our headquarters in Cupertino, California. Research and development expense as a percentage of revenue was 20.5% and for the six months ended October 31, 2007, compared to 25.0% for the six months ended October 31, 2006.
 
Sales and Marketing Expenses.  The increase in sales and marketing expenses for the six months ended October 31, 2007 of $9.1 million compared to the six months ended October 31, 2006, was primarily attributable to an increase of $5.0 million in compensation and related expense associated with an increase in sales and marketing personnel from 83 to 110 at the respective period ends. The increase in compensation and related expense included an increase of $1.0 million as a result of an increase in stock-based compensation expense. In addition, travel and entertainment expenses increased by $0.8 million, marketing program expenses increased by $0.5 million, and facilities expenses increased $0.2 million. Sales and marketing expense as a percentage of revenues remained constant at 55.2% for the six months ended October 31, 2007 compared to 55.8% for the six months ended October 31, 2006.
 
General and Administrative Expenses.  The increase in general and administrative expenses of $3.1 million for the six months ended October 31, 2007, compared to the six months ended October 31, 2006, was primarily associated with an increase of $1.6 million associated with the completion of our historic audits and current accounting, tax and auditing expenses. In addition, an increase of $0.8 million associated with compensation and related expense, and an increase in facilities expense of $0.2 million associated with an increase in personnel from 28 to 40 at the respective period ends contributed to the change. As a result of these factors, general and administrative expense as a percentage of revenues increased to 15.7% for the six months ended October 31, 2007, compared to 13.9% for the six months ended October 31, 2006.
 
Other Income (Expense), Net.  The decrease in other income (expense), net for the six months ended October 31, 2007 is primarily a result of higher interest expense related to capitalized software licenses and, to a lesser extent, foreign currency losses.
 
Provision for Income Taxes.  The provision for income taxes for the six months ended October 31, 2007 and 2006, was primarily related to foreign income taxes.
 
Comparison of Fiscal 2007 and Fiscal 2006
 
Revenues
 
Product Revenues.  Product revenues in fiscal 2007 included revenues of $25.5 million from sales to 120 new customers and revenues of $18.5 million from sales to existing customers. New customer revenues in fiscal 2007


49


Table of Contents

increased by $11.5 million compared to new customer revenues in fiscal 2006. Existing customer revenues in fiscal 2007 increased by $9.6 million compared to existing customer revenues in fiscal 2006. As a result of the timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE, there was a net deferral of $6.0 million of product revenues in fiscal 2006 and a net recognition of $1.7 million of product revenues in fiscal 2007. This accounted for $0.3 million of the increase in product revenues from new customers, and $7.4 million of the increase in product revenues from existing customers, in fiscal 2007 compared with fiscal 2006. As of April 30, 2007, deferred product revenues included $4.9 million related to similar transactions. See the related discussion in “—Sources of Revenues, Cost of Revenues and Operating Expenses.”
 
Maintenance Revenues.  Maintenance revenues increased $7.3 million in fiscal 2007 as a result of providing support services to a larger installed base as well as the incremental maintenance revenues from increased product sales. As a result of the timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE, there was a net deferral of $0.3 million of maintenance revenues in fiscal 2006 and a net recognition of $0.1 million of maintenance revenues in fiscal 2007. This accounted for $0.4 million of the increase in maintenance revenues in fiscal 2007 compared to fiscal 2006. As of April 30, 2007, deferred maintenance revenues included $0.5 million related to similar transactions. See the related discussion in “—Sources of Revenues, Cost of Revenues and Operating Expenses.”
 
Services Revenues.  Services revenues increased by $2.0 million in fiscal 2007 as a result of providing services to a larger installed base.
 
Cost of Revenues and Gross Margin
 
Cost of Product Revenues and Gross Margin.  Product gross margin as a percentage of product revenues increased to 94.2% in fiscal 2007 from 92.3% in fiscal 2006. The increase of 1.9 percentage points in product gross margin as a percentage of product revenues in fiscal 2007 compared to fiscal 2006 was primarily a result of the timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE.
 
Cost of Maintenance Revenues and Gross Margin.  Maintenance gross margin remained essentially constant at 81.4% and 81.8% in fiscal 2007 and 2006, respectively.
 
Cost of Services Revenues and Gross Margin.  Services gross margin increased to 50.3% in fiscal 2007 from 42.3% in fiscal 2006 due to a decreased volume of lower margin services revenues in fiscal 2007, including fewer services for which we used a third-party service provider related to certain government contracts.
 
Operating Expenses
 
Research and Development Expenses.  The increase in research and development expenses in fiscal 2007 of $2.4 million compared to fiscal 2006 was primarily attributable to an increase of $2.8 million in compensation expenses associated with an increase in research and development personnel from 71 to 89 at the respective period ends, and an increase in depreciation of $0.5 million, an increase of $0.3 million for outside service providers and an increase of $0.3 million of compensation-related expenses, including our incurrence of stock-based compensation expense of $0.1 million as a result of our adoption of SFAS 123R in fiscal 2007, offset by the decrease in stock-based compensation of $1.9 million in fiscal 2007 as a result of the repayment of an employee loan in fiscal 2006 and the associated cessation of variable accounting. Research and development expense as a percentage of revenues was 20.8% in fiscal 2007, compared to 30.8% in fiscal 2006. The timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE contributed to 4.8 percentage points of the 10.0 percentage point reduction in research and development expenses as a percentage of revenues.
 
Sales and Marketing Expenses.  The increase in sales and marketing expenses in fiscal 2007 of $12.3 million compared to fiscal 2006 was primarily attributable to an increase of $8.9 million in compensation and related expense associated with an increase in sales and marketing personnel from 74 to 104 at the respective period ends. The increase in compensation and related expense included $0.6 million as a result of our adoption in fiscal 2007 of SFAS 123R. In addition, marketing expenses related to trade shows, public relations and advertising increased by $1.6 million and travel expenses increased by $0.9 million. Sales and marketing expense as a percentage of revenues


50


Table of Contents

was 52.4% in fiscal 2007, compared to 61.7% in fiscal 2006. The reduction in sales and marketing expenses as a percentage of revenues was due to the timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE.
 
General and Administrative Expenses.  The decrease in general and administrative expenses of $3.5 million in fiscal 2007 compared to fiscal 2006 was primarily associated with a decrease in compensation and related expenses of $4.0 million, offset in part by an increase of $0.3 million associated with professional service provider fees. The decrease in compensation and related expenses is primarily a result of the decreased stock-based compensation expense of $5.6 million in fiscal 2007 as a result of the repayment of an employee loan in fiscal 2006, offset by an increase of $1.6 million associated with an increase in personnel from 22 to 32 at the respective period ends. Fiscal 2007 stock-based compensation expense included $0.2 million from our adoption in fiscal 2007 of SFAS 123R. General and administrative expense as a percentage of revenues declined to 13.6% in fiscal 2007, compared to 32.9% in fiscal 2006. The timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE contributed to 4.8 percentage points of the 19.3 percentage point reduction in general and administrative expenses as a percentage of revenues.
 
Other Income (Expense), Net.  The increase in other income (expense), net in fiscal 2007 is primarily a result of higher invested cash balances generated from operations, as our foreign currency related gains and losses remained comparable year over year.
 
Provision for Income Taxes.  The provision for income taxes for fiscal 2006 and 2007 was primarily related to foreign income taxes.
 
Comparison of Fiscal 2006 and Fiscal 2005
 
Revenues
 
Product Revenues.  Product revenues in fiscal 2006 included revenues of $13.9 million from sales to 92 new customers and revenues of $8.9 million from sales to existing customers. New customer revenues in fiscal 2006 remained constant compared to fiscal 2005. Existing customer revenues in fiscal 2006 increased by $0.6 million compared to existing customer revenues in fiscal 2005. Product revenues in fiscal 2005 and 2006 excluded $0.2 million and $6.0 million, respectively, of revenues related to sales transactions consummated in fiscal 2006 and prior years that included undelivered product elements for which we did not have VSOE, resulting in a deferral until future periods. Of the $6.0 million deferral from fiscal 2006, $1.0 million was related to transactions with new customers and $5.0 million was related to transactions with existing customers.
 
Maintenance Revenues.  Maintenance revenues increased $5.5 million in fiscal 2006 as a result of providing support services to a larger installed base as well as the incremental maintenance revenues from increased product sales.
 
Services Revenues.  Services revenues increased by $0.6 million as a result of providing services to a larger installed base.
 
Cost of Revenues and Gross Margin
 
Cost of Product Revenues and Gross Margin.  Product gross margin as a percentage of product revenues decreased to 92.3% in fiscal 2006 from 95.2% in fiscal 2005. The decrease of 2.9 percentage points in product gross margin as a percentage of revenues in fiscal 2006 is primarily a result of the impact from the deferral of $6.0 million of revenues in fiscal 2006 for undelivered product elements for which we did not have VSOE.
 
Cost of Maintenance Revenues and Gross Margin.  Maintenance gross margin decreased to 81.8% in fiscal 2006 from 85.7% in fiscal 2005 as a result of the hiring of additional maintenance personnel to support our growing customer base.
 
Cost of Services Revenues and Gross Margin.  Services gross margin decreased slightly to 42.3% in fiscal 2006 from 43.3% in fiscal 2005.


51


Table of Contents

Operating Expenses
 
Research and Development Expenses.  The increase in research and development expenses in fiscal 2006 compared to fiscal 2005 was primarily attributable to an increase of $4.0 million in compensation and related expenses associated with an increase in research and development personnel from 44 to 71 at the respective period ends. Research and development expense as a percentage of revenues was 30.8% in fiscal 2006, compared to 23.1% in fiscal 2005. The timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE contributed to 3.9 percentage points of the 7.7 percentage point increase in research and development expenses as a percentage of revenues.
 
Sales and Marketing Expenses.  The increase in sales and marketing expenses in fiscal 2006 compared to fiscal 2005 was primarily attributable to an increase of $6.2 million in compensation and related expenses associated with an increase in sales and marketing personnel from 53 to 74 at the respective period ends. In addition, marketing expenses related to trade shows, public relations and advertising increased by $1.0 million and travel expenses increased $1.6 million compared to fiscal 2005. Sales and marketing expense as a percentage of revenues was 61.7% in fiscal 2006, compared to 44.6% in fiscal 2005. The timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE contributed to 8.0% of the 17.1% increase in sales and marketing expenses as a percentage of revenues.
 
General and Administrative Expenses.  The increase in general and administrative expenses in fiscal 2006 compared to fiscal 2005 was primarily a result of an increase of $2.3 million in compensation and related expenses, in connection with the increase in personnel from 14 to 22 at the respective period ends. The $2.3 million includes an increase in stock-based compensation expense of $1.1 million as a result of variable accounting treatment for options exercised with an employee loan and the increase in the value of our common stock in fiscal 2006. In addition, professional service provider fees increased $1.8 million in fiscal 2006. General and administrative expense as a percentage of revenues was 32.9% in fiscal 2006, compared to 26.6% in fiscal 2005. The timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE contributed to 4.1 percentage points of the 6.3 percentage point increase in general and administrative expenses as a percentage of revenues.
 
Other Income (Expense), Net.  The increase in other income (expense), net in fiscal 2006 was primarily a result of higher invested cash balances generated from operations, as our foreign currency related gains and losses remained relatively flat year over year.
 
Provision for Income Taxes.  The provision for income taxes for fiscal 2006 was primarily related to foreign income taxes. The provision for income taxes for fiscal 2005 was a combination of U.S. federal, state and foreign income taxes.


52


Table of Contents

Quarterly Results of Operations
 
The following table sets forth unaudited quarterly consolidated statements of operations data for fiscal 2006 and 2007 and the first and second quarters of fiscal 2008. We derived this information from our unaudited consolidated financial statements, which we prepared on the same basis as our audited consolidated financial statements contained in this prospectus. In our opinion, these unaudited statements include all adjustments, consisting only of normal recurring adjustments, that we consider necessary for a fair statement of that information when read in conjunction with the consolidated financial statements and related notes included elsewhere in this prospectus. The operating results for any quarter should not be considered indicative of results for any future period.
 
                                                                                 
    Three Months Ended  
    July 31,
    Oct. 31,
    Jan. 31
    April 30,
    July 31,
    Oct. 31,
    Jan. 31,
    April 30,
    July 31,
    October 31,
 
    2005     2005     2006     2006     2006     2006     2007     2007     2007     2007  
    (unaudited, in thousands)  
 
Revenues:
                                                                               
Products
  $ 6,577     $ 5,108     $ 4,922     $ 6,252     $ 7,712     $ 8,962     $ 10,209     $ 17,106     $ 12,205     $ 15,670  
Maintenance
    2,289       2,676       3,022       3,486       3,631       4,137       4,611       6,383       5,630       6,617  
Services
    1,061       1,239       1,171       1,632       1,614       1,663       1,914       1,891       2,035       2,341  
                                                                                 
Total revenues
    9,927       9,023       9,115       11,370       12,957       14,762       16,734       25,380       19,870       24,628  
                                                                                 
Cost of revenues:
                                                                               
Products
    439       423       491       416       657       392       625       895       684       1,130  
Maintenance(1)
    443       479       481       682       807       843       851       997       1,246       1,381  
Services(1)
    526       724       775       917       954       930       847       790       1,078       1,362  
                                                                                 
Total cost of revenues
    1,408       1,626       1,747       2,015       2,418       2,165       2,323       2,682       3,008       3,873  
                                                                                 
Gross profit
    8,519       7,397       7,368       9,355       10,539       12,597       14,411       22,698       16,862       20,755  
                                                                                 
Operating expenses(1):
                                                                               
Research and development
    2,776       2,339       4,074       2,965       3,358       3,575       3,636       3,966       4,260       4,847  
Sales and marketing
    5,433       5,533       6,043       7,300       7,735       7,728       9,226       11,898       11,919       12,688  
General and administrative
    3,229       1,302       6,670       1,777       1,757       2,104       2,125       3,467       3,520       3,468  
                                                                                 
Total operating expenses
    11,438       9,174       16,787       12,042       12,850       13,407       14,987       19,331       19,699       21,003  
                                                                                 
Income (loss) from operations
    (2,919 )     (1,777 )     (9,419 )     (2,687 )     (2,311 )     (810 )     (576 )     3,367       (2,837 )     (248 )
                                                                                 
Interest and other income (expense), net
    (83 )     45       88       169       113       71       131       147       19       21  
                                                                                 
Income (loss) before provision for income taxes
    (3,002 )     (1,732 )     (9,331 )     (2,518 )     (2,198 )     (739 )     (445 )     3,514       (2,818 )     (227 )
Provision for income taxes
    41       41       41       40       98       97       97       97       118       139  
                                                                                 
Net income (loss)
  $ (3,043 )   $ (1,773 )   $ (9,372 )   $ (2,558 )   $ (2,296 )   $ (836 )   $ (542 )   $ 3,417     $ (2,936 )   $ (366 )
                                                                                 
 
(1)  Stock-based compensation expense as included in above:
 
                                                                                 
Cost of maintenance revenues
  $ 2     $ 1     $ 1     $ 1     $     $ 1     $ 1     $ 1     $ 8     $ 30  
Cost of services revenues
    2       2       1             2       2       3       7       8       38  
Research and development
    622       28       1,285       15       91       131       136       143       157       490  
Sales and marketing
    108       30       55       17       41       53       111       456       461       680  
General and administrative
    1,891       91       3,905       61       80       92       97       81       81       180  
                                                                                 
Total stock-based compensation expenses
  $ 2,625     $ 152     $ 5,247     $ 94     $ 214     $ 279     $ 348     $ 688     $ 715     $ 1,418  
                                                                                 


53


Table of Contents

The following table sets forth our historical results, for the periods indicated, as a percentage of our revenues.
 
                                                                                 
    Three Months Ended  
    July 31,
    Oct. 31,
    Jan. 31
    April 30,
    July 31,
    Oct. 31,
    Jan. 31,
    April 30,
    July 31,
    Oct. 31,
 
    2005     2005     2006     2006     2006     2006     2007     2007     2007     2007  
    (unaudited)  
 
                                                                                 
Revenues:
                                                                               
Products
    66.3 %     56.6 %     54.0 %     55.0 %     59.5 %     60.7 %     61.0 %     67.4 %     61.4 %     63.6 %
Maintenance
    23.1       29.7       33.2       30.7       28.0       28.0       27.6       25.1       28.3       26.9  
Services
    10.7       13.7       12.8       14.4       12.5       11.3       11.4       7.5       10.3       9.5  
                                                                                 
Total revenues
    100.0       100.0       100.0       100.0       100.0       100.0       100.0       100.0       100.0       100.0  
                                                                                 
Cost of revenues:
                                                                               
Products
    4.4       4.7       5.4       3.7       5.1       2.7       3.7       3.5       3.4       4.6  
Maintenance
    4.5       5.3       5.3       6.0       6.2       5.7       5.1       3.9       6.3       5.6  
Services
    5.3       8.0       8.5       8.1       7.4       6.3       5.1       3.1       5.4       5.5  
                                                                                 
Total cost of revenues
    14.2       18.0       19.2       17.7       18.7       14.7       13.9       10.6       15.1       15.7  
                                                                                 
Gross margin
    85.8       82.0       80.8       82.3       81.3       85.3       86.1       89.4       84.9       84.3  
Operating expenses:
                                                                               
Research and development
    28.0       25.9       44.7       26.1       25.9       24.2       21.7       15.6       21.4       19.7  
Sales and marketing
    54.7       61.3       66.3       64.2       59.7       52.4       55.1       46.9       60.0       51.5  
General and administrative
    32.5       14.4       73.2       15.6       13.6       14.3       12.7       13.7       17.7       14.1  
                                                                                 
Total operating expenses
    115.2       101.7       184.2       105.9       99.2       90.8       89.6       76.2       99.1       85.3  
                                                                                 
Income (loss) from operations
    (29.4 )     (19.7 )     (103.3 )     (23.6 )     (17.8 )     (5.5 )     (3.4 )     13.3       (14.3 )     (1.0 )
 
 
Due to rounding to the nearest tenth of a percent, totals may not equal the sum of the line items in the table above.
 
Revenues
 
Product Revenues.  Product revenues on a quarterly basis are dependent on the number of new customers acquired in the quarter, the number of sales to existing customers and the numerous factors that impact deal size, such as the configuration requirements, implementation plans and budget availability of our customers. As a result of the significant range of deal sizes and the significant impact of the timing of particularly large transactions, the amount of product revenues varies significantly on a quarterly basis. The impact of this variability was magnified in earlier periods when our aggregate product revenues were smaller and a limited number of transactions significantly impacted the amount of product revenues recognized in any quarter. We believe that our quarterly results of operations may vary significantly in the future and that period-to-period comparisons of our operating results may not be meaningful and should not be relied upon as an indication of future performance.
 
Maintenance Revenues.  Maintenance revenues have increased in absolute dollars in each of the quarters presented as a result of maintenance sold to new customers each quarter and the renewal of maintenance by our existing customers.
 
Services Revenues.  Services revenues have generally increased over time as we have sold and delivered installation and training services to our new customers and continued to sell training and consulting services to our existing customers.
 
There was a significant impact to revenues in the three months ended April 30, 2006 and 2007 related to sales transactions that included an undelivered product element for which we did not have VSOE. The impact in the three months ended April 30, 2006 was a net reduction of revenues of $4.5 million and the impact in the three months


54


Table of Contents

ended April 30, 2007 was an increase in revenues of $4.2 million. The net quarterly impact of these types of sales transactions is detailed in the table below:
 
                                                                                 
    Three Months Ended  
    July 31,
    Oct. 31,
    Jan. 31,
    April 30,
    July 31,
    Oct. 31,
    Jan. 31,
    April 30,
    July 31,
    Oct. 31,
 
    2005     2005     2006     2006     2006     2006     2007     2007     2007     2007  
    (unaudited, in millions)  
 
Product revenues
  $     $ (1.2 )   $ (0.5 )   $ (4.3 )   $     $ (0.2 )   $ (1.2 )   $ 3.1     $ 0.8     $ 0.6  
Maintenance revenues
                (0.1 )     (0.2 )     (0.3 )     (0.3 )     (0.3 )     1.0       0.1        
Services revenues
                                        (0.1 )     0.1              
                                                                                 
Total revenues
  $     $ (1.2 )   $ (0.6 )   $ (4.5 )   $ (0.3 )   $ (0.5 )   $ (1.6 )   $ 4.2     $ 0.9     $ 0.6  
                                                                                 
 
Cost of Revenues and Gross Margin
 
Cost of Product Revenues and Gross Margin.  Cost of product revenues is primarily impacted by the mix of software and appliance products as well as the relative ratio of royalty bearing products included in software sales transactions in any given quarter.
 
Cost of Maintenance Revenues and Gross Margin.  Historical maintenance gross margin has remained relatively constant on a quarterly basis.
 
Cost of Services Revenues and Gross Margin.  Services gross margin has fluctuated on a quarterly basis primarily as a result of periodic changes in our use of third party service providers, rather than our own personnel, to provide services on some of our government contracts, resulting in lower margins for these services.
 
Operating Expenses
 
Research and Development Expenses.  Research and development expenses increased in absolute dollars in each of the quarters presented, excluding the impact of variable stock-based compensation expense in the three months ended July 31, 2005 and January 31, 2006. The increase in research and development expenses is primarily a result of increases in compensation expense associated with the increase in research and development personnel in each of the quarters presented.
 
Sales and Marketing Expenses.  Sales and marketing expenses increased in absolute dollars in each of the quarters presented primarily as a result of an increase in the number of sales personnel in each quarter and the associated increase in both compensation and travel expenses.
 
General and Administrative.  General and administrative expenses remained relatively constant in each of the quarters in fiscal 2006, excluding the impact of variable stock-based compensation expense in the three months ended July 31, 2005 and January 31, 2006 and the expenses associated with our previously proposed initial public offering in the three months ended January 31, 2006. General and administrative expenses increased for each sequential three months in fiscal 2007 as we hired additional general and administrative personnel, with significant increases in the three months ended April 30, 2007, July 31, 2007 and October 31, 2007 compared to the same periods in 2006 as a result of the costs associated with the completion of our historic audits.
 
Liquidity and Capital Resources
 
As of October 31, 2007, we had cash and cash equivalents totaling $15.9 million and accounts receivable of $14.0 million. From our inception in May 2000 through October 2002, we funded our operations primarily through convertible preferred stock financings that raised a total of $26.8 million.
 
Historically our principal uses of cash have consisted of payroll and other operating expenses and purchases of property and equipment to support our growth. In fiscal 2007, we used $7.2 million in cash to purchase the assets of Enira Technologies, LLC and pay acquisition costs.


55


Table of Contents

The following table shows our cash flows from operating activities, investing activities and financing activities for the stated periods:
 
                                         
    Fiscal Year Ended April 30,     Six Months Ended October 31,  
    2005     2006     2007     2006     2007  
    (in thousands)     (unaudited)  
 
Net cash provided by operating activities
  $ 5,922     $ 3,848     $ 11,050     $ 3,417     $ 3,819  
Net cash used in investing activities
    (1,238 )     (1,431 )     (10,233 )     (8,160 )     (2,714 )
Net cash provided (used) by financing activities
    832       538       (359 )     24       (2,136 )
 
Operating Activities
 
Although we have reported net losses in each fiscal year since inception, our operating activities have provided positive cash flows in fiscal 2004, 2005, 2006 and 2007, primarily due to the significant non-cash charges associated with stock-based compensation and depreciation and amortization reflected in operating expenses and cash received from collections from customers. Our cash flows from operating activities in any period will continue to be significantly influenced by our results of operations, these non-cash charges and changes in deferred revenues, as well as changes in other components of our working capital.
 
While we may report negative cash flows from operating activities from time to time in particular quarterly periods, we generally expect to continue to generate positive cash flows from operating activities. Future cash from operations will depend on many factors, including:
 
  •  the growth in our sales transactions and associated cash collections or growth in receivables;
 
  •  the level of our sales and marketing activities, including expansion into new territories;
 
  •  the timing and extent of spending to support product development efforts; and
 
  •  the timing of the growth in general and administrative expenses as we further develop our administrative infrastructure to support the business and our becoming a public company.
 
We generated $3.8 million of cash from operating activities during the six months ended October 31, 2007, primarily as a result of a $1.4 million decrease in accounts receivable due to strong collections, a $1.0 million decrease in prepaid expenses, a $1.0 increase in other accrued liabilities, and a $3.7 million increase in deferred revenues, offset by a $1.8 million decrease in our accrued compensation and benefits as a result of our payment of sales commissions and performance bonuses earned during fiscal 2007, and further offset by a $1.5 million decrease in our accounts payable due to the timing of our payment obligations. In addition, we had a net loss of $3.3 million for this period, which included non-cash charges of $2.1 million for stock-based compensation expense and $1.1 million of depreciation and amortization.
 
We generated $11.1 million of cash from operating activities during fiscal 2007, primarily as a result of a $5.0 million increase in deferred revenue, a $3.3 million increase in our accrued compensation and benefits because sales commissions and performance bonuses accrued under our fiscal 2007 bonus plan were not paid until the first quarter of fiscal 2008 as noted above, a $2.2 million increase in accounts payable resulting from the timing of payment obligations and a $1.4 million increase in other accrued liabilities, offset in part by a $3.4 million increase in accounts receivable associated with the growth in our revenues and a $1.0 million increase in prepaid expenses. In addition, we generated cash from operations because our reported net loss of $0.3 million included $1.5 million of non-cash stock based compensation expense and $1.9 million of non-cash depreciation and amortization charges.
 
We generated $3.8 million of cash from operating activities during fiscal 2006, primarily as a result of the $13.2 million increase in deferred revenues, which was primarily a function of the relatively large portion of our sales during the fiscal year that involved multiple element arrangements where one or more of the product elements for which we did not have VSOE remained undelivered. We used cash in operations to the extent that we incurred a net loss of $16.7 million, although this loss included non-cash stock-based compensation expense of $8.1 million related primarily to variable stock-based compensation awards and non-cash depreciation and amortization charges of $0.9 million. In fiscal 2006, we also used cash of $1.6 million because our accounts receivable grew along with our growth in revenue.


56


Table of Contents

Despite our net loss of $2.8 million during fiscal 2005, we generated $5.9 million of cash from operating activities, because (1) this net loss included non-cash stock based compensation expense of $7.2 million related primarily to variable stock-based compensation awards and $0.6 million of non-cash depreciation expense, (2) we increased our deferred revenue by $4.5 million and (3) our accounts payable and accrued liabilities increased $3.6 million due to the accrual of sales commissions and bonuses for fiscal 2005 that were not paid until fiscal 2006 and the timing of other payment obligations. These changes were offset by the growth in accounts receivable of $7.3 million, as our sales grew significantly from fiscal 2004.
 
Investing Activities
 
During the six months ended October 31, 2007, we used $2.7 million in cash for investing activities, all of which related to capital expenditures associated with computer equipment and furniture and fixtures for the expansion of our infrastructure and work force. Net cash used in investing activities was $1.2 million, $1.4 million and $10.2 million in fiscal 2005, 2006 and 2007, respectively. Investing activities in fiscal 2007 consisted of $7.2 million of cash consideration, including acquisition costs, for the purchase of the assets of Enira Technologies, LLC, $2.2 million in purchases of property and equipment and $0.8 million in a restricted cash account used to secure a standby letter of credit. Investing activities for fiscal 2005 and 2006 consisted of purchases of property and equipment to support our growth.
 
Financing Activities
 
During the six months ended October 31, 2007, cash used by financing activities was $2.1 million, comprised primarily of $1.0 million in payments for capitalized software licenses used as a component in our product sales, and $1.9 million in payments related to initial public offering preparation costs, offset by $0.8 million from net proceeds from the exercise of stock options. Net cash provided (used) by financing activities was $0.8 million, $0.5 million and $(0.1) million in fiscal 2005, 2006 and 2007, respectively. In fiscal 2007, the net cash used by financing activities consisted of costs of $0.6 million incurred in conjunction with this offering, offset by proceeds from the exercise of stock options. In fiscal 2006, the net cash provided by financing activities consisted of proceeds from the repayment of certain stockholder notes and proceeds from the exercise of stock options. In fiscal 2005, the net cash provided by financing activities consisted of proceeds from the exercise of Series C preferred stock warrants, the repayment of stockholder notes and the exercise of stock options.
 
Other Factors Affecting Liquidity and Capital Resources
 
We believe that our cash and cash equivalents and any cash flow from operations will be sufficient to meet our anticipated cash needs, including for working capital purposes, capital expenditures and various contractual obligations, for at least the next 12 months. We may, however, require additional cash resources due to changed business conditions or other future developments, including any investments or acquisitions we may decide to pursue. If these sources are insufficient to satisfy our cash requirements, we may seek to sell debt securities or additional equity securities or to obtain a credit facility. The sale of convertible debt securities or additional equity securities could result in additional dilution to our stockholders. The incurrence of indebtedness would result in debt service obligations and could result in operating and financial covenants that would restrict our operations. In addition, there can be no assurance that any additional financing will be available on acceptable terms, if at all. We anticipate that, from time to time, we may evaluate acquisitions of complementary businesses, technologies or assets. However, there are no current understandings, commitments or agreements with respect to any acquisitions.
 
Off-Balance Sheet Arrangements
 
As of October 31, 2007, we had no off-balance sheet arrangements as defined in Item 303(a)(4) of the SEC’s Regulation S-K.


57


Table of Contents

Contractual Obligations and Commitments
 
We lease facilities for our corporate headquarters, subsidiaries and regional sales offices. We lease our principal facility in Cupertino, California under a non-cancelable operating lease agreement that expires in October 2013. We also have leases for our regional sales offices that are for 13 months or less.
 
The following table is a summary of our contractual obligations as of October 31, 2007:
 
                                         
    Payments Due by Period  
          Remainder
                   
 
  Total     FY 2008     FY 2009-2010     FY 2011-2012     Thereafter  
    (in thousands)  
 
Operating lease obligations
  $ 12,164     $ 1,048     $ 3,791     $ 4,056     $ 3,269  
Accrued contractual obligations
    3,455       1,112       2,339       4        
                                         
Total
  $ 15,619     $ 2,160     $ 6,130     $ 4,060     $ 3,269  
                                         
 
Recent Accounting Pronouncements
 
In February 2006, the FASB issued SFAS No. 155, Accounting for Certain Hybrid Financial Instruments, or SFAS 155, which amends the guidance in SFAS No. 133, Accounting for Derivative Instruments and Hedging Activities, and SFAS No. 140, Accounting for Transfers and Servicing of Financial Assets and Extinguishments of Liabilities. SFAS 155 allows financial instruments that have embedded derivatives to be accounted for as a whole (eliminating the need to bifurcate the derivative from its host) if the holder elects to account for the whole instrument on a fair-value basis. SFAS 155 is effective for all financial instruments acquired or issued after the beginning of an entity’s first fiscal year that begins after September 15, 2006. We do not expect the adoption of SFAS 155 to have a material impact on our consolidated results of operations, financial position or cash flows.
 
In September 2006, the FASB issued SFAS No. 157, Fair Value Measurement, or SFAS 157, which defines fair value, establishes a framework for measuring fair value in generally accepted accounting principles, and expands disclosures about fair value measurements. The statement does not require any new fair value measurements. SFAS 157 is effective for all financial statements issued for fiscal years beginning after November 15, 2007. We are currently assessing the impact, if any, the adoption of SFAS 157 will have on our consolidated results of operations, financial position and cash flows.
 
In February 2007, the FASB issued SFAS No. 159, The Fair Value Option for Financial Assets and Financial Liabilities, or SFAS 159, including an amendment of SFAS No. 115, Accounting for Certain Investments in Debt and Equity Securities, which allows an entity to choose to measure certain financial instruments and liabilities at fair value. Subsequent measurements for the financial instruments and liabilities an entity elects to measure at fair value will be recognized in earnings. SFAS 159 also establishes additional disclosure requirements. SFAS 159 is effective for fiscal years beginning after November 15, 2007, with early adoption permitted provided that the entity also adopts SFAS 157. We are currently evaluating the effect, if any, the adoption of SFAS 159 will have on our consolidated results of operations, financial position and cash flows.
 
Quantitative and Qualitative Disclosures about Market Risk
 
Market risk represents the risk of loss that may impact our financial position due to adverse changes in financial market prices and rates. Our market risk exposure is primarily a result of fluctuations in foreign exchange rates and interest rates. We do not hold or issue financial instruments for trading purposes.
 
Foreign Currency Exchange Risk.  To date, substantially all of our international sales have been denominated in U.S. dollars. We utilize foreign currency forward and option contracts to manage our currency exposures as part of our ongoing business operations. We do not currently expect to enter into foreign currency exchange contracts for trading or speculative purposes.
 
Interest Rate Risk.  We had cash and cash equivalents totaling $15.9 million as of October 31, 2007. These amounts were primarily invested in money market funds and held for working capital purposes. We do not enter into investments for trading or speculative purposes. Due to the short-term nature of these investments, we do not believe that we have any material exposure to changes in the fair value of our investment portfolio as a result of changes in interest rates. Declines in interest rates, however, will reduce future interest income.


58


Table of Contents

 
BUSINESS
 
Overview
 
We are a leading provider of security and compliance management solutions that intelligently mitigate business risk for enterprises and government agencies. Much like a “mission control center,” our ESM platform delivers a centralized, real-time view of disparate digital alarms, alerts and status messages, which we refer to as events, across geographically dispersed and heterogeneous business and technology infrastructures. Our software correlates massive numbers of events from thousands of security point solutions, network and computing devices and applications, enabling intelligent identification, prioritization and response to external threats, insider threats and compliance and corporate policy violations. We also provide complementary software that delivers pre-packaged analytics and reports tailored to specific security and compliance initiatives, as well as appliances that streamline threat response, event log archiving and network configuration.
 
We have designed our platform to support the increasingly complex business and technology infrastructure of our customers. Our platform ships with over 240 pre-built software connectors for products from approximately 100 vendors. It also integrates easily with products for which we do not provide pre-built connectors and with proprietary enterprise applications to ensure that event logs from these products are seamlessly integrated into our platform for intelligent correlation and analysis. As of October 31, 2007, we have sold our products to more than 400 customers across a number of industries and government agencies in the United States and internationally, including companies in the Fortune Top 5 of the aerospace and defense, energy and utilities, financial services, food production and services, healthcare, high technology, insurance, media and entertainment, retail and telecommunications industries, and more than 20 major U.S. government agencies.
 
Our Industry
 
Heightened Risks of a Real-Time Business Architecture
 
Enterprises and government agencies increasingly utilize interconnected IT infrastructure to enhance efficiency and achieve business advantage. As more devices, applications and business processes are integrated into these networks, the power, utility and extensibility of the network grows. Organizations have used these improvements to transform their IT infrastructures into platforms to conduct transactions with customers, suppliers, employees and other partners in real-time. While the adoption of and reliance on this new interconnected IT infrastructure has significantly enhanced productivity and lowered the cost of doing business, it also has exposed organizations to heightened risk. These risks include:
 
  •  External Threats.  Historically, threats from external sources have originated from “hobbyist” hackers who introduce malicious code into the IT infrastructure or deface or disable a corporation’s Web presence. More recently, hackers have increasingly participated in highly sophisticated, well organized and financially motivated crime rings, launching attacks aimed at identity theft, credit card fraud, extortion and industrial espionage. In addition, terrorists and some nation-states engage in espionage or cyberwarfare by targeting key elements of a nation’s infrastructures, such as financial exchanges, power grids and pipeline and transportation networks. In recent years, the sophistication and speed of these attacks have increased. Today, attacks can propagate worldwide in minutes, severely impacting service levels for critical infrastructure applications and business processes, such as voice and electronic communications, enterprise resource planning and financial transactions, and can disrupt entire corporate and civil infrastructures.
 
  •  Insider Threats.  In recent years, the open and distributed nature of corporate and government networks, as well as the rising level of IT sophistication of the average user, have increased the risk of malfeasance or negligence on the part of trusted individuals “within” the network, such as employees, partners or contractors. Malicious insider threats include, for example, misuse by an IT professional of administrative access to attack the corporate network and unauthorized copying of proprietary information by an employee to an external memory device for use by a third party. Organizations also are threatened by employee negligence, such as unauthorized employee downloading of potentially vulnerable or harmful applications. Insider threats account for an increasingly large portion of security attacks, especially in large enterprises. In 2007, a study by the TheInfoPro, an industry publication, revealed that 59% of organizations have


59


Table of Contents

  experienced security losses attributed to insiders, with nearly one in five attributing more than 75% of their security incidents to insiders.
 
  •  Regulatory Non-Compliance and Corporate Policy Violations.   Several new laws and regulatory initiatives mandate that enterprises design, implement, document and demonstrate controls and processes to maintain the integrity and confidentiality of information transmitted and stored on their IT systems. Many of these compliance mandates require enterprises to archive and retrieve data from the significant volume of event logs being generated by IT devices, in some cases for as long as seven years. Examples of these mandates include the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Basel II framework for the banking industry, the Payment Card Industry (PCI) Data Security Standard, the Federal Information Security Management Act (FISMA) and the new Federal Rules of Civil Procedure. According to a January 2007 study of Fortune 1000 companies by TheInfoPro, compliance was listed as the top IT security-related “pain point.” In addition to compliance with regulations, enterprises and government agencies require their employees to comply with numerous organizational policies, such as confidentiality guidelines, acceptable use policies and intellectual property protection.
 
The repercussions for enterprises and government agencies from external threats, insider threats and compliance violations continue to increase in severity, causing such adverse effects as prolonged network outages, adverse publicity and damage to organizational reputation and brand, loss of confidential information such as credit card and social security numbers and various legal ramifications. Given the potential severity of such repercussions, these issues increasingly have become an area of focus among the senior-most decision makers, auditors, regulators and even at the board of directors level, and are no longer confined to network administrators and IT security professionals.
 
Challenges Facing Organizations Seeking to Effectively Mitigate These Risks
 
As the following graphic illustrates, a large organization typically employs thousands of devices and applications in its business and technology infrastructure, including:
 
  •  security appliances, such as firewalls, virtual private networks, or VPNs, and intrusion detection and prevention systems, or IDPs;
 
  •  end-user devices, such as personal computers, or PCs, mobile phones and personal digital assistants, or PDAs;
 
  •  network equipment, such as routers, switches and media gateways;
 
  •  storage systems, such as storage area networks, or SANs, and network attached storage, or NAS;
 
  •  computing infrastructure, such as servers and mainframes;
 
  •  other IP-enabled devices that are increasingly supplanting the functionality of traditional offline corporate functions, such as IP-video cameras, badge readers and phone systems;
 
  •  applications and their associated databases, including enterprise resource planning, or ERP, and customer relationship management, or CRM, systems and custom applications; and
 
  •  other systems related to business processes that are performed in real-time by customers, employees and partners such as point-of-sale and inventory control systems, trading exchange platforms, supply-chain management, electronic banking, human resource management and customer record-keeping platforms.
 


60


Table of Contents

(FLOW CHART)
 
The heterogeneous applications and devices in the business and technology infrastructure generate massive amounts of disaggregated event data, challenging organizations to collect this information, identify threats among the “white noise” of normal activity and respond efficiently and effectively to identified threats.
 
Traditional Management Solutions Are Either Limited in Scope or Not Equipped to Handle Event Data in Volume
 
Each of the devices and applications in an organization’s architecture, which we refer to as event sources, generates a log, which is a digital record of all events associated with that device or application. For example, an event is recorded when an e-mail server sends or receives a single e-mail, a database server provides a customer record or an employee swipes his identification badge when entering the corporate headquarters. A single device or application can generate thousands of events in a single day and, in aggregate, the thousands of event sources attached to a global, distributed enterprise can generate millions of events daily.
 
Organizations typically use separate vendor-specific management consoles to collect, monitor and manage the information and events being generated by devices and applications from that vendor. This approach creates multiple, separate and narrow views of the event activity occurring across their business and technology infrastructures. Organizations also attempt to gain a broader, more integrated view of IT activity by using systems management framework tools. However, these tools provide only a basic understanding of the operating parameters of the devices, such as current CPU capacity or available throughput. In addition, these systems management tools are not designed to collect and analyze large volumes of streaming event data.
 
Organizations Are Unable to Distinguish Threats from “White Noise” and Prioritize Them in Real-Time
 
Most of the thousands of streaming events that occur every second in any organization are normal and non-threatening activity. However, there are pieces of valuable information within the event stream related to unusual activity or patterns of behavior that may identify an impending security, compliance or business threat. As a result of

61


Table of Contents

the large volume and siloed view of events, organizations generally have difficulty identifying events that are threatening in nature because they are unable to:
 
  •  distinguish threats from the “white noise” of normal events in the event stream;
 
  •  understand the context in which the events arise, including relationships between events; and
 
  •  appropriately prioritize responses in real-time.
 
Some basic examples of this challenge include:
 
  •  An employee is logged onto the corporate network remotely through a VPN connection, while a physical badge reader simultaneously detects that the employee has entered corporate headquarters. Individually, both of these activities appear normal in nature as they are occurring, although when seen in context identify a potential threat.
 
  •  A threat has targeted two servers, both of which are physically identical and running the same operating system, although one server is a print server and the other is running a critical transaction processing application for customers. Given the similar characteristics, a security analyst, without additional information, must arbitrarily choose to start remediation of the threat on one of the servers. Choosing to begin with the lower priority server could result in significant damage to the enterprise by allowing the critical server to be compromised.
 
  •  An IDP identifies a known threat and generates an alarm that requires investigation by a security analyst. Upon investigation, the analyst learns that the threat was targeting a system that was not vulnerable to that particular threat and therefore wasted effort on a false alarm.
 
The inability of an organization to understand the link between related events and the context in which they arise, including the business value, compliance status and vulnerability status of the targeted assets, makes it very difficult to identify and prioritize those events that represent a security, compliance or business risk.
 
Response Processes Are Slow and Labor-Intensive
 
Effectively responding to identified threats and non-compliance with regulations and organizational policy is challenging because response usually requires coordination among IT security teams, network operations teams, application engineering teams and others. This coordination often triggers a labor intensive workflow, including submitting requests into the trouble ticketing system, identifying all necessary individuals, orchestration of meetings to facilitate discussion of a remediation strategy and documenting the changes that are made. Furthermore, given the increasing complexity of the IT environment, organizations are often slow to shut down or modify the configuration of any device or application, for fear that the remedial action may trigger further vulnerabilities or cause other parts of the IT infrastructure to fail.
 
Organizations Require a Highly Scalable and Intelligent Technology Platform with Real-Time Event Correlation to Effectively Mitigate Business Risk
 
To address these challenges, enterprises and government agencies require a technology platform that can collect, correlate, respond to and archive all of the events across an organization’s business and technology infrastructure in order to provide real-time management of the organization’s vulnerability to external threats, insider threats and compliance and corporate policy violations. This technology platform must:
 
  •  collect event data from devices and applications manufactured by many different vendors as well as proprietary solutions;
 
  •  process and archive streaming data from a globally dispersed network of thousands of event sources as soon as they are captured, or in “real-time”;
 
  •  correlate this event data in order to identify and prioritize threats across the organization;
 
  •  provide a centralized easy-to-understand view of these threats;


62


Table of Contents

 
  •  enable an automated response workflow that conforms to an organization’s policies;
 
  •  store event data for compliance purposes and forensic analysis; and
 
  •  facilitate network configuration changes to isolate threats and prevent recurrence.
 
The market for security and compliance management solutions today includes security information and event management, forensics and incident investigation, policy and compliance management, and network change and configuration management. According to a report by International Data Corporation, or IDC, the security information and event management, forensics and incident investigation, and policy and compliance management markets are projected to grow, in aggregate, from $993.6 million in 2007 to $2.2 billion in 2011, representing a compound annual growth rate of 22.1%. In separate reports, IDC projects that the network change and configuration management market will grow from $157.1 million in 2007 to $372.6 million in 2011, representing a compound annual growth rate of 24.1%, and the compliance infrastructure software market, in which we also compete, will grow from $6.2 billion in 2007 to $10.6 billion in 2010, representing a compound annual growth rate of 19.5%.
 
Our Solutions
 
We are a leading provider of security and compliance management software solutions that intelligently mitigate business risk for enterprises and government agencies. Much like a “mission control center,” our ESM platform delivers a centralized, real-time view of events across geographically dispersed and heterogeneous business and technology infrastructures. Our ESM platform collects streaming data from event sources, translates the streaming data into a common format, and then processes the data with our correlation engine in which complex algorithms determine if events taking place conform to normal patterns of behavior, established security policies and compliance regulations. Our platform identifies and prioritizes high-risk activity and presents a consolidated view of threats to the business and technology infrastructure in rich, graphical displays. Once threats are identified, our recently introduced TRM and NCM appliance products help our customers easily re-configure network devices to remediate threats and prevent recurrence. In addition, through our new Logger appliance we enable efficient and scalable storage, preservation and management of terabytes of enterprise log data for compliance requirements or forensic analysis. Our customers enhance the value of other security products in their business and technology infrastructure by integrating them with our platform.
 
Key benefits of our solutions include:
 
Enterprise-Class Technology and Architecture.  We design our solutions to serve the needs of even the largest organizations, which typically have highly complex, geographically dispersed and heterogeneous business and technology infrastructures. We deliver enterprise-class solutions by providing:
 
  •  Interoperability.  We provide off-the-shelf software connectors for over 240 products, including security devices, end-user devices, networking equipment, computing infrastructure, other IP-enabled devices, and enterprise applications and databases, from approximately 100 vendors, allowing our customers to rapidly deploy our platform in their existing business and technology infrastructures.
 
  •  Flexibility.  In addition to providing off-the-shelf connectors, our ESM platform is designed to enable customers to rapidly build interfaces to new products, proprietary applications and legacy systems.
 
  •  Scalability.  Our ESM platform enables customers to collect and correlate millions of events per day from a large number of heterogeneous devices and applications in real-time. Once customers have installed our ESM platform, our product architecture enables customers to incorporate additional departments, branch offices or geographies, as well as additional categories of devices and applications, while maintaining the overall performance of the platform.
 
  •  Archiving.  Our solution provides organizations with cost-effective long-term storage of and an ability to search across event log data by centralizing event log archiving onto a dedicated hardware appliance. This also helps customers store event data to satisfy regulatory recordkeeping requirements.


63


Table of Contents

 
Intelligent Correlation.  Our correlation engine intelligently distills millions of events occurring daily into information that allows customers to identify, prioritize and respond to specific threats or compliance violations. Our correlation engine accomplishes this by:
 
  •  analyzing common data elements, such as time of occurrence, type of behavior, source, destination and geographic location, contained within multiple events to establish relationships or identify events that, alone or in combination, signify a threat across the infrastructure independent of the device type or device vendor that generated the event;
 
  •  differentiating event sources by their relative level of importance to business or compliance function, enabling the correlation engine to prioritize event sources such as Web or transaction processing applications over print servers, for example;
 
  •  factoring in known security vulnerabilities of targeted assets, such as systems that have not been patched for the relevant threat;
 
  •  establishing a record of user roles and identity, enabling our engine to differentiate, for example, between an intended user, such as a human resources professional, who is accessing a sensitive employee database and a user whose access is more questionable, such as a consultant; and
 
  •  storing and comparing event data over time to capture not only rapidly executing threats but also low-profile, slowly emerging attacks that may unfold over days, weeks or even months.
 
Our correlation engine includes over 100 standard rules that address common security and compliance issues and business risks and enables customers to write customized rules that apply their specific security and compliance policies. Our complementary pattern discovery technology allows users to automatically generate new rules to address patterns of activity specific to their technology infrastructure.
 
Streamlined Response and Seamless Workflow.  Our products simplify the management of the broad range of notifications and actions that must take place to remediate a threat and prevent recurrence across the technology infrastructure, thus narrowing the period of vulnerability. Once our correlation engine has prioritized a security, compliance or business risk and pinpointed the business assets that are exposed, our response technology recommends a precise set of remediation steps, based on the customer’s specific topology and consistent with the customer’s policy directives, designed to minimize the impact on related devices or applications. Based on this knowledge, our products can either automatically implement the recommended network configuration changes or follow pre-determined workflow by generating an incident response ticket that enables our customers to manage the remediation process.
 
Reporting and Visualization.  We present threat information through a rich and intuitive graphical user interface. Our user interface enables customers to perform a variety of tasks to gain insight into threats across their infrastructure, such as monitoring and analyzing overall threats in real-time, drilling down to investigate a single incident, responding to incidents or creating a new policy setting. Our ESM platform contains approximately 350 standard report templates that address common security, compliance and business risk reporting requirements. Our software also allows customers to design their own reports. With our user interface, customers can view risk across their organization in a variety of ways, address internal and external compliance requirements and communicate the value and effectiveness of the organization’s security operations.
 
Our Strategy
 
Our objective is to be the leading provider of security and compliance management software solutions that intelligently mitigate business risk for enterprises and government agencies. The key elements of our strategy to achieve this objective include:
 
Grow Our Customer Base.  We have sold our products to over 400 customers and plan to increase our customer base in the future by:
 
  •  Expanding Our Geographic Coverage.  While we generate most of our revenues from customers based in the United States, and we continue to experience significant domestic growth, a growing portion of our


64


Table of Contents

  revenues are from customers based in Europe, the Middle East, the Asia-Pacific region and elsewhere. We intend to increase our presence globally by expanding our direct sales force and building additional relationships with local and regional value added resellers and distribution partners in these markets.
 
  •  Further Penetrating the Mid-Market.  While our sales to date have primarily been to Global 2000 companies and government agencies, we are increasingly experiencing demand from mid-market customers, predominantly driven by their regulatory compliance needs. We are investing in research and development, sales, marketing, training and other resources to develop products and extend our network of channel partners to market our solutions, particularly our appliance-based products, to this target market.
 
Deepen Our Penetration of Existing Customers.  We intend to further penetrate our customer base by encouraging and facilitating expanded deployments of our products and introducing new solutions. The more broadly enterprises deploy our platform to manage their security, compliance and business risk, the more our platform becomes an integral component of their infrastructure. We expect our TRM, Logger and NCM appliances to generate opportunities for additional sales to our installed base as customers build on their existing implementation. We are investing in in-house sales professionals and strategic account managers to focus on selling more products into our existing installed base. We are also growing our dedicated Customer Success team to help customers realize more value from and potentially expand their implementations of our products.
 
Extend Our Partner Network.  We work with a wide range of technology partners, including CA, Cisco Systems, IBM, Juniper Networks, McAfee, Oracle, SAP and Symantec, and other vendors, such as Check Point Software Technologies, Trend Micro and Websense. We plan to continue to work with these and other technology vendors to provide for compatibility between our platform and their latest products. To facilitate the independent development of connectors by our partners and customers, we publish an open event format standard called Common Event Format, or CEF. As the adoption of CEF increases, the value of this standard increases and drives additional sales opportunities by expanding our event feeds and the range of risks that our platform can address.
 
Extend Our Expertise in Security Best Practices.  We maintain significant in-house expertise in security best practices and intend to leverage and expand our expertise into other areas of risk. We plan to continue to help our customers realize faster time to risk reduction by providing additional pre-packaged software solutions that are tailored to address specific security and regulatory concerns, as with our existing IT governance, Sarbanes-Oxley and Payment Card Industry (PCI) compliance, and Insider Threat packages. For example, we plan to develop packages that address the Basel II Framework and the Gramm-Leach-Bliley Act.
 
Extend Our Value Proposition to Additional Event Sources and Business Use Cases Beyond Traditional IT Security. We intend to create new sales opportunities by developing solutions that address high-value additional use cases for our platform. In addition to using our software to mitigate risk from external or insider threats and to satisfy compliance requirements, we believe that enterprises are increasingly finding value in leveraging our highly scalable, real-time event correlation platform for applications beyond security to mitigate additional risks associated with their specific business practices. Two examples of potential uses of our ESM platform beyond traditional IT security include:
 
  •  a financial services company using our products to monitor online stock transactions to detect likely cases of fraud and abuse; and
 
  •  an energy company using our products to monitor and prevent attacks on their pipeline control systems by correlating information from conventional network threat detection systems and process control logs, such as event data from supervisory control and data acquisition (SCADA) systems.
 
We believe that other organizations face similar business risks that threaten the efficiency or effectiveness of their business or the integrity of the product or service that they provide to their customers. As more enterprises use our platform to mitigate these risks in addition to addressing traditional network security risks and compliance issues, our products will become an even more strategic part of our customers’ technology infrastructure.


65


Table of Contents

Products
 
(FLOW CHART)
 
ArcSight ESM.  ArcSight ESM, our flagship product, is designed specifically to address the security, compliance and business risk concerns of large, geographically-distributed organizations with complex, heterogeneous IT environments. ArcSight ESM serves as the “mission control center” for managing risks across an organization’s entire business and technology infrastructure. The key elements within ArcSight ESM include:
 
  •  ArcSight Connectors.  Connectors are software that collect event data streams from sources across an organization’s business and technology infrastructure. We recently also made our connector software products available as an appliance. These connectors implement extensive normalization capabilities to restructure event data into a common taxonomy so events from hundreds of different sources can be compared meaningfully and queried systematically irrespective of which device is reporting the information. The normalized event data stream is then intelligently aggregated and compressed to eliminate irrelevant and duplicate messages and reduce bandwidth and storage consumption. Our SmartConnectors receive and translate event data streams from over 240 different devices and applications from approximately 100 vendors and in more than 30 different solution categories. Further, using our FlexConnector toolkit, our customers can create custom connectors tailored to their environment, such as for new products, proprietary applications and mainframe and other legacy systems. Our connectors can be deployed on intermediate collection points, such as third-party management consoles, where available, avoiding the requirement to provision our connectors directly onto end devices.
 
  •  ArcSight Manager.  ArcSight Manager is server-based software that manages event aggregation and storage, controls the various elements of our platform and provides the engine for high-speed real-time correlation and incident response workflow. ArcSight Manager comes with over 100 standard rules that address common security and compliance issues and business risks. It also provides an intuitive system that enables customers to write customized rules that apply an organization’s security and compliance policies into the real-time analytics of the correlation engine as well as seamless integration with rules generated by our Pattern Discovery product. ArcSight Manager enables real-time collaboration and case management among security analysts, to track risk-prioritized response and remediation. In addition, it provides case resolution metrics to demonstrate security and compliance process and control effectiveness. Our case management system also can integrate with third-party trouble ticketing systems, such as BMC Software. Our architecture was designed to allow customers to scale from a single centralized deployment to a distributed, global deployment by deploying additional Managers that work in concert.


66


Table of Contents

 
  •  ArcSight Console and ArcSight Web.  ArcSight Console is the primary user interface to interact with and control the ArcSight ESM platform. Through its intuitive interface, the Console provides administrators, analysts and operators with graphical data summaries and an intuitive interface to perform tasks ranging from real-time monitoring and analysis to incident investigation and response to system administration and authoring of new content. The Console is highly configurable to reflect individual customer environments and can display threat and risk information in a wide variety of formats including by geography, by division or line of business, by type of threat, and by compliance or policy initiative. With ArcSight Console, customers can run a wide variety of reports to answer internal and external compliance audits and communicate the value and effectiveness of the organization’s security operations. We also provide an authoring system that customers can use to create new reports to meet their specific business needs. Our ESM platform contains approximately 350 standard report templates that immediately address common security, compliance and business risk reporting requirements. To facilitate remote access for IT administrators as well as provide a portal for line-of-business viewing of status summaries and scheduled reports, our ArcSight Web product provides browser-based access to all Console functions and content, except administration and authoring.
 
ArcSight Compliance Insight and Insider Threat Packages.  We offer pre-packaged software solutions that enable our ESM platform and our Logger product to provide technical-and business-level checks on corporate compliance with regulatory and policy requirements for perimeter security, protection of key business processes, threat management and incident response. These packages, which are tailored to address specific regulatory or policy concerns, comprise relevant rules and reports to accelerate implementation by our customers and can be customized or extended by the customer:
 
     
Package
 
Application
 
ArcSight Compliance Insight Package for IT Governance   Monitoring, assessing and reporting of compliance with the updated ISO-17799:2005 and the NIST 800-53 standards. Available for ArcSight ESM.
     
ArcSight Compliance Insight Package for Sarbanes-Oxley   Monitoring, assessing and reporting applicable to IT-related internal controls for financial reporting. Available for ArcSight ESM and ArcSight Logger.
     
ArcSight Compliance Insight Package for PCI   Monitoring, assessing and reporting IT-related risks in accordance with the 12 requirements of the PCI standard. Available for ArcSight ESM.
     
ArcSight Insider Threat Package   Monitoring, assessing and reporting suspicious activities common to insider threats, such as inappropriate access or transmission of sensitive data, or the internal use or presence of hacking tools. Available for ArcSight ESM.
 
ArcSight Discovery Modules.  Our ArcSight Discovery modules, which provide additional advanced analytics and visualization on our ESM platform, include:
 
  •  Our ArcSight Pattern Discovery software is a powerful complement to our correlation engine. It is an advanced pattern identification engine that retrospectively examines large amounts of security events previously collected and processed by ArcSight ESM to discover patterns of activity that may be characteristic of threats, such as emerging worms, new worm variants, self-concealing malware, and low profile, slowly developing attacks. Pattern Discovery proactively alerts the security operations analyst about existing or emerging patterns that are not comprehended by any rules in our correlation engine, and provides the customer the option to classify the patterns and also to optionally or automatically generate new rules for our ESM platform that will detect and respond to similar threatening patterns in the future.


67


Table of Contents

 
  •  Our ArcSight Interactive Discovery visualization software helps IT security professionals pan, zoom and switch perspectives across complex technical data to perform in-depth analysis of security data as well as featuring visuals and drill-down capabilities that enable non-technical employees to see relevant threat information in a non-technical format.
 
In addition to our software products, we have a suite of appliances that enable automated network response, event log archiving, and configuration capabilities.
 
ArcSight TRM (Threat Response Manager).  ArcSight TRM enables customers to quickly and precisely reconfigure network control devices to remediate security, compliance and business risks, consistent with an organization’s policy directives. TRM profiles a network’s topology through communication with devices without the need to install a software agent on the device. Through advanced algorithms, it can identify the exact location of any node (wireless, wired or VPN) on the network, analyze, recommend and, at the customer’s option, execute specific, policy-based actions in response to a threat, attack or other out-of-policy situation. TRM can block, quarantine or filter undesirable users and systems at the individual port level. The user account control feature in ArcSight TRM defines task groups, allowing control and restricted access rights in accordance to individual job tasks and descriptions. ArcSight TRM integrates seamlessly with ArcSight ESM to accelerate incident response by facilitating the coordination between the security and networking groups, thus improving the effectiveness of the response and acute remediation function.
 
ArcSight Logger.  ArcSight Logger enables organizations to collect and store event data in support of security and compliance requirements. Logger provides customers with an easily searchable log data repository that can be leveraged across networking, security and IT operations teams. Access controls and intelligent search technology enable customers to interact with historical raw event data for insight into specific events. ArcSight Logger provides approximately 10:1 compression capability of event data. Multiple ArcSight Loggers can be deployed to linearly scale both storage and performance. Logger can flexibly and selectively forward security events to ESM for real-time, cross-device correlation, visualization and threat detection. In turn, ESM can send correlated alerts back to Logger for archival and subsequent retrieval. As with our ESM platform, Logger is also the basis for its own add-on Compliance Insight Packages, such as our Logger Compliance Insight Package for Sarbanes-Oxley.
 
ArcSight NCM (Network Configuration Manager).  ArcSight NCM automates the definition, implementation and audit of network topology. NCM provides a wizard-based interface to define the desired configuration, reconfigure out-of-policy devices, and maintain protected records of all prior configurations for purposes of rollback, audit and compliance reporting. NCM presents network topology in a visual format, allowing organizations to identify mis-configurations, redundant links and multiple wide area network (WAN) access routes. NCM dynamically compares existing device configuration and highlights discrepancies from desired configuration policies that generally map to regulatory requirements, operational guidelines and business rules.
 
Maintenance and Professional Services
 
We offer a range of services after a sale occurs, principally installation and implementation, project planning, advice on business use cases and training services that complement our product offerings. Initial implementation of our ESM platform typically is accomplished within two to four weeks. On an ongoing basis, we offer consulting services and training related to application of our ESM platform and associated complementary products to address additional or customer-specific security and compliance issues and business risks. Following deployment, our technical support organization provides ongoing maintenance for our products. We provide standard and, for customers that require 24-hour coverage seven days a week, premium tiers of maintenance and support, which cover telephone- and web-based technical support and updates to our software during the period of coverage. Our three major support centers are located in Hong Kong, London and Cupertino, California. In addition, we sell an enhanced maintenance service that provides regular security content updates for our software. These content updates reflect emerging threats and risks in the form of signature categorization, vulnerability mapping and knowledge base articles on an ongoing basis.


68


Table of Contents

Case Studies
 
Examples of deployments of our flagship ESM platform include:
 
  •  Traditional External Threat.  A Fortune 100 financial services firm noticed that its efforts to remedy worm infestations were taking weeks and consuming excessive time and resources. As worms evolved faster than defense mechanisms like anti-virus solutions, firewalls and intrusion detection systems, their ability to penetrate the company’s infrastructure and propagate rapidly was increasing. The customer turned to our ESM platform to utilize the event data coming from a diverse set of existing security devices to provide an early warning system that identified the location and propagation mechanism of worm-like behavior. The customer now employs ArcSight ESM to coordinate and enhance its virus detection solutions and over time has reduced the time between worm detection and eradication from days to hours while reducing the number of affected systems by a similar margin.
 
  •  Emerging External Threat.  A major international telecommunications operator was concerned that mobile malware was propagating rapidly through its wireless networks, potentially impacting quality of service by reducing bandwidth and disrupting handset operation. The customer utilized our ESM platform to collect and monitor event data on its 3G systems to identify malware behavior profiles and gain a clear understanding of the impact of malware on its network. By implementing our software, the company was able to assess the risk from mobile malware and its potential impact on service level agreement non-compliance and protect against damage to its networks.
 
  •  Insider Threat.  A large aerospace company operates under a number of government regulations concerning use of its network, actions of partners and protection of sensitive information. The organization turned to us to significantly enhance monitoring of user privilege access control and data flow. The customer used our ESM platform to implement custom rules to identify intellectual property leak risks such as alerting the customer whenever a sensitive file was accessed and then subsequently sent to an external location. Our solution allowed the customer to assign priority levels to various files across its infrastructure, in order to facilitate a response and remediation workflow that matches the urgency of the threat. After implementing our software, the customer was able to increase its ability to monitor intellectual property leakage incidents and non-U.S. access to its network.
 
  •  Compliance.  To comply with Section 404 of the Sarbanes-Oxley compliance framework, enterprises must monitor access and configuration changes to critical financial reporting and accounting systems, including ERP systems, databases and the associated operating systems. A customer did not have centralized log review to support these tasks, and lacked necessary detective controls. The customer deployed our ESM platform to help manage its compliance efforts by collecting event data from these systems and correlating them in real-time against predefined corporate policies. Our software provided the customer with an efficient platform for Sarbanes-Oxley compliance while improving efficiency and satisfying both internal and external auditors with a demonstrable, repeatable process.
 
  •  Application Beyond Traditional Security.  A leading online broker was experiencing significant increases in fraud and account misuse resulting in customer dissatisfaction and intensified regulatory scrutiny. New forms of identity theft continued to outpace the customer’s ability to catch fraud at the point of user authentication, which meant that it needed a mechanism to detect fraudulent behavior after user sign-on. The customer now uses our ESM platform to monitor and analyze transactions as they occur as part of its overall fraud management system. As a result, the customer’s fraud oversight group is now seeing a real-time view of abnormal activity.
 
Product Development and Technology
 
We have developed and continue to enhance technologies that underlie three core features incorporated into one or more of our products.


69


Table of Contents

Multi-Vector Correlation
 
The strengths of our correlation engine are its contextual analysis, mathematical correlation, identity correlation and timestamp and time window analysis techniques.
 
  •  Contextual Analysis.  A core strength of our correlation engine is its ability to separate “white noise” from actionable events. Our correlation engine evaluates, among other considerations, whether the targeted device or application actually exists in the infrastructure, known vulnerabilities of the targeted device or application, the business value of the targeted device or application, whether the potential attack is from a known malicious device and prior history of the source or target.
 
  •  Mathematical Correlation.  Our platform implements classical mathematical correlation models in the context of security events. This allows arbitrary security attributes to be tracked to determine whether they are positively or negatively covariant or independent and allows moving average analyses to be used to flag behavior that has anomalous deviations from a cyclical norm. Moving average analysis compares events to a baseline that automatically adjusts for normal deviations in patterns of activity, eliminating the problem of comparing data for anomalies against an incorrect or fixed baseline.
 
  •  Identity Correlation.  Our correlation engine, using our session list management capabilities, automates identity-related investigations that would normally require exhaustive manual labor to perform. Logged events generally report only low level identifying information, such as a source IP address and a target IP address. In a typical network environment, addresses are constantly reassigned as sessions are initiated and terminated, which makes it difficult, if not impossible, to know which user was using a specific IP address over time. Our correlation engine solves this problem by collecting records from the systems that are performing the dynamic assignments of these addresses, such as dynamic host configuration protocol (DHCP) server logs or VPN logs, and then using that information to analyze the logs from other reporting systems, such as firewalls. This allows our correlation engine to attribute actions originating from a specific device to its owner. For example, our session list manager can track which users accessed a given network node at a given time or over time by tracing events that originated from each relevant device to the user who was logged in at that time, and can list all users logged onto a particular system or accessing a particular asset at the time of an attack.
 
  •  Timestamp and Time Window Analysis.  Event sources typically have wide variations in clock settings, and distributed and complex networking environments can introduce lags in the transmission of event data prior to its receipt by our correlation engine. In order to overcome the varying amounts of delay or latency in the release or receipt of data from event sources, and the clock drift or inaccuracy in the timestamps reported, our software captures multiple timestamps for every received event and normalizes them to a standard time zone, while also retaining the original timestamp. It then applies proprietary time discrepancy detection techniques, and performs both manual and automatic clock drift corrections, as necessary, to align the events for more accurate correlation. Our correlation engine is designed to accurately match time-bounded sequences of events that occur across sliding time windows, such as a specified number of failed logins within a specified period.
 
Scalable Architecture
 
We designed the architecture of our ESM platform so that it can scale and adjust to the ongoing needs of an organization.
 
  •  Cross-Platform.  Our products operate on multiple operating system platforms, including multiple versions of the Linux, UNIX, Windows, Solaris and AIX operating systems.
 
  •  Modular Connector Design.  We have used a modular framework in the design of our connectors, separating the information that describes the unique features of each data source from the components that provide functionality that can be shared across multiple connectors, such as encryption or compression capabilities. This allows for efficient development of new connectors or modification of existing connectors, since any new functionality added to new or existing connectors can be concurrently propagated to all connectors.


70


Table of Contents

 
  •  Multi-Manager Scaling.  We designed our ESM architecture to allow multiple instances of ArcSight Manager to be deployed on servers centrally located or distributed across an enterprise where the geographic distribution of infrastructure assets or the number of event sources and resulting volume of event data warrants in order to achieve the desired level of performance. These can then communicate with each other in either a peer-to-peer or hierarchical configuration to perform correlation, for instance allowing geographically dispersed ArcSight Managers to act as concentrators and forward information to one or more central ArcSight Managers. Consistent with this architectural approach, our connectors can communicate with multiple ArcSight Managers simultaneously, locally cache events if an ArcSight Manager is not available, and switch primary ArcSight Managers in the event of a failure. Further, decentralizing the work of translation, categorization and normalization to our connectors allows our architecture to be more scalable, since ArcSight Manager is shielded from the incremental data preparation work as the number of event sources increases.
 
  •  In-Memory Correlation and Flexible Storage.  We built an architecture that takes incoming event data as it arrives and performs real-time correlation directly in system memory, while simultaneously sending both the original event stream and the correlated output to persistent storage for archiving purposes. This allows us to correlate, display and store thousands of incoming events per second, while also retaining huge volumes of event data, and allowing quick availability to support forensic investigation. Our ESM platform also has been designed to allow a user to input a start time and end time to select events from an archive, such as ArcSight Logger, and then re-stream the selected events back through our correlation engine, applying any subsequently introduced correlation rules, and display the resulting analysis as if the events were occurring in real-time. Our Logger product employs a storage management system designed to improve disk utilization for long term storage and the speed of data retrieval for pattern analysis or investigative purposes by eliminating the disk fragmentation that typically accompanies the storage and archiving of large volumes of data on standard disk drives. Through the use of proprietary technology, disk space that is made available by data that has been deleted or archived is automatically reused without the need to execute disk “cleanup” or other administrative tools.
 
Vendor Agnostic
 
We have developed proprietary technologies that are designed to enable deployment of our products in business and technology infrastructures with a wide range of event sources.
 
  •  Translation, Categorization and Normalization.  Our connectors, which are used by both our ESM and Logger products, analyze dozens of fields or attributes in the event data and translate this data into a common taxonomy. In addition, we use this data to create six additional fields with our categorized threat taxonomy information, including the type of object being acted upon, the type of behavior being performed, what is known about the outcome of the reported event, the priority level of the event, the type of event source reporting the activity and the significance of the activity. Additionally, different vendors often will use different scales or vocabulary to describe values for the same type of data. As a result, once data has been categorized, where relevant, our connectors convert the data into a common scale, for example, harmonizing the severity level from a device that rates from 1 to 10 with 1 as most severe with a device that rates from 1 to 7 with 7 as most severe to a device that uses words to describe severity, while also preserving the original score or value. This allows customers to switch, for example, from one brand of IDP to another or add new IDPs from other vendors (whether by procurement, merger or otherwise) without having to rewrite the standard ESM or customer-authored correlation rules. In addition to facilitating correlation, our translation, categorization and normalization capabilities allow ArcSight Manager to align data from many heterogeneous event sources so that they can be meaningfully compared and queried systematically without having to design the queries to address the specifics of how the event sources are reporting information. We use a similar abstraction approach with TRM and NCM to program responses and reconfiguration rules once, and have them transparently operate in any equipment environment, sorting out the relevant details and sending the right commands to the appropriate event sources.
 
  •  Common Event Format (CEF).  We created and are promoting the adoption of a common format for event sources to output their log data. Any event source that outputs data in this format can be integrated with our


71


Table of Contents

  platform without modification through our pre-packaged CEF-compatible connector. As a result, adoption of our CEF enables third-party vendors to more readily sell their devices and applications into our customer base. It also provides internal developers at our customers a simpler pathway for providing event data from their custom applications to our ESM software.
 
Customers
 
As of October 31, 2007, we have sold our products to more than 400 customers in a broad range of industries. Our customers include companies in the Fortune Top 5 of the aerospace and defense, energy and utilities, financial services, food production and services, healthcare, high technology, insurance, media and entertainment, retail and telecommunications industries, and more than 20 major U.S. government agencies. No customer accounted for more than 10% of our revenues in fiscal 2006 or 2007 or for the six months ended October 31, 2007. Our top ten customers accounted for 32% and 31% of our product revenues during fiscal 2006 and 2007, respectively. For each of the six months ended October 31, 2006 and 2007, our top ten customers accounted for 36% and 31%, respectively, of our product revenues. See note 10 of the notes to our consolidated financial statements for a discussion of total revenues by geographical region for fiscal 2005, 2006 and 2007 and the six months ended October 31, 2006 and 2007.
 
Research and Development
 
Building on our history of innovation, we believe that continued and timely development of new products and enhancements to our existing products are necessary to maintain our competitive position. Accordingly, we have invested, and intend to continue to invest, significant time and resources in our research and development activities to extend our technology leadership. At present, our research and development efforts are focused on improving and broadening the capabilities of each of our major product lines and developing additional products. We work closely with our customers as well as technology partners to understand their emerging requirements and use cases for our products. As of October 31, 2007, our research and development team had 96 employees. Our research and development expenses were $7.6 million, $12.2 million, $14.5 million, $6.9 million and $9.1 million during fiscal 2005, 2006 and 2007 and the six months ended October 31, 2006 and 2007, respectively.
 
Sales and Marketing
 
We market and sell our software through our direct sales organization and indirectly through value added resellers and systems integrators. Historically, the majority of our sales are made through our direct sales organization. We structure our sales organization by function, including direct and channel sales, strategic accounts, technical pre-sales, customer and sales operations, and by region, including Americas, U.S. Federal, EMEA and APAC. As of October 31, 2007, we had 110 employees in our sales and marketing organizations.
 
The selling process for ArcSight ESM follows a typical enterprise software sales cycle. It involves one or more of our direct sales representatives, even when a channel partner is involved. The sales cycle for an initial sale normally takes from three to six months, but can extend to more than a year for some sales, from the time of initial prospect qualification to consummation and typically includes product demonstrations and proof of concepts. We deploy a combination of field account management supported by technical pre-sales specialists to manage the activities from qualification through close. After initial deployment, our sales personnel focus on ongoing account management and follow-on sales. To assist our customers with reaching their business and technical goals for their implementations of our products, our Customer Success Ownership, or CSO, organization meets with customers to determine their success criteria and to help formulate both short- and long-term plans for their deployments of our products. We also have assigned specific sales personnel to our larger, more diverse and often global customers in order to understand their individual needs and increase customer satisfaction.
 
We derive a portion of our revenues from sales of our products and related services through channel partners, such as resellers and systems integrators. In particular, systems integrators are an important source of sales leads for us in the U.S. public sector, as government agencies often rely on them to meet IT needs, and we use resellers to augment our internal resources in international markets and, to a lesser extent, domestically. Our agreements with our channel partners are generally non-exclusive. Historically, we used our channel partners to support direct sales


72


Table of Contents

of our ESM platform products. Sometimes we are required by our U.S. government customers to utilize particular resellers. We also anticipate that we will derive a substantial portion of our TRM, Logger and NCM sales through channel partners, including parties with whom we have not yet developed relationships. In part to address the mid-market, we are currently investing resources to develop channel partners that will operate more independently. To this end, we recently created a dedicated channel team in each of our geographic regions responsible for recruiting, managing and supporting our channel partners.
 
We focus our marketing efforts on building brand awareness and on customer lead generation, including advertising, cooperative marketing, public relations activities, web-based seminars and targeted direct mail and e-mail campaigns. We also are building our brand through articles contributed to various trade magazines, public speaking opportunities and international, national and regional trade show participation. We reinforce our brand and loyalty among our customer base with our annual users conference.
 
Competition
 
Our primary product is our ArcSight ESM software platform, the key elements of which are the ESM Manager, the connectors and related toolkit for the creation of custom connectors and our Consoles that serve as the platform interface. In addition, we offer complementary software for our ESM platform that delivers pre-packaged analytics and reports tailored to specific security and compliance initiatives, and have recently introduced our complementary TRM, Logger and NCM appliances that assist our customers in threat response, log archiving and network configuration.
 
We believe that the market for a security and compliance management software platform that collects and correlates event data from across a heterogeneous IT infrastructure, which we are addressing with ArcSight ESM, is a developing market. Existing competitors for a platform-wide solution such as this product primarily are specialized, privately held companies, such as Intellitactics and NetForensics, as well as larger companies such as CA and Symantec, and EMC, IBM and Novell, through their acquisitions of Network Intelligence, Micromuse and Consul, and e-Security, respectively. A greater source of competition is represented by the custom efforts undertaken by potential customers to analyze and manage the information produced from their existing devices and applications to identify and remediate threats. In addition, some organizations have outsourced these functions to managed security services providers.
 
In addition to our existing competitors for our ESM platform, we believe that we face potential competition from a wide variety of sources that could become effective competitors. Many large, integrated software companies offer suites of products that include software applications for security and compliance and enterprise management. Hardware vendors, including diversified, global concerns, also offer products that address other security and compliance needs of the enterprises and government agencies that comprise our target market. If and to the extent that the market for our software platform continues to grow, we expect that large software and hardware vendors may seek to enter this market, either by way of the organic development of a competing product line or through the acquisition of a competitor.
 
For our ESM platform, we believe that we compete principally on the basis of functionality, analytical capability, scalability, interoperability with other components of the network and business infrastructure, and customers’ ability to successfully and rapidly deploy the product. We believe that we compete favorably with our existing competitors with respect to these factors. However, we may be at a competitive disadvantage when seeking customers that do not require the full range of features and functionality available in our ESM platform, especially those that may be price sensitive, which may particularly be the case for smaller organizations. Those potential customers may instead elect to purchase a less feature-rich product.
 
The market for our TRM, Logger and NCM products is also competitive. We have limited experience with the sales of these products, and we expect that to be successful in addressing these markets we will need to work effectively with channel partners. We are unable to predict the extent to which we will be successful selling these products independently of sales of our ESM platform. Further, we may be at a disadvantage in dealing with our channel partners, which also may have relationships with large competitors who offer a wide variety of products.


73


Table of Contents

Competitors for sales of our TRM and NCM products include privately-held companies, such as Alterpoint and Voyence; larger providers of IT automation software products, such as Opsware, which was recently acquired by Hewlett-Packard; and diversified IT security vendors. Current competitors for sales of our Logger product include specialized, privately-held companies, such as LogLogic and Sensage. In addition to these current competitors, we expect to face competition for our appliance products from both existing large, diversified software and hardware companies, from specialized, smaller companies and from new companies that may seek to enter this market. The primary competitive factors for our appliance products are functionality, price, scalability, interoperability with other components of the network and customers’ ability to successfully and rapidly deploy the product. We believe that we currently compete favorably with respect to these factors.
 
Mergers, acquisitions or consolidations by and among actual and potential competitors present heightened competitive challenges to our business. We believe that this trend toward consolidation in our industry will continue and may increase the competitive pressures we face on all our products. Further, continued industry consolidation may impact customers’ perceptions of the viability of smaller or even medium-sized software firms and consequently customers’ willingness to purchase from such firms.
 
Competitors that offer a large array of security or software products may be able to offer products or functionality similar to ours at a more attractive price than we can by integrating or bundling them with their other product offerings. The trend toward consolidation in our industry increases the likelihood of competition based on integration or bundling. If we are unable to sufficiently differentiate our products from the integrated or bundled products of our competitors, such as by offering enhanced functionality, performance or value, we may see a decrease in demand for those products, which would adversely affect our business, operating results and financial condition. Similarly, if customers seek to concentrate their software purchases in the product portfolios of a few large providers, we may be at a competitive disadvantage notwithstanding the superior performance that we believe our products can deliver.
 
Increased competition could result in fewer customer orders, price reductions, reduced gross margins and loss of market share. Many of our existing and potential competitors enjoy substantial competitive advantages, such as wider geographic presence, access to larger customer bases and the capacity to leverage their sales efforts and marketing expenditures across a broader portfolio of products, and substantially greater financial, technical and other resources. As a result, they may be able to adapt more quickly and effectively to new or emerging technologies and changing opportunities, standards or customer requirements. In addition, large competitors, such as integrated software companies and diversified, global hardware vendors, may regularly sell enterprise-wide and other large software applications, or large amounts of infrastructure hardware, to, and may have more extensive relationships within, large enterprises and government agencies worldwide, which may provide them with an important advantage in competing for business with those potential customers. In addition, if our target market continues to grow small, highly specialized competitors may continue to emerge.
 
Intellectual Property
 
Our intellectual property is an essential element of our business. We use a combination of copyright, patent, trademark, trade secret and other intellectual property laws, confidentiality agreements and license agreements to protect our intellectual property. It is our policy that our employees and independent contractors involved in development are required to sign agreements acknowledging that all inventions, trade secrets, works of authorship, developments and other processes generated by them on our behalf are our property, and assigning to us any ownership that they may claim in those works. Despite our precautions, it may be possible for third parties to obtain and use without consent intellectual property that we own or license. Unauthorized use of our intellectual property by third parties, and the expenses incurred in protecting our intellectual property rights, may adversely affect our business.
 
Patents and Patent Applications.  We have two issued patents and 29 patent applications pending, including one provisional application, in the United States. We also have three international patent applications and 12 patent applications in foreign countries pending, based on four of the patent applications in the United States. Our issued patents, which cover useful features rather than core elements of our technology, expire in 2024 and 2025. We do not know whether any of our patent applications will result in the issuance of a patent or


74


Table of Contents

whether the examination process will require us to narrow our claims, except that some of our patent applications have received office actions and in some cases we have modified the claims. Any patents that may be issued to us may be contested, circumvented, found unenforceable or invalidated, and we may not be able to prevent third parties from infringing them. Therefore, the exact effect of having a patent cannot be predicted with certainty.
 
Oracle License Agreement.  We license database software from Oracle that we integrate with our ESM platform. Our agreement with Oracle, which runs through May 2009, permits us to distribute Oracle database software embedded in our ESM platform. Under this agreement, we have agreed to make royalty payments totaling $3.9 million over the term of the license. The agreement allows us to offer this database software to our customers and partners that may not have previously acquired their own database management software.
 
From time to time, we may encounter disputes over rights and obligations concerning intellectual property. Although we believe that our product offerings do not infringe the intellectual property rights of any third party, we cannot be certain that we will prevail in any intellectual property dispute. If we do not prevail in these disputes, we may lose some or all of our intellectual property protection, be enjoined from further sales of our products that are determined to infringe the rights of others, and/or be forced to pay substantial royalties to a third party, any of which would adversely affect our business, financial condition and results of operations.
 
Employees
 
As of October 31, 2007, we had a total of 308 employees, consisting of 110 employees in sales and marketing, 96 employees in research and development, 35 employees in professional services, 27 employees in support and 40 employees in general and administrative functions. A total of 47 employees are located outside the United States. None of our employees is represented by a union or covered by a collective bargaining agreement. We consider our employee relations to be good and have never experienced a work stoppage.
 
Legal Proceedings
 
From time to time, we may be subject to legal proceedings and claims in the ordinary course of business. We are not currently a party to any material legal proceedings.
 
Facilities
 
Our corporate headquarters and research and development facilities occupy approximately 80,000 square feet in Cupertino, California under a lease that expires in October 2013. In addition to our principal office space in Cupertino, we lease facilities for use as sales and local support offices in various cities in the United States and internationally. We believe our facilities are adequate for our needs for at least the next 12 months. We also anticipate that suitable additional or alternative space will be available to accommodate foreseeable expansion of our operations.
 
ArcSight Historical Developments
 
We were incorporated in Delaware on May 3, 2000 as Wahoo Technologies, Inc. On March 30, 2001, we changed our name to ArcSight, Inc. We launched our first product in January 2002, and made our first product sale in June 2002. Following the completion of our fiscal year ended December 31, 2002, we changed our fiscal year end to April 30. As a result of the change, the first full fiscal year in which we sold our products and services was the fiscal year ended April 30, 2004. Our revenues have grown from $0.2 million in the fiscal year ended December 31, 2002 and $15.3 million in fiscal 2004 to $69.8 million in the fiscal year ended April 30, 2007. We initially funded our operations primarily through convertible preferred stock financings that raised a total of $26.8 million. We made our first sale to the U.S. federal government in September 2002 and our first sale internationally in December 2002.
 
We released version 1.0 of our ESM platform, which featured a proprietary security taxonomy that normalizes and categorizes data to enable cross-device, cross-vendor, time-based correlation as well as connectors based on a common architecture, in January 2002. Version 2.0 was released in November 2002,


75


Table of Contents

integrating vulnerability and asset criticality information to the data analyzed in order to prioritize security events. Version 2.5, released in September 2003, added real-time geospatial mapping to the incoming event stream as well as advanced visual analysis tools, such as three-dimensional dashboard monitors to enable more efficient analysis and response. In July 2004, we released version 3.0, which included real-time analyst collaboration and an enhanced security taxonomy. At that time, we also launched our Pattern Discovery product. We released version 3.5 in November 2005, adding quality of service metrics, improved performance, richer reporting and auditing. We introduced the first of our compliance insight packages in January 2006. In June 2006, we acquired substantially all of the assets of Enira Technologies, LLC, primarily consisting of the predecessors to our TRM and NCM products. We launched our TRM and NCM products in June 2006 and our Logger product in December 2006. We announced the availability of our current ESM platform, version 4.0, in May 2007. This newest release introduced integrated identity and role-based correlation capabilities as well as significant improvements to asset management capability and scalability.


76


Table of Contents

 
MANAGEMENT
 
Executive Officers and Directors
 
The following table provides information regarding our executive officers and directors as of December 1, 2007:
 
             
Name
 
Age
  Position(s)
 
Executive Officers:
           
Robert W. Shaw
    60     Chief Executive Officer and Chairman of the Board of Directors
Hugh S. Njemanze
    50     Founder, Chief Technology Officer and Executive Vice President of Research and Development
Thomas Reilly
    45     President and Chief Operating Officer
Stewart Grierson
    41     Chief Financial Officer
Kevin P. Mosher
    51     Senior Vice President of Worldwide Field Operations
Reed T. Henry
    44     Senior Vice President of Marketing and Business Development
Lawrence F. Lunetta
    56     Vice President of Strategy
Trâm T. Phi
    37     Vice President, General Counsel and Secretary
Other Directors:
           
Sandra Bergeron(2)
    49     Director
William P. Crowell(2)(3)
    67     Director
E. Stanton McKee, Jr.(1)(3)
    63     Director
Craig Ramsey(2)
    61     Director
Scott A. Ryles(1)(3)
    48     Director
Ted Schlein(2)
    43     Director
Ernest von Simson(1)(3)
    69     Director
 
(1) Member of the Audit Committee.
 
(2) Member of the Compensation Committee.
 
(3) Member of the Nominating and Corporate Governance Committee.
 
Robert W. Shaw has served as our Chairman and Chief Executive Officer since August 2001, and also served as our President until August 2007. From 1998 until its acquisition in 2001 by Whitman-Hart, Inc., Mr. Shaw served as Chief Executive Officer of USWeb Corporation, a provider of Internet professional services. From 1992 to 1998, Mr. Shaw served as Executive Vice President of worldwide consulting services and vertical markets for Oracle Corporation, a provider of enterprise software. Mr. Shaw holds a B.B.A. in finance from the University of Texas, Austin.
 
Hugh S. Njemanze co-founded ArcSight in May 2000 and has served as our Executive Vice President of Research Development and Chief Technology Officer since March 2002. From 1993 to 2000, Mr. Njemanze served in various positions at Verity, Inc., a provider of knowledge retrieval software products, most recently as its Chief Technology Officer. He holds a B.S. in computer science from Purdue University.
 
Thomas Reilly has served as our Chief Operating Officer since November 2006 and as our President since August 2007. From April 2004 to November 2006, Mr. Reilly served as Vice President of Business Information Services of IBM. From November 2000 until its acquisition in April 2004 by IBM, Mr. Reilly served as Chief


77


Table of Contents

Executive Officer of Trigo Technologies, Inc., a product information management software company. He holds a B.S. in mechanical engineering from the University of California, Berkeley.
 
Stewart Grierson has served as our Chief Financial Officer since October 2004 and also served as our Vice President of Finance from March 2003 to April 2007. In addition, from January 2003 to January 2006, he served as our Secretary. From 1999 to July 2002, Mr. Grierson served in several positions for ONI Systems Corp., a provider of optical communications equipment, including most recently as Vice President and Corporate Controller. From 1992 to 1999, he served in various roles in the audit practice at KPMG LLP. He holds a B.A. in economics from McGill University and is a chartered accountant.
 
Kevin P. Mosher <